Changes

From Security Weekly Wiki
6,113 bytes added ,  16:28, 29 June 2017
Text replacement - "\{\{\#ev\:bliptv\|(.*)\}" to "\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]"
= Episode Media =
[http://traffic.libsyn.com/pauldotcom/PaulDotCom-354.mp3 MP3 pt1]
[MP3 pt2]
= Announcements =
PaulDotCom Security Weekly - Episode 354 for Thursday November 21st, 2013
* We've released a book on Offensive Countermeasures! Visit [http://tinyurl.com/OCM-Amazon tinyurl.com/OCM-Amazon] to add this to your summer reading list.
<center>[[File:martinroesch.jpg]]</center>
Biography:
# How did you get your start in information security?
# What advice do you have for others getting their start in information security?
# Why did you decide to write Snort?
# It's been a long journey since the early days of Snort; can you summarize how you got to this point?
# Wait, I thought IDS was dead?
# How has IDS evolved to detect the latest threats?
# How do you keep track of sessions on 10GB connections?
<!---<center>[[File:Stephen-sims.jpg]]</center>--->
= Stories =
== Paul's Stories ==
So, I was reading about an FTC panel, featuring Craig Heffner and others trying to improve the state of embedded security. You can read that article here:
 
[http://www.veracode.com/blog/2013/11/muddying-the-water-on-security-and-embedded-devices/ Muddying The Water On Security And Embedded Devices]
 
Basically, it's the same story: embedded systems security sucks. And yes, even when we polish the message, shave, shower, put on a suit and tie and meet with stakeholders, the baby is still ugly. It comes down to usability and price. The vendors themselves admit it comes down to usability. They want the consumer to be able to check on the roast in the oven while they weed the garden. I'm not sure which embedded device would allow you to do that, but security is not in the picture. Security is trumped by usability, and we're losing the battle big time. Here is some more evidence:
#[http://securityvulns.com/docs29992.html Stem Innovation ‘IZON’ Hard-coded Credentials] - Because no one would guess that user/user is valid when logging in via the web interface.
#[http://blog.depthsecurity.com/2013/11/dahua-dvr-authentication-bypass-cve.html Depth Security: Dahua DVR Authentication Bypass - CVE-2013-6117] - This one is really funny: he actually caught himself on tape dropping his motorcycle. I hope he, and the bike, were okay! ActiveX controls your camera, yuk.
#[http://securityvulns.com/news/Juniper/JunOS/1311.html Juniper JunOS cross-site scripting] - XSS in your firewall spells trouble.
#[http://securityvulns.com/news/Vivotek/AB.html Vivotek IP cameras authentication bypass] - Spy on people, complete with Python code.
#[http://securityvulns.com/news/HP/iLO/1311.html HP Integrated Lights-Out security vulnerabilities - security vulnerabilities database] - Still, iLO vulnerabilities...
#[http://blog.erratasec.com/2013/11/isowall-isolating-firewall.html isowall: an isolating firewall] - This is a really awesome firewall distribution for setting up a quarantine for infected systems. It uses its own IP stack!
#[http://www.rationalsurvivability.com/blog/2013/11/maslows-hierarchy-of-security-product-needs-vendor-selection/ Maslow’s Hierarchy Of Security Product Needs & Vendor Selection…] - This one is just funny!
#[http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-2014.html Top Security Predictions for 2014] - Care for some predictions?
#[http://idoneous-security.blogspot.com/2013/11/whats-my-name-no-really-what-is-it.html "What’s my name? No] - Outstanding post from Wendy. Us pen testers, we like to enumerate usernames. Those users, oh those users, they love to forget their usernames. So we run into this problem where we have to expose the username somehow, and this means attackers can enumerate it. The best take on this: Wendy says if attackers can do harm because they have a valid username, your application is in trouble!
#[http://news.hitb.org/content/github-resets-user-passwords-following-rash-account-hijack-attacks GitHub resets user passwords following rash of account hijack attacks]
#[http://www.darkreading.com/attacks-breaches/whos-the-boss-over-your-jboss-servers/240164144 Who's The Boss Over Your JBoss Servers? -- Dark Reading]
#[http://threatpost.com/going-back-to-the-future-in-the-name-of-better-security/102977 Going Back to the Future in the Name of Better Security]
#[http://www.theregister.co.uk/2013/11/18/vbulletin_hacked/ vBulletin.com's password database hack gives forum admins the jitters]
#[http://www.theregister.co.uk/2013/11/21/scada_flaws_put_world_leaders_at_risk_of_terrible_traffic_jam/ SCADA flaws put world leaders at risk of TERRIBLE TRAFFIC JAM]
#[http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ Linux backdoor squirts code into SSH to keep its badness buried • The Register]
#[http://www.theinquirer.net/inquirer/news/2307618/hacking-of-forum-software-firm-vbulletin-spawns-host-of-zero-day-attacks Hacking of forum software firm vBulletin spawns host of zero-day attacks - The Inquirer]
#[http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968 Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability]
#[http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html Troy Hunt: Adobe credentials and the serious insecurity of password hints]
#[http://blog.cmpxchg8b.com/2013/11/qnx.html Tavis Ormandy: QNX]
#[http://w00tsec.blogspot.com/2013/11/unpacking-firmware-images-from-cable.html w00tsec: Unpacking Firmware Images from Cable Modems]
==Larry's Stories==
==Greg's Stories==
# Dave Kennedy testifies in front of Congressional Committee on the security of healthcare.gov [https://www.trustedsec.com/november-2013/trustedsec-congressional-hearing-report/ TrustedSec Congressional Hearing Report]
# Your LG Smart TV knows you are watching midget porn [http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html LG Smart TV logging usage]
# GitHub bans weak passwords after many accounts were brute-forced [https://github.com/blog/1698-weak-passwords-brute-forced Weak Passwords suck]
# Facebook mines data in Adobe Breach to identify potential re-used passwords [http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/ Facebook warning]
# [http://nakedsecurity.sophos.com/2013/11/19/us-local-police-department-pays-cryptolocker-ransom/ MA police department pays CryptoLocker ransom] - "we were never compromised"