From Security Weekly Wiki
Jump to navigationJump to search
22 bytes removed ,  01:08, 11 October 2014
Text replacement - "PaulDotCom SANS" to "Security Weekly SANS"
= Announcements & Shameless Plugs =
Live from the PaulDotCom G-Unit Studios Welcome to Security Weekly, Episode 122 for September 11th, 2008
Welcome to Security Weekly, a show for security professionals, by security professionals. This week with a special guest in the studio!
* [ PaulDotCom Security Weekly SANS Click-Through] - Go there, register for fabulous SANS training! Go now!
* [ ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!] - Interview in this episode!
* NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast immediately following!
[ Cheap SSD Drives] - [Larry] great, they are getting cheap - 32 Gig for $99, although slower and more power hungry than spinning disk. I bring this up, because the SSD drives provide a significant barrier to recovering deleted and or modified. This makes it very difficult to perform any type of forensics on these drives. How, as an industry do we deal with this situation? Not allow for system disks to utilize SSD?
[ Secure RFID Technology?] - [PaulDotComPaul] - Continuing our discussion from last week, here is a story about a new technology from Verayo which aims to use PUF (Physical Unclonable Functions) to generate a random identifier. Truth? Fiction? Who knows, this is why testing the security of devices is so important. [ Read more here]
[ "21" Meets RFID and the 21st century] - [PaulDotComPaul] - Chalk this up to "stupid ideas" here is an RFID poker table, nice!
[ Encryption is great!] - [Larry] - but bad implementations, and those that retrieve encrypted passwords are bad. We say all the time to use tried and try encryption algorithms, an this USB key manufacturer did just that. However, they added the ability for the password that is also used to access the device to be checked against a history of passwords. This function resides in memory, and brute force of the passwords can be conducted.
[ A Note About Mobile (in)security] - [PaulDotComPaul] - So, make a long story short, while an F-Secure researcher was giving a presentation about mobile security, a bluetooth worm outbreak happened and people's phones in the room were infected. There is also this [ scary Java vulnerability] that could effect mobile phones, over 100 million of them in fact. So, how do you control this in your environment? Do you just give people phones, or do you have a managed system like Blackberry? But what happens if a bluetooth phone worms creeps into your building? "Hi, this is security, before you can enter the building you must disable bluetooth on your phone". Is there even such a thing as a bluetooth IDS/IPS?
[ SCADA Attack released] - [Larry] - No offense to Kevin, but this is a re-implementation of the attack released by CORE a month or so back. So why does this one seem to get more press? This implementation is a Metasploit module. Yep, you can attack the latest in SCADA vulnerabilities for free.
[ You own the hardware] - [Larry] - You own the hardware, so tinker with it. There is already some folks poking at the Esquire magazine E-ink cover. Sure, not a device that has huge security implications, but take ownership of all of the other small (or large) devices that you network in your home or office.
[ Wireless Driver Vulns, and no patches, oh my!] - [PaulDotComPaul] - Laurent Butti and Julien Tinnes
from France Telecom have found vulnerabilities (DoS, possible remote code) in several wireless chipsets. For example, the Netgear WN802T (firmware 1.3.16) with MARVELL 88W8361P-BEM1 chipset is vulnerable to a bug that "...can be triggered by a malicious association request to the wireless access point with a Null SSID." Wow, thats pretty easy, and guess what, NO PATCH. [ This one, for Atheros, is patched]

Navigation menu