* DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned!
* Active listener -- thanks to Mark Wityszyn (pronounced like wity-son). [http://pauldotcom.com/ebay_for_hackers.pdf Ebay For Hackers - PDF]
#[http://www.shell-fu.org/lister.php?id=829 Nice Wiping Tip] - [pauldotcom] - Giving the finger to forensics, I love it! Linux is so great, the built-in tools are just so flexible and provide so much functionality. I don't know why anyone would run Windows as their primary OS, it just gets in my way!
#[http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=217900202&cid=RSSfeed SMS Hacking] - [pauldotcom] - This just has security fail written all over it. SMS presents a huge risk to organizations, and here it sounds like some researchers are taking it to the next level and finding some vulnerabilities. The most attractive feature for attackers is the "always on" nature of SMS. I don't think you will see a smartphone botnet, at least not yet, but certainly if you could come up with a way to steal data from people's phones that would be great. The problem is that it's too widespread; people have all sorts of different numbers and it's tough to target an organization's cell phone presence without some accurate information gathering. I'm thinking that you break into a company, steal the directory, parse cell phones, then launch an attack.
#[http://pauldotcom.com/2009/06/common-sense-your-greatest-wea.html Common Sense: Your Greatest Weapon] - [pauldotcom] - In this post I point out some security FAIL, in a fishing tale kind of way :) I was fishing one day, observed what the fish were eating, and then used that information to catch more fish. To put a different spin on it, that's what the bad guys are doing. They are looking at what the fish (i.e. users) are eating and adapting. As defenders, we are doing a poor job of adapting. From wireless, to not checking logs, to over-dependence on A/V, sometimes I feel like we all suck. I did manage to identify strategies that work and are worth putting effort into: policy & procedures, vuln management, and system hardening. So there, go do it :).
#[http://chuvakin.blogspot.com/2009/06/pci-dss-marches-on-level-2-merchant-to.html PCI Debate: Level 2 Merchants Now Require QSA] - [pauldotcom] - There is good and bad that goes along with this. As Brian would say, the PCI cheerleaders are cheering about it. They say it will help a lot of organizations, because now these organizations need to be audited, and it will find some things that need to be fixed, security will improve, and everyone will be happy and take off early on Friday to go drink beer. The other side is that many PCI QSAs will do a lackluster job, create a false sense of security, and the overall state of information security will degrade, in the meantime putting more money into the QSA's pocket. I mean, think about it: the times are tough, so let's boost some PCI business by requiring level 2 merchants. Awesome.
#[http://support.apple.com/kb/HT3639 iPhone 3.0 - over 35 security updates] - [pauldotcom] - Wow, and here I am, the Apple fan boy that I am, jumping up and down for joy at copy/paste and voice memos. I dig a little deeper and realize that I was bent over a barrel running iPhone software! Holy freaking security updates, I might as well just publish all of the information on my phone to the Internet. I feel dirty, like that scene from Ace Ventura when he finds out that woman is really a man, and starts squeezing toothpaste in his mouth and showering, scrubbing, etc... Yea, like that. I think I'm switching to an N95 or a Pre real soon now. Oh wait, I just shelled out more $$ to Apple for a 3G S. At least my phone will look pretty.