= Stories For Discussion =
# [http://www.tomscott.com/evil/ Evil] - [Larry] I'm really loving social network APIs. With them we have the ability to search for all sorts of things about people, this one for their phone numbers. This could get interesting.
#[http://feedproxy.google.com/~r/SecurityBloggersNetwork/~3/BKq3djw_EOY/ World's Sexiest Hacker] - [
pauldotcom] - Is she? She got busted as part of the Zeus botnet. Yea, it was a slow week for stories! I still think that Larry is the sexiest hacker in the world, Dennis Brown may be a close second.
# Topic - "Does NAC Work Good enough" - So here's the thing, as pen testers, we know that NAC doesn't slow us down. If we have physical access we can spoof a MAC address, unplug a printer and use its MAC address, or with VoIP use VoIP hopper to jump VLANs. However, from a defensive standpoint, having NAC helps keep laptops from coming back on the network, prevents contractors and vendors from plugging in infected systems. To that point, does segmentation really work effectively? While you can put all the HR systems on one segment, is that effort really worth it? I tend to believe that putting systems in one segment just moves the problem around. Different segments need to talk to each other, and its not that hard to figure what's allowed and get around it. DMZ I believe is a good thing, but systems want to talk to each other. People will open holes, so is all the firewall administration worth the little protection it provides? I think in security we tend to move the problem around instead of fixing it. I'm saying put effort into patching your systems and monitoring your logs, rather than move the problem around.
# [http://www.darkreading.com/authentication/security/client/showArticle.jhtml?articleID=227700141&cid=RSSfeed Man in the mobile] - [
pauldotcom] - Bleh, too many buzzwords. However, two-factor authentication that send you a TXT message doesn't work so well if an attacker pwns your phone. So, do better.# [http://arstechnica.com/security/news/2010/08/cars-hacked-through-wireless-tyre-sensors.ars Hacking Tire Pressure Sensors] - [ pauldotcom] - ''"The wireless sensors, compulsory in new automobiles in the US since 2008, can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction."'' I think hacking cars is neat, but unless there is money to be made, attackers will just yawn. Maybe there will be some pranks, but I don't see this being a huge concern.
#[http://www.boingboing.net/2010/10/04/security-company-ad.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29 Tricking folks into security services?] - [Larry] - I wonder how something like this would go over in our industry? I have a feeling not very well. Although I think for a parallel, in our industry if we are able to sneak something in like this, we're in, not just with trickery.
#[http://www.engadget.com/2010/10/03/hacker-claims-third-party-iphone-apps-can-transmit-udid-pose-se/ Iphone app data] - [Larry] - Buyer beware I guess? But, how would the average consumer ever know? Phone UDIDs (Unique IDS) can be grabbed by the API, and sent via app with other personal information, although it is "prohibited". Some even in cleartext...
#[http://newsoft-tech.blogspot.com/2010/09/d-link-dcs-2121-and-state-of-embedded.html Dlink Video FAIL!] - [
pauldotcom] - So fail, command injection, root/admin hard coded.
= Other Stories of Interest =