From Security Weekly Wiki
3,675 bytes added, 19:58, 9 December 2010
#[http://securityvulns.com/Zdocument248.html Maintaining administrative access on the DL] - [Larry] - Compromise a system and then create an account (or use ASPNET) to maintain access. Hopefully a good admin will notice if you put that user in the admin group. So, how do you keep it under wraps? This issue with the SAM allows a user to be modified so that it looks like a regular user but has admin privileges. Microsoft says no investigation is needed, since other vulnerabilities are required to compromise the system first.
#[http://www.theregister.co.uk/2010/12/08/nasa_disk_wiping_failure/ How do astronauts wipe?] - [Larry] - Apparently not very well. NASA was found to be disposing of a couple of machines that had not been properly sanitized. In addition to un-wiped hard drives, several machines were found to be marked externally with identifying information and IP addresses…
# [http://blog.taddong.com/2010/12/browser-exploitation-for-fun-profit.html Browser Exploitation With BeEF, Metasploit, and Samurai] - They actually made some changes to the Metasploit reverse_https module to avoid port conflicts and make all this work together. I think this is one of the most important techniques out there that we need to bring to customers and raise awareness of. It hits on so many points, such as internal vs. external, web app security, and client-side security.
# [http://www.schneier.com/blog/archives/2010/12/wikileaks_1.html Schneier On Wikileaks] - [PaulDotCom] - Bruce has a few good points for discussion, such as encryption not being the issue because the cables were only encrypted for transmission, which has interesting parallels to many information security concepts and problems. He also drops a logic bomb on us: "Secrets are only as secure as the least trusted person who knows them." Well, yea... He also goes on to say that the government is learning the hard way what the movie and music industries have learned: controlling something once it's digital is impossible. So many people ask me why Wikileaks is doing this, and I've yet to come up with a really good answer.
# [http://feedproxy.google.com/~r/SecurityBloggersNetwork/~3/OiPYVG_5uM8/ Best Predictions For 2011] - [PaulDotCom] - I like this one: "Most people will renew every security product currently in their environment no matter how well it works (or doesn't)." It's so true, people just renew stuff without measuring how it works. Also in there: "Someone will predict cloud computing will cause/fix all these other problems". I'm so sick and tired of hearing about the cloud. Cloud this, cloud that, "cloud security". It's all just computers and networks still, right?
# Topic: In The Clouds: Why do we make a big deal about "cloud computing" and "cloud security"? I think we need to make a big deal about "web computing" and "web app security" and "client computing" and "client security". Oh wait, we already do, nevermind.
# [http://www.kctv5.com/news/26051235/detail.html Fail Of The Week: Kansas City Residents Get "The Club"] - [PaulDotCom] - Ha! Here's a club, now go use it and pretend that it stops someone from stealing your car.
# [http://www.digitalbond.com/index.php/2010/12/08/quick-and-easy-oracle-default-password-enumeration Oracle Password Enumeration] - [PaulDotCom] - I've found that most people don't bother installing patches or securing Oracle. I think they believe that because it's internal, no one is looking. And it's so complex, why would anyone bother? Or they are running Oracle as part of some pre-packaged software and don't even know it. This tool, oscanner, is cool: ''when oscanner finds a valid default account with enough privileges, it will log in and do password guessing for all the accounts it finds in the user tables.'' Nice! Now all we need is a way to keep track of all these little utilities we use for stuff like this; there's even naming overlap to boot!
# [http://superconductor.voltage.com/2010/12/how-unique-are-ssns.html How unique are SSNs?] - [PaulDotCom] - I think the Debian developers created the randomness for the SSN. Doh! ''a study by San Diego start-up ID Analytics indicates that there's a significant chance that your Social Security number is being used by someone else.'' And we're not talking stolen either!
= Other Stories of Interest =
* [http://gearpatrol.com/blog/2010/12/03/essential-gear-10-badass-tactical-pens/ Tactical Pens!] - [PaulDotCom] - Yes, a tactical pen. It's either your signature or your brains on that paper, you choose.