From Security Weekly Wiki
6,792 bytes added, 20:44, 8 March 2012
== Paul's Stories ==
#[ Testing the Security of Virtual Data Centers] - Attacking virtualization servers via the API is a very productive form of testing. The API, if you can bypass the authentication, allows you to control all of the systems and even take screenshots of all running VMs! This is a super cool hack, and can have devastating effects on your infrastructure, such as allowing attackers to disable VMs, delete them, and all sorts of nasty stuff. You really need to spend time hardening your VM layer, as it protects all of the systems running on it, so it's time well spent. In the words of a PaulDotCom sweeper (in slurring drunken speech) "Pick a good password".
#[ Slide Show: 10 Movie Scenes Of Authentication Worth Rewatching] - Somewhat interesting take on mostly older movies and how they do authentication with voice and retina scans. Demolition Man has the best retina authentication, as Wesley Snipes removes the eyeball from someone to escape from prison. Not sure how this relates to security and authentication as we experience today, but maybe proving that authentication sucks in the movies too.
#[ Healthcare Security Pros Need To Speak The Language Of Finance] - This article just reeks of security fail. It's the age old problem of getting executives to buy into security. They use the analogy of the bag of silica that comes with jewelry, and how we still need to have a warning label that says "do not eat". I just don't get it, if you are stupid enough to eat the silica, you should get sick. Wait, am I saying that if you are stupid enough to believe that you are secure because you use Apple products and therefore you are secure, that you deserve to get hacked? Yes, that is what I am saying. The real problem is convincing management that the top things you can do EFFECTIVELY to keep your data safe are justifiable. This is where we fall down, the perception we have of what actually keeps things secure is warped. Do I have the answer? Not really, but there has to be some correlation between staffing, skills, tools, and process...
#[ 5% of websites have had at least 1 SQL Injection vulnerability without needing to login] - This data comes from Whitehat Security, so I am confident in the numbers. However, keep in mind this comes from people who have actually hired a company to test their web security. In reality, this number is much higher on the general Internet.
#[ Engineer Shows TSA Nude Scanners are Useless] - This really proves that TSA is security theater. I like to think that there are people actually testing TSA security, airport penetration testers if you will, using any means necessary to get through airport security with weapons or explosives (well, maybe not shooting up a TSA checkpoint or anything). Obviously there is not. There is too much money at stake for the people who sell the scanners. So, a researcher sewed a pocket to the outside of his shirt and put a metal container in it. Since the scanners, both types, use a contrast to the background, the metal case did not show up because it fell outside of the person's body. Of course, nothing will be done and we will continue to be subjected to unknown amounts of radiation when traveling.
#[ Ray Ozzie says the PC is dead] - The PC is dead because people hack them, nothing else ;) There is a lot of talk about mobile security, however, the battle is still on the desktop.
#[ Stolen iPad leads to 780lb crystal meth seizure] - So they let the police in to investigate a stolen iPad, which they had tracked to their location using the location tracking in the iPad. Not sure if they recovered the iPad, but they did find 780lbs of Meth. Can you say dumb criminal of the year?
#[ The one tiny slip that put LulzSec chief Sabu in the FBI's pocket] - Supposedly he logged into IRC just once without using Tor! All criminals make mistakes, well most anyhow.
#[ Researchers find MYSTERY programming language in Duqu Trojan] - ''The creation of a dedicated programming language to construct the communications module shows how skilled the developers were, as well as providing evidence that significant financial resources were ploughed into developing the Duqu Trojan project.'' Pretty cool finding. Never heard of the MYSTERY programming language before, is that like Ruby?
#[ Chrome Falls In First Five Minutes Of Hacking Contest] - While this is the headline, check this out: ''While the hacks against Chrome are notable, by the end of the first day of the Pwn2Own competition, teams had successfully demonstrated hacks against all of the browsers.'' Yea, so browser security sucks all aro
#[ toolsmith: Pen Testing with Pwn Plug] - Love the pwn plug, can't wait to get more hands on with one (if you know what I mean). Dave is a great guy and I look forward to seeing more come from this project.
#[ Experts avoid AV because they can - the rest of you should still use it] - Do as I say, not as I do. As John says, A/V is like your smallpox vaccine, you know you need it, you know the virus could still be out there, so why not protect yourself? However, if we as security pros are the "doctors" and "nurses" if you will, shouldn't we protect ourselves? Maybe this is where the analogy falls down.
#[ Enumerating URLs from IP Addresses Using Bing's Search API] - This is perhaps one of the handiest scripts for pen testers! Give it a list of IP addresses and it uses Bing to enumerate all of the domains and URLs hosted there. So useful.
== Larry's Stories ==