Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 261 for Thursday October 6th, 2011.
- Check out Hack Naked TV - currently at Episode #6 the "SSL is broken-er" edition!
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
- We're spinning up a new mini-podcast/videocast (Hack Naked at Night with Larry and Darren) and we're looking for topics from our listeners - specifically, what type of pentest device do you want us to build out of a roomba? Send suggestions to email@example.com
Guest Interview: Charlie Miller
7:30 PM EDT
Charlie is a principal research consultant for the Accuvant LABS team and was the first with a public remote exploit for both the iPhone and the G1 Android phone. He won the CanSecWest Pwn2Own competition multiple times and holds a PhD from the University of Notre Dame.
Guest Tech Segment: Alessandro Acquisti
Alessandro is an Assistant Professor at Carnegie Mellon University. He's received national and international awards, including the 2005 PET Award for Outstanding Research in Privacy Enhancing Technologies and the 2005 IBM Best Academic Privacy Faculty Award. He's on to discuss his recent talk on Facial Recognition using Augmented Reality presented at Blackhat and some other privacy research.
- Tell us about the facial recognition research - how fast were you able to ID users? Were you surprised by the media coverage?
- How does Augmented Reality fit in to the research?
- What was the inspiration for your Guns, Privacy, and Crime research?
- Tell us about your research into The Economics of Privacy.
Stories For Discussion
Blog Round Up
- Hack Naked TV - Episode 6 - Recorded live from SANS Las Vegas!
- Crawling for Domain Admin with Tasklist
- American Express 0-day - [Larry] - Oh man, how sloppy can you get. This researcher (who allegedly tried to report it responsibly, albeit with limited communication options) found that the American Express US Admin page was apparently left open to the world without access restriction or password. Access to the admin app gives debug access and the ability to view/steal cookies. Need a little automation with the "attack"? The debug is vulnerable to XSS, and using some GET requests, it may be possible to create a refresh to inject code indefinitely, and steal cookies with injected jQuery commands. Sloppy, Sloppy, Sloppy.
- OMG WIFIJAMMER! - [Larry] - Ok, cool script for automating what is a fairly easy attack... BUT. Get your terminology right: jamming would refer to shenanigans at Layer 1 by introducing noise into the air, or reserving access to the medium with RTS/CTS. This is not a "jam", it is a "deauth", an attack that has been around for some time, performed by spoofing deauth frames from AP to STA. Of course, this may not be completely usable in its current form, as many new wireless drivers specifically ignore deauth sent to broadcast...
- Wifi User still at risk - [Larry] - In a poll done by the WiFi Alliance (yes, the folks that ensure interoperability for WiFi devices), they noted that while many users now set up appropriately secure wireless networks (with WPA/WPA2 PSK, natch), they do not concern themselves with too much else, like non-default/non-weak passwords, VPNs at hotspots, or even not connecting to non-preferred networks. This is what happens when technology enables security through design, but other technology is in place and active that allows users to remain blissfully ignorant... and pwned.
- The Matryoshka Router - [Larry] - Didier finds open ports on the WAN side of his ADSL router (ports 2002, 4002, 6002 and 9002), even though the router was configured properly. I've seen this on assessments, and not had the same luck as Didier - he reports that even though the passwords were changed, he was able to log into those unknown ports with telnet and the default username and password (I'm guessing cisco/cisco), which appeared to be bound to various VTY lines. A word to the wise, folks: just because it isn't an "ethernet interface", be sure to apply ACLs to your VTY lines as well. Now, because SHODAN only scans specific ports, I really need to figure out a repeatable nmap command line to quickly (a relative term) scan the entire internet for specific ports. Where's fyodor and Ron Bowes when you need them?
- Fail an audit already, will ya? - [Larry] - Yes, it is ok not to be perfect. Here's how you get backing to help fix it. It is ok to fail, 'cause all good security folks would admit that there is no such thing as perfect security, so why are your audits coming back that way? From the article: "in the past three years 36% of companies had suffered a breach and yet only 15% had failed an audit".
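The WIFIJAMMER story above is, as Larry says, a deauth flood rather than a jam, and the defender's side of that is spotting the flood on a monitor-mode sensor. The script below is an added example (not code from the show or from the tool being discussed) that detects a burst of deauthentication/disassociation frames from one BSSID. Its input format is an assumed one-frame-per-line text export (epoch seconds, 802.11 type/subtype byte in hex, source MAC, destination MAC, reason code or `-`); the sample frames are hand-constructed.

```python
"""Flag deauthentication / disassociation floods in a frame export.

Added example for the WIFIJAMMER discussion; not code from the show or the
script it discusses. The input format is an ASSUMED one-frame-per-line text
export (epoch seconds, 802.11 type/subtype byte in hex, source MAC,
destination MAC, reason code or '-'), as a monitor-mode sensor might
produce; the sample below is hand-constructed.
"""
from collections import defaultdict, deque

DEAUTH = 0x0C     # management subtype 12: Deauthentication
DISASSOC = 0x0A   # management subtype 10: Disassociation (same effect on the STA)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: beacons and data, one plausible unicast deauth, then a
# burst of twelve broadcast deauths spoofed "from" the AP inside ~0.1 s.
SAMPLE_EXPORT = """\
1317940799.500 0x0c 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 3
1317940800.001 0x08 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff -
1317940800.120 0x28 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 -
1317940801.000 0x08 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff -
1317940801.010 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.020 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.030 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.040 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.050 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.060 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.070 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.080 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.090 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.100 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.110 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940801.120 0x0c 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
1317940802.500 0x28 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 -
"""


def parse_line(line):
    """Return (ts, subtype, src, dst, reason) or None for a blank/malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = float(parts[0])
        subtype = int(parts[1], 16) & 0xFF
        reason = None if parts[4] == "-" else int(parts[4])
    except ValueError:
        return None
    return ts, subtype, parts[2].lower(), parts[3].lower(), reason


def detect_deauth_flood(export, window=1.0, threshold=10):
    """Return one alert per source MAC that sent >= threshold deauth/disassoc
    frames within any sliding window of `window` seconds.

    Frames are assumed to be in capture order. Each alert records the peak
    count seen in a window and how many of those frames went to broadcast
    (a spoofed broadcast deauth is the classic "kick everyone" pattern).
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts = {}
    for line in export.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, subtype, src, dst, _reason = rec
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(src, {"source": src, "peak": 0, "broadcast": 0,
                                        "first": q[0][0], "last": ts})
        if len(q) > alert["peak"]:
            alert["peak"] = len(q)
            alert["broadcast"] = sum(1 for _, d in q if d == BROADCAST)
        alert["last"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_EXPORT):
        print(f"deauth flood from {a['source']}: {a['peak']} frames in window, "
              f"{a['broadcast']} to broadcast, {a['first']:.3f}..{a['last']:.3f}")
```

Because alerts are keyed on the source address, a single spoofed AP address shows up as one alert with a broadcast count, which is the signature Larry describes (and the one newer drivers ignore); a legitimate AP kicking a single misbehaving client produces a lone unicast deauth and never reaches the threshold.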
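For the Matryoshka Router story, Larry's takeaway is that a password on the VTY lines is not an access control: the lines also need an ACL bound with `access-class`. The Cisco IOS fragment below is an added example, not configuration from Didier's router or the show; the management subnet 192.0.2.0/24 and the line ranges are placeholders, and the number of VTY lines a platform has varies, so check `show line` before copying the range.

```cisco
! Weak: every VTY reachable from any source, shared password, telnet allowed
line vty 0 4
 password cisco
 login
!
! Hardened: only the management subnet (placeholder 192.0.2.0/24) may
! reach any VTY line, SSH only, local accounts, and an idle timeout.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Lines you do not use for remote access should accept no transport at all.
line aux 0
 transport input none
 no exec
```

The point of `access-class ... in` is that it filters what reaches the line itself, independent of which interface the connection arrived on, which is exactly the gap when a WAN interface ACL is in place but the line-level one is missing.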