Difference between revisions of "Episode266"

From Security Weekly Wiki
Revision as of 16:40, 3 November 2011


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 266 for Thursday November 3rd, 2011.

Guest Interview: Jeff Moss

6:00 PM EDT


Black Hat Founder and Director Jeff Moss has spent almost 2 decades as founder and director of Black Hat and DefCon, two of the most important security conferences in the world. In 2009 Moss was appointed to the Homeland Security Advisory Council to provide advice and recommendations to the Secretary on matters related to homeland security. Jeff has also worked for Ernst & Young, LLP in their Information System Security division and is currently CSO of ICANN.

PaulDotCom rapid fire questions round (TM):

  1. What 3 letter acronym scares you the most?
  2. If APT were a drink, what would it taste like?
  3. Android, iOS or Blackberry?
  4. Sneakers or Wargames?
  5. 3 words you use to describe CISSPs...
  6. Describe DefCon planning in two words.

Guest Tech Segment: Jon McCoy


Jon McCoy is a .NET Software Engineer who focuses on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for the paralyzed. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself.


Jon's web page

Jon's presentations


Stories For Discussion

Paul's Stories

Jack's Stories

Larry's Stories

  1. Pump Up the Insulin - [Larry] - Barnaby Jack is my hero, again. He's taken this liking to embedded devices, and this time into insulin pumps. He built a 900 MHz sniffer and omnidirectional antenna to discover the devices, and when queried they cough up their serial number - this serial number is needed to perform additional interactions with the device. From there, he developed tools to be able to increase the insulin dosage, including the ability to unload all 300 units at once. (Yeah, that is MORE than enough to kill you.) Normally the device would vibrate or emit an alarm when the dosage is changed wirelessly, but Jack found a way to disable that too, over wireless. The vendor says they are looking at a fix, including encryption. Nothing like not thinking about security 10 years ago…
  2. Common Mobile App vulns - [Larry] - While this may not be earth-shattering news to some of our listeners, it still fascinates the heck out of me that web app vulnerabilities from like 10 years ago are STILL available in mobile apps, and fail on ALL of the same things that we've been preaching about for years. Why does this happen? Do the developers think that their traffic is secure over the cell networks? What about that WiFi stuff? Do the devs forget or is it just laziness?
  3. Taking down a Cartel - [Larry] - Subtitled as "Wow, who thought this was a smart idea?" Allegedly Anonymous wants to bring down a drug cartel that they have information on supporters and members of. While it may be fun to think that they can change the world by doing so, they quickly "backed down" (at least by some reports), after hearing that the cartel was employing their own computer folks to track down the Anonymous members. Umm, hello, organized crime has the correct kind of resources to do the tracking. I wonder if the story was done by the government to expose Anonymous?

Darren's Stories

  1. 1:60 Facebook posts are malicious and 1:100 tweets are malicious - Inconceivable that malicious activity happens on these social sites… 14 percent of LinkedIn users felt insecure using the site. Wonder what the next target will be.
  2. China Did It - Apparently we can blame China for everything… China the NEW APT… How long before vendors actually say that they keep China out of your network?
  3. Chemical Industry under attack and IT'S CHINA AGAIN!! - See….
  4. US observation satellites hacked by China - Will the insanity ever stop?
  5. Even Mr. Kaspersky himself is in the China CYBER terrorism camp - Who is going to stop the great Chinese menace?
  6. VIM turns 20! - 20 years ago VIM was released. I know a lot of us use it.

John's Stories