Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 313 for Thursday December 20th, 2012
- Tom Clancy's new book, Threat Vector, makes mention to a Hack Naked T-shirt
- Welcome our latest official sponsor, The SANS Institute! You will be hearing a lot more about some of the different programs and curriculums at SANS over the course of next year.
- For the first time ever, BSides is coming to Rhode Island. Paul will be co-organizing BSides Rhode Island with the latest PaulDotCom victim intern Patrick Laverty. This incredible event will be held on Saturday, June 15 in Providence. We are currently looking for great sponsors and outstanding speakers. If you are interested in either sponsoring, speaking or helping out in any way, you can get in touch with us at BSidesRhodeIsland@gmail.com. Our Twitter handle is http://twitter.com/BSidesRI and our site is at http://www.securitybsides.com/BSidesRI
Check out our last year: Adam Shostack, Jeremiah Grossman, Dan Geer, Allan Paller, Dr. Anton Chuvakin, Thomas Ptacek, Marcus Sachs, Kevin Finisterre, Nick Farr, Gene Kim
Guest: Tim Medin
Tim currently works at Counter Hack Challenges, a company devoted to the development of information security challenges for education, evaluation and competition. Prior to Counter Hack Challenges, Tim was a Senior Security Consultant for FishNet Security where the majority of his focus was on penetration testing. He has held a variety of positions in technology fields including developer, network engineer, control systems engineer, robotic engineer, penetration tester, and McDonald's fry cook. Tim regularly contributes to the Command Line Kung Fu Blog and is a project lead for the Laudanum Project, a collection of injectable scripts designed to be used in penetration testing. He can be found on twitter as @timmedin.
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts. Our top ten new cigars for 2012 will be revealed tonight!
- Please subscribe to the PaulDotCom Insider Newsletter for all things PaulDotCom, discounts on training, and updates on cool stuff we're doing (like looking for people to help, take people under our wings and teach them security, etc...)
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Bsides everywhere baby! Likely there is one near you, so check the web site www.securitybsides.com. Next local BSides is in Boston and has been moved to May and of course there's BSides Rhode Island on June 15.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
- Celebrity hacker gets ten years - I'm not sure what else he's done, but if all you've done is leak nude photos you should get a pass. Because name one judge, jury, or law enforcement agent that did not get a kick out of seeing Scarlett Johansson naked. Shit, it's probably the background image of all the FBI agents working on the case! Ten years is a long time, there had to be other stuff too.
- HTTPS Everywhere for Internet Explorer - I can't tell people enough, web browser extensions are the way to go. Sure, it's risky adding on software to your browser. However, I believe it's worth the risk. My recommendation is an HTTPS Everywhere add-on, along with one to block Flash, JavaScript and Java. Then also one to block ads and pop-ups. If you have these 3 or 4 extensions, in whatever browser you use, then you greatly reduce the risk of getting compromised. Let's not forget that you may see some of your relatives over the holiday. This is a great time to install some protections in their browser.
- Apple addresses another Wi-Fi bug with iOS 6.0.2 update - I love this unknown Wifi bug. There is a bug, we fixed it, but we won't tell you anything about it. I believe vendors should be required to release the details about security flaws once a patch has been produced. I mean, we're just going to reverse engineer the patch anyhow...
- Adobe to patch 2-year-old Shockwave vulnerability next year - So you've ignored it for 2 years, what's waiting another week? I think the largest fail by a vendor ever is Adobe. They've had countless vulnerabilities across all of their products, including Reader, AIR, and of course Flash. Enough is enough, if you can avoid using an Adobe product, I say do so. HTML5 is here, and hopefully that presents LESS risk, but we'll see.
- Top 10 gadgets for Christmas 2012 - The Inquirer - I'd like to run through these and discuss any potential security issues.
- Making Database Security Your No. 1 2013 Resolution - We did a great interview on this topic, and I still think database security is largely ignored, so don't ignore it! Talk to your database people, give them some encouragement, offer to help them, include them in the security and operations process.
- VMware patches 'critical' vulnerability - If you are relying on VMware, you need to stay up on patches. This means having full fault tolerance, being able to shut down systems and patch them without down time. This comes down to planning your virtualization!
- Top 12 IT Security Stories of 2012 - Can't wait to run through this list, either we look back at 2012 or look forward to 2013.
- Abusing SAP Servers - SpiderLabs Anterior - SAP is one of those things that people ignore, so good to see it getting some coverage.
- Soldier of Fortran • IBM Mainframe User Enumeration and Bruteforcing - I put this in there because security articles focusing on mainframes are few, and this is one of the better sources.
- Security and Networking - Blog - Should We Exploit Every Vulnerability to Prove it Exist? - Carlos wrote this article, I think most know where I stand, if a vulnerability exists and there is a patch, you apply it, period.
Celeb hacker goes to prison - [Larry] - for 10 years. Why? Hacking celebrity e-mail accounts. Things to keep in mind… if there are naked photos of you on the internet someone will find them. Also, he'll have some good spank material in prison.
Circular logic - [Larry] - Shockwave player uses an old, vulnerable Flash runtime… uh, Adobe, don't you both make these? Dependency fail?
Hacked Card terminals - [Larry] - Not your ordinary variety…the kind that visits your table (aka, outside of the US). Steals your card, and even prints you a "real" receipt. Allegedly there is some place in the Ukraine where you can get the pre-hacked models for about $2900 (normal price is $2400-ish)
Onity backpedaling - [Larry] - Apparently Onity is willing to offer for free, or subsidize with some clients the replacements for some of the hackable hotel locks. Of course, only locks since 2005, and even then there is a release that says, basically, these may not be invulnerable and you can't sue us…
Jack's Tales of Christmas Present
- BSides Everywhere Here's a map of all of the cities which have held a BSides. Can't wait to add Puerto Rico, Rhode Island, and many others next year.
- WordPress Pingback Vulnerability - Reported by Acunetix this week after the WordPress team disclosed this vulnerability, without a patch. The problem is you can DDOS a site by simply linking to many other blogs that have pingback and they can then attack the site we commented on. When someone puts a comment on a site and links to a WordPress blog, the WP site will then call back to confirm that there is a link to it there. Create a comment with links to lots of WP sites and they can DDOS a site. The only solution currently offered is to rename the xmlrpc.php file.
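From the target site's point of view, the reflected flood described above shows up as a burst of link-verification fetches from many unrelated WordPress blogs in a short window. The following detection script is an added example for this episode's notes, not code from Acunetix or the WordPress project; it parses constructed Apache combined-format log lines and flags any minute in which the number of distinct blogs identified in "WordPress/..." user agents crosses a threshold. The log lines, hostnames and threshold are all assumptions made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A WordPress pingback verification fetch identifies itself as
# "WordPress/<version>; http://<blog url>", so the blog URL is taken from the UA.
WP_UA_RE = re.compile(r"^WordPress/[\d.]+; (?P<blog>\S+)")

# Constructed sample log: six verification fetches from six different blogs in one
# minute (the flood), one ordinary browser request, and one lone pingback later.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Dec/2012:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.5; http://blog-a.invalid"
203.0.113.11 - - [20/Dec/2012:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.4.2; http://blog-b.invalid"
203.0.113.12 - - [20/Dec/2012:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.5; http://blog-c.invalid"
203.0.113.13 - - [20/Dec/2012:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.3.1; http://blog-d.invalid"
203.0.113.14 - - [20/Dec/2012:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.5; http://blog-e.invalid"
203.0.113.15 - - [20/Dec/2012:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/3.5; http://blog-f.invalid"
198.51.100.7 - - [20/Dec/2012:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.20 - - [20/Dec/2012:10:05:41 +0000] "GET /post/2 HTTP/1.1" 200 4096 "-" "WordPress/3.5; http://blog-g.invalid"
"""


def parse_line(line):
    """Return (minute bucket as 'YYYY-MM-DD HH:MM', path, blog) for a WordPress
    pingback fetch, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = WP_UA_RE.match(m.group("ua"))
    if not ua:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.strftime("%Y-%m-%d %H:%M"), m.group("path"), ua.group("blog")


def detect_pingback_flood(log_text, min_distinct_blogs=5):
    """Bucket WordPress verification fetches per minute and return the minutes
    whose distinct-blog count reaches the threshold, with request totals."""
    per_minute = defaultdict(lambda: {"requests": 0, "blogs": set(), "paths": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, path, blog = parsed
        bucket = per_minute[minute]
        bucket["requests"] += 1
        bucket["blogs"].add(blog)
        bucket["paths"].add(path)
    return {
        minute: {"requests": b["requests"], "distinct_blogs": len(b["blogs"]),
                 "paths": sorted(b["paths"])}
        for minute, b in sorted(per_minute.items())
        if len(b["blogs"]) >= min_distinct_blogs
    }


if __name__ == "__main__":
    for minute, info in detect_pingback_flood(SAMPLE_LOG).items():
        print(f"{minute}: {info['requests']} pingback fetches from "
              f"{info['distinct_blogs']} blogs hitting {info['paths']}")
```

Keying on the distinct blog count rather than the raw request count matters: a single popular blog legitimately linking to you once produces one fetch, while the reflected attack necessarily spreads across many reflectors. On the reflector side, the same signature is a run of POSTs to xmlrpc.php carrying pingback.ping calls that all name the same target URL.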
- Not one but TWO Twitter accounts Pwned - Teen hacker CosmoTheGod apparently took over a second Twitter account owned by a member of the Westboro Baptist Church. He was able to get access to the account by doing a password reset to an email account that he owned.
- Asked on the pauldotcom listserv, what is a good way to handle registrations that allow for unique usernames but won't let someone enumerate the system and find all the taken usernames? Some suggestions included using email as a username or allowing the user to pick a name and then the system will randomly append a four-digit number, to guarantee uniqueness. Similarly, there is also the issue on password resets where the user enters a username to have a password reset but often the site will tell the user if the name entered does not exist.
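The two suggestions from the listserv, plus the password-reset point, fit into one small account service. The code below is an added example written for these notes, not anything posted on the listserv: a user picks a display name and the system appends a random four-digit suffix so the chosen name never has to be reported as "taken"; registration by email and password reset both return exactly the same response whether or not the account exists, with the distinction pushed into the email that is sent. The in-memory store and the outbox list stand in for a database and a mail gateway and are assumptions of the example.

```python
import secrets

# Fixed responses: the text a caller sees must not depend on whether the name exists.
RESET_RESPONSE = "If an account with that name exists, a reset link has been sent to its email address."
EMAIL_SIGNUP_RESPONSE = "Check your inbox to finish creating your account."


class AccountService:
    def __init__(self):
        self._by_username = {}   # constructed in-memory store: username -> email
        self._by_email = {}      # email -> username
        self.outbox = []         # constructed stand-in for a mail gateway: (email, kind)

    def register_with_suffix(self, requested_name, email):
        """Allocate '<name><4 random digits>' so the user never learns which
        plain names are taken; the random suffix also guarantees uniqueness."""
        for _ in range(100):
            candidate = f"{requested_name}{secrets.randbelow(10000):04d}"
            if candidate not in self._by_username:
                self._by_username[candidate] = email
                self._by_email.setdefault(email, candidate)
                return candidate
        raise RuntimeError("could not allocate a unique username")

    def register_with_email(self, email):
        """Email-as-username variant. An existing account is not revealed in the
        HTTP response; the existing owner gets a 'you already have an account'
        mail instead, and a new user gets the verification mail."""
        if email in self._by_email:
            self.outbox.append((email, "already-registered"))
        else:
            self._by_email[email] = email
            self._by_username[email] = email
            self.outbox.append((email, "verify-signup"))
        return EMAIL_SIGNUP_RESPONSE

    def request_password_reset(self, username):
        """Same response for known and unknown names; only a known account
        actually causes a reset token to be mailed."""
        email = self._by_username.get(username)
        if email is not None:
            token = secrets.token_urlsafe(32)
            self.outbox.append((email, f"reset:{token}"))
        return RESET_RESPONSE


if __name__ == "__main__":
    svc = AccountService()
    name = svc.register_with_suffix("alice", "alice@example.invalid")
    print("allocated", name)
    print(svc.request_password_reset(name))
    print(svc.request_password_reset("nobody"))
```

Two things still leak on real sites even with this shape: response time (a lookup that sends mail on the hit path is measurably slower, so queue the mail rather than sending it inline) and any secondary endpoint such as a profile page or an API that answers differently for existing names. The uniform response only helps if every channel keeps it uniform.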
- New TSA Rules and TSA site - Know that now children under 12, and passengers 75 or older, no longer have to take off their shoes at security.
- On a different listserv, someone was looking for help because if you did a search for his site on Yahoo, you saw ads for a brand of shoes. But clicking on the links in Yahoo, took you to the site and looked normal. However, if you changed your User Agent to Google Bot and clicked on the same links, you went to a different web site that sells shoes. This issue is near and dear to me as it's one that I had to deal with and clean up as well. The problem resides with altered .htaccess files. Usually due to the files being writeable by the web server and having some other insecure software on the site.
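Cleaning this up means finding the rewrite block that keys on the crawler's User-Agent and fixing the permissions that let it be written in the first place. The audit below is an added example for these notes, not code from the listserv thread or from any real cleanup: it scans a constructed .htaccess for a RewriteCond on HTTP_USER_AGENT that names a search-engine bot and is followed by a RewriteRule sending traffic to another host, and separately reports whether the file is writable by group or others (the "writable by the web server" condition in the note). The sample rules, the .invalid hostname and the bot name list are assumptions of the example.

```python
import os
import re
import stat

# Crawler names commonly used in cloaking conditions (assumed list for the example).
BOT_UA_RE = re.compile(r"googlebot|bingbot|slurp|yandex|baiduspider", re.IGNORECASE)
EXTERNAL_TARGET_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample: one legitimate rule, plus a block that redirects only
# search-engine crawlers to a third-party store while humans see the normal site.
SAMPLE_HTACCESS = """\
# constructed sample .htaccess
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteCond %{REQUEST_URI} !^/shoes-store
RewriteRule ^(.*)$ http://shoes-store.invalid/$1 [R=301,L]
RewriteRule ^about$ /about.php [L]
"""


def audit_htaccess(text):
    """Return a list of findings, one per RewriteRule whose condition chain
    includes a search-engine User-Agent match and whose target is an external URL."""
    findings = []
    ua_cond_line = None          # line number of the bot UA condition in the current chain
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            # Conditions chain until the next RewriteRule; remember a bot-UA one.
            if len(parts) >= 3 and "HTTP_USER_AGENT" in parts[1].upper() and BOT_UA_RE.search(parts[2]):
                ua_cond_line = lineno
        elif directive == "rewriterule":
            target = parts[2] if len(parts) >= 3 else ""
            if ua_cond_line is not None and EXTERNAL_TARGET_RE.match(target):
                findings.append({
                    "rule_line": lineno,
                    "condition_line": ua_cond_line,
                    "target": target,
                    "reason": "crawler-only redirect to another host (cloaking)",
                })
            ua_cond_line = None  # a RewriteRule consumes the preceding condition chain
        else:
            ua_cond_line = None  # any other directive breaks the chain
    return findings


def writable_by_others(path):
    """True if group or other write bits are set, i.e. the web server (or any
    local user) could modify the file without owning it."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_htaccess(fh.read())
    return {"cloaking": findings, "writable_by_others": writable_by_others(path)}


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {f['rule_line']} (condition on line {f['condition_line']}): "
              f"{f['reason']} -> {f['target']}")
```

Running this over every .htaccess under the document root (they can sit in any subdirectory) is the quick check; the longer one is finding the other insecure software that let the file be written, since the rules will simply come back otherwise.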
- Don't forget about BSides RI, June 15, still looking for speakers and sponsors! email@example.com http://securitybsides.com/BSidesRI