Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 318 for Thursday January 31st, 2013
- Offensive Countermeasures in Europe! - March 12-15 in Amsterdam!
- Security BSides Rhode Island HUGE ticket announcement
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts.
- New tech segment on SQL injection and PHP at http://pauldotcom.com by intern Patrick Laverty - "From '1' to Pwned: Using SQL Injection and PHP to Own the Box"
SANS is running a special promotion for Forensic Online courses.
To learn more about the 15% discount on online forensic classes, visit SANS Specials Training page, which will also tell you how to access the many FREE forensic resources available from SANS. Hurry, the discount will only be valid through February 20.
Interview: Dr. Gene Spafford
Dr. Spafford is one of the senior, most recognized leaders in the field of computing. He has an on-going record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cybercrime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies... [With over three decades of experience as a researcher and instructor, Professor Spafford has worked in software engineering, reliable distributed computing, host and network security, digital forensics, computing policy, and computing curriculum design. Dr. Spafford is a professor with an appointment in Computer Science at Purdue University, where he has been a member of the faculty since 1987.]
- Join us on our 3d ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library and we indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
- Suicidal Sensors: Darpa Wants Next-Gen Spy Hardware to Literally Dissolve - Talk about wiping your phone, not just wiping, but it would literally melt! This cannot get into the hands of administrators, can you imagine if the system controlling this got hacked and you melted every phone in the organization? Scary, but freaking cool. My guess is the CIA and NSA already have such technology, but then again I watch too many movies.
- VMware Management Interface - A Little Story of XSS - An XSS vulnerability in VMware is bad. Once an attacker gets on the internal network, or learns of your architecture, getting you to click on a link could lead to forking over complete control of your virtualization environment. I am a firm believer that you need to patch and harden the crap out of your virtualization platform. As a pen tester, its a huge target for me, I will take all those snapshots thank you very much.
- Hackers Hijacking Security Cameras for Malware and Spying - "In addition to security cameras, modems, printers and routers, Stiansen says the company’s honeypots are also picking up increased traffic from smart TVs." Yes, bring on the embedded device hacking baby! Love it. It amazes me that we are still dealing with this problem. The more embedded systems we deploy does not in and of itself increase awareness. I watch a lot of spy shows. The good and bad guys are always hacking into the CCTV cameras, spying or running a loop to evade detection. It happens fast, like hollywood hacking. The scary part is that it happens just as fast in real life because no one pays attention to the security of their security systems. WHY??!?!?!?!?!?
- Web smut sites are SAFER than search engines - Its safer to surf to news web sites than porn web sites. This is great, see now we can adjust the web filters to ONLY allow people to browse for porn. Nice! Score, get the lotion as we say.
- Chinese hackers break into the New York Times - The New York Times has reported that for the last four months Chinese hackers have been infiltrating its networks, broken into the email accounts of senior staff, stolen the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees. Sounds like they got a free pen test, but never got a report.
- Kali Linux – A Teaser into the Future. - I like how as awesome as Backtrack is, they are constantly making it better. I like how it went from a bootable CD, to a full-fledge Linux distro. I will always have a VM running Backtrack, its just handy to have a bunch of tools that work in one place.
- Hacker 'sextorted' 350 women into stripping off after stealing embarrassing pictures - he then attempted to blackmail the women into letting him take topless pictures of them via webcam using Skype, posting pictures on their Facebook pages if they refused to cooperate. Okay, so here's the thing, if you are going to store naked pics of yourself on your computer, don't include your face! Also, try not to let people install malware on your systems. And if push comes to shove, just let them post the pictures and try to profit from it, heck it worked for Kim Kardashian.
- UPnP scan shows 50 million network devices open to packet attack - This is not a shock to me at all. UPnP is horrible, there just had to be a flaw in there somewhere. HD Moore found some, and turns out there are millions of vulnerable devices on the Internet. I am so happy to see this research come to light, it needs to happen. Free tools exist to check for the vulnerabilities, and details are forthcoming.
Jack's Stories that would make Motley Crue blush
- The New York Times was hacked by evil Chinese hackers. Or maybe the story is not completely accurate?
- Once More Into The (PRC Aggregated) Breaches an informative post by Bob Rudis on the challenges of interpreting aggregated data sources.
- Security No-Man's Land Mike Rothman reminds us of the "have-nots" of InfoSec as we approach the RSA conference. Echoing some of what Dan Geer wrote about the week before, and some of Wendy Nather's "Security Poverty Line" work- it is important to remember that imnproving security for Fortune 1000 companies falls far short of actually improving security overall.
- Robert Graham's ten-year retrospective on the SQL Slammer worm
- Remember the college kid tossed from school for reporting a vulnerability? It turns out his story isn't quite as innocent as it was portrayed by some. Still dumbness and overreaction IMHO, but more has come to light, including this letter of expulsion.