From Security Weekly Wiki
3,497 bytes added ,  19:10, 6 October 2011
== Larry's Stories ==
#[ American Express 0-day] - [Larry] - Oh man, how sloppy can you get. This researcher (who allegedly tried to report it responsibly, albeit with limited communication options) found that the American Express US Admin page was apparently left open to the world without access restriction or password. Access to the admin app gives debug access and the ability to view/steal cookies. Need a little automation with the "attack"? The debug is vulnerable to XSS, and using some GET requests, it may be possible to create a refresh to inject code indefinitely, and steal cookies with injected jQuery commands. Sloppy, Sloppy, Sloppy.
#[ OMG WIFIJAMMER!] - [Larry] - Ok, cool script for automating what is a fairly easy attack... BUT. Get your terminology right; jamming would refer to shenanigans at Layer 1 by introducing noise into the air, or reserving access to the medium with RTS/CTS. This is not a "jam", it is a "deauth", an attack that has been around for some time, by spoofing deauth frames from AP to STA. Of course, this may not be completely usable in the current form, as many new wireless drivers specifically ignore deauth sent to broadcast...
#[ WiFi users still at risk] - [Larry] - In a poll done by the WiFi Alliance (yes, the folks that ensure interoperability for WiFi devices), they noted that while many users now set up appropriately secure wireless networks (with WPA/WPA2 PSK, natch), they do not concern themselves with much else, like non-default/non-weak passwords, VPNs at hotspots, or even not connecting to non-preferred networks. This is what happens when technology enables security through design, but other technology is in place and active that allows users to remain blissfully ignorant... and pwned.
#[ The Matryoshka Router] - [Larry] - Didier finds open ports on the WAN of his ADSL router, even though the router was configured properly (ports 2002, 4002, 6002 and 9002). I've seen this on assessments, and not had the same luck as Didier - he reports that even though the passwords were changed, he was able to log into those unknown ports with telnet and the default username and password (I'm guessing cisco/cisco), which appeared to be bound to various VTY lines. A word to the wise, folks: just because it isn't an "ethernet interface", be sure to apply ACLs to your VTY lines as well. Now, because SHODAN only scans specific ports, I really need to figure out a repeatable nmap command line to quickly (a relative term) scan the entire internet for specific ports. Where's fyodor and Ron Bowes when you need them?
#[ Fail an audit already, will ya?] - [Larry] - Yes, it is ok not to be perfect. Here's how you get backing to help fix it. It is ok to fail, 'cause all good security folks would admit that there is no such thing as perfect security, so why are your audits coming back that way? From the article: "in the past three years 36% of companies had suffered a breach and yet only 15% had failed an audit".
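The "apply ACLs to your VTY lines" advice in the Matryoshka Router item, as an added example that is not from the wiki page or from Didier's write-up. It assumes a Cisco IOS-style router (the vendor is only guessed above), uses 192.0.2.0/24 as a stand-in for the management subnet and 10 as an arbitrary ACL number, and shows the defensive side only: restrict who can reach the VTY lines, replace the default credentials, drop telnet in favour of SSH, and verify afterwards.

```cisco
! Added example, not configuration from the page: restrict VTY access on a
! Cisco IOS-style router. 192.0.2.0/24 is a placeholder management subnet.
access-list 10 remark Management hosts allowed to reach the VTY lines
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! Replace the default username/password the open VTYs were accepting.
username admin privilege 15 secret REPLACE-WITH-A-STRONG-PASSWORD
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Verification after the change:
!   show access-lists 10   - match counter on the deny line = blocked attempts
!   show line vty 0 4      - confirms the access-class and transport settings
```

The access-class applies to the VTYs because that is where the item says the unexpected ports were bound; if a router exposes the same service on aux or async lines instead, the same access-class and transport restrictions belong on those lines too. Checking the deny counter with show access-lists 10 is the quick way to see whether anything from the WAN is still knocking.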