Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 266 for Thursday November 3d, 2011.
- Check out Hack Naked TV
- Larry is teaching SEC580 Metasploit Kung Fu for Enterprise Pen Testing in San Antonio, TX December 4-5. Tell them that NYC is where Salsa is being made now. Want 10% off of every class in San Antonio? Use the discount code Larry-SA10
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
- BSides, BSides, BSides everywhere
Guest Interview: Jeff Moss
6:00 PM EDT
Black Hat Founder and Director Jeff Moss has spent almost 2 decades as founder and director of Black Hat and DefCon, two of the most important security conferences in the world. In 2009 Moss was appointed to the Homeland Security Advisory Council to provide advice and recommendations to the Secretary on matters related to homeland security. Jeff has also worked for Ernst & Young, LLP in their Information System Security division and is currently CSO of ICANN.
PaulDotCom rapid fire questions round (TM):
- Which 3 letter acronym scares you the most?
- When playing a game of ass-grabby-grabby do you prefer to go first or second?
- Android, iOS or Blackberry?
- 3 Words to describe yourself.
- In a life or death situation if you had to give mouth-to-mouth recessitation to someone would you rather it be 1) Linday Lohan 2) Kevin Mitnick 3) A Defcon attendee chosen at random
- How did you get your start in information security?
- Tell me about the early days of Defcon, how did you get the idea to start a hacker conference?
- Were the initial Defcon conferences "crazy" because of the age of the participants, hackers outlook on life in general, just some irresponsible people, all of the above? What are some of the more funnythings that have happened at previous Defcon conferences.
- At some point you went on to create Blackhat, how did that come about?
- Many people have commented that when you sold Blackhat to CMP Media you were "selling out", What is your response to such comments?
- How has the attendee composition of your conferences changed over the past few years?
- Do you worry that "hacking" (white-hat, not pejorative) today is becoming less of an intelectual challenge and more "here, click this link"? Is this a good thing or a bad thing?
- Recently several organizations have suffered major security breaches, including HBGary, RSA, and Sony, what should organizations be learning from these breaches?
- Looking forward, what security trends, offensive or defensive, scare you the most?
- On the flip side, what trends, if any, in information security give you the most hope?
- How have companies outlooks on security changed over the years? Are making progress by speaking about security issues or is it falling on def ears?
- On a federal level, do you believe the Government should regulate and/or enforce secure coding practices?
- Tell us about your work with the Security Advisory Council.
- What are your responsibilities as ICANN Chief Security Officer?
Guest Tech Segment: Jon McCoy
Jon McCoy is a .NET Software Engineer who focuses on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for the paralyzed. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself.
Stories For Discussion
- Majority of mobile users under 44 now have a smartphone - S, but, like, who cares? Does the age of a smartphone user really matter? We know more people are going to use smartphones. The scary thing is that few of them are smart with how they user them, regardless of age!
- Hardware disposed of in a toilet - "The Royal Data Throne is a place where data is ... disposed," says PCB Creations. "This is a fun sculpture that is full of detail, it has guts in the tanks and a secret hiding place for your ... data under the lid." What a load of crap. I was really hoping this story was going to be about someone who took home a USB thumb drive and their kid stole it and flushed it down the toilet. Then, some sewage treatment plant employee pulled it out of the pipes, cleaned it off, and plugged it into his computer at work. And some cyber attacker pulls off an APT attack and blames it on Lulzsec, when really it could be an act of cyberwar. Drink 10 times now :)
- Apple reportedly making 2M iPad 3 units in 2011 & unveiling iPhone 5 in late 2012 - You know what, I'm really pissed… Okay, not really. I will likely buy the new iPad and the new iPhones and sell my old devices. Interesting though, with Apple releasing new hardware so often, and there being a HUGE market for used devices, and the upgrade process very painless means… People's data could be at risk. Make sure you wipe your devices, you don't want an attacker to gain a hold of your iTunes account or email server credentials. That would be bad, but at least you'd have the latest device from Apple to Tweet and Facebook about your security breach, even better if an attacker does that for you, or not..
- Ongoing drive-by download campaign hijacked MIT server - Amazing how things never change. There are stories that go way back, telling of interesting things that have happened on the MIT network, and I'm sure a library of ones we don't know about. Its not just MIT, but Universities remain a target, primarily for bandwidth and availability of unmanaged systems. This script, hosted on MIT's server, looked for vulnerable PHPMyAdmin servers and compromised them. Then they use the access to the database to write exploit code into all the web sites and pages hosted in the database. Its a really neat attack. Lesson's learned? 1) Even blocking all traffic from MIT doesn't help you 2) Don't leave PHPMyAdmin exposed to the Internet 3) Try to monitor your network to look for this stuff.
- Holiday shopping with personal devices at work could pose security risk - I mean really, are we that concerned with employees doing Internet shopping when they are using IE 6 on some old legacy app that you can't upgrade because its no longer supported and the vendor wants $$ to upgrade, but you won't, and it can't be patched, and its full of XSS and SQLi that my toddler can exploit? But really, people shopping online is the real threat. Oh, I get it, no wait, I really don't...
- Study: Many Facebook users are careless - Just an FYI careless means stupid, they just didn't want to say stupid, but we'll say it, many Facebook users are stupid. I mean, unless you really believe that someone wants to give you free iPads, Southwest tickets, Starbucks gift cards, and that Justin Beiber has actually gone through puberty to father a child? Come on!!!!
- Thousands of WordPress blogs hijacked to deploy malicious code - Avast hasn't disclosed what kind of hole in TimThumb is being exploited by the attackers. The hole is probably a vulnerability that was exposed three months ago which was already being actively exploited at that time; even one of the developers was affected. So, we know there is a vulnerability, people are exploiting it, but we're not going to fix it and focus on playing Battlefield and new features. FAIL.
- The 8 Craziest YouTube Account Hacks - I just wanted to make sure everyone saw this, because its funny.
- Pump Up the Insulin - [Larry] - Barnaby Jack is my hero, again. He's taken this liking to embedded devices, and this time into insulin pumps. He built a 900Mhz sniffer and omnidirectional antenna to discover the devices,, and when queried cough up their serial number - this serial number is needed to perform additional interactions with the device. From there, he developed tools to be able to increase the insulin dosage, including the ability to unload all 300 units at once. (yeah,m that is MORE than enough to kill you). Normally the device would vibrate or emit an alarm when the dosage is changed wirelessly, but Jack found a way to disable that too, over wireless. The vendor says they are looking at a fix, including encryption. Nothing like not thinking about security 10 years ago…
- Common Mobile App vulns - [Larry] - While this may not be earth shattering news to some of our listeners, it still fascinates the heck out of me that, web app vulnerabilities form like 10 years ago, are STILL available in mobile apps, and fail on ALL of the same things that we've been preaching about for years. Why does this happen? Do the developers think that their traffic is secure over the cell networks? what about that WiFi stuff? Do the devs forget or is it just laziness?
- Taking down a A Cartel - [Larry] Subtitled as "Wow, who thought this was a smart idea?" Allegedly Anonymous wants to bring down a drug cartel that they have information on supporters and members. While it may be fun to think that they can change the world by doing so, they quickly "backed down" (at least by some reports), after hearing that the cartel was employing their own computer folks to track down the anonymous members. Umm, hello, organized crime has the correct kind of resources to do the tracking. I wonder if the story was done by the government to expose anonymous?
- 1:60 FaceBook posts are malicious and 1:100 tweets are malicious - Inconceivable that malicious activity happens on these social sites… 14 percent of linked-in users felt un-secure using the site. wonder what the next target will be.
- China Did it - Apparently we can blame China for everything… China the NEW APT… how long before vendors actually says that they keep china out of your network?
- Chemical Industry under attack and ITS CHINA AGIAN!! - See….
- US observation satellites hacked by China - will the insanity ever stop?
- even Mr. Kapersky himself is in the China CYBER terrorism camp - Who is going to stop the great Chineese menace?
- VIM turns 20! - 20 years ago VIM was released I know a lot of us use it.