InfoSec Daily Podcast Episode 822 for December 21, 2012. Tonight's podcast is hosted by Steven Hatfield with Boris Sverdlik, Themson Mester, and Justin Brown.
Announcements
Securi-Tay
When: January 16, 2013
Where: Abertay University in Scotland (drink more scotch)
Tickets are on sale! They're £10 (ten pounds) and can be bought from the website (securi-tay.co.uk). It's a student-run security conference and the money goes to cover the cost of running it; any surplus will be put behind the bar, so the more people that buy tickets, the more drunk everyone can get. Plus it's Scotland, so they have good whisky. Get on it people!
CFP is CLOSED!
ShmooCon
When: February 15-17, 2013
Where: Washington DC
http://shmoocon.org (spridel is going, them is going, I'm a pony)
BSides Boston
When: February 23, 2013
Where: Microsoft’s New England Research & Development Center (NERD) Cambridge, MA
http://www.securitybsides.com/w/page/12194141/BSidesBoston
CFP is OPEN!
CarolinaCon
When: March 15-17, 2013
Where: Raleigh, NC
CFP is OPEN!
BSidesPuertoRico
When: April 5-7, 2013
Where: San Juan, Puerto Rico
CFP is OPEN!
Cost: TBD.
BSides Orlando
When: April 13-14, 2013
Where: Orlando, FL
CFP is open http://www.securitybsides.com/w/page/61141960/BSidesOrlandoCFP
BSidesLondon
@bsideslondon
When: April 24, 2013
Where: London, England
http://www.securitybsides.com/w/page/59132020/BSidesLondon-2013
https://docs.google.com/spreadsheet/viewform?formkey=dGYyQzA0N1hlY2J0cDEwS2RYcUk5WFE6MQ#gid=0
BSidesMemphis
When: May 18, 2013
Where: Southwest Tennessee Community College
http://www.securitybsides.com/w/page/59761145/BsidesMemphis2013
AIDE InfoSec Conference
When: May 24 and 25
Where: Huntington, WV
BsidesLV 2013 “Science Fair”
http://blog.uncommonsensesecurity.com/2012/08/the-bsides-las-vegas-2013-innovation.html
DerbyCon 3
When: September 26-30, 2013
Where: Louisville, KY
http://derbycon.com
For easy use of the Amazon Affiliate link, use AffiliateFox. Configure it for amazon.com with infdaipod05-20, and for amazon.co.uk with infdaipod-21. Thanks for supporting the podcast!
Stories
Source: http://www.securityweek.com/researcher-ciscos-patch-against-voip-hack-easily-bypassed
Earlier this month Ang Cui, a fifth-year graduate student from the Columbia University Intrusion Detection Systems Lab, demonstrated a series of vulnerabilities while presenting at the Amphion Forum. One of them, affecting VoIP offerings from Cisco, was previously patched, but the researcher claims that didn’t fix the issue.
Using a common Cisco-branded VoIP phone, Cui inserted and then removed a small external circuit board from the phone's Ethernet port and then used his own smartphone to capture every word spoken near the VoIP phone, even though the handset was still on the hook. Cisco said the vulnerability was patched in November, and was dismissive of the overall attack, as it required physical access to the device.
However, Cui countered that argument, noting that the attack could easily be accomplished by a company visitor left unattended for just a few seconds. Further, in an interview with ThreatPost, he and his advisor, Salvatore J. Stolfo, told Kaspersky Lab's news service that the patch from Cisco was version specific, requiring only a slight modification to the exploit in order to bypass November's fix.
…
Source: http://www.net-security.org/secworld.php?id=14146
GreenSQL revealed that 88 percent of all companies participating in its December survey do not protect their databases from both external and internal threats, and almost one fifth do nothing to protect their databases at all.
IT professionals were asked: “How do you protect your data from SQL injection attacks?” Respondents said:
- I improve code practices – 52%
- I do not protect my database from SQL injection attacks – 18%
- I use an application firewall – 18%
- I use a database firewall – 12%
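The survey's three options map to very different levels of assurance. The snippet below is an added illustration (not from the GreenSQL survey or its write-up) using an in-memory SQLite table with constructed sample rows: a login check built by string concatenation, the same check parameterised ("improve code practices"), and a toy blacklist of the kind a hastily written application-firewall rule might use. The `/*` payload shows why filtering is a weaker control than parameterisation: it contains none of the tokens the blacklist looks for, yet still truncates the query (SQLite treats an unterminated block comment as running to the end of the input). The table, column names and placeholder hashes are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with placeholder hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: attacker-controlled text becomes SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def naive_filter(value):
    """Toy blacklist standing in for a signature-based firewall rule.
    Returns True when the input 'looks malicious'. It catches the textbook
    payloads but not every way of commenting out the rest of a statement."""
    lowered = value.lower()
    return "--" in lowered or " or " in lowered


if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "alice' --", "alice'/*"):
        print(
            "%-10r filtered=%-5s vulnerable=%-5s safe=%s"
            % (
                user,
                naive_filter(user),
                login_vulnerable(db, user, "wrong"),
                login_safe(db, user, "wrong"),
            )
        )
```

Running the block shows the concatenated query accepting both comment-based payloads with a wrong password, the blacklist flagging only the `--` variant, and the parameterised query rejecting everything except a genuine username/hash pair. A database firewall sits one layer further out and faces the same signature-versus-grammar problem; fixing the query construction removes the class of bug rather than a list of known strings.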
…
http://securityreactions.tumblr.com/post/38301919186/yet-another-2013-predictions-article
http://www.theregister.co.uk/2012/12/21/facebook_paid_message_delivery/
Facebook, which began the year with a reputation for caring more about its users than about making a buck, is ending the year with the rollout of yet another way to try to squeeze more money from its members.
This latest money-making effort comes with a revamp of its popular Messages service — that part of Facebook through which you can message/e-mail your "friends" and, in fact, those who aren't your friends. What's changing — and a spokesman describes it to CNET as a "small experiment" — is that Facebook will start charging some people for messages they want to send to people they're not friends with.
The $1 cost seems steep just to shoot someone a message, but no matter. Facebook will surely drop the price if no one uses it. But the bigger point: This latest "test" shows that Facebook, eager to prove to Wall Street that it's building a cash-generating empire, is looking for more ways to add revenue streams not tied to advertising and, importantly, is trying to get more user credit cards on file.
…
Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored on disks and volumes encrypted with the desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows Server 2003 and Windows Server 2008. The price tag isn't outrageous, but EFDD will still set you back a solid $299. Note that the tool does not break the ciphers themselves: it recovers the volume keys from a memory dump or hibernation file captured while the volume was mounted, so a machine that was powered down cleanly with the volume unmounted is not exposed.
EFDD offers access to encrypted information either by completely decrypting everything or by decrypting individual files in real time. You can choose either to decrypt all files and folders stored in the cryptographic container (full, unrestricted forensic access to all stored information) or to mount the encrypted volume as a new drive letter for instant access (information is decrypted on the fly).
…