Your daily source of Pwnage, Policy and Politics.


Episode 551 – Pentest Lessons, China Hacks Your Thermostat, Mind Control Virus, Cheap iPhones & GPS Spoofing

InfoSec Daily Podcast Episode 551 for December 21, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.
 

Announcements:

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity is a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

CampusCon 2012
When: January 21, 2012
Where: WIT {Waterford Institute of Technology} Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)

SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

LayerOne
When: May 26-27, 2012
Where: Unannounced
Los Angeles area
http://www.layerone.org/

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.


Pentest Lessons:
Adam Compton & Zac Wagle should get credit for the "Pentest Lessons" idea. They also started a Twitter account: https://twitter.com/pentestlessons.

Lesson 1: Don't blindly follow the intern's suggestions.
Lesson 2: Don't enable the firewall on a host you've compromised without first checking the rules to see if you're going to block your own connection to the host.

Backstory: They popped a box via a ColdFusion vuln and ran into an issue that required some network troubleshooting. The intern suggested turning on the firewall so they could use its logging to troubleshoot. They turned on the firewall and POP! No more connection. In addition, port 80 got blocked, so the customer's site went down as well. They had to call the customer to get the firewall turned back off.
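As an added example (not code from the podcast or from Compton and Wagle), here is the pre-flight check Lesson 2 calls for: parse a proposed iptables INPUT ruleset and replay the connections that must survive (your own session, the customer's public services) before the rules go live. The ruleset, addresses and session list are constructed for the example.

```python
"""Pre-flight check for Lesson 2: replay the connections you must keep against the
proposed INPUT rules before enabling them. Constructed example, not podcast code."""
import ipaddress
import re

# Constructed ruleset in iptables-save syntax (real input: `iptables-save` output).
# It allows SSH only from 10/8 and HTTPS, and forgets HTTP on port 80.
PROPOSED_RULES = """
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP "
COMMIT
"""
FIELDS = (("proto", r"-p (\S+)"), ("src", r"-s (\S+)"), ("dport", r"--dport (\d+)"),
          ("state", r"--state (\S+)"), ("target", r"-j (\S+)"))

def parse_rules(text):
    """Return (default INPUT policy, list of INPUT rules) from iptables-save text."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            rules.append({k: (m.group(1) if (m := re.search(p, line)) else None)
                          for k, p in FIELDS})
    return policy, rules

def matches(r, proto, src, dport, new):
    return ((not r["proto"] or r["proto"] == proto)
            and (not r["src"] or ipaddress.ip_address(src) in ipaddress.ip_network(r["src"]))
            and (not r["dport"] or int(r["dport"]) == dport)
            and (not r["state"] or not new or "NEW" in r["state"]))  # ESTABLISHED skips new flows

def verdict(policy, rules, proto, src, dport, new=True):
    """First matching terminal rule wins; LOG is non-terminal, as in iptables."""
    for r in rules:
        if matches(r, proto, src, dport, new) and r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy

def preflight(text, sessions):  # sessions: {name: (proto, src, dport, is_new)}
    policy, rules = parse_rules(text)
    return [n for n, s in sessions.items() if verdict(policy, rules, *s) != "ACCEPT"]

SESSIONS = {  # constructed: the tester's own session and the customer's public site
    "own session, already established": ("tcp", "192.0.2.10", 22, False),
    "own session, on reconnect": ("tcp", "192.0.2.10", 22, True),
    "customer site, HTTP": ("tcp", "198.51.100.7", 80, True),
}
```

`preflight(PROPOSED_RULES, SESSIONS)` reports the reconnect and the customer's HTTP service as blocked: the established session only survives through the ESTABLISHED rule, so anything conntrack does not already track, and every reconnect, is judged as a new flow.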

Lesson 3: Don't scan Polycom VoIP phones' embedded web server with a web scanner or vulnerability scanner with web checks enabled. You will reboot every phone. The federal contractor I was working for had executives in all-day conference calls with their government clients. Their conference calls were rudely cut short.

Lesson 4: Your company’s network is most secure when all of the employees are on vacation.
Lesson 5: Do not copy content from one pentest report to another. Saving 10 minutes is not worth getting fired.
Lesson 6: Do not copy a PDF from an OpenOffice Word to an Office XP into an Office 2011. It's hell to read for anyone else, and crashes systems.
 

Stories

Source: http://online.wsj.com/article/SB10001424052970204058404577110541568535300.html

In Beijing, Foreign Ministry spokesman Liu Weimin said at a daily briefing that he hadn't heard about the matter, though he repeated that Chinese law forbids hacker attacks. He added that China wants to cooperate more with the international community to prevent hacker attacks.

The Chamber moved to shut down the hacking operation by unplugging and destroying some computers and overhauling its security system. The security revamp was timed for a 36-hour period over one weekend when the hackers, who kept regular working hours, were expected to be off duty.

Damage from data theft is often difficult to assess.

People familiar with the Chamber investigation said it has been hard to determine what was taken before the incursion was discovered, or whether cyberspies used information gleaned from the Chamber to send booby-trapped emails to its members to gain a foothold in their computers, too.

Chamber officials said they scoured email known to be purloined and determined that communications with fewer than 50 of its members were compromised. They notified those members. People familiar with the investigation said the emails revealed the names of companies and key people in contact with the Chamber, as well as trade-policy documents, meeting notes, trip reports and schedules.

Source: http://www.msfn.org/_/security/hackers-may-develop-a-computer-virus-to-infe-r8865?

"Synthetic biology" is accelerating "faster than computer technology", say experts who have warned that hackers could someday use it to develop a computer virus to bend human minds.

According to Andrew Hessel of Singularity University on US space agency NASA's research campus, "It could lead to a world where hackers could engineer viruses or bacteria to control human minds.

"This is one of the most powerful technologies in the world. Synthetic biology — the writing of life. I advocate cells are living computers and DNA is a programming language.

"I want to see life programmed and used to solve global challenges so that humanity can achieve a sustainable relationship within the biosphere. It's growing fast. It will grow faster than computer technologies."

He predicts a world where people can "print" DNA, and even "decode" it. But he warned that viruses and bacteria send chemicals into human brains and could someday be used to influence, or even "control" people, 'Daily Mail' reported.

A literal virus — injected into a "host" in the guise of a vaccine, say — could be used to control behaviour, says Hessel who warns people "may've to learn how to counterattack" against such weapons.
….
Source:  http://blog.trendmicro.com/seasons-warnings-iphone-4s-scam-and-other-holiday-threats

Looking for cheaper iPhone 4S this holiday season? Be wary, because cybercriminals can trick you into giving out your online financial credentials. We’ve recently found a phishing attack that specifically targets users who are out to purchase an iPhone 4S through eBay.
The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.