Your daily source of Pwnage, Policy and Politics.


Episode 559 – Pentest Lessons, Mobile Browsing, IE6, Anonymous, SQLi and Hacker Army

InfoSec Daily Podcast Episode 559 for January 4, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Geordy Rostad, and Keith Pachulski.
 

Announcements:

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.

Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to.  Please feel free to check in for status or to donate.  Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

CampusCon 2012
When: January 21, 2012
Where: WIT (Waterford Institute of Technology) Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)

SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Social Engineering Training
When: March 5-9

Where: Seattle, Washington

When: April 9-13

Where: Bristol, UK

http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.


Pentest Lessons:
Adam Compton & Zac Wagle should get credit for the "Pentest Lessons" idea. They also started a Twitter account: https://twitter.com/pentestlessons.

Lesson 1: Know not only how to use the tool, but what the tool can and cannot do.
Lesson 2: ALWAYS read the Statement of Work (SOW) before you show up on-site.
Lesson 3: Write down what you've found, including the how and the when.*
Lesson 4: When you run an exploit, don't do it blindly. Always, always know what the exploit does and how it will affect the machine you're attacking. (Deploying an "agent" means you've exploited the machine.)

* Very Important

Stories

Source:  http://news.cnet.com/8301-30685_3-57350968-264/mobile-browsing-reaches-all-time-high

If you haven't whipped your Web site into shape for easy viewing on small-screen devices, you'd better get cracking.
[Chart: Mobile browsing reached its highest levels so far, 7.7 percent of total browser usage, in December. (Credit: Net Applications)]
That's because the use of mobile devices reached an all-time high in December, accounting for 7.7 percent of browser usage according to Net Applications' measurements of daily visits to its network of 40,000 Web sites. That may still be a small fraction of total Web traffic, but it's a large and growing population in absolute numbers.
Tablet browsing in many ways is similar to desktop browsing; screen resolution on the dominant iPad and iPad 2 aren't that far off a laptop. But touch interfaces are different from mouse interfaces, especially when it comes to tapping buttons with precision. And smaller tablets are awkwardly in between the iPad and mobile-phone screens. It's for these reasons that there's a lot of work in retooling CSS and other Web technologies to make Web sites adjust to different screen sizes, but for now it's a tough challenge for Web programmers.
Among mobile browsers, Apple's Safari remained the top dog with 53.3 percent of usage, a drop from 55.0 percent in November. Opera rose to 21.7 percent and Google's Android browser dipped to 15.9 percent in December, making their reversed positions in October look more like an anomaly than the new order.
[Chart: Apple's Safari leads mobile browser usage. (Credit: Net Applications)]
In the desktop browser market, months-long trends continued unabated. The top dog, Microsoft's Internet Explorer, fell from 52.6 percent to 51.9 percent. Mozilla's Firefox also fell, 22.1 percent to 21.8 percent, while Google's Chrome rose from 18.2 percent to 19.1 percent.

….

Source:  http://www.flyingpenguin.com/?p=15273

The end of December 2011 marked a significant milestone for IE6 measurement. The U.S. finally has dropped below 1% usage.  Things even are looking good for bright red China, which still sits over 25% (4% of the world) but has dropped a whopping 10% in under a year.
It is possible that measurement methods may be skewed by proxies and bogus tokens but the more likely story is that China is on a browser support time-line that can't seem to get past an OS introduction date.
This reminds me of a time years ago when I was called in by a huge software-as-a-service provider and asked how to get SSLv2 through a PCI DSS assessment. "Why would you want to do that" I asked. "We have a lot of IE6 users" was their reply.
My response was twofold. First, I questioned whether the IE6 data and SSLv2 data were trusted. Browsers can negotiate down to SSLv2, but that does not mean they were incapable of running SSLv3 or better. Perhaps if they dug into the data they would find a different picture and see far less IE6. Second, I recommended posting a warning banner to any IE6 user to upgrade their browser within a set time-frame or with a count-down clock. Even something like an orange warning banner would be nice.
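As an added example (not from the flyingpenguin post), here is the kind of digging into the data the author suggests: a Python script that parses access-log lines carrying the negotiated SSL/TLS protocol, tallies hits by browser class and protocol, and lists the IE6 client addresses that never negotiated anything better than SSLv2. It also produces the upgrade-banner text for IE6 user agents. The log format is assumed to be an Apache combined log with the protocol appended via mod_ssl's `%{SSL_PROTOCOL}x` variable; the log lines, addresses and deadline are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log (not from the post). Assumed format: Apache
# "combined" log with the negotiated protocol appended, e.g. via mod_ssl's
# %{SSL_PROTOCOL}x variable in a custom LogFormat.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Dec/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" SSLv2
203.0.113.10 - - [28/Dec/2011:09:00:07 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" SSLv3
203.0.113.11 - - [28/Dec/2011:09:01:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" SSLv2
203.0.113.12 - - [28/Dec/2011:09:02:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" TLSv1
203.0.113.13 - - [28/Dec/2011:09:03:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" TLSv1
203.0.113.14 - - [28/Dec/2011:09:04:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" SSLv3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<proto>\S+)$'
)

# Rank protocols so "best protocol seen per client" is a simple max().
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_ie6(user_agent):
    """IE6 identifies itself with the token 'MSIE 6.0'; later versions use 7.0 and up."""
    return re.search(r"\bMSIE 6\.0\b", user_agent) is not None


def protocol_breakdown(records):
    """Count hits by (browser class, negotiated protocol)."""
    counts = Counter()
    for r in records:
        browser = "IE6" if is_ie6(r["ua"]) else "other"
        counts[(browser, r["proto"])] += 1
    return counts


def ie6_clients_stuck_on_sslv2(records):
    """IE6 client addresses that never negotiated anything better than SSLv2.

    A client that used SSLv2 on one hit and SSLv3 on another was evidently
    capable of SSLv3, so SSLv2 was not actually needed for it.
    """
    best = {}
    for r in records:
        if not is_ie6(r["ua"]):
            continue
        rank = PROTO_RANK.get(r["proto"], -1)
        best[r["ip"]] = max(best.get(r["ip"], -1), rank)
    return sorted(ip for ip, rank in best.items() if rank <= PROTO_RANK["SSLv2"])


def upgrade_banner(user_agent, deadline):
    """Warning banner text for IE6 users, or None for any other browser."""
    if not is_ie6(user_agent):
        return None
    return (f"Internet Explorer 6 will no longer be supported after {deadline}. "
            "Please upgrade your browser.")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(protocol_breakdown(recs).items()):
        print(key, n)
    print("IE6 clients that only ever spoke SSLv2:", ie6_clients_stuck_on_sslv2(recs))
```

The caveat the post itself raises applies to this output: a User-Agent string is a client-supplied token, so the IE6 count is an upper bound, and a proxy fronting many users can make one address look like a single stuck client. The script's value is that it separates "negotiated SSLv2 once" from "can only speak SSLv2", which is the distinction the assessment question turned on.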

….

Source:  http://threatpost.com/en_us/blogs/anonymous-leaks-info-following-california-police-union-website-hack-010312

The website for California’s Statewide Law Enforcement Association (CSLEA) union remained offline Tuesday following the announcement of a hack by well-known hacktivist group Anonymous over the holiday weekend.

In part of what the group has deemed “pr0j3ct m4hy3m,” (project mayhem) Anonymous released approximately 2,500 names, addresses and phone numbers of those affiliated with the union, many of them police officers, according to Sacramento’s News 10. The group also published some of the members’ credit card information taken from the group’s online gift shop.

The hack was made public by a tweet from @YourAnonNews late Saturday: “BREAKING: California Statewide Law Enforcement Agency DEFACED and PWNT by #AntiSec #Anonymous.” A note on the site, also linked to in the tweet and now published on Pastebin, claims that thousands of police user names and passwords had been circulated across Anonymous channels for the two months leading up to the disclosure of the hack.

As Threatpost previously reported, private e-mail correspondence belonging to Fred Baclagan, a special agent with the California Department of Justice, was initially leaked as part of this hack in mid-November.

….

Source:  http://www.securitypark.co.uk/security_article267100.html

It has been reported that the so-called ‘Lilupophilupop.com’ SQL injection attack has now compromised more than a million sites.

Imperva says that the number of site compromises soaring in just a few weeks highlights that SQL injection attacks are still a major problem for companies hosting Web sites, and for their users.

According to Rob Rachwald, Director of Security Strategy with the data security specialist, SQL injection is now the most pernicious vulnerability in human computer history.

“Over the last six years, our research has shown that SQL injection has been responsible for 83 per cent of successful hacking-related data breaches and – as incidents like this confirm – the trend is clearly rising. Perhaps worse, with hackers automating their attacks, no-one who hosts a Web application is immune,” he said.

“Our report of last September (http://bit.ly/vxB5uI) found that Web applications suffered an average of 71 SQL injection attempts every hour – that’s more than one a minute. Specific applications, meanwhile, were found to occasionally be under aggressive attack, with peaks of between 800 and 1,200 attacks an hour – i.e. one attack every 3.0 to 4.5 seconds,” he added.

Rachwald explained that defending against SQL injection attacks is no easy task, since databases are integral components of Web applications.

….

Source: http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/111204/india-hackers-technology-computers

To paraphrase an old saw: It takes a geek to catch a geek. That's the logic behind a new Indian response to the growing threat of cyber war, anyway.

Indian authorities were stunned by the impact of the Stuxnet virus on Iran's nuclear facility at Natanz last year. Now, in the wake of repeated assaults on Indian company and government web sites, an organization of self-professed "white hat" hackers is recruiting its own army.

“If you see the statistics, less than 15 percent of Indians use the internet, but we are already No. 1 when it comes to virus infections and we are No. 2 in cyber crimes,” said Rajshekhar Murthy, an Indian hacker and entrepreneur.

Last month, at Malcon — the malware conference Murthy founded in 2010 — the security expert's nonprofit Information Security and Analysis Center (ISAC) unveiled plans to create a national registry of hackers with the training to protect the country's critical electronic infrastructure.


नहीं टिकटिक मल (Don’t Click Shit)

करते बकवास बात नहीं (Don’t Talk Shit)

 

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.