SANS Pen Test Poster
SANS have put out this nice poster of useful pen-testing resources.
Threat Post has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additionally...
“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”

The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.
Following on from my previous post on 'gaming the system', a friend sent me this link to Frank Abagnale Junior - the man played by Leonardo DiCaprio in "Catch me if you can" - giving the closing keynote at the RSA APAC conference (youtube).
It's an interesting talk to hear how someone with a hacker mindset in the 60s was able to social engineer and defeat some of the security systems of the day...just by not following 'the rules'.
John McAfee has posted an "instructional" video on "How to uninstall McAfee Antivirus" (youtube).
I'm sure the McAfee marketing department are appreciating his efforts...
I do enjoy stories of people gaming systems. This one came up today of a man who took advantage of a National Australia Bank promotion to earn 380,000 frequent flyer points for $70. The bank offered 100 frequent flyer points per purchase - but failed to state a minimum purchase value. A whole lot of 1c purchases later and the guy had 380,000 points -- before the bank noticed and closed the loophole!
It kinda reminds me of the (in)famous Pepsi promotion in the US in the 90s where they offered a Harrier Jump Jet as the prize for collecting 7,000,000 pepsi points. When a guy bought the points for $700,000 and went to claim his multi-million dollar jet the result was -- a lawsuit!
At least in the NAB case, the guy got to keep the points!
The lesson? Imaginative people will always find a way to game the system if the reward is worth the effort!
The 2013 OWASP top 10 has been released, and sad to say the number one spot has not changed since the last top 10 in 2010.....Injection!
OWASP Top 10 – 2013

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
The NY Times has an interesting article on the hacking culture in China. It is especially interesting in the context of the Business Week article from the following day titled How the US Government hacks the world.
And just so the non-governmental types don't feel left out, a friend passed me the LA Times article on 'hacking back', a topic which seems to have become more and more of a discussion point recently.
Perhaps we'll end up taking a leaf out of the history books and start issuing Letters of Marque to Cyber-privateers!
Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.
Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
Disclaimer: The views and opinions expressed here are those of the authors only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.