SANS Pen Test Poster

SANS have put out this nice poster of useful pen-testing resources.

iOS mobile hotspots

Threat Post has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additionally...

“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”
The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.

Best option - use a long, custom non-dictionary password....
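As an added illustration (my own code, not from the article or the paper), the snippet below puts numbers on the point: it compares the keyspace of picking one word from a 1,842-word list against a long random passphrase, and derives the WPA2-Personal PSK with the standard 802.11i PBKDF2 step to show that the SSID is public and the passphrase is the only secret input. The word-list size comes from the article; the derivation parameters are the published 802.11i ones.

```python
import hashlib
import math
import secrets
import string

# Size of the default-passphrase word list reported in the article.
# Only the list size matters for the keyspace estimate, so no list is needed.
WORDLIST_SIZE = 1842

# Printable ASCII alphabet a user might draw a custom passphrase from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_bits(choices: int, positions: int = 1) -> float:
    """Bits of entropy when `positions` symbols are each drawn
    uniformly and independently from `choices` possibilities."""
    return positions * math.log2(choices)


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pre-shared key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is broadcast in the clear, so the passphrase is the only
    secret feeding the PSK, and therefore the only secret behind the
    per-session keys derived from it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_passphrase(length: int = 20) -> str:
    """A long, custom, non-dictionary passphrase from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare() -> dict:
    """Return the entropy (bits) of the default scheme vs. a 20-char custom one."""
    return {
        "default_wordlist_bits": keyspace_bits(WORDLIST_SIZE),
        "custom_20char_bits": keyspace_bits(len(ALPHABET), 20),
    }


if __name__ == "__main__":
    bits = compare()
    print(f"one word from {WORDLIST_SIZE}: {bits['default_wordlist_bits']:.1f} bits")
    print(f"20 random printable chars: {bits['custom_20char_bits']:.1f} bits")
    # Constructed sample values: a hotspot SSID and a generated passphrase.
    print(wpa2_psk(generate_passphrase(), "example-hotspot").hex())
```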

Frank Abagnale Jnr.

Following on from my previous post on 'gaming the system', a friend sent me this link to Frank Abagnale Junior - the man played by Leonardo DiCaprio in "Catch me if you can" - giving the closing keynote at the RSA APAC conference (youtube).

It's an interesting talk to hear how someone with a hacker mindset in the 60s was able to social engineer and defeat some of the security systems of the day...just by not following 'the rules'.

Whacky McAfee

John McAfee has posted an "instructional" video on "How to uninstall McAfee Antivirus" (youtube).

I'm sure the McAfee marketing department are appreciating his efforts...

Gaming the system

I do enjoy stories of people gaming systems. This one came up today of a man who took advantage of a National Australia Bank promotion to earn 380,000 frequent flyer points for $70. The bank offered 100 frequent flyer points per purchase - but failed to state a minimum purchase value. A whole lot of 1c purchases later and the guy had 380,000 points -- before the bank noticed and closed the loophole!

It kinda reminds me of the (in)famous Pepsi promotion in the US in the 90s where they offered a Harrier Jump Jet as the prize for collecting 7,000,000 pepsi points. When a guy bought the points for $700,000 and went to claim his multi-million dollar jet the result was -- a lawsuit!

At least in the NAB case, the guy got to keep the points!

The lesson? Imaginative people will always find a way to game the system if the reward is worth the effort!

OWASP Top 10

The 2013 OWASP top 10 has been released, and sad to say the number one spot has not changed since the last top 10 in 2010.....Injection!

OWASP Top 10 – 2013
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

Back in 2011 I referenced Troy Hunt's excellent ebook reference for the 2010 OWASP top 10. If you didn't go get it then, download it now. 

Hack me, hack you!

The NY Times has an interesting article on the hacking culture in China. It is especially interesting in the context of the Business Week article from the following day titled How the US Government hacks the world.

And just so the non-governmental types don't feel left out, a friend passed me the LA Times article on 'hacking back', a topic which seems to have become more and more of a discussion point recently.

Perhaps we'll end up taking a leaf out of the history books and start issuing Letters of Marque to Cyber-privateers!

Zero-Day Attacks

Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.

Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
