Archive: Oct 2012

Pwned by the Owner 2: Tracking Down the Thief’s Whereabouts

Trying to get his stolen computer back, Andrew ‘Zoz’ Brooks sought ways to figure out where it was, and had some success owing to smart cyber tricks. Learning the Machine’s Location What I did have was the serial number of the machine and the stats of what machine it was, so I started to look...

Pwned by the Owner: What Happens When You Steal a Hacker’s Computer

Dr. Andrew Zoz Brooks, a well-known computer expert and co-host of the ‘Prototype This!’ TV series, shares his hilarious computer theft story with Defcon attendees. Alright, I have no less of an authority of speaking at Defcon than Jason Scott here. Everyone is really confused about what room I am...

Data Mining a Mountain of Zero Day Vulnerabilities 6: Mobile Application Vulnerabilities and Secure Coding

Winding up his Black Hat presentation, Chris Wysopal dwells on smartphone application vulnerabilities and the issue of assuring secure code development. Smartphone Application Vulnerabilities I have a little bit of data here on smartphones. Like I said, we don’t have a lot of data because we just...

Data Mining a Mountain of Zero Day Vulnerabilities 5: Code Security Assessment

Chris Wysopal breaks down the industries and application types by security assessment criteria, and elaborates on the correlation between secure code and software vendor type. Industries Holding Their Software Vendors Accountable Then we looked at, you know, what industries are securing their supply chain; what industries...

Data Mining a Mountain of Zero Day Vulnerabilities 4: Distribution Trends over Time

Chris Wysopal comments on vulnerability distribution trends within a specified time span and analyzes web application compliance with security standards. How Vulnerability Distribution Is Changing Over Time So, then we looked at trends over time. Are any of these vulnerability distribution percentages...

Data Mining a Mountain of Zero Day Vulnerabilities 3: Vulnerabilities by Language, Supplier and Industry

Additional application vulnerability metrics provided and explained by Chris Wysopal in this part are programming languages, supplier types, and industry. Vulnerabilities by Language So, next I want to take a look at this by language because the language you program in makes a big difference in the kind of...

Data Mining a Mountain of Zero Day Vulnerabilities 2: Top Vulnerability Categories

Getting into the retrieved statistics, Chris Wysopal lists the most common vulnerabilities in web- and non-web applications by ratio and overall prevalence. Web Application Vulnerabilities So, now we’re going to dive into our numbers (see chart). This here is the top vulnerability categories for web...

Data Mining a Mountain of Zero Day Vulnerabilities

Black Hat Europe 2012 conference guest Chris Wysopal, the CTO and Co-founder of Veracode, presents his research on the different sorts of prevalent and potentially exploitable web application vulnerabilities derived from the large data set that was processed by his company. I’m Chris Wysopal, CTO and...

Bypassing the Android Permission Model 7: Exploiting Open Interfaces to Steal Permissions

This is the final part of Georgia Weidman’s HITBSecConf2012 talk where she explains why open interfaces in Android may pose a security threat, and provides mitigations for the risks emanating from Android interfaces. Android Interfaces with Dangerous Functionality If anyone’s ever done Android...

Bypassing the Android Permission Model 6: Compromising Privacy on the Code Level

In this part, Georgia Weidman breaks insecure data storing down to the code level, explaining code samples behind sensitive information access. Vulnerable and Malicious Code Everybody hates it when you show code examples in your talk, but these are really short ones, just to illustrate how easy this is. So,...

Bypassing the Android Permission Model 5: Accessing Data Stored on SD Cards

Exploiting the way data is stored on SD cards in order to access it is what Georgia Weidman elaborates on here, explaining the corresponding demo in detail. So far we have talked about evil Android guy with horns, evil application that wants to hurt you, and it’s malicious. When you download it, it’s...

Bypassing the Android Permission Model 4: SMS Botnets Based on Malicious Rooting

Georgia Weidman explains her instructive demo about using a maliciously rooted Android phone as an SMS bot, and outlines problems with critical firmware updates. Malicious Rooting Now I’m going to show a demo of something you might want to do after you root somebody’s phone if you’re a malicious...

Bypassing the Android Permission Model 3: Evil Rooting with DroidDream

This part of Georgia Weidman’s presentation is dedicated to the malicious side of Android rooting, vividly exemplified by the infamous DroidDream app. We are going to look at some evil ideas for rooting Android. Anybody remember this guy? (See image) DroidDream made a huge media splash because researchers...

Bypassing the Android Permission Model 2: Android Rooting Programs

Georgia Weidman touches upon the Android rooting issue and describes her experiment with Android permissions to show how apps can get hold of user data. I figured out why Android apps have so many permissions. Since I’ve done so much Android development lately, and I’ve watched my apps just fall over and...

Bypassing the Android Permission Model

Georgia Weidman, the Founder and CEO of Bulb Security, takes the floor at HITBSecConf2012 Amsterdam to present her research on security details and flaws of the Android permission model. Cheers everyone to my European debut! There will be no 0-days in this talk, except one – the 0-day that I came up with...

Drinking From the Caffeine Firehose 4: Pen Tests As a Source of Trending Data

Dan Tentler further exemplifies the stunning exposure of digital systems to virtually unimpeded access, and provides a summary of his Defcon talk. Ok, how about listening on telnet? These are intersections, like, stoplights, you can telnet into them and put them in test mode, and the warning says:...

Drinking From the Caffeine Firehose 3: Vulnerable Infrastructure Systems

Dan Tentler, aka Viss, provides a walkthrough of more systems that are exposed to outside intrusion, including massive cooling, power and i.LON controls. So, next – massive cooling equipment. This is a warehouse I found somewhere in Central America that had 14 gigantic evaporative coolers connected to it...

Drinking From the Caffeine Firehose 2: Accessing Private and Industrial Systems

This part encompasses Dan Tentler’s proof of concept showing how vulnerable home automation and industrial systems are to third-party access. Private residences – really rich people tend to use these things, because it’s kind of a home automation thing, it’s kind of cool to heat...

Drinking From the Caffeine Firehose We Know as Shodan

Freelance pentest guy Dan Tentler, aka Viss, delivers a talk at Defcon 20 about different digital control and supervision systems that can be accessed online. Welcome to “Drinking from the Caffeine Firehose We Know as Shodan”! Anybody recognizing that scene? (Image 1) Did everybody watch old...

Watch out for new Skype virus – Worm.NgrBot (Dorkbot)!

Skype faced a wave of spam that spreads a dangerous Trojan called Worm.NgrBot (a variant of Dorkbot). Leading antivirus vendors Kaspersky Lab and Doctor Web confirmed the existence of the threat. On Friday, many Skype users started receiving a malicious link created with the help of the goo.gl service from their...

McAfee Internet Security 2015 review

$79.99 McAfee Internet Security 2015 accommodates a competitive feature set and removes the prevalent threats for good. There aren’t many security companies out there that can proudly boast the experience,...

Steal Everything, Kill Everyone, Cause Total Financial Ruin 6: Enforcing Security Awareness

This is the final part of Jayson E. Street’s Defcon talk where he explains how easy it may be to harvest company data and provides a summary of the presentation. People are so busy protecting their stuff from these very high-level attacks that they are forgetting SQLI (oops, sorry Sony). Sometimes it’s a...

Steal Everything, Kill Everyone, Cause Total Financial Ruin 5: Methods of Espionage

In this part, you will learn about the typical mistakes that even financial institutions and law enforcement agencies make in terms of counterespionage. Okay, so let’s talk about financial ruin, let’s talk about espionage. I hate to hurt some people’s feelings and say: “It’s not just the...

Steal Everything, Kill Everyone, Cause Total Financial Ruin 4: Workplace Violence Countermeasures

Physical damage resulting from poor intrusion detection systems at facilities is the subject Jayson E. Street focuses on here, providing his real-world examples. Well, here’s the real warm and fuzzy side. We’re actually talking about how, you know, to kill everyone, because that always brings up a crowd...

Steal Everything, Kill Everyone, Cause Total Financial Ruin 3: Countermeasures of Theft

Jayson E. Street now illustrates some of his security assessments with photos and descriptions of how easily corporate and employees’ property can be stolen. I love this one. This is what I call the trifecta bad, because, yes, I stole the phone or cloned it; yes, I’ve got the laptop – 30 laptops...

Steal Everything, Kill Everyone, Cause Total Financial Ruin 2: I’m Getting In

Jayson E. Street’s subject in this part is the different tricks he applies during penetration engagements, and the rules he sticks to in his work. Now I’m not talking about social engineering part so much, as this is all the damage I’m going to do after your security guy lets me through the front door....

Steal Everything, Kill Everyone, Cause Total Financial Ruin

Jayson E. Street, Information Systems security expert and CIO at Stratagem 1 Solutions, describes his real-world intrusion engagements during his Defcon talk to show the flaws of the current security model within enterprises. Hi! This is my talk. I want you to understand I had to start with this slide (see...

From White Hat to Black 5: Darkmarket and Undercover FBI Operation

In the final part of the story, Kevin Poulsen dwells on the undercover FBI operation targeting Max Vision’s carding business, and speaks on where Max’s black hat activities ended up getting him in the long run. What happened next was there was another vulnerability. In fact, his whole career is kind of...