Infosec-Soapies
Honey, I’m home!! – Hacking Z-Wave & other Black Hat news
You’ve probably never thought of this, but the home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Under the hood, the Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels.
Twitter killed the (infosec) Blogging Star ?
Like it, hate it or just plain struggling to understand it, Twitter has made a huge impact across a wide range of fields. We use it fairly heavily internally for simulated water-cooler chatter and quick link-exchange. (like any piece of sp-geek-over-engineering we also have a tweet-bot to convert tweets to emails, and convert blog notifications to tweets). It’s pretty clear though, that once we started tweeting internally, people started blogging less. There’s something liberating about saying “here’s a link”, as opposed to taking the time to formulate your thoughts into a full blown posting.
2 pieces of coolness…
a) was the politely dropped kaminsky firefox bug [http://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html]
It still requires a click for command execution, but considering its multi platform firefox ownage sans shellcode, i think its cool.. i think its even cooler that dan dropped it sans any fanfare..
b) has to be Pusscat‘s attack on the SMBv2 Remote bug published on [the VRT blog..]
From the post:
“we get lucky here as well in that there is a pointer srv!pSrvStatistics which also points to srvnet!SrvNetStatistics, and counts the number of requests that have been made to a specific call (as well as other things).
John Viega’s “the myths of security”.. Really??
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).
I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega’s new book had received and felt i had to chime in.
I picked up “the myths of security” (what the computer industry doesn’t want you to know) with hope, because O’Reilly books in general are well done and i really liked some of Johns previous books. Alas! I tried hard to think of a good thing to say about the book, and the best i can come up with right now is that “at least, it wont take up space on my bookshelf”.
The book is tiny (48 chapters, where each chapter is between a paragraph to 2-3 pages) which isn’t a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.
Apple gets some clue points?
At [DeepSec] last year i had the pleasure of hearing Ivan Krsti? speak. While some of his arguments had (small) holes in them (which the audience were quick to pounce on), he raised the ugly fact that people like me like to ignore.. That some of us spend a lot more time thinking of elaborate ways to break stuff than we do designing less breakable stuff..
I think for most security “breakers” its an argument that sometimes hits hard, and makes you wonder if you should be refocusing your efforts..
Episode 9 of the ITSecurity Pubcast..
Yvette Du Toit (E&Y – UK/ZA) featured on the latest ITSecurity Pubcast and spoke about her role in CREST. SensePost were invited along, and i showed that while i have a face for radio, i do not have the voice for it.. Ahh.. some day ill find my niche..
Till then, you can listen to the pubcast [here] and SensePosters can grab the mp3 [here]
Should InfoSec companies be betting on PCI ?
The United States committee on Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing to determine if “the Payment Card Industry Data Standards Reduce Cybercrime?”
Risky Business played snippets of the hearing under the apt title: “Washington spanks PCI DSS” – Like most episodes of RB, its well worth the listen..
One of the “merchants” giving testimony made his point quite succinctly. The credit card companies require us to keep card details, and shift the burden of fraudulent transactions to the merchant. There are much better ways to handle transactions, but the current method is a cheap way for the CC vendors to shift the burden and the risk to the merchants who historically had no alternative.
Like deja-vu (all over again)
Those of you who were around in 2001 will recall http://anti.security.is (anti-sec f.a.q)..
The sentiment pops up periodically (in different forms) and it seems like CansecWest this year has seen a resurgence of it.. From Charlie Millers comments on the Safari bug:
“Did you consider reporting the vulnerability to Apple?
I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”
Top Ten Web Hacking Techniques of 2008
(aka – Whoot! we are almost famous!!)
Jeremiah Grossman’s panel of judges (Rich Mogull, Chris Hoff, HD Moore and RFP) hath spoken (or spake) and the top 10 web-hacking techniques of 2008 have been published.
Of course we would be lying completely if we said it wasn’t cool to make it into the top 10 (and doubly cool to make it twice in the top 10!)..
HITB08 – Marcus Ranum Keynote on CyberWar..
I just managed to pull the HackintheBox torrents for their [2008 talks]. (SensePosters can grab a local copy [here]). I watched Marcus Ranums “Cyberwar is Bullshit” talk. A talk that was truly wince-worthy! While the talk will make you scream at the screen a few times, it is worth watching just to see the Q&A section after the talk.. It’s quite clear that Ranum gets owned more thoroughly than his online gallery did.
Page 1 of 3
Next