And here we go! Drunken Security News, episode 327 with Paul, Jack and Allison in studio. As always, you can follow along at the Security Weekly wiki's show notes.
Allison found a story about how a Canon EOS can be hacked and used as a remote surveillance tool. When an article includes the line: "However, the camera's connectivity was not designed with security in mind", you know that's not going to end well. The article goes on to describe how the images can be transferred to a server via FTP (hello clear text!) and the camera even has its own web server with pretty weak authentication. Apparently, Canon believes the situation is a feature, not a bug.
hackers, I mean security researchers can most easily stay out of jail. Some of the tips in this article sound like they're taken straight from a video that Allison found a few months ago from the Hack In The Box conference with presenter The Grugq, talking about OpSec. Some of the pieces of advice include: "don't trust anyone" (that didn't work out so well for LulzSec), "don't reveal your plans", "don't work from home" and more. All seems to be worthwhile information, if that's the direction you choose to go with your skills. Not that anyone at Security Weekly ever condones accessing a computer or network that you don't have permission to access.
If you're in the New England area, definitely consider attending both BSides Boston on May 18 and BSides Rhode Island on June 14 and 15.
Paul described an article talking about another vulnerability in Linksys wireless routers. It was described by the author as a "Cross Site File Upload" vulnerability. Multiple vulnerabilities were found in both the WRT54GL and EA2000 routers. Amazingly, some of the vulnerabilities were revealed by simply adding a / to the end of a URL accessing the device.
Jack and Paul got into it a little bit about a post by Dr. Gene Spafford where Spaf thinks that CTF competitions may be focusing on the wrong skills. Maybe competitions make learning more fun and can also create a stress situation which may be more like a real world attack and defense of a system. Paul countered with his belief that there is still a great deal of value in sitting in front of a system that is under active attack. It's not often that the crew will truly disagree with points of view, so this makes for a great discussion.
And is it possible to have a Drunken Security News without including something about porn? Of course not. And Paul doesn't disappoint. Maybe this one also falls into the "no kidding" bucket, but Paul talked about top porn sites becoming more of a malware risk. Gee, did you really think you can go to a free porn site and be completely risk-free of malware? Right. And there's zero chance of catching an STD from a prostitute. As Paul mentioned, always use protection when visiting your porn sites.
There's all that and more in the stories for the week, watch the video for all the great discussions and don't miss Dr. Whit Diffie on tonight's Security Weekly!
