Drunken Security News – Episode 330

We're finally back with the videos from Security Weekly. We had some technical issues with the recording of the shows, so if you didn't hear them live, unfortunately, they're gone forever. But we think we've got a handle on it and we have episode 330 for you. First was an interview with Andrew Righter, and in the video below, Paul talks with Banasidhe, President of the Board for Security BSides Las Vegas. She's on this week to tell us about the mentor program they are using for first-time speakers at the Vegas conference. More mentors are still needed, so if you're interested, please get in touch with the BSides Vegas crew. As part of Rapid7's research, they found they can track any ships, private or military while on the ocean and access a system that prevents collisions. It's not like these things can turn on a dime, or do the hallway dance when two people keep choosing the same side to walk on. Not only are printers on the internet vulnerable, but now they're capable of being used to launch DDOS attacks. You can send a request over UDP and then the response is larger and even better, you can redirect the response elsewhere. So how exactly do we fix this sort of thing? Larry also reports that Twitter is saying that "the hacks will continue!" however what should be cleared up is that that hacking isn't directly against Twitter. It's not an attack in the sense where the Twitter developers have written bad code getting compromised, it's the attack against what I like to call "Layer 8" the human. The problem is largely with spear phishing against users. There isn't much any system can do if someone asks you for your password and you give it to them. If you need to see what kinds of things that can happen with these attacks, check out the stock chart for the Dow Jones on April 23, 2013. Look at that one downward spike. That's when the AP News Twitter feed was hijacked and tweeted that the White House had been bombed and Obama was dead. I'm not sure which is really worse, that the AP gave up their password to this attack or that the traders on Wall Street based their stock strategy on a single tweet. Would anyone want to offer a little startup capital for our new security venture called "Wickid Pissa Security"? Ok, maybe you have to be from Mass or Rhode Island to really get that one. Paul talked about an article that tells of the seven elements of success for a security program. Or, as Larry sums it up, "1. Don't click on shit. 2. Refer to Rule 1." Easy. But the article refers to buy-in from everyone on board and using metrics to measure how efficient your program is. What good does it do to put in all this work and have no idea whether it even mattered or changed anything at all. Plus, those numbers can help at review time. Apparently smart meters and blackouts are a problem in the UK. Or as the article mentions, "Smart meters are essentially crap computers in a crap box" What were you doing at 14? As for me, I was sorting baseball cards and watching Brady Bunch re-runs ("Marcia, Marcia, Marcia!") Check out this 14 year old, Ali Hasan Gauri found an XSS vulnerability in a Cisco subdomain. Yeah, that's the kind of stuff that if he were to tell me about it at 14, my eyes would glaze over and ask if he wanted pizza. Meanwhile, he'll probably be retired-wealthy by 22. When the guys simply keep talking about the same vulnerabilities showing up week after week, at what point does listening to Security Weekly become required listening for developers? It almost seems we should have a special segment for the router vulnerability of the week! Can the new Google Glass be hacked? Easy root access can lead to lots of spyware, but a couple other problems that Larry seems to be aware of is they don't have great battery life and it can be embarrassing when porn comes up during a staff meeting. As an aside, Saturday Nigh Live also did their own review of Google Glass. There's all that and more, so listen in to get all the details. Don't miss this week's show on Thursday, May 9 at 6 pm with Kaspersky Lab's Kurt Baumgartner and Safelight Security's Rob Cheyne. Don't miss it!