Episode 317 – Drunken Security News

January 25, 2013
After playing a little "Five Questions with Security Weekly" (three, sir!) with tech segment guest Alissa Torres, Paul started off with a quote from Dr. Dan Geer that the guys basically resolved down to "Who cares about security?" Geer's quote is: "When those that can make the changes to improve security are not those that are impacted by the effect of poor security, you will basically get status quo and no security improvement." Or, as Jack puts it, if my decisions on security don't bite me in the ass, I'm probably not going to make the best possible decisions. They also took this into the area of application security and who cares about it there. First, we have the developers who are being paid to write code and get the software out the door. Then we have the company paying the developers. Their concern is getting the software out the door and selling it. Then we have the customers who purchase the software and just want it to work. Where are the security decisions in this cycle?

Google also seems to have added a new feature. In Google Images, you'll now see a camera icon to the right of the search bar. If you enter a URL to an image or upload an image, Google will find all the places where that image has been used. Somewhere, Manti Te'o screams "Where were you when I needed you three years ago, Google!!"

So Barracuda Networks has a wide-open back door to their device. It's always kind of funny, in a bad way, when security companies have poor security practices in place. It's another example of "do as we say, not as we do". A researcher was able to find that he could connect to the device's MySQL database with a username of "product" and no password! C'mon man! At a minimum, put a password on the thing. Even if it is shared internally within Barracuda, that's at least a little bit better. As Jack talked about from his days supporting customers on products, it's understandable to have some sort of back door. Customers do sometimes lock themselves out and not keep backups. So when that happens, what do you tell an angry customer who has paid you thousands of dollars? "Oh sorry, you were dumb. You're screwed." No, that's not going to fly. So vendors do put in a back door. But if you're going to have a master key to all the systems, don't make it so easy to get into.
Cisco responds to the WRT54GL Linksys router hack. They're working on a fix for people being able to remotely get a root shell, but their recommendation in the meantime? Only let friends use your router. Oh yeah, with friends like these...

Have you signed up for the SANS webinar titled "Uninstall Java? Realistic Recommendation? No. Insanity? Yes!" with John Strand, Paul Asadoorian and Eric Conrad? It's coming up this Tuesday at 2 pm EST.

Do you have all the HTTP response codes memorized? Someone is proposing a new range of 700-level codes. Some that might be helpful: HTTP 725: It Works On My Machine. And I fear how often the Security Weekly web server will return an HTTP 767. It simply reads "Drunk".

Former Dawson College student Ahmed Al-Khabaz, who was expelled for allegedly hacking the university's infrastructure, has received multiple job offers. The guys talk about the situation in a little more detail than is often reported. He found a vulnerability and reported it. So far, so good. But then a little while later, he pointed a scanner at the vulnerability that he found, presumably setting off alarms. Even worse, the noise from the scanner pointed back to him. Once he reported the vulnerability, what's he doing going back to it, and as "evil" Jack mentions, why didn't Al-Khabaz cover his tracks better when he switched his hat color? Nonetheless, lots of weirdness abounds in this story. The university overreacted (what?!? a university overreacted? never!) instead of using this as a learning opportunity. Plus, the student may have made some mistakes along the way, yet he comes out better for it. So is the lesson here to hack your way to a job? Is that what universities are for? Umm, no. Never go after something that you don't have explicit, written permission to hack. Plus there's Paul's suggestion of punishment here: the student should have been required to work the help desk for three months. That's enough to teach anyone a good lesson.
That's it for this week. Watch the video for these stories and more!