First of all, congratulations to Jack Daniel, who at the recent RSA conference was named to the security bloggers hall of fame, joining Bruce Schneier and Brian Krebs. And of course, I'll add the self-serving congratulations to the Security Weekly team for winning the security bloggers Best Podcast Award. So congratulations to Paul, Larry, John, Carlos, Jack, Mike the Intern Perez (who does a TON of behind the scenes stuff to make it all work), Allison, all the guests and of course, to all the listeners and those who voted. Ok, enough of the self-ball washing. On to the stories of the week. First, we get Joe McCray talking about his own home security labs, comparing electric bills and still dropping f-bombs at his "friends". Paul and Larry were pretty well impressed with Nir Goldshlager's explanation of hacking Facebook OAuth and being able to access anyone's profile. If you had this access, whose profile would you go after? There's an SSHD rootkit in the wild, hitting most RPM based Linux distributions. One issue here is the researchers still aren't sure how attackers are getting in and whether they're using a back door. Paul likens this to a recent site test that we did where a site had been defaced. We tried all kinds of tests, pokes and prods and we couldn't find a single vulnerability that would let someone easily deface it with a minimal amount of work. Until we stumbled across some mass site defacing scripts, reversed engineered them and realized the attackers were simply using a sort of back door. Using a symlink attack on a shared hosting server, attackers can find a single vulnerable site and then simply get server access to the configuration files for all other sites on that box. Here we were trying to find the vulnerability on the front end when it turned out the problem was a back door wide open to the world.
Listen closely to know where Paul keeps his wine opener.
Have you recently heard Episode 28 of Security Weekly and thought Twitchy was back? Yeah, we're aware of that issue and we're working on a fix. So far, it appears to only be a problem with Google Feeds. Google seems to have made a change on their side where the oldest item in the feed is displaying first. Maybe the most amazing part of this problem is some people reported that they listened to the entire podcast before they realized it was pretty old. It's equally amazing and disheartening to think how little has changed in the years since Episode 28 first aired.
After reflecting how long PSW has been broadcasting, John brought up the question about how long Paul will keep on going. "Until I say so" seemed to be a logical response, to which Larry adds "We're going to ride this gravy train all the way to the bottom." Lastly, Paul vowed to keep on going until he has a beard as long and awesome as Jack's. In other words, Paul ain't going anywhere any time soon. If you can make talking about security and drinking beer a part of your job, why would you ever quit?
Two more Java zero-days found. But how can you legally get away with writing them? Well, you can simply write add-ons to fix interoperability with applications, even if the interoperability is with Metasploit!
RSA lawyers think offensive security is a bad idea. The believe that this may be a bad idea because you can get yourself into trouble when you go on the offensive against attackers. Well sure, of course hacking the hackers can get you in trouble, but as Paul and John always make evidently clear at the beginning of any class or discussion on offensive security, you must work with and get full buy-in from local authorities or you will be dead in the water.
It's also interesting that Mandiant came out with more than 70 pages of documentation for their allegations of corporate spying, and now Chinese netizens (trolls?) are also offering corroborating evidence. Yet official responses coming from China and it's state-sponsored media are basically amounting to "Nuh uh. Mandiant, you're unprofessional and baseless." And that's it. If China wants to defend itself against the allegations, why can't they offer something more? Additionally, just how complex and "l33t" are the Chinese hacks? Maybe about complex as they need to be, which in some cases might not be that advanced at all, but it is good enough.
Lastly, Larry gives us a mini-rant on why does iOS still have trouble the emergency calling feature still allowing leakage of data? Is it really that hard to close this hole? What's it going to take?
That's it for the stories of the week. Make sure you get your fill of Security Weekly as the launch of Security Weekly spawn version 2.0 could be coming any time now. Being the great dad he is, Paul will take a little time to focus on his new family member. I'm certain photos will be made available shortly after arrival.
Episode 322 Show Notes