The show was missing its usual sunshine and unicorns as Jack was unable to attend the show but fear not, Paul and Larry took us all through the stories of the week! First, Larry found an article telling us why we should never trust geolocation values. The article talks about how the major geolocators (Google and Apple) will keep a database of where wifi hotspots exist and their mapping systems use these known values. But what if one of those "known values" moves? What if a hotspot that was in downtown Providence gets moved to Paris? We'd probably have another person drive their car into the ocean! But the part that Larry is talking about that he'd like to get is actually the reverse. Rather than knowing where the hotspots are and get an address back, have a way to submit the address and get a list of known hotspots in the area.
Stop us if you've heard this one before...there's a Java 0-day in the wild. Well, at least this one was for Java 6. Worried about how to remedy this? Wondering when the patch will be released? Well, it kind of has, it's called "upgrade to Java 7" which then throws a gray area into the whole "it's a 0-day" thing.
Ok, so here is the reason that we listen to the stories of the week. The experience that Paul and Larry have in the business is priceless in itself so when a story can spin off into an interesting story from the field, it's worth *at least* what you pay for the show. Paul tells us about WebAntix, a shell script that someone wrote that uses a Nessus NBE to take a list of URLs and go take a screenshot of each site and create a web site with those screenshots. Really useful on a pentest, right? Paul also mentions how Tim (@LaNMaSteR53) had written something similar called Peeping Tom. But what got spurred on here is Larry's story about a pentest that he was on. He was using a tool to spider through the client's site and realizing it was going to take a while, he went to lunch. In the meantime, the tool hit a page that it couldn't authenticate into. The tool didn't know when to quit and it would continue to try the page, failing each time. With each failure, a new log entry was created. However the company had a log watcher that would send an email to many people on each individual failed auth. 1.2 million emails later, the Exchange server was dead.
There's also this BYOD thing. Employers are wrestling with this problem in how they deal with employees bringing in their own laptops, mobile devices, tablets and who knows what else. Paul talks about how back in the days when Jack was probably only middle-aged, you could go to work at a place like IBM and they'd supply you with a far more expensive, far more powerful machine than you could probably afford on your own. So you almost looked forward to going to work just to use this souped up computer. Here lies the BYOD problem for businesses. On one hand, they can save money knowing that people have all this stuff on their own and they're going to use it so there's no longer a need to buy them the latest and greatest super strong computer. But, can that also be used in the reverse? What if a business wants to fight the whole BYOD thing by putting people back on super strong machines to where they won't even want to bring their own in anymore? It may be an interesting thought, but it really isn't going to keep the leakiest of machines out of the office, also known as the mobile phone.
How about if you ever need to get sudo on a Mac OSX machine and don't have the password? As long as someone has ever successfully done a sudo on the machine, you can simply do a sudo -k in the Terminal window, set the date back to the epoch and voila, you now have sudo on that machine. Or simply use Dave Kennedy's python script to do it all for you. Ok, this is one where I have to tell a story of my own. One time in a job, someone emailed me about how to get elevated privileges on a machine and I wrote back in email that he should go ask the system admin team for sudo access. Well, apparently he thought I was an idiot or didn't know how to spell or something because he promptly wrote to the unix administrator and said that I suggested he ask for some kind of "pseudo-access" to the box. Much laughter ensued.
What good would it be if I simply recap the whole show for you. Of course we want you to listen, so let's go quick with a few more. You can use an unauthenticated API to access some functions and interact with a Tesla automobile. The Register is telling us that the Poison Ivy RAT is the AK-47 of attacks. Learn to break Android apps with tutorials and sample sites for learning! An ISP was caught tracking mouse clicks! The horrors! Well, they were tracking where users were clicking on their support page. I can at least see the defense here. They wanted to know how effective their support page was and whether people were able to quickly and easily find the right answers, and where they were clicking around on the screen, hopefully in an attempt to make it more efficient. At least that's the story I'd believe.
We intentionally turn off comments on posts here (damn hackers...) but we'd still love feedback on what you think of the show and these recaps of the stories. You can tweet it to me (@plaverty9) or to Paul (@securityweekly) as well as suggestions or ideas for the show.
So there you go, that's some of the stories of the week but if you watch the video or download the podcast, there are even more! Plus, don't forget to check us out each week on Thursday nights at 6 pm Eastern time!