
  • HNNCast 111309

    HNNCast for the Second Week of November, 2009
    Also on YouTube (for 3GP mobile or 720p true HD users):
    PART 1: Lead Stories and News
    PART 2: Courtnee & the Quickies
    Lead Stories

    • 60 Minutes of FUD, Romanian Raids, RBS WorldPay Heist, FREE COFEE

    News

    • SPAM and Botnets Revive without McColo, ACM Attacks CALEA
    • Courtnee: Outsource Much?
    • Another Stupid Hacker Challenge, iPhone ALPINE Worms

    Quickies

    • OpenSSL Amputee Release, WordPress Patch, Festi, Kiddy Porn Propagating Virus, Unu Goes Offline, myspace.com/zeus Phishing, Bot-Net C-and-C Adaptations, ClubHack Registration, DEFCON Remodels, Another One Diddles Brittney’s Twiddle, Reissue of The Social Organization of the Computer Underground, NYU CSAW Awards in Brief

    Programming Note

    • Roku

    Stack of Shame

    • 108

    2 Responses to 'HNNCast 111309'


    1. Lead Stories
      60 Minutes of FUD
      http://www.cbs.com/primetime/60_minutes/video/?pid=v_sxt9cPkCWizFu6IhOxYFpG9jdCcoV6

      Romanian Raids
      http://www.wired.com/threatlevel/2009/11/romania/

      RBS WorldPay Heist
      http://www.informationweek.com/news/software/showArticle.jhtml?articleID=221601284

      FREE COFEE
      http://www.crunchgear.com/2009/11/06/siren-gif-microsoft-cofee-law-enforcement-tool-leaks-all-over-the-internet/

      News
      SPAM and Botnets Revive without McColo
      http://voices.washingtonpost.com/securityfix/2009/11/a_year_later_a_look_back_at_mc.html?wprss=securityfix
      http://www.avertlabs.com/research/blog/index.php/2009/11/11/the-mccolo-effect-one-year-later/
      http://www.eweek.com/c/a/Security/Botnets-Tighten-Defenses-Year-After-McColo-Shutdown-61350

      ACM Attacks CALEA
      http://www.pcworld.com/article/181985/how_to_ddos_a_federal_wiretap.html

      Courtnee: Outsource Much?
      http://news.hostexploit.com/index.php?option=com_content&view=article&id=222
      http://www.telegraphindia.com/
      http://www.etalkindia.com/computer_technology_news_it_forum/satyam_banned_fo

      Another Stupid Hacker Challenge
      http://www.darkreading.com/security/management/showArticle.jhtml?articleID=221600869&cid=ref-true

      iPhone ALPINE Worms
      http://www.darkreading.com/blog/archives/2009/11/worlds_first_ip.html
      http://www.theregister.co.uk/2009/11/11/iphone_hacking_tool/

      Quickies
      http://www.scmagazineus.com/Festi-botnet-appears/article/157294/
      http://isc.sans.org/diary.html?storyid=7543&rss
      http://risky.biz/unu-gone
      http://www.poly.edu/csaw
      http://voices.washingtonpost.com/securityfix/2009/11/nastygram_myspace_phish_plants.html
      http://www.theregister.co.uk/2009/11/09/bot_herders_coopt_google_appengine/
      http://clubhack.com/2009/

      Programming Note
      http://rcm.amazon.com/e/cm?lt1=_blank&bc1=EEEEEE&IS2=1&bg1=EEEEEE&fc1=000000&lc1=FF0000&t=hacnewnet-20&o=1&p=8&l=as1&m=amazon&f=ifr&asins=B002SFDJMQ

      Stack of Shame
      http://www.zerodayinitiative.com/advisories/upcoming/

      tan

      15 Nov 09 at 12:59 am


    2. Just some afterthoughts about that dumb-ass hacker challenge from Wiresoft.

      It’s not just that $24k is “chump change” – the problem is that when you see “24 hours to beat our firewall”, anyone who has any experience will read between the lines where it says:

      a) When you find something, we’re going to do everything in the world to deny it was an issue with our product. So, you should videotape your 24-hour attack under the supervision of a notary public because once the window is closed, everything is going to be hearsay.

      b) If you use an 0day, it’s going to die because when you read “24 hours to hack in” you realize that everything is going to be sniffed, kernel-logged and anything else you can think of. There is also a good chance the vendor will then take credit for “discovering” your bug and killing it, passing no credit on to you.

      Another point would be that when you see one of these challenges, you can rest assured that you’re dealing with SNAKE OIL SALESMEN. Someone who is just “discovering” computer security and thinks they have this great solution already. But when you see a challenge like this you KNOW they don’t see the bigger picture and whatever their product is has to suffer from that same ignorance.

      Investors and universities need to stop trying to turn student works into commercial products. Or, if they do, they HAVE to understand that computer security is an industry that suffers MOST from initial impressions and knee-jerk reactions. Things are almost NEVER what they seem at first glance in this game, and any great idea that may come out of a university needs a “Sherpa” – not just to give a lukewarm “thumbs up” to the high-level idea, but to dive into the nitty-gritty details of HOW things are done.

      Universities teach students programming that solves problems without concern for security. Security complicates the solution, and it’s the solution that is the lesson objective – so we leave it out. For example, a “secure” code snippet might have 2-3 lines of code for every 1 line of “insecure” code – perhaps even more than that. So of COURSE these students think they can implement their own ideas – without any clue of how dangerous it is for them to take their classroom coding mentality into an actual production environment.

      Heh, so if I were a betting man, I’d say, “I see your $24k and… all in”.

      tan

      15 Nov 09 at 7:18 pm


    Site last updated August 21, 2011 @ 10:00 pm; This content last updated October 9, 2010 @ 12:41 am