Today I was in a brief / talk / meeting and I just wanted to share with you some of the things that I saw in this event that might better help you know what NOT to do while getting up in front of any size crowd. Death by bullets (Yes, this is bulleted to be ironic). But seriously, this was a recurring theme throughout the meeting. Try and keep it to 3 or 5.
I believe there is a fear in the security community about speaking. Most don’t believe they either have something important enough to say, or have some awesome ‘thing’ and are just too afraid of the stage. Here are some resources and videos that have helped me gain the confidence to speak. Gary Vaynerchuk @ Web 2.0 Expo: [http://www.youtube.com/watch?v=EhqZ0RU95d4](http://www.youtube.com/watch?v=EhqZ0RU95d4) – Specifically look at how he speaks. How he starts, how he finishes.
This is an untested theory, but I don’t see why it wouldn’t work. Anyone who wants to prove it either way is very welcome to comment on the matter below. Ok. Say you have the following excerpt from an /etc/shadow file: root:awac7eQv2CT0g:12685:0:10000:::: billybob:$7$b1XHzqR5$RJxOyHRAix2rVmtXyHkLikmnod.z94P6vSL1h8ZeUdY/urvOvkvJjg2hn/J0r90YAdAA8HedGIPR2D7.zIzJS0:14438:0:99999:7::: Both passwords in clear text are “uncrackable”. Here is where the trick comes into it. We use the weakness in LM hashes to crack the password (as long as it’s under 15 characters of course).
Alright, you have all heard of some of the annoying items that make ThinkGeek a one-stop shop for cube warfare, such as the Annoy-a-tron and the Phantom Keystroker. Well, nothing can hold a candle to the BSODomizer. Along the lines of the Annoy-a-tron and the Phantom Keystroker, this device is hardware and messes with your target using a timer-based method. But what gets added to the mix is the fact that it has an IR receiver as well, so while you are giggling in your cube trying not to bust up laughing, you can actually use any Universal Remote set to the Sony TV code, a TV-B-Gone (Mitch Altman’s awesome invention), or even a computer that is set to send that signal from its IR port.
Yesterday on Twitter I posed 3 questions: Question 1: Now that Clickjacking has faded away from “Newest Greatest BAD STUFF”, how many implemented NoScript personally? What about Enterprise wide? Question 2: Now, everyone who responded that you are still at IE in the enterprise. Why? Did you show the powers that be clickjacking and its effects? Question 3: Ok, here is the final question of the trio: Why, since we rely on IE, aren’t we screaming at M$ to implement NoScript-like features?
It’s official: Burp Suite 1.2 is officially released to the masses. It includes a whole host of new features. Mainly (the ones spoken of in the blog post about the release): site map showing information accumulated about target applications in tree and table form; Suite-level target scope configuration, driving numerous individual tool actions; display filters on site map and Proxy request history; Suite-wide search function; support for invisible proxying.
It’s not quite the snooze button I asked for, but it will do. Google implemented Gmail Tasks inside of Gmail Labs. Here is the blog post about it: http://gmailblog.blogspot.com/2008/12/new-in-labs-tasks.html
If you haven’t seen it yet, I posted about a Nerv-Labs Live DVD that included all kinds of security distros in one bootable DVD, which was also featured in Episode 0x415 of Hak5. Well, there were some things that it was kinda lacking, mainly Helix and Samurai. Well, my buddy Marcus Carey from SunTzu Data did it up right. Let me introduce SumoLinux. SumoLinux has the following Linux distributions on it:
Guest Article By: Ryan Pfleghaar (post_break) of iamthekiller.net. DEFENDING AGAINST JASAGER: Jasager has been making people question wireless security since episode one of season four on Hak5. The number one question besides “How do I get this to work” is “How do I protect myself?”. This exploit in wireless security has been somewhat of a challenge to protect against, and with this article I am going to detail how Mubix and I came up with a quick and easy fix.
I have had this rant on Twitter (if they had threading I would link to it). I have also had it in person a half dozen times at CSI Annual. And a piece of the puzzle was touched on by Jack Daniel in his blog posting “The Fallacy of Penetration Testing”. We as “Security Professionals” have a big problem. We usually don’t have the power to make change.