What 420,000 insecure devices reveal about Web security

From a CNET News article on Web security: A researcher used a small, simple binary to take control of more than 420,000 insecure devices exposed on the Internet, including webcams, routers, and printers, and says that is just a hint of the potential for real trouble.

In a Seclists posting yesterday (circulated by Gordon Lyon, the Nmap author), the researcher describes how he was able to take control of open, embedded devices on the Internet. He did so using either empty or default credentials such as "root:root" or "admin:admin", which shows how many devices connected to the Web have no real safeguard against takeover. The check is trivial to automate, which is exactly why default credentials on Internet-facing management interfaces are treated as a critical finding on any assessment.
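The technique the article describes, as an added example that is not code from the CNET article or from the researcher it describes: a small simulated embedded device that answers a telnet-style login prompt, and an auditor that walks a list of well-known default credentials against it. The fake device, its BusyBox-style banner, the loopback-only ephemeral port and the credential list are all constructed for this illustration; "root:root", "admin:admin" and the empty pair are the ones the article names, the other two are assumed extras.

```python
"""Default-credential audit, illustrated against a simulated device.

Added example; not code from the CNET article or the researcher it
describes. The fake device, its prompts, the port (ephemeral, loopback
only) and the credential list are constructed for this demo.
"""
import socket
import threading

# Constructed list of well-known defaults. The empty pair, "root:root"
# and "admin:admin" are the ones the article names; the rest are
# assumed extras, and order matters for how many attempts a hit takes.
DEFAULT_CREDS = [("", ""), ("root", "root"), ("admin", "admin"),
                 ("admin", ""), ("root", "")]


def _read_until(sock, marker):
    """Read one byte at a time until the buffer ends with `marker`."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before %r" % marker)
        buf += chunk
    return buf


class FakeDevice:
    """Stand-in for an embedded telnet service with one valid account.

    Each connection gets 'login: ' and 'Password: ' prompts; a correct pair
    is answered with a shell prompt, anything else with 'Login incorrect',
    and the socket is closed either way. Attempts are counted so a caller
    can see how far down the list the auditor had to go.
    """

    def __init__(self, valid_user, valid_pass):
        self.valid = (valid_user, valid_pass)
        self.attempts = 0
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:          # listening socket closed: shut down
                return
            with conn:
                try:
                    self._handle(conn)
                except OSError:      # client went away mid-login
                    pass

    def _handle(self, conn):
        conn.sendall(b"login: ")
        user = _read_until(conn, b"\n").decode("utf-8", "replace").strip()
        conn.sendall(b"Password: ")
        pw = _read_until(conn, b"\n").decode("utf-8", "replace").strip()
        with self._lock:
            self.attempts += 1
        if (user, pw) == self.valid:
            conn.sendall(b"\nBusyBox v1.01 built-in shell\n# ")
        else:
            conn.sendall(b"\nLogin incorrect\n")

    def close(self):
        self._srv.close()


def try_login(host, port, user, pw, timeout=3.0):
    """One login attempt; True iff the device hands back a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, b"login: ")
        s.sendall(user.encode() + b"\n")
        _read_until(s, b"Password: ")
        s.sendall(pw.encode() + b"\n")
        reply = b""
        while True:                  # device closes the socket when done
            chunk = s.recv(256)
            if not chunk:
                break
            reply += chunk
    return reply.rstrip().endswith((b"#", b"$"))


def audit_default_creds(host, port, creds=DEFAULT_CREDS):
    """Walk the default list in order; return the first working pair or None."""
    for user, pw in creds:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


if __name__ == "__main__":
    for label, dev in (("weak", FakeDevice("admin", "admin")),
                       ("hardened", FakeDevice("ops", "L0ng!Random#Pass"))):
        hit = audit_default_creds("127.0.0.1", dev.port)
        print(label, "port", dev.port, "->", hit, "after", dev.attempts, "attempts")
        dev.close()
```

The auditor stops at the first hit, so a device still on "admin:admin" falls on the third attempt, while a device with a unique password costs every entry in the list and returns None; that asymmetry is the whole economics of the census the article describes. Run it only against devices you own or are authorized to test: the same loop pointed at arbitrary Internet hosts is unauthorized access, whatever the credentials are.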


CarolinaCon 9 Conference Overview

I had the pleasure of attending CarolinaCon 9 this past weekend (March 15 – 17, 2013). The event took place in Raleigh, NC at the Hilton North Raleigh/Midtown at 3415 Wake Forest Road, and it was a great experience.

The events started Friday evening at 6:30 PM with opening remarks from the staff, followed by an informative presentation from Omar Santos titled "The Evolution of Network Security: How Networks Are Still Getting Hacked". After Omar's talk, other attention-grabbing presentations followed, such as "Intro to Lock Picking" by @smrk3r and "Terminal Cornucopia" by @treefort, and the final presentation of the day by @al14s & @c0ncealed, titled "RAWR (Rapid Assessment of Web Resources)".

At the conclusion of Friday's talks, everyone seemed to crowd into SkyBox, the sports bar located at the hotel. The food and drinks were reasonably priced and tasty. Along with the customary catch-up talk, tech talk and BS talk, the NCAA tournament was playing on every television set, which added to the overall atmosphere.

Day 2 started with a notable talk from Stephen Chapman (@Chapman) on "Search Engine Hacking". His talk discussed some very simple search terms that would garner high-value results, such as confidential information and credit card numbers. @Chapman also recommended looking up Johnny Long (@ihackstuff) as well as Stach & Liu for some good tips on search/Google hacking. Other informative presentations included Bryan Miller's "The Low Hanging Fruit of Penetration Testing", Paul Coggin (@paulcoggin) with "Digital Energy BPT", "msfpayload isn't dead yet: AV Avoidance in Payload Delivery" by @melvin2001, and finally the anticipated talk of the day by the knowledgeable and entertaining Joe McCray (@j0emccray) on "Exploit Development for Mere Mortals", where many of the attendees received a 30-second assembly class that was very useful.

The last event of day 2 was a very entertaining "Hacker Trivia" hosted by Vic Vandal, AlStrowger and emwav. Hacker Trivia, a Jeopardy-like game, contained questions on hacker movies, hacker-related history and exploit identification, as well as other security-related items. Every person who answered a question correctly received a complimentary shot.

Day 3, the final day, also had some great talks from Michael Smith (@drbearsec), @JohnInGeneral and Thomas Richards (@G13net), to name a few. The day also focused on wrapping things up with the CTF and Crypto events. Many attendees were also busy exchanging contact information with the new and old contacts they connected with during the event.

My overall assessment, and that of the other attendees I spoke with, was pure satisfaction with the event. I am definitely looking forward to next year's CarolinaCon 10. Please contact the CarolinaCon staff if you did not get a chance to purchase a shirt and wanted one; it was stated that they might be ordering additional shirts due to the high demand. It was also stated that videos of the speakers would be available soon, so keep a lookout for those.

About CarolinaCon:

CarolinaCon is an annual conference in North Carolina that is dedicated to sharing knowledge about technology, security and information rights. CarolinaCon also serves to enhance local and international awareness of current technology-related issues and developments. CarolinaCon also strives to mix in enough entertainment and side contests/challenges to make for a truly fun event.

CarolinaCon was started in 2005 and has been held every year since. With each passing year the conference continues to grow and attract more attendees and speakers. As has always been the case, CarolinaCon is put together and run by an all-volunteer staff. CarolinaCon is proudly brought to you by “The CarolinaCon Group”. The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights.

The CarolinaCon Group is also closely associated with various 2600 chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

U.S. National Vulnerability Database Hacked

From a DarkReading article on the incident: The U.S. National Vulnerability Database (NVD) was taken down by its administrators at the National Institute of Standards and Technology last Friday, March 8.

As of this morning, the site shows this message: "Site/Page Not Available. The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available."


DoD creating cyber “offensive” teams to strike back against foreign attackers

From an SC Magazine article on the new cyber teams: The Department of Defense (DoD) is creating 13 teams, consisting of programmers and computer experts, whose sole mission will be to carry out offensive attacks against foreign adversaries should a critical attack on the U.S. occur.

On Tuesday, National Security Agency Director Gen. Keith Alexander, who is also the chief of the newly minted Cyber Command, told Congress that he would be leading the effort to establish the teams. Cyber Command was created to integrate cyberspace operations for the protection of DoD networks. According to a New York Times article, Gen. Alexander said the DoD would use the cyber teams for offensive measures only, a noteworthy first admission by the administration that weapons for cyber combat are being developed by the government.


Denial-of-service attack takes down JP Morgan Chase sites

From a CNET News post on the Chase Web sites being taken down by a DDoS attack: The Web sites for banking giant JP Morgan Chase are offline this afternoon as the result of a distributed denial-of-service attack, a representative told CNET.

The site's usual banking tools and content were replaced this afternoon with a message that read: "Our website is temporarily down, but our branches and Mobile Apps are available. Please try again later."

The representative couldn’t say how long the site had been down or how long it would be until service was resumed.


Google rolls out initiative to help hacked sites

From a CNET News post on Google's effort to help hacked sites: It's not pretty when a Web site gets a "this site may be compromised" or "this site may harm your computer" status note in search results. Many webmasters and Web site owners are at a loss about what to do in these situations.

For this reason, Google has launched the "Help for Hacked Sites" informational series, a dozen articles and videos aimed at helping site owners avoid having their sites hacked and at teaching them how to regain control of compromised sites.
