This is some pretty creative stuff with an mp3 player, although the link is kinda vague on any details about anything really.
The shimming attack also mentioned sounds very neat, but again a lack of details.
I find his opinions on things very interesting, and he has a habit of approaching things totally differently than a lot of other security guys and limits the "sky is falling" talk.
The link is a good 25 minute talk, worth listening to, or watching.
The key to successfully recovering after any incident is having a plan. This is why you need to understand good incident handling procedures and practice them!
It's always best to have these steps written down, so here they are for your Gmail account.
This is also a good reminder to ensure your account recovery settings are up to date, and make sure to include an SMS number.
Unfortunately, if you are not in your account when something like this happens you are already too late: once your password is reset it may take a while to regain access to it.
I can understand why the FTC would want to have someone with this skill set, but looking into his past would make all sorts of alarm bells go off.
Even the stuff he pulled while working for them, I would have liked to have been around for the conversations that management was having after all those. And the conversations before he was hired, about how they justified the risk of hiring this guy; if he is the one they picked, what the heck were the guys they turned down like?
Well I know I have liked this in the past when I saw it fire off on myself when traveling. At that time it seemed to have worked immediately. I have always wondered if it would really work.
I can say for now that it does, but not as fast as I thought it would.
My account was accessed from an IP in China; looks like my wife picked up a trojan on her Mac. That in itself is full of awesome.
Good: not sharing multiple passwords across multiple sites.
Bad: having all of that account information in one place.
Luckily I was sitting on it right when it happened, so I was able to stay logged in, log out all of the other sessions and change the password.
Let's not do that again.
Another challenge to do. I have been doing a lot of research into exploiting with PDFs, so it's nice timing for this. I hope to have some information posted soon on what I have been doing and the results of my testing.
But I think I am going to have to stop that for a while to do this!
How much further can clickjacking in Facebook go?
Right now the main ones that I have seen are working either to gather information (or are just a proof of concept) or to try to use a browser vulnerability on the redirected page to infect the host.
Another, from the Sophos blog, tries to get you on a monthly cell plan.
What else could you do?
What about harvesting Facebook passwords? What good is that? Well, I can't say the number, but I bet there are more people than not that use the same password for everything! You could also use this in password research, combining information such as what people do, age, work history, and geographical location to build a model for what kind of password they would use. Why not?
I could also see targeted spear phishing attacks with clickjacking.
Sounds like something fun!
Well this did work a few weeks ago.
Until a week or so ago, someone could use an IPS evasion module in Metasploit to pass attacks through a SonicWall. This involved using DCE / RPC Fragmentation which fragments the packets during the NetBIOS session setup.
This has been known since at least 2006 or so, when Snort implemented a dynamic pre-processor to handle this in its engine. Several other UTMs have the ability to detect this type of traffic, most of them based on the Snort pre-processor.
Last week I was successfully getting ms10_061 past the SonicWall's IPS engine and AV engine using the fragmentation. I did not specifically choose ms10_061, but it was in the list of top 10 blocked attacks on the dashboard.
Turn off the Frag,
Right through like Jim Morrison.
I reported the issue to SonicWall and, after some debate, there is a new signature.
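The reason fragmentation slips past an engine that only inspects one PDU at a time is that the signature bytes end up split across fragments. The following is an added example, not code from Metasploit, Snort or SonicWall: it builds connection-oriented DCE/RPC request fragments from a constructed stub, then shows a naive per-fragment match missing a marker that a reassembly-then-match check catches. The marker string is constructed and stands in for whatever a real signature would look for.

```python
import struct

# Connection-oriented DCE/RPC constants (Open Group C706 header layout).
PFC_FIRST_FRAG, PFC_LAST_FRAG, PTYPE_REQUEST = 0x01, 0x02, 0
HDR = "<BBBBIHHI"  # vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
REQ = "<IHH"       # alloc_hint, context_id, opnum

def build_request_fragments(stub, frag_size, call_id=1, opnum=0):
    """Split one request's stub data into several DCE/RPC request PDUs (constructed sample traffic)."""
    pieces = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)] or [b""]
    pdus = []
    for idx, piece in enumerate(pieces):
        flags = (PFC_FIRST_FRAG if idx == 0 else 0) | (PFC_LAST_FRAG if idx == len(pieces) - 1 else 0)
        body = struct.pack(REQ, len(stub), 0, opnum) + piece
        pdus.append(struct.pack(HDR, 5, 0, PTYPE_REQUEST, flags, 0x10, 16 + len(body), 0, call_id) + body)
    return pdus

def reassemble_requests(pdus):
    """Stitch request fragments back together per call_id; returns [(call_id, opnum, stub), ...]."""
    pending, complete = {}, []
    for pdu in pdus:
        if len(pdu) < 24:
            continue  # too short to carry a request header
        vers, _, ptype, flags, _, frag_len, _, call_id = struct.unpack(HDR, pdu[:16])
        if vers != 5 or ptype != PTYPE_REQUEST or frag_len != len(pdu):
            continue  # malformed request PDU; a real engine would raise an event here
        _, _, opnum = struct.unpack(REQ, pdu[16:24])
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = (opnum, bytearray())  # (re)start the buffer for this call
        if call_id not in pending:
            continue  # middle/last fragment with no first fragment seen: drop it
        pending[call_id][1].extend(pdu[24:])
        if flags & PFC_LAST_FRAG:
            opnum, buf = pending.pop(call_id)
            complete.append((call_id, opnum, bytes(buf)))
    return complete

def match_per_fragment(pdus, pattern):
    """Naive signature check on each fragment's stub bytes in isolation."""
    return any(pattern in pdu[24:] for pdu in pdus)

def match_reassembled(pdus, pattern):
    """The same signature check, applied after fragment reassembly."""
    return any(pattern in stub for _, _, stub in reassemble_requests(pdus))

# Constructed sample: a marker string standing in for a signature, split across two fragments.
MARKER = b"CONSTRUCTED_MARKER"
SAMPLE_STUB = b"A" * 10 + MARKER + b"B" * 10
SAMPLE_PDUS = build_request_fragments(SAMPLE_STUB, frag_size=16, call_id=7, opnum=0x11)

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(SAMPLE_PDUS, MARKER))  # False: evaded
    print("reassembled match:", match_reassembled(SAMPLE_PDUS, MARKER))    # True: caught
```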
I love it when people do all of the work for you.
Firesheep is a Firefox plugin to hijack Facebook sessions, and it looks really good.
There is a slide show here
With a short demo.
Here is a shot of the capture running.
This will work with twitter, facebook, and google.
Anything that does not keep an SSL connection is in trouble. So far it supports Windows and OS X, but you need the PCAP libs installed for it to work.
Remember, on Windows that's LibPCAP.
Not that this is anything special; it's the remediation steps that caught my eye. Also the number of platforms affected.
Just delete the lib!
Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x - UNIX
1) Go to the installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."
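Renaming beats deleting here because it is reversible once a patched build ships. The script below is an added example, not Adobe's own tooling: it audits the library locations quoted in the advisory above and renames whatever is present to a ".disabled" name, with a dry-run mode for inventory. The macOS entries assume the usual "<App>.app/Contents/Frameworks" bundle layout implied by the Show Package Contents steps; the UNIX entries are relative to the Adobe install folder, which the caller passes as `root`.

```python
from pathlib import Path
import tempfile

# Library locations taken from the advisory text above. macOS bundle paths are an assumption
# based on the "Show Package Contents -> Contents -> Frameworks" steps.
AUTHPLAY_LOCATIONS = {
    "windows": [r"C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll",
                r"C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll"],
    "macos": ["/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle",
              "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/Frameworks/AuthPlayLib.bundle"],
    # UNIX paths are relative to the Adobe install folder, so they are joined with `root` below.
    "unix": ["Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0",
             "Reader9/Reader/intelsolaris/lib/libauthplay.so.0.0.0"],
}

def _resolve(entry, root):
    p = Path(entry)
    return p if p.is_absolute() else Path(root) / p

def authplay_present(platform, root="/"):
    """Return the AuthPlay library paths that still exist on this host (audit before and after)."""
    return [str(p) for p in (_resolve(e, root) for e in AUTHPLAY_LOCATIONS[platform]) if p.exists()]

def disable_authplay(platform, root="/", dry_run=True):
    """Rename each present library (or .bundle directory) to <name>.disabled so Reader cannot load it.
    Returns the (source, destination) pairs that were, or with dry_run would be, renamed."""
    actions = []
    for entry in AUTHPLAY_LOCATIONS[platform]:
        src = _resolve(entry, root)
        if not src.exists():
            continue
        dst = src.with_name(src.name + ".disabled")
        if not dry_run:
            src.rename(dst)
        actions.append((str(src), str(dst)))
    return actions

def demo():
    """Exercise the functions against a constructed Reader 9 tree in a temp dir (no real install touched)."""
    root = Path(tempfile.mkdtemp())
    lib = root / "Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0"
    lib.parent.mkdir(parents=True)
    lib.write_bytes(b"constructed placeholder, not a real library")
    before = authplay_present("unix", root)
    planned = disable_authplay("unix", root, dry_run=True)   # inventory only
    done = disable_authplay("unix", root, dry_run=False)     # actually rename
    after = authplay_present("unix", root)
    return len(before), len(planned), len(done), len(after), lib.with_name(lib.name + ".disabled").exists()
```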
NIST has a little more information.
I really just want to know what the purpose of the DLL file is, but that seems to be hard to find.