Oct 16, 2012
Guest Tech Segment: Charlie Eriksen on Wordpress plugin security
In this technical segment, we will look at Charlie Eriksen's research into Wordpress plugin security. By searching large amounts of code for patterns that are often written insecurely, it is possible to find a large number of vulnerabilities in plugins running on thousands of Wordpress sites across the internet.
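As an added illustration of the pattern-search approach described above (this is example code written for these notes, not Charlie Eriksen's tooling), the script below scans plugin-style PHP source for request superglobals that reach an output or database sink on the same line without a WordPress sanitizer or `$wpdb->prepare()`. The sample plugin snippet, the sanitizer list and the single-line heuristic are assumptions made for the example.

```python
import re

# Constructed sample of plugin-style PHP (not a real plugin): two risky lines, two safe ones.
SAMPLE_PHP = """<?php
$q = $_GET['q'];
echo "Results for " . $_GET['q'];
echo esc_html( $_GET['q'] );
$wpdb->query( "SELECT * FROM {$wpdb->posts} WHERE ID = " . $_POST['id'] );
$wpdb->query( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $_POST['id'] ) );
"""

# Request-controlled input that an auditor wants to trace to a sink.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Assumed set of escaping / sanitizing helpers that make a line uninteresting.
SANITIZERS = ("esc_html", "esc_attr", "esc_url", "sanitize_text_field",
              "intval", "absint", "wp_kses", "->prepare")
OUTPUT_SINK = re.compile(r"^(echo|print)\b")
SQL_SINK = re.compile(r"\$wpdb->(query|get_results|get_var|get_row)\s*\(")


def is_sanitized(line):
    """True when any known sanitizer appears on the line (coarse, same-line only)."""
    return any(s in line for s in SANITIZERS)


def scan_php(source):
    """Return (line_no, category, text) for lines where a superglobal meets a sink.

    Heuristic: the superglobal and the sink must share a line; assignments such as
    `$q = $_GET['q'];` followed by a later `echo $q;` are not tracked.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not SUPERGLOBAL.search(line) or is_sanitized(line):
            continue
        stripped = line.strip()
        if OUTPUT_SINK.match(stripped):
            findings.append((lineno, "output", stripped))   # possible reflected XSS
        elif SQL_SINK.search(stripped):
            findings.append((lineno, "sql", stripped))      # possible SQL injection
    return findings


if __name__ == "__main__":
    for lineno, category, text in scan_php(SAMPLE_PHP):
        print(f"line {lineno} [{category}]: {text}")
```

Running it on the sample reports line 3 as an unescaped output sink and line 5 as an unprepared query; the escaped and prepared variants are skipped. Hits are leads for manual review, not confirmed bugs.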
Stories
How Your #Naked Pictures Ended Up on the Internet
The Security-Conscious Uncle - Yea, I'm talking about ATM card security. After reading this, and hearing my thoughts and views on Debit cards, I want to keep my money in my own safe. Banks make it so hard to keep your money secure. I don't want a Debit card, it's a ridiculous concept that only benefits the bank. I want more than a 4-digit PIN number too. My best advice is to only tie your ATM card to an account with a small amount of cash to limit damages, if your bank even allows you to do that.
No homecoming queen vote if you don't wear RFID tag? - I'm sorry, I don't want to wear an RFID tag. Tracking students has gotten way out of control. I proved how you can clone RFID tags in a MA CCDC competition. So, students, if you want a lesson on how to become any one of your classmates, please come find me.
Hacker wins $60 - Don't get me wrong, I think this is a good thing. The more we encourage legit folks to find vulnerabilities, the better.
Firefox 16 pulled offline following security flaw find - Firefox is becoming the new IE!
Mobile Brings a New Dimension to the Enterprise Risk Equation - I think I've solved the BYOD problem, just buy all employees brand new iPhone 5s, manage them with an MDM (like Apple Profile Manager) and everyone is happy. I think this comes down to giving the people what they want.
Reporting Mistakes - I agree that we need to be forthcoming about where security has failed. I don't get it. First, talking about the exact way to exploit a 0day makes it easier for more people to exploit it. Learning of a 0Day exploit, and the details, gives us a fighting chance to defend ourselves. I think there has to be some quiet time if you want to involve the vendor, then you gotta tell people. It also depends on the nature of the 0day, maybe the vendor won't listen, or maybe it's a 0Day in the DNS protocol.
James Bond's Dry Erase Marker: The Hotel PenTest Pen - SpiderLabs Anterior - This is just way too super cool, best usage of Arduino and Dry Erase marker EVER (maybe the only usage of the two together).
HP Communities - CISO Concerns - Security vs. Usability - CISOs love to bat around terms like security, usability, compliance, affordability, ROI, etc... These are fine, in the right context, but let's not forget, you have the word security in your title, and at some level you have to prevent people from getting pwned. Sometimes I think we lose sight of that.