internetnews.com's Sean Michael Kerner is at Black Hat DC 2009, and he's got some fascinating information from it on his blog.
He has four stories:
1) One presenter claims you can hack a satellite feed with less than $1000 worth of equipment. Please note that the hacker is not controlling the satellite itself; instead, he's looking for feeds that are not public but that are broadcast over satellite.
2) Another presenter said that users of Adobe Flash are creating implementations that are defective by design, at least in security terms. One common error involves files that have the username and password hardcoded into them. She showed that these vulnerable files can be found with a simple Google search.
3) A presenter posited the possibility of a novel attack on browsers that stores executable code in the offline data cache, but said that this attack is not yet a serious threat.
4) Hacking SSL is the fear of every web host. Moxie Marlinspike demonstrated an attack that involves tricking a browser into thinking it's in a secure SSL session when in fact the browser is not in such a session. Marlinspike obtained login information for Gmail, Yahoo, PayPal, Facebook, etc. and then discarded that information. Marlinspike could not think of any way to fight the attack, but Kaminsky reminded attendees that DNSSEC would protect against this attack.
This year's conference does not contain the kind of blockbuster vulnerability that Kaminsky demonstrated last year (see The DNS Vulnerability and the ISP). So please reread last year's article on the DNS vulnerability and please implement DNSSEC if possible.