Dumb and dumber: Media circus meets police thuggery at AusCERT
The publication of allegedly stolen, private photographs by Fairfax Online was eclipsed in stupidity only by the QLD Police Service's decision to seize the iPad of journalist Ben Grubb at the AusCERT conference on Tuesday.
Every time the coppers raid media organisations to seize computers and documents in order to track down, say, the source of an embarrassing political leak, it pisses me off something awful.
The lack of respect shown to the media and its sources by governments -- both state and federal -- in this country is pretty astonishing.
Hello Pat,
Do you know when Cisco or HackLabs are intending to publish the advisories from this AusCERT tutorial?
I can't find anything on the web site of HackLabs and our Cisco security sales rep tells me that they had to attend the tutorial which they refused and this sounds like blackmail to me but I am not sure who to believe?
It seems funny to comment about a HackLabs tutorial on VoIP security issues on a post that references neither...
I didn't go to the tutorial, but most VoIP hacking demos I've seen show students how to exploit weaknesses in configuration and don't necessarily involve the exploitation of some K-Rad 0day.
And personally I wouldn't trust anything a SalesaTron 2000 says, especially when Cisco is actually on record supporting the talk:
http://www.allvoipnews.com/cisco-voip-phones-part-of-security-weakness-d...
So no, I don't think anyone is blackmailing anyone, and yes, your Cisco rep is full of shit. No advisory is required if no new vulnerability is demonstrated.
Hello Pat,
I brought up the tutorial because it was mentioned in the first comment at the top.
Anyway, I sent the allvoipnews article to my account manager and they responded that was not the entire quote.
When I pressed them they highlighted "A spokesman for Cisco says the company has "reached out to the conference organizers and speakers for more details. At this point we have no information to suggest any undisclosed product vulnerabilities, but we will assess any new information and respond in line with our well-established process for the public reporting of security vulnerabilities," which are identified here." from http://www.pcworld.com/businesscenter/article/227888/cisco_voip_phones_t...
I have some unanswered questions from Cisco considering if these were known vulnerabilities with patches then why would this fact be withheld by HackLabs?
I can't see that anything has been withheld from anyone. Your comments are kinda reading like anti-HackLabs trolling at the moment, but whatever.
Have you ever seen a VoIP security tutorial before? Most of the issues involve customers failing to enable security features like encryption... SIP issues etc etc etc.
It isn't a matter of finding traditional "vulnerabilities" -- it's about exploiting gaps in poor configurations.
I'm having a bit of trouble following your grammar, also. The last paragraph doesn't make a great deal of sense... It's a grammar style that is oddly familiar to me, too...
Hello Pat,
We didn't remotely activate the handset as a listening device with SIP during the SANS self study course but didn't use Cisco either for the lab.
It might be an old vulnerability of Cisco IOS which I patched during the upgrade?
I am trying to avoid the politics and conflicting stories I hear of the conference and just want some clarity if new vulnerabilities were disclosed since my RSA rep still tells me I have nothing to worry about :-)
Chris Gatford handled this situation like a professional should. He got on with the conference despite the shit-storm going on around him. He attended all of the remaining conference events after the lame Heinrich presentation and then the publication of the Grubb article (that never should have seen the light of day) as if nothing was wrong. He and Peter also delivered a successful VoIP hacking training session yesterday. A lesser person would have folded under the pressure.
Personally I think anyone that has to go through someone's family to get to them is a coward. I would have been more inclined to resort to physical violence, but that's just me.