🗓️ 11 July 2016
⏱️ 5 minutes
0:00.0 | Hello, welcome to the Monday, July 11th, 2016 edition of the SANS Internet Storm Center's Stormcast. |
0:07.5 | My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. |
0:11.8 | A couple weeks ago, I talked about how security cameras are being used to launch DDoS attacks. |
0:18.7 | Back then, the story was somewhat raw, without a lot of details. Rob now has |
0:24.6 | an interesting story looking at the web server being used by many of these security cameras. |
0:30.9 | Turns out this is the Boa web server. This small web server seems to be very popular with these security |
0:37.3 | cameras, even though |
0:38.7 | the last update was released over 10 years ago, in February 2005. Since then, vulnerabilities have |
0:47.6 | been discovered in this web server, but the web server itself has not been updated. Despite that, several of these camera vendors continue to use this outdated version of the Boa web server. |
1:02.0 | So Rob took a look at these vulnerabilities, which are pretty easily exploited, and also gives you some hints as to how to find this web server on your |
1:13.6 | network because, well, it's just a time bomb ticking there, waiting to be exploited. |
1:19.6 | Outdated code like this that cannot be patched, default passwords, and insecure protocols like |
1:25.6 | Telnet: all of this is really the domain of industrial control systems. |
1:31.6 | Kevin Liston recently took the industrial control system security class, or ICS security class, and he summarized in a diary some of the lessons he learned, like, for example, network isolation and how |
1:45.8 | applicable they are to other networks as well. Interesting diary; if you wonder about the |
1:53.1 | lessons he learned, well, take a look at it. And let's stick with devices here for another |
1:57.5 | story, and that's, well, cars. We haven't heard about car hacking in a while. This |
2:02.1 | latest story is about the BMW connected car portal. In this portal you can essentially manage |
2:10.3 | and remote control some features of your car, and apparently they don't validate VINs correctly when you add them. |
2:20.2 | With that, you can then essentially add arbitrary cars to your account and gain control over these cars. |
2:28.7 | In addition, there is also a cross-site scripting vulnerability in that portal that could be exploited in order to |
2:36.3 | inject JavaScript and control a user's browser. |