Meterpreter plus the espia plugins would probably make for a good demo.
________________________________
From: [email protected]
<[email protected]>
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Sent: Sat Mar 27 09:14:54 2010
Subject: [Pauldotcom] Tips for not looking stupid on TV?
I'm guessing the reported just did a Google search for Louisville and
hacking and came up with me. He basically asked " I’m writing to see if you
would like to help me with a story we’re doing. It is about a hole in Microsoft
security in Internet Explorer that allows hackers to spy on people through
their webcams. Is it possible? How does it work? And can you show us for the
purposes of a story?" I was not aware of anything specific to webcams and IE,
but he sent me a clipping and I think he was basing it on this:
http://www.youtube.com/user/MichaelSias#p/u/11/8DtgG58aIBw
I told him:
1. Looks like they are relating it to Operation Aurora.
2. It's not really Web cam specific, any vulnerability that say it allows for
"arbitrary code execution" could do the same thing.
3. Most of the buzz seems to be talking about IE 6, which it pretty out of
date. However, some corporations still run int because it it what their webapps
support.
4. The specific vulnerability is CVE-2010-0249 and code for the exploit can be
found here:
http://www.exploit-db.com/exploits/11167
5. Microsoft has release a patch for it:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
6. If a user is silly enough to run a random exe a website/email/p2p network
gives them, they will likely get "owned" regardless of the whither on not there
is an exploit.
7. There are programs out their that can be used to monitor others. An exploit
that allows for "arbitrary code execution" can install one in theory, but so
could a snooping significant other.
8. Google hacking/Google dorks are always fun. Basically, people put devices on
an Internet facing LAN that should not. Beside webcams, you can also fine
printers and other devices. Try these Google searches:
intitle:"Live View / – AXIS"
inurl:/cgi/ieng
inurl:hp/device/this.LCDispatcher
Or a big list from here:
http://www.hackersforcharity.org/ghdb/?function=summary&cat=18
Any tips on how to best deal with the media? Is there a webcam related IE
exploit out there I'm not aware of, or is is just a case of "one of the things
people can do with arbitrary code execution"?
Thanks,
Adrian
******************************************************************************
This email contains confidential and proprietary information and is not to be
used or disclosed to anyone other than the named recipient of this email,
and is to be used only for the intended purpose of this communication.
******************************************************************************_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
