Well, they took very little of what I said, and played up the voyeur aspect (I told them webcams were not that big a worry, but drive by bot installs were). Also, I'm currently now being hired as a pentester, so the part about me being hired to break into other boxes is not quite accurate. Still, it could have been worse:
http://www.whas11.com/home/Eyes-on-you-Beware-Internet-hackers-on-your-webcam-92464624.html Thanks, Adrian On Sun, Mar 28, 2010 at 7:00 PM, Adrian Crenshaw <[email protected]>wrote: > Mick and Robin, Thanks. Russ, I'm looking into Espia now. > > > Adrian > > On Sat, Mar 27, 2010 at 1:43 PM, Butturini, Russell < > [email protected]> wrote: > >> Meterpreter plus the espia plugins would probably make for a good demo. >> >> ------------------------------ >> *From*: [email protected] < >> [email protected]> >> *To*: PaulDotCom Security Weekly Mailing List < >> [email protected]> >> *Sent*: Sat Mar 27 09:14:54 2010 >> *Subject*: [Pauldotcom] Tips for not looking stupid on TV? >> >> I'm guessing the reported just did a Google search for Louisville >> and hacking and came up with me. He basically asked " I’m writing to see if >> you would like to help me with a story we’re doing. It is about a hole in >> Microsoft security in Internet Explorer that allows hackers to spy on people >> through their webcams. Is it possible? How does it work? And can you show >> us for the purposes of a story?" I was not aware of anything specific to >> webcams and IE, but he sent me a clipping and I think he was basing it on >> this: >> >> http://www.youtube.com/user/MichaelSias#p/u/11/8DtgG58aIBw >> >> I told him: >> >> 1. Looks like they are relating it to Operation Aurora. >> >> 2. It's not really Web cam specific, any vulnerability that say it allows >> for "arbitrary code execution" could do the same thing. >> >> 3. Most of the buzz seems to be talking about IE 6, which it pretty out of >> date. However, some corporations still run int because it it what their >> webapps support. >> >> 4. The specific vulnerability is CVE-2010-0249 and code for the exploit >> can be found here: >> http://www.exploit-db.com/exploits/11167 >> >> 5. Microsoft has release a patch for it: >> http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx >> >> 6. If a user is silly enough to run a random exe a website/email/p2p >> network gives them, they will likely get "owned" regardless of the whither >> on not there is an exploit. >> >> 7. There are programs out their that can be used to monitor others. An >> exploit that allows for "arbitrary code execution" can install one in >> theory, but so could a snooping significant other. >> >> 8. Google hacking/Google dorks are always fun. Basically, people put >> devices on an Internet facing LAN that should not. Beside webcams, you can >> also fine printers and other devices. Try these Google searches: >> >> intitle:"Live View / – AXIS" >> inurl:/cgi/ieng >> inurl:hp/device/this.LCDispatcher >> >> Or a big list from here: >> http://www.hackersforcharity.org/ghdb/?function=summary&cat=18 >> >> >> Any tips on how to best deal with the media? Is there a webcam related IE >> exploit out there I'm not aware of, or is is just a case of "one of the >> things people can do with arbitrary code execution"? >> >> Thanks, >> Adrian >> >> >> >> ****************************************************************************** >> This email contains confidential and proprietary information and is not to >> be used or disclosed to anyone other than the named recipient of this email, >> and is to be used only for the intended purpose of this communication. >> ****************************************************************************** >> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
