Your daily source of Pwnage, Policy and Politics.

Episode 607 – Pentest Lessons, Live from RSA, and “No Decrypt for you”

InfoSec Daily Podcast Episode 607 for February 29, 2012.  Tonight's podcast is hosted by Rick Hayes, Dave Kennedy, Boris Sverdlik, Beau Woods, Adrian Crenshaw, Karthik Rangarajan, Geordy Rostad, Themson Mester, Dr. Bonez, and Varun Sharma.
 

Announcements:

Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington

When: July 21-24, 2012
Where: Black Hat Vegas

When: August 20-24, 2012
Where: Bristol, UK

When: November 12-16, 2012
Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

InfoSec Southwest
When: March 30-April 1
Where: Austin, TX
http://www.Infosecsouthwest.com

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!
 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014

Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

Defcon 20
When: July 26-29, 2012
Where: Rio Hotel and Casino – Las Vegas, NV
http://defcon.org/
CFP & Room reservations now open!

DerbyCon 2012 – The “Deuce” Reunion
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone who has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to and locate the Affiliate Program link on the right hand side.


Pentest Lessons:

  1. During a pentest, if you upload a web shell to a website, at least password-protect it so that nobody else can make use of it too. ;-)
  2. If you tell the customer you will have their report on a particular date, then you had better make every effort to meet that deadline!
  3. After a pentest, make sure you clean up after yourself (i.e. do not leave the systems worse than you found them).
  4. Popping a server with the same account you created on the previous year's pentest is probably more than just cheating.
  5. If your IP is included in the assessment scope (internal NVA/PT), make sure to remove any findings from the report that relate to your own box.
  6. When performing a pentest, make sure that the box you are targeting is not your own box (or a VM on your box).
  7. Always back up your pentest/assessment data. You never know when the hard drive in your system will decide to die!

 

Stories

Source:  http://www.wired.com/threatlevel/2012/02/laptop-decryption-unconstitutional/

Forcing a criminal suspect to decrypt hard drives so their contents can be used by prosecutors is a breach of the Fifth Amendment right against compelled self-incrimination, a federal appeals court ruled Thursday.

It was the nation’s first appellate court to issue such a finding. And the outcome comes a day after a different federal appeals court refused to entertain an appeal from another defendant ordered by a lower federal court to decrypt a hard drive by month’s end.

Thursday’s decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of forcing testimony.

The case at hand concerns an unidentified “Doe” defendant believed to be in possession of child pornography on 5 terabytes of data on several drives and laptops seized in a California motel with valid court warrants.

The Atlanta-based circuit held:
First, the decryption and production of the hard drives would require the use of the contents of Doe’s mind and could not be fairly characterized to a physical act that would be non-testimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control and access to the encrypted portions of the drives; and of his capability to decrypt the files.

The court added: “Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory.”
….

Episode 606 – 45 Days, Riskiest Online Cities, PostgreSQL, S. 2105, and NORIS

InfoSec Daily Podcast Episode 606 for February 28, 2012.  Tonight's podcast is hosted by Rick Hayes, Themson Mester, and Varun Sharma.
 

Stories

Source:  http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=688

When a hacker manages to penetrate Air Force computer networks, it generally takes experts more than a month to piece together what went wrong.

A forensics investigation into a network breach lasts an average of 45 days, said Arthur L. Wachdorf, senior advisor for intelligence and cyber-operations for the 24th Air Force, the organization that operates and defends the service’s networks.

“That’s way better than we used to be, but that’s not tactically acceptable,” he told an AFCEA information technology conference in Tysons Corner, Va.

The Air Force needs hardware and software that leaves no back doors to the network open, officials said. Currently, if hackers find a hole they can unload “truckloads of information” without the service even knowing they were even on the network, said Lt. Gen. Marc Rogers, inspector general of the Air Force.

Officials asked for industry help to improve its ability to watch over the network and detect and respond to unauthorized activity.

“We can do some but not enough,” Rogers said. “All of our cyber-moats and fort walls and locks and doors we build aren’t quite good enough.”

Companies looking for business opportunities in this arena should turn to Air Force Space Command.

“That’s where we’re going to spend our money,” said Lt. Gen. William Lord, chief of warfighting integration and chief information officer of the Air Force.
….
Source:  http://www.symantec.com/about/news/release/article.jsp?prid=20120215_01

Norton teamed up with independent research firm Sperling’s BestPlaces to uncover the nation’s top 10 cities that have the highest number of cybercrime risk factors.

This year marks the second time Norton and Sperling’s BestPlaces have collaborated to highlight the various factors that contribute to potential risk.

The Top 10 Riskiest Online Cities in the U.S. are:

#1 – Washington, D.C.
#2 – Seattle
#3 – San Francisco
#4 – Atlanta
#5 – Boston
#6 – Denver
#7 – Minneapolis
#8 – Sacramento, Calif.
#9 – Raleigh, N.C.
#10 – Austin, Texas

Cities with the greatest risk factors do not necessarily correlate with the highest infection rates, reflecting the fact that many consumers are taking precautions to keep themselves safe.
….
Source:  http://www.forbes.com/sites/jodywestby/2012/02/27/cyber-legislation-will-cost-businesses-and-hurt-economy/

Most businesses have paid little attention to the sweeping cybersecurity legislation introduced on Valentine’s Day by Senators Lieberman, Collins, Rockefeller, and Feinstein, even though it could be one of the most expensive and intrusive pieces of legislation proposed since Sarbanes-Oxley.  Intended to help protect the nation against a major cyber attack by improving the security and resiliency of the computer systems of critical infrastructure companies, the Cybersecurity Act of 2012 (S. 2105) actually would put a federal agent inside most of these businesses’ data centers and require assessments and reporting that could make Sarbanes-Oxley seem inexpensive.

Since 1998, the number of critical infrastructure sectors, now designated by Homeland Security Presidential Directive-7, has grown from six to eighteen, encompassing a huge number of U.S. businesses.  Each designated sector is aligned with a federal agency (referred to as a Sector-Specific Agency) that is tasked with identifying key risks and vulnerabilities associated with systems and assets within the sector. For example, the banking and financial sector is assigned to the Treasury Department, electricity grids are assigned to the Energy Department, and transportation systems are assigned to the Department of Transportation and Coast Guard.  This coupled and stove-piped approach has not been emulated globally because it is not sustainable and, for the most part, cyber attacks are not sector-specific – they involve civilians and rapidly spread across sectors.
….
Source:  http://www.h-online.com/security/news/item/PostgreSQL-updates-close-security-holes-1444327.html

The PostgreSQL development team has published updates for all actively supported branches of its open source relational database to fix bugs and close security holes found in the previous releases.

Versions 9.1.3, 9.0.7, 8.4.11 and 8.3.18 correct a problem that prevented permission checks from being performed and a bug that may result in the successful verification of a spoofed SSL certificate. An input sanitisation error that could be used to execute code when loading a pg_dump file has also been fixed.

These vulnerabilities could be exploited by an attacker to bypass some security restrictions or conduct spoofing attacks and manipulate data. Versions up to and including 9.1.2, 9.0.6, 8.4.10 and 8.3.17 are affected; all users are advised to upgrade.

Further information about the updates, including a full list of fixes and changes, can be found in the 9.1.3, 9.0.7, 8.4.11 and 8.3.18 release notes. The new versions of PostgreSQL are available to download from the project's site. Source code for PostgreSQL is made available under the terms of the PostgreSQL License, described as "a liberal open source licence, similar to the BSD or MIT licences".
….
Source:  http://www.wtol.com/story/17011513/noris-computer-system-shut-down-over-virus

A critical computer network is down after falling victim to a sophisticated worm. Friday, that system is down for the third day, impacting about 200 different agencies, including police departments, jails and courts all over northwest Ohio.

A computer worm infected the Northwest Ohio Regional Information System this week, causing a shutdown of the system Wednesday. It is still unclear what caused the problem, but system administrators believe it was unlikely from hacking.

The Toledo Police Department uses the system to check for warrants, criminal histories, mug shots and other records on their laptops while patrolling.

The TPD said they do have other systems to use for accessing records while experts from NORIS work around the clock to fix the problem, but it is slowing down their work.

"We're unable to run records, check license plates and other things of that nature through NORIS. We have other means of doing it, but this clearly is slowing us down," explained Sgt. Kelly Thibert of the Oregon Police Department.

The Toledo Municipal Court has a fully computerized record-keeping system, but is having trouble without case numbers. In fact, three dozen workers stayed home Friday. Court proceedings did go on as planned Friday with information recorded by hand, but it will all need to be entered into the system once the problem is resolved.

"Unfortunately, this is having a major impact on our operations. This is the one thing we were told could not happen to us and it has happened to us," said Vallie Bowman-English, a clerk at the Toledo Municipal Court.

Technicians at NORIS headquarters are working nonstop to battle the worm, in what has essentially become a game of whack-a-mole.

"Our virus protection software identifies it and says it's removing it, but it's actually popping back up," explained System Director Pat Wright.

While still unsure what caused the worm, Wright is confident NORIS was not hacked.

"We do not know patient zero where it popped up. It kind of showed up on a bunch of desktops at once," said Wright.

Technicians are working on bringing servers online one by one. If that strategy fails, they may need to rebuild the entire system from scratch.
….
 

