Your daily source of Pwnage, Policy and Politics.

Episode 204 – Oracle & Google, “Wall of Sheep” & Data leakage

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 204.mp3[/podcast]
ISDPodcast Episode 204 for August 31, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). This discount expires Sept. 1st.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hack3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org
MyHardDriveDied.com:

News Item 1:  http://www.techworld.com.au/article/358564/microsoft_won’t_stop_net_android
Oracle’s patent and copyright lawsuit against Google for its use of Java in Android won’t be repeated by Microsoft if .Net is used on the Linux-based mobile operating system instead. Director of the open source technology centre at Microsoft Tom Hanrahan said the Community Promise allows projects like Mono to fully support its technology. “The type of action Oracle is taking against Google over Java is not going to happen,” Hanrahan said. Microsoft’s Community Promise has made the .Net runtime and C# specifications available to Miguel de Icaza and the Mono project developers. “If a .Net port to Android was through Mono it would fall under that agreement,” he said. Novell has already developed MonoTouch for Apple’s iOS-based devices like the iPhone and iPad, and a Mono port to Android, dubbed “MonoDroid”, is on the roadmap, due for a preview release in Q3 this year.
Oracle’s complaint against Google centres around its development of the Dalvik virtual machine that can run applications written in Java. Dalvik is not an officially sanctioned Java runtime environment, however Sun did initially praise Google for supporting Java on Android. Mono developer Miguel de Icaza is not concerned about legal challenges by Microsoft over .Net implementations and wrote on his blog that Google could switch from Java. “Google could settle current damages with Oracle, and switch to the better designed, more pleasant to use, and more open .Net platform,” de Icaza wrote.

News Item 2: http://blogs.forbes.com/andygreenberg/2010/08/26/researcher-creates-clearinghouse-of-14-million-hacked-passwords/
The “Wall of Sheep” has become a cherished tradition at the annual Defcon hacker conference in Las Vegas: Anyone foolish enough to use the local wireless network at the hotel will likely have his or her username and password stolen, and later see those vital digital details projected onto a screen for thousands of attendees to see.

Now Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site – 14,488,929 distinct passwords to be exact, collected from 32,943,045 users.

Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of RockYou.com, a social networking applications site penetrated by cybercriminals using SQL injection. Another 180,000 were spilled when the bulletin board software site phpBB was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.

Bowes, a consultant with Dash9 Security and a developer for the security scanner Nmap, says he collected the passwords to help researchers figure out how users choose passwords and make the authentication process more secure. The site he’s assembled is a wiki, so anyone can update it with new breached password lists. “Since I created it, I’ve had exceptionally good feedback from researchers around the world,” Bowes wrote on his blog. “As far as I know, it’s the best collection of breached passwords anywhere.”
News Item 3: http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=227101757&subSection=Storage+security

[Notes Keith - While the amount of data leaked continues to increase, many companies are still hesitant to enforce proper egress controls for access to social networking sites, implement policies regarding their use, or implement multi-level content filtering solutions. Checking web traffic for access to Playboy is not the sole purpose of a content filtering solution. As with all portions of a properly created security program, the technology must be used to enforce the policies. If the policies don't define the limitations, the technology will fail to meet the needs. With that, there needs to be constant monitoring and proactive response by the responsible parties when sensitive information is detected which may be exiting the network. Policies must be definitive; any vagueness in the policies may render them void should a termination turn into an unemployment or criminal proceeding.

Twenty percent of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site

Seven percent of companies terminated an employee for social networking policy violations.

Twenty percent disciplined an employee for such violations.

Fifty-three percent explicitly prohibit the use of Facebook, while 31 percent explicitly prohibit use of LinkedIn.

Fifty-six percent are highly concerned about data loss via email sent from mobile devices.

Twenty-two percent investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices or storage media in the past 12 months.

Fifty-eight percent of respondents say that budget constraints have negatively impacted their organization's ability to protect confidential, proprietary, or sensitive information.

For those companies not able to afford commercial offerings due to budgetary restraints, there are numerous open source solutions that are able to perform DLP/content management with little impact and little initial monetary outlay (Snort, Squid, SquidGuard, OSSEC).]
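
What the content-inspection side of that looks like, as an added example that is not from the page or from any of the tools named above (the prohibited destinations, the data patterns and the sample traffic are all constructed assumptions for the example): the policy decision on the destination comes first, then the outbound body is checked for Luhn-valid card numbers and SSN-formatted values, so the filter does more than block a list of sites.

```python
import re

# Hypothetical egress policy for this example: the prohibited destinations and the
# data patterns are assumptions, not any product's defaults or a survey respondent's rules.
PROHIBITED_DESTINATIONS = (".facebook.com", ".myspace.com")

# Candidate card numbers: 13-19 digits with optional single space/dash separators,
# not embedded in a longer digit run (so long order or ticket numbers are skipped).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in dashed form, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_PATTERN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn check digit validation; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def destination_prohibited(host):
    """Exact or subdomain match against the policy's prohibited list."""
    host = host.lower().rstrip(".")
    return any(host == d.lstrip(".") or host.endswith(d) for d in PROHIBITED_DESTINATIONS)


def inspect_outbound(dst_host, body):
    """Apply the written policy first, then content inspection. Returns (verdict, reason)."""
    if destination_prohibited(dst_host):
        return "deny", f"policy: {dst_host} is a prohibited destination"
    pans = find_pans(body)
    if pans:
        return "deny", f"dlp: {len(pans)} Luhn-valid card number(s) in outbound content"
    if SSN_PATTERN.search(body):
        return "deny", "dlp: SSN-formatted value in outbound content"
    return "allow", ""


# Constructed outbound requests: (destination host, request body or message text).
SAMPLE_TRAFFIC = [
    ("www.facebook.com", "status=at work, bored"),
    ("mail.example.net", "Order 1234 5678 9012 3456 shipped, see invoice INV-20100831"),
    ("webmail.example.org", "Card 4111 1111 1111 1111 exp 12/12, customer SSN 078-05-1120"),
    ("www.example.com", "Quarterly numbers are in the attached deck"),
]

if __name__ == "__main__":
    for host, body in SAMPLE_TRAFFIC:
        verdict, reason = inspect_outbound(host, body)
        print(f"{verdict:5} {host:22} {reason}")
```

The order matters: the destination check is the policy the note asks for, and the content checks are the technology enforcing it. The Luhn test is what keeps an order number like 1234 5678 9012 3456 from tripping the rule while the well-known 4111 test number does.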

Despite efforts to keep sensitive data in house, many corporations continue to experience serious data leaks, according to a survey published earlier today.

In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email continues to be the number one source of data loss risk in large enterprises. More than a third (35 percent) of respondents investigated a leak of confidential or proprietary information via email in the past 12 months, the study says.

Episode 203 – YoYodDos, Code Disclosure, & eNom

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 203.mp3[/podcast]
ISDPodcast Episode 203 for August 30, 2010.  Tonight’s podcast is hosted by Rick Hayes, Adrian Crenshaw, and Keith Pachulski.

News Item 1: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=227100032&subSection=Attacks/breaches
Technical Details : http://asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/

A new botnet built for knocking websites offline has attacked mostly Chinese and some U.S. sites, according to researchers.  About 90 percent of the command and control servers running YoyoDdos, the nickname given the botnet by researchers at Arbor Networks who have been studying and tracking it, have IP addresses in China, and two-thirds of its victim websites are out of China. The botnet has attacked around 180 websites so far, including 32 in the U.S.
News Item 2: http://www.zdnet.com.au/hackers-accidentally-give-microsoft-their-code-339305548.htm
When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.

When the hacker’s system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

“People have sent us their virus code when they’re trying to develop their virus and they keep crashing their systems,” Heckman said. “It’s amazing how much stuff we get.”

At a Microsoft Tech.Ed 2010 conference session on hacking, Heckman detailed to the delegates the top five hacking methods and the best methods for developers to avoid falling victim to them. Heckman explained how to create malicious code that could be used in cross-site scripting or SQL injection attacks and, although he said it “wasn’t anything you couldn’t pick up on the internet”, he suggested delegates use the code responsibly to aid in their protection efforts.

According to Heckman, based on the number of attacks on Microsoft’s website, the company was only too familiar with what types of attacks were most popular.

News Item 3:  http://www.computerworld.com/s/article/9181278/ICANN_asks_Demand_Media_for_answers_after_report
The group responsible for managing the Internet’s domain name system is asking Demand Media’s eNom division for answers following complaints from Internet security groups.

ENom, the world’s second-largest domain name registrar, came under fire last week in a report from HostExploit, a volunteer-run anti-malware research group. According to HostExploit, eNom is host to an unusually large number of malicious websites and is a preferred domain name registrar for pharmaceutical spammers.

ICANN now says that it is looking into the matter, according to Kurt Pritz, senior vice president of services with the Internet Corporation for Assigned Names and Numbers. Typically, ICANN advises people with information on illegal activity to take their complaints to law enforcement. “However, given the serious nature of some of the allegations made in the HostExploit report, we will ask eNom for their response and will follow up as appropriate,” Pritz said in a statement, e-mailed to IDG News Service.

HostExploit says that some eNom resellers are violating ICANN rules by allowing customers to provide false Whois database information, not following ICANN deletion policy and generally not complying with their obligations as resellers.

Episode 202 – Cyberspace, Rustock, UN SQL & Huawei

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 202.mp3[/podcast]
ISDPodcast Episode 202 for August 27, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transfers made via telephone at (770) 867-9111. Please place the account number 00133835 on the check.  A PayPal link has been established and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • ShoeCon is being held as a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.  Matthew, or “Shoe”, was a fellow security professional, DC404 member and InfoSec podcaster.  This event will be held in conjunction with the September DC404 meeting at the Wellesley Inn-Atlanta Airport.

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010 and can start immediately after he graduates. He has experience with static code analysis and was a developer for a fair amount of time before he moved into security. He has a track record of being a fast learner. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.

Rant: Monitoring your systems for brute force attacks against SSH/FTP using Open Source tools such as OSSEC.

The attacks are common at this point, and only through proper log monitoring can you effectively detect and respond to them. There is no reason not to be monitoring the logs generated by public-facing services to alert on active attacks against systems. This should be part of the basic incident identification and response capabilities within every organization.

<!-- ossec.conf: the files the agent tails; the stock decoders and rules cover sshd and FTP daemons -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>   <!-- general syslog -->
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>     <!-- sshd and PAM authentication failures on Red Hat style systems -->
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/ftpd.log</location>   <!-- FTP daemon log, if the daemon writes one in syslog format -->
</localfile>

Done. With the correct settings in OSSEC, the alerts are now sent to the OSSEC WUI, to a MySQL or PostgreSQL database, and/or by email.
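
As an added example (not from the page and not OSSEC's own code), here is the correlation the rant relies on, written out in Python so it can be run against sample lines offline: it parses failed-login events from the same syslog-format files the localfile entries above tail, counts them per source IP in a sliding window, and raises one alert once a threshold is crossed, suppressing repeats for that IP for a while. The log lines are constructed, the proftpd-style FTP line is an assumed format, and the threshold, window and suppression values are assumptions chosen for the example rather than OSSEC's own rule defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example (OSSEC's stock sshd rules carry their
# own frequency/timeframe values); tune them to the host's real traffic.
THRESHOLD = 6                      # failed logins from one source IP ...
WINDOW = timedelta(seconds=120)    # ... inside this window raise an alert
IGNORE = timedelta(seconds=60)     # then stay quiet about that IP for this long

# Constructed sample lines in syslog layout (sshd as written to /var/log/secure,
# plus a proftpd-style FTP failure); not real captured logs.
SAMPLE_LOG = """\
Aug 27 22:01:03 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug 27 22:01:05 bastion sshd[2013]: Failed password for root from 198.51.100.7 port 51023 ssh2
Aug 27 22:01:09 bastion sshd[2015]: Failed password for invalid user oracle from 198.51.100.7 port 51025 ssh2
Aug 27 22:01:12 bastion sshd[2017]: Failed password for root from 198.51.100.7 port 51027 ssh2
Aug 27 22:01:30 bastion sshd[2019]: Failed password for jdoe from 203.0.113.9 port 40110 ssh2
Aug 27 22:01:44 bastion proftpd[2031]: bastion (198.51.100.7[198.51.100.7]) - USER ftpuser (Login failed): Incorrect password
Aug 27 22:01:50 bastion sshd[2021]: Accepted publickey for jdoe from 203.0.113.9 port 40112 ssh2
Aug 27 22:01:58 bastion sshd[2023]: Failed password for root from 198.51.100.7 port 51031 ssh2
Aug 27 22:02:10 bastion sshd[2025]: Failed password for root from 198.51.100.7 port 51033 ssh2
Aug 27 22:05:00 bastion sshd[2040]: Failed password for jdoe from 203.0.113.9 port 40120 ssh2
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAILURE_PATTERNS = [
    re.compile(SYSLOG_TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
               r"(?P<user>\S+) from (?P<ip>" + IPV4 + r")"),
    re.compile(SYSLOG_TS + r"proftpd\[\d+\]: \S+ \(\S+\[(?P<ip>" + IPV4 + r")\]\) "
               r"- USER (?P<user>\S+) \(Login failed\)"),
]


def parse_failure(line, year=2010):
    """Return (timestamp, source_ip, username) for a failed-login line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed 2010 here)."""
    for pattern in FAILURE_PATTERNS:
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
            return ts, m.group("ip"), m.group("user")
    return None


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW, ignore=IGNORE):
    """Sliding-window correlation: one alert per source IP when `threshold` failures
    land inside `window`; further alerts for that IP are suppressed for `ignore`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) still inside the window
    last_alert = {}
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are not counted
        ts, ip, user = parsed
        hits = recent[ip]
        hits.append((ts, user))
        while hits and ts - hits[0][0] > window:
            hits.popleft()        # slide the window forward
        if len(hits) < threshold:
            continue
        if ip in last_alert and ts - last_alert[ip] < ignore:
            continue              # already alerted on this IP recently
        last_alert[ip] = ts
        alerts.append({
            "ip": ip,
            "count": len(hits),
            "first": hits[0][0],
            "last": ts,
            "users": sorted({u for _, u in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT brute force from {alert['ip']}: {alert['count']} failures "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, "
              f"users tried: {', '.join(alert['users'])}")
```

OSSEC expresses the same thing with its sshd decoder and a composite rule using frequency, timeframe and same_source_ip; writing it out shows which lines count (failures only, across both services), why the window matters (a slow scanner never accumulates enough hits), and why the suppression interval keeps one scanner from producing hundreds of alerts.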

Stories of Interest:
News Item 1: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/25/AR2010082505962.html
[Notes Keith: Government speak at its finest. None of the statements seem to jibe with one another. Cyberspace will be treated as a domain of potential warfare. Warfare implies both offensive and defensive actions in concert with one another. It talks about active defenses created by using a more robust and redundant environment, but then later discusses the offensive capabilities. Sounds like they don't quite have the plan all that formalized.]

News Item 2: http://news.techworld.com/security/3236787/rustock-botnet-ditches-encryption-to-ramp-spam/

The Rustock mega-botnet appears to have ditched the experimental use of TLS (transport layer security) to obscure its activity, Symantec has reported.

Rustock’s use of TLS now averages between 0.1 and 0.2 percent of all spam, peaking at 0.5 percent, a tiny fraction of the levels seen in March, when it reached averages of around 25 percent with a peak of as much as 77 percent.

The key moment was on 20 April, when the volume of spam featuring the tactic suddenly plunged to sub-one percent levels after an equally sudden rise in rates in the weeks prior to that date.

TLS adds a small but cumulative overhead to server email processing, which ties up mail servers but also affects the rate at which spam is sent. Why Rustock’s controllers adopted the technique at all was never clear, but it might have been connected to a misplaced belief that it would make it harder for servers to filter its activity or detect the command and control system used to direct it.

News Item 3:  http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=226900111
Three years after the United Nations’ website was defaced by activist hackers using a SQL injection attack, the site still contains multiple instances of these vulnerabilities.

Security researcher Robert Graham, CEO of Errata Security, did his now-annual checkup on the UN site and found that while the UN had removed the bug that was exploited in the August 2007 attack, the site is still rife with multiple SQL injection vulnerabilities.

In the 2007 defacement, attackers replaced then-Secretary General Ban Ki-Moon’s speeches with some of their own calling for “peace forever” and “no war.” The attackers exploited a SQL injection bug.

“In what’s become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007,” Graham blogged today. “For example, if you click on ‘print this article’, then use that URL instead, the SQL injection still works.”
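
Graham's point, that the fixed "view" URL and the still-vulnerable "print this article" URL are two doors onto the same query, as an added example that is not the UN site's code (the schema, the two handlers and the payload are constructed for illustration): the print path splices the request parameter into the SQL text, the view path validates and binds it, and the same payload is sent to both.

```python
import sqlite3

# Constructed in-memory stand-in for a CMS article table (not the UN site's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Secretary-General's remarks", "published"),
        (2, "Press briefing", "published"),
        (3, "Draft statement", "unpublished"),
    ])
    return conn


def fetch_article_vulnerable(conn, article_id):
    """The original bug: the request parameter is spliced into the SQL text."""
    sql = "SELECT id, title FROM articles WHERE status = 'published' AND id = " + article_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, article_id):
    """The fix: check the input's shape, then bind it so it can never become SQL."""
    if not article_id.isdigit():
        raise ValueError("article id must be numeric")
    sql = "SELECT id, title FROM articles WHERE status = 'published' AND id = ?"
    return conn.execute(sql, (int(article_id),)).fetchall()


# Two URL handlers for the same article. Fixing only the one the 2007 attackers used
# (view) while the print page still runs the old query is the situation the article
# describes: the attacker simply sends the same payload to the print URL.
def view_handler(conn, params):
    return fetch_article_safe(conn, params["id"])


def print_handler(conn, params):
    return fetch_article_vulnerable(conn, params["id"])


def rejected_by_safe_path(conn, article_id):
    """True when the hardened query refuses the input instead of running it."""
    try:
        fetch_article_safe(conn, article_id)
    except ValueError:
        return True
    return False


# Constructed tautology: "AND id = 1 OR 1=1" makes the WHERE clause match every row,
# including the unpublished one the status filter was meant to hide.
PAYLOAD = {"id": "1 OR 1=1"}

if __name__ == "__main__":
    conn = build_db()
    print("print handler (still vulnerable):", print_handler(conn, PAYLOAD))
    print("view handler rejects the same payload:", rejected_by_safe_path(conn, PAYLOAD["id"]))
```

The lesson for the fix is to patch the data-access function every entry point calls rather than the one URL that showed up in the defacement; a yearly re-test of the other URLs is exactly how the leftover instances get found.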

News Item 4:  http://www.nytimes.com/2010/08/23/business/global/23telecom.html
Warning about a potential threat to national security, eight Republican lawmakers have asked the Obama administration to scrutinize a bid by one of the biggest corporations in China to supply telecommunications equipment to Sprint Nextel in the United States.

In a letter sent last week to top administration officials, including Treasury Secretary Timothy F. Geithner and the director of national intelligence, Lt. Gen. James R. Clapper Jr., the senators expressed concern over claims that the company had sold equipment to the regime of Saddam Hussein and had a close business relationship with the Islamic Revolutionary Guard in Iran.

The senators also said the company, Huawei Inc., had close ties to the People’s Liberation Army in China.

“Sprint Nextel supplies important equipment to the U.S. military and law enforcement agencies, and it offers a broad array of devices, systems, software and services to the private sector,” wrote the group of senators, including Jon Kyl of Arizona, Christopher S. Bond of Missouri and Susan Collins of Maine. “We are concerned that Huawei’s position as a supplier of Sprint Nextel could create substantial risk for U.S. companies and possibly undermine U.S. national security.”

A campaign to block Huawei’s bid to sell equipment in the United States would almost certainly aggravate American-Chinese trade relations and intensify a longstanding debate over whether big Chinese companies will be allowed to invest in sensitive industries in the United States.

Episode 201 – Deep Anal Theater, Apple Info, Cyber Information Security & Leakage

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 201.mp3[/podcast]
ISDPodcast Episode 201 for August 26, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  
    Use the
    Discount Code: IGK-0726 when you and register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston WV
http://www.hack3rcon.org
MyHardDriveDied.com:

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.

Rant: Not understanding that protecting sensitive information should be part of a basic security program, with proper authentication, accounting, authorization and auditing, indicates you've made zero forward movement with your program.

Stupid Phrase of the day: Cyber Information Security

Stories of Interest:
News Item 1:  http://www.csoonline.com/article/603542/deep-theater-defense-?source=rss_cso_exclude_net_net

As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.

In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let’s investigate the design of this protective architecture:
News Item 2: http://www.zdnet.co.uk/news/security/2010/08/16/apple-manager-accused-of-1m-kickback-scheme-40089826/?s_cid=938

Paul Shin Devine was indicted on Friday on suspicion of obtaining confidential Apple information which he transmitted to iPod and iPhone accessory suppliers, according to the San Jose Mercury News. In return, Devine allegedly received kickbacks, which he allegedly shared with Andrew Ang of Singapore, an employee of one of the suppliers.

“Apple is committed to the highest ethical standards in the way we do business,” Apple spokesman Steve Dowling said in a statement. “We have zero tolerance for dishonest behaviour inside or outside the company.”

According to the indictment, the information allegedly shared by Devine included product specifications, sales forecasts and details of competitors’ bids.

The six suppliers allegedly involved were not named in a federal court indictment, which the US District Court in San Jose ordered to be unsealed on 13 August, according to a court docket. However, the Wall Street Journal named three of the suppliers allegedly involved as China’s Kaedar Electronics, South Korea’s Cresyn, and Singapore’s Jin Li Mould Manufacturing.
News Item 3: http://gcn.com/articles/2010/08/23/cybereye-cybersecurity-jobs.aspx
Cybersecurity is a growth industry, with rapidly increasing demand for qualified professionals in government and industry and a growing number of schools offering courses and degrees. But a couple of security bloggers warn that cybersecurity jobs in large enterprises, especially government, are likely to be frustrating.

Mike Subelsky, who describes himself as a hacker and entrepreneur who has worked in cybersecurity for eight years in the military, as a government civilian and as a contractor, describes the work as uncreative, bureaucratic and restrictive.

“In classified settings, you are severely restricted in the sources and kinds of technologies you use,” he writes. “You won’t have admin permissions on the machine you’re working on. Forget installing Chrome with the latest extensions, you’ll be lucky to get Version 2 of Firefox!  Or you might not have access to the Internet at all!”

A like-minded blogger identified as NetSecGuy wrote that “the government leads in cyber-boring.” Not only is the technology outdated, but management has no clue and information is seen as something to be hoarded rather than shared.

News Item 4:  http://joongangdaily.joins.com/article/view.asp?aid=2924915
Leaked military information is becoming a common occurrence here in large part because of a lack of security awareness among defense officials, despite the increasing severity of cyber attacks at the hands of North Korean hackers.

Some senior defense officials have lost sensitive and classified information after transferring files to USB drives – even though the military prohibits the use of such technology to store data because it can easily be stolen.

Strong disciplinary measures are needed to ratchet up security awareness among defense officials.

According to a Defense Security Command report to the National Assembly, the number of military officials punished for violating security codes and leaking – both intentionally and accidentally – confidential military information has been increasing sharply every year. The number was 510 in 2005 and rose to 879 in 2006, 965 in 2007, 1,164 in 2008, 1,512 in 2009 and 886 through the first six months of this year.

There have been some serious cases this year as well. The computers of 13 soldiers stationed at one particular base were hacked from January to March, exposing 1,715 files.

Episode 200 – USB Stupidity, More Apps, GPU, SQL Injection & Scurvy Naive

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 200.mp3[/podcast]
ISDPodcast Episode 200 for August 25, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm though other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children, His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transfers via telephone (770) 867-9111. Please place the account 00133835 on the check.  A PayPal account has been established and you can find on the right hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org
MyHardDriveDied.com:

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.

Rant: Having multiple sets of physical access controls to a facility makes no sense when you don’t check to see if a person has identification to access the facility

Stories of Interest:
News Item 1: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html
Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.  “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

News Item 2: http://news.cnet.com/8301-27080_3-20014625-245.html
A flaw in the way Windows handles DLL (dynamic-link library) and related files likely affects hundreds of applications and has already been used in malicious attacks in the wild, a security researcher said on Tuesday.

Microsoft acknowledged in an advisory on Monday a type of attack mechanism known as DLL preloading, or binary planting and said that while it is not new it does have a new remote-attack vector. Malicious code can now be planted on a network share instead of just on a local system, making it much easier to attack vulnerable systems by duping people into clicking on malicious Web links or opening malicious documents.

Security firm Acros disclosed the issue last week after finding that it affects iTunes, and Rapid7 Chief Technology Officer HD Moore published additional information about it this week. Moore, creator of the Metasploit database and framework, also released a tool to test whether applications are vulnerable.

Now, the Exploit-db.com exploit database is getting flooded with submissions of applications that people say are vulnerable, including Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2010, Office 2007, and non-Microsoft applications like Firefox 3.6.8, Foxit Reader, Wireshark and uTorrent, said Mati Aharoni, founder of security firm Offensive Security, which runs the exploit database.  A post to the Full Disclosure mailing list claims that the Windows Address Book in Windows XP is also vulnerable.
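The new twist described above is that a planted library can sit on a network share or in a document's directory rather than on the local system. From the defender's side, the useful signal is a process loading a DLL from a location that is neither the system directory nor the application's own directory. The following is an added example, not code from the article, from Microsoft or from any of the researchers named; it runs a simple check over constructed log lines loosely modelled on Sysmon "Image loaded" events (the field names Image, ImageLoaded and Signed exist in Sysmon, but every path and value below is invented for the example, and the trusted-root list is an assumption you would tune to your own build):

```python
"""Flag DLL loads from locations where a planted library could sit.

Added example for illustration; the log lines are constructed, not captured
from a real host, and TRUSTED_ROOTS is an assumed baseline, not a standard.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample events, one per line, in a simplified key=value form.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Viewer\\viewer.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true
Image=C:\\Program Files\\Viewer\\viewer.exe ImageLoaded=\\\\fileserver\\share\\docs\\dwmapi.dll Signed=false
Image=C:\\Program Files\\Media\\player.exe ImageLoaded=C:\\Users\\alice\\Downloads\\wintab32.dll Signed=false
Image=C:\\Program Files\\Media\\player.exe ImageLoaded=C:\\Program Files\\Media\\codec.dll Signed=true
"""

# Directories from which a DLL load is considered expected (assumed baseline).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'Key=value Key2=value' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.+?)(?=\s\w+=|$)", line.strip()))


def classify_load(image: str, loaded: str) -> Optional[str]:
    """Return a reason string if the load location is suspicious, else None."""
    loaded_l = loaded.lower()
    if loaded_l.startswith("\\\\"):
        # UNC path: the remote vector the advisory describes.
        return "loaded from network share"
    exe_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    in_trusted_root = any(loaded_l.startswith(root) for root in TRUSTED_ROOTS)
    if not in_trusted_root and dll_dir != exe_dir:
        # Not a system directory and not beside the executable: likely the
        # current working directory of a document, a download folder, etc.
        return "loaded from outside system and application directories"
    return None


def suspicious_loads(log_text: str) -> List[Dict[str, str]]:
    """Run classify_load over every event; return the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify_load(ev["Image"], ev["ImageLoaded"])
        if reason:
            findings.append({
                "process": ntpath.basename(ev["Image"]),
                "dll": ntpath.basename(ev["ImageLoaded"]),
                "path": ev["ImageLoaded"],
                "signed": ev.get("Signed", "unknown"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_loads(SAMPLE_LOG):
        print(f"{f['process']} -> {f['dll']} ({f['path']}): {f['reason']}, signed={f['signed']}")
```

Two of the four constructed events are flagged: the DLL pulled from the UNC share and the one loaded from a user's Downloads folder. A real deployment would also compare the DLL name against what the application legitimately ships, since the whole point of the technique is that the planted file carries the name of a library the program expects.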

News Item 3: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226700303
Passwords with fewer than 12 characters can be quickly brute-force decoded using a PC graphics processing unit (GPU) that costs just a few hundred dollars, according to researchers at the Georgia Institute of Technology.

“We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the university’s research institute, in a statement. “Right now we can confidently say that a seven-character password is hopelessly inadequate.”

Today’s top graphics processors offer about two teraflops of parallel processing power. For comparison, “in the year 2000, the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than 7 teraflops,” he said.

The barrier to using multi-core graphics processors — available from Nvidia or AMD’s ATI division — for compute-intensive processes other than graphics processing, said Boyd, first fell in 2007, when Nvidia released a C-based software development kit. “Once Nvidia did that, interest in GPUs really started taking off,” he said. “If you can write a C program, you can program a GPU now.” Or use it to crack a password.

News Item 4: http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database
Hackers stole customer data from eight online supermarkets in Japan, including Uny Co. and Neo Beat Co, in July using a hacking technique called SQL injection to access their databases, sources familiar with the matter said Saturday.
A source close to Neo Beat, which also operates the websites of these online supermarkets, said it believes that the approximately 30,000 unauthorized accesses to its database server were likely “perpetrated by a group of professional hackers.”

The accesses, which were conducted from Japan and China on July 24-26, resulted in the theft of data on a total of 12,191 customers of the Osaka-based company as well as its seven business partners including supermarket chains Izumiya Co, Maruetsu Inc and Ryukyu Jusco Co.

Neo Beat has since filed a damage report with the Osaka prefectural police, and the companies have closed their online markets since late last month. Police investigators are now looking into the case and gathering relevant information.
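The story does not say how the affected sites built their queries, so the following is an added example rather than anything about Neo Beat's systems: it shows the one coding mistake behind almost every SQL injection (splicing a caller-supplied value into the SQL text) next to the parameterized form that prevents it, against a constructed in-memory SQLite table of customer records. The table, the e-mail addresses and the function names are all invented for the example.

```python
"""Vulnerable string-built query beside its parameterized fix (added example).

The customer table and its rows are constructed for illustration.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Create a small in-memory customer table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.test", "Alice"),
         ("bob@example.test", "Bob"),
         ("carol@example.test", "Carol")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[str]:
    """VULNERABLE: the untrusted value becomes part of the SQL statement itself,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """FIXED: the value is bound as a parameter; the database driver never
    treats its contents as SQL, whatever characters it contains."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("alice@example.test", "' OR '1'='1"):
        print(repr(value), "unsafe ->", lookup_unsafe(db, value),
              "safe ->", lookup_safe(db, value))
```

For a normal address both functions return the one matching customer. For input containing a quote, the string-built query's WHERE clause is rewritten to match every row, which is exactly how a bulk dump of customer records happens; the parameterized query simply finds no customer with that literal address. Prepared statements (or an ORM that generates them) are the fix; input filtering alone is not.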