[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 201.mp3[/podcast]
ISDPodcast Episode 201 for August 26, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Local Password Exploitation Class:
- The Kentuckiana ISSA will be putting on class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
- The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
- Pulling stored passwords from web browsers/IM clients and other apps
- Hash cracking of Windows passwords, as well as other systems
- Sniffing plain text passwords off the network
- How passwords on one box can be used to worm through other hosts on a network
- Seating is limited to 50 people.
- The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transferred via telephone at (770) 867-9111. Please place the account number 00133835 on the check. A PayPal account has been established and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show your receipt for a donation of at least $10 at the door.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
- Atlanta, GA, September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
- This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs from Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling course in Knoxville, TN from Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). This discount expires on Sept. 1st.
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email email@example.com, or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.
Rant: Not understanding that protecting sensitive information should be part of a basic security program (proper authentication, accounting, authorization and auditing) indicates you've made 0 forward movement with your program.
Stupid Phrase of the day: Cyber Information Security
Stories of Interest:
News Item 1: http://www.csoonline.com/article/603542/deep-theater-defense-?source=rss_cso_exclude_net_net
As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.
In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let’s investigate the design of this protective architecture:
News Item 2: http://www.zdnet.co.uk/news/security/2010/08/16/apple-manager-accused-of-1m-kickback-scheme-40089826/?s_cid=938
Paul Shin Devine was indicted on Friday on suspicion of obtaining confidential Apple information which he transmitted to iPod and iPhone accessory suppliers, according to the San Jose Mercury News. In return, Devine allegedly received kickbacks, which he allegedly shared with Andrew Ang of Singapore, an employee of one of the suppliers.
“Apple is committed to the highest ethical standards in the way we do business,” Apple spokesman Steve Dowling said in a statement. “We have zero tolerance for dishonest behaviour inside or outside the company.”
According to the indictment, the information allegedly shared by Devine included product specifications, sales forecasts and details of competitors’ bids.
The six suppliers allegedly involved were not named in a federal court indictment, which the US District Court in San Jose ordered to be unsealed on 13 August, according to a court docket. However, the Wall Street Journal named three of the suppliers allegedly involved as China’s Kaedar Electronics, South Korea’s Cresyn, and Singapore’s Jin Li Mould Manufacturing.
News Item 3: http://gcn.com/articles/2010/08/23/cybereye-cybersecurity-jobs.aspx
Cybersecurity is a growth industry, with rapidly increasing demand for qualified professionals in government and industry and a growing number of schools offering courses and degrees. But a couple of security bloggers warn that cybersecurity jobs in large enterprises, especially government, are likely to be frustrating.
Mike Subelsky, who describes himself as a hacker and entrepreneur who has worked in cybersecurity for eight years in the military, as a government civilian and as a contractor, describes the work as uncreative, bureaucratic and restrictive.
“In classified settings, you are severely restricted in the sources and kinds of technologies you use,” he writes. “You won’t have admin permissions on the machine you’re working on. Forget installing Chrome with the latest extensions, you’ll be lucky to get Version 2 of Firefox! Or you might not have access to the Internet at all!”
A like-minded blogger identified as NetSecGuy wrote that “the government leads in cyber-boring.” Not only is the technology outdated, but management has no clue and information is seen as something to be hoarded rather than shared.
News Item 4: http://joongangdaily.joins.com/article/view.asp?aid=2924915
Leaked military information is becoming a common occurrence here in large part because of a lack of security awareness among defense officials, despite the increasing severity of cyber attacks at the hands of North Korean hackers.
Some senior defense officials have lost sensitive and classified information after transferring files to USB drives – even though the military prohibits the use of such technology to store data because it can easily be stolen.
Strong disciplinary measures are needed to ratchet up security awareness among defense officials.
According to a Defense Security Command report to the National Assembly, the number of military officials punished for violating security codes and leaking – both intentionally and accidentally – confidential military information has been increasing sharply every year. The number was 510 in 2005 and rose to 879 in 2006, 965 in 2007, 1,164 in 2008, 1,512 in 2009 and 886 through the first six months of this year.
There have been some serious cases this year as well. The computers of 13 soldiers stationed at one particular base were hacked from January to March, exposing 1,715 files.