Your daily source of Pwnage, Policy and Politics.

Episode 205 – Iranian Warez, Data Sharing & AON Oops!

Play

ISDPodcast Episode 205 for September 1, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  
    Use the
    Discount Code: IGK-0726 when you and register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:

MyHardDriveDied.com:

News Item 1: http://torrentfreak.com/iranian-government-runs-public-warez-server-100824/
The Iranian Research Organization for Science and Technology is directly connected to the Iranian Government.   Aside from evaluating and advising policy makers on science and technology issues, the largest research outfit in the country also provides a warez server where Photoshop, MS Office and many other applications can be downloaded for free, totally legal thanks to Iran’s lenient copyright policy.

In most of the western world the actions of the Iranian Government are often met with skepticism. Foreign governments get an uneasy feeling when Iran opens a nuclear facility, fearing it might lead to a nuclear arms program that would be an international threat.

Aside from nuclear issues, Iran has gained a bad reputation for censoring the public in its own country. These censorship issues reached new highs last year during the election protests, where the Government went as far as cutting citizens’ Internet access.

For copyright holders worldwide, the Iranian Government poses a significant threat. The country’s copyright law is set up to protect all copyrighted works produced by Iranians, but not those by creators from other countries.

News Item 2: http://vmyths.com/2010/08/26/oby/
Let’s cut to the chase. U.S. Deputy Defense Secretary William J. Lynn III wrote an op-ed for a commercial publication in which he claims a single USB thumb drive caused the worst military data breach in history. And according to Wikipedia, that one little USB stick led to the creation of the Pentagon’s new Cyber Command.

Breathless reports like this one say this single specific tiny little USB thumb drive got infected with agent.btz, a tiny little chunk of malware the antivirus world has known about since, what, 2008? Yet it took at least 14 months for the Pentagon to clean it up.

Come on, people — fourteen months?!? The antivirus experts dismiss agent.btz as banal, not brilliant.  I’ll bet it took so long only because it was a classified operation. This malware would have blown over in a week if DoD-CERT had issued an email saying “hey, there’s a new virus running around, please scan your PCs for agent.btz.”

http://www.infragard.net/

News Item 3: http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=227200092&subSection=Privacy
[Notes: While another unfortunate example of improperly reviewing and sanitizing data, there are several technologies available to help prevent these types or erroneous mistakes automatically within the databases to obfuscate the data through masking.]

AON Consulting, the state of Delaware’s benefits consultant, mistakenly posted the Social Security numbers, gender, and birth dates of about 22,000 retired state workers on the Web two weeks ago, state officials and the company said yesterday.

Oracle Database Data Masking Information for developers:
http://www.oracle.com/us/products/database/data-masking-161222.html
http://www.oracle.com/us/products/database/042928.pdf