Your daily source of Pwnage, Policy and Politics.

Episode 220 – NSA Virtualization, Exalogic Elastic Cloud, Obama & College Hackers

ISDPodcast Episode 220 for September 24, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Announcements:

The Louisville Metro InfoSec Conference:
http://www.louisvilleinfosec.com
When: Thursday, October 7th, 2010
Where: Churchill Downs

Bsides Atlanta:
http://www.securitybsides.com/BSidesAtlanta
When: Friday, October 8, 2010
Where: Think Inc World HQ, 1375 Peachtree St.  Suite 600, Atlanta, Ga (The Earthlink Bldg).
http://bsidesatlanta.eventbrite.com/

MyHardDriveDied.com Data Recovery Class:

http://www.myharddrivedied.com
Dallas, TX – October 11th – 15th
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.


SANS Mentoring Program:

Jason Lawrence – SANS Forensics 508 – Computer Forensics and Investigations in Sandy Springs, GA
http://www.sans.org/mentor/details.php?nid=21538
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15 for a 15% discount.

Adrian Sanabria – SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN
http://www.sans.org/mentor/details.php?nid=22258
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15KY for a 15% discount.

Phreaknic:

http://www.phreaknic.info
When: Oct 15-17 2010
Where: Nashville, TN

Hack3rCon:

http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV

Stories of Interest:
News: http://www.networkworld.com/news/2010/091510-nsa-accreditations.html
The National Security Agency wants to use commercially-built security products and the latest virtualization software. But the slow pace of getting products certified through NSA channels and the lightning-fast pace of change in the IT industry are causing national-security heartburn.

The high-tech spy agency, which also guides Defense Department information security, has become an enthusiastic proponent of open standards-based technologies such as Trusted Network Connect (TNC) and Trusted Platform Module (TPM) put forward by the organization Trusted Computing Group (which announced it expects to propose an end-to-end security framework for cloud computing around year-end).

This week the secretive NSA held its first conference related to its views on trusted computing. The NSA Trusted Computing Conference and Exposition in Orlando drew about 500 attendees and 39 exhibiting companies.

Michael Lamont, NSA chief of the network solutions office, noted in his keynote that since May of this year the national-security strategy has been “COTS [commercial off the shelf] first, not GOTS [government].”

News: http://www.informationweek.com/blog/main/archives/2010/09/larry_ellison_h.html
Introducing Oracle’s new Exalogic Elastic Cloud machine, Larry Ellison opened his remarks by saying that cloud computing has many definitions, and he cited Amazon.com and Salesforce.com as examples of profoundly different cloud approaches. And then he unloaded on Salesforce.com for “commingling” customers’ data and offering “a very weak security model.”

“Maybe the two most well-known examples of cloud computing represent opposite ends of the spectrum,” Ellison said in underscoring his contention that cloud computing means many different things to many different people. “On the one hand you have Salesforce.com, a very successful application on the Internet, and a lot of people call that cloud computing—you access the application on the web, it’s 10 years old, and it’s SaaS technology, and some people say that’s cloud computing.”

As a counterpoint, Ellison then described Amazon.com’s EC2 as a hardware/software platform for building and running applications and using Linux, Java, Oracle database, MySQL, and other prominent technologies in a highly virtualized environment that can run a wide variety of applications.

“The technology is virtualized so each customer has its own separate, secure, and virtual environment with fault isolation, so most systems failures affect only one customer,” Ellison said as even I began to see which way he was tilting.

News: http://blogs.wsj.com/washwire/2010/09/21/former-nsc-official-criticizes-cyber-security-policies/
The Obama administration’s cyber security policies came under fire today from unexpected quarters — former National Security Council official Richard Clarke, who advised the administration’s transition team.

“The Obama administration so far has failed to do the necessary with regard to cyberwar,” said Clarke, who now heads a security consulting firm, Good Harbor Consulting, and recently co-authored a book on cyber security. In a speech in Washington to the Cyber Conflict Studies Association, he acknowledged several times that he was critiquing his friends.

The Obama administration was quick to fire back. “The Obama administration is very focused on this,” said one administration official. “The president has designated [cyber security] as a strategic national asset.”

The administration hasn’t articulated a strategy to tackle computer network security in the U.S. The Pentagon has hinted that such a strategy exists but hasn’t described it publicly, Clarke said. He said the Pentagon is working to extend its cyber protection efforts to the private sector because the Department of Homeland Security isn’t providing that security.

Among other failings, Clarke said Homeland Security’s cyber security programs are underfunded and the department has “done nothing” about cyber threats to critical infrastructure such as the electric grid, which is increasingly dependent on the Internet to stay up and running.

News: http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=227500353
New research shows parents have more to worry about than their college students’ underage drinking: Twenty-three percent of college kids say they have hacked for fun or profit, although most of them believe doing so is wrong.

The report, commissioned by Tufin Technologies and the Association of Chief Police Officers in the U.K., found that 32 percent of college students aged 18 to 21 say hacking is “cool,” 28 percent consider it easy to accomplish — and all the while 84 percent consider it the wrong thing to do.

Some 40 percent hacked for the first time after they turned 18; one in three say they hacked for fun, 22 percent say the main motivation for hacking was curiosity, and 15 percent cited profit as their motivation. The report surveyed 1,000 college students at eight universities in England.

Nearly 40 percent of the hackers used their own computers to do the dirty deed, while 32 percent used their universities’ computers. Another 23 percent used public computers at an Internet café. College kids are hacking Facebook accounts (37 percent), email accounts (26 percent), and online shopping accounts (10 percent).

http://www.hackerhighschool.org/

Tools: http://trac.aircrack-ng.org/changeset/1781
Aircrack-ng has been updated to include EWSA Project file exports for v3.02. Make sure you svn up and then recompile. What is EWSA, you may ask? Elcomsoft Wireless Security Auditor (http://www.elcomsoft.com/ewsa.html), which allows you to “test” how secure a wireless network is. So big deal, you may say, but wait, there’s more! It comes with a built-in wireless network sniffer and, more importantly, it offers GPU acceleration technology for key cracking when one or more compatible NVIDIA or ATI video cards are present.