Your daily source of Pwnage, Policy and Politics.

Episode 219 – Sentinel, Misperception, Third-party software & Porkythepig

ISDPodcast Episode 219 for September 23, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Adrian Crenshaw.

Announcements:

The Louisville Metro InfoSec Conference:
http://www.louisvilleinfosec.com
When: Thursday, October 7th, 2010
Where: Churchill Downs

Bsides Atlanta:
http://www.securitybsides.com/BSidesAtlanta
When: Friday, October 8, 2010
Where: Think Inc World HQ, 1375 Peachtree St.  Suite 600, Atlanta, Ga (The Earthlink Bldg).
http://bsidesatlanta.eventbrite.com/

MyHardDriveDied.com Data Recovery Class:

http://www.myharddrivedied.com
Dallas, TX – October 11th – 15th
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.


SANS Mentoring Program:

Jason Lawrence – SANS Forensics 508 – Computer Forensics and Investigations in Sandy Springs, GA
http://www.sans.org/mentor/details.php?nid=21538
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15 for a 15% discount.

Adrian Sanabria
- SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN
http://www.sans.org/mentor/details.php?nid=22258
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15KY for a 15% discount.

Phreaknic:

http://www.phreaknic.info
When: Oct 15-17 2010
Where: Nashville, TN

Hak3rCon:

http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV

Stories of Interest:
News Item: http://www.informationweek.com/news/government/enterprise-apps/showArticle.jhtml?articleID=227400495
Following a July decision to freeze the last two phases of development on its Sentinel case-management system, the FBI now plans to take over management of the project from its primary contractor, Lockheed Martin.

The agency plans to use agile development processes to complete the project using its own employees and other technology partners, while reducing its reliance on Lockheed Martin. FBI CIO Chad Fulgham, in an interview with InformationWeek, described the move as “a significant change in the scope and responsibility” for Lockheed Martin.

The decision represents a bold move by the agency to salvage the Sentinel project, which is currently budgeted to cost $451 million, from multiple delays and rising costs. Fulgham said his goal is to complete the project on budget and without further delays.

FBI director Robert Mueller indicated in April that Sentinel, originally scheduled for completion in 2009, would be pushed back into 2011 due to delays and stop work orders. Fulgham now puts the target completion date at Sept. 2011, the end of the government’s fiscal year, but acknowledges that agile development projects can be difficult to forecast. Development on Sentinel, currently paused, should begin again by October, Fulgham said.

The FBI awarded Sentinel to Lockheed Martin in March 2006 following the failure of an earlier effort (called the Virtual Case File system) to replace its outdated system for managing case records, saying it had learned its lessons from Virtual Case File’s shortcomings. Sentinel was originally due to be completed over four phases. Two phases have been delivered to this point, with most of the system’s hardware and software infrastructure in place. In July, the FBI released enhancements to the system’s user interface, new electronic forms, digital signature features, and additional collaborative features, and more than 5,000 users now login to Sentinel weekly. However, much of the system’s functionality, including a new case management database and some reporting capabilities, has yet to be put in place, and the existing outdated Automated Case Support system has yet to be retired.

News Item: http://www.csoonline.com/article/615413/intel-ciso-the-biggest-threat-to-security-is-a-misperception-of-risk
What is the most significant vulnerability that information security faces today and in the future? According to Malcolm Harkins, CISO of Intel, the biggest threat facing infosec is the misperception of risk.

Harkins spoke at the Forrester Security Forum 2010 in Boston and asked infosec professionals who attended to first ponder what they thought was the biggest risk they are facing within their own organizations. Several people had answers: insider threats and people were suggested by some. Harkins agreed that it is indeed people, but not perhaps for the reasons participants had in mind. Instead, he argued, both exaggeration and underestimation of risk in the human mind is what leaves us most vulnerable to danger.

There are two things that drive misperception: economics and psychology, said Harkins. When it comes to economics, choices are made by decision makers as they are affected by incentive and resources.

“As a security professional, I’ve started thinking about the fact that we are choice architects. We are trying to get people to think about things and make decisions,” he said.

News Item: http://www.darkreading.com/security_monitoring/security/app-security/showArticle.jhtml?articleID=227500475

Enterprise software developers often get a bad rap for poor security in their applications, but new data shows that many software suppliers’ products were less secure than internally developed enterprise ones.

More than 80 percent of the time, third-party software failed security tests with Veracode, according to a report published today by Veracode. And Veracode found that 57 percent of all applications contained security flaws. More than 80 percent of both internally developed and commercial applications don’t comply with the OWASP Top 10 list of critical Web application errors to avoid.

OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Love this quoted common misconception “All software is secure until proven otherwise”; unfortunately this is the case due to the business need to push the product to generate revenue versus the need to ensure the product is properly coded to protect against common vulnerabilities. Money appears to still be far more important than security, go figure... it pays the bills.

News Item: http://www.techeye.net/security/polish-hacker-gets-inside-us-militarys-defence-logistic-agency-website
There is one movie every Polish person knows. It’s a cult comedy from the 80s called “Mis” – meaning “Teddy Bear”. Now, thanks to a hacker going by a name “Porkythepig”, everyone can see it – but not on YouTube where you would expect it, but on the USA military Defence Logistics Agency website.

If you go to the site and just type “porkythepig”, a fragment of a movie begins to play. It’s in Polish, of course – for those not fluent in Polish, the man with a guitar sings: “I’m a Happy Romek…” It’s funny, but the story is much more serious.

On Seclists.org you can find a post by porkythepig about the potential vulnerability that exists on many sites, including military and government.

Episode 218 – Twitter, Israel, ASP.Net & Stuxnet worm

ISDPodcast Episode 218 for September 22, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Stories of Interest:
News Item: http://www.guardian.co.uk/technology/2010/sep/21/twitter-internet-worm-hacking-attack
Sarah Brown and Lord Sugar were among thousands of Twitter users who yesterday found themselves directing people to third-party sites, including hardcore pornography, as the messaging website fell prey to an “embarrassing” hacking attack discovered by a Japanese programmer and then exploited by a number of others.

At one point more than 100,000 people on the service were estimated to have been affected, while the owners – who are based on the US west coast — were asleep. Graham Cluley, a consultant with the online security company Sophos, said a rogue code or worm spread throughout the service “like someone had just thrown petrol on a fire”.  The problem brought a renewed focus on the importance of Twitter, which restricts users to 140-character tweets, and has more than 100 million users around the world.

News Item: http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/dti/2010/09/01/DT_09_01_2010_p42-248207.xml
Geopolitical concerns and two wars in recent years have put Israel at the forefront of cyberwar and cyber-defense. As the most computerized country in the Middle East, Israel stands to lose a great deal if its military and civilian networks prove vulnerable to cyber-attack.

According to Maj. Gen. (ret.) Isaac Ben-Israel, a professor at Tel Aviv University and an expert on digital warfare, Israel’s defense community has been aware of the dangers of cyberspace for two decades. In the late 1990s, the government established a special authority to supervise all aspects of national information security. The internal security authority (Shin Bet) took responsibility for civilian and national assets, while military security supervised defense networks. These activities eventually came under the supervision of the national security council, which also advised on national research and development initiatives in cyber-security systems. This initiative led to the formation of high-tech companies specializing in cyber-security, which became market leaders internationally. Most of these firms were founded by former Israel Defense Force (IDF) veterans who became experts in computer systems during their service.

Israel is also involved in developing an offensive cyber-doctrine. While air force Maj. Gen. Amos Yadlin, chief of intelligence, is concerned about defensive capabilities in cyberspace, he also promotes an offensive dimension to cyberwarfare, stating that both fit well within Israel’s combat doctrine. According to Yadlin, cyberwarfare covers three areas—intelligence-gathering, defense and attack. The IDF plans to be active in all three. Although authorities keep a low profile on such activities, foreign sources highlight some of the latest Israeli successes in the field.

News Item:  http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/
Keith (not my story just a nice writeup): http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.

Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system’s most sensitive configuration files.

“There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft’s Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.)

News Item: http://www.csoonline.com/article/616846/was-stuxnet-built-to-attack-iran-s-nuclear-program-
A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran’s Bushehr nuclear reactor.

That’s the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they’ve broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker — possibly a nation state — and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company discovered the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers who say they’ve never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran’s nukes.

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.

http://dl.dropbox.com/u/2595211/24Jul2010_TG_StuxNet_GIS_1.jpg
http://dl.dropbox.com/u/2595211/24Jul2010_TG_StuxNet_GIS_2.jpg

Episode 217 – Spam Report, FDIC, Qualys & Google Stalker

ISDPodcast Episode 217 for September 21, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Stories of Interest:
News Item 1: http://fcw.com/articles/2010/09/13/cybererye-targeting-the-head-of-cybercrime.aspx

There appears to be little relief in sight from the relentless onslaught of spam that continues to deliver malicious code and phishing lures to our inboxes day in and day out. According to Symantec’s “State of Spam and Phishing Report” for August, spam made up more than 92 percent of e-mail last month. The percentage of spam has fluctuated from a low of about 79 percent in November to more than 95 percent, but it has held pretty steady around 90 percent for most of the past year.

But there might be a small patch of light on the horizon, coming from – of all places – the U.S. District Court for the Eastern District of Virginia, where a judge has recommended that ownership of 276 Internet domains used by the Waledac botnet be turned over to Microsoft. If the judgment comes down from the court, it would effectively cut off the botnet’s command and control network.

That action, part of Microsoft’s Operation b49 to use existing federal law against organized cyber crime, will not by itself stop the criminals. Communications within the Waledac botnet have been effectively shut down since March, soon after Microsoft first went to court. But volumes of spam – one of the most effective means of delivering malware and opening doors for criminals – bounce back every time a botnet is taken down. However, the technique of attacking the criminals eventually could prove more effective than improving spam filters and antivirus engines.

News Item 2: http://www.bankinfosecurity.com/articles.php?art_id=2911
Telephone-based phishing, or vishing scams, are quickly ranking among the most popular socially-engineered schemes perpetrated by fraudsters. The latest target: The Federal Deposit Insurance Corp., which last week warned of a vishing scam that is duping consumers.

According to the FDIC’s statement, the criminals behind the vishing calls allegedly told consumers they were delinquent in loan payments that had been applied for over the Internet or made through a payday lender. The loans may or may not have even existed, giving the vishers an opportunity to collect personal information to “confirm” the authenticity of the loans. Recipients of the calls said the vishers requested everything from Social Security numbers to dates of birth.

The FDIC-related vishing scam is but one in a number of targeted vishing attacks reported in recent months – a reflection of the growing sophistication of the criminals who perpetrate socially engineered schemes.

News Item 3: http://www.infosecurity-magazine.com/view/12566/second-qualys-annual-report-shows-increasing-hacker-sophistication/
Qualys Report: http://dvlabs.tippingpoint.com/toprisks2010
Keith: It’s interesting to read the report, with its focus not on the passive attacks aimed at certain flaws but on concerted, targeted and persistent attacks against specific entities. True hostiles are technically competent and no longer just the script kiddies playing with Windows toys.

Interesting points:
1) attackers are no longer single individuals but groups, and well trained
2) web application developers, database administrators and system administrators continue to lack security training
- PHP RFI and LFI, SQL Injections, etc
3) legacy vulnerabilities continue to exist on production systems
4) client side attacks are on the rise and those responsible are not taking the threats seriously
- PDF, Flash, Quicktime
5) botnets continue to develop

Despite the slew of free and low-cost training and documentation available, it is not being utilized by the responsible parties.

News Item 4:  http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats
http://gawker.com/5640290/google-spy-could-face-jail-time

We entrust Google with our most private communications because we assume the company takes every precaution to safeguard our data. It doesn’t. A Google engineer spied on four underage teens for months before the company was notified of the abuses. David Barksdale, a 27-year-old former Google engineer, repeatedly took advantage of his position as a member of an elite technical group at the company to access users’ accounts, violating the privacy of at least four minors during his employment, we’ve learned. Barksdale met the kids through a technology group in the Seattle area while working as a Site Reliability Engineer at Google’s Kirkland, Wash. office. He was fired in July 2010 after his actions were reported to the company.

It’s unclear how widespread Barksdale’s abuses were, but in at least four cases, Barksdale spied on minors’ Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he’d befriended, Barksdale tapped into call logs from Google Voice, Google’s Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid’s account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others’ privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he’d looked up behind the person’s back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.

Episode 216 – Dishonest Manner, It’s Back, Interpol & Suppression

ISDPodcast Episode 216 for September 20, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Stories of Interest:
News Item 1: http://www.neurosciencemarketing.com/blog/articles/fake-rolex-cheating.htm

You can find fake designer and luxury products just about anywhere these days, and most people consider owning one a harmless transgression. After all, if you were never going to pay $12,000 for a real Rolex, who is really hurt if you wear a fake that cost you $30? Rolex didn’t really lose a sale, right? It turns out that the victim of the “crime” may be none other than YOU!

A fascinating research project has demonstrated that the act of wearing a fake designer item actually causes an individual to behave in a more unethical and cynical manner. The study, by Francesca Gino, Michael I. Norton, and Dan Ariely, started by giving a group of young female subjects expensive Chloé sunglasses to wear. These glasses were actually all authentic products, but half of the subjects were told that they were wearing a fake.

In subsequent testing the subjects wearing the “fake” sunglasses were more than TWICE as likely to cheat on a math test (71% vs 26%) when they thought their cheating would not be detected. Another test showed that the subjects wearing “fake” sunglasses judged other people as more likely to behave in a dishonest manner.

News Item 2: http://threatpost.com/en_us/blogs/researchers-google-aurora-attackers-back-business-091310

Security researchers say that a new wave of attacks suggests that the malicious hackers behind a security compromise at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF Reader application.

Writing on the Symantec Security blog, researcher Karthik Selvaraj said that evidence collected on a new round of targeted attacks shares many of the same fingerprints as the so-called Aurora attacks in late 2009. Symantec believes the two attacks to be of the same origin. The latest attacks appear to date back at least to the beginning of this month, when researchers say they began seeing attacks leveraging the recent Adobe 0 day vulnerability in PDF Reader that used social engineering attacks – in particular: specially crafted e-mail messages that contained a malicious PDF file attachment. Adobe warned last week about attacks, in the wild, that used a new zero day flaw in the PDF Reader and Acrobat software.

Writing for Symantec, Selvaraj noted that the wording of the e-mail messages was very similar to those associated with the Aurora attacks. The PDFs used in the attack were unlike others leveraging the zero day flaw that had been found in the wild, and all traced back to a single computer in Shandong Province, China. Furthermore, malicious components downloaded as part of the attack were similar or identical for each of the PDFs traced to the computer in Shandong Province, Symantec said. Analysis of the malware used in the Aurora attacks pointed to China as the source of the attacks. And, in February 2010, media reports (anonymously) linked two schools in Shandong Province to the Google Aurora attacks. Security researchers have theorized that the Chinese government may be behind the Aurora attacks, or tacitly complicit with them, as it looks to gain access to sensitive intellectual property, as well as insight into the actions and intentions of foreign governments, as well as domestic groups that it considers a threat to the governing Communist Party. The attacks have already prompted much soul searching on the part of Google and the U.S. Government, which has raised the alarm about the dangers posed by state sponsored actors and so-called “Advanced Persistent Threats.”

News Item 3: http://www.csoonline.com/article/616217/interpol-chief-has-facebook-identity-stolen
Related Link: http://news.techworld.com/security/3239719/facebook-poses-security-risk-at-work-study-finds/?olo=rss
Ron Noble, the Chief of Interpol, had his Facebook account compromised. Apparently he was using Facebook as a place to store information on individuals being investigated. Facebook isn’t at fault for this compromise of sensitive information, but the person responsible for placing the information there is… and why in the hell is anyone using Facebook as a storage medium for sensitive information in the first place???

News Item 4: http://www.nytimes.com/2010/09/12/world/europe/12raids.html

The group, Baikal Environmental Wave, was organizing protests against Prime Minister Vladimir V. Putin’s decision to reopen a paper factory that had polluted nearby Lake Baikal, a natural wonder that by some estimates holds 20 percent of the world’s fresh water.

Instead, the group fell victim to one of the authorities’ newest tactics for quelling dissent: confiscating computers under the pretext of searching for pirated Microsoft software.

Across Russia, the security services have carried out dozens of similar raids against outspoken advocacy groups or opposition newspapers in recent years. Security officials say the inquiries reflect their concern about software piracy, which is rampant in Russia. Yet they rarely if ever carry out raids against advocacy groups or news organizations that back the government.

As the ploy grows common, the authorities are receiving key assistance from an unexpected partner: Microsoft itself. In politically tinged inquiries across Russia, lawyers retained by Microsoft have staunchly backed the police.

Interviews and a review of law enforcement documents show that in recent cases, Microsoft lawyers made statements describing the company as a victim and arguing that criminal charges should be pursued.

Episode 215 – Naked Presentation, Vetting Data Recovery & JMPC Apple

ISDPodcast Episode 215 for September 17, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Adrian Crenshaw.

Announcements:

ShoeCon 2010:

  • When: Saturday, September 18, 2010
  • Where: Wellesley Inn-Atlanta Airport
  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence – SANS Forensics 508 – Computer Forensics and Investigations in Sandy Springs, GA
  • Adrian Sanabria – SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN

The Louisville Metro InfoSec Conference:

Bsides Atlanta:

Phreaknic:

Hak3rCon:

MyHardDriveDied.com Data Recovery Class:

  • Dallas, TX – October 11th – 15th
  • Washington, DC – December 6th – 10th
  • Use the Discount Code: isdpodcast for a $300 discount.

Defcon and Blackhat 2010 videos:

Awesome Search Site:
http://www.shodanhq.com

Stories of Interest:
News Item 1:  http://www.secmaniac.com
Social-Engineer Toolkit version 0.7.1 released, added file format attacks to the USB/DVD attack vector.

News Item 2: http://weblogs.baltimoresun.com/news/crime/blog/2010/09/employee_charged_with_hacking.html
It happened one day last year, as more than a dozen board members of a Baltimore substance abuse center had gathered around a conference room. The CEO was giving a PowerPoint presentation on his accomplishments.

Suddenly, his computer shut down, then restarted, replacing the latest slide with an image of a naked woman on a 64-inch screen. The board includes city officials and foundation heads and is chaired by Baltimore’s health commissioner.

Today, Baltimore’s State’s Attorney’s Office announced a grand jury had indicted Walter Powell, 51, for hacking into the computer system. They described him as a disgruntled worker who allegedly used his home computer to access the system, distribute confidential emails from his boss and break into the presentation.

The CEO of the Baltimore Substance Abuse System Inc., which distributes public funds to more than 50 substance abuse programs helping thousands of people, told me the attack cost $80,000 — mostly to rebuild the system, replace software and upgrade security measures.

The CEO, Greg Warren, said no confidential information leaked out.

News Item 3: http://gcn.com/articles/2010/09/06/data-recovery-vetting.aspx
Many government and private-sector organizations consider recovering data from damaged laptop PC hard drives to be a minor budget item that third-party vendors can best handle. But a seemingly inexpensive fix could lead to compromised or stolen data, network breaches and other security nightmares because organizations typically do not vet data recovery vendors.

The National Institute of Standards and Technology has issued new guidelines to resolve that problem, but it will be at least a year before agencies are required to fully comply with it.

When recovering intellectual property or sensitive documents stored in damaged equipment, major security problems can arise if agencies or companies have not paid attention to vetting data recovery vendors, experts say.

The NIST guidance, which appeared as part of the institute’s Special Publication 800-34 Rev 1, “Contingency Planning Guide for Federal Information Systems,” represents a small part of the publication that covers the entire breadth of data recovery procedures for federal agencies, said Marianne Swanson, NIST’s senior adviser for information systems security.

News Item 4:  http://blog.skeptikal.org/2010/09/cross-subdomain-session-fixation.html
Last fall I wrote a bit about cross-subdomain cookie attacks. As often as I come across more uses for them, I think that they are a much more serious issue than most people (myself included) have made them sound. Today, I came across a variant which I’d theorized about in the past, but never bothered to find in the wild, and I think it merits some attention.

You may be familiar with Hack Is Wack- a stupid marketing campaign from Norton/Symantec. The premise is simple: users submit videos, which are voted on, and the winner gets to roll with Snoop Dogg…’s manager. You may not know it, but most of Snoop’s music is information security-related. “What’s My Name” is about AuthN, “Drop it like it’s Hot” is about SQL injection, not to mention constant references to cron, gzip, and other unix commands in his lyrics. It’s really a pretty natural match.

At any rate, the Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There are the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it’s currently in Alpha).