ISDPodcast Episode 263 for November 22, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
MyHardDriveDied.com Data Recovery Class:
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
SANS Cyber Defense Initiative 2010
Marriott Wardman Park
Dec 10-17, 2010
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
13699 Dulles Technology Dr
Herndon, VA 20171
Dec 11-12, 2010
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
CFP Deadline: December 12, 2010
When: Final weekend of April 2011 (30th? – more info pending)
Where: The venue is Holiday Inn (Crabtree) in Raleigh, NC
Call for Papers is now open: firstname.lastname@example.org
Stories of Interest:
Backtrack 4 Release 2
- Kernel 184.108.40.206 – *Much* improved mac80211 stack.
- USB 3.0 support.
- New wireless cards supported.
- All wireless Injection patches applied, maximum support for wireless attacks.
- Even *faster* desktop environment.
- Revamped Fluxbox environment for the KDE challenged.
- Metasploit rebuilt from scratch, MySQL db_drivers working out of the box.
- Updated old packages, added new ones, and removed obsolete ones.
- New BackTrack Wiki with better documentation and support.
- Our most professional, tested and streamlined release ever.
For those wanting to upgrade an older release of BT4, an apt-get update && apt-get dist-upgrade should do the job.
Bank of America
A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security.
The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk- and performance-based cybersecurity standards on federal agencies and on private sector companies considered part of the country’s critical infrastructure. Such firms include utilities, communications providers and financial institutions.
The legislation is co-sponsored by Reps. Jane Harman (D-Calif.) and Yvette Clark (D-N.Y.). It would also create a new Cybersecurity Compliance Division within DHS to make sure organizations comply with the new security regulations. The lawmakers argue DHS has not had sufficient authority or resources to fulfill its mission as the lead federal agency for cybersecurity.
“From a security and good-government standpoint, the way to deliver better cybersecurity is to leverage, modify, and enhance existing structures and efforts, rather than make wholesale bureaucratic changes,” Thompson said in a statement. “This bill will make our Nation more secure and better positions DHS – the ‘focal point for the security of cyberspace’ – to fulfill its critical homeland security mission.”
The claimed ‘hijack’ of Internet traffic by China Telecom has been hugely exaggerated in scale and intent, a traffic analysis by Internet security company Arbor Networks has concluded.
A blog by Arbor chief scientist Craig Labovitz picks apart the speculative claim, attributed to McAfee’s VP of threat research, Dmitri Alperovitch (subsequently clarified here), that the unusual routing diversion through China Telecom at 4am GMT on 8 April 2010 could have amounted to as much as 15 percent of Internet traffic.
According to Labovitz, this appears to have been calculated by comparing the 40,000 affected BGP routes to the 340,000 in the routing table as a whole, a calculation originally cited by the industry BGPmon website.
Using numbers culled from the Arbor Atlas traffic monitoring system, which covers 80 global ISPs, however, traffic on that day barely increased beyond normal patterns; at most it amounted to only a few gigabits per second out of an Internet total between 80 and 100 terabits per second.
A June 2010 hacking incident that compromised a network at the Federal Reserve Bank of Cleveland happened on a test system and not the bank’s production servers.
On Thursday, Lin Mun Poo was charged with hacking the Fed and other U.S. corporations, including payment processor FedComp and an unnamed federal defense contractor. He was arrested on Oct. 21 following a U.S. Secret Service sting.
The Secret Service says it found more than 400,000 bank card numbers on Poo’s laptop at the time of his arrest. But those numbers apparently did not come from the Fed, which said Friday that none of its sensitive data was compromised during the incident. “We don’t process credit cards or debit card information,” said June Gates, a spokeswoman with the Federal Reserve of Cleveland.
According to Gates, the hacker managed to break into a single Fed test PC that was connected to other test computers. “This is a system that is used to test software and applications with fake data and information,” she said. “The incident did not involve our live production system on which we process our work.”
A survey conducted by antivirus vendor BitDefender revealed that only five percent of people use digits or special characters in their passwords and that sixty percent use single-case-only access codes. The conclusions are the result of a questionnaire taken by 1,000 random individuals, half men, half women, from 16 countries, with an average age of 29.5 years. The questions attempted to determine password strength and habits and were individually explained to respondents in a live interview. Results revealed that 67% of users have more than five password-protected online accounts, with one in four having six accounts and almost one in three having seven or more. Meanwhile, 73% of respondents said that they reuse the same password, a bad habit that security experts have tried to change for years.
The practice poses serious problems, since some accounts hold more value than others. For example, an online banking account is clearly more sensitive than a social networking one. With password reuse, if one account gets compromised, all of them are fair game. In July, we reported how Turkish hackers broke into the PayPal accounts of Israelis, whose usernames and passwords were stolen from an insecure Pizza Hut website. Furthermore, one in four respondents said that their password was six characters long. This, combined with the fact that 63% of them only use single-case alphabetic characters, means that a large percentage of passwords are trivial to crack via brute force. And to top it all off, BitDefender also claims that 12% of the respondents showed a willingness to disclose their password to the surveyors, in order to receive advice about its strength.
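To make the brute-force point concrete, here is an added Python example (not from the podcast or from BitDefender) that sorts constructed sample passwords into the survey's categories and sizes the exhaustive-search keyspace for each; the one-billion-guesses-per-second rate is an assumed round figure, not a number from the survey.

```python
import string

# Constructed samples: a six-character single-case word like the survey
# describes, plus progressively stronger variants for comparison.
SAMPLE_PASSWORDS = ["secret", "Secret", "s3cret", "S3cr3t!", "correcthorsebatterystaple"]

# Assumed offline guess rate (illustrative, not from the survey).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def is_single_case_alpha(password: str) -> bool:
    """The survey's 'single-case-only' category: letters of one case, nothing else."""
    return password.isalpha() and (password.islower() or password.isupper())


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over this length and pool must cover."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole keyspace at the assumed rate."""
    return keyspace(password) / rate


def audit(passwords):
    """Summarise each password the way a policy check would report it."""
    return [
        {
            "password": pw,
            "length": len(pw),
            "single_case_alpha": is_single_case_alpha(pw),
            "keyspace": keyspace(pw),
            "worst_case_seconds": seconds_to_exhaust(pw),
        }
        for pw in passwords
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_PASSWORDS):
        print(row)
```

The six-character single-case sample has a keyspace of 26^6, roughly 309 million, which the assumed rate exhausts in well under a second; adding a case, digits and symbols at the same length only gets to 94^6, so length matters as much as the character mix.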