Your daily source of Pwnage, Policy and Politics.

Episode 274 – Diplopedia, Vuln Mgmt, MC & NASA

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 274.mp3[/podcast]
ISDPodcast Episode 274 for December 8, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

SANS Cyber Defense Initiative 2010
Washington, DC.
Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

DojoCon:

13699 Dulles Technology Dr
Herndon, VA 20171

Dec 11-12, 2010

http://www.dojocon.org/

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

CFP Deadline: December 12, 2010

http://aide.marshall.edu/default.htm

Ultimate Pentesting VM: /resources/upv/

Stories:

News: http://fcw.com/articles/2010/12/07/state-department-diplopedia.aspx
As Secretary of State Hillary Clinton launched a damage control operation to world leaders after State Department diplomatic cables were published by the WikiLeaks website, the atmosphere was calm in the Office of eDiplomacy.

That’s because cables like the ones leaked to WikiLeaks have been replaced by Diplopedia, a highly secure system by which ambassadors and their staffs can compare notes, pass tips and even offer candid observations on world leaders, Dayo Olopade, a political reporter, writes in The Daily Beast.

Olopade recently spoke with officials in the Office of eDiplomacy about cybersecurity efforts in the wake of the leak of the trove of classified and unclassified diplomatic cables that span 1966 to 2010.

A team of 60 people within eDiplomacy are working on ways to modernize the way American diplomats talk to each other confidentially.

Diplopedia is an online encyclopedia of foreign affairs information, according to the State Department. It is a wiki that can be edited with an Intranet Web browser that can be accessed by authorized State Department personnel. They can contribute their experience, knowledge and expertise in the form of articles, discussion or editing of material submitted by others.

News: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524784,00.html?track=sy160
A new survey (1963 respondents of 2000) has found that many organizations are still struggling to deal with patch and configuration management issues and often lack efficient processes to deploy patches to systems and applications in a timely manner. According to eEye’s “2011 Vulnerability and Management Trends Report”:

  • 85% of those surveyed indicated that their IT staff is overburdened with regulatory compliance issues.
  • About half of those surveyed said regulatory compliance initiatives take up to 50% of their work weeks.
  • More than half (60%) indicated that as many as a quarter of the applications deployed in their organizations have unpatched vulnerabilities.
  • 73% of respondents’ organizations have as many as 100 applications deployed; 18% have more than 200 deployed.
  • 31% of professionals indicated they don’t have enough personnel to handle increased patching demands.
  • 18% stated they did not have an integrated vulnerability scanning and patching solution.
  • 13% said their scanning solution could not recognize zero-day vulnerabilities.
  • 16% of respondents said their solution could not effectively patch remote devices and distributed networks.

Cross Platform Patch Management: http://www.landesk.com/

News: http://www.guardian.co.uk/media/2010/dec/08/anonymous-4chan-wikileaks-mastercard-paypal?utm_campaign=Computer+Security+-+Google+News&utm_medium=Twitter&utm_source=SNS.analytics
The MasterCard website was forced offline for several hours today, following an online assault led by a shadowy group of hackers protesting against the card issuer’s decision to block payments made to the WikiLeaks website.

The “distributed denial of service” attack was apparently orchestrated by a “hacktivist” group calling itself Anonymous, which has in recent days temporarily paralysed the websites of Post Finance, the Swiss bank which closed WikiLeaks frontman Julian Assange’s account, and the website of the Swedish prosecution office.

Twitter is next in its sights, following allegations that the social networking site is “censoring” visibility of the breadth of discussion of WikiLeaks by preventing it from appearing in Twitter’s “trends”. Twitter has denied that it is doing this, saying its systems identify topics that are “being talked about more right now than they were previously” – which doesn’t include WikiLeaks.

But who, or what, is – or are – Anonymous?

A 22-year-old spokesman, who wished to be known only as “Coldblood”, told the Guardian that the group – which is about a thousand strong – is “quite a loose band of people who share the same kind of ideals” and wish to be a force for “chaotic good”.

There is no real command structure in the group, the London-based spokesman said, while most of its members are teenagers who are “trying to make an impact on what happens with the limited knowledge they have”. But others are parents, IT professionals and people who happen to have time – and resources – on their hands.

The group has gained notoriety for its attacks on copyright-enforcement agencies and organisations such as the Church of Scientology.

Anonymous was born out of the influential internet messageboard 4chan, a forum popular with hackers and gamers, in 2003. The group’s name is a tribute to 4chan’s early days, when any posting to its forums where no name was given was ascribed to “Anonymous”. But the ephemeral group, which picks up causes “whenever it feels like it”, has now “gone beyond 4Chan into something bigger”, its spokesman said.

The membership of Anonymous is impossible to pin down; it has been described as being like a flock of birds – the only way you can identify members is by what they’re doing together. Essentially, once enough people on the 4chan message boards decide that an issue is worth pursuing in large enough numbers, it becomes an “Anonymous” cause.

The group counts the current campaign in support of WikiLeaks as “probably one of [its] most high profile yet”. The group gained notoriety more recently for a number of sustained assaults against the sites of US music industry body RIAA, Kiss musician Gene Simmons, and solicitors’ firms involved in lawsuits against people suspected of illegal filesharing. In early 2008, Anonymous launched a campaign against the Church of Scientology, bringing down related websites and promising to “expel” the religion from the internet.

“We’re against corporations and government interfering on the internet,” Coldblood added. “We believe it should be open and free for everyone. Governments shouldn’t try to censor because they don’t agree with it.

“Anonymous is supporting WikiLeaks not because we agree or disagree with the data that is being sent out, but we disagree with any form of censorship on the internet. If we let WikiLeaks fall without a fight then governments will think they can just take down any sites they wish or disagree with.”

The spokesman said Anonymous plans to “move away” from DDoS attacks and instead focus on “methods to support” WikiLeaks, such as mirroring the site. “There’s no doubt in [Anonymous members'] mind that they are breaking [the] law,” he said of the latest attacks. “But they feel that there’s safety in numbers.”

Anonymous refused to say whether it would target government-owned websites next, but warned: “anything goes.”

News: http://www.theregister.co.uk/2010/12/08/nasa_disk_wiping_failure/
NASA officials failed to wipe sensitive agency data from computers before releasing them to the public, a violation of procedures that are part of the plan to securely end the Space Shuttle program, an audit released on Tuesday said.

Kennedy Space Center in Florida – one of four NASA sites with reported weaknesses in the disposition process – cleared the release of 14 computers to the public that had failed tests to verify data had been destroyed, the report found. Of the four that remained in NASA’s possession, one contained Space Shuttle related data that was subject to export control by the International Traffic in Arms Regulations. The audit, prepared by NASA’s Inspector General, covered a 12-month period starting in June 2009.

“The weaknesses we identified in NASA’s IT sanitization policy and procedures put NASA at risk of releasing sensitive information that could cause harm to its mission and violate federal laws and regulations that protect such information,” the report stated.

The investigators also found hard drives that were missing from Kennedy and the Langley Research Center in Virginia. Some of the hard drives were later found inside a publicly accessible dumpster.

NIST SP800-88: Guidelines for Media Sanitization: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf