Episode 661 – Weekend Wrap-up with Dr. b0n3z [45:28 | 20.82 MB]
InfoSec Daily Podcast Episode 661 for May 5, 2012. Tonight’s podcast is hosted by Dr. Bonez and Themson Mester.
Guests: oncee and spridel
Announcements
GraniteSec (formerly The New England InfoSec Tweetup)
When: May 19, 2012
Where: Veasey Memorial Park, Groveland, MA
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center – Huntington, West Virginia
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
Hack3rCon^3
When: October 19-21, 2012
Where: Charleston, WV
Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
Please consider making your Amazon purchases through our affiliate link. If you’re not familiar with the affiliate link, locate the Affiliate Program link on the right-hand side, or simply use our QR code links for Amazon and Amazon UK.
Stories
Source: http://www.wired.com/threatlevel/2012/05/mi6-codebreaker-at-blackhat/
A top British codebreaker who died a mysterious death in his flat two years ago had just returned from a computer security conference in the United States before his death, according to information disclosed during an inquest this week.
The body of Gareth Williams, a codebreaker with Britain’s MI6 spy agency, was discovered stuffed into a sports bag in his bathtub on Aug. 23, 2010, though he’s believed to have been killed Aug. 15.
Williams had just returned to London on Aug. 11 after spending six weeks in the United States, where he attended the annual Black Hat security conference in Las Vegas as part of a contingent of British spies, according to witnesses who spoke at the inquest. He attended Black Hat in 2008 as well.
It’s believed Williams may have also attended Black Hat’s companion hacker conference, DefCon, which follows Black Hat and draws many of the same attendees. In 2010, Black Hat was held July 24 to 29, while DefCon ran from July 30 to Aug. 1.
…
Source: http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/
The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.
In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.
The FBI general counsel’s office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.
“If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding,” an industry representative who has reviewed the FBI’s draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.
…
Source: http://www.cio.com/article/705760/Ten_Commandments_for_Effective_Security_Training
Information security people think that simply making users aware of security issues will make them change their behavior. But security pros are learning the hard way that awareness rarely equals change.
1. Serve small bites
People learn better when they can focus on small pieces of information that the mind can digest easily. It’s unreasonable to cover 55 different topics in 15 minutes of security training and expect someone to remember it all and then change their behavior.
Short bursts of training are always more effective.
2. Reinforce lessons
People learn by repeating elements over time; without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off seminar.
3. Train in context
People tend to remember context more than content. In security training, it’s important to present lessons in the same context as the one in which the person is most likely to be attacked.
4. Vary the message
Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.
5. Involve your students
It’s obvious that when we are actively involved in the learning process, we remember things better. If a trainee can practice identifying phishing schemes and creating good passwords, improvement can be dramatic.
Sadly, hands-on learning still takes a backseat to old-school instructional models, including the dreaded lecture.
6. Give immediate feedback
If you’ve ever played sports, it’s easy to understand this one. “Calling it at the point of the foul” creates teachable moments and greatly increases their impact. If a user falls for a company-generated attack and gets training on the spot, it’s highly unlikely they’ll fall for that trick again.
7. Tell a story
When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that helps keep them engaged. Rather than listing facts and data, use storytelling techniques. (Editor’s note: see, for example, How to rob a bank.)
8. Make them think
People need an opportunity to evaluate and process their performance before they can improve. Security awareness training should challenge people to examine the information presented, question its validity, and draw their own conclusions.
9. Let them set the pace
It may sound cliché, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them.
10. Offer conceptual and procedural knowledge
Conceptual knowledge provides the big picture and lets a person apply techniques to solve a problem. Procedural knowledge focuses on the specific actions required to solve the problem.
Combining the two types of knowledge greatly enhances users’ understanding. For example, a user may need a procedural lesson to understand that an IP address included in a URL is an indication that they are seeing a phishing URL. However, they also need the conceptual understanding of all the parts of a URL to understand the difference between an IP address and a domain name, otherwise they may mistake something like www4.google.com for a phishing URL.
…
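The tenth point above, that an IP address in place of a hostname is a phishing indicator but that www4.google.com is not, is the kind of rule that is easy to state and easy to get wrong. The following is an added example (not from the CIO article or the podcast page) that applies that rule the way a browser would resolve the host: it separates any userinfo prefix (www.google.com@…) from the real host, recognizes IPv4 and IPv6 literals, and, going one step beyond the article, also recognizes the bare decimal and hex integer forms of an IPv4 address that browsers accept. All sample URLs are constructed for illustration; the function names are the example's own.

```python
"""Phishing-URL heuristic: is the host an IP literal rather than a domain name?

Added example, not code from the article. Sample URLs below are constructed.
"""
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the host the browser would actually connect to.

    urlsplit() already discards a userinfo prefix such as 'www.google.com@',
    which is exactly the part a phishing URL uses to blur the real host.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def ip_literal(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an address object if the host is an IP literal, else None.

    Dotted-quad and bracketed IPv6 forms are handled by ipaddress. Browsers also
    accept one decimal or hex integer as an IPv4 address (http://3405803781/,
    http://0xcb007105/); that extension beyond the article's rule is handled
    here too. urlsplit() lower-cases the host, so the hex pattern is lower-case.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if re.fullmatch(r"\d+", host):
        n = int(host, 10)
    elif re.fullmatch(r"0x[0-9a-f]+", host):
        n = int(host, 16)
    else:
        return None
    return ipaddress.IPv4Address(n) if n <= 0xFFFFFFFF else None


def looks_like_phishing_host(url: str) -> Tuple[bool, str]:
    """Apply the 'IP address in the URL' rule and explain the verdict."""
    host = host_of(url)
    ip = ip_literal(host)
    if ip is not None:
        return True, f"host is an IP literal ({ip})"
    return False, f"host is a domain name ({host})"


# Constructed samples: the article's own www4.google.com case, the classic
# userinfo trick, and the integer forms a trainee would never think of.
SAMPLE_URLS = [
    "http://www4.google.com/search?q=x",
    "http://203.0.113.5/login",
    "http://www.google.com@203.0.113.5/login",
    "http://0xcb007105/login",
    "http://3405803781/",
    "https://[2001:db8::1]/",
    "https://accounts.google.com.example.net/signin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        flagged, why = looks_like_phishing_host(u)
        print(f"{'PHISHY' if flagged else 'ok    '} {u:48} {why}")
```

The last sample (a look-alike domain) is deliberately not flagged: the IP rule is one procedural check, and the conceptual lesson about how hostnames are built is what a user needs to catch that one.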
Source: https://torrentfreak.com/judge-an-ip-address-doesnt-identify-a-person-120503/
A landmark ruling in one of the many mass-BitTorrent lawsuits in the US has delivered a severe blow to a thus far lucrative business. New York Judge Gary Brown explains in great detail why an IP-address is not sufficient evidence to identify copyright infringers. According to the Judge this lack of specific evidence means that many alleged BitTorrent pirates have been wrongfully accused by copyright holders.
Mass-BitTorrent lawsuits have been dragging on for more than two years in the US, involving more than a quarter million alleged downloaders.
The copyright holders who start these cases generally provide nothing more than an IP-address as evidence. They then ask the courts to grant a subpoena, allowing them to ask Internet providers for the personal details of the alleged offenders.
The problem, however, is that the person listed as the account holder is often not the person who downloaded the infringing material. Or put differently; an IP-address is not a person.
Previous judges who handled BitTorrent cases have made observations along these lines, but none have been as detailed as New York Magistrate Judge Gary Brown was in a recent order.
In his recommendation order the Judge labels mass-BitTorrent lawsuits a “waste of judicial resources.” For a variety of reasons he recommends other judges to reject similar cases in the future.
The Judge continues by arguing that having an IP-address as evidence is even weaker than a telephone number, as the majority of US homes have a wireless network nowadays. This means that many people, including complete strangers if one has an open network, can use the same IP-address simultaneously.
In other words, the copyright holders in these cases have wrongfully accused dozens, hundreds, and sometimes thousands of people.
Aside from effectively shutting down all mass-BitTorrent lawsuits in the Eastern District of New York, the order is a great reference for other judges dealing with similar cases.
…
Source: http://cryptome.org/2012/05/apple-filevault-hole.htm
As someone said here recently, carefully built crypto has an unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open.
That seems to have happened to Apple’s older (“legacy”) Filevault in the current release of MacOS X Lion (10.7.3)… something intended to protect sensitive information stored on laptops by providing for encrypted user home directories contained in an encrypted file system mounted on top of the user’s home directory.
Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS X Lion 10.7.3 that causes the authorizationhost process’s HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system-wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree (“legacy Filevault”).
The log in question is kept by default for several weeks…
Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.
…
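The bug class in the post above is not specific to Apple: a debug switch left on in a release build, and a debug line that formats a whole request, secret included, into a log that a broader group can read. The following is an added example (not Apple's code and not from the cryptome post) showing that pattern in a hypothetical mount helper next to a hardened version. The hardened version keeps the credential in a wrapper that formats as a placeholder, and adds a logging filter that scrubs the secret out of any record that still manages to contain it, so the debug switch can stay on without leaking. The names DEBUGLOG, mount_home_dir_leaky and mount_home_dir_hardened, and the user/image/password values, are constructed for the example.

```python
"""Debug logging that leaks a credential, and a hardened equivalent.

Added example, not Apple's HomeDirMounter. All names and values are constructed.
"""
import logging
from io import StringIO
from typing import Iterable

DEBUGLOG = True  # the kind of switch the post says shipped enabled (hypothetical name)


def _logger(name: str):
    """Fresh logger writing to an in-memory buffer so the output can be inspected."""
    buf = StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    log.addHandler(handler)
    return log, buf


def mount_home_dir_leaky(user: str, image: str, password: str) -> str:
    """The bug: under DEBUGLOG the full request, password included, hits the log."""
    log, buf = _logger("HomeDirMounter.leaky")
    if DEBUGLOG:
        log.debug("mount user=%s image=%s password=%s", user, image, password)
    log.info("mounted %s for %s", image, user)
    return buf.getvalue()


class Secret:
    """Holds a credential; str()/repr() never reveal it, only .reveal() does."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "<redacted>"

    __str__ = __repr__


class RedactSecrets(logging.Filter):
    """Second line of defense: scrub known secret strings from every record."""

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        for s in self._secrets:
            if s in msg:
                msg = msg.replace(s, "<redacted>")
        record.msg, record.args = msg, ()  # already formatted; no further %-substitution
        return True


def mount_home_dir_hardened(user: str, image: str, password: Secret) -> str:
    """Same debug output, but the secret never reaches the log."""
    log, buf = _logger("HomeDirMounter.hardened")
    log.addFilter(RedactSecrets([password.reveal()]))
    if DEBUGLOG:
        # The wrapper renders as <redacted>...
        log.debug("mount user=%s image=%s password=%s", user, image, password)
        # ...and even a careless .reveal() inside a debug dump is scrubbed by the filter.
        log.debug("raw request: %r", {"user": user, "pw": password.reveal()})
    log.info("mounted %s for %s", image, user)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed values, not a real account or image path.
    print(mount_home_dir_leaky("alice", "/Users/alice.sparsebundle", "hunter2"))
    print(mount_home_dir_hardened("alice", "/Users/alice.sparsebundle", Secret("hunter2")))
```

The filter is deliberately a safety net rather than the primary control: the wrapper type is what keeps the password out of ordinary format strings, and the filter catches the case the post describes, where someone dumps the raw structure for debugging.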