InfoSec Daily Podcast Episode 657 for May 1, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Geordy Rostad, and Themson Mester.
Announcements
GraniteSec (formerly The New England InfoSec Tweetup)
When: May 19, 2012
Where: Veasey Memorial Park, Groveland, MA
http://granitesec.org
When: May 19, 2012
Where: Veasey Memorial Park, Groveland, MA
http://granitesec.org
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
http://www.appyide.org/
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
http://www.appyide.org/
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Please consider making your Amazon purchases through our affiliate link. If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.
Or simply use our QR Code Links.
Amazon:
Amazon UK:
Stories
Source: https://www.zdnet.com/blog/security/mac-botnet-generated-10000-a-day-for-flashback-gang/11727
Security researchers at Symantec are estimating that the cyber-criminals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day.
In a new blog post that discusses the business model of the botnet, Symantec found that Flashback was robbing Google of advertising dollars by redirecting clicks from infected Mac OS X machines and stealing the ad revenue.
At its height, Flashback contained more than 700,000 Mac machines and Symantec calculates that a botnet of that size could easily generate about $10,000 a day in click-fraud.
….
The Justice Department has cleared Google of wiretapping violations in connection to the company secretly intercepting Americans’ data on unencrypted Wi-Fi routers for two years ending in 2010, Google said.
“The DOJ had access to Google employees, reviewed the key documents, and concluded that it would not pursue a case for violation of the Wiretap Act,” Google wrote in a Thursday filing (.pdf) with the Federal Communications Commission.
The Justice Department declined comment.
If true, the development means that at least three government agencies — the FCC, Federal Trade Commission and the Justice Department — found Google committed no wrongdoing in the so-called Street View debacle.
Those outcomes, however, contradict a federal judge who last year ruled the search-and-advertising giant could be held liable for violating federal wiretapping law. The decision by U.S. District Judge James Ware of California green-lighted about a dozen lawsuits seeking damages — a decision that has been stayed pending Google’s appeal.
Google has said it didn’t realize it was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries between 2008 and 2010 until German privacy authorities began questioning what data Google’s Street View mapping cars were collecting. Google, along with other companies, use databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device.
In Google’s letter to the FCC, it said it would pay a $25,000 FCC fine, levied two weeks ago, to settle the agency’s claims that Google stonewalled the commission’s Streetview investigation. Google denied wrongdoing, but agreed to pay “in order to put this investigation behind it.”
….
Soon, users running Firefox 3.6.x will start being automatically upgraded to the current version 12.0 release of the open source web browser. The plan to auto-update these users has been being discussed since the end of March, when Mozilla Release Manager Alex Keybl proposed the move on a Mozilla planning discussion thread.
According to Keybl, Firefox 3.6.x users with updates enabled should start being upgraded in early May – the specific date has yet to be confirmed. The 3.6.x branch of Firefox, the first release of which arrived in January 2010, reached its end of life last week on 24 April; the last update to the 3.6 series was version 3.6.28 from early March.
For users and organisations that don't want to upgrade to version 12 of Firefox because of the Rapid Release process – which sees a new browser update every six weeks – Mozilla has an Extended Support Release (ESR) of Firefox specifically aimed at enterprises and other large organisations. The current Firefox ESR release, version 10.0.4, is based on Firefox 10.
Those who don't want to upgrade can turn off updates in Firefox – on Windows, updates can be disabled via Tools > Options > Advanced > uncheck "Firefox" under "Automatically check for updates". Mac users can access these settings from Preferences under the Firefox menu; however, some Mac OS X users will not be able to upgrade from 3.6.x as newer versions of Firefox no longer support PowerPC-based systems or version 10.4 of the operating system.
….
While many companies claim to embrace change, it’s hard to get people to move beyond their comfort zones. But enterprises need to embrace dynamic market changes and seek out new ways to grow as customer needs evolve. To help ensure the corporate culture evolves with the times, companies need to continually re-examine policies and procedures. The new book “Kill The Company: End the Status Quo, Start an Innovation Revolution” (Bibliomotion/Available in May) contends that work teams are often too confined by corporate behaviors, cultures and processes to take advantage of change. Author Lisa Bodell offers insights on moving beyond the status quo and embracing innovation. Managers who avoid these mistaken approaches can help make their company a market leader. Bodell is founder and CEO of futurethink, a global innovation training firm. For more about the book, click here.
1. Don’t: “That’s our department’s business. Not yours.”
Do: Encourage inter-departmental collaboration to drive success.
2. Don’t: “If I wanted your ideas, I’d ask for them.”
Do: Seek ideas from bottom-up for fullest perspective of customer needs and trends.
3. Don’t: “Failure is Not an Option.”
Do: Understand that anything worth pursuing requires educated risks.
4. Don’t: “Forget about it if it’s not in your job description.”
Do: Inspire talent to think outside their job description and work independently.
5. Don’t: “Are you wasting time on Facebook again?”
Do: Work with teams to come up with effective, external communications plans via Facebook and other social media sites.
6. Don’t: “Let’s focus on making our quota this month.”
Do: Always keep the long-term goals of the organization foremost in mind.
7. Don’t: “Sorry, that’s not possible because of our processes.”
Do: Eliminate processes that essentially serve as bottlenecks.
8. Don’t: “There is no ROI on training expenses.”
Do: Recognize the continued development of their employees as meaningful ROI.
9. Don’t: “Our approach has stood the test of time.”
Do: Maintain traditional branding while being flexible enough to adapt to changing market trends.
10. Don’t: “Don’t rock the boat.”
Do: Embrace questions that constructively challenge your team.
….
A bill that would stop employers from requesting future hires' social networking passwords has been filed in the U.S. House of Representatives. The bill, called the Social Networking Online Protection Act, or SNOPA, was filed Friday by Rep. Eliot Engel (D – New York) and Rep. Jan Schakowsky (D – Illinois). The proposed law would not only prohibit employers from asking current and potential employees for the usernames and passwords to their social networking accounts, it would also prohibit colleges, universities, and K-12 schools from asking the same of their students. The bill would also bar employers and schools from demanding access to such accounts or online content, and from punishing employees and students who refuse to volunteer the information.
"Several states, including New York, have begun addressing this issue," Rep. Engel said in a statement. "But we need a federal statute to protect all Americans across the country."
A bill to protect employees' passwords from snooping bosses is currently on the governor's desk in Maryland, waiting to be signed into law. Nine similar measures have been introduced around the country, but they have yet to clear the committees they were referred to.
Rep. Engel claims the legislation is a line in the sand that defines what's private.
"No one would feel comfortable going to a public place and giving out their username and passwords to total strangers," he said. "They should not be required to do so at work, school, or while trying to obtain work or an education. This is a matter of personal privacy and makes sense in our digital world."
….
[end]
