<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatory of Internet security</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Google DKIM Implementation Fail</title><description>Secuobs.com : 2012-10-25 23:01:28 - NovaInfosec.com - This is a very cool story for those crypto geeks out there. Apparently Zachary Harris, a mathematician by trade, received an email from a Google recruiter. He happened to notice that Google used DKIM to verify the message's authenticity with a relatively short 512-bit RSA key. Thinking it was a "challenge" for Google employment, Zachary figured he could factor it in a reasonable time, and so he did. He then forged an email to Larry Page from Sergey Brin referencing his website as something they might want to check out. Zachary didn't hear anything back from the recruiter, but a few days later he noticed that Google had switched to 2048-bit keys and that his website was getting lots of hits from Google IPs. Having seen Google's flaw, he investigated a few other popular sites and discovered many others, including Amazon, Twitter, eBay and Yahoo, using factorable key lengths. In this day and age sites should at least be using 1024-bit public keys. via TheRegister.co.uk: US-CERT has issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power. You might think this ...</description><link>http://www.secuobs.com/revue/news/407867.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407867.shtml</guid></item>
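<item><title>Added example: auditing the RSA key length behind a DKIM selector</title><description><![CDATA[
The story above turns on one check a mail administrator can run themselves: pull the selector's TXT record, decode the p= value and measure the RSA modulus. The following is an added example written for this page, not code from NovaInfosec, The Register or any DKIM library. It hand-rolls the small amount of DER needed (SubjectPublicKeyInfo wrapping RSAPublicKey) so it runs offline; the two records it audits are constructed on the fly around filler moduli that are deliberately not real RSA keys, and the 1024-bit threshold is the minimum the post recommends (RFC 8301 later made it mandatory for verifiers).

```python
import base64

# Minimal DER helpers (RFC 5280 SubjectPublicKeyInfo / RFC 8017 RSAPublicKey).
def _der_tlv(tag, body):
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(i):
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der_tlv(0x02, b)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e=65537):
    """Build a DER SubjectPublicKeyInfo around an RSA modulus/exponent pair."""
    alg_id = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")          # OID + NULL
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))                # RSAPublicKey
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING

def _der_read(buf, pos):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the bit length of the modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_read(spki, 0)                  # skip AlgorithmIdentifier
    tag, bit_string, _ = _der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_read(bit_string[1:], 0)    # drop the unused-bits octet
    tag, n_bytes, _ = _der_read(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_dkim_record(txt):
    """Split a DKIM TXT record (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = "".join(v.split())    # drop folding whitespace
    return tags

def dkim_key_strength(txt, minimum_bits=1024):
    """Return (key_type, modulus_bits, acceptable) for one DKIM selector record."""
    tags = parse_dkim_record(txt)
    key_type = tags.get("k", "rsa")          # k= defaults to rsa per RFC 6376
    if key_type != "rsa":
        return key_type, None, True          # the length check only applies to RSA
    if not tags.get("p"):
        return key_type, None, False         # an empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return key_type, bits, bits >= minimum_bits

def _constructed_modulus(bits):
    """Deterministic odd filler with the top bit set. NOT a real RSA modulus."""
    n = (1 << (bits - 1)) | 1
    for i in range(3, bits - 1, 7):
        n |= 1 << i
    return n

# Constructed records for the demonstration. Real ones come from the TXT record
# at <selector>._domainkey.<domain>.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(_constructed_modulus(512))).decode()
STRONG_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(_constructed_modulus(2048))).decode()

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dkim_key_strength(record))
```

To audit a live domain, replace the constructed records with the output of a TXT lookup for the selector named in the s= tag of a received message's DKIM-Signature header; the decoder above makes no network calls itself.
]]></description></item>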
<item><title>DHS Makes Changes to Their Cybersecurity Office</title><description>Secuobs.com : 2012-10-25 21:18:37 - NovaInfosec.com - We came across an interesting article regarding the Department of Homeland Security and the realignment of their cybersecurity office. It's a few days old but might be useful for those that missed it. It's interesting that they added two new divisions, expanding from three divisions to five. The five cybersecurity divisions are as follows: Federal Network Security; Network Security Deployment; National Cybersecurity and Communications Integration Center; the Stakeholder Engagement and Cyber Infrastructure Resilience Division; and the Office of Emergency Communications. via FederalNewsRadio: The Homeland Security Department's Office of Cybersecurity and Communications is expanding to five divisions from three and creating a performance-management office. DHS is reorganizing CS&amp;C in light of its increased responsibilities and improved stature in the federal and private sector cyber communities. "Our new structure will result in an organization more capable of agile operations, of forming stronger partnerships, and of professionally, efficiently, and effectively enhancing the security, resiliency, and reliability of the nation's cyber and communications infrastructure," wrote Mike Locatis, the assistant secretary of the Office of Cybersecurity and Communications, in an internal memo obtained by Federal News Radio. "This realignment also centralizes common support functions of budget, finance, and acquisitions, information management and human capital." Continued here. What do you think? ...</description><link>http://www.secuobs.com/revue/news/407818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407818.shtml</guid></item>
<item><title>Top 35 Strategies to Mitigate Targeted Cyber Intrusions Revealed for 2012</title><description>Secuobs.com : 2012-10-24 22:52:53 - NovaInfosec.com - The Australian Defence Signals Directorate (DSD) has once again updated their "35 Strategies to Mitigate Targeted Cyber Intrusions" report for 2012. The biggest take-away is that at least 85% of the unsophisticated intrusions they responded to could have been mitigated by simply implementing their top 4 strategies as a package. The top mitigations this year included the following: Application Whitelisting; Patch Applications; Patch Operating Systems; Minimize Number of Users with Domain or Local Admin Privileges. For those with a careful eye, you'll notice that nothing has changed since last year, when they released the report in July of 2011. Of course, perhaps a little more interesting are the bottom three recommendations: Network-Based Intrusion Detection/Prevention System; Gateway Blacklisting; Selected Network Traffic Capture. via DSD: Introduction. Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious "spear phishing" emails are tailored to entice the reader to open them. Users may be tempted to open malicious email attachments or follow embedded links to malicious websites. Either action can compromise the network and disclose sensitive information. The Defence Signals Directorate (DSD) has developed a list of strategies to mitigate targeted cyber intrusions ...</description><link>http://www.secuobs.com/revue/news/407593.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407593.shtml</guid></item>
<item><title>PoC Extension to Turn Browsers into Evil Botnets</title><description>Secuobs.com : 2012-10-24 21:11:39 - NovaInfosec.com - Years ago I remember having a discussion with a colleague on interesting areas of research in information security. He brought up the idea of malicious browser plugins/extensions and mentioned creating something that could help raise awareness. I pooh-poohed the idea at the time, but the tides have changed according to a recent article on The Register. It looks like Zoltan Balazs has created a proof-of-concept with the forthcoming release of an extension that offers capabilities that any malicious hacker would jump for. The extension works on most recent browser versions and current operating systems, with the notable exception of Internet Explorer. The extension Zoltan plans to present at Hacker Halted in Miami "offers a command-and-control control panel, rootkit capabilities, the ability to steal cookies and passwords, execute JavaScript, upload and download files, and more." The command-and-control aspect of this extension is particularly interesting. Since the communication appears as a standard browser connection, the extension could easily bypass most traditional protections such as firewalls (which usually allow HTTPS out from the browser), web proxies (including access to authentication credentials if needed), and application white-listing (which usually allows it since it only sees the browser running). So how do we defend against potentially malicious extensions? As a first step Zoltan ...</description><link>http://www.secuobs.com/revue/news/407564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407564.shtml</guid></item>
<item><title>The NIST List on Risk Management</title><description>Secuobs.com : 2012-10-24 21:11:39 - NovaInfosec.com - FCW.com had a nice article highlighting several of the core National Institute of Standards and Technology (NIST) risk management documents in reading-list form. The Federal Information Security Management Act of 2002 and, more recently, the Federal Risk and Authorization Management Program tapped NIST years ago to decompose these abstract standards and guidelines into more detailed, actionable recommendations so that agencies could effectively assess and manage their security risks. As a result of years of work, NIST has completed quite a comprehensive set of documentation pertaining to risk management. Although reading through these five documents isn't the most exciting way to learn risk management, it's probably one of the most comprehensive: SP 800-30, Risk Management Guide for IT Systems; SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach; SP 800-39, Managing Information Security Risk: Organization, Mission and Information System View; SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations; SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. via FCW.com: The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization ...</description><link>http://www.secuobs.com/revue/news/407563.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407563.shtml</guid></item>
<item><title>Cybersecurity EO Should Set the Standards for Legislation</title><description>Secuobs.com : 2012-10-24 02:52:05 - NovaInfosec.com - Well, we have addressed the Cybersecurity Executive Order many times before, but hopefully with the upcoming election the EO will become more fact than fiction. We came across an interesting article addressing this issue. According to Washington insiders attending 1105 Government Events' cybersecurity conference on October 22, the cybersecurity EO is expected to become reality and should set the standard for future legislation. The article further states that the Executive Order should serve as a guide regardless of any post-election power shifts in Washington. The Executive Order is a great starting point, but it has its limitations, so further legislation will still be needed for national cybersecurity. via FCW.com: The expected cybersecurity executive order should serve as a template for action when Congress once again takes up cybersecurity legislation, according to Capitol Hill insiders speaking at 1105 Government Events' Oct. 22 cybersecurity conference. The order will be useful for guidance regardless of any potential post-election power shifts, they said. (1105 Government Events is part of 1105 Media, the parent company of FCW.) "There are a lot of moving pieces, but the ground has now been plowed. No matter who's in a leadership position, the awareness has been raised, people are on the record ...</description><link>http://www.secuobs.com/revue/news/407397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407397.shtml</guid></item>
<item><title>Cyber Crooks Using Shortened .gov URLs in Scams</title><description>Secuobs.com : 2012-10-24 01:25:55 - NovaInfosec.com - Apparently crooks used the USA.gov shortening service to make their phishes look a little bit more legit. Using shorteners in this way isn't anything new, but this instance is worth noting because the flaw wasn't actually in the Bitly-supported service. Rather, the bad guys used an existing USA.gov link that points to a vulnerable vermont.gov website. The vulnerability, an open redirect, allows them to forward spammed users to a financially themed phishing site. via Net-Security.org: The fact that cyber crooks often misuse URL shortening services in order to trick users into following dangerous links is not news, but Symantec researchers have lately spotted a considerable increase in malicious links shortened with the 1.USA.gov service. The result of a collaboration between USA.gov and bitly.com, the service is automatically employed whenever anyone uses bitly to shorten a URL that ends in .gov or .mil. In the latest spam campaigns, the offered shortened 1.USA.gov links lead to a vermont.gov site, which then, thanks to an open-redirect vulnerability, is made to forward the visitors to a scammy work-from-home website that spoofs a legitimate financial news network website. Continued here. Were you aware of this scam? Post your comments below. Today's post pic is ...</description><link>http://www.secuobs.com/revue/news/407390.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407390.shtml</guid></item>
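<item><title>Added example: the open-redirect pattern and a hardened redirect target check</title><description><![CDATA[
The chain above works because the .gov site's redirect handler forwards to whatever URL a query parameter names, so a trusted 1.USA.gov link lands on the attacker's page. The following is an added example written for this page, not code from NovaInfosec, Symantec, Net-Security or the vermont.gov site, and it says nothing about how that site's handler was actually written. It shows the vulnerable pattern beside a validator that only allows targets resolving to the site's own origin, and it covers the bypasses that defeat naive prefix checks: protocol-relative //host, backslashes the browser treats as slashes, userinfo tricks (site@evil), lookalike subdomains, scheme downgrades and CRLF in the value. SITE_ORIGIN is an assumed hostname for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed origin of the site hosting the redirect endpoint (constructed for the demo).
SITE_ORIGIN = "https://example.vermont.gov"

def vulnerable_redirect_target(url_param):
    """The open-redirect pattern: the ?url= value is sent back verbatim in Location."""
    return url_param

def safe_redirect_target(url_param, site_origin=SITE_ORIGIN, fallback="/"):
    """Return an absolute URL on site_origin, or the fallback for anything off-site.

    Resolves the parameter against the site origin the way a browser would, then
    requires scheme, host and port to match exactly and refuses userinfo.
    """
    home = urljoin(site_origin, fallback)
    # Header injection and embedded NULs are rejected before any parsing.
    if not url_param or any(c in url_param for c in "\r\n\x00"):
        return home
    # Browsers treat backslash as a slash in the authority part; normalise first
    # so that "/\evil.example" is seen as the protocol-relative URL it really is.
    candidate = url_param.replace("\\", "/")
    site = urlsplit(site_origin)
    try:
        parts = urlsplit(urljoin(site_origin, candidate))
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return home
    if parts.scheme != site.scheme:            # blocks javascript:, data:, http: downgrade
        return home
    if parts.hostname != site.hostname or port != site.port:
        return home                            # blocks //evil, site.evil, site:8443
    if parts.username is not None or parts.password is not None:
        return home                            # blocks https://site@evil.example/
    return parts.geturl()

# Constructed probe values, modelled on the tricks seen in real redirect abuse.
PROBES = [
    "/account/login",
    "//evil.example/phish",
    "https://evil.example/phish",
    "https://example.vermont.gov@evil.example/",
    "https://example.vermont.gov.evil.example/",
    "/\\evil.example",
    "http://example.vermont.gov/x",
    "javascript:alert(1)",
    "/x\r\nSet-Cookie: a=b",
]

def compare(probes=PROBES):
    """Map each probe to (vulnerable_result, safe_result) for side-by-side review."""
    return {p: (vulnerable_redirect_target(p), safe_redirect_target(p)) for p in probes}

if __name__ == "__main__":
    for probe, (vuln, safe) in compare().items():
        print(f"{probe!r:48} vulnerable -> {vuln!r:48} safe -> {safe!r}")
```

The design choice worth noting is that the validator compares parsed components after resolution rather than string prefixes: "https://example.vermont.gov.evil.example/" starts with the trusted origin as text but parses to a different host, and a prefix check would wave it through.
]]></description></item>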
<item><title>Final Debate Fails Cybersecurity</title><description>Secuobs.com : 2012-10-23 22:26:00 - NovaInfosec.com - I didn't get a chance to see the debate last night; however, I did follow along somewhat on Twitter. Thank goodness Bill (@BillBrenner70) Brenner provided a nice write-up so I could at least get some type of infosec perspective. According to his article on CSO Online I didn't miss much, though. During the entire debate the "C" word was only briefly discussed once. So basically, if infosec is your thing and you were hoping that the debates would sway you one way or another, you got nothing. Obviously, Osama (I mean Obama) has a track record of emphasizing infosec, but the debate last night failed to provide any foresight into the priority either candidate would place on this important area over the next four years. via CSO Online: Obama used the word cybersecurity once during last night's third and final presidential debate, with no elaboration whatsoever. Romney mentioned systems getting hacked once, during a segment on China. Considering all the hacking into the systems of private enterprise and the US government these last four years, I'm surprised. Both of these guys flunked. We heard a lot from Obama about "partnerships" he's set up to work for Middle ...</description><link>http://www.secuobs.com/revue/news/407375.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407375.shtml</guid></item>
<item><title>EU Hops on Cyber Awareness Bandwagon</title><description>Secuobs.com : 2012-10-23 18:58:32 - NovaInfosec.com - It seems that the EU has hopped on the October-as-cyber-security-awareness-month bandwagon as well. So far organizers, led by the European Network and Information Security Agency (ENISA), have claimed the first European Cyber Security Month (ECSM) a success, with almost 2 million reached on Facebook. I wonder how they measured that (perhaps people that "Liked" it?). Anyway, as I discussed before, we have our doubts on whether it's even worth spending this much time dedicated to cyber security awareness in this way, but perhaps in the EU's case it's more appropriate as they're just starting out. As the years go on, though, it would probably be better to tailor this effort down to a week or so and rely on other, more effective awareness mechanisms. The good news is that at least ENISA scheduled ECSM at the same time as the US effort, thereby maximizing its effectiveness. If you are interested in learning more about ECSM, head on over to the official European Cyber Security Month site. via Net-Security.org: Halfway through the first European Cyber Security Month (ECSM), the pilot campaign has already reached 1,986,270 people on Facebook Europe-wide. In addition, a special Security Month awareness event has ...</description><link>http://www.secuobs.com/revue/news/407331.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407331.shtml</guid></item>
<item><title>Lawmakers Seeking Limits on Contractor Compensation</title><description>Secuobs.com : 2012-10-23 06:25:15 - NovaInfosec.com - We came across this article on how lawmakers are looking to cut the compensation that contractors can charge for their employees. From a whopping $700k per employee, lawmakers are pushing for something around $230k. Most of us in the contractor biz only make a fraction of that amount, with the rest of those charges probably going to multiple layers of bureaucratic management and other overhead costs. Of course the question remains: how could this affect the hiring of critical infosec talent? via GovExec.com: Federal employee unions and government accountability and public interest groups urged lawmakers Thursday to adopt Senate language that would cap the federal government's reimbursements for defense contractor compensation at $230,700 per employee. The Senate Armed Services Committee approved that cap in June, as an amendment to the fiscal 2013 National Defense Authorization Act. The House has not adopted the provision, however, and House-Senate negotiators will have to work out the difference. The bill has not yet gone to conference. Leaders of advocacy groups, including the National Treasury Employees Union, the American Federation of Government Employees, OMB Watch and the Project on Government Oversight, signed an Oct. 18 letter to the chairmen and ranking members of the House ...</description><link>http://www.secuobs.com/revue/news/407160.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407160.shtml</guid></item>
<item><title>Where You Want to Be This Week for 10-22-2012</title><description>Secuobs.com : 2012-10-22 18:38:50 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which tells you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Not much happening this week in terms of meet-ups. Drop by the NovaInfosec Meetup to honor the CitySec movement, and also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meet-ups for this week as well as a preview for next week. This Week: Wednesday (10/24), NovaInfosec Meetup (CitySec movement) at Velocity Five, Falls Church, from 7:00 to 10:00 PM (more info). Next Week: for those who would like to plan ahead, here is a preview of events on our calendar for next week. Nothing scheduled yet. Remember that Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space are five local hacker spaces that also hold several standard activities each week, so check them out ...</description><link>http://www.secuobs.com/revue/news/407052.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407052.shtml</guid></item>
<item><title>Cybersecurity Job Growth Expected as Other IT Areas in Decline</title><description>Secuobs.com : 2012-10-22 06:11:24 - NovaInfosec.com - GovWin came out with an interesting report late last week regarding job growth in Maryland. At the CyberMaryland conference in Baltimore they predicted that, as other areas of government spending remain flat or decrease, infosec spending is expected to increase, with over 50% growth in the number of jobs and associated dollars over the next four years. This equates to defense and civilian federal agency spending rising from $9.2 billion in 2011 to $14 billion in 2016. The question remains: where should we look for these jobs? The report mentioned the usual suspects (ManTech, SAIC, Lockheed Martin, and General Dynamics) as being the top recruiters. And if you are interested in moving to other locales beyond Baltimore and Maryland, the rest of the top five cybersecurity markets include Palo Alto, San Francisco, Boston, and Denver. Hey, where's NoVA? via BaltimoreSun.com: Cybersecurity industry analysts expect the market to grow more than 50 percent in the next four years even as other types of defense spending are expected to flatten or decline, creating new opportunities for workers and businesses in Maryland. The analysts presented their findings last week at the CyberMaryland conference in Baltimore. Information security ...</description><link>http://www.secuobs.com/revue/news/406919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406919.shtml</guid></item>
<item><title>FBI Website Breached... Not</title><description>Secuobs.com : 2012-10-22 04:03:58 - NovaInfosec.com - Another bit of information that came to our attention late last week, while we were consumed at Hack3rCon, was news that a malicious hacking group had breached the official FBI website. Purportedly the leak included 295 email addresses and plaintext passwords, along with other bits of information posted to various Pastebin-like sites. According to OZDCnet the site in question was hXXp wwwfbigovcfootprintnet. We're at a bit of a loss as to how anyone could have confused an FBI sub-domain with the "official" website. Regardless, OZDCnet and other prominent researchers later discovered that this data had already been floating around since June. So nothing new here. via HackRead.com: The official website server of the Federal Bureau of Investigation (FBI) has been hacked and the database has been leaked by The Hackers Army from Pakistan. The founder of The Hackers Army contacted us in an email about their latest hack, explaining why the hack was done; the founder said that "a Pakistani doesn't need any reason to hack the FBI, as the FBI itself is a reason." The hackers gained access to the FBI's website a couple of hours ago, downloaded the database and leaked it publicly on Pastebin. The leaked data contains address, server address, ...</description><link>http://www.secuobs.com/revue/news/406906.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406906.shtml</guid></item>
<item><title>RFI Leads to Hacked Weather Site</title><description>Secuobs.com : 2012-10-22 03:20:26 - NovaInfosec.com - In case you missed this piece late Friday, it looks like a hacking group known as Kosova Hacker's Security has hacked the Weather (as in Weather.gov) in retaliation for attacks like Stuxnet and family as well as prior bombings. Operated by the US National Weather Service, the website had a local file inclusion weakness that led to the disclosure of "potentially sensitive data". The vulnerability has since been addressed. via TheRegister.co.uk: Hackers have lifted potentially sensitive data from the US National Weather Service after exploiting a vulnerability in the weather.gov website. A previously-unknown group called Kosova Hacker's Security claimed credit for the hack in a lengthy post on pastebin containing a stream of data lifted as a result of the hack. Leaked data includes a list of partial login credentials, something that might give other hacking crews a head start in attacking the website, as well as numerous system and network configuration files. The leaked information appears to consist only of system files and the like rather than scientific data, something that strongly distinguishes the breach from the so-called ClimateGate hack against the Climatic Research Unit (CRU) at the University of East Anglia back in November 2009. Continued here ...</description><link>http://www.secuobs.com/revue/news/406905.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406905.shtml</guid></item>
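<item><title>Added example: local file inclusion beside a path check that holds</title><description><![CDATA[
The leak above is the usual outcome of a local file inclusion bug: a page name taken from the request is joined onto a directory and opened, so "../" climbs out of the web root and system and configuration files come back as page content. The following is an added example written for this page, not code from NovaInfosec, The Register or the weather.gov site, and it does not claim to reproduce that site's bug. It builds a throwaway directory tree (constructed for the demonstration) with a "secret" config file one level above the web root, shows the vulnerable include reading it, and then shows a check based on resolved real paths that also catches absolute paths and symlinks pointing outside the root.

```python
import os
import tempfile

def vulnerable_include(base_dir, page):
    """LFI pattern: user-controlled name joined to a base directory, then opened unchecked."""
    with open(os.path.join(base_dir, page), "r") as fh:
        return fh.read()

def safe_include(base_dir, page):
    """Serve only files whose real path (symlinks resolved) lies inside base_dir."""
    if "\x00" in page:
        raise PermissionError("NUL byte in requested path")
    root = os.path.realpath(base_dir)
    # os.path.join discards root if page is absolute; realpath then normalises
    # every ".." and follows symlinks, so the containment test sees the true target.
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{page!r} resolves outside the web root")
    if not os.path.isfile(target):
        raise FileNotFoundError(page)
    with open(target, "r") as fh:
        return fh.read()

def build_demo_tree():
    """Constructed layout: <tmp>/htdocs/index.html plus <tmp>/db.conf outside the root,
    and a symlink inside the root that points at the secret."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "htdocs")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>forecast</h1>")
    with open(os.path.join(top, "db.conf"), "w") as fh:
        fh.write("password=hunter2")
    os.symlink(os.path.join(top, "db.conf"), os.path.join(root, "link.conf"))
    return top, root

# Probe values modelled on common traversal attempts (constructed for the demo).
PROBES = ("../db.conf", "/etc/passwd", "link.conf", "pages/../../db.conf", "index.html")

def demo():
    """Return what each probe yields from the vulnerable and the safe include."""
    _, root = build_demo_tree()
    results = {"vulnerable ../db.conf": vulnerable_include(root, "../db.conf")}
    for probe in PROBES:
        try:
            results[probe] = safe_include(root, probe)
        except (PermissionError, FileNotFoundError) as exc:
            results[probe] = type(exc).__name__
    return results

if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe:28} -> {outcome!r}")
```

Two points the check depends on: the comparison is done on realpath output, so a symlink inside the root that points outside is rejected even though its name looks harmless, and commonpath is used instead of a string startswith, which would let "htdocs-private" pass a check against "htdocs".
]]></description></item>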
<item><title>DNSRecon from Hack3rCon 3</title><description>Secuobs.com : 2012-10-21 02:59:23 - NovaInfosec.com - At Hack3rCon today I had a chance to sit in on Carlos (@carlos_perez) Perez's DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package. Yeah, there are already scripts like Fierce that go out and dump almost everything imaginable; however Carlos, like many of us, wanted something a little more strategic. He wrote the original DNSRecon script in Ruby several years back but recently ported it to Python due to the limited DNS-related libraries available in Ruby at the time. And the good news is that most of us already have this tool available if you have an up-to-date version of BackTrack. You'll find it in the /pentest/enumeration/dns/dnsrecon directory. The core option that must be included is -d followed by the domain, as shown in the example below. By default this query returns information such as the SOA, NS, A, AAAA, MX, and SRV records. Optionally, you can use --domain in place of -d. For most users this standard query is where we'll probably start: dnsrecon.py -d &lt;domain&gt;. Carlos has also added a number of options to augment this standard query to quickly ...</description><link>http://www.secuobs.com/revue/news/406847.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406847.shtml</guid></item>
<item><title>FTC Offering $50K to Get Rid of Robo-Telemarketers</title><description>Secuobs.com : 2012-10-19 21:20:11 - NovaInfosec.com - It seems like everyone is getting into crowdsourcing their problems. In the security industry you usually hear about Google or Facebook paying out bug bounties for vulnerabilities, but the FTC is bringing things to a new level. The Federal Trade Commission is offering $50,000 to anyone with a solution for eliminating telemarketing robocalls. Even though the FTC has been successful in outlawing commercial telemarketing, little has been done to decrease or eliminate the pre-recorded messages that we receive on our phones. This is mostly due to the fact that robocalls are harder to trace: many come from overseas with inconsistent caller IDs. Any proposed solutions to the robocall problem that are submitted in this contest will be reviewed based on the following criteria: proof of effectiveness and resistance to being circumvented by telemarketers; ease of implementation; and practicality. Only teams of 10 employees or fewer will be eligible to compete for the $50,000 prize. The contest runs from October 25, 2012 through January 17, 2013. For more information, go to its requisition. Good luck! via Arstechnica.com: The race against robots is on: the Federal Trade Commission is offering $50,000 cash to anyone that can come up with a way to eliminate the insidious telemarketing ...</description><link>http://www.secuobs.com/revue/news/406719.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406719.shtml</guid></item>
<item><title>Hack3rCon Conference in Charleston This Weekend</title><description>Secuobs.com : 2012-10-19 19:41:25 - NovaInfosec.com - Here's a fun article on a pseudo-local security conference starting today. In it they discuss the Hack3rCon conference going on this weekend in Charleston, W.Va. The talks at the conference, referred to as "Doomsday Eve", are lighthearted but address serious issues, such as infrastructure preparation. Rob Dixon, co-founder of 304Geeks.com, states that Doomsday and IT go together, because people should protect their home and business infrastructures, as IT is a part of our everyday lives. Topics vary from "Bash Scripting 101 for Pen Testers" and "Intro to Linux Exploit Development" to "In Case of Zombies, Break Glass" and "Hacking Survival". It will be informative, enlightening and make you think: hmmm, what if? via WVGazette.com: If you idly click through the online schedule for this weekend's third Hack3rCon conference in Charleston (or, to give the name in official hacker-ese, Hack3rCon 3), you might grow worried that they know something you don't. Along with talks of interest solely to information security pros, like "Bash Scripting 101 for Pen Testers" and "Intro to Linux Exploit Development," there are ones titled "In Case of Zombies, Break Glass" and "Hacking Survival" on computing in a post-apocalyptic world. Rob Dixon is a co-founder of 304Geeks.com, which helped spawn Hack3rCon, a growing ...</description><link>http://www.secuobs.com/revue/news/406695.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406695.shtml</guid></item>
<item><title>Weekly Rewind: Privacy Screen, Nip Tip, Cyber Reserve and More</title><description>Secuobs.com : 2012-10-19 07:52:17 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "DHS Urged to Create Cyber Reserve", 2) "Nip Tip: Add a Separator Between Terminal Commands", and 1) "Selecting the Ultimate Privacy Screen". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. DHS Urged To Create "Cyber Reserve": We thought this was an interesting article on cybersecurity. A task force has suggested that the Department of Homeland Security put together a "Cyber Reserve" of security professionals to call upon in a national crisis, following the same premise as the military's reserve. If this is implemented, DHS would most likely look to gather IT professionals with rare specialized skills to have on call in case of emergency. The task force further states that the key to DHS being successful with the cyber reserve is to keep updated information on former personnel, as well as other experts. What do you think about a "Cyber Reserve", and ...</description><link>http://www.secuobs.com/revue/news/406582.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406582.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-10-19</title><description>Secuobs.com : 2012-10-19 05:44:50 - NovaInfosec.com - Here it is again: another of our weekly "Best Bets" posts. If you aren't planning on being at Hack3rCon in WV this weekend, it looks like Nova Labs is the place to be, with a movie night and ham training. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. As always, you can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (10/19): Nada. Saturday (10/20): Movie Night from 8:00 PM at Nova Labs (more info). Sunday (10/21): Amateur Radio (Ham) Technical License Training from 1:00 PM at Nova Labs (more info). Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space as they ...</description><link>http://www.secuobs.com/revue/news/406565.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406565.shtml</guid></item>
<item><title>Is DHS Ready to Take the Lead on Cybersecurity?</title><description>Secuobs.com : 2012-10-18 19:34:11 - NovaInfosec.com - The Department of Homeland Security is expected to take the lead on cybersecurity, but the question remains whether they are ready to take on the task. DHS has made progress in this field by creating the National Cybersecurity and Communications Integration Center (NCCIC), but admits that as a department they are still maturing. However, DHS states that what is hindering their growth is the lack of true cybersecurity talent to build up their workforce. via FCW.com: The federal government is looking expectantly to the Homeland Security Department to take the lead on cybersecurity, and while officials there say they are ready to step up, it's not an effort without inherent growing pains. Real progress is being made toward becoming a cohesive, effective frontrunner for federal cybersecurity, according to Mark Weatherford, DHS undersecretary of cybersecurity for the National Protection and Programs Directorate. However, he admits it isn't an easy journey. "DHS is nine years old now, and that sounds like we should be a really mature organization. But I can tell you, when you put this many different independent, large organizations together and say, 'OK, now you're one large DHS organization,' which is what happened in 2003, we're still maturing," Weatherford said Oct. 17 at ...</description><link>http://www.secuobs.com/revue/news/406493.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406493.shtml</guid></item>
<item><title>My Posse's on TheReg</title><description>Secuobs.com : 2012-10-18 17:59:05 - NovaInfosec.com - Looks like the Four Horsemen made the security news over on The Register. It mentions @gattaca making the ballot as well as the close calls with @jadedsecurity and @indi303. The article also brought in comments or mentioned @erratarob, @jack_daniel, and @wimremes. About half way through, the author mentions "an association of infosec professionals in the Washington DC area" called NovaInfosec.com. They got the comment right; however, I think we're getting confused with NoVA Hackers again. I support both, but NoVA Hackers is more of what they described. Anyway, beyond what we already know on who made the ballot, we also discovered Diana-Lynn Contesti successfully garnered over 500 signatures. She's been on and off the board for over a decade, so if you are happy with the current status of (ISC)² and the CISSP, there's another option for you. In total, each CISSP in good standing will get to vote or write in three names to fill one of the three corresponding open board positions. Come time for the November 16th election, this is what the ballot will likely look like: Claudio Cilli, Diana-Lynn Contesti, Flemming Faber, Jack Jones, David Lewis (aka @gattaca), Bruce Murphy, Dr. Corey Schou, Hiroshi Yasuda. And ...</description><link>http://www.secuobs.com/revue/news/406479.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406479.shtml</guid></item>
<item><title>Job: Cyber Security Systems Engineer in Reston, VA</title><description>Secuobs.com : 2012-10-18 05:50:58 - NovaInfosec.com - Tenacity is seeking Cyber Security Engineers to help instrument one of the most highly-targeted networks in the world. The customer environment is one of the most sought-after in the area; once you're here you'll never want to leave. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Cyber Security Systems Engineer. Location: Reston, VA. Company Name: Tenacity Solutions, Inc. Job Description: Tenacity is seeking Cyber Security Engineers to help instrument one of the most highly-targeted networks in the world. Our customers' networks are under constant attack by the most sophisticated adversaries, both state and non-state actors. Successful candidates will join in identifying and evaluating new sensor technologies to expand and upgrade the customers' network instrumentation. Candidates would also deliver Security Information and Event Management (SIEM), Intrusion Management (IDPS), Enterprise Malware Management, 0-day discovery, and SSL Proxying solutions. Requirements: Required (Skills, Knowledge, Abilities): TS/SCI w/ Poly. Bachelor's degree in electrical engineering, computer engineering, computer science or other closely related discipline. Minimum of five years of progressively responsible experience in network engineering with emphasis in ...</description><link>http://www.secuobs.com/revue/news/406354.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406354.shtml</guid></item>
<item><title>China Sees Increase in US Hacker Attacks</title><description>Secuobs.com : 2012-10-17 21:46:24 - NovaInfosec.com - I'm the sort of person that likes to look at things from various perspectives. And this recent article revealed this point perfectly. From the US perspective there might be Chinese government sponsored attacks against us. Additionally, there are probably many Chinese groups and individuals that may not directly be under orders from their government, however attack the US for other reasons (e.g., showing their patriotism). Now, taking a look from the Chinese perspective, it may be the case that there are US government sponsored attacks against them. And just like those Chinese patriots, there might also be US patriots as well. It's just interesting to turn the tables and look at the reverse perspective sometimes. via Forbes.com: News last week that a US government report alleged Chinese telecom companies were likely spying on US firms comes at a time when Chinese companies are getting hacked into like never before. Including from computer systems in the US. Now China has joined the chorus of countries saying the internet is no longer safe. Whether it's Huawei supposedly spying on US telecom partners or Chinese hackers breaking into Washington secrets, the same now holds for China. Foreigners are hacking into or spying ...</description><link>http://www.secuobs.com/revue/news/406270.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406270.shtml</guid></item>
<item><title>NIP Tip: Add a Separator Between Terminal Commands</title><description>Secuobs.com : 2012-10-17 19:11:49 - NovaInfosec.com - Several months back @jasonmoliver tweeted a neat little hack from LifeHacker that adds a separator between commands on Linux and Mac OS X terminals. I had enjoyed it for months, but then I was fortunate enough to get a new MBP. For whatever reason I couldn't determine the exact settings on my old computer, so it wasn't very easy to do the same thing on the new Mac. I searched around but was unable to find the recommendation. Finally, I asked @jasonmoliver again and he quickly tweeted out the original article. And so I don't lose this vital little trick again, I thought it would be great for our second NIP Tip. The implementation is pretty simple. I'll focus on Mac OS X since that's my drink of choice. Start by opening a terminal window, copying the second code listing from the original LifeHacker article, and pasting it into a .bash_ps1 file in your user home directory. The original LifeHacker instructions used nano, but obviously you can use whatever editor you're most familiar with. Next, add or edit the .bash_profile file in your home directory to include the following text: if [ -f "$HOME/.bash_ps1" ]; then . "$HOME/.bash_ps1"; fi. Finally, restart ...</description><link>http://www.secuobs.com/revue/news/406218.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406218.shtml</guid></item>
<item><title>Selecting the Ultimate Privacy Screen</title><description>Secuobs.com : 2012-10-16 23:53:22 - NovaInfosec.com - Protecting your privacy is very important to many, and there's nothing more annoying than that person looking over your shoulder at your laptop screen. Many think this would be too obvious; however, never underestimate someone with good eyesight. One friend from college had such good vision that from the back row of a large lecture hall he could see the completed bubbles on one of those multiple choice answer sheets. I'd estimate that distance was about 50 feet or so. Yeah, and he pretty much aced all the tests. Imagine what he could have done looking over shoulders from 50 feet away. For all I know he's employed using his excellent vision right now doing some type of investigative work. Anyway, a while ago I finally got into the whole privacy screen thing and started researching them. They not only offer privacy but also something you could use to tone down the horrible reflective and fingerprint-laden screen that most Macs come with. There are a ton of products in the privacy screen category, and while there are some good brands and some bad brands, I'm sure there isn't that much of a difference between all the top ...</description><link>http://www.secuobs.com/revue/news/405919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405919.shtml</guid></item>
<item><title>Where You Want to Be This Week for 10-15-2012</title><description>Secuobs.com : 2012-10-15 21:31:31 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Don't know what you will be doing during the week? Why not drop by one of the many meet-ups happening this week; we are sure that you are going to enjoy the events. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Tuesday (10/16): ISACA CM Meetup, "Information Assurance Architecture: Integrating Security in the Mission Workflow" by Keith Willet at The Conference Center at the Maritime Institute from 11:00 AM to 6:00 PM (more info). ISSA DC Meetup, "Creating a Secure Desktop" by Derek Melber and Paul Andrew at Government Printing Office Room A138 from 6:30 to 8:00 PM (more ...</description><link>http://www.secuobs.com/revue/news/405692.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405692.shtml</guid></item>
<item><title>Is National Security Awareness Month a Waste?</title><description>Secuobs.com : 2012-10-15 16:57:34 - NovaInfosec.com - So it's National Security Awareness Month (aka, NCSAM) ... again. We've usually tried to come up with something interesting to say. Two years ago I was all "oh ra" for it. Then last year I touched on how not much had changed but closed with a rallying call. Well, this year I'm just sort of tired of it. Yeah, I support the whole awareness thing, but more and more it just seems to be becoming sort of ho-hum for those of us in the security community, and I'm guessing the same for many non-security types as well. National Security Awareness Month was good in the beginning to get the ball rolling, but now, personally, I think it's kind of a waste. Maybe a single day or perhaps a week is about all I'd recommend dedicating to it. The fairly regular dumps by Anonymous, the continual investigation into the Stuxnet/Duqu/Flame attacks, the espionage conspiracies about foreign communication companies, and the almost daily announcements of company breaches, along with the resulting amplified barrage of news coverage in the mainstream press, have resulted in much more security awareness than any dedicated "month" could. Anyway, here are a few good resources you can ...</description><link>http://www.secuobs.com/revue/news/405625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405625.shtml</guid></item>
<item><title>Deadline Approaching for Cyber Foundations &amp; CyberCenter Program</title><description>Secuobs.com : 2012-10-13 05:25:28 - NovaInfosec.com - Travis "w0rm53r" Fritz contacted us with this little nugget of information to pass around. Taken from today's SANS NewsBites, it discusses the Cyber Foundations / CyberCenters program and their upcoming deadline for veterans and high school students to register for inexpensive entry-level training and a follow-up competition. It specifically focuses on the fundamentals of cyber security, including modules for networking, OSs, and system administration. For those that show an aptitude in security, the program will offer additional career opportunities. via SANS.org: Next Friday is the deadline for veterans and high school students to register for the Cyber Foundations CyberCenters program, that includes on-line tutorials and challenges in three areas that are the essential foundations of effective cybersecurity careers. Those who show talent will earn opportunities for acceptance in the new CyberCenters program where they will get intensive hands-on training and internships in the only fast-track to high-paying careers in cybersecurity. Fees are very low ($25) but may still be waived. Tell the veterans and high school students you know who have IT talent to register at https://www.cybercenters.org. Read the full NewsBites issue here. Today's post pic is from UCR.edu. See ya!</description><link>http://www.secuobs.com/revue/news/405412.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405412.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-10-12</title><description>Secuobs.com : 2012-10-12 14:59:55 - NovaInfosec.com - Here it is again: another of our weekly "Best Bets" posts. If old school gaming is your thing, then this is the weekend for you. Both Nova Labs and Unallocated Space are holding gaming nights this weekend. And probably the infosec highlight, if you want to head down into DC, is the CryptoParty at HacDC. This event sounds very interesting, with various talks and workshops on crypto and privacy. Some of their listed topics include Tor, OpenPGP, SSL, Cryptocat, TrueCrypt, and LUKS. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. As always, you can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (10/12): Nada. Saturday (10/13): Social / Game Night from 8:00 PM ...</description><link>http://www.secuobs.com/revue/news/405286.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405286.shtml</guid></item>
<item><title>DHS Urged To Create "Cyber Reserve"</title><description>Secuobs.com : 2012-10-12 04:55:34 - NovaInfosec.com - We thought this was an interesting article on cybersecurity. A task force has suggested that the Department of Homeland Security put together a "Cyber Reserve" of security professionals to call upon in a national crisis, following the same premise as the military's reserve. If this is implemented, DHS would most likely look to gather IT professionals with rare specialized skills to have on call in case of emergency. The task force further states that the key to DHS being successful with the cyber reserve is to keep updated information on former personnel, as well as other experts. One weekend a month, two weeks a year? Would you join? via NextGov.com: A cyber skills task force has recommended that the Homeland Security Department build a reserve army of cyber specialists from across government and industry to address emergencies. Last week, the task force briefed DHS leaders on recommendations for filling a talent void and molding top-notch cyber talent to meet future, unknown network threats. One objective is to establish a National Guard-like band of cyber experts, called the "CyberReserve," to ensure capable professionals are on tap in times of national crises. There is precedent for this sort of organization in Estonia, as well as the electric ...</description><link>http://www.secuobs.com/revue/news/405202.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405202.shtml</guid></item>
<item><title>Job: Senior IT Security Analyst in Silver Spring, MD</title><description>Secuobs.com : 2012-10-11 22:48:06 - NovaInfosec.com - We came across an interesting job posting with ERT for a Senior IT Security Analyst. This looks like a great opportunity for someone with a strong background in meeting FISMA compliance, and a Bachelor's Degree in a related field. Full clearances and some travel are required for this position. But as an added bonus, you would work for fellow Novablogger @jasonmoliver. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Senior IT Security Analyst. Location: Silver Spring, MD. Company Name: ERT. Job Description: Will serve as a team member functioning as the Certification Agent for a local Federal Civilian Agency. Develop security package documentation related to NIST compliant FISMA system assessments as part of the accreditation audit process. Perform a variety of tasks relating to hands-on security control testing, continuous monitoring, system analysis, architecture and mitigation recommendations, and conduct evaluations of documentation as it relates to each IT system and its configuration. Must have a strong background meeting FISMA compliance using the Risk Management Framework (RMF). Duties will include all audit functions tied to ...</description><link>http://www.secuobs.com/revue/news/405165.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405165.shtml</guid></item>
<item><title>Where You Want to Be This Week for 10-08-2012</title><description>Secuobs.com : 2012-10-08 17:08:11 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Only one meet-up this week, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Monday (10/08): NoVA Hackers Association Meetup, Normal Meetup at QinetiQ, Reston from 5:30 to 8:30 PM (more info). And for those who would like to plan ahead, here is a preview of events on our calendar for next week. Tuesday: ISACA CM Meetup. Wednesday: Mindforge Meetup. Remember that Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space are four local hacker spaces that also ...</description><link>http://www.secuobs.com/revue/news/404211.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/404211.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-10-05</title><description>Secuobs.com : 2012-10-05 22:54:10 - NovaInfosec.com - Here it is again: another of our weekly "Best Bets" posts. There isn't much infosec going on this weekend besides 2600 in Arlington. The HAM Radio Night at Unallocated Space is also happening Friday, but after that the schedule looks pretty dry. If you know of anything, please add it to the comments below. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (10/5): HAM Radio Night from 6:00 PM at Unallocated Space (more info); 2600 Arlington Meetup from 7:00 PM at Champps, Pentagon Row (more info). Saturday (10/6): Nada. Sunday (10/7): Nada. Remember to check out some of the other activities ...</description><link>http://www.secuobs.com/revue/news/403924.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403924.shtml</guid></item>
<item><title>Weekly Rewind: Katana 3.0 Beta, Pay Increases, DerbyCon &amp; More</title><description>Secuobs.com : 2012-10-05 07:50:46 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "DerbyCon Day 2 Talk Notes: Social Engineering Defense Contractors on LinkedIn and Facebook", 2) "Did You Get a 10.1% Pay Increase Last Year?", and 1) "Wielding Katana 3.0 Beta: The DerbyCon Edition". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. DerbyCon Day 2 Talk Notes: Social Engineering Defense Contractors on LinkedIn and Facebook. So I thought I'd check out and blog about this presentation since it seems fairly close to home with many of us in the metro-DC area. Despite there being no abstract, I've heard the speaker, Jordan Harbinger, on The Social Engineering Podcast a few times and he seems to know his stuff on teaching others to build rapport with others, a key skill for any social engineer. Did you attend Jordan's talk at DerbyCon? If so, let us know what you thought in the ...</description><link>http://www.secuobs.com/revue/news/403771.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403771.shtml</guid></item>
<item><title>Getting To Know Your Hacker</title><description>Secuobs.com : 2012-10-05 02:57:05 - NovaInfosec.com - We came across an interesting article that addresses new strategies in defending against cybercrime attacks by focusing on identifying the hackers themselves, as opposed to the malware. Companies such as CrowdStrike and Trend Micro look to profile the hackers and unveil their identity, as well as the identity of their infrastructure suppliers. The article states that even if the hackers are identified, it is unlikely that they will be arrested. But we'll take shutting down a hacker and his support team nonetheless. via DarkReading.com: Even if you learn the name and get a photo of the Chinese hacker sitting behind the keyboard and siphoning your valuable intellectual property, it's unlikely to lead to his arrest. But there are ways to use that information to put the squeeze on the attacker and his sponsors. After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin. Leading that charge is CrowdStrike, the startup that aims to aggressively profile, target, and, ultimately, help unmask sophisticated cyberattackers. Trend Micro also has been ...</description><link>http://www.secuobs.com/revue/news/403744.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403744.shtml</guid></item>
<item><title>NIP Tip: Safely Viewing the Source of Potentially Malicious Sites</title><description>Secuobs.com : 2012-10-05 02:57:05 - NovaInfosec.com - A few weeks ago @mikko tweeted an awesome tip for when you want to view a page's source of a potentially malicious website, however don't want to render it in a browser. And say you happen to be on a Windows machine that doesn't have your normal tools installed. Of course you could also follow our advice for determining safe websites, which recommends a few services for determining bad sites, but that's no fun. Instead, Notepad provides everything you need: Open Notepad. Select File &gt; Open. Enter the URL and hit OK. And that's basically it! Pretty slick, huh? There are also several websites that allow you to view a page's source without rendering it, and they have the added bonus of helping to anonymize your requests. One that I like is the whole UnMask series of sites from DigitOnto, LLC. They allow you to either pull all content (UnmaskContent.com) or just the pieces you want (e.g., UnmaskScript.com). Got any more tips or resources for viewing a site's page source content without rendering it? Let us know in the comments below. Today's post pic is from ProductWiki.com. See ya!</description><link>http://www.secuobs.com/revue/news/403743.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403743.shtml</guid></item>
<item><title>The Story of Alice &amp; Bob</title><description>Secuobs.com : 2012-10-04 16:01:05 - NovaInfosec.com - We came across a fun article on The Register a few days ago and wanted to pass it on. There's been a new proposal to replace the first crypto couple with Hindu mythological characters Sita and Rama. The article discusses the pros and cons of this proposal; however, I thought it would be fun to point out a Wikipedia article that goes into the whole history of Alice, Bob, and all the fun characters we currently enjoy. According to Wikipedia, besides Alice, the sender of a message; Bob, the receiver of the message; Eve, a passive attacker trying to eavesdrop on the message; and Mallory (aka Mallet, Trudy), an active attacker trying to MITM the message, you might have also heard of Carol, Chuck, Craig, Dave, Oscar, Peggy, Trent, or Walter. Carol (aka Carlos or Charlie) often acts as a third good-girl participant in the communications between Alice and Bob, while Chuck on the other hand is a third participant with malicious intent. Craig is usually portrayed as the password cracker, and Dave is a fourth good-guy participant in the communications with Alice, Bob, and Carol. Be sure to head over to the fun Wikipedia page to hear about Oscar ...</description><link>http://www.secuobs.com/revue/news/403573.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403573.shtml</guid></item>
<item><title>BSidesDE Talk Info</title><description>Secuobs.com : 2012-10-03 20:00:08 - NovaInfosec.com - I'm excited to have been accepted to speak at this year's two-day BSidesDE event starting Friday, November 9th at Wilmington University. We have a lot of cool content we're working on to turn this PHP security material into a very cool resource that all infosec pros can use to better reach out to the PHP developer community. Anyway, here is my talk info. Title: PHP Website Security, Attack Analysis, &amp; Mitigations. Abstract: PHP is a very powerful language for easily developing web applications; however, with this power comes great responsibility, and in this case that means not shooting yourself in the foot with lax security practices. Issues can arise from everything from language vulnerabilities and weak default settings to insecure coding practices and misconfigurations. This presentation plans to address many of these concerns by providing valuable lessons in the security of, attacks against, and management of PHP in your environment. The talk begins with an overview of PHP security, including its known issues and corresponding security enhancements the maintainers have incorporated over time. Beginning with an in-depth discussion of Suhosin and how it can be used to lock down your PHP environment, the presentation next details PHPIDS and how it ...</description><link>http://www.secuobs.com/revue/news/403387.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403387.shtml</guid></item>
<item><title>"Keccak" Tapped as Next Generation Hash Algorithm</title><description>Secuobs.com : 2012-10-03 15:54:59 - NovaInfosec.com - It just seems like yesterday we were all talking about Schneier's hope that NIST choose "no award" for the 5-year SHA-3 competition; however, it looks like they didn't heed his advice. This morning NIST formally announced Keccak as the winner of the SHA-3 competition. via GovInfoSecurity.com: IT security professionals at the National Institute of Standards and Technology work deliberately, taking years to revise intricate information security guidance or choosing the next generation of cryptographic hash algorithm. Nearly five years after announcing a competition to develop a new cryptographic hash algorithm, NIST announced a winner on Oct. 2: Keccak (pronounced catch-ack), which was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors, both major European semiconductor companies. NIST says the European team defeated 63 other submissions, and will become the Institute's SHA-3 hash algorithm. In 2007, NIST security experts thought SHA-2, the standard secure hash algorithm, might be threatened, so it sought a new one through the competition. Continued here. What do you think of NIST's choice? Let us know in the comments below. Today's post pic is from Mocana.com. See ya!</description><link>http://www.secuobs.com/revue/news/403315.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403315.shtml</guid></item>
<item><title>Twitter's Odd Lockout Feature</title><description>Secuobs.com : 2012-10-03 04:58:44 - NovaInfosec.com - So apparently, according to a recent story on CNET, there's an underground industry in hacking Twitter accounts with desirable handles via password guessing. You'd think they would have some type of lockout feature to stop this. Well guess what: according to one of Twitter's help pages, they do. The lockout period lasts about an hour and then it clears. One thing that they don't mention is that the lockout is by IP address and not by account. So anyone could easily multiply the number of guess attempts they have by simply using one or more proxies to attack. Obviously a tighter solution would be to lock out the account instead of the IP address; however, this technique could cause problems. For example, if there's someone that wants to DoS your account, they could simply trigger the lockout through repeated failed login attempts. Now this lockout-by-IP approach isn't anything new; this article from way back in 2010 notes the IP lockout technique as well as a few other tricks attackers could try out. CNET details the trials and tribulations of locking in this fashion in their story about one prominent Twitter user, @blanket, who had recently had his account ...</description><link>http://www.secuobs.com/revue/news/403214.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403214.shtml</guid></item>
<item><title>Wielding Katana 3.0 Beta: The DerbyCon Edition</title><description>Secuobs.com : 2012-10-03 04:58:44 - NovaInfosec.com - DerbyCon was pretty much full of some awesome talks; however, I mostly chose to just sit back and relax instead of taking furious notes and putting out blog posts. I did get one post out on social engineering defense contractors, but then I attended the talk "Wielding Katana: A Live Security Suite" by JP Dunning and Chris Silvers. Since I found myself tweeting about many of its features, I figured I'd write up something from my twotes. For a quick overview, the author describes Katana as: "Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain &amp; Abel, and many more." Important Note: The new 3.0 beta release is only available through October 3rd. After that you'll be stuck with the older version until the developer decides to publish it again. So immediately go here and download it before moving on. Katana has been around for several years; however, this talk was my ...</description><link>http://www.secuobs.com/revue/news/403213.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403213.shtml</guid></item>
<item><title>Did You Get a 10.1% Pay Increase Last Year?</title><description>Secuobs.com : 2012-10-02 19:04:22 - NovaInfosec.com - We came across this Washington Post article and thought we'd pass it along. Apparently, according to data pulled from some consulting company that does this kind of stuff, the pay for "cybersecurity" analysts jumped 10.1% this past year compared to an average 2.1% growth across all jobs in the same region. As expected, it's the typical supply vs. demand that's at work here. The article notes that companies are in particular taking retaining existing employees very seriously; however, I haven't personally observed this from those I know around NoVA. It's just too easy to find jobs elsewhere since there's an entire recruiting industry that supports these in-demand professionals. If companies want to retain their infosec employees, they need something, perhaps internal headhunters, that makes it easier to move around within the behemoth DoD beltway bandits. Unfortunately, for many that stay with the same company, I don't think you were one of those that saw a 10.1% raise last year. via WashingtonPost.com: The demand for cybersecurity professionals far outstrips the supply of these highly skilled workers in the Washington area, a dynamic which experts and recruiters say is driving up compensation for qualified individuals and fueling fierce competition among ...</description><link>http://www.secuobs.com/revue/news/403085.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403085.shtml</guid></item>
<item><title>Who's Gonna Take the First Shot?</title><description>Secuobs.com : 2012-10-01 21:02:57 - NovaInfosec.com - We've introduced Plan X before with its cyberwar research intentions. And as we discussed later, there's been an overwhelming response from industry and academia, so much so that DARPA postponed a planned industry day in September until October and expanded it to two days. Describe Plan X how you want ("create system that can engage in cyberwarfare," building "battle units" that can perform cyberwarfare, developing "high-level mission plans" that can act as auto-pilot functions, "active defense," ...) but we are basically talking about offense. And yeah, everybody seems to be a lot more open about it than even six months ago, but the government and contractors continue to be unsure of what direction they should go. Until ... something ... there just isn't any clear legal direction, and everyone is afraid to take the first shot. via WashingtonPost.com: The Defense Advanced Research Projects Agency stirred notice when it asked contractors to come up with ideas on how to create systems and platforms that can engage in cyberwarfare. But perhaps what was even more attention-getting has been the response. DARPA reported last month that its Plan X, as the effort is known, has received an "unanticipated and ...</description><link>http://www.secuobs.com/revue/news/402851.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402851.shtml</guid></item>
<item><title>Where You Want to Be This Week for 10-01-2012</title><description>Secuobs.com : 2012-10-01 17:49:39 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. A light start to October in terms of meet-ups, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Thursday (10/04): OWASP NoVA Meetup - Normal meetup at Living Social, Reston from 6:30 to 9:00 PM (more info). Friday (10/05): 2600 Arlington Meetup - Normal Meetup at Champps, Pentagon Row from 7:00 to 10:00 PM (more info). And for those who would like to plan ahead, here is a preview of events on our calendar for next week: Nothing scheduled as of yet. Remember that ...</description><link>http://www.secuobs.com/revue/news/402809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402809.shtml</guid></item>
<item><title>DerbyCon Day 2 Talk Notes: Social Engineering Defense Contractors on LinkedIn and Facebook</title><description>Secuobs.com : 2012-09-29 22:23:54 - NovaInfosec.com - So I thought I'd check out and blog about this presentation since it seems fairly close to home with many of us in the metro-DC area. Despite there being no abstract, I've heard the speaker, Jordan Harbinger, on The Social Engineering Podcast a few times and he seems to know his stuff on teaching others to build rapport with others, a key skill for any social engineer. In this experiment, he spent a few hours, mostly on his iPhone at Starbucks, trying to elicit information from those in the defense, law enforcement, and military industries. In the end, Jordan retrieved enough information to have potentially convinced the targeted individuals to give data that could be pretty close to being classified. The overall process he followed included five steps that almost anyone can do. Here are those five steps along with my summary of each. 1. Find a Target-Rich Environment: Jordan started by asking a few of his government contractor friends where most of those with clearances hang out on social networks. Almost universally everyone was on LinkedIn, and the scary thing was that the information people post on LinkedIn is usually even more sensitive than the information we may ...</description><link>http://www.secuobs.com/revue/news/402597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402597.shtml</guid></item>
<item><title>Weekly Rewind: IEEE, Gattaca, Watering Hole &amp; More</title><description>Secuobs.com : 2012-09-28 22:58:50 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "Watering Hole Site Pulls an IEEE", 2) "Gattaca Officially on (ISC)2 Ballot", and 1) "100K IEEE Usernames &amp; Passwords Exposed". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. À la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. iKAT VI: Beating Heart Edition. It seems like right after our iKAT article last month, Paul Craig released the new 2012 version at XCON 2012. For those unfamiliar with iKAT: no, it's not an iPhone or iPad attack tool, but instead described as a tool that "was designed to aid security consultants with the task of auditing the security of a browser controlled environment such as Kiosks, Citrix Terminals and WebTV's" by the developer Paul Craig. Coined the iKAT VI, the "Beating Heart Edition," it includes a number of interface and backend improvements. Do you use iKAT in your assessments? Let us know in the comments below. (continued) ...</description><link>http://www.secuobs.com/revue/news/402502.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402502.shtml</guid></item>
<item><title>Is Cyber Breach Insurance Useless? Yes and No.</title><description>Secuobs.com : 2012-09-28 19:30:14 - NovaInfosec.com - I came across this article on Dark Reading yesterday that, at least from the title, advised against cyber breach insurance. Reading it a little deeper, though, the author, Kelly Jackson Higgins, was really writing about not spending your money in the wrong way. In the past we've written that perhaps insurance could be used as an additional motivator for companies to get secure. Think of it like the premiums for car insurance: the more accidents you get into, the higher your rates are going to be. Bringing this analogy into this article, it's more about using cyber insurance the right way, i.e., to actually help you become a better driver and not as a counterbalance for being a careless driver. via DarkReading.com: As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs. Chief among the biggest pitfalls: trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure. These ...</description><link>http://www.secuobs.com/revue/news/402424.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402424.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-09-28</title><description>Secuobs.com : 2012-09-27 21:12:20 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. Looks like a pretty light weekend, but there are two very interesting events going on. Both look pretty fun. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (9/28): "Hardware Hacking" from 6:00 PM at Unallocated Space (more info). Saturday (9/29): "LAN Party" from 6:00 PM at Unallocated Space (more info). Sunday (9/30): Nada. Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space as they hold several standard activities throughout the week as well. And be sure to subscribe to our ...</description><link>http://www.secuobs.com/revue/news/402241.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402241.shtml</guid></item>
<item><title>Where's Grecs? At DerbyCon Of Course</title><description>Secuobs.com : 2012-09-27 16:23:30 - NovaInfosec.com - As we announced last month, DerbyCon is upon us and I'm excited to be heading down into Louisville soon. I even scored a last-minute room at the con hotel from some of those less fortunate to have had to cancel. I'm supposed to be arriving at 10:00 PM this evening, so if anyone wants to split a cab to the Hyatt, ping me on Twitter at @grecs and we can set something up. Anyway, if anyone is up for meeting up, getting some drinks, or just arguing the intricacies of infosec, just hit me up. I always enjoy meeting new people, so please don't be shy; come up and introduce yourself. I'll be doing a mix of attending talks, networking, and of course some blogging. When not doing any of the above, you'll probably find me in the vendor area (or wherever I can find power and Internet access) hunkered down over my laptop. I should be sporting a black ScotteVest, so maybe that will (or will not) help me stand out some. To get updates as to where I might be, the best way is probably to track me on Twitter at @grecs. For those interested, I'm ...</description><link>http://www.secuobs.com/revue/news/402170.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402170.shtml</guid></item>
<item><title>Watering Hole Site Pulls an IEEE</title><description>Secuobs.com : 2012-09-27 03:58:29 - NovaInfosec.com - Brian Krebs, as usual, did some great research in his most recent post looking into so-called "watering hole" attacks. Instead of attacking directly with PDF attachments or links to zip files, the perpetrators simply compromise a site that their targeted individuals are most likely to visit. Then the bad guys infect their systems through some type of browser drive-by attack. Pretty sneaky if you ask me. I've always been wary of going to some infosec sites for fear that the bad guys have compromised it with the goal of infecting an infosecer's computer. Fortunately, disabling JavaScript and Java is the key to avoiding almost all of these drive-by attacks. Going without Java can be hard, as I previously discovered. And with almost all sites being AJAXified nowadays, it's practically impossible to get anything working unless JavaScript is enabled. As we recommended before, the best approach is whitelisting, and NoScript does a pretty good job at that. Of course, if you're visiting a trusted site that's since been compromised, you're pretty much out of luck. Anyway, back to Brian's interesting discovery: although redacted in the original July RSA FirstWatch report, some of the data led Brian to successfully enumerating the ...</description><link>http://www.secuobs.com/revue/news/402041.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402041.shtml</guid></item>
<item><title>SHA-3 Competition Winner to Be Announced</title><description>Secuobs.com : 2012-09-26 02:18:50 - NovaInfosec.com - Bruce (@schneierblog) Schneier has an interesting blog post today for those that are deep into crypto, especially the upcoming announcement of the SHA-3 winner. They are down to five, and one is Bruce's own Skein. The interesting thing is that his hope is that the announcement is "no award." You see, he feels none of the contenders are really any better than the tried and true SHA-512. via Schneier.com: NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It's probably too late for me to affect the final decision, but I am hoping for "no award." It's not that the new hash functions aren't any good, it's that we don't really need one. When we started this process back in 2006, it looked as if we would be needing a new hash function soon. The SHA family (which is really part of the MD4 and MD5 family) was under increasing pressure from new types of cryptanalysis. We didn't know how long the various SHA-2 variants would remain secure. But it's 2012, and ...</description><link>http://www.secuobs.com/revue/news/401779.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401779.shtml</guid></item>
<item><title>100K IEEE Usernames &amp; Passwords Exposed</title><description>Secuobs.com : 2012-09-25 22:59:11 - NovaInfosec.com - Looks like there was a pretty significant accidental discovery earlier this month over on the IEEE.org and Spectrum.IEEE.org websites. Apparently, clear text credentials were left on an open FTP server for a month or so as part of their web server logs. The individual that found this data let IEEE know and, at least as of today, it's (partially) fixed. The finder even went so far as to create a website to announce the leak at IEEELog.com. Of course, a quick domain lookup reveals they've enabled a whois privacy feature. Anyway, here's the intro on that page: Data breach at IEEE.org: 100k plaintext passwords. Using the data to gain insights into the engineering and scientific community. IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford ...</description><link>http://www.secuobs.com/revue/news/401741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401741.shtml</guid></item>
<item><title>NIST Provides Access Control Guidance</title><description>Secuobs.com : 2012-09-25 22:59:11 - NovaInfosec.com - From our friends over at @inforisktoday, here's a post summarizing the new NIST access control guidance. Officially called NISTIR 7874, Guidelines for Access-Control Systems Evaluation Metrics, the newly released document provides a basic background on different access control techniques. The document seems to be the more technically-focused version of NISTIR 7316, Assessment of Access Control Systems. This latter publication addresses access controls at more of a conceptual and policy level. via InfoRiskToday.com: The National Institute of Standards and Technology has released an interagency report, Guidelines for Access-Control Systems Evaluation Metrics, which provides background information on access-control properties. NIST says the guidance, NISTIR 7874, is aimed to help access control experts improve their evaluation of the highest security access-control systems by discussing the administration, enforcement, performance and support properties of mechanisms that are embedded in each access-control system. The new report extends the information in NISTIR 7316, Assessment of Access Control Systems, which demonstrates the fundamental concepts of policy, models and mechanisms of access-control systems. Why is this guidance important? NIST explains: "Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications include some form of access control. Access control is concerned with determining the allowed ...</description><link>http://www.secuobs.com/revue/news/401740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401740.shtml</guid></item>
<item><title>New Sponsor &amp; Updated Supporters Page</title><description>Secuobs.com : 2012-09-25 19:12:36 - NovaInfosec.com - Well, maybe not so new at this point, but just wanted to put out a quick post about a continuing sponsor as well as some updates on our recently added Supporters page. First for the new sponsor: If you haven't already noticed them, the Milton Security Group has been sponsoring us the past two months. They specialize in enabling organizations to go the whole BYOD route. Their products "enable granular control over all devices on your network." So if that's your thing and you need their type of products, head on over to their site and check them out. Next up is our new Supporters page. Of course Milton was the first company we placed there; however, for organizations looking to get in front of NoVA, DC, and MD information security professionals, you'll probably notice we still have the Silver and Bronze sponsorship levels open. Not only do you get listed on the Supporters page but also in strategic locations on the entire website, as shown on our Sponsor Us page. Contact us and we can get the discussions going. Finally, you'll notice that on our Supporters page we've also listed a number of continuing monthly or yearly ...</description><link>http://www.secuobs.com/revue/news/401676.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401676.shtml</guid></item>
<item><title>NIST Grants Grants for Identity Info Sharing Tech</title><description>Secuobs.com : 2012-09-25 08:03:17 - NovaInfosec.com - This program from NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC) program looks interesting. They've awarded approximately $2 million each to five companies to research identity technologies. One of the goals is "secure information sharing." As you know, this can be a touchy subject. Anyway, the lucky organizations include the American Association of Motor Vehicle Administrators (AAMVA), Criterion Systems, Daon, Inc., Resilient Network Systems, Inc., and University Corporation for Advanced Internet Development (UCAID). via GSNMagazine.com: Five companies working to develop trusted electronic identity technologies to combat identity theft, protect online transactions and secure information sharing were given $10 million in grants under NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC) program. NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups and public-sector agencies. The selected pilot proposals, said NIST, advance the program's vision of individuals and organizations adopting secure, efficient, easy-to-use and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation. "Increasing confidence in online transactions fosters innovation and economic growth," said Undersecretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher on Sept. 20. "These investments in the development of ...</description><link>http://www.secuobs.com/revue/news/401555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401555.shtml</guid></item>
<item><title>Gattaca Officially on ISC2 Ballot</title><description>Secuobs.com : 2012-09-25 04:54:41 - NovaInfosec.com - When we last left our heroes, "The Four Horsemen," @indi303 and @jadedsecurity barely missed getting or submitting the required number of signatures, and @gattaca had successfully emailed 597 petitions to include him on the (ISC)2 ballot. @jadedsecurity was seeking to challenge the signature deadline based on wording in the bylaws. Unfortunately, the challenge didn't come through for @indi303 and @jadedsecurity; however, this afternoon came the official announcement that @gattaca made the cut after verification of all his petitioners. Congrats! As we covered before, the hopes of the other Four Horsemen lie in the hands of the dreaded write-in vote. We've posted instructions from two of the last three years for the voting process and how write-ins might work in the upcoming election. Officially, the 2012 instructions won't be released until November 9th, but they haven't seemed to have changed that much over the years. The key part is that spelling counts: "Should you decide to write in candidates, please be sure to properly spell their name as it appears in their member record. If it is a common name, please be sure to include any initials or middle name to ensure they are accurately identified in ...</description><link>http://www.secuobs.com/revue/news/401532.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401532.shtml</guid></item>
<item><title>"Open Letter to Senator Rockefeller" Addresses Cybersecurity Legislation Needs</title><description>Secuobs.com : 2012-09-25 02:01:50 - NovaInfosec.com - @erratarob brought up some excellent points in his post last week re: the push for cybersecurity legislation. In his "An open letter to Senator Rockefeller" he points out several of the main issues with many of the proposals so far, which seem to favor more of a hands-off approach rather than passing legislation. Rob discusses topics like the use of the ambiguous term "best practice," security cost in terms of decreasing marginal returns, the government serving the people vs. their own interests, two-way sharing instead of just from industry to government, and instilling fear without actual evidence. Here are some of the choice quotes from his article: "There is no such thing as 'best' practice, because there is no such thing as 'adequate' practice." "The problem isn't that we don't know how to secure companies, it's that we don't know how to do so economically. Security is a tradeoff with decreasing marginal returns." "You don't pass laws because you think it's in our best interests. We tell you what our interests are. The justification for passing a law is because we ask you to, not because you want it." "We rejected your legislation because it wasn't about cybersecurity, but increasing ...</description><link>http://www.secuobs.com/revue/news/401523.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401523.shtml</guid></item>
<item><title>iKAT VI: Beating Heart Edition</title><description>Secuobs.com : 2012-09-24 17:31:16 - NovaInfosec.com - It seems like right after our iKAT article last month, Paul Craig released the new 2012 version at XCON 2012. For those unfamiliar with iKAT: no, it's not an iPhone or iPad attack tool, but instead described as a tool that "was designed to aid security consultants with the task of auditing the security of a browser controlled environment such as Kiosks, Citrix Terminals and WebTV's" by the developer Paul Craig. Coined the iKAT VI, the "Beating Heart Edition," it includes a number of interface and backend improvements. One of the first things you'll probably notice is an update to the overall layout. After a web developer criticized the site, saying that it looked like a 12 year old's WordPress site, Paul volunteered that same person to overhaul the look and feel of iKAT. So as you can see in the three pics below, it "is now 'nice' looking, easier to navigate, Web 2.0, and fully W3C compliant." Beyond all the Web 2.0 goodness, under the surface the new release includes a number of improvements, the most significant of which includes a new client-server architecture designed to avoid blacklists and other signature-based detection mechanisms. In this model iKAT drops ...</description><link>http://www.secuobs.com/revue/news/401422.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401422.shtml</guid></item>
<item><title>Where You Want to Be This Week for 09-24-2012</title><description>Secuobs.com : 2012-09-24 17:31:16 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of "Where do you want to be this week?" A moderate schedule, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Wednesday (9/26): CapSecDC Meetup - "August Make-Out Edition" at Fado Irish Pub &amp; Restaurant from 6:30 to 9:30 PM (more info). Thursday (9/27): OWASP DC Meetup - "Access Management" by Jan Poczobutt at Living Social from 6:30 to 8:30 PM (more info). CharmSec Meetup - Normal meetup at VSlainte Irish Pub &amp; Restaurant from 7:00 to 10:00 PM (more info). And for those who ...</description><link>http://www.secuobs.com/revue/news/401421.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401421.shtml</guid></item>
<item><title>Weekly Rewind: Shodan, Metasploit, ISC2 Petitioner &amp; More</title><description>Secuobs.com : 2012-09-21 08:01:10 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "And Then There Was One ISC2 Petitioner", 2) "Metasploit Module to Steal iOS5 Backups", and 1) "Shodan: Nuff Said". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. À la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Metasploit Module to Steal iOS 5 Backups: We received this great article from @satishb3 over at SecurityLearn.net. It's a bit more technical than we usually go, but it's about Metasploit and iPhones. How could we pass that up? Plus he's included a video that shows his module in action. Enjoy! What did you think about the video? Post your comments below. (continued here) ShmooCon CFP Opens with New BELAY IT Track: The Shmoo Group announced over the weekend that the CFP for ShmooCon has officially opened as of September 15th. Funny how no one noticed it until they tweeted about it Sunday night. Anyway, the big news this year is a little experiment based ...</description><link>http://www.secuobs.com/revue/news/401003.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401003.shtml</guid></item>
<item><title>Shodan Exploit Search, Wireless Database, &amp; More</title><description>Secuobs.com : 2012-09-21 05:47:41 - NovaInfosec.com - Beyond our previous post earlier this week about Shodan, where we covered its basic search capabilities, we also found a number of interesting tidbits on their site that we thought we'd pass along. These capabilities included an exploit search as well as several interesting research projects. Although not as encompassing as ExploitSearch with over 12 sources, Shodan also offers an exploit search that queries OSVDB, CVE, Exploit DB, Packet Storm, and Metasploit. The screenshot below illustrates the basic search interface. It follows the same Google-like simplicity as on the main Shodan search page. Additionally, clicking the arrows below the search bar reveals four additional fields where users can search four of the individual sources based on the appropriate identifiers (e.g., CVE and BID). Selecting Research from the main navigation menu reveals several other interesting projects their team previously investigated. First is the HTTP Header Survey, which they describe as: "A survey of Alexa's top 10,000 websites on the Internet was conducted to measure the usage of security-related HTTP headers, mobile awareness and potential information leakage. We did this by grabbing the banners of those websites with 18 different user agents using a modified UATester script, and analyzing the resulting HTTP ...</description><link>http://www.secuobs.com/revue/news/400976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400976.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-09-21</title><description>Secuobs.com : 2012-09-21 05:03:05 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. Looks like a pretty light weekend, but there are two very interesting events going on. One is dedicated to a talk on hacking the gender gap while the other is a whole slew of talks à la a minicon. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (9/21): Nada. Saturday (9/22): "Hacking the Gender Gap" from 2:00 PM at HacDC (more info). Sunday (9/23): "Minicon" from 4:00 PM at Unallocated Space (more info). Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and ...</description><link>http://www.secuobs.com/revue/news/400973.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400973.shtml</guid></item>
<item><title>How Does Your Candidate Stack Up On Cyber Issues?</title><description>Secuobs.com : 2012-09-20 06:01:33 - NovaInfosec.com - Being an election year, campaigning is in the air. With technology at an all-time high, candidates are reaching out across the Internet to have their platforms heard. My spam folder seems to be filled with the political topic du jour from every political party affiliation imaginable. Sometimes I wonder who and how many people I pissed off to get on so many mailing lists. Two of the hot topics of the moment are where the party lines are divided over the issues of cybersecurity and the workforce and, if so, how wide of a division exists. It seems that the greater divide exists over security of the Internet. The Republican Party seems to have taken a page out of Senator John McCain's book, emphasizing a hands-off approach with a focus on the public and private sectors working together. Specifically noted is allowing for a free flow of information between them. Their platform also puts the onus of protection of federal systems back on the federal government. Democrats point at the positive steps they have made over the last term and vow to continue strides toward investing in research and development and strengthening of the public-private partnerships. While the Obama administration ...</description><link>http://www.secuobs.com/revue/news/400713.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400713.shtml</guid></item>
<item><title>NIST Publishes Revised Risk Assessment Guide</title><description>Secuobs.com : 2012-09-19 06:47:38 - NovaInfosec.com - Yesterday NIST published a revised version of their risk assessment guidance, officially titled Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments (PDF). We've been looking for what actually changed since its 2002 predecessor, but there doesn't seem to be any marked-up version published. Furthermore, the revised 95-page document didn't contain a list of changes. Overall, risk assessments aren't too exciting, and the same goes for this document. The only interesting fact is that this publication completes NIST's makeover of the five core infosec documents "envisioned by the Joint Task Force to create a unified information security framework for the federal government" (including the DoD and IC). Now that's pretty exciting. The only question that remains is if agencies will hang on to their one-off practices or follow suit. via InfoRiskToday.com: The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment. Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39, Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other ...</description><link>http://www.secuobs.com/revue/news/400445.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400445.shtml</guid></item>
<item><title>Preview of ISC2 Write-In Voting</title><description>Secuobs.com : 2012-09-19 05:20:09 - NovaInfosec.com - After several of 'The Four Horsemen' unfortunately missed the 500 signature mark, I was curious about what the actual process would be for write-in candidates. Although (ISC)2 won't be publishing the official announcement with instructions until November 9th, I took a look back through my email archive just to get an idea of what to expect. I couldn't find a recent message but did come across one titled 'OFFICIAL: Board Elections Begin November 16' from November of 2009. Here it is: Dear Valued Member, It's election time again. Let your voice be heard! The voting process for the (ISC)2 2009 board of directors election starts at 8:00 am EST, 13:00 GMT, on Monday, 16 November 2009. Only members in good standing as of 17 July 2009 are eligible to cast their vote. Don't miss your chance to impact the direction of (ISC)2! On 16 November, you will be able to log on to the member Website at http://members.isc2.org and register your vote for four candidates. You may select from the six running on the official ballot, OR you may write in up to four (ISC)2 members in good standing, OR some combination thereof. Voting will close promptly at 5:00 pm ...</description><link>http://www.secuobs.com/revue/news/400435.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400435.shtml</guid></item>
<item><title>Shodan - 'Nuff Said</title><description>Secuobs.com : 2012-09-19 00:49:35 - NovaInfosec.com - We've talked about other security web services before, e.g., VPN Hunter, Exploit Search, and Nmap-Online, but this post is dedicated to the king of them all: Shodan. We've been meaning to mention something about this awesome resource for quite some time and with yesterday's tweet from @shawnmer it seemed like the right time. @shawnmer: 100+ Cisco routers running lawful intercept code via @Shodan http://bit.ly/Qk7slD CSCO doc: http://bit.ly/Qk7slF #CALEA. The first link above expands to http://www.shodanhq.com/search?q=C7200-ADVIPSERVICESK9_LI-M and returns almost 200 Cisco devices that may be running lawful intercept code. Get the idea? If not, Shodan's 'man' page goes into more than enough detail for basic usage: SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Web search engines, such as Google and Bing, are great for finding websites. But what if you're interested in finding computers running a certain piece of software (such as Apache)? Or if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a ...</description><link>http://www.secuobs.com/revue/news/400404.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400404.shtml</guid></item>
<item><title>And Then There Was One - ISC2 Petitioner</title><description>Secuobs.com : 2012-09-18 05:52:09 - NovaInfosec.com - Well, the (ISC)2 petitioning phase closed out at 5:00 PM today and it looks like at least one of 'The Four Horsemen' will be on it. Congrats to @gattaca for collecting over 597 of the necessary 500 signatures. Now I'm sure there will be a verification phase and some of the signatures won't be valid; however, it looks like he's got a good buffer just in case. Next up was @indi303, who had collected 561 signatures before the deadline; however, he missed submitting them prior to 5:00 PM. (ISC)2 needs to make the rules a little clearer on this though. All you have to do is look at the email timestamps to verify if supporters submitted their signatures before the deadline. Yes, unethical petitioners could have faked the timestamps but they could have also spoofed entire messages. Anyway, @indi303 seems fine with this result and shrugged it off as a lesson learned for next year. Finally we have @jadedsecurity, who was very close and as of 5:10 PM had collected over 479 signatures. Yes, he missed that deadline; however, instead of sitting back, @jadedsecurity plans on challenging that due time and adding more signatures through tomorrow at 8:00 AM. Per ...</description><link>http://www.secuobs.com/revue/news/400212.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400212.shtml</guid></item>
<item><title>It's Real this Time - Draft EO Leaked</title><description>Secuobs.com : 2012-09-18 00:29:05 - NovaInfosec.com - In skimming through the Twitter stream this afternoon we came across an interesting article on Tech Dirt from late last week with what looks to be an actual marked-up draft copy of Obama's Cybersecurity Executive Order (EO) that we wrote about last week. In that story we discussed how Jason Miller from Fed News Radio saw the draft and his original reports were based on that. Unfortunately, the only thing that was missing was ... well ... the actual draft. And it looks like this is what Tech Dirt presumably found a copy of (though not necessarily the one Jason saw). If this turns out to be a real draft, it doesn't really change anything though. Basically the original reporting was spot on. via TechDirt.com: Earlier this week, we wrote about how the White House was working on an executive order to act as a 'stand in' for cybersecurity legislation that has so far failed to pass Congress (CISPA passed in the House, but a different effort, the Cybersecurity Act, failed in the Senate, and it would have been difficult to get the two houses aligned anyway). Last weekend Jason Miller from Federal News Radio wrote about a draft he ...</description><link>http://www.secuobs.com/revue/news/400189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400189.shtml</guid></item>
<item><title>Where You Want to Be This Week for 09-17-2012</title><description>Secuobs.com : 2012-09-17 18:34:59 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our 'Where You Want to Be This Week' feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of Where do you want to be this week: a moderate schedule, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Tuesday (9/18): ISSA DC Meetup - 'Open Source and Security' by Phil Odence at Government Printing Office Room A138 from 6:30 to 8:00 PM (more info). Wednesday (9/19): ISSA Baltimore Meetup - 'How to Recruit Spies on the Internet' by Ira Winkler at Concurrent Technologies Corporation from 5:00 to 7:00 PM (more info). NovaInfosec Meetup - CitySec movement at Velocity Five, Falls Church from 7:00 ...</description><link>http://www.secuobs.com/revue/news/400101.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400101.shtml</guid></item>
<item><title>ShmooCon CFP Opens with New BELAY IT Track</title><description>Secuobs.com : 2012-09-17 05:56:42 - NovaInfosec.com - The Shmoo Group announced over the weekend that the CFP for ShmooCon has officially opened as of September 15th. Funny how no one noticed it until they tweeted about it Sunday night. Anyway, the big news this year is a little experiment based on the closing plenary from last year. The overarching theme from that discussion was that we are spending too much time focusing on the sexy offensive stuff instead of on the necessary defensive tactics. With that in mind, The Shmoo Group is dropping the BREAK IT track and replacing it with BELAY IT. In their announcement over the weekend they describe this new track as follows: BELAY IT is a track for talks that are more strategic/long term in nature than talks in BUILD IT. Fixes to broken protocols, discussions on foundational defensive concepts, and technologies that are still research-ware but show promise are all examples of what we're looking for in BELAY IT. This is going to be a bit of an experiment, so we'll be listening to submitters and attendees as to how well it works. We'll take a look at BELAY IT after the con and determine if it will be a permanent fixture ...</description><link>http://www.secuobs.com/revue/news/399974.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399974.shtml</guid></item>
<item><title>Metasploit Module to Steal iOS 5 Backups</title><description>Secuobs.com : 2012-09-15 05:54:39 - NovaInfosec.com - We received this great article from @satishb3 over at SecurityLearn.net. It's a bit more technical than we usually go but ... it's about Metasploit and iPhones. How could we pass that up? Plus he's included a video that shows his module in action. Enjoy! If you have an article you'd like published on NovaInfosec.com, just send it over to us via our Submit Article form. And without further ado we'll turn it over to @satishb3: Metasploit contains a post exploitation module with which we can steal the Apple iOS backup files from a victim's computer. However, the existing module was designed for iOS 4 backups and does not support the latest iOS 5 backups. I have updated the scripts to make it work with iOS 5 backups. Running the existing apple_ios_backup post exploitation module in Metasploit (v4.4.0) against an iOS 5 backup ends up with the below exception: meterpreter > run post/multi/gather/apple_ios_backup [*] Checking for backups in C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup [*] Found C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3 [*] Checking for backups in C:\Documents and Settings\SATISH-E6338BC0\Application Data\Apple Computer\MobileSync\Backup [*] Pulling data from C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3 [*] Reading Manifest.mbdb from C:\Documents and Settings\Administrator\Application Data\Apple ...</description><link>http://www.secuobs.com/revue/news/399825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399825.shtml</guid></item>
<item><title>Weekly Rewind - PGP, Apple, Cybersecurity Leaks &amp; More</title><description>Secuobs.com : 2012-09-14 08:04:20 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) 'Draft Cybersecurity Executive Order "Leaks"', 2) 'Apple UDID Source Revealed by Local', and 1) 'A Little Bit of PGP History'. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. AppSecDC Makes it to Prime Time - or at least Vimeo: Hey, here's something to do with your downtime this weekend between social events. As you may remember, the Open Web Application Security Project (OWASP) held its third annual AppSecDC conference, right here in our backyard this past April. This was a much anticipated and talked about conference with speakers coming straight out of our Twitter base and blog authors, including our very own @grecs. Now you can relive those moments, or for those who didn't attend, see firsthand what it was all about. What did you think about the video? Post your comments below. (continued) ...</description><link>http://www.secuobs.com/revue/news/399624.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399624.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-09-14</title><description>Secuobs.com : 2012-09-14 03:36:36 - NovaInfosec.com - Here it is again, another of our weekly 'Best Bets' posts. Unfortunately we couldn't find any pure infosec related things going on this weekend; however, there are several related 'social' events happening. So while you may not get that malware analysis class, maybe you'll meet a few malware analysts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this 'Best Bets' post to announce or discuss other events happening this weekend that I may have missed. Friday (9/14): 'Hardware Hacking' Open Workshop from 6:00 PM at Unallocated Space (more info). Saturday (9/15): Social 'Movie Night' from 8:00 PM at Nova Labs (more info). Sunday (9/16): 'Analog Gaming Sunday' from 2:00 PM at Unallocated Space (more info). Remember to check out some of ...</description><link>http://www.secuobs.com/revue/news/399592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399592.shtml</guid></item>
<item><title>Job: Jr Penetration Tester in Herndon, VA</title><description>Secuobs.com : 2012-09-13 18:48:54 - NovaInfosec.com - We came across an interesting job posting with Booz Allen Hamilton for a junior pen tester. It seems like this is an entry level position, as they are asking for a minimum of one year of work experience, and the education requirement is a high school diploma. This could be a great opportunity for someone entering the infosec industry. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Junior Penetration Tester. Location: Herndon, VA. Company Name: Booz Allen Hamilton. Job Description: Support the internal information assurance (IA) program through the application of expert internal and external penetration testing techniques to identify web application and system vulnerabilities, and test security controls in firewalls, routers, IDS, IPS, and various types of servers, including Windows and Unix Web, mail, FTP, DNS, domain controllers, and applications hosted both internally and at vendor locations. Provide recommended controls and countermeasures to reduce risk. Work with internal and client-team administrators and developers to help them understand and implement server hardening and secure application development principles. Requirements: Basic Qualifications: 1+ years of experience with testing tools, including Nessus, Metasploit, ...</description><link>http://www.secuobs.com/revue/news/399512.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399512.shtml</guid></item>
<item><title>Cyber Attacks Are the New Black</title><description>Secuobs.com : 2012-09-13 15:44:43 - NovaInfosec.com - Lately there seems to be a highly focused intent on cyber warfare. Offense, defense, sit on the bench: the government wants to get in the game and not just be a part of a fantasy league. The government's newest revelation is to build a 'virtual community that would prompt computers worldwide to instantly, en masse, suppress cyberattacks, sometimes without humans at the keyboard.' So, like, a giant techno wall that would keep the bad guys from passing through? All together, chant with me: 'Red rover, red rover, send Philip Reitinger right over.' Through a recent solicitation (PDF), Homeland Security and NIST are bringing to life Reitinger's 2011 paper entitled 'Enabling Distributed Security in Cyberspace' (PDF). The idea is that the dynamics of the cyber ecosystem would imitate the workings of how the human body reacts to infection, first reacting locally but also proceeding with global inoculation to contain any possible damage. Of course nothing in life or cyber-economics is free, and there would need to be a substantial 'worldwide buy-in' from consumers, governments, universities, etc. To date, there is no official projected launch timeline. NIST and DHS are welcoming comments and feedback regarding issues relating to this topic. Some questions ...</description><link>http://www.secuobs.com/revue/news/399461.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399461.shtml</guid></item>
<item><title>Shamoon Has Been Cancelled</title><description>Secuobs.com : 2012-09-13 02:54:55 - NovaInfosec.com - I wish the security vendors would rename this recent strain of malware attacking oil and utility companies in the Middle East. Every time I see a story about it I immediately read it as 'ShmooCon' and think there's some big new announcement. Unfortunately, although The Shmoo Group announced the dates and location a few weeks back, there haven't been any more details released. My second reaction is to read it as 'Shamu' and maybe that's more appropriate given that she's a killer whale. In this case the 'Shamoon' malware 'kills' the data on the machines it infects. Now, I'm no expert on this new malware but fellow NoVA Blogger Richard 'taosecurity' Bejtlich had this to say in a recent interview with DarkReading.com: Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. 'This is something everybody should worry about. This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it's taken mass events, probably caused by the Iranian government and its proxies, to wake people up,' he says. 'Utilities are just one victim, chosen for economic and political reasons ...</description><link>http://www.secuobs.com/revue/news/399312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399312.shtml</guid></item>
<item><title>'Plan X' Proposers' Day Workshop Delayed</title><description>Secuobs.com : 2012-09-13 01:25:35 - NovaInfosec.com - A few weeks ago we published an article on Darpa's 'Plan X' program and in that we mentioned the Proposers' Day Workshop. Unfortunately, it has been postponed, but that's good we guess, as there's so much interest in it they had to rejig their plans. Initially planned to be delivered in two sessions on just one day, it will now be held over two days, October 15th and 16th. The format will still consist of an unclassified session in the morning and a classified secret session in the afternoon. The second day will merely be a repeat of the first, but allows for the accommodation of more attendees. Neither session will be open to the general public, foreign nationals or media, but for those who miss it, the Broad Agency Announcement (BAA) will be released in October. This event will be held at the DARPA Conference Center, 675 N Randolph Street, Arlington, VA from 9:00 am to 4:00 pm. Seats are on a first come, first served basis. The deadline for registering to attend the classified secret session (must have DOD SECRET clearance or higher) is noon on September 18th. Source: 'Pentagon Receives "Overwhelming Response" to Plan X Cyber ...</description><link>http://www.secuobs.com/revue/news/399304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399304.shtml</guid></item>
<item><title>Convincing US Airways Phish Related to BlueToad?</title><description>Secuobs.com : 2012-09-12 19:01:08 - NovaInfosec.com - Yesterday we came across a pretty convincing phishing message from 'US Airways.' As you can see below, they've done their research. They know our location as they mention Reagan National airport (DCA) and have even timed the message well, with the flight being for the next day. Now, I've never received a real US Airways confirmation message so we're curious what those look like. It would be interesting to compare the two. There were a total of six links we thought we'd check out using URLVoid.com. The domain in the 'From' field, myusairways.com, came back clean but of course that could have simply been spoofed. Looking at the HTML there were four referenced images coming from usairways.com, businesstravellogue.com, and juniper.com. All these came back clean as expected but that's where the 'good' ended. The final link, which was associated with 'Online reservation details,' came from hXXp://986x.com/depdetails.html. This domain lit up only two of the 30 or so engines that URLVoid.com uses while VirusTotal.com's web scanner came back with nothing. Digging a little deeper into the URLVoid.com results, the organization that owns this domain is ChinaNet Shanghai Province Network and the IP is based in China. We also ran the full depdetails.html link ...</description><link>http://www.secuobs.com/revue/news/399216.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399216.shtml</guid></item>
<item><title>A Little Bit of PGP History</title><description>Secuobs.com : 2012-09-12 03:47:29 - NovaInfosec.com - Over the weekend we came across the original post that Phil Zimmermann put out way back in 1991 on why he created PGP. In this section of the PGP User's Guide, he touches on many topics we are all (still) too familiar with. Phil brings up the postcard vs. envelope comparison, mentions the safety-in-numbers concept, uses a fishing analogy to describe eavesdropping (perhaps a reference to his infamous 'BassOmatic' algorithm), and quotes the often heard 'You shouldn't care if you don't have anything to hide' statement. He also provides a nice history up until and beyond 1991 (yes, it was updated in 1998). In particular, Phil discusses such topics as CALEA, the beginning of Einstein, the Clipper chip, (pseudo-)failed export controls, and the outlawing of non-approved crypto. Overall, it's pretty fascinating to take a look back at someone's thoughts from over 20 years ago and relate them to the current environment. In many areas Phil's ideals succeeded; in others they did not. So the question remains: are we any better off? Why I Wrote PGP, Part of the Original 1991 PGP User's Guide (updated in 1999): 'Whatever you do will be insignificant, but it is very important that ...</description><link>http://www.secuobs.com/revue/news/399076.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399076.shtml</guid></item>
<item><title>Monthly NIST Updates</title><description>Secuobs.com : 2012-09-11 23:57:57 - NovaInfosec.com - Since our last article in August regarding NIST drafts, there have been several new publications that we thought we would summarize and bring to your attention. While most of these releases are the tried and true drafts or publications of the Special Publications (SP) we are all familiar with, we did come across an ITL Security Bulletin as well. The topics addressed include cryptography, Bluetooth, incident response, and hashing. For the drafts we've also highlighted the date that comments are due. SP 800-152 DRAFT: A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). NIST is developing a Special Publication (SP 800-152) that will be entitled A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). This Profile will be based on Special Publication 800-130, entitled 'A Framework for Designing Cryptographic Key Management Systems.' The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime. An initial draft of the Profile requirements is now available for public comment and for discussion by participants ...</description><link>http://www.secuobs.com/revue/news/399053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399053.shtml</guid></item>
<item><title>Special Publication 800-40 Revision 3 Drafted</title><description>Secuobs.com : 2012-09-11 15:07:00 - NovaInfosec.com - After seven long years, the National Institute of Standards and Technology (NIST) has finally updated Special Publication 800-40. Now in its third revision, titled Guide to Enterprise Patch Management Technologies (PDF), NIST encourages management to approach patches as more than part of a core IT function and hopefully embrace security by encouraging them to identify, acquire, install and verify security updates for systems and applications. NIST guidance recommends for organizations to 1) use a phased approach when deploying patches so any issues can be addressed before the patch is deployed universally; 2) use standard techniques when deploying enterprise-wide applications (patch management tools can create additional security risks, but the lack of a proper patch management process can create even greater risk); and 3) balance the need for security with the need for usability and availability by making provisions that patching solutions work on low-bandwidth or metered networks, for example. NIST would love to hear comments and feedback on this patch management draft guidance. They need to hear from you by October 5th, so if you would like to see any adjustments or just want to tell them 'good job,' you have less than one month to get it done. Send ...</description><link>http://www.secuobs.com/revue/news/398920.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398920.shtml</guid></item>
<item><title>Apple UDID Source Revealed by Local</title><description>Secuobs.com : 2012-09-10 20:26:27 - NovaInfosec.com - Looks like all the hard work paid off for local NoVA Blogger David 'darthnull' Schuetz as he discovered the source of the Apple UDID leak last week. Apparently, there's a small Florida-based private company called BlueToad that touches a lot of what we do on our smartphones. David, who works with Intrepidus Group on mobile security, contacted BlueToad last week and they immediately began to investigate. Earlier today their CEO confirmed that the data was theirs: A small Florida publishing company says the million-record database of Apple gadget identifiers released last week by the hacker group Anonymous was stolen from its servers two weeks ago. The admission, delivered by the company's CEO exclusively to NBC News, contradicts Anonymous' claim that the hacker group stole the data from an FBI agent's laptop in March. Anonymous' accusations garnered attention because they suggested that the FBI was using the unique gadget identifiers, called UDIDs, to engage in high-level spying on American citizens via their iPhones, iPads, and iPod Touch devices. The FBI denied the claim last week, and when asked to comment for this story, referred to last week's denial. Paul DeHart, CEO of the BlueToad publishing company, told NBC ...</description><link>http://www.secuobs.com/revue/news/398719.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398719.shtml</guid></item>
<item><title>Where You Want to Be This Week for 09-10-2012</title><description>Secuobs.com : 2012-09-10 17:47:19 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our 'Where You Want to Be This Week' feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of Where do you want to be this week: a moderate schedule this week, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Monday (9/10): NoVA Hackers Association Meetup - Normal Meetup at QinetiQ, Reston from 5:30 to 8:30 PM (more info). Wednesday (9/12): ISACA CM Meetup - 'Security in the "Y" Generation' by Frank Aiello at Chiapparelli's Restaurant from 3:00 to 8:00 PM (more info). Mindforge Meetup - Android Security - 'Securing Android' at Tenacity Solutions from 6:00 to 9:00 ...</description><link>http://www.secuobs.com/revue/news/398685.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398685.shtml</guid></item>
<item><title>Seven Days &amp; Counting for ISC2 BoD Petitioners</title><description>Secuobs.com : 2012-09-10 16:14:58 - NovaInfosec.com - With less than 7 days left, it's getting to be crunch time for the infosec community's petitioners to get over that magic 500 signature mark so that they can appear on the upcoming ISC2 Board of Directors (BoD) ballot. First things first: if you are interested in change at the ISC2 and reconnecting this organization to the professionals that live it, please head over to our petition tracking page and submit your electronic 'signatures' to endorse as many of 'The Four Horsemen' (@gattaca, @krypt3ia, @jadedsecurity, @indi303) as you feel appropriate. Note that in the petitioning phase there is no limit on the number of candidates you can endorse. 'Signing' simply involves emailing each candidate a pledge for your support from the address you have registered with ISC2. The message also needs to contain your full name and ISC2 registration number. Our petition page includes information and links for each of 'The Four Horsemen' candidates as well as other articles so you can research each candidate yourself to understand their platforms. Now on to the dirt. Many of the board members, either on the current board or those coming back after 'sitting out a year' due to term limits, have been intertwined with ...</description><link>http://www.secuobs.com/revue/news/398657.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398657.shtml</guid></item>
<item><title>Draft Cybersecurity Executive Order 'Leaks'</title><description>Secuobs.com : 2012-09-09 22:48:29 - NovaInfosec.com - Well, maybe not an official leak of the whole document that we can point you to; however, some good paraphrasing has come about. Previously we've briefly touched on this idea of the president using an Executive Order (EO) to implement some of his provisions after the failed legislation earlier this year. Since then this option looks more and more like the course of action the president will take. Overall, we find this EO idea fascinating as it's the first one most of us will probably live through, at least in our field as responsible adults. It's sort of like the first impeachment some of us had to endure during the Clinton presidency. Anyway, based on a report by Jason Miller on Fed News Radio, the Skating on Stilts blog has put together a nice point-by-point summary of the potential EO that may someday in the near future have an effect on how the government and other regulated industries do security. The draft EO comes in eight sections, which address everything from who would lead this effort to the controversial information sharing idea. Here's a quick rundown of each section: Identify Lead: DHS will create and chair a council to ...</description><link>http://www.secuobs.com/revue/news/398531.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398531.shtml</guid></item>
<item><title>AppSecDC Makes it to Prime Time - or at least Vimeo</title><description>Secuobs.com : 2012-09-08 00:38:37 - NovaInfosec.com - Hey, here's something to do with your downtime this weekend between social events. As you may remember, the Open Web Application Security Project (OWASP) held its third annual AppSecDC conference, right here in our backyard this past April. This was a much anticipated and talked about conference with speakers coming straight out of our Twitter base and blog authors, including our very own @grecs. Now you can relive those moments, or for those who didn't attend, see firsthand what it was all about. Below are some of our blog posts that discussed what AppSecDC is as well as provided summaries and materials from several of the talks: AppSecDC Coming Up In a Month; Where's Grecs? At AppSecDC Of Course; AppSecDC Recap: Old Webshells, New Tricks; AppSecDC Recap: Python Basics for Web App Pentesters; AppSecDC Recap: SharePoint Security 101 Slides; Career Exploit Kit from AppSecDC Presentation; PHPIDS Slides from AppSecDC Presentation. For starters, why not check out the Fed Panel with Ron Ross below and then head over to the AppSecDC Vimeo channel for everything else. Check out the videos and play couch critic; it's fun! Today's post pic is from AppSecDC.com.</description><link>http://www.secuobs.com/revue/news/398409.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398409.shtml</guid></item>
<item><title>Weekly Rewind: Philips &amp; Sony, Apple, USAF &amp; More</title><description>Secuobs.com : 2012-09-07 21:28:14 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were #3 USAF Recruiting Trojans &amp; Worms, #2 Apple UDID Leak &amp; Agency Collection Risks, and #1 Philips, Police &amp; Sony at Risk in Latest Breaches. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Happy International Mailman Day! It's time for our monthly reminder, that is, a reminder of what our cleartext password is for many of the default installs of Mailman out there. As we've mentioned before, try contacting the administrators first and tell them to change this setting. That way you are not only protecting yourself but also all their other users. Here are some instructions you can forward on to them. Basically, they need to set the send_reminders configuration value to No. If after several months and several reminders you get no response or an outright refusal, maybe try posting an obfuscated screenshot to PlainTextOffenders.com and ...</description><link>http://www.secuobs.com/revue/news/398332.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398332.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-09-07</title><description>Secuobs.com : 2012-09-07 05:34:09 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. Unfortunately we couldn't find any pure infosec related things going on this weekend; however, there are lots of related "social" things going on. So while you may not get that malware analysis class, maybe you'll meet a few malware analysts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (9/7): HAM Radio Night from 6:00 PM at Unallocated Space (more info); 2600 Arlington Meetup from 7:00 PM at Champps, Pentagon Row (more info). Saturday (9/8): Social Game Night from 8:00 PM at Unallocated Space (more info). Sunday (9/9): Analog Gaming ...</description><link>http://www.secuobs.com/revue/news/398189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398189.shtml</guid></item>
<item><title>Apple Devices Exposed by Possible FBI Computer Breach</title><description>Secuobs.com : 2012-09-06 22:33:17 - NovaInfosec.com - Nothing to see here, please move along. Or so that's what's being said about the whole FBI UDID leak fiasco from earlier this week. Based on local blogger @darthnull's ongoing analysis, there's still no official finding on where the data came from, so it could be an FBI computer, or a personal computer owned by that cyber security agent, or, more likely, a popular iOS app developer's machine. No one has been able to point the finger at a particular app yet, though. Via InfoRiskToday.com: Owners of Apple iPad, iPhone and iPod Touch devices whose unique device identifiers might have been exposed in an alleged breach of an FBI computer would face little, if any, potential harm as a result, some security experts say. The Anonymous-affiliated hacktivist group called AntiSec claims it breached last spring the computer of an FBI agent and downloaded 12 million Apple unique device identifiers, or UDIDs, a string of 40 characters given to each Apple mobile device. AntiSec claims it posted 1 million UDIDs on the website Pastebin. The FBI denies the breach occurred, saying in a tweet that the hacktivists' claim was "totally false". Apple said it did not ...</description><link>http://www.secuobs.com/revue/news/398126.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398126.shtml</guid></item>
<item><title>Event iCal Subscription Feed</title><description>Secuobs.com : 2012-09-06 04:42:24 - NovaInfosec.com - Periodically readers suggest that we should have an iCal feed for our local event calendar. The obvious advantage here is that they'd just subscribe to the feed and our listed events would automagically appear in their personal calendars. Well, the good news is that we've always had this feature; guess we just did a horrible job at advertising it. To add the live feed, simply head on over to our events page and look for the iCAL Import link below and to the right of the calendar. Copy that URL and just paste it into your calendar's iCal URL subscription area. You should be all set to go. For your convenience, we've added it to our Subscribe area in the right column, mentioned it on all calendar pages, and, for those very impatient types, pasted it right here: NovaInfosec.com iCal Feed. What other features are you looking for? An email list? A community wiki? Let us know in the comments below. We're always looking for new ideas. Today's post pic is from NordstromApps.com. See ya!</description><link>http://www.secuobs.com/revue/news/397890.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397890.shtml</guid></item>
<item><title>Java, Flash, and the Choice of Usability Over Security</title><description>Secuobs.com : 2012-09-05 18:48:49 - NovaInfosec.com - So I happened to be switching to a new computer this past weekend. Going into it I was dead set on not installing Flash and Java. And I was all good until @alexhutton posted a link to a video about the Beatles' "Happy Birthday" song and I just had to check it out. So I clicked on the link and headed over to YouTube. Unfortunately, the video didn't work and it displayed a message indicating that I needed a plugin. I thought maybe I had to enable JavaScript for YouTube via NoScript, since I still hadn't configured that yet. The page reloaded and the video still refused to play. I could have fiddled around YouTube and somehow managed to navigate to the HTML5 version, but I was too lazy. Over to Adobe.com I headed, and in no time I was enjoying my Beatles song (followed by an unplanned hour of pointless YouTube surfing). The next snag in my plan arose when I was unable to access one of the corporate networks I regularly use. They have the typical web portal interface that you log into, and with the simple press of a button the VPN starts. Unfortunately, ...</description><link>http://www.secuobs.com/revue/news/397777.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397777.shtml</guid></item>
<item><title>USAF Recruiting Trojans &amp; Worms</title><description>Secuobs.com : 2012-09-05 03:13:51 - NovaInfosec.com - The United States Air Force is no longer tip-toeing around its intentions regarding hacking of opponent networks. As part of a recent presentation and procurement effort, dubbed "Cyberspace Warfare Operations Capabilities" (CWOC), their plan of action seems to be to gear out the military with cyber strikes that have the capability of being launched not only by the head honcho big cheese high chief muckamuck but also by an "operational commander". Should malware really be placed in the hands of local generals as part of their normal toolkit? Lt. General Richard Mills, who led troops in Afghanistan in both 2010 and 2011, discussed at an August technology conference the strategies of using cyber warfare while in Afghanistan and his ability to use them with great impact against his foes. The Air Force isn't the only branch of the military gearing up for cyber battles. As we discussed last week, Darpa released details of "Plan X" to help "war planners assemble and launch online strikes in a hurry". The Marines have also put together a company stationed at the National Security Agency (NSA) headquarters to give the corps members "offensive capabilities". According to a recent procurement announcement, Invincea, a Washington area cybersecurity ...</description><link>http://www.secuobs.com/revue/news/397632.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397632.shtml</guid></item>
<item><title>Where You Want to Be This Week for 09-03-2012</title><description>Secuobs.com : 2012-09-04 17:48:10 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of Where do you want to be this week? A light schedule this week, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Wednesday (9/05) CapSecDC Meetup, "August Make-Out Edition", at Fado Irish Pub &amp; Restaurant from 6:30 to 9:30 PM (more info). Friday (9/07) 2600 Arlington Meetup, Normal Meetup at Champps, Pentagon Row from 7:00 to 10:00 PM (more info). And for those who would like to plan ahead, here is a preview of ...</description><link>http://www.secuobs.com/revue/news/397526.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397526.shtml</guid></item>
<item><title>Apple UDID Leak &amp; Agency Collection Risks</title><description>Secuobs.com : 2012-09-04 15:27:59 - NovaInfosec.com - If you haven't heard yet, apparently the UDIDs of over a million Apple devices have been posted online. Worse is that the perpetrators are claiming that this is just a small subset of the data they pulled. The entire collection is supposedly around 12 million records and contains other sensitive information, including full names, cellphone numbers, and addresses of Apple customers. Supposedly the data was pulled from an FBI "cybersecurity" agent's laptop using the recent Java vulnerability. This episode is a perfect example of the risks associated with government agencies collecting information like this. Yes, it may be necessary to do their job, but they MUST be extremely careful that the information doesn't get out there. We guess the big question is, "Can we trust them to properly protect the data they are collecting?" So far the best coverage we found is over on the Naked Security blog, where they detail some of the contents of the dump, including the name of the agent, their disgust with the Republican party, and something about victims taking a pic of themselves with a shoe on their heads. Whatever. Next up is a good post on TheNextWeb.com with a form that you can ...</description><link>http://www.secuobs.com/revue/news/397482.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397482.shtml</guid></item>
<item><title>Philips &amp; Police at Risk in Latest Breaches</title><description>Secuobs.com : 2012-09-03 19:44:47 - NovaInfosec.com - Writing password breach posts is getting to be a bit tiring. With so many happening, it seems we just keep pointing out the same old problems again and again. But on the other hand, if bloggers and other media types don't keep the pressure up, organizations will have less motivation to correct the problem. So with this in mind we'd like to bring you two that we had noticed. We were going to ignore them (see reason above) but then The Register put out some low profile posts on Friday, so we figured we'd highlight those for awareness' sake. First was Philips. According to The Register and some other sources, there were about 200,000 email addresses, with around 1,000 of these including other sensitive information. Everything is pretty much still available for the taking as it's hosted on several mirrors all around the world. From a hashed password cracking perspective, reports are that there isn't much to work with on this one, maybe 500 or so. Still, this is a fairly large dump. If you are interested in taking a look yourself, add a comment below and we'll email a link over. Next, we head over to the UK ...</description><link>http://www.secuobs.com/revue/news/397362.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397362.shtml</guid></item>
<item><title>Happy International Mailman Day!</title><description>Secuobs.com : 2012-09-01 23:37:01 - NovaInfosec.com - It's time for our monthly reminder, that is, a reminder of what our cleartext password is for many of the default installs of Mailman out there. As we've mentioned before, try contacting the administrators first and tell them to change this setting. That way you are not only protecting yourself but also all their other users. Here are some instructions you can forward on to them. Basically, they need to set the send_reminders configuration value to No. If after several months and several reminders you get no response or an outright refusal, maybe try posting an obfuscated screenshot to PlainTextOffenders.com and forwarding that link on to them a few times. If none of the above suggestions work, let us know and we'll do a quick post about it, and then perhaps we can get that article syndicated and a bunch of people tweeting and liking it. Maybe that will get their attention, or maybe not. If none of the above suggestions work, you know who you have to protect: number one, right? So from the password reminder email message you just received, click the link to the management interface, enter the password they sent you in clear text, ...</description><link>http://www.secuobs.com/revue/news/397202.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397202.shtml</guid></item>
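The fix the post asks administrators for is a single list setting, but a site running dozens of lists needs to find every list that still has it on. The following is an added example (not code from the NovaInfosec post, and not part of Mailman itself) that audits Mailman 2.x list dumps for send_reminders and writes a corrected dump. It assumes the assignment-style text that Mailman's `bin/config_list -o` produces (one `name = value` per line, `#` comments), and the sample configuration embedded below is constructed, not taken from any real list.

```python
"""Audit Mailman 2.x list configurations for the monthly cleartext password
reminder (send_reminders) and produce a corrected configuration.

Added example, not code from the NovaInfosec post or from Mailman. It assumes
the text format written by `bin/config_list -o OUTFILE LISTNAME`; the sample
config below is constructed.
"""
import re
from typing import Dict, List

# send_reminders appears as an integer flag in config_list output (1 = on, 0 = off);
# [ \t]* rather than \s* so the match never swallows the line break.
REMINDER_RE = re.compile(
    r"^[ \t]*send_reminders[ \t]*=[ \t]*(\d+|True|False)[ \t]*$", re.MULTILINE
)

# Constructed sample of a config_list dump; not a real list's settings.
SAMPLE_CONFIG = """\
# -*- python -*-
# announce mailing list configuration settings (constructed sample)
real_name = 'Announce'
send_reminders = 1
admin_notify_mchanges = False
"""


def reminders_enabled(config_text: str) -> bool:
    """True if the list would still mail every member their password each month."""
    m = REMINDER_RE.search(config_text)
    if m is None:
        # Mailman's compiled-in default is reminders ON, so a dump without
        # the line inherits the unsafe behaviour and is still a finding.
        return True
    return m.group(1) not in ("0", "False")


def disable_reminders(config_text: str) -> str:
    """Return the config text with send_reminders forced off.

    Feed the result back to the list with `bin/config_list -i INFILE LISTNAME`.
    """
    if REMINDER_RE.search(config_text):
        return REMINDER_RE.sub("send_reminders = 0", config_text)
    return config_text.rstrip("\n") + "\nsend_reminders = 0\n"


def audit(configs: Dict[str, str]) -> List[str]:
    """Sorted names of the lists that still send cleartext password reminders."""
    return sorted(name for name, text in configs.items() if reminders_enabled(text))


if __name__ == "__main__":
    fixed = disable_reminders(SAMPLE_CONFIG)
    lists = {"announce": SAMPLE_CONFIG, "dev": fixed}   # "dev" already hardened
    for name in audit(lists):
        print(f"{name}: send_reminders still on; apply a corrected dump with "
              f"bin/config_list -i {name}.cfg {name}")
    print(fixed)
```

Run it against the dumps of every list on a host (`config_list -o` once per list) and it reports exactly the lists whose members still receive their password in clear text each month; the corrected text it emits is what the administrator imports.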
<item><title>Weekly Rewind: Password Hashes, Java, ISC2 &amp; More</title><description>Secuobs.com : 2012-08-31 06:48:05 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were #3 ISC2 Board Petition Snafu, #2 New Java Zero-Day Exploit Released, and #1 200,000 Password Hashes Released. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Massive Weekend Dumps of Account Records: Looks like another productive weekend with the dump of millions of account and record details over on some of the pastebin-like sites. Specifically, the attackers were targeting "WallStreet, CIA Services, MIT, Consulting Firms, Political Advisors, Security Companies, Corporations, Weapons Dealers, Laboratories, Internet Hosting Services, Academics, Banks, Police Departments, Aviation, The Navy, Stocks Exchange, Bonds Exchange, Markets, Emirates Organizations, Various Businesses, Hedge Funds, Estate Agencies, Public Affairs, Robotics, etc." Have you found any other big hash dumps? Let us know in the comments below. (continued here) NIST's New BIOS Security Standards (Another Industry Tongue Twister): In order to deter the growing number of threats, NIST is adding new security ...</description><link>http://www.secuobs.com/revue/news/396909.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396909.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-08-31</title><description>Secuobs.com : 2012-08-31 06:03:03 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. Unfortunately we couldn't find any pure infosec related things going on this weekend; however, if you want to learn some Windows development, 3D printing, or crafting, there may be a good fit for you. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (8/31): Windows 8 Development Class Part 1 from 6:00 PM at Unallocated Space (more info). Saturday (9/1): Windows 8 Development Class Part 2 from 10:00 AM at Unallocated Space (more info); 3D-Printing Group Monthly Meeting from 2:00 PM at Nova Labs (more info). Sunday (9/2): Windows 8 ...</description><link>http://www.secuobs.com/revue/news/396901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396901.shtml</guid></item>
<item><title>Get It While It's Hot (And Human)</title><description>Secuobs.com : 2012-08-31 03:14:30 - NovaInfosec.com - For a short time, limited edition Defcon 20 human badges will be up for sale for a mere $40 on Hacker Stickers. By interacting with each other (when not listening to many of the awesome presentations and talks), this year's Defcon attendees were able to determine that there were several different types of badges, and if, and how, each of the badges differed from their own. The badge is the Swiss Army knife of badges, capable of generating video, VGA and terminal emulation. With a little (or a lot of) knowledge, a USB connection to a computer and a programming environment (ASM, C or SPIN), this little gem can be used for a multitude of purposes. Author LostboY (1o57) states, "this year I hope to see more hacks of OTHER things WITH the badges," as opposed to hacking of the badges in previous years. In years past, there were not always enough badges to go around. I'm sure many attendees have fond memories of waiting in line, eagerly anticipating the arrival of the badges. Some years, the number of people who attended outnumbered the number of badges ordered and paper badges were given in substitution. This year, there were not ...</description><link>http://www.secuobs.com/revue/news/396891.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396891.shtml</guid></item>
<item><title>Java 7 Update 7 Released</title><description>Secuobs.com : 2012-08-30 20:28:34 - NovaInfosec.com - After several days of nothing from Oracle, a new update has just been posted to Java.com and Oracle's Java page. Update 7 doesn't include anything significant at a quick glance according to the release notes; however, there have been reports that the recent Java Metasploit modules don't work anymore. Here's a link to one of the release notes. For those that want a quick peek, see the image below. And if you look real closely, waaaayyyy down at the bottom of the image you'll see: "This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2012-4681." Well, there ya go. What do you think about Oracle being so quiet for the past few days and then just randomly releasing a patch? Let us know in the comments below. Today's post pic is from Oracle.com. See ya!</description><link>http://www.secuobs.com/revue/news/396820.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396820.shtml</guid></item>
<item><title>ISC2 Board Petition Snafu</title><description>Secuobs.com : 2012-08-30 01:24:57 - NovaInfosec.com - Wow, can you believe this? ISC2 does not consider web forms alone suitable for collecting petition signatures. Glad we found out about this now and not the night before September 17th. Instead, you must email each candidate a pledge of your support from the address you have registered with ISC2. The message also needs to contain your full name and ISC2 registration number. Apparently they want to prove authenticity with email headers. Here's the relevant section from the Board Election Process: For electronic petitions, the candidate must submit an e-mail that contains (a) original encapsulated emails from supporters using their e-mail address of record and providing their (ISC)² member ID number; and (b) an Excel spreadsheet listing of all such names with corresponding email address of record and (ISC)² member ID number. So if you've already signed the web petition, please visit each candidate's announcement petition page for instructions on emailing them. @jadedsecurity added a nice summary of the whole thing to his petition post. Via JadedSecurity.net: Thank you for all of the signatures received thus far. I will be sending out individual e-mails with a thank you as well as a request for a reply confirming your signature. Spoke to ...</description><link>http://www.secuobs.com/revue/news/396635.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396635.shtml</guid></item>
<item><title>Not So Super Secret "Plan X"</title><description>Secuobs.com : 2012-08-29 23:42:10 - NovaInfosec.com - In the past, wars were fought by good soldiers, great generals and the best technological weapons of the time. But with the rate of technological advancement, wars may not always be fought on terra firma. Darpa is putting in motion the ability to be prepared for cyberwarfare and "dominate the cyber battlespace". Darpa, known for being the Pentagon agency responsible for creating the internet, is heading "Plan X," an initiative to "improve and normalize America's ability to unleash cyberattacks against its foes". Led by Daniel Roelker, they are looking at this plan as a defensive strategy. Roelker is known to have helped start Sourcefire and the DC Black Ops unit of Raytheon SI Government Solutions. He has devalued the current method of "hacker v. hacker" attacking due to its lack of scalability and has stated, "We don't win wars by out-hiring an adversary, we win through technology." Currently, the United States lacks the ability not only to withstand a national-level attack, but also to counterstrike "at net speed". "Plan X" seeks to address both issues, aiming to construct battle plans that are easily executed and contained. There are some dangers associated with possible collateral damage, though. Often attackers will use compromised servers ...</description><link>http://www.secuobs.com/revue/news/396623.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396623.shtml</guid></item>
<item><title>ShmooCon 2013 Announced</title><description>Secuobs.com : 2012-08-29 18:34:00 - NovaInfosec.com - Looks like The Shmoo Group just announced the dates for ShmooCon next year. In their short post, they noted it'll be held February 15-17 at the Hyatt Regency Washington located on Capitol Hill. Note that this location is different from the Hilton of the past two years. Hopefully, this new venue will have better mobile coverage. The Hyatt is about three blocks from Union Station, so that'll probably be the closest metro. Anyway, here's the announcement from The Shmoo Group: ShmooCon 2013 will be held at the Hyatt Regency Washington located on Capitol Hill in Washington DC, February 15-17. Much more information will be forthcoming in the next few days so hold tight; we'll get the site updated, CFP posted and sponsorship information up. And yes, it's the day after Valentine's Day, AFTER being the key word. Read the official post here. Today's post pic is from Twitter.com. See ya!</description><link>http://www.secuobs.com/revue/news/396519.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396519.shtml</guid></item>
<item><title>IT's List of Top Security Threats</title><description>Secuobs.com : 2012-08-28 07:33:06 - NovaInfosec.com - Came across this article over on Computer World. In this increasingly complex world it's nice to know who your threats are. This type of information feeds nicely right into the "businessy" risk-based approaches to addressing security. You could have the most vulnerable system in the world; however, if there are no threats that want to attack that system, it's sort of a waste of money to add security to protect it. If you don't think you have any threats, though, you're probably incorrect. It may be worth taking a look at these general categories to assist in identifying threats that may affect your organization or system. According to the Computer World article, IT's 9 biggest security threats are: Cyber Crime Syndicates; Small-time cons, and the money mules and launderers supporting them; Hacktivists; Intellectual property theft and corporate espionage; Malware mercenaries; Botnets as a service; All-in-one malware; The increasingly compromised Web; Cyber warfare. Via ComputerWorld.com: Years ago the typical hacking scenario involved a lone attacker and maybe some buddies working late at night on Mountain Dew, looking for public-facing IP addresses. When they found one, they enumerated the advertising services (Web server, SQL server, and so on), broke ...</description><link>http://www.secuobs.com/revue/news/396170.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396170.shtml</guid></item>
<item><title>200,000 Password Hashes Released</title><description>Secuobs.com : 2012-08-28 04:25:17 - NovaInfosec.com - Looks like the folks over at KoreLogic and their @crackmeifyoucan Twitter account have come across several very large hash dumps. This release will definitely liven up the cracking community for the next few days. Below are links to the three main collections that KoreLogic pulled together, as well as some quick notes we took. Overall, several of the dumps look familiar, so we're guessing that not all of this data is new. Additionally, we're not taking into consideration any duplicates. But still, there are about 200,000 hash records, so even if half of them are old or dupes, you still have 100,000 new ones to put through your rigs. CrackMeIfYouCan Aug 21 2012 Hash Finds: Around 120,000 hashes from 22 sites. Most are cleaned up but a few reveal sensitive info. Identified targets include NASA, TorontoHomeStaySearch.com, and a Russian magazine. Some hashes appear to already have been cracked. CrackMeIfYouCan Aug 25th Hash Finds: Over 60,000 hashes from over 20 sites. No targets are identified. Some of the hashes have already been cracked for you. CrackMeIfYouCan Aug 26th Hash Finds: Approximately 20,000 or so from 11 sites. Like the August 21 dump, most have been cleaned up. Identified targets ...</description><link>http://www.secuobs.com/revue/news/396154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396154.shtml</guid></item>
<item><title>New Java Zero-Day Exploit Released</title><description>Secuobs.com : 2012-08-28 04:25:17 - NovaInfosec.com - If you haven't heard by now, there's been a pretty significant Java zero-day released. Worse, given the WORA (Write Once, Run Anywhere) capability of Java, this baby is cross-platform. The folks over at Metasploit were wicked fast as usual and it's already been incorporated into the repo. So given HD Moore's Law, we guess it's time for a quick "svn up" or "msfupdate" (whichever is the proper way these days) and some testing for most of us, so we can understand its impact on our systems before the bad guys get too far. Brian Krebs pulled together a great writeup on how to manually disable Java on the various platforms and browsers, but the quickest solution might be for the AV vendors to put out a signature already while we wait for an official patch from Oracle. There is an interim (unofficial) patch from DeepEnd Research, but it hasn't had too much testing up to this point. Via TheRegister.co.uk: A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild, and because of Oracle's Java patch schedule, it may be some time before a fix ...</description><link>http://www.secuobs.com/revue/news/396153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396153.shtml</guid></item>
<item><title>NIST's New BIOS Security Standards (Another Industry Tongue Twister)</title><description>Secuobs.com : 2012-08-28 01:08:52 - NovaInfosec.com - In order to deter the growing number of threats, NIST is adding new security guidelines for updating the BIOS (basic input/output system). NIST's proposal, which is open for public comment through September 14th, is intended to stop cyber attacks related to "unauthorized modification of BIOS firmware by malicious software". Andrew Regenscheid, a math researcher and project leader in NIST's computer security division, attributes this in part to concern that computer criminals will subvert the BIOS in their attacks. This concern, among others, led to security standards for desktops and laptops issued by NIST last April in Special Publication 800-147, BIOS Protection Guidelines. Federal agencies were notified by the Department of Homeland Security to use these guidelines for purchasing new laptops and desktops beginning this October. Regenscheid has since drafted Special Publication 800-147B, BIOS Protection Guidelines for Servers, to "include requirements on servers to mitigate the execution of malicious or corrupt BIOS code". This does still leave a couple of questions unanswered: will cloud providers be asked to support secure BIOS, and will NIST also address this issue in regard to mobile devices, such as tablets from Apple and Google? Only time will tell how much farther NIST will take their ...</description><link>http://www.secuobs.com/revue/news/396115.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396115.shtml</guid></item>
<item><title>Massive Weekend Dumps of Account Records</title><description>Secuobs.com : 2012-08-27 19:18:31 - NovaInfosec.com - Looks like another productive weekend with the dump of millions of account and record details over on some of the pastebin-like sites. Specifically, the attackers were targeting "WallStreet, CIA Services, MIT, Consulting Firms, Political Advisors, Security Companies, Corporations, Weapons Dealers, Laboratories, Internet Hosting Services, Academics, Banks, Police Departments, Aviation, The Navy, Stocks Exchange, Bonds Exchange, Markets, Emirates Organizations, Various Businesses, Hedge Funds, Estate Agencies, Public Affairs, Robotics, etc." We skimmed some of them and there are several that contain hashes you might want to play with; however, the majority of the dumps are just tons of data from over 113 sites. The perpetrators were also quite smart this time: instead of just depending on one "paste" site, they spread their plunder over multiple repositories including Pastebin, Stikked, Paste HTML, Pastee, SafeBin, Gist, PasteSite.com, PrivatePaste, and Ideone.com. This tactic will definitely make it harder to clean up, given the range of jurisdictions involved. The four main index posts that list links to all the dumps are on PasteBin, GIST, PasteSite.com, and PrivatePaste.com. Here's a quick rundown of some of the affected sites from our favorite breach-tracking website, OZDC.net: www.chesleyconsulting.com www.cis.fiu.edu esa.org esaever-feu robots.unizar.es www.cdrobot.com www.dc-ei.com www.tunnellconsulting.com www.yvec.com allbiomedical.com materials.mit.edu www.wallstreetledger.net www.wallstreetprep.com winne.com ...</description><link>http://www.secuobs.com/revue/news/396071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396071.shtml</guid></item>
<item><title>Where You Want to Be This Week for 08-27-2012</title><description>Secuobs.com : 2012-08-27 17:42:56 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of Where do you want to be this week? No presentation based meetups this week, but we are sure that you are going to enjoy what the week has in store for you. Also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Thursday (8/30) CharmSec Meetup, Normal Meetup at Slainte Irish Pub &amp; Restaurant from 7:00 to 10:00 PM (more info). And for those who would like to plan ahead, here is a preview of events on our calendar for next week: Friday, 2600 Arlington Meetup. Remember that Baltimore Node, HacDC, Nova Labs, Reverse ...</description><link>http://www.secuobs.com/revue/news/396048.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396048.shtml</guid></item>
<item><title>Weekly Rewind: Blizzard, PayPal, ISC2 &amp; More</title><description>Secuobs.com : 2012-08-24 21:06:36 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "Unofficial ISC2 Board Petition Central", 2) "Hash Weekend and Some Potential PayPal Passwords", and 1) "WoW, New Blizzard Password Dump". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. WoW, New Blizzard Password Dump: Yesterday we came across an interesting Pastebin password dump from 8/15 that we noticed on OZDC.net called "World of Warcraft Database Hacked 10 NEW". It's since been removed; however, given the possible breach of passwords Blizzard announced last week, this particular dump caught our attention. With a little bit of Google-fu we found that the paste includes 85 usernames, hashed passwords, and email addresses. In one of our recent password hash posts we received some good Linux commands to strip out just the hashes. Anyone got something in Python that can do the same thing? Post your comments below. (continued here) Hash Weekend and Some Potential PayPal Passwords: Wow, ...</description><link>http://www.secuobs.com/revue/news/395625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395625.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-08-24</title><description>Secuobs.com : 2012-08-24 16:37:32 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts! As we mentioned last week, this weekend looks packed with a lot of fun things going on, if you live up near Baltimore that is. We need to get a little more action going on down here around NoVA though. If you're a NoVA hackerspace (hint, hint: Nova Labs and Reverse Space), why not hold a weekend event? As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (8/24): "Hardware Hacking with Hunter" from 6:00 PM at Unallocated Space (more info). Saturday (8/25): "Packet Analysis Class" from 11:00 AM ...</description><link>http://www.secuobs.com/revue/news/395575.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395575.shtml</guid></item>
<item><title>Are Disclosed Password Hints Really that Big of an Issue?</title><description>Secuobs.com : 2012-08-24 00:06:56 - NovaInfosec.com - As was announced on the SpiderLabs blog yesterday, researchers discovered an unusual key in the Registry of the latest Windows OSs at HKLM\SAM\SAM\Domains\Account\Users\UserPasswordHint. It turns out that this field contained encoded versions of user password hints. Of course the cool part was that the researchers quickly extended Metasploit's Hashdump tools to decode and pull this data out. But the question remains: is this really a big deal? As usual in infosec, the answer is "it depends". On one hand, if you're local and can't authenticate, you would have access to the password hints anyway. And if you were remote, this key appears to only be accessible if you have system access, so essentially you would have already p0wned the box anyway. On the other hand, we do see these hints as nice guidelines for customizing your password cracking dictionary to use against hashes extracted from that box's SAM. Overall this disclosure was a very interesting find, and it resulted in a nice Metasploit update. via SpiderLabs.com: This past weekend I ended up coming into the SpiderLabs office and "nerded out" with my good friend Ryan Reynolds to follow up on the research we released at DEFCON and BlackHat this ...</description><link>http://www.secuobs.com/revue/news/395452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395452.shtml</guid></item>
<item><title>Unofficial ISC2 Board Petition Central</title><description>Secuobs.com : 2012-08-23 21:00:41 - NovaInfosec.com - Over the past day or so a few folks in the infosec community have stepped up and tossed their name into the hat to be on the ballot of the upcoming ISC2 board election. Following in the footsteps of @wimremes last year, @gattaca was the first to announce his intent to run. After that things just started running together for me. Kindly coined the "Four Horsemen of the Impending Infosec Apocalypse" by @j4vv4d, or the "ISC2 Board Dream Team" by @integgroll, here is a table with quick links for all the candidates, including the latest signature count. Note that each candidate needs at least 500 valid signatures by September 17, 2012 to be listed on the ballot. When you register to sign the petitions you MUST use the email address you have on file with ISC2. Quick Links (Name | Twitter | Announcement | Petition | Press | Sig Count | Last Updated): Dave Lewis | @gattaca | Vote for Dave | "Gattaca running for (ISC)2 board, vows to restore integrity of CISSP exam" | 93 | 8/23 14:00. Name | @krypt3ia | ISC2 Board Candidacy | TBD | TBD. Boris Sverdlik | @jadedsecurity | Vote for Boris | TBD | TBD. Chris Nickerson | @indi303 | ISC4ThePeople | TBD | TBD. FAQs: Can I sign the petition for more than ...</description><link>http://www.secuobs.com/revue/news/395411.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395411.shtml</guid></item>
<item><title>On Password Cracking &amp; Amazon EC2</title><description>Secuobs.com : 2012-08-23 00:29:27 - NovaInfosec.com - Loved this post over on Errata Security's blog. @ErrataRob did a quick analysis of whether it's more cost effective to buy your own password cracking gear or rent some space on EC2. Given his assumptions, it turns out that after 12 hours it is more cost effective to just buy your own gear and throw it all away when you're done. Just some more fuel to add to the fire regarding the affordability of public clouds. via Errata Security: Q: Should pentesters use Amazon EC2 to crack passwords? A: Probably not. Amazon's "cloud computing" seems perfect for pentesters for cracking passwords for three reasons. 1. Accounting: Pentesters can simply stick the Amazon EC2 costs onto the bill they charge customers. If they use their own hardware, they have to figure out how to amortize the cost across many customers. 2. Usage pattern: Pentesters only need the compute power the day they are cracking passwords, at which point they need a lot of hardware. That's only a few days a year; the hardware will remain unused the rest of the time. This fits Amazon's usage model of paying only for the compute power that you use. 3. Sheer power: In theory, ...</description><link>http://www.secuobs.com/revue/news/395218.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395218.shtml</guid></item>
<item><title>AMD, WordPress &amp; the Security of PHPass</title><description>Secuobs.com : 2012-08-22 21:24:37 - NovaInfosec.com - If you haven't already heard by now, the AMD "blogs" site was compromised over the weekend. I guess we missed this while investigating the Blizzard and PayPal dumps. The attackers got away with a minuscule 32 KB of SQL data from the WordPress-backed site and dumped it on MediaFire.com. The dump included 189 usernames with the possibly accompanying PHPass-hashed passwords. The attackers then did a little defacement and that was about it. After realizing the compromise, AMD threw its site into maintenance mode and began investigating the problem. Since then all the apparent dumps have been removed and the blogs site is back up with a message saying everything is just fine (with a bit of commentary): AMD Blog Site Back Online, No External Users Exposed. Our blog site was the target of an attack on August 19th. We do not store any personal user information on the blog site, so the only data exposed were email addresses of AMD employees and their salted, encrypted password hashes. [grecs: Wow, this must be really secure. They salt, hash, and encrypt!] AMD remains committed to data security and user privacy and has launched an investigation into this matter. As you probably noticed, ...</description><link>http://www.secuobs.com/revue/news/395158.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395158.shtml</guid></item>
<item><title>Job: Cyber Security Engineering Team Lead in Ashburn, VA</title><description>Secuobs.com : 2012-08-22 18:21:49 - NovaInfosec.com - If you are mid-career, enjoy working in SOCs, and don't have a college degree, then maybe this position is for you. It's pretty refreshing to see a company not absolutely requiring a degree. Plus the position is located out in Ashburn where all the "affordable" big housing is. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Cyber Security Engineering Team Lead. Location: Ashburn, VA. Company Name: SRA International. Job Description: The Security Engineering Team Lead oversees the daily engineering activities of the TSA Security Operations Center. The candidate coordinates security engineering activities with the Security Manager and Program Manager. The Security Engineering Lead ensures that daily operations meet the high standards and output required of a world-class SOC. The Lead interfaces with the customer on a daily basis and assists the SRA team with final recommendations submitted to our client. The SM is responsible for the proper accounting of staffing requirements and activities of the Security Engineering Team. The Lead is responsible for providing input to the SRA PM's Weekly Program Status meeting, ...</description><link>http://www.secuobs.com/revue/news/395126.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395126.shtml</guid></item>
<item><title>Quit Your Whining: It's Time to Train &amp; Learn</title><description>Secuobs.com : 2012-08-22 04:07:55 - NovaInfosec.com - There seems to be a question floating around the security industry lately as to whether there truly exists a shortage of skills or simply a failure for businesses to properly invest in training their employees. This question doesn't have just one simple answer, other than @jack_daniel tweeting "Quit whining about the skills shortage. TRAIN your way out of it." This quote was in response to a very good article in InformationWeek.com that advises businesses to "invest in training new and current personnel" to get out of the current infosec skill shortage rut. Although we feel businesses need to make these investments, responsibility should also fall on individuals as well. Aside from certifications and professional training and classes, formal and informal security meetups have been a part of the culture for the last couple of decades. Besides the largely known DEFCON, there are often many local meetups in some of the more infosec-prevalent cities. Locally, a great example of this is NovaHackers (shameless plug), which meets every second Monday of the month. Local industry members gather and share information and ideas to help further community knowledge. Hackerspaces offer another avenue to collaborate and learn from others as well as pick ...</description><link>http://www.secuobs.com/revue/news/394985.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394985.shtml</guid></item>
<item><title>Job: Mobile Device Ethical Hacker in Columbia, MD</title><description>Secuobs.com : 2012-08-21 22:14:46 - NovaInfosec.com - Looks like a fun and very challenging mobile hacking job from a smaller company. There's no clearance to start out, but a Secret is preferred. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Mobile Device Ethical Hacker. Location: Columbia, MD. Company Name: Tresys Technology. Job Description: Tresys is looking for a mobile device ethical hacker who is skilled working in the full scope of mobile and embedded device operating systems and applications security analysis. The individual will apply their expertise to isolate, research, and exploit vulnerabilities on hardened devices. This individual is also responsible for documenting their findings and creating recommendations for improved device security. Requirements: Foundational Requirements (minimums): BS degree in computer science, computer engineering, or related field and 4 years experience. Candidates with at least 6 years of strong related work experience will also be considered. Applicants selected will be subject to a Government security background investigation and must meet the eligibility requirements for access to classified information. Eligibility requirements include US citizenship. Secret Clearance is Preferred. Willing to travel ...</description><link>http://www.secuobs.com/revue/news/394941.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394941.shtml</guid></item>
<item><title>Finding Old Apps for Pen Testers in Training</title><description>Secuobs.com : 2012-08-21 02:36:49 - NovaInfosec.com - We've heard of OldApps.com many times before, but a recent tweet from @taosecurity mentioning it put this resource over the top, so we had to write it up for those in pen testing, exploit creation, or just testing overall. You're not going to find any licensed software, but it's a great place for grabbing that old copy of Firefox or Adobe Reader for you to test against. Here's the description from OldApps.com themselves: While most websites provide downloads of current versions, OldApps.com caters to a different market of interest by providing older versions of the same useful programs. Often newer versions are more complicated to use and we understand that it is hard to find older, more user-friendly versions of popular software. Many software providers do not include older versions of their software on their sites; therefore, OldApps.com has found its market niche and provides a vital intermediary function for our users' software needs. We are more than happy to accommodate you with "freedom of choice" by providing multiple versions for you to choose the optimal software version that is right for you. They go on to discuss how these applications may be necessary for older or less ...</description><link>http://www.secuobs.com/revue/news/394749.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394749.shtml</guid></item>
<item><title>Where You Want to Be This Week for 08-20-2012</title><description>Secuobs.com : 2012-08-20 17:55:06 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of Where do you want to be this week. Only presentation-based meetups this week, which we are sure you are going to enjoy, and also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Tuesday 08/21/2012 ISSA DC Meetup, "United States Cyber Defense Liaison to NATO" by Curtis Levinson at Government Printing Office, Room A138, from 6:30 to 8:00 PM (more info). 08/22/2012 ISSA Baltimore Meetup, "Spear Phishing: Attack Methods and How to Fight Back" by Jim Hansen at Concurrent Technologies Corporation from 5:00 to 7:00 PM (more info). And for those who would like to plan ahead, here is a ...</description><link>http://www.secuobs.com/revue/news/394625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394625.shtml</guid></item>
<item><title>Federal Systems Are Monitored (GASP)</title><description>Secuobs.com : 2012-08-20 17:03:11 - NovaInfosec.com - Is it really news to anyone that, as a federal employee, communications which take place on government-owned machines are monitored? Apparently it is news to the Washington Post. A recent news report that came out in the Washington Post claims federal agencies have installed monitoring software by SpectorSoft, which can track keystrokes, retrieve files from hard drives and perform keyword searches. This has caused an uproar among whistleblowers like Food and Drug Administration scientists who claim in a lawsuit that they were targeted in 2010 by the FDA for blowing the whistle on what they believed was an "unethical review process". Common sense seems to dictate that a person should have no expectation of privacy while using a device that does not even belong to them. And that's just for starters. Federal requirements (NIST SP 800-53 AC-8) mandate that a message or banner notify users that system usage may be monitored, recorded and subject to audit. Use of the system indicates consent to monitoring and recording. Even without the addition of SpectorSoft's monitoring software, the Electronic Frontier Foundation's Seth David Schoen explains that "there's always [been] the ability for a human being to come in after the fact and ...</description><link>http://www.secuobs.com/revue/news/394619.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394619.shtml</guid></item>
<item><title>Hash Weekend and Some Potential PayPal Passwords</title><description>Secuobs.com : 2012-08-19 19:09:58 - NovaInfosec.com - Wow, some people have been busy this weekend! Following the supposed Blizzard WoW password dump from yesterday, we just might have come across three new significant password hash dumps through our periodic review of sites like Pastebin, Pastie, AnonPaste, OZDC.net, InsidePro, and a few Twitter accounts. The mother lode was over 5,000 from Hotel Horba, followed by Corriendo Voy with close to 1,000. Finally, someone posted a paltry 300 more from the gaming site Torn World. Below you'll find the data from these three dumps, but be sure to read on. We've extended our normal analysis to include some other interesting tidbits we'd rather not post direct links to. These finds include the likes of almost 1,000 records from PayPal (with cleartext passwords) and over 24,000 additional records. Hotel Horba (hXXp://hotelhorba.eu) Dump Data: 5311 usernames and 128-bit password hashes. Torn World (hXXp://www.tornworld.net) Dump Data: 343 usernames, 128-bit password hashes, first names, last names, and email addresses. Corriendo Voy (hXXp://www.corriendovoy.com) Dump Data: 961 email addresses/usernames and 128-bit MD5 password hashes. And as always, please use these dumps responsibly, i.e., for practice offline password cracking only. If possible use some ninja scripting to strip the names, usernames and email addresses out ...</description><link>http://www.secuobs.com/revue/news/394502.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394502.shtml</guid></item>
<item><title>New Blizzard WoW Password Dump</title><description>Secuobs.com : 2012-08-18 22:27:38 - NovaInfosec.com - Yesterday we came across an interesting Pastebin password dump from 8/15 that we noticed on OZDC.net called "World of Warcraft Database Hacked 10 NEW". It's since been removed; however, given the possible breach of passwords Blizzard announced last week, this particular dump caught our attention. With a little bit of Google-fu we found that the paste includes 85 usernames, hashed passwords, and email addresses. A few of the email addresses repeat several times; however, the usernames appear unique. The title of the paste also suggests that there might be at least nine other pastes, but a quick search didn't return anything. Additionally, we found practically the same paste from 4/12 and that one hasn't been removed as of today. Given the length of the hashes, we're guessing they're probably 128-bit MD5s with a 4-bit salt. As you know, MD5 is fairly weak and a 4-bit salt is practically useless. As usual, here is the OZDC.net analysis: World of Warcraft Analysis. 8/15 Dump (removed but cache still exists): usernames, hashed passwords, and email addresses. 4/12 Dump: usernames, hashed passwords, and email addresses. From the looks of it this dump doesn't appear new; however, it might be a fun exercise for some of ...</description><link>http://www.secuobs.com/revue/news/394454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394454.shtml</guid></item>
<item><title>DerbyCon Talk Info</title><description>Secuobs.com : 2012-08-18 01:37:58 - NovaInfosec.com - Taking a page from @theprez98's book, I thought I'd put out a quick post to say that I'll be speaking at DerbyCon in Louisville, KY (September 27-30, 2012). Here is my talk info. Title: PHP Website Security, Attack Analysis, &amp; Mitigations. Abstract: PHP is a very powerful language for easily developing web applications; however, with this power comes great responsibility, and in this case that means not shooting yourself in the foot with lax security practices. Issues can arise from everything from language vulnerabilities and weak default settings to insecure coding practices and misconfigurations. This presentation plans to address many of these concerns by providing valuable lessons in the security of, attacks against, and management of PHP in your environment. The talk begins with an overview of PHP security, including its known issues and corresponding security enhancements the maintainers have incorporated over time. Beginning with an in-depth discussion of Suhosin and how it can be used to lock down your PHP environment, the presentation next details PHPIDS and how it can be used to detect PHP-centric threats. The talk closes with a strategy for analyzing the risks in your PHP environment and applying corresponding PHP and platform/network mitigations ...</description><link>http://www.secuobs.com/revue/news/394397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394397.shtml</guid></item>
<item><title>Web Vulnerabilities in WMATA Lead to Loss of User Data</title><description>Secuobs.com : 2012-08-17 17:07:21 - NovaInfosec.com - Applying for a job should be a private matter. There is an expectation that the only people viewing the information you submit on an application would be the ones responsible for hiring you. Unfortunately, bad coding on WMATA's "Refer A Friend" feature of their web site blasted that expectation all to pieces. As reported to ABC's 7 On Your Side, simply by knowing an email address for a person who had applied to WMATA and patiently clicking a few times, you could easily access personal information such as home address, telephone number and even application status of individuals, although WMATA does not consider any of this to be "sensitive" personal information. NoVA's own @jack_mannino, who runs nVisium, was contacted by ABC about this critical issue and he explained the importance of fixing this information leak: Anyone with a small amount of knowledge and 20 or 30 minutes of free time could "pull all of the information out of the system for everybody that potentially put anything in there." After ABC contacted WMATA about this breach, they have since removed the offending "Refer a Friend" feature. They claim that the section had only been live for about two months, and ...</description><link>http://www.secuobs.com/revue/news/394310.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394310.shtml</guid></item>
<item><title>Weekly Rewind: Burner, Terms &amp; Conditions, BackTrack 5 R3 &amp; More</title><description>Secuobs.com : 2012-08-17 17:07:21 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "BackTrack 5 R3 Released", 2) "Fixing the Biggest Lie on the Web", and 1) "Casual iPhone Anonymity with Burner". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Casual iPhone Anonymity with Burner: Last week we came across an interesting article on ArsTechnica.com covering Ad Hoc Labs' release of their latest app, Burner, that provides an affordable way to create disposable contact numbers. With an initial investment of only $2, users can create a number with relative anonymity. The only information given to the app is the original number that the burner number will be routed to. Similar services are offered through Google Voice and Skype, but Burner appears to be the first with the ability to be used directly from within the iPhone. What are your thoughts on Burner? Let us know in the comments below. (continued here) NIST ...</description><link>http://www.secuobs.com/revue/news/394309.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394309.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-08-17</title><description>Secuobs.com : 2012-08-17 05:50:17 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts! Looks like another slow weekend with only one recommended event. Still, looks like a fun one! Next weekend, on the other hand, looks to have lots in store. Be on the lookout for our next post. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (8/17): Nada. Saturday (8/18): "Monthly Unallocated LAN Party" from 12:00 PM at Unallocated Space (more info). Sunday (8/19): Nada. Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space as they hold several standard activities throughout the ...</description><link>http://www.secuobs.com/revue/news/394209.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394209.shtml</guid></item>
<item><title>Fixing the Biggest Lie on the Web</title><description>Secuobs.com : 2012-08-16 22:46:46 - NovaInfosec.com - Imagine checking the box that says "I have read and agree to the terms and conditions". Come on, we've all done it. First off, those things are as bad as the fine print in newspaper ads. Most people don't even have the binocular-strength vision, let alone the legal knowledge, to sort through these nightmares. Enter Terms of Service; Didn't Read (ToS;DR). This project was launched in June of this year with people from the group Unhosted. Led by Hugo Roy (@hugoroyd), ToS;DR aims at "creating a transparent and peer-reviewed process" to cut through the average reader's reading time and rate ToS and Privacy Policies. They already have prototype browser extensions available for Chrome/Chromium and Firefox. Unhosted is funded by non-profits and individual donations. All discussions surrounding each rating are done in a public forum and released as free and open data. Website terms and policies are rated from A (very good) to E (you have just sold your soul to Satan). In addition, sites receive badges, such as Good, Mediocre, Alert and Informative. So far the best ratings have gone to SeenThis.net and DuckDuckGo.com, both of which were given "A" ratings. The worst offender, so far, is TwitPic.com, ...</description><link>http://www.secuobs.com/revue/news/394153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394153.shtml</guid></item>
<item><title>Job: "Cyber Security Spy" in Fort Meade, MD</title><description>Secuobs.com : 2012-08-16 18:01:29 - NovaInfosec.com - Instead of another job post this week we thought we'd point something out we learned at Defcon several weeks back. In one of the discussions General Alexander mentioned that the NSA has a special recruiting page just for "hackers" like those that attended this conference. Unfortunately that page is down now with a "Directory Listing Denied" error, but we've included much of the original wording below. The good news is that the link to the requisition that page mentioned still works though. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: "Cyber Security Spy". Location: Fort Meade, MD. Company Name: National Security Agency. Job Description: If you're up on your game, you already know the National Security Agency and what we do. So we won't bother with an explanation. And you probably already know why you're here. At NSA, we don't crack codes and develop new encryption algorithms just for the fun of it (but don't tell our tech teams that). Around here, it's all about the endgame: keeping you and your family ...</description><link>http://www.secuobs.com/revue/news/394059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394059.shtml</guid></item>
<item><title>Cryptocat Security Kerfuffle</title><description>Secuobs.com : 2012-08-15 20:22:52 - NovaInfosec.com - Bruce Schneier wrote about the failings of Cryptocat the other day, and to a certain extent we're still at a bit of a loss over his conclusion. Specifically, the post closed with the following take-away: "More generally, your security in a host-based encryption system is no better than having no crypto at all." Huh? First of all, for those that aren't familiar with Cryptocat, here is Wikipedia's definition: Cryptocat is an open source web application intended to allow secure, encrypted online chatting. Cryptocat encrypts chats on the client side, only trusting the server with data that is already encrypted. Cryptocat is served via HTTPS, while also offering a Google Chrome application that loads code locally. Cryptocat intends to provide means for impromptu, encrypted communications that offer more privacy than services such as Google Talk, while maintaining a higher level of accessibility than other high-level encryption platforms, and furthermore allows for multiple users in one chat room. Now that you know what it is, back to our (as well as other commenters') confusion. One of them echoed our thoughts well: "your security depends entirely [on] the security of the host" does not equal "your security in a host-based ...</description><link>http://www.secuobs.com/revue/news/393776.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393776.shtml</guid></item>
<item><title>US Gov Squandering Millions on Redundant Clearance Systems</title><description>Secuobs.com : 2012-08-15 19:34:37 - NovaInfosec.com - Got a problem with the whole security clearance process that many around DC are forced to go through, again and again, with each agency? What about the continued plea for skilled and cleared infosec professionals, yet you already have to be "in" with one of their existing clearances? Well, according to an article by Mark Weigelt, where he summarizes the results of a TechAmerica survey (PDF), you're not alone. One of the key findings addresses this major issue of non-transferability of clearances to work in between different agencies. And of course this drives contractor rates charged to the government significantly higher. Simply put, clearances are expensive, and the leading contributing factor to this cost is the difficulty in transferring personnel with clearances between contracts with different agencies. Because there is limited reciprocity between agencies and higher compartmented clearances, large amounts of time are spent on achieving what some believe to be equal clearance from a different agency. If the process were magically simplified, these organizations would be able to lower personnel costs and increase their own response time to mission needs and to hire the "best and brightest". The government has a tough ...</description><link>http://www.secuobs.com/revue/news/393758.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393758.shtml</guid></item>
<item><title>Job: Senior Penetration Tester in Herndon, VA</title><description>Secuobs.com : 2012-08-15 17:58:46 - NovaInfosec.com - Dowless &amp; Associates, Inc. is looking for three cleared Red Team pen-testers. These are not security assessment testers or even your run-of-the-mill penetration testers running typical tools. The customer is looking for white-hat hackers, at least one of whom has the capability of developing and coding their own tools and exploits. These positions are an immediate need and will last at least one year, if not longer. And don't forget: if your organization is interested in posting its career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Senior Penetration Tester. Location: Herndon, VA. Company Name: Dowless &amp; Associates, Inc. Job Description: Seeking experienced penetration testers for Red Team activities. The ideal candidate will have strong experience that encompasses automated tools such as BackTrack or Metasploit, but also includes more advanced Red Team penetration testing activities and techniques where little or nothing is known about the target. Must be able to document and demonstrate attack vectors, exploitation methodologies, findings, and recommended mitigations. The candidate must understand adversarial capabilities and profiles of adversary types, and have the ability to match adversary type to threat. The candidate will report to ...</description><link>http://www.secuobs.com/revue/news/393740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393740.shtml</guid></item>
<item><title>Job: Sr Security Admin Analyst in Washington, DC</title><description>Secuobs.com : 2012-08-14 18:47:47 - NovaInfosec.com - Yeah, this post is from a recruiting company; however, we don't come across too many infosec jobs for non-profits. As is typical with non-profits, it looks like you'll be THE infosec guy or gal, doing everything from policy to all the hands-on tech work. They don't mention pay, but if you have a good heart and a willingness to work hard to make a difference, perhaps this position is a good fit for you. And don't forget: if your organization is interested in posting its career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Sr Security Admin Analyst. Location: Washington, DC. Company Name: Threat Squad. Job Description: Great opportunity to work for one of the largest non-profit scientific &amp; educational institutions in the world. Our client is looking for a Senior Security Admin Analyst. This position will be responsible for security operations for all corporate and product infrastructures and applications, reporting to the Director of Technology. Some duties include firewall and security systems engineering and administration, monitoring, and incident response. In addition to daily operations and maintenance, the position will also be responsible for regular ...</description><link>http://www.secuobs.com/revue/news/393513.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393513.shtml</guid></item>
<item><title>White House May Address Cybersecurity Issue With EO</title><description>Secuobs.com : 2012-08-14 15:24:21 - NovaInfosec.com - So after last week, Obama is considering an Executive Order (EO) to implement some aspects of the "cyber" security bill defeated in the Senate. This might bode well, given the prevalence of one Executive Order we remember using back in the day. Unfortunately no one on our staff can remember (or find) the exact one, but we remember using it to hammer security into non-conforming customers. It was the only thing we had to "force" them into doing ANY security at all. I don't know much about the whole political process, but you would think EOs would not be as enforceable as laws. Perhaps EOs only affect government while laws affect everyone. Some sources mention EOs being interpretations of the Constitution or law (help us, @theprez98, you're our only hope). Anyway, makes you wonder why we even have a Congress. via TheHill.com: The Obama administration is considering exercising the White House's executive authority to impose cybersecurity mandates after lawmakers failed to adopt legislation to implement those measures, a top US counterterrorism official said on Tuesday. Those options include President Obama possibly introducing several cybersecurity measures via presidential executive orders, according to White House chief counterterrorism adviser John ...</description><link>http://www.secuobs.com/revue/news/393470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393470.shtml</guid></item>
<item><title>NIST Incident Handling Guidance Document Updated</title><description>Secuobs.com : 2012-08-14 05:46:29 - NovaInfosec.com - In case you missed it, NIST released a revised guide on handling IT security incidents last week. This updated document, Special Publication 800-61, Revision 2: Computer Security Incident Handling Guide, outlines step-by-step instructions that all levels of incident response teams can follow when creating or updating their related policies and plans. Specifically, NIST breaks the instructions down into the following requirements and recommendations: organizations must create, provision, and operate a formal incident response capability; federal law requires federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security (DHS); organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications; organizations should document their guidelines for interactions with other organizations regarding incidents; organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors; organizations should emphasize the importance of incident detection and analysis throughout the organization; organizations should create written guidelines for prioritizing incidents; and organizations should use the lessons-learned process to gain value from incidents. via InfoRiskToday.com: The National Institute of Standards and Technology has issued a revision of its guidance to help ...</description><link>http://www.secuobs.com/revue/news/393398.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393398.shtml</guid></item>
<item><title>Where You Want to Be This Week for 08-13-2012</title><description>Secuobs.com : 2012-08-13 18:50:09 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Here is our weekly installment of "Where do you want to be this week?" No presentation-based meetups this week, but we are sure you will enjoy what the week has to offer. Also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Monday 08/13/2012, NoVA Hackers Association Meetup (Normal Meetup) at QinetiQ (Reston) from 5:30 to 8:30 PM (more info). Thursday 08/16/2012, ISSA NoVA Meetup (Social) at Clyde's (Tysons Corner) from 6:30 to 8:30 PM (more info). And for those who would like to plan ahead, here is a preview of events on our calendar for next week: Monday, NoVA ...</description><link>http://www.secuobs.com/revue/news/393247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393247.shtml</guid></item>
<item><title>Casual iPhone Anonymity with Burner</title><description>Secuobs.com : 2012-08-13 14:36:45 - NovaInfosec.com - Last week we came across an interesting article on ArsTechnica.com covering Ad Hoc Labs' release of their latest app, Burner, which provides an affordable way to create disposable contact numbers. With an initial investment of only $2, users can create a number with relative anonymity. The only information given to the app is the original number that the burner number will be routed to. Similar services are offered through Google Voice and Skype, but Burner appears to be the first that can be used directly from within the iPhone. Ad Hoc Labs has additionally done its part in trying to minimize the app being used for nefarious purposes. Greg Cohn, co-founder and CEO of Ad Hoc Labs, says the company expressly prohibits using the app for unlawful, criminal, or otherwise objectionable activities. And, as the phone calls are not end-to-end encrypted, Burner would not be recommended for use in any highly confidential or mission-critical situation. As to the amount of anonymity offered, the app's privacy policy explicitly states: "Backup copies of this data are not immediately deleted, however, and some aspects of user history are maintained for longer periods of time so that we can reconcile ..."</description><link>http://www.secuobs.com/revue/news/393193.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393193.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-08-10</title><description>Secuobs.com : 2012-08-10 17:05:25 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (8/10): "Hardware Hacking with Hunter" from 7:00 PM at Unallocated Space (more info). Saturday (8/11): Nada. Sunday (8/12): "Analog Gaming Sunday" from 2:00 PM at Unallocated Space (more info). Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space, as they hold several standard activities throughout the week as well. And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be alerted about any ...</description><link>http://www.secuobs.com/revue/news/392859.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392859.shtml</guid></item>
<item><title>Weekly Rewind: LastPass Updates, Wikileaks Prohibitions, Naughty Nurse &amp; More</title><description>Secuobs.com : 2012-08-10 17:05:25 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3. "'Naughty Nurse' Tries to Catch Defense Contractor with Pants Down", 2. "Government Contracts Prohibit Wikileaks Access", and 1. "New LastPass Options Disrupt Foreign Attackers". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Cybersecurity Act Blocked by Senate: We've covered all this cyber legislation stuff before, and the big news yesterday was that the Cybersecurity Act of 2012 did not gain the 60 votes needed in the Senate to bring the measure up for a vote. This creates a significant setback for those in favor of a comprehensive cybersecurity law happening anytime this year. Personally, we have mixed feelings on this situation. On the one hand, we need something to better protect our nation from cyber attacks. The quote "Perfection is the enemy of good enough" comes to mind. How do you feel about the Cybersecurity Act ...</description><link>http://www.secuobs.com/revue/news/392858.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392858.shtml</guid></item>
<item><title>Gauss: The Stuxnet Prequel</title><description>Secuobs.com : 2012-08-10 04:42:05 - NovaInfosec.com - If you haven't heard, Kaspersky has discovered yet another suspected nation-state-sponsored piece of malware floating around. "Gauss," apparently in homage to famed German mathematician Johann Carl Friedrich Gauss, seems mostly to have been another recon tool for Stuxnet. This trait puts it in the same category as Flame; however, Gauss appears much less sophisticated. The types of data Gauss has been programmed to collect include technical details about an infected host's network connections, processes and folders, BIOS, CMOS, RAM, and local and removable drives. As with Stuxnet, Duqu, and Flame, targets mostly focus on the Middle East, with the top three countries being Lebanon, Israel, and Palestine. Some of Gauss's other interesting characteristics include infection via USB, installation of the Palida Narrow font, and targeting of user bank data (e.g., Citibank, PayPal, and several Lebanese institutions). The ecosystem includes five C&amp;C servers that are currently offline, meaning that Gauss is most likely in a dormant state. Gauss also carries a mysterious encrypted payload that researchers have yet to unlock. Those interested in helping with decryption can email Kaspersky's research team at theflame@kaspersky.com. via ArsTechnica.com: Researchers have uncovered yet another state-sponsored computer espionage operation that uses state-of-the-art software to extract a ...</description><link>http://www.secuobs.com/revue/news/392753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392753.shtml</guid></item>
<item><title>Draft Month at NIST</title><description>Secuobs.com : 2012-08-09 21:01:48 - NovaInfosec.com - No, we're not talking about the NFL Supplemental draft. Instead, it just looks like NIST has had a busy July, with seven new infosec-relevant drafts being released. This activity is quite an increase compared to no drafts in June and one draft in May. While most of these releases are the tried and true Special Publications (SP) we are all familiar with, they intersperse some FIPS and NISTIR documents as well. Some of the many topics addressed include identity, smart meters, mobile, malware, intrusion detection/prevention, and BIOS. For each we've also highlighted the date that comments are due. Unfortunately the ones released in early July are due about now-ish. Anyway, there are still four more open for comment. FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors (REVISED DRAFT): The Revised Draft FIPS 201-2 reflects the disposition of comments received on the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to ...</description><link>http://www.secuobs.com/revue/news/392697.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392697.shtml</guid></item>
<item><title>"Naughty Nurse" Tries to Catch Defense Contractor with Pants Down</title><description>Secuobs.com : 2012-08-09 19:26:13 - NovaInfosec.com - Ok, having fun with the title of this article, but we just couldn't pass up the opportunity. Appropriately enough, we noticed this post over on Naked Security. As part of a phishing campaign, a defense contractor received an email with an archive called sexpicture.rar. In it were promises of inappropriate pictures of Japanese model Sakura Shiratori. I didn't look, but a malware analysis friend mentioned the archive contained several of the aforementioned pics as well as a screen saver file laced with Mal/Behav-043 and a document infected with Troj/DocDrop-AF. Microsoft released a patch for the latter as part of a fix for CVE-2012-0158. We're not sure if there is a fix for the screen saver infection. Although the article doesn't name the contractor, it's just a reminder that you need to be vigilant about where your pr0n comes from. Remember the number one rule of email security: if you aren't expecting the delivery of pr0n, scan it with AV before looking. via NakedSecurity.Sophos.com: As we have mentioned before, we've seen a large number of files spammed out to various organisations, exploiting the CVE-2012-0158 vulnerability. Victims have not been limited to defence companies, but have also included government departments, charities and recruitment agencies ...</description><link>http://www.secuobs.com/revue/news/392670.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392670.shtml</guid></item>
<item><title>iKAT: Interactive Kiosk Attack Tool</title><description>Secuobs.com : 2012-08-08 22:09:01 - NovaInfosec.com - I had always heard about this cool tool back in the day that would let you easily pwn all those kiosks you see around. Then at Defcon 19 I finally got a good look at it as its creator, Paul Craig, demoed his latest update called iKAT V (Vengeance Edition). Some of the improvements he made included ... But then, since I don't do kiosk testing, it soon fell to the back of my mind. Just recently I was reminded by a tweet from @theprez98, and so I decided to finally take a closer look at it. We don't necessarily have a kiosk that we are allowed to test this on, so we're just going to point out some of its key features and leave the rest as an exercise for the reader. As always, make sure you get permission first. For a quick intro, Paul describes the latest version of iKAT as follows: "iKAT was designed to aid security consultants with the task of auditing the security of internet Kiosk terminals. iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality. This tool should be ..."</description><link>http://www.secuobs.com/revue/news/392470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392470.shtml</guid></item>
<item><title>Government Contracts Prohibit Wikileaks Access</title><description>Secuobs.com : 2012-08-07 18:01:26 - NovaInfosec.com - Earlier today @mikko tweeted an interesting document (Google Docs PDF viewer) that stressed US government contractors not visit Wikileaks or similar websites from agency, contractor, or personally owned machines. The document, a draft version of "Bureau of Reclamation Solicitation No. R12PS40020," looks more environmentally focused; however, security even creeps into these systems in order to protect the underlying support infrastructure (e.g., emailing, powerpointing, and wording). In particular, starting on page 40 (based on internal document numbering), the document notes that as a condition of the potential contract, contractors are ordered not to visit the Wikileaks website. See the red highlighted text below for the pertinent points. Ok, look, we understand that the rules are the rules and all of us should follow them. However, as in law, there are often two interpretations: the "spirit of the rule" and the "letter of the rule." First of all, there is no risk, since it vanished when the event was actualized. Second, we are going to spend our hard-earned tax dollars to clean up a data spill, and even after the cleanup the data will still be publicly available no matter what we do. In this situation it just makes ...</description><link>http://www.secuobs.com/revue/news/392176.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392176.shtml</guid></item>
<item><title>Where You Want to Be This Week for 08-06-2012</title><description>Secuobs.com : 2012-08-07 00:08:22 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. It is late, but it's here! Join OWASP NoVA as they have their annual social this week, and also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Thursday 08/09/2012, OWASP NoVA Meetup (Annual Social) at Velocity 5 from 6:30 to 8:30 PM (more info). And for those who would like to plan ahead, here is a preview of events on our calendar for next week: Monday, NoVA Hackers Association Meetup. Remember that Baltimore Node, HacDC, Reverse Space, and Unallocated Space are four local hackerspaces that also hold several standard activities each week, so check them out for more fun ...</description><link>http://www.secuobs.com/revue/news/392018.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392018.shtml</guid></item>
<item><title>Yahoo Sued Over Password Leak</title><description>Secuobs.com : 2012-08-06 18:32:12 - NovaInfosec.com - The next chapter in the story of the recent Yahoo password breach is coming to fruition, as a New Hampshire man filed a lawsuit against Yahoo last week. He's alleging that a breakdown of Yahoo's security measures allowed hackers to get into their database and steal the previously reported 450,000 passwords. This individual is seeking class-action status in his lawsuit and asking Yahoo to pay those affected for account fraud and identity theft protection. This lawsuit could be bad for Yahoo and other companies if consumers decide to litigate more over these types of breaches. However, maybe it could help increase security, as companies will want to avoid lawsuits and losing customers (trying to find the silver lining here). Of course, more likely companies will simply augment their ToS to prevent such lawsuits. via CNET.com: A New Hampshire man filed suit against Yahoo this week alleging that lax security measures allowed hackers to get into a Yahoo database and steal passwords from 450,000 accounts. In his lawsuit seeking class-action status, filed in federal court in San Jose, Calif., on Tuesday (PDF), Jeff Allan is asking the court to order Yahoo to compensate him and others for "resulting account fraud" and measures people had to take ...</description><link>http://www.secuobs.com/revue/news/391902.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391902.shtml</guid></item>
<item><title>New LastPass Options Disrupt Foreign Attackers</title><description>Secuobs.com : 2012-08-06 06:11:12 - NovaInfosec.com - If you can't tell, LastPass is one of our favorite authentication tools in terms of always pushing the security envelope. As long as you choose a strong master password and enable one of the two-factor authentication methods, you should be pretty safe. Yeah, we know some people will never trust the cloud, but maybe some of their new security features will change a few of those minds. In their latest blog post they tout two new options that provide the ability to restrict logins to specific countries as well as prevent access from Tor exit nodes. Probably the most relevant is the ability to select the countries you can log in from. So for most of us around DC, I'm thinking we'd just select the US and be done with it for about 99.999% of the time. Now yeah, someone abroad could use a service like WiTopia to VPN into their DC gateway (or any other US-based one) and log in that way, but I still say bravo to LastPass for upping the bar a little more. I'm guessing LastPass could probably continually research all the different VPN providers and give an option to block those as well. Rogue proxies and VPN ...</description><link>http://www.secuobs.com/revue/news/391788.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391788.shtml</guid></item>
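The two controls the post describes, a country allow-list and a Tor exit-node block, reduce to a small policy check at login time. The block below is an added example, not LastPass code: the geolocation table, the Tor exit list and the client addresses are constructed for the demo (a real deployment would load a GeoIP database and the published Tor exit list). It treats an address with no geolocation as a deny, so a gap in the database cannot be used to slip past the country list, and, as the post notes, it cannot tell a VPN exit in an allowed country from a genuine local user.

```python
"""Country allow-list plus Tor exit-node block for a login policy.

Added example, not LastPass code. GEO_TABLE, TOR_EXIT_NODES and the
attempts in __main__ are constructed sample data.
"""
import ipaddress

# Constructed stand-in for a GeoIP database: network prefix to country code.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Constructed stand-in for the published Tor exit-node list.
TOR_EXIT_NODES = {
    ipaddress.ip_address("192.0.2.77"),
}


def country_of(ip):
    """Return the country code for ip, or None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def login_allowed(ip, allowed_countries, block_tor=True):
    """Decide whether a login from ip may proceed; returns (allowed, reason).

    The Tor check runs first because an exit node in an allowed country
    is still an exit node. Unknown geolocation is a deny, not a pass.
    """
    addr = ipaddress.ip_address(ip)
    if block_tor and addr in TOR_EXIT_NODES:
        return False, "tor-exit"
    cc = country_of(ip)
    if cc is None:
        return False, "unknown-country"
    if cc not in allowed_countries:
        return False, "country-" + cc
    return True, "ok"


def filter_attempts(attempts, allowed_countries):
    """Evaluate a batch of (user, ip) attempts and return the denied ones."""
    denied = []
    for user, ip in attempts:
        ok, why = login_allowed(ip, allowed_countries)
        if not ok:
            denied.append((user, ip, why))
    return denied


if __name__ == "__main__":
    # Constructed login attempts against a US-only policy.
    attempts = [
        ("alice", "198.51.100.10"),   # US, allowed
        ("alice", "203.0.113.5"),     # RU, denied by the country list
        ("alice", "192.0.2.77"),      # US address that is also a Tor exit
        ("alice", "10.9.8.7"),        # not in the table: denied as unknown
    ]
    for entry in filter_attempts(attempts, {"US"}):
        print("DENY", entry)
```

The order of the checks matters: geolocating first and short-circuiting on "US" would wave through the Tor exit at 192.0.2.77, which is exactly the case the second LastPass option exists to catch.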
<item><title>Cybersecurity Act Blocked by Senate</title><description>Secuobs.com : 2012-08-03 22:57:16 - NovaInfosec.com - We've covered all this cyber legislation stuff before, and the big news yesterday was that the Cybersecurity Act of 2012 did not gain the 60 votes needed in the Senate to bring the measure up for a vote. This creates a significant setback for those in favor of a comprehensive cybersecurity law happening anytime this year. Personally, we have mixed feelings on this situation. On the one hand, we need something to better protect our nation from cyber attacks. The quote "Perfection is the enemy of good enough" comes to mind. On the other hand, we feel that there were so many unrelated amendments (e.g., one that would decrease the effectiveness of Obamacare) or exceptions that it significantly diluted its effectiveness. via GovInfoSecurity.com: Senate supporters of the Cybersecurity Act of 2012 failed Aug. 2 to gain the 60 votes necessary to bring the measure up for a vote, a significant setback for those seeking enactment of a comprehensive cybersecurity law this year. The vote was 52 to 46. Failure to invoke cloture isn't quite the death knell of cybersecurity legislation this year, because senators on both sides of the issue suggested that they would continue behind-the-scenes talks. Still, with Congress about to ...</description><link>http://www.secuobs.com/revue/news/391601.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391601.shtml</guid></item>
<item><title>Weekly Rewind: Defcon Days, Password Problems &amp; More</title><description>Secuobs.com : 2012-08-03 18:59:10 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3. "Defcon Day 2 Talk Notes: The DCWG Debriefing", 2. "Defcon Day 1 Keynote Notes: Shared Values, Shared Responsibility", and 1. "Defcon Day 3 Talk Notes: Sploitego". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Defcon 20: Day 1 of The DC Edition. Well, it's time, and we are transitioning from Black Hat to Defcon. Continuing our theme from Black Hat, here is day 1 of our recommendations for those who are looking to get that DC experience out of Defcon 20. The tracks don't seem to have any specific names, just Penn &amp; Teller, Track 1, Track 2, Track 3, and Track 4. Of these, Penn &amp; Teller and Track 1 seem to take up most of where you might want to hang out. Beyond these sessions there are some ...</description><link>http://www.secuobs.com/revue/news/391558.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391558.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-08-03</title><description>Secuobs.com : 2012-08-03 05:28:41 - NovaInfosec.com - Here it is again, another of our weekly "Best Bets" posts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that I may have missed. Friday (8/3): "HAM Radio Night" from 6:00 PM at Unallocated Space (more info); "2600 Arlington" from 7:00 PM at Champps (Pentagon Row) (more info). Saturday (8/4): "Laser Cutting Possibilities" from 1:00 PM at Nova-Labs (more info); "Linux Admin Study Group" from 2:00 PM at HacDC (more info). Sunday (8/5): "Sunday Crafternoon" from 3:00 PM at HacDC (more info). Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space, as they hold several standard ...</description><link>http://www.secuobs.com/revue/news/391429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391429.shtml</guid></item>
<item><title>Australia in Crosshairs with Over 2,300 Dumped Password Hashes</title><description>Secuobs.com : 2012-08-03 05:28:41 - NovaInfosec.com - There are four new smaller password hash dumps that we discovered on OZDC.net over the past few weeks. Of course, many of the records also contained other interesting data such as emails, usernames, obfuscated credit card numbers, credit card types, names, user IDs, and nicknames. It appears websites in Australia are being targeted, as two of the four dumps we've found are in the .au domain. The compromised sites included 782 records from Luxury Homes Australia, 50 from Christchurch Accommodation, and 15 from the City University of New York (CUNY). Of course the big one is the Australian Fishing Trade Association (AFTA) with 1,460, bringing the grand total to just over 2,300 recently dumped records. Check out the OZDC.net analysis followed by links to the dumps below. Luxury Homes Australia (hXXp://www.luxuryhomesaustralia.com.au) [Analysis] [Dump]: 782 records with emails, usernames, 288-bit hashed passwords (guessing 32 of those bits are salt), obfuscated credit card numbers, credit card types, and names. Christchurch Accommodation (hXXp://www.christchurchtop10.co.nz) [Analysis] [Dump]: 50 records with user IDs, usernames, 100-bit hashed passwords (guessing it works in a 28-bit salt somehow), nicknames, and emails. CUNY (hXXp://www.career.qc.cuny.edu) [Analysis] [Dump]: 15 records with user IDs, usernames, 160-bit hashed passwords, and emails. AFTA (hXXp://afta.net.au) [Analysis] [Dump]: 1,460 ...</description><link>http://www.secuobs.com/revue/news/391428.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391428.shtml</guid></item>
<item><title>Tesco: Just the Tip of the Plaintext Password Iceberg</title><description>Secuobs.com : 2012-08-02 04:52:14 - NovaInfosec.com - It seems like today is an appropriate day to write about this whole Tesco fiasco. I'm sure as I'm writing this you have all already noticed receiving your Daily Dave (or other Mailman-based list) password reminders. We've covered this issue at length in other posts. The scary thing is that storing passwords in this manner is more often the standard rather than the exception. Just check out PlainTextOffenders.com to get an idea of the number of culprits out there. As we've discussed before, step 1 is, at a minimum, to use a secure hashing algorithm to create hashes instead of storing data that can be reversed into the original passwords. And by secure algorithm we're not talking about MD5, as many organizations still seem to use. Step 2 is to use salts, including a different salt for each user. Step 3, and the one suggestion that rules them all, is to use a true key derivation function such as PBKDF2, bcrypt, or scrypt. Also, if you run a Mailman server, please disable the Mailman password reminder feature. If you are an end user and receive password reminders in this fashion, try contacting the provider to plead with them to fix the problem. Else ...</description><link>http://www.secuobs.com/revue/news/391195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391195.shtml</guid></item>
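The three steps above (a real hash, a per-user salt, a key derivation function) fit in a few lines once you stop storing the password itself. The block below is an added example, not code from Tesco, Mailman or any site on PlainTextOffenders: it puts the unsalted-MD5 pattern the post warns about next to a PBKDF2-HMAC-SHA256 record with a random salt and a constant-time check. The iteration count, record format and the sample passwords are choices made for the demo.

```python
"""Unsalted MD5 beside PBKDF2-HMAC-SHA256 with a per-user salt.

Added example, not code from the post or from any site it mentions.
The iteration count and record layout are demo choices.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # raise over time; the cost is the point of a KDF


def weak_md5(password):
    """What the post warns against: a fast, unsalted hash. Two users with
    the same password get the same hash, and a rainbow table or a GPU run
    recovers most of a dump like this in minutes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Steps 1-3: a slow KDF over the password and a 16-byte random salt
    that is unique to this record. The stored string carries its own
    parameters so they can be raised later without rewriting old rows."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the KDF with the stored salt and iteration count and
    compare in constant time, so a wrong guess takes as long as a right one."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is below current policy; call it after a
    successful login, when the plaintext is briefly available, and re-store."""
    _, iters, _, _ = record.split("$")
    return iterations > int(iters)


if __name__ == "__main__":
    # Constructed demo passwords; note the two identical MD5 values.
    print("md5  alice:", weak_md5("Summer2012"))
    print("md5  bob:  ", weak_md5("Summer2012"))
    rec_a = hash_password("Summer2012")
    rec_b = hash_password("Summer2012")
    print("kdf  alice:", rec_a)
    print("kdf  bob:  ", rec_b)
    print("verify:", verify_password("Summer2012", rec_a), verify_password("summer2012", rec_a))
```

Two things worth noticing when you run it: the two PBKDF2 records for the same password differ because each carries its own salt, so an attacker has to run the KDF separately per user; and the record format stores the iteration count, which is what lets `needs_rehash` migrate old entries as hardware gets faster.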
<item><title>Job: Information Security Engineer in Reston, VA</title><description>Secuobs.com : 2012-08-01 17:54:53 - NovaInfosec.com - Here's another interesting job if you have the right tickets. You'll get to deal with none other than APT. Although it's listed as an engineering position, it sounds more like you'd be working in a customer's CIRT or SOC. And be sure to check out some of the positions listed on the right of this job's requisition, as there are a few other interesting ones there as well. And don't forget: if your organization is interested in posting its career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Information Security Engineer. Location: Reston, VA. Company Name: Tenacity Solutions. Job Description: This work entails monitoring of the customer's Advanced Persistent Threat (APT) tool. This would involve analyzing anomalous activity, reporting it to the customer's INFOSEC, and making recommendations for further action. As experience with the tool grows, recommendations should be made to refine the tool's performance and reduce false positives. Requirements: TS/SCI w/ Poly; Windows system administration experience; virus/malware analysis; Windows system forensic analysis; handling/coordinating responses to incidents; providing APT/virus threat briefings to the customer; medium level of understanding of LANs and WANs, and of how network ...</description><link>http://www.secuobs.com/revue/news/391109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391109.shtml</guid></item>
<item><title>Defcon Day 3 Talk Notes - Subterfuge</title><description>Secuobs.com : 2012-08-01 06:09:50 - NovaInfosec.com - "Subterfuge: The Automated Man-in-the-Middle Attack Framework" by Christopher Shields and Matthew Toussain. As usual, here is the official abstract: Walk into Starbucks, plop down a laptop, click start, watch the credentials roll in. Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions. Now walk into a corporation... A rapidly-expanding portion of today's Internet strives to increase personal efficiency by turning tedious or complex processes into a framework which provides instantaneous results. On the contrary, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. The purpose of this presentation is to discuss a new Man-In-The-Middle attack tool called Subterfuge. Subterfuge is a simple but devastatingly effective credential-harvesting program, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. It does this in a way that even a non-technical user would have the ability, at the push of a button, to attack all machines connected to the network. Subterfuge further provides the framework by which users can...</description><link>http://www.secuobs.com/revue/news/390989.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390989.shtml</guid></item>
<item><title>Weekly Rewind - Gamigo, Black Hat, Password Hashes &amp; More</title><description>Secuobs.com : 2012-07-31 17:46:53 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "16,000 New Password Hashes Dumped", 2) "Much Ado about Nothing (We Hope): The BlackHat Email Affair", and 1) "More Than 8 Million Gamigo Password Hashes Released". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. 68,000 Password Hashes from Fish Enthusiast Forum: Ahhh, YAPHB (yet another password hash breach), this time on the Cichlids Forums. The site that we originally read this story on is CyberWarNews.info, where they referenced some basic email address stats from OZDC.net (i.e., OZ Data Centa). This time around it was Yahoo! Mail that had the highest registrant count with almost 15K, followed closely by Hotmail. Clicking on the stats takes you to the information page on OZDC.net that offers quite a treasure trove of interesting data, including those same email stats as well as submission (7/20) and attack (7/21) dates,...</description><link>http://www.secuobs.com/revue/news/390873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390873.shtml</guid></item>
<item><title>Where You Want to Be This Week for 07-30-2012</title><description>Secuobs.com : 2012-07-30 18:11:30 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Nothing is scheduled for this week, as most of you are returning from Defcon, but be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Nothing Scheduled this week. Next Week: And for those who would like to plan ahead, here is a preview of events on our calendar for next week. Nothing Scheduled yet. Remember that Baltimore Node, HacDC, Reverse Space, and Unallocated Space are four local hacker spaces that also hold several standard activities each week, so check them out for more fun stuff to do. And be sure to subscribe to our RSS feed or follow us on Twitter...</description><link>http://www.secuobs.com/revue/news/390653.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390653.shtml</guid></item>
<item><title>Defcon Day 3 Talk Notes - Sploitego</title><description>Secuobs.com : 2012-07-30 05:44:24 - NovaInfosec.com - "Sploitego: Maltego's (Local) Partner in Crime" by Nadeem Douba. As usual, here is the official abstract: Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that give Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait, there's more! Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as "Hello World". Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source; yup, you can extend it to your heart's content. During the presentation we'll show the awesome power...</description><link>http://www.secuobs.com/revue/news/390548.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390548.shtml</guid></item>
<item><title>Defcon Day 2 Talk Notes - The DCWG Debriefing</title><description>Secuobs.com : 2012-07-29 03:50:30 - NovaInfosec.com - "The DCWG Debriefing: How the FBI Grabbed a Bot and Saved the Internet" by Paul Vixie &amp; Andrew Fried. As usual, here is the official abstract: In November of 2011 a multinational force of feds and wizards took down Rove Digital's on-line infrastructure including the DNS Changer name servers. Under contract to the FBI, employees of Internet Systems Consortium (ISC) installed "clean" replacement DNS servers to take care of a half million DNS Changer victims. On July 9 2012 the last court order expired and we turned these name servers off, having had only mixed success in getting the malware cleaned up. Andrew Fried and Paul Vixie of ISC will present the whole story and talk about some of the hard lessons to be learned. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: Overall this talk wasn't too exciting, and the speakers' mostly mumbling didn't help. Still it was good to hear the other side of the story rather than just what the press chose to publish (including us, unfortunately). Overview of Operation Ghost Click: This group just wanted to get into the advertising business but...</description><link>http://www.secuobs.com/revue/news/390468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390468.shtml</guid></item>
<item><title>Defcon Day 2 Talk Notes - Bruce Schneier Answers Your Questions</title><description>Secuobs.com : 2012-07-28 21:48:12 - NovaInfosec.com - "Bruce Schneier Answers Your Questions" by Bruce Schneier. As usual, here is the official abstract: Bruce Schneier will answer questions on topics ranging from the SHA-3 competition to the TSA to trust and society to squid. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: Note: I did skip the first question on where to find good but cheap food in LV. What is quantum computing's effect on public-key crypto? BS: Huge deal, but this is the only thing quantum computing is good at. Just affects certain algorithms though, but not practical in our lifetime. What advice would you give students entering security? BS: One aspect is the ability to think like a hacker, so maybe not teachable. Other aspect is domain expertise. What are your thoughts on TSA when you opt out and they don't put you through the metal detector? BS: Yeah, it's a problem. Discussed further. Any recommendations on how to improve the current international system re application security (CC)? BS: Gets back to trust. At some point we have to trust. One of the ways we established trust is through these standards. Why don't the people making the...</description><link>http://www.secuobs.com/revue/news/390460.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390460.shtml</guid></item>
<item><title>Defcon 20 - Day 2 of The DC Edition</title><description>Secuobs.com : 2012-07-28 19:28:53 - NovaInfosec.com - If yesterday wasn't enough, now we are on to the second day of Defcon. Continuing on our theme from Black Hat, here is day 2 of our recommendations for those that are looking to get that metro DC experience here out of Defcon 20. The tracks don't seem to have any specific names, just Penn &amp; Teller, Track 1, Track 2, Track 3, and Track 4. Of these, Track 2 seems to be the place to hang out. Yeah, you may miss some of the big talks, but you'll also miss all the lines. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in other defense-based tracks, and I point them out below as well. 10:00 AM World War 3.0: The battle for the Internet between the forces of Chaos &amp; Control. There are those that want order on the Internet and those that think chaos is best. This should be an interesting talk to hear the two sides from some of the biggest infosec leaders, including Joshua Corman, Dan Kaminsky, Jeff Moss, Rod Beckstrom, and Michael Joseph Gross (Track 2). 11:00 AM Bruce Schneier Answers...</description><link>http://www.secuobs.com/revue/news/390450.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390450.shtml</guid></item>
<item><title>Defcon Day 1 Talk Notes - An Inside Look into DIB Technical Security Controls</title><description>Secuobs.com : 2012-07-28 03:22:32 - NovaInfosec.com - "An Inside Look into Defense Industrial Base (DIB) Technical Security Controls: How Private Industry Protects Our Country's Secrets" by James Kirk. As usual, here is the official abstract: With an ever changing threat of nation states targeting the United States and its infrastructure and insiders stealing information for public release, we must continuously evaluate the procedural and technical controls we place on our national assets. This presentation goes into brief detail on how security controls are developed, reviewed, and enforced at a national level for protection of data classified up to Top Secret and some of the major flaws in the security approach to data privacy. The purpose of this presentation is to raise awareness of substandard security practices within sensitive areas of the Federal Government and to influence change in how controls and practices are developed and maintained. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: Overall James provided some good background about what the DIB is, details on how screwed up the process is, and how the requirements to join the DIB do not achieve its goal of protecting our nation's security. He touched on...</description><link>http://www.secuobs.com/revue/news/390380.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390380.shtml</guid></item>
<item><title>Defcon Day 1 Keynote Notes - Shared Values, Shared Responsibility</title><description>Secuobs.com : 2012-07-27 23:00:38 - NovaInfosec.com - "Shared Values, Shared Responsibility" by General Alexander. As usual, here is the official abstract: We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy. DEF CON has an important place in computer security. It taps into a broad range of talent and provides an unprecedented diversity of experiences and expertise to solve tough problems. The hacker community and USG cyber community share some core values: we both see the Internet as an immensely positive force; we both believe information increases in value by sharing; we both respect protection of privacy and civil liberties; we both believe in the need for oversight that fosters innovation, doesn't pick winners and losers, and retains freedom and flexibility; we both oppose malicious and criminal behavior. We should build on this common ground because we have a shared responsibility to secure cyberspace. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: Great Opportunities: Internet Commerce, Mobile, Social Media, Defcon Kids. Significant Vulnerabilities:...</description><link>http://www.secuobs.com/revue/news/390358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390358.shtml</guid></item>
<item><title>Defcon 20 - Day 1 of The DC Edition</title><description>Secuobs.com : 2012-07-27 21:23:08 - NovaInfosec.com - Well, it's time and we are transitioning from Black Hat to Defcon. Continuing on our theme from Black Hat, here is day 1 of our recommendations for those that are looking to get that DC experience here out of Defcon 20. The tracks don't seem to have any specific names, just Penn &amp; Teller, Track 1, Track 2, Track 3, and Track 4. Of these, the Penn &amp; Teller and Track 1 seem to take up most of where you might want to hang out. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in other defense-based tracks, and I point them out below as well. 10:00 AM Welcome &amp; Badge Talk: We always enjoy these welcome talks. If this is your first time, I'd definitely think it is worth attending this session. It's always very interesting to hear about all the work they put in to come up with these great badges. You'll also get some great tips on a number of the contests (Track 1). Also, Mark Weatherford will be re-presenting his Black Hat talk here; however, I don't recommend attending it, as we've previously blogged. 11:00 AM...</description><link>http://www.secuobs.com/revue/news/390342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390342.shtml</guid></item>
<item><title>Black Hat Day 2 Talk Notes - Hacking the Corporate Mind</title><description>Secuobs.com : 2012-07-27 03:12:47 - NovaInfosec.com - "Hacking the Corporate Mind: Using Social Engineering Tactics to Improve Organizational Security Acceptance" by James Philput. As usual, here is the official abstract: Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks, and the data housed on them. That said, we are awful at communicating the need for these controls in a way that the users will either understand or listen to. In this presentation, I will discuss using social engineering techniques against your organization's users. Through the application of social engineering tactics, I will show how to bridge the gulf between the user and the information security team, allowing for better security awareness, better adherence to information security policy, and fewer difficulties in user acceptance. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: James is going over the outline of his talk: Define the Problem, Define the Rules of Engagement, Attack,...</description><link>http://www.secuobs.com/revue/news/390160.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390160.shtml</guid></item>
<item><title>284 More Password Hashes Dumped</title><description>Secuobs.com : 2012-07-27 02:27:23 - NovaInfosec.com - There are three new relatively small password hash dumps that we discovered over on OZDC.net yesterday. Of course, many of the records also contained other interesting data such as phone numbers, email addresses, full names, user ids, usernames, club ids, and user types. The compromised sites included 114 records from ReefPhoto.com, 140 from PhotoCityGame.com, and 18 from Lancashiregaa.co.uk. A few others also contained about 12 records, bringing the grand total to 284 records dumped in the past day. I think the most scary thing of all this is the fact that the password hashes and other data we've been blogging about the past few weeks are really only the tip of the iceberg. Check out the OZDC.net analysis followed by links to the dumps below. ReefPhoto.com Analysis / Dump (phone numbers, email addresses, full names, ..., and password hashes). PhotoCityGame.com Analysis / Dump (password hashes, user ids, and usernames). Lancashiregaa.co.uk Analysis / Dump (user ids, club ids, usernames, user types, and hashed passwords). As always, please use these dumps responsibly, i.e., for practice offline password cracking only. If possible, use some ninja scripting to strip the other data out. Got any scripting foo to share with us to strip just the password...</description><link>http://www.secuobs.com/revue/news/390154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390154.shtml</guid></item>
<item><title>Black Hat Day 2 Talk Notes - The Christopher Columbus Rule and DHS</title><description>Secuobs.com : 2012-07-26 22:43:34 - NovaInfosec.com - "The Christopher Columbus Rule and DHS" by Mark Weatherford. As usual, here is the official abstract: "Never fail to distinguish what's new, from what's new to you." This rule applies to a lot of people when they think about innovation and technology in the government. At the US Department of Homeland Security, in addition to running the National Cybersecurity and Communication Integration Center (NCCIC), the US-CERT and the ICS-CERT, they work daily with companies from across the globe to share critical threat and vulnerability information. DHS also supports and provides funding for a broad range of cutting-edge cybersecurity research initiatives, from the development and implementation of DNSSEC to sponsoring the use of open source technologies and from development of new cyber forensics tools to testing technologies that protect the nation's industrial control systems and critical infrastructures. This is not your grandfather's Buick! Come hear Deputy Under Secretary for Cybersecurity Mark Weatherford talk about research and training opportunities, the growing number of cybersecurity competitions sponsored by DHS, and how they are always looking to hire a few good men and women. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way:...</description><link>http://www.secuobs.com/revue/news/390112.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390112.shtml</guid></item>
<item><title>Twitter Down - Black Hat Attendees Meander in Fear</title><description>Secuobs.com : 2012-07-26 19:32:30 - NovaInfosec.com - Oh no! Twitter has been down for quite a while. Guess we are just going to have to blog more. As of 50 minutes ago Twitter issued the following warning on their status page: "Twitter Site Issue: Users may be experiencing issues accessing Twitter. Our engineers are currently working to resolve the issue." In the meantime, check out our Day 2 DC-centric picks for Black Hat. Is Twitter down for you, or is it just us? Let us know in the comments below. See ya!</description><link>http://www.secuobs.com/revue/news/390071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390071.shtml</guid></item>
<item><title>Black Hat USA - Day 2 of The Black Hat DC Edition</title><description>Secuobs.com : 2012-07-26 06:06:43 - NovaInfosec.com - Continuing on our theme from yesterday, here is day 2 of our recommendations for those that are looking to get that Black Hat DC experience here out of Black Hat USA. Overall, the tracks for Black Hat on Thursday include Big Picture, Web Apps, Malware, Enterprise Intrigue, 92.2% Market Share, Over the Air and in the Device, Mass Effect, Applied Workshop I, and Applied Workshop II. Of these, the Big Picture track takes up everything, so that makes today's recommendations pretty easy. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in other defense-based tracks, and I point them out below as well. 9:00 AM Although the keynote during this timeframe looks interesting with An Interview with Neal Stephenson, I'm not too much of a science fiction fan, so I'll probably take this opportunity to catch up on some sleep. 10:15 AM Trust, Security, and Society: I've been a Bruce Schneier fan for a while; however, I have not had a chance to see him speak. Well, here's your chance if you're in the same boat as me. It looks to be an interesting talk discussing how societies run off...</description><link>http://www.secuobs.com/revue/news/389925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389925.shtml</guid></item>
<item><title>Black Hat Day 1 Talk Notes - STIX: The Structured Threat Information eXpression</title><description>Secuobs.com : 2012-07-26 00:44:20 - NovaInfosec.com - "STIX: The Structured Threat Information eXpression" by Sean Barnum. As usual, here is the official abstract: This Turbo Talk will give a brief introduction and overview of an ongoing effort to define a standardized integrated information architecture for representing structured cyber threat information. The effort known as the Structured Threat Information eXpression (STIX) is a work in progress among a broad community of industry, government, academic and international experts. This representation, as a whole or in parts, is actively being pursued as a basis for automation and information sharing within several active communities. And some notes I took based mostly on my tweets during the talk, put together in a slightly more intelligible way: Reiterating points from this morning's keynote: STIX helps organizations be more proactive instead of reactive. Focuses more on intelligence driven security. And this is a team sport, so information sharing is very important, as well as automation. So need a standard representation of what the threats are, and this is what STIX is. History: All started with CVE, but this just focuses on vulnerabilities. Evolved into CWE to address weaknesses. Evolved into CAPEC to describe attack patterns (about 6 years ago). Next was MAEC to describe...</description><link>http://www.secuobs.com/revue/news/389875.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389875.shtml</guid></item>
<item><title>Black Hat Day 1 Keynote Notes - Changing the Security Paradigm</title><description>Secuobs.com : 2012-07-25 20:45:43 - NovaInfosec.com - "Changing the Security Paradigm: Taking Back Your Network and Bringing Pain to the Adversary" by Shawn Henry. First, here is the official abstract: The threat to our networks is increasing at an unprecedented rate. The hostile environment we operate in has rendered traditional security strategies obsolete. Adversary advances require changes in the way we operate, and "offense" changes the game. Former FBI Executive Assistant Director Shawn Henry explores the state of the industry from his perspective as the man who led all cyber programs for the FBI. And some notes I took based mostly on my over-tweeting during the talk; I've highlighted some of the pertinent points. Overall there was a theme of translating lessons learned Shawn had in the physical world leading a group within the FBI into the cyber realm. We need to focus on training day in and day out. You play the way you practice. Talking about humans attacking humans, not computers attacking computers. Can take lessons learned from his experiences in the kinetic world at the FBI into cyber. People are mostly concerned with PII, but that's just the tip of the iceberg. Vast majority of what occurs is in the classified world. Unclassified...</description><link>http://www.secuobs.com/revue/news/389733.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389733.shtml</guid></item>
<item><title>16,000 New Password Hashes Dumped</title><description>Secuobs.com : 2012-07-25 06:33:46 - NovaInfosec.com - Wow, some people have been busy the past few days! There are three new significant password hash dumps that we discovered over on OZDC.net this evening. There is the relatively small count of 691 records from ElevateMagazine.com, followed by the slightly larger count of 1,475 from KaaBong.go.ug. But wait, there's more: almost 14,000 from TorontoHomeStaySearch.com. What is it with rental connection sites? Check out the OZDC.net analysis followed by links to the dumps below. ElevateMagazine.com Analysis / Dump (email addresses, usernames, and password hashes). KaaBong.go.ug Analysis / Dump (email addresses, usernames, and password hashes). TorontoHomeStaySearch.com Analysis / Dump (names, hashed passwords, and emails). As always, please use these dumps responsibly, i.e., for practice offline password cracking only. If possible, use some ninja scripting to strip the names, usernames and email addresses out. Got any scripting foo to share with us to strip just the password hashes out? Let us know in the comments below. Today's post pic is from Wikipedia.org. See ya!</description><link>http://www.secuobs.com/revue/news/389572.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389572.shtml</guid></item>
<item><title>Black Hat USA - The Black Hat DC Edition</title><description>Secuobs.com : 2012-07-25 04:16:07 - NovaInfosec.com - In light of the fact that there was no Black Hat DC this year, we thought it would be nice to pull together a quick post on perhaps what talks at Black Hat USA would have happened there. To figure all this out we've been perusing the Black Hat schedule, following the special events, and reading up on Twitter, and have pulled together some suggestions for those working in the federal space. Overall, the tracks for Black Hat on Wednesday include Defining the Scope, Upper Layers, Lower Layers, Mobile, Defense, Breaking Things, Gnarly Problems, Applied Workshop I, and Applied Workshop II. Of these, the Defining the Scope track seems to be the most relevant to security professionals around DC. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in other defense-based tracks, and I point them out below as well. 9:00 AM Changing the Security Paradigm: Taking Back Your Network and Bringing Pain to the Adversary. I'm not a morning person, but this keynote by Shawn Henry, former FBI Executive Assistant Director, may get me out of bed early to hear his thoughts on the recent openness on "offense"...</description><link>http://www.secuobs.com/revue/news/389542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389542.shtml</guid></item>
<item><title>More Than 8 Million Gamigo Password Hashes Released</title><description>Secuobs.com : 2012-07-24 05:07:18 - NovaInfosec.com - Last week we posted a number of articles on the recent rash of password hash disclosures related to NVIDIA, several oil companies, and a Wall Street IT recruiting firm, and unfortunately today there has been yet another HUGE password hash dump. At more than 8 million usernames, email addresses, and "encrypted" passwords (we hope they meant "hashed" there), this has been one of the largest stockpiles of hashes we've heard of. It all started back in March when the Gamigo gaming site reported a security breach that included usernames and passwords for a portion of its users. They subsequently forced all users to reset their passwords as a precaution. Fortunately for Gamigo users, the dump released today has been taken down from the original site mentioned in the oft used InsidePro.com forums. If anyone out there is concerned that the bad guys have your password, you can head over to PwnedList.com to check if your account was included, as they grabbed a copy of the dump before it was taken down. Unfortunately for those amateur password crackers out there looking for hash files to test their skills on, this list would have kept us busy for quite a long...</description><link>http://www.secuobs.com/revue/news/389296.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389296.shtml</guid></item>
<item><title>Where You Want to Be This Week for 07-23-2012</title><description>Secuobs.com : 2012-07-23 17:32:51 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Only one presentation-based meetup and two non-presentation meetups that we are sure you are going to enjoy. Also be sure to check out @grecs' weekend best bets later in the week as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Nothing Scheduled. Next Week: And for those who would like to plan ahead, here is a preview of events on our calendar for next week. Nothing Scheduled yet. Remember that Baltimore Node, HacDC, Reverse Space, and Unallocated Space are four local hacker spaces that also hold several standard activities each week, so check them out for more fun stuff to do. And be sure to subscribe to our RSS feed or follow...</description><link>http://www.secuobs.com/revue/news/389133.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389133.shtml</guid></item>
<item><title>Much Ado about Nothing (We Hope): The BlackHat Email Affair</title><description>Secuobs.com : 2012-07-22 23:48:08 - NovaInfosec.com - Being a BlackHat attendee this year, the big news of the first two days of the conference seems to be an apparent hack of the registration email system. Yesterday, apparently, attendees started receiving an email with their new usernames and passwords (as shown in the picture to the right). The folks at BlackHat have been investigating this problem closely, and the latest is that it appears to have been a staff member messing around. This person has been "spoken" to, and the part of the registration app that allowed such abuse has been disabled. Here's their official statement via BlackHat.com: Hanlon's Razor states, "Never attribute to malice that which is adequately explained by stupidity." Greetings, from one of the most hostile, and accountable networks on earth! Today approximately 7,500 of you received an email "from" Black Hat 2012, email address @itn-international.com. We love to tease people that your systems need to be ready to hold their own if joining the Black Hat network. In this frame of mind, the community very correctly expected a prank or act of malice. The far more concerning thought would be how is ANYONE other than Black Hat emailing the registered delegates for the 2012...</description><link>http://www.secuobs.com/revue/news/388941.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388941.shtml</guid></item>
<item><title>68,000 Password Hashes from Fish Enthusiast Forum</title><description>Secuobs.com : 2012-07-22 01:02:41 - NovaInfosec.com - Ahhh... YAPHB (yet another password hash breach), this time on the Cichlid Forums. The site that we originally read this story on is CyberWarNews.info, where they referenced some basic email address stats from OZDC.net (i.e., OZ Data Centa). This time around it was Yahoo! Mail that had the highest registrant count with almost 15K, followed closely by Hotmail. Clicking on the stats takes you to the information page on OZDC.net, which offers quite a treasure trove of interesting data, including those same email stats as well as submission (7/20) and attack (7/21) dates, dump size (1324 KB) and type (Breached Email Accounts), and attack method (SQLi). Included in this data is also a Source(s) reference with a link to a dump index on AnonPaste. That paste contains links to three more dumps that include 30K, 30K, and 7,686 usernames, emails, and MD5 hashes. Our first thought was... what the heck are cichlids? Well, apparently it's some type of hobby that people seem to really enjoy. Here's how the Cichlid Forums describe it: "Cichlid-Forum is dedicated to being the most extensive and accurate source for cichlid information on the internet. Cichlid-Forum is committed to promoting the cichlid hobby ...</description><link>http://www.secuobs.com/revue/news/388869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388869.shtml</guid></item>
<item><title>Weekly Rewind: Oil Companies, NVIDIA, and Wall Street Hashes Galore &amp; More</title><description>Secuobs.com : 2012-07-20 18:39:13 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "More Password Hashes to Crack from Wall Street IT Recruiter", 2) "NVIDIA Hashes: Courtesy the Apollo Project", and 1) "More Password Hashes to Crack: The Oil Company Edition". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. NVIDIA Hashes: Courtesy the Apollo Project: For those that might not be familiar with this whole NVIDIA thing, apparently they discovered (i.e., someone likely reported it to them) a potential breach of their Forums, Developer Zone, and Research sites. This brouhaha all started apparently late Thursday, when NVIDIA communicated they were deactivating their forums for security reasons. As the investigation continued, NVIDIA discovered that the bad guys potentially gained access to usernames, hashed passwords, random salts, emails, and other data associated with these forums. Note the "random salts" part; more on that later. Were you affected by NVIDIA's ...</description><link>http://www.secuobs.com/revue/news/388694.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388694.shtml</guid></item>
<item><title>Job: Security Analyst in Washington, DC</title><description>Secuobs.com : 2012-07-20 05:43:28 - NovaInfosec.com - We came across an interesting job posting from Tenacity Solutions for a Security Analyst position. Looks like a great opportunity to get in the door of an established smaller government contractor doing fun stuff in a SOC, such as network monitoring and malware analysis. You don't need a clearance to start off, but getting one while there seems like it could open up other interesting opportunities they have to offer (see the right side of the job post page). And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Security Analyst. Location: Washington, DC. Company Name: Tenacity Solutions. Job Description: Do you have an analytical mind towards information security and the desire to make the world a safer place? Do you enjoy learning about new technologies and how they can be manipulated for nefarious purposes? We are looking for a Network Security Analyst to work with our team supporting a major government civilian agency Computer Security Incident Response Center (CSIRC). As a Security Analyst, you will be given the opportunity to learn from an ...</description><link>http://www.secuobs.com/revue/news/388564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388564.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-07-20</title><description>Secuobs.com : 2012-07-20 05:43:28 - NovaInfosec.com - Here it is again: another of our weekly "Best Bets" posts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar, as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that we may have missed. Friday (7/20): DangerCon from 7:00 PM through Sunday, sponsored by Nova-Labs and FredHack (more info). Saturday (7/21): Soiree the Mini-Con from 5:00 PM at Unallocated Space (blog, more info). Sunday (7/22): Nada. Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space, as they hold several standard activities throughout the week as well. And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be ...</description><link>http://www.secuobs.com/revue/news/388563.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388563.shtml</guid></item>
<item><title>More Password Hashes to Crack from Wall Street IT Recruiter</title><description>Secuobs.com : 2012-07-19 05:34:57 - NovaInfosec.com - As reported in CIO.com's "Hacker Claims Breach of 50,000 Accounts From Wall Street IT Recruiting Firm" article (originally from ComputerWorld.com), it looks like hashes from ITWallStreet.com may have been released into the wild for all you amateur password crackers out there. Word is they aren't too difficult to crack, though. At this point there is no official confirmation from ITWallStreet.com that these dumps are valid. Wonder if we're just being duped again? Anyway, the original dumps came in 12 parts, as formally listed at this PasteSite.com post. Unfortunately, this data has since been removed, but Google cache returned the following: [ASCII art banner] "Hello there! My name is Masakaki, part of the Far-Eastern Financial District of TeamGhostShell. I'm here today to bring you all something fascinating, but before ...</description><link>http://www.secuobs.com/revue/news/388326.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388326.shtml</guid></item>
<item><title>Latest Oil Company Password Breach Faked?</title><description>Secuobs.com : 2012-07-18 19:59:16 - NovaInfosec.com - We've been getting a great response from our "More Password Hashes to Crack: The Oil Company Edition" post the other day, and I just wanted to take this opportunity to update everyone with information we've learned since the initial post and set of updates. First of all, there have been some articles misinterpreting our original intention regarding the term "email". Some have commented saying that entire email messages were exposed on the Pastebin. This is incorrect: the dump only contained email addresses and not email messages. That's what we get for not qualifying "emails" as either "email addresses" or "email messages". The second point is that we think that the dumps may have been faked. HackersMedia.com had a great breakdown of each company's dumps; however, one of the commenters, Jeremi Gosney, mentioned that he cracked the hashes and they all turned out to be random six-character passwords containing only a-zA-Z0-9. Here's what Jeremi has to say: "I cracked all of the passwords in that dump, and every single password for each user at each company was *exactly* six characters long, all contained only a-zA-Z0-9, and all appeared to be random. Extremely suspicious... like someone generated 727 random ...</description><link>http://www.secuobs.com/revue/news/388190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388190.shtml</guid></item>
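A way to turn Jeremi's observation into a repeatable check, as an added example that is not code from the original post or from the commenter: once a dump's hashes are cracked, compare the plaintexts against what a real user population looks like. People pick passwords of many lengths, lean on dictionary favourites and repeat each other, while a fabricated set of random six-character alphanumerics does none of that. The COMMON shortlist, the sample dumps, and the 20-entry minimum sample are assumptions of this example.

```python
"""Added example (not NovaInfosec's or Jeremi Gosney's code). A plausibility
check for a credential dump once its hashes are cracked: real users choose
passwords of many lengths, reuse dictionary favourites and repeat each
other, while a fabricated dump of random same-length alphanumerics does
none of that. COMMON and the sample dumps are constructed."""
import collections
import random
import string

ALNUM = set(string.ascii_letters + string.digits)
# Constructed shortlist of perennial favourites; a real check would use a big wordlist.
COMMON = {"123456", "password", "12345678", "qwerty", "abc123",
          "letmein", "iloveyou", "monkey"}


def dump_stats(passwords):
    """Summarise a list of recovered plaintexts."""
    pws = list(passwords)
    lengths = collections.Counter(len(p) for p in pws)
    mixed = sum(1 for p in pws
                if any(c.islower() for c in p)
                and any(c.isupper() for c in p)
                and any(c.isdigit() for c in p))
    return {
        "count": len(pws),
        "distinct_lengths": len(lengths),
        "all_alnum": all(set(p).issubset(ALNUM) for p in pws),
        "mixed_case_and_digit": mixed,
        "common_hits": sum(1 for p in pws if p.lower() in COMMON),
        "duplicates": len(pws) - len(set(pws)),
    }


def looks_generated(passwords, min_sample=20):
    """True when a dump is uniform in ways real users never are: one length,
    one character class, every entry mixing case and digits, no repeats,
    no dictionary favourites. Needs a decent sample; tiny inputs return
    False rather than guessing."""
    s = dump_stats(passwords)
    if s["count"] in range(min_sample):
        return False
    return (s["distinct_lengths"] == 1
            and s["all_alnum"]
            and s["mixed_case_and_digit"] == s["count"]
            and s["common_hits"] == 0
            and s["duplicates"] == 0)


def fake_dump(n, length=6, seed=0):
    """Reproduce the suspicious pattern: n distinct random alphanumerics of
    one length, each mixing lower, upper and digit. Deterministic via seed."""
    rng = random.Random(seed)
    out, seen = [], set()
    while len(out) != n:
        chars = [rng.choice(string.ascii_lowercase),
                 rng.choice(string.ascii_uppercase),
                 rng.choice(string.digits)]
        chars += [rng.choice(string.ascii_letters + string.digits)
                  for _ in range(length - 3)]
        rng.shuffle(chars)
        pw = "".join(chars)
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


if __name__ == "__main__":
    suspicious = fake_dump(727)
    human = ["123456", "password", "Summer2012", "letmein", "123456",
             "jennifer1", "qwerty"] * 4
    for label, dump in [("suspicious", suspicious), ("human", human)]:
        print(label, dump_stats(dump), "generated?", looks_generated(dump))
```

looks_generated is a heuristic for flagging a dump for closer scrutiny, not proof of fabrication: a site that issued random initial passwords and never let users change them would trip it too, so treat a hit as a reason to ask the alleged victim, as the post does, rather than as a verdict.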
<item><title>NIST Releases Second Draft of Security ID Standards</title><description>Secuobs.com : 2012-07-18 06:33:46 - NovaInfosec.com - We came across this press release requesting comments on the National Institute of Standards and Technology's (NIST) latest document and thought we'd pass it on to you. The announcement we saw on InfosecIsland.com discusses the second draft release of their security guidance for Personal Identity Verification (PIV) cards. All federal employees and contractors would be required to use cards that adhere to this guidance. But before NIST publishes the final draft, they are looking for your input. The document, Personal Identity Verification of Federal Employees and Contractors, is available on their FIPS publication page. Comments on the document should be submitted by email to piv_comments@nist.gov and must be received by August 10, 2012. For those that are interested, NIST has organized the Revised Draft FIPS 201-2 Workshop for July 25th "to exchange information on Revised Draft FIPS 201-2, answer questions, and provide clarifications regarding the Draft". Let NIST know what you think! Via InfosecIsland.com: "The National Institute of Standards and Technology (NIST) has released the second-round draft version of its updated security standard for identity credentials in the Personal Identity Verification cards (PIV cards) that all federal employees and contractors must use. NIST is requesting comments from the public on the document, which is intended ...</description><link>http://www.secuobs.com/revue/news/388053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388053.shtml</guid></item>
<item><title>Job: Cyber Threat Intelligence Vulnerability Management Consultant in Arlington, VA</title><description>Secuobs.com : 2012-07-17 22:05:37 - NovaInfosec.com - We came across a very interesting job post from Deloitte &amp; Touche. They are seeking a Senior Consultant to manage threat intelligence and vulnerabilities. This seems like a good opportunity for someone with strong technical skills, a financial background, and a willingness to travel. It doesn't look like a formal government clearance is needed; however, I'm sure they'll be pretty thorough, as the finance sector can sometimes be more stringent. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Cyber Threat Intelligence Vulnerability Management Consultant. Location: Arlington, VA. Company Name: Deloitte &amp; Touche. Job Description: We are seeking the best Vulnerability Management talent to join our Security and Privacy Services team. To succeed in today's network economy requires more than simply a focus on IT issues; it also requires a focus on security strategy and management. Deloitte &amp; Touche's Security and Privacy Services practice provides services that address how to take advantage of this dynamic situation while managing risks, and are based on an enterprise-wide approach that focuses on security through seven areas: Application Integrity ...</description><link>http://www.secuobs.com/revue/news/387869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387869.shtml</guid></item>
<item><title>Where You Want to Be This Week for 07-16-2012</title><description>Secuobs.com : 2012-07-16 20:52:27 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Only one presentation-based meetup and two non-presentation meetups that we are sure you are going to enjoy. Also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Tuesday (7/17): ISSA DC Meetup, "TBD" by Marcus Ranum at Government Printing Office Room A138 from 6:30 to 8:30 PM (more info). Next Week: And for those who would like to plan ahead, here is a preview of events on our calendar for next week: Nothing scheduled yet. Remember that Baltimore Node, HacDC, Reverse Space, and Unallocated Space are four local hacker spaces that also hold several standard activities each week, so check them out for more fun ...</description><link>http://www.secuobs.com/revue/news/387564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387564.shtml</guid></item>
<item><title>More Password Hashes to Crack: The Oil Company Edition</title><description>Secuobs.com : 2012-07-16 07:35:29 - NovaInfosec.com - Nothing super large, but @digitalsec4u pointed out some recent postings on Pastebin by Anonymous with a good possible supply of hashes you may want to test your cracking skillz against. The data includes emails and passwords from various oil companies, including Shell and BP. Phase I of the dump occurred on June 26 and included 317 emails and corresponding MD5-hashed passwords, along with some cool ASCII art. Phase II, posted on July 13th, also with the aforementioned cool ASCII art, contained 26 emails and clear-text passwords as well as 724 emails and hashed passwords. There wasn't a clear indication of the hashing algorithm used in the second dump. Here are links to the two dumps for any password cracking hobbyists out there. Phase I: pastebin.c0m/1ca3BR19. Phase II: pastebin.c0m/b79cJV5f. That's all for now. Today's post pic is from tumeke.blogspot.com. See ya!</description><link>http://www.secuobs.com/revue/news/387407.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387407.shtml</guid></item>
<item><title>Nvidia Hashes: Courtesy The Apollo Project</title><description>Secuobs.com : 2012-07-15 00:23:34 - NovaInfosec.com - A few people have asked me if I came across these hashes. After skimming Twitter and asking for some assistance, it looks like the perpetrators of the Nvidia admin forum breach posted all the data over on Pastebin. Thanks to @dinosn for the original tweet, @mubix for retweeting, and @unlockedwheel for the info. According to the post, it is a dump of the "users" table of this particular app. The data held in the app includes, among other things, the username and their associated password hash and email. So for all those password crackers out there, here ya go: http://pastebin.c0m/G21ytATD. Here's the warning provided to some of the developers (courtesy CyberCrimesUnit.com). Enjoy the rest of your weekend. See ya!</description><link>http://www.secuobs.com/revue/news/387307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387307.shtml</guid></item>
<item><title>Weekly Rewind: Formspring Breach, Nikto 101, Internet Blackout &amp; More</title><description>Secuobs.com : 2012-07-14 22:16:37 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "Internet Blackout Looming: Like Tonight", 2) "How-To: Nikto 101", and 1) "Formspring Breach: Let the Password Cracking Commence". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Internet Blackout Looming: Like Tonight: OK, maybe the title is a little sensationalist; it deals with the whole DNSChanger thing the FBI announced back in November that we've written about before. As a reminder, this whole debacle is the result of Operation GhostClick. As part of the take-down, the FBI took over a botnet back in November and, as a shim, they set up temporary DNS servers to keep DNSChanger Trojan-infected computers running properly. The servers were set to go offline back in March, but for various reasons the FBI extended the deadline to July 9th. What's your take on this? Let us know (continued here). How-To: Nikto 101: Being ...</description><link>http://www.secuobs.com/revue/news/387302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387302.shtml</guid></item>
<item><title>Grecs' Weekend Best Bets for 2012-07-13</title><description>Secuobs.com : 2012-07-13 22:12:12 - NovaInfosec.com - Here it is again: another of our weekly "Best Bets" posts. As we've previously noted, most local meetups seem to be crowded into weekday evenings with almost nothing on the weekend. The purpose of this post is to advertise some of the smaller events that are occurring over the weekend. Most of these events occur at local hackerspaces. Usually we don't include hackerspace activities in the full calendar, as they tend to bury everything else. Anyway, here are some happenings I've picked through that you might want to attend this weekend. You can also use the comments of this "Best Bets" post to announce or discuss other events happening this weekend that we may have missed. Friday (7/13): "x86 and ARM assembly" from 6:30 PM at Unallocated Space (more info). Saturday (7/14): LAN Party at Unallocated Space (more info). Sunday (7/15): Nada. Remember to check out some of the other activities at Baltimore Node, HacDC, Nova Labs, Reverse Space, and Unallocated Space, as they hold several standard activities throughout the week as well. And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be alerted about any last-minute events or to ...</description><link>http://www.secuobs.com/revue/news/387181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387181.shtml</guid></item>
<item><title>Would Encryption Have Helped Yahoo?</title><description>Secuobs.com : 2012-07-13 19:06:03 - NovaInfosec.com - So while we've been focusing on the whole Formspring password hash release thing, it seems there was yet another huge password dump of a service I may or may not use. This time there wasn't any SHA-256 hashing with pretend random salt, or even the poster stripping out other useful information such as emails and usernames. It is a raw text file dump with a bunch of information extracted from what appears to be some kind of database dump, including over 450K emails and passwords, all in clear text. Of course the victim this time is Yahoo! @mubix uncovered the affected domain as dbb1.ac.bf1.yahoo.com, and then someone else figured out this domain was mapped to Yahoo's Voices service. Based on the information gathered, it appears that the attacker used SQLi to extract the information. The dump appears to be a bit older; however, since most people use the same emails and passwords for years, this probably doesn't matter that much. And as usual, Yahoo has forced a password reset, so I'd advise heading on over there and resetting your password. Many of the other writeups on this breach focus on the fact that all this data was available ...</description><link>http://www.secuobs.com/revue/news/387147.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387147.shtml</guid></item>
<item><title>Formspring Breach: Let the Password Cracking Commence</title><description>Secuobs.com : 2012-07-11 16:37:30 - NovaInfosec.com - Some of you may have seen my tweet late last night around midnight that I received a cryptic email an hour or so earlier from Formspring, a service that I once used to help answer other people's questions, saying that they were requiring a password reset upon the next login. No real explanation as to why, as you can see in the email screenshot below, but I just figured they had a password breach. Sure enough, a quick scan of the news this morning and I came across the story on CNET below mentioning that over 420K password hashes showed up in an underground forum. Note: as far as I can tell, I haven't found any links to the hash dumps yet, but I'm sure they'll turn up soon. Reading a little further on Formspring's related blog post, the good news is that all passwords were salted and hashed using SHA-256. Hopefully they were using unique salts per user as well. This is much better than the unsalted SHA-1 previously used at LinkedIn; however, since SHA-256 is a fast hash, weak passwords will still most likely fall fairly quickly. And effective immediately, Formspring is upgrading the authentication algorithm to bcrypt, something we've discussed before. Assuming that Formspring just found ...</description><link>http://www.secuobs.com/revue/news/386620.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386620.shtml</guid></item>
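The trade-off the post describes, as an added example that is not code from the original post or from Formspring: a per-user salt forces an attacker to hash each candidate once per user instead of once per dump (and kills precomputed tables), but with a fast hash such as SHA-256 a short wordlist still recovers the weak passwords almost instantly, which is what moving to a slow, tunable function like bcrypt is meant to change. The user table, the five-word wordlist, and the use of hashlib.pbkdf2_hmac as a standard-library stand-in for bcrypt are all assumptions of this example.

```python
"""Added example (not NovaInfosec's or Formspring's code). Shows why a salt,
and a unique salt per user, matters against a leaked table of SHA-256
hashes, and why weak passwords still fall when the hash is fast. The user
table and the five-word wordlist are constructed. bcrypt, which the post
says Formspring is moving to, is stood in for by hashlib.pbkdf2_hmac so the
script runs with only the standard library."""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]  # constructed


def sha256_salted(password, salt):
    # Fast hash: a single SHA-256 over salt || password. Cheap for the
    # site, equally cheap for whoever holds the dump.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_kdf(password, salt, rounds=50_000):
    # Slow KDF standing in for bcrypt: every guess costs `rounds` HMACs.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_user_table(users, hash_fn=sha256_salted, shared_salt=None):
    """users maps name to plaintext; result maps name to (salt, hash).
    shared_salt reproduces the one-salt-for-everyone anti-pattern; the
    default draws 16 random bytes per user."""
    table = {}
    for name, password in users.items():
        salt = os.urandom(16) if shared_salt is None else shared_salt
        table[name] = (salt, hash_fn(password, salt))
    return table


def verify(table, name, password, hash_fn=sha256_salted):
    """Login check against the stored record; constant-time compare."""
    if name not in table:
        return False
    salt, stored = table[name]
    return hmac.compare_digest(stored, hash_fn(password, salt))


def dictionary_attack(table, hash_fn=sha256_salted, wordlist=WORDLIST):
    """Hash every wordlist entry under every distinct salt and look for
    matches. Returns (cracked, work): cracked maps name to recovered
    password; work counts hash invocations, which is what the attacker
    pays. One shared salt means one hash per candidate covers all users;
    unique salts multiply the work by the number of users."""
    cracked = {}
    work = 0
    for salt in {salt for salt, _ in table.values()}:
        for word in wordlist:
            work += 1
            digest = hash_fn(word, salt)
            for name, (user_salt, stored) in table.items():
                if user_salt == salt and hmac.compare_digest(stored, digest):
                    cracked[name] = word
    return cracked, work


if __name__ == "__main__":
    users = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor3x"}
    for label, table, fn in [
        ("shared salt, SHA-256", make_user_table(users, shared_salt=b"\x00" * 16), sha256_salted),
        ("unique salts, SHA-256", make_user_table(users), sha256_salted),
        ("unique salts, slow KDF", make_user_table(users, hash_fn=slow_kdf), slow_kdf),
    ]:
        cracked, work = dictionary_attack(table, fn)
        print(f"{label}: cracked {sorted(cracked)} with {work} hash calls")
```

Running it prints, for each of the three configurations, which users fell and how many hash calls it cost: the shared-salt table costs one call per wordlist entry for all users, unique salts cost one per entry per user, and the slow KDF keeps the same count but makes each call tens of thousands of times more expensive. In every configuration the two dictionary passwords fall; only the cost per guess changes, which is why the salt alone is not the good news.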
<item><title>Job: Cyber Security Lead in Herndon, VA</title><description>Secuobs.com : 2012-07-11 15:49:10 - NovaInfosec.com - We came across this job post for a Cyber Security Lead at Northrop Grumman and thought it might be a good fit for a more experienced IT professional, if you have the right tickets. Looks like it could be a good opportunity for someone with management and advanced network operations experience. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: Cyber Security Lead. Location: Herndon, VA. Company Name: Northrop Grumman. Job Description: Northrop Grumman is seeking a Cyber Security Lead (Red Team Lead) to join our team of qualified and diverse individuals to lead a Cyber Red Team's activities in support of our customers. This position will be located at Herndon, VA. The qualified applicant will become a leader in Northrop Grumman's Cyber &amp; Non-Kinetic Effects Team and be responsible for managing Red Team activities around the world in support of vulnerability assessments, penetration testing, and training / training development. Additional responsibilities may include: Designs, tests, and implements state-of-the-art secure operating systems, networks, and database products. Conducts risk assessment and provides recommendations for ...</description><link>http://www.secuobs.com/revue/news/386613.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386613.shtml</guid></item>
<item><title>Poll: Know Anyone that Lost Internet Access Due to DNSChanger?</title><description>Secuobs.com : 2012-07-10 21:18:59 - NovaInfosec.com - It's been a while since we've done a poll, and given the big Internet blackout scare on Sunday night, it seemed like the right time. If you aren't familiar with this whole brouhaha, it is the result of the FBI's Operation GhostClick, which involved arresting six Estonian nationals charged with infecting users with the DNSChanger Trojan for Internet fraud purposes. As part of the take-down, the FBI took over their botnet back in November and, as a shim, they set up temporary DNS servers to keep DNSChanger Trojan-infected computers running properly. The servers were set to go offline back in March, but for various reasons the FBI extended the deadline to right after midnight Sunday earlier this week. Anyway, we thought we'd run a quick survey to see how many people you know that lost Internet access because of the recent shutdown of the FBI-run DNS servers. Yeah, we know many ISPs have set up servers to continue to let these infected machines communicate, but we'll ignore those for now. If there are other answers I may have missed or opinions you want to mention, please add them to the comments below. And as usual, let us know if ...</description><link>http://www.secuobs.com/revue/news/386433.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386433.shtml</guid></item>
<item><title>Infosec Job Growth Reportedly Flat?</title><description>Secuobs.com : 2012-07-10 16:30:01 - NovaInfosec.com - We came across an interesting article from InfoRiskToday.com, which states that job growth in the information security field is now flat, according to the most recent quarterly Bureau of Labor Statistics (BLS) data. Hmmm, this contradicts many other articles we've recently highlighted on our website stating the opposite: that infosec job growth is actually on the rise, and significant growth is being predicted for the future. The article goes on to state that the lack of growth may not be due to a lack of jobs, but a lack of qualified IT professionals to fill those slots. Or that in many cases, security positions are filled by someone with a different title, such as a CIO or a network administrator. Near the end of the article, the ISMG Network tries to more accurately interpret the BLS data, but it still looks "flat". Either way, it begs the question, given the predictions for dramatic growth in the infosec field that we came across previously. Via InfoRiskToday.com: "What the new United States Bureau of Labor Statistics data on IT security employment fail to show is the demand for those with information security know-how. Information Security Media Group's analysis of BLS statistics reveals virtually no growth in ...</description><link>http://www.secuobs.com/revue/news/386333.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386333.shtml</guid></item>
<item><title>Where You Want to Be This Week for 07-09-2012</title><description>Secuobs.com : 2012-07-09 17:39:54 - NovaInfosec.com - Where do you want to be this week? Now you'll always know with our "Where You Want to Be This Week" feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Only one presentation-based meetup and two non-presentation meetups that we are sure you are going to enjoy. Also be sure to check out @grecs' weekend best bets later in the week, as we might have something else you'd be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week: Monday (7/9): NoVA Hackers Association Meetup, normal meetup at QinetiQ, Reston from 5:30 to 8:30 PM (more info). Tuesday (7/10): OWASP DC Meetup, "OWASP Top Ten Tools and Tactics" by Russ McRee and "Ninja Assessments: Stealth Security Testing for Organizations" by Kevin Johnson at Hilton Hotel, Washington from 7:15 to 9:30 PM (more info). Thursday (7/12): OWASP NoVA Meetup, normal meetup at Living Social, Reston from 6:30 to 9:00 PM (more info). Next Week: And for those who would like to plan ...</description><link>http://www.secuobs.com/revue/news/386125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386125.shtml</guid></item>
<item><title>How-To: Nikto 101</title><description>Secuobs.com : 2012-07-09 16:03:20 - NovaInfosec.com - Being the owner of a website and a security pro, I felt I really needed to refresh my memory on Nikto for an upcoming test. It's been a fairly long time since I last needed to use it. Since I have a blog now, I thought it may be a good idea to write up my notes as a reference for myself. Being at RVASec and getting to meet the original creator @chrissullo was the final motivation to relearn this useful tool and pull everything together as a reference. For the impatient types, you just need to execute the following three commands in BackTrack 5 R2 to perform a basic scan: cd /pentest/web/nikto; ./nikto.pl -update; ./nikto.pl -host ... -output ... (the -update step refreshes the plugin and signature database first, so run it before scanning). Now for those that want to learn the ins and outs, here are some more details. First, if you aren't familiar with this awesome tool, check out this description from the Nikto website: "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such ...</description><link>http://www.secuobs.com/revue/news/386103.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386103.shtml</guid></item>
<item><title>Internet Blackout Looming: Like Tonight</title><description>Secuobs.com : 2012-07-08 17:28:56 - NovaInfosec.com - OK, maybe the title is a little sensationalist; it deals with the whole DNSChanger thing the FBI announced back in November that we've written about before. As a reminder, this whole debacle is the result of Operation GhostClick. As part of the take-down, the FBI took over a botnet back in November and, as a shim, they set up temporary DNS servers to keep DNSChanger Trojan-infected computers running properly. The servers were set to go offline back in March, but for various reasons the FBI extended the deadline to tomorrow, July 9th. Wow, from November 2011 that's a full nine months of potentially virus-laden computers (beyond that of just DNSChanger) on the Internet causing even more havoc. Additionally, so far $87,000 of our taxpaying dollars have gone to setting up and running these DNS servers. Given these two facts, from one point of view our government may have actually paid to keep this other malware active on those computers. I can see maybe keeping the servers going for a few months, as the malware previously infested millions of computers, but nine months is a bit extreme. Still, over the past few months we've made great strides in helping reduce ...</description><link>http://www.secuobs.com/revue/news/386003.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386003.shtml</guid></item>
<item><title>Weekly Rewind: NetSec Careers, Mock Interviews, Wickr &amp; More</title><description>Secuobs.com : 2012-07-07 15:43:06 - NovaInfosec.com - Welcome to another edition of our Weekly Rewind, where we summarize all our posts from the last week. The top stories this week were 3) "Wickr Looks Promising, But Will It Catch On?", 2) "Mock Infosec Job Board", and 1) "Incident Response and Malware Analysis Keys to Solid Network Security Career". If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier, you can also use this rewind post to talk about the security stories in the news that we haven't covered. Reminder: Always Use More than One AWS Zone: The storm this past weekend knocked out power for hundreds of thousands in and around NoVA, including four popular websites using Amazon's NoVA data center. These sites included Netflix, Instagram, Pinterest, and Heroku. Although the services were back up in no time, it did cause problems. Did the storm affect any of your AWS-hosted services? Let us know (continued here). Mock Infosec Job Board: A few weeks ago we came across a great little service started by @elizmmartin called the Mock Infosec Job Board. As noted in the description on their site, ...</description><link>http://www.secuobs.com/revue/news/385946.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385946.shtml</guid></item>
<item><title>Kid Hacking: Defcon Kids</title><description>Secuobs.com : 2012-07-06 17:17:22 - NovaInfosec.com - It's been a while since I pulled one of these "Kid Hacking" posts. I previously discussed ways to introduce your kids to the wonderful world of "programming" and "computers". With DefCon just a few short weeks away, I wanted to touch on an effort started last year called Defcon Kids. As noted on their homepage: "DEFCON Kids is a not-for-profit dedicated to teaching kids around the world how to love being a white-hat hacker. A white-hat hacker is someone who enjoys thinking of innovative new ways to make, break and use anything to create a better world." Last year's event was a huge success, with over 200 parents and kids attending and two full days of classes (e.g., puzzle solving, Google hacking, and meet the feds), workstations (e.g., eggbots and codebreaking), and contests (e.g., CTF and lockpicking). You can read about some of the activities from last year, as the event received a fair amount of press coverage. The following are just a few of the many articles noted on their site: DefCon Kids Guides Young Hackers to do Good (USAToday.com); Children Learn to Be Hackers at DefCon Kids Event (RollingStone.com); Tween Hacker's Time-Travel Trick (DarkReading.com); 10-Year-Old Hacker ...</description><link>http://www.secuobs.com/revue/news/385830.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385830.shtml</guid></item>
<item><title>Job: SOC Manager in Reston, VA</title><description>Secuobs.com : 2012-07-06 16:25:04 - NovaInfosec.com - We came across this job post and thought it might be a good fit for some of those more experienced out there. No clearance is required, so that's a nice refreshing feel for a job around DC. Plus the position is located out in Reston, which sounds like a good location for those that may live further out. And don't forget: if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway, on to the job post. Title: SOC Manager. Location: Reston, VA. Company Name: Fannie Mae. Job Description: Code, test, and debug new software and make enhancements to existing software and systems to render their use more efficient. Using knowledge of systems engineering or computer programming, troubleshoot existing systems and streamline their operation. Maintain, patch, and program operating systems to allow applications running on them to function efficiently. May document standard operation of a system or technical measures taken or recommended to improve a system's functionalities. Key Job Functions: Assign staff and monitor their conduct of platform or operating system vulnerability scans that assess exposure of system to attacks or hacking. Monitor ...</description><link>http://www.secuobs.com/revue/news/385820.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385820.shtml</guid></item>
</channel>
</rss>
 
