From Paul's Security Weekly
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 306 for Thursday October 25th, 2012
- NEW: Register for Offensive Countermeasures: Defensive Tactics That Actually Work, being offered at SANS CDI.
- Be sure to check out The Stogie Geeks Show! For cigar enthusiasts, by cigar enthusiasts.
- Bsides everywhere baby! Likely there is one near you, so check the web site www.securitybsides.com
Tech Segment: Pushpin
Remember Pushpin? Yeah, the cool tool that pulls all the tweets, YouTube videos, pictures and Shodan info for a location?
It is now public.
Give @Lanmaster53 some love on Twitter.
- Hack3rcon 3 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) - Check out some videos from Hack3rCon, including our very own Larry Pesce and Carlos Perez!
- Big security on a shoe-string budget - This is a "coming soon" type of post, but it got me thinking: what do you recommend for smaller businesses to implement security on a budget? Let's start with the example where you have a small IT staff and one person dedicated to security; what's in your toolkit? For one, I gotta have some Linux distribution on cheap hardware that is monitoring the network, and my recommendation is going to be the Security Onion distro. Put one monitoring Internet traffic and one on the internal network, and monitor stuff. This greatly contributes to "knowing your network". Next, with some more cheap hardware, collect syslog and other logs on a syslog server. Use command line tools to analyze the data, or some open source tools such as OSSIM. Next, and yes I am biased, spend $1500 per year and get a copy of Nessus; you get A LOT of value. You can schedule regular scans, detect missing patches, audit the configuration of your systems, gain insight into mobile, generate reports for people to patch stuff, detect botnet hosts and more. Not only know your network, but scan yourself and fix the problems you find! But more important, what are your suggestions?
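As an added example for the "collect syslog, then use command line tools to analyze the data" step above (not from the show or any of the tools it mentions), here is a small POSIX shell script that tallies failed SSH logins per source address from syslog-style lines and flags the noisy ones. The log lines, hostnames and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: first-pass analysis of sshd entries on a cheap syslog box.
# Constructed sample syslog lines (hypothetical hosts, documentation-range IPs).
SAMPLE_LOG='Oct 25 09:01:02 web01 sshd[4123]: Failed password for root from 198.51.100.23 port 52211 ssh2
Oct 25 09:01:05 web01 sshd[4123]: Failed password for root from 198.51.100.23 port 52213 ssh2
Oct 25 09:01:09 web01 sshd[4123]: Failed password for invalid user admin from 198.51.100.23 port 52220 ssh2
Oct 25 09:02:11 web01 sshd[4130]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Oct 25 09:03:44 db01 sshd[2210]: Failed password for postgres from 203.0.113.7 port 61000 ssh2
Oct 25 09:04:01 db01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)'

# failed_by_source: read syslog lines on stdin, print "count ip" for every
# source address with failed SSH password logins, most frequent first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# noisy_sources: print only the source addresses with at least THRESHOLD
# failures (default 3), i.e. the ones worth a closer look or a firewall rule.
noisy_sources() {
    threshold="${1:-3}"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run: full tally, then the sources over the threshold.
echo "$SAMPLE_LOG" | failed_by_source
echo "--- sources with 3 or more failures ---"
echo "$SAMPLE_LOG" | noisy_sources 3
```

On a real syslog server, replace the embedded sample with `cat /var/log/auth.log | failed_by_source` or feed the collector's output through the same functions; the regex matches only the stock OpenSSH "Failed password" message, so extend it if your hosts log other failure variants.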
- IP theft attacks can hide on networks for years - We've all known this; we tell people all the time that the bad guys are in your network. Check this out: A Verizon report [PDF] reports just 101 incidents of intellectual property theft - around 12 percent of the total data breach incidents it documented - during 2011, but attacks that stole intellectual property were both longer-lasting and more complex than other data breach incidents. Attackers commonly relied on both external agents and insiders to carry out the attacks. Insiders, eh? How do you detect the malicious insider? How do their behavior patterns change? I think you require a deeper level of intelligence gathering to figure this out, but as an organization in IT, how do you really prevent this from happening? I truly believe that technology aimed at prevention will fail against insiders. Some people just need access to the data, and the problem gets deeper into finding out who may benefit, and how, from selling your IP.
- 10 steps for writing a secure BYOD policy - I think this really boils down to choosing a technology, setting a policy, enforcing it, and educating your employees. Monitoring is important: how are employees getting at your data? Is it from an Android phone that has no patches? Technology is starting to emerge that will help control this scenario.
- 3Com, HP, and H3C Switches SNMP Configuration Lets Remote Users Take Administrative Actions - It just amazes me how many issues are uncovered with management protocols such as SNMP. Also amazing is how few people really work hard to fix them. This is one of the things that must exist on your network, and it doesn't cost that much. Make sure everything connected to your network is managed securely; it speaks volumes to your security.
- Hackers Steal Customer Data From Barnes And Noble Keypads - This one hit home; stores in RI were affected. Fairly low-tech hack, but it shows that criminals are going to quickly migrate to using technology to make money.
- Boeing zaps PCs using CHAMP missile microwave attacks - EMP anyone? Yeah, this may be a reality.
- Huawei gear secure! - [Larry] - How do we know? The government said so! I think that the congressional report (which I have not read) misses the mark a bit, in that it seemed, from the tone of the article, it addresses more wireless stuff than carrier grade equipment. To also quote FX, you can't plead ignorance to a backdoor when your code is SO BAD and vulnerable that you don't need one.
- PS3 Encryption keys - FINISH HIM! - [Larry] - Ummm, storing static crypto keys in hardware is bad, Mkay!
- B&N payment terminals hacked - [Larry] - This is a story out of NY, but affects us Rhode Islanders as well. All 3 of our B&N stores were affected with "bugs" harvesting magstripe and pin data. Allegedly only one device per store (how do they know?) and that the devices were discovered and the FBI asked to have the devices stay up for a month while they investigated…
- WANT! - [Larry] - Michael Ossman is up to more good things, this time with HackRF, an inexpensive ($300) SDR that will transmit as well.
- PsPing - Yeah, a few weeks old now, but in case you missed it, a new tool from Sysinternals. "PsPing is a command-line utility for measuring network performance."
- New old news from Verizon's DBIR - The good folks at Verizon have sliced and diced this year's DBIR across a number of industries: Financial and Insurance, Healthcare, Accommodations, Food Service, and Retail. Intellectual Property theft cases were also reviewed.
- The EU is still whining about Microsoft - Maybe they should stop picking on them and also stop screwing the global economy.
- According to the Register there will be no SP2 for Windows 7, so get used to applying more and more updates to new systems.
- Top 35 Mitigation Strategies per the Australian Defence Signals Directorate (DSD) - A great list, and interesting that application whitelisting has made it to the number one recommendation.
- Security breach reveals PII from thousands of Florida students - This one really hits home with me because I made the mistake of graduating from a Florida school during this time period.
- How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole - This one is very fascinating to me. This was discovered by an "in the wild" e-mail, so I wonder how long this has been going on, and if this recruitment email was real.
- 11 million Facebook details for sale - This sale listing created big waves in the internet-o-sphere. It was deleted by the user this morning, but the cached version is still up.
- Blog talking about this Facebook info sale - Apparently Facebook gave this guy a phone call due to his blog post and tried to intimidate him.