SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 316 for Thursday January 17th, 2013
- Offensive Countermeasures in Europe! - March 12-15 in Amsterdam!
- For the first time ever, BSides is coming to Rhode Island. Paul will be co-organizing BSides Rhode Island with the latest PaulDotCom
victimintern Patrick Laverty. Saturday, June 15 in Providence, Rhode Island. You can get in touch with us at BSidesRhodeIsland@gmail.com. Our Twitter handle is http://twitter.com/BSidesRI and our site is at http://www.securitybsides.com/BSidesRI We have two confirmed speakers!
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts.
- Tuesday January 29th 2pm ET
Many organizations use Java as a regular, if not critical, part of the IT infrastructure. Yes, this even applies to applets. Over the past few weeks there have been more than a few new 0-days for Java. Now, we have a large number of Infosec Pros calling for organizations to simply uninstall Java. Recommendations like this are dangerous. Every time we say things like "Don't use IE!! Uninstall Adobe Acrobat!! Uninstall Java!!" we get a little further down the path of total irrelevance to management and the rest of the IT community.
It is time to stop.
In this webcast John and Paul will be discussing some approaches for securing your Java programs. This webcast will be of use to any infosec pro who has to secure the insecure. It will also be of use for any penetration testers looking for ways to document mitigations for their customers beyond simply recommending patches and not using software
Discussion: Gene Kim & Josh Corman talk InfoSec Burnout
Gene Kim, author of the recently released "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" and Josh Corman, Director of Security Intelligence at Akamai Technologies give us a possible way to avoid InfoSec Burnout
Some of the InfoSec Burnout research is covered in Jack's presentation at the Louisville InfoSec Conference in October, at Irongeek's site: http://www.irongeek.com/i.php?page=videos/louisville-infosec-issa-2012#Keynote_Jack_Daniel_InfoSec_Stress_&_Community_
The PDC crew were given review copies and you can find our reviews below:
- Join us on our first ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library and we indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
- Disable Java in your browsers now - So, I did. I disabled Java. In all of my browsers too. I use Chrome, Firefox and Safari. Turns out Java wasn't even installed in Chrome, which is the browser I use to access the web. Disabling it is kind of a pain, but I also installed the latest version. Why? You just never know when an application, like an RSS reader, might just load up Java.
- Whistleblower sheds light on global zero day exploit market - So I have an issue with exploits being referred to as weapons. Example: "If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops - it's the same concept," Its really not, because with people, we are all inherently vulnerable to gun fire. There is little we can do to become Suprman and have guns not work on us humans. With software, there is a patch. The only reason an exploit works, is because there is a flaw in the software or configuration. Not the case for guns, as this would mean that a gun that would only have to fire and kill someone if a programmer made a mistake and didn't patch it. The variable missing here is the software vendor, which can render these "weapons" useless. I'd also argue that a payload is much closer to a weapon than an exploit.
- Security Researchers Expose Bug In Medical System Used With X-ray Machines - Nothing new here, just some important technology that is vulnerable to attack because they never thought of security. Its interesting too, they try to do this whole security in obscurity thing. You don't often get the chance to send packets at an X-Ray machine. So they bought one. And, it came from a hospital, complete with asset tags. Simple fuzzing found vulnerabilities in the management plane, which is separate from the X-ray machine itself (so you can't nuke people). Fun fact: German physicist Wilhelm Röntgen is usually credited as the discoverer of X-rays in 1895, because he was the first to systematically study them, though he is not the first to have observed their effects.
- Microsoft vows to improve security tools after failed evaluation - Microsoft vowed on Wednesday to improve two of its security products after both failed to pass an evaluation by a Germany security software testing organization. Maybe because hacking tools are outlawed in Germany, the company couldn't find any flaws! Ha!
- Verizon Business Security Blog » Blog Archive » Case Study: Pro-active Log Review Might Be A Good Idea - This case study involves Bob, boy he is a popular guy! Bob was last seen working for a software company as a programmer, was praised for his great work and generally considered the best programmer in the company. However, he was secretly outsourcing all his programming work to China! Here's how his day went: 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos 11:30 a.m. – Take lunch 1:00 p.m. – Ebay time. 2:00 – ish p.m Facebook updates – LinkedIn 4:30 p.m. – End of day update e-mail to management. 5:00 p.m. – Go home
- Bug Bounty ≈ Packet Storm - This is interesting, they have posted a bounty list. Also, they used the term 0.5 day.
- Actively Review Logs - Catch people outsourcing their own job to China and watching cat videos all day. A company discovered open and long term VPN connections to China. Clearly, the first thought is there's some kind of malware connecting and/or someone's credentials have been compromised and someone's in your network stealing things. The credentials idea seemed feasible as the connection was always to one employee's computer. However, after further investigation, this employee (a developer) had simply outsourced his job to someone in China for one-fifth of his own salary! One way to stop this would be two-factor authentication right? Nope. He Fed-Exed his RSA token to the firm in China. Hello kittehs.
- Congress Loves Them Torrents - Another "Do as I say, not as I do" here. A company who monitors IP addresses for BitTorrent companies indicated that IP addresses from the US House have been seen downloading media. Some of the shows downloaded included Dexter (probably just some "anti-violence research), CSI (more research) and Glee (I got nothin' on this one). They are also downloading movies like Dark Knight Rises and Life of Pi. I guess there's nothing like being held to a higher standard than the rest of us.
- Nokia Decrypts HTTPS Traffic - But they say to trust them, they're not reading it. They're decrypting "social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages." which might be ok under some circumstances, but one problem here is they didn't tell anyone they were doing it, an independent researcher discovered it on his own. Nokia also said "The proxy servers do not store the content of web pages visited by our users or any information they enter into them." Ok, they're not storing it but are they gathering any metrics on the data? Anything that might help them with targeted research? Or who knows what else they could do with the information.
Jack's Rays of ShunShine
- Outsourcing your own job? A great idea, and a great write up from the Verizon Business blog (the folks who bring us the DBIR).
- A SANS ISC Diary entry with a little reality added, just to scare folks.
- Condoms and Castles I don't agree with everything Ben says in this post, but he makes some great points.
- Korea’s Malware Infection Rate Increases Six-fold in Six Months What's up with that? From the Microsoft TechNet blog.
- Oh, noes! The SCADAs are pwned by USB I don't know what to think yet: hype, FUD, same old, a cyber-money-grab?