Link to MP3

Episode 21 is up and going. Looks like Jim and I are back on a regular cycle again. Hopefully it stays that way! Here are the show notes:

InfoSec News Update -

• Goldman Sachs looses its secret sauce online – Link Here
• Fed gets and F on Physical Security – Link Here
• North Korea Blamed in Cyber Attacks over July 4th – Link Here
• Juniper Pulls ATM hacking preso from BH – Link Here
• Month of Twitter Bugs – Link Here
• 10 Things Your Auditor Isn’t Telling Your – Link Here
• New head of MI6 wears Speedos on Facebook – Link Here
• Algorithm for Predicting and guessing SSNs – Link Here
• Iphone SMS Vulnerability – Link Here
• Study – Oracle Users struggle with patch management – Link Here

Discussion Topic - Cloud Computing – is it a security nightmare waiting to happen? – Link Here

Consultants Corner - Developing an offering before going public!

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – Eric Kauschen – "Speed of Light"
• Segway 2 – The WaterMarks – "Shut Down"
• Segway 3 – Megaphone – "Not your enemy"

Vet

Link to MP3

The long-awaited episode 20 is finally here. Sorry for the crazy long wait!

InfoSec News Update –

• Data Breach Suit Targets Auditor – Link Here
• Exobox data leak detection coming out – Link Here
• "CloudBurst" allows attackers to break VM guest OS and attack Host – Link Here
• Obama creates the office of Cyber Czar – Link Here
• Twitter and Iran – Link Here
• IOSCAT talk from SANS – Link Here
• Tmobile Breached….Maybe? – Link 1 / Link 2
• Wireless Keyboard sniffing just got alot easier – Link Here
• LC6 is Officially Released – Link Here
• Trojan Attack on ATMs – Link Here
• Patch Your Blackberry Servers – Link Here

Discussion Topic -Whats the difference between an Auditor and a Assessor?

Consultant’s Corner - To Scope or Not to Scope

Music Notes:

• Intro/Outro – Digital Breaks – "Therapy"
• Segway 1 – PawnShop Diamonds – "High Road Low Down"
• Segway 2 – Woodfish – "Melody"
• Segway 3 – The WaterMarks – "Shut Down"

Link to MP3

So, we officially have our first lost episode. I recorded episode 18 a while back with Michael Santarcangelo, but we had some crazy technical problems. When I tried to get everything edited together to make it work, I started having some major problems. Without getting into all the details, the recording was not salvageable. Sorry to Michael for this since I know he took his valuable time to record with me.

So know we have episode 19. I guess we could have just said this one was episode 18 and went on, but we are honest people over here at An Information Security Place Podcast. And as far as episode 19 goes, Jim and I have been balls-to-the-wall busy lately, and I have had a crazy schedule for over a month. Jim got a break in his schedule (probably more like forced a break) and coerced Kirk Greene to help him out in my place. And then Jim had some technical problems as well and ended up recording the last 15 minutes by himself (or Kirk pissed him off – not sure which). Yes, it has been a crazy time for us. But we are back, and hopefully we will get back on a regular schedule.

Now, here are the show notes for episode 19:

InfoSec News Update –

• Warm Fuzzy Story – Many Users say they’d sell company info for the right price! – Link Here
• Another Twitter Admin Account Compromised – Link Here
• New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping – Link Here
• Acrobat with Yet Another 0-day – Link Here
• Feb Bank Worker charged with Data Theft – Link Here
• More Federal Reg ‘a’ Coming for Power companies – Link Here
• Thats gonna leave a mark! – Multiple Vulns found on Mcaffee’s website – Link Here
• Hacker’s demand: $10M for Virginia prescriptions database – Link Here
• Economy Note – Security Suffers Cuts but fares better than most – Link Here

Geek Toys -

• Interceptor – Hak5 Episode – DigiNinja’s Page
• Acer Aspire One 10.1 Netbook
• Wifi Card of Choice – Alfa Network AWUS036H
• Need a second NIC on a laptop? – Apple USB Ethernet is rather inexpensive and works with Windows / Linux / and OSX (duh). / Windows Driver
• NAS From Heaven – QNAP TS-809

Consultants Corner - DIY Security Testing Lab

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Dave Stanley Band – “Lights Out”
• Segway 2 – John Taglieri – ” Make A Mistake With Me”
• Segway 3 – Junior – “What Was I Thinking?”

Vet

1. If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
2. If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing.  I also need to have SOME idea of how many apps I am going to run up against.
3. If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
4. Etc, etc, etc

If you would provide this quantity type of information up front, I would not have to write up a bunch of questions and send them to you.  You would not have to take the time to answer these questions (and probably send them to me 2 days before the responses are due).  It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).

Of course, many people will tell you that RFP’s are often written in such a way to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions.  The RFP writer is simply going through the motions because of company policy.  I get that.

But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly.  Thank you for your consideration.

Vet

There are already some great posts up by some of our uber-smart assessment consultants.  We have some very high-end research guys on our team, plus just some of the best all around assessment people.  There is no weak link on that team, and they continue to amaze me.

Some of you may not be aware that Dave Maynor joined our team at the beginning of the year.  I was fortunate enough to sit next to him at a client down here in Houston as he smacked around their AS400 environment.  And not only is Dave smart, he is friggin’ hilarious as well. 

So anyway, go take a gander at the blog.  Look for more great stuff to pop up on there.

Oh, and Accuvant has a Twitter account as well at http://twitter.com/Accuvant.  It will likely be mostly reflecting blog posts right now, but there might be more in the future.

Vet

As most of you know, Twitter was hit with a series of worms this past weekend.  They were created by 17 year old, Mikey Mooney, creator of the website StalkDaily.com (don’t visit the site).  The original worm seemed fairly innocuous, with messages that were created to drive traffic to the StalkDaily website.

I wrote a Computerworld blog post, where I detailed the original attack as well as provided a list of security recommendations.  In that post, I commented that Twitter users should be on the lookout for modified worms, especially as additional details of the original attack come to light.

After Twitter patched the original cross site scripting (XSS) flaw, which exploited the “link” field in a user profile, another variant of the worm appeared.  This time, the worm exploited the “color” setting of the user profile.   Modifying the worm highlighted that the XSS vulnerability was not limited to a single field and that Twitter would have to institute a comprehensive patch, not a band-aid solution.

The variant of the worm automatically generated tweets with the term “mikeyy”. These were sarcasitic in nature and seemed to be tounge-in-cheek.  Examples include:

• Mikeyy I am done…
• Mikeyy is done…
• Twitter please fix this, regards Mikeyy

The general consensus today is that the “StalkDaily” and “Mikeyy” worms have been adequately addressed.   However, I am not fully convinced. Four days after the original worm, I am still seeing suspicious behavior.  A colleague of mine has a Twitter account that automatically started generating tweets saying “I am not here right now.”

Using a third party iPhone application, TweetStack, I am conducting periodic searches on the string “I am not here right now.”  I found that this is not nearly as wide spread as the “StalkDaily” Twitter worm, but has affected at least a couple dozen accounts.

While this could be yet another variant of worm created by Mikey Mooney, my suspicion is that this is a copycat worm created by another party (most likely a Scriptkiddie).

Are YOU still seeing anomalous behavior on Twitter?  I would love to hear about it!  Please comment below as well as notify the Internet Storm Center if you see anything noteworthy.

- WiFiJedi

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing…)

Vet

Sometimes I like doing booth duty just because it enables me to do what I like doing, which is talking to people.  I like the interaction, and I enjoy helping people find what they need.  Of course, a security evangelist-type of job is what I would really enjoy, and this falls into that.  Maybe one day.

Vet

Link to MP3

Here is Episode 17. Sorry for the delay in getting it out. Last week was extremely rough for Jim and I, but we are back at full strength now. Well, maybe 85% strength anyway.

In this show Jim and I relate the latest news as always, then we have some discussion about layoffs and how that is causing a lot of orphaned hardware and software. Then we discuss some challenges for the consultant in walking the mind field of politics at client companies.

Also, we had some listener feedback from Geir. He was busting on us a bit about our saying you need to patch your stuff when we were talking about 0day. Thanks for keeping us straight Geir.  If you want to send feedback, you can send it to podcast-at-infosecplace.com.

Here are the show notes:

InfoSec News Update:

• Follow up – Another Payment Processor Has Been Hacked – Visa says JUST KIDDING! – Link Here – This Just In – A new timeline of the Unnamed Processor – Link Here
• Gartner – Nearly 8 Percent of U.S. Adults Lost Money To Financial Fraud in ‘08 – Link Here
• Federal cybersecurity director quits, complains of NSA role – Link Here
• Health Records Show Up in Yard – Link Here
• Study: Antivirus Software Catches About Half Of Malware – Link Here
• MS Finally killing off AutoRun – Link Here
• Marine One data leak – Link Here
• The Return of L0phtCrack!! – Link Here
• WarVox Released – Link Here
• Theives Steal the Show at Cebit – Link Here
• Checklist for complying with PCI security standard – Link Here / Link To Checklist

Discussion - Orphaned hardware and Software – Link Here

Consultant’s Corner - Dealing with political landscapes at your client’s company

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Beth Thornley – “Mr. Lovely”
• Segway 2 – Munk – “DirtyWork”
• Segway 3 – By The Wayside – “Do You Ever Notice”

Vet

Vet