Here’s a video that demonstrates the features of Tyler’s proof-of-concept spyware. We show how it can be used to dump contacts and messages, intercept text messages, eavesdrop on the room, report on phone usage, and monitor GPS data. To view this in HD resolution, click through to Vimeo and use full screen mode for best results.

When dealing with a web service which for one reason or another cannot or should not be allowed on the web. Apache has several wonderful modules which allows the services to be wrapped and behave like a web app should (working SSL certificates, forced encryption, authentication …)

In this article I will discuss and show some examples on how to create an authenticated reverse proxy with mod_authnz, mod_proxy,mod_rewrite and mod_security.

-=-=-=-=-=-=-=-ToC-=-=-=-=-=-=-=-
1. Prerequisites
2. Installation of Apache
3. Configuration of Apache
4. Configuration of mod_rewrite
5. Configuration of mod_proxy
6. Configuration of mod_authnz(optional)
7. Configuration of mod_security
8. Summary
9. Informative Resources
-=-=-=-=-=-=-=–=-=-=-=-=-=-=-=-=-
1. Prerequisites

In this example you will need:

• Ubuntu Linux
• LDAP compatible server with valid SSL certificate
• Apache2
• Wildcard ssl certificate or valid certificates for each service published
• Apache mod_rewrite
• Apache mod_proxy
• Apache mod_authnz
• Apache mod_security

2. Installation of Apache
Install Apache2 by any of your favorite package managers or at the prompt:

sudo apt-get install apache2

3. Configuration of Apache
Then create a new config file for each of your new relays.
Inside of the virtual host tag:

UseCanonicalName Off
LogFormat “%V %h %l %u %t \”%r\” %s %b” vcommon
#incase you have a self signed certificate on the ldap server
LDAPVerifyServerCert off
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/generic/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/generic/example.com.key
Servername weirdone_wrapped.example.com
CustomLog /var/log/apache2/access_log.relay-weird.vhost vcommon

4. Configuration of mod_rewrite
(mod-rewrite is included with apache2)
To enable mod_rewrite:

a2enmod rewrite

Then add the following virtual host entry to redirect http traffic:

RewriteEngine On

#Force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]

5. Configuration of mod_proxy
First install additional mod_proxy:

sudo apt-get install libapache2-mod-proxy-html

Then enable the modules:

a2enmod proxy proxy_connect proxy_html proxy_http

Insert the proxy section and commands into the SSL (port 443) vhost section:

Order deny,allow ProxyPreserveHost On ProxyPass / http://weirdapp.example.com:50281/ ProxyPassReverse / http://weirdapp.example.com:50281/

6. Configuration of mod_authnz(optional)
First install mod_authnz:

apt-get install libapache2-mod-authnz-external

Then insert the following into the proxy block for ldap authentication of the connection:

AuthType Basic AuthBasicProvider ldap
AuthName “Please authenticate your connection using your network login.”
#Some Ldap servers will reject un-encrypted simple authentication, plus this is
#just a good idea any way.
AuthLDAPURL “ldaps://1.2.3.4/?cn” SSL
AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=authbot,ou=users,o=org
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute uid
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=Staff,ou=groups,o=org
Satisfy All

7. Configuration of mod_security
First install mod_security:

apt-get install libapache-mod-security

Then enable it:

a2enmod mod-security

Mod_security is fairly tricky, I am using a default configuration but I am only logging errors and not preventing them. Configuration beyond this is outside the scope of this article.

Edit /etc/apache2/mods-available/mod_security.conf and use the configuration example in
“/usr/share/doc/mod-security-common/examples/” as a template.

If it proves to be too restrictive, you can switch the part which says:

SecRuleEngine On

to

SecRuleEngine DetectionOnly

8. Summary
So, after this is installed, Apache will listen to a static IP then relay a a website to the end user over SSL after authenticating the connection with an LDAP server. And if anything fishy happens it will be logged/(or blocked) with mod-security.

This is not a 100% silver bullet solution. Apache http authentication is generally a bad idea, especially over an unencrypted session. In this example it is partially mitigated with mod_rewrite but at this time Apache does not natively support any modern authentication technologies with hooks for LDAP or any other authentication service. If you have the opportunity to prevent the need to do this then make it so.

The best way is to do it right the first time and write into your web application (or specify in the RFQ) the correct security measures.

9. Informative Resources

Breach Security “Mod Security home page”. (Accessed April 2009)
http://www.modsecurity.org

The Apache Software foundation. “Apache webserver website”. (accessed Jan 2010)
http://httpd.apache.org/

See also :
Asmodian X’s Securing php web applications:
http://www.h-i-r.net/2009/05/securing-php-web-applications.html

Ax0n’s OAMP (Apache, Mysql, PHP on OpenBSD) Article:
http://www.h-i-r.net/2008/12/sysadmin-sunday-amp-on-openbsd-44.html

Asmodian X’s Name based hosting mini-howto:
http://www.h-i-r.net/2008/10/sysadmin-sunday-apache-name-based.html

Asmodian X’s Workbench - Suhosin :
http://www.h-i-r.net/2008/12/asmodians-workbench-suhosin-hardened.html

HiR Information Report is brought you you by Edgeos, Your Network Security Platform. We are proud members of the Security Bloggers Network.

This content originally posted on HiR Information Report. Copyright © 1997-2009, HiR

In what appears to be the latest example of hackers jumping on the coat-tails of a hot trending search topic, criminals have created malicious webpages which pretend to be a CNN news report about Bill Cosby’s supposed death - but really display fake warnings about security problems on your computer.

These poisoned webpages are appearing high in search engine results - bringing the hackers a steady stream of traffic in the form of unsuspecting computer users searching for information about Bill Cosby.

The warning messages attempt to scare unsuspecting users into downloading a fake anti-virus program onto their computers and possibly handing over their credit card details.

The incorrect rumours about Bill Cosby dying appear to have started on Twitter, with innocent users ironically fuelling the flames (and possibly sending others into danger when they searched for more information) by retweeting the “news”).

Bill Cosby himself has posted a message on his website, claiming that he was not dead.

In the past, hackers have exploited rumours of the death of stars such as Kanye West and Johnny Depp.

There are lessons here for everyone: stop spreading “news” of hot breaking stories without checking your facts from a reputable website, be cautious of clicking on links to unknown sites, and always ensure you have up-to-date anti-virus protection in place to scan every webpage you visit.

Sophos is adding detection of the malware as Mal/FakeAV-BW.

read more

Methodology

In order to cover as many bases as possible it was decided to run each scanner in two ways:

1. Point and Shoot (PaS): This includes nothing more than run default scanning options and provide credentials if the scanner supported it and the site used any.

2. Trained: This includes any configurations, macros, scripts or other training determined to be required to get the best possible results. As needed help was requested from the vendors or from acquaintances with expertise in each scanner to make sure that each was given all possible opportunity to get its best possible results.

Therefore he’s defining two modes; Point and Shoot and Trained. In the Point and Shoot mode he’s supposed to use the default scanning options AND provide credentials if the scanner supported it.

Except that for our scanner, he’s not doing this. Let’s take our test PHP website testphp.acunetix.com.

Here is a quick excerpt from his results:

Acunetix is listed as not finding any of the 4 XSS vulnerabilities from userinfo.php (trained or untrained).
That came as a big surprise to me. I’ve quickly made a test and surely, the vulnerabilities were found by Acunetix WVS.

This file “userinfo.php” is only available after you provide valid credentials, it’s not possible to access this file unauthenticated.

They were not found because Larry didn’t authenticated our scanner (didn’t provided any credentials). No wonder that Acunetix didn’t found the vulnerabilities. The same situation with the SQL vulnerability from cart.php (the shopping cart is only available when you are authenticated). He didn’t authenticated our scanner neither in the Point and Shoot mode or in the Trained mode. That’s not fair for us.

I then moved to the Cenzic test website (http://crackme.cenzic.com). Here Acunetix is listed as not finding a number of XSS vulnerabilities in various files such as /Kelev/php/transfer.php (parameters Amount, ToAccountNo), file /kelev/php/accttransaction.php (parameters FromDate, ToDate) and so on.

I’ve started a scan for crackme.cenzic.com and guess what?  All those vulnerabilities were found by Acunetix WVS. I think it’s the same situation as before: the scanner was not authenticated and therefore, it couldn’t access those pages.

Below, I’ve attached a screen shot with those vulnerabilities found by Acunetix WVS:

Therefore, Acunetix WVS was clearly disadvantaged in this comparison report.  It’s not possible to find vulnerabilities in authenticated pages without providing the right credentials.

In the end, I would like to point out a very suspicious log event from our test website. While analyzing the logs from testphp.acunetix.com I’ve found the following entry:

72.25.78.35 – - [20/Jan/2010:08:44:58 +0100] “GET /Flash/add.swf HTTP/1.1″ 200 17418 “file:///C:/NTOBJECTIVES/SOURCE/ntospider_5_0/ntospider/NTOGUI/NtoGui/Debug/Reports/acunetix/
2010_01_19_23_43/DF4D21797A665BCA9B48B5B5F5C37C2″ “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30618)”

This log entry was generated by NTOSpider while scanning our test website. What’s suspicious about this log entry is the Referer field:

file:///C:/NTOBJECTIVES/SOURCE/ntospider_5_0/ntospider/NTOGUI/NtoGui/Debug/Reports/acunetix/
2010_01_19_23_43/DF4D21797A665BCA9B48B5B5F5C37C2

Notice the directory: C:/NTOBJECTIVES/SOURCE/ntospider_5_0/? SOURCE? Debug?

Only NTObjectives employees should have access to the NTOSpider source code. I don’t have enough evidence to directly accuse NTObjectives, however, that log entry looks suspicious to me.

Google and NSA Teams Up, But What About Our Privacy?

Posted using ShareThis

So I fire up Secunia on a PC today, and this alert appears:

But the user seems to be running the latest version:

Only one version appears in add/remove programs:

The extra folder, 3.0.195.38, is over 66 megabytes in size, and almost identical in content to 4.0.249.78.

Questions:

Can the folder 3.0.195.38 be deleted safely?

Can the bad guys use the contents of the old folder 3.0.195.38 to leverage security vulnerabilities, similar to the bad old days of Sun Java, when Java would be updated but old, vulnerable, versions of the application would be left behind which could be accessed by the bad guys and any security vulnerabilities leveraged?  There are various DLLs, a SETUP.EXE, and quite a few JS files in the old folder.

I’ll see what I can do about getting those questions answered.

© Ken Belva at SecurityMaverick.com, 2010. |
Permalink |
No comment |
Add to
del.icio.us


Post tags: tweets

Feed enhanced by Better Feed from Ozh

Priorities are a common parameter in applications. Examples are multiple. In support applications, priorities are used to define the urgency of the reported problem. When you configure softwares, priorities may help to re-order similar actions. In protocol specifications, priorities are also used to perform decisions (routing protocols are a good example) In short, priorities are everywhere!

Did you ever notice that the order of priorities is often depending on the application? Some developers use the priority 1 (one) as the highest while others as the lowest priority. In a given context, two identical rules with respective priorities of “10″ and “20″: Which one will be processed first? Often, you will have to refer to the documentation!

First example, the MX (“Mail eXchange”) in a domain zone. The MX record with the lower priority will be used first:

rootshell.be. 3600	IN	MX	10 mail.rootshell.be.
rootshell.be. 3600	IN	MX	20 mx1.nikita.cx.
rootshell.be. 3600	IN	MX	300 spammers.go.away.

A second example? In the BGP4 protocol. At a given step, the route selection is performed also depending on a priority (called “weight” in this case).

“In the latter case the route selection process moves to the next tie breaker. While LOCAL_PREF is the first rule in the standard, once reachability of the NEXT_HOP is verified, Cisco and several other vendors first consider a decision factor called WEIGHT which is local to the router (ie not transmitted by BGP). The route with the highest WEIGHT is preferred“.

OTRS, a popular open source ticketing system, uses priorities from “1″ (lowest) to “5″ (highest).

In those three examples, we see that the priorities order is different. As everything is standardized in information technology, why not the definition of priorities?

I have to admit, when I talked about this the other day I was rather excited to say the least. So much so that I don’t want to unbox it yet. Thankfully @myrcurial and @securityintern got one as well and sent me the photos of the completed piece. Thanks again!

Here is the Liquidmatrix “Mad Max”-esque LEGO vehicle (minus the bat-shit insane actor). So cool! I feel like a giddy child.

Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort. We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World. BlackBerry apps can be installed from any location, plus, there are so many examples of malware slipping through the screening processes of the various app stores (Symbian, Android, etc.) that we didn’t find it necessary to prove the point again. To some degree, official app stores give users a false sense of security because people will assume that everything in the store must be trustworthy.

Here’s a video that demonstrates the features of Tyler’s proof-of-concept spyware. We show how it can be used to dump contacts and messages, intercept text messages, eavesdrop on the room, report on phone usage, and monitor GPS data. To view this in HD resolution, click through to Vimeo and use full screen mode for best results.

We’re also releasing source code. As far as we know, this is the first public release of source code that demonstrates such a broad range of malicious functionality on a BlackBerry device. Code reviewers and security practitioners can use it as an educational resource to help them recognize malicious behavior and understand the specific risks introduced. This is an important educational asset for those of us working to create more secure software. As for the bad guys, it would be naive to think that they don’t already know how to do this stuff. The code doesn’t go out of its way to be stealthy; in fact, it’s quite the opposite (by design).

Here are the goods:

Slides: Blackberry Mobile Spyware — The Monkey Steals the Berries
Source: txsBBSpy.java

So how can users protect themselves? There are a few places to defend against malware of this nature.

1. Users can configure their default application permissions to be more restrictive. This way, if an application tries to use an API that accesses the user’s email or contact list, the OS will ask for permission. Avoid granting applications “trusted application” status, which grants untrusted applications additional privileges. Tyler’s slide deck shows the default and trusted permission sets in more detail.
2. Corporations using a BlackBerry Enterprise Server can configure their IT policies to restrict their users from installing third-party applications, or whitelist certain approved applications (but brace yourself for the backlash)
3. BlackBerry App World could introduce a rigorous security screening process that submitted applications must pass in order to be listed in the store.

If app stores don’t provide any security testing, the risk reduction responsibility falls to the enterprise. We recommend creating an approved list of applications that have undergone security testing.

Finally, it should be noted that while we chose BlackBerry for our proof-of-concept, this is not just a BlackBerry problem. All mobile platforms provide similar mechanisms for writing applications that have access to the user’s personal, potentially sensitive information. As consumers become increasingly dependent on their mobile devices, we are certain to see an uptick in the volume and sophistication of mobile malware.

First up from Chris Gerling the scene from the hotel this morning.

Here is an image posted by hevnsnt from the ground outside the hotel this morning.

And courtesy of Spagerogue we find the Shmoobus buried in the snow.

Hoping everyone finds their way home safely.

Very Funny.

The event is eligible for CISA/CISM CPE Hours. We are awaiting approval for MIA CPE hours

This event will discuss the value delivery of making effective and efficient use of virtualization to local businesses. Topics to be discussed during the event shall include:

-Virtualization and the value delivery from IT assets
-Cost of ownership and operation
-Achieve more with less IT resources through virtualization
-Improved Business Continuity And Disaster Recovery
-Security & Compliance of virtual workloads
Continue reading “ISACA Event: The Business Value of Virtualization”

http://www.greensql.net/

• Registration
  PacketFence supports an optional registration mechanism similar to “captive portal” solutions. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it. The duration of a node registration can be a relative value (eg. “four weeks from first network access”) or an absolute date (eg. “Thu Jan 20 20:00:00 EST 2009″).
• Detection of abnormal network activities
  Abnormal network activities (computer virus, worms, spyware, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
• Proactive vulnerability scans
  Nessus vulnerability scans can be performed on a scheduled or ad-hoc basis. PacketFence correlates the Nessus vulnerability ID’s of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
• Isolation of problematic devices
  PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
• Remediation through a captive portal
  Once trapped, all HTTP, IMAP and POP sessions are terminated by the PacketFence system. Based on the nodes current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with removal instructions for the particular infection he/she has.
• 802.1X
  802.1X is supported through a FreeRADIUS module.
• Wireless integration
  PacketFence intregrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way.
• DHCP fingerprinting
  DHCP fingerprinting can be used to automatically register specific device types (eg. VoIP phones) and to disallow network access to other device types (eg. game consoles).

http://www.packetfence.org

Editor’s notes:
This technique should be useful for short runs of ethernet (6′ or less) and to power pretty much anything that needs 5VDC and doesn’t require a lot of current. I’ve seen USB ports provide up to one amp of current, though it’s usually advised to keep it under 500mW. If you have a dual-USB Power/Data cord like the ones that come with external 2.5″ hard drives, I’d advise using that to help get more power to the Fon, but there are several people running USB power directly to the Fon, and it seems to work fine. This is the first time I’ve seen a POE injector/splitter used in combination with USB before. Pretty clever.

This is a guest post by cyb3rassasin, a student in the midwest that’s interested in security technologies. You can follow him on Twitter.

Okay, so I’m sitting in the coffee shop with my LaFonera router in front of me, and my netbook on my lap. I look at my fon just sitting there with its 4 AA battery pack, pondering how else I could power this little guy. A battery pack is bulky, and I don’t really want to have to carry a wall wart with me everywhere I go.

So the options that come to mind are usb power, battery pack, and power over ethernet. The first two aren’t bad ideas but I was kinda looking for something a little more compact and cleaner. I decided to look at some PoE injectors/splitters because they’re inexpensive and compact.

The only problem I could forsee is again I’d have to carry a wall wart around with me. Then I thought why not cut the power adapter off the injector and replace it with a usb plug. It would be simple, clean, and I’d only have to have one cable running to the fon. The Fon can run from 5VDC just fine.

I decided to pick up a set of PoE cables from Passive PoE. I grabbed a usb cable from an old phone that I had, I chopped the end off and stripped all the wires. I then cut the power plug off of the injector and stripped the two wires. ( note: the copper is ground and the red is positive)

Now, don’t make the same mistake I did: put the heatshrink on the injector before soldering the usb plug and the injector together. I soldered up the connections, wrapped each individual connection in electrical tape, and heatshrunk it.

Before testing this with my fon, I thought it would be a good idea to make sure I got the polarity correct. I plugged the injector into my netbook, hooked up an ethernet cable, and then attached the splitter. I took a multi-meter and to the splitter and sure enough, I had the polarity right. Center pin: positive 5VDC, outer barrel: negative

Now it’s time to take a leap of faith and plug in my fon, and woot! It works!

So now I successfully have a compact way to power my fon via usb and PoE. I’ve found one downside to this, it drains my netbook battery faster than if I would use a battery pack. Other than that this is an effective alternative way to power the fon.

cyb3rassasin also showed me the Open-Mesh mini router, which seems to be nearly identical to the original Fon2100 shown here. Since the Fon2100 is no longer available new from the manufacturer, and the newer hardware isn’t as friendly for things like Jasager/Karma, it’s nice to know there is still a comparable piece of gear out there to take its place in our hackpacks. Long live evil wifi! Here are some photos he sent us, comparing the Open-Mesh and the Fon2100.

HiR Information Report is brought you you by Edgeos, Your Network Security Platform. We are proud members of the Security Bloggers Network.

This content originally posted on HiR Information Report. Copyright © 1997-2009, HiR

The Electronic Privacy Information Center (EPIC) based in Washington, DC has filed a request for information on reports of Google’s plan to partner with the U.S. National Security Agency to assist in analyzing a recent cyber-attack that allegedly originated from China in January of 2010. Furthermore, Google will look to partner with the NSA to better understand how and who breached its network and for recommendations on how to better protect its network and users from future cyber attacks. This proposed agreement between Google and the NSA has sparked some controversy.

Read More Here

Get your Faraday bag here. This is not a gimmick site, as these people are aiming at UK law enforcement, who need to shield mobile phones after seizure. You can view testing results here.

It was reported in the Daily Mail this week that a woman bought a carton of half a dozen eggs, which she later found to be all double-yolked, as shown below

Since the chances of getting a single double-yolk egg are  around 1-in-1000, then it appears that we have witnessed an extremely rare event, in fact one that is a practical impossibility. If we assume that the likelihood of each egg being double-yolked is independent, then the picture above is conclusive evidence of a  1-in-10^{18} event manifesting. This is a bit less likely than guessing a DES key at random at 1-in-10^{17}. The Daily Mail article goes on to give reasons why this event is not as unlikely as it seems, because on face value, the event is so unlikely that we would never expect to witness it over the lifetime of all eggs that have ever been produced.

Apparently the eggs are all likely to come from hens in the same flock and of the same age which reduces the likelihood to “only” 1-in-729 million. And the occurrence becomes even more likely (or less unlikely – take your pick) when we account for eggs of a similar weight being sorted into the same boxes.

A bit more detail is given over at the wonderful Understanding Uncertainty blog. If the 1-in-10^{18}  odds were correct then given the number of eggs consumed in Britain each year, we are looking at waiting 500 years to see the photo above, so the independence assumption is not plausible. Factoring in that eggs coming from the same group (who may have a propensity for double yolks), packing by weight, noting that some supermarkets can detect and sell double yolked eggs, then the event seems less impressive. But impressive nonetheless!

Um doce para quem conseguir traduzir “rugged”. Segundo os dicionários significa algo como rugoso, irregular, austero… O que é que isso tem que ver com segurança (num sentido positivo), ignoro.

O site da iniciativa está aqui: http://www.ruggedsoftware.org/ . Tem pouca informação mas há muita conversa sobre o tema pelos blogs.

Já agora, aqui fica:

The Rugged Software Manifesto

• I am rugged… and more importantly, my code is rugged.
• I recognize that software has become a foundation of our modern world.
• I recognize the awesome responsibility that comes with this foundational role.
• I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
• I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
• I recognize these things - and I choose to be rugged.
• I am rugged because I refuse to be a source of vulnerability or weakness.
• I am rugged because I assure my code will support its mission.
• I am rugged because my code can face these challenges and persist in spite of them.
• I am rugged, not because it is easy, but because it is necessary… and I am up for the challenge.

blog Segurança Informática
http://www.seguranca-informatica.net/

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail from admin@intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody@sh16.ruskyhost.ru

My source told me that a significant discussion going on within the U.S. Computer Emergency Readiness Team (US-CERT) suggests that this attack was leveled only at governments, and that a relatively large number of recipients were taken in by the ruse and infected their PCs. For example, the state government agency that my source works at has already confirmed “a couple hundred” infections at their site. US-CERT officials could not be immediately reached for comment, and the organization’s Web site currently does not feature any information about this attack.

The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.”

Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan, a program designed to steal passwords from infected systems and give attackers remote control over sickened PCs.

Another source who asked not to be named said the version of Zeus being distributed in the e-mails is rather dated, but that it includes a configuration utility that allows the malware to be updated with the capability to upload PDF files and other interesting information from infected PCs.

The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses, as well as dozens of state and local government organizations. In each attack, the thieves use the stolen credentials to siphon the victim organization’s bank accounts, and funnel the money through accomplices in the United States, who then wire the cash overseas to Ukraine and other Eastern European nations.

Earlier this week, the New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds. Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.

Today, eSoft is alerting customers to a new targeted email scam.  This newest twist to the common IRS email scam seems to be targeted to organizations, notifying the recipient of a tax evasion complaint being filed against the company.  Opening the file infects the user’s machine with dangerous trojans that monitor the infected machine, report back to the attacker and download other malicious payloads.

An example of the fraudulent email is below, which prompts the user to open “balance report” attachment.  Because the attachment appears to be a Word file, most users will readily trust the file and proceed to open the file to find out more.

The file is actually in Rich Text Format (RTF) and contains a hidden executable.  Upon opening the file, an error is reported and the user is asked to double click to restart Word.  Doing so will open the executable as shown below, with most unsuspecting users allowing the malicious file to run.

 

Two processes are started and added to Windows startup to run on subsequent boots, microsoft.exe and wks.exe.  These processes send data back to the attacker using HTTP connections to their call home destination.  eSoft is flagging these sites as Malicious to protect any victims of this attack.

These call home destinations are even disguised as a Google search page to evade detection by web filtering companies and automated systems which may detect the site as a search engine.

 

At the time of writing, Virus Total reports only a 25% detection rate on the most recent samples.

Users should be very cautious with any unsolicited emails, particularly those containing an attachment.  The IRS will never email you if they need to contact you, and any emails appearing to come from them are very likely malicous scams.  As noted on the IRS website, “The IRS does not initiate taxpayer communications through email.”

Ellen Nakashima, a reporter for the Washington Post, broke the Google/NSA story on page one of Thursday’s edition of the paper.

The recent incident at Google shook the entire world, but was it merely a one-off incident or a wake-up call? Did the event gather importance just because Google threatened to pull out of China or stop the so called censorship or was there something more sinister? I tried to explore a little.

Speaking of corporate espionage, it’s nothing new to the developed world. Nokia’s so-called attempts to monitor its employees, Porche & VW case are not unknown in the 21st century.  There was another interesting case in 2005 where an employee allegedly transferred product information before he was supposed to switch to that start-up venture.  In 2007 Oracle suspected that SAP had been hacking and stealing secrets from its computer systems. Oracle went to court with the case!

In recent years the focus has shifted with countries realizing the power of internet. It is alleged that corporate espionage has taken a step further with certain developing countries taking the short way out to success in trying to steal the important research papers, innovations, designs etc. By any means investing a few millions on high-tech thieves is cheaper than investing billions in doing R&D and not getting desired results! I guess this is what some countries think nowadays!

As per FBI even though 75% of cases of data theft involve an insider, as we all know our security is only as strong as our weakest link! Still the 25% cases are not a small number to forget about. It is in these 25% cases do countries who want to spy, invest millions to find loopholes & steal data remotely. Firstly it is safer to deny such an act and secondly it’s much harder to prove such a crime’s origin, if the attacker is sophisticated/ cautious enough.

Yes Google did get hacked due to a flaw in the browser one of its biggest current competitors failed to fix since ages, but does Google end its responsibility here. If my email gets hacked and all my bank account details get stolen, does all my responsibility go away? In my opinion NO, I am responsible for all my activities- from setting a password to saving important details on my mail. In case of a breach, no doubt I should take legal recourse, but it should not be my primary objective. Google should have detected such a breach as soon as it had occurred. No one knows the exact monetary estimate of the hack & what all data was lost.

I think there is another side of the coin as well, than just Google crying foul over being broken into. After all Google always knew beforehand what it was treading into once it accepted all regulations that Chinese government asked it for. It chose a little compromise to enter the world’s 3rd biggest economy & now it’s alleging that it’s been compromised! Strange!

Corporate espionage isn’t new, what is new is the method & motivation. After all, we must be prepared with better security than asking people to stop hacking us & crying foul! Risk management is a key business area & Google would have accounted for such risks long ago.

@kakroo

img: datmoney.com

I was interested to see that Google is willing to offer a bounty of $500 per bug that people find in Chrome, Google’s browser.

I am not sure if this is a good thing.

Whilst I admire them for having the confidence in their product to invite deliberate attempts to compromise it and find flaws the cynical part of me is thinking hold on, this is just a cheap way of QA’ing code.

I am in two minds and I can’t decide if this approach is a good or a bad idea. Sure, commercially it is a good idea, you get a multitude of amateur testers working in their spare time, for free, and all it costs is $500 for each flaw they find. Genius!

But I am worried that someone will decide it is cheaper to release minimally tested products and offer a bounty for finding flaws than to properly test it.

I am hoping I am just being cynical and all products that get released are secure and this is just a marketing ploy to grab headlines. Mind you, suppose their product is totally flawed, it could be more expensive than they anticipated!

Thirteen bulletins are scheduled for release, comprising five Critical, seven Important, and one Moderate rating from Microsoft. The thirteen patches will be for Windows and Office vulnerabilities (11 and 2 respectively). Both Office patches are rates as Important. An information disclosure vulnerability in Internet Explorer that was released in early February will not be patched with this release, nor will an SMB vulnerability that allows a Denial of Service and which was identified prior to the January security patch release. What will be patched is a privilege elevation vulnerability that has affected Windows versions since NT 4.0.

It should be noted that the patches applicable to Microsoft Office will also be provided for the OS X versions of Office, particularly Office 2004.

To quote the weather channel

“The storm may reach the top 3 of all-time in the Washington, D.C., area and may rival the record of 28″ from the

“Knickerbocker” storm of 1922.”

I am taking a little break in the festivities to let you all know that it has officially snowed pretty hard at ShmooCon VI. My flight has been canceled for Sunday, so with any luck at all I will be arriving back in Chicago (aka, the land that can handle 6″< of snow) sometime early next week.
With that, I have to say that the spirits of all the con goers is absolutely amazing! Trash-bag sleds are being used as well as certain individuals who have snowboards and snowshoes. The content of the event has started out with a bang, and the actual tracks tomorrow look exceptionally promising!

Thank you to @quine ’s employer for hosting the Securitytwits meet-up this afternoon, it was VERY enjoyable! Syngress held a very nice happy-hour meet-up, and the DC949 party was absolutely killer! Festivities are still commencing as I type, but sometimes one must just call it an evening!

This is what I said back here, so I am glad that someone did a study on it.  Very interesting what the future holds for this form factor of device.  I think the early critics are going to be eating their words in a year or so.

From the Minneapolis Star Tribune:

“A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide”

A corporation gets hacked, ordinary citizens get screwed. It happens so often that it’s hardly news.

This is interesting to me because Ceridian is a local company and the local media picked up the story. That’s a good thing. I’m glad our local media is still able to hire professional journalists. The executives of a company that fail like that need to read about themselves in their local paper and watch themselves on the evening news. They might learn something. If we’re lucky, the hack might even get mentioned at the local country club and the exec’s might get a second glance from the other suits.

We aren’t that lucky.

In a follow up story, the Star Tribune interviewed a man who claims that he has not had a relationship with Ceridian for 10 years, yet Ceridian notified him that his data was also stolen. The Star Tribune reports that Ceridian told the victim that the compromise of 10 year inactive customer data was due to a ‘computer glitch’:

“a Ceridian software glitch kept it in the company’s database long after it should have been deleted.”

Sorry to disappoint the local media, but computer glitches are not the reason that 10 year old data is exposed to hackers.

Brain dead management is the cause.

But even brain dead management occasionally shows sings of life. According to the customer whose 10 year old data was breached:

"The woman from Ceridian said they’re working on removing my information from the database now,”

Gee thanks. What’s that horse-barn-door saying again?

Given corporate America’s aversion to ‘DELETE FROM…WHERE…’ queries, my identity and financial information is presumably vulnerable to exposure by any company that I’ve had a relationship with at any time since computers were invented.

That’s comforting.

Hi Folks,

Here is this weeks round up of jobs that we had sent in to us (tips SHIFT2 liquidmatrix DOT org). As with any of these jobs be sure to do your homework. We guarantee…nothing. That being said, good hunting!

(Note: These links will spawn new browser windows)

I’d like to invite all of you to join me for a webcast I am doing Feb 24th, 2010 with TechRepublic titled “5 Best Practices to Protect Windows 7 Computers”. This webcast will be broadcast 2:00 PM ET / 11:00 AM PT / 7:00 PM GMT.

I will be going through some of the new security features in Windows 7 and presenting 5 key points to consider when rolling out Windows 7 in your organization. There are a lot of new features in Windows 7 and some of them have a significant impact on the security of your desktops.

I will share with you some of our best practices for positioning a Windows 7 deployment in the most secure manner, along with tips and tricks you can use to think through your plans. I hope you can join me and ask some great questions during the Q&A session as well.

One important consideration we will discuss is how to manage your heterogeneous environment as you migrate to Windows 7, and of course a number of machines may require you to keep some legacy operating systems.

If you like to attend, please register with TechRepublic.

Related posts:

1. Protect your web assets - Is Linux still safe? The Register is reporting today that Linux servers have been…
2. Is Windows 7 safe? Sophos is ready, are you? October 22nd, 2009 is the official public launch of…
3. Windows 7 vulnerable to 8 out of 10 viruses Now that we in the northern hemisphere have had some…

We just introduced the latest member of the UTM family the UTM5. It contains all the security found in the UTM10 and UTM25 at slightly slower speeds. It’s a great fit for smaller office networks and basically gives you the high level of protection found in high end Web/Email security gateways, plus the functionality and connectivity options of a good firewall.

One thing we didn’t compromise on is the security effectiveness. What good is a security appliance if it doesn’t effectively do what it was brought in to do? The UTM5 is a great value, but there is nothing “economy class” about the coverage and performance of the UTM5.

Contact your local VAR or sign up at prosecure.netgear.com for a risk free 30 day eval.

I’m pleased to say that firmware version 1.0.16-0 for our UTM family contains patched versions of SSL. There are many components within the UTM that uses SSL so getting this patch was very important.
It’s a good thing this vulnerability was discovered by researchers with good intentions as this could have resulted in a disaster (with the economy the way it is, even if the bad guys did exploit the vulnerability there probably wasn’t that much to steal ;-))

You can read the release notes here.

In early January Heise Security reported that a German security firm had discovered a vulnerability in the password authentication process of several USB sticks that are rated as being highly secure. The discovery has been widely reported, and lead to various responses from USB vendors Sandisk, Verbatim and Kingston, including patching and recalling their devices from the field. The full list of effected sticks has been reported by Simon Hunt for example. Steve Ragan of the TechHerald has commented that the whole incident is “"quickly becoming the first FUD-based news cycle for 2010”.

What was the vulnerability?

Well when a user plugs in a password-protected USB stick their desktop starts the stick by launching a popup application prompting the user for their password. You would expect that the user supplied password is then transferred to the stick for verification, and the stick grants access if the password is correct.

What German security company SySS, discovered is that the verification of the user supplied password is actually performed in the popup application itself , and an acknowledgment code is sent back to the stick indicating if the candidate password is correct or not. By sniffing this traffic SySS determined that the acknowledgment code granting access is static, and in particular does depend on the password entered by the user. Essentially the desktop popup verifies the user supplies password and then returns "yes" or "no" to the stick.

SySS captured the acknowledgment code, and then wrote some proof-of-concept code which injects the acknowledgement code into the memory space of the desktop popup so that the value returned to the stick is always the positive acknowledgement code. Thus regardless of what password the user enters the hack ensures that only the positive acknowledgement code is returned, and the stick will always therefore grant access.

What was the impact?

Given the injection code, the password-protection can be defeated on sticks susceptible to the attack, which turns out to be a reasonably large class of commercial sticks that are marketed as being highly secure. All things being equal, the risk of a data breach from lost sticks is increased, since the password-protection of the sticks can be bypassed with the right software. And losing sticks is increasing. CSO Online recently reported on a UK survey conducted by Credant which revealed that 4,500 memory sticks have been forgotten in people’s pockets as they take their clothes to be washed at the local dry cleaners.

The impact is not limited to a single vendor product. The vulnerability exists in several families of secure USB devices across the major USB vendors because they all rely on a common USB chipset whose security properties have not been properly vetted.

FIPS Certification

The incident is all the more telling in that the vulnerability impacts devices that use AES 256-bit encryption and are rated as secure by the FIPS 140-2 certification process. Users are paying quite a premium over vanilla sticks for the advertised additional assurance that their data are protected by a certified device using strong cryptography, and for some US government agencies such purchases are mandatory. The relative ease with which the password protection was bypassed calls into question the value of the FIPS 140-2 process.

In Computerworld NIST is quoted as saying "From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability," a statement read. "Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue”.

To be fair, the FIPS 140-2 focuses on verification of cryptographic modules and not the supporting software, however the incident highlights the narrowness of the approach and the expectation that certification is more than secure cryptography. Chris Merrit at Lumension has a good post on the fine print of the certification FIPS 140-2 process, and he concludes

So, bottom line: while this discovery seems to suggest an area to which NIST might want to bring some clarity and rigor, it does not mean that FIPS 140-2 is fatally flawed. It’s up to you, as the buyer, to understand what (potentially critical) functions occur inside & outside the cryptographic boundary, and how that might impact the security of the device in your case. And since what you’re looking for is what’s not certified, it might be useful to have an expert review the vendor security policy (posted with the certification on the NIST website) to help you understand the nuances.

AES-256 and Passwords

As I explained in Are AES 256-bit keys too Large? it is very unrealistic to equate password security with the security of AES-256. To achieve the equivalent of 256-bit security users would need to select 40 character passwords at random, and we are a long way from that. In fact so far away that we will never get there. So USB devices that protect their data using AES-256 encryption sound impressive, but when access control to those devices and the underlying keys is controlled by a password, then this setup sounds a lot less secure. The SySS vulnerability now shows that the whole AES-256 encryption process can be bypassed in the presence of weak password handling.

Conclusion?

Is there a useful conclusion from this incident? There is a lot of embarrassment all round and we have little confidence that a similar issue will not arise in the future. Security is just done poorly in general, and blatant examples are uncovered whenever someone takes the time to look under the hood. Some  articles and posts have focussed on verifying passwords in software as the culprit, which is partly true, but the real issue is not software but insecure programming of software - the password verification should never have been done on the desktop, and a static acknowledgement code should never have been used to unlock the USB device.

A trusted path should be established between the desktop keyboard and the USB device, and for smart cards this needs to be done with a secure reader. But this is at odds with the plug-and-play semantics of USB sticks where the portability of the ubiquitous USB connector is the selling point.

You’d think that a company trying to raise several hundred million with an initial public offering of stock would tell their affiliates to be on their best behavior for a while.

For example, maybe they’d discourage them from hacking government web sites to attract search engine hits on the word “bestiality,” then redirect browsers to the company’s site.

The sites:

The code:

Remember Adult Friend Finder? Penthouse Media Group (which also owns Penthouse magazine) purchased the online adult… ah… dating service in 2007 for $500 million. Well now they’re called FriendFinder Networks, Inc. In December, 2008 they filed with the U.S. Security and Exchange Commission for permission to make an initial public offering $460 million of stock.

That timing wasn’t too good given the near collapse of the global economy back then, so last month they amended their IPO filing in hopes of raising $220 million. Lead underwriters are Renaissance Capital and Ledgemont Capital Markets LLC. Co-managers are Merriman Curhan Ford and Lighthouse Financial.

See story “FriendFinder Still Sees IPO, But Less Capital Raised (FFN)”

In 2007 AdultFriendFinder.com settle an enforcement action by the Federal Trade Commission that charged that their explicit online pop-up ads violated federal law. The settlement bared them from “displaying sexually explicit online ads to consumers who are not seeking out sexually explicit content.” (Story here.)

Thanks Eric Howes.

Tom Kelchner

Here, my friends is an opportunity to BUY IN to the program and WALK the WALK instead of just talking the talk. Ladies and gentleman, I introduce to you The Rugged Software Manifesto.  

What’s in a meme?
A rose called by any other meme.. No, seriously. A meme is a postulated unit of cultural ideas, symbols or practices, which can be transmitted from one mind to another through speech, gestures, rituals or other imitable phenomena. (The etymology of the term relates to the Greek word ?????????? (pronounced /m?met?smos/) for “something imitated”.) … so says Wikipedia

The Rugged Software Manifesto

• I am rugged… and more importantly, my code is rugged.
• I recognize that software has become a foundation of our modern world.
• I recognize the awesome responsibility that comes with this foundational role.
• I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
• I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
• I recognize these things - and I choose to be rugged.
• I am rugged because I refuse to be a source of vulnerability or weakness.
• I am rugged because I assure my code will support its mission.
• I am rugged because my code can face these challenges and persist in spite of them.
• I am rugged, not because it is easy, but because it is necessary… and I am up for the challenge.

Join

If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.

Learn more and join at http://www.ruggedsoftware.org/.
Follow on twitter http://twitter.com/ruggedsoftware.
OWASP Rugged page at http://www.owasp.org/index.php/Rugged.

# # #

The U.S. Federal Trade Commission today announced that next Tuesday they will hold a news conference to make public details of “a law enforcement sweep cracking down on job and work-at-home fraud fueled by the economic downturn.”

The media advisory said that the news conference would feature the director of the FTC’s bureau of Consumer Protection David C. Vladeck, an assistant attorney general and the Ohio Attorney General. The advisory listed as “also attending” representatives of the U.S. Postal Inspection Service, Monster.com and Microsoft.

People who sign on as work-at-home employees from Internet ads (also called “money mules”) often are used as conduits for stolen funds that are transferred from the bank accounts of victim individuals or companies who have been scammed by phishing or spear-phishing. The money mules set up bank accounts into which stolen funds are transferred. They are instructed to keep a portion of the funds and wire the remainder to the scammers, who are generally outside the U.S.

In November, the FBI reported that it had been notified of about $100 million in attempted losses from such scams.

Prominent computer security blogger Brian Krebs ( http://www.krebsonsecurity.com/ ), formerly of the Washington Post, has reported extensively about losses from similar scams from small and medium size businesses in the last few months.

A blog piece he did in January “Top 10 Ways to Get Fired as a Money Mule” is not only a good description of the work-at-home scam, but is very funny as well.

FTC media advisory here.

Tom Kelchner

In response, last year we started up the Disaster Recovery Breakfast, and it went over pretty well. It’s a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. No marketing, no presentations, no sales types trolling for your card. Sit where you want, drop in and out as much as you want, and if you’re really a traditionalist, blast your iPod and stand in a corner staring at us while nursing a Bloody Mary.

This year we will be holding it Thursday morning at Jillian’s in the Metreon from 8-11. It’s an open door during that window, and feel free to stop by at any time and stay as long as you want. We’re even cool if you drive through just to mooch some quick coffee.

Please RSVP by dropping us a line at rsvp@securosis.com, and we’ll see you there!

- Rich
(2) Comments

I was standing on a stage giving a speech at a military base, in about 2004.  The people I was giving a speech to were about 200-250 different “network” and “Systems” administrators from all over this military base in tons of different units.  In this audience I had military, civilian, and contractor.  I was asked to give a speech to the system administrators because some of them didn’t see the value in security in their systems.  It was an afterthought and people weren’t terribly excited about having to follow $regulation that ensured proper lock down of various controls in the operating system and network.

I asked this question:  ”If you never knew it occurred, did it occur in the first place?”  I paused for effect, waiting for an answer.  One didn’t come.  Obviously they had no idea was I was talking about.

I proceeded to explain the importance of reviewing logs, system and network information, explaining to them the importance of what I had found that week upon a security audit I was doing of their Army post.

Hundreds of compromised machines, botnets, poor security controls, inadequate permissions, etc.  This was all from about 3 days of work.  I didn’t even get into the trenches trying to find things, this was just surface level scanning and network monitoring.  Not even penetration testing, just scanning.

They didn’t know.  They thought their network was perfect.  They thought it was clean.  They didn’t need to review logs.  They thought wrong.

If you aren’t going to review logs, if you aren’t going to look at the system logs, the firewall logs, the IDS/IPS logs, then why collect them?  The problem is, we have things like SOX compliance now that mandates that we have some kind of logging system.  Which is fine, it’s a great idea, but people are missing the point.  The point of the SOX compliance and log review is for people to REVIEW the logs.  Otherwise what is the point?  So you can go back and see when you were compromised?

Some people will agree with me here and say “Yes, I’d like to have historical information so I can go back and see when the intrusion occurred.”

That’s fine, I don’t disagree, but stop for a second while reading this and meditate on this question “Why?”  What are you going to do about it?

If you are going to look at your logs and dismiss them, instead of looking at your logs and doing something about the mistakes that you find, then what’s the point in looking at the logs.  Don’t waste your time.

It’s your JOB to be looking at these things, if you aren’t going to DO your job, then quit.  We don’t need you in our industry because it’s people like YOU that are messing things up for the rest of us.

I’m going to do it…  I am going to use APT (Advanced Persistant Threat).  APT was found by looking at logs.  APT has been around for a long time.  Before I worked at Sourcefire, I worked for the Department of the Army in computer security, and we were dealing with APT (only it wasn’t called that back then) then.  We didn’t have an advanced term for the threat, we used terms like ‘rootkit’ and ‘trojan’.  We were looking at hacks that we had never thought possible offloading information to countries that weren’t ours.  Some of the techniques were so interesting and secret, they haven’t been made public to this day, so I can’t talk about them here.

But we found the compromises by looking through logs.  I’ve said this before, and I’ll say it again, what’s the point in having a security device that keeps logs if you aren’t going to LOOK at it?

This is really bad for so many reasons.  It certainly doesn’t help their security.

And yes, it’s completely legitimate.

Alex Eckelberry

If you’re up for a bit of audible Friday humour, check out the SFSP (Southern Fried Security Podcast) Episode 5, where I try to terrorize Martin with off-the-wall responses while he’s interviewing me. I definitely caught him off guard on a few early replies. While I was mildly successful in that piece, I was even more successful in dodging Andy’s harassment by confirming the scheduling on super short notice.

Martin caught me on a day when absolutely nothing was going as it should. I was at the office late, fighting with what seemed to be a firmware issue and what turned out to be a VM issue, after two days of wrestling with it.

All I have to say for myself is:
1. Who doesn’t like Asian women, really?
2. Newfirmware is only two words if you add space there. It’s like Newfoundland; that’s one word.
3. Sorry Andy, I was working on a tight schedule. *cough*
4. I slipped Valentino Rossi into my security interview.
5. NAC isn’t dead. NAC isn’t dead. NAC isn’t dead.

What did we talk about? We started with their customary (non-IT) 10 preliminary questions, followed by more serious discussions of information security, dealing with management, and of course NAC.

Interview with Jennifer Jabbusch
    - Martin sits down with JJ to talk about life, security, and Asian women
    - Notice how Martin conveniently schedules interviews when Andy isn’t available.
    - Notice how Martin is the person all of the nice interviewees *want* to talk to… 
    - In all seriousness, the audio quality of the interview isn’t 100% (Skype drops and Martin thinking he was muted) but what Jennifer has to say is so good we want to be sure you get a listen

Here are the links you’ll be looking for:

• Southern Fried Security, Episode 5 Page
• Audio in RSS, scroll down to the headphones and .mp3
• Audio in iTunes subscription format

# # #