Real world links August 28, 2014

Aaron's Law Is Doomed Leaving US Hacking Law 'Broken' - Thomas Brewster - Forbes

There is a general agreement, however, that the CFAA needs an urgent update. That’s largely because CFAA is being used against those trying to fix vulnerabilities on the internet. Various members of the security community, which is descending on Las Vegas for 2014’s BlackHat conference this week, have told me they have been threatened with law enforcement action over research efforts that were supposed to shore up the web and the machines connected to it. They include Zach Lanier of Duo Security and HD Moore of Rapid7, both highly-respected security pros. Given simply scanning systems for the infamous Heartbleed bug could have been deemed a felony, it’s become apparent that even those trying to do good are considered criminals.

Police are operating with total impunity in Ferguson - Matthew Yglesias - Vox

Olson was released shortly after his arrest, as were Reilly and Lowery before him. Ryan Devereaux from The Intercept and Lukas Hermsmeier from the German tabloid Bild were likewise arrested last night and released without charges after an overnight stay in jail. In other words, they never should have been arrested in the first place. But nothing's being done to punish the mystery officers who did the arresting.

Researchers Easily Slipped Weapons Past TSA's X-Ray Body Scanners - Andy Greenberg - Wired

More importantly, the glaring vulnerabilities the researchers found in the security system demonstrate how poorly the machines were tested before they were deployed at a cost of more than $1 billion to more than 160 American airports, argues J. Alex Halderman, a University of Michigan computer science professor and one of the study’s authors. The findings should raise questions regarding the TSA’s claims about its current security measures, too.

This post first appeared on Exploring Information Security.

Exploring Information Security: how to use PowerShell for security

In the sixth edition of the Exploring Information Security (EIS) podcast, I talk with PowerShell guru Matt Johnson, a founder of PoshSec.

Matt Johnson has spoken at conferences like GrrCon and DerbyCon on using PowerShell for security. He also has his own podcast, titled Leveled up Infosec Podcast, and he's the founder of PoshSec. You can catch Matt tweeting about security on Twitter @mwjcomputing.

In this interview we cover:

  • What is PowerShell

  • How to get started using PowerShell

  • How to best utilize PowerShell for security

  • Available resources

  • What mistakes can be made using PowerShell for security

Music by Alan Read

Leave feedback and topic suggestions in the comment section below.


InfoSec links August 26, 2014

Father of PGP encryption: Telcos need to get out of bed with governments - Sean Gallagher - Ars Technica

Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.

“It wasn’t because there was anything actually wrong with the NIST algorithms,” Zimmermann explained. “After the Snowden revelations, we felt a bit resentful that NIST had cooperated with the NSA.”

Edward Snowden: The most wanted man in the world - James Bamford - Wired

Despite being the subject of a worldwide manhunt, Snowden seems relaxed and upbeat as we drink Cokes and tear away at a giant room-service pepperoni pizza. His 31st birthday is a few days away. Snowden still holds out hope that he will someday be allowed to return to the US. “I told the government I’d volunteer for prison, as long as it served the right purpose,” he says. “I care more about the country than what happens to me. But we can’t allow the law to become a political weapon or agree to scare people away from standing up for their rights, no matter how good the deal. I’m not going to be part of that.”

Why So Many Card Breaches? A Q&A - Brian Krebs - Krebs on Security

Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.


Fun infosec links August 21, 2014

How To Protect Your Personal Information Online - The Onion

A fun list of ways to keep your personal information safe online.

Special Note: for those unfamiliar with The Onion, it is a satirical site and not meant to be taken seriously.

Social Engineering a Telemarketer - Bruce Schneier - Schneier on Security

Telemarketer gets owned and it's wonderful.

How to Use Your Cat to Hack Your Neighbor's WiFi - Andy Greenberg - Wired

Welcome to the infosec community my feline friend.


InfoSec links August 19, 2014

Visit the Wrong Website, and the FBI Could End Up in Your Computer - Kevin Poulsen - Wired

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

Scientists reconstruct speech through soundproof glass by watching a bag of potato chips - Jacob Kastrenakes - The Verge

While a bag of chips is one example of where this method can be put to work, MIT has found success with it elsewhere, including when watching plant leaves and the surface of a glass of water. While the vibrations that the camera is picking up aren't observable to the human eye, seemingly anything observable to a camera can work here. For the most part the researchers used a high-speed camera to pick up the vibrations, even using it to detect them on a potato chip bag filmed 15-feet away and through a pane of soundproof glass. Even without a high-speed camera though, researchers were able to use a common digital camera to pick up basic audio information.

Android Backdoor disguised as a Kaspersky mobile security app - Vigi Zhang - SecureList

Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading viruses. Mobile security is related to user privacy. In most cases, a mobile device is more important than a PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.


Def Con links August 18, 2014

Hackers Unveil Their Plan to Change Email Forever - Denver Nicks - Time

Jon Callas, chief technology officer of Silent Circle and a co-founder of the Dark Mail project, told TIME that “the biggest problem we have today with email is that it was designed in the early 1970s and it was not designed for the problems we have today. Even the standard email encryption that we have today protects the content but not the metadata.”

You cannot 'cyberhijack' an airplane, but you can create mischief - Adam Greenberg - SC Magazine

Ultimately, airlines are very safe, Polstra said, but he added that nearly every protocol used in aviation is unsecured – meaning no encryption – and that there is potential to annoy air traffic control and small aircraft.

Founder of America's Biggest Hacker Conference: 'We Understand the Threat Now' - Denver Nicks - Time

Nothing changed before or after Snowden’s revelations. The security researchers knew that of course that’s what the NSA or any government can do. If you talked to the hackers last year it was like, “Of course you can do that. I’ve been doing that for 10 years.” But now that it’s sunken in at a more policy level you can have the conversation. Before you would say something to your parents and they’d be like, “Oh hahaha. You’re paranoid.” Next thing you know your parents are like, “Oh my God. You were not crazy. You’re not my paranoid son.” Now we’re at a place where people can relate and that’s a much more healthy place for us to be.


Exploring Information Security: What is threat modeling?

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conferences on the topic of threat modeling. He suggests a method of threat modeling based on threat paths, rather than other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events.

In this interview Wolfgang covers:

  • What is threat modeling?

  • What needs to be done to threat model

  • Who should perform the threat modeling

  • Resources that can be used to build an effective threat model

  • The life cycle of a threat model

Leave feedback and topic suggestions in the comment section below.


Baseball and Information Security: Red Team vs. Blue Team

By day I'm an information security professional; by night I'm a baseball blogger.

I've been thinking a lot over the past few months about some of the similarities between these two very different areas of study. This is meant to be a thought exercise: a way to get down some of these thoughts and to flesh out the idea further.

Red team vs. Blue team

St. Louis Cardinals vs. Chicago Cubs; Boston Red Sox vs. Toronto Blue Jays; Texas Rangers vs. Los Angeles Angels of Anaheim; Washington Nationals vs. Atlanta Braves; Philadelphia Phillies vs. New York Mets; Arizona Diamondbacks vs. Los Angeles Dodgers.

All the matchups above are teams with red vs. teams with blue. The most prolific matchup is probably the first one: Cardinals vs. Cubs. There's a long history of those two fan bases disliking each other. A lot.

It's a little more complicated than that, though. Within each team are offensive players vs. defensive players, so maybe the analogy works better in a single game, rather than a series. So within a game you have your hitters, the red team, and your fielders, the blue team. But what does that make pitchers? Would pitching be the business objectives or goals? Depending on the organization it could be sensitive information or the asset that makes the business profitable. So pitchers are the business goals and the ball is the sensitive information that makes the organization operate.

A good defense/blue team is going to help minimize the impact a ball hit into play makes. There are very few no-hitters and even fewer perfect games. The same idea applies to security measures: there is no perfect defense. Someone will, at some point, get a hit or breach the network. The impact of that breach will depend on how good your defense is, but we shouldn't just focus on defense. To win the game you need to score some runs yourself, and having a good red team, or at least understanding red team tactics, is important to winning the game.

Baseball players play both sides of the game. Some are good at offense; some are good at defense. They play both sides of the game and that's something that I think also needs to be done in security.


'Hacker Summercamp' links August 11, 2014

Meet the Puzzle Mastermind Who Designs Def Con's Hackable Badges - Kim Zetter - WIRED

This is really cool and I am jealous of anyone that got one of these badges.

Dan Geer Touts Liability Policies For Software Vulnerabilities - Sara Peters - Dark Reading

Another angle on Dan Geer’s opening keynote at Black Hat. Rafal Los linked to the full talk on Twitter if you’re interested:

John McAfee: Google and Facebook's Erosion of Privacy is a Tragedy - Phil Muncaster - Infosecurity Magazine

John McAfee had an interesting closing talk at BSides Las Vegas about privacy.


Dealing with the ransomware known as CryptoLocker

Ransomware is some pretty nasty stuff and it’s only getting nastier. This particular kind of malware encrypts a person’s drive and then locks the user out of it. To unlock it the person must pay, usually in bitcoin, to regain access to the freshly encrypted data. Brian Krebs recently called 2014 ‘The Year Extortion Went Mainstream’ and one of the reasons he gave was online criminal activity like ransomware. One of the most well-known ransomware families is called CryptoLocker.

There are a couple of ways that ransomware can be combatted:

Take good backups

The backups should be offline. If they’re online then attackers could potentially get access to that device and take it over. Recently, it was found that some Synology NAS devices running older firmware versions could be infected with ransomware, which leads to the next point.

Keep your system up-to-date

This is nothing new and something that has been suggested thousands of times. Still, systems are being left unpatched. I know it’s not easy, especially when there are a lot of other things to do, but one of the easiest ways to keep your system up-to-date is to use a program like Secunia. It does most of the work for you and is fairly user friendly.

Trust your intuition online

Listen to that voice in your head telling you clicking on this link or that link is a bad idea. It’s usually right. If it feels wrong or it’s too good to be true, it probably is. I’ll leave it at that, because that is something else that gets mentioned a lot in ‘online safety.’

If all else fails, there's an app for that

Recently, Fox IT and FireEye teamed up to offer a free decryption service that will get people infected with this ransomware their files back. I haven’t tried the service, nor do I know how well it works, but both FireEye and Fox IT are legitimate security companies.

At this point in time, there is no other way to get data back from a ransomware infection. You either need to avoid ransomware altogether, reinstall your operating system and restore from good backups, or use the FireEye/Fox IT service. If you try the service I would love to hear about your experiences with it.


What vendors should not do at a security conference

This is what not to do if you're a vendor at a security conference.

Sure, sex sells, but a lot of the people going to a security conference are PROFESSIONALS. What turns on security professionals at a security conference are products that work well and vendors that can technically explain that product.

Leave the half-naked women at home.


Terrifying 'Hacker Summercamp' links August 7, 2014

BSides Las Vegas - Incidents happen, react and learn from them - Dan Raywood - IT Security Guru

Adam Shostack opened the BSides Las Vegas conference with a talk titled "Beyond good and evil." The gist of the talk is to be more open about incidents that occur within the organization. The idea is that the transparency will not only benefit the breached but also those looking to learn from a breach.

Black Hat 2014 and Media Fud - Bill Brenner - Liquidmatrix

Read this and you'll understand why the word 'terrifying' leads the title of this post.

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them - Kim Zetter - WIRED

In the opening keynote at Black Hat, Dan Geer suggested, among other things, that the U.S. government buy up all the zero-day vulnerabilities and release them to the public. This would allow companies to close a lot of vulnerabilities in their software and applications. I like the idea, I just don't think we'll ever see it happen.


InfoSec links August 6, 2014

The NSA's Cyber-King Goes Corporate - Shane Harris - Foreign Policy

Join Army -> Rise to four-star general -> Become head of NSA -> Set up surveillance state -> Retire -> Create new security software to detect “cyber-intruders” -> Profit

Why the Security of USB Is Fundamentally Broken - Andy Greenberg - WIRED

Welcome to my paranoia. USB drives are a wonderful thing. They really are. Unfortunately, they can be configured or programmed to be an awful thing and that is a scary thing. Never plug an untrusted, or unknown, USB anything into your computer. Ever!

Announcing EMET 5 - Security Research and Defense Blog - Microsoft

EMET is a fantastic tool and one of the easiest, quickest and cheapest ways to improve the security on your computers. I would highly recommend downloading it and giving it a try at home and at work.


Exploring Information Security: What is cryptography


In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth-sounding Justin Troutman, a cryptographer from North Carolina, about what cryptography is.

Justin is a security and privacy researcher currently working on a project titled "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about:

  • What cryptography is

  • Why everyone should care about cryptography

  • What some of its applications are

  • How someone would get started in cryptography and what skills are needed

Leave feedback and topic suggestions in the comment section below.


InfoSec links July 29, 2014

Banks: Card Breach at Goodwill Industries - Brian Krebs - Krebs on Security

Who steals from Goodwill? Honestly.

What's the worst thing you can say to a sysadmin? - Naked Security - Sophos

I had no idea there was such a thing as SysAdmin day, let alone that it’s been going on for the past 15 years.

The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil' - Jordan Robertson - Bloomberg

A profile on Barnaby Jack, about whom I’ve heard only good things.


InfoSec Links July 28, 2014

Here's How Easy It Could Be for Hackers to Control Your Hotel Room - Kim Zetter - Wired

The attack surface for hotels will increase as more electronic amenities are added to rooms. Security should be kept in mind from both the hotel side and the guest side.

How Thieves Can Hack and Disable Your Home Alarm System - Kim Zetter - Wired

It looks like some home security companies have some work to do in the security arena. Codes are being transmitted in a way that allows someone with the right equipment to capture your home alarm system code and they don’t necessarily need to be standing in front of your house. I like the idea of rotating numbers similar to what you get with two-factor authentication.

The App I Used to Break Into My Neighbor's Home - Andy Greenberg - Wired

This is scary. And even scarier is the fact that the company that designed an app to make keys from a picture seems to downplay some of the concerns surrounding that technique.
