Paul's Security Weekly - Episode 359 for Thursday January 23rd, 2014
- New webcast next Tuesday 1PM EST called "Build A Security Program From The Ground Up: Crawl, Walk, Run". Go to http://securityweekly.com/webcasts for registration information!
- Security Weekly will be at the SANS ICS Summit from March 12-18th, doing a live podcast on Sunday night, covering the courses and attending the 2-day summit. Security Weekly subscribers can now enjoy a 20% off discount code! Use SecurityWeekly20 on checkout to get that discount applied. This conference will be held at the Contemporary Resort & Convention Center in sunny Orlando, FL. REGISTER NOW!
- We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details; there are still a few slots available!
Guest Interview: James Arlen (@myrcurial)
James Arlen is a senior consultant at Leviathan Security Group, a podcaster for the LiquidMatrix podcast and is a boardmember for the SecTor conference. He's Myrcurial on Twitter and firmly believes that "Han shot first".
James Arlen is a senior consultant at Leviathan Security Group providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for 18+ years. James is also a contributing analyst with Securosis and has a recurring column on Liquidmatrix Security Digest (http://www.liquidmatrix.org). Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.
- Is being a CISO as sexy as it sounds?
- It's been claimed that you are "the originator of the term 'cyberdouchery'". Tell us how that came about.
- How do you feel about people saying they are experts? Why?
- How important is it for security researchers to both write and present well? How can they improve?
- When we talk about SCADA, it generally encapsulates ICS/DCS & SCADA; what are the differences?
- What are the greatest threats to both ICS/DCS and SCADA?
- What do you mean with the theory Money = C (the speed of light) as it applies to Security?
- Private MPLS and Frame Relay links that rely on speed, and don't have firewalls or ACLs, are still secure, right? Why is this a best practice in some industries?
- In three words or less - Why does everyone want to blame Canada?
- Three words to describe yourself
- True or False: SecTor is ShmooCon but with more snowpocalypse.
- Luke, Leia or Guido? <== Correction, Greedo.
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- Stranded on a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?
Special Guest: Kristian Hermansen
- Larry teaching SANS classes: Check out his SANS page for the details: 617 in Orlando in March, also 571 at RSA.
- SEC504 in Mentor format in Downtown Boston coming up in April! Use the discount code "SecOrg" when registering for 10% off the class. Register at http://tinyurl.com/SEC504-Boston. Email email@example.com for more info or for a special discount code if you prefer to get the GCIH attempt for free instead.
Kristian joins us regarding the recent article on healthcare.gov:
- Website Launch -- When the healthcare.gov website first launched at around midnight on October 1, the entire site and referenced sites like ObamaCare California were indexed by Google, other search engines, and places like Shodan. Even before the site officially launched, these same engines were likely scanning the sites and finding content that may have been inadvertently exposed due to the rush to meet the deadline. When a site goes live, the Internet never forgets. Some entity, somewhere, likely has a copy -- whether that entity be Google, archive.org, Shodan, the NSA, a nation state operative in China, or even some motivated Romanian criminal that deals in identity forging.
- Bug Bounties -- Federal and State websites should all operate bug bounty programs to reward independent researchers for their work that benefits the public interest. Lay out what is allowed and what is not allowed, specifically, and make it easy to contact someone. For example, Google has an excellent bug bounty program, which should probably be considered the model for everyone else on the Internet. For example, Google specifically advises that researchers create test accounts that they control to demonstrate their vulnerabilities. Google specifically disallows using another unwilling user’s account to carry out proof-of-concept security research. If a researcher does discover a vulnerability, Google has a dedicated email address that can be contacted and they generally respond within 24 hours. Depending on the severity of the issue, the researcher could be offered thousands of dollars in rewards. In general though, between $100 and $500 seems like a fair reward for basic issues that most sites would encounter. Compare that minimal cost to hiring just one security analyst for a year in the USA, or even the cost of a large high-profile security audit that is merely a snapshot in time. Bug bounty programs are 24/7 and help organizations even after they make changes to the initial roll-out. They are a great supplement to internal security processes.
- Auditors -- With respect to external auditing companies, it is great to have them, but they are just one perspective of many. Sometimes those auditors have interests that are opposed to the public interest or are just politically entangled with the audited company. As an example, an auditing firm may have a financial or political reason to rubber stamp the audit with a PASSING score. External security researchers are almost certainly not burdened by the same issues and therefore you get feedback that is closer to reality and less biased. What happens if someone involved in a large project refuses to sign off or attest to its security? Is the project halted and the deadline pushed back? Didn’t this happen with HealthCare.gov site? And that person was fired? I’m just going by the testimony to Congress that I watched last week.
- Shooting the messenger -- David Kennedy was invited to Congress last week only to be lambasted by some members of the House. One member even tried to get Dave’s testimony dismissed on the grounds of what sounded like tax evasion charges, which are almost certainly untrue and were merely used as political ammunition to shoot the messenger. This is not helpful, and again, doesn’t serve the public’s interest.
- Reporting vulnerabilities -- With respect to reporting vulnerabilities, it is another difficult process for researchers, especially if there is no reporting program already in place. Combine that with a rushed deadline and lack of capacity for handling customer issues :(
... Now, I am told that the ObamaCare California issue was used as an example in your recent webcast. And that the recommended solution was to contact CERT for any issues relating to government sites. One clarification I wanted to make about that is the fact that ObamaCare California and many local exchanges straddle an interesting position that is somewhere between the state and federal sides. For instance, the main ObamaCare California site is not hosted on a .gov domain at all -- the main site is CoveredCa.com and this is where your experience starts when you interact with the site. It doesn’t end there and yes there are some interactions with .gov domains. I just want to reiterate that CERT was involved in the coordination, but that this straddling is an interesting question to discuss. Does it mean that California state laws about privacy do not apply because this is a federally-associated website? California Online Privacy Protection Act (COPPA) states that only COMMERCIAL sites have to conform to privacy requirements. Does this mean Californians have no expectation of privacy? We already know that they may be exempt from HIPAA requirements. There is also Confidentiality of Medical Information Act (CMIA) that says (in essence) that contractors aren't to disclose personal medical information without authorization, even if HIPAA doesn’t apply. I think it is safe to assume that the public believes these sites should be bound to such policies, but that the sites may in fact have legal exemptions, which is irksome. These are very interesting points to discuss.
- Target breach shows payment system security needs less talk
- FireEye Finds Six Android Malware Variants Stealing Data
- Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations
- Read this before you buy another hard drive | HITBSecNews
- How a Math Genius Hacked OkCupid to Find True Love - Wired Science
- Chrome Browser Becomes Eavesdropping Tool
- Critical Infrastructure Protection Bill Passed in Committee
- Microcorruption - [Larry] - Arguably one of the first of its kind: a CTF strictly for embedded devices. You get to participate online and remotely hack a set of electronic locks. Neat stuff. Did I mention that it is free, and provided by Matasano and Square?
- DEF CON 21 videos - [Larry] - Did you sleep in? Hungover? Too busy with hallwaycon or checking out some contests? Now you can catch up on all of the talks that you missed at DEF CON 21, including the FAIL PANEL where I drop some fun goodies on Smart Grid stuff.
- Great use for your RTL-SDR - [Larry] - We talked about these inexpensive software defined radios on episode 300, and the uses for them just keep growing. It isn’t just for interpreting unknown (or known) signals; it makes a great tool for intercepting YOUR signals as a troubleshooting aid.
- Snapchat, STAHP. - [Larry] - First the “hack”, then the poor response, then the commitment to “make things more secure”. What did they do? They added a verification step for queries that requires you to find the Snapchat ghost in one of 9 images and click on it. Too bad it was cracked with 100 lines of code 30 minutes after Steven Hickson investigated it using image recognition libraries. 100% accuracy. Repeat after me in a robot voice: “I AM NOT A COMPUTER!”
- Gas Pump Card skimming - [Larry] - Sure, this has been around for a while, but this technique of gathering the track and PIN data is becoming more widely adopted by attackers. The device in the pump that captures the data stores it, and it can then be transferred to the attacker over Bluetooth. Easy peasy: pair the device before install, and any time you are near, it pairs and you can script a download of the data. Before, you used to have to physically retrieve the device, or be in close proximity to observe the radio signal (such as 900 MHz). Not any more. Now the specific challenge here is: how do you monitor for rogue Bluetooth devices, at scale? I know of NO commercial rogue Bluetooth detection offerings. Not to mention the challenges of false positives…
- Spoiled Onions - An interesting study on detecting malicious Tor exit nodes, as determined by the use of sslstrip, HTTPS MITM, or other tampering.
- An old system and a SWAT team - Attackers called in a bomb threat during a computer compromise.
- Kali Linux Amazon EC2 Images - You might find this useful. I do.
- Dr. Eugene Spafford's ISSA keynote from last fall. Spaf gives a great, if depressing, history lesson on InfoSec. This talk is a painful lesson in our ability to repeatedly solve the same problems without ever actually implementing the solutions.
- Mobile Malware Memory Lane - [Joff] - 2014 marks the 10th anniversary of Cabir, the world’s first mobile phone malware. To mark this occasion, Fortinet’s FortiGuard Labs strolls down memory lane to examine the evolution of mobile threats during the last 10 years.
- HackingTeam expands Galileo to include Windows Phone - [Joff] - HackingTeam is reportedly able to bypass encryption and monitor emails, files, Skype, and other VoIP communications. The firm is also able to remotely control cameras and microphones. It does all this through Galileo.
- PLCpwn prototype - [Joff] - From the S4x14 conference: a researcher has rigged a programmable logic controller (PLC) with a low-cost hacking tool that can shut down a process control network with a text message.