Security Stallions Blog "Musings of all things infosec…"

Weekend Redux – 08.09.2009

Really?  It's Sunday night already?  Where has the weekend gone?  Maybe this roundup of weekend security related articles will give you some enlightened reading before Monday jump starts your week yet again.

One slight clarification for the sight on our posting strategy: Daily Digs are Monday through Thursday evenings (should be posted between 6:00pm and 10:00pm Central from now on) and Weekend Redux will be Sunday evenings (before 10:00pm Central).  Weekend Redux will be Friday, Saturday and Sunday's news jam packed into one post.  That being said if we do a post on Friday night Weekend Redux will just be Saturday and Sunday.  We're trying to find the best fit on traffic levels so we'll keep an eye on the traffic logs during different post times to try to maximize the usefulness to the bulk of any readers.

We're also looking forward to starting a sort of weekly challenge that will include an actual prize!  Look forward to more details later in the week and our first shot at it this coming weekend.  Also, as promised last week, we'll have our first screencast based on the winning votes of last week (sslsniff).

So it's a big week and it all starts now...

Generally when we see patents come out of Apple these days they're for new and interesting things that are useful to the customer.  On Friday, however, we ran across a story on CNET about apple patenting some new ways to diagnose abused hardware.
[New Apple Patent Means No More Microwaving Your iPod]

Whether of not you're a fan of PCI it's always a good idea to know both sides of the story.  In that case the post over on Chaordic Mind is some enlightened reading and, if true, makes Dave Hogan (CIO of the National Retail Federation) look like, well, kind of a schmuck.
[Dave Hogan Doesn't Know PAN]

Thinking about IPv6 lately?  It's been one of those on and off topics in the industry for the last ten years, but it's one of those technologies that is great to have in your back pocket for spur-of-the-moment chats.  The more you know, the better you are, so why not stay ahead of the curve, right?  Richard Bejtlich has a review of "IPv6 Security" up on his site.  The guy (Richard) must be a speed reader who can just absorb books because his level of consistency and thoroughness of reviews is second to none.
[Review of IPv6 Posted]

ThreatPost posted an article Friday that had a link to Nate Lawson's Google Tech Talk.  I watched the entirety of it over lunch and was amazed at Lawson's depth of simplifying crypto to some sound fundamentals and got some new insight to the shortcomings of some encryption implementations that have, thus far, been left alone -- but probably won't be in the next twelve months.
[Nate Lawson - Crypto Strikes Back!]

The Security Shoggoth (a new addition to the feeds) has the  announcement of part two to "Automating Malware Analysis" in HAKIN9 (security mag).  I read the first article in the last edition and look forward to picking up the recently released copy.  Either way, the blog post has some insight if you're not up for spending the $$$ on HAKIN9 (which is, in itself, a tad on the expensive side).
[Automating Malware Analysis Part 2]

I wasn't going to post any TWITTER-DDOS-OMG-PONIES-UNICORNS-FAILWHALE-LOLCATZ links, but I read one that kind of got under my skin.  Stefan Tanase posted a guest editorial on ThreatPost that's ripe with hypocrisy.  In paragraph two he states he's "not a political commentator" but implies, a few paragraphs later, that the attack was rooted via a "government".  Sorry Stefan, your piece sucked and just added to the FUD of Twitter crap articles that flooded everyone's readers late last week.
[Cutting Through the Twitter DDOS Hype]

CNET had a very entertaining piece up on Friday about NORAD's alternate command center with some rare photo opportunities.
[NORAD's Alternate Command Center Illustrated]

It seems odd, when everyone is buzzing about shutting down social network access the U.K. is Defence Ministry is, well not exactly encouraging it, but more so encouraging good use of.
[U.K. Defence Ministry Encourages Troops to Use Social Media]

While I haven't had a chance to yet fully read the announcement in the Federal Register, it sounds as if enforcement of HIPAA has shifted from CMS to the Office for Civil Rights.  If you're interested in that sort of news it may (or may not) be a worthy read.
[HIPAA Security Rule Enforcement Shifts to OCR]

The Office of Inadequate Security has a new "Bits 'n Pieces" posted.  Some of the highlights include cloning cards to aggravated identity theft, oh joy!
[Bits 'N Pieces]

Oh Iowa, if it's not enough you're at the butt of my Midwestern jokes (I grew up and live in the Midwest), but you like to hand out SSNs too?  The Des Moines Register has an article up on how hundreds of Iowa's top officials and board members social security numbers were available via a public site.  Guess someone needs to talk to Kevin Riggins down there!
[Social Security Numbers Visible on State Site]

Exotic Liability posts podcast number 30 over the weekend.  Topics for this show include VoIP, Fuzzers, DNS and more!
[Libsyn - Exotic Liability Podcast #30]

Jack Daniel doesn't post a whole lot to the "Uncommon Sense Security" blog, but when he does it's generally entertaining.  Jack's talking about smart people saying dumb things this time and it's all too common.  David Rice of "Geekonomics" are in his sights this time, hit the link for the great post.
[Smart People Saying Dumb Stuff Again]

Cloud for Clunkers?  Only Mr. Hoff could come up with that sort of intro.  While it feels like Hoff's insights have a deeper rooted interest these days (since Cisco - and who can blame him?) his posts are generally great reads.
[The Cloud for Clunkers Program]

More Black Hat presentation videos are being posted the further we drift from when the big event was.  SensePost has part 5 of 5 of the series up, this one focused on XSS in Apple's MobileMe service.  I particularly liked the concise delivery of the message in the conclusion - the unintended consequences directly related to web interfaces for controlling cloud services.  Good stuff!
[Black Hat Presentation Demo: MobileMe]

An old trick, but a good one.  Neighbors stealing your Internet?  Don't cut them off right away, have some fun first! (I know, I know, this isn't new but seemingly it hit Digg again and it's been a while since I've toyed with any traffic on the honey pot AP in my place of residence.)
[Upside-Down-Ternet]

Tr.im gets the axe.    I'm actually rather sad because this means the monopoly of URL shorteners just got, well, shorter.
[URL Shortener Tr.im Gets Cut Off]

Finally we come to our last link.  Dave Kerb, tonight, has released the "Tor Backdoor".  Although not anything earth shattering if you're a security nut, you'll want to be in the know!
[Tor Backdoor Released]

And that's it for the first official installment of the weekend redux!  I truly hope everyone had a safe and enjoyable past couple of days.  Stop back tomorrow for Monday's daily digs!

--windexh8er