Security Stallions Blog "Musings of all things infosec…"

14Sep/09Off

Daily Digs – 09.14.2009

Well, "daily" has been more like "weekly" as of late, but the digs are back.

I think this one is good on a few fronts, but mostly from a humorous perspective.  Joe Lieberman and Susan Collins should stick to whatever they do best - and that doesn't include addressing "cyber crime".  They're proposing a public / private relationship so that the government (really?) can help them defend against attacks.  OK, didn't the FBIs website just get defaced recently?  Unless the blunt plan is to put up some sort of subsidy (which I'm not at all endorsing) the government is just going to spin up more useless programs that are run by people who just-don't-get-it.
[Committee Examines Growing Cyber Threat to Businesses]
[FBI Jobs Site Gets Hacked]

Unique is not random is not secure.  I'm not sure that's a complete sentence, but it sums up the article on Newsoft's Tech Blog rightfully.  For a run down of examples on the differences in the three concepts hit up the link.
[Unique is Not Random is Not Secure]

The Consumerist ran a story this morning with video from LiveLeak on a man installing a skimmer.  I'd have to say that I'm definitely more cognizant when using ATMs that are non-bank affiliated and portable.  At one point in time I really didn't like ATMs that sucked the card into the machine, however today it makes sense as less risk to me.
[Guy Installing Skimmer on ATM]

I can honestly say I really didn't know much about 'RNS' before I read this article today, but the Fed seems to have cracked down a few of the key members.  I'm not sure why the title references RNS as an '0Day' group however.
[Fed Crackdown on 'RNS' Signals Death to Oldest 0Day Group Online]

Don't have the cash or time to go to one of the big name cons?  ChrisJohnRiley posted an article about the first online hacker con entitled SecurityTubeCon.  There's a call for papers (& vid) out until October 20th, so get your talk ready to go!
[First Online Hacker Conference]

That's all the time we have for comments tonight, but we'll leave you with some other links to ponder.  Thanks for stopping by!

[Windows Autoplay Behavior Updated]
[Gustav, the Hackerspace Twitter Bot]
[Loan Officer Indicted for Fraud and ID Theft]
[Dradis 2.4 Released]
[PhoneCrypt is Available for the iPhone (and entirely overpriced)]
[20 Temporary / Disposable Email Services]
[Hacker's Hideaway ARP Attack Tool Released]
[SourceFire's Vulnerability Report for September Screencast]
[Practical Intrusion Analysis Book Review]

Tagged as: , , , , , , , , , , , , , No Comments
18Aug/09Off

Daily Digs – 08.18.2009

Good evening ladies and gents to a belated round of digs.  Apologies for the lack of a weekend and Monday post, but travels and an unexpected difficulty made posting rather hard.  We're back to our weekly schedule with the exception that the screencast is being pushed back to next week and there may not be a weekend redux.  We'll see how things pan out, but stay tuned regardless!

So what do you get when you cross rookie "cyber crime" law enforcement and some stolen passwords?  Well, everyone seems to have had something to say about it today as law enforcement blew any chance of using underground leads they already had access to.  Check out the nice write up over at the SpywareGuide blog.
[Law Enforcement Altered r00t-y0u]

The Windows Incident Response site has some got a write up around all sorts of tools you should have in your box with regards to forensically collecting information on images.  NetworkMiner is mentioned at the very end and is something that I had, at one time, meant to check out but never got around to.
[Windows Incident Response - Tools and Links]

Only 130 million card numbers?  Really, that's all Sevgec and crew came up with?  Sure you caught the sarcasm but if not, and this trend continues, we're in for the fire storm sure to follow as consumers start to demand better protection in the cardholder space.
[Three Men Charged in 130 Million Credit Card Theft]

Need a good definition to describe insecure cookie handling to, possibly, misguided web devs?  Cenzic has your answer over on their blog.
[Insecure Cookie Handling]

The US-CERT has some useful resources and the weekly security bulletin is definitely one of them.  If you've never checked it out I'd recommend starting now.  Although this of specific interest this is just one of the large volume of feeds we scour for daily insights.
[US-CERT Weekly Bulletins]

Windows 7 -- can it be the saving grace to the flop better known as Vista?  I think surely Microsoft has a decent chance with this revision of their, once, flagship product.  Problem is that the OS is still too big for it's britches and legacy support will be the bane of it's security problems well into the next 5 years.  XP mode is definitely going to be one of the most difficult areas of 7 to swallow because, in essence, one will now have to maintain security patches of two operating systems moving forward and as we all know most people have problems just dealing with one.
[Windows 7's Achilles' Heel]

SANS has an interesting article up entitled "Surviving a Third Party Onsite Audit".  I'm sorry but this is just wrong coming from SANS.  Generally they have their head on straight and are a good resource for information but "surviving" an audit is not something people should be focused on.  The real focus should be doing security the right way every day, not just when one knows the auditor will be knocking on the front door.  I see it time and time again in clients wherein everyone is always in scramble mode and then, if all goes well, it's a celebratory "win".  That is, until next time when you scramble to put in that extra new box with blinky lights that's the saving-grace for today.  Do it right and do it right everyday and if you can't do that then fall back to "the audit survival guide".  At that point, however, you really need to question the abilities and resources you have to do due diligence.
[Surviving a Third Party Audit]

Can you pick a 5-pin in 87 seconds?  I'm guessing not - unless your name is Jos Weyers.  Check this video out of him at LockCon.
[87 Seconds... Jos Weyers!]

Oh Facebook -- you're the favored platform of phishers and skiddies alike!  One more reason to avoid social network platforms, especially those that all of your super security conscious friends from high-school running Windows ME are on.
[Facebook Phishers Cast Multiple Lines]

Today must be a day of definitions because if you've ever really wanted to know what ESAPI was, without digging into it, you've just hit the jackpot.  Although this one's been out for a few weeks it just made its way across my feeds and is definitely a worthy read if you're interested in what it is and some show and tell of how you can help justify implementing it.
[What is ESAPI?]

That's all for tonight's digs folks!  Although I have a ton left in the queue it's about that time to post.  Check out some of the left overs in the grab bag below.

-windexh8er

Tonights grab bag lineup as follows:
[IEEE Connections Program]
[Visualizing IDS Output]
[Routing Redundancy: How much is enough?]
[Personal Responsibility in PCI]
[Useful Security]
[Federated ID, OpenID and OAuth Primer]
[FTC Issues Health Breach Notification Rule]
[Hyperjacking]
[DNS Blacklist Unveiled]

Tagged as: , , , , , , , , , , , , , , , , , , No Comments
   

Tags

Adobe announcement Apple AV Black Hat breach Cheerleader Cisco Cloud Craigslist DDoS DEFCON DHS encryption exploit Facebook forensics google Heartland IDS ie6 Intel iPhone IPv6 linux Lockpick Malware MasterCard Microsoft news OpenDNSSEC pci PIN Pirate Bay Pwnies skimmer Social Engineering SSL tools Tor Twitter Volatility wikileaks X.509 ZF05

 

July 2010
M T W T F S S
« Feb    
 1234
567891011
12131415161718
19202122232425
262728293031  

Random Musings

Previous Next

» Leave A Reply!



Twitter: windexh8er