Impressions from Bsides Nashville 2015

For the second year in a row, I traveled to Nashville this past weekend for its local BSides security conference, and like last year it was a wonderful conference to be a part of.

I took my camera again this year and I will have pictures from the conference before the month is out. I've got school to wrap up and several other things going on over the next couple of weeks. Time is very much at a premium for me right now, but I wanted to take a quick moment to highlight a couple of good things that happened at the conference.

First, I met several wonderful people this year, including Amanda, Tim, Brett, Shelby, Frank, esSOBi, Adrian, and many, many others. I also got to interact a little more with Lauren and Geoff and the rest of the BSides Nashville organizers this year, which was a treat. Putting together a security conference is a lot of work, and they did a very good job again this year. I am already looking forward to next year.

The talks were again fantastic, though I didn't get to sit in on as many as I did last year. A green track was added to the conference this year, and it was completely packed for every talk. There is a lot of interest in information security right now, and that track was the proof. I hope more security conferences, and BSides in particular, take note and start catering talks and content to people just starting out in security.

The one talk that stuck out to me the most was Johnny Xmas' "That's NOT my RJ45 Jack!: IRL Networking for Humans." The description is in the link and the talk is embedded below so I won't get into what makes the talk great. You'll just have to watch it. The one thing I will say is that this talk isn't just for security professionals. It's for professionals in general.

Watch it!

Almost forgot, the food was amazing again this year!

This post first appeared on Exploring Information Security.

The only thing I'm going to say about the Sony mess

I had a long list of links that I was going to use to put together a longform post about the Sony hack titled, "The massive Sony link dump." I am currently in the process of re-evaluating my priorities and what I want to do with my time in regards to this site. A massive post about Sony lost its luster pretty early in the process and was thus axed in the face. In its place I have something much more fun.


The guys over at Data Driven Security, who have a wonderful podcast and were recently guests on the PVC Security Podcast (Episodes 7 and 9) that I produce, put together a site that finally solves the Sony attribution problem. If you don't like the attribution you get, simply refresh the page and you get a new one. It's called the Sony Hack Attribution generator, and it's utterly fantastic!

Give it a whirl or two or 50.

This post first appeared on Exploring Information Security.

Infosec links January 6, 2015

Chip & PIN vs. Chip & Signature - Brian Krebs - Krebs on Security

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Banks' Lawsuits Against Target for Losses Related to Hacking Can Continue - Nicole Perlroth - The New York Times

The ruling is one of the first court decisions to clarify the legal confusion between retailers and banks in data breaches. In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.

Banks: Card Breach at Some Chick-fil-A's - Brian Krebs - Krebs on Security

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

This post first appeared on Exploring Information Security.

What I learned about information security in 2014

On New Year's Eve the PVC Security podcast had a very impromptu recording session. We decided, on Twitter, five hours before the New Year to record our weekly podcast and discuss what we learned about security in 2014. I was hosting a party at the exact time of the recording, so I didn't pipe in with what I learned in security last year; instead I'll write about it here.

The biggest thing I learned about security in 2014 is that it’s very important to have a solid background in IT. Understanding how a network is put together and how computers and servers work goes a long way in helping to secure them.

It is also extremely helpful in getting security implemented in an organization. Implementing security should not be about telling people their systems or applications are broken and that THEY need to go fix them. It should be about working together to find the best, most secure way of doing things. Understanding the limitations of a network, computer or server is going to help in finding the best solution to a security problem.

I’ve been working in information technology since 2002. I’ve done everything from moving phone lines to pulling cable to soldering to workstation troubleshooting to inventorying to server management to network management to now security. I’ve got a very broad IT background and I’m starting to realize that it is helping me become a good security professional. That’s not to say that one can’t jump into security or take another route to security, but I think I’ve benefited from having experience in the areas that I now find myself trying to secure and keep secure.

Happy New Year! I am looking forward to all the new things I will learn in 2015.

This post first appeared on Exploring Information Security.

Console infosec links December 31, 2014

Grinches steal Christmas for Xbox Live, Playstation Network users - Eric Bangeman - ars technica

Hacker group Lizard Squad took credit for the DDoS attack via Twitter, promising to back off once they get a sufficient number of retweets. "Get this tweet 2,000RTS and make sure to follow @iBeZo if you want us NOT to hit XBOX and PSN #offline for the rest of the night! RT," the group tweeted Christmas night.

Darkode - Ode to LizardSquad (The Rise and Fall of a Private Community) - MalwareTech

With darkode as a cybercrime hotspot, it's not really a huge surprise that people working in the security industry gained interest in getting access. Researchers such as Xylitol and Brian Krebs dedicated a big part of their blogs to having the inside scoop on darkode, and although admins were very proactive in seeking out and banning security researchers, there was always another hacker to pay off or account to hijack, resulting in numerous threads hating on researchers and Brian Krebs becoming a meme.

Who's in the Lizard Squad? - Brian Krebs - Krebs on Security

The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft‘s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks.

This post first appeared on Exploring Information Security.

NSA infosec links December 30, 2014

Over 700 Million People Taking Steps to Avoid NSA Surveillance - Bruce Schneier - Schneier on Security

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

NSA waiting until Christmas Eve to reveal its embarrassing self-audit - Kevin Collier - The Daily Dot

The report is a collection of documents, heavily redacted, arranged by quarter, and ranging from the end of 2001 to the end of 2012. They largely catalog individual instances where a National Security Agency employee illegally or mistakenly used the agency’s powerful technology to search an American or a foreigner in the U.S. without a warrant, was caught, reprimanded, and the information deleted.

Prying Eyes: Inside the NSA's War on Internet Security - SPIEGEL Staff - SPIEGEL Online International

Today, NSA spies and their allies do their best to subvert the system their own military helped conceive, as a number of documents show. Tor deanonymization is obviously high on the list of NSA priorities, but the success achieved here seems limited. One GCHQ document from 2011 even mentions trying to decrypt the agencies' own use of Tor -- as a test case.

This post first appeared on Exploring Information Security.

Hacking infosec links December 29, 2014

Hacker Lexicon: What Is an Air Gap? - Kim Zetter - WIRED

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

Hacker Lexicon: What Is a Backdoor? - Kim Zetter - WIRED

Generally this kind of backdoor is undocumented and is used for the maintenance and upkeep of software or a system. Some administrative backdoors are protected with a hardcoded username and password that cannot be changed, though some use credentials that can be altered. Often, the backdoor’s existence is unknown to the system owner and is known only to the software maker. Built-in administrative backdoors create a vulnerability in the software or system that intruders can use to gain access to a system or data.

Marketing Just Isn't Ready for Hackers - Peter Herzog - Dark Matters

The infosec staff that came through had been talking about it being a potential toehold in the company to reach other systems. But when they saw the compromises didn’t go further than a few servers in marketing, they concluded it was just an employee who brought the infection in from home and that they caught it in time.

But did they?

This post first appeared on Exploring Information Security.

Policed infosec links December 24, 2014

Pirate Bay Has Been Raided and Taken Down: Here's What We Know - Kim Zetter - WIRED

“There were a number of police officers and digital forensics experts there. This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many,” Swedish prosecutor Fredrik Ingblad told Radio Sweden.

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users - Kevin Poulsen - WIRED

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of  suspects hiding behind the Tor anonymity network.

The Limits of Police Subterfuge - Bruce Schneier - Schneier on Security

The facts are these. In June, two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

This post first appeared on Exploring Information Security.

InfoSec links December 22, 2014

Hacker Lexicon: What is a Zero Day - Kim Zetter - WIRED

Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious behavior).

Finally, a New Clue to Solve the CIA's Mysterious Kryptos Sculpture - Kim Zetter - WIRED

The 12-foot-high, verdigrised copper, granite and wood sculpture on the grounds of the CIA complex in Langley, Virginia, contains four encrypted messages carved out of the metal, three of which were solved years ago. The fourth is composed of just 97 letters, but its brevity belies its strength. Even the NSA, whose master crackers were the first to decipher other parts of the work, gave up on cracking it long ago. So four years ago, concerned that he might not live to see the mystery of Kryptos resolved, Sanborn released a clue to help things along, revealing that six of the last 97 letters when decrypted spell the word “Berlin”—a revelation that many took to be a reference to the Berlin Wall.

How the World's First Computer Was Rescued From the Scrap Heap - Brendan I. Koerner - WIRED

When the Army declared ENIAC obsolete in 1955, however, the historic invention was treated with scant respect: its 40 panels, each of which weighed an average of 858 pounds, were divvied up and strewn about with little care. Some of the hardware landed in the hands of folks who appreciated its significance—the engineer Arthur Burks, for example, donated his panel to the University of Michigan, and the Smithsonian managed to snag a couple of panels for its collection, too. But as Libby Craft, Perot’s director of special projects, found out to her chagrin, much of ENIAC vanished into disorganized warehouses, a bit like the Ark of the Covenant at the end of Raiders of the Lost Ark.

This post first appeared on Exploring Information Security.

InfoSec links December 18, 2014

Spike in Malware Attacks on Aging ATMs - Brian Krebs - Krebs on Security

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

This Fake Log Jams Your Phone So You'll Shut Up and Enjoy Nature - Andy Greenberg - WIRED

Artist and coder Allison Burtch has created a new device to save us from our cellphones and ourselves. It comes in the form of a 10-inch birch log that jams cellular radio signals, and it’s called the Log Jammer. Packed with about $200 of hardware including a power source, a circuit board of her own design, voltage control components, an amplifier, and an antenna, it can produce radio noise at the 1950 megahertz frequency commonly used by cellphones. It’s powerful enough to block all cellphone voice communications in a 20-foot bubble, and its log-like exterior is designed to unobtrusively create that radio-jamming zone in the great outdoors.

'Replay' Attacks Spoof Chip Card Changes - Brian Krebs - Krebs on Security

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

This post first appeared on Exploring Information Security.

InfoSec links December 17, 2014

Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System - Kim Zetter - WIRED

He was surprised again when, six months later, USA Today published a different story revealing for the first time that the NSA was secretly collecting the phone call records of tens of millions of Americans, records that US telecoms were willingly handing over without a warrant. Two of the three identified telecoms denied the allegations, and the story quickly died. But its ghost lingered on, neither fully confirmed nor denied, haunting Wyden. It took another seven years for a document leaked in 2013 by Edward Snowden to end the speculation and finally confirm that the bulk-collection phone records program existed.

Facebook, Google, and the Rise of Open Source Security Software - Cade Metz - WIRED

Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.”

Dark Hotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests - Kim Zetter - WIRED

Kaspersky researchers named the group DarkHotel, but they’re also known as Tapaoux by other security firms who have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but the hotel hacks appear to be a new and daring development in a campaign aimed at high-value targets.

This post first appeared on Exploring Information Security.

InfoSec trickery links December 16, 2014

Whisper CTO says tracking "anonymous" users not a big deal, really - Sean Gallagher - Ars Technica

The Guardian was exploring a potential editorial relationship with Whisper, and staff from the news organization spent three days at Whisper’s offices in Los Angeles. While there, the Guardian team witnessed Whisper employees using an in-house geolocation tool to track posts made from various locations and found that the company is tracking specific Whisper users believed to be “potentially newsworthy,” including members of the military, government employees, and employees of companies such as Disney and Yahoo. The company also shares information about posters and their locations with the Defense Department, FBI, and the UK’s MI5, the Guardian’s Paul Lewis and Dominic Rushe reported.

Now Everyone Wants to sell You A Magical Anonymity Router. Choose Wisely - Andy Greenberg - WIRED

Maintaining your privacy online, like investing in stocks or looking good naked, has become one of those nagging desires that leaves Americans with a surplus of stress and a deficit of facts. So it’s no surprise that a cottage industry of privacy marketers now wants to sell them the solution in a $50 piece of hardware promising internet “anonymity” or “invisibility.” And as with any panacea in a box, the quicker the fix, the more doubt it deserves.

How to Tell Data Leaks from Publicity Stunts - Brian Krebs - Krebs on Security

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

This post first appeared on Exploring Information Security.

Doing shady things - infosec links December 10, 2014

DEA Sets Up Fake Facebook Page in Woman's Name - Bruce Schneier - Schneier on Security

A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name.

Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine - Robert McMillan - WIRED

The company—one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.

Be Wary of 'Order Confirmation' Emails - Brian Krebs - Krebs on Security

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

This post first appeared on Exploring Information Security.

InfoSec breach links December 8, 2014

I'm back. I passed my Spanish course and will have some thoughts on that experience next week. I still have two final projects to complete for two other classes, so the posts for this week will be simple and probably mostly link dumps. I have been keeping up with security news and saved several links from this past month. Needless to say, some of them are quite dated, but it's an interesting look at all the security stuff that happens in a one- to two-month time frame.

Malware Based Credit Card Breach at Kmart - Brian Krebs - Krebs on Security

“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”

Banks: Credit Card Breach at Staples Stores - Brian Krebs - Krebs on Security

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Sony Got Hacked Hard: What We Know and Don't Know So Far - Kim Zetter

As so often happens with breach stories, the more time that passes the more we learn about the nature of the hack, the data that was stolen and, sometimes, even the identity of the culprits behind it. A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here’s a look at what we do and don’t know about what’s turning out to be the biggest hack of the year—and who knows, maybe of all time.

This post first appeared on Exploring Information Security.

InfoSec privacy links October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items on Mac OS X Yosemite devices, sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

This post first appeared on Exploring Information Security.