All posts by jb

Defensive Security Podcast Episode 31

August 18, 2013PodcastDOE, Lavabit, Metasploit, vulnerabilities, XPjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Windows XP vulnerabilities may be stored up until after end of support on April 8, 2014; Department of Energy hacked for a second time in 2013; using metasploit and exploitDB to prioritize vulnerability patching; and a number of discussions on Lavabit.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Windows XP vulnerabilities may be stored up: http://www.infoworld.com/d/microsoft-windows/xps-retirement-will-be-hacker-heaven-224796?page=0,1

Department of Energy hacked for second time this year; they are out front on the effort to protect critical infrastructure: http://www.theverge.com/2013/8/16/4628284/department-of-energy-hackers-steal-personal-data-from-14000-employees

Prioritizing vulnerabilities http://blog.risk.io/2013/08/stop-fixing-all-the-things-bsideslv/

Lavabit:

http://investigations.nbcnews.com/_news/2013/08/13/20008036-lavabitcom-owner-i-could-be-arrested-for-resisting-surveillance-order?lite

http://www.theguardian.com/commentisfree/2013/aug/10/lavabit-closure-cloud-computing-edward-snowden

Note:

Here is the link to the Society for Information Risk Analysts I mentioned: https://www.societyinforisk.org/ – the mailing list is here: http://lists.societyinforisk.org/mailman/listinfo/sira

Defensive Security Podcast Episode 30

August 11, 2013Podcastcyber framework, dns, insurance, SIDNjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Escrow service company forced to close after $1.5M theft resulting from malware, Incentives for complying with cyber framework, Benefits of expanding the cyber insurance market, Thousands of .nl domains redirected to black hole exploit kit

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Escrow service company forced to close after $1.5M theft resulting from malware: http://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm/

Incentives for complying with cyber framework: http://www.csoonline.com/article/737795/white-house-considers-incentives-for-cybersecurity?page=1

Benefits of expanding the cyber insurance market: http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cyber-security/

Thousands of .nl domains redirected to black hole exploit kit: http://www.zdnet.com/dutch-dns-server-hack-thousands-of-sites-serve-up-malware-7000019196/

Defensive Security Podcast Episode 29

August 4, 2013Podcastblack swan, OVH, USBjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Cyber Security, cybersecurity or cyber-security? On the need to be wary of USB devices despite having autorun disabled, the hacking of OVH highlights the need to take specific precautions with administrators, large UK companies urged to perform a cyber security review, and the misuse of the term “black swan”.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Cyber security: http://www.digitalcrazytown.com/2013/08/is-it-cybersecurity-cyber-security-or.html

USB security concerns: http://www.zdnet.com/usb-flash-drives-masquerading-as-keyboards-mean-more-byod-security-headaches-7000018737/

OVH hack highlights exposure of administrators: http://www.itpro.co.uk/cloud/20266/ovh-hack-prompts-calls-tigher-system-admin-security-controls

GCHQ & MI5 pushing for security review of UK companies: http://www.computerweekly.com/news/2240201775/MI5-and-GCHQ-call-for-FTSE-350-cyber-health-check

Black swans: http://exploringpossibilityspace.blogspot.com/2013/07/think-you-understand-black-swans-think.html

Defensive Security Podcast Episode 28

July 27, 2013Podcastapplication whitelisting, cyber crime, espionage, malware, VERISjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Perception of risk as an art vs science, Estimating the economic impact of cybercrime and espionage, The futility of analyzing malware and the need to get better at detecting its activity, An attempt to link bad metrics to data loss trends, Insurance is getting cyber security savvy, Application whitelisting, Don’t forget about risks from security devices, Verizon releases the VERIS community database.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Perception of risk as an art vs science: http://www.tripwire.com/ponemon/2013/#riskmetrics

Estimating the economic impact of cyber crime and espionage: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf

The futility of analyzing malware and the need to get better at detecting its activity: https://blog.damballa.com/archives/2052

An attempt to link bad metrics to data loss trends: http://www.techrepublic.com/blog/it-security/why-security-metrics-arent-helping-prevent-data-loss/

Insurance is getting cyber security savvy: http://www.tripwire.com/state-of-security/it-security-data-protection/security-controls/enterprise-insurance-policies-and-the-20-critical-security-controls/

Application white listing: http://www.infoworld.com/d/security/the-one-security-technology-actually-works-222763

Don’t forget about risks from security devices: http://krebsonsecurity.com/2013/07/security-vendors-do-no-harm-heal-thyself/

Verizon releases the VERIS community database: http://www.verizonenterprise.com/security/blog/index.xml?postid=4642

Defensive Security Podcast Episode 27

July 21, 2013PodcastICS, Java, SCADA, spear phishing, watering holejb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Ten year old Java bug, old and vulnerable versions of Java dominate on corporate desktops, a guide on critical infrastructure security, what is wrong with applying standard security approaches to industrial control environments, Lloyds survey finds cyber security is the number 3 concern of business leaders, watering hole attacks are replacing spear phishing as the attack method of choice, the crazy high value of health information dossiers and a cyber exercise performed by some large US banks.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

http://podcasts.infoworld.com/d/security/most-enterprise-networks-riddled-vulnerable-java-installations-report-says-222983

http://images.infoworld.com/d/security/new-vulnerability-found-in-java-7-opens-door-10-year-old-attack-researchers-say-223029

http://www.osce.org/atu/103500?download=true

http://www.computerweekly.com/blogs/david_lacey/2013/07/scada_security_requires_a_bett.html

http://www.infosecurity-us.com/view/33436/lloyds-cybersecurity-is-the-no-3-global-business-threat/

http://www.infosecurity-us.com/view/33493/water-hole-replacing-spearphishing-as-statesponsored-weapon-of-choice/

http://www.secureworks.com/resources/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents/

http://www.americanbanker.com/issues/178_138/mock-cyberattack-on-banks-a-success-sifma-says-1060721-1.html

Defensive Security Podcast Episode 26

July 14, 2013Podcastdark seoul, eas, EDA, HP, incident response, ipmi, malware, OWASPjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Vulnerability market, OWASP top 10 still relevant, HP Storage back door, Default root ssh keys in EAS servers, IPMI Vulnerabilities, Dark Seoul update, Incident response goes horribly wrong, Dropbox and WordPress leveraged by attackers

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Vulnerability market: http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

OWASP top 10 still relevant: http://www.cyberwarzone.com/dutch-domain-registrar-hacked-sqli

HP Storage back door: http://www.infoworld.com/t/data-security/hp-admits-undocumented-backdoors-in-two-separate-storage-lines-222614

Default root ssh keys in EAS servers: http://www.infosecurity-magazine.com/view/33372/eas-vulnerability-bodies-of-the-dead-could-rise-again/

IPMI Vulnerabilities: http://www.infoworld.com/d/security/serious-flaws-found-in-ipmi-server-management-protocol-222107

Dark Seoul update: http://arstechnica.com/security/2013/07/hard-drive-wiping-malware-that-hit-s-korea-tied-to-military-espionage/
http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf

Incident response goes horribly wrong: http://arstechnica.com/information-technology/2013/07/us-agency-baffled-by-modern-technology-destroys-mice-to-get-rid-of-viruses/

Dropbox and WordPress leveraged by attackers: http://www.pcadvisor.co.uk/news/security/3457260/dropbox-wordpress-used-in-cyberespionage-campaign/

Vulnerability Wednesday?

July 11, 2013Securityexploit, patch, Trend Micro, vulnerabilityjb

Here is an interesting article on changing the social contract of vulnerability disclosures from the current, though recent, seven day cycle, to one that follows patch Tuesday, or whatever equivalent date the particular software vendor has for patches.

It’s a good idea, but I think the author missed an important nuance: the short 7 day notice is for situations where the discovering researcher has found evidence that the vulnerability is being actively exploited. In other cases where the vulnerability is not being actively exploited, the time frame is 6o days, which is compatible with the author’s idea. Note that the 7 day recommendation comes from Google and is available to read here.

I do not think that it makes sense to wait until after the next patch Tuesday in cases of active exploitation. The point is that users of the vulnerable technology need to know that there is a vulnerability being actively exploited, whether or not a patch is available, so that the user can take steps to mitigate the problem.

Defensive Security Podcast Episode 25

July 7, 2013Podcastdrive by infection, encryption, ICS, infosec, malware, microsoftjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Snowden offered asylum, Germany’s interior minister cautions Germans against using US-based services, California AG urges legislation to require the use of encryption, 85% of virus infections are from drive by download, Attacks on energy sector, Texas government infections, MS Tuesday

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

85% of virus infections are from drive by downloads: http://www.csis.dk/en/csis/news/3981/

Attacks on energy sector: http://securityaffairs.co/wordpress/15820/security/ics-cert-surge-in-attacks-against-energy-industry.html

Texas government infections: http://www.kens5.com/news/State-computers-compromised-but-theres-not-enough-staff-to-fix-it-214231541.html

MS Tuesday: http://www.theregister.co.uk/2013/07/05/ms_july_2013_patch_tuesday_prealert/

Defensive Security Podcast Episode 24

June 30, 2013PodcastCarberp, FINRA, malware, phishing, stuxnet, Syrian Electronic Armyjb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Kaspersky study indicates 200,000 malware variants are released daily, the Carberp trojan’s source code is leaked and an 0day is discovered, FINRA reports on prolific cyber attacks against its members, the FT is attacked by the Syrian Electronic Army and gives a play by play on what happened, Kaspersky reports an 87% increase in phishing attacks, Google reports that compromised legitimate sites are more dangerous than malicious sites, Sophos says 30,000 SMB sites are hacked per day to spread malware, the age old debate about administrator rights, password complexity, and the unintended consequences of leaks: foreign companies defect to more hospitable countries, renewed focus on systems administrators, and we can stop pretending to not know where Stuxnet came from. Continue reading Defensive Security Podcast Episode 24 →

Defensive Security Podcast Episode 23

June 24, 2013PodcastEMET, linkedin, OpPetroljb

Podcast: Play in new window | Download | Embed

Subscribe: RSS

The discrepancy between perception and reality when it comes to quantifying risk, the major fail that was OpPetrol, Malvertising, EMET 4 released, How not to be a CSO by the Harvard Business Review, Linked In’s DNS woes, and CSOs are not recognizing reality. Continue reading Defensive Security Podcast Episode 23 →