Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Top 35 Strategies to Mitigate Targeted Cyber Intrusions Revealed for 2012”, 2) “FBI Website Breached…Not”, and 1) “DNSRecon from Hack3rCon 3”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Hack3rCon Conference in Charleston this Weekend: Here’s a fun article on a pseudo-local security conference starting today. In it they discuss Hack3rCon, going on this weekend in Charleston, WV. The talks at the conference, referred to as “Doomsday Eve”, are lighthearted but address serious security issues, such as infrastructure preparation. Rob Dixon, co-founder of 304Geeks.com, states that Doomsday and IT go together because people should protect their home and business infrastructures, as IT is a part of our everyday lives. Did you attend the Hack3rCon Conference? Post your comments below. (continued here)
FTC Offering $50K to Get Rid of Robo-Telemarketers: It seems like everyone is getting into crowdsourcing their problems. In the security industry, you usually hear about Google or Facebook paying out bug bounties for vulnerabilities but the Federal Trade Commission (FTC) is bringing things to a new level. They’re offering $50,000 to anyone with a solution to eliminating telemarketing robocalls. What do you think about the contest? Do you plan to enter? Post your comments below. (continued here)
DNSRecon from Hack3rCon 3: At HackerCon today I had a chance to sit in on Carlos “@carlos_perez” Perez’s DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package. Yeah, there are already scripts like Fierce that go out and dump almost everything imaginable; however, Carlos, like many of us, wanted something a little more strategic. He wrote the original DNSRecon script in Ruby several years back but recently ported it to Python due to the limited DNS-related libraries in Ruby at the time. And the good news is that most of us already have this tool available if you have an up-to-date version of Backtrack. You’ll find it in the /pentest/enumeration/dns/dnsrecon directory. What have your experiences been with DNSRecon? Let us know in the comments below. (continued here)
RFI Leads to Hacked Weather Site: In case you missed this piece late Friday, it looks like a hacking group known as Kosova Hacker’s Security have hacked the Weather … as in Weather.gov … in retaliation for attacks like Stuxnet and family as well as prior bombings. Operated by the U.S. National Weather Service, a local file inclusion weakness in the website led to the disclosure of “potentially sensitive data.” The vulnerability has since been addressed. (continued here)
FBI Website Breached … Not: Another bit of information that came to our attention late last week while we were consumed at Hack3rCon was news that a malicious hacking group had breached the official FBI website. Purportedly the leak included 295 email addresses and plaintext passwords along with other bits of information posted to various Pastebin-like sites. According to OZDC.net the target in question was hXXp://www.fbi.gov.c.footprint.net. We’re at a bit of a loss on how anyone could have confused an FBI sub-domain with the “official” website. Regardless, OZDC.net and other prominent researchers later discovered that this data has been floating around since June. So nothing new here… (continued here)
Cybersecurity Job Growth Expected as Other IT Areas in Decline: GovWin came out with an interesting report late last week regarding job growth in Maryland. At the CyberMaryland conference in Baltimore they predicted that, while other areas of government spending will remain flat or decrease, infosec spending is expected to increase, with over 50% growth in the number of jobs and associated dollars over the next four years. This equates to defense and civilian federal agency spending rising from $9.2 billion in 2011 to $14 billion in 2016. The question remains … where should we look for these jobs? The report mentioned the usual suspects – ManTech, SAIC, Lockheed Martin, and General Dynamics – as being the top recruiters. And if you are interested in moving to other locales beyond Baltimore and Maryland, the rest of the top five cybersecurity markets include Palo Alto, San Francisco, Boston, and Denver. Hey … where’s NoVA? Do you agree with the job growth predictions for cybersecurity? Post your comments below. (continued here)
Lawmakers Seeking Limits on Contractor Compensation: We came across this article on how lawmakers are looking to cut compensation that contractors can charge for their employees. From a whopping $700k per employee lawmakers are pushing for something around $230k. Most of us in the contractor biz only make a fraction of that amount with the rest of those charges probably going to multiple layers of bureaucratic management and other overhead costs. Of course the question remains … how could this affect the hiring of critical infosec talent? What effects do you think this would have on contractors hiring infosec experts? Let us know in the comments below. (continued here)
EU Hops on Cyber Awareness Bandwagon: It seems that the EU has hopped on the October-as-cyber-security-awareness-month bandwagon as well. So far organizers, led by the European Network and Information Security Agency (ENISA), have declared the first European Cyber Security Month (ECSM) a success with almost 2 million reached on Facebook. I wonder how they measured that … perhaps people that Liked it? Do you think these months-dedicated-to-a-cause efforts are worth it? Let us know in the comments below. (continued here)
Final Debate Fails Cybersecurity: I didn’t get a chance to see the debates last night; however, I did follow along somewhat on Twitter. Thank goodness Bill “@BillBrenner70” Brenner provided a nice write-up so I could at least get some type of infosec perspective. According to his article on CSO Online I didn’t miss much though. During the entire debate the “C” word was only briefly discussed once. So basically if infosec is your thing and you were hoping that the debates would sway you one way or another … you got nothing. Obviously, Osama … I mean Obama … has a track record of emphasizing infosec, but the debate last night failed to provide any foresight into the priority either candidate would place on this important area over the next four years. How much does either candidate’s stance on infosec affect the way you’ll vote? Let us know in the comments below. (continued here)
Cyber Crooks Using Shortened .gov URLs in Scams: Apparently crooks used the USA.gov shortening service to make their phishes look a little bit more legit. Using shorteners in this way isn’t anything new, but this instance is worth noting because the flaw wasn’t actually in the Bit.ly-supported service. Rather, the bad guys used an existing USA.gov link that points to a vulnerable .vermont.gov website. The vulnerability, an open redirect, allowed them to forward spammed users to a financially themed phishing site. Were you aware of this scam? Post your comments below. (continued here)
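The fix on the .gov side is to stop the redirect endpoint from forwarding to arbitrary destinations. As an added example (not code from the story or the site), here is a redirect validator that allowlists the destination host and refuses the usual bypass shapes; the hosts, base URL and function name are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for the example: the only hosts the redirect endpoint may send users to.
ALLOWED_HOSTS = {"vermont.gov", "www.vermont.gov"}
BASE_URL = "https://www.vermont.gov/"


def safe_redirect_target(raw):
    """Return the URL a redirect endpoint may 302 to, or None if the requested target
    must be refused. The open-redirect bug is issuing the 302 to `raw` unchecked."""
    if not raw or any(c in raw for c in "\\\r\n\x00"):
        return None                          # backslash host tricks, header injection, NULs
    if raw.startswith("/") and not raw.startswith("//"):
        return urljoin(BASE_URL, raw)        # site-relative path: resolve against our own host
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None                          # malformed (e.g. unbalanced IPv6 brackets)
    if parts.scheme.lower() not in ("http", "https"):
        return None                          # javascript:, data:, and scheme-relative //host
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases the host
    if parts.username is not None or parts.password is not None or host not in ALLOWED_HOSTS:
        return None                          # user@host confusion or a foreign/look-alike host
    return raw
```

The key point for detection is that a legitimate shortened .gov link only becomes dangerous when the final hop accepts a caller-supplied destination; log and review what your redirect endpoints are asked to forward to.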
Executive Order to Establish Standards for Legislation: We have discussed the Cybersecurity Executive Order many times before but it looks as though with the upcoming election the Executive Order will become more fact than fiction. According to a FCW article addressing this issue, Washington insiders attending a Government Events’ cybersecurity conference on October 22 noted that the Executive Order is expected to become reality and should set the standard for future legislation. The article further states that the Executive Order should serve as a guide, regardless of any post-election power shifts in Washington. When do you think the Cybersecurity Executive Order will be official? Post your comments below. (continued here)
PoC Extension to Turn Browsers into Evil Botnets: Years ago I remember having a discussion with a colleague on interesting areas of research in information security. He brought up the idea of malicious browser plugins/extensions and mentioned creating something that could help raise awareness. I pooh-poohed the idea at the time, but the tides have changed according to a recent article on The Register. It looks like Zoltan Balazs has created a proof-of-concept with the forthcoming release of an extension that offers capabilities that any malicious hacker would jump for. The extension works on most recent browser versions and current operating systems, with the notable exception of Internet Explorer. Is the Apple-like closed ecosystem the best way to address the potential of malicious extensions? Post your comments below. (continued here)
The NIST List on Risk Management: FCW.com had a nice article highlighting several of the core National Institute of Standards and Technology (NIST) risk management documents in reading list form. The Federal Information Security Management Act of 2002, and more recently the Federal Risk and Authorization Management Program, tapped NIST years ago to decompose these abstract standards and guidelines into more detailed, actionable recommendations so that agencies could effectively assess and manage their security risks. As a result of years of work, NIST has completed quite a comprehensive list of documentation pertaining to risk management. Although reading through these five documents isn’t the most exciting way to learn risk management, it’s probably one of the most comprehensive. What do you think about NIST’s guidelines on risk management? Post your comments below. (continued here)
Top 35 Strategies to Mitigate Targeted Cyber Intrusions Revealed for 2012: The Australian Defense Signals Directorate (DSD) has once again updated their “35 Strategies to Mitigate Targeted Cyber Intrusions” report for 2012. The biggest take-away is that at least 85% of the unsophisticated intrusions they responded to could have been mitigated by simply implementing their top 4 strategies as a package. I don’t know how they could have missed anything given 35 strategies … but do you think they forgot something essential? Let us know in the comments below. (continued here)
DHS Makes Changes to Cybersecurity Office: We came across an interesting article regarding the Department of Homeland Security and the realignment of their cybersecurity office. It’s a few days old but might be useful for those that missed it. It’s interesting that they added two new divisions, expanding from three divisions to five. What do you think about the DHS cybersecurity realignment? Post your comments below. (continued here)
Google DKIM Implementation Fail: This is a very cool story for those crypto geeks out there. Apparently, Zachary Harris, a mathematician by trade, received an email from a Google recruiter. He happened to notice that Google used DKIM to verify the message’s authenticity based on a relatively short 512-bit RSA key. Thinking it was a “challenge” for Google employment, Zachary figured he could crack it in a reasonable time, and so he did. He then forged an email to Larry Page from Sergey Brin referencing his website as something they might want to check out. Zachary didn’t hear anything back from the recruiter, but a few days later he noticed Google had switched to using 2048-bit keys and saw lots of hits on his website from Google IPs. Seeing Google’s flaws, he investigated a few other popular sites and discovered many others, including Amazon, Twitter, eBay and Yahoo, using crackable key lengths. In this day and age sites should at least be using 1024-bit public keys. Do you know of any other sites using crackable key lengths? Post your comments below. (continued here)
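Checking your own domain for this is straightforward: the DKIM public key is published as a TXT record, and its RSA modulus size is what decides whether it is crackable. The following is an added example (not Harris’s code or Google’s) that parses a `v=DKIM1; k=rsa; p=...` record with only the standard library and reports the modulus size; the `make_dkim_record` helper builds records around a constructed modulus purely so the example runs offline, and the 1024-bit threshold is the minimum the post recommends.

```python
import base64
import re

def _der(tag, body):
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive

def make_dkim_record(modulus, exponent=65537):
    """Build a DKIM TXT value around a CONSTRUCTED modulus (test data, not a real key)."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    alg_id = _der(0x30, rsa_oid + _der(0x05, b""))
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))   # SubjectPublicKeyInfo
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def dkim_rsa_bits(txt):
    """RSA modulus size in bits for a DKIM TXT record; None for revoked (empty p=) or non-RSA.
    The record itself lives at <selector>._domainkey.<domain>; the DNS lookup is out of scope."""
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]*)", txt))
    if tags.get("k", "rsa").strip() != "rsa" or not tags.get("p", "").strip():
        return None
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))
    _, body, _ = _tlv(spki)               # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(body)                # skip AlgorithmIdentifier
    _, bits, _ = _tlv(body, pos)          # BIT STRING; first byte is the unused-bit count
    _, rsa_key, _ = _tlv(bits[1:])        # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsa_key)         # INTEGER n comes before e
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_verdict(txt, minimum=1024):
    """'weak' below the minimum, 'ok' at or above it, 'n/a' when there is no RSA key to judge."""
    bits = dkim_rsa_bits(txt)
    return "n/a" if bits is None else ("weak" if bits < minimum else "ok")
```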
Hope everyone had a wonderful week. Have a great weekend!