Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “iPhone Pen Testing Tools without Jailbreaking”, 2) “Failure of Bitcoin Hacking”, and 1) “Noriben – Your Personal, Portable Malware Sandbox”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Sequester Shmuester – Obama Budget Grows Cyber Security: Well this is good news for those of us in the world of government cyber security. Of course this plan is only Obama’s proposed budget … still a lot more wrangling ahead of us. The Department of Defense would receive $800 million more than last year for a total of $4.7 billion. The Department of Homeland Security would also get a $44 million boost to spend on cyber security information sharing and research. (continued here)
NIST Publishes Cybersecurity Framework RFI Comments: NIST is just in the starting phases of responding to Executive Order 13636 to develop a framework that reduces risks for critical infrastructure. They held the first of four industry workshops nine days ago, released the video from that session, and are in the process of consolidating all the feedback they received from the RFI that was due on April 8th. Did you respond to the RFI? Let us know in the comments below. (continued here)
Microsoft Pulls ‘Blue Screen of Death’ Patch: Microsoft has recommended holding off on installing the MS13-036 security update due to incompatibilities with certain software that can cause the dreaded ‘blue screen of death.’ And if your organization already has the patch installed, they urge its uninstallation if possible. Microsoft originally pushed the offending patch this past Tuesday to address four vulnerabilities in the Windows kernel-mode driver. (continued here)
Do it if you love it… Otherwise what’s the point?: @krypt3ia put out a great post yesterday on one tough-love approach to answering the question we often get, “How Do I Get Into INFOSEC?” He goes through the “type” of person you have to be, the long process of getting your skillz up to par, and then finally the frustrations you’ll have in your actual job. I couldn’t agree more … so … “Do it if you love it… Otherwise what’s the point?” (continued here)
Failure of Bitcoin Hacking: Dan “@dakami” Kaminsky recently put out an excellent post on his attempt to “hack” Bitcoin two years ago. As with many crypto-based applications, the Bitcoin protocol (and even its core implementation) is pretty solid … it’s all the technology around it that is most likely to fail. In this case the surrounding tech includes weak points like users with no or weak wallet passwords and faults in Bitcoin exchanges. (continued here)
WordPress Installs Getting Slammed with Password Guessing, Self-Propagating Botnet: Being one of the most popular CMSs has its benefits … and disadvantages. In this case you become a big target. In this particular attack the bad guys are attempting brute-force logins on the default admin account using 1,000 common passwords. After successfully gaining access to the WordPress backend, they appear to install a backdoor that incorporates the site into a botnet, which continues to self-propagate using the same password-guessing attack. Have any other advice for protecting those WordPress installs? Let us know in the comments below. (continued here)
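Since the attack above shows up as a burst of POSTs to wp-login.php from one source, here is an added example (our own illustration, not code from the original post or from any WordPress project) of spotting it in an ordinary Apache combined-format access log. It relies on one heuristic we assume about WordPress: a failed login re-renders the form with a 200, while a successful one answers with a 302 redirect into wp-admin, so a run of 200s followed by a 302 from the same IP is the shape of a guess that eventually landed. The log lines are constructed inline, and the threshold, window and IP addresses are our assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we care about, or None for lines that are not combined-format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that POST to /wp-login.php at least `threshold` times within `window`.

    Returns {ip: {"attempts": total_posts, "likely_success": bool}}.  likely_success is set
    when a flagged IP later receives a 302/303 from wp-login.php (assumed WordPress behaviour
    on a correct password; failures re-render the form with a 200).
    """
    recent = defaultdict(deque)   # ip -> timestamps of wp-login POSTs inside the window
    total = defaultdict(int)      # ip -> all wp-login POSTs seen
    flagged = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip, ts = rec["ip"], rec["ts"]
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, {"attempts": 0, "likely_success": False})
        if ip in flagged:
            flagged[ip]["attempts"] = total[ip]
            if rec["status"] in (302, 303):   # guessing run ended in a redirect: probable hit
                flagged[ip]["likely_success"] = True
    return flagged


def constructed_log():
    """Constructed sample traffic (not real data): one guessing run, one normal user, one GET."""
    base = datetime(2013, 4, 16, 10, 0, 0, tzinfo=timezone(timedelta(hours=-4)))
    entries = []

    def add(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        entries.append((offset, f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3571 "-" "Mozilla/5.0"'))

    for i in range(12):                                   # 12 wrong guesses, 2 s apart
        add("203.0.113.5", i * 2, "POST", "/wp-login.php", 200)
    add("203.0.113.5", 26, "POST", "/wp-login.php", 302)  # 13th guess succeeds
    add("203.0.113.5", 27, "GET", "/wp-admin/", 200)
    add("198.51.100.7", 5, "POST", "/wp-login.php", 200)  # legit user mistypes once
    add("198.51.100.7", 15, "POST", "/wp-login.php", 302)
    add("198.51.100.9", 8, "GET", "/wp-login.php", 200)   # just loading the form
    return [line for _, line in sorted(entries)]


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(constructed_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs, likely_success={info['likely_success']}")
```

Feed it `sys.stdin` or an opened access log in place of `constructed_log()`. The obvious caveat, given that this is a self-propagating botnet, is that a per-IP threshold only catches sources that hurry; a distributed attacker spreading 1,000 guesses across hundreds of compromised sites will stay under it, so pair this with the fixes that remove the target outright (no default admin user, strong passphrase, rate limiting or a second factor in front of wp-login.php).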
CFP for BSidesDC Opens: After you get done filing your taxes today, why not take part in the inaugural BSidesDC conference by submitting to the CFP on opening day. You will have until June 30, 2013 to “submit your brilliant ideas, receive accolades, cheers, and possibly beers.” Additionally, they are still looking for sponsors. Interested companies can check out their sponsorship kit here (PDF). Are you planning to submit to BSidesDC? Let us know in the comments below. (continued here)
VA MACH37™ Cyber Security Startup Accelerator Announced: Last week the governor of Virginia announced a first-of-its-kind accelerator program dedicated to cyber security startups. The program, named MACH37™, will take place right in our backyard at the Center for Innovative Technology in Herndon, VA. Modeled after incubators like Y Combinator, TechStars, and 500 Startups, the goal is to support two 90-day sessions per year with eight to ten companies per session. The application process opens in June with the first 90-day session planned for September. Watch MACH37.com for details…(continued here)
25% Discount for Intro to Exploit Development Class: Good friend and former NoVA Blogger Georgia Weidman of Bulb Security LLC will be giving a one-day online class covering exploit development next month for $100. Several years ago when Georgia was just starting out I took her Metasploit Unleashed class. She helped me pop my first box and I haven’t looked back since. (continued here)
NSA Top Secret Cryptolog Crossword Puzzles: Saw this a few weeks ago and we’re only now finding the time to publish it. As you may remember, back in March we covered the release of the NSA’s internal super-secret Cryptolog newsletter archive. In the comments of the Bruce Schneier post we referenced, some of his readers picked out several interesting tidbits, but that’s nothing compared to a PopSci.com article he later found that covers several of the newsletter’s crossword puzzles. According to the comments on that article the puzzles seem pretty challenging. I’d like to see David “@DarthNull” Schuetz take a shot at these challenges.
FISMA Reform Passes House on 416-0 Vote: We hadn’t really heard too much about this lately … and then bam … the House unanimously passed the Federal Information Security Amendments Act of 2013 earlier today. There’s still the Senate and President to go but this legislation will be interesting to watch over the next few weeks and months. The bill updates the Federal Information Security Management Act of 2002 to focus on transitioning federal government security practices from the ineffective decade-old, checkbox-based, document-heavy approach to continuous monitoring of threats. (continued here)
Where’s Grecs? At AIDE of Course.: Just wanted to put out a quick post to say that I’ll be attending AIDE on Friday in Huntington, WV. If anyone is up for meeting up, getting some drinks, or just arguing the intricacies of infosec, just hit me up on Twitter at @grecs. I always enjoy meeting new people so please don’t be shy … come up and introduce yourself! Hope to see you there…(continued here)
Noriben – Your Personal, Portable Malware Sandbox: Well, less to do with Japanese lunches and more to do with analyzing malware… Local malware analyst extraordinaire Brian “@bbaskin” Baskin recently released a new Python-based tool called Noriben. The problem Brian was trying to solve revolved around being called out to do malware analysis with only the Windows resources he was given onsite. Often these computers lacked his standard arsenal of tools, so he needed something portable to use in these situations. (continued here)
iPhone Pen Testing Tools without Jailbreaking: Although you can get almost any security tool imaginable if you jailbreak your iPhone, we were curious what was out there for non-jailbroken iPhones. Given that my iPhone is set up to be my primary home and work device, I don’t want to risk jailbreaking it. We’ve searched around on iTunes and across the interwebs for anything we could find, and the post lists what I came up with so far. To make the list more manageable we’ve tried to categorize the apps per the ISSAF framework. If an app fell into more than one group, we placed it in the earliest phase. With some exceptions we also didn’t include ones that haven’t been updated in the last year. So here are our picks for “official” iPhone apps for security professionals. Have any experiences with or thoughts on any of the apps on the list? Let us know in the comments below. (continued here)
DARPA Cyber Chief Moves to Google: In case you missed this news … former L0pht member and DARPA Cyber Fast Track founder Peiter “Mudge” Zatko is leaving government for the next step in his career … at Google. Last week he announced his new gig on Twitter – “Given what we all pulled off within the USG, let’s see if it can be done even better from outside. Goodbye DARPA, hello Google!” There he’ll be joining Motorola Mobility’s Advanced Technology & Projects (ATAP) group, a DARPA-like organization at the company Google recently acquired, to focus on “breakthrough innovations to the company’s product line on seemingly impossible short timeframes.” Congrats! (continued here)
Hope everyone had a wonderful week. Have a great weekend!