CUISPA
Podcast #27 – Goodbye to the Noughties!
Panelists:
John Brozycki, Alex Rams, Larry Porres
Recorded: 12/27/2009
Questions, comments, or something you'd like us to cover? Contact us at: podcast@cuispa.org
I. News stories
A1) Update on the TJX/Hannaford/Heartland cases.
As it stands now, Albert "Segvec" Gonzalez, one of the primaries in a string of high-profile hacking cases, is set to plead guilty and receive no less than 17 years of jail time. In a recent twist, his attorney filed a psychological evaluation saying that Gonzalez suffers from Asperger's Disorder. Gonzalez is due back in court before the end of the year. As part of the agreement, he is spilling the beans on the others involved in the hacks. Isn't it kind of ironic that Gonzalez was an informant for the Secret Service, reportedly while he was doing some of these hacks? Regardless, it is good to see the bad guys caught, and hopefully it will make a difference.
http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
L2) CSO Online's Predictions for 2010.
It's always interesting to read others' predictions and compare them to what we think might happen, as well as to see what seems to come completely out of left field. Recruiting, training, and retaining security/IT talent seems accurate. As the economy improves, it will likely provide opportunities for people to move. We also agree that social media will be a major consideration, not only in how users will be exploited, but in how HR departments will have to deal with major issues resulting from social networking that aren't adequately covered in employee handbooks or court decisions. As conversations about moving processes "into the cloud" escalate, someone within each organization must remind everyone of the consequences of putting your data into something that may not be that well defined. What do you think of these predictions? Any that you would add?
http://www.csoonline.com/article/510776/10_Predictions_for_2010_Kaminsky_and_Weatherford
Symantec MessageLabs has also posted their predictions for 2010. It's brief and we think it looks pretty good. Social engineering emerging as a primary attack vector, social networking third-party apps being used for fraud, Mac and mobile malware increases, Win7 getting more attention from criminals, etc. all sound highly probable to us. If you haven't seen this yet, check it out. It's a quick read and good food for thought for thinking about security in 2010.
http://downloads.messagelabs.com/dotcom/2010MessageLabsPredictions.pdf
L3) Inmate Gets 18 Months for Hacking Prison Computer.
PCs set up for inmates to perform legal research were used by one inmate to access personal information for more than 1,100 prison employees. Tip for the prison: NEVER put public terminals on private networks. If your infrastructure requires that you do this, tunnel the traffic, monitor it, and filter these systems' IP addresses from your internal servers. Otherwise, this is likely to eventually happen. Do you have any public systems on your network?
http://www.csoonline.com/article/511574/Inmate_Gets_18_Months_for_Hacking_Prison_Computer
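An added example (not from the podcast or the article) of the segmentation the tip describes, as an nftables ruleset for a firewall sitting between the public terminals and everything else: the terminals may reach only a designated research proxy (standing in for the tunnel endpoint), every other attempt toward internal servers is logged and dropped, and counters on each rule make the monitoring visible. All addresses are placeholders.

```nft
# Added example, not from the podcast. Placeholder addresses:
#   10.50.0.0/24  = public / legal-research terminal segment
#   10.10.0.0/16  = internal servers (HR, file servers, etc.)
#   10.10.5.10    = the single proxy / tunnel endpoint terminals may use
table inet kiosk_isolation {
    set kiosk_net    { type ipv4_addr; flags interval; elements = { 10.50.0.0/24 } }
    set internal_net { type ipv4_addr; flags interval; elements = { 10.10.0.0/16 } }

    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already permitted by the accept rule
        ct state established,related accept

        # Terminals may open connections only to the research proxy, TLS only
        ip saddr @kiosk_net ip daddr 10.10.5.10 tcp dport 443 ct state new counter accept comment "kiosk -> research proxy"

        # Anything else from the terminal segment toward internal servers:
        # log it (rate-limited so a scan cannot flood the log), then drop it.
        # "log" is non-terminating, so the next rule still applies.
        ip saddr @kiosk_net ip daddr @internal_net limit rate 10/second log prefix "KIOSK-TO-INTERNAL " level warn
        ip saddr @kiosk_net ip daddr @internal_net counter drop comment "blocked kiosk -> internal"

        # Internal hosts should never initiate toward the terminals either;
        # the explicit rule exists so the counter shows misconfigurations.
        ip saddr @internal_net ip daddr @kiosk_net counter drop comment "blocked internal -> kiosk"
    }
}
```

Because the forward policy is drop, load this only on a firewall dedicated to the terminal segment, or add the site's existing permitted flows to the chain first. Watch the "KIOSK-TO-INTERNAL" log prefix and the drop counters (`nft list table inet kiosk_isolation`) for the kind of probing this story describes.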
A4) Update on Wyoming Bank email case (or rather, lack of an update).
Back in September, we talked about a Wyoming bank (Rocky Mountain Bank) that sent an e-mail containing sensitive customer data to the wrong Gmail account, and then wanted Google to reveal the identity of the account holder[1]. The legal document is available online[2]. The case ended when the court granted Google's motion to dismiss[3]. As far as we can tell, there hasn't been any more information released. Who was the Gmail account owner? Was the bank's data in jeopardy? It appears only the Shadow knows.
[1] http://www.wired.com/threatlevel/2009/09/bank-sues-google/
[2] http://www.docstoc.com/docs/11790402/Rocky-Mountain-Bank-v-Google
[3] http://news.cnet.com/8301-27080_3-10362913-245.html?part=rss&subj=news&tag=2547-1_3-0-20
J5) iPhone worm: shape of things to come?
The iPhone worm started as a prank. On iPhones that were "jailbroken" (had Apple's security removed), where an SSH service had been installed and the default password (alpine) hadn't been changed, one hacker scanned for open systems and changed the wallpaper to a picture of 80s singer Rick Astley. It didn't take long for a hacker with more malicious intent to modify this into something worse. So, as smartphones essentially become small, fully functioning computers used by tens of millions of people, is it surprising that mobile platforms will garner much attention from criminals in the near future?
II. Tech Segment
None this podcast.
III. Cooltility (Cool + Utility = Cooltility)
1) Microsoft Security Essentials
It's nice to see that Microsoft has finally done something to address one of the biggest drawbacks to the Windows platforms: viruses and malware! No, this isn't perfect. In our unscientific testing, it appears to work as well as many commercial offerings, and it is free. It also appears to have less impact on performance than several commercial offerings. All home users should be using this. The biggest drawback is no management console, which mostly precludes this from business use.
http://www.microsoft.com/security/
IV. Smarter U.
Amazon used books. Ok, this isn't high tech. Is there something you're looking to learn about, perhaps on your own time? Technical books can easily run $50+. If you've searched for a book on Amazon, you've probably already seen the option to buy a used copy, if one exists. You can save a significant amount of money if a used copy exists. Additionally, you can search on eBay, although the deals aren't usually as good.
Got a suggestion for this space? Please send it to podcast@cuispa.org.