CUISPA Podcast #23 - Conficker those cyberspies
Panelists: John Brozycki, Alex Rams, Larry Porres
Recorded: 4/11/2009

Questions, comments, or something you'd like us to cover? Contact us at: podcast@cuispa.org

Our thanks to Steve and Kelly for getting this up on RSS and iTunes. We hope that all of you are now able to download the podcast much more easily!

I. News stories

1) Cyberspies in our Infrastructure? Maybe we should secure it.
Internet connectivity is far reaching. Much of the infrastructure that controls our power and other utilities is connected directly or indirectly, and more of the systems that come online in the future will be built for online connections. This makes for some prime targets for those who would do us harm. Are recent stories about foreign hackers infiltrating power utilities something to be alarmed about[1], or are they more FUD (Fear, Uncertainty, and Doubt) meant to push us toward someone else's agenda[2]? Regardless, it CAN be done[3], and easily, and we need to consider WHAT we connect to the Internet and ensure that it is being secured and tested. It doesn't have to be a Chinese hacker; it could be a kid who lives on the same street as you. Most companies have done a good job of securing their perimeters and now face the threats from their users opening attachments and clicking on links. Monitoring systems don't do this, so why aren't we doing a better job of securing them? Take away: Users are often given Internet access as well as access to back-end systems that don't need Internet access, and the two now become bridged. Consider the security risks this poses and mitigate them.


[1] http://www.msnbc.msn.com/id/30107040/
[2] http://www.schneier.com/blog/archives/2009/04/us_power_grid_h.html
[3] http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html

2) New Bill to Mandate Security Standards and Certifications
A new bill in the Senate is looking at isolating computer networks that are considered "critical network infrastructure" in both the public and private sectors, along with a proposal for licensing and certification programs for cyber security professionals[1]. "We must protect our critical infrastructure at all costs, from our water to our electricity, to banking, traffic lights and electronic health records," said John D. Rockefeller IV[2]. "America's vulnerability to massive cyber crime, global cyber espionage, and cyber attacks has emerged as one of the most urgent national security problems facing our country today," said Olympia J. Snowe[2].

[1] http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html
[2] http://www.vnunet.com/vnunet/news/2239646/plans-national-cybersecurity

3) Internet-wide Security Hole to be Revealed at Conference
You may have heard some stories over the past couple of months regarding a flaw in TCP that researchers have found, similar to the weaknesses in DNS that were revealed last fall. This is due to be revealed at the Blackhat Europe conference on April 16th. While we don't know exactly what will be revealed, this is something you'll definitely want to follow as it could impact us all. Unlike with the DNS flaw, there is so far no indication that vendors have been working on patches to address the issue.

http://www.csoonline.com/article/488697/Internet_wide_Security_Hole_to_be_Revealed_at_Conference

4) Conficker signature detected
It's the weekend before the April 1st date on which Conficker is supposed to "do something special" and update itself, when security researchers come up with a method to detect infected systems. It seems that unpatched, patched, and Conficker-infected systems respond differently, and so a signature was developed for a stand-alone Python tool as well as for existing tools like Nessus, Nmap, and Foundstone Enterprise. Takeaways? You can immediately scan for infected machines. This cooperation and collaboration by a group now known as the Conficker Working Group is a positive sign of HOW we can fight the bad guys. Let's hope this continues, keeps us one step ahead of the bad guys, and goes beyond just Conficker.

*Why scan for this? Why not build up a botnet and farm credit card numbers, bank accounts and identities for as many victims as possible? See Technical Report: http://honeyblog.org/junkyard/reports/impersonation-attacks-TR.pdf

http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/

5) Data mining is latest tool in Spam arms race.
The University of Alabama at Birmingham wages war on spam with its Spam Data Mine. While this project may be able to track spammers down, it may not be able to do much against foreign spammers. Domestic spam reduction would certainly help, so we wish this project much success.

http://www.npr.org/templates/story/story.php?storyId=102800939

6) Congress Investigates Effectiveness of PCI DSS
With the recent breaches, the effectiveness of the Payment Card Industry Data Security Standard (PCI DSS) is being questioned by the US House of Representatives' Committee on Homeland Security, which is concerned over compromised credit card details in breaches like those at Heartland Payment Systems and Hannaford. The PCI DSS was developed to place the responsibility on the retailers, yet retailer representatives cite the high cost of implementing and complying with the standard. Rep. Yvette Clarke, D-N.Y., recognizes that the PCI standards are not worthless but believes that PCI is also not a catch-all for keeping a company secure[1]. Robert Russo, director of the PCI Data Security Standards Council, says, "We have never found a breached entity to be in full compliance at the time of breach."[2] Dave Hogan, senior vice president and chief information officer for the National Retail Foundation, said 'the PCI Security Standards Council has ignored a number of other recommendations from the retail industry, such as allowing consumers to enter a personal identification number for credit card transactions.'[2]

There is also the argument about encryption, which Russo calls an "expensive proposition... If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."[1]

[1] http://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-visa.html
[2] http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&subj=news&tag=2547-1_3-0-20

7) Visual Security Analysis.
Larry has been reading Raffael Marty's Applied Security Visualization, and discusses visually analyzing security data, reporting, historical analysis, and real-time monitoring, as well as some of the open-source/freeware tools covered in the book and its accompanying CD.

http://media.techtarget.com/searchSecurity/downloads/Appliedsecurity0321510100_Sample1.pdf

II. Tech Segment

Scenario: One of your IT employees leaves and happens to know the Administrator password to your workstations. What do you do when a password falls into the wrong hands? There is a simple solution.

Using a script and pspasswd.exe that comes with the Sysinternals PSTools: http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Export a list of all the workstations on the network from Active Directory and put them into a text file – pspasswd.exe will read the computer names from the list in the text file and change the password of the specified account on each computer. For this example, run the script from the directory containing the pspasswd.exe program:

rem Ask for the name of the text file that lists the target computers (without the .txt extension)
set /p filename="Please enter name of computer list (ie: computers): "

rem One command: read the computer list, authenticate with the domain account given by -u/-p,
rem set the local "administrator" account on each computer to "newpassword", and log the results
pspasswd @%filename%.txt -u administrator@domain.com -p password administrator newpassword >> %filename%-results.txt
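As an added example, not part of the podcast notes or of Sysinternals, the same rotation can be done from PowerShell so that the workstation list comes straight from Active Directory and the new password is never typed onto the command line, stored in the script, or copied into the results file. It also refuses an empty password, since pspasswd applies a blank password when NewPassword is omitted. It assumes the ActiveDirectory module (RSAT) is installed, that pspasswd.exe is in the current directory, and that the account running it already has local administrator rights on the targets (so no -u/-p domain credential has to be written down); the file names and the operating-system filter are placeholders.

```powershell
# Added example (not from the podcast or Sysinternals): rotate the local
# Administrator password on every domain workstation with pspasswd.exe.
# Assumptions: the ActiveDirectory module (RSAT) is installed, pspasswd.exe is in
# the current directory, and the caller's own domain account is a local admin on
# the targets, so no -u/-p domain credential needs to be placed in a script.
Import-Module ActiveDirectory

$listFile = 'computers.txt'            # placeholder file name
$log      = 'computers-results.txt'    # placeholder log name

# 1. Build the target list from AD: Windows machines that are not servers.
Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike '*Server*' } |
    Select-Object -ExpandProperty Name |
    Set-Content -Path $listFile

$targets = @(Get-Content -Path $listFile)
if ($targets.Count -eq 0) { throw 'No workstations found; nothing to do.' }

# 2. Read the new password without echoing it to the console or a transcript.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
if ($secure.Length -eq 0) {
    # pspasswd sets an EMPTY password when NewPassword is omitted; never let that through.
    throw 'Empty password refused.'
}
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 3. Change the account on every listed computer in one pspasswd run and keep a log.
#    Syntax: pspasswd @file Username NewPassword (the caller's credentials are used).
& .\pspasswd.exe "@$listFile" Administrator $plain 2>&1 | Tee-Object -FilePath $log
$plain = $null   # drop the plaintext copy as soon as pspasswd has it

Write-Host "Attempted $($targets.Count) computers; review $log for any that were offline or failed."
```

Two caveats worth keeping in mind: pspasswd still receives the password as a process argument, so it is briefly visible in the process list on the admin machine, but this keeps it out of the script file, the shell history and the results log; and machines that are powered off or off the network when the script runs keep the old password, so the log should be checked and the run repeated for those names. The rotated password is still one secret shared by every workstation, which is exactly what made the departed employee's knowledge a problem in the first place, so limit who learns the new one.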

 

III. Cooltility (Cool + Utility = Cooltility)

Conficker is out partying. Are you going to wake up with a hangover? Detection tool: eEye is providing a free scanner that looks for vulnerable, patched, and infected machines. So, are you protected or not?!
http://www.eeye.com/html/downloads/other/ConfickerScanner.html

IV. Smarter U.

One investment you can never lose on is the investment in yourself.

J1. Blackhat conference presentations from 2008 are available online with podcasts and PDFs for each presentation. Learn something new and likely cutting edge at: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html

L2. IEEE Computer Society, the world's largest membership organization for computing professionals, offers access to over 3,000 e-learning course modules through Element K and access to 1,100 books and magazines, 600 of them through Safari. New membership for six months is $49.

A3. Thousands of video lectures from the world's top scholars: http://academicearth.org/

L4. Brainbench offers some free testing: http://www.brainbench.com/xml/bb/common/testcenter/freetests.xml

Got a suggestion for this space? Please send it to podcast@cuispa.org.