Fun infosec links August 21, 2014

How To Protect Your Personal Information Online - The Onion

A fun list of ways to keep your personal information safe online.

Special Note: for those unfamiliar with The Onion, it is a satirical site and not meant to be taken seriously.

Social Engineering a Telemarketer - Bruce Schneier - Schneier on Security

Telemarketer gets owned and it's wonderful. 

How to Use Your Cat to Hack Your Neighbor's WiFi - Andy Greenberg - Wired

Welcome to the infosec community my feline friend.

Learning a new Language, Spanish

Monday I took my Spanish placement exam. I am down to the last two semesters of my college career and I needed to take three Spanish courses to graduate. I've been putting off Spanish classes because they're one of the classes that are almost always offered in the evenings and being a part time student that's invaluable.

Resources

Anyways, I probably should have done this sooner, but I didn't. A few years ago I decided that i would try to place out of some Spanish but buying Rosetta Stone and studying my butt off over the summer. This past Winter I bought the Rosetta Stone for half price and spent this entire Summer studying 30 minutes to two hours a night four to five days a week.

I supplemented that with a free language learning website called Duolingo. The setup is pretty good and I got the hang of it really quickly. I typically used my lunch breaks to work through the site, but also used the site pretty extensively on my final day of studying. One of the great things is that once you've learned about 50% of the language you can work on real world examples, by helping the site translate them. You can do the translating yourself or review translations from other people and either up vote, down vote or edit a translation. It's a really good resource, especially for the price.

Two other resources I utilized in my studying was Spanish baseball broadcasts and Twitter. Spanish baseball broadcasts are good, because they use a lot of baseball terms I was able to understand and use as points of reference. Twitter also makes for a good reference point, as it gave me a gauge on how much I was learning.

Placement Exam

Of the three courses I needed to graduate, I was able to place out of two of them. I took German in high school, so I was starting from scratch with Spanish. The exam was certainly over my head, but I had learned enough that I was able to pick my way through the exam. There were more questions using excerpts from books and articles than there were questions about what does this word mean. From my understanding the exam apparently got harder as you answered more questions correctly.

If I had to do my studying all over again I would focus more on doing translations using real world examples from Duolingo. I thought Rosetta Stone did a good job of building a base with it's program and Duolingo did a good job of filling in the gaps. However, I think you could get by with just Duolingo. 

Rosetta Stone does have an online resource to further help your learning. Unfortunately, it's only available for free for a month or two. After that it requires a subscription. I waited too long to try the online resources, so I can't really comment on how effective they are.

Final Thoughts

One thing I wish I had done was watch some movies in Spanish to see how effective that would have been on helping me learn the language. But I've really enjoyed my time studying a new language. It's very satisfying and something I would recommend everyone do. I plan to continue learning Spanish. I just won't be doing it as hot and heavy.

If anyone has a suggestions for resources or want to share their experience learning a new language I would love to read them in the comment section below.

InfoSec links August 19, 2014

Visit the Wrong Website, and the FBI Could End Up in Your Computer - Kevin Poulsen - Wired

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

Scientists reconstruct speech through soundproof glass by watching a bag of potato chips - Jacob Kastrenakes - The Verge

While a bag of chips is one example of where this method can be put to work, MIT has found success with it elsewhere, including when watching plant leaves and the surface of a glass of water. While the vibrations that the camera is picking up aren't observable to the human eye, seemingly anything observable to a camera can work here. For the most part the researchers used a high-speed camera to pick up the vibrations, even using it to detect them on a potato chip bag filmed 15-feet away and through a pane of soundproof glass. Even without a high-speed camera though, researchers were able to use a common digital camera to pick up basic audio information.

Android Backdoor disguised as a Kaspersky mobile security app - Vigi Zhang - SecureList

Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading virus. Mobile security is related to user privacy. In most cases, a mobile device is more important than PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.

Def Con links August 18, 2014

Hackers Unveil Their Plan to Change Email Forever - Denver Nicks - Time

Jon Callas, chief technology officer of Silent Circle and a co-founder of the Dark Mail project, told TIME that “the biggest problem we have today with email is that it was designed in the early 1970s and it was not designed for the problems we have today. Even the standard email encryption that we have today protects the content but not the metadata.”

You cannot 'cyberhijack' an airplane, but you can create mischief - Adam Greenberg - SC Magazine

Ultimately, airlines are very safe, Polstra said, but he added that nearly every protocol used in aviation is unsecured – meaning no encryption – and that there is potential to annoy air traffic control and small aircraft.

Founder of America's Biggest Hacker Conference: 'We Understand the Threat Now' - Denver Nicks - Time

Nothing changed before or after Snowden’s revelations. The security researchers knew that of course that’s what the NSA or any government can do. If you talked to the hackers last year it was like, “Of course you can do that. I’ve been doing that for 10 years.” But now that it’s sunken in at a more policy level you can have the conversation. Before you would say something to your parents and they’d be like, “Oh hahaha. You’re paranoid.” Next thing you know your parents are like, “Oh my God. You were not crazy. You’re not my paranoid son.” Now we’re at a place where people can relate and that’s a much more healthy place for us to be.

 

Exploring Information Security: What is threat modeling?

In the fifth edition of the Exploring Information Security (EIS) podcast, I talk with J Wolfgang Goerlich, Vice President of Vio Point, about threat modeling.

Wolfgang has presented at many conference on the topic of threat modeling. He suggests using a much similar method of threat modeling that involves threat paths, instead of other methods such as a threat tree or kill chain. You can find him taking long walks and naps on Twitter (@jwgoerlich) and participating in several MiSec (@MiSec) projects and events. 

In this interview Wolfgang covers:

  • What is threat modeling?
  • What needs to be done to threat model
  • Who should perform the threat modeling
  • Resources that can be used to build an effective threat model
  • The life cycle of a threat model

Leave feedback and topic suggestions in the comment section below.

Baseball and Information Security: Red Team vs. Blue Team

By day I'm an information security professional; By night I'm a baseball blogger.

I've been thinking a lot over the past few months about some of the similarities between the two very different areas of study. This is meant to be thought exercise to try and get down some of these thoughts as well as further fleshing out the idea.

Red team vs. Blue team

St. Louis Cardinals vs. Chicago Cubs; Boston Red Sox vs. Torongto Blue Jays; Texas Rangers vs. Los Angeles Angels of Anaheim;  Washington Nationals vs. Atlanta Braves; Philadelphia Phillies vs. New York Mets; Arizona Diamondbacks vs. Los Angeles Dodgers.

All the matchups above are teams with red vs. teams with blues. The most prolific matchup is probably the first one: Cardinals vs. Cubs. There's a long history of those two fan bases disliking each other. A lot.

It's a little more complicated than that, though. Within each team is offensive players vs. defensive players, so maybe the analogy goes better in a single game, rather than a series. So within a game you have your hitters, red team, and your fielders, blue team. But what does that make pitchers? Would pitching be the business objectives or goals. Depending on the agency it could be sensitive information or the asset that makes the business profitable. So pitchers are the business goals and the ball is the sensitive information that makes the organization operate.

A good defense/blue team is going to help minimize the impact a ball hit into play makes. There are very few no-hitters and even fewer perfect games. The same idea applies to security measures, there is no perfect defense. Someone will, at some point, get a hit or breach the network. The impact of that breach will be based on how good your defense is, but we shouldn't just focus on defense. To win the game you need to score some runs yourself and having a good red team or at least understand red teams tactics is important to win the game.

Baseball players play both sides of the game. Some are good at offense; some are good at defense. They play both sides of the game and that's something that I think also needs to be done in security.

'Hacker Summercamp' links August 11, 2014

Meet the Puzzle Mastermind Who Designs Def Con's Hackable Badges - Kim Zetter - WIRED

This is really cool and I am jealous of anyone that got one of these badges.

Dan Geer Touts Liability Policies For Software Vulnerabilities - Sara Peters - Dark Reading

Another angle on Dan Geer’s opening keynote at Black Hat. Rafal Los linked to the full talk on Twitter if you’re interested:

John McAfee: Google and Facebook's Erosion of Privacy is a Tragedy - Phil Muncaster - Infosecurity Magazine

John McAfee had an interesting closing talk at BSides Las Vegas about privacy.

Dealing with the ransomware known as CryptoLocker

Ransomware is some pretty nasty stuff and it’s only getting nastier. This particular piece of malware encrypts a person’s drive and then locks it from the user. To unlock it the person must pay, usually by bitcoin, to get access to the freshly encrypted data. Brian Krebs recently called 2014 ‘The Year Extortion Went Mainstream’ and one of the reasons he said that was because of online criminal activities like ransomware. One of the most well known ransomware is called CryptoLocker

There are a couple of ways that ransomware can be combatted:

Take good backups

The backups should be offline. If they’re online then attackers could potentially get access to that device and take it over. Recently, it was found that some Synologys with older firmware versions could be infected with ransomware. Which leads to the next point.

Keep your system up-to-date

This is nothing now and something that has been suggested thousands of times. Still systems are being left unpatched. I know it’s not easy, especially, when there are a lot of other things to do, but one of the easiest ways to keep your system up-to-date is to use a program like Secunia. It does most of the work for you and is fairly user friendly.

Trust your intuition online

Listen to that voice in your head telling you clicking on this link or that link is a bad idea. It’s usually right. If it feels wrong or it’s too good to be true it probably is. I leave it at that, because that’s is something else that gets mentioned a lot in ‘online safety.’

If all else fails, there's an app for that

Recently, Fox IT and FireEye teamed up to offer a free Decrypt service that will get people infected with ransomware their stuff back. I haven’t tried the service, nor do I know how well it works, but both FireEye and Fox IT are legitimate  security companies.

At this point and time, there is not an alternative to getting data back from a ransomware infection. You either need to avoid ransomware altogether, reinstall your operating system and have good backups, or use the FireEye/Fox IT service. If you try the service I would love to hear your experiences with it.

What vendors should not do at security conference

This is what not to do if you're a vendor at a security conference.

Sure sex sells, but a lot of the people going to a security conference are PROFESSIONALS. What turns on security professionals at a security conference are products that work well and vendors that can technically explain that product.

Leave the half naked women at home. 


Terrifying 'Hacker Summercamp' links August 7, 2014

BSides Las Vegas - Incidents happen, react and learn from them - Dan Raywood - IT Security Guru

Adam Shostack opened the BSides Las Vegas conference with a talk titled "Beyond good and evil." The gist of the talk is to be more open about incidents that occur within the organization. The idea is that the transparency will not only benefit the breached but also those looking to learn from a breach.

Black Hat 2014 and Media Fud - Bill Brenner - Liquidmatrix

Read this and you'll understand why I the word 'terrifying' led the title of this post.

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them - Kim Zetter - WIRED

In the opening keynote at Black Hat, Dan Greer suggested, among other things, that the U.S. government buy up all the zero-day vulnerabilities and release them to the public. This would allow companies to close a lot of vulnerabilities in their software and applications. I like the idea, I just don't think we'll ever see it happen.

InfoSec links August 6, 2014

The NSA's Cyber-King Goes Corporate - Shane Harris - Foreign Policy

Join Army -> Rise to four-star general ->Become head of NSA -> Setup surveillance state -> Retire -> Create new security software to detect “cyber-intruders” -> profit

Why the Security of USB Is Fundamentally Broken - Andy Greenberg - WIRED

Welcome to my paranoia. USB drives are a wonderful thing. They really are. Unfortunately, they can be configured or programmed to be an awful thing and that is a scary thing. Never plug an untrusted, or unknown, USB anything into your computer. Ever!

Announcing EMET 5 - Security Research and Defense Blog - Microsoft

EMET is a fantastic tool and one of the easiest, quickest and cheapest ways to improve the security on your computers. I would highly recommend downloading it and giving it a try at home and at work.

Podcasting tips: editing and processing

Previously, I talked about equipment tips for podcasting. In this post I want to give some basic tips on editing and processing audio files. These are some of the things I’ve learned along the way:

Editing

Always edit from the end of the audio to the beginning, especially if you have time markers for editing. If you start at the beginning and edit to the end you'll change any time markers you set.

Truncate silence is a wonderful option in audacity. Effect -> Truncate Silence and define the amount of space allowed between audio waves. Once the process is started it will remove all the dead air in the audio file. Again, if editing markers are set make sure those are taken care of before hitting truncate silence.

Setting markers. In audacity it’s CTRL + M. It will set a mark during recording for you to go back to later.

Processing

Levelator is great for processing audio: http://web.archive.org/web/20130729204551id_/http://www.conversationsnetwork.org/levelator/

Export the audio as a wave and drop it in the levelator box and it will clean up and level everything in the audio.

Once that's done put the wav file in iTunes and convert it to an MP3 file. Here on instructions on how to set that in iTunes: http://support.apple.com/kb/ht1550

iTunes does a good job of converting wav files to MP3s and is the simplest method I know.

Ask questions or leave any audio editing and processing tips in the comment section below.

 

Podcasting tips: equipment

was recently asked for some tips on podcasting via email and I decided it would be a good idea to throw them up my website here for anyone else interested. Podcasting can be as simple as recording from your phone and putting it online or as complicated as getting a $300 microphone, a mixer and professional software. How you podcast is based on how much effort you plan to put into it and how much you’re willing to spend. I would suggest starting simple and cheap and then build on that as you get more into it.

Below you’ll find podcasting tips for a single person setup that costs about $50. The person I was giving tips to was for equipment and software ONLY. If you’re planning on podcasting you’ll need to consider hosting options for your audio files.

Get Audacity, a microphone and a headset or earphones.

Audacity is a really good free audio editing software: http://audacity.sourceforge.net/

It's what I use for my podcasts and fairly intuitive to learn.

Just about any mic available will work for recording a voice, whether it's a headset, a built-in laptop microphone or even a phone if it has recording capabilities. Your quality mileage will vary depending on how much is spent on the microphone.

I would recommend audacity, any headset or earphones and an ATR2100 USB mic: http://www.amazon.com/Audio-Technica-ATR2100-USB-Cardioid-Dynamic-Microphone/dp/B004QJOZS4

It's under $50 bucks but will improve the quality of the audio significantly and because it's USB all you have to do is plug it into the computer and go. And because it has an XLR connection it can also be hooked up to other more advanced audio devices. It's the same microphone David, Sean and I use for Crawfish Boxes: Astros Baseball Show. I would also recommend some sort of screen for the microphone. A cheap option would be a simple screen for the microphone. http://www.amazon.com/Stage-Foam-Ball-Type-Windscreen-Black/dp/B0002GXF8Q/ref=sr_1_2?s=musical-instruments&ie=UTF8&qid=1406421196&sr=1-2&keywords=microphone+windscreen

A more expensive option would be to get a desktop mic stand ($15) and a pop filter ($10-15).

$3 is about the cheapest you can go and again will improve the quality of the audio. Something I take very seriously if you hadn’t noticed.

Gaming headset also have decent microphones, but won’t be better than the ATR2100.

Examples:

12th episode:

This is me with a gaming headset.

127th episode:

This is me with the ATR2100.

Now I have refined my editing and audio processing techniques, but this still should give you a good idea on the quality difference in microphones.

Next: editing and processing tips

Tweets worth mentioning July 31, 2014

Exploring Information Security: What is cryptography

JustinTroutman

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth sounding Justin Troutman a cryptographer from North Carolina about what cryptography is.

Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about

  • What cryptography is
  • Why everyone should care about cryptography
  • What some of it's applications are
  • How someone would get started in cryptography and what are some of the skills needed

Leave feedback and topic suggestions in the comment section below.

InfoSec links July 29, 2014

Banks: Card Breach at Goodwill Industries - Brian Krebs - Krebs on Security

Who steals from Goodwill? Honestly.

What's the worst thing you can say to a sysadmin? - Naked Security - Sophos

I had no idea there was such a thing as SysAdmin day, let alone that it’s been going on for the past 15 years.

The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil' - Jordan Robertson - Bloomberg

A profile on Barnaby Jack whom I’ve heard only good things about.