Longform links September 18, 2014

I can't remember if I've already shared this video before, but it's worth sharing again.

This is a documentary on DEFCON, the security conference that hackers and security professionals so lovingly refer to as "Hacker Summer Camp." It's almost two hours long, but well worth it.

Fun With Funny Money - Brian Krebs - Krebs on Security

Krebs takes a deep dive into counterfeit money: where it's sold and how to identify it.

Finally, we have a three-page article on podcasting.

10 years of podcasting: Code, comedy, and patent lawsuits - Cyrus Farivar - ars technica

This dives into the history of podcasting: where it started, what it's become and some of the challenges podcasters are facing in the legal and patent systems.

 

Impressions from BSides Augusta

Simply awesome!

What a great BSides event. Not only was it a short drive for me, but the event itself was top notch, all at the fantastic price of free. I can't gush enough about how great of an event this was. Excellent talks, great location and wonderful people. I volunteered for the event, and you can read about that experience, as well as a rant about how awesome volunteering is, in a separate post.

I love that this BSides decided to go with a blue team and a red team track. It helped define some of the talks that might not have been apparent in the title or in the abstract. Full disclosure: I'm a blue team guy and thus spent most of the day in the blue track. I hear there were some fantastic red team talks like Tim Tomes', The Adobe Guide to Keyless Decryption:

But there were also some fantastic blue team talks like Tim Crothers', Techniques for Fast Windows Investigations:

Or Chris Campbell's, Using Microsoft's Incident Response Language:

What I loved in particular about this talk was that Chris spent the majority of it going over actual code and techniques, which is not something I see a lot of talks doing. If you're interested in PowerShell, have it open while you're watching this talk.

There's also Chris Sanders' talk Defeating Cognitive Bias and Developing Analytic Technique which kicked off the blue team track:

Finally, Mark Baggett closed out BSides Augusta with his awesome talk Crazy Sexy Hacking:

These talks were the ones that impacted me the most. Everyone is going to get something different out of each talk. I would recommend you check out all the talks at the BSides Augusta YouTube channel. I don't think you'll be disappointed.

One other awesome thing happened at BSides Augusta: the local media showed up unannounced, took footage of the event and conducted interviews with some of the organizers. This is not just a good thing for BSides Augusta, but for the infosec community as a whole.

We must present ourselves to the world as professionals and BSides Augusta did that very well. I look forward to more BSides, especially at Augusta.

 

Volunteering at BSides Augusta

This past weekend I got an opportunity to volunteer for my first BSides event, and I did it at BSides Augusta, which is the closest BSides event to me (approximately an hour away). When I initially signed up to volunteer I was happy to find that I was put on a waiting list. It's pretty awesome that an event that doesn't cost anything and relies heavily on its organizers and volunteers didn't initially need my services. That changed a few weeks later when I was notified that I would in fact be needed.

I left the house just before 6 a.m. this past Saturday to make it to volunteer orientation at 7 a.m. I showed up and was instantly put to work setting up signs and making sure everything was prepared for the blue team track speakers. BSides participant registration quickly followed and soon after that we were off.

After the initial setup we were free to go to any talks and roam around wherever we wanted to. If someone needed a volunteer they would come find us. I was assigned the duties of helping out in the blue team track room, but another volunteer expressed interest in helping out in the room as well, so I ended up splitting time with him. He took the morning sessions and I ended up with the afternoon sessions. This gave me the opportunity to spend my morning walking/running between the blue and red team talks.

When I was working in the blue team room I made sure the speakers got the microphone and computer set up and helped with anything else the track organizer needed. After the conference was over, the signs that were put up in the morning were taken down and I ended up walking around making sure everything was collected that needed to be collected.

The great thing about most security conferences is that they're recorded, and BSides Augusta was no different. At this event they were able to acquire the services of Adrian Crenshaw, AKA Irongeek, to record all the talks. So you really don't need to go for the talks. Instead you can go for the opportunity to make a connection with other security professionals, and volunteering, as it turns out, is an excellent way to make those connections.

Doug Burks ran the blue team track and Mark Baggett ran the red team track. Doug is the creator of Security Onion, a Linux-based network security monitoring distribution. Mark is the owner of In Depth Defense, an author and a former Chief Information Security Officer (CISO). Both are SANS instructors, and I got to work with both of them and even chat with them a little bit. Well, I didn't chat with Mark a whole lot, but he did mention that he had seen my tweets before (WHAAAA???).

Those were two of the many people I got to meet this past weekend. I also got to meet Joanne Sexton (the volunteer coordinator and assistant professor at Georgia Regents University), Lawrence, Phil, Chad, Warren, Don and many others working and participating in the event. Because I got assigned to help out with one of the talk rooms I also got to interact with several of the speakers such as Chris Sanders, Chris Sistrunk, Mike Reeves, Tim Crothers, Chris Campbell and Jeff Murri. All of these guys have a wealth of knowledge and experience within the information security community. I'm not exactly besties with any of them, but I have made a connection and I am following and being followed by several of them on Twitter now.

By the way, Twitter is fantastic for events like this. Not only do you make connections, but you can help promote the event and the infosec community by tweeting about some of the cool things happening there. I had over 50 interactions with people via tweets, mentions, retweets and favorites during and in the hours after the event. If you're an infosec professional (or in any profession, really) you should be on Twitter. You don't have to tweet anything, but there are a lot of smart people you can follow. If you do tweet, you can start making connections with the people you follow.

Volunteering is something very near and dear to my heart. This was my fourth BSides event, but the first in an official volunteer capacity. At the previous two BSides I participated in, Nashville and Asheville, I volunteered my photography "expertise." Those two events benefited me by allowing me to refine my photography skills as well as make connections with the event coordinators. I am currently helping Ed Rojas (BSides Nashville event organizer) with starting up a new security podcast, as well as interning this spring with BSides Nashville. When you volunteer you get just as much as you give.

Until recently I had been volunteering at my church for three years. Every other Sunday morning I would get up and be at church by 7 a.m. I would then spend the next five and a half hours helping produce three services. Through that I've been able to gain WordPress, Mac and sound design experience, but I've also made connections with other volunteers, musicians and sound engineers. In fact, the music for most of my podcasts comes from the sound engineer I was working under as a volunteer. The fence in my backyard was built by another volunteer who runs his own business.

Volunteering is a wonderful thing: You not only give back to a community or a cause, but you also get back just as much if not more. Don't be just a consumer of your hobbies or profession, be a producer. And if your hobby or profession is information security give back to a BSides event near you. You won't regret it.

Exploring Information Security: How to ZAP your websites

In the seventh edition of the Exploring Information Security (EIS) podcast, I talk with Zed Attack Proxy (ZAP) creator and project lead Simon Bennetts.

Simon is the project lead for ZAP, an OWASP (Open Web Application Security Project) project. He has a developer background and originally built the tool to help developers build better applications. The tool was so good that it caught the eye of the security community, and it is now used by developers, people just getting into security and veteran pen testers. You can follow him on Twitter @psiinon and find out more about the tool by going to the project site on OWASP.

In this interview we cover:

  • What is ZAP and how did the project get started?
  • Who should utilize ZAP?
  • What skill level is needed to start using ZAP?
  • Where should ZAP be used?
  • How you can get involved in the project.

Music by Alan Read

Leave feedback and topic suggestions in the comment section below.

Late night links September 10, 2014

The last week I've been stressing out over a Spanish project that was due this evening. As such, I was unable to get something up for this morning. I have since submitted my project for grading and I am now free to post some content on this website.

A couple things.

Home Depot confirms breach but stays mum as to size - Robert Lemos - ars technica

On Monday Home Depot confirmed what we all suspected: its point-of-sale (PoS) terminals had been compromised. If you have shopped at a Home Depot in either the U.S. or Canada at some point in the last five months, all the way back to April, then your credit card was likely stolen by online criminals. Call your bank and have a new card issued.

Unfortunately, this is one of those situations where you did nothing wrong (other than shop at Home Depot, BAZINGA!) and you still got your financial information compromised. However, there are some things you can do to help protect your financial well-being, which I wrote about yesterday.

We're in the battle for the net - battleforthenet.com

The internet service providers (ISPs) such as Comcast, Verizon, Time Warner Cable and AT&T are trying to have the FCC restructure regulations so that they can provide two lanes with differing speeds for sites on the internet. 

From Wikipedia:

Net neutrality (also network neutrality or Internet neutrality) is the principle that Internet service providers and governments should treat all data on the Internet equally, not discriminating or charging differentially by user, content, site, platform, application, type of attached equipment, and modes of communication.

If ISPs are allowed to regulate the internet, then we essentially lose our freedom on the internet. If you want to get a better understanding of the situation, here is John Oliver's take on the whole issue. It's 15 minutes long, but worth it.

Companies are putting your financial information at risk

As much as I would like to give out a sigh of relief that I don't shop at Home Depot, I just can't. While it's likely that Home Depot has been breached, it's only one store of many. I shop at its competitor Lowe's, and at Sam's, and at restaurants and various other businesses. In the last 10 months we've seen several vendors release statements that they have been breached: from Target to Dairy Queen to Goodwill to UPS to Home Depot, and several other stores in between. The latest threat to my financial security is the places I shop.

Last month the U.S. government warned that over 1,000 companies have had their point-of-sale systems compromised with malware intent on stealing credit and debit card information. I shopped at Target during the three weeks they were breached and had to have my card replaced. I've managed to dodge the bullet since then, but I expect that at some point within the next year I'll be calling my bank again for a new credit card.

What can be done?

Since it’s not feasible to stop shopping at local stores, here are some of the things that I try to do to protect myself from breaches that could put my financial well-being at risk.

Use a credit card instead of a debit card

Anywhere I shop, be it online or offline, I always try to use a credit card. If my credit card gets stolen in one of these breaches, criminals will have access to my credit line, not my personal bank account. I feel much more confident that I can get the charges on my credit card dropped with less stress and much less hassle than trying to recover money from my drained bank account.

Check your statements

Whether it is a credit card or a debit card, I try to keep an eye on my bank statements. At least once a week I will log in to my bank account and go through my credit card and checking account statements. Any rogue transactions get reported with the simple click of a button (your bank's process may vary). I've benefited from this by also finding a couple of transactions that a vendor had billed me twice for.

When I go through my bank statements, I am double checking every transaction, not just foreign transactions. Banks have alerts and alarms set up for transactions outside of a customer's geographical area. Criminals have adjusted to this tactic and now sell and buy cards within a person's geographical area, which makes it much tougher for banks to identify credit cards that may have been stolen.
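To make the difference between the two kinds of checks concrete, here is an added example (written for this edit, not code from the original post) that runs a bank-style out-of-area rule and a duplicate-charge rule over a constructed, fictional card statement and scores both against the ground truth that only a line-by-line review supplies. All merchants, amounts, reference numbers and the home state are made up.

```python
"""Added example, not code from the original post: two automated statement
rules run over a constructed, fictional card statement, to show what the
bank-style geography alert catches and what only a line-by-line review catches.
Merchants, amounts, reference numbers and the home state are all invented."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_STATE = "SC"  # assumed cardholder home area for the constructed data


@dataclass(frozen=True)
class Txn:
    ref: str            # statement reference number (keeps identical charges distinct)
    when: datetime
    merchant: str
    amount: float
    state: str          # merchant location as printed on the statement
    expected: bool      # ground truth: does the cardholder recognize this charge?


# Constructed statement: a local double billing (T2), a legitimate out-of-state
# day trip (T4) and a fraudulent charge placed inside the home area (T5).
STATEMENT = [
    Txn("T1", datetime(2014, 9, 1, 9, 12), "Hardware Store", 84.17, "SC", True),
    Txn("T2", datetime(2014, 9, 1, 9, 12), "Hardware Store", 84.17, "SC", False),
    Txn("T3", datetime(2014, 9, 2, 18, 40), "Grocery", 56.30, "SC", True),
    Txn("T4", datetime(2014, 9, 3, 13, 5), "Electronics", 499.99, "GA", True),
    Txn("T5", datetime(2014, 9, 4, 2, 15), "Gas Station", 75.00, "SC", False),
]


def out_of_area(txns, home_state=HOME_STATE):
    """Bank-style geography rule: flag any charge outside the home state."""
    return [t for t in txns if t.state != home_state]


def duplicate_charges(txns, window=timedelta(hours=24)):
    """Flag a charge that repeats an earlier one (same merchant and amount) within `window`."""
    flagged = []
    seen = defaultdict(list)  # (merchant, amount) -> earlier charges with that key
    for t in sorted(txns, key=lambda t: t.when):
        key = (t.merchant, round(t.amount, 2))
        if any(t.when - prev.when <= window for prev in seen[key]):
            flagged.append(t)
        seen[key].append(t)
    return flagged


def rule_report(txns):
    """Score each rule against the constructed ground truth.

    A rule 'catches' a charge when it flags one the cardholder does not
    recognize, and raises a 'false alarm' when it flags one the cardholder does.
    """
    unexpected = {t for t in txns if not t.expected}
    geo = set(out_of_area(txns))
    dup = set(duplicate_charges(txns))
    return {
        "geo_caught": len(geo & unexpected),
        "geo_false_alarms": len(geo - unexpected),
        "dup_caught": len(dup & unexpected),
        "dup_false_alarms": len(dup - unexpected),
        "unflagged": len(unexpected - geo - dup),  # only a full manual review finds these
    }


if __name__ == "__main__":
    for name, hits in (("out of area", out_of_area(STATEMENT)),
                       ("duplicate", duplicate_charges(STATEMENT))):
        print(name, [t.ref for t in hits])
    print(rule_report(STATEMENT))
```

On this data the geography rule flags the legitimate day trip and misses the fraudulent local charge entirely, which is the point above: a card sold and used inside your own area never trips that alarm, so your own review of every line is the control that catches it. The duplicate rule finds the double billing because it keys on merchant and amount rather than location.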

Until companies that we buy from improve the security of their systems my financial well-being and your financial well-being will be at high risk of being compromised. We must remain vigilant in doing what we can to protect it.   

 

 

Tweets worth mentioning September 8, 2014

Looking for celebrity nudes could lead to malware

As is the case with any big news, criminals and nefarious types are taking advantage of the celebrity nude-photo story to get malware installed on the machines of the unwitting.

Celeb nude photos now being used as bait by Internet criminals - Sean Gallagher - ars technica

Links are being spread among social media sites such as Twitter and Facebook. I imagine they're also being spread on other social media platforms. Just don't do it, unless you're prepared to lose more than just your dignity.

InfoSec links September 4, 2014

Aaron's Law Is Doomed Leaving US Hacking Law 'Broken' - Thomas Brewster - Forbes

There are various reasons for the impasse. One is that the plans simply haven’t elicited much interest from lawmakers or the general public, said Orin Kerr, professor of law at the George Washington University Law School. “This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public – at least yet,” Kerr told me.

Privacy Under Fire: Aaron Sorkin Saw It Coming In 1999 - Bill Brenner - Liquidmatrix

In the episode, Bartlet has nominated a man for the Supreme Court whose writings suggest a lack of regard for Americans’ right to privacy. During a heated Oval Office discussion, presidential advisor Sam Seaborn explains why their candidate’s views will be dangerous in the first part of the 21st century.

These 3-D Printer Skeleton Keys Can Pick High-Security Locks in Seconds - Andy Greenberg

Even so, bump keys have long been tough to create for high security locks that use obscure, complex key blanks. Many lock makers carefully trademark or patent their key blank designs and prevent them from being sold to anyone outside a small group of verified customers. But with the advent of 3D printing, those restrictions can’t stop lockpickers from 3D printing their own blanks and filing them into bump keys—or simply printing bump keys with their teeth already aligned with a lock’s pins. In this video, Holler demonstrates a 3D-printed and filed bump key for an Ikon SK6, a key that uses restricted, carefully contorted blanks that can’t even be created by many key-milling machines.

Studying for Spanish Quiz 1

Spanish is turning out to be one of the tougher classes I've taken at USC. At this point I would rank it second behind the histology course (500 level biology) I decided to take several semesters back. The good news is that I got through histology and I think I can get through Spanish, but it's going to take a lot of hard work.

One of the things I would like to do is blog about and in Spanish to help me better understand the language. If you speak español I would love your feedback on anything I put up on the site. For this post, I will be going through some of the material that will be on the quiz tomorrow. Hopefully this can be a reference point for others as well as give me an opportunity to better understand and learn the material.

La ropa habla - The clothes speak

Me visto para el trabajo - I dress for work

Me gusta llevar ropa profesional - I like to wear professional clothing

Me gusta usar camisas azules - I like to wear blue shirts

de cuadros - checked or plaid; a pattern made of perpendicular lines

con lunares - polka-dotted; a dotted pattern

de rayas - striped; a pattern of lines in alternating colors

estampado - printed; a pattern with many different shapes

Los Astros llevan jerseys blancos, pantalones blancos y gorras de béisbol naranjas - The Astros wear white jerseys, white pants and orange baseball caps.

In Spanish the color of something goes after the object. While we say white pants, in Spanish it's pantalones blancos.

Los numeros ordinales - The ordinal numbers

Primero - first

Segundo - second

Tercero - third

Los adjetivos demostrativos - The demonstrative adjectives

Este/esta - this

Estos/estas - these

Ese/esa - that

Esos/esas - those

The first word in each pair is the masculine version and the second is the feminine version. In Spanish, words can have the same meaning but be spelled slightly differently depending on the gender of the word they modify. As a general rule, an -a ending is feminine, while -o (and, for these demonstratives, -e) endings are masculine.

Palabras difíciles - Difficult words

For some reason I'm struggling a little bit to remember words such as encantar (to love, to delight) and parecer (to seem, to appear). Quedar is another tricky one: it means to stay or remain, or even to fit. When it means to fit, words like bien (well) or mal (poorly) will follow it. Both parecer (to seem) and quedar (to fit) can have the subject placed in front of them instead of at the end of a sentence.

That's about all I've got for now. I'll try to update on how the quiz went and hopefully I'll have something more constructive next time.

Presentation in the information security community

I am a media arts student who works in information security. 

Coming out of high school I knew I was going into the military. I didn't know a lot about myself back then, but I knew that if I went to college it would be a waste of my parents money. Once I completed my service in the Navy, I decided that I was going to go straight into the workforce. I mean who wouldn't want a fresh military veteran with six years of experience working on electronics instead of some wet behind the ears kid fresh out of college. So I naively entered the workforce and things didn't go exactly as I planned as far as landing a job, but I eventually worked my way up the IT ladder to the security position I currently hold.

During that climb I did make the decision to apply for college on a part-time basis. I had paid into the GI Bill so there was no reason not to. One class a semester was easy enough, but likely meant I wouldn't be finishing college in under 20 years. That changed when the government decided to change the way the GI Bill worked. Instead of just getting my classes paid for, I was going to get my classes paid for and extra money each month I was in school. The only catch was that I needed to take over six hours a semester which was roughly three classes. Not exactly easy, but also not impossible.

Initially, when I started taking classes I had decided that I wasn't going to go for a tech degree. I had worked with electronics and IT systems for six years while in the Navy. If I was going to take classes, I wanted to learn something new. I ended up in the media arts degree program.

I don't regret the choice.

I would love to have a tech degree for career advancement purposes, but most job postings include the 'or education can be substituted with experience' caveat, and I have plenty of that. A media arts degree isn't ideal for a technical career and I wouldn't recommend it to anyone; however, I do think it has its benefits. Attention to detail is something the military taught me and my media arts degree has helped me refine. Every excellent piece of work you see or hear has attention to detail. Every little detail in the work has a purpose and a reason. You might not pick it out, but it's there and can subconsciously elicit an enjoyable response from you, or, if attention to detail is lacking, a negative one.

What I'm getting at is presentation, and more specifically presentation within the infosec community. The infosec community has a tough job, not only technically but also in getting people and organizations to buy into information security ideas and solutions. Presentation is very important, not only within the community but also outside it. I don't think the community's presentation is bad; in fact I've seen a lot of good presentations, but I do think it can be improved, and I'm hoping that's something I might be able to contribute to.

For example (and the reason for this post):

I came across this website from CarolinaCon, a security conference in North Carolina.

CarolinaCon

Now, before I critique this site I want to make it clear that I am trying to provide constructive feedback here. I am not calling the creator a dunderhead or the event stupid. I simply think the site can be improved. I absolutely love the logo. I think it's creative and unlike other security conference logos. I even like the colors, but what I don't like is using those colors for the rest of the website. Black on red, red on black or any other dark-on-dark combination is never a good choice for a website. The same goes for bright on bright. Gray on black is also not the best idea, but it's workable. The color scheme is a real eyesore and makes the whole website hard to read.

If we look at the website of DEF CON, another security conference that uses black for its background, we see that it uses a lot of light blues and light purples, which is much more pleasing to the eye.

They are using grey, but it's a much lighter grey in most places and the other light colors help balance it out.

Not to totally rag on CarolinaCon; its organizers have built some pretty good websites in the past. At the bottom of the main page are links to some of the previous iterations of the site. Last year's site was pretty good.

The light blue and orange on black is a good combination and the site is much more pleasing to navigate. The 2012 site is also much more pleasing to the eyes.

Like with anything we do in life, how much thought and effort you put into something is what you're going to get out of it. In regards to content you are presenting to others, it's also what other people are going to get out of it. If you want to get your message across, content needs to be created with the viewer in mind. They will essentially get out of it what you put into it. If content is just slapped on then it's going to feel like a slap to the face of the viewer and that can have a negative impact on your message.

Getting a media arts degree probably wasn't the smartest decision I made for my career, but I think I can make some use of it. I hope to do more posts like this that highlight and discuss some of the good and bad things done in presenting the information security message. If you have comments or questions please leave them in the comment section below or contact me directly. I would love to hear your thoughts.  

How to make a GIF: recording

How to make a GIF: the tools

I usually use Firefox to record MLB.TV with FRAPS. When you launch a game using MLB.TV it opens its own Flash player window. Flash is recordable; the rest of Firefox is not. For ESPN3 and some other stuff I used to use Chrome, because FRAPS would record the entire browser window. Unfortunately, it looks like an update to Chrome has taken that function away. If I manage to get it working again I'll make sure to update this post.

When FRAPS is launched there will be tabs for the Frames Per Second (FPS) display, Movies and Screenshots.

On the FPS tab, you can hide the FPS counter or place it in one of the four corners of your browser. I like to have it up so I can see when it's recording and when it's not. When FRAPS is recording it will turn the FPS numbers red and record at the rate you have selected. I record at 30 FPS. I've found that any higher and you'll start to run into performance issues and disk space issues on your computer; any lower and you're taking a quality hit. What's best for you may depend on your hardware. Feel free to play around with the setting, but I've found 30 FPS to be the sweet spot for me.

I would recommend that you set the storage setting to break up your recorded video to 4GB increments. You can put it all in one big file, which is fine for short videos, but sucks for a three hour long game that you might need to go back through. 4GB increments will make it much easier to find and trim your video.

For recording you'll want to set a hotkey. Go to the Movies tab and click in the 'Video Capture Hotkey' field. Then type the key you want to set as your hotkey. When you want to record, hit the hotkey and you should see the color of the FPS numbers change from yellow to red, indicating that recording has started. A three-hour game will fill up your hard drive quickly, so make sure you have plenty of hard drive space if you intend to record the whole game. I have a 4TB drive that I use for my recording and that lasts me several games, which has come in handy when GIF requests were made for games several back.

And that's recording in a nutshell. Leave questions or comments on the software you use for recording video in the comment section below.

WARNING: Nude celebrity photos leaked

Nude photos of several female celebrities have apparently been leaked on 4chan, a message board that allows users to post content anonymously.

Jennifer Lawrence's Nude Photos Leak Online, Other Celebs Targeted - Stephanie Marcus - Huffington Post.

A screenshot taken by New York Daily News of the forums post shows a list that includes:

  • Jennifer Lawrence - Hunger Games
  • Kate Upton - Model
  • Lea Michele - Glee
  • Lady Sybil [potentially Jessica Findlay] - Downton Abbey
  • Ariana Grande - actress/singer
  • Victoria Justice - actress/singer
  • Brie Larson - Don Jon
  • Kirsten Dunst - Spiderman
  • Becca Tobin - Glee
  • Jessica Brown Findlay
  • Hope Solo - Soccer player
  • Teresa Palmer - Warm Bodies
  • Kristen [Krysten] Ritter - actress/model
  • Mary Elizabeth Winstead - actress/recording artist
  • McKayla Maroney - gymnast and internet meme
  • Yvonne Strahovski - Chuck

Celebrity responses have ranged from acceptance, prosecution threats and outrage to straight up denials.


From what I've gathered so far, it appears as if the photos may have been uploaded to iCloud via Photo Stream and then compromised by someone. As we wait for more details, there are some warnings and lessons to be learned here.

WARNING

Searching for nude photos on the celebrities above will increase your chances of getting some sort of malware on your computer. This is exactly the kind of big news that nefarious people will take advantage of to get something installed on your computer that could compromise it. Which could lead to several awful scenarios including your own nude photos being made publicly available.

Automatic Uploads

Turn it off.

Unless you don't mind your photos being backed up on a server you have no control over, turn the automatic upload feature off. Googling 'disable Photo Stream automatic upload' should get you to some resources that will tell you how to do this.

Taking nude photos with a device that can potentially upload it to the internet is bad enough; having it upload automatically is simply not a very good idea.

Two-Factor Authentication

Turn it on.

While we don't have all the details yet on how the pictures were stolen, it's possible that the theft could have been avoided if two-factor authentication had been enabled. In cases like these, it is usually found afterwards that the compromise would not have happened had two-factor authentication been on. Two-factor authentication isn't perfect, nor is it the ultimate solution, but it does increase the difficulty of a compromise significantly. One caveat: it only helps if the service actually demands the second factor on the path an attacker would use, so check that it covers the feature you care about (account recovery, backups and photo sync, not just purchases and settings changes).

Most applications and services you use have two-factor authentication available; use it. Apple's iCloud has it available and it's fairly easy to set up.

Get On Twitter

#ifmyphonegothacked

Hash tags are the best thing since sliced bread and for events like these make the world a little brighter.

Get on Twitter and join in the fun.

Real world links August 28, 2014

Aaron's Law Is Doomed Leaving US Hacking Law 'Broken' - Thomas Brewster - Forbes

There is a general agreement, however, that the CFAA needs an urgent update. That’s largely because CFAA is being used against those trying to fix vulnerabilities on the internet. Various members of the security community, which is descending on Las Vegas for 2014’s BlackHat conference this week, have told me they have been threatened with law enforcement action over research efforts that were supposed to shore up the web and the machines connected to it. They include Zach Lanier of Duo Security and HD Moore of Rapid7, both highly-respected security pros. Given simply scanning systems for the infamous Heartbleed bug could have been deemed a felony, it’s become apparent that even those trying to do good are considered criminals.

Police are operating with total impunity in Ferguson - Matthew Yglesias - Vox

Olson was released shortly after his arrest, as were Reilly and Lowery before him. Ryan Devereaux from The Intercept and Lukas Hermsmeier from the German tabloid Bild were likewise arrested last night and released without charges after an overnight stay in jail. In other words, they never should have been arrested in the first place. But nothing's being done to punish the mystery officers who did the arresting.

Researchers Easily Slipped Weapons Past TSA's X-Ray Body Scanners - Andy Greenberg - Wired

More importantly, the glaring vulnerabilities the researchers found in the security system demonstrate how poorly the machines were tested before they were deployed at a cost of more than $1 billion to more than 160 American airports, argues J. Alex Halderman, a University of Michigan computer science professor and one of the study’s authors. The findings should raise questions regarding the TSA’s claims about its current security measures, too.

Exploring Information Security: how to use PowerShell for security

In the sixth edition of the Exploring Information Security (EIS) podcast, I talk with PowerShell guru Matt Johnson, a founder of PoshSec.

Matt Johnson has spoken at conferences like GrrCon and DerbyCon on using PowerShell for security. He also has his own podcast, titled Leveled Up Infosec Podcast, and he's the founder of PoshSec. You can catch Matt tweeting about security on Twitter @mwjcomputing.

In this interview we cover:

  • What is PowerShell
  • How to get started using PowerShell
  • How to best utilize PowerShell for security
  • Available resources
  • What mistakes can be made using PowerShell for security

Music by Alan Read

Leave feedback and topic suggestions in the comment section below.