This segment was broken in two parts as the technical segment with Heather Mahalik happened in the middle of it. Heather is a senior digital forensics analyst at Basis Technology. As the on-site project manager, she uses her experience to manage the cell phone exploitation team and supports media and cell phone forensics efforts in the U.S. government. Heather is a certified SANS instructor and teaching the upcoming course Advanced Smartphone and Mobile Device Forensics.
Ok, on to the stories of the week with Paul, Larry, Allison and Jack. What'd you do this summer? Disney? Six Flags? Big Data Land? After much chatter in the Twittersphere (logged here by Space Rogue) last week, Jack brings up the "Popping Penguins" article from Forbes. The article talks about this super vulnerable program that is going to be the downfall of Linux. It's called bash. Would you believe you can use bash to start a listener on your machine and then send some commands over telnet to have someone else's machine connect back to you? Uh oh. Also, beware of another application, one that runs from the desktop that lets you connect to other computers and pull down files from a machine you don't own. Yeah, that one's called a browser. Sounds equally dangerous, no? Should we uninstall bash as a security measure?
Larry threw out there an article on 5 WiFi security myths to abandon. But Larry mentioned that some of these might not actually be very new. Things like don't hide SSID as some newer systems will see them anyway and digging deeper to find the SSID isn't that hard. Plus, if its owner took the steps to hide it, wouldn't that pique your interest that there may be something good running there? Sending out a weak signal may sound like a good idea as if someone can't reach it, they can't connect to it, right? But all that does is annoys its intended users and if someone really wants to get on the network, they'll simply use an antenna. The article ends with the non-myth that if you truly want WiFi security, make sure you use good encryption and a strong password. Simple, eh?
Jack was looking forward to going on a good patch rant. He and Paul have done webinars about really stretching things and getting your patch cycle down to five days from the day of release. Jack said during the good old days, he'd challenge himself to getting his systems patched within 72 hours. Patch Tuesday was to be completed by Friday. In this article by Dr. Anton Chuvakin, he does indicate how it would be good for some big corporations to get their patch cycle down from 90 days to 30 days, but then argues if the bad guys only need 3, then what's the point of all that effort? Jack's feeling is that even the 30 days should be enough in many cases, but it's often politics and other "can't do" attitudes that prevent it from happening. Why is that? Get those patches in place people!
One quick note on a tangent the team went off on. In their experience as pentesters, Larry and Paul mention that all to often the way they end up pwning a system is through some machine that no one knew was running, with services that no one knew were running, with an account that no one knows why it still exists. Do you have a good inventory of where your data is? What machines are in your data center? What services and accounts are on each? If those are gold to a pentester, who has to respect a customer's defined scope, guess what a malicious user is going to do to your network.
Paul's looking for advice on what new phone he should get? Android? iPhone? What say you? Tweet him up with your suggestion at @securityweekly.
Remember that Yahoo bug bounty program? $12.50 credit toward the Yahoo store? A little update from the rants and ridicule from last week, it was actually one guy , Ramses Martinez, Director, Yahoo Paranoids, who was very appreciative of people reporting bugs and was paying them out of pocket. He would send researchers a Yahoo tshirt but would then find out the recipient already had multiple Yahoo shirts. Martinez's idea then was to give the reporter a credit in the Yahoo store matching the value of the shirt, our of his own pocket. Since the uproar, Yahoo has installed its own bug bounty program and Martinez is no longer paying for the reports himself. Good on ya, Yahoo and even better, thank you Ramses Martinez for caring about security.
Speaking of bug bounties, Google has started a bug bounty program for open source software. Repeat that, it's not just Google software that they're paying bounties for, it's software that there really is no organization behind and normally count on volunteers to fix things. Now Google is putting their money behind that effort. As Allison mentions, there hasn't ever been any motivation for anyone to report bugs and now there is.
estrada-sm.jpgPaunch, the alleged author of the Blackhole exploit kit was arrested in Russia last week. Or at least we think so. Some unconfirmed reports have indicated this and Blackhole has not been updated since this time. Or maybe the guy just decided to take an extended vacation and threw the story out there himself. Either way, it might be time for Evil Bob to find a new exploit kit. (Note: Erik Estrada is not "Paunch", he's Ponch, as in Frank Poncharello)
Microsoft has a new disk cleanup where it removes all the old and outdated updates. Jack gained more than 6 GB of space after running the cleanup but a word of caution, it take a concerning long time for the next reboot. You might think you killed your computer but no, it really does take that long.
Check out "Tails" a security and privacy distribution and let us know what you think. Is it good? What makes it a better choice than some others? Though the number of security updates in recent versions is a little concerning. Yeah, I get it that it's good that security holes are fixed and that it's to software that the distro is including. But it's just a little concerning when you pitch it as being for security and privacy yet there are piles of security updates. It makes me wonder just how secure it is and whether it's any better than a secure version of your favorite distribution anyway. But you can certainly let me know and I'll post some comments from you in upcoming week. Tweet me at @plaverty9
There was also some discussion on iOS7 image identification, Larry has a colleague at Inguardians who wrote up an intro to using rfcat and Jack suggests taking a deeper look for yourself before jumping into the patch for MS13-81 and whether your system needs it. If it does, test thoroughly. It's got some deep stuff on it.