NovaInfosecPortal.com » NoVA Email Lists/Networking

Grecs’ Weekly Infosec Ramblings for 2011-06-09

grecs — Fri, 10 Jun 2011 01:00:00 +0000

If you’re not already following some of our excellent NovaInfosec Twits and are wondering where to get the best NoVA-, DC-, and MD-related security tweets, look no further than this post. Published every Friday, our “Infosec Ramblings” post takes many of my security tweets/RTs from the past week and puts them into one easy to digest post. And if you don’t want to wait an entire week, just stop on by my @grecs Twitter account.

There seemed to be quite a few meetups this past week. Did you get to attend any of them?

DC2600: 3 people showed up to the meeting on 06/03/2011. #
OWASPNoVA: Was this past Thursday. #

If you don’t have time to make it to any of the weekly security meetups, why not try attending one of these upcoming conferences? And be sure to check out our event calendar for even more upcoming meetups and conferences.

ISSA International Conference: The agenda is published. #
Maryland Cyber Challenge & Conference #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. You can check out some of their articles below.

In case you missed them, here were some of our blog posts from this week.

You can also keep yourself busy with these interesting newsbites:

Sony has been hit again. A million accts here .. a million there accts there .. no biggie. #
OWASP Mobile Top Ten Project Looking for Volunteers #
Webmail Buggers Attack Yahoo!, Hotmail Users #
Admin: Gmail Phishers Stalked Victims for Months #
Sony Hackers LulzSec Strike FBI Affiliate InfraGard # #
Nice @attritionorg timeline of Sony hacks (12 so far, DoS not included). #
Hackers Attack Nintendo #
Reversing the Incognito Exploit Kit #
Adobe Rushes Out Patch for All-Platform Flash Vuln #
Eric Corley says underground has been so thoroughly infiltrated by FBI that 1/4 is informer #
DHS FISMA Metrics Released #
RSA: Yes, we were breached. Us: Really, that never entered my mind. #
TN Passes Law to Ban Sharing Passwords #
iOS 5 Jailbroken #
Attribution Problems Hinder U.S. Cyberwar Strategy #
Password Reuse Looks Bad #
Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security #
FB Facial Recognition Enabled by Default #
Senators Target Bitcoin Currency #
Nice, the blackhats are targeting the whitehats… #

And in closing, who could forget the tweets of the week?

Mr. President the attack was launched from 127.0.0.1. That’s China right? Unleash the hounds!! (via @iFail) [Lol.] #
RT @derekcslater .. @eric_andersen: how two #security experts verify one other on Twitter: http://twitpic.com/55yqtd <- Nice #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-06-02

grecs — Fri, 03 Jun 2011 01:00:00 +0000

[Being a lazy blogger once again... At least your getting podcasts now. -Grecs]

#EDU New blogpost “Malicious PDF Analysis Workshop Screencasts” http://j.mp/jQ6Xni (via @DidierStevens @kpyke) #
New ‘MACDefender’ Variant Installs Without Admin Password Requirement http://j.mp/jS0oVG (via @jasonmoliver) #
NIST Sec Bulletin 2011-05 Using Security Config Checklists & National Checklist Prog http://j.mp/kJprXa [PDF] (via @danphilpott) #
Is FISMA-compliance required 4 any cloud computing company doing biz with gov? http://j.mp/iTDHJ9 (via @danphilpott) #
#MEETUP 3 people showed up to the DC2600 meeting on 05/06/2011 #meetup #2600 #dc2600 (via @DC2600) #
iOS 4 hardware encryption cracked http://j.mp/mljrxG (via @regsecurity) [In case U missed.] #
Apple has a real security opportunity, but will it seize moment? http://j.mp/lkRut4 (via @CSOonline) [I only hope.] #
More Sony woes, and the company brings in identity theft service http://j.mp/mqgg33 (via @DarkReading) [Bout time!] #
DHS Hears Gov Infosec Pros’ Concerns http://j.mp/ihZpcs [US govt still planning 2 hire more cybersec folks] (via @DrInfoSec) #
3 Simple Security Principles http://j.mp/kkXu3t [good points; like infosec version of Asimov's 3 laws of robotics] (via @DrInfoSec) #
Wow, @hak5darren & @snubs on Yahoo front page re story on mking some $ blogging. http://www.yahoo.com/ #
#NOVABLOGGER Revisiting Android TapJacking (PoC app included) http://j.mp/iHD9NP (via @jack_mannino) #
BLOGGED: Top 3 NoVA Infosec Blog Posts of the Week http://bit.ly/j3lBq2 #
iPhone crypto issue isn’t all it’s cracked up to be http://j.mp/ip2qjY (via @Nathiet) [Was thinking this too.] #
Linguists use sounds to bypass Skype crypto http://j.mp/jTbEZG (via @regsecurity) #
Holly molly is it raining out… #
Nice piece on Mac Defender/scareware scams fr @briankrebs http://j.mp/kLChLV #
Managing CVE-0: Vuln Advisory: User clicks on something that they sho… http://j.mp/lyUND0 (via @sans_isc) [Lol.] #
Google Chrome OS: Too secure to need security? http://j.mp/ijKMQc (via @Nathiet) [Unbreakable, right?] #
Evidence RSA tokens are compromised. http://bit.ly/jtCbSm The opposition. http://j.mp/jONDTb (via @dmz006 @manicode) #
If U’d like to nominate someone to be a local D-lister, Contact Us http://bit.ly/nispcontact & let us know why they should be featured. #
BTW, here were our previous D-list posts: http://bit.ly/ieVrm1 http://bit.ly/e3caB #
Very interesting piece by @lennyzeltser on importance of rituals in society & their role in infosec. http://j.mp/iCSTR5 #
DHS Advances Einstein Cybersecurity Deployment — InformationWeek http://j.mp/kFVtLo (via @mschafer) #
Obama admin proposes exchange of cyberskills experts w/ private industry http://j.mp/mIH8YM (via @mschafer) #
Charmsec is experimenting with a wiki. feel free to look around and add stuff. http://charmsec.org/wiki/ (via @charmsec) #
Good evening last night talking shop with @cktricky. #
What is Memorial Day? http://j.mp/liUgp5 <- Thanks to all those who have served! (via @ziplock581 @DaKahuna2007) [+10000...] #
Good security assessment of Google Chrome Netbooks http://j.mp/kNqRDS (via @jeffreycarr @briankrebs) #
“@jjx: We’re married!!! @daveminella ”—> congrats!!! Enjoy your special day!!! (via @mschafer) [+1] #
10 simple privacy tricks http://j.mp/lYWbGq (via @eduinfosec @derekcslater) [Excellent write-up fr LifeHacker.] #
Chinese hackers use same backdoor required by US law 2 eavesdrop on Gmail accts. http://j.mp/mAP3LP (via.. @carnal0wnage) #
Updating calendar. Looks to be pretty slow week.. Just 2600 Arlington on Friday.. http://bit.ly/nispfullcal #
#MEETUP NoVA Forensic Meetup: NoVA Forensic Meetup, Wed, 6/1 at ReverseSpace http://j.mp/muZuaI (via @keydet89 @charmsec) #
Just found out about NoVA Forensics Meetup this Wed.. Might be of interest to some of you. http://bit.ly/nispfullcal #
Week 21 in Review http://bit.ly/is90eJ [Good summary as usual.] #
Woot! NoVA Hackers the 6th (bar version at GB) & 13th (regular meeting). http://bit.ly/nispfullcal #
Holy cheatsheets! Here’s a treasure trove. http://j.mp/izgHE7 #
More updates to CSOonline’s security data and survey directory http://j.mp/hN20OV (via @derekcslater) #
#CON EH-Net Global Calendar of Sec Events June http://j.mp/mTXSuv (via @ethicalhacker) #
New Data Proves ‘Please ReTweet’ Generates 4x More ReTweets http://j.mp/mNVFsJ (via @angelinaward) [Lol, plz RT. ] #
Konboot from a USB flash drive files and instructions updated http://j.mp/mdrsFG (via @irongeek_adc) #
#JOB RT @j0emccray: I have 2 clients needing to hire security people. 1 in .., 1 in MD – Information Assurance Manager. (via @jaysonstreet) #
Pentagon: Hack attacks can be act of war http://j.mp/iCOVGe (via @regsecurity) #
NOVAINFOSEC TWITS: .. list is opt-in. List & instructs 2 join at http://bit.ly/nisptwit. (via @novainfosec) cc @securitytwits #
Apple built in an automatic Malware Updater http://j.mp/kxCvPc (via @JoelEsler @sans_isc) [Just the start..] #
Apple Improving OS X Anti-Malware Feature http://j.mp/l4q8ar (via @sans_isc) #
Social Media at Work: Viral Shift towards Information Age http://j.mp/kG6VSn (via @bobgourley) [Interesting.] #
Apple security update targets MacDefender malware http://j.mp/lhC87D (via @briankrebs) #
#CON Announcing the FedCyber.com Government-Industry Computer Security Summit http://j.mp/mx8Aen (via @bobgourley) #
Wave of Trojans breaks over Android http://j.mp/mfmwjw (via @regsecurity) #
BLOGGED: Meetup Reminder http://bit.ly/j73Nhs #
Mac trojan evades Apple’s brand new security fix http://j.mp/ipOwuu (via @regsecurity) [And so cat/mouse game begins.] #
‘Significant’ Facebook attack doesn’t care if you’re a PC or a Mac http://j.mp/jkTRHb [Wonder if Apple has sig 4 this?] #
Eric Schmidt: Want Security? Get a Mac http://j.mp/krfUZD (via @Nathiet) [What, not ChromeOS?] #
#MEETUP One more reminder: Please RSVP for June 9th mtg – http://j.mp/iXqlZd (via @falconsview @OWASPNoVA) #
Google: Hacker in China has obtained access to hundreds of email accounts http://j.mp/jUQKmT (via @jasonmoliver) #
BLOGGED: NISPod 001 Epic Remix http://bit.ly/iU4GAw #
Fed Agencies Embrace iPhones, iPads http://j.mp/mvkaCR (via @mschafer) [Nice. Device mgmt tech finally catching up.] #
BLOGGED: NISPod 001 Epic Remix http://bit.ly/iU4GAw #
#EDU 2011-06-10 Crypto Challenge Posted http://j.mp/gE5HrC Expires June 10th 5:00PM WIN 100$USD! (via @DaKahuna2007) #
FaceNiff is firesheep for mobile: http://j.mp/kPunWF – how cute. (via @EnzOnInfoSec) #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-05-26

grecs — Fri, 27 May 2011 01:00:00 +0000

[Anther lazy blogging week for me again. At least I'll be able to reference these in the future. -Grecs]

BLOGGED: Grecs’ Weekly Infosec Ramblings for 2011-05-19 http://bit.ly/mkqgEb #
Facebook’s CTO: We use privacy by design for all of our products. (via @csoghoian @quine) [Lol, really?] #
Can we get #FF 4 Infosec? #SecFF or #FFSec @securitytwits Wanna monitor hashtag to get best people. (via @Shpantzer) [Nice!] #
#NOVABLOGGER Thoughts On the Dropbox Controversy http://bit.ly/kGG0MK http://j.mp/nispblog (via @novainfosec) #
Keep it Simple Stupid (David Lacey’s IT Security Blog) http://j.mp/jWGpt5 [good pts] (via @DrInfoSec) [+1] #
FB gets publishing rights 2 your pics unless U change setting http://j.mp/kwX1g5 (via @jeremiahg @DrInfoSec) [Another complexity.] #
Google breakthrough makes SSL less painful http://j.mp/kCnknU [Interesting .. but is this really prob anymore?] #
RE prev tweet: SSL sessions last a lot longer than originally implemented. Google’s breakthrough still help some. #
NSA’s hardening tips for OS X 10.6 http://j.mp/l3AaVh [PDF] (via @jeremiahg @danphilpott) [Nice quick 2 pg cheatsheet.] #
BLOGGED: Top 3 NoVA Infosec Blog Posts of the Week http://bit.ly/jli1NU #
Woot! Stopped family member fr being infected with MacDefender. Running ClamXAV on entire drive just in case. Any other suggestions? #
Schmidt: ‘Elites’ not ‘common men’ fret over net privacy http://j.mp/mi1Skf (via @regsecurity) #
We now have a web page that tells a little about SecurityTwits, how to join.. http://j.mp/mOZ9Au (via @securitytwits) #
New Mac Malware Fools Customers, But Threat Still Relatively Small http://j.mp/kIPLaF (via @Nathiet) [What I found.] #
Distributed Denial of Service Cheat Sheet http://j.mp/kOkHR7 (via @sans_isc) [Another 1 from CERT Societe Generale.] #
Common Vulnerability Reporting Framework (CVRF) http://j.mp/lEcktM (via @sans_isc) [Interesting.] #
Firefox add-on with 7m downloads can invade privacy http://j.mp/lrqDXH (via @regsecurity) #
New Mac fake-defenders similar to Windows scareware http://j.mp/kwn48t (via @regsecurity) [More details fr MS.] #
#JOB Any1 hunting C&A gig in DC? if so hit @jasonmoliver up, he has 2 groups looking – one for ISSO & other for C&A spot. #
Since @SGgrc pointed out 1 of my simplest online safety tips, I thought I’d jot down Top 3: http://j.mp/lbpL9G (via @briankrebs) #
Submission period for Exploitable Mobile App Challenge has been extended! http://j.mp/kppjW5 (via @nVisiumSecurity @mubix) #
Checking out “Northern Virginia OWASP” on OWASP: http://j.mp/lEgsha (via @jack_mannino) #
NIST recommends security measures for cloud subscribers http://j.mp/mt7U8w (via @Nathiet) [Nice quick summary.] #
Critics demand halt to “fishing expedition” laptop searches http://j.mp/ljeAIg (via @Nathiet) #
Gr8 writeup by @cyberwar on Google Chrome False Start concept & implications http://j.mp/jrHnUL (via @EnzOnInfoSec) #
It’s called “Air” because Adobe engineers thought it cool to make your laptop’s fans blow full speed (via @rjamestaylor @schuetzdj) #
LinkedIn SSL Cookie Vulnerability. http://j.mp/mPGpS0 (via @hackingexposed @DaKahuna2007) #
#NOVABLOGGER JRuby + Buby + wXf = fun http://bit.ly/lsxyF9 http://j.mp/nispblog (via @novainfosec) #
How to remove MacDefender fake antivirus program http://j.mp/mcCA4N (via @Nathiet) #
My Canadian Television debut: http://j.mp/luGD1O with @haxorthematrix and @parishilton?! (via @vincentkadmon) #
Pst, hey Sony: Forgot Password Cheat Sheet http://j.mp/lmnJcb (via @manicode) #
A botched fix, not legal demands, nixed SCADA security talk http://j.mp/mhGZKH (via @CSOonline) #
The Care and Feeding of your Hacker: A Managers Guide http://j.mp/lVX0HI (via @DaveMarcus @DaKahuna2007) [Nice.] #
http://j.mp/kIkz74 < SCADA researcher adds his thoughts to SCADA mailing list (via @dicipulus @georgevhulme @jaysonstreet) #
#MEETUP Speaking at ISSA DC on 6/21 on Android security. Come listen to/& or heckle me! http://www.issa-dc.org/ (via @jack_mannino) #
BLOGGED: Where You Want to Be This Week for 2011-05-23 http://bit.ly/jSXk0s #
#TOOL Remotely find outdated insecure Acrobat Reader installations w/ AcroScrub: http://j.mp/iitd1q (via @lennyzeltser @sans_isc) #
Fed Agencies Uncertain How to Respond to ‘Cloud 1st’ http://j.mp/iDJA3p (via @danphilpott) [Guess what their big concern is.] #
#JOB Where Are the Ethics in Hacking? http://j.mp/lb5oo3 (via @GovInfoSecurity) #
#MEETUP Intro to Programming Class IS HAPPENING! by Alli: http://j.mp/lWd19i #hacdc (via @hacdc) [Python!] #
Wouldn’t it be ironic if Sony hacks originated from corp machine compromised by their old CD rootkit? (via @danphilpott) #
Week 20 In Review http://bit.ly/ivvj2L [As always an awesome summary of last week.] #
NSA’s Guide to Securing Your PC http://bit.ly/m2hy6g [More goodness from the NSA.] #
#CON We’ve been radio silent 4 while, but stay tuned. We hope to have very exciting announcement in next few weeks! (via @AppSecDC) #
#MEETUP Reminder .. if not on mailing list, #CapSecDC is THIS Wed. Come meet us at Stetsons after work! (via @capsecdc) #
Obama’s car gets stuck at US Embassy http://youtu.be/yo5zH0Il8B0 (via @oneguynick @danphilpott) [Lol.] #
Finished reviewing cal for this week. ISSA/CapSecDC on Wed & CharmSec on Thur. http://bit.ly/nispfullcal #
We officially have no more ethics http://bit.ly/m4bb1P (via @wimremes @jack_daniel) [Lol, nice one.] #
Hey, @Nathiet put out our weekly summary of meetups this morning. Check it out over at http://bit.ly/jSXk0s . #
Researchers find irreparable flaw in popular CAPTCHAs http://j.mp/kq7u2p (via @regsecurity) [Interesting.] #
LinkedIn cookie vulnerable, claims researcher http://j.mp/kcCiLG (via @regsecurity) #
Exploited Hotmail bug stole email without warning http://j.mp/iDyHqB (via @regsecurity) [To the cloud.] #
ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File Sys Dumps http://j.mp/l0CBDm (via @WeldPond @manicode) [Whoa!] #
Sony’s data breach costs likely to scream higher http://j.mp/jFyvzT via @ZDNet (via @mschafer) [Agreed.] #
Twitter has acquired TweetDeck 4 more than $40 million http://j.mp/mSL9UF (via @mpbailey1911) [Thought alrdy happened.] #
LinkedIn slashes cookie lifespan after research exposes security flaws http://j.mp/iSLjPG [Not bad reaction time.] #
Freebie Blackhole exploit kit appears on file-sharing websites http://j.mp/kS4o5A (via @regsecurity) #
Kaspersky: Android is the new Windows http://j.mp/k5RoBZ [it's not meant as a compliment; ..] (via @DrInfoSec) #
ENISA Secure Software Engineering Initiatives http://j.mp/jhMmNV (via @ebellis @dallendoug) #
#MEETUP Reminder_1 – Please RSVP for June 8th mtg: http://j.mp/iXqlZd (via @falconsview @OWASPNoVA) #
#MEETUP Reminder_2: Please join/move to the new Google Group http://j.mp/kQahPv (via @falconsview @OWASPNoVA) #
#MEETUP er, correct re Reminder_1 – June *9th* mtg… http://j.mp/iXqlZd (via @falconsview @OWASPNoVA) #
#MEETUP Register for OWASP NoVa http://bit.ly/j1xbmC and for my ISSA DC talk in June http://bit.ly/kkIuIL (via @jack_mannino) #
#TOOL Dradis Framework 2.7.1 released! http://j.mp/k4qMyR (via @cktricky) #
#TOOL Introducing msfvenom http://j.mp/mTybay (replaces msfpayload/msfencode) (via @hdmoore @msfbannedit @iFail) #
#EDU Metasploit Unleashed By Offensive Security http://j.mp/jByuRR (via @sec385con @DaKahuna2007) [Free .. as in beer.] #
Apple advisory on “MacDefender” malware http://j.mp/k11Rxd (via @sans_isc) #
Site for learning about FedRAMP/cloud computing FISMA compliance: http://www.fedramp.net/ (via @fedrampgov) (via @danphilpott) #
Apple admits scareware problem, at last http://j.mp/jxe5aQ (via @regsecurity) [Finally.] #
#TOOL Redline–@Mandiant’s new free tool 4 analyzing memory of infected Win sys http://j.mp/l4XEsk (via @lennyzeltser @dallendoug) #
Great looking talk. Quick recap: http://j.mp/lGtGZy @i0n1c: Talk about the iPhone Data Protection (via @schuetzdj) #
How @jonoberheide was able 2 silently push Android malware w/ any perms 2 any phone http://j.mp/kpMYSh (via @dugsong @dallendoug) #
#TOOL Released w3af-1.0-stable! Kudos to all contributors 4 our 1st stable release! http://j.mp/l0YrzI (via @iFail) #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-05-19

grecs — Fri, 20 May 2011 01:00:00 +0000

There seemed to be a few meetups this past week. Here’s one. Did you get to attend any others?

Unallocated Flex Your Rights Night is 5/17 #

There’s also some upcoming meetups for those of you who are interested.

Charmsec 36: Never been? It’s 20 or so security geeks chatting on security news, hacks,… # #
OWASPNoVA: Please RSVP for the June chapter mtg. #

If you don’t have time to make it to any of the weekly security meetups, why not try attending this upcoming conference? And be sure to check out our event calendar for even more upcoming meetups and conferences.

NIST NSTIC Workshop #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. Here are some of my selections…

In case you missed them, here were some of our blog posts from this week.

And in closing, you can also keep yourself busy with these [unorganized again] interesting newsbites:

White House releases cybersecurity legislative proposal fact sheet: http://j.mp/iOnHuP (via @EnzOnInfoSec) #
Twitter for Mac upd to 2.1. http://j.mp/lyIxaq (via @da_BiGKahuna @briankrebs) [Bout time they had multi-column support.] #
WH Unveils Cybersec Legislative Plan: DHS Power Grows, No Senate-OKd Cyberczar, Nt’l Breach Notice Law. http://j.mp/ltQbRQ #
BackTrack 5 – After initial download storm, direct downloads now enabled. http://j.mp/kfzVtv (via @jaysonstreet) #
NIST rel draft SP 800-146 Cloud Computing Synopsis & Recommendations, cmts due 6/13 http://1.usa.gov/lZKaSQ (via @danphilpott) #
Five Guys is ridiculously good food. They should buy McDonald’s & get it over with. #cuzyougottahavedreams (via @Shpantzer) [+1] #
Skype for Mac 0day was XSS?!? *Facepalm* http://bit.ly/jKEYUA (via @dinodaizovi @Wh1t3Rabbit) [Pics showing it in action.] #
Little new in Obama cybersecurity proposal http://j.mp/j1hNG5 (via @jaivijayan @mschafer) #
One thumb up for Facebook security improvements http://j.mp/jHNOXd [Another step in right direction.] #
What New WH Cybersecurity Proposal Means For IT Security Industry, Businesses, & Consum… http://j.mp/kJnt9c #
Hackers turn Cisco phones into remote bugging devices http://bit.ly/jr6FXD [+1 for default settings. ] #
Sony yet to fully secure its networks http://j.mp/k7ozkK (via @Nathiet) [Yeah, pretty hard to do backwards.] #
PlayStation Network Hack Launched from Amazon EC2 http://j.mp/lKrhCQ [Interesting. Will Sony sue Amazon?] #
Password Managers, the good and the ugly: http://j.mp/mvNux5 (via @mubix) [Very nice writeup.] #
Backtrack 5 – Full Disk Encryption How-to Published http://j.mp/ingsin (via @lizborden @jaysonstreet) [Nice.] #
At least I’m also on show with good company. I’m looking at you @vincentkadmon! http://twitpic.com/4xs0pb (via @haxorthematrix) #
Fingerprinting author of Zeus http://j.mp/kukeJy – think he/she is a native speaker of English? (via @briankrebs) #
Report fr @TheHackersNews claims US DoD/NSA Hacked http://j.mp/lqiwyf (via @mikkohypponen @DaKahuna2007) #
Here’s 12s clip of Armitage on Breaking In. http://j.mp/jvxSD8 (via @armitagehacker @mubix) [Nice, Congratz!] #
Outstanding primer on latest vs of TDSS/TDL rootkit, TDL4, which infects 64-bit.. http://j.mp/m5TFXP (via @briankrebs) #
#TOOL killerbee: Framework & tools 4 exploiting ZigBee/IEEE 802.15.4 networks http://j.mp/iM1dU0 (via @stalkr_ @mubix) #
Dropbox Lied to Users a/b Data Security http://j.mp/jz8y6V (via .. @endrazine @jaysonstreet) [This really irks me.] #
The Offline Social Network (YouTube) http://j.mp/iW8nRk (via @ksignal9) [Pretty funny.] #
Hackers used fake info 2 reg server on EC2 cloud service & attack PSN. http://j.mp/kf6x4g (via @stevewerby @angelinaward) #
Anyone out there having probs buying/updating stuff from iTunes/App Store? Recently been getting billing addy errors. #
Something old is new again: Mac RATs, CrimePacks, Sunspots and Zeus leaks http://j.mp/jG13HA (via @briankrebs) #
Evil flash cookies easier to delete with new Adobe player http://j.mp/jOnKp2 (via @regsecurity) [Yeah!] #
Proposed CA Law Would Require Social Networks Private by Default http://j.mp/k3tspy (via @jasonmoliver) #
Week 19 In Review – 2011 http://bit.ly/jBix2x [Good read as always.] #
10 Facebook settings to check right now http://j.mp/l8vCaV (via @Nathiet) [Notes 4 my upcoming book on securing FB. ] #
WH sets global cybersec strategy policy that makes it clear that this is an international effort. http://j.mp/jEqeAZ #
Star-Studded White House Unveiling of Int’l Cybersecurity Strategy. http://j.mp/kCh7b9 [More on this.] #
#IsItJustMe Whenever U read Mother Goose Nursery Rhymes, next line you’re thinking about is always old Dice Clay version. #
Quick Test: Little Boy Blue; ___ ___ ___ ___. #diceclay #isitjustme #
Latest WHID Entries (@wascwhid) – http://bit.ly/lU9QzW (via @ryancbarnett @manicode) [Good ref.] #
#JOB DHS posted some interesting new cybersec jobs, from analysts to directorships http://j.mp/c3To6V (via @danphilpott) #
#TOOL OWASP ESAPI 2.0GA released http://j.mp/j0F7uo via #OWASP (via @endrazine @danphilpott) #
PC emulator in JS. U can run linux on it, right in your browser. http://ljv.me/4Z (via @carnal0wnage) [Can it run msf tho?] #
MS’ security report shows Win7 is safer http://j.mp/iQaQeS [safer than what is better Q] (via @DrInfoSec) [Looks like XP.] #
Well, good. @kriggins now has @securitytwits. (via @quine) [@quine tx 4 your efforts.] #
DoD issued Instruction 8520.03 Identity Authentication for Info Systems http://j.mp/lcvtqa (PDF) (via @danphilpott) #
#CON Follow the MD Cyber Challenge and Conference (@MDC3_2011) http://j.mp/iBzHiI (via @EnzOnInfoSec) #
Journo was arrested, says Qld cop http://j.mp/jVomeh (via @regsecurity) #
RT @SaveBreakingIn: @AlyssaMilano, @LaurenConrad, @MichaelIanBlack don’t want to see us go! #SaveBreakingIn (via @mubix) #
#TOOL OpenDLP 0.2.6 rel w/ pass-the-hash support. Tx @steponequit! http://j.mp/k7HUWF (via @mubix) #
#EDU Wi-Fi Challenge 3 Posted! http://j.mp/kQUwaH Prize: $50 Gift from Amazon! (via @digininja @DaKahuna2007) #
#JOB Information Security Careers Cheatsheet http://j.mp/kkNqJ3 (via @espreto @securitytwits) [Nice!] #
Looking for additional wiki contributions for the OWASP Mobile Security Project. http://j.mp/m5df5X (via @jack_mannino) #
When in-house rivalries, bureaucracies impede security monitoring: http://j.mp/muOw5a [So true.] #
Sony’s PlayStation Network hacked again.. http://j.mp/jpnUpC (via @adrianweckler @jaysonstreet) [Man, tough month.] #
Top Cybersecurity Official Resigns – Wednesday, May 18, 2011 http://j.mp/j6YWJ9 (via @mschafer) [Mmm? Odd?] #
Browse/search security conf spkrs http://cc.thinkst.com/ Speaker timelines & links .. (via @Beaker @haroonmeer @schuetzdj) #
#TOOL EMET 2.1 published http://j.mp/l64L43 (via @fjserna @mubix) #
Cool to see drive-by downloads for Mac OS X http://bit.ly/iq0wlZ who shared this pic http://j.mp/jBvCOZ (via @taosecurity) #
SCADA hack talk canceled after DHS/Siemens complain http://j.mp/jyhgkj (via @elinormills @WeldPond @jaysonstreet) #
.@twitter continues to disappoint with another pointless dick move. http://j.mp/l6zsrZ (via @samerfarha @dallendoug) #
Apple App Store apps are often old, vulnerable versions http://j.mp/k2d0rO [Downside to app stores.] #
#TOOL Release of Gorilla – A Security Tool 4 Apple’s iOS http://j.mp/kDaUin (via @tobiklein @alexhutton) [Required jailbrk.] #
Reitinger quits DHS cybersecurity post http://j.mp/igl4Go [In case U missed.] #
New AWS Security Whitepaper http://j.mp/kiKWWr plus a bonus on risk and compliance (via @justin_foster @danphilpott) #
US CDC has guide on surviving zombie apocalypse http://j.mp/iI51E9 (via @LO_TEK @danphilpott) [What a sense of humor.] #
Consulting 4 Profit: Building Biz on Sec Assessments http://j.mp/m0h797 (via @iFail) [Wait, when did @jack_daniel goto @rapid7?] #
Schmidt: Google will let you erase yourself from it http://j.mp/jr90hM [Let's see how hard they mk it.] #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-05-12

grecs — Fri, 13 May 2011 01:00:00 +0000

There seemed to be quite a few meetups this past week. Did you get to attend any of them?

DC 2600 Meeting: It’s today!
Ham Radio Night: Learn about schematic diagrams & building electronic circuits. #

There’s also some upcoming meetups for those of you who are interested.

Official Cloud Security Alliance’s DC Chapter: It’s now official. Can’t wait 4 future events. #
Secure Use of Cloud Computing: ISSA DC event on May 17, 2011 at 6:30 PM

ISACA World Congress: Coming up on 6/27-29 in DC

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. Here are some of my picks…

Metasploit Unleashed at Reverse Space (links to each week) #
Recap of framework changes; Message to readers #
Buby Script Basics Part 1 #
Buby Script Basics Part 2 #
A Cloud of Suspicion…: Interesting .. OTF cloud data encryption. #

In case you missed them, here were some of our blog posts from this week. As you can tell we were a little bit more busy than usual.

And in closing, you can also keep yourself busy with these interesting newsbites that I failed to organize this week.

New Incident Response Methodology Cheat Sheet http://j.mp/mkWqDq (via @sans_isc) #
It’s like firesheep of driftnet on Android phone. Piik at what people R doing on wifi near U. http://piik.co/ (via @surbo @jaysonstreet) #
Breaking Down Probable LastPass Breach http://j.mp/m4myvd (via @quine) [Should b good if have hard 2 bruteforce pwd.] #
Spafford .. Sony used old, unpatched Apache w/ no Firewall http://j.mp/jJCk8c (via @EnzOnInfoSec) [Along w/ all other corps.] #
Looking to teach monthly weekend seminars like the Metasploit Unleashed class, looking for venues. (via @vincentkadmon) #
Microsoft readying fixes for Windows, Office flaws http://j.mp/kZnIBP [Wow, just 3 vulns.] #
Tweeting when driving: converting from frustration at not moving to frustration *at* moving. (via @csoandy @schuetzdj) [So true.] #
Java-based malware tries Mac-smacking cross-platform attack http://bit.ly/m6CubD ["Write once, pwn anywhere"] #
New release of Harvester #tool – Emails,Employee names & Subdomain/Hostnames finder. http://j.mp/lowDWP (via @_metalslug_ @indi303) #
Can U imagine bunch of Al Qaeda operative sitting around w/ NIST 800-53 arguing a/b H/M/L ctrls? (via @selil @electricfork) #
#EDU List of Vuln Web Apps for learning (08/2010) http://j.mp/mGY1aB [nice] HT to TJ from my infowar class (via @DrInfoSec) #
http://bit.ly/jaFfVX (via @make1train @jaysonstreet) [No way. I think I've seen him at Paneras in Merrifield (Fairfax, VA) #
Google Experimenting w/ Redesigned Search Results Page http://yhoo.it/lLD3ZC [Yep, noticed this tonight. Caught me off guard.] #
Skype 4 Mac Hole Can be Used in Attack http://cnet.co/ksHWL0 [Since new GUI sux, stayed w/ old vs. Wonder if that's vuln?] #
Alert issued for OpenID attribute exchange flaw: http://j.mp/lK6hjA (via @EnzOnInfoSec) #
Thanks to @wilmutechnology we’ll host #BSidesDE 11/11/11 & 11/12/11 < Sweet! I’ll be there (via @kickfroggy @bbaskin @iFail) #
Metasploit 3.7 Takes Aim at Apple iOS http://j.mp/iUgSz6 [new: iTunes backup file extraction tool] (via @DrInfoSec) #
Web privacy Do-Not-Track laws gain US momentum http://j.mp/liI8e6 (via @regsecurity) #
Some PERSONAL thoughts on the Sophos/Astaro deal: http://j.mp/jUfflH (via @jack_daniel) #
Here is what a Mac malware attack looks like http://j.mp/mEe3rW (via @GetCocoon @r0bertmart1nez @jaysonstreet) #
A list of Armitage (Metasploit GUI) videos on YouTube: http://j.mp/k69qQX (via @armitagehacker @DaKahuna2007) #
Happy Mothers Day to those of that persuasion who celebrate it. (via @jack_daniel) [+ infinity ] #
Visiting Mom today? Why not lock her computer down some per some NSA recommentations. http://bit.ly/lRcg0E #
Seems like a potential #dropbox encrytion solution. http://j.mp/l0aeso (via @EnzOnInfoSec) #
Also lots of funny cmts on Mom’s Day NSA post.. Is this the year of desktop Linux? http://bit.ly/lRcg0E #
Don’t forget NoVA Hackers monthly meeting tomorrow. (via @DaKahuna2007) #
#TOOL http://j.mp/jSV8Re Useful if U don’t want to visit link but want to see whats at end. (via @Pizza1337 @DaKahuna2007) #
Anonymous meets its own insider threat http://j.mp/l0y6D8 (via @CSOonline) #
Security Pros Launch Cybersecurity Index http://j.mp/ka2Q1V [Not a fan of opinion-based surveys but interesting.] #
#NEWS Can Companies Share Security Data? New Report Says Yes http://j.mp/jZmVNl (via @mschafer) #
#NEWS If U use Skype on Mac better get new hotfix to address 0day. http://j.mp/mETIqg (via @shonharris @jaysonstreet) #
Best Pwd is a Sentence, says expert http://bit.ly/mhqZFv (via @Nathiet) [A very long sentence. Good suggestions tho.] #
Microsoft Security Essentials ranked 2nd last in AV-Test’s protection rating http://bit.ly/lUe78w (via @jaysonstreet) #
“Time spent on Twitter” scam spreads virally http://bit.ly/k4Jt5B [Be careful who you give permission to.] #
Week 18 In Review – 2011 http://bit.ly/mhwKPV [As always a good post. Now I just need to get mine out.] #
Getting cash for #NoVAHackers .. #
#JOB Cyber Hiring to Surge by 2015 – Wired Workplace http://j.mp/kJ5eE1 (via @Nathiet) #
Presos at #NoVAHackers starting up… #
Sony delays PSN restart as 3rd breach is discovered http://j.mp/jYLoVO [And the hits just keep on coming.] #
Wow, another awesome #NoVAHackers meeting tonight. 6 great presos! #
Running Skype 2.8? Are U vuln to latest 0-day? Just a quick post of what I’ve found. http://bit.ly/mklAUW #
Free browser-based security assessment http://bit.ly/l6CVHN [Worth checking out.] #
Skype IM (MAC OS X) – Is this the 0day? http://bit.ly/jKEYUA [Looks like Skype 2.8 may be vuln to something too.] #
French researchers demo attack on Chrome http://j.mp/ioOo8l <- Irresponsible if not reported to Google. (via @manicode) #
#TOOL BackTrack 5 Released. The time has come. http://bit.ly/kfzVtv #
#TOOL SWFRETools v.1.1.0 Released http://j.mp/iWqbw1 #tools (via @cktricky) #
#TOOL Burp v1.4beta2 will fully support IPv6. (via @jasonmoliver) #
Tenable NetSec Pod 81 http://j.mp/mPg944 .., Mom’s guide 2 NSA hardening (via @pauldotcom) [Woot, my post. Hopefully it didn't get slammed.] #
Source code leaked for pricey ZeuS crimeware kit http://j.mp/kTztKf (via @regsecurity) #
Finally home and seeding. #bt5 #
WH launches its internl cybersec strategy next Mon 16th. Any1 have info on what it contains? (via @thedarktangent @jaysonstreet) #
Apple & Google Wriggle on US Senate Hot Seat http://bit.ly/ki3Hol [In case you missed the hearing.] #
New graphics engines imperil users of Firefox & Chrome http://bit.ly/jy66xW [Instructs to disable too.] #
Damn, Breaking In cancelled by Fox http://bit.ly/m2gSuI (via @grostad @mruef @jaysonstreet) #
Your photos? Not so according to most popular photo-sharing apps http://tnw.co/jwp78G (via @Zee @jaysonstreet) #
RE http://bit.ly/lLAMIX If U don’t want them to profit from your pics, upload to your own server or use mobypic. #
RE http://bit.ly/lLAMIX Of course ToS change all the time without notice .. such a pain. #
Rising Use of SSL Raises New Risks http://bit.ly/jMOr6B [Guess they'll have 2 install corp certs on all their computers.] #
RE http://bit.ly/lA5bIt Shouldn’t be that hard. Establish baseline & as move forward use that baseline. #
RE http://bit.ly/lA5bIt Overtime most of your org should be covered. & now org has insight into SSL. No privacy sux tho. #
Your Security? Not Our Problem, Say Cloud Providers http://bit.ly/lKHfSu (via @Hfuhs @Nathiet) [Mmm?] #
Sometimes, it is best to burn bridges before you cross them. [Lol, Deep Thoughts with @jack_daniel.] #
#JOB Fed IT Security Workforce to Double? Survey Projects Workforce Expansion by 2015. http://bit.ly/lnHfTK #
FB Apps Found Giving Access to User Accts to 3rd Parties http://bit.ly/mBRM8w [I'm sure you've all seen this by now.] #
#TOOL Demoed Smartlocker on the latest @Hak5 episode, more info about smartlocker here: http://j.mp/fwmTOX (via @mubix) #
Just put up post w/ vids/summary fr Monday’s @novahackers meeting! Thx 2 @vincentkadmon 4 recording! http://bit.ly/kc9vvy #
Hopefully more to come out later this week… #
Obi-Wan Kenobi Is Dead, Vader Says http://bit.ly/mkZWXV (don’t skip the comments) (via @lseltzer @pmhesse) [Toooo funny.] #
US CERT warns of critical industrial control bug http://j.mp/jE4sGh [Wonder how common these type warnings will get?] #
Apple’s Mac OS X NEVER had superior security http://j.mp/iM3DXc (via @CSOonline) [Agree. Nice read.] #
Google & VUPEN spar over 0day used in Chrome hack, but both parties are right @dakami says http://j.mp/iYTD3g #
Can’t believe I missed news–you can now get Metro directions in Google Maps. http://j.mp/jReKfI (via @jad_va) [Cool.] #
Activating Nessus on Backtrack 5 http://bit.ly/kb8f5n (via @RonGula @jasonmoliver) [Nice that this was finally added.] #
Real Story Behind Fed IT Sec #Job Growth http://bit.ly/l8O5ct [Don't see gov being able 2 compete w contractors 4 talent.] #
Here’s @rybolov ‘s comments on http://bit.ly/mO8uuE : “My SWAG is there are only about 20K people working in the field.” #
HIPAA Security Toolkit in the Works http://bit.ly/lAasRj (via @GovInfoSecurity) [Looks interesting.] #
If you’re in Canada check out 16×9 The Bigger Picture on Global TV Sat featuring me. http://bit.ly/ixmmG0 (via @vincentkadmon) #
#JOB Project Manager, an Alternate Project Manager.. http://bit.ly/kG9HRb (via @CSOonline) [Mmm? Don't even include word "cyber".] #
Security still a struggle between usability and safety http://j.mp/lOGpcW (via @Nathiet) [Somethings will never change.] #
MS Security Intelligence Report warns business of social network phishing attack http://j.mp/kTfqbQ (via @Nathiet) #
White House set to unveil cyber plan http://j.mp/jGJHxH <- Oh thank goodness! Another plan! (via @jorisevers @briankrebs) #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-05-05

grecs — Fri, 06 May 2011 01:00:00 +0000

[Hey all ... it was another busy week so there wasn't much time to clean this up. On the other hand I did get a few "real" blog posts out. -Grecs]

ICANN Hires Defcon Founder as Security Chief http://cnet.co/iDbL6N [Damn this guy is busy. ] #
BLOGGED: Clouds, FISMA, and the Lawyers http://bit.ly/mxAagc #
Check out this DC-focused spear phishing survey scam. They’re even offering $25 to 1 lucky person. http://bit.ly/f42Lfy #
U.S. Is Hyping Threat Of Cyber War http://j.mp/kkR2Bn <- full report in my queue (via @georgevhulme @jack_daniel) #
Austin Hackers Anonymous is tonight! Talks R mandatory 4 new attendees. .. (via @hdmoore @jaysonstreet) [Idea 4 NOVAH? cc @mubix] #
#TOOL 10 must-have utilities for small networks http://j.mp/kNNWfB (via @jaysonstreet) #
Google sued over – yes – Android location tracking http://j.mp/mjLe6D (via @regsecurity) [And now it's Google's turn.] #
Interesting take on APT.. Probably underestimated 1,000 grains of sand.. http://j.mp/ikXgLk (via @k_sec @moranned) #
SQLi + plain text pwds = FAIL. DSLReports gets its 15 mins of shame. http://j.mp/k0x78M (via @stevewerby @mubix) #
Toshiba Reveals Write-Once SD Card http://j.mp/kJjepm [interesting, but I'd rather USB w/ write-lock] (via @DrInfoSec) [+1] #
RE AHA: “fwiw, we had 30 people and *10* talks tonight, badass turnout, and three new first talks” (via @hdmoore) [Awesome!] #
Watch How the Police Raid a Cellphone http://j.mp/mBVZ6d (via @jaysonstreet) #
#TOOL 11 days until #BackTrackLinux 5 release! (via @ArchangelAmael @DaKahuna2007) [Nice!] #
“If you’re going to kill it, open source it.” http://j.mp/lLm9Dl (via @evejou) [Great suggestion.] #
BLOGGED: Top 3 NoVA Infosec Blog Posts of the Week http://bit.ly/kucOtM #
NIST rel SP 800-144 BIOS Protection Guidelines final version http://j.mp/mrlOtO (PDF) (via @danphilpott) [Interesting.] #
NIST rel SP 800-147 BIOS Protection Guidelines final version http://j.mp/mrlOtO (PDF) (via @danphilpott) [Wrong number before.] #
NIST rel Sec Bulletin Apr. 2011 Full Virtualization Tech: Guidelines For Secure Implement/Mgmt http://j.mp/lPOEvZ (via @danphilpott) #
#CON NIST/DHS hosting Homeland Security Modeling & Simulation Workshop on 6/14-15 http://j.mp/ixo6gb (via @danphilpott) #
U.S. Gov borrows $188,000,000 every hour. I guess @ramseyshow isn’t on the radio in DC. (via @another71 @jasonmoliver) #
great blog on blackhole exploit kit http://j.mp/kXDkFt #tippingpoint #dvlabs (via @wgragido @Wh1t3Rabbit) #
georgia@reversespace.com is dead. georgia [at] grmn00bs [dot] com me instead. (via @vincentkadmon) [FYI..] #
Schneier TED Talking.. http://j.mp/ju41Cn (via @schneierblog) [Worth a listen.] #
Commentary on Amazon’s post-mortem: http://j.mp/jtKKDg (via @Albatross @falconsview) [Lol.] #
#TOOL Foca: Free metadata extract tool for docs U post online. http://j.mp/js8cdv (via @jabolins @danphilpott) [Nice!] #
Attackers Increasingly Cribbing Code from Existing Exploits http://j.mp/kEn2J9 [Makes sense; a lot faster.] #
Symantec’s Cyber 4 Awards 4 individuals who exemplify excellence in gov cybersec; due 5/6 http://j.mp/jZHKCn (via @danphilpott) #
#MEETUP Please RSVP for May 5th OWASPNoVA mtg: http://j.mp/jEPUoh (via @falconsview @OWASPNoVA) #
List of major national cybersec breaches since 2006: http://j.mp/kbGn6X (via @nils_gilman @mroesch) [Good refs.] #
Seeking feedback on a stealth PHP backdoor that uses.. http://j.mp/lTqAhL (via @madirish2600 @mubix) [Very interesting.] #
Interesting idea, beer pancakes.. http://twitpic.com/4riv8e (via @jasonmoliver) [Mmm .. beer.] #
#EDU Educating Nxt Gen of Sec Pros http://j.mp/l46wF1 < art on value of hacking/sec competitions (via @phat32 @DaKahuna2007) #
#TOOL THC-Hydra network logon cracker version 6.3 released http://j.mp/gMKPGU (via @siatiras @mubix) #
Friendly reminder .. our survey will end this week. Wld appreciate U taking few mins 2 fill out. http://bit.ly/f42Lfy #
Finished reviewing events 4 this week. Nuclear con starting W & OWASP/2600 meetups on R/F. http://bit.ly/nispfullcal #
More cons/training events around the world. One mentioned is in Baltimore. http://bit.ly/lEViNI #
NIST took gr8 little 2-page cloud defs doc & made it 7 pgs without adding actual content or value? WTF. (via @jack_daniel) #
Want to see if Google has your wi-fi location pinpointed? http://j.mp/mpMBoI (via @geekami @kingtuna) [Cool?] #
#MEETUP Charmsec #36 will be on May 26th, a Thursday, at @Slaintepub. (via @charmsec) #
#EDU OWASP’s Hackademic challenge: http://j.mp/eqmRBr (via @DrInfoSec) #
Bin Laden Death Related Malware http://j.mp/mkmw2m (via @sans_isc) [Be careful.] #
“.. never wished man dead, but I have read some obituaries w/ gr8 pleasure.” M Twain http://j.mp/kz5CG8 (via @ignitemsg @GoldbergLawDC) #
“New IDLE scan sees through your firewall to scan hosts inside your network!” http://j.mp/lSkWVL (via @pauldotcom) #
Videos from SOURCE Boston are available http://j.mp/m78mcC #sourceboston (via @mubix) #
Cybercriminals Using Osama Bin Laden’s Death to Spread Malware http://j.mp/jeByEC (via @mschafer) [As expected.] #
Privacy Lost: The amazing benefits of completely examined life http://j.mp/ljJZDg [Interesting POV.] #
I tossed some cloud computing resources up on the bloggy: http://j.mp/m2cXMx (via @jack_daniel) #
“Do It Yourself” Crimeware Kit for OSX http://j.mp/kx3hlQ (via @sans_isc) #
#CON EH-Net’s Global Calendar of Events for May 2011 http://j.mp/lvPfBL (via @ethicalhacker) #
Our demographics survey is winding down next few days. Wld appreciate every1 taking few mins 2 fill out. http://bit.ly/f42Lfy #
And thanks to everyone that have already completed the survey!!! http://bit.ly/f42Lfy #
Rumor: Twitter purchased TweetDeck for $40-50 million http://yhoo.it/mFuORb [I still have no clue how any1 is making $. Tx tho.] #
How to avoid sharing personal info online http://cnet.co/j7zdmW [I always used Mailinator. 10 Min Mail seems more secure.] #
Fake “MacDefender” Brings Malware to Macs http://yhoo.it/iFrYeg [But Macs don't get .. wait .. WTF.] #
Week 17 In Review http://bit.ly/lizdWO [Always a good read.] #
#MEETUP Reminder to register for OWASP NoVa’s Cinco de Mayo meeting: http://j.mp/lXZutK (via @jack_mannino) #
Sony slide on PSN hack shows app flaw used to inject comm tool http://j.mp/jyn6Dk (via @WeldPond @packetwerks) #
Dark Reading launches the Cloud Security Tech Center: http://j.mp/ivHdYh [Looks like good resource to track.] #
#TOOL ModSecurity v2.6.0-rc2 is out! Please help us with testing. http://j.mp/mB20zy (via @manicode) #
BLOGGED: Where You Want to Be This Week for 2011-05-02 http://bit.ly/loiMRv #
EFF obtains new FBI documents on surveillance spyware called CIPAV http://j.mp/mgXj3K (via @jasonmoliver) #
Basic securityzeitgeist.com splash page is up. If you want to know what basic idea of project is check it out. (via @transzorp) #
#TOOL John the Ripper 1.7.7 released http://j.mp/k2jkj3 The Ultimate Password Cracker !!! (via @ToolsWatch @mubix) #
Hacker pwns police cruiser and lives to tell tale http://j.mp/m8y3ca [Can't believe he was able to do this.] #
NoVA 4n6 meetup, 4 May, 7pm, Reston Public Library, mtg rm 1 (via @keydet89 @charmsec) [Anyone know what this is about?] #
#EDU Collegiate Cyber Defense Challenge: Shaping the Cyber Warriors of Tomorrow http://j.mp/mmgsRq (via @vincentkadmon) #
is using info from @grecs ‘s Novainfosecportal for his weekly Transportation Cyber Security Newsletter. (via @sintixerr) [Awesome! Tx!] #
Less than 24 hours to complete NovaInfosecPortal.com demographics survey. Let’s give it a big push! http://bit.ly/f42Lfy #
Also re demographics survey .. 1 lucky person could win $25! And it only takes 2 mins to complete. http://bit.ly/f42Lfy #
Can’t wait to stop bugging everyone about this survey. It’s an necessary evil tho. #
Cloud Security Alliance Makes Case for Cloud Security Standards http://j.mp/mD82YX [Like term minimum baseline instead.] #
NSA Presents “Best Practices for Keeping Your Home Network Secure” http://j.mp/miYS0A (via @darkoperator @jasonmoliver) #
#NOVABLOGGER May Progress Update http://j.mp/lMouJj (via @RedSpartan @cyberhiker) #
Monitor/control what your Android apps R communicating w/ WhisperMonitor http://j.mp/lutnGo (via @securityninja @moxie__ @jaysonstreet) #
Where “Dark Reading” came from–and where it’s going: http://j.mp/jYgFnX [Gr8 folks over there. Look forward to what's coming.] #
Is there anything to find on bin Laden’s hard drive? http://j.mp/lLZwuj (via @regsecurity) [Nice crytpo refs.] #
More on Google image poisoning http://j.mp/iP9iBf (via @sans_isc) [Interesting.] #
5 stories over 5 years: a retrospective on organized crime, USB sticks, “soupnazi,” & APTs. http://j.mp/mDFuOG #
#TOOL Metasploit Framework 3.7.0 Released! http://j.mp/lxqk1p (via @hdmoore @jaysonstreet) [Nice!] #
Forty Years of P=NP? http://j.mp/jzpBjY (via @slashdot @GoldbergLawDC) [I'm gettin old. ] #
Here’s our late “summary” post that was supposed to have gone out over the weekend. http://bit.ly/la0CCZ #
Last chance to fill out NovaInfosecPortal.com survey. Tx 2 all that’ve already completed! http://bit.ly/f42Lfy #
Sony implicates Anonymous in PlayStation Network hack http://j.mp/kUbhqb (via @regsecurity) #
Microsoft Sysinterals Update http://j.mp/kXFR6N (via @sans_isc) [Awesome set of tools.] #
Apple squashes location tracking ‘bugs’ with iOS update http://j.mp/iMVJW7 [Yeah, we are all anonymous now. ] #
LastPass resets passwords following possible hack http://bit.ly/kuhiXs [Whoa.] #
IE gets tough on Flash cookies but ignores homegrown threat http://j.mp/m9gQqh [1 step forward, 2 steps back.] #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-04-28

grecs — Fri, 29 Apr 2011 01:00:00 +0000

And before you start reading this, if you could head on over and take our anonymous demographics survey, we’d appreciate it. It should only take a minute or two. Thanks!

There seemed to be quite a few meetups this past week. Did you get to attend any of them?

Unallocated Space CISSP Review Seminars: First monthly review was on 4/27. # # # #
Unallocated LAN Party: Happened last Saturday. Looked like fun. #
CharmSec: Their 35th event happened this past Thursday. # #
CapSecDC: Another fun CitySec event from Wednesday. #

OWASP NoVA is also coming up this week for those of you who are interested. And be sure to check out our event calendar for even more upcoming meetups and conferences.

OWASP NoVA: Coming up on Cinco de Mayo, it’ll be at Akamai in Reston. #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. Here are some of my favorites.

In case you missed them, here were some of our blog posts from this past week.

iPhone, Andriod, Windows Phone … they all store location data … but is it a bad thing? Lots of people expressed their opinions and research last week.

Actually, iPhone Sends Your Location to Apple Twice a Day #
Senator Questions Apple Over iPhone Tracking #
Quick Note on iPhone Location Tracking Disclosure: Hack to clear out location data… #
No, iPhone Location Tracking Isn’t Harmless and Here’s Why #
iPhoneMap: iPhoneTracker port to Linux; Windows version also mentioned in comments. #
New Apple iOS Backup File Post Module: Metasploit … there’s a hack for that. #
Apple Sued Over iPhone Location Tracking: And as expected. Next will be Google. #
Disable Location Tracking on iPhone: Complex for non-jailbroken phones though. #
MS Also Collects Location Data Of Win Phone Users: Everybody’s doing it. #
Apple Q&A on Location Data: Apple finally responds. Look for upd in next 3 weeks. #

Came across lots of hacking challenges last week … I need to try more of these.

OWASP AppSec EU Hackademic Challenge: Win a free ticket to AppSec EU 2011. #
Notacon pwn0 CTF #
Hak5 Crack the Code Challenge #
List of Vulnerable Sites to Learn On #

And as usual … lots of tool releases and updates.

Scalpel 2.0 #
RedSpartan: They’re still looking for alpha testers. #
sslsniff 0.7: Bug fixes & basic BSD support… #
sslstrip: Major speed enhancements & bug fixes… #
SWFREtools #
wXf Update #

There were some government cyber security happenings last week as normal.

Continuous Monitoring Still A Long Way Off For The Feds #
Shielding the Privacies of Life: On limiting gov laptop seizures from US citizens at borders… #
USGCB has Kickstart & Puppet Configs for Redhat Linux: #
NSA Recommendations for RSA SecurID Users a/f Cyber Intrusion #
SecureWorks: Dell has FISMA, NIST & FIPS service offerings. #
Threat Inflation in Cybersecurity Policy: If you read one thing today, make it this. #

Any way not … here’s another section dedicated to the PSN compromise.

PlayStation Hacker Got Personal Data: “if you can’t protect it, don’t collect it.” #
Sony Admits Utter PSN Failure: Includes list of exposed data. #
PlayStation Network Credit Cards Protected by Encryption: Hopefully not easily cracked. #
PSN Hack Triggers Lawsuit: Bring on the lawsuits. #

Here are just some cool things I came across that didn’t fit anywhere else.

8 Scenes That Prove Hollywood Doesn’t Get Technology #
Hackertyper: Hack like movie star – just type random keys. #
Love Bug Malware-Inspired Film Gets Big Screen Premiere: Mmm? First I heard of this. #
State of Security from 1971 – 2020 Video #

And in closing, you can also keep yourself busy with these interesting newsbites:

MSP Statement on Use of Cell Phone DEDs: Only with search warrant or if consent given… #
Amazon Crash Reveals ‘Cloud’ Computing Actually Based on Data Centers #
Many AWS Sites Recover, Some Face Longer Wait: Roundup of notable stories… #
Week 16 In Review: Good recap as always. #
Iran is Seeing Stars: New virus already pegged as ‘cyber attack’. #
UK Firm Offered Spy Software to Egypt #
SETI Institute Suspends Search for Aliens: But the truth is out there. #
MSP Seem to be Hiding Information: Whether surreptitiously copied motorists’ phone data… #
Kind of a Mess: SSL inventor says need better authentication. #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-04-21

grecs — Fri, 22 Apr 2011 01:00:00 +0000

[Sorry for the unorganized data dump this week. New projects are keeping me busy. -Grecs]

New Magazine Dedicated to Penetration Testing http://j.mp/fUA5wW #PTES #InfoSec (via @indi303) [Fr the Hackin9 guys.] #
“@grecs @cktricky updated deck from troopers11 is here http://bit.ly/fIlIyz"; (via @carnal0wnage) #
An Interview With Twitter’s Forgotten Founder, Noah Glass http://j.mp/hzegzn <– Interesting Read. (via @jasonmoliver) #
Lolz, checking out @vincentkadmon on @pauldotcom. #
Still looking 4 part-time website ad sales/marketing person or agency. If you know of someone, wld appreciate an intro. #
Ok, finally got that 800-53 article out. Thanks to @Raelyn75 for the initial draft. #
Now to prep another post from @cktricky. This is going to be a good one. #
Apple releases Safari, Snow Leopard security updates http://bit.ly/gB7j9k [Isn't this 2 major updates in 3 weeks?] #
Apple iOS 4.3.2 released http://bit.ly/gPXhCc [Not Mac .. but another one for i* devices.] #
BLOGGED: NIST Calls on Public for Security Controls Input http://bit.ly/gWt4hE #
#JOB IT security salaries remain flat even in wake of high-profile breaches http://j.mp/dKHqcb (via @DarkReading) #
White House cybersecurity announcement today: http://j.mp/i8YkWY by @BillBrenner70 @CSOonline (via @mschafer) #
#TOOL THC-Hydra v6.2 released http://j.mp/gMKPGU (via @maxisoler @mubix) #
#MEETUP April 19th is next Flex Your Rights Night at @Unallocated Space! http://j.mp/eGXLtc (via @Unallocated) #
Still looking 4 part-time website ad sales/marketing person or agency. If you know of someone, wld appreciate an intro. #
BLOGGED: NIST Calls on Public for Security Controls Input http://bit.ly/gWt4hE #
WordPress Hack Puts Government and Commercial Clients at Risk: http://j.mp/fiwVXI (via @mschafer) #
Happy 40th b-day FTP! But how secure is protocol written in 1971, last upd in 1985? http://j.mp/efaQbc (via @virusbtn @iFail) #
Here is NSTIC Explanatory Video.. with fancy 3d graphics http://j.mp/gy5L5s (via @EnzOnInfoSec) #
The NSTIC Strategy http://j.mp/edBZGW (via @EnzOnInfoSec) #
Administration unveils strategy to create single digital pwd credential.. http://j.mp/eh0GA8 (via @GovInfoSecurity) #
Scores Drop in AV-Test Lab Results http://j.mp/efuA8P (via @DrInfoSec) [Let the AV company complaints begin.] #
Oracle readies 73 patches in security update http://j.mp/hBgoNz [Not bad considering they patch quarterly.] #
AT&T changed unlimited texting plan 2 include free mobile 2 mobile calling w/ any carrier in US U MUST call 2 change (via @jasonmoliver) #
#TOOL Just released SET v.1.3.4, adds set-proxy, .. may be buggy (via @dave_rel1k @jasonmoliver) #
#NEWS In Google-Microsoft dustup, what does ‘FISMA-certified’ mean? http://j.mp/i2x7JF (via @danphilpott) [Good read.] #
Execute Metasploit payloads bypassing any anti-virus http://j.mp/fHkGEu (via @carnal0wnage) [Nice.] #
#TOOL New Versions of Wireshark released http://j.mp/g1CpXV #sansisc (via @sans_isc) #
Yesterday in 1971 RFC 114 was published. http://j.mp/gISnt7 (via @bobgourley) [Some good Sunday morning reading.] #
http://j.mp/f5lt3E. “5 of 6 firewalls failed to handle a TCP Split Handshake or Sneak ACK attack.” (via @taosecurity) #
Titans Battle over $20B Annual GovCloud Market (by @GovCloud) http://j.mp/hhjZzK (via @DrInfoSec) [More FISMA stuff.] #
Good overview of proposed cybersec id plan from @DarkReading http://j.mp/gFtzSO (via @IdentityG_Steve @mschafer) #
#EDU Plaid CTF http://www.plaidctf.com/ starts next weekend … yay (via @bojanz @DaKahuna2007) #
Grecs’ Weekly Infosec Ramblings for Last Week http://bit.ly/hqF3vN [Finally finished this. Recap of last week.] #
Finished reviewing meetups for this week. Looks like there are 3. Plus SANS con still going on. http:/bit.ly/nispfullcal #
#EDU 4/27 will b 1st of our monthly CISSP Seminars at @Unallocated. All R welcome! http://j.mp/ecx5Ed (via @Unallocated) #
Apple faces class action lawsuit over in-app purchases http://j.mp/fOiqqC [Why don't they just let us do returns?] #
#MEETUP ISSA-DC 4/19 meeting speaker: Georgia #Weidman (@vincentkadmon) on mobile exploits. RSVP at http://www.issa-dc.org. (via @issa_dc) #
Dropbox has updated its privacy policy to acknowledge that it can decrypt users’ files when compelled to do so. (via @csoghoian) #
Locking OS/X Computer http://bit.ly/eSxDVT (via @DaveMarcus @DaKahuna2007) [Cool, locks when your iPhone is out of range.] #
BLOGGED: Where You Want to Be This Week for 2011-04-18 http://bit.ly/gY2xnK #
(ISC)2 is accepting U.S. Gov Infosec Leadership Awards (GISLA) nominations http://bit.ly/feJ4Q2 (via @danphilpott) #
Grecs’ Weekly Infosec Ramblings for Last Week http://bit.ly/hqF3vN [Recap of last week.] #
Yahoo Extends Data Retention fr 90 Days to 18 Months http://huff.to/esNtw9 (via @jaysonstreet) [Any thoughts on this?] #
RE http://bit.ly/hk6s6s I just find it odd that Google decreased their retention period few months back. I guess it wasn’t a trend. #
NIST issued draft 800-76-2 Biometric Data Specification for PIV http://1.usa.gov/i36n6J (via @danphilpott) #
#JOB Shortage of skilled cyber specialists fuels debate over pay http://bit.ly/hQFNz8 (via @DrInfoSec) [Good news.] #
#MEETUP Come watch me talk bots (possibly while still red..) @ issa-dc Tues 6:30 http://bit.ly/dOz2Bp (via @vincentkadmon) #
redsn0w updated to include 4.3.2 untether by @i0n1c: http://bit.ly/fQQaCM (via @MuscleNerd @jaysonstreet) #
#TOOL Windows Credentials Editor (WCE) v1.2 released http://bit.ly/eCeyLh (via @carnal0wnage) #
Ten-Year-Old, 2 Million PC Botnet Finally Killed; Stole up to $100M #USD http://bit.ly/ihYG9I (via @bobgourley) #
Verizon 2011 Data Breach Investigations Report http://j.mp/h3CNzj (via @mschafer) [Looks like it is here.] #
Dear Facebook: your privacy sucks http://j.mp/dGRCZF (via @regsecurity) [Go Sophos. ] #
97% drop in data theft leaves sec experts worrying how 2 sell shit http://j.mp/eIMyzr (via @iamleeg @Security_FAQs @jaysonstreet) #
Lost records down even though breach incidents soared http://j.mp/hWg8uA (via @regsecurity) [More on odd trends.] #
BLOGGED: The Web Exploitation Framework (wXf) Project http://bit.ly/hmMQHh #
#TOOL Dradis Framework 2.7 is out http://bit.ly/eMZcfJ (via @cktricky) #
How to Read & Act on 2011 Verizon DBIR http://bit.ly/hxsYH1 (via @EvilFingers @DaKahuna2007) [Some good actionable info.] #
#MEETUP Tonight is Flex Your Rights Night at @Unallocated Space! http://bit.ly/eGXLtc (via @Unallocated) #
Rogue Twitter Counter App Punts Survey Ccam http://bit.ly/hgPkCf (via @regsecurity) [Be on the lookout this morning.] #
2011 TDBIR (Twitter #DBIR : Attacks change, but still exploit poor security; breaches avoidable via basic controls. Do ‘em. (via @DrInfoSec) #
#NOVABLOGGER Data Breach Report Overload http://bit.ly/h5LU4P http://j.mp/nispblog (via @novainfosec) #
Skytalks CFP now open http://bit.ly/egcmmR (via @dcskytalks @carnal0wnage) #
RT @iamnowonmai: Anyone have any guesses what “heavily encrypted” means and how they “cracked it?” http://goo.gl/nIU7x <- +1 #
Crazy idea: hybrid light w/ traditional incandescant filament that shuts off once CFL component warms. (via @schuetzdj) <- Nice! #
RT @skynetOFFICIAL: JUST REALIZED I’M THE SHIT. #HELLOWORLD (via @nonrational) #
Get with IT: Once More Into the Breach http://j.mp/hHikJ1 [good read] (via @DrInfoSec) #
#NOVABLOGGER Had some fun making flat files from NMAP XML output .. http://j.mp/gNJlN2 (via @jasonmoliver) #
MI police extracting data from cell phones when they stop motorists: http://bit.ly/eu0G2Y (via @alexhutton) [Mmm?] #
#MEETUP ONE WEEK until next #capsecdc Hope to see U all at Stetson’s on 27th! http://bit.ly/g3xeLx (via @capsecdc) #
Facebook adds 2-factor authentication http://j.mp/dG1BKt (via @DarkReading) [Woot! Now need private by default.] #
iphone logging your location http://j.mp/e4Oqvx <- very interesting! (via @johullrich @agent0x0 @cktricky) [Why?] #
Mmm? iPhone4 self-tracking .. MI police imaging your phone .. Hopefully, data on phone is encrypted without pwd. Anyone know? #
If I recall only a portion of data on iPhone4s are encrypted. Everything else is available to MI police dept. #
iPhones secretly track ‘scary amount’ of your movements http://bit.ly/hsbrO2 [Mmm? Get pwned & they download this data.] #
Looking 4 part-time website ad sales/marketing person or agency. If you know of someone, wld appreciate an intro. #
Anyone got suggestions for native Pandora OS X app (not AIR-based)? AppStore has Musicality. Also found PandoraJam. #
Just finished a quick post. Nothing important .. just trying to find out more about the readers. http://bit.ly/f42Lfy #
Oh and there’s a $25 prize .. just to lure you all in. http://bit.ly/f42Lfy #
BLOGGED: Who are you all? http://bit.ly/f42Lfy #
Would appreciate all U in DC metro area taking this 2min survey. http://bit.ly/f42Lfy RTs are of course welcomed. Tx! #
Oh & there’s a $25 sweepstakes prize as well. http://bit.ly/f42Lfy #
More on cops snarfing cellphone data.. http://bit.ly/hdK09T [One solution .. carry an old charged phone in the car. ] #
#NOVABLOGGER Is the iOS 4 location tracking privacy issue overblown? http://bit.ly/dK6NWi #
USDA awards FISMA certification for Microsoft’s Business Productivity Online Suite http://bit.ly/hzlMVS (via @danphilpott) #
RE http://bit.ly/dHLdLc I think they mean “accreditation” (not “certification”). Right, @danphilpott ? #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-04-14

grecs — Fri, 15 Apr 2011 01:00:00 +0000

There were a few meetups this past week. Did you get to attend any of them?

There’s also some upcoming meetups for those of you who are interested.

OWASP NoVA: They’re looking for speaker(s), host(s), & food sponsors for 5/5 meeting. # #
Charmsec: Looks to be set for 4/28. #

National Cyber Security Innovations Conference: A SANS thing… #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. Here are some of my picks.

Some Comments on SP 800-39 #
Why The New School Is Important: Metrics won’t solve your probs… #
Sharing on a Need-to-Know Basis: Word. #
Announcing RedSpartan #
What is Risk (again)? #
If It Were Simple, We’d Do It All the Time #

In case you missed them, here were some of our blog posts from this week.

As usual … lots of government related things happening in the “cyber security” area.

Although despite all the money we are spending, the various breaches and compromises continue to flood the news streams.

Epsilon worries it may lose business after major data breach #
Infographic: Anatomy of a Phishing Attack: Good awareness poster to pass around. #
Opt Out of All Epsilon Email Lists #
Blackhole Exploit Posted on US Postal Service Site #
Epsilon Breach Highlights Cloud Computing Sec Concerns #
WordPress.com Hack Exposes Confidential Code: More WordPress woes. #
VMWare Customer Detail Lookup: VMware responded quickly on this 1. #

Of course with all these new and updated tools, no wonder it’s so easy.

Security Onion 20110321 #
Cain & Abel 4.9.40 Released #
Maltego 3.0.4 Released #
Armitage 04.10.11 is out: Post-expl host discovery, nmap in a tab, loot viewer, … #
BEEF Documentation Update #
RawCap Released: A 17kb Win packet capture tool that doesn’t need WinPcap… #
YUMI – Multiboot USB Creator #
SQLMap 0.9 Released #
RedSpartan Announced #
wXf / Dradis New Logger Function #
OllyDbg 2.01 alpha 3 Released #
Toshiba Self-Wiping Hard Drives: Now we just need SSDs that do same. #

But if you still want to make a difference, here are some job and educational opportunities.

Unconventional Methods Needed to Recruit Cyberwarriors #
Supervisory Information Technology Specialist: DHS job working cybersec ctrl systems… #
US Cyber Challenge Seeks Competitors for Online Quest: Great opp for students. #
Cyber Forensics – SRA International: Position in Leesburg, VA… #

Or you could write some good analysis, opinion, or research pieces like these people.

Security and Ultra Violence:Use CM to replace sec products. Nice! #
Pros/Cons of “Secure” Wi-Fi Access: Excellent post! #
How is SSL hopelessly broken? Let us count the ways. #
Lack of Admin Rights Mitigates Most Microsoft Vulnerabilities #
Security Researcher Warns over Dropbox Authentication Security Flaw #
Taming Your “Unknown Unknowns” through Network Traffic Analysis #

You can also keep yourself busy with these interesting newsbites:

Microsoft’s April Patch Batch to Address 64 Flaws #
EFF Uncovers Evidence Of Certificate Authority Apathy: Nother chink in SSL. #
4Square Enhances Security by Moving to HTTPS: So glad 2 see this happening. #
Apple AirPlay Private Key Exposed #
TheOpenGroup Releases Maturity Model for Infosec Mgmt #
Google Says It Has FISMA – DOJ Says No… # (Google’s Response #)
Cloud Security: Amazon’s EC2 Serves Up ‘Certified Pre-Owned’ Server Images #

And in closing, who could forget the tweets of the week?

Me: Have you ever heard a busy signal? My friend’s 15 year-old son: What’s that? Me: … My friend: … His son: …what? (via @wilw) #
Hmm … Beltway software = Beltware? <- CyberBeltWare (via @451wendy @andrewsmhay) [Lol.] #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…

Grecs’ Weekly Infosec Ramblings for 2011-04-07

grecs — Fri, 08 Apr 2011 01:00:00 +0000

There seemed to be quite a few meetups this past week. Did you get to attend any of them?

2600 Arlington: Met the 1st Fri of the month. 4 people showed up. # #
OWASP NoVA: They talked XSS this month. #
Unallocated Space: Ran their monthly lock picking session and installed a loft. #

If you don’t have time to make it to any of the weekly security meetups, why not try attending one of these upcoming conferences? Except for DEFCON (which I had to make an exception for) everything else is local. And be sure to check out our event calendar for even more upcoming meetups and conferences.

Cyber Warfare & Security Summit 2011 #
DEFCON: CTF qualifier registration is now open. #
Health Info Security Conference #
Information Security Events For April : Here are some other events. Only one in NoVA. #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. Here were some of my top picks.

In case you missed them .. our blog posts from this week. Hopefully, we can get this up some. Anyone want to guest post?

The infosec job market continues to look good.

Info Security Analysts Jobless Rate: Zilch: No 100% true. I know a few. #
How do you begin an information security career? #
Web App Security Consultant: Here’s a possible telecommuting position. #
Supervisory Information Technology Specialist #
Mandiant Positions: They’re hiring in DC too. #
Nmap Summer of Code: Seeking students for their annual project. Earn $5,000! #
Global Cyber Security Market to Reach $80.02 Billion by 2017 #
10 Top Gov IT Security Certs: There’s a few infosec certs there too. #

As usual the government continues to be active in this new field called “cyber security.” It’s like information security except that it involves the government.

Advanced Persistent Threat Definition Evolves #
White House IT Dashboard Released as Open Source # (also #)
NIST issued SB 2011-03 Managing Info Sec Risk: Org, Mission & Info Sys View (PDF) #
OPM Provides Shutdown Briefing: Thank goodness this didn’t happen … this week. #
Laptops Brought into US May Be Seized & Sent to Secondary Site 4 Forensic Inspection #

Lots of interesting new and updated security tools and resources were released or updated this past week.

Creepy App Warns of End to Privacy #
New Metasploit Website: Good place to learn, download & contribute. #
Metasploit Exploit Browser: Want more info on an exploit module? #
SET v.1.3.1 Released: Got a great tutorial on this at Metasploit Unleashed class. #
Bizploit is First Opensource ERP Penetration Testing Framework #

You can also keep yourself busy with these interesting newsbites:

DNSSEC Finally Goes Mainstream: .com finally gets signed. #
Identity Theft’s Next Frontier: Your Kids: This is sooooo not cool. #
Lizamoon Strikes Millions of URLs: SQLi seems to be so “in” right now. # (more #)
New Privacy Rules re Buzz Settlement: Man, is this still going on? #
Untethered iOS 4.3.1 Jailbreak: Why does Apple even try anymore? #
E-mail Compromised at Epsilon: Way too much media # attention #. #
NetWitness acquired by EMC (RSA): The security industry continues to consolidate. #
Attack Hijacks Sensitive Data using Windows Features: Bad defaults as usual. #
Pandora Subpoenaed Over Privacy of iPhone/Android Apps: Why Pandora? Why? # (more #)
No Such Thing as Bad Publicity: RSA Breach Might Help Drive Sales: Interesting thoughts. #
Storing Passwords as Hashes Instead of Plaintext Now Illegal in France: Really? #

And in closing, who could forget the tweets of the week?

RT @Shpantzer: Artist’s rendering of .gov/.mil infosec holy grrrrrrail.. http://twitpic.com/4h26ua Inspired by @bbaskin #
APTaaS (via @jack_daniel) [Nice.] #

Well, that’s all for this week. Be sure to follow me on Twitter at @grecs for more great tweets during the week! See ya…