Here’s another addition of the Weekly Rewind, where we post out a quick summary of all our stories as well as the industry articles you seemed to like the most from the past week. If you missed anything or happened to be offline, we hope you find this post useful as a quick reference.

Our Blog Posts

Where You Want to Be This Week for 2011-09-19: Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, contact us or mention it to @grecs on Twitter. A very light schedule for this week, and all you need to do is just show up and be ready to talk shop. Anyway, here are your meetups for this week. (continued here)

The Value of a CISSP: Local blogger Laura Raderman put out a great post last week titled “(ISC)2 and the CISSP.” I think she’s right on point in expressing how a lot of us feel regarding the (ISC)2, the CISSP, and the value they add to the security profession. Basically … meh … but need it to keep the job… (continued here)

How to Win Followers & Influence Friends: I had the pleasure of presenting at the inaugural Reverse Space Conference (RSCon) this past Saturday. I hope everyone learned a few things… I also picked up a some additional tips from several of the attendees and am continuing to investigate other ways we can use Twitter more effectively to manage our careers. Thanks! For those that missed it, here is the title and abstract if you want to get a quick synopsis of what the talk was about. (continued here)

Will New Monthly “Continuous” Monitoring FISMA Requirements Work?: According to GovInfoSecurity as well as several other publications, starting next month federal agencies will be required to implement continuous monitoring as part of their obligations under FISMA. At a minimum “continuous” is defined as monthly. All of their reported data needs to be fed into the CyberScope system. Oh and for training and consulting on how to meet this new requirement, agencies are must attend CyberStat sessions. Just a things to ponder here… (continued here)

Mobile Security “Average” Practices: There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I’ve been doing some research on advice we could provide “average” everyday iPhone users on this topic and these articles confirmed much of what I’ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions but for Mom and her personal iPhone this probably isn’t an option. Below you’ll find my favorite suggestions in priority order with some commentary. Note as with the original articles I’ve kept these suggestions high level as to not focus on any specific platform. (continued here)

Top 3 NoVA Infosec Blog Posts of the Week: It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. You can take a look at what local security bloggers have been up to but if you can’t get enough of the local security scene, check out our NovaInfosec Twits listfor even more great security blogs and people to follow on Twitter. As always feel free to check out what local security bloggers have been up to and also be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. (continued here)

A Few News Items that Pissed Me Off: There were several stories this past few weeks that just sort of … well I’ll just say it … pissed me off. I know that’s not too professional of me but it just gets my blood boiling. Companies just seem to be doing the wrong thing lately. Whether it be changing their terms of service (ToS) or downplaying potential serious vulnerabilities, everyone is taking the sleazeball way out instead of standing up and fixing their security problems. (continued here)

Industry Articles

OS X Lion Passwords Can Be Changed by Any Local User: In OS X, user passwords are encrypted and then are stored in files called “shadow files” which are placed in secure locations on the drive. Based on system permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication. This means that only the user can change its password, or if needed, then an administrator can do this by first authenticating. Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. (continued here) [Grecs Note: OS X continues to have problems. That's why I'm waiting until 10.7.2.]

Hackers Break SSL Encryption Used by Millions of Sites: Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. (continued here)

Skype for iPhone Makes Stealing Address Books a Snap: If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device’s address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child’s play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book. (continued here) [Grecs Note: With two or three similar incidents this year, you'd think Skype would have cleaned all these up already.]

Infographic: Two Decades of Malware: In the last two decades, malware has evolved from a simple, contained software virus to an unstoppable plague that can spread to millions of smartphone users in one foul click. Last year, Trend Micro’s analysts found that consumers were being targeted by up to 100,000 threats–a number that has tripled to 300,000 threats this year. (continued here) [Grecs Note: I always love these infographics. Print them out and post them on your cube wall. They make great conversation starters.]

Security Duo Finds Another Pair of Vulnerabilities in Android: Remember the duo who released an Angry Birds spoof application last fall in effort to highlight some of Android’s vulnerabilities? If so, perhaps you also recall hearing that Google had to implement the remote kill feature in Android about the same time. Well, those guys are back and, judging by their latest finding, things still don’t look to be all that secure. (continued here) [Grecs Note: The article includes a nice video showing their exploits in action.]

OnStar Tracks Your Car Even When You Cancel Service: Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service. OnStar began e-mailing customers Monday about its update to the privacy policy, which grants OnStar the right to sell that GPS-derived data in an anonymized format. (continued here) [Grecs Note: No need to comment here; check out my "A Few News Items that Pissed Me Off" post above.]

IPv6: The End of Security As We Know It: Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems. These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust. This is another topic I will be addressing in the coming weeks and months (so many security topics, so little time). (continued here)

The good folks over at Reverse Space have been planning a mini-con happening tomorrow (Saturday) starting around noon. It’ll mostly consist of NoVA peeps giving the presentations they gave in Las Vegas last month. This includes me presenting my “How to Win Followers and Influence Friends: Hacking Twitter to Boost Your Security Career” from BSidesLV. Anyway, here is their official “press release” with all the info.

#####

RSCon

Saturday, September 17, 2011, starts at 12PM

RSCon is the first mini-convention organized by Reverese Space members.

This isn’t a normal ‘con’ in the sense of DefCon, Blackhat, etc. This is more a chance for those that gave talks over the summer to give them again to those people that are here locally and couldn’t make it. The idea started when a few people who where speaking said they wouldn’t mind giving the talks again here in the fall. With that we consolidated those people together and arranged one day for them to all give their talks.

• Grecs: How to Win Followers and Influence Friends: Hacking Twitter to Boost Your Security Career
• Tiffany Rad: SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas
• Joe Klient: Your first IPv6 Pen Test – Discovering the Target
• Joey (l0stknowledge): We’re (The Government) Here To Help: A Look At How FIPS 140 Helps (And Hurts) Security
• DeKahuna: Wireless Contest (bring your BackTrack installs!)

#####

I hope to you can make it. See ya!

Just a quick reminder that the ISSA – Baltimore Chapter infosec meetup event is tomorrow. For more information about the ISSA – Baltimore Chapter, see its description in our Infosec Meetups section. View our Calendar for a list of similar infosec events in and around the NoVA area. See our original post for more information about this meetup.

###

Keep the local security community going strong by becoming a subscriber of our site. You can also spread the word about NovaInfosecPortal
 by passing this post along to a friend.

A vendor-natural discussion of IPv6 risks and benefits, the upcoming ISSA – Baltimore Chapter meetup on Wednesday, March 25th, counts toward 2 CPE hours for those who are interested.

But it’s important to note that if you are looking to learn how to use or implement IPv6, this meetup will not teach you how. If you are looking to learn IPv6, the ISSA – Baltimore Chapter website highly recommends that you take a class or read a book.

For more information on this meetup, please continue reading below.

• Who: Joseph S. Klein of Command Information
• What: “Security Implication of IPv6″
• When: 03-25, 4:30 – 6:30 PM EST
• Where: SPARTA (7110 Samuel Morse Drive, 2nd Floor; Columbia, MD 21046)

For more information on the ISSA – Baltimore Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

###

Keep the local security community going strong by becoming a subscriber of our site. You can also spread the word about NovaInfosecPortal
 by passing this post along to a friend.

Here is some information regarding this week’s Thursday NoVA Sec infosec meetup event.

• Who: Joe Klein, Command Information
• What: IPv6 Security
• When: 5/22, 7:30 PM EST
• Where: Fishnet Security (13454 Sunrise Valley Dr. Suite 230; Herndon, VA 20171; 703.793.1440)

For more information on NoVA Sec, see its description in our NoVA Meetups section. Here are links to the post about this meetup.