I skipped last week but am back for more with another Weekly Rewind post… The industry news is from this past week however our blog posts go back about two weeks to the last Weekly Rewind. Also I didn’t include some of our standard articles due to their time relevancy.

For some of those readers that may not have noticed, I actually tack on commentary to the industry articles … so check out my italicized/bolded opinions and let me know if you agree in the comments. Lastly, take a zoomed up gander at the job application image to the right that @mubix posted earlier this week. North Carolina is probably one state I won’t be applying to…

Industry Articles

Cracking MD5 Passwords with BozoCrack: A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply “cracks” md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but its pretty dang effective. (continued here) [@grecs: Here's a useful tool that automates Google hash cracking.]

ARIN Launches WHOWAS: American Registry for Internet Numbers (ARIN) is running a trial service that gives users access to historical IP whois data — that is, it will tell you who was responsible for an IP address or block of IPs. The service is not automated and if you want to access it you will need to submit a request via email with information about not only what you want to know, but why you are interested in accessing the information. (continued here) [@grecs: Might be useful... How would you use this data on a pen test?]

Dutch Researcher Created A Super-Influenza Virus With The Potential To Kill Millions: A Dutch researcher has created a virus with the potential to kill half of the planet’s population. Now, researchers and experts in bioterrorism debate whether it is a good idea to publish the virus creation ”recipe”. However, several voices argue that such research should have not happened in the first place. (continued here) [@grecs: Maybe not an infosec story but it does parallel our disclosure debate some. Of course it's a lot harder to biologically patch people.]

Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises: The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future… (continued here) [@grecs: Finally, someone is stepping up however there's probably so many loopholes that it'll probably be useless. For example, Facebook could simply pop up new mini-ToSs that people are just going to click though without reading.]

BUSTED! Secret app on millions of phones logs key taps: An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. (continued here) [@grecs: iPhone coverage regarding this came up later in the week. At least it was disabled by default in most cases.]

Our Blog Posts

Job: Security Engineer II in Fairfax, VA: Looks like a great job opportunity has turned up over at the NoVA Hackers Association’s facility host. I know several of the folks that work in their security department over there and it seems like a challenging and rewarding place to work. The Company ICF International (NASDAQ:ICFI) partners with government and commercial clients to deliver professional services and technology solutions in the energy and climate change; environment and infrastructure; health, human services, and social programs; and homeland security and defense markets. (continued here)

Skype and the Enterprise: I read an interesting article this morning over on InfosecIsland.com that discussed the security of using Skype in the enterprise. As expected it didn’t give us the magic “yes” or “no” but instead the typical “it depends.” Overall, I thought the author made a very good point in that we trust a lot of our data to third parties, as I’ve mentioned in my teleconference security post, and Skype is just another third-party. The decision to use Skype should just follow the same considerations you’d normally take when acquiring any new third-party service. (continued here)

Job: Senior Cyber SME in Dulles, VA: This position over at Technica looks like a great opportunity for any of the more seasoned among us. It requires a masters, 5 years experience, and someone that really knows how to reverse engineer malware. And I can tell this manager knows how to hire the right kind of people … “Required Technical Certifications: None Required”. Company Description Technica is an innovative provider of high quality information technology solutions, process engineering and information assurance expertise. (continued here)

Top 5 Tips for Snagging that ShmooCon Barcode: Today’s the day … or at least one of three days throughout the year where we drop everything around 11:55 AM EST, head over over to the ShmooCon registration page, and starting F5ing the hell out of our computers with the hope of getting a barcode. Being someone that’s attended ShmooCon for four or so years now, I thought I’d pull together some of my tips for getting ShmooCon tickets. I’ve written about this previously however the ticket process has significantly changed since 2009. (continued here)

Here’s another edition of the Weekly Rewind, where we post out a quick summary of industry articles you seemed to like as well as our stories from the past week. If you missed anything or happened to be offline, we hope you find this post useful as a reference.

Industry Articles

Steve Jobs: How to Live before You Die: [@grecs: Nuff said...] (watch here)

Computer Virus Hits U.S. Drone Fleet: A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system. (continued here)

Monster Spam Campaigns Lead to Cyberheists: Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait. Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services. (continued here)

Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More: I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others. These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down. (continued here)

Does CISSP trump an MS in Cybersecurity from UMUC?: [@grecs: Not really an article per se but there are some interesting responses here.] (continued here)

Our Blog Posts

Where You Want to Be This Week for 2011-10-03: Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, contact us or mention it to @grecs on Twitter. A very light schedule for this week, with nothing formal and all you need to do is just show up and be ready to talk shop. Anyway, here are your meetups for this week. (continued here)

Balancing the 20 Critical Security Controls: Ben “@falconsview” Tomhave put out a nice post yesterday regarding the SANS 20 Critical Security Controls (CSC). In it he stressed how the they are 1) not actually controls, 2) not scalable, and 3) only designed to sell a product. I don’t know enough to comment on point 1. Point 2 seems right on target. And I somewhat agree with point 3. Regardless, having such a starting list is good in that it provides a pick list of the “basics” we should be doing as mentioned by Ben in point 2. Unfortunately, strictly adhering to the 20 CSCs might end up prescribing costly unnecessary controls while missing critical ones. Pictorially, I am reminded of the security vs. compliance graphic I put out a while ago. What you apply and don’t apply should be based on a risk assessment of your organization rather than a standard list of controls. (continued here)

Happy National Cybersecurity Awareness Month: Wow, can’t believe it’s been a year already… It just seemed like yesterday we were basking in the improved cybersecurity awareness of those around us. Unfortunately, people seemed to fall back into their old routines rather quickly and we had one of the worst years on record. There was the almost daily barrage of breach announcements with umpteen billions of pieces of personal and/or financial information lost. (continued here)

Top 3 NoVA Infosec Blog Posts of the Week: This week we lost one of the greatest visionaries that our generation will ever see, Rest in Peace Steve Job….Technological innovation will never be the same!! It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. You can take a look at what local security bloggers have been up to but if you can’t get enough of the local security scene, check out our NovaInfosec Twits listfor even more great security blogs and people to follow on Twitter. (continued here)

Top Infosec Schools in the Metro DC Area: How do you get started in an information security career? This is a question we get asked a lot. There are several ways … but if you’re looking to take a more formal approach, attending a school accredited as a National Center of Academic Excellence (CAE) is a great place to start. Run by the NSA and DHS this program evaluates educational institutions and designates them as either Information Assurance Education (IAE) or Research (R) schools. The goal, as stated on the program’s page, is “promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines.” (continued here)

Job Description:

Gemini Security Solutions is looking for a computer hacker. Our employees are all ‘computer hackers’. We don’t ‘hack in’ to systems, we just enjoy spending lots of quality time in front of the computer. We’re looking for a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to someone who just wants to use software out of the box.

If you wish to be hired in this position, be prepared to explain your ‘hacker’ tendencies — we’re not looking for someone that just uses computers from 9-5.

We tend to not list specific skills we are looking for, because we are interested in hiring smart people who enjoy learning new things, working with computers, and are able to share their knowledge with others. We prefer people with software development education and experience, or information security experience, but we’re not too picky. Sales experience wouldn’t hurt; in a small company, every employee must be part salesperson to keep the company growing.

Job Requirements:

We’re looking for individuals with any amount of experience, whether you are fresh out of school or been working for 10 years. As a result, the salary offer we make will really depend on your experience. Here are some things we’re looking for in an employee. The more of these that match you, the better–but the most important is that you are a hacker who can communicate ideas well.

• You have experience developing in C/C++/C#, Java, or .NET.
• You have a bachelor’s degree in computer science, computer engineering, or a related field.
• You love learning new things.
• You can write technical documents (in English).
• You have any information security experience.
• You are familiar with Regulations such as HIPAA, SOX, NIST SP800-37
• You play with computers as a hobby, not just a job.
• You have an MCSE, MCSD, CISSP, and/or CISA Certification.
• You have experience with HP-UX, IBM AS/400, and/or Oracle JDEdwards EnterpriseOne
• You have Systems Certification & Accreditation experience

How to Apply:

If this job describes what you want to do, please email your resume and contact information to job@geminisecurity.com. If you don’t include the following, your email won’t be read:

• Your resume
• Your salary requirements
• Your citizenship status (some of our work requires citizens)
• Dates in the next few weeks when you are available to interview
• Date when you would be able to start
• Reference job #CHNI1 in your submission so we know not to just delete it as spam.

Contact:

It’s not fair that we just find out information about you. You probably want some information about us, as well. Please visit our website to find out the types of work we do, and to learn about our customer base. And while you wait to hear back about your application, go to our blog securitymusings.com and join in the discussion of information security-related topics.

o o o o o
Are you a local company and have an infosec job to post? If so, contact us or visit our Advertise With Us page.

There were some interesting blog posts from local NoVA infosec bloggers this week, discussing everything from customer service to what IT Security jobs will look like 20 years from now. But since we can’t highlight them all, we picked the best 3 blog posts of the bunch.

As always, be sure to tell us what you think by leaving a comment below. You can also send us a tweet @grecs.

#3 – Revisiting the Golden Rule: Depending on who you talk to, the ‘golden rule’ can mean many different things; to Wade Woolwine however, the golden rule that’s been missing from the security field is customer service. Wade writes, “when you’re involved in security, specifically for a product, or a company who builds products, you should be listening to your customers!” While that can sometimes be difficult for those of us who are a little reserved, Wade’s right: Part of dealing with people is helping them. While it’s easy to think that having a job in security means that you’ll never have to interact with people again, the reality is that you will. Even if you sit alone in a room with a computer for most of your day, chances are you still report to someone, work with someone on projects, or deal with outside companies or customers. Unless you’re one of the 1% of people who somehow manage to avoid all human contact, Wade provides some useful tips on how security professionals can polish their customer service skills. You can view Wade’s full blog post here.   

#2 – Security Careers for the Next Generation: Like everything else in the world, the security field is also changing. It’s unrealistic, as Richard Bejtlich points out, to think that the next generation of security professionals will be able to find the same positions that are available today. Why? According to Bejtlich, it’s due to a shift that’s happening not only in the security field, but the IT field in general. He writes, “I’d like to know which of you manage a 3G network? Chances are if you answer yes, you work for a telecoms provider. How many of you keep the operating system on your Blackberry or iPhone patched? If you answer yes you work for a telecoms provider or Apple.” Basically, Bejtlich believes that the next generation of security and IT professionals will find less variety of jobs to chose from, limited mainly to providers and vendors. You can read the full blog post on Bejtlich’s Tao Security blog.

#1 – A Little Extra Heat: It turns out that the “Cyber Security Coming to a Boil” blog post by Michael Smith of the Guerilla CISO created a fair amount of controversy. In case you didn’t read our post about it last week, Smith talked about the political side of cyber security. (And yes; anytime you involve politics in anything, it is bound to cause controversy). But in an interesting twist, Smith let one of his commenter’s (Ian99) write an entire post explaining why he didn’t agree with Smiths’ blog post. It makes for an interesting read, and it’s nice to see both sides of the issue. You can read Ian99’s response to Smith here.

Well, that’s all for this week; be sure to check back next week for more of the best from local infosec bloggers.

###

Speaking of local bloggers… we here at NovaInfosecPortal are locals too. If you’d like to support
 our site and keep the local infosec community going strong, why not consider subscribing to NovaInfosecPortal?