Kurt Baumgartner of Kaspersky Labs joins us to talk about Red October, a research paper that he co-authored, along with the other areas that he works on at Kaspersky.

It's time for another Drunken Security News. Much of the gang was on the road this week so Patrick Laverty sat in with Paul and Engineer Steve for the show, plus Jack's epic beard called in via Skype from lovely Maryland.

First, Paul admitted it was a stretch to bring this into a security context but he wanted to talk about an article that he found in The Economist (via Bruce Schneier) about one theory that if the US would simply be nicer to terrorists, release them from Guantanamo Bay, Cuba and stop hunting them down around the world, that they would in turn be nicer to us. Also, fewer would pop up around the world. The thinking is that jailing and killing them turns others into terrorists. So here's the leap. Can the same be said for black hat hackers? If law enforcement agencies stop prosecuting the hackers, will they be nicer and will there be fewer of them? I think we all came to the same conclusion. "Nah."

Paul also found an Adam Shostack article about how attention to the tiniest details can be important to the largest degree. The example given was the vulnerability to the Death Star in the original Star Wars movie was so small and the chances of it being exploited were so remote that the Empire overlooked it, Grand Moff Tarkin even showing his arrogance shortly before his own demise. The same can be said for our systems. It might be a tiny hole and maybe you think that no one would look for it and even if they do, what are the chances they both find it and exploit it? In some cases, it can have quite dire consequences. The Empire overlooked a small vulnerability that they shouldn't have. Are you doing the same with your systems?

Did we happen to mention that Security BSides Boston is May 18 at Microsoft NERD in Cambridge, MA and Security BSides Rhode Island is June 14th and 15th in Providence, RI. Good seats and good conference swag are still available. We all hope to see you there!

The Onion's Twitter account was breached by the Syrian Electronic Army and they handled it a way that only The Onion can, making light of both themselves and the SEA. Additionally, possibly for the first time ever, The Onion published a non-parody post about exactly how the breach occurred.

Additionally, the National Republican Congressional Committee (NRCC) web site got spam hacked/defaced with Viagra ads. The only thing we were wondering is, are we sure it was hacked and not just a convenient online pharmacy for their members?

A new whitepaper was released from MIT talking about "Honeywords". The problem being solved here is creating a way for server admins to know sooner when a passwords file has been breached on a server. In addition to the correct password, this new system would add a bunch of fake passwords as well. When the attacker starts trying usernames and passwords, if they use one of the fake passwords, the server admin would be notified that someone is doing that and it is very likely that the passwords file has been breached. It's an interesting concept to ponder.

Jack had an article from Dennis Fisher at Threatpost, asking the question about what's the point of blaming various people for cyberespionage if we don't have a plan to do something about it.

The NSA also has its own 643 page document telling its members how to use Google to find things like Excel documents in Russian that contain the word "login". Wait, I feel like I've heard of this somewhere before. Oh yeah, that's right. Johnny Long was talking about Google Hacking at least as far back as 2007. It's just interesting some times to see things that the media gets wind of and without the slightest bit of checking, thinks something is "new".

Rob Cheyne is a highly regarded technologist, trainer, security expert and serial entrepreneur.

He was the co-founder and CEO of Safelight Security, a leading provider of information security education programs. He has taught information security training classes to tens of thousands of developers, architects, and managers for industry-leading organizations. He has over 20 years of experience in the information technology field and has been working in information security since 1998.

Rob regularly speaks at security and training conferences, and frequently presents to the local chapters of various security organizations.

PaulDotCom Security Weekly #329
Sumit Sumit Siddarth - "The Art of Exploiting Injection Flaws"
Free Amazon Socks Proxy to Tunnel to Freedom
Drunken Security News

PaulDotCom Security Weekly #329
Interview with Brad Bowers

Mark Baggett is the owner of Indepth Defense, an independent consulting firm that offers incident response and penetration testing services. Mark is the author of SANS Python for Penetration testers course (SEC573) and the pyWars gaming environment. In January 2011, Mark assumed a new role as the Technical Advisor to the DoD for SANS.

Yet another PaulDotCom Security Weekly Drunken Security News! Can I Stop Typing In Caps Yet?

Please follow along at home and check out the show notes to see the stories that Paul, Larry, Jack and Allison have decided to talk about this week! Additionally, have you heard yet that Paul is putting on BSides Rhode Island? Got your ticket yet? Plus, Larry is teaching SEC616 for SANS in May in sunny San Diego. Don't miss that!

And did you check out the latest HackNaked TV by John Strand? It's an introduction to getting started with Recon-NG the new tool by Tim Tomes. If you've ever wanted a great reconnaissance tool that feels a bit like Metasploit, then give Recon-NG a try.

What are the guys busting Steve the Engineers chops about at the beginning? They thought that Steve had deleted the just-completed interview with Bill Cheswick. Much to Paul's pleasant surprise, the raw video survived and we have the interview available for you.

Paul found a story about upgrading a router by removing chips and resoldering new ones and additional ones back on. Want an overview of how this works? Larry educates us on the necessary tools and techniques. Remember, it's all about the tip size and always practice on hardware you don't care about as it's likely you'll screw it up the first time you try.

Larry also discovered the "Dave" video. Dave is a Belgian mindreader that brings people in off the street, into his New Age-y looking tent, invokes various dances, chants and feels people's energy. In the end, he is able to determine what seems like way too much personal information about these strangers. How does Dave do it? I won't reveal the trick here, but you can see the two and half minute video on YouTube for yourself. Be careful out there.

Jack gives a shoutout to Rackspace for taking on the patent trolls and Allison finds an ISP in Texas that is injecting ads in their customers' traffic. She also wonders what would happen if a customers, seeing these ads, were to simply click on them incessantly, driving up the cost to the advertisers, defeating the purpose of the advertising budget.

Hey, you know that whole "hacking back", offensive countermeasures thing? Yeah, so a guy in Russia actually tried it as we know everything's legal in Russia, right? He set up a honeypot on one of his machines that loaded malware on your machine if you went to it. Ok, maybe that doesn't sound very nice, but the only way you could get into it is if you did some SQL injection on the box. So it's not like the people affected had innocent intentions.

If you're reading this far, you're probably a security practitioner to some degree and you're aware of ATM skimmers and give an extra look for them. But do you look anywhere else other than ATMs? Skimmers are starting to pop up in all kinds of credit card terminals from the local grocery store to taxis. So be aware and maybe just pay cash.

Other stories include farting on servers, dressing like a cyberwarrior, the return of Archer and Arrested Development, sniffing, scapy and getting the government to hire security professionals who may not exactly have a pristine past.

See you next week with Mandiant's CSO Richard Bejtlich!

Simon is a Mozilla Security Automation Engineer and ZAP Project Leader. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project. Simon is on to discuss OWASP's Zed Attack Proxy v2.0.0.

From the OWASP site: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Are you here to learn something about infosec? Well, you're in luck because this week you get even more. You even get Paul and Larry's beer trivia and find out who has the oldest trademark anywhere!

Can you guess the password on your first try? Of course you'd simply try the default password for the device, right? So would that be illegal to log in to that device and install software/malware? Of course it would be illegal, but it's still pretty neat that they were able to find approximately 1.2 million unprotected devices and turn about 420,000 of those into their botnet, which allowed them to scan the entire IPv4 address space in one hour. Also interestingly, this scan estimated that only about one-third of the IPv4 addresses are actually in use.

Along the same lines, Allison and Paul chatted about an article explaining how the botnet business is booming. One group is paying as much as $500 for 1,000 infections. Also discussed are the costs of a DDOS or 20,000 spam emails. Larry also pulls out $9 and some pocket lint wondering how many people he can spam with his resume.

Allison also brought up the Brian Krebs SWATing story and explains her own forays into this underground black-market subculture. Very interesting explanations of how easy it is to get enough personal information about someone in order to trick various businesses or services into helping the impersonator access their target's account.

NATO decided and published a report that they are justified in killing hackers. John offered his opinion on this that it makes sense. As war moves into new grounds and countries are using hackers to attack other countries, it makes sense that country is going to defend itself against this type of attacker.

Did you finally get your own 3D printer? Can you legally print out your own guns? Would that be legal? I would guess as long as you're the Vice-President and simply creating a double-barrel shotgun to scare people away, then it's all good. Maybe.

How's this for bottom-up economics? Larry tells us about a couple guys who owned a Subway sandwich shop and decided to get into the PIN pad business and eventually become a distributor to the parent Subway company. Except that these guys pre-installed remote admin access, and you can guess the rest.

Stick around 'til the end of the show for even more of Paul's beer trivia!

Jonathan leads the Microsoft Security Response Center Engineering team in investigating externally-reported security vulnerabilities and ensuring they are addressed appropriately via Microsoft's monthly security update process. Jonathan also acts as one of the engineering technical leads for the Microsoft company-wide Software Security Incident Response Process. The most important aspect of his work is helping customers find ways to reduce attack surface and protect themselves. Outside Microsoft work, Jonathan participates as a member of a reserve military unit helping to protect DoD networks and has written three-part "Gray Hat Hacking" book series.

Michael Farnum has worked with computers since he got a Kaypro II and an Apple IIc during his middle school years. Michael served in the US Army, where he drove, loaded, and gunned on the mighty M1A1 Abrams main battle tank (which is where he got his "m1a1vet" handle). Michael has worked at Accuvant as a solutions manager and is the founder of HouSecCon, THE Houston Security Conference, which will hold its 4th annual event in October.

Joe McCray is an Air Force Veteran and has been in IT security for over 10 years. His background includes both Network and Web Application penetration testing as well as incident response and forensics within the DoD and commercial sector.

Having a home lab is really key in our field. There always seems to be projects you want to work on that require a specific OS or software. You just need hardware at home, whether you are pen testing or doing security research. I grew tired of using laptops, and especially my own laptop. Having some low-cost servers will open up the possibilities.

Adrian joins the show to talk about his history in security, his co-creation of Derbycon, a primer into how he gets conference videos online so quickly and other tales of fun at conferences.

Joey Peloquin came on to talk about his recent findings with mobile security testing, and the platform he prefers, among iOS, Android and the new MS Surface. Plus, Paul and Larry are in studio to talk about the stories of the week.

Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD. He has 6 years experience analyzing wireless and embedded systems and operates the devttys0 blog which is dedicated to embedded hacking topics. He has presented at events such as Blackhat and DEF CON and teaches embedded device exploitation courses.

Have you ever jumped on a random WiFi connection and you didn't know where it was coming from? Probably. Most people have. But if you're one of Josh Wright's neighbors, or even if he's sipping coffee at the local shop, you might want to be careful about which wireless connection you're jumping on. But if you start seeing images that are out of focus or getting a page that seems about five years out of date or even end up on kittenwars.com, Josh might be the one responsible. Or at least his VM. You can get it on his site http://neighbor.willhackforsushi.com/

Josh is also working on something great for BSides Rhode Island. Check out the video below and he'll explain it. But if you hate the long lines at places like Cheesecake Factory and those stupid little buzzers that notify you when your table is ready, Josh might have some help for that. But you'll need to be at BSides RI to hear about it.

As for the stories of the week, we had a little bit of a lean week. However jokes about Jack's balls, I mean bells, were frequent and fun. After all, it was Mardi Gras and Jack brought beads for the whole crew with the one stipulation that we had to keep out clothes on.

Did you know that on Monday, February 18 at 2 pm, Paul and John will hold a free webinar with SANS. Titled "Active Defense Harbinger Distribution - Defense is Cool Again" the guys will be talking about the new offensive security distro that was built by Black Hills Infosec's Ethan Robish and John Strand. It's free, so sign up at the link above.

As for some of the stories, we knew it was going to be a rough week when Paul showed us the 10 ways to reduce security headaches in a BYOD world and #1 was to secure your data. Ohhhhkayyy. Moving on.

Paul also played the audio from a news broadcast from out west where the zombie apocalypse has begun. It's like a modern day War of the Worlds where people were actually calling the police to see if the story was true.

Jack explained how Mega's KimDotCom (isn't it quite egotistical to just take your first name and stick "dotcom" after it? I mean, seriously) continues to show his brilliance. Where else can you get a solid, top to bottom pentest for only about 10,000 euros. He challenged anyone to hack his site and after a few bugs, he began paying up. Pretty smart.

One story that actually didn't get mentioned on the show but is in the show notes is a quote from Bit9 after their hack this week: "There is no easy answer to a world where there are sophisticated actors continuously targeting every company and individual and whose primary goal is to steal information, whether for profit, power or glory. This is not fear-mongering or hype--everyone in the security business knows this fact. This is the state of cybersecurity today, and we are all frustrated and angered by it." Isn't this exactly why security firms get paid? Because there are bad people out there looking to steal information? If those people didn't exist, then would Bit9 need to exist? That's biting the hand that feeds you.

That's it for this week. We'll be back next week on the usual day, Thursday, February 21 at 6 pm EST! Until then, stay calm and hack naked!

Ethan Robish is a researcher with Black Hills Information Security and is here to give us some of the background on a suite of tools for the Offensive Countermeasures class - Active Defense Harbinger Distribution. The Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu 12.04 LTS. It comes with many tools aimed at active defense preinstalled and configured. The purpose of this distribution is to aid defenders by giving them tools to "strike back" at the bad guys.

A lean week in episode 319's Drunken security news, but at least the house was full with PDC staff. With Paul, Larry, Allison and Jack in-studio and John and Carlos via Skype to fill us in on all the fun.

But first, make sure to not miss the other two segments from episode 319. First was 451 Research's Wendy Nather to talk with the team, and then Ethan Robish and John Strand came on to talk about a brand new distribution. If you like distributions like Samurai, Backtrack and others, you might be interested in this one. Titled ADHD (Active Defense Harbinger Distribution) this has been three years in the making and takes on offensive security with many of the tools you love.

As for the stories of the week, Paul started off with a couple quick hits, including a joke about the Federal Reserve hack and bugs in hospital embedded devices. Then follow along as Jack goes a long way to make a joke about prime numbers, after one of the largest only-divisible-by-one-and-itselfs was discovered.

The first story they dig into is one that Larry brought along, about SSL/TLS being broken. After some explanation on the Oracle padding issue and the use of the same key, John and Larry bring up Wright's Law (to be discussed in episode 320 on Tuesday). Larry wonders, who is working on fixing SSL and if there is someone with a fix today, it could take five years until it is fully implemented.

Do you need anything more than six seconds? Apparently if you use Vine for Twitter, that's all you'll need. It's a new video sharing service, but all you get is six seconds of video. And what happens on Vine stays on Vine, right? Umm, no.

What would you do if you were Adobe's CISO? Take the staff out to lunch? Quit? Or actually get things cleaned up. I guess at least they're not Sony.

Congratulations to Allison who is Gold GCIA certified after her paper on digital watermarking to help prevent leaks. You can read the entire thing in the SANS Reading Room.

Lastly, Larry drops an "I told you so" with regard to Universal Plug and Play (uPnP). As Larry wrote, now there is a single Packet UDP exploit for it, for almost every device - of which there are millions of devices connected to the internet based on HD Moore's scanning.

Oh and if your company is looking for their next great employee (or if you get a referral bonus) contact Larry with the opportunity.

Thug is a Python low-interaction honeyclient. All too often in Incident Response you have logs that indicate a client was exploited by an exploit kit and compromised, but retrieving a copy of the the applicable piece of malware is difficult. Thug is designed to mimic a vulnerable web browser and follow the exploit kit back to its malware.

But with all that in the books, the conversation quickly turn to porn, smut and "sextortion." Yup, this was the first time that word had ever been uttered on the PaulDotCom Security Weekly, which required a visit to Urban Dictionary. As Allison noted, you can now get your very own sextortion coffee mugs, bumper stickers and magnets. The article described talks about how someone hacks into girls' computers (password guessing?), finds risqué photos and then uses those to get the girls to either send more pictures or go on video. Another man was recently charged with a similar crime where he'd talk to boys in IRC, get them to reveal themselves in a video chat where he'd then grab screenshots and use that against the victims. Lessons learned? If you are going to take a nude picture of yourself, DON'T INCLUDE YOUR FACE! But if push comes to shove, profit off it. As Paul said, it worked for the Kardashians and the Hiltons.

Did you know you're 182 times more likely to get malware on a news site than on a porn site?

China hacked the New York Times! Or did they? Wait, China did it? How in the world did a country of one billion people hack the NY Times. Isn't that the same thing as my blog getting hacked by the kid down the street and saying "The United States did it!" Maybe it was someone in China, maybe it was someone hired by Chinese government officials maybe it was someone who does things the same way that Chinese hackers have done it in the past. But as Allison and Jack noted, it's good that the Times is being so public with the situation.

As we begin adding more technology to embedded devices like televisions, we're not paying any additional attention to the security on them. Researchers are reporting having seen televisions and CCTV cameras pop up in their honeypots.

Paul talked about fifty million Universal Plug and Play network devices being open to packet attack. As he noted: "This is not a shock to me at all. UPnP is horrible, there just had to be a flaw in there somewhere. HD Moore found some, and turns out there are millions of vulnerable devices on the Internet. I am so happy to see this research come to light, it needs to happen. Free tools exist to check for the vulnerabilities, and details are forthcoming."

Speaking of forthcoming, the new version of Backtrack Linux is coming...

Oracle now cares about fixing the flaws in Java. Really? What could have possibly spurred this on? Maybe when the US Department of Homeland Security is telling everyone to stop using it? Maybe when they say they're patching the flaws and then a few minutes later, someone already has a new vulnerability for it? Good to know that this is what it takes for Oracle to finally care about security. Now imagine if such a company were involved in things like databases? Oh wait.

Wrapping this up with just a few more things. Paul talks about an XSS vulnerability in the VMware Management Interface. Free environment snapshots? Yes please!

Allison brings up the new law making it more illegal to jailbreak your mobile device if the carrier says you can not. But what about if you buy an unlocked phone for full price? That's ok, right?

Oh yeah, that grad student who was expelled from a Canadian university for telling them about their bad security practices? Well, it's actually a little worse. According to his expulsion letter, he was twice caught and admitted to using SQL injection to break into their informational systems. Yeah, that's a little more than just informing the school about their bad security practices, that's rubbing their nose in it. So lesson for the day, if you're paying someone thousands of dollars for a graduate degree, don't rub their nose in their bad security practices and expect to stick around.

Did you hear that Security BSides Rhode Island tickets are now on sale? Get them at http://bsidesri.eventbrite.com

Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of University of Virginia and University of Maryland. She's on tonight to talk to us about Bulk Extractor.

Cisco responds to the WRT54GL Linksys router hack. They're working on a fix for people being able to remotely get a root shell, but their recommendation in the meantime? Only let friends use your router. Oh yeah, with friends like these...

Have you signed up for the SANS webinar titled "Uninstall Java? Realistic Recommendation? No. Insanity? Yes!" with John Strand, Paul Asadoorian and Eric Conrad? It's coming up, this Tuesday at 2 pm EST.

Do you have all the HTTP response codes memorized? Someone is proposing a new range of 700-level codes Some that might be helpful: HTTP 725: It Works On My Machine. And I fear how often the PaulDotCom web server will return an HTTP 767. It simply reads "Drunk".

Former Dawson College graduate student, Ahmed Al-Khabaz, who was expelled for allegedly hacking the university's infrastructure, has received multiple job offers. The guys talks about the situation with a little more detail than is often reported. He found a vulnerability and reported it. So far, so good. But then a little while later, he pointed a scanner at the vulnerability that he found, presumably setting off alarms. Even worse, the noise from the scanner pointed back to him. Once he reported the vulnerability, what's he doing going back to it, and as "evil" Jack mentions, why didn't Al-Khabaz cover his tracks better when he switched his hat color? Nonetheless, lots of weirdness abounds in this story. The university overreacted (what?!? a university overreacted? never!) instead of using this as a learning opportunity. Plus, the student may have made some mistakes along the way, yet he comes out better for it. So is the lesson here to hack your way to a job? Is that what the universities are for? Umm, no. Never go after something that you don't have explicit, written permission to hack. Plus there's Paul's suggestion of punishment here, the student should have been required to work the help desk for three months. That's enough to teach anyone a good lesson.