Cindy M. wrote this paper and is asking for it to be disseminated. It will be published in the winter issue of DF Magazine. Enjoy.
Truecrypt 7.0 Released
Jul 29
Truecrypt 7.0 has been released. One of the interesting new features is it takes advantage of Intel’s hardware accelerated AES. The new Intel i5 and i7 cores include additional x86 instructions for hardware based AES block ciphering and key generation. If you take advantage of this there should be no performance disadvantage to running full disk encryption. I don’t think software encryption is as big a performance hit anymore unless you’re running antiquated hardware in which case you probably can’t afford the new Intel cores anyways.
There are some other cool new features including Favorites and support for new large sector disks (waiting for these to come down in price). You can read the full Truecrypt change log here.
Authors need thick skin
Jul 28
Richard Bejtlich has been posting Amazon book reviews like a mad man over on his Tao Security blog. One of those reviews was for “Digital Forensics for Network, Internet, and Cloud Computing“. Richard gave the book two stars and one of the authors, Clint Garrison, isn’t happy. The two of them were exchanging messages via Twitter.
When I checked this morning it looks like Clint’s Twitter account, cpsec, has been deleted. Also Clint’s comment on Amazon was removed. If you’re going to create something you need to realize not everyone is going to love it. That’s okay. You don’t want to be the person who never learned to accept constructive criticism.
I read this on the Internet Storm Center yesterday. Sophos has released a tool that will provide detection against the Windows shortcut exploit announced last week (originally being used to exploit Siemens SCADA machines). Be careful, this is a nasty vulnerability with a large scope — the entire Windows family of OS going back to NT as far as I’m aware. If you want to play with the vulnerability yourself it has to be added to Metasploit — thanks hd!
SophosLabs has made a video available on what the exploit is and how the tool works here, and the tool is available for download here.
REMnux: Distro for Reversers
Jul 26
Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers. From the REMnux page:
REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.
REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.
LastPass is a cloud based password manager. There’s no worries as your master password is used to symmetrically encrypt your information before it is sent to LastPass. You don’t have to worry about passwords lying around unencrypted on your disk. The really great thing about LastPass is they support just about every known device: BlackBerry, iPhone, Android, Mac, Windows, Linux, Firefox, IE, Chrome, etc.
LastPass is free!
LastPass Premium (no ads, mobile support) is only $1 a month!
LastPass imports from over 20 password managers
Go check it out now. I’ve already switched from KeePassX and Firefox Password Manager. I’ll be getting the rest of my family moved on to it this weekend. If you still need more convincing, in Episode 256 of Security Now Steve Gibson walks listeners through the LastPass architecture. Also don’t forget to run the LastPass Security Challenge — it will score you based on your average password strength, use of two factor authentication, blank passwords, duplicate passwords, etc.
In a recent Exotic Liability podcast (not PG13) Chris and Ryan interview folks from Paterva, the makers of Maltego. You should definitely try Maltego if you’ve never used it. They have a free version and it runs on both Windows and Linux. The software allows you to create a visual mapping of gathered intel. The tool is a must have for penetration testing as well as gathering intel on persons of interest, a la dossier. Maltego includes a powerful feature called transforms which allow you to rapidly pivot from one piece of valuable information to another.
FYI: Chris and Ryan hosted TruTV’s Tiger Team show which had a shorter life than the Microsoft Kin.
Episode #205 of the Network Security Podcast has an interview with the Payment Card Industry (PCI)’s General Manager, Bob Russo. In case you’re not familiar with PCI, this is from Wikipedia: “standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.” The standard is tiered depending on how many credit card transactions your organization processes. The more transactions you process monthly, the more controls you must implement. We mostly avoid PCI at work by using a punch out solution where we send customers to a PayPal clone for payment and therefore we don’t store or transmit any credit card data.
There’s a new PCI standard being released in the fall. The big change is moving to a three year life cycle vs. the 2 year which has been followed to date. This will give organizations an extra year to implement any changes in the standard. This is also a positive indication that the standard has matured to the point where it is effective at reducing data breaches. Let’s keep our fingers crossed there is not another TJX or Heartland breach occurring as I type this…
VoIP Security
Jul 17
The latest edition of free online magazine Hakin9 has a great article about VoIP security. I learned that NIST has a paper on VoIP security, 800-58 ‘Security Considerations for Voice over IP Systems’. I’m still in the process of reviewing this information so stay tuned for a review.
The High Tech Crime Investigation Association (HTCIA) has released their 2010 Report on Cyber Crime Investigation. Nothing earth shattering here. Security professionals report:
- Increase in criminal use of digital technology
- Lack of dedicated personnel
- Need for better training at multiple levels
- Need for improvements in information sharing and collaboration
- Need for better reporting, strategy and policy