Welcome to another edition of the Drunken Security News, Episode 323. You can find links to all of the stories mentioned, and more in the show notes
Apparently, the 1980s was the ancient times. At least according to Allison, when she started off referring to an article she found that was really, really old. Like, way back in the 1980s. What else happened in the 1980s? Commodore 64 debuts, DNS first created, Microsoft Windows and the Apple MacIntosh are released and of course, Mr. and Mrs. DotCom have a baby and name him Paul. As for the stories of the week...
One of the Australian television networks' web site was hacked and password hashes were pulled out. This is one that has concerned me as well where you think everything is all fine at your company because you don't see any evidence of a hack, you don't have any defacement and you don't hear of your data being displayed anywhere. But in the meantime, someone has your password hashes and is trying to decrypt them over time. It might take someone a couple years to achieve it and all the while you're sitting there with your pants down. Along the same lines, Allison also explained how the LinkedIn password dump got discovered. The attacker who got the password hashes put them on a site and asked someone to help with decrypting them. When the clear-text passwords were returned, many of them included references to LinkedIn. So to the casual bystander, it became obvious as to the source of the list.
Paul also brought up a Dark Reading article
about whether training your developers to write secure code is worth it or is a money pit? To the crew, this wasn't even a real question and came up with the easy solution. You send all of them to training and find out who is excited about it and who complains about it. The complainers are fired. Easy. Done. Which got Jack to repeat the phrase "Don't bother teaching a pig how to sing. It's a waste of your time and just annoys the pig." Instead, just turn the pigs into bacon.
The guys also got into the topic of diversification of backgrounds in your security team. This comes up when people are looking to get into the field of infosec. How diverse do you need to be? What sorts of other skills do you have? If you have a background as a sysadmin, can you write any code? If you're a coder, do you understand how things work below Layer 5? Carlos talks about his experience with a team where some had a very diverse background, but not everyone. Though specialization can be great too, at least having an awareness of other areas should not only be desirable, but required.
One of Allison's interests is in the area of malware as a service. Not that she's selling her own DDOS service (well, maybe for the right fee..kidding) but investigating others that do it. She was able to even track down one such reseller who had a photo in his Facebook page with his DDOS service handle tattooed on his back. That one might be a little tough to explain to authorities some day.
Along the lines of malware as a service, Brian Krebs is chasing down
at least one of the people who are doing things like using DoS to defeat online gamers, or SWATing people's homes. Krebs was able to get on the phone with allegedly the same person who deleted all of Mat Honan's computer content
and that SWATed Krebs' house
Concerned about drone strikes? Apparently al Qaeda has published documents on how to avoid them by tricking the drone's tracking system. Apparently, the drones are attracted to microwaves. Literally, the waves that come out of a microwave oven. Just bypass the door lock on a microwave oven, put it away from some area you care about that a drone could be interested in and start up the microwave. Boom.
Lastly, as you may have heard, TSA is relaxing their ban on some small knives. But you still can't bring in your own bottle of water. Listen in as Jack explains (and I agree with) what he feels might happen today if some people tried to take over an airplane with box cutters or other small knives again. Let's just say it's pretty unlikely that the passengers will stay seated.
Jack also mentioned that the annual Trustwave Global Security Report
is out. Go forth and download it fellow data geeks.
Finally, Paul decided to end this show with a salute to his very own "Pig Vomit". The Howard Stern fans out there that remember Paul Giamatii's character in the movie Private Parts
. Apparently Paul has his own Pig Vomit and the gang all gave their own shout out. We encourage you to do the same.