In this episode we discuss mental disorders which involve installing Linux, the new Java exploit, and phpMyAdmin being backdoored.
Also, it is live from NYC and the water is not working at my hotel. WTH?

Offensive Countermeasures: The Art Of Active Defense: SANSFIRE June 15-16, Blackhat USA July 27-28 & 29-30
Check out the entire PaulDotCom crew at BsidesRI June 14-15th!








In his new book, Kill Decision, Daniel Suarez focuses exclusively on one technology used in his previous books Daemon and, to a larger extent, Freedom (TM): autonomous or semi-autonomous machines. Kill Decision is a technological (or "cyber") thriller which pits a CIA consultant and an academic researcher against the political and military war machine. It's a fun ride, and as a reader of Dan's previous books I looked forward to the deft weaving of action, psychology, socio-politics, hacking and science which I found in Daemon and, to a greater extent, Freedom (TM). Kill Decision is a great book and fulfills those expectations while providing even greater insight into the War Machine rabbithole which we've found ourselves being led (or perhaps leading ourselves?) into since 9/11.
Kill Decision explores the motivations behind the cyber arms race which is taking place around us by placing the reader in the middle of a fictional autonomous drone rollout. Dan does a good job of exploring the various motivations and excuses for the escalating use of infosec or "cyber" warfare. We hear from the proponent, "if we don't build it, someone else will", through to the opposing viewpoint, "Just because we *can*, doesn't mean we *should*". In a recent interview, Dan noted that the use of autonomous drones is a natural manifestation of the supposed state-sponsored malware we've seen with Stuxnet and Flame. In that interview, Dan indicates that autonomous drones are "the kinetic cousin of cyberwarfare, in that they are both radically new, low-cost, low-risk methods of waging conflict". Dan further states "The age of 'anonymous war' is upon us - it will be nearly impossible to determine who's attacking you...Anonymity could nullify an adversary's superior firepower, since they won't know whom to target in retaliation". Drone warfare is, in essence, an equalizer in armed conflict, and while Kill Decision, as a novel, presents the reader with characters to vilify, one is left to ponder the complications of identifying responsible parties when off-the-shelf warfare is within reach of anyone willing to cull the parts together.
As in his previous books, Kill Decision provides some scenes of hacking, trojans, and malware, but these are seen as tools, nothing more. Meanwhile the technology behind drones is explored rather heavily and is sure to inspire its fair share of hardware hacking projects.
Towards the end of the book, one of the main characters, Odin, presents us with a pragmatic middle ground concerning the use of bleeding edge technology in military applications. He understands the inevitability of drone warfare, but seeks to alter the trajectory towards an implementation that is transparently discussed and vetted publicly, not secretly. I suspect Odin is channeling one of Dan's motivations for writing this book, namely to give the reader a warning that drone warfare technology is here, and is a topic that deserves our attention before its effects are ahead of our influence.
All in all, Dan gives the reader quite a few subjects to digest in a highly entertaining format, all compressed into just under 300 pages. Pick up a *copy of Dan's book today and be sure to catch him on Episode 305 of PaulDotCom Security Weekly at 6PM on Thursday October 11th!
*Support Dan by picking up a legal copy! :)
In this episode we get all gushy about mobile device security. We also talk about targeted attacks. And we discuss why one should never use stock photos of pirates using computers. http://tinyurl.com/HNTV-OCM-SANS-CDI

Trojan Horse is Mark Russinovich's second techno thriller; his first was Zero Day. Mark is a Technical Fellow in the Platform and Services Division at Microsoft; he is very well known in the Information Technology arena as an expert in security and operating systems. He is also the author of several Microsoft Press books in addition to being a regular contributor to TechNet Magazine and Windows IT Pro magazine.
In the first book, Zero Day, we meet Jeff Aiken, a forensics specialist who runs his own company and travels from client to client helping them analyze how they were compromised. Mark covers how Jeff works to determine how malware gets into systems and how he is driven to find the 'where, what and who' of the infections and security breaches he investigates. When Jeff finds that there is more to the malware he is investigating, and that it is related to several events around the world, we see how Daryl Haugen from the US Computer Emergency Response Teams helps him put the pieces together. We also see how, once the terrorists find out what he is doing, the danger moves from the digital to the physical world, where the attacks are no longer viruses and Trojans but a trained soldier-for-hire sent out to get them. We also learn about his past before the fateful attack on September 11 and how it affected his life. The story in that book centers on a plot by the terrorist group al-Qaeda to repeat their attack on the West, using computer malware instead of planes and bombs. As part of the story, Mark covers many of the areas that the security community knows very well:
1. How difficult it is for antivirus companies to really protect us from all types of malware.
2. How many criminal and political organizations that lack the resources to write their own tools and develop new attacks are outsourcing those skills to the vast pool of security professionals and coders who are willing to find and sell zero-day exploits to the highest bidder and are not driven by any political or religious motives.
3. How companies often do not take the security of their products seriously enough and do not prioritize the patching of security holes.
4. The complexity and political motivations of the Federal government trying to control, regulate security and react to emerging threats.
He does all this with what I found to be a very good mix of technical information, plausible scenarios, drama, action and a bit of romance.
This second book is a continuation of the adventures of Jeff Aiken and Daryl Haugen as they run their own company and are called to help investigate an infection on a government system that is changing information so as to influence the politics and events in the Middle East. We see how Jeff Aiken is again driven by his fascination with discovering who is behind the infection and what they are doing. This brings Jeff to the attention of governments that want to stop his work and silence him so their agenda is not affected and they can succeed in their goals. This book differs from the original in that, instead of covering a terrorist organization, it shows how governments like China and Iran use the Internet as their new battleground and area of operation for covert action. We also see how even the US government is advancing its technologies to be able to address threats not in a kinetic manner but through technological means, to infiltrate and take action covertly using the Internet, and even how to jump into systems deemed secure and air-gapped. Mark also covers several areas of interest for security professionals in our industry:
* How private companies help the government by providing the appropriate skill set to develop exploits and security research that can be used offensively in covert actions.
* The shift of malware from collecting information to modifying it so as to alter events and actions in the physical realm.
* How digital supremacy affects and influences the politics and actions of governments.
* How governments use their offensive technological resources in the aid of other governments for political gains.
* How many governments are willing to shift from a digital to a kinetic approach to protect such secrets and actions.
The story takes us through Europe as Jeff moves from country to country trying to save the woman he loves and stop the plans of the Iranian government and the Chinese government, who are providing them with the technological means to carry out their plans for economic gain. The book keeps the reader engaged at all times and we see how Mark's writing style has improved and morphed in this second book. The book has the right mix of action and technology, making it one of my favorite books this year. Hope to see more books from Mark that continue with Jeff Aiken and his adventures in the digital and physical
Join us for Episode 302 with SANS Instructor and Web Application Defender Jason Lam tonight at 6PM ET. Sit back and enjoy the show live and participate in the live chat on our Ustream channel:
NOTE: The video will play the most recent show up until we are live!
Special Guest: Mark Baggett
In this technical segment we will look at how to tap into the vast amounts of data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW). An ETW provider will sometimes log excessive amounts of information, giving an attacker access to sensitive data. By tapping into these otherwise silent logging mechanisms an attacker can find all kinds of useful information.
Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.
Special Guests: Dave Aitel, Lance Spitzner, Javvad Malik, Dameon Welch-Abernathy (aka "Phoneboy"), SpaceRogue
Of all the topics we discussed for this episode, none sparked more passionate debate than the effectiveness of end user security awareness training. On one side, it's something that we must do in order to help our organizations be resilient to attack. Users must be trained not to "click shit", succumb to social engineering and ignore malicious behavior. On the other side of the fence, it's a waste of time. Not all users will "get it", and the attackers may only need one user to be a victim. The threats are constantly changing, so users will need constant training, and security will just "get in the way". Somewhere in the middle perhaps is a happy medium.
Special Guests: Charlie Miller, Collin Mulliner, Zach Lanier, Joshua Wright
Without question the security of mobile devices, both old and new, has suffered its share of problems. Since the first phones came on the market sporting the shiny new Bluetooth protocol, attackers moved to take advantage of the mobile device platform (The Cabir worm may be one of the first examples almost 7 years ago to the day). Since then, mobile devices have gained so much more functionality, including Wifi, NFC, SMS (which saw early adoption long before Bluetooth), more robust operating systems, more storage, smaller form factors, and lower cost. Then of course Apple had to get in the mix, then Google, and now, everyone has a smartphone. The really scary part is that we rely on it for communications so heavily, I mean where would we be without a phone that could TXT, email, Tweet and read your Facebook updates? All this functionality has made it essential to have a phone, and even given birth to new buzzwords such as BYOD. With all of this user adoption, functionality, and accessibility comes security FAIL for sure.
Less than a week after our Breast Cancer Research fundraiser/Episode 300 shindig, we are back with an interview with BeyondTrust's (formerly eEye Digital Security) CTO and wunderkind Marc Maiffret. You can find more information on tonight's episode via our Episode 301 wiki page.
Sit back and enjoy the show live and participate in the live chat on our Ustream channel: