Starting with what might be the biggest story of the week, Paul, Larry and Jack begin by talking about Bradley Manning getting 35 years in prison. The guys questioned Manning's defense that Manning knew everything that was being released despite not having read more than 700,000 pages of documents. Manning's lawyers claimed that you could read a page or so of a document and get the general gist of what that document was about. However, as Jack mentions, when the first thing you release is the video of the military helicopter and its soldiers inside shooting civilians, one might not be crazy to question the motives for the release. Manning was acquitted of aiding and abetting the enemy, but any kind of "no harm, no foul" defense just isn't going to get you too far when that's the first thing you release.
Ok, here are a couple of tips from Brian Krebs on what not to do if you decide that you want to launch a Denial of Service (DoS) attack on your former employer. Well, for starters, don't "Like" the Facebook page of the "Booter for Hire" that you hire to do the deed. It's probably also not the brightest idea to contract with a booter that has been infiltrated by and is actively working with the FBI. Things don't end well when you don't properly screen your booter for hire. What could possibly be the best tip in all of this comes near the end of the article. Sure, it was a great idea to wipe your computer drive, knowing that the FBI will eventually show up and want to talk with you. But please don't forget to either A) wipe your backups or B) not keep backups at all. Yep, this guy had the smoking gun sitting right there in his backups, just waiting for the investigators to scoop it right up.
While we're on the topic of TLAs and other Three Letter Acronyms, Larry also brought up this article on a tip sheet from the NSA on how to secure your Mac. One detail in the article that offers a chuckle is that the document refers to securing your OS 10.5 (~six years old), but of course there's also the irony of the NSA telling you how to secure yourself from those evil hackers, keep them out of your machine and keep your privacy. Yeah, somehow I did type that with a straight face.
Let's say that, theoretically, you want to hack into a bunch of major media web sites such as Time, CNN and the Washington Post. Let's also say you want to do them all at once. I don't think anyone will ever claim that any site has absolutely perfect security and no one can get in, but getting all of these sites at the same time might be a tall task. That is, unless they all trust one advertising provider and you can then pop the ads that get submitted to the sites. Well, that's what the Syrian Electronic Army (SEA) did this past week as they sent phishing emails to all the employees at Outbrain, purportedly from the company's CEO. The email requested the user's credentials, and then the SEA was able to gain a foothold in the advertising network and virtually walk right through the front door of the media sites. As Paul and Larry mention, neither phishing nor going after a trusted third party is a new technique. It's been covered before in past editions of PaulDotCom Security Weekly. But you have to listen in order to get that info! Hey Outbrain peeps, you listening to PDC now?
Finishing up with a couple quick ones. There's a security update to Pooty (PuTTY). Keep your software up to date! Jack tells us that the FDA is listening to security people now and offering guidelines for security of medical devices. Microsoft had to retract a patch for Exchange. This is never good when you advocate for a fast patch cycle. And if you find a hack in Facebook, is it the best idea to disclose it by using it on Mark Zuckerberg's FB page? Maybe, and it seems in spite of some questions, the researcher will actually receive the offered bounty from Facebook.
Thanks for listening and come on back every Thursday night at 6 pm Eastern (US) time!