Syria's President Bashar al-Assad was once an avid computer nerd. Now, the Syrian president presides over a ragtag group of hackers ready to unleash cybercrime havoc on a global scale.
Created, Produced & Hosted by Keith Korneluk. Written & Researched by David Burgis. Edited, Mixed & Mastered by Greg Bernhard. Theme Song "You Are Digital" by Computerbandit.
Listen to If the Walls Could Talk Podcast
In today's podcast, we hear that North Korea's Sun Team is rising in Red Dawn. Much PII, mostly out of Japan, appears in the black-market stall of a poorly reviewed vendor. The Mexican bank raid seems, the Central Bank says, to have started with a small brokerage and spread from there. Facebook and Google+ continue to be infested with jihadist inspiration. More charges for alleged Syrian Electronic Army hoods. A man gets fifteen years for, among other things, DDoSing former employers. And mobile app users? XYZ. Ben Yelin from UMD CHHS on controversy involving North Carolina police using overly broad warrants to gather location data from Google.
We continue with our series with John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division. This week, we tackle ransomware and insider threat. According to John, ransomware continues to grow, with no signs of slowing down. Not to mention, it is a vastly underreported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though recently the focus has been on ransomware as an outside threat, let’s not forget insider threat because an insider can potentially do even more damage.

Transcript

Cindy Ng: We continue our series with John Carlin, former Assistant Attorney General for the U.S. Justice Department. This week we tackle ransomware and insider threats. According to John, ransomware is a vastly under-reported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though, lately, we've been focused on ransomware as an outside threat, one area that doesn't get as much focus is insider threat. And that's worrisome because an insider can potentially do even more damage.

John Carlin: Ransomware, it was skyrocketing when I was in government. In the vast, vast, as I said earlier, majority of the cases, we were hearing about them with the caveat that they were asking us not to make it public, and so it is also vastly under-reported. I don't think there's anywhere near, right now, the reporting. I think Verizon attempted to do a good job. There've been other reports that have attempted to get a firm number on how big the problem is. I think the most recent example that's catching people's attention is Netflix. Another area where I think too few companies right now are thinking through how they'd engage law enforcement. And I don't think there's an easy answer. I mean, there's a lot of confusion out there as to whether you should or shouldn't pay.
And there was such confusion over FBI folks, when I was there, giving guidance saying, "Always pay." The FBI issued guidance, and we have a link to it here, that officially says they do not encourage paying a ransom. That doesn't mean, though, that if you go into law enforcement that they're gonna order you not to pay. Just like they have for years in kidnapping, I think they may give you advice. They can also give back valuable information. Number one, if it's a group they've been monitoring, they can tell you, and do as they've tried to move more towards the customer service model, they can tell you whether they've seen that group attack other actors before, and if they have, whether if you pay they're likely to go away or not. Because some groups just take your money and continue. Some groups, the group who's asking for your money isn't the same group that hacked you, and they can help you on that as well. Secondly, just as risk-reduction, as the example I gave earlier of Ferizi shows, or the Syrian Electronic Army, you can end up, number one, violating certain laws when it comes to the Treasury, so called OFAC, and material support for terrorism laws by paying a terrorist or other group that's designated as a bad actor. But more importantly, I think for many of you, then, that potential criminal regulatory loss is the brand. You do not want a situation where it becomes clear later that you paid off a terrorist. And so, by telling law enforcement what you're doing, you can hedge against that risk. The other thing you need to do has nothing to do with law enforcement, but is resilience and trying to figure out, "Okay, what are my critical systems, and what's the critical data that could embarrass us? Is it locked down? What would be the risk?" The most recent public example Netflix has shown, you know, some companies decide season 5 of "Orange is the New Black," it's not worth paying off the bad guy.
We've been focusing a lot on outside actors coming inside, and something I think has gotten too little attention or sometimes gets too little attention, is the insider threat. That's another trend. As we focus on how, when it comes to outsider threats, the approach needs to change, and instead of focusing so much on perimeter defense, we really need to focus on understanding what's inside a company, what the assets are, what we can do to complicate the life of a bad guy when they get inside your company. Risk mitigation, in other words. A lot of the same expenditures that you would make, or same processes that you put in place to help mitigate that risk, are also excellent at mitigating the risk from insider threat. And that's where you can get an economy of scale on your implementation. When I took over National Security Division, my first, I think, week, was the Boston Marathon attack. But then, shortly after that was a fellow named Snowden deciding to disclose, in bulk, information that was devastating to certain government agencies across the board. And one of my last acts was indicting another insider and contractor at the National Security Agency who'd similarly taken large amounts of information in October of last year. So, if I can share one lesson, having lived through it on the government end of the spectrum, that sometimes our best agencies, who are very good at erecting barriers and causing complications for those who try to get them from outside the wall, didn't have the same type of protections in place inside the perimeter area, in those that were trusted. And that's something we just see so often in the private sector, as well. In terms of the amount of damage they can do, the insider may actually be the most significant threat that you face. This is the kind of version of the blended threat, the accidental or negligent threat that happens from a human error, and then that's the gap that, no matter how good you are on the IT, the actor exploits.
In order to protect against that, you really need to figure out systems internally for flagging anomalous behavior, knowing where your data is, knowing what's valued inside your system, and then putting access controls in place. From a recent study that Varonis did, and this is completely consistent with my experience both in government, in terms of government systems in government, in terms of providing assistance to the private sector and now giving advice to the private sector, is that it did not surprise me, this fact, although it's disturbing, that nearly half of the respondents indicated that at least 1,000 sensitive files are open to every employee, and that one fifth had 12,000 or more sensitive files exposed to every employee. I can't tell you how many of these I've responded to in crisis mode, where all the lawyers, etc. are trying to figure out how to mitigate risk, who do they need to notify because their files may have been stolen, whether it's business customers or their consumer-type customers. And then, they realize too late, at this point, that they didn't have any access controls in place. This ability to put in an access control is vital, both when you have an insider and also, it shouldn't matter how the person gained access to your system, whether they were outside-in or it's an insider. It's the same risk. And so, what I've found is that...and this was a given example of this that we learned through the OPM hack. But what often happens is the IT side knows how to secure the information or put in access controls, but there's not an easy way to plug in your business side of the house. So, nearly three-fourths of employees say they know they have access to data they don't need to see. More than half said it's frequent or very frequent. And then, on the other side of the house, on the IT, they know that three-quarters of the issues that they're seeing is insider negligence. 
So, you combine over-access with the fact that people make mistakes, and you get a witches' brew in terms of trying to mitigate risk. So, what you should be looking for there is, "How can I make it as easy as possible to get the business side involved?" They can determine who gets access or who doesn't get access. And the problem right now, I think, with a lot of products out there, is that it's too complicated, and so the business side ignores it and then you have to try to guess at who should or shouldn't have access. All they see then is, "Oh, it's easier just to give everybody access than it is to try to think through and implement the product. I don't know who to call or how to do it." OPM, major breach inside the government where, according to public reporting, China, but the government has not officially said one way or the other so I'm just relying on public reporting, it breached inside our systems, our government systems. And one of the problems was they were able to move laterally, in a way, and we didn't have a product in place where we could see easily what the data was. And then, it turned out afterwards, as well, there was too much access when it came to the personally identifiable information. I have hundreds of thousands of government employees who ultimately had to get notice because you just couldn't tell what had or hadn't been breached. When we went to fix OPM, this is another corporate governance lesson, three times the President tried to get the Cabinet to meet so that the business side would help own this risk and decide what data people should have access to, recognizing when you're doing risk mitigation, there may be a loss of efficiency but you should try to make a conscious decision over what's connected to the internet, and if it's connected to the internet, who has access to it and what level of protection, recognizing, you know, as you slim access there can be a loss of efficiency.
In order to do that, the person who's in charge is not the Chief Information Officer, it is the Cabinet sector. It is the Attorney General or the Secretary of State. The President tried three times to convene his Cabinet. Twice, I know for Justice, we were guilty because they sent me and our Chief Information Officer, the Cabinet members didn't show up because they figured, "This is too complicated. It's technical. I'm gonna send the cyber IT people." The third time, the Chief of Staff to the President had to send a harsh email that said, "I don't care who you bring with you, but the President is requiring you to show up to the meeting because you own the business here, and you're the only person who can decide who has access, who doesn't and where they should focus their efforts." So, for all the advice we were given, private companies, at the time, we were good at giving advice from government. We weren't as good, necessarily, at following it. That's simply something we recommend people do.
Last week, John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice’s (DOJ) National Security Division, spent an afternoon sharing lessons learned from the DOJ. And because the lessons have been so insightful, we’ll be rebroadcasting his talk as podcasts. In part one of our series, John weaves in lessons learned from Ardit Ferizi, Hacktivists/Wikileaks, Russia, and the Syrian Electronic Army. He reminds us that the current threat landscape is no doubt complicated, requiring blended defenses, as well as the significance of collaboration between businesses and law enforcement. John Carlin currently chairs Morrison & Foerster’s global risk and crisis management team.

Transcript

Cindy Ng: John Carlin, Chair of Morrison and Foerster's Global Risk and Crisis Management Group says the secret to effective crisis management is that you've thought about it before the crisis. We thought we'd put his expertise to good use by having him share with us his experience as Assistant Attorney General for National Security on a wide range of topics. He described the current threat landscape, economic espionage, weaponized information, and what organizations can do to manage their risk. We are re-broadcasting his talk in a series that was held last week by starting with describing what a blended threat looks like, the particular challenges of insider threats, and the significance of the government working collaboratively with the private sector.

John Carlin: The threat when it comes to what's facing our private companies has reached a level we haven't seen before. That's true for two reasons really. Some of what we're seeing on the threats are things that in the national security community that we've been monitoring for years, but we've had a change of approach. So in the past, while we were monitoring it, it would stay in classified systems.
We would watch what nation states were doing or terrorist groups were doing and we didn't have any method to make it public. So one trend has been governments are starting to make public what they see in cyberspace. The second is that the actual threat itself has increased both in volume and complexity. That's been quite noticeable. In the past year alone, and really the past two years, we've seen cyber incidents that have gotten people's attention from every level. That has caused in government a shift in terms of the regulatory attention that's focused on cyber security breaches. When I recently left government, there was almost an unholy rush across every regulatory and law enforcement agency as they realized what the scope of the threat was and how their existing regulatory or law enforcement authorities were not covering it. That caused them to do two things. One, to try to come up with creative ways to interpret existing regulatory standards so that they can impose liability in the event of a cyber breach, and second, for those who realize that no matter how creative you got, there just was no way to bring it within existing regulations, more countries around the world are adopting data breach laws than ever before, most notably, Europe coming onboard in 2018, but really it's a global phenomenon. And as part of the focus on data breach, they're also having laws that are starting to impose certain standards of care or specific security obligations. I think it's that combination of increased awareness of the threat plus an increasingly complex and potentially punitive regulatory and law enforcement environment that's made this a top-of-mind issue for C-suites in poll after poll, not just here in the United States but in countries throughout the world. It's new and they're not quite sure what the legal regulatory landscape looks like, and accordingly, it's the type of thing that keeps them up at night. 
For those of you in the information technology space, that could be good news and bad news. It means more scrutiny on what you're doing but then hopefully, as we explain what it is and what can be done, it will also mean more resources. There's the old description of traditional cyber threats, and it's not like any of these have stopped, which would be crooks, nation states, activists, terrorists, everyone who wants to do something bad in the real world moving to cyberspace as we move everything that we value from analog to digital space, and the type of activity that they did ranged from economic espionage type activity to destruction of information, alteration of information, which I think is a trend that we need to watch, this is the idea of the integrity of your data may be at stake. I know, it's top-of-mind for those of us responsible for protecting against criminal and national security threats in government and fraud. I'm not going to spend too much on those traditional buckets. I wanted to highlight two new areas of cyber threat that are here, now. One is the, what I'll call the blended threat and the second is insider threats. Let's start with the blended threat. Imagine you're back at your office, you're in your company, and you spot what looks like a relatively low-level, unsophisticated criminal hack of your system. For many of you, it wouldn't even warrant, as you handle it yourself, informing anyone in the C-suite. It would never reach that high in the company. Now imagine that as a result of that relatively unsophisticated hack, you're a trusted brand name retail company, that the bad guy has managed to steal a relatively small amount of personally identifiable information: some names, some addresses. As you know, happens as we speak to hundreds and thousands of companies across the world. 
So the vast majority of those companies faced with an unsophisticated hack where it looked like the IT folks had a good control over what had occurred, it would stop there, to the extent it gets reported up to the C-suite, looks like a simple criminal act and will go unreported. The case I'm going through with you now though is a real case and what happened next was several weeks later, this company then received, through email, it was Gmail, so a commercial provider, a notice that said, "Hey, unless you wanna be embarrassed by the release of these names and addresses, you need to pay us $500 through Bitcoin." As these things go, you know, you can't really think of a dollar figure much lower than $500, asking for something through Bitcoin on a Gmail threat also does not look particularly sophisticated, you combine that with great confidence that you've been able to find them on your system and kick them off your system, again, the vast majority of companies, this does not go down as a high risk event and would not be reported. In the case that I'm discussing, which was a real case, the company did work with law enforcement and what they found out that they never would have been able to find out on their own was that what looked like a criminal act, and don't get me wrong, it was criminal, these guys wanted the $500, but it also was something else. And what it also was was it turned out that on the other end of that hack, on the other end of that keyboard was an extremist from Kosovo who had moved from Kosovo to Malaysia and located in Malaysia in a conspiracy with a partner who is still in Kosovo, he'd hacked into this U.S.-based trusted retail company, stolen these names and addresses, and in addition to the $500, he had managed, through Twitter, to befriend one of the most notorious cyber terrorists in the world at the time, a man named Junaid Hussain, who's from the United Kingdom. 
Junaid Hussain had moved from the United Kingdom to Raqqa, Syria where he was located at the very heart of the Islamic State of the Levant. In my old job, I was the top national security lawyer at the Justice Department responsible for protecting against terrorists and cyber threat, and on the terror side of the arena, this guy, Junaid Hussain along with his cohort in the Islamic State of the Levant, had mastered a new way of trying to commit terrorist acts. Unlike Al Qaeda where they had trained and vetted operatives, what they were doing was crowdsourcing terror. They were using social media against us and consistent with that approach, what Junaid Hussain did is he befriended this individual who moved to Malaysia named Ferizi, he communicated with him through U.S. provided technology, Twitter, he got a copy of the stolen names and addresses and then he called those names and addresses into a kill list. He distributed that kill list through Twitter back to the United States and said, totally consistent with their new approach of crowdsourcing terror, "Hey, if you believe in the Islamic State, if you're following me, kill these people," by name, by address, where they live. That's the face of the new threat in a version of the blended threat. I think for any of you, any company, if you knew when you were dealing with the incident, where you'd seen someone breach your system, that the person who breached your system was looking to kill people with the information that they stole, that would immediately be a C-suite event, your crisis risk plans would go into place, you would certainly be contacting law enforcement. The problem with the blended threat, these guys who are both crooks on the one hand and working on behalf of a terrorist or a nation state is you don't.
Because they did work together, in this case, Ferizi, the guy responsible in Malaysia, was arrested pursuant to U.S. charges, extradited after cooperation from Malaysia, pled guilty and was sentenced this past July to 20 years in Federal prison. And Junaid Hussain, who was operating in ungoverned space in Raqqa, Syria, was killed in a military strike acknowledged by Central Command. This issue that's putting your companies on the frontlines of national security threats in a way that simply never happened before, there's not another area of threat which has the same effect, requires new approaches in terms of security and in the ways that the Federal government interacts with private companies. Let me go through a little bit of some other examples of this blended threat phenomenon. If you think about what happened with the Wikileaks, you have Wikileaks which acts as a distributor of information but what they do is they end up, it's not necessarily the hacktivist that steals the information. So you see the breach into your system, you're not quite sure how it's gonna be used. Is it gonna be used by someone who wants to make money? Is it gonna be used by someone who has very specific intelligence purposes? It used to be the case, certainly the assumption for those of us in government working with the private sector that if you had information stolen by a nation state, unless you had some economic espionage type issue, you really didn't need to worry about the nation-state using it against you and that's clearly no longer the case. What you see here with something like Russia and the DNC is information that is taken in one sphere then gets leveraged and used to be put out through another. So a nation state steals it and then they have this shield of Wikileaks for the distribution of the information. You also have with Russia, we tried in terms of the blended threat, you have what look like nation state actors and let's use the most recent Justice case against the Russian actors who attacked Yahoo.
What you had there were crooks, I mean, straight up crooks who were Russian who were out to make a profit, and there was an attempt at law enforcement to law enforcement cooperation and U.S. law enforcement authorities passed information to the Russians to try to hold those crooks responsible. What you get instead of cooperation, this is all laid out in the complaint, is that the Russians then signed up the crooks as intelligence assets and used them to continue to steal information and to take some of the information they'd stolen so that the guy was both making a profit on one hand but also was providing it for state purposes. That version of the blended threat has a slight variation on it where his day job is Russian State Security Service hacker or Chinese State Security Service hacker but there's a lot of corruption in both countries. You wanna make a buck on the side, same actor, same system, daytime working on behalf of the state, night time, looking to line their pockets with profits, what you're trying to figure out on the back end of that attack, "Hey, what type of risk am I dealing with?" It can be incredibly complicated to figure out. Am I in a national security situation or a criminal situation? And that's combined then with the deliberate blending. As we've moved toward doing attribution, you'll see state actors, whether Russian, Chinese or others, they will not use the same sophisticated tools that they used to use in the past to breach your system that were identifiable. So you can tell by the tactics, the TTP, the tactics, the techniques, the procedures that you were dealing with a state actor from Russia or China or another sophisticated state actor. Now they're using the same easily available tools that low-level crooks are using in the first instance looking to see if they can get in through human error or weaknesses in the defenses and that makes it much harder to do the attribution.
Final version of the blended threat would be Syrian Electronic Army. Now many of you may be familiar with this group. This was the group who, and, you know, it's in vogue now, everyone's talking about fake news. Well, they're the original fake news case that we did. When we prosecuted the Syrian Electronic Army, what they had done was they spoofed a terrorist attack on the White House by defacing the White House, public facing site. That was very successful and caused the loss of billions of dollars in the stock market until people realized that it was a hoax. That same group though was regularly committing ransomware type offenses, they just weren't calling themselves the Syrian Electronic Army. And so for many of your companies, you would have a policy in place that would again spot it at a high area of risk and say, "We're not gonna make a payment if we knew we were paying off the Syrian Electronic Army," or in the case of Ferizi, if we knew we were paying off a terrorist, but the problem is you don't know. And as it was laid out in that complaint when we arrested one of those individuals in Germany, I don't think even their, the people operating them, running them from the Syrian Electronic Army knew that they were using the same tools on the side to make a buck. So what lessons can you learn or how can we help protect our systems recognizing this change in threat? Well, one is as the criminal groups, as the sophisticated type of programs and vulnerabilities that you can sell on the dark web become more and more blended with nation states and terrorist groups taking advantage of them, we need to ask ourselves, "Are our defenses as blended as the threat?"
And inside the company, that means making sure that we crosscut those who are responsible for preventing and minimizing the risk from a threat where it doesn't stop and say, "Hey, maybe we could build a wall that's high enough or deep enough to keep someone out," because that doesn't exist, but once they're inside and we're dealing with the actual threat, who do I have in my company who has evolved? Is there a way to make easily available to the business side so we can get their informed views as to what and how information should be protected to mitigate risk on the front end and then how to respond? And similarly, are we working together as companies and as a government with companies as the bad guys are with nation states who are sponsoring them or a terrorist group and that's where there's focus now, on figuring out a better way to do cooperation between business and law enforcement is vital. The division I used to head, the National Security Division, we were created as one of the reforms post-September 11th and the idea was post-September 11th, we gotta get better at sharing information across law enforcement and intelligence divide. The failure to share that type of information led to the death of thousands of people on September 11th. This challenge of how to share information in terms of what the government is seeing on the threat and how to receive information is exponentially more complicated because it's not just about sharing information better within government or within your company, it's how to share information across government to the private sector and back again.
Anonymous. WikiLeaks. The Syrian Electronic Army. Edward Snowden. Bitcoin. The Arab Spring. In every aspect of international affairs, digitally enabled actors are changing the way the world works and disrupting the institutions that once held a monopoly on power. In "Disruptive Power: The Crisis of the State in the Digital Age," Taylor Owen asks: How does the rise of hackers, digital humanitarians, cyber activism, automated violence and citizen journalists change the way we understand and act in the world? Are digital diplomacy and cyberwar the future of statecraft, or a sign of the crisis of the state? What new institutions will be needed to moderate emerging power structures and ensure accountability and the rule of law?
Chairborne Commandos - Military News, Technology, And Special Operations
On today’s show: Gunfighter moment with Larry Vickers – What is acceptable accuracy? Navy’s got 99 problems and it starts with corrosion. Syrian Electronic Army takes down Army.mil website. You can see the results here: https://twitter.com/official_SEA16 Over four million current and former government employee accounts get compromised by hackers in China. Chinese tank manufacturer getting […] The post China Takes To Social Media To Sell Main Battle Tank appeared first on Military News Talk Radio and Military Podcast - Chairborne Commandos.
“Ignorance is not innocence but sin.” – Robert Browning Spear phishers abuse Word programming feature to infect targets http://www.scmagazine.com/spear-phishers-abuse-word-programming-feature-to-infect-targets/article/359387/ C-IT Recommendation Ensure your company has an effective spam gateway or email content filter solution that quarantines junk mail, detects viruses. Consult with your email security team to validate the email security solution is running on […]
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Advice from Bob; Acoustical covert communication channel; Researchers recreate some NSA spy tools based on catalog descriptions; Why cyber insurance is such a mess; Code Spaces hacked out of business; Reuters defaced by the Syrian Electronic Army; Aviva hacked by Heartbleed bug, or was it? (Defensive Security Podcast Episode 73)
Show links:
http://www.tripwire.com/state-of-security/top-security-stories/covert-acoustical-mesh-networks-present-new-attack-vector/
http://www.theregister.co.uk/2014/06/19/hackers_reverseengineer_nsa_spying_devices_using_offtheshelf_parts/
http://www.slate.com/articles/technology/future_tense/2014/06/target_breach_cyberinsurance_is_a_mess.html
http://www.cnbc.com/id/101770396
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761
Mandiant put out their 2014 Threat Report, and we got into all the meaty goodness, from the Syrian Electronic Army to Iran and China's APT1 and APT12. Are the bad guys getting smarter, or are we just making it easier for them? Have a listen and find out. Mandiant 2014 report (registration required): http://connect.mandiant.com/m-trends_2014 Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Advice for the criminals from Bob; Pwn2Own results are in; Target ignored its FireEye alerts; Integrating threat intelligence into your operations; The problem with threat intelligence; Advanced endpoint protection advice; Workers are apathetic about lost mobile devices and company data; Lessons to learn from the hack of some Navy servers; How the Syrian Electronic Army … (Defensive Security Podcast Episode 59)
Syrian Electronic Army strikes again! PayPal and eBay are the latest to come under attack. The dark side of WiFi. Chaos Computer Club is suing the German government. Orange, the telecommunications company, hit by data breach. Job of the day!
In this episode we look at a rash of gas pump credit card skimmers, the Syrian Electronic Army keeps itself in the headlines, Guccifer has been arrested, the FBI issues a warning about POS Malware. I also continue my POS malware interview series with expert Josh Grunzweig, Malware Analyst for TrustWave SpiderLabs.
Unauthorized Digital Certs, BIND Updates, Patches, Patches and More Patches, More From the Target Breach and the Internet Weather Report. Originally recorded January 14th, 2014.
Adobe Source Gone, Bitcointalk.org epic defacement, IE 0day, more bug bounty Drama, Operation Payback, Syrian Electronic Army, UN dot HN, Nigeria busts scammer, Trustwave MST, Lisa Marie Presley.
The hacker group Syrian Electronic Army was able to hijack the websites of the New York Times, HuffingtonPost and Twitter, redirecting traffic, causing lost revenue and confusing hundreds of thousands of people. Are our websites and email safe? Chief Technology Officer Bruce Tonkin from Melbourne IT answers this question and tells us how we can secure our domain names from a similar fate.
Syrian Electronic Army takes out DNS, Underground Intelligence Agency, Yahoo header, YAZDIJ, OSX sudo, Chinese DDoS, Google.ps, Anonymous x 4
Talking Hacksymetric Warfare 2013 as Webcology looks at how the late August DNS hack by the Syrian Electronic Army was executed against the New York Times, Twitter and Huffington Post. Guests Kristine Schachinger and Josh Dennis are Def Con alumni. They take us through the attack from the initial phishing expedition to what information the hackers might have accessed with control of the DNS. We also cover methods of avoiding hacks and how to secure your Internet properties against attacks.
New York Times hacked? NOT!, Android, Android, Android, Java SecureRandom, 1 Million Malicious Apps, Bug Bounty Wars, Home Video Cams still vulnerable, Joomla!, Serious Organized Crime Agency is serious, Syrian Electronic Army hits everyone, Miss Teen USA, Lady Gaga's shovel - Bring It!, Trusteer
Barnaby Jack RIP, Apple Dev site rotten to the core, 2M Ubuntus owned, broken SIMs, Paypal youngun's, Touring Not Guilty, Syrian Electronic Army goes mobile, OVH Down, Japan and Poker and malware, Cisco/Sourcefire and the SpiderLabs talk round up.
Tumblr tumbles, Konami follows Nintendo, Guccifer and the Syrian Electronic Army return, femtocells still vulnerable, SCADA bug bounty that isn't, Morningstar, Roys of Hawaii, Cedars-Sinai, India/Pakistan trading defacements, SpiderLabs in Vegas.
Liberty Reserve, Syrian Electronic Army pranks SkyNews, Guccifer, Cher and Alec Baldwin lose weight, Drupal, Chinese cyber espionage, You must be 18 to ride PayPal, Jamaica Man, Turkish Ajan Went back to Ohio, Cain & Abel, AirCrack-NG
Yahoo Japan, Syrian Electronic Army, Financial Times, 2-factor won't stop stupid, Aura attacks targeted LE database, Scripps hackers, Operation Hangover, OperationGitmo, OpMarikanaMiners, Akron says attack was perplexing, Attack back, NYPD pays for email attacks, WebSense goes private.
Kurt Baumgartner of Kaspersky Labs joins us to talk about Red October, a research paper that he co-authored, along with the other areas that he works on at Kaspersky.

It's time for another Drunken Security News. Much of the gang was on the road this week, so Patrick Laverty sat in with Paul and Engineer Steve for the show, plus Jack's epic beard called in via Skype from lovely Maryland.

First, Paul admitted it was a stretch to bring this into a security context, but he wanted to talk about an article that he found in The Economist (via Bruce Schneier) about one theory that if the US would simply be nicer to terrorists, release them from Guantanamo Bay, Cuba, and stop hunting them down around the world, they would in turn be nicer to us. Also, fewer would pop up around the world; the thinking is that jailing and killing them turns others into terrorists. So here's the leap: can the same be said for black hat hackers? If law enforcement agencies stop prosecuting the hackers, will they be nicer and will there be fewer of them? I think we all came to the same conclusion. "Nah."

Paul also found an Adam Shostack article about how attention to the tiniest details can matter to the largest degree. The example given was the vulnerability in the Death Star in the original Star Wars movie: it was so small, and the chances of it being exploited so remote, that the Empire overlooked it, with Grand Moff Tarkin even showing his arrogance shortly before his own demise. The same can be said for our systems. It might be a tiny hole, and maybe you think that no one would look for it, and even if they do, what are the chances they both find it and exploit it? In some cases, it can have quite dire consequences. The Empire overlooked a small vulnerability that they shouldn't have. Are you doing the same with your systems?
Did we happen to mention that Security BSides Boston is May 18 at Microsoft NERD in Cambridge, MA, and Security BSides Rhode Island is June 14th and 15th in Providence, RI? Good seats and good conference swag are still available. We all hope to see you there!

The Onion's Twitter account was breached by the Syrian Electronic Army, and they handled it in a way that only The Onion can, making light of both themselves and the SEA. Additionally, possibly for the first time ever, The Onion published a non-parody post about exactly how the breach occurred.

Additionally, the National Republican Congressional Committee (NRCC) web site got spam hacked/defaced with Viagra ads. The only thing we were wondering is, are we sure it was hacked and not just a convenient online pharmacy for their members?

A new whitepaper was released from MIT talking about "Honeywords". The problem being solved here is creating a way for server admins to know sooner when a password file has been breached on a server. In addition to the correct password, this new system would store a bunch of fake passwords as well. When the attacker starts trying usernames and passwords, if they use one of the fake passwords, the server admin would be notified that someone is doing that, and it is very likely that the password file has been breached. It's an interesting concept to ponder.

Jack had an article from Dennis Fisher at Threatpost, asking what the point is of blaming various people for cyberespionage if we don't have a plan to do something about it.

The NSA also has its own 643-page document telling its members how to use Google to find things like Excel documents in Russian that contain the word "login". Wait, I feel like I've heard of this somewhere before. Oh yeah, that's right. Johnny Long was talking about Google Hacking at least as far back as 2007. It's just interesting sometimes to see things that the media gets wind of and, without the slightest bit of checking, thinks are "new".
It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse. If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy. Also, the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.

Topics Covered

We are happy to report that Justin Bieber is in fact not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214

The US Department of Labor was hacked, in what appears to be a very targeted 'watering hole' attack aimed at nuclear employees. The attackers, if the stories are true, burned an IE8 0-day on this one, and of course they are Chinese - http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/

Anonymous is threatening a massive attack against the White House (the political entity, not the ...nevermind), Bank of America, Citibank and other targets on May 7th. Are these folks just becoming part of the 'background noise' of the Internet? Are security professionals just starting to become numb to the DDoS attacks? - http://pastebin.com/TyvAK20F

Chinese hackers have apparently ransacked QinetiQ, a defense contractor with ties to global cyber intelligence operations, spooks, and other interesting things. Bloomberg's write-up was not kind to these guys - http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html

In the perfect illustration of the fact that insider threats are real, a systems manager returned to the company he was no longer employed at and wreaked havoc. Folks, there is no magic 1U box that will stop this sort of attack; be vigilant and have good auditing and processes! - http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network
Steve Hewlett discusses the rival Royal Charters with acting Times editor John Witherow and Christopher Jefferies, wrongly named by some in the press following Jo Yeates' murder. Is this really a time for further consultation and negotiation? Charlotte Raven tells Steve more about her plans to bring back Spare Rib, the feminist magazine, 20 years after it closed. And, as more media Twitter accounts are temporarily taken over by the Syrian Electronic Army, is this becoming as much of a problem for the social media company as it is for the people being hacked? Rupert Goodwins, former editor of technology news website ZDNet, looks at the issues. Presenter: Steve Hewlett. Producer: Simon Tillotson.