Sunday, December 22, 2013

#09: ISSA, name change, macbook networking, data breaches, and the podcast

Yep, the blog name has been changed.  I figured that the original title was too wordy, and I'd be stupid not to use my given name... it's just too perfect.  So I registered the domain to point here for the time being; the podcast will also be called 'Brakeing Security'.

It reminds me of the Simpsons episode, probably about 50 years ago, where Homer, Apu, Barney, and Moe were in a barbershop quartet called "The B Sharps".  It was funny the first few times, and it gets progressively less funny...  It's just like that...

I have decided that I need to stop being one of those guys who sits on the outside of their security organization and says 'Well, I'd have done it like this...'.  I have been elected by my peers as the Recording Secretary of the Capital of Texas ISSA chapter. I still don't understand the full powers I have, other than, you know... recording meetings/timekeeping, and making sure the rest of the board doesn't stab each other.  Sounds like fun!!!

My Mid-2012 MacBook Pro Retina is unable to access the wireless at work, so I decided that I would re-purpose my MiniPwner (TP-Link TL-WR703N) travel router to be a wireless AP for my work wireless.  It came rooted, so it wasn't that difficult.  I had to set up the travel router to connect to the wireless AP at the office as a client, get an IP of 192.168.1.x/24, and then turn around and forward packets to/from my MacBook Pro Retina.

(generated using draw.io)


There is a lot of info on the OpenWrt site, but much of it is out of date, or is scattered across other spots all over the wiki.  The best info I was able to get all in one place was the "Routed Client" recipe using MASQUERADE (http://wiki.openwrt.org/doc/recipes/routedclient#using.masquerade)

Well, after a few issues, mainly that the recipe uses the newer 'iw' Linux commands, most everything else was the same.  My MacBook connects with a static 192.168.2.x address, and everything just works.
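For anyone wanting to reproduce the setup described above, here is the routed-client configuration as I would lay it out in OpenWrt's UCI files.  This is an added example, not the configuration from the original post or from the OpenWrt wiki: the SSIDs, passphrases, channel, the 192.168.2.10 address for the MacBook and the choice to hang the MacBook off a second (AP) virtual interface on the same radio are all assumptions; adjust them to your own office network.  The office side (wwan) gets a DHCP lease on 192.168.1.x, the MacBook side (lan) lives on 192.168.2.0/24, and the firewall zone for wwan does the MASQUERADE.

```uci
# /etc/config/wireless  (added example; SSIDs, keys and channel are assumptions)
config wifi-device 'radio0'
    option type     'mac80211'
    # The TL-WR703N has one radio, so the client (sta) and the local AP
    # share it and must sit on the office AP's channel.
    option channel  '6'
    option disabled '0'
    # keep the other radio0 options (path/macaddr, hwmode) as generated by the firmware

config wifi-iface
    option device     'radio0'
    option network    'wwan'          # client side, attaches to the office AP
    option mode       'sta'
    option ssid       'OfficeWiFi'    # assumption
    option encryption 'psk2'
    option key        'office-passphrase-here'

config wifi-iface
    option device     'radio0'
    option network    'lan'           # local AP for the MacBook (assumption)
    option mode       'ap'
    option ssid       'minipwner-lan' # assumption
    option encryption 'psk2'
    option key        'a-long-private-passphrase'

# /etc/config/network
config interface 'lan'
    option ifname  'eth0'
    option type    'bridge'           # eth0 + the local AP end up in one bridge
    option proto   'static'
    option ipaddr  '192.168.2.1'
    option netmask '255.255.255.0'

config interface 'wwan'
    option proto   'dhcp'             # takes a 192.168.1.x lease from the office

# /etc/config/firewall
config zone
    option name    'lan'
    option network 'lan'
    option input   'ACCEPT'
    option output  'ACCEPT'
    option forward 'REJECT'

config zone
    option name    'wwan'
    option network 'wwan'
    option input   'REJECT'           # nothing on the office LAN can reach the router's ssh/http
    option output  'ACCEPT'
    option forward 'REJECT'
    option masq    '1'                # MASQUERADE lan traffic behind the wwan address
    option mtu_fix '1'                # clamp TCP MSS, avoids PMTU blackholes behind the NAT

config forwarding
    option src  'lan'
    option dest 'wwan'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `iw dev` should list both a sta and an ap interface on the radio, and `iptables -t nat -L POSTROUTING -n` should show the MASQUERADE rule on the wwan interface.  On the MacBook, a static address such as `networksetup -setmanual Wi-Fi 192.168.2.10 255.255.255.0 192.168.2.1` (with 192.168.2.1 as the DNS server, since the router's dnsmasq forwards upstream) matches the 192.168.2.x setup above.  Two things to keep in mind before doing this on a corporate network: the router is a NAT box that the office IDS/NAC sees instead of your laptop, so clear it with whoever owns the wireless, and change the default root password and keep `input REJECT` on the wwan zone so the office side can't log into it.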

The real shame is that I had to sacrifice my MiniPwner to do it. It's USB bus powered, which is nice, because it's small, and a portable battery pack will last days if you aren't plugging it directly into the PC/laptop.  I was using it as a Kismet capture device, as well as doing some reverse SSH tunneling from the inside of our network back to my house, just to try it.

Nowadays there's the PwnPlug, the WiFi Pineapple, and even a Raspberry Pi running Kali to use for this.  The best thing about them is that they are very small, and you can hide them in out of the way places to attack networks, assuming you can get into an out of the way place in the business you are attempting to pentest.

In the past few weeks, we've heard about major data breaches, both from JP Morgan Chase (link), and then the uber heist of 40 million cards from Target (link). It really gives me pause, because any person in Information Security should be wondering 'When is my company next?' or worse 'Is my company already compromised, and I don't know it?'  What can be done?  IDS? Log file analysis? Firewall audits looking for connectivity no longer needed?  Are proper methods and processes in place to keep unauthorized connections from occurring?  The answer is all of this and more.  Your organization must want to be secure.  Forcing it on them like an older brother scaring your kid brother is only going to breed resentment down the line.  And if you suffer from chronic PCI requirements, it's the same thing.

Martin McKeay made a point that I did not realize previously...


It is unfortunate in our day and age that we can do very little to fix the issue, and companies will still make out better than they were previously.  Is it because stock traders believe that they've learned their lesson, and it will never happen again?  Target and JP Morgan will survive, lick their wounds, and suffer no long lasting effects, until it happens again.  Companies should be made to suffer fines or perhaps additional scrutiny from the SEC when they do their yearly filings.  At a minimum, they should sign up all cards with fraud protection, instead of it being opt-in.  This would be costly for the orgs involved, because very few people opt in to the fraud protection offered to them, but by not doing so, they are showing that they care very little for the security mess that they themselves have caused.

The new podcast "Brakeing Security" will start the week of January 6th.  I hope to have interviews, at least once a month (hopefully made up of Speakers from our ISSA meeting).  I want it to be no more than 30 minutes.  I don't have a PhD in sound editing, so it's gonna be a bit rough to start out.  I'm hoping to do a little bit of news, some opinion, technical segments, and an interview if I can scrounge one up.

My idea is that there is enough IS/Privacy/Security/Healthcare talent in the Austin area that I should be able to gain an audience from someone, anyone.

If you are interested in doing an interview, or have a topic you'd like to talk about on 'Brakeing Security', I would like for you to contact me at 'brakeb@gmail.com' with a subject of "Brakeing Security", and we'll get together and talk about it. I'm pretty democratic, as the 10 domains of CISSP cover a vast amount of IS/IT and Regulatory items, if we can put a security bent on it, we can talk about it.  If you have a technical segment about a new security tool that you may be developing, or you are speaking at a convention soon, I'd be greatly pleased to have you on my podcast.

Have a great holiday and remember, tear up the boxes with all the TVs, Xbox, Laptops, etc.  Don't just put them out by the trash.  People don't need a reason to want to get into your house...