Fwd: NSA reportedly knew about Heartbleed

From: David White 
------------------------------------------------------
Whenever I send these emails to multiple mailing lists and put 'em on the
BCC line, Chugalug always bounces because it's an "implicit" recipient. So
here's my "try again"!


http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

This is one of the most critical internet security bugs of all time. If
true, the NSA put billions of accounts in jeopardy.

Also if true, this proves my point, EXACTLY, as to why the NSA does not
have the best interest of the internet security community:
http://www.davidmartinwhite.com/2014/03/24/how-does-the-nsa-do-what-it-does/

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

Major OpenSSL Vulnerability

From: David White 
------------------------------------------------------
I got a security advisory from the CentOS maintainers last night about it,
and I just read this CNET article:
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Here's the security advisory from CentOS:

Earlier in the day today, we were made aware of a serious
issue in openssl as shipped in CentOS-6.5 (including updates issued
since CentOS-6.5 was released); This issue is addressed in detail
at http://heartbleed.com/

Upstream have not released a patched version of openssl, although we
are reliably informed that there is quite a bit of effort ongoing
to release a patched package soon.

As an interim workaround, we are releasing packages that disable the
exploitable code using the published workaround (tls heartbeat);
Note that these packages do not resolve the issue, they merely
disable the feature that is being exploited.

Notes:
1) All versions of CentOS prior to 6.5 are unaffected.
2) the release tag in these packages is marked in a manner that the next
upstream version will override and replace these packages.

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

OT - Wanting Guest Blog Posts (maybe)

From: David White 
------------------------------------------------------
Hiya folks,
Since I launched Develop CENTS over a year ago,
I've kept a somewhat active blog. My goal is to post at least twice a
month, although that hasn't always happened.

Since then, I know that I have a few regular readers, but I believe most of
my traffic comes from organic search results, outside of the initial social
media push whenever I publish a new post.

That said, I've tried to gear my blog posts towards content that would be
helpful to the average Joe computer user, with a bent on security. I try to
incorporate simple steps a user can take to solve problems on their own,
but at the end of the day, the goal of my blog has always been to get
people interested in more complicated services Develop CENTS provides.

That said, I've been thinking about opening up the blog to guest posts.

What you'd get:

   - Your picture at the top of the blog post (just like mine -
   http://developcents.com/blog/03142014-1626/securely-discarding-your-old-hard-drives
   )
   - A link to your website with a description of who you are and what you
   do, in italics at the end of the post.

What I'd get:

   - Your blog post with the above themes in mind

If you're interested, contact me.

I'm still thinking about this (not sure if I want to do it or not), but I'm
exploring the idea right now.

- David

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

David Byrne: what if we rebuilt a spy-proof internet?

From: Rod 
------------------------------------------------------
What will life be like after the internet? Thanks to the mass surveillance  
undertaken by the National Security Agency and the general creepiness of  
companies like Google and Facebook, I've found myself considering this  
question. I mean, nothing lasts forever, right?

There's a broad tech backlash going on right now; I wonder just how deep  
the disillusionment runs. I get the feeling that there are folks out there  
who would relish putting the internet behind us sooner rather than later.  
Imagine that: even the internet could be a thing of the past one day. What  
would that be like? No Facebook. No Google. No government nerds looking  
through your webcam.

But could we become more secure without abandoning the internet? What if  
there's a third way? One that doesn't involve either passive resignation  
to being exploited or a Luddite smash-the-looms fantasy. What if we began  
to develop and encourage the adoption of machines and a network that are  
actually secure – through which neither thieves, corporations, nor the NSA  
could track us – and what if these could be configured by us, to really do  
what we want them to do? To stop the spying, stealing and monitoring, but  
to allow other things to continue.

What would that look like?

http://www.theguardian.com/commentisfree/2014/mar/24/david-byrne-nsa-rebuild-secure-internet

-- 
The unregulated free market is like Yog-Sothoth, a mythical being whose  
followers make bloody sacrifice to hasten its arrival to this world.

Using Opera's mail client: http://www.opera.com/mail/

penetrate me!

From: William Roush 
------------------------------------------------------
I've dealt with pentesters before, it's kind of aggravating when I have 
working exploits they don't find and we're forking over tons of money 
for them to go on some tangent that results in nothing... :\

Though as I understand it the market is going the way of SEO and the 
like, once valid, now full of a lot of people that barely know how to do 
it and will just run the same tools you found and charge you insane 
amounts of money for it.

Your client will probably want someone that can rubber stamp a pen test 
on you, so sadly it'll take more than someone that just /knows/ security 
but can give you the paperwork to back it up and a company name.

William Roush
william.roush@roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/27/2014 12:58 AM, Ed King wrote:
> Our "network administrator" at the main office quit over a year ago 
> and a replacement was never hired.
> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>
> Our "network administrator" at our "NOC" quit over a year ago and 
> never got replaced.
> www.linkedin.com/in/mlaman
>
> Our "phone system guy" quit a year ago, a replacement was hired, but 
> I've seen him, like, once.  When the phone/fax systems goes down, they 
> call ME.
> http://www.linkedin.com/profile/view?id=49461976
>
> So guess what?  I and one of the other programmers on my team 
> inherited all these extra support duties (without a single f'ing penny 
> of a pay raise, mind you).
>
> We inherited hardware and software that hasn't been updated in years 
> (insert career-damaging-but-painfully-true 
> my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment 
> here)
>
> We know basic firewall, iptables, are mindful of sql injection, can 
> install/run/monitor virus scanners etc, but we are not security 
> experts nor do we play one on t.v.
>
> If this situation wasn't stressful enough, it has now come to a boil 
> as a potential (big!) client "demands" proof of pen testing before 
> they will let us host their data.    At this point I'm spread way too 
> thin and told my boss today that he needs to crack open that wallet 
> and hire an outside pen tester.    Anyone on the list "qualified" to 
> do it?    Willing to work for peanuts?
>
> What defines a qualified pen tester?  I see what appears to be "free" 
> software I could download and run myself, if I was inclined to take on 
> more responsibility w/o pay.    I suppose this free software would be 
> a "good start" but is a pen test done by an "internal" employee good 
> enough for the client, I doubt it.
>

OT bugs and code quality

From: Christopher Rimondi 
------------------------------------------------------
For those of you who are on/lead teams of developers or engineers, what do you
do to keep everyone focused on reducing bugs and thinking through the impact
of changes? I get there is a lot that can be done with unit and integration
testing and formal QA. However, what I am asking centers more on keeping
quality front and center in the team's mindset.

There is probably no easy answer to this but, how do you separate bugs that
are caused from "moving fast/meeting deadlines" versus we probably should
have caught this one?

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

Prepping a Linux server for PCI Compliance..

From: Mike Harrison 
------------------------------------------------------

I know there are some security nutcases on the list.. so I am asking:

I'm setting up a system to host a simple,
yet carefully created application and submit it for PCI Compliance (SAQ C 
and maybe even SAQ D (service provider)) and am wondering what tools were 
available that would simulate the scans that they will be going for..

Or should I just load up Backtrack and such and fire away?

Which I should do anyway.. but I am looking first to emulate what they 
would be doing.

Anyone out there specialize in such things (even for money)?

--Mike--

GnuTLS library Security Flaw

From: Rod 
------------------------------------------------------
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

-- 
Using Opera's mail client: http://www.opera.com/mail/

Fwd: Modis.NET

From: Dan Lyke 
------------------------------------------------------
This may actually have come across here already, I haven't been watching
the Chattanooga job postings too closely, but I know some of y'all can get
through notYET code...

---------- Forwarded message ----------
From: Standifer, Joshua 
Date: Tue, Mar 4, 2014 at 8:16 AM
Subject: Modis.NET
To: "danlyke@flutterby.com" 


Dan,



Thanks for taking my call and offering to pass this info along. Below
you'll find the positions that I currently have open. Thanks again!



*CHOICE DATA: Contract to Hire *

Advanced ASP .Net MVC developer, must have worked on ASP .Net MVC
projects for at least 3 years.

Excellent knowledge and skills with web development tools in C#,
Javascript, HTML, CSS, JSON, AJAX

Excellent knowledge and skills in LINQ, .Net 2.0/3.5/4.0/4.5

Excellent knowledge and skills in SQL Server 2005/2008

Good knowledge and experience in C, C++.

Good knowledge and experience in Java is a plus.

Dependable, team oriented, can take on project/task independently



Primary focus: Web services and SQL Server. Experience with security issues
and database maintenance tasks/plans a huge plus. Experience with
encryption routines and replication required.

General Definition
Web/Software Developer requires technically strong candidate with expertise
in enterprise-wide application architectures. Candidate should be well
versed in web applications and Microsoft technologies. This position
additionally requires a wide variety of programming background, and a strong
programming discipline and database programming knowledge. This job
requires a team player that will be able to work with or lead other
developers and be involved with new application development and
enhancements to existing applications and also assist with maintenance and
support of issues and bug fixes. This position also requires
adherence/familiarity to project delivery lifecycle steps - requirements,
functional design, coding, unit and system testing, user acceptance and
implementation.

Responsibilities
* Develop technical designs, using text, use cases, component, sequence, and class diagrams
* Build stable, flexible, enterprise applications that are maintainable
* Demonstrate knowledge of transaction processing and implementation of object-oriented environment
* Define, design and implement enterprise architectures, technology standards, good coding practices, and quality standards
* Demonstrate expertise in administration and maintenance of IIS Web sites
* Demonstrate ability to create prototypes
* Development of specifications and estimates for intranet applications
* Work with team members and users to analyze and document business requirements
* Foster teamwork and a spirit of collaboration

Skills
* Exposure to developing Active Server Pages and ASP.NET, VB.NET, C#, VB/JavaScript, XML and HTML applications
* Exposure to developing web-based, n-tier applications using Microsoft Transaction Server (MTS), Component Server, SQL Server, and Internet Information Server (IIS)
* Knowledge of database architectures, T-SQL and stored procedures in MS SQL Server 2000
* Experience in ASP with an in-depth knowledge of .NET framework
* Experience working in data modeling and ERD tools
* Experience in XML Web based services and COM/COM+
* Experience with Active Reports and SQL Reporting Services
* Proven ability to carry a large development task from concept to completion
* A BS in computer science or equivalent experience
* Excellent written and oral communication skills
* Works well in a team environment
------------------------------

1. *TVA: C# ASP.Net Developer Chattanooga, TN* 1 year contract with the
possibility of extension *(REMOTE WORK WITH IN OFFICE VISITS POSSIBLE
OPTION)*

 The contracts could last between 6-18 months and there is the potential
for converting to a full time employee. TVA is a well-respected employer
within our market!  *The right fit is key!*

- .NET experience - Specifically, ASP.Net
- Web page development experience
  o JavaScript
  o JQuery
  o CSS
  o HTML
- SQL Server knowledge, 200/2005/2008
- We are also looking for someone with the right attitude to come
in and be excited to solve problems.  We want people who are eager and able
to troubleshoot and look for ways to improve existing systems

Analyzes business or scientific system delivery specifications or purchased
software and develops the technical design. Develops and tests the
application software and implements it for use in a configuration managed
environment. Acts as a source of direction, training, and guidance for less
experienced Analysts. Position leads development efforts for complex and
technical systems. Requires advanced knowledge of Information Technology
and someone who serves as a technical expert. Must be able and willing to
assume on-call rotational assignments which may include 24 hour on 7-day
per week availability. Additionally must be willing and able to travel to
carry out project work.

Development of the technical design includes:
* Establish and design technical framework for system
* Design System components including user interfaces
* Design data conversion requirements
* Define operational requirements including scheduling, capacity planning
and resource requirements
* Define test environment including development of test cases

Responsible for the development and testing which includes:
* Generation of executable code based on accepted programming standards
* Unit testing of executable code
* Integration testing of executable code
* Develop operational procedures
* Follows change control procedures and quality assurance standards
* Verification that system meets all business requirements, including
reliability and process volumes
* Receive approval from user that system is ready for production and
prepares associated documents for production release

Job Modifier
Utilizes client-based or web development tools to develop solutions for a
variety of complex and difficult problems or systems.
List of additional technologies in their environment NOT REQUIRED
The technologies and techniques that we use here are:

- WCF
  o SOAP
  o REST
- ASP.NET
- LINQ
- C#
- Entity Framework
- ASP.NET MVC3
- SQL Server 2008
  o SSIS
  o SSRS
  o SSAS
- Business Intelligence
  o We're trying to get into this more... we want to build some cubes and
change the way we store data, but we need people!
  o Star Schemas
  o Data Cubes
- Windows Services
- High Availability Clustering
- Telerik third-party control sets for Silverlight and ASP.NET
- Silverlight
- Tibco Enterprise Service Bus and web services


*------------------------------*

*2. TVA Programmer Analyst Chattanooga, TN*

1 year contract with the possibility of extension *(REMOTE WORK WITH IN
OFFICE VISITS A POSSIBLE OPTION)*

This is the entry level for Programmer Analysts. Based on defined
specifications, provides the following: develops executable code using
adopted programming standards; prepares test data; unit tests code; documents
programs; follows change control procedures; utilizes client/server and/or
web development tools to develop solutions for a variety of moderate to
well defined business problems, or segments of moderately defined, but
complex and difficult problems or systems. BS or BA degree in Computer
Science, Business Administration or related field or equivalent is
required. Soft skill set includes team building and listening. Knows
fundamental concepts, practices and procedures related to application
development. Must be knowledgeable of and have experience with 1 or more of
the languages and OS listed above. May require 24-hours-a-day,
7-days-a-week availability via a beeper or other communication mechanisms.
Travel may be required to carry out project work.


Thanks,


*Joshua Standifer*
Talent Sourcer

*Modis*

633 Chestnut Street ST1350
Chattanooga, TN 37450

T: 423-763-4084
C:865-307-4193
joshua.standifer@modis.com
Proud Sponsor of the U.S. Olympic Team.

personal cloud

From: Christopher Rimondi 
------------------------------------------------------
Someone passed this link on to me about setting up your own "personal
cloud". I was more interested in it for this guys use of ansible. But I
might give it a shot because it looks pretty interesting.

https://github.com/al3x/sovereign


-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

[OT] Flash Player 11.1.102.55

From: "Robert A. Kelly III" 
------------------------------------------------------
Supposing an organization was running Flash Player 11.1.102.55 on a
large number of work stations and routinely advised employees to
disregard and bypass browser security certificate warnings. On a scale
of 1 to "nuclear holocaust", how bad would you rate the security risk in
that scenario?

anyone using Elasticsearch

From: Christopher Rimondi 
------------------------------------------------------
Anyone in Chatt using Elasticsearch? I saw there was a user group in
Atlanta.

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

upstart vs systemd

From: Christopher Rimondi 
------------------------------------------------------
http://www.markshuttleworth.com/archives/1316

I have been into Upstart a bit lately and it is a kind of love/hate
relationship.  Interesting to get people's perspective.

-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com

Reverse Engineer Positions

From: AverageSecurityGuy 
------------------------------------------------------
Eric,

 If this headhunter is on Twitter, he should tweet about the open
positions and include the hashtag #securitytwits or @securitytwits in
the tweet.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co



On Feb 5, 2014, at 1:13 AM, Eric Wolf  wrote:

> A headhunter called me today mostly to ask for some information on
> what "reverse engineering" meant. He's trying to place an entire team of
> people at a company in Melbourne, FL. The salaries are generous because
> it sounds like they are looking for some real talent:
>
> ---------- Forwarded message ----------
> From: David Blackburn 
> Date: Tue, Feb 4, 2014 at 11:12 AM
> Subject: Reverse Engineer Positions
> To: "ebwolf@gmail.com" 
>
> Eric,
>
> Thanks for taking time out of your day to speak with me.  Please pass
> this info on to anyone in your network you think might be a fit.  If I
> can ever re-pay the favor and be a resource to you in any way please
> don't hesitate to reach out.
>
> They would like this team of 15 Engineers to live in Melbourne, Fla.
> Comp is between $100k - $200k base yearly salary depending on
> experience.  Looking for all skill levels with experience in:
>
> * Reverse Engineering
> * Vulnerability Research
> * Wireless and Network Communications
> * Hypervisors
> * Malware
> * Mobile/Embedded Development
> * Win32/Linux Kernel development
> * Constraint Solving
> * Exploit mitigation techniques
>
> Thanks for the help.  My number is 720-746-2522
>
> All the best
>
> David
>
> David Blackburn
> Senior Account Executive | Information & Technology
> Bradsby Group
> dblackburn@bradsbygroup.com
> Office:  (720) 746-2522
> Fax:  (303) 813-8101
>
> Bradsby Group has been ranked as the #1 Staffing Agency by the Denver
> Business Journal for 2008, 2009, 2010, 2011, 2012, and 2013
>
> The information contained in this email message is privileged and
> confidential information intended only for the use of the individual
> named above.  If the reader of this message is not the intended
> recipient, or the employee or agent responsible to deliver it to the
> intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly prohibited.
> If you have received this communication in error, please immediately
> notify us by telephone (call collect if you are outside our area code).
> Thank you.
>

Go Daddy & Paypal implicated in domain snatch

From: Rod 
------------------------------------------------------
The domains were used as leverage to get a rare single-letter Twitter handle.
That PayPal gave up the dude's last four of his credit card and GoDaddy  
used it as verification are really bad.
http://it.slashdot.org/story/14/01/29/1527247/developer-loses-single-letter-twitter-handle-through-extortion

The other take away seems to be avoid custom e-mail logins. Is there a way  
to secure your own e-mail login?
Does good security demand you use a big brother corp e-mail account?

-- 
Using Opera's mail client: http://www.opera.com/mail/

Chattacon!

From: Dee Holtsclaw 
------------------------------------------------------
Chattacon is this weekend!!

Cyndi and I will be heading out around 1-2 Wednesday -- 840 miles, made
it in 13.5 hours last time but we're supposed to have snow tomorrow
night ... hopefully that won't delay getting across the RFK or GW bridges.

I'll probably be helping out in Registration on Friday afternoon/evening
and around Operations a lot otherwise (Cyndi's running it this year).
Hope I get to see a few of y'all at least.

Um ... I might also mention that Registration and Security could use
some staff if anyone is so inclined ... staff rate is $25 ... had to ask.

OT: Unix Administrator in Atlanta

From: Matt Keys 
------------------------------------------------------
Forwarded message and job description below that:

---

From: Dana McSpadden 
Sent: Monday, January 13, 2014 11:51 AM
To: Matt Keys
Subject: Infosys McCamish - Job Opportunity

Hi Matt,

My name is Dana McSpadden and I am a Recruiter with Infosys
BPO/McCamish. We are currently seeking an experienced Unix/Linux/HP-UX
Administrator to join our Data Center Services organization at our
Atlanta, GA office. A job description is attached for your review.

Please let me know if you are interested in learning more about this
opportunity. To express interest or to answer any questions you may
have, I can be contacted via email at Dana

Backdoor Discovered In Netgear and Linksys Routers

From: Rod 
------------------------------------------------------
From Slashdot: "A hacker has found a backdoor in the Linksys WAG200G
router, that gives access to the admin panel without authentication.
Further research shows that these devices are made by Sercomm, meaning
that Cisco, Watchguard, Belkin and various others may be affected as well.
From the article: 'The backdoor requires that the attacker be on the local
network, so this isn’t something that could be used to remotely attack DSL
users. However, it could be used to commandeer a wireless access point and
allow an attacker to get unfettered access to local network resources.'"

Here is the original article.
http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

-- 
Using Opera's mail client: http://www.opera.com/mail/

[Bulk] OT: Twitter

From: Christopher Rimondi 
------------------------------------------------------
@crimondi


On Sat, Dec 7, 2013 at 7:41 AM, John Aldrich  wrote:

>  On Fri December 6 2013 12:01:01 PM AverageSecurityGuy wrote:
>
> For any of you who are on Twitter, my handle is @averagesecguy. I would
> like to follow as many of you as possible. Will you either send me your
> Twitter handle or follow me so that I can follow you? I also hang out on
> Freenode as avrgsecguy.
>
> Sorry, I don't tweet. :)
>