We’ve all heard about the new software in all of the classrooms in IST. Come out and learn how it works, what it’s capable of doing, and what that means in terms of privacy and legality. We’ll discuss the key logging capabilities of the software (which have now been disabled) and some other potential misuses (such as rogue teacher machines). We’ll end with an open discussion on both Insight and monitoring software in general.

Slides: 2009-11-16-insight-slides.pptx

Learn how to think like a hacker! This seminar will cover the 5 phases of an attack: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks. It is a great way to prepare for the iCTF competition.

Slides: Anatomy of the Hack
iCTF 2009 Page

The IA Club Executive Board demonstrated seminars from this year in the newly revamped Kimberly-Clark Security Lab, and the Nittany Lion, Dean Foley, and even President Graham Spanier stopped by to watch Saturday at IST’s 10th year anniversary celebration. On October 10th, 2009 the College of IST celebrated its first 10 years at Penn State. President Graham Spanier, Dean Hank Foley, and the Nittany Lion all made an appearance, playing host to an audience of nearly 300 people, including individual and corporate donors, alumni, current and former faculty and staff, and graduate and undergraduate students.

After remarks by President Spanier, Dean Foley, and others, attendees explored the IST building and exhibitions of technology demonstrations. The IA Club received plenty of attention hosting one of many technological attractions, explaining the use of dictionary attack against WPA-PSK, showing the speed of WEP cracking, playing back our Bluetooth headset capture, and other seminars. Even the Nittany Lion stopped by to showcase his hacking skills. Overall, the IA Club got great exposure to a wide audience, and the Dean congratulated us on a job well done.

The goal of this seminar was to raise awareness of increasing use of Adobe PDFs as a vector for other malware. IA Club members learned a little about the history of PDFs as well as the internal workings of the document format. We also explored a few PDF based exploits using /JavaScript and the /OpenAction functions. This seminar gave a very high level overview of buffer overflows and heap sprays and focused more on the practical application of such techniques. We also looked at some detection and mitigation strategies and best practices when dealing with PDFs.

Links
Adobe PDF Seminar Slides
JBIG2Decode Video
PDFID and PDF-Parser Video
Anatomy of Malicious PDFs – Didier Stevens
Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures
http://blog.didierstevens.com/

Tuesday, October 13th, 2009
205 IST — 7:00 PM

Insider Threat is a growing problem for today’s organizations. Often overlooked in favor of technological solutions, the “trusted insider” can commit tremendous damage to an organization. CERT has researched hundreds of cases of actual insiders, from a combination of open source reporting, Secret Service case files, and voluntary contributions from organizations. Using these case files, and statistical, psychological, and technical analysis, CERT was able to develop a model of malicious insiders and why they commit their crimes. This presentation will discuss some of the major cases we have studied, profiles of malicious insiders, and best practices for reducing the risk of insider threat.

Afterwards, Christopher will answer questions regarding future careers in government or contractors, and some general advice for “getting ahead” in the information security industry.

Speaker Biography:

Christopher King works for the Threat and Incident Management Team (TAIM) at the Computer Emergency Response Team (CERT), a federally funded research and development organization created by DARPA in 1988 after the first computer worm. TAIM researches insider threats and incident response solutions for the DoD, DHS, and other organizations. He is also a graduate student at Carnegie Mellon University, studying Information Security Policy and Management.

Previously, Christopher worked for the Defense Information Systems Agency (DISA) as an Information Assurance Manager, working in Command and Control technologies. Through his tenure at DISA, he managed multi-million dollar contracts, led a development team on the Net-Enabled Command Capability (NECC), and ensured secure architecture for the NECC program. Christopher has also worked for DHS Office of Inspector General, and CERT’s Vulnerability Analysis team.

Christopher attended Penn State University and received a degree in Information Sciences and Technology in 2007.

This October has been declared National Cyber Security Awareness Month, a month in which Americans are encouraged to learn more about the national security priority that is the U.S. communications infrastructure.

Americans are constantly adopting new and innovative technologies. This exposure has dramatically increased our thirst for computers, smartphones, and other digital solutions at work and at home. Our Nation’s growing dependence on cyber and information-related technologies, coupled with an increasing threat of malicious cyber attacks and loss of privacy, has given rise to the need for greater security of our digital networks and infrastructures. In the Information Age, the very technologies that empower us to create and build also empower those who would disrupt and destroy. During National Cybersecurity Awareness Month, we rededicate ourselves to promoting cybersecurity initiatives that ensure the confidentiality of sensitive information, the integrity of e-commerce, and the resilience of digital infrastructures.

Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans. This month, we highlight the responsibility of individuals, businesses, and governments to work together to improve their own cybersecurity and that of our Nation. We all must practice safe computing to avoid attacks. A key measure of our success will be the degree to which all Americans educate themselves about the risks they face and the actions they can take to protect themselves and our Nation’s digital infrastructure.

Source: White House Press Release

In honor of National Cybersecurity Awareness Month, the Information Assurance Club would like to highlight two cyber related reports.

First, Websense has released their “State of Internet Security, Q1-Q2 2009” report. This report outlines and reemphasizes many of the things we already know. Today’s threats are leading to the Web, whether as the vector of the attack or simply the route in which stolen, confidential data is transmitted. Further underscoring the growth of the Web as the primary threat vector, during the first half of 2009 Websense Security Labs discovered:

• 233% growth in the number of malicious sites in the last six months and a 671% growth during the last year.
• 77% of Web sites with malicious code are legitimate sites that have been compromised.
• 95% of comments to blogs, chat rooms and message boards are spam or malicious.
• 57% of data-stealing attacks are conducted over the Web.
• 85.6% of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

A video summary of the report can be found below (along with Part 2):

Second, the American Bar Association published a paper, “National Security Threats in Cyberspace.” In June of this year, more than two dozen experts with diverse backgrounds – physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security and intelligence officials; congressional staffers; and civil liberties advocates – discussed their thoughts on the tenets of cyber policy as they relate to national security. The participants were asked to consider in particular: (1) what national security threats are posed by actors in cyberspace, (2) how the United States is currently addressing threats in cyberspace, (3) potential legal and doctrinal issues in cyberspace, (4) the organizational framework needed for a coherent cyber strategy, (5) the future of cyberspace and (6) metrics for success.

This presentation covered some of the basics of Linux, its history, its business uses, and a hands-on portion encouraging attendees to try out Ubuntu 9.04 for themselves. This event was held in conjunction with the student club Women in IST (WIST) as part of their Successful Women in IT series, and members of both clubs got to interact and learn more about each club over ice cream after the seminar. Thirty Ubuntu 9.04 Live CDs were distributed to encourage members to try Linux on their own computers at home without permanently changing anything. Members also got a look at the powerful command line under the hood of Linux through SSH by using Penn State’s Linux cluster.

Slides: Linux Seminar Slides

More information:
Ubuntu Linux: http://www.ubuntu.com/
Penn State Linux Cluster: CLC Linux – Documentation
Command line cheat sheet: http://files.fosswire.com/2007/08/fwunixref.pdf

Firefox:
http://www.getfirefox.com

Addons:
SQL Inject Me (https://addons.mozilla.org/en-US/firefox/addon/7597)
XSS Me (https://addons.mozilla.org/en-US/firefox/addon/7598)
Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/966)

Playground:
http://www.codecrypt.com/websecurity

Slides:
http://iaclub.ist.psu.edu/files/2009-09-17-slides.pptx