Downclimb: Summit Route's Weekly Infosec News Recap
2014.11.28 – 2014.12.05: https://SummitRoute.com
"When I said DJB is the new NIST I was not actually kidding." - Dan Kaminsky
This seems to be in reference to D. J. Bernstein and his recent comments regarding proposed crypto curves: http://www.ietf.org/mail-archive/web/cfrg/current/msg05619.html
Sony Pictures hack
It will be interesting to see how the Sony hack plays out. In the recent hacks on Target and others, customers' credit cards were hit, and although that was annoying to customers and costly to the companies, those companies are continuing on. In the case of the Sony hack, though, the impact is on the company and its employees. Private employee data is being released, which could result in lawsuits or people quitting. This concern is not often raised in consideration of cyber threats.
The popular news story is that this was North Korean hackers, but it's probably more likely to have been a disgruntled employee or just some random hackers. Saying it was North Korean hackers who were directed by Kim Jong Un makes it sound more exciting, provides advertising for their upcoming movie, and makes Sony Pictures sound helpless. Who can defend against a whole nation?
(CVE-2014-6324) The Microsoft bulletin MS14-068 discusses a Kerberos vulnerability that allows any domain user to become a domain admin. This was seen exploited in the wild. The pykek project is a Python project being developed to exploit this.