Josh Schwartz, Salesforce’s director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave talk at the Defcon security conference talk in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a “modular malware implant framework (PDF)” similar in intent to the Metasploit toolkit used by many penetration testers. The tool, “pitched as taking ‘the boring work’ out of pen-testing to make red teams, including at Salesforce, more efficient and effective”, was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: The two were fired “as soon as they got off stage” by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn’t seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published. Read more of this story at Slashdot.
Read the original post:
Salesforce Fires Red Team Staffers Who Gave Defcon Talk
CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a “potential security issue.” The move comes after security firm Kryptowire demonstrated last week how software in Blu’s phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it “has several policies in place which take customer privacy and security seriously.” She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon. Read more of this story at Slashdot. 
From a CNET report: Next to DJ Tiesto’s loud image on Wet Republic’s website sits a photo of a bikini model with a beard and an eye patch, with a simple message: “It’s all out war.” Not exactly the type of message you’d expect from a spot that advertises itself as a dance club that doubles as a pool party, but when hackers are in town for Defcon, everything seems to be fair game. The hacker convention, which is in its 25th year in Las Vegas, typically has hotels on alert for its three days of Sin City talk, demos and mischief. Guests are encouraged not to pick up any flash drives lying around, and employees are trained to be wary of social engineering — that is, bad guys pretending to be someone innocent and in need of just a little help. Small acts of vandalism pop up around town. At Caesars Palace, where Defcon is happening, the casino’s UPS store told guests it was not accepting any print requests from USB drives or links, and only printing from email attachments. Hackers who saw this laughed, considering that emails are hardly immune from malware. But the message is clear: During these next few days, hackers are going to have their fun, whether it’s through a compromised Wi-Fi network or an open-to-mischief website. Wet Republic’s site had two images vandalized, both for the “Hot 100” party with DJ Shift. The digital graffiti popped up early Friday morning, less than 24 hours after Defcon kicked off. Read more of this story at Slashdot. 