Your daily source of Pwnage, Policy and Politics.

Episode 578 – malwareAnywhere™, Zulu, NYPII, DoDroid & Threat of the Year

InfoSec Daily Podcast Episode 578 for January 26, 2012.  Tonight's podcast is hosted by Rick Hayes, Adrian Crenshaw, Karthik Rangarajan, Geordy Rostad, and Varun Sharma.
 

Announcements:

Unsung Heros

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… Chris John Riley has started to gather suggestions for your “unsung hero” of the tools world.  He is looking specifically for tools that aren’t on every penetration tester’s or forensic investigator’s list but that you have respect for.  http://blog.c22.cc/2012/01/13/unsung-heros

Information Security Blogger Awards 2012
Since we were overlooked again for Best Podcast on Security, you can email ashimmy@hotmail.com with your name, email address, and ISD Podcast as your write-in nominee.  Please note that you have to provide your blog or podcast URL so that it can be verified that you are a blogger or podcaster.  Vote for your favorite blogs as well on http://www.ashimmy.com.

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital ever since.

Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to.  Please feel free to check in for status or to donate.  Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

ShmooCon Epilogue
When: After ShmooCon
Where: Washington, DC
Hit up anyone in NOVA Hackers

Metasploit Framework Unleashed Cincinnati
When: February 11, 2012
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC

Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington

When: July 21-24, 2012
Where: Black Hat Vegas

When: August 20-24, 2012
Where: Bristol, UK

When: November 12-16, 2012
Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.


 

Stories

Source: http://www.theregister.co.uk/2012/01/25/pcanywhere_patch/

 

Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of a brace of serious security flaws.

 

The more severe of the two holes allows hackers to remotely inject code into vulnerable systems – made possible because a service on TCP port 5631 permits a fixed-length buffer overflow during the authentication process. This line of attack ought to be blocked by a properly configured firewall, but it'd be stupid to rely on that without patching vulnerable systems.

 

The other flaw relies on overwriting files installed by pcAnywhere in order to escalate a user's privileges, although miscreants will already need access to a vulnerable system to do this.

 

Neither flaw has been weaponised into exploits by hackers, reckons Symantec. The security firm credits Edward Torkington (of NGS Secure) and independent security researcher Tad Seltzer with discovering the flaws.

 

Source: http://research.zscaler.com/2012/01/introducing-project-zulu.html

 

Our goal in building Zulu was to provide a simple and straightforward interface accessible to anyone regardless of security knowledge, while still delivering granular results that are of value to those that are more security savvy. I believe we've achieved this by providing a UI that requires no additional input beyond the URL to be analyzed, while allowing a few necessary advanced options (User-Agent and Referer) when encountering malware triggered only when certain input variables are met. Results display an overall ranking of Benign, Suspicious or Malicious, and also include details of the elements that went into the overall score.

 

Source: https://threatpost.com/en_us/blogs/data-breach-affects-two-million-ny-customers-state-commission-investigate-012412#.Tx8yS3ae0YA.reddit

 

The New York State Public Service Commission announced yesterday they'll be looking into a data breach that may have exposed the personal information of almost two million customers to unknown attackers.

 

An employee from a software consulting firm contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was allowed unauthorized access to the company’s databases, prompting the investigation, according to a statement by the Commission on Monday.

 

Both companies are owned by Iberdrola USA of Rochester, N.Y. and serve approximately 1.8 million customers collectively.

 

While NYSEG and RG&E claim there is no proof customers’ data may have been mishandled, they have begun to send preventive notifications regarding the breach to their customers. The exposed data includes Social Security Numbers, dates of birth and some financial account information, according to a press release (.PDF) issued by the NY Commission on Monday.

 

Source: http://fcw.com/articles/2012/01/24/android-smart-phones-tablets-classified-sipr-network.aspx

 

New security standards expected to be approved soon would let devices powered by the Android operating system use the Defense Department's classified networks, according to an Army official.

 

DOD and the National Institute of Standards and Technology are close to approving the standards, according to Michael McCarthy, program manager and director of operations, Army Brigade Modernization Command. The standards will allow service members, DOD personnel and other government users to use the devices on classified networks, including the military’s Secret Internet Protocol Router Network (SIPRNet).

 

McCarthy spoke Jan. 24 at the Soldier Technology 2012 conference in Arlington, Va. He said the goal is to have Android smart phones and tablets able to connect to SIPR-level systems by the summer. This development marks a critical step forward for tactical operations and represents the high priority that mobile communications have become, he said.

 

“There were going to be no information assurance [standards issued] until 2014, but with the groundswell of interest and needs, the agencies responsible for certification are giving this a higher priority,” McCarthy said. “The key is that it allows users from DOD and other agencies to access databases that in the past they couldn’t get to using a smart phone.”

 

Source: http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-01.aspx

 

In 2011, a number of highly visible cyberattacks made news headlines around the world, but the underlying problem affects us all. It seems that the cybercriminals are getting bolder in their attacks as the availability of commercial tools makes mass generation of new malicious code campaigns and exploits easier. The net result has been significant growth in volume of malware and infections.

 

And for 2012, I anticipate growing sophistication in web-borne attacks, even broader use of mobile and smart devices, and rapid adoption of cloud computing bringing new security challenges.

 

The web will undoubtedly continue to be the most prominent vector of attack. Cybercriminals tend to focus where the weak spots are and use a technique until it becomes far less effective. We saw this with spam email, which is still present but less popular with cybercriminals as people deploy highly effective gateways. The web remains the dominant source of distribution for malware—in particular malware using social engineering, or targeting the browser and associated applications with exploits. Social media platforms and similar web applications have become hugely popular with the bad guys, a trend that is only set to continue.

Episode 577 – Pentest Lessons, Kelihos, O2mo, Privacy Backlash, Hiding Bad Reviews & DNS Changer Change Back

InfoSec Daily Podcast Episode 577 for January 25, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, and Varun Sharma.
 

Announcements:

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Pentest Lessons:
Adam Compton & Zac Wagle should get credit for the "Pentest Lessons" idea. They also started a Twitter account: https://twitter.com/pentestlessons.

Lesson 1: If you are beginning to freelance, make sure you have solid contracts and have a lawyer read the contract drafts.  Core released some boilerplate examples about a year ago that are floating around on the internet available to freely use.  Also, when you talk to a lawyer, don’t make small talk.  The rates they charge make pentesters look like a bunch of chumps, and they charge for every minute you have their attention.

Lesson 2: Depending on the nature of your pentest, consider adding geography into the scope agreement.  Shortly after Firesheep was released, I caught an executive of the company I was testing as he accessed wifi at the Starbucks down the street.  The company attempted to invalidate the results because I did not have a specific clause stating that I could act outside of the physical building.

Lesson 3: Many small-business IT outsourcing firms are now tacking “Security” onto their product offerings (for example “Bob’s Computers: Service, Sales, Security”).  As a result, many young techs are being shovelled into security audits without having any clue that security extends beyond asking whether backups are stored offsite and whether user drives have appropriate permissions.  Fear not, there’s a resource for this: THE PTES.  Read it; use the appropriate sections; google the shit out of everything you don’t understand.

[Thanks listener Adam]
 

Stories

Source: http://www.computerworld.com/s/article/9223667/Accused_Kelihos_botnet_maker_worked_for_two_security_firms

A Russian man who was accused Monday by Microsoft of creating the Kelihos botnet worked for a pair of security-related firms from 2005 to 2011, according to evidence on the Web.

In an amended complaint filed yesterday in federal court, Microsoft identified the man as Andrey Sabelnikov of St. Petersburg.

According to his LinkedIn profile, Sabelnikov worked for two Russian companies that specialize in security, including the antivirus firm Agnitum, for the last six years.

Agnitum, which is based in St. Petersburg, develops and sells a Windows antivirus product called OutPost Antivirus Pro as well as a personal firewall for Windows PCs. A company spokesman confirmed today that Sabelnikov worked for the firm from September 2005 until November 2008.

Sabelnikov held a number of titles, ending his time with Agnitum as a project manager responsible for everything from "designing the product architecture" to "implementing … critical parts of code."

In an emailed reply to questions, the Agnitum spokesman said that Sabelnikov "resigned by his own will in late 2008."

From November 2008 until December 2011, Sabelnikov worked for another Russian company, Returnil, which also markets security software. Returnil's primary product, Virtual System Pro, clones an existing copy of Windows in a virtual machine as a way to protect users from malware.

….

Source: http://www.thinkbroadband.com/news/4990-o2-shares-your-mobile-phone-number-with-every-website-you-visit.html

If you're reading this news article using your O2 mobile phone, you'll be pleased to know that O2 have already sent us your mobile phone number within the HTTP headers which normally contain information about how content can be displayed on your device. These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share.

 

For example, if you open an e-mail which includes references to external images, the mere action of opening the e-mail would divulge your phone number. This could be used by anyone undertaking a phishing attack or other scam to get more information from you. The opportunity to abuse this is potentially endless.

Source: http://blogs.ft.com/fttechhub/2012/01/google-faces-norwegian-public-sector-ban/#axzz1kPjBMnTo

Norwegian public sector organisations will be banned from using Google Apps after the Norwegian data protection authorities ruled that the service could put citizens’ personal data at risk.
 

The data protection authority said Google Apps did not comply with Norwegian privacy laws because there was insufficient information about where data was being kept. The decision came from a test case in Narvik, where the local council had chosen to use Google Apps for their email.

 

The Norwegian ban comes just as things were going so well for Google Apps in Europe, with the company winning its largest ever contract with BBVA, the Spanish bank.

 

Now, however, Google could find access to swathes of public sector work effectively closed. Early last year, there was a similar decision in Denmark, where the town of Odense was banned from using Google Apps in its schools. Privacy regulators were concerned that if teachers used Google’s document and calendar functions for lesson planning, student assessment and communicating with parents, it would leave some sensitive personal data at risk.

Source: https://www.net-security.org/secworld.php?id=12267

For individuals and companies that have a bad online reputation, online reputation management (ORM) services might sound like a good investment. Such services are not illegal, even though search engines such as Google do not look favorably upon them.

 

But every now and then, some firms offering those services succumb to the temptation of using illegal means to achieve their goal. And, according to Fox News, California-based Rexxfield is currently being accused of belonging to that group.

 

As Darren Meade, a former CEO of another California-based company, tells it, Rexxfield owner Michael Roberts shared with him his intent of buying and using hacking code to surreptitiously modify websites containing negative comments and make them drop down in search results.

 

The code in question allegedly allows users to inject a "noindex" tag into the source code of these sites, which makes search engine crawlers skip indexing them and, thus, effectively hiding them from the great majority of users. Roberts even demonstrated to Meade the effectiveness of the code in question by hacking Ripoff Report, a popular online consumer complaint site.
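The noindex injection described above, from the defender's side: an added example (not code from the podcast, the article, or any party it names) that scans a served page's HTML and response headers for robots directives that would hide it from crawlers, so a site owner can spot a tag that was never meant to be there. The sample HTML and header values are constructed.

```python
"""Detect crawler de-indexing directives (meta robots / X-Robots-Tag) in served pages."""
from html.parser import HTMLParser

# Meta names that carry crawler directives: the generic one plus bot-specific ones.
ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}
# Directives that remove a page from search results ("none" == noindex,nofollow).
HIDING_DIRECTIVES = {"noindex", "none"}


class _RobotsMetaScanner(HTMLParser):
    """Collect (meta name, directive) pairs from <meta name="robots|googlebot|..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in ROBOTS_META_NAMES:
            for token in a.get("content", "").lower().split(","):
                token = token.strip()
                if token:
                    self.directives.append((name, token))


def find_hiding_directives(html, headers=None):
    """Return (source, directive) pairs that would hide the page from crawlers.

    `headers` is an optional dict of response headers; X-Robots-Tag carries the
    same directives as the meta tag (optionally prefixed "botname: ...").
    """
    scanner = _RobotsMetaScanner()
    scanner.feed(html)
    hits = [("meta:" + n, d) for n, d in scanner.directives if d in HIDING_DIRECTIVES]
    for key, value in (headers or {}).items():
        if key.lower() != "x-robots-tag":
            continue
        for token in value.lower().split(","):
            token = token.split(":")[-1].strip()   # drop a "googlebot:" prefix
            if token in HIDING_DIRECTIVES:
                hits.append(("header:x-robots-tag", token))
    return hits


# Constructed samples: a complaint page with an injected noindex tag, and a clean one.
SAMPLE_HTML = """<html><head><title>Complaint #123</title>
<meta name="ROBOTS" content="NOINDEX, nofollow">
</head><body>...</body></html>"""
CLEAN_HTML = "<html><head><title>Complaint #124</title></head><body>ok</body></html>"

if __name__ == "__main__":
    print("injected page:", find_hiding_directives(SAMPLE_HTML))
    print("clean page:", find_hiding_directives(CLEAN_HTML))
```

Run it against a crawl of your own site on a schedule and alert on any hit outside the pages you deliberately exclude from indexing.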

Source: https://www.networkworld.com/news/2012/012412-authorities-prepare-to-close-down-255242.html

German authorities are advising victims of DNSChanger Trojan programs to fix their computers' Domain Name System settings using a free tool developed by antivirus company Avira, because the servers resolving DNS queries on their behalf will be closed down on March 8.

 

DNSChanger is a family of Trojans for Windows and Mac OS X whose primary function is to replace the DNS servers defined on the victim's computer with rogue ones operated by the malware's authors.

 

The DNS is a vital part of the Internet infrastructure and is used to resolve domain names into numerical IP addresses. By controlling DNS responses, the DNSChanger gang was able to redirect victims to rogue websites that distributed fraudulent software or displayed money-generating advertisements.

 

The DNSChanger operation was shut down by the U.S. Federal Bureau of Investigation in November last year following a two-year long investigation. The authorities estimated the number of computers infected with this type of Trojan at 500,000 in the U.S. and over 4 million worldwide.
