InfoSec Daily Podcast
ISD Podcast Episode 139 for May 27, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- San Francisco – June 14th–18th
- Atlanta – July 12th–16th
- Dallas, TX – October 11th–15th
- Washington DC – December 6th–10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
Atlanta ISSA:
North Alabama ISSA:
Friends of the Podcast:
Webhosting services: WebSpeedway
Stories of Interest:
News item 1: http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
Worried about the NSA, the FBI, criminals or cyberspies electronically eavesdropping on your private phone calls? There may be an untappable app for that. On Tuesday, an independent hacker and security researcher who goes by the handle Moxie Marlinspike and his Pittsburgh-based startup Whisper Systems launched free public betas for two new privacy-focused programs on Google’s Android mobile platform: RedPhone, a Voice over Internet Protocol (VoIP) program that encrypts phone calls, and TextSecure, an app for sending and receiving encrypted text messages and scrambling the messages stored in the inbox.
Marlinspike says the apps will interface with users’ contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can’t be eavesdropped by third parties. “Our main aim is to make this as easy as possible,” he says. “We want it to be a secure and anonymous drop-in replacement for the normal dialing system on your phone.”
RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. When a caller dials another RedPhone user, the app uses the two users’ keys to create a simple passphrase (“flatfoot eskimo” or “slingshot millionaire,” for example) and display it on each phone, allowing the speakers to verify that the codes match, and that there’s no man-in-the-middle intercepting the call.
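To make the verification step concrete, here is an added simulation of the idea behind the ZRTP short authentication string. It is example code written for these show notes, not RedPhone's or ZRTP's implementation: the Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 3), the 16-word list and the 4-word SAS are all toy parameters chosen for brevity, and the SAS is derived here as a plain SHA-256 over the shared secret and both public values, which is a simplification of the real key-derivation schedule. The point it demonstrates is the one in the article: when both ends compute the same key the displayed words agree, and when someone on the path substitutes their own key exchange, each end derives a different key and therefore different words.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only.
# Real ZRTP uses standardised 3072-bit MODP or elliptic-curve groups.
P = (1 << 127) - 1
G = 3

# Constructed 16-word list. ZRTP's real SAS uses the PGP word lists
# (256 words each), so a real SAS carries more bits than this one.
WORDS = [
    "flatfoot", "eskimo", "slingshot", "millionaire", "anchor", "bison",
    "crater", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "juniper", "kestrel", "lantern",
]


def dh_keypair():
    """Generate a private exponent and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic Diffie-Hellman: (peer_pub)^priv mod p."""
    return pow(peer_pub, priv, P)


def short_auth_string(secret, caller_pub, callee_pub):
    """Derive a 4-word SAS (16 bits in this toy) from the shared secret and
    both public values as each side saw them. Binding the public values in
    means tampering with the exchange changes the words, not just the key."""
    h = hashlib.sha256()
    for v in (secret, caller_pub, callee_pub):
        h.update(v.to_bytes(16, "big"))  # all values are < 2^127, so 16 bytes fit
    d = h.digest()
    nibbles = [d[0] >> 4, d[0] & 0xF, d[1] >> 4, d[1] & 0xF]
    return " ".join(WORDS[n] for n in nibbles)


def simulate_call(intercepted):
    """Return what each phone would display and whether the two ends really
    share a key. With intercepted=True an attacker on the path swaps in its
    own public values, ending up with one key shared with the caller and a
    different key shared with the callee."""
    a_priv, a_pub = dh_keypair()  # caller
    b_priv, b_pub = dh_keypair()  # callee
    if intercepted:
        _, m_to_caller = dh_keypair()
        _, m_to_callee = dh_keypair()
        seen_by_caller, seen_by_callee = m_to_caller, m_to_callee
    else:
        seen_by_caller, seen_by_callee = b_pub, a_pub
    caller_secret = shared_secret(a_priv, seen_by_caller)
    callee_secret = shared_secret(b_priv, seen_by_callee)
    return {
        "caller_sas": short_auth_string(caller_secret, a_pub, seen_by_caller),
        "callee_sas": short_auth_string(callee_secret, seen_by_callee, b_pub),
        "keys_match": caller_secret == callee_secret,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate_call(intercepted=mode)
        print("intercepted" if mode else "direct    ",
              "| caller sees:", r["caller_sas"],
              "| callee sees:", r["callee_sas"],
              "| same key:", r["keys_match"])
```

The security of the check rests on the two people reading the words aloud over the already-encrypted call and comparing them; an attacker who has split the call holds two different keys and would have to forge the spoken comparison in real time. With the 16-bit toy SAS used here the two displays still agree by chance about once in 65,536 intercepted calls, which is why the real protocol uses a longer string.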
News item 2: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225200102
The rampant use of default passwords within live database environments continues to plague the security of enterprise data, researchers say.
“It’s a problem that has been around for a long, long time,” says Alex Rothacker, manager of Team SHATTER, Application Security Inc.’s research arm. “A lot of default passwords out there get installed when you deploy a database, you install an add-on to it, or even if you install a third-party application that uses the database.”
As he puts it, the problem of default passwords lingering in the wild has built up during the years as a result of cumulative errors by both vendors and database administrators. In the past, the majority of vendors had no compunction about pushing out installers that automatically created default accounts to expedite the deployment of new databases, add-ons, or applications on top of the database.
“In order to perform some of the installation functions, they need to create database accounts, and some of them simply go and create an account and put a default password on it that’s well-known to the whole world,” he says.
Meanwhile, users did nothing to clean up these default accounts once installation was complete. Rothacker says the situation on the vendor front has improved considerably in recent years, but default passwords continue to be a problem for a number of reasons.
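The cleanup Rothacker describes starts with knowing which installer-created accounts still carry their out-of-the-box password. The following is an added example of that audit, not code from Team SHATTER or any database vendor: it takes an export of accounts with salted password hashes and a list of known default credentials, and reports the accounts whose stored hash still matches a default. The account names, passwords and the salted-SHA-256 storage format are all constructed placeholders; a real audit would use the vendor's documented default accounts and that database's actual password hashing scheme.

```python
import hashlib
import hmac

# Constructed list of account -> default passwords an installer or add-on
# might leave behind. Placeholders only, not any real product's defaults.
KNOWN_DEFAULTS = {
    "appadmin": ["appadmin", "changeme"],
    "report_svc": ["report_svc"],
    "dbmon": ["monitor"],
}


def _hash_password(salt, password):
    """Assumed storage format for this example: SHA-256 over salt || password."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def _entry(user, salt, password):
    """Build one constructed export row: (username, salt, stored hash)."""
    return (user, salt, _hash_password(salt, password))


# Constructed account export as it might come out of a live database.
ACCOUNT_EXPORT = [
    _entry("appadmin", "c3f1", "changeme"),      # never changed after install
    _entry("REPORT_SVC", "9a20", "Kj4!pZ8q#Wm"),  # rotated by the DBA
    _entry("dbmon", "71bd", "monitor"),          # add-on's default, still live
    _entry("alice", "e08e", "correct horse"),    # ordinary user, not in list
]


def audit_default_passwords(accounts, defaults):
    """Return the usernames whose stored hash matches one of their known
    default passwords. Lookup is case-insensitive on the username because
    databases differ in how they store identifiers."""
    by_lower = {name.lower(): pws for name, pws in defaults.items()}
    findings = []
    for user, salt, stored in accounts:
        for candidate in by_lower.get(user.lower(), []):
            # compare_digest avoids a timing side channel on the hash compare
            if hmac.compare_digest(_hash_password(salt, candidate), stored):
                findings.append(user)
                break
    return findings


def unreviewed_default_accounts(accounts, defaults):
    """Default accounts that exist at all, regardless of password. Even a
    re-passworded default account deserves a decision: keep, lock or drop."""
    by_lower = {name.lower() for name in defaults}
    return [user for user, _, _ in accounts if user.lower() in by_lower]


if __name__ == "__main__":
    print("still on default password:", audit_default_passwords(ACCOUNT_EXPORT, KNOWN_DEFAULTS))
    print("default accounts present:  ", unreviewed_default_accounts(ACCOUNT_EXPORT, KNOWN_DEFAULTS))
```

Running this against the constructed export flags `appadmin` and `dbmon` as still using a default password, while `REPORT_SVC` shows up only in the second list: its password was changed, but the account itself is still an installer artifact that someone should consciously decide to keep or remove.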
News item 3: http://news.techworld.com/security/3224848/new-undersea-cable-feeds-african-botnets/
Spam coming from Africa could be about to boom thanks to new broadband infrastructure in the Eastern half of the continent, according to Symantec’s MessageLabs division.
The proportion of global spam sent from Africa is still a tiny 3 percent by MessageLabs’ reckoning, but that is up from 2 percent in April 2009. At a time when global spam levels are stable, the extra 1.2 billion spam emails are large enough to count as a new trend.
Although the western side of Africa, and North Africa in particular, still accounts for the overwhelming volume of African spam, the company notes that the lighting of a new undersea fibre cable running down the eastern edge of the continent in July 2009 was probably the key development.
Coming ashore in Djibouti, Kenya, Tanzania, Madagascar and Mozambique, the 8,400 km long, 1.2 terabit link could explain why that side of the continent has seen its share of the African spam phenomenon rise.
News item 4: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=225200320
Cell phones and other handheld devices could become a great way to listen in on spoken conversations, researchers at George Mason University said this week.
In a paper (PDF), researchers Ryan Farley and Xinyuan Wang describe several new plays on the concept of “microphone hijacking,” which has been used for years. The idea is to put spyware on mobile devices — including laptops, cell phones, and PDAs — that can use their built-in microphones to eavesdrop on nearby conversations.
In the past, this eavesdropping has usually been done via the victim’s own cell phone or other device. But Farley and Wang describe a way to bug devices belonging to nearby users to achieve similar results.
Under the researchers’ concept, called a “roving bugnet,” the eavesdropper would use a piece of malware called a “bugbot” to listen in on in-person interactions via a nearby smartphone or laptop. Such attacks would be more likely to target specific people (such as an executive or a spouse) than to be used as a broad attack, the researchers say.
Farley and Wang conducted experiments on Windows XP and Mac OS laptops. The researchers directed their bugbot to join an Internet Relay Chat channel so they could remotely enable and disable each laptop’s microphone, streaming real-time conversations nearby. The same thing, they said, could be done on almost any smartphone.