2010
05.31

RSS feed issues resolved

Thanks to our listeners who let us know about the issue. We were finally able to resolve the issue with the RSS feed not displaying the mp3 file size correctly by switching over to Feedburner. Unfortunately, it seems that the issue with the file size was really hit or miss and it never impacted the iTunes xml.

2010
05.31

Episode 141 – Ubuntu 1 – Apple 0

InfoSec Daily Podcast

 
ISD Podcast Episode 141 for May 31, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

North Alabama ISSA:

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9176883/P2P_networks_a_treasure_trove_of_leaked_health_care_data_study_finds
Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College’s Tuck School of Business has found.

In a research paper to be presented at an IEEE security symposium Tuesday, Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.

One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

While some of the documents appear to have been leaked before the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, many appear to be fairly recent. A previous study by Dartmouth in 2008 also unearthed files containing health-care data floating on P2P networks, such as Limewire, eDonkey and BearShare. Among the documents found in that study was one containing 350MB of patient data for a group of anesthesiologists and another on patients at an AIDS clinic in Chicago.

News item 2:  http://news.cnet.com/8301-1009_3-20005844-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Botnets are available for hire for as little as $8.94 an hour, underscoring how little financial muscle or technical expertise is needed to carry out attacks, according to VeriSign’s cybersecurity intelligence arm.

VeriSign said Monday that it carried out an online investigation into 25 botnet operators in February, targeting botnet services advertised on three Web forums. The study found that hourly botnet rental pricing started at $8.94, while the average price for a 24-hour rental was $67.20.

The services advertised a number of attack vectors, including ICMP, SYN, UDP, HTTP, HTTPS, and Data. The botnet operators plied their wares via the same techniques as legitimate businesses, such as via forums and banner ads. One botnet operator offered a pricing structure for taking down sites that have anti-attack measures installed.

News item 3: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424

Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn’t prevent access to your data … as long as the person doing the snooping around is using Ubuntu “Lucid Lynx” 10.04.

Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx …

I uncovered a data protection vulnerability [9], which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07), all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

This is what you get via an auto mount without any PIN request:

This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a PIN code based authentication in place to unlock it.

This, quite honestly, is a staggering flaw. It basically allows anyone capable of driving a Linux PC to copy data off of an iPhone without the owner of the phone having any idea whatsoever that this has happened.

2010
05.28

Episode 140 – Centralized Physical Security

InfoSec Daily Podcast

 
ISD Podcast Episode 140 for May 28, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://www.itwire.com/business-it-news/security/39109-microsoft-controls-worldwide-physical-security-operations-from-three-sites
What does business continuity mean to you? For Microsoft Global Security it can involve locking a door from the other side of the world.

One part of Microsoft Global Security’s activities is monitoring physical security at the company’s premises around the world. This is carried out from three Global Security Operations Centers (GSOCs), located at Redmond (USA), Reading (UK) and Hyderabad (India), each responsible for its geographical region.

The previous approach was decentralized, people-intensive, and involved more than 60 different proprietary systems, inconsistent policies across locations, live video monitoring, VCR recording, and lots of paper.

In contrast, the GSOCs are centralized, automated, highly interoperable, and use generic hardware (notebooks are used so they can be quickly removed if a centre must be evacuated), off-the-shelf software, and digital video. The hardware standardization means that any workstation can be used for any purpose, though in practice seats are associated with particular functions.

2010
05.27

Episode 139 – Redphone Crypto Calls

InfoSec Daily Podcast

 
ISD Podcast Episode 139 for May 27, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
Worried about the NSA, the FBI, criminals or cyberspies electronically eavesdropping on your private phone calls? There may be an untappable app for that. On Tuesday, an independent hacker and security researcher who goes by the handle Moxie Marlinspike and his Pittsburgh-based startup Whisper Systems launched free public betas for two new privacy-focused programs on Google’s Android mobile platform: RedPhone, a Voice over Internet protocol (VoIP) program that encrypts phone calls, and TextSecure, an app for sending and receiving encrypted text messages and scrambling the messages stored in their inbox.

Marlinspike says the apps will interface with users’ contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can’t be eavesdropped by third parties. “Our main aim is to make this as easy as possible,” he says. “We want it to be a secure and anonymous drop-in replacement for the normal dialing system on your phone.”

RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. When a caller dials another RedPhone user, the app uses the two users’ keys to create a simple passphrase (“flatfoot eskimo” or “slingshot millionaire,” for example) and display it on each phone, allowing the speakers to verify that the codes match, and that there’s no man-in-the-middle intercepting the call.

News item 2: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225200102
The rampant use of default passwords within live database environments continues to plague the security of enterprise data, researchers say.

“It’s a problem that has been around for a long, long time,” says Alex Rothacker, manager of Team SHATTER, Application Security Inc.’s research arm. “A lot of default passwords out there get installed when you deploy a database, you install an add-on to it, or even if you install a third-party application that uses the database.”

As he puts it, the problem of default passwords lingering in the wild has built up during the years as a result of cumulative errors by both vendors and database administrators. In the past, the majority of vendors had no compunction about pushing out installers that automatically created default accounts to expedite the deployment of new databases, add-ons, or applications on top of the database.

“In order to perform some of the installation functions, they need to create database accounts, and some of them simply go and create an account and put a default password on it that’s well-known to the whole world,” he says.

Meanwhile, users did nothing to clean up these default accounts once installation was complete. Rothacker says the situation on the vendor front has improved considerably in recent years, but default passwords continue to be a problem for a number of reasons.

News item 3:  http://news.techworld.com/security/3224848/new-undersea-cable-feeds-african-botnets/
Spam coming from Africa could be about to boom thanks to new broadband infrastructure in the Eastern half of the continent, according to Symantec’s MessageLabs division.

The proportion of global spam sent by Africa is still a tiny 3 percent, by MessageLabs’ reckoning, but that is up from the 2 percent in April 2009. At a time when global spam levels are stable, the extra 1.2 billion spam emails is large enough to count as a new trend.

Although the Western side of Africa, and North-Africa in particular, still account for the overwhelming volume of African spam, the company notes the lighting of a new undersea fibre cable running down the eastern edge of the continent in July 2009 was probably the key development.

Coming ashore in Djibouti, Kenya, Tanzania, Madagascar and Mozambique, the 8,400 km long, 1.2 terabit link could explain why that side of the continent has seen its share of the African spam phenomenon rise.

News item 4: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=225200320
Cell phones and other handheld devices could become a great way to listen in on spoken conversations, researchers at George Mason University said this week.

In a paper (PDF), researchers Ryan Farley and Xinyuan Wang describe several new plays on the concept of “microphone hijacking,” which has been used for years. The idea is to put spyware on mobile devices — including laptops, cell phones, and PDAs — that can use their built-in microphones to eavesdrop on nearby conversations.

In the past, this eavesdropping has usually been done via the victim’s own cell phone or other device. But Farley and Wang describe a way to bug nearby devices belonging to nearby users to achieve similar results.

Under the researchers’ concept, called a “roving bugnet,” the eavesdropper would use a piece of malware called a “bugbot” to listen in on in-person interactions via a nearby smartphone or laptop. Such attacks would be more likely to target specific people (such as an executive or a spouse) than as a broad attack, the researchers say.

Farley and Wang conducted experiments on Windows XP and Mac OS laptops. The researchers directed their bugbot to join an Internet Relay Chat channel so they could remotely enable and disable each laptop’s microphone, streaming real-time conversations nearby. The same thing, they said, could be done on almost any smartphone.

2010
05.26

Episode 138 – AMEX and LANRev Fail

InfoSec Daily Podcast

 
ISD Podcast Episode 138 for May 26, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://www.news.com.au/breaking-news/firing-dispatcher-for-facebook-drug-joke-was-right-wisconsin-council-claims/story-e6frfku0-1225870794794
“A city council in Wisconsin defended its decision to fire a Police and Fire Department dispatcher who joked about drug addiction on her Facebook page.”

The arbitrator said the dispatcher could come back after a 30-day suspension but the police chief appears to believe her joke was so inappropriate and “an embarrassment to the city”.
Personally this seems a bit extreme; however, social networking users should be aware that investigating Facebook pages of employees is becoming more common. Interested in seeing other status messages or postings? Then check out: http://youropenbook.org.

News item 2: http://www.net-security.org/secworld.php?id=8786

Brian Thomas Mettenbrink from Nebraska has been sentenced to a year in federal prison for his participation in the cyber attacks on the Church of Scientology’s servers a couple of years ago.

Mettenbrink pleaded guilty in January. Back then, he admitted that he downloaded computer software from an “Anonymous” message board and used that software to bombard Scientology websites to the point that it impaired the integrity and availability of those websites in a variation of a DDoS attack.

News item 3:   http://twitter.com/AmericanExpress/status/14717827795

American Express may be in hot water after a computer engineer discovered a portion of the card brand’s website, which claims to be secure, is sending private information in the clear.

Joe Damato wrote in a blog post Tuesday that he received a promotional email from American Express encouraging him to sign up for the Daily Wish service, through which cardholders can receive hefty discounts on a limited amount of merchandise, such as computers and camcorders.

If users click on the “Sign up for Daily Wish” button, they are prompted to enter personal information, such as name, card number, security code, expiration date and billing zip code, into a pop-up box. The box includes a “This page is secure” notification link, but upon further review, Damato found this not to be the case.

The domain for the sign-up box was not using “https,” an encrypted form of information transfer, he said. Damato used the open-source packet analyzer Wireshark to confirm that the (fake) information he entered into the form was delivered in clear text back to American Express’ server.

The card company, in a tweet posted this evening, said “Aware of situation, under investigation. Site is secure & we’d always contact Cardmembers w any potential acct issue.”

News item 4: http://www.wired.com/threatlevel/2010/05/lanrev/
A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software.

The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures.

The vulnerability was discovered by researchers at Leviathan Security Group.  They began examining the program after customers who saw media coverage of the Pennsylvania case expressed concern that the program might be exposing their employee computers to intrusion from outsiders. The same software is used by many businesses to monitor and maintain their employee laptops.

2010
05.25

InfoSec Daily Podcast

 
ISD Podcast Episode 137 for May 25, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

Atlanta ISSA:

  • ISSA Chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, 2 sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training@gaissa.org.
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.networkworld.com/news/2010/052410-women-more-likely-to-snoop.html

According to research conducted by the London School of Economics (LSE) and the Nottingham Trent University, 14 percent of wives read their partners’ emails, while 13 percent snoop at their text messages and 10 percent admitted to looking at their web browsing history.

However, only eight percent of men said they would read their wives’ emails while just seven percent claimed they would check their text messages and browsing history. “The findings show that wives were indeed more likely to monitor their husbands’ behaviour. This contrasts with general research that suggests women are less technologically skilled than men,” LSE’s Ellen Helsper and Monica Whitty from the Nottingham Trent University told the Sunday Times.

News item 2: http://www.selfstoragepromotions.com
McAfee has released its “McAfee Threats Report: First Quarter 2010,” which reveals that portable storage device worms are the most dangerous threat to computers.

According to McAfee, threats on portable storage devices took the lead for most popular malware. AutoRun related infections held the first and third spots due to the widespread adoption of portable storage devices. By contrast, portable storage containers are still among the safest places to store industrial goods.

“It’s almost a shame that USB drives have so many names. Some people call them thumb drives. But other people call them portable storage—and these devices tend to carry a security risk for corporations,” says John Finnessy, CMP, Executive Director of the NPSA, a nonprofit membership association dedicated to the advancement of the portable storage industry. “Portable storage as we know it in the portable storage container industry is a means to secure goods rather than a way for malicious hackers to exploit sensitive files.”

From retailers to construction companies to transportation interests to medical facilities and more, portable storage containers are serving the storage and temporary office needs of a myriad of industries. Department stores are a prime example. Along with pharmacies, supermarkets, hospitality and food service venues, department stores have discovered that portable storage can offer much-needed extra space, especially in busy seasons.

“There is seemingly no end for the uses of portable storage,” says NPSA Operations Manager Joel Rathbone. “We continue to see industries large and small discover new ways to use portable storage containers. They are ideal for manufacturers, contractors, auto dealerships, retail outlets. If it’s an industry that needs quick and easy access to storage, these containers are finding a place there.”

2010
05.24

Episode 136 – USB Malware, Bluetooth Monitoring?

InfoSec Daily Podcast

 
ISD Podcast Episode 136 for May 24, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://news.techworld.com/security/3224283/ibm-red-faced-after-handing-out-usb-drives-stuffed-with-malware/
You might get more than you bargained for if you attend a security conference. IBM shocked delegates at the Australian AusCERT conference in Queensland by handing out USB sticks infected with malware.

The company was forced to write to delegates apologizing for its error. “At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.”

It was actually worse than IBM intimated. To make it doubly embarrassing, according to security company Sophos, the company included two examples of malware: W32/LibHack-A and W32/Agent-FWF.

Sophos’s senior technology consultant, Graham Cluley, had a guess as to how the error occurred. “My guess is that they didn’t check the USB sticks before handing them out. Maybe they out-sourced the creation of the USB content to a third party, and they weren’t careful enough. After all, if an infected PC was used to create the ‘image’ of the USB drive then it would have been easy for that disk image to be infected and copied onto every USB stick they handed out.”

News item 2: http://www.chicagotribune.com/classified/automotive/ct-met-eisenhower-travel-times-0521-20100523,0,7325891.story
Whoever thought that talking on a cell phone while driving would be considered a public service?

But that will be the case in one respect starting within the next few weeks on the Eisenhower Expressway, where travel times have soared since a resurfacing project began this spring between Thorndale Avenue in the western suburbs and the Circle Interchange near downtown Chicago.

To generate travel-time information on the torn-up highway, the state has hired a Wisconsin company to monitor signals sent from motorists using Bluetooth-enabled personal electronic devices such as hands-free headsets for cell phones, wireless headphones and computer peripherals.

Each device has a unique identification marker that will be tracked anonymously at various points on the Eisenhower to determine travel times and pinpoint areas of congestion, according to the Illinois Department of Transportation.

2010
05.21

Episode 135 – Hypocrisy

InfoSec Daily Podcast

 
ISD Podcast Episode 135 for May 21, 2010. This podcast is our contribution back to the community, where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.news.com.au/business/breaking-news/hacker-stole-7m-game-code-at-tech-show/story-e6frfkur-1225868939880
A BOSTON man appeared in court today charged with trying to download the code of a soon-to-be released video game at a tech convention. Justin May, 20, of Delaware, was attending the March PAX East 2010 in Boston where he allegedly used his laptop to hack into an Xbox 360 Test Kit that was demonstrating the game Breach, and downloaded the code, WBZ reported.

Breach, an unreleased game due out this northern summer worth $US6m ($7.1m), was being shown for the first time at the convention by Atomic Games, a subset of Destineer.

“Breach, and our Hydrogen game engine, are the result of millions of dollars of investment and years of hard work,” said Peter Tamte, President of Atomic Games. “It would have been very harmful if Breach had been posted on the internet months before its planned release.”

News item 2: http://www.khaleejtimes.com/DisplayArticle09.asp?xfile=data/theuae/2010/May/theuae_May541.xml&section=theuae
The UAE should have a strategy to defend itself against cyber crimes, cyber espionage and the possibility of a cyber war, an expert on security said.  “We should know who can and will attack us and we should be able to defend ourselves,” Richard A. Clarke, who has served three consecutive US presidents as senior White House advisor, said in a lecture, “Cyber War: The next Threat to the UAE’s National Security”, at the Emirates Centre for Strategic Studies and Research.

Praising the UAE’s role at the UN and GCC level against cyber threats, he said, “Diplomacy is one way to deal with these threats at the international level. Diplomacy and dialogue can be used to control them. The UAE has a great role to play in creating an international system of cyber teeth.”

Every nation is vulnerable to cyber threat, including the UAE, since it is one of the most wired nations in the world, he said. Masdar’s (Abu Dhabi Future Energy Company) work on alternative energy, for instance, could be of interest to many and espionage in a modern society can come from anywhere in the world.

News item 3: http://www.theaustralian.com.au/australian-it/us-hypocrisy-in-china-cyberwar-says-expert/story-e6frgakx-1225868338373
The recent China-US “cyberwar” exposed American hypocrisy on the issues of government surveillance and censorship, according to a US-based expert on security system design.

“Why is the country with the best technology for online surveillance of its citizens’ communications taking other nations to task over censorship and free speech?” Mr Ranum, chief security officer of Tenable Network Security, challenged a packed forum at AusCERT 2010.

“For years, the US has embraced portions of the hacker community into our labs to build cyber-weapons, and there’s government funding connections between our offensive weapons writers and our defensive weapons writers.

“We own the search engines everybody uses, and the incredibly valuable data they produce.

“So it’s bizarre that in the recent exchange of accusations over China targeting dissident supporters of the Dalai Lama, no country asked the US to rein in its own cyber-hackers.”

2010
05.20

Episode 134 – Lifelock (hack), Kenya InfoSec?

InfoSec Daily Podcast

 
ISD Podcast Episode 134 for May 20, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • ISSA Chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, 2 sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University.  The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training@gaissa.org.
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit on June 9th in Huntsville, AL.  The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:
Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/05/19/bill_oreilly_ddos_attacks/
Federal prosecutors have accused a man of carrying out a series of botnet offenses including attacks that brought down the websites of conservative talking heads Bill O’Reilly, Ann Coulter, and Rudolph Giuliani.

Mitchell L. Frost was an undergraduate student at the University of Akron at the time of the DDoS, or distributed denial-of-service, attacks, which lasted over a five-day period in March 2008, prosecutors alleged in court documents. The attacks on billoreilly.com, anncoulter.com and joinrudy2008.com “rendered each website inoperable, at least temporarily, and required intervention and repair by the owners of such sites, and caused damages or losses which exceeded $5,000,” they wrote.

Frost, who went by the handle “FrostAie,” also stands accused of using his botnet to launch a much bigger assault on a University of Akron server that knocked out the college’s entire network, depriving “tens of thousands of students, faculty and staff members” of connectivity for more than eight hours. Prosecutors said the attack appeared to be a mistake and that the intended target was an unnamed gaming server that was hosted on the university network.  The outage cost the university more than $10,000.

News item 2: http://www.wired.com/threatlevel/2010/05/lifelock-identity-theft/
Apparently, when you publish your Social Security number prominently on your website and billboards, people take it as an invitation to steal your identity.

LifeLock CEO Todd Davis, whose number is displayed in the company’s ubiquitous advertisements, has by now learned that lesson. He’s been a victim of identity theft at least 13 times, according to the Phoenix New Times.  That’s 12 more times than has previously been known.

In June 2007, Threat Level reported that Davis had been the victim of identity theft after someone used his identity to obtain a $500 loan from a check-cashing company. Davis discovered the crime only after the company called his wife’s cellphone to recover the unpaid debt.

About four months after that story published, Davis’ identity was stolen again by someone in Albany, Georgia, who opened an AT&T/Cingular wireless account using his Social Security number, according to a police report obtained by the New Times. The perpetrator racked up $2,390 in charges on the account, which remained unpaid. Davis, whose real name according to police reports is Richard Todd Davis, only learned a year later that his identity had been stolen again after AT&T handed off the debt to a collection agency and a note appeared on his credit report.

2010
05.19

Episode 133 – PKI

InfoSec Daily Podcast

 
ISD Podcast Episode 133 for May 19, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • ISSA Chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, 2 sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University.  The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training@gaissa.org.
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit on June 9th in Huntsville, AL.  The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9176949/Symantec_to_buy_VeriSign_s_security_unit_for_1.3B_reports_say
Security vendor Symantec Corp. is reported to be close to buying Internet infrastructure services vendor VeriSign Inc.’s security business for $1.3 billion.  The Wall Street Journal quoted unidentified sources who are said to be close to the deal as saying it would give Symantec control of VeriSign’s $410 million authentication business, which provides a range of encryption technologies and services.  A Reuters report late Tuesday also quoted an unnamed source as saying that VeriSign had been shopping for a buyer for its security unit recently.  Meanwhile, other news reports fueled the speculation by adding that VeriSign CFO Brian Robins had abruptly pulled out of a JP Morgan investors conference on Tuesday afternoon.

News of the possible deal pushed VeriSign’s shares up by $1.39 or 5.18% to $28.23 Tuesday afternoon. But with the expected deal not announced until late Tuesday, VeriSign’s shares yielded back some of that gain in after hours trading. Shares of Symantec meanwhile were down 2.03% to $15.95 on news of the rumored deal.

News item 2: http://www.metasploit.com/

Version 3.4.0 of the Metasploit penetration testing framework has been released, encompassing major improvements to the Meterpreter payload, an expansion of the framework’s brute force capabilities, and the complete overhaul of the backend database schema and event subsystem.

In addition, more than 100 new exploit modules and over 40 auxiliary modules have been added since version 3.3. The full release notes are online.