Your daily source of Pwnage, Policy and Politics.

Episode 127 – Heartland, iFrames and BitTorrents

ISD Podcast Episode 127 for May 11, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email [email protected] or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • ISSA Chapter is hosting a CISSP Workshop starting May 26 – August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: [email protected].
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information, please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1:  http://www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far
The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up.

Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees.

That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland’s offer to settle several consumer class action lawsuits against it for $4 million.

So far, Heartland has recovered about $30 million from insurance companies. Even with the updated figures, Heartland so far has spent considerably less than the staggering $250 million that TJX Companies Inc. estimated it would eventually spend to address its massive 2006 data breach.

News item 2: http://www.theregister.co.uk/2010/05/06/spam_judgment/
A small internet service provider has been awarded nearly $2.6m in a lawsuit it filed against a company that sent just under 25,000 spam messages over an 18-month period.

Although it’s questionable whether Asis Internet Services will ever see a penny of that windfall, the judgment is testament to the awesome power of CAN-SPAM, short for the Controlling the Assault of Non-Solicited Pornography and Marketing Act, which was passed by Congress in 2003. It allows judgments of as much as $100 for every unsolicited email, and damages can be tripled for a variety of reasons.

The judgment was awarded by Magistrate Judge Elizabeth D. Laporte of the US District Court in Northern California. It comes in a case filed against the principals of a business called Find a Quote. A four-employee ISP in Garberville, California, Asis said it receives about 200,000 junk messages per day and spends about $3,000 per month to process them.

Laporte calculated that the ISP was entitled to damages of $865,340, but went on to triple the amount, to $2.596m, because, she said, the Find a Quote spammers, including defendant Edward Heckerson, had employed automatic scripts to send their messages.

News item 3: http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/
Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.

To cover their tracks, the miscreants behind the compromise tailored it so it attacks only IP addresses that haven’t already visited the Treasury websites. That makes it harder for white-hat hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed, until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.

The attack is most likely related to mass infections that two weeks ago hit hundreds of sites hosted by Network Solutions and GoDaddy, said Dean De Beer, founder and CTO of security consultancy Zero(day) Solutions.
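The pattern described above, an invisible iframe injected into a legitimate page that loads script from a third-party host, is something a site owner can check for in a fresh fetch of their own pages. The script below is an added example for this episode's notes, not code from the article or from AVG; the page HTML and the `malicious.example` host are constructed, and `find_hidden_iframes` is a hypothetical helper name.

```python
"""Flag <iframe> tags that are invisible and pull content from another host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides a frame while still letting its content load and execute.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeScanner(HTMLParser):
    """Collects every <iframe> together with the reasons it looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # A zero-size frame renders nothing but its script still runs.
        if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-css")
        # A frame whose src is on a different host than the page itself.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append(f"third-party:{host}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html, site_host):
    """Return a list of suspicious iframes found in html served from site_host."""
    scanner = IframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one legitimate embed plus one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="https://www.example.gov/video/tour" width="640" height="360"></iframe>
<iframe src="http://malicious.example/ad.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "www.example.gov"):
        print(finding)
```

Because the injection served each visiting IP only once, run the check against a freshly fetched copy rather than a cached one, and from an address that has not fetched the page before.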

News item 4: http://www.theregister.co.uk/2010/04/30/bittorrent_continuous_spying/

Researchers have devised a way to monitor BitTorrent users over long stretches of time, a feat that allows them to map the internet addresses of individuals and track the content they are sending and receiving.

In a paper presented earlier this week at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, the researchers demonstrated how they used the technique to continuously spy on BitTorrent users for 103 days. They collected 148 million IP addresses and identified 2 billion copies of downloads, many of them copyrighted.  The research paper can be found here: http://hal.inria.fr/docs/00/47/03/24/PDF/bt_privacy_LEET10.pdf