Your daily source of Pwnage, Policy and Politics.

Episode 131 – DoS Servers, ATM and a Breach


ISD Podcast Episode 131 for May 17, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th – 18th
    • Atlanta – July 12th – 16th
    • Dallas, TX – October 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email [email protected] or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • ISSA Chapter is hosting a CISSP Workshop starting May 26 – August 14 (Preparing for the August 15, 2010 Exam) 6:00 to 9:00 PM 2 sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University.  The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: [email protected].
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL.  The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Web hosting services: WebSpeedway

Stories of Interest:
News item 1: http://news.cnet.com/8301-27080_3-20004855-245.html
Researchers have uncovered a botnet that uses compromised Web servers instead of the usual personal computers to launch denial-of-service (DoS) attacks.

Security firm Imperva said on Wednesday it uncovered a botnet of about 300 Web servers after one of its “honeypot” servers was used in an attack, and based on a search for the attack code via Google. Web servers were commonly used in such attacks a decade ago but had been replaced by the more ubiquitous Windows-based PCs, said Amichai Shulman, chief technology officer at Imperva.

In the DoS attack Imperva observed, two Web servers were targeting an unnamed hosting provider based in The Netherlands, he said. The hosting provider was aware of the situation, Shulman said.

It appeared that the Web servers were being compromised with code that exploits a vulnerability in PHP, a language used for processing Web pages; it can affect servers running Apache, Microsoft Internet Information Services (IIS), or other server software, he said.

The attack employs a simple user interface that allows someone to specify the victim’s IP address and port, as well as how long the attack should last. The information is submitted on a form that includes a message in Indonesian that says “don’t use it on your friends,” according to a screenshot provided by Shulman.

News item 2: http://www.computerworld.com/s/article/9176371/Hacker_develops_multi_platform_rootkit_for_ATMs
Security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled “Jackpotting Automated Teller Machines,” at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks. He will also reveal a “multi-platform ATM rootkit,” and will discuss things that the ATM industry can do to protect itself from such attacks, he writes in his description of the talk, posted this week to the Black Hat Web site.

Jack was set to discuss ATM security problems at last year’s conference, but his employer, Juniper Networks, made him pull the presentation after getting complaints from an ATM maker that was worried that the information he had discovered could be misused. The security researcher found a straightforward way of getting around Juniper’s objections, however. Last month, he took a new job as director of security research with IOActive.

News item 3: http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
Researchers say they’ve devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swapping it out for a malicious payload.

The exploit has to be timed just right so the benign code isn’t switched too soon or too late. But for systems running on multicore processors, matousec’s “argument-switch” attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that’s required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
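The bypass described above is a check-then-use race on a hook's argument: the hook validates what the caller passed, the real handler fetches it again, and a writer on another core changes it in between. The following is an added, constructed model (not code from the article or from matousec) showing the double-fetch hook beside the hardened form that captures the argument once; `BLOCKED_OP`, `request` and the callback that plays the concurrent writer are all hypothetical, and the writer runs deterministically in the window so the result is reproducible without threads.

```c
#include <string.h>
#include <stdbool.h>

/* Constructed model of the argument-switch (double-fetch) pattern described
 * above: a hook validates a caller-supplied argument, then the real handler
 * re-reads it, so whatever writes the argument between check and use wins. */
#define BLOCKED_OP 0x99   /* hypothetical opcode the hook must refuse */
struct request { int op; };

/* Stands in for a writer on another core; invoked deterministically inside the
 * check/use window so the outcome is reproducible without real threads. */
typedef void (*race_fn)(struct request *shared);
static int executed_op = -1;                       /* last opcode handled */
static void real_handler(int op) { executed_op = op; }

/* Vulnerable: validates shared->op, then fetches shared->op a second time. */
static bool hook_double_fetch(struct request *shared, race_fn race) {
    if (shared->op == BLOCKED_OP) return false;    /* check on fetch #1 */
    if (race) race(shared);                        /* window: argument switched */
    real_handler(shared->op);                      /* use on fetch #2 */
    return true;
}

/* Hardened: capture the argument once, validate the copy, act on the copy
 * (in a real kernel hook this is a probed copy out of caller memory). */
static bool hook_single_fetch(struct request *shared, race_fn race) {
    struct request local;
    memcpy(&local, shared, sizeof local);          /* the only fetch */
    if (local.op == BLOCKED_OP) return false;
    if (race) race(shared);                        /* too late to matter */
    real_handler(local.op);
    return true;
}

static void swap_to_blocked(struct request *shared) { shared->op = BLOCKED_OP; }

/* Each returns the opcode actually executed for a request that looks benign
 * (op = 1) at check time and is switched to BLOCKED_OP in the window. */
int run_double_fetch(void) {
    struct request r = { .op = 1 };
    executed_op = -1;
    hook_double_fetch(&r, swap_to_blocked);
    return executed_op;                            /* 0x99: check bypassed */
}
int run_single_fetch(void) {
    struct request r = { .op = 1 };
    executed_op = -1;
    hook_single_fetch(&r, swap_to_blocked);
    return executed_op;                            /* 1: check held */
}
```

The only difference between the two hooks is whether the value that was checked is the same value that is used; that is the property a reviewer should look for in any SSDT-style filter.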

News item 4: http://www.macon.com/2010/05/15/1128909/officials-hacking-was-outside.html
A security breach that has compromised the credit and debit cards of recent customers at the Mellow Mushroom in Warner Robins is believed to have occurred outside the restaurant, police and the restaurant’s lawyer said Friday.

“The breach happened either with the computing end of it or at the payment processing center. That’s what the (U.S.) Secret Service is going to work to figure out,” said attorney Kelly Burke, who has been hired to represent the restaurant.

Warner Robins-based Robins Federal Credit Union said Thursday it had blocked about 2,000 debit and credit cards that were used at a local merchant, though it did not name the Mellow Mushroom. By Friday, customers of at least one other bank had been notified not to use their cards.

The breach is believed to have occurred sometime since March 11, said Tabitha Pugh, public information officer with the Warner Robins Police Department.