Your daily source of Pwnage, Policy and Politics.

Episode 132 – https, Cyberwar & stupid hackers

ISD Podcast Episode 132 for May 18, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th – 18th
    • Atlanta – July 12th – 16th
    • Dallas, TX – October 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email: [email protected] or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs from Tuesday, June 22, 2010 to Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • The ISSA chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: [email protected].
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1: http://www.zdnet.co.uk/news/security-management/2010/05/17/google-to-begin-offering-encrypted-search-40088951/?s_cid=938
Google plans to offer encrypted search next week.  Google’s Marissa Mayer, vice president of search products and user experience, hinted that such a feature was coming on Thursday during a question and answer session at Google’s annual stockholder meeting. But the company must have decided it could no longer wait following the disclosure that it had improperly collected internet usage data from Wi-Fi hot spots as part of its Google Street View programme.

“Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search,” Google said in its blog post on Friday on the Street View issue. Google encrypted all Gmail accounts in response to the hacking incidents that prompted its decision to move its Chinese-language search operation from Beijing to Hong Kong.

News item 2: http://www.securitypronews.com/insiderreports/insider/spn-49-20100517MajorityOfBrowsersLeaveFingerprintsOnline.html
The findings were the result of an experiment EFF conducted with volunteers who visited the EFF’s Panopticlick website.

The website anonymously logged the configuration and version information from each participant’s operating system, browser, and browser plug-ins — information that websites routinely access each time you visit — and compared that information to a database of configurations collected from almost a million other visitors. EFF found that 84% of the configuration combinations were unique and identifiable, creating unique and identifiable browser “fingerprints.” Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.

“We took measures to keep participants in our experiment anonymous, but most sites don’t do that,” said EFF Senior Staff Technologist Peter Eckersley.

“In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities. This experiment is an important reality check, showing just how powerful these tracking mechanisms are.”

EFF found that some browsers were less likely to contain unique configurations, including those that block JavaScript, and some browser plug-ins may be able to be configured to limit the information a browser shares with the websites users visit. But overall, it is difficult to reconfigure your browser to make it less identifiable. The best solution for web users may be to insist that new privacy protections be built into the browsers themselves.

News item 3:   http://www.theregister.co.uk/2010/05/17/ghost_exodus_guilty_plea/
A former security guard has pleaded guilty to compromising more than a dozen computers that belonged to the hospital he was supposed to be protecting and posting some of his exploits on YouTube.

Jesse William McGraw, 25, called himself Ghost Exodus in videos such as this one as he wandered the halls of the North Central Medical Plaza in Dallas during the graveyard shift. He used his physical access to the facility’s PCs to install bots so he could launch attacks on a rival hacking gang, prosecutors said. The compromised machines included a nurse’s station computer for tracking patients and one that controlled the HVAC, or heating, ventilation and air-conditioning system.

News item 4: http://www.theregister.co.uk/2010/05/13/diy_twitter_botnets/
A security researcher has unearthed a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts.

TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with the ease of their Twitter-connected smartphones.

“All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones,” Christopher Boyd, a researcher with anti-virus provider Sunbelt Software, writes here.

Alas, TwitterNet Builder requires accounts to be public, so spotting people who use the software is fairly straightforward. A quick search revealed accounts here, here and here that appeared to be using the DIY kit, although it appeared these might be harmless demonstrations rather than brazen attacks.

News item 5: http://www.eweek.com/c/a/Government-IT/Microsoft-Settles-Patent-Infringement-Case-With-VirnetX-607541/
Microsoft announced that it would pay $200 million to settle a patent-infringement suit leveled against it by VirnetX, which builds communication and collaboration technologies, including a method for establishing secure communication links between computers on a virtual network. In March, a Texas jury had found that Microsoft infringed on two U.S. patents held by VirnetX, and ordered the software giant to pay $105.7 million in a substantial legal judgment. East Texas has been the site of much legal trouble for Microsoft as of late, with the company also facing a patent-infringement suit leveled against it by Canadian startup i4i.


News item 6:  http://www.wired.com/dangerroom/2010/05/cyberwar-cassandras-get-400-million-in-conflict-cash/
Booz Allen Hamilton — the defense contractor that’s become synonymous with the idea that the U.S. is getting its ass kicked in an ongoing cyberwar — has racked up more than $400 million worth of deals in the past six weeks to help the Defense Department fight that digital conflict. Strange how that worked out, huh?

Booz Allen’s latest awards were announced last Thursday — nine contracts with the Air Force, totaling over $150 million. One deal gives the firm $24 million to “provide combat-ready forces to conduct secure cyber operations in and through the electromagnetic spectrum.” A $19.8 million contract asks Booz Allen to “define information assurance scientific and technical analysis to be applied to future military satellite communication systems development.” Earlier in the month, the company got $14 million to “provide threat monitoring, detection, characterization, and actionable information for the computer network operations in order to help advance Department of Defense Global Information Grid initiative and nationally oriented cyber security priorities.”