Your daily source of Pwnage, Policy and Politics.

RSS feed issues resolved

Thanks to our listeners that let us know about the issue.  We were finally able to resolve the issue with the RSS feed not displaying the mp3 file size correctly by switching over to Feedburner.   Unfortunately, it seems that the issue with the files size was really hit or miss and it never impacted the iTunes xml.

Episode 141 – Ubuntu 1 – Apple 0

Play

ISD Podcast Episode 141 for May 31, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes to reserve and register, call (678) 445-9007, email: [email protected] or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

North Alabama ISSA:

  • Hosting Second annual North Alabama Cyber Security Summit to be held on June 9th in Huntsville AL.  Event is open to ISSA members at a discounted price ($35 full price is $50). For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/.  Email [email protected].

Friends of the Podcast:

Webhosting services:WebSpeedway

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9176883/P2P_networks_a_treasure_trove_of_leaked_health_care_data_study_finds
Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College’s Tuck School of Business has found.

In a research paper to be presented at an IEEE security symposium Tuesday, a Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.

One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

While some of the documents appear to have been leaked before the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, many appear to be fairly recent. A previous study by Dartmouth in 2008 also unearthed files containing health-care data floating on P2P networks, such as Limewire, eDonkey and BearShare. Among the documents found in that study was one containing 350MB of patient data for a group of anesthesiologists and another on patients at an AIDS clinic in Chicago.

News item 2:  http://news.cnet.com/8301-1009_3-20005844-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Botnets are available for hire for as little as $8.94 an hour, underscoring how little financial muscle or technical expertise is needed to carry out attacks, according to VeriSign’s cybersecurity intelligence arm.

VeriSign said Monday that it carried out an online investigation into 25 botnet operators in February, targeting botnet services advertised on three Web forums. The study found that hourly botnet rental pricing started at $8.94, while the average price for a 24-hour rental was $67.20.

The services advertised a number of attack vectors, including ICMP, SYN, UDP, HTTP, HTTPS, and Data. The botnet operators plied their wares via the same techniques as legitimate businesses, such as via forums and banner ads. One botnet operator offered a pricing structure for taking down sites that have anti-attack measures installed.

News item 3: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424

Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn’t prevent access to your data … as long as the person doing the snooping around is using Ubuntu “Lucid Lynx” 10.04.

Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx …

I uncovered a data protection vulnerability [9], which  I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07) , all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

This is what you get via an auto mount without any PIN request:

This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with an PIN code based authentication in place to unlock it.

This, quite honestly, is a staggering flaw. It basically allows anyone capable of driving a Linux PC to copy data off of an iPhone without the owner of the phone having any idea whatsoever that this has happened.