[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 163.mp3[/podcast]
ISD Podcast Episode 163 for June 30, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
MHDD Data Recovery Class current dates and locations:
Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the hardware using a variety of dictionary-based attacks failed even after the South Americans called in the assistance of the FBI.
The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.
The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil’s El Globo newspaper reports.
The most prominent victims of the hacker are the Libyan dictator Muammar al-Gaddafi and the Taliban. On 14 June this year, the “Joker” attacked the official Taliban website for the umpteenth time.
“Powered off for 30 minutes, because of inciting young Muslims online to violent jihad,” was the hacker’s verdict, and he brags about his successes on Twitter. At the end of February the “Joker” announced that he had hacked the website of Libyan leader Gaddafi and taken it offline for an hour. The reason, the hacker wrote, was Gaddafi’s “call for jihad against Switzerland.”
th3j35t3r has posted a transcript of an interview that he gave to German newspaper ‘Die Welt‘.
News item 3: http://nanocr.eu/2010/06/27/googles-mismanagement-of-the-android-market/
Earlier this week, CNET ran an article critical of the permission model of the Android Market. Google’s response to the criticism was that “each Android app must get users’ permission to access sensitive information”. While this is technically true, one should not need a PhD in Computer Science to use a smartphone. How is a consumer supposed to know exactly what the permission “act as an account authenticator” means? The CNET opinion piece “Is Google far too much in love with engineering?” is quite relevant here.
Google does far too little curation of the Android Market, and it shows. Unlike Apple’s App Store, the Android Market has few high quality apps. A study by Larva Labs (the developers of the excellent Slidescreen app) estimates that Apple has paid out 50 times more money to developers than Google has. While the Android Market is available in 46 countries, developers can only offer paid apps in 13 countries (for instance, Canada has only had access to paid apps since March 2010). In addition, the price for foreign apps is not displayed in the user’s local currency and developers do not have the option of customizing pricing by country.
The music downloading app “Tunee” (one of many such apps) is one of the Top Free apps in the Multimedia category with more than 250k downloads. While some would dishonestly try to pretend that such apps are meant for downloading public domain classical music, the developers of Tunee are very clear about their intent. A screenshot in the link above shows copyrighted music by the band Muse (Warner Music Group) being illegally downloaded.
These apps are damaging to companies that are building legitimate Android music apps (e.g. Rdio, Spotify and MOG), not to mention Amazon, whose MP3 store comes bundled with most Android phones in the U.S. Is Google’s strategy to turn a blind eye to illegal music downloading until they launch their own music store?
News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” with Complexity: Distribute security mechanisms
Security checks should be designed so that they are as distributed as possible throughout the codebase. Try not to follow a consistent pattern and don’t make it easy to find all the places where the mechanism is used. This will virtually ensure that security is implemented inconsistently.
Spread the wealth
Another great way to avoid being found is to make sure your security holes aren’t located in one place in your code. It’s very difficult for analysts to keep all of your code in their head, so by spreading out the holes you prevent anyone from finding or understanding them.
Use dynamic code
The single best way to make it difficult for a security analyst (or security tool for that matter) to follow through an application and uncover a flaw is to use dynamic code. It can be almost impossible to trace the flow through code that is loaded at runtime. Features like reflection and classloading are beautiful features for hiding vulnerabilities. Enable as many “plugin” points as possible.
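The defender’s inverse of the three tips above, as an added Python example that is not from the OWASP page: every authorization decision goes through one enforcement point that also records where it is used, so an audit can enumerate the handlers and flag any that the mechanism does not cover. The handler names, the role model and `audit_handlers` are assumptions made for the illustration.

```python
import functools
import inspect
from typing import Callable, Dict, List

# One registry for the whole code base: "all the places where the mechanism is
# used" is a single dictionary lookup, not a code-wide search.
PROTECTED: Dict[str, str] = {}


class Forbidden(Exception):
    """Raised by the single enforcement point when a role check fails."""


def require_role(role: str) -> Callable:
    """The one place authorization is decided. Handlers opt in by decoration,
    which records them in PROTECTED and marks the wrapper as guarded."""
    def decorator(func: Callable) -> Callable:
        PROTECTED[func.__name__] = role

        @functools.wraps(func)
        def wrapper(user: dict, *args, **kwargs):
            if role not in user.get("roles", ()):
                raise Forbidden(f"{user.get('name')!r} lacks role {role!r}")
            return func(user, *args, **kwargs)

        wrapper.__guarded__ = True
        return wrapper
    return decorator


# Constructed sample handlers. The third does what the OWASP text recommends:
# a one-off check, written differently, that grepping for require_role misses.
@require_role("admin")
def delete_user(user: dict, target: str) -> str:
    return f"deleted {target}"


@require_role("viewer")
def list_users(user: dict) -> List[str]:
    return ["alice", "bob"]


def export_db(user: dict) -> str:
    if user.get("name") != "root":          # scattered, inconsistent check
        raise Forbidden("export denied")
    return "dump.sql"


def audit_handlers(namespace: Dict[str, object]) -> List[str]:
    """Names of handler functions (first parameter `user`) in `namespace` that
    do not pass through require_role. A non-empty result is a finding."""
    unguarded = []
    for name, obj in namespace.items():
        if not inspect.isfunction(obj) or name.startswith("_"):
            continue
        # functools.wraps lets signature() see the original parameters.
        params = list(inspect.signature(obj).parameters)
        if params and params[0] == "user" and not getattr(obj, "__guarded__", False):
            unguarded.append(name)
    return sorted(unguarded)


def audit_this_module() -> List[str]:
    """Run the audit over this module's own namespace."""
    return audit_handlers(globals())


def allowed(handler: Callable, user: dict, *args) -> bool:
    """True if the call succeeds, False if the enforcement point rejects it."""
    try:
        handler(user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("guarded handlers:", PROTECTED)
    print("unguarded handlers:", audit_this_module())
```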
Texas Health and Human Services Commissioner Tom Suehs says Texas health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom. Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don’t believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen. But if the FBI determines private records were revealed, Suehs says, health officials will quickly notify the people listed in the registry.
“This is an incident that makes everybody’s antennas go a little bit higher, and I’m using it as an opportunity to elevate our awareness of our responsibility to protect information,” Suehs says. “Nothing is 100-percent secure. But I think [most of] our systems, our processes, worked. And that’s the positive thing.”
The security scare comes at a sensitive time for Texas’s health agencies, which are making plans to exchange Texas medical records electronically and expect an influx of federal dollars to help do it. Privacy advocates are already nervous about whether Texas has the technology safeguards to keep these records out of hackers’ hands.
Google has moved the encrypted version of its search engine to a new Web address. Though the old URL (https://www.google.com) still works, Google announced recently that it launched encrypted.google.com in a nod to school administrators who have blocked encrypted search for their students.
[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 162.mp3[/podcast]
ISD Podcast Episode 162 for June 29, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Stories of Interest:
News item 1: http://www.esecurityplanet.com/features/article.php/3889356/Org-Signed-for-DNSSEC.htm
The .org top-level domain (TLD) has now been signed with Domain Name System Security Extensions (DNSSEC), marking a significant milestone in better securing key elements of the Internet against security vulnerabilities. The move toward securing the .org registry with DNS security started back in September 2008, following the Kaminsky DNS flaw disclosure.
The .org TLD is now the first major generic TLD to be secured with DNSSEC, providing its domain holders with the potential to cryptographically ensure the integrity of DNS information. The signing of the .org domain comes ahead of the final signing of the root zone for the Internet, which is set for July.
While the .org domain space is now signed, it’s now up to individual domain registrars that sell and maintain .org domains to implement DNSSEC for their respective customers.
The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While Alexa Raad, CEO of the Public Interest Registry, did not provide a specific figure as to the cost of DNSSEC implementation, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million dollar effort. But Raad noted that the cost isn’t going to be passed on by .org to domain registrars.
“This was not a commercial motivation for us, but rather more of a public interest motivation,” Raad said. “We’re not passing on any costs — we’re absorbing the cost.” While DNSSEC as a technology has been around for years, the need for it accelerated after vulnerabilities like the Kaminsky DNS flaw came to light. “Up until the Kaminsky bug, there was skepticism about the necessity for DNSSEC,” Raad said. “That bug put a stop to that very quickly.”
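The hand-off the article describes, where registrars must now enable DNSSEC for individual .org domains, works through a DS record: the parent (.org) publishes a hash of the child zone's key-signing DNSKEY, and a validator recomputes that hash from the DNSKEY it receives. Added Python example (not code from PIR, Afilias or the article); the owner name and the four-byte "public key" are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct
from typing import Dict, Tuple


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key.
    flags 257 marks a key-signing key (the one the parent's DS points at)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): a 16-bit
    checksum used to pick the right DNSKEY out of a zone's key set."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> Dict[str, object]:
    """The DS record the parent publishes: digest = H(owner wire | DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, rdata: bytes, ds: Dict[str, object]) -> bool:
    """The validator's check: does the DS seen in .org commit to this DNSKEY?"""
    expected = make_ds(owner, rdata, int(ds["digest_type"]))
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and str(expected["digest"]).upper() == str(ds["digest"]).upper())


def parse_dnskey(line: str) -> Tuple[str, bytes]:
    """Parse zone-file form 'owner [TTL] [IN] DNSKEY flags proto alg base64...'
    into (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, proto, alg, pubkey)


def ds_presentation(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """The DS line a registrar would submit to the .org registry."""
    ds = make_ds(owner, rdata, digest_type)
    return (f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


# Constructed placeholder: a four-byte "key" so the arithmetic is checkable by hand.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
SAMPLE_LINE = "example.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_LINE)
    print(ds_presentation(owner, rdata))
    print("validates:", ds_matches_dnskey(owner, rdata, make_ds(owner, rdata)))
```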
News item 2: http://bit.ly/b3tUGN
VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.
According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages such as those here and here needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations’ security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.
What’s more, Abdulhayoglu pointed to the availability of this page provided by VeriSign partner Getronics.nl of the Netherlands. It allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages like the one captured below, which provide buttons for revoking, renewing, and replacing the digital certificate.
News Item 3: http://www.wired.co.uk/news/archive/2010-06/18/huge-privacy-flaw-found-in-vpn-systems
More and more people have attempted to preserve their privacy by signing up for VPN services like the Pirate Bay’s Ipredator and the Pirate Party’s Relakks. But it turns out that there’s a gaping security flaw in these services that allows individual users to be identified. The finding was announced at the Cipher conference in Sweden. The flaw is caused by a combination of IPv6, the new internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. IPv6 is enabled on many computers, and you may well be using it without realizing.
The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to their connection broadcasting information that can be used to identify them. It’s also relatively easy to find a MAC address (which identifies a particular device) and a computer’s name on the network that it’s on.
It’s possible to re-hide yourself by switching IPv6 off and going back to IPv4, but that does mean losing the benefits that it offers. It’s most dangerous because many users aren’t aware of the issue, so it’s likely that administrators of VPN networks may end up having to warn their users, and offer instructions on how to turn off IPv6. It’s thought that the Swedish anti-piracy bureau could already be gathering data using the exploit.
One alternative to PPTP is OpenVPN, which offers a number of advantages, especially as it’s free and open-source. It’s more secure than PPTP, and more stable too, though it doesn’t work on mobile devices natively and isn’t quite as easy to set up on a computer, especially older machines. OpenVPN also has the advantage that it’s often not blocked in countries where PPTP systems are blocked.
News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
In the interest of ensuring that there will be a future for hackers, criminals, and others who want to destroy the digital future, this web page captures tips from the masters on how to create insecure code.
General Principles
Avoid the tools
If you want to ensure vulnerabilities, simply make them difficult for automated tools to find. This is a lot easier than it sounds. All you have to do is make sure your vulnerabilities don’t match anything in the tool’s database of signatures.
Always use default deny
Apply the principle of “Default Deny” when building your application. Deny that your code can ever be broken, deny vulnerabilities until there’s a proven exploit, deny to your customers that there was ever anything wrong, and above all – deny responsibility for flaws. Blame the dirty cache buffers.
Be a shark
Always be on the move. Leave security problems to operations staff.
News item 5: http://www.mail-archive.com/ibm-main@bama.ua.edu/msg118853.html
The Guardia Civil have arrested three managers of a company that sells customized software for small and medium enterprises which contained “controlled errors” programmed to fail on a predetermined date. The company sold the poisoned software to more than 1,000 customers in Spain, according to Guardia Civil sources. The scam ran from about 1998 and consisted of introducing “logic bombs” into the software they distributed, which paralyzed the normal functioning of the business and forced the customer to contact technical support, with the consequent economic loss. Users who had not contracted the support service were charged for the repair, had another “controlled error” introduced for a new date, and were advised to contract the support service.
Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks.
The update, which affects Adobe Reader/Acrobat 9.3.2 (and earlier versions), includes a fix for the outstanding PDF “/Launch” functionality social engineering attack vector that was disclosed by researcher Didier Stevens.
As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
According to Adobe, the newest version includes changes to resolve the misuse of this command.
We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks. More information on the security-related improvements in this update can be found in this Adobe blog post.
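A detection check for the vector described above, as an added Python example (not Adobe's or Didier Stevens' code): scan raw PDF bytes for the name objects behind active content, with /Launch treated as a blocking finding. PDF names may be written with #xx hex escapes (/L#61unch is /Launch), so the scanner normalises them first. The sample PDF is constructed for the illustration and runs nothing.

```python
import re
from typing import Dict, List

# A name object may hide its keyword with #xx escapes, so names are unescaped
# before matching. The character class follows what appears in practice.
_NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")

RISKY_NAMES: Dict[bytes, str] = {
    b"Launch": "action launches an external program or file (the /Launch vector)",
    b"OpenAction": "action fires automatically when the document opens",
    b"AA": "additional-actions dictionary (event-triggered actions)",
    b"JavaScript": "embedded JavaScript action",
    b"JS": "JavaScript code string or stream",
    b"EmbeddedFile": "embedded file payload",
}


def unescape_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside one name object."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalise(data: bytes) -> bytes:
    """Rewrite every name object in the raw bytes into its unescaped form."""
    return _NAME_RE.sub(lambda m: b"/" + unescape_name(m.group(1)), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name objects in the raw bytes. Caveat: objects inside
    /FlateDecode streams must be inflated first or they are invisible here."""
    counts: Dict[str, int] = {}
    for m in _NAME_RE.finditer(normalise(data)):
        if m.group(1) in RISKY_NAMES:
            key = m.group(1).decode()
            counts[key] = counts.get(key, 0) + 1
    return counts


def launch_targets(data: bytes) -> List[str]:
    """File names (/F) referenced by /Launch action dictionaries."""
    pattern = rb"/S\s*/Launch\b.*?/F\s*\(([^)]*)\)"
    return [t.decode("latin-1") for t in re.findall(pattern, normalise(data), re.DOTALL)]


def assess(data: bytes) -> str:
    """'block' for a Launch action, 'review' for other active content, else 'ok'."""
    found = scan_pdf(data)
    if "Launch" in found:
        return "block"
    return "review" if found else "ok"


# Constructed sample modelled on the technique (not a real malicious file): the
# catalog's /OpenAction points at a Launch action whose name is hex-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /Win << /F (example.exe) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, n in scan_pdf(SAMPLE_PDF).items():
        print(f"[!] {name} x{n}: {RISKY_NAMES[name.encode()]}")
    print("launch targets:", launch_targets(SAMPLE_PDF))
    print("verdict:", assess(SAMPLE_PDF))
```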
Tools:
UATester Alpha – Chris John Riley’s tool that is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user.
[ ] Performing initial request and confirming stability
[-] URL (ENTERED) : http://www.jpmc.com
[-] RESPONSE CODE : (200, 'OK')
[-] DATE : Tue, 29 Jun 2010 22:16:39 GMT
[-] CONTENT-TYPE : text/html
[-] SERVER : Apache/2.0.52 (CentOS)
[-] LENGTH : 901
[-] DATA : 888e04340e02e9405585c5279d3c468a
[ ] First Pass : . . . .
[ ] Second Pass : . . . .
[ ] Third Pass : . . . .
[-] URL appears stable
[ ] Beginning test
[ ] Using DEFAULT User-Agent Strings
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)’,'Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection
[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection
[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection
[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection
[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection
[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection
[ ] User-Agent String :
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection
[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection
[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection
[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection
[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection
[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection
[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection
[ ] User-Agent String : paros
[*] All Results returned match the reference connection
[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection
[ ] User-Agent String : brutus
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[*] All Results returned match the reference connection
[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection
[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[*] All Results returned match the reference connection
[ ] Performing initial request and confirming stability
[-] URL (ENTERED) : https://www.chase.com
[-] RESPONSE CODE : (200, 'OK')
[-] DATE : Tue, 29 Jun 2010 23:07:16 GMT
[-] CONTENT-TYPE : text/html
[-] SERVER : JPMC1.0
[-] LENGTH : 23437
[-] DATA : c1bf535b0121c3a602b445d0ef5fa549
[ ] First Pass : . . . .
[ ] Second Pass : . . . .
[ ] Third Pass : . . . .
[-] URL appears stable
[ ] Beginning test
[ ] Using DEFAULT User-Agent Strings
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)’,'Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection
[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection
[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection
[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection
[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection
[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection
[ ] User-Agent String :
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection
[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection
[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection
[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection
[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection
[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection
[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection
[ ] User-Agent String : paros
[*] All Results returned match the reference connection
[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection
[ ] User-Agent String : brutus
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection
[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
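The comparison the output above reports, as an added Python sketch rather than UATester's own code: take a reference fingerprint (final URL, status, content type, server header, length, MD5 of the body) from three baseline requests, refuse to compare if those disagree, then list the user-agent strings whose fingerprint differs. The `fetch` callable is injected, and the responses here are constructed to mirror the mobile redirect seen for the second target, so it runs offline.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Response:
    url: str            # final URL after any redirect
    status: int
    content_type: str
    server: str
    body: bytes


Fingerprint = Tuple[str, int, str, str, int, str]
Fetch = Callable[[str, str], Response]      # (url, user_agent) -> Response


def fingerprint(r: Response) -> Fingerprint:
    """The fields the tool prints: URL, code, content type, server, length, body hash."""
    return (r.url, r.status, r.content_type, r.server, len(r.body),
            hashlib.md5(r.body).hexdigest())


def reference(fetch: Fetch, url: str, baseline_ua: str,
              passes: int = 3) -> Optional[Fingerprint]:
    """Fetch `passes` times with the baseline UA (the 'First/Second/Third Pass').
    None when the fingerprints disagree: the page is dynamic and any per-UA
    difference would be noise rather than a finding."""
    seen = {fingerprint(fetch(url, baseline_ua)) for _ in range(passes)}
    return seen.pop() if len(seen) == 1 else None


def compare_user_agents(fetch: Fetch, url: str, baseline_ua: str,
                        agents: List[str]) -> Dict[str, Fingerprint]:
    """Map each UA whose response differs from the reference to its fingerprint."""
    ref = reference(fetch, url, baseline_ua)
    if ref is None:
        raise RuntimeError("URL is not stable; per-UA comparison would be meaningless")
    differing: Dict[str, Fingerprint] = {}
    for ua in agents:
        fp = fingerprint(fetch(url, ua))
        if fp != ref:
            differing[ua] = fp
    return differing


# --- constructed stand-ins for a real HTTP client (no network needed) ---
DESKTOP_PAGE = Response("https://www.example-bank.test/", 200, "text/html",
                        "ExampleServer/1.0", b"<html>desktop banking</html>")
MOBILE_REDIRECT = Response("https://mobile.example-bank.test/", 301,
                           "text/html; charset=utf-8", "Microsoft-IIS/6.0",
                           b"<html>moved</html>")


def fake_fetch(url: str, ua: str) -> Response:
    """Mimics the behaviour in the output above: mobile UAs get a 301 to a mobile site."""
    mobile = ("iPhone", "iPad", "Android", "Nokia")
    return MOBILE_REDIRECT if any(m in ua for m in mobile) else DESKTOP_PAGE


_counter = itertools.count()


def unstable_fetch(url: str, ua: str) -> Response:
    """A page whose body changes on every request (a nonce or timestamp)."""
    return Response(url, 200, "text/html", "ExampleServer/1.0",
                    b"nonce=%d" % next(_counter))


BASELINE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
AGENTS = [
    BASELINE_UA,
    "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)",
    "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
    "(KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3",
    "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) "
    "AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17",
]

if __name__ == "__main__":
    for ua, fp in compare_user_agents(fake_fetch, DESKTOP_PAGE.url, BASELINE_UA, AGENTS).items():
        print(f"[!] differing response for {ua!r}: {fp[:4]}")
```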
[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 161.mp3[/podcast]
ISD Podcast Episode 161 for June 28, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Stories of Interest:
News item 1: http://www.google.com/hostednews/ap/article/ALeqM5hnlGg0WbQxyqIeXJ_t7-N3aCJheAD9GDV11O0
Fighting homegrown terrorism by monitoring Internet communications is a civil liberties trade-off the U.S. government must make to beef up national security, the nation’s homeland security chief said Friday. As terrorists increasingly recruit U.S. citizens, the government needs to constantly balance Americans’ civil rights and privacy with the need to keep people safe, said Homeland Security Secretary Janet Napolitano.
But finding that balance has become more complex as homegrown terrorists have used the Internet to reach out to extremists abroad for inspiration and training. Those contacts have spurred a recent rash of U.S.-based terror plots and incidents.
Underscoring her comments are a number of recent terror attacks over the past year where legal U.S. residents such as Times Square bombing suspect Faisal Shahzad and accused Fort Hood, Texas, shooter Maj. Nidal Hasan, are believed to have been inspired by the Internet postings of violent Islamic extremists. And the fact that these are U.S. citizens or legal residents raises many legal and constitutional questions.
Napolitano said it is wrong to believe that if security is embraced, liberty is sacrificed. She added, “We can significantly advance security without having a deleterious impact on individual rights in most instances. At the same time, there are situations where trade-offs are inevitable.”
News item 2: http://www.thinq.co.uk/2010/6/18/phantom-data-sent-sleeping-iphones/
Now that just about every airtime provider is rethinking its mobile data plans, with most putting an end to unlimited contracts, it looks like iPhone users are paying more attention to their bills, and in particular how much data they are using. A large number of users in the USA and here in the UK have discovered that their iPhones are apparently sending large chunks of data during the wee small hours using the 3G network.
The simple fact of the matter is – as far as we can tell – that the iPhone’s push notifications and other small transfers of data are totted up throughout the day and the total for all of those notifications is added up after dark and sent to your airtime provider while your phone is sleeping. If these tiny amounts of data were individually listed your bill would probably be the size of a telephone directory.
The reason it is using the 3G network rather than Wi-Fi is that all iPhones up to and including the 3Gs turn off Wi-Fi push functionality while the phone is in sleep mode, in order to preserve battery life. The iPhone 4, incidentally, has better power management so will not need to do this.
News Item 3: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/Crypto_standard
JP Morgan Chase now reveals that starting July 18, 2010, only certain browsers will be supported. These include IE6 and higher, Firefox 2.0 and higher, and Safari 3.0 and higher (but only if used on a Mac). Google Chrome and Opera are not included in the list. IE6 is a browser which now borders on silly and has several websites dedicated to its demise (www.ie6funeral.com), and has several known security issues. One wonders how JP Morgan Chase came up with the list, even though their explanation indicates “There are two primary reasons—security and popularity. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. The security of your accounts and private information is one of our highest priorities and some browsers, especially older versions, are simply higher security risks to use with our site.”
What is interesting in what they write is their explanation of a Page Not Found error: “You may be using an outdated browser that we don’t support. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. We strongly recommend that you upgrade your existing browser to one that we support. We strongly recommend that you upgrade your existing browser to one that we support.” Since when did the server start giving out 404 Page Not Found when the browser is not supported? Overall, this move (and page) by JP Morgan Chase doesn’t sound like it passed through anyone in their IT security team, or for that matter, their IT Team itself.
News item 4: http://www.cultofmac.com/research-20-percent-of-android-apps-steal-private-data/47994
About one in five (20 percent) of the third-party Android apps available through its marketplace can steal and share private user data, researchers said Tuesday. Akin to spyware, the apps can place calls and send text messages without the owner’s knowledge. As a result of the growth of smartphones and their associated stores, “applications are currently available that have the potential to cause serious harm to devices, customers and to the broader cellular network,” said Daniel V. Hoffman, technology chief for SMobile Systems, an Android security vendor. The report, although to be taken with a grain of salt because of its source, does cause Apple fans to reconsider their opposition to Cupertino’s oft-criticized app approval methods.
“Dozens of these Android apps — and don’t forget, there are 48,000 Android apps in all, with just under 10,000 risky ones — are able to access the kind of data that spyware likes to grab,” according to a Computerworld blog.
News item 5: http://www.computerworld.com/s/article/9178498/Senate_committee_approves_controversial_cybersecurity_bill
A U.S. Senate committee has approved a wide-ranging cybersecurity bill that some critics have suggested would give the U.S. president the authority to shut down parts of the Internet during a cyberattack.
Senator Joe Lieberman and other bill sponsors have refuted the charges that the Protecting Cyberspace as a National Asset Act gives the president an Internet “kill switch.” Instead, the bill puts limits on the powers the president already has to cause “the closing of any facility or stations for wire communication” in a time of war, as described in the Communications Act of 1934, they said in a breakdown of the bill published on the Senate Homeland Security and Governmental Affairs Committee Web site.
The committee unanimously approved an amended version of the legislation by voice vote Thursday, a committee spokeswoman said. The bill next moves to the Senate floor for a vote, which has not yet been scheduled.
The bill, introduced earlier this month, would establish a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, which would work with private U.S. companies to create cybersecurity requirements for the electrical grid, telecommunications networks and other critical infrastructure.
[podcast]http://www.isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 160.mp3[/podcast]
ISD Podcast Episode 160 for June 25, 2010.
In a talk at the hacker conference SummerCon last Friday, researcher Jon Oberheide gave a demonstration of just how easy it may be to infect large numbers of phones running Google’s Android OS with hidden software that turns the devices into a zombie-like “botnet” under the control of a cybercriminal–particularly if that software associates itself with a phenomenon as popular and tween-entrancing as the upcoming Twilight Eclipse film.
Oberheide focused on what may be a serious security weakness in Android’s App Market: that apps don’t have to ask permission from a user to fetch new executable code. Even after an app has been approved for downloads in Google’s market, Oberheide says, it can still metamorphose at will into a much less friendly program.
Oberheide, who works for security startup Scio Security, developed an application called “RootStrap” to demonstrate that trust problem for Android apps. After it’s installed, Rootstrap periodically “phones home” to check for any new code that Oberheide wants to add to the program, including any hidden control program or “rootkit” that he wished to install–hence the program’s name. “This is probably the most effective way to build a mobile botnet,” Oberheide told SummerCon’s audience of hackers and security researchers.
News item 2: http://www.theregister.co.uk/2010/06/24/google_lifts_two_apps_from_android/
Google has reached out over the airwaves and removed a pair of applications from users’ Android phones, saying the two apps violated its terms of service.
Like Apple, Google has a “kill switch” that allows it to remotely remove mobile apps that have already been installed by end users. The tool is mentioned in the terms and conditions for Google’s app store, the Android Market, as the press noticed when the store debuted.
In a Wednesday blog post, Google confirmed the existence of its “Remote Application Removal Feature” and said it had recently exercised this tool after discovering two apps that “intentionally misrepresented their purpose in order to encourage user download.”
According to the company, users are notified when apps are removed. In this case, Google removed two free applications built by a security researcher. According to the company, the apps were used for research purposes. “They were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.”
Google insists that the tool will only be used for good. “The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications,” the company said. “In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed.”
An alleged hacker who declined a 2-year plea deal is facing decades behind bars after federal authorities Thursday added multiple charges, including possession and distribution of child pornography.
Barry Ardolf, 45, of Blaine, Minnesota, had rejected a plea deal in connection to charges accusing him of sending Vice President Joe Biden a threatening e-mail from his neighbor’s computer, a computer he is accused of hacking. The decision to reject the offer, his lawyer said Monday, “was a difficult one.”
A federal grand jury substantially upped the ante against the computer technician Thursday, ringing him up on additional charges of identity theft and two kiddie-porn accusations carrying lifetime sex-offender registration requirements. The authorities said he faces a maximum 20 years for the alleged porn distribution, 10 years for the porn-possession charge and five years each for the two hacking charges. Ardolf maintains his innocence, and federal judges are not bound by sentencing guidelines.
News item 4: http://infoworld.com/d/networking/googles-street-view-wi-fi-data-included-passwords-email-679
Wi-Fi traffic intercepted by Google’s Street View cars included passwords and email, according to the French National Commission on Computing and Liberty (CNIL). CNIL launched an investigation last month into Google’s recording of traffic carried over unencrypted Wi-Fi networks, and has begun examining the data Google handed over as part of that investigation.
Google revealed on May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks. Google’s intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates, the company said. However, the software it used to record that information went much further, intercepting and storing data packets too. At the time, Google said it only collected “fragments” of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just “fragments” of personal data.
“It’s still too early to say what will happen as a result of this investigation,” CNIL said Thursday.
“However, we can already state that Google did indeed record email access passwords [and] extracts of the content of email messages,” CNIL said.
Data protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted, it said.
The breach affected members who had pending insurance applications in an Anthem system that allows users to track the status of their application online.
Anthem spokesperson Cynthia Sanders said the information was accessed briefly, primarily by attorneys seeking information for a class-action lawsuit against the insurer. Sanders said Anthem sent the letters out of “an abundance of caution,” adding that it is unclear how many records were viewed.
News item 6: https://www.eff.org/https-everywhere
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
Some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser’s lock icon is broken or carries an exclamation the user remains vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort required to monitor browsing should still be usefully increased.
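To make the two points above concrete, here is an added example (not the extension's own code, and not the EFF's rule format) of an HTTPS-upgrade rewriter: a constructed ruleset lists hosts known to serve the same content over HTTPS, an exclusion pattern keeps a legacy path on plain HTTP, and after rewriting a constructed page the script reports which third-party subresources still load over HTTP and would therefore leave the lock icon broken. All hostnames and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset (assumption): hosts that serve identical content over HTTPS.
HTTPS_CAPABLE = {"example-bank.test", "www.example-bank.test", "cdn.example-bank.test"}

# Constructed exclusions (assumption): paths that break over HTTPS and must stay on HTTP.
EXCLUSIONS = [re.compile(r"^http://www\.example-bank\.test/legacy/")]

# Matches the src/href attribute of any tag so the tag name is known (a vs. img/script/link).
TAG_URL = re.compile(r'<(\w+)\b([^>]*?)\s(src|href)=(["\'])([^"\']+)\4', re.IGNORECASE)


def rewrite_url(url):
    """Return the https:// form of an http:// URL when the host is in the ruleset.

    Leaves the URL alone for https://, relative or non-http URLs, unknown hosts,
    excluded paths, and non-default ports (we cannot assume TLS is spoken there).
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if parts.hostname not in HTTPS_CAPABLE or parts.port not in (None, 80):
        return url
    if any(pat.match(url) for pat in EXCLUSIONS):
        return url
    # Drop the explicit :80 (if any) since HTTPS uses 443 by default.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


def rewrite_html(html):
    """Rewrite every src/href in the page through rewrite_url, as the extension does per request."""
    def repl(m):
        tag, attrs, attr, quote, url = m.groups()
        return f"<{tag}{attrs} {attr}={quote}{rewrite_url(url)}{quote}"
    return TAG_URL.sub(repl, html)


def mixed_content(html):
    """Subresources (anything except navigation <a> links) still fetched over plain HTTP.

    Any entry here is what the passage calls out: content the rewriter cannot upgrade,
    so the browser shows a broken or warning lock and an active attacker can still interfere.
    """
    return [m.group(5) for m in TAG_URL.finditer(html)
            if m.group(1).lower() != "a" and m.group(5).lower().startswith("http://")]


# Constructed sample page (assumption): a first-party site that defaults to HTTP and pulls
# in two third-party resources that are not available over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example-bank.test/site.css">
<script src="http://analytics.third-party.test/track.js"></script>
</head><body>
<a href="http://www.example-bank.test/login">Log in</a>
<a href="http://www.example-bank.test/legacy/statement">Old statements</a>
<img src="http://www.example-bank.test/logo.png">
<img src="http://ads.third-party.test/banner.png">
</body></html>"""


if __name__ == "__main__":
    upgraded = rewrite_html(SAMPLE_PAGE)
    print(upgraded)
    print("Still over HTTP (breaks the lock):", mixed_content(upgraded))
```

Running it shows the first-party stylesheet, login link and logo upgraded to HTTPS while the two third-party resources remain on HTTP and are listed as the residual exposure.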
News item 7: http://news.bbc.co.uk/2/hi/technology/10349001.stm
Security experts have found that many of the kits used by cyber criminals are riddled with bugs and vulnerabilities. Exploiting the bugs might mean that the attack tools can be turned against those using them. The bugs found by the researchers could be used to identify who is using the tools and even launch a counter-attack.
While some cyber criminals handcraft their own attack tools, many others take advantage of the so-called malware kits that are widely available online. These programs bundle into one convenient package everything the budding cyber criminal needs to get started. French computer security researcher Laurent Oudot from Tehtri Security has analysed the inner workings of many of these malware kits to see how secure they are. Mr Oudot found that many of the kits, which have names such as Neon, Eleonore and Sniper, sport significant loopholes that are relatively easy to exploit. In a presentation at the SyScan 2010 security conference in Singapore, Mr Oudot released details of 13 separate unpatched vulnerabilities he found in some of the most popular malware kits used to attack websites. In many cases, said Mr Oudot in his presentation, exploiting these vulnerabilities would allow security researchers to “hack the web hackers”. http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0423.html (TEHTRI-Security released 13 0days against web tools used by evil attackers)
[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 159.mp3[/podcast]
ISD Podcast Episode 159 for June 24, 2010.
The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Internet on behalf of the U.S. government, has in the past resisted creating a .xxx generic domain name system akin to those for .com and .net.
It has in recent years repeatedly rejected a request by U.S. company ICM Registry Inc. to sign off on the .xxx domain. But members of ICANN’s board have argued that in order to maintain neutrality in dealing with domain name assignations, it should create .xxx and allow websites with sexually explicit content to start using the suffix on a voluntary basis.
“If expedited due diligence results are successful, then staff will proceed into contract negotiations with ICM (over .xxx),” ICANN’s general counsel John Jeffrey told delegates at a week-long ICANN meeting in Brussels on Thursday.
Online pornography is a vast industry. Figures collated by Internet Pornography Statistics suggest more than $3,000 is spent on Internet pornography every second, with “sex” the number one search term in the world, accounting for 25 percent of all Internet searches.
With an estimated 370 million pornographic websites on the Internet, .xxx could become one of the largest domain name repositories, as big if not bigger than .com.
San Francisco is set to be the first city in the US to require mobile phone retailers to post radiation levels next to handsets they sell. The board of supervisors, or council, voted 10-1 to approve the measure, with final approval expected next week.
“This is about helping people make informed choices,” said the law’s chief sponsor, Supervisor Sophie Maxwell.
The mobile phone industry said studies showed cell phone radiation was not harmful to people. The Federal Communications Commission has adopted limits that set out safe exposure to these kinds of emissions. The measurement defines the amount of radio waves that people can safely absorb into their bodies when talking on a mobile phone. Some researchers have claimed such emissions can be linked to cancer and brain tumours but there remains little scientific consensus on the matter.
“This is not about discouraging people from using their cell phones,” said Tony Winnicker, spokesman for San Francisco Mayor Gavin Newsom, who has said he will sign the legislation into law.
News item 3: http://www.wired.com/dangerroom/2010/06/darpa-taking-fire-for-its-cyberwar-range/
Two years ago, the White House and the Pentagon launched a massive, secretive $17 billion effort to shore up the nation’s defenses, and assigned Darpa a crucial role: build a replica Internet – a “National Cyber Range” – that could not only be used to test out information attacks, but could “emulate human behavior on all nodes,” as well.
The project, personally guided by then-director Tony Tether, was supposed to be one of the most important in Darpa’s history, on par with the agency’s missions at the dawn of the space race. “Congress has given Darpa a direct order; that’s only happened once before – with the Sputnik program in the ’50s,” one defense official told Danger Room. The New York Times went even further, breathlessly proclaiming that “the Cyber Range is to the digital age what the Bikini Atoll – the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb – was to the nuclear age.”
But now, some in the armed services are grumbling that Darpa isn’t working quickly enough on this all-important, $130 million mission. A few agencies are even looking to build their own ranges, Aviation Week reports.
“The services didn’t want to wait around for Darpa,” a senior official tells the magazine. “Everybody wanted a range, but Darpa’s program was a 6-to-7-year effort to put a national cyber range in place. That’s why support eroded. Everybody wanted it quicker.” The Navy, the National Security Agency, and the Air Force are all pursuing ersatz Internet programs, according to AvWeek.
News item 4: http://www.tampabay.com/news/courts/criminal/article1104151.ece
A woman who was accused of setting a fire at her office to get off work early pleaded guilty to a lesser charge this week. Pasco sheriff’s investigators said Michelle Perrino, 40, started a fire at Bayonet Point Oxygen on May 12, 2009. Perrino drew suspicion when she mentioned the fire’s origin — a filing cabinet — during an employee meeting. Employees had not been told where the fire started. Sheriff’s reports also quoted Perrino’s friend, who said she told him she also tripped the main breaker for the office building so it would lose power and adjusted the phones so no calls could come in, all so she would be sent home from work early with pay.
News item 5: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=225700674
The biggest vulnerabilities in the enterprise might be items we see every day — and just don’t think about. Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren’t computers. Paper documents. Passwords posted in plain view. Portable storage devices.
Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.
“Peripheral devices on the network may have capabilities the business doesn’t know of,” says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. “And those capabilities can create security vulnerabilities.”