2010
06.30

InfoSec Daily Podcast

 
ISD Podcast Episode 163 for June 30, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Atlanta, GA – July 12th-16th
    • Dallas, TX – October 11th – 15th
    • Washington, DC – December 6th – 10th
    • Cost is $3500 for each class. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

Kentuckiana ISSA Meeting:
July 9th from 11:30 AM to 1:00 PM at Sullivan University.
http://www.issa-kentuckiana.org/index.php?option=com_content&view=article&id=13&Itemid=13

Ohio Information Security Forum:
Event Date: July 10th, 2010
Location: SCC Research Park, Auditorium
Time: 8:30AM-5:30PM



Friends of the Podcast:

Webhosting services: WebSpeedway

Corrections:

Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the drives using a variety of dictionary-based attacks failed, even after Brazilian investigators called in the assistance of the FBI.

The files were encrypted using TrueCrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas could be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.

The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning the job over to code-breakers at the FBI in early 2009. US computer specialists also drew a blank, even after 12 months of effort to crack the code, Brazil’s O Globo newspaper reports.


News item 2: http://th3j35t3r.wordpress.com/2010/06/30/unredacted-original-interview-with-die-welt-english/?utm_source=Jester%27s+Court+Blog
th3j35t3r has posted an English transcript of the interview he gave to the German newspaper Die Welt. From the article:

A mysterious hacker has for months been successfully hunting Islamist websites. He calls himself the “Joker”, and hardly any website on which radical Islamists spread their propaganda is safe from him. Fearing revenge, the man will not give his name or otherwise disclose anything about his identity.

The hacker’s most prominent victims are the Libyan dictator Muammar al-Gaddafi and the Taliban. On 14 June this year the “Joker” attacked the official Taliban website for the umpteenth time.

“Power off for 30 minutes, for inciting young Muslims online to violent jihad”, was the hacker’s verdict, which he trumpeted on Twitter. At the end of February the “Joker” announced that he had hacked the website of the Libyan leader Gaddafi and taken it offline for an hour. The reason, the hacker wrote, was Gaddafi’s “call for jihad against Switzerland”.

News item 3:  http://nanocr.eu/2010/06/27/googles-mismanagement-of-the-android-market/
Earlier this week, CNET ran an article critical of the permission model of the Android Market. Google’s response to the criticism was that “each Android app must get users’ permission to access sensitive information”. While this is technically true, one should not need a PhD in Computer Science to use a smartphone. How is a consumer supposed to know exactly what the permission “act as an account authenticator” means? The CNET opinion piece “Is Google far too much in love with engineering?” is quite relevant here.

Google does far too little curation of the Android Market, and it shows. Unlike Apple’s App Store, the Android Market has few high quality apps. A study by Larva Labs (the developers of the excellent Slidescreen app) estimates that Apple has paid out 50 times more money to developers than Google has. While the Android Market is available in 46 countries, developers can only offer paid apps in 13 countries (for instance, Canada has only had access to paid apps since March 2010). In addition, the price for foreign apps is not displayed in the user’s local currency and developers do not have the option of customizing pricing by country.

The music downloading app “Tunee” (one of many such apps) is one of the Top Free apps in the Multimedia category with more than 250k downloads. While some would dishonestly try to pretend that such apps are meant for downloading public domain classical music, the developers of Tunee are very clear about their intent. A screenshot in the link above shows copyrighted music by the band Muse (Warner Music Group) being illegally downloaded.

These apps are damaging to companies that are building legitimate Android music apps (e.g Rdio, Spotify and MOG), not to mention Amazon whose MP3 store comes bundled with most Android phones in the U.S. Is Google’s strategy to turn a blind eye to illegal music downloading until they launch their own music store?

News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” with Complexity:
Distribute security mechanisms
Security checks should be designed so that they are as distributed as possible throughout the codebase. Try not to follow a consistent pattern and don’t make it easy to find all the places where the mechanism is used. This will virtually ensure that security is implemented inconsistently.

Spread the wealth
Another great way to avoid being found is to make sure your security holes aren’t located in one place in your code. It’s very difficult for analysts to keep all of your code in their head, so by spreading out the holes you prevent anyone from finding or understanding them.

Use dynamic code
The single best way to make it difficult for a security analyst (or security tool for that matter) to follow through an application and uncover a flaw is to use dynamic code. It can be almost impossible to trace the flow through code that is loaded at runtime. Features like reflection and classloading are beautiful features for hiding vulnerabilities. Enable as many “plugin” points as possible.
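The three tips above describe the same failure from the defender's side: if a check is re-implemented in every handler, one of them will differ and one will be missing, and nobody can tell which by reading. The block below is an added example, not OWASP's code: the scattered-checks anti-pattern beside a single enforcement point, plus an audit over the live handler registry that reports any handler that escaped the check. Running the audit over the registry rather than over the source is what keeps dynamically loaded handlers from hiding. The handler names, roles and Request shape are made up for illustration.

```python
# Added example (not OWASP's code): the "distributed checks" anti-pattern the page
# describes, beside a single enforcement point plus an audit that finds handlers
# which escaped it. Handler names, roles and the Request shape are made up.
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Set


@dataclass
class Request:
    user: str
    roles: Set[str] = field(default_factory=set)


# --- Anti-pattern: every handler re-implements the check in its own way -----
def list_invoices(req: Request) -> str:
    if "admin" in req.roles or "billing" in req.roles:      # variant 1
        return "invoices"
    return "forbidden"


def export_invoices(req: Request) -> str:
    if req.user == "root" or "billing" in req.roles:        # variant 2, subtly different
        return "export"
    return "forbidden"


def delete_invoices(req: Request) -> str:
    return "deleted"    # variant 3: the check was simply forgotten, and nothing notices


SCATTERED: Dict[str, Callable[[Request], str]] = {
    "list": list_invoices, "export": export_invoices, "delete": delete_invoices,
}

# --- Counter-pattern: one policy function, one decorator, one registry -------
ROUTES: Dict[str, Callable[[Request], str]] = {}


def requires(*roles: str):
    """Single authorization check; every protected handler goes through here."""
    def deco(fn):
        @wraps(fn)
        def guarded(req: Request) -> str:
            if not (set(roles) & req.roles):
                return "forbidden"
            return fn(req)
        guarded.__protected__ = True      # marker the audit looks for
        return guarded
    return deco


def route(name: str):
    def deco(fn):
        ROUTES[name] = fn
        return fn
    return deco


@route("list")
@requires("admin", "billing")
def list_invoices_v2(req: Request) -> str:
    return "invoices"


@route("export")
@requires("billing")
def export_invoices_v2(req: Request) -> str:
    return "export"


@route("delete")                  # @requires forgotten here too ...
def delete_invoices_v2(req: Request) -> str:
    return "deleted"


def unguarded_routes(routes: Dict[str, Callable] = ROUTES) -> Set[str]:
    """Audit over the live registry (so dynamically loaded handlers are seen too):
    any registered handler without the @requires marker is a finding."""
    return {name for name, fn in routes.items()
            if not getattr(fn, "__protected__", False)}


if __name__ == "__main__":
    print("unguarded:", unguarded_routes())        # {'delete'}
```

The scattered version has no equivalent of `unguarded_routes()`: there is nothing to enumerate and no marker to look for, so the missing check in `delete_invoices` is only found by reading every handler. With one decorator there is one place to review the policy and one query that lists the exceptions.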

News item 5: http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/fbi-investigating-possible-dshs-hacker/
The FBI is investigating whether a hacker broke into the Texas confidential cancer registry, possibly holding personal information and medical records hostage.

Texas Health and Human Services Commissioner Tom Suehs says Texas health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom. Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don’t believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen. But if the FBI determines private records were revealed, Suehs says, health officials will quickly notify the people listed in the registry.

“This is an incident that makes everybody’s antennas go a little bit higher, and I’m using it as an opportunity to elevate our awareness of our responsibility to protect information,” Suehs says. “Nothing is 100-percent secure. But I think [most of] our systems, our processes, worked. And that’s the positive thing.”

The security scare comes at a sensitive time for Texas’s health agencies, which are making plans to exchange Texas medical records electronically and expect an influx of federal dollars to help do it. Privacy advocates are already nervous about whether Texas has the technology safeguards to keep these records out of hackers’ hands.

News item 6: http://www.eweek.com/c/a/Security/Google-Moves-Encrypted-Web-Search-668624

Google has moved the encrypted version of its search engine to a new web address. Though the old URL (https://www.google.com) still works, Google announced that it has launched encrypted.google.com in a nod to school administrators who have been blocking encrypted search for their students.

Google had recently launched a beta version of encrypted (SSL) search at https://www.google.com “to prevent people from intercepting our users’ search terms and results”. A side effect of blocking encrypted search at that address is that it also blocks other services hosted on the same secure URL, such as Google Apps; giving encrypted search its own hostname lets administrators block it without blocking those services.

2010
06.29

Episode 162 – .org TLD, VeriSign, IPv6 & UATester

InfoSec Daily Podcast

 
ISD Podcast Episode 162 for June 29, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements and Friends of the Podcast: as listed under Episode 163 above.

Corrections:

Stories of Interest:
News item 1:  http://www.esecurityplanet.com/features/article.php/3889356/Org-Signed-for-DNSSEC.htm
The .org top-level domain (TLD) has now been signed with Domain Name System Security Extensions (DNSSEC), marking a significant milestone in better securing key elements of the Internet against security vulnerabilities. The move toward securing the .org registry with DNS security started back in September 2008, following the Kaminsky DNS flaw disclosure.

The .org TLD is now the first major generic TLD to be secured with DNSSEC, providing its domain holders with the potential to cryptographically ensure the integrity of DNS information. The signing of the .org domain comes ahead of the final signing of the root zone for the Internet, which is set for July.

While the .org domain space is now signed, it’s now up to individual domain registrars that sell and maintain .org domains to implement DNSSEC for their respective customers.

The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While Alexa Raad, CEO of the Public Interest Registry, did not provide a specific figure as to the cost of DNSSEC implementation, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million dollar effort. But Raad noted that the cost isn’t going to be passed on by .org to domain registrars.

“This was not a commercial motivation for us, but rather more of a public interest motivation,” Raad said. “We’re not passing on any costs — we’re absorbing the cost.” While DNSSEC as a technology has been around for years, the need for it accelerated after vulnerabilities like the Kaminsky DNS flaw came to light. “Up until the Kaminsky bug, there was skepticism about the necessity for DNSSEC,” Raad said. “That bug put a stop to that very quickly.”
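A signed TLD only helps a .org holder once the registrar publishes the DS record and the client side validates. The quickest way to see whether that has happened for a given name is to read a `dig +dnssec` answer: a validating resolver sets the AD (authenticated data) flag and returns the RRSIG records alongside the data, while a name that fails validation comes back as SERVFAIL with no AD flag. The block below is an added example, not from the article or from PIR/Afilias: it parses that answer text. Both dig transcripts inside it are constructed samples; real output carries different TTLs, key tags and signatures.

```python
# Added example, not from the article: decide from a `dig +dnssec` answer whether the
# resolver returned validated data for a .org name. Both dig transcripts below are
# constructed samples; real TTLs, key tags and signatures will differ.
import re
from typing import Dict, Optional

VALIDATED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tA\t192.0.2.10
example.org.\t3600\tIN\tRRSIG\tA 7 2 3600 20100801000000 20100701000000 4242 example.org. c29tZXNpZw==
"""

# What a validation failure looks like to the client: SERVFAIL, no AD, no answer.
FAILED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def dnssec_status(dig_text: str) -> Dict[str, object]:
    """Summarise the DNSSEC-relevant parts of a dig answer.

    validated is True only when the resolver said NOERROR, set the AD flag, and
    returned at least one RRSIG in the answer section."""
    status_m = re.search(r"status: (\w+)", dig_text)
    flags_m = re.search(r"^;; flags: ([^;]*);", dig_text, re.M)
    status: Optional[str] = status_m.group(1) if status_m else None
    flags = set(flags_m.group(1).split()) if flags_m else set()
    marker = ";; ANSWER SECTION:"
    answer = dig_text.split(marker, 1)[1] if marker in dig_text else ""
    covered = set(re.findall(r"\sIN\s+RRSIG\s+(\w+)", answer))   # RR types signed
    return {
        "status": status,
        "ad": "ad" in flags,
        "rrsig_covers": covered,
        "validated": status == "NOERROR" and "ad" in flags and bool(covered),
    }


if __name__ == "__main__":
    print(dnssec_status(VALIDATED_SAMPLE))
    print(dnssec_status(FAILED_SAMPLE))
```

Two caveats a practitioner should keep in mind. The AD flag is an assertion by the resolver, carried over an unauthenticated path from resolver to stub, so it means something only if you trust the resolver and the network between you and it. And a SERVFAIL from a validating resolver is ambiguous on its own; querying again with `dig +cd` (checking disabled) tells you whether the data is reachable at all or whether validation is what rejected it.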
News item 2: http://bit.ly/b3tUGN
VeriSign and one of its partners have come under fire for publicly exposing web pages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.

According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages (two are linked in the article) needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations’ security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.

What’s more, Abdulhayoglu pointed to a publicly available page provided by VeriSign partner Getronics.nl of the Netherlands. It allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages, like the one captured in the article, which provide buttons for revoking, renewing, and replacing the digital certificate.
News Item 3: http://www.wired.co.uk/news/archive/2010-06/18/huge-privacy-flaw-found-in-vpn-systems

More and more people have attempted to preserve their privacy by signing up for VPN services like the Pirate Bay’s Ipredator and Pirate Party offering Relakks. But it turns out that there’s a gaping security flaw in these services that allows individual users to be identified. The finding was announced at the Cipher conference in Sweden. The flaw is caused by a combination of IPv6, which is a new internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. IPv6 is enabled on many computers, and you may well be using it without realizing.
The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to their connection broadcasting information that can be used to identify them. It’s also relatively easy to find a MAC address (which identifies a particular device) and a computer’s name on the network that it’s on.

It’s possible to re-hide yourself by switching IPv6 off and going back to IPv4, but that does mean losing the benefits that it offers. It’s most dangerous because many users aren’t aware of the issue, so it’s likely that administrators of VPN networks may end up having to warn their users, and offer instructions on how to turn off IPv6. It’s thought that the Swedish anti-piracy bureau could already be gathering data using the exploit.

One alternative to PPTP is OpenVPN, which offers a number of advantages, especially as it’s free and open-source. It’s more secure than PPTP, and more stable too, though it doesn’t run natively on mobile devices and isn’t quite as easy to set up on a computer, especially older machines. OpenVPN also has the advantage that it’s often not blocked in countries where PPTP systems are.
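The article says the leak reveals the user's IP address and, with a little more work, a MAC address, but not how. The general mechanism is that a PPTP client tunnels only IPv4, so any IPv6 traffic the host generates leaves outside the tunnel, and several common kinds of IPv6 address carry exactly that identifying information inside them: 6to4 and Teredo transition addresses embed the host's public IPv4 address, and SLAAC addresses built from the NIC's MAC embed it as a modified EUI-64 interface identifier. The block below is an added example, not from the article or the Cipher presentation, showing what an observer recovers from such an address. Which address types actually leaked in the Swedish finding is an assumption here; the sample addresses are constructed.

```python
# Added example, not from the article: what an observer can recover from an IPv6
# address that escaped a PPTP tunnel. The article does not say which address types
# leaked; transition (6to4/Teredo) and EUI-64 addresses are the general case shown
# here, and the sample addresses are constructed.
import ipaddress
from typing import Dict, Optional


def embedded_ipv4(addr: str) -> Optional[str]:
    """6to4 (2002:<v4>::/48) and Teredo (2001:0::/32) addresses carry the host's
    public IPv4 address; ipaddress decodes both (Teredo's client address is
    stored XOR 0xffffffff, which the module undoes)."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:
        return str(ip.sixtofour)
    if ip.teredo is not None:
        _server, client = ip.teredo
        return str(client)
    return None


def mac_from_eui64(addr: str) -> Optional[str]:
    """SLAAC addresses derived from a MAC put it in the interface ID as modified
    EUI-64: the universal/local bit is flipped and ff:fe is inserted in the middle.
    Returns None when the interface ID is not EUI-64 (e.g. RFC 4941 privacy addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def leak_report(addr: str) -> Dict[str, Optional[str]]:
    """Everything identifying that one leaked address gives away."""
    return {"address": addr, "ipv4": embedded_ipv4(addr), "mac": mac_from_eui64(addr)}


if __name__ == "__main__":
    for sample in ("2002:c000:0204::1",                      # 6to4, constructed
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo, RFC 4380 style
                   "fe80::21a:2bff:fe3c:4d5e"):              # EUI-64 from a made-up MAC
        print(leak_report(sample))
```

Privacy extensions (RFC 4941) defeat the MAC recovery but not the IPv4 leak, since a Teredo or 6to4 prefix is still the prefix. The fix the article gives, turning IPv6 off, works because the PPTP client then has nothing to leak; a less drastic check while the VPN is up is to confirm the host has no IPv6 default route and no Teredo or 6to4 interface active.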
News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
In the interest of ensuring that there will be a future for hackers, criminals, and others who want to destroy the digital future, this web page captures tips from the masters on how to create insecure code.

General Principles

Avoid the tools
If you want to ensure vulnerabilities, simply make them difficult for automated tools to find. This is a lot easier than it sounds. All you have to do is make sure your vulnerabilities don’t match anything in the tool’s database of signatures.

Always use default deny
Apply the principle of “Default Deny” when building your application. Deny that your code can ever be broken, deny vulnerabilities until there’s a proven exploit, deny to your customers that there was ever anything wrong, and above all – deny responsibility for flaws. Blame the dirty cache buffers.

Be a shark
Always be on the move. Leave security problems to operations staff.

News item 5: http://www.mail-archive.com/ibm-main@bama.ua.edu/msg118853.html
The Guardia Civil have arrested three managers of a company that sold customized software for small and medium enterprises containing “controlled errors” programmed to make it fail on a predetermined date. The company sold the poisoned software to more than 1,000 customers in Spain, according to Guardia Civil sources. The scam ran from about 1998 and consisted of introducing “logic bombs” into the software they distributed, which paralysed the normal functioning of the business and forced customers to contact technical support, with the consequent economic loss. Users who had not contracted for the support service were charged for the repair, had another “controlled error” introduced for a new date, and were advised to contract the support service.

News item 6: http://threatpost.com/en_us/blogs/critical-pdf-reader-patch-fixes-launch-command-attack-vector-062910

Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks.

The update, which affects Adobe Reader/Acrobat 9.3.2 (and earlier versions), includes a fix for the outstanding PDF “/Launch” functionality social engineering attack vector that was disclosed by researcher Didier Stevens.

As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.  The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

According to Adobe, the newest version includes changes to resolve the misuse of this command.

“We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.” More information on the security-related improvements in this update can be found in Adobe’s accompanying blog post.
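The /Launch trick needs no memory-corruption bug, so signature-based scanning for shellcode will not catch it; what a triage tool can look for is the action itself. The block below is an added example, not Adobe's code and not Didier Stevens' pdf-parser: a byte-level scan that counts the action names worth a second look and pulls the target of any /Launch action. It handles the one evasion that defeats a naive grep, the `#xx` hex escape inside PDF names (`/L#61unch` is the same name as `/Launch`). The PDF inside it is a constructed, inert sample whose target is a placeholder; real files may also keep objects inside compressed streams, which this scan does not decompress.

```python
# Added example, not Adobe's or Didier Stevens' code: a small triage scanner for the
# /Launch action the patch blocks. The PDF below is a constructed, inert sample
# (its target is a placeholder); real files may also hide names in compressed
# object streams, which this byte-level scan does not decompress.
import re
from typing import Dict, List

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F (example.exe) /P (/c echo constructed) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that make a PDF do something when opened rather than just render.
SUSPICIOUS = [b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/EmbeddedFile"]


def normalize_names(data: bytes) -> bytes:
    """PDF names may spell any character as #xx; decode so /L#61unch == /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Count suspicious names and extract /Launch targets from raw PDF bytes."""
    norm = normalize_names(data)
    # Negative lookahead keeps /JS from matching inside a longer name such as /JSx.
    hits = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z0-9])", norm))
            for n in SUSPICIOUS}
    targets: List[str] = [t.decode("latin-1") for t in
                          re.findall(rb"/Launch.*?/F\s*\(([^)]*)\)", norm, re.S)]
    return {"hits": hits, "launch_targets": targets, "flag": hits["/Launch"] > 0}


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A /Launch hit is a reason to open the file in a tool that parses objects properly, not proof of malice on its own; the pairing with /OpenAction (run on open, no click needed) is what turns a curiosity into a priority. The scan deliberately works on the raw bytes so it can run over a mail queue without a PDF library.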

Tools:

  • UATester Alpha – Chris John Riley’s tool, designed to automatically check a given URL using a list of standard and non-standard User-Agent strings provided by the user.

root@bt:~# python UAtester_0.8.py -u http://www.jpmc.com


_/    _/  _/_/_/_/       _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/
_/    _/  _/    _/          _/    _/       _/          _/    _/       _/    _/
_/    _/  _/_/_/_/  _/_/_/  _/    _/_/_/   _/_/_/_/    _/    _/_/_/   _/_/_/_
_/    _/  _/    _/          _/    _/             _/    _/    _/       _/    _/
_/_/_/_/  _/    _/          _/    _/_/_/_/ _/_/_/_/    _/    _/_/_/_/ _/      _/

_/ User-Agent Tester
_/ ChrisJohnRiley
_/ blog.c22.cc

[ ] Performing initial request and confirming stability

[-] URL (ENTERED)  : http://www.jpmc.com
[-] RESPONSE CODE  : (200, 'OK')
[-] DATE           : Tue, 29 Jun 2010 22:16:39 GMT
[-] CONTENT-TYPE   : text/html
[-] SERVER         : Apache/2.0.52 (CentOS)
[-] LENGTH         : 901
[-] DATA           : 888e04340e02e9405585c5279d3c468a

[ ] First Pass   :  . . . .
[ ] Second Pass  :  . . . .
[ ] Third Pass   :  . . . .

[-] URL appears stable
[ ] Beginning test

[ ] Using DEFAULT User-Agent Strings

[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)','Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection

[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection

[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection

[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection

[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection

[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection

[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection

[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection

[ ] User-Agent String :
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection

[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection

[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection

[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection

[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection

[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection

[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection

[ ] User-Agent String : paros
[*] All Results returned match the reference connection

[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection

[ ] User-Agent String : brutus
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[*] All Results returned match the reference connection

[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection

[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[*] All Results returned match the reference connection

python UAtester_0.8.py -u https://www.chase.com

_/    _/  _/_/_/_/       _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/
_/    _/  _/    _/          _/    _/       _/          _/    _/       _/    _/
_/    _/  _/_/_/_/  _/_/_/  _/    _/_/_/   _/_/_/_/    _/    _/_/_/   _/_/_/_
_/    _/  _/    _/          _/    _/             _/    _/    _/       _/    _/
_/_/_/_/  _/    _/          _/    _/_/_/_/ _/_/_/_/    _/    _/_/_/_/ _/      _/

_/ User-Agent Tester
_/ ChrisJohnRiley
_/ blog.c22.cc

[ ] Performing initial request and confirming stability

[-] URL (ENTERED)  : https://www.chase.com
[-] RESPONSE CODE  : (200, 'OK')
[-] DATE           : Tue, 29 Jun 2010 23:07:16 GMT
[-] CONTENT-TYPE   : text/html
[-] SERVER         : JPMC1.0
[-] LENGTH         : 23437
[-] DATA           : c1bf535b0121c3a602b445d0ef5fa549

[ ] First Pass   :  . . . .
[ ] Second Pass  :  . . . .
[ ] Third Pass   :  . . . .

[-] URL appears stable
[ ] Beginning test

[ ] Using DEFAULT User-Agent Strings

[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)','Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection

[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection

[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection

[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection

[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection

[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection

[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection

[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection

[ ] User-Agent String :
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection

[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection

[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection

[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection

[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection

[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection

[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection

[ ] User-Agent String : paros
[*] All Results returned match the reference connection

[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection

[ ] User-Agent String : brutus
[*] All Results returned match the reference connection

[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE  : (301, 'Moved Permanently')
[!] CONTENT-TYPE   : text/html; charset=utf-8
[!] SERVER         : Microsoft-IIS/6.0
[!] LENGTH         : 3001
[!] DATA           : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string

[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE  : (301, 'Moved Permanently')
[!] CONTENT-TYPE   : text/html; charset=utf-8
[!] SERVER         : Microsoft-IIS/6.0
[!] LENGTH         : 3001
[!] DATA           : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string

[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE  : (301, 'Moved Permanently')
[!] CONTENT-TYPE   : text/html; charset=utf-8
[!] SERVER         : Microsoft-IIS/6.0
[!] LENGTH         : 3001
[!] DATA           : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string

[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection

[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE  : (301, 'Moved Permanently')
[!] CONTENT-TYPE   : text/html; charset=utf-8
[!] SERVER         : Microsoft-IIS/6.0
[!] LENGTH         : 3001
[!] DATA           : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
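What the chase.com run shows is the whole point of the technique: four mobile User-Agent strings were redirected to a separate host on a different server stack (IIS 6.0 behind the redirect, a different server banner on the front end), which is a second attack surface that a desktop-browser crawl never sees. The block below is an added example, not UAtester's own code, of the two pieces that make such a run trustworthy: the stability pre-check (the three passes in the transcript) and the fingerprint comparison against a reference request. The fetch function is injected so the block runs offline; `fake_bank_fetch` and the mobile.example.test host are constructed stand-ins for a site that redirects mobile browsers, and `unstable_fetch` stands in for a page whose body changes on every request.

```python
# Added example, not UAtester's own code: the comparison at the heart of a
# User-Agent differential test, with the stability pre-check the transcript shows.
# `fetch` is injected so the block runs offline; fake_bank_fetch is a constructed
# stand-in for a site that redirects mobile browsers to a separate host.
import hashlib
from typing import Callable, Dict, Iterable, NamedTuple, Optional


class Response(NamedTuple):
    status: int
    url: str
    content_type: str
    server: str
    body: bytes


class Fingerprint(NamedTuple):
    status: int
    url: str
    content_type: str
    server: str
    length: int
    digest: str           # md5 of the body, as in the transcript's DATA field


Fetch = Callable[[str, str], Response]   # (url, user_agent) -> Response


def fingerprint(r: Response) -> Fingerprint:
    return Fingerprint(r.status, r.url, r.content_type, r.server,
                       len(r.body), hashlib.md5(r.body).hexdigest())


def is_stable(fetch: Fetch, url: str, ua: str, passes: int = 3) -> bool:
    """Same UA, several requests: if the fingerprint drifts (rotating ads, CSRF
    tokens, timestamps in the body) every later diff would be a false positive."""
    return len({fingerprint(fetch(url, ua)) for _ in range(passes)}) == 1


def ua_diff(fetch: Fetch, url: str, reference_ua: str,
            candidates: Iterable[str]) -> Dict[str, Optional[Fingerprint]]:
    """None = matches the reference; a Fingerprint = differing response worth a look."""
    ref = fingerprint(fetch(url, reference_ua))
    out: Dict[str, Optional[Fingerprint]] = {}
    for ua in candidates:
        fp = fingerprint(fetch(url, ua))
        out[ua] = None if fp == ref else fp
    return out


# --- constructed stand-ins for the target -----------------------------------
MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Nokia")


def fake_bank_fetch(url: str, ua: str) -> Response:
    if any(m in ua for m in MOBILE_MARKERS):
        return Response(301, "https://mobile.example.test/", "text/html; charset=utf-8",
                        "Microsoft-IIS/6.0", b"<html>moved</html>")
    return Response(200, url, "text/html", "Apache/2.0.52", b"<html>desktop</html>")


_counter = [0]


def unstable_fetch(url: str, ua: str) -> Response:
    """A page that embeds a changing token: must fail the stability check."""
    _counter[0] += 1
    return Response(200, url, "text/html", "Apache", f"<html>{_counter[0]}</html>".encode())


REFERENCE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6",
    "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ Version/3.0 Mobile Safari/419.3",
    "Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1",
]

if __name__ == "__main__":
    target = "https://www.example.test/"
    if is_stable(fake_bank_fetch, target, REFERENCE_UA):
        for ua, fp in ua_diff(fake_bank_fetch, target, REFERENCE_UA, UAS).items():
            print("[*] match" if fp is None else f"[!] differs: {fp}", "<-", ua)
```

Comparing a whole fingerprint (status, final URL, content type, server banner, length, body hash) rather than only the status code is what surfaces the interesting cases; a 200 with a different body hash is as much a finding as a redirect. Treat every differing host in the output as a new target to enumerate in its own right.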

2010
06.28

InfoSec Daily Podcast

 
ISD Podcast Episode 161 for June 28, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements and Friends of the Podcast: as listed under Episode 163 above.

Corrections:
http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/

Stories of Interest:
News item 1: http://www.google.com/hostednews/ap/article/ALeqM5hnlGg0WbQxyqIeXJ_t7-N3aCJheAD9GDV11O0
Fighting homegrown terrorism by monitoring Internet communications is a civil liberties trade-off the U.S. government must make to beef up national security, the nation’s homeland security chief said Friday. As terrorists increasingly recruit U.S. citizens, the government needs to constantly balance Americans’ civil rights and privacy with the need to keep people safe, said Homeland Security Secretary Janet Napolitano.
But finding that balance has become more complex as homegrown terrorists have used the Internet to reach out to extremists abroad for inspiration and training. Those contacts have spurred a recent rash of U.S.-based terror plots and incidents.

Underscoring her comments are a number of recent terror attacks over the past year where legal U.S. residents such as Times Square bombing suspect Faisal Shahzad and accused Fort Hood, Texas, shooter Maj. Nidal Hasan, are believed to have been inspired by the Internet postings of violent Islamic extremists. And the fact that these are U.S. citizens or legal residents raises many legal and constitutional questions.

Napolitano said it is wrong to believe that if security is embraced, liberty is sacrificed. She added, “We can significantly advance security without having a deleterious impact on individual rights in most instances. At the same time, there are situations where trade-offs are inevitable.”
News item 2: http://www.thinq.co.uk/2010/6/18/phantom-data-sent-sleeping-iphones/

Now that just about every airtime provider is rethinking its mobile data plans, with most putting an end to unlimited contracts, it looks like iPhone users are paying more attention to their bills, and in particular how much data they are using. A large number of users in the USA and here in the UK have discovered that their iPhones are apparently sending large chunks of data during the wee small hours using the 3G network.

The simple fact of the matter is – as far as we can tell – that the iPhone’s push notifications and other small transfers of data are totted up throughout the day and the total for all of those notifications is added up after dark and sent to your airtime provider while your phone is sleeping. If these tiny amounts of data were individually listed your bill would probably be the size of a telephone directory.

The reason it is using the 3G network rather than Wi-Fi is that all iPhones up to and including the 3Gs turn off Wi-Fi push functionality while the phone is in sleep mode, in order to preserve battery life. The iPhone 4, incidentally, has better power management so will not need to do this.
News item 3: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/Crypto_standard
JP Morgan Chase now reveals that starting July 18, 2010, only certain browsers will be supported. These include IE6 and higher, Firefox 2.0 and higher, and Safari 3.0 and higher (but only if used on a Mac). Google Chrome and Opera are not included in the list. IE6, a browser which now borders on silly, has several websites dedicated to its demise (www.ie6funeral.com) and several known security issues. One wonders how JP Morgan Chase came up with the list, even though their explanation indicates “There are two primary reasons—security and popularity. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. The security of your accounts and private information is one of our highest priorities and some browsers, especially older versions, are simply higher security risks to use with our site.”

What is interesting in what they write is their explanation of a Page Not Found error: “You may be using an outdated browser that we don’t support. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. We strongly recommend that you upgrade your existing browser to one that we support. We strongly recommend that you upgrade your existing browser to one that we support.” Since when did the server start giving out 404 Page Not Found when the browser is not supported? Overall, this move (and page) by JP Morgan Chase doesn’t sound like it passed through anyone in their IT security team, or for that matter, their IT Team itself.

News item 4: http://www.cultofmac.com/research-20-percent-of-android-apps-steal-private-data/47994
About one-in-five (or 20 percent) of third-party Android apps available through its marketplace can steal and share private user data, researchers said Tuesday. Akin to spyware, the apps can place calls and send text messages without the owners’ knowledge. As a result of the growth of smartphones and associated stores, “applications are currently available that have the potential to cause serious harm to devices, customers and to the broader cellular network,” said Daniel V. Hoffman, technology chief for SMobile Systems, an Android security vendor. The report, although taken with a grain of salt because of the source, does cause Apple fans to reconsider their opposition to Cupertino’s oft-criticized app approval methods.

“Dozens of these Android apps — and don’t forget, there are 48,000 Android apps in all, with just under 10,000 risky ones — are able to access the kind of data that spyware likes to grab,” according to a Computerworld blog.
News item 5:  http://www.computerworld.com/s/article/9178498/Senate_committee_approves_controversial_cybersecurity_bill
A U.S. Senate committee has approved a wide-ranging cybersecurity bill that some critics have suggested would give the U.S. president the authority to shut down parts of the Internet during a cyberattack.

Senator Joe Lieberman and other bill sponsors have refuted the charges that the Protecting Cyberspace as a National Asset Act gives the president an Internet “kill switch.” Instead, the bill puts limits on the powers the president already has to cause “the closing of any facility or stations for wire communication” in a time of war, as described in the Communications Act of 1934, they said in a  breakdown of the bill published on the Senate Homeland Security and Governmental Affairs Committee Web site.

The committee unanimously approved an amended version of the legislation by voice vote Thursday, a committee spokeswoman said. The bill next moves to the Senate floor for a vote, which has not yet been scheduled.

The bill, introduced earlier this month, would establish a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, which would work with private U.S. companies to create cybersecurity requirements for the electrical grid, telecommunications networks and other critical infrastructure.

2010
06.25

InfoSec Daily Podcast

 
ISD Podcast Episode 160 for June 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1:  http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/
A word of caution to any Android users who downloaded an app over the past weekend promising pictures of the next Twilight film: Next time, your obsession with vampires might just turn your phone into a zombie.

In a talk at the hacker conference SummerCon last Friday, researcher Jon Oberheide gave a demonstration of just how easy it may be to infect large numbers of phones running Google’s Android OS with hidden software that turns the devices into a zombie-like “botnet” under the control of a cybercriminal–particularly if that software associates itself with a phenomenon as popular and tween-entrancing as the upcoming Twilight Eclipse film.

Oberheide focused on what may be a serious security weakness in Android’s App Market: that apps don’t have to ask permission from a user to fetch new executable code. Even after an app has been approved for downloads in Google’s market, Oberheide says, it can still metamorphose at will into a much less friendly program.

Oberheide, who works for security startup Scio Security, developed an application called “RootStrap” to demonstrate that trust problem for Android apps. After it’s installed, Rootstrap periodically “phones home” to check for any new code that Oberheide wants to add to the program, including any hidden control program or “rootkit” that he wished to install–hence the program’s name. “This is probably the most effective way to build a mobile botnet,” Oberheide told SummerCon’s audience of hackers and security researchers.
News item 2:  http://www.theregister.co.uk/2010/06/24/google_lifts_two_apps_from_android/

Google has reached out over the airwaves and removed a pair of applications from users’ Android phones, saying the two apps violated its terms of service.

Like Apple, Google has a “kill switch” that allows it to remotely remove mobile apps that have already been installed by end users. The tool is mentioned in the terms and conditions for Google’s app store, the Android Market, as the press noticed when the store debuted.

In a Wednesday blog post, Google confirmed the existence of its “Remote Application Removal Feature” and said it had recently exercised this tool after discovering two apps that “intentionally misrepresented their purpose in order to encourage user download.”

According to the company, users are notified when apps are removed.  In this case, Google removed two free applications built by a security researcher. According to the company, the apps were used for research purposes. “They were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.”

Google insists that the tool will only be used for good. “The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications,” the company said. “In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed.”

News item 3: http://www.wired.com/threatlevel/2010/06/hacker-faces-decades-imprisonment/

An alleged hacker who declined a 2-year plea deal is facing decades behind bars after federal authorities Thursday added multiple charges, including possession and distribution of child pornography.

Barry Ardolf, 45, of Blaine, Minnesota, had rejected a plea deal in connection to charges accusing him of sending Vice President Joe Biden a threatening e-mail from his neighbor’s computer, a computer he is accused of hacking. The decision to reject the offer, his lawyer said Monday, “was a difficult one.”

A federal grand jury substantially upped the ante against the computer technician Thursday, ringing him up on additional charges of identity theft and two kiddie-porn accusations carrying lifetime sex-offender registration requirements. The authorities said he faces a maximum 20 years for the alleged porn distribution, 10 years for the porn-possession charge and five years each for the two hacking charges.  Ardolf maintains his innocence, and federal judges are not bound by sentencing guidelines.
News item 4:  http://infoworld.com/d/networking/googles-street-view-wi-fi-data-included-passwords-email-679
Wi-Fi traffic intercepted by Google’s Street View cars included passwords and email, according to the French National Commission on Computing and Liberty (CNIL). CNIL launched an investigation last month into Google’s recording of traffic carried over unencrypted Wi-Fi networks, and has begun examining the data Google handed over as part of that investigation.

Google revealed on May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks. Google’s intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates, the company said. However, the software it used to record that information went much further, intercepting and storing data packets too. At the time, Google said it only collected “fragments” of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just “fragments” of personal data.

“It’s still too early to say what will happen as a result of this investigation,” CNIL said Thursday.

“However, we can already state that Google did indeed record email access passwords [and] extracts of the content of email messages,” CNIL said.

Data protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted, it said.

News item 5: http://www.californiahealthline.org/articles/2010/6/24/anthem-blue-cross-says-security-breach-might-have-affected-230000.aspx
Anthem Blue Cross has sent letters informing 230,000 members that their personal information might have been accessed during a recent security breach of the company’s website, the Orange County Register reports.

The breach affected members who had pending insurance applications in an Anthem system that allows users to track the status of their application online.

Anthem spokesperson Cynthia Sanders said the information was accessed briefly, primarily by attorneys seeking information for a class-action lawsuit against the insurer. Sanders said Anthem sent the letters out of “an abundance of caution,” adding that it is unclear how many records were viewed.

News item 6: https://www.eff.org/https-everywhere
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

Some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser’s lock icon is broken or carries an exclamation the user remains vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort required to monitor browsing should still be usefully increased.
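The request-rewriting step described above, as an added example that is not HTTPS Everywhere's own code or ruleset format: a small ruleset-driven HTTP-to-HTTPS rewriter in JavaScript. The ruleset, host patterns, exclusion and sample URLs are constructed for illustration. `rewriteAll` also reports which links on a page stay on plain HTTP, which is the third-party mixed-content case the second paragraph warns about.

```javascript
// Added example, not HTTPS Everywhere's code. A ruleset names the hosts it
// covers, ordered rewrite rules (first match wins) and exclusions for paths
// known to break over HTTPS. Everything below is constructed for illustration.
const RULESETS = [
  {
    name: "Example Site (constructed ruleset)",
    targets: ["example.com", "www.example.com", "*.static.example.com"],
    rules: [
      // Bare and www host both canonicalize to https://www.example.com/
      { from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" },
      // Any single-label subdomain of static.example.com keeps its own name
      { from: /^http:\/\/([a-z0-9-]+)\.static\.example\.com\//, to: "https://$1.static.example.com/" },
    ],
    // Left untouched: a path the (constructed) site only serves over HTTP
    exclusions: [/^http:\/\/www\.example\.com\/legacy\//],
  },
];

// Match a hostname against an exact host or a "*.suffix" wildcard.
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.static.example.com" -> ".static.example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// Return the HTTPS form of a URL when a ruleset covers it, otherwise the URL unchanged.
function rewriteToHttps(url, rulesets = RULESETS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return url; // not a parseable absolute URL; leave it alone
  }
  if (parsed.protocol !== "http:") return url; // already HTTPS, or some other scheme
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(parsed.hostname, t))) continue;
    if (rs.exclusions.some((re) => re.test(url))) return url;
    for (const rule of rs.rules) {
      if (rule.from.test(url)) return url.replace(rule.from, rule.to);
    }
  }
  return url; // covered host but no matching rule: do not guess
}

// Rewrite every link collected from a page and report the ones still on plain
// HTTP. Those are the third-party resources no ruleset covers, i.e. the
// mixed-content situation a broken lock icon reflects.
function rewriteAll(urls, rulesets = RULESETS) {
  const rewritten = urls.map((u) => rewriteToHttps(u, rulesets));
  const stillHttp = rewritten.filter((u) => u.startsWith("http:"));
  return { rewritten, stillHttp };
}

// Constructed sample page links.
const SAMPLE_LINKS = [
  "http://example.com/login",
  "http://cdn.static.example.com/app.js",
  "http://www.example.com/legacy/report.cgi",
  "http://thirdparty.test/ad.js",
];

console.log(rewriteAll(SAMPLE_LINKS));
```

The exclusion list is the part worth noticing: a rewriter that blindly upgrades every URL would break sites that only partly support HTTPS, so each ruleset has to carve out the paths it knows do not work, and anything on a host with no ruleset is left as-is rather than guessed at.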

News item 7:  http://news.bbc.co.uk/2/hi/technology/10349001.stm
Security experts have found that many of the kits used by cyber criminals are riddled with bugs and vulnerabilities. Exploiting the bugs might mean that the attack tools can be turned against those using them. The bugs found by the researchers could be used to identify who is using the tools and even launch a counter-attack.

While some cyber criminals handcraft their own attack tools, many others take advantage of the so-called malware kits that are widely available online. These programs bundle into one convenient package everything the budding cyber criminal needs to get started. French computer security researcher Laurent Oudot from Tehtri Security has analysed the inner workings of many of these malware kits to see how secure they are. Mr Oudot found that many of the kits, which have names such as Neon, Eleonore and Sniper, sport significant loopholes that are relatively easy to exploit. In a presentation at the SyScan 2010 security conference in Singapore, Mr Oudot released details of 13 separate unpatched vulnerabilities he found in some of the most popular malware kits used to attack websites. In many cases, said Mr Oudot in his presentation, exploiting these vulnerabilities would allow security researchers to “hack the web hackers”.
http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0423.html (TEHTRI-Security released 13 0days against web tools used by evil attackers)

2010
06.24

InfoSec Daily Podcast

 
ISD Podcast Episode 159 for June 24, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.


Stories of Interest:
News item 1: http://www.ibtimes.com/articles/30626/20100624/internet-bosses-set-to-approve-xxx-for-porn-sites.htm

The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Internet on behalf of the U.S. government, has in the past resisted creating a .xxx generic domain name system akin to those for .com and .net.

It has in recent years repeatedly rejected a request by U.S. company ICM Registry Inc. to sign off on the .xxx domain. But members of ICANN’s board have argued that in order to maintain neutrality in dealing with domain name assignations, it should create .xxx and allow websites with sexually explicit content to start using the suffix on a voluntary basis.

“If expedited due diligence results are successful, then staff will proceed into contract negotiations with ICM (over .xxx),” ICANN’s general counsel John Jeffrey told delegates at a week-long ICANN meeting in Brussels on Thursday.

Online pornography is a vast industry. Figures collated by Internet Pornography Statistics suggest more than $3,000 is spent on Internet pornography every second, with “sex” the number one search term in the world, accounting for 25 percent of all Internet searches.

With an estimated 370 million pornographic websites on the Internet, .xxx could become one of the largest domain name repositories, as big if not bigger than .com.

News item 2: http://news.bbc.co.uk/2/hi/technology/8744715.stm

San Francisco is set to be the first city in the US to require mobile phone retailers to post radiation levels next to handsets they sell. The board of supervisors, or council, voted 10-1 to approve the measure, with final approval expected next week.

“This is about helping people make informed choices,” said the law’s chief sponsor, Supervisor Sophie Maxwell.

The mobile phone industry said studies showed cell phone radiation was not harmful to people. The Federal Communications Commission has adopted limits that set out safe exposure to these kinds of emissions. The measurement defines the amount of radio waves that people can safely absorb into their bodies when talking on a mobile phone.  Some researchers have claimed such emissions can be linked to cancer and brain tumours but there remains little scientific consensus on the matter.

“This is not about discouraging people from using their cell phones,” said Tony Winnicker, spokesman for San Francisco Mayor Gavin Newsom, who has said he will sign the legislation into law.

News item 3: http://www.wired.com/dangerroom/2010/06/darpa-taking-fire-for-its-cyberwar-range/
Two years ago, the White House and the Pentagon launched a massive, secretive $17 billion effort to shore up the nation’s defenses, and assigned Darpa a crucial role: build a replica Internet – a “National Cyber Range” – that could not only be used to test out information attacks, but could “emulate human behavior on all nodes,” as well.

The project, personally guided by then-director Tony Tether, was supposed to be one of the most important in Darpa’s history, on par with the agency’s missions at the dawn of the space race. “Congress has given Darpa a direct order; that’s only happened once before – with the Sputnik program in the ’50s,” one defense official told Danger Room. The New York Times went even further, breathlessly proclaiming that “the Cyber Range is to the digital age what the Bikini Atoll – the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb – was to the nuclear age.”

But now, some in the armed services are grumbling that Darpa isn’t working quickly enough on this all-important, $130 million mission. A few agencies are even looking to build their own ranges, Aviation Week reports.

“The services didn’t want to wait around for Darpa,” a senior official tells the magazine. “Everybody wanted a range, but Darpa’s program was a 6-to-7-year effort to put a national cyber range in place. That’s why support eroded. Everybody wanted it quicker.” The Navy, the National Security Agency, and the Air Force are all pursuing ersatz Internet programs, according to AvWeek.

News item 4: http://www.tampabay.com/news/courts/criminal/article1104151.ece
A woman who was accused of setting a fire at her office to get off work early pleaded guilty to a lesser charge this week.  Pasco sheriff’s investigators said Michelle Perrino, 40, started a fire at Bayonet Point Oxygen on May 12, 2009. Perrino drew suspicion when she mentioned the fire’s origin — a filing cabinet — during an employee meeting. Employees had not been told where the fire started.  Sheriff’s reports also quoted Perrino’s friend, who said she told him she also tripped the main breaker for the office building so it would lose power and adjusted the phones so no calls could come in, all so she would be sent home from work early with pay.

News item 5:  http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=225700674
The biggest vulnerabilities in the enterprise might be items we see every day — and just don’t think about.  Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren’t computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.

“Peripheral devices on the network may have capabilities the business doesn’t know of,” says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. “And those capabilities can create security vulnerabilities.”

2010
06.23

InfoSec Daily Podcast

 
ISD Podcast Episode 158 for June 23, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Stories of Interest:
News item 1: http://www.govinfosecurity.com/articles.php?art_id=2654&pg=1
The latest IT Skills Demand and Pay Trends Report from Foote Partners, an independent IT analyst firm focusing on IT workforce demand and compensation trends, singles out the following security certifications:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM);
  • Certified Information Systems Security Professional (CISSP);
  • Information Systems Security Engineering Professional (CISSP/ ISSEP);
  • Information Systems Security Management Professional (CISSP/ ISSMP);
  • Check Point Certified Security Expert (CCSE);
  • Check Point Certified Master Architect (CCMA);
  • Cisco Certified Security Professional (CCSP);
  • GIAC Secure Software Programmer (GSSP);
  • GIAC Certified Intrusion Analyst (GCIA).

News item 2:  http://torrentfreak.com/us-government-told-piracy-losses-are-exaggerated-100616/

The US International Trade Commission (USITC) describes itself as “an independent, quasijudicial Federal agency with broad investigative responsibilities on matters of trade”. It has been asked by the US Senate’s Finance Committee to investigate the effect of China’s ineffective intellectual property protection and enforcement on the US economy.

At a hearing on the topic, many of the witnesses were sceptical of the claims and assumptions made by the affected US industries, including the MPAA and RIAA-commissioned reports. Harvard Business School Professor Fritz Foley called the basic assumption behind the industry loss figures into doubt.

“To assume that someone who would pay some low amount for a pirated product would be the type of customer who’d pay some amount that’s six or 10 [times] that amount for a real one.” While some companies, such as EA (at times), don’t follow this ‘a copy equals a lost sale’ system, the majority do.

“Be careful about using information the multinational [companies] provide you,” cautioned Foley. “I would imagine they have an incentive to make the losses seem very, very large.”

News item 3:http://articles.chicagotribune.com/2010-06-17/business/sc-biz-0618-texts–20100617_1_text-messaging-work-related-purpose-jeff-quon
People who want to send highly personal notes to a romantic partner were given a word of warning by the Supreme Court: Do not use the messaging system supplied by your employer if you want to keep them private.

In a 9-0 ruling, the justices rejected a broad right of privacy for workers and said a supervisor may read through a public employee’s text messages if he or she suspects work rules are being violated.  The decision was the high court’s first to consider the privacy rights of employees who send messages on the job. It comes at a time when millions of American workers spend at least part of their day talking on phones or sending messages on computers or cell phones, many of which are supplied by their employers.

At issue was whether the Fourth Amendment’s ban on “unreasonable searches” puts any limits on searches by public employers. The court said the limits were minimal, so long as the employer had a “work-related purpose” for inspecting an employee’s desk or reading the messages sent by the employee on its paging system.

News item 4: http://www.salon.com/news/opinion/glenn_greenwald/2010/06/18/wikileaks/index.html
On June 6, Kevin Poulsen and Kim Zetter of Wired reported that a 22-year-old U.S. Army Private in Iraq, Bradley Manning, had been detained after he “boasted” in an Internet chat — with convicted computer hacker Adrian Lamo — of leaking to WikiLeaks the now famous Apache Helicopter attack video, a yet-to-be-published video of a civilian-killing air attack in Afghanistan, and “hundreds of thousands of classified State Department records.”  Lamo, who holds himself out as a “journalist” and told Manning he was one, acted instead as government informant, notifying federal authorities of what Manning allegedly told him, and then proceeded to question Manning for days as he met with federal agents, leading to Manning’s detention.

2010
06.22

InfoSec Daily Podcast

 
ISD Podcast Episode 157 for June 22, 2010.

Stories of Interest:
News item 1: http://www.avertlabs.com/research/blog/index.php/2010/06/22/mcafees-secret-life-of-teens-survey
McAfee released results from their Secret Life of Teens survey which provides a detailed snapshot of online teen behavior. It reveals that 85 percent of teens go online somewhere other than at home and under the supervision of their parents, nearly a third (32 percent) of teens say they don’t tell their parents what they do while they are online, and 28 percent engage with strangers online. The survey results should serve as a wake up call for many parents.

Kids today are using mobile devices more than ever to get connected, which means increased opportunities for unsupervised usage. Is this a bad thing? Not necessarily but it can become one easily. I truly believe it comes down to values. It is not that young people today do not value privacy or security but rather that they value openness much more. It takes both education and technology to keep young people protected, both of which are firmly in the hands of us as parents. Kids cannot teach themselves to be safe online.

McAfee commissioned Harris Interactive to conduct the survey, and in it we detail some pretty startling facts:

69 percent of teens divulged their physical location
28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

43 percent shared their first name
24 percent shared their email address
18 percent post photos of themselves
12 percent post their cell phone number

Girls make themselves targets more often than boys, which is eye-opening: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents.

News item 2:  http://it.tmcnet.com/news/2010/06/16/4849639.htm
U.S. District Judge Donovan Frank was in a quandary: In an age where computers are everywhere and even cell phones have Internet access, how do you keep a man accused of hacking into his neighbors’ e-mails away from computers? In the case of Barry Vincent Ardolf, you send court officers out to his home in Blaine and seize every device capable of getting online, including his three teens’ computers.

Frank warned Ardolf on Tuesday that if he’s caught online, “the next stop will not be a halfway house. It’ll be the Sherburne County jail.” Ardolf, 45, was charged June 7 with aggravated identity theft and with threatening the vice president and other elected officials. Prosecutors allege a couple living near Ardolf reported him to police for inappropriately touching one of their children, so to retaliate, he created e-mail accounts in their names, hacked into their wireless computer routers and sent threats, child pornography and other vile messages.

He was scheduled for arraignment before Frank in St. Paul on Tuesday, and he was planning to accept a plea offer from Assistant U.S. Attorney Tim Rank. But before the hearing, Ardolf rejected the offer because it contained a recommendation that he be sentenced to a minimum of two years in prison.

The investigation began in February 2009 when an Ardolf neighbor complained to the Anoka County sheriff’s office that he was being harassed. The man claimed an anonymous e-mail account in his name was used to send messages to the neighbor’s co-workers, according to an affidavit by FBI Special Agent Robert Cameron.

The e-mails contained incriminating messages and child pornography, Cameron wrote.

Ardolf is also alleged to have used the neighbor’s name to set up an account on the social networking website MySpace. The page included child pornography, as well as this entry under “Who I’d like to meet”: “Any ladies looking for a good time. I’m married but my spouse bites big time. I’m looking for a new love of my life. I can afford to let her go and start new. After all … I’m rich!” “From training and experience, I know that individuals who post child pornography images do not typically do so under their true name,” Cameron noted in his affidavit.
When Anoka County investigators checked into the origins of the e-mails, they showed they had come from the neighbor. When they questioned him, he said he feared Ardolf had hacked into his wireless Internet router.

One of the first breaks in the case came after an e-mail in March, the affidavit asserts. Investigators discovered that someone had created an e-mail account at 5:29 p.m. March 17 from a computer with one Internet protocol address but had logged out of the account seven minutes later from a different IP address.

The first address belonged to a neighbor who lived across the street from Ardolf; the second belonged to a neighbor who lived in the next house over from Ardolf. It indicated someone was shifting between wireless accounts, Cameron said.

The e-mails took a more ominous turn May 6. One of the victim’s e-mail addresses was used to send a threat to Vice President Joe Biden, Gov. Tim Pawlenty, Minnesota State Rep. Tim Sanders and a Blaine police captain.

“This is a terrorist threat! Take this seriously,” the e-mail read. “I hate the way people are spending money you don’t have…. I’m assigning myself to be judge jury and executioner… Don’t bother trying to trace this e-mail…..” The e-mail was signed, which prompted Cameron to note in his affidavit, “I know, through training and experience, that violent threats to the Vice President of the United States are not typically conducted in one’s true name.” After the threat to the officials, the FBI got involved.
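The break in the case came from a timing correlation: one account was created from one subscriber's IP address and logged out of seven minutes later from a different subscriber's address, which only makes sense if someone was hopping between the neighbours' wireless networks. The script below is an added example (not from the affidavit or the article) of how an investigator or a fraud team would pull that pattern out of provider logs: it flags consecutive events for the same account that come from different source IPs within a short window, then maps both addresses to subscribers. The log lines, account names, addresses and the subscriber table are all constructed for the example.

```python
"""Flag account activity that jumps between source IPs within a short window.

Added example for the Ardolf story above. SAMPLE_LOG and SUBSCRIBERS are
constructed data, not taken from the affidavit or the article.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed provider log: "<ISO timestamp> <account> <action> <source ip>".
SAMPLE_LOG = """\
2009-03-17T17:29:00 acct-a create 192.0.2.10
2009-03-17T17:36:00 acct-a logout 198.51.100.22
2009-03-17T18:00:00 acct-b login 203.0.113.5
2009-03-17T18:30:00 acct-b logout 203.0.113.5
2009-03-18T09:00:00 acct-a login 192.0.2.10
2009-03-18T09:05:00 acct-a send 192.0.2.10
"""

# Constructed stand-in for what an ISP subscriber lookup (subpoena) returns.
SUBSCRIBERS = {
    "192.0.2.10": "subscriber across the street",
    "198.51.100.22": "subscriber next door",
}


def parse_log(text):
    """Parse log lines into (timestamp, account, action, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, action,
                       ipaddress.ip_address(ip)))
    return sorted(events, key=lambda e: e[0])


def find_ip_shifts(events, max_gap=timedelta(minutes=15)):
    """Return consecutive same-account events from different IPs within max_gap.

    A legitimate user moving between home and office also trips this, so the
    gap threshold matters: the shorter the gap, the less plausible the move.
    """
    last = {}      # account -> (timestamp, action, ip) of its previous event
    shifts = []
    for ts, account, action, ip in events:
        prev = last.get(account)
        if prev and prev[2] != ip and ts - prev[0] <= max_gap:
            shifts.append({
                "account": account,
                "from": (prev[0], prev[1], str(prev[2])),
                "to": (ts, action, str(ip)),
                "gap_minutes": (ts - prev[0]).total_seconds() / 60,
            })
        last[account] = (ts, action, ip)
    return shifts


def attribute(shift, subscribers):
    """Map both addresses of a shift to subscribers ('unknown' if not on file)."""
    return (subscribers.get(shift["from"][2], "unknown"),
            subscribers.get(shift["to"][2], "unknown"))


if __name__ == "__main__":
    for shift in find_ip_shifts(parse_log(SAMPLE_LOG)):
        who = attribute(shift, SUBSCRIBERS)
        print(f'{shift["account"]}: {shift["from"][2]} ({who[0]}) -> '
              f'{shift["to"][2]} ({who[1]}) in {shift["gap_minutes"]:.0f} min')
```

The same detector, fed authentication logs instead of provider records, is a cheap first-pass signal for account takeover; the subscriber attribution step is what turns "two IPs" into "two neighbours of the suspect".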

News item 3:http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/

Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions’ authentication system and then hits it with a denial-of-service attack.

The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks’ Counter Threat Unit.

The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.

“Over the months that I’ve been monitoring this botnet, it’s attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”

BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.

News item 4: http://www.networkworld.com/news/2010/061610-dns-security.html

The dream of bolting security onto the Internet’s Domain Name System takes one step closer to reality on June 16th as Internet policymakers host a ceremony in northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet’s root zone.

This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet’s root zone. DNSSEC is an emerging Internet standard that counters spoofing attacks such as cache poisoning by letting resolvers verify, through digital signatures and public-key cryptography, that the DNS records they receive (a domain name and its corresponding IP addresses, for example) are the ones the zone operator published. It authenticates DNS data; it does not encrypt it.

The key ceremony generated the root zone’s Key Signing Key (KSK), the key that signs the root’s key set and so anchors every other signature in the chain of trust. This was done about a month before the actual roll-out of DNSSEC so that a valid key exists and operators can test against it.

The key ceremonies demonstrate the set of procedures the Internet engineering community has created to generate and store keys for the root zone securely. Attendees include ICANN staff and DNS experts from around the world, and the key generation and storage process is audited.

“People from all over the world will be part of the process of creating the key for the top level of the DNS,” explains Steve Crocker, an Internet security expert and CEO of Shinkuro. “They will witness and be able to report that the proper procedure was carried out fairly and scrupulously.”

The two key ceremonies are among the last steps before production-scale deployment of DNSSEC on the root zone, which is scheduled for July 15.
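What the ceremony actually produces is the top of a signature chain: a trust anchor (a digest of the root KSK), a DNSKEY record set signed by the KSK, and ordinary records signed by a Zone Signing Key (ZSK) that the DNSKEY set vouches for. The script below is an added, simplified model of that chain; it is not ICANN's or the article's code. It uses textbook RSA with fixed small primes so that it runs on the Python standard library alone, which is nothing like the key sizes, RRSIG format and timestamps real DNSSEC uses (RFC 4034, RSA/SHA-256 per RFC 5702), and the root-server names in the sample record set are constructed placeholders.

```python
"""Simplified DNSSEC chain of trust: anchor -> KSK -> DNSKEY set -> ZSK -> data.

Added example for the root key ceremony story above. Toy RSA with fixed
small primes, demo only; real DNSSEC uses RSA/SHA-256 or ECDSA with proper
key sizes and RRSIG records (RFC 4034/5702).
"""
import hashlib
from math import gcd


def make_keypair(p, q):
    """Toy RSA keypair from two fixed primes (assumed prime; demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    for e in (65537, 257, 17, 3):          # first exponent coprime to phi
        if gcd(e, phi) == 1:
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}
    raise ValueError("no usable public exponent")


def canonical(rrset):
    """Deterministic encoding of a record set: sorted records, one per line."""
    return "\n".join(sorted(" ".join(map(str, rr)) for rr in rrset)).encode()


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(rrset, priv):
    """RRSIG stand-in: RSA signature over the hashed canonical record set."""
    return pow(digest_int(canonical(rrset), priv["n"]), priv["d"], priv["n"])


def verify(rrset, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest_int(canonical(rrset), pub["n"])


def key_digest(pub):
    """DS record / trust anchor stand-in: digest of a public key."""
    return hashlib.sha256(f'{pub["n"]} {pub["e"]}'.encode()).hexdigest()


def validate_chain(anchor, dnskey_rrset, dnskey_sig, data_rrset, data_sig):
    """Walk the chain the way a validating resolver does; False on any break."""
    keys = {role: {"n": n, "e": e} for role, n, e in dnskey_rrset}
    ksk, zsk = keys.get("KSK"), keys.get("ZSK")
    if ksk is None or zsk is None:
        return False
    if key_digest(ksk) != anchor:                  # KSK is not the anchored one
        return False
    if not verify(dnskey_rrset, dnskey_sig, ksk):  # key set altered or forged
        return False
    return verify(data_rrset, data_sig, zsk)       # records altered or forged


def build_root_zone():
    """Simulate the ceremony output plus one ZSK-signed record set (constructed)."""
    ksk_pub, ksk_priv = make_keypair(1000000007, 1000000009)
    zsk_pub, zsk_priv = make_keypair(998244353, 999999937)
    dnskey_rrset = [("KSK", ksk_pub["n"], ksk_pub["e"]),
                    ("ZSK", zsk_pub["n"], zsk_pub["e"])]
    dnskey_sig = sign(dnskey_rrset, ksk_priv)      # KSK signs only the key set
    data_rrset = [(".", "NS", "a.root-servers.net."),   # constructed records
                  (".", "NS", "b.root-servers.net.")]
    data_sig = sign(data_rrset, zsk_priv)          # ZSK signs the zone data
    return key_digest(ksk_pub), dnskey_rrset, dnskey_sig, data_rrset, data_sig


if __name__ == "__main__":
    anchor, keys, keys_sig, data, data_sig = build_root_zone()
    print("genuine zone validates:", validate_chain(anchor, keys, keys_sig, data, data_sig))
    forged = data + [(".", "NS", "ns.evil.example.")]
    print("tampered records validate:", validate_chain(anchor, keys, keys_sig, forged, data_sig))
```

The split between KSK and ZSK is what makes the ceremony matter: the anchor digest that every resolver carries only ever has to change when the KSK is rolled, while the ZSK can be replaced routinely under the KSK's signature without touching anyone's configuration.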

News item 5: http://www.eweek.com/c/a/Security/ATandT-Investigating-User-Account-Complaints-by-iPhone-4-Customers-375228
AT&T  said it is investigating reports that customers were able to view other people’s information when placing advance orders for Apple iPhone 4.  The issue came as AT&T was dealing with a huge amount of interest in the device, with preorders totaling 600,000 in a single day. According to Gizmodo, the issue appeared when some customers tried to log into their AT&T account to order a new iPhone 4. Even though the user entered their username and password, they would be taken to another user’s account. Gizmodo posted screenshots from several readers that reported experiencing the issue.

“We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process,” the AT&T spokesperson told eWEEK. “We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.”

AT&T did not give any information about what could have caused the problem, which in turn follows the leak of e-mail addresses belonging to Apple iPad 3G owners.

Citing high demand, AT&T has halted sales of the new iPhone until inventory can be restocked. AT&T said it logged more than 13 million visits to a Web page where current customers can check if they’re eligible to upgrade to the new phone – three times more than the previous single-day record for eligibility upgrade checks.

2010
06.21

InfoSec Daily Podcast

 
ISD Podcast Episode 156 for June 21, 2010.

Corrections:
IBM XT: First, we may have incorrectly stated that the IBM XT has an 8086 processor, when in fact they usually shipped with the Intel 8088 @ 4.77 MHz.
ChrisJohnRiley: By our definition prolific means “producing abundant works or results; intellectually productive” certainly nothing to do with fertility.
Internet Kill Switch: The main concern expressed by listeners was that if you have a single “kill switch”, what’s to stop someone from hacking it and DoSing the whole country, if, as Adrian pointed out, such a single kill switch is in fact even possible? How would Obama issue such a command for it to be implemented? Would it be over the internet, or over some out-of-band mechanism to all ISPs? What about Einstein 3: does it include this type of capability?

Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/06/15/most_blighted_darknet/
Researchers probing a previously unused swath of internet addresses say they’ve stumbled onto the net’s most blighted neighborhoods, with at least four times as much pollution as any they’ve ever seen.

The huge chunk of more than 16.7 million addresses had never before been allocated, and yet the so-called darknet was the dumping ground for sustained barrages of misdirected data as high as 150 Mbps, with a peak as high as 870 Mbps, said Manish Karir, director of research and development at the non-profit group Merit Network. That was about four times higher than most darknets and 20 times higher than a previously unallocated block of addresses set up as a control group.

The block is referred to as a 1/8 (pronounced one slash eight) or 1.0.0.0/8 because it comprises 1.0.0.0 through 1.255.255.255. Almost as soon as it was allocated by IANA, or the Internet Assigned Numbers Authority, in late January, the researchers noticed it was absorbing huge amounts of garbage traffic, making many of the addresses largely unusable.

“It’s basically like an unallocated plot of land and you don’t know what’s there because nobody has paid attention to it before,” Karir told The Register. “The concept of pollution is the same whether you’re looking at a plot of land or whether you’re looking at address space. And in both cases, it limits or it impacts the person who actually buys or owns that plot of land.”
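The measurement Merit describes is straightforward to reproduce on a smaller scale once you have flow records for traffic arriving at an unused prefix: count what lands in the block, convert it to a rate, and break it down by destination and port to see which addresses are unusable and what kind of misconfiguration is sending the junk. The script below is an added example, not Merit's tooling or data; the flow records and the second "control" prefix are constructed for the example.

```python
"""Summarize pollution hitting an unused address block from flow records.

Added example for the Merit Network 1.0.0.0/8 story above. SAMPLE_FLOWS is
constructed data, not Merit's measurements.
"""
import ipaddress
from collections import Counter

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    (1264982400, "203.0.113.7",  "1.1.1.1",    "udp", 53,   120),
    (1264982401, "198.51.100.9", "1.2.3.4",    "tcp", 445,  60000),
    (1264982402, "198.51.100.9", "1.2.3.5",    "tcp", 445,  60000),
    (1264982403, "192.0.2.44",   "1.1.1.1",    "udp", 53,   80),
    (1264982404, "192.0.2.44",   "1.0.0.1",    "udp", 1900, 400),
    (1264982405, "198.51.100.3", "1.1.1.1",    "tcp", 445,  1500),
    (1264982406, "203.0.113.88", "1.4.4.4",    "tcp", 445,  60000),
    (1264982407, "203.0.113.5",  "198.18.5.5", "tcp", 445,  60000),
    (1264982408, "192.0.2.10",   "198.18.5.6", "udp", 53,   120),
    (1264982409, "203.0.113.7",  "1.1.1.1",    "udp", 53,   120),
]


def summarize(flows, prefix, window_seconds):
    """Aggregate the flows whose destination falls inside `prefix`.

    Returns flow and byte counts, the average rate in Mbit/s over the capture
    window, and the most-hit destinations (by flow count), ports (by bytes)
    and sources (by bytes): enough to say which addresses in the block are
    unusable and where the garbage is coming from.
    """
    net = ipaddress.ip_network(prefix)
    flow_count = total_bytes = 0
    by_dst, by_port, by_src = Counter(), Counter(), Counter()
    for _ts, src, dst, proto, dport, nbytes in flows:
        if ipaddress.ip_address(dst) not in net:
            continue
        flow_count += 1
        total_bytes += nbytes
        by_dst[dst] += 1
        by_port[f"{proto}/{dport}"] += nbytes
        by_src[src] += nbytes
    return {
        "prefix": prefix,
        "flows": flow_count,
        "bytes": total_bytes,
        "mbps": total_bytes * 8 / window_seconds / 1e6,
        "top_dst": by_dst.most_common(3),
        "top_port": by_port.most_common(3),
        "top_src": by_src.most_common(3),
    }


if __name__ == "__main__":
    # Second prefix serves as the control block in this constructed data set.
    for block in ("1.0.0.0/8", "198.18.0.0/15"):
        print(summarize(SAMPLE_FLOWS, block, window_seconds=10))
```

Run against real telescope data, the "top_dst" list is what tells an operator which addresses in a new block (1.1.1.1 being the obvious one) can never be handed to a customer, and "top_port" separates worm and scanner noise from misconfigured devices before anyone starts blaming the new owner.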

News item 2: http://www.net-security.org/secworld.php?id=9421
More than 420,000 scam emails are sent every hour in the UK according to a report by the life assistance firm CPP which estimates that Brits were targeted by 3.7 billion phishing emails in the last 12 months alone. A quarter of us admit to falling victim to e-fraudsters, with the average victim losing over GBP285 each.

Fake banking emails are the most common method used by criminals, with 55 per cent of those targeted receiving seemingly legitimate e-correspondence from high street banks. Over half received false lottery or competition prize draws, while a further one in two was targeted by foreign cons such as the renowned “Nigerian 419 advance fee fraud” scam.

And consumers must take caution, as latest industry figures show that online banking fraud rose by 14 per cent in the last 12 months. In fact, nearly half of Brits (46 per cent) worry their card details could be used to make illegal online purchases.

Fraudsters are also exploiting the explosion of social networking sites and current defaults in privacy settings to target victims. Nearly one fifth of Brits have received phoney Facebook messages claiming to be from friends or family. One in 10 fear that fraudsters are using Twitter to follow them and a third are concerned their social networking account could be hacked.

News item 3:http://www.networkworld.com/news/2010/061610-not-safe-for-work-whats.html

How many minutes, or hours, did you spend on Facebook today? Even if you spent just a few minutes on the popular social networking site during office hours, you’re not alone. Data from Nucleus Research finds 77 percent of workers who have a Facebook account use it during work hours.

Sports events, online games, and entertainment sites, many of which cross the line between interesting and inappropriate, are all common distractions in today’s office. It’s not that these things are entirely new, but the Web 2.0 era–think social networks, URL shorteners, video sites and more–presents wrinkles that require rethinking acceptable use policies.

Studies reveal a great deal of employee internet use is for personal, not professional, reasons. As much as 40 percent of internet surfing done during work hours is personal, according to IDC Research.  Managers at companies that find new ways of communicating, and younger employees that demand access to varied online content, are leading to a redefining of acceptable computer use in the workplace. Research from security firm Clearswift found 79 percent of workers in several countries around the globe value being trusted to manage their own time, and being trusted to use the Internet as they wish, over pay. Additionally, 62 percent of employees feel they should be able to access web/social networking content from their work computer for personal reasons in order to complete personal tasks.  In fact, many said they would decline to work at a company with anti-Facebook restrictions.

News item 4: http://www.theregister.co.uk/2010/06/20/google_command_line_tool/

Google has introduced a command line utility for accessing various Chocolate Factory services, including YouTube, Blogger, Google Docs, Calendar, and Contacts.

Google CL is a Python application that uses the gdata Python client library to make Google Data API calls from the command line. Currently, it supports Blogger, Picasa, YouTube, Google Docs, Contacts, and Calendar.

2010
06.18

Episode 155 – Symantec, South Carolina & Goatse

InfoSec Daily Podcast

 
ISD Podcast Episode 155 for June 18, 2010.

Friends of the Podcast:

Webhosting services:WebSpeedway

Student Hacker Information Technology Podcast: ShitCast
ChrisJohnRiley: http://blog.c22.cc

Stories of Interest:
News item 1:  http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=225700191
Symantec has announced the release of Norton Online Family, a free service for monitoring children’s online habits and blocking inappropriate, objectionable, or malicious Web sites.

The service, combining a small agent — Norton Safety Minder — running on a PC with Norton’s cloud-based scanning service, allows parents to set rules, review a log of the Web sites their children visit, view a list of the search terms they employ, as well as monitor their social networking habits.

Globally, kids spend an average of 1.6 hours per day online and nearly two-thirds of them report that they’ve had a negative experience online. For example, 41% said that strangers tried to add them as a social networking friend, 33% said they accidentally downloaded a virus, and 25% admitted to seeing violent or nude images online.

Those findings come from a new report released by Symantec, based on surveys of more than 7,000 adults and 2,800 children — aged eight to 17 — in 14 countries. From a control standpoint, 61% of adult respondents in Canada and the United States, versus 44% globally, indicated that they wanted full control over their children’s online activities.

News item 2:http://www.foxnews.com/politics/2010/06/15/clyburn-claims-hacking-greenes-surprise-win-sc-senate-race/
A top government watchdog on Tuesday called on the South Carolina attorney general to probe whether Democratic Senate nominee Alvin Greene was “induced” to run, as speculation continued to build over how the candidate with no money and no campaign infrastructure pulled out a victory over a local lawmaker last week.

Rep. James Clyburn, D-S.C., in an interview with Fox News, suggested that hackers must have fiddled with the results. He said the touch-screen voting machines used by the state are notoriously unreliable and, without citing evidence, said the voting machines could have been compromised.

“I believe there was some hacking done into that computer,” Clyburn told Fox News, repeating his claim that Greene was a “plant.”

The watchdog group Citizens for Responsibility and Ethics in Washington cited Clyburn’s “plant” allegation in its complaint to state Attorney General Henry McMaster on Tuesday. The organization called on the prosecutor to launch an investigation to determine whether Greene “violated South Carolina law by accepting an inducement to file as a candidate … and if any individual violated South Carolina law by offering such an inducement.”

The organization also filed a complaint with the Federal Election Commission alleging that Greene and three other candidates in the state’s primary failed to follow FEC regulations. CREW said Greene did not file a statement of candidacy or organization and did not disclose his campaign’s contributions or expenses.

News item 3: http://www.freerepublic.com/focus/f-chat/2534850/posts

Goatse Security — the group that discovered that particular hole — isn’t best pleased to be described as malicious in AT&T’s response to the matter, and has replied with its own missive to the world. Letting us know that the breach in question took “a single hour of labor,” the GS crew argues that AT&T is glossing over the fact it neglected to address the threat promptly and is using the hackers’ (supposedly altruistic) efforts at identifying bugs as a scapegoat. As illustration, they remind us that the iPad is still wide open to hijacking thanks to a bug in the mobile version of Safari. Identified back in March, this exploit allows hackers to jack in via unprotected ports, and although it was fixed on the desktop that same month, the mobile browser remains delicately poised for a backdoor entry — should malevolent forces decide to utilize it. This casts quite the unfavorable light on Apple as well, with both corporations seemingly failing to communicate problematic news to their users in a timely manner.

News item 4: http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms
Hackers are now exploiting the zero-day Windows vulnerability that a Google engineer took public last week, Microsoft confirmed today. Although Microsoft did not share details of the attack, other researchers filled in the blanks.

A compromised Web site is serving an exploit of the bug in Windows’ Help and Support Center to hijack PCs running Windows XP, said Graham Cluley, a senior technology consultant at antivirus vendor Sophos. Cluley declined to identify the site, saying only that it was dedicated to open-source software.

“It’s a classic drive-by attack,” said Cluley, referring to an attack that infects a PC when its user simply visits a malicious or compromised site. The tactic was one of two that Microsoft said last week were the likely attack avenues. The other: Convincing users to open malicious e-mail messages.

News item 5:  http://news.cnet.com/8301-27080_3-20007827-245.html
A hacker in a group that discovered the AT&T iPad-related flaw was arrested following the execution of an FBI search warrant of his home in Arkansas on Tuesday, authorities told CNET.

Andrew Auernheimer, 24, was being held in Washington County Detention Center in Fayetteville, Ark., according to Lt. Anthony Foster of the Washington County Sheriff’s office in that state. Drugs were found during the execution of the warrant, said Lt. Mike Perryman of the Fayetteville Police Department. However, Perryman could not say what prompted the warrant.

Auernheimer, who goes by the name “Escher” and the hacker handle “Weev,” faces four felony charges of possession of a controlled substance and one misdemeanor possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, he said.

In March, Auernheimer was arrested for giving a fake name to law enforcement officers responding to a parking complaint in Fayetteville, Perryman said.

2010
06.17

InfoSec Daily Podcast

 
ISD Podcast Episode 154 for June 17, 2010.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Atlanta, GA – July 12th-16th
    • Dallas, TX – October 11th – 15th
    • Washington, DC – December 6th – 10th
    • Cost is $3500 for all classes to reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

Ohio Information Security Forum:
Event Date: July 10th, 2010
Location: SCC Research Park, Auditorium
Time: 8:30AM-5:30PM

Friends of the Podcast:

Webhosting services: WebSpeedway
Student Hacker Information Technology Podcast: ShitCast
ChrisJohnRiley: http://blog.c22.cc

Stories of Interest:
News item 1: http://news.techworld.com/security/3226965/fake-facebook-app-hands-over-access-to-your-profile/
A rogue Facebook app is spamming newsfeeds and tricking users into handing over profile access. According to security firm Sophos, hundreds of thousands of Facebook users have already fallen victim to the rogue application, which presents itself as a video claiming to show a teacher nearly killing a boy.

With the lure of the message “Teacher nearly kills a 13-year-old boy. SHOCKING!,” the rogue app can take control of the victim’s Facebook profile page and spreads by posting itself on the victim’s Facebook wall, Sophos says.

News item 2: http://www.msnbc.msn.com/id/37703822/ns/local_news-indianapolis_in/
Computer hackers accessed the home e-mail account of Indiana University South Bend’s arts dean over the weekend and sent dozens of e-mails to students and others containing links to a drug designed to treat sexual dysfunction.

Arts dean Marvin Curtis says he noticed the problem Saturday and placed a notice on his Facebook wall to alert friends that he had found a computer virus on his laptop and that e-mails linking to Viagra marketing sites were not from him. Curtis says he has downloaded antivirus software and hopes that fixes the problem.

News item 3: http://www.prisonplanet.com/new-bill-gives-obama-kill-switch-to-shut-down-the-internet.html
The federal government would have “absolute power” to shut down the Internet under the terms of a new US Senate bill being pushed by Joe Lieberman, legislation which would hand President Obama a figurative “kill switch” to seize control of the world wide web in response to a Homeland Security directive.

Lieberman has been pushing for government regulation of the Internet for years under the guise of cybersecurity, but this new bill goes even further in handing emergency powers over to the feds which could be used to silence free speech under the pretext of a national emergency.

“The legislation says that companies such as broadband providers, search engines or software firms that the US Government selects ‘shall immediately comply with any emergency measure or action developed’ by the Department of Homeland Security. Anyone failing to comply would be fined,” reports ZDNet’s Declan McCullagh.

The 197-page bill (PDF) is entitled Protecting Cyberspace as a National Asset Act, or PCNAA.

Technology lobbying group TechAmerica warned that the legislation created “the potential for absolute power,” while the Center for Democracy and Technology worried that the bill’s emergency powers “include authority to shut down or limit internet traffic on private systems.”

The bill has the vehement support of Senator Jay Rockefeller, who last year asked during a congressional hearing, “Would it had been better if we’d have never invented the Internet?” while fearmongering about cyber-terrorists preparing attacks.

The largest Internet-based corporations are seemingly happy with the bill, primarily because it contains language that will give them immunity from civil lawsuits and also reimburse them for any costs incurred if the Internet is shut down for a period of time.