[podcast]http://www.isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 160.mp3[/podcast]
ISD Podcast Episode 160 for June 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
- MHDD Data Recovery Class current dates and locations:
- Atlanta, GA – July 12th-16th
- Dallas, TX – October 11th – 15th
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes to reserve and register, call (678) 445-9007, email: firstname.lastname@example.org or go to http://www.myharddrivedied.com Use the Discount Code: isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- SANS 560: Network Penetration Testing and Ethical Hacking – September 17-22, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
- SANS 577: Virtualization Security Fundamentals – September 17 & 18 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3807)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
Kentuckiana ISSA Meeting
July 9th from 11:30 AM to 1:00 PM at Sullivan University.
Ohio Information Security Forum:
Event Date: July 10th, 2010
Location: SCC Research Park, Auditorium
Friends of the Podcast:
Stories of Interest:
News item 1: http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/
A word of caution to any Android users who downloaded an app over the past weekend promising pictures of the next Twilight film: Next time, your obsession with vampires might just turn your phone into a zombie.
In a talk at the hacker conference SummerCon last Friday, researcher Jon Oberheide gave a demonstration of just how easy it may be to infect large numbers of phones running Google’s Android OS with hidden software that turns the devices into a zombie-like “botnet” under the control of a cybercriminal–particularly if that software associates itself with a phenomenon as popular and tween-entrancing as the upcoming Twilight Eclipse film.
Oberheide focused on what may be a serious security weakness in Android’s App Market: that apps don’t have to ask permission from a user to fetch new executable code. Even after an app has been approved for downloads in Google’s market, Oberheide says, it can still metamorphose at will into a much less friendly program.
Oberheide, who works for security startup Scio Security, developed an application called “RootStrap” to demonstrate that trust problem for Android apps. After it’s installed, Rootstrap periodically “phones home” to check for any new code that Oberheide wants to add to the program, including any hidden control program or “rootkit” that he wished to install–hence the program’s name. “This is probably the most effective way to build a mobile botnet,” Oberheide told SummerCon’s audience of hackers and security researchers.
News item 2: http://www.theregister.co.uk/2010/06/24/google_lifts_two_apps_from_android/
Google has reached out over the airwaves and removed a pair of applications from users’ Android phones, saying the two apps violated its terms of service.
Like Apple, Google has a “kill switch” that allows it to remotely remove mobile apps that have already been installed by end users. The tool is mentioned in the terms and conditions for Google’s app store, the Android Market, as the press noticed when the store debuted.
In a Wednesday blog post, Google confirmed the existence of its “Remote Application Removal Feature” and said it had recently exercised this tool after discovering two apps that “intentionally misrepresented their purpose in order to encourage user download.”
According to the company, users are notified when apps are removed. In this case, Google removed two free applications built by a security researcher. According to the company, the apps were used for research purposes. “They were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.”
Google insists that the tool will only be used for good. “The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications,” the company said. “In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed.”
An alleged hacker who declined a 2-year plea deal is facing decades behind bars after federal authorities Thursday added multiple charges, including possession and distribution of child pornography.
Barry Ardolf, 45, of Blaine, Minnesota, had rejected a plea deal in connection to charges accusing him of sending Vice President Joe Biden a threatening e-mail from his neighbor’s computer, a computer he is accused of hacking. The decision to reject the offer, his lawyer said Monday, “was a difficult one.”
A federal grand jury substantially upped the ante against the computer technician Thursday, ringing him up on additional charges of identity theft and two kiddie-porn accusations carrying lifetime sex-offender registration requirements. The authorities said he faces a maximum 20 years for the alleged porn distribution, 10 years for the porn-possession charge and five years each for the two hacking charges. Ardolf maintains his innocence, and federal judges are not bound by sentencing guidelines.
News item 4: http://infoworld.com/d/networking/googles-street-view-wi-fi-data-included-passwords-email-679
Wi-Fi traffic intercepted by Google’s Street View cars included passwords and email, according to the French National Commission on Computing and Liberty (CNIL). CNIL launched an investigation last month into Google’s recording of traffic carried over unencrypted Wi-Fi networks, and has begun examining the data Google handed over as part of that investigation.
Google revealed on May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks. Google’s intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates, the company said. However, the software it used to record that information went much further, intercepting and storing data packets too.At the time, Google said it only collected “fragments” of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just “fragments” of personal data.
“It’s still too early to say what will happen as a result of this investigation,” CNIL said Thursday.
“However, we can already state that Google did indeed record email access passwords [and] extracts of the content of email messages,” CNIL said.
Data protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted, it said.
News item 5: http://www.californiahealthline.org/articles/2010/6/24/anthem-blue-cross-says-security-breach-might-have-affected-230000.aspx
Anthem Blue Cross has sent letters informing 230,000 members that their personal information might have been accessed during a recent security breach of the company’s website, the Orange County Register reports.
The breach affected members who had pending insurance applications in an Anthem system that allows users to track the status of their application online.
Anthem spokesperson Cynthia Sanders said the information was accessed briefly, primarily by attorneys seeking information for a class-action lawsuit against the insurer. Sanders said Anthem sent the letters out of “an abundance of caution,” adding that it is unclear how many records were viewed.
News item 6: https://www.eff.org/https-everywhere
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
Some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser’s lock icon is broken or carries an exclamation the user remains vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort required to monitor browsing should still be usefully increased.
News item 7: http://news.bbc.co.uk/2/hi/technology/10349001.stm
Security experts have found that many of the kits used by cyber criminals are riddled with bugs and vulnerabilities. Exploiting the bugs might mean that the attack tools can be turned against those using them. The bugs found by the researchers could be used to identify who is using the tools and even launch a counter-attack.
While some cyber criminals handcraft their own attack tools, many others take advantage of the so-called malware kits that are widely available online. These programs bundle into one convenient package everything the budding cyber criminal needs to get started. French computer security researcher Laurent Oudot from Tehtri Security has analysed the inner workings of many of these malware kits to see how secure they are. Mr Oudot found that that many of the kits, which have names such as Neon, Eleonore and Sniper, sport significant loopholes that are relatively easy to exploit. In a presentation at the SyScan 2010 security conference in Singapore, Mr Oudot released details of 13 separate unpatched vulnerabilities he found in some of the most popular malware kits used to attack websites. In many cases, said Mr Oudot in his presentation, exploiting these vulnerabilities would allow security researchers to “hack the web hackers”.
http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0423.html (TEHTRI-Security released 13 0days against web tools used by evil attackers)