Your daily source of Pwnage, Policy and Politics.

Episode 184 – Google Apps, Android Hacked, Defcon contest & Cybercrime Study

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 184.mp3[/podcast]
ISDPodcast Episode 184 for July 30, 2010.  Tonight’s podcast is hosted by Rick Hayes and Karthik Rangarajan.  In this episode we will discuss Google Apps, Android Hacked, Defcon contest & Cybercrime Study.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Stories of Interest:
News Item 1: http://www.infoworld.com/d/applications/google-introduces-google-apps-government-suite-788
Homing in on the lucrative government market for business applications, Google introduced on Monday Google Apps for Government, featuring its suite of cloud-based business applications equipped with extra security precautions.

The suite, with such applications as Gmail email and Google Calendar, offers U.S. government FISMA (Federal Information Security Management Act) moderate-level certification. Also, government user data is to be maintained on servers segregated from Google’s commercial customers. Google officials emphasized that government agencies are acutely concerned with security and that Google Apps is the first cloud platform certified for use by the federal government.

Google is positioning the suite as a solution for all branches of government, emphasizing cost savings that could be enjoyed by governments now beset by budget shortfalls.

“As we know, the financial pressures on government are enormous, and this is a material cost savings,” said Google CEO Eric Schmidt, during a rollout event at Google headquarters in Mountain View, Calif.

“The government has an enormous opportunity to leverage the Web as a platform,” said Dave Girouard, president of Google Enterprise. Governments at all levels are spending billions on IT; cloud computing offers an opportunity to change these dynamics in the next decade, he said.

Available now, Google Apps for Government costs $50 per user per year, the same price as Google Apps Premier Edition. In addition to Gmail and Google Calendar, Google Apps for Government also features Google applications like Docs, Sites, Video, Groups, and Postini.

Gmail and Calendar data currently is physically segregated from non-government user data and maintained within the United States. Google plans to segregate the other applications in the suite as well, with that work now in progress.

Google’s suite for government will compete with the Microsoft Office suite of applications, Girouard acknowledged. “It’s a pleasant side effect,” he said.

News Item 2:  http://news.techworld.com/security/3233833/hackers-break-into-android-phone-at-black-hat/
Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010. Not only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a website in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely, including top-of-the-line models sold by major wireless carriers.

In one presentation, Lookout’s CEO John Hering said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.

In a separate presentation, researchers said top-of-the-line Android phones sold by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux kernel that underpins Android. “It gives you root control, and you can do anything you want to do” with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.

News item 3:  http://www.cio.com/article/601317/FBI_Rings_Organizers_Over_Defcon_Contest
A Defcon contest that invites contestants to trick employees at U.S. corporations into revealing not-so-sensitive data has rattled some nerves.  Contest organizers have been called by the U.S. Federal Bureau of Investigation and have seen warnings issued by security groups and by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group that provides information on security threats affecting the banking industry.

“The stories that I’m getting are a lot of financial people were really concerned that we were going to be targeting personal information and stuff like that,” said Chris Hadnagy, the operations manager with Offensive Security, who is organizing the contest. These concerns are unfounded, he says.

Over the next three days participants will try their best to unearth data from an undisclosed list of about 30 U.S. companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees.

News Item 4: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272
Organizations are getting hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranged from $1 million to $53 million per year, according to a newly published benchmark study of 45 U.S. organizations hit by data breaches.

The independent Ponemon Institute’s “The First Annual Cost of Cyber Crime Study”, which was sponsored by ArcSight, showed a median cost of $3.8 million for an attack per year, a price tag that includes everything from detection, investigation, containment, and recovery to any post-response operations. “Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

And a separate report called “The Leaking Vault”, released today by the Digital Forensics Association, found that among the 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as to those whose information was exposed came to a whopping $139 billion.

The Digital Forensics Association report says nearly half of the reported breaches involved a laptop, which in 95 percent of those cases was stolen. But actual hacks accounted for the most stolen records from 2005 to 2009, with 327 million of the 721.9 million covered in the report, even though hacks accounted for only about 16 percent of the breaches.

Episode 183 – fake Facebook, Dell, Wikileaks & Hacker Bounty

ISDPodcast Episode 183 for July 29, 2010.  Tonight's podcast is hosted by Rick Hayes and Karthik Rangarajan.  In this episode we will discuss fake Facebook, Dell, Wikileaks & Hacker Bounty.

Stories of Interest: 
News Item 1: http://www.bbc.co.uk/news/technology-10796584
Personal details of 100m Facebook users have been collected and published on the net by a security consultant. Ron Bowes used a piece of code to scan Facebook profiles, collecting data not hidden by the users’ privacy settings. The list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user’s profile, their name and unique ID. The torrent is attracting hundreds of downloads.

News Item 2: http://www.channelregister.co.uk/2010/07/20/secure_browser_push/
Dell has applied application virtualization technology to Firefox in order to offer corporates what it claims is a more secure browsing experience. The Dell KACE Secure Browser, which is available for download at no charge from Tuesday, aims to boost enterprise security while introducing businesses to the PC maker's recently acquired systems management appliance division. The technology provides users with a virtual instance of an internet browser application, thereby reducing exposure to drive-by malware attacks from websites hosting malicious code, an increasingly common tactic for malware distribution. "By running the browser in a virtual instance, the browser and any activity resulting from its use are separated from the endpoint keeping the actual computer and operating system free of changes that would normally occur," Dell KACE explains. The Secure Browser can be centrally deployed and managed via Dell KACE's K1000 Management Appliance. The unit intends to deliver an Internet Explorer version of the technology later this year.

News Item 3: http://news.cnet.com/8301-1009_3-20011594-83.html
Wikileaks, the document-leaking organization that has previously released internal U.S. military videos, on Sunday disclosed over 75,000 confidential files related to the war in Afghanistan. The group gave the documents in advance to the New York Times, Germany's Der Spiegel, and the U.K.'s Guardian newspaper, which independently confirmed their authenticity. The Guardian called the disclosure a "devastating portrait of the failing war in Afghanistan," saying it reveals how the U.S.-led coalition has killed hundreds of civilians in unreported incidents, Taliban attacks have risen, and NATO commanders worry that neighboring Pakistan and Iran are aiding the insurgency. About 76,900 of the files–which the group calls the "Afghan War Diary"–appeared on Wikileaks.org at around 4 p.m. PT. Wikileaks says it has delayed the release of an additional 15,000 files to allow names and other sensitive information to be removed. The U.K. public service broadcaster Channel 4 performed its own analysis of the dispatches from individual military units, which cover the war from 2004 through the end of 2009, and concluded that 15,506 enemy deaths were reported. At least 4,232 civilians were killed, and 1,138 NATO troops were killed.

News Item 4: http://www.zdnet.com/blog/security/microsoft-no-plans-to-pay-for-security-vulnerabilities/6935
Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don't expect Microsoft to join the pay-for-flaws party. According to Threatpost's Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well. Here's what Microsoft's Jerry Bryant told Fisher: "We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."

Episode 182 – Firefox, Motorola, vBulletin & China

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 182.mp3[/podcast]
ISDPodcast Episode 182 for July 28, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss fake Firefox, Motorola, vBulletin & China.

Stories of Interest:

News Item 1a: http://news.yahoo.com/s/zd/20100728/tc_zd/253167
Thanks to F-Secure for revealing the latest in rogue anti-malware: A fake Firefox “Just Updated” page which pushes you to install an update to Flash.

The page is roughly a clone of the page you see in Firefox after you update versions. It uses a recent (but not the most recent) update version and tells the user that they really should update their Flash version. Presumably you’d see this even in another browser.


The download starts automatically. Save and run it and you get a rogue antivirus product named “SecurityTool” which starts finding threats which aren’t there and demanding payment in order to remove them.

News Item 1b: http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.

The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact. A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

News Item 2: http://www.theregister.co.uk/2010/07/22/motorola_huawei/
Motorola has accused its own engineers of sending confidential documents to the founder of Huawei, and claims that the receiving company was well aware that the information was stolen.

The case, filed in Chicago, is against the Lemko Corp and originally accused five former Motorola workers of taking their secrets with them when they moved to Lemko – a company that has a reselling deal with Huawei. But the case has now been amended to accuse named engineers of sending confidential documents direct to Huawei.

Motorola is pretty explicit: “Huawei and its officers knew they were receiving stolen Motorola proprietary trade secrets and confidential information without Motorola’s authorization and consent,” according to Reuters’ reporting of the complaint. A sent mail was apparently recovered from the engineer’s computer, with attached documents bearing the “confidential” stamp.

It’s not the first time Motorola and Lemko have been at odds – back in 2008 a Motorola employee (who also seems to have been working for Lemko at the time) was picked up boarding a plane at O’Hare airport, on a one-way trip to China packing more than 1,000 Motorola documents and something in the region of $30,000 in cash too.

News Item 3: http://www.bbc.co.uk/news/technology-10714192
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data.  The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.  This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

News Item 4: http://news.cnet.com/8301-1023_3-20011428-93.html
Baidu, China’s leading Internet search company, has a “plausible” case against its U.S.-based domain registrar for allegedly allowing a hacking attack that left the site disabled and defaced, a U.S. judge ruled Thursday.

The order, signed by Judge Denny Chin of the U.S. District Court for Southern New York, allows Baidu to proceed with a lawsuit it filed against Register.com in January. Baidu’s suit accuses Register.com of breach of contract, gross negligence, and recklessness related to a January 11 hack attack that left Baidu disabled for several hours. Visitors to the site during those hours were redirected to a site where a group calling itself the “Iranian Cyber Army” claimed responsibility for the attack.

“I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness,” Chin said in his ruling. “If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism.”

However, Register.com did score a partial victory when Chin dismissed five of Baidu’s seven claims against the domain registrar, including contributing to trademark infringement and aiding trespass. Register.com still faces breach of contract and negligence charges.

News Item 5: http://bit.ly/9A397s

Computer files from South Shore Hospital that contain personal information for about 800,000 people may have been lost when they were shipped to a contractor to be destroyed, hospital officials announced yesterday.

The officials declined to identify the contractor, but said that an independent information security consulting firm has determined that specialized software, hardware, and technical knowledge would be required to open and decipher information in the files.

They also said they had no evidence that the information in those files had been improperly used by anyone. The information was on back-up files headed for destruction because they were in a format the hospital said it no longer used. Based on the investigation so far, the hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information. Aubut said the hospital is still investigating and will be sending letters to each person whose personal information may have been on those files.

Under a 2007 Massachusetts law, companies are required to notify the state attorney general’s office when they know or suspect that data containing personal information from consumers has been breached. Since 2007, the office has received 1,370 such notifications, a spokeswoman said yesterday.

Episode 181 – Badsites, DMCA, China, CVD & Hybrid IP

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 181.mp3[/podcast]
ISDPodcast Episode 181 for July 27, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker, Adrian Crenshaw and Karthik Rangarajan.  In this episode we will discuss Badsites, DMCA, China & FBI Hybrid.

Stories of Interest:

News Item 1: Credit Card Information on http://www.erenterplan.com

I was enrolling for renter’s insurance today when I came across an interesting “feature” that was “helping” me fill out the payment form. We’re all aware of auto complete, and possibly use it in a lot of cases to make our lives easier. But what if auto complete filled out our credit card information and CVV number as well? This is exactly what was happening on this website when I was trying to make a payment: I had already accessed it once and made a payment, and when I went in the second time, my credit card number was available in a drop-down through auto complete. Now granted, if I disabled auto complete, it wouldn’t be a vulnerability, but what about people who don’t know how to do that? There are a lot of people who use public computers to pay online, thinking it’s perfectly safe as long as there’s a lock in the browser and there are privacy notifications all over the place. Not disabling the feature would essentially leave the website with the risk of giving away customers’ credit card information.

On emailing the concerned people, they immediately replied with the following:

The issue you’re experiencing relating to stored credit card information is a result of your “Cookie” settings or other web browser configuration.  If you’re using Internet Explorer, you may potentially resolve the issue as follows:

1. Under “Tools”, select “Internet Options”
2. In “Internet Options”, select the “Content” tab
3. Under the “Content” tab, “Auto Complete”, select “Settings”

From the “Settings” menu, you should see a dialogue box similar to that attached.  Your credit card information is being stored only on your local machine due to having the “Forms” box selected or as a result of your Cookies settings.  For more information relating to Cookie settings on your local machine, please refer to the “Help” portion of the browser toolbar to learn more information about these functions.

Finally, you may read more about our Cookies policy by visiting our Privacy Statement, which may be found here:  http://www.erenterplan.com/privacy.aspx

Thank you.

Ryan P. Grogan, CIPP

Compliance Manager, Legal

RealPage, Inc.

It is not a cookie issue, but it is an auto complete issue. As I said, disabling it is an option on my computer, or, if people are aware, on public computers. What about my uncle in India who is not so tech-savvy, who goes to a public computer to do these things? A little Googling gave a possible solution:

<form method="post" autocomplete="off" action="http://www.mysite.com/form.cgi">
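As an added example (not code from the podcast, its hosts, or the site discussed), here is a small JavaScript lint that flags card-number and CVV inputs left open to browser autocomplete. It honours the form-level autocomplete="off" fix quoted above and also the same attribute placed on an individual input, so either style of fix passes. The sample markup, the field names and the "sensitive field" regex are constructed for the demo and are assumptions, not anything taken from erenterplan.com.

```javascript
// Added example, not from the podcast or from erenterplan.com: a small lint
// that flags payment-card inputs on which browser autocomplete is still
// enabled. It reads an HTML string and uses regular expressions rather than
// a real HTML parser, so treat it as a quick check for a pentest report, not
// a substitute for looking at the rendered page.

// Field names that usually carry card data (heuristic; adjust per target).
const SENSITIVE_FIELD = /card|ccnum|cvv|cvc|csc/i;

// Parse name="value" pairs from the text between "<tag" and ">".
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// True when the element carries autocomplete="off" (any letter case).
function isOff(attrs) {
  return (attrs.autocomplete || '').trim().toLowerCase() === 'off';
}

// Return the names of sensitive inputs that neither carry autocomplete="off"
// themselves nor sit inside a <form autocomplete="off">.
function auditForms(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const formOff = isOff(parseAttrs(form[1]));
    const inputRe = /<input\b([^>]*?)\/?>/gi;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      const attrs = parseAttrs(input[1]);
      const label = attrs.name || attrs.id || '';
      if (SENSITIVE_FIELD.test(label) && !formOff && !isOff(attrs)) {
        findings.push(label);
      }
    }
  }
  return findings;
}

// Constructed sample markup (not copied from any real site).
const VULNERABLE_FORM = `
<form method="post" action="/payment">
  <input type="text" name="cardnumber" maxlength="19">
  <input type="text" name="cvv" maxlength="4">
  <input type="text" name="billing_zip">
  <input type="submit" value="Pay">
</form>`;

// The same form with the form-level fix from the text, plus autocomplete="off"
// repeated on the CVV field, which is also switched to type="password".
const HARDENED_FORM = `
<form method="post" action="/payment" autocomplete="off">
  <input type="text" name="cardnumber" maxlength="19">
  <input type="password" name="cvv" maxlength="4" autocomplete="off">
  <input type="text" name="billing_zip">
  <input type="submit" value="Pay">
</form>`;

console.log('vulnerable:', auditForms(VULNERABLE_FORM)); // [ 'cardnumber', 'cvv' ]
console.log('hardened:  ', auditForms(HARDENED_FORM));   // []
```

Run it with node; it prints the flagged field names for each sample. Keep in mind that autocomplete="off" is only a hint to the browser: current browsers ignore it for login fields and differ in how they treat payment fields, and it does nothing against a keylogger on a shared machine. The stronger controls sit server-side: hand the card number straight to the payment processor and never store the CVV after authorization.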

News Item 2a: http://www.courthousenews.com/2010/07/23/29099.htm
A New Orleans judge ruled that it is not a violation of the DMCA to break access control unless it is for the purpose of copyright infringement. So breaking DRM on a DVD I own so I can play it on Linux would no longer be a DMCA violation.

In its lawsuit against GE and PMI, MGE claimed a group of PMI employees had at least one copy of software obtained from a hacked machine. It said GE used the software 428 times between June 2000 and May 2002, even after a judge barred GE from using MGE’s software and trade secrets.

News Item 2b: http://www.engadget.com/2010/07/26/library-of-congress-adds-dmca-exception-for-jailbreaking-or-root/
On the surface it looks like the Library of Congress has added new anti-circumvention exceptions to the DMCA that, among other things, allow people to tweak their handsets for the purpose of installing legally obtained software — known as jailbreaking in iOS land, and rooting in the Android / webOS world. Check out the full statement from the Librarian of Congress, which is mostly an update of existing exceptions on record, after the break, but here’s the primary excerpt:

Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

The section pertaining to cracking a DVD video and excerpting scenes for commentary or criticism has been expanded beyond educational use to documentary and non-commercial applications.  Under traditional fair use, portions of copyrighted material may be used for teaching, documentary films, and criticism and commentary. Under the DMCA, however, those rights didn’t matter, because breaking the DRM was illegal no matter what the end use.

News Item 3: http://www.ibtimes.com/articles/37227/20100721/utargeting-china-in-new-anti-piracy-drive.htm

The United States will make China “a significant focus” of its beefed-up efforts to fight global piracy and counterfeiting of U.S. goods ranging from CDs to manufactured products, a U.S. official said on Wednesday.

“It’s fair to say China raises a particularly troubling set of issues,” Victoria Espinel, the U.S. intellectual property enforcement coordinator, said in prepared testimony to the House of Representatives Foreign Affairs Committee. “Therefore, China will be a significant focus of our enforcement efforts as we address intellectual property infringement abroad,” Espinel said, testifying on the Obama administration’s new intellectual property enforcement strategy, which was mandated by Congress.

The International Intellectual Property Alliance, which represents U.S. copyright industry groups, has estimated lost sales in China at more than $3.5 billion in 2009 due to piracy of U.S. music, movies and software.

News Item 4: http://www.networkworld.com/community/node/64031
An FBI investigation has led to a Michigan couple being charged with stealing hybrid car information from GM for use by a Chinese auto maker. A federal indictment charged Yu Qin, aka Yu Chin, 49, and his wife, Shanshan Du, aka Shannon Du, 51, of Troy, Michigan with conspiracy to possess trade secrets without authorization, unauthorized possession of trade secrets, and wire fraud. One of the individuals was also charged with obstruction of justice, said Barbara McQuade, United States Attorney for the Eastern District of Michigan, in a statement. GM estimates that the value of the stolen documents is over $40 million.

According to the indictment, from December 2003 to May 2006, the defendants conspired to possess trade secret information of General Motors relating to hybrid vehicles, knowing that the information had been stolen, converted, or obtained without authorization. The indictment alleges that Du, while employed with GM, provided GM trade secret information relating to hybrid vehicles to her husband, Qin, for his benefit and for the benefit of a company, Millennium Technology International Inc., that the defendants owned and operated.

Approximately five days after Du was offered a severance agreement by GM in January 2005, she copied thousands of GM documents, including trade secret documents, to an external computer hard drive used for MTI business. A few months later, Qin moved forward on a new business venture to provide hybrid vehicle technology to Chery Automobile, a Chinese automotive manufacturer and a competitor of GM. The indictment further alleges that in May 2006, the defendants possessed GM trade secret information without authorization on several computer and electronic devices located in their residence, according to the statement.

The indictment also charges that the defendants dumped plastic bags containing shredded documents in a dumpster after they were subpoenaed by a federal grand jury looking for information relating to MTI and hybrid vehicles.

News Item 5: http://threatpost.com/en_us/blogs/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210
Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.

The change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000 respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future.

Episode 180 – GSM, Apple, Web Scraping, Audit Cheating & Firefox

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 180.mp3[/podcast]
ISDPodcast Episode 180 for July 26, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss GSM, Apple, Web Scraping, Audit Cheating & Firefox.

Stories of Interest:
News Item 1: http://www.computerworld.com/s/article/9179529/New_Kraken_GSM_cracking_software_is_released
A few weeks ago, an open source group released software that cracks the A5/1 encryption algorithm used by some GSM networks. Called Kraken, this software uses new, very efficient cracking tables that allow it to break A5/1 much faster than before. It relies on what is often referred to as the Berlin A5/1 rainbow table set.

GSM was academically broken in 1991. The software is a key step toward eavesdropping on mobile phone conversations over GSM networks. Because 3G handsets still fall back to GSM where 3G coverage is unavailable, it also gives attackers an avenue into the new generation of handsets.

In December, the group released a set of encryption tables designed to speed up the arduous process of breaking A5/1 encryption, but the software component was incomplete. Now the software is done, and the tables are much more efficient than they were seven months ago. “The speed of how fast you could crack a call is probably orders of magnitude better than anything previously,” said Frank Stevenson, a developer with the A5/1 Security Project. “We know we can do it in minutes; the question is, can we do it in seconds?”
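The cipher Kraken's tables attack, as an added example (not code from the article, Kraken or the A5/1 Security Project): a Python A5/1 keystream generator following the public description of the cipher (three LFSRs of 19, 22 and 23 bits, majority clocking, a 64-bit Kc and 22-bit frame number loaded LSB-first, 100 discarded clocks, then two 114-bit blocks per frame), checked against the commonly circulated test vector for that description, plus the known-plaintext step that turns an intercepted burst into the keystream a table lookup starts from. The plaintext burst in the demo is constructed, and the downlink/uplink labels assume the spec's BLOCK1/BLOCK2 ordering.

```python
"""A5/1 keystream generator and known-plaintext keystream recovery.

Added example, not code from Kraken or the A5/1 Security Project. Register
sizes, taps and loading order follow the public description of A5/1; the
test key/frame in __main__ is the widely circulated reference vector."""
from typing import Tuple

# Register masks (19, 22 and 23 bits), clocking bits, feedback taps, output bits.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by a bit, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit Kc and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        # Kc, then the frame number, are XORed into all three registers LSB
        # first, with every register clocked regularly before each bit.
        for i in range(64):
            self._clock_all()
            self._mix((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._mix((frame >> i) & 1)
        # 100 warm-up clocks under the majority rule, output discarded.
        for _ in range(100):
            self._clock()

    def _mix(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Majority rule: a register advances only when its clocking bit agrees
        with the majority of the three clocking bits (so two or three move)."""
        c1, c2, c3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _bit(self) -> int:
        return parity(self.r1 & R1_OUT) ^ parity(self.r2 & R2_OUT) ^ parity(self.r3 & R3_OUT)

    def burst(self) -> bytes:
        """Next 114 keystream bits, packed MSB-first into 15 bytes (6 pad bits zero)."""
        out = bytearray(15)
        for i in range(114):
            self._clock()
            out[i // 8] |= self._bit() << (7 - (i & 7))
        return bytes(out)


def keystream_pair(kc: bytes, frame: int) -> Tuple[bytes, bytes]:
    """The two 114-bit blocks A5/1 produces per frame: downlink, then uplink."""
    gen = A51(kc, frame)
    return gen.burst(), gen.burst()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """The known-plaintext step the tables depend on: GSM sends predictable
    system-information bursts, so ciphertext XOR plaintext yields the keystream
    that a precomputed table can then map back to the cipher's internal state."""
    return xor(ciphertext, known_plaintext)


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789ABCDEF")  # reference test key, frame 0x134
    down, up = keystream_pair(kc, 0x134)
    print("downlink keystream:", down.hex())
    print("uplink keystream:  ", up.hex())
    plaintext = bytes(15)  # constructed: a burst whose content the eavesdropper already knows
    assert recover_keystream(xor(plaintext, down), plaintext) == down
```

The expensive part, which this code deliberately does not do, is what the tables precompute: inverting 64 bits of observed keystream back to the 64-bit register state, after which the rest of the call decrypts directly. GSM's predictable control messages supply the known plaintext, which is why the attack works against real traffic rather than only in the lab.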

News Item 2: http://washington.bizjournals.com/washington/stories/2010/07/12/focus1.html
When McLean-based Cvent Inc. filed a $3 million copyright lawsuit against a West Coast competitor this spring, the software company didn’t just allege simple plagiarism. Cvent, which offers a database of venue profiles for corporate event planners, accused rival Eventbrite Inc. of quietly unleashing an automated program (a webbot or “bot,” for short) on Cvent.com to purloin thousands of pages of valuable content. In its complaint, filed May 10 in federal District Court in Alexandria, Cvent alleged the San Francisco company had taken information that cost more than $10 million to create and reproduced it on its own website, errors intact.

The lawsuit highlights a prime fear of companies whose stock in trade is a mass of publicly available data: Web scraping. The widespread but sometimes legally hazy practice — in which tailor-made programs mimic a human user to harvest content from the Web — runs the gamut from benign to malicious.

In some cases, scraping is used to help market researchers or create Web mashups that stitch together data in new and creative ways.

In others, it serves as a vehicle for corporate espionage and piracy. The demand for scraping has spawned a market for custom-built bot software, as well as for software to thwart those bots.
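As an added example (not from the article, Cvent or Eventbrite), detection logic of the kind the anti-bot tools mentioned above apply, run over constructed web-server log lines: per-client request rate, metronomic timing, sequential enumeration of venue IDs, absence of static-asset fetches and referrers, and a scripted user agent. Addresses, paths, user agents and thresholds are illustrative assumptions, not tuned values.

```python
"""Telling a content-harvesting bot from a browsing human in web-server logs.

Added example, not from the article, Cvent or Eventbrite. The log lines are
constructed (combined log format, example.com hosts, RFC 5737 addresses)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
VENUE_RE = re.compile(r"^/venue/(\d+)$")          # assumed URL scheme for venue pages
BOT_UA_HINTS = ("python", "curl", "wget", "scrapy", "java/")
STATIC = (".css", ".js", ".png", ".gif", ".ico")

UA_HUMAN = "Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100722 Firefox/3.6.8"
SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.7 - - [26/Jul/2010:21:00:00 -0400] "GET /venue/1001 HTTP/1.1" 200 8812 "-" "python-requests/2.4"',
    '203.0.113.7 - - [26/Jul/2010:21:00:01 -0400] "GET /venue/1002 HTTP/1.1" 200 8790 "-" "python-requests/2.4"',
    '203.0.113.7 - - [26/Jul/2010:21:00:02 -0400] "GET /venue/1003 HTTP/1.1" 200 8801 "-" "python-requests/2.4"',
    '203.0.113.7 - - [26/Jul/2010:21:00:03 -0400] "GET /venue/1004 HTTP/1.1" 200 8833 "-" "python-requests/2.4"',
    '203.0.113.7 - - [26/Jul/2010:21:00:04 -0400] "GET /venue/1005 HTTP/1.1" 200 8780 "-" "python-requests/2.4"',
    '203.0.113.7 - - [26/Jul/2010:21:00:05 -0400] "GET /venue/1006 HTTP/1.1" 200 8815 "-" "python-requests/2.4"',
    f'198.51.100.23 - - [26/Jul/2010:21:00:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "{UA_HUMAN}"',
    f'198.51.100.23 - - [26/Jul/2010:21:00:01 -0400] "GET /static/site.css HTTP/1.1" 200 2210 "http://www.example.com/" "{UA_HUMAN}"',
    f'198.51.100.23 - - [26/Jul/2010:21:00:37 -0400] "GET /venue/2040 HTTP/1.1" 200 9100 "http://www.example.com/search?city=Atlanta" "{UA_HUMAN}"',
    f'198.51.100.23 - - [26/Jul/2010:21:02:10 -0400] "GET /venue/3115 HTTP/1.1" 200 9377 "http://www.example.com/venue/2040" "{UA_HUMAN}"',
]


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_sequential(ids: List[int], min_run: int = 3) -> bool:
    """Strictly consecutive IDs in request order: enumeration, not browsing."""
    return len(ids) >= min_run and all(b == a + 1 for a, b in zip(ids, ids[1:]))


def score_clients(lines: List[str], max_rps: float = 1.0, jitter_s: float = 0.5) -> Dict[str, dict]:
    """Group requests by client and collect the reasons each one looks automated."""
    sessions: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            sessions[rec["ip"]].append(rec)
    report = {}
    for ip, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / span if span > 0 else float(len(recs))
        if rate > max_rps:
            reasons.append(f"rate {rate:.2f} req/s")
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(gaps) >= 3 and pstdev(gaps) < jitter_s:   # humans do not click on a timer
            reasons.append("metronomic timing")
        ids = [int(m.group(1)) for m in map(VENUE_RE.match, (r["path"] for r in recs)) if m]
        if is_sequential(ids):
            reasons.append("sequential venue IDs")
        if len(recs) > 3 and not any(r["path"].endswith(STATIC) for r in recs):
            reasons.append("no static assets fetched")      # browsers load CSS/JS, scrapers rarely do
        if len(recs) > 3 and all(r["ref"] == "-" for r in recs):
            reasons.append("no referrers")
        ua = recs[0]["ua"].lower()
        if ua == "-" or any(h in ua for h in BOT_UA_HINTS):
            reasons.append(f"scripted user agent: {recs[0]['ua']}")
        report[ip] = {"requests": len(recs), "rps": round(rate, 2),
                      "reasons": reasons, "suspect": len(reasons) >= 2}
    return report


if __name__ == "__main__":
    for ip, r in score_clients(SAMPLE_LOG).items():
        print(ip, "SUSPECT" if r["suspect"] else "ok", r["reasons"])
```

Any one of these signals is easy for a determined scraper to spoof (a browser user agent, random sleeps, a fake referrer), which is why the score requires several to agree; a scraper that also fetches assets and jitters its timing looks like a slow human, and at that point the defence shifts from detection to rate limits and the legal route the article describes.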

Looking at the two sites, is it any wonder that they might want someone else’s content?
http://replay.waybackmachine.org/20080115032045/http://www.eventbrite.com/
http://replay.waybackmachine.org/20080115233613/http://www.cvent.com/

News Item 3:  http://www.securitypark.co.uk/security_article264914.html
According to a survey conducted by Tufin Technologies of 242 IT professionals, mainly from organizations with 1,000 to 5,000+ employees, 1 in 10 admitted that either they or a colleague had cheated to get an IT audit passed. It isn’t all bad news, however: compared with a similar survey conducted in 2009, the number admitting to cheating has halved.

Among those who have cheated, lack of time and resources are cited as the main reasons, underlining the ever-increasing pressure on today’s IT departments. With 25% responding that firewall audits take a week to conduct, the temptation to avoid so painful a process is understandable, if not excusable.

What’s more, 30% of respondents audit their firewalls only once every 5 years and, even more worrying, 7% never conduct an audit at all. With this in mind it is less surprising that 36% of IT professionals admit their firewall rule bases are a mess, increasing their susceptibility to hackers, network crashes and compliance violations.

The survey also found that:

  • 31% only audit their firewalls once a year
  • 22% don’t know how long it takes to audit their firewalls
  • Of those that admit their firewall rule base is a mess, 25% believe this makes their network susceptible to crashes and 38% susceptible to compliance violations
  • 56% responded that automation tools would save them a lot of time. While companies pay a lot of attention to the firewall selection process and invest millions in acquiring firewalls, much less attention and far fewer resources go into making sure the firewalls stay optimized against potential security risks and compliance breaches.
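The kind of check such automation tools perform, as an added example not drawn from the survey or any vendor's product: a first-match rule-base audit over a constructed rule set that flags shadowed rules (a deny that an earlier, broader allow prevents from ever firing), redundant rules, and allow any-to-any entries. The rule format, the rule names and the sample addresses are assumptions for illustration; a real audit would load the rules from the firewall's own export.

```python
"""Automated firewall rule-base audit: shadowed, redundant and wide-open rules.

Added example, not from the Tufin survey or any vendor's product. The rule
format and the sample rule base below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "any", a single port, or "low-high"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet inner would match is already matched by outer,
    i.e. inner can never fire if outer is evaluated first."""
    if outer.proto not in ("any", inner.proto):
        return False
    olo, ohi = _ports(outer.ports)
    ilo, ihi = _ports(inner.ports)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and olo <= ilo and ihi <= ohi)


def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """First-match semantics: walk the base top down and compare each rule with
    everything above it. A covered rule with the opposite action is shadowed
    (dead, and usually a security bug: a deny that never fires); with the same
    action it is merely redundant clutter. Allow any->any on all ports is
    flagged regardless of position."""
    findings: Dict[str, List[str]] = {"shadowed": [], "redundant": [], "permissive": []}
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == rule.dst == rule.ports == "any":
            findings["permissive"].append(rule.name)
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[kind].append(f"{rule.name} by {earlier.name}")
                break
    return findings


SAMPLE_RULES = [  # constructed rule base, evaluated top down, first match wins
    Rule("mgmt-ssh",       "allow", "10.10.0.0/16",   "10.1.2.3/32",  "tcp", "22"),
    Rule("web-in",         "allow", "any",            "10.1.5.0/24",  "tcp", "443"),
    Rule("web-in-partner", "allow", "203.0.113.0/24", "10.1.5.0/24",  "tcp", "443"),
    Rule("dmz-any",        "allow", "10.1.5.0/24",    "10.1.0.0/16",  "any", "any"),
    Rule("dmz-db-deny",    "deny",  "10.1.5.0/24",    "10.1.9.10/32", "tcp", "3306"),
    Rule("temp-any",       "allow", "any",            "any",          "any", "any"),
    Rule("cleanup",        "deny",  "any",            "any",          "any", "any"),
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES).items():
        print(f"{kind}: {items}")
```

On the sample base the interesting finding is not the obvious "temp-any" but its consequence: the final cleanup deny is shadowed by it, and the DMZ database deny is shadowed by a broad DMZ allow above it, so two of the rules an auditor would point to as controls do nothing. Pairwise coverage is a conservative check; a rule hidden by the union of several earlier rules needs a full packet-space comparison, which is what the commercial tools the survey respondents asked for add.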

News Item 4: http://www.h-online.com/security/news/item/Mozilla-releases-Firefox-3-6-8-to-close-critical-vulnerability-1044973.html
Just a couple of days after the arrival of Firefox 3.6.7, the Mozilla development team has released version 3.6.8 of its popular open source web browser to close a single critical-rated vulnerability. According to the developers, a previous fix in 3.6.7, aimed at addressing a plug-in parameter array crash, can itself cause a crash that could lead to memory corruption. The developers say that, “In certain circumstances, properties in the plug-in instance’s parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory.”

Further information about the vulnerability (CVE-2010-2755) has yet to be detailed in the change log, which currently shows “Zarro Boogs found”. All users are advised to upgrade as soon as possible.

A number of Firefox users report that the browser’s built-in update service is still being flagged by Symantec’s Norton Anti-Virus and Norton Internet Security 2010. The same problem occurred shortly after the release of Firefox 3.6.7 but resolved itself once enough Norton users had downloaded the browser and marked the file as trustworthy. Following the 3.6.6 update, Norton generated a false positive indicating that some of the application’s files were infected with malware, resulting in various files being quarantined after the Firefox update was installed.

More details about the release can be found in the release notes. Firefox 3.6.8 is available to download for Windows, Mac OS X and Linux. Alternatively, Firefox 3.6 users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting “Check for updates” from the Help Menu.