2010
07.30

InfoSec Daily Podcast

 
ISDPodcast Episode 184 for July 30, 2010.  Tonight’s podcast is hosted by Rick Hayes and Karthik Rangarajan.  In this episode we will discuss Google Apps, Android Hacked, Defcon contest & Cybercrime Study.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
    Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Stories of Interest:
News Item 1: http://www.infoworld.com/d/applications/google-introduces-google-apps-government-suite-788
Homing in on the lucrative government market for business applications, Google introduced on Monday Google Apps for Government, featuring its suite of cloud-based business applications equipped with extra security precautions.

The suite, with such applications as Gmail email and Google Calendar, offers U.S. government FISMA (Federal Information Security Management Act) moderate-level certification. Also, government user data is to be maintained on servers segregated from Google’s commercial customers. Google officials emphasized that government agencies are acutely concerned with security and that Google Apps is the first cloud platform certified for use by the federal government.

Google is positioning the suite as a solution for all branches of government, emphasizing cost savings that could be enjoyed by governments now beset by budget shortfalls.

“As we know, the financial pressures on government are enormous, and this is a material cost savings,” said Google CEO Eric Schmidt, during a rollout event at Google headquarters in Mountain View, Calif.

“The government has an enormous opportunity to leverage the Web as a platform,” said Dave Girouard, president of Google Enterprise. Governments at all levels are spending billions on IT; cloud computing offers an opportunity to change these dynamics in the next decade, he said.

Available now, Google Apps for Government costs $50 per user per year, the same price as Google Apps Premier Edition. In addition to Gmail and Google Calendar, Google Apps for Government also features Google applications like Docs, Sites, Video, Groups, and Postini.

Gmail and Calendar data currently is physically segregated from non-government user data and maintained within the United States. Google plans to segregate the other applications in the suite as well, with that work now in progress.

Google’s suite for government will compete with the Microsoft Office suite of applications, Girouard acknowledged. “It’s a pleasant side effect,” he said.

News Item 2:  http://news.techworld.com/security/3233833/hackers-break-into-android-phone-at-black-hat/
Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010. Not only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a website in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely – including top-of-the-line models hawked by major wireless carriers.

In one presentation, Lookout’s CEO John Herring said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.

In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android. “It gives you root control, and you can do anything you want to do” with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.

News item 3:  http://www.cio.com/article/601317/FBI_Rings_Organizers_Over_Defcon_Contest
A Defcon contest that invites contestants to trick employees at U.S. corporations into revealing not-so-sensitive data has rattled some nerves.  Contest organizers have been called by the U.S. Federal Bureau of Investigation and have seen warnings issued by security groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group that provides information on security threats affecting the banking industry.

“The stories that I’m getting are a lot of financial people were really concerned that we were going to be targeting personal information and stuff like that,” said Chris Hadnagy, the operations manager with Offensive Security, who is organizing the contest. These concerns are unfounded, he says.

Over the next three days participants will try their best to unearth data from an undisclosed list of about 30 U.S. companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees.

News Item 4: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272
Organizations are getting hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranged from $1 million to $53 million per year, according to a newly published benchmark study of 45 U.S. organizations hit by data breaches.

The independent Ponemon Institute’s “The First Annual Cost of Cyber Crime Study”, which was sponsored by ArcSight, showed a median cost of $3.8 million for an attack per year, a price tag that includes everything from detection, investigation, containment, and recovery to any post-response operations. “Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

And a separate report called “The Leaking Vault”, released today by the Digital Forensics Association, found that among the 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as to those whose information was exposed came to a whopping $139 billion.

The Digital Forensics Association report says nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases was stolen. But actual hacks accounted for the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, even though hacks accounted for only about 16 percent of the data breaches.

2010
07.29

InfoSec Daily Podcast

 
ISDPodcast Episode 183 for July 29, 2010.  Tonight’s podcast is hosted by Rick Hayes and Karthik Rangarajan.  In this episode we will discuss fake Facebook, Dell, Wikileaks & Hacker Bounty.

Stories of Interest:
News Item 1: http://www.bbc.co.uk/news/technology-10796584

Personal details of 100m Facebook users have been collected and published on the net by a security consultant. Ron Bowes used a piece of code to scan Facebook profiles, collecting data not hidden by the user’s privacy settings. The torrent is attracting hundreds of downloads.

The list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user’s profile, their name and unique ID.

News Item 2: http://www.channelregister.co.uk/2010/07/20/secure_browser_push/

Dell has applied application virtualization technology to Firefox in order to offer corporates what it claims is a more secure browsing experience. The Dell KACE Secure Browser, which is available for download at no charge from Tuesday, aims to boost enterprise security while introducing businesses to the PC maker’s recently acquired systems management appliance division. The technology provides users with a virtual instance of an internet browser application, thereby reducing exposure to drive-by malware attacks from websites hosting malicious code, an increasingly common tactic for malware distribution.

“By running the browser in a virtual instance, the browser and any activity resulting from its use are separated from the endpoint keeping the actual computer and operating system free of changes that would normally occur,” Dell KACE explains. The Secure Browser can be centrally deployed and managed via Dell KACE’s K1000 Management Appliance. The unit intends to deliver an Internet Explorer version of the technology later this year.

News Item 3: http://news.cnet.com/8301-1009_3-20011594-83.html
Wikileaks, the document-leaking organization that has previously released internal U.S. military videos, on Sunday disclosed over 75,000 confidential files related to the war in Afghanistan.

The group gave the documents in advance to the New York Times, Germany’s Der Spiegel, and the U.K.’s Guardian newspaper, which independently confirmed their authenticity. The Guardian called the disclosure a “devastating portrait of the failing war in Afghanistan,” saying it reveals how the U.S.-led coalition has killed hundreds of civilians in unreported incidents, Taliban attacks have risen, and NATO commanders worry that neighboring Pakistan and Iran are aiding the insurgency.

About 76,900 of the files–which the group calls the “Afghan War Diary”–appeared on Wikileaks.org at around 4 p.m. PT. Wikileaks says it has delayed the release of an additional 15,000 files to allow names and other sensitive information to be removed.

The U.K. public service broadcaster Channel 4 performed its own analysis of the dispatches from individual military units, which cover the war from 2004 through the end of 2009, and concluded that 15,506 enemy deaths were reported. At least 4,232 civilians were killed, and 1,138 NATO troops were killed.

News Item 4: http://www.zdnet.com/blog/security/microsoft-no-plans-to-pay-for-security-vulnerabilities/6935
Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don’t expect Microsoft to join the pay-for-flaws party.

According to Threatpost’s Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well.

Here’s what Microsoft’s Jerry Bryant told Fisher:

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update.”

2010
07.28

InfoSec Daily Podcast

 
ISDPodcast Episode 182 for July 28, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss fake Firefox, Motorola, vBulletin & China.

Stories of Interest:

News Item 1a: http://news.yahoo.com/s/zd/20100728/tc_zd/253167
Thanks to F-Secure for revealing the latest in rogue anti-malware: A fake Firefox “Just Updated” page which pushes you to install an update to Flash.

The page is roughly a clone of the page you see in Firefox after you update versions. It uses a recent (but not the most recent) update version and tells the user that they really should update their Flash version. Presumably you’d see this even in another browser.
The download starts automatically. Save and run it and you get a rogue antivirus product named “SecurityTool” which starts finding threats which aren’t there and demanding payment in order to remove them.

News Item 1b: http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.

The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact. A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

News Item 2: http://www.theregister.co.uk/2010/07/22/motorola_huawei/
Motorola has accused its own engineers of sending confidential documents to the founder of Huawei, and claims that the receiving company was well aware that the information was stolen.

The case, filed in Chicago, is against the Lemko Corp and originally accused five former Motorola workers of taking their secrets with them when they moved to Lemko – a company that has a reselling deal with Huawei. But the case has now been amended to accuse named engineers of sending confidential documents direct to Huawei.

Motorola is pretty explicit: “Huawei and its officers knew they were receiving stolen Motorola proprietary trade secrets and confidential information without Motorola’s authorization and consent,” according to Reuters’ reporting of the complaint. A sent mail was apparently recovered from the engineer’s computer, with attached documents bearing the “confidential” stamp.

It’s not the first time Motorola and Lemko have been at odds – back in 2008 a Motorola employee (who also seems to have been working for Lemko at the time) was picked up boarding a plane at O’Hare airport, on a one-way trip to China packing more than 1,000 Motorola documents and something in the region of $30,000 in cash too.

News Item 3: http://www.bbc.co.uk/news/technology-10714192
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data.  The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.  This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

News Item 4: http://news.cnet.com/8301-1023_3-20011428-93.html
Baidu, China’s leading Internet search company, has a “plausible” case against its U.S.-based domain registry for allegedly allowing a hacking attack that left the site disabled and defaced, a U.S. judge ruled Thursday.

The order, signed by Judge Denny Chin of the U.S. District Court for Southern New York, allows Baidu to proceed with a lawsuit it filed against Register.com in January. Baidu’s suit accuses Register.com of breach of contract, gross negligence, and recklessness related to a January 11 hack attack that left Baidu disabled for several hours. Visitors to the site during those hours were redirected to a site where a group calling itself the “Iranian Cyber Army” claimed responsibility for the attack.

“I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness,” Chin said in his ruling. “If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism.”

However, Register.com did score a partial victory when Chin dismissed five of Baidu’s seven claims against the domain registry, including contributing to trademark infringement and aiding trespass. Register.com still faces breach of contract and negligence charges.

News Item 5: http://bit.ly/9A397s

Computer files from South Shore Hospital that contain personal information for about 800,000 people may have been lost when they were shipped to a contractor to be destroyed, hospital officials announced yesterday.

The officials declined to identify the contractor, but said that an independent information security consulting firm has determined that specialized software, hardware, and technical knowledge would be required to open and decipher information in the files.

They also said they had no evidence that the information in those files had been improperly used by anyone. The information was on back-up files headed for destruction because they were in a format the hospital said it no longer used. Based on the investigation so far, the hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information. Aubut said the hospital is still investigating and will be sending letters to each person whose personal information may have been on those files.

Under a 2007 Massachusetts law, companies are required to notify the state attorney general’s office when they know or suspect that data containing personal information from consumers has been breached. Since 2007, the office has received 1,370 such notifications, a spokeswoman said yesterday.

2010
07.27

InfoSec Daily Podcast

 
ISDPodcast Episode 181 for July 27, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker, Adrian Crenshaw and Karthik Rangarajan.  In this episode we will discuss Badsites, DMCA, China & FBI Hybrid.

Stories of Interest:

News Item 1: Credit Card Information on http://www.erenterplan.com

I was enrolling for renter’s insurance today, when I came across an interesting “feature” that was “helping” me fill out the form for payment. We’re all aware of auto complete, and possibly use it in a lot of cases to make our lives easier. But what if auto complete filled out our credit card information and CVV number as well? This is exactly what was happening on this website when I was trying to make a payment: I had already accessed it once and made a payment; when I went in the second time, my credit card number was available in a drop down through auto complete. Now granted, if I disabled auto complete, it wouldn’t be a vulnerability, but what about people who don’t know how to do it? There are a lot of people who use public computers to pay online thinking it’s perfectly safe as long as there’s a lock in the browser, and there are privacy notifications all over the place. Not disabling the feature would essentially leave the website with the risk of giving away customers’ credit card information.

On emailing the concerned people, they immediately replied with the following:

The issue you’re experiencing relating to stored credit card information is a result of your “Cookie” settings or other web browser configuration.  If you’re using Internet Explorer, you may potentially resolve the issue as follows:

1. Under “Tools”, select “Internet Options”

2. In “Internet Options”, select the “Content” tab

3. Under the “Content” tab, “Auto Complete”, select “Settings”

From the “Settings” menu, you should see a dialogue box similar to that attached.  Your credit card information is being stored only on your local machine due to having the “Forms” box selected or as a result of your Cookies settings.  For more information relating to Cookie settings on your local machine, please refer to the “Help” portion of the browser toolbar to learn more information about these functions.

Finally, you may read more about our Cookies policy by visiting our Privacy Statement, which may be found here:  http://www.erenterplan.com/privacy.aspx

Thank you.

Ryan P. Grogan, CIPP

Compliance Manager, Legal

RealPage, Inc.

It is not a cookie issue, but it is an auto complete issue. As I said, disabling it is an option on my computer, or if people are aware, on public computers. What about my Uncle in India who is not so tech savvy, who goes to a public computer to do these things? A little Googling gave a possible solution:

    <form method="post" autocomplete="off" action="http://www.mysite.com/form.cgi">
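The form-level autocomplete="off" above tells the browser not to remember anything typed into that form. As an added example that is not code from the podcast, RealPage or erenterplan.com, the following Node.js script audits raw form markup for card-number, CVV and expiry fields that neither the enclosing form nor the field itself marks autocomplete="off". The HTML it scans is constructed sample input, and the field-name heuristic (SENSITIVE_FIELD) is an assumption of this example, not a standard.

```javascript
// Added example: audit HTML form markup for payment fields the browser is
// still allowed to remember through autocomplete. Regex-based and
// dependency-free so it runs under plain Node without a DOM.

// Parse a tag's attribute text into a lower-cased name -> value map.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Heuristic (constructed for this example) for field names/ids that usually
// carry card data: card number, CVV/CVC/CSC, expiry, or a bare "cc" token.
const SENSITIVE_FIELD = /card|cvv|cvc|csc|security[_\- ]?code|expir|ccnum|(?:^|[_\-])cc(?:[_\-]|$)/i;

// Scan every <form>...</form> in the markup. A card field is reported unless
// autocomplete="off" is set on the field or on its form.
// Returns an array of { form, field, reason } findings.
function auditPaymentForms(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs(f[1]);
    const formOff = (formAttrs.autocomplete || '').toLowerCase() === 'off';
    const formName = formAttrs.id || formAttrs.name || formAttrs.action || '(anonymous form)';
    const inputRe = /<input\b([^>]*)>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const a = parseAttrs(i[1]);
      const type = (a.type || 'text').toLowerCase();
      if (type === 'hidden' || type === 'submit' || type === 'button') continue;
      const label = a.name || a.id || '';
      if (!SENSITIVE_FIELD.test(label)) continue;
      const fieldOff = (a.autocomplete || '').toLowerCase() === 'off';
      if (!formOff && !fieldOff) {
        findings.push({
          form: formName,
          field: label,
          reason: 'autocomplete not disabled on the field or its form',
        });
      }
    }
  }
  return findings;
}

// Constructed sample markup: one weak form, one fixed at form level
// (the remedy quoted in the post), one fixed on a single field only.
const SAMPLE_HTML = `
<form id="pay-weak" method="post" action="/pay">
  <input type="text" name="cardNumber">
  <input type="text" name="cvv">
  <input type="text" name="account_name">
  <input type="hidden" name="cc_token">
</form>
<form id="pay-form-off" method="post" action="/pay" autocomplete="off">
  <input type="text" name="cardNumber">
  <input type="text" name="cvv">
</form>
<form id="pay-field-off" method="post" action="/pay">
  <input type="text" name="card_number" autocomplete="off">
  <input type="text" name="cvv2">
</form>
`;

// Expected on the sample: cardNumber and cvv in pay-weak, cvv2 in pay-field-off.
console.log(JSON.stringify(auditPaymentForms(SAMPLE_HTML), null, 2));
```

Run it over templates or saved copies of a checkout page; each finding is a field the browser may offer back from a drop-down on whatever machine the customer used, which is the shared-computer scenario described in the post.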

News Item 2a: http://www.courthousenews.com/2010/07/23/29099.htm
A New Orleans judge ruled that it is not a violation of the DMCA to break access control unless it is for the purpose of copyright infringement. So breaking DRM on a DVD I own so I can play it on Linux would no longer be a DMCA violation.

In its lawsuit against GE and PMI, MGE claimed a group of PMI employees had at least one copy of software obtained from a hacked machine. It said GE used the software 428 times between June 2000 and May 2002, even after a judge barred GE from using MGE’s software and trade secrets.

News Item 2b: http://www.engadget.com/2010/07/26/library-of-congress-adds-dmca-exception-for-jailbreaking-or-root/
On the surface it looks like the Library of Congress has added new anti-circumvention exceptions to the DMCA that, among other things, allow people to tweak their handsets for the purpose of installing legally obtained software — known as jailbreaking in iOS land, and rooting in the Android / webOS world. Check out the full statement from the Librarian of Congress, which is mostly an update of existing exceptions on record, after the break, but here’s the primary excerpt:

Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

The section pertaining to cracking a DVD video and excerpting scenes for commentary or criticism has been expanded beyond educational use into documentary and non-commercial applications.  Under traditional fair use rights, it has been allowed to use portions of copyrighted materials for teaching, documentary films, and for criticism and commentary. However, under the DMCA these rights didn’t matter as it was illegal to break the DRM no matter what the end use.

News Item 3: http://www.ibtimes.com/articles/37227/20100721/utargeting-china-in-new-anti-piracy-drive.htm

The United States will make China “a significant focus” of its beefed-up efforts to fight global piracy and counterfeiting of U.S. goods ranging from CDs to manufactured products, a U.S. official said on Wednesday.

“It’s fair to say China raises a particularly troubling set of issues,” Victoria Espinel, the U.S. intellectual property enforcement coordinator, said in prepared testimony to the House of Representatives Foreign Affairs Committee. “Therefore, China will be a significant focus of our enforcement efforts as we address intellectual property infringement abroad,” Espinel said testifying on the Obama administration’s new intellectual property enforcement strategy, which was mandated by Congress.

The International Intellectual Property Alliance, which represents U.S. copyright industry groups, has estimated lost sales in China at more than $3.5 billion in 2009 due to piracy of U.S. music, movies and software.

News Item 4: http://www.networkworld.com/community/node/64031
An FBI investigation has led to a Michigan couple being charged with stealing hybrid car information from GM for use by a Chinese auto outfit. A federal indictment charged Yu Qin, aka Yu Chin, 49, and his wife, Shanshan Du, aka Shannon Du, 51, of Troy, Michigan with conspiracy to possess trade secrets without authorization, unauthorized possession of trade secrets, and wire fraud. One of the individuals was also charged with obstruction of justice, said Barbara McQuade, United States Attorney for the Eastern District of Michigan, in a statement. GM estimates that the value of the stolen documents is over $40 million.

According to the indictment, from December 2003 to May 2006, the defendants conspired to possess trade secret information of General Motors relating to hybrid vehicles, knowing that the information had been stolen, converted, or obtained without authorization. The indictment alleges that Du, while employed with GM, provided GM trade secret information relating to hybrid vehicles to her husband, Qin, for his benefit and for the benefit of a company, Millennium Technology International Inc., that the defendants owned and operated.

Approximately five days after Du was offered a severance agreement by GM in January 2005, she copied thousands of GM documents, including trade secret documents, to an external computer hard drive used for MTI business. A few months later, Qin moved forward on a new business venture to provide hybrid vehicle technology to Chery Automobile, a Chinese automotive manufacturer based in China and a competitor of GM. The indictment further alleges that in May 2006, the defendants possessed GM trade secret information without authorization on several computer and electronic devices located in their residence, according to the statement.

The indictment also charges the defendants dumped plastic bags containing shredded documents in a dumpster after they were subpoenaed by a federal grand jury looking for information relating to MTI and hybrid vehicles.

News Item 5: http://threatpost.com/en_us/blogs/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210
Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.

The change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000 respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future.

2010
07.26

InfoSec Daily Podcast

ISDPodcast Episode 180 for July 26, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss GSM, Apple, Web Scraping, Audit Cheating & Firefox.

Stories of Interest:
News Item 1: http://www.computerworld.com/s/article/9179529/New_Kraken_GSM_cracking_software_is_released
A few weeks ago, an open source group released software that cracks the A5/1 encryption algorithm used by some GSM networks. Called Kraken, this software uses new, very efficient encryption-cracking tables that allow it to break A5/1 encryption much faster than before. They rely upon what is often referred to as the Berlin A5/1 rainbow table set.

GSM was academically broken in 1991. The software is a key step toward eavesdropping on mobile phone conversations over GSM networks. Since GSM networks are the backbone of 3G, they also provide attackers with an avenue into the new generation of handsets.

In December, the group released a set of encryption tables designed to speed up the arduous process of breaking A5/1 encryption, but the software component was incomplete. Now the software is done, and the tables are much more efficient than they were seven months ago. “The speed of how fast you could crack a call is probably orders of magnitude better than anything previously,” said Frank Stevenson, a developer with the A5/1 Security Project. “We know we can do it in minutes; the question is, can we do it in seconds?”

News Item 2: http://washington.bizjournals.com/washington/stories/2010/07/12/focus1.html
When McLean-based Cvent Inc. filed a $3 million copyright lawsuit against a West Coast competitor this spring, the software company didn’t just allege simple plagiarism. Cvent, which offers a database of venue profiles for corporate event planners, accused rival Eventbrite Inc. of quietly unleashing an automated program — a webbot or “bot,” for short — on Cvent.com to purloin thousands of pages of valuable content. In its complaint filed May 10 in federal District Court in Alexandria, Cvent alleged the San Francisco company had taken information that cost more than $10 million to create and reproduced it on its own website — errors intact.

The lawsuit highlights a prime fear of companies whose stock in trade is a mass of publicly available data: Web scraping. The widespread but sometimes legally hazy practice — in which tailor-made programs mimic a human user to harvest content from the Web — runs the gamut from benign to malicious.

In some cases, scraping is used to help market researchers or create Web mashups that stitch together data in new and creative ways.

In others, it serves as a vehicle for corporate espionage and piracy. The demand for scraping has spawned a market for custom-built bot software, as well as for software to thwart those bots.

Looking at the two sites, is it any wonder that they might want someone else’s content?
http://replay.waybackmachine.org/20080115032045/http://www.eventbrite.com/
http://replay.waybackmachine.org/20080115233613/http://www.cvent.com/

News Item 3:  http://www.securitypark.co.uk/security_article264914.html
According to a survey conducted by Tufin Technologies of 242 IT professionals, mainly from organizations employing 1000 to 5000+ employees, 1 in 10 admitted that either they or a colleague have cheated to get an IT audit passed. However, it isn’t all bad news; compared to a similar survey conducted in 2009, the number of people admitting to cheating has halved.

Amongst those who have cheated, lack of time and resources are cited as the main reasons, underlining the ever-increasing pressure on today’s IT departments. With 25% responding that firewall audits take a week to conduct, attempting to avoid this painful process is understandable if not excusable.

What’s more, 30% of respondents only audit their firewalls once every 5 years and, even more worrying, 7% never conduct an audit at all. With this in mind it’s less surprising to find that 36% of IT professionals admit their firewall rule bases are a mess, increasing their susceptibility to hackers, network crashes and compliance violations.

The survey also found that:

  • 31% only audit their firewalls once a year
  • 22% don’t know how long it takes to audit their firewalls
  • Of those that admit their firewall rule base is a mess, 25% believe this makes their network susceptible to crashes and 38% susceptible to compliance violations
  • 56% responded that automation tools would save them a lot of time. While companies pay a lot of attention to the firewall selection process, and invest millions in acquiring them, much less attention and resources are invested in making sure the firewalls are optimized at all times against potential security risks and compliance breaches

News Item 4: http://www.h-online.com/security/news/item/Mozilla-releases-Firefox-3-6-8-to-close-critical-vulnerability-1044973.html
Just a couple of days after the arrival of Firefox 3.6.7, the Mozilla development team has released version 3.6.8 of its popular open source web browser to close a single critical-rated vulnerability. According to the developers, a previous fix in 3.6.7, aimed at addressing a plug-in parameter array crash, can itself cause a crash that could lead to memory corruption. The developers say that, “In certain circumstances, properties in the plug-in instance’s parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory.”

Further information about the vulnerability (CVE-2010-2755) has yet to be detailed in the change log, which currently shows “Zarro Boogs found”. All users are advised to upgrade as soon as possible.

A number of Firefox users are reporting that the built-in update service used by Firefox is still initially being flagged by Symantec’s Norton Anti-Virus and Norton Internet Security 2010. The same problem occurred shortly after the release of Firefox 3.6.7 but took care of itself after a sufficient number of Norton users downloaded the browser and marked the file as trustworthy. Following the 3.6.6 update, Norton generated a false positive indicating that some of the application’s files were infected with malware, resulting in various files being quarantined after the Firefox update was installed.

More details about the release can be found in the release notes. Firefox 3.6.8 is available to download for Windows, Mac OS X and Linux. Alternatively, Firefox 3.6 users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting “Check for updates” from the Help Menu.

2010
07.23

InfoSec Daily Podcast

ISDPodcast Episode 179 for July 23, 2010.  Tonight’s podcast is hosted by Rick Hayes and Matthew Shoemaker.  In this episode we will discuss Microsoft Research, Apple, BurstNET & GSM.

Stories of Interest:
News Item 1: http://www.technologyreview.com/computing/25826/
Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers. Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords. Increasingly complex password requirements–rules like “passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols”–make it difficult for attackers to guess passwords using a so-called “dictionary attack,” which involves trying many possible passwords in succession.

Without such restrictions, people tend to pick passwords that are easy to remember, easy to type–and easy to guess. For example, when 32 million passwords from the social media website RockYou were inadvertently released last December, nearly half were found to be “trivial passwords” such as consecutive digits, dictionary words, or common names, according to an analysis last January by the Web security firm Imperva.

The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks (not true) and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users–websites like Microsoft’s Hotmail, for instance.

The approach is described in a paper written by Microsoft researchers Stuart Schechter and Cormac Herley, due to be published at the Hot Topics in Security conference in Washington, DC, in August. Michael Mitzenmacher at Harvard University is also a coauthor of the paper. “Replacing password creation rules with popularity limitations has the potential to increase both security and usability,” the authors write. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”
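The popularity limit described above (count how often each password is chosen, refuse it once the count reaches a small threshold), as an added worked example; this is not code from the page, from Microsoft Research or from the paper. The counts are kept in a count-min sketch, which is the structure the paper itself proposes so that the service never has to store the list of passwords it has seen; the keyed hashing, the table sizes, the threshold of 3 and the sample sign-ups are my own assumptions.

```python
"""Popularity-limited password acceptance (added example, not the paper's code).

Instead of complexity rules, a large service counts how many accounts have
chosen each password and refuses any password once it becomes too popular.
The counts live in a count-min sketch: a fixed-size table of counters indexed
by keyed hashes, so the service never keeps a list of the passwords it saw.
A sketch can only over-count, never under-count, so a genuinely popular
password is always caught; a rare false positive bans an unpopular one.
"""
import hashlib
import hmac
import os


class CountMinSketch:
    """`depth` rows of `width` counters; each item maps to one counter per row."""

    def __init__(self, width, depth, key):
        self.width = width
        self.depth = depth
        self.key = key                       # secret key for the index hashes
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, item):
        for row in range(self.depth):
            # HMAC-SHA256 keyed per row: someone who reads the table but not
            # the key cannot tell which cells a given password maps to.
            mac = hmac.new(self.key, row.to_bytes(2, "big") + item,
                           hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def add(self, item):
        for row, col in self._cells(item):
            self.table[row][col] += 1

    def estimate(self, item):
        # The true count is at most the smallest of the item's counters.
        return min(self.table[row][col] for row, col in self._cells(item))


class PopularityLimiter:
    """Accepts a password only while fewer than `threshold` accounts use it."""

    def __init__(self, threshold=3, width=1 << 16, depth=4, key=None):
        self.threshold = threshold           # assumed value; a real service tunes it
        self.sketch = CountMinSketch(width, depth, key or os.urandom(32))

    @staticmethod
    def _canonical(password):
        return password.encode("utf-8")

    def is_allowed(self, password):
        return self.sketch.estimate(self._canonical(password)) < self.threshold

    def register(self, password):
        """Record a sign-up; returns False (and records nothing) if too popular."""
        if not self.is_allowed(password):
            return False
        self.sketch.add(self._canonical(password))
        return True


def simulate_signups(passwords, threshold=3, key=b"\x00" * 32):
    """Run a sequence of sign-up attempts; returns (accepted, rejected) lists."""
    limiter = PopularityLimiter(threshold=threshold, key=key)
    accepted, rejected = [], []
    for pw in passwords:
        (accepted if limiter.register(pw) else rejected).append(pw)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: five users try "123456", one picks a rare passphrase.
    attempts = ["123456"] * 5 + ["correct horse battery"]
    ok, banned = simulate_signups(attempts)
    print("accepted:", ok)      # first three "123456" and the passphrase
    print("rejected:", banned)  # the last two "123456" attempts
```

The sketch only grows, so the fixed key must be kept as secret as the password database itself; with the key, the table is a frequency oracle for candidate passwords, which is exactly what the scheme is meant to deny an attacker.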

News Item 2: http://www.itworld.com/security/114478/apple-lays-out-location-collection-policies
Apple responded to questions from U.S. lawmakers about what kind of location data it collects from some users every 12 hours.  In a 13-page reply to questions posed by Representative Ed Markey from Massachusetts and Congressman Joe Barton from Texas, Apple said it collects GPS data daily from iPhones running OS 3.2 or iOS 4. The phones collect the GPS data and encrypt it before sending it back to Apple every 12 hours via Wi-Fi. Attached to the GPS data is a random identification number generated by the phone every 24 hours. The information is not associated with a particular customer, Apple said.

Apple uses the data to analyze traffic patterns and density, it said. Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS.
News Item 3: http://www.computerworld.com/s/article/9179564/Virus_writers_are_picking_up_new_Microsoft_attack
The Windows attack used by a recently discovered worm is being picked up by other virus writers and will soon become much more widespread, according to security vendor Eset.

Eset reported Thursday that two new families of malicious software have popped up, both of which exploit a vulnerability in the way Windows processes .lnk files, used to provide shortcuts to other files on the system. Siemens issued a Security Update for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread.

News Item 4:  http://www.cio.com/article/600081/Bomb_Making_Tips_Tied_to_Blog_Shut_Down

Execs at BurstNET, the host for the blog platform Blogetery, released a statement this week to put the rumors to rest.  “On the evening of July 9, 2010, BurstNET received a notice of a critical nature from law enforcement officials, and was asked to provide information regarding ownership of the server hosting Blogetry.com,” the statement says.  “It was revealed that a link to terrorist material, including bomb-making instructions and an al-Qaeda ‘hit list’,” had been posted to the site.

“Upon review, BurstNET determined that the posted material, in addition to potentially inciting dangerous activities, specifically violated the BurstNET Acceptable Use Policy,” the statement continues.

“This policy strictly prohibits the posting of ‘terrorist propaganda, racist material, or bomb/weapon instructions.’ Due to this violation and the fact that the site had a history of previous abuse, BurstNET elected to immediately disable the system,” it says.

2010
07.22

InfoSec Daily Podcast

ISDPodcast Episode 178 for July 22, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Adrian Crenshaw.  In this episode we will discuss Safari, Cloud Backups & Video Social networking.

Stories of Interest:
News item 1: http://blogs.computerworld.com/16579/horrible_safari_privacy_bug_take_action_now

Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some very bad news for Safari users. Here’s his shtick:

Right at the moment a Safari user visits a website, even if they’ve never been there before … a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5 … has [this] … enabled by default.

This feature works even though a user never entered this data on any website. … a malicious website would … dynamically create form text fields … probably invisibly, and then simulate … keystroke events using JavaScript. When data is … AutoFill’ed, it can be accessed and sent to the attacker. … The entire process takes mere seconds.

What’s going on here? Form data can be auto-suggested in Safari, just like in other browsers. However, the data doesn’t usually get entered into the form unless the user actually selects the suggested input from the drop-down list. But in Safari, the suggestions are programmatically available.

News Item 2: http://www.zdnet.com/blog/mobile-gadgeteer/its-time-to-backup-your-cloud-too/3580?
Many people don’t think about having to back up their cloud-based data. Do you back up your Contacts from Google? Do you change your passwords often? Do you check to see if you have any unauthorized visitors poking around your cloud?

  • If you use Gmail, you could create a Gmail account whose only purpose is to fetch messages from your main account. Set up mail fetcher in the backup account and add the main account as a custom From address. This way, you’ll be able to read all the messages from your account and even send mail.
  • Add the backup account as a Google Talk friend from Gmail Chat or from other Google Talk interface.
  • For Blogger, add the backup account in the blog authors section: Settings > Permissions > Add authors. The account should have admin privileges so that you can create, edit and delete posts.
  • In Google Analytics, go to Access Manager and add the account as an admin. You’ll have access to all reports and profiles in the backup account.
  • Google Calendar lets you share the main calendar with other people and even give them the right to edit events. Click on “Manage calendars” at the bottom of the window, share the main calendar and add the backup account. You should select “make changes and manage sharing” from the drop-down.  The best solution is to set up a complete bi-directional Gcal sync using the cross-platform GCalDaemon. With GCalDaemon, not only can you ensure that you’ve always got a backup of your latest and greatest Google Calendar appointments and events, but you also get to add, edit, or delete those events from your desktop and watch as they sync back to Gcal.
  • If you’re the owner of a group in Google Groups, go to the member invitation section, select “Add members directly” and add the backup account. Then change the membership type of the new account to “owner”. It’s also a good idea to select “no email” in the subscription type.
  • Add the backup account as a collaborator for some of the most important Google documents and notebooks.  Firefox users can back up all or select chunks of Google Docs and Spreadsheet files in various formats (including MS Office or Open Office formats, PDF, plain text, or CSV) in one fell swoop using the Google Docs Download Greasemonkey script.
  • Other Google services only allow you to export your data: Google Reader (Settings > Import/Export), iGoogle (share each tab with the backup account), Gmail contacts, Google News personalization (scroll to the bottom of the homepage and click on “Share your personalized news with a friend”).

News Item 3: http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1068-10.pdf
Security researchers have demonstrated that there are some potentially serious security and privacy issues with various video social networking sites. They also assert that security on these systems has been neglected. The privacy issues in Chatroulette expose users to risks of phishing, man-in-the-middle attacks and other threats.

News Item 4: http://www.hammerofgod.com/tgp.aspx
The Windows crypto tool Thor’s Godly Privacy (TGP) informs users about the estimated time required for a successful brute-force attack on the chosen password.

2010
07.21

InfoSec Daily Podcast

ISDPodcast Episode 177 for July 21, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss Copy Machine, Dell Malware, OISF & ZeuS.

Stories of Interest:
News item 1: http://www.nbc12.com/Global/story.asp?S=12802532
Almost everyone has used a copy machine; they’re most likely at your job, or at your doctor’s or dentist’s office. They’re in almost every business and used several times a day. Copy machines can do just about everything these days. Now more than ever, though, many people are concerned that a quick photocopy can lead to someone stealing your identity. The secret is in the copy machine’s hard drive. Just like a computer, these machines can now store information. Chances are, the very image you copy could be saved to the machine’s memory.

“It has evolved over the last few years,” said Christopher. “Every year the manufacturers make a new machine with new features just like cars. They’re multi-functional devices. You can scan, fax, print, store information, and connect to the network security.” And the hard drive your documents are stored on isn’t too hard to get to by hackers or someone looking to commit identity theft. “You can remove a couple panels and see the hard drive,” said IT expert Tracy Short, with Cobb Technologies. “We remove two panels and there it is. Four more screws and you can have the hard drive out.”
News Item 2: http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx
Dell is apparently warning customers that “a small number” of its PowerEdge R410 server motherboards may contain malicious software. “The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware,” according to a post on a Dell support forum. “This malware code has been detected on the embedded server management firmware.”

The malware issue affects a limited number of replacement motherboards in four servers, the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 models, wrote Forrest Norrod, vice president and general manager of server platforms at Dell, in an email. It only potentially manifests itself when a customer has a specific configuration and is not running current antivirus software, Norrod wrote.  “Dell is aware of the issue and is contacting affected customers. This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware,” Norrod wrote.  Dell provided no further details on the malware, how it affects servers and potential ways to fix it, but said further details will be posted soon at Dell’s website.

News Item 3:  http://www.openinfosecfoundation.org/index.php/download-suricata
The Open Information Security Foundation (OISF), a group funded by the U.S. Department of Homeland Security (DHS) and several security vendors, this week released an open source engine built to detect and prevent network intrusions. The somewhat oddly named Suricata 1.0 engine is touted as a replacement for the 12-year-old Snort open source technology that over the years has emerged as a sort of de facto standard for detecting and preventing intrusions. Snort currently claims close to 300,000 registered users and over 4 million downloads. Nearly 100 vendors have added Snort to network security devices. Earlier this month Amazon announced that it has selected Snort to deliver IPS protection for its Web services customers.

News Item 4:  http://www.networkworld.com/news/2010/071310-zues-mastercard.html

The notorious ZeuS banking Trojan is showing off a new trick: Popping up on infected computers with a fake enrollment screen for the “Verified By Visa” or “MasterCard SecureCode Security” programs.

The real and legitimate Visa and MasterCard card-fraud prevention programs have cardholders use a password when making card-based purchases online as an additional means of security.

The Zeus Trojan, with its ever-growing capability to steal financial information and execute unauthorized funds transfers, has recently been seen attacking banking customers on infected machines by displaying a fake “Verified by Visa” enrollment screen, or its MasterCard counterpart SecureCode, trying to lure victims into a fraudulent online enrollment action that would end up giving criminals their sensitive financial data.

2010
07.20

InfoSec Daily Podcast

ISDPodcast Episode 176 for July 20, 2010.  Tonight’s podcast is hosted by Rick Hayes and Matthew Shoemaker.  In this episode we will discuss SANS, OpenID, Grade Changing & Pakbugs.

Stories of Interest:
News item 1: http://isc.sans.edu/diary.html?storyid=9208

SANS made the call to go Code Yellow to help raise awareness of the zero-day flaw being used in targeted attacks against organizations worldwide — most notably on SCADA systems — via the “LNK” vulnerability. SANS ISC handler and security consultant Lenny Zeltser said today: “Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far.” The Infocon has since been lowered back down to green.
News item 2: http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions
A well-known cryptographic attack could be used by hackers to log into Web applications used by millions of users, according to two security experts who plan to discuss the issue at an upcoming security conference. Researchers Nate Lawson and Taylor Nelson say they’ve discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites. OAuth and OpenID authentication are accepted by popular Web sites such as Twitter and Digg.

They found that some versions of these login systems are vulnerable to what’s known as a timing attack. Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that’s not the case.

The attacks are thought to be so difficult because they require very precise measurements. They crack passwords by measuring the time it takes for a computer to respond to a login request. On some login systems, the computer will check password characters one at a time, and kick back a “login failed” message as soon as it spots a bad character in the password. This means a computer returns a completely bad login attempt a tiny bit faster than a login where the first character in the password is correct.
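The early-exit comparison the researchers describe, shown beside its constant-time replacement, as an added example that is not code from the page or from Lawson and Nelson’s work. It counts byte comparisons instead of measuring wall-clock time, so the data dependence the attack relies on is visible without any network noise; the secret `s3cret`, the helper names and the hash-then-compare fix are my own choices.

```python
"""Early-exit versus constant-time secret comparison (added example)."""
import hashlib
import hmac


def early_exit_equal(candidate, secret):
    """The vulnerable pattern: stop at the first mismatching byte.

    Returns (equal, work), where `work` counts the byte comparisons made.
    Work stands in for elapsed time: it grows with the number of leading
    bytes the guess got right, which is what a remote timing attack measures.
    """
    work = 0
    if len(candidate) != len(secret):
        return False, work
    for a, b in zip(candidate, secret):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equal(candidate, secret):
    """Same answer, but the work never depends on where the mismatch is."""
    if len(candidate) != len(secret):
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(candidate, secret):
        work += 1
        diff |= a ^ b            # accumulate, never branch on the result
    return diff == 0, work


def work_by_correct_prefix(check, secret):
    """Work `check` performs for guesses sharing 0..len(secret) leading bytes."""
    profile = []
    for k in range(len(secret) + 1):
        wrong_tail = bytes(b ^ 0xFF for b in secret[k:])   # guaranteed mismatch
        guess = secret[:k] + wrong_tail
        _, work = check(guess, secret)
        profile.append(work)
    return profile


def leaks_prefix_length(check, secret):
    """True if the work profile varies, i.e. the check leaks how much was right."""
    return len(set(work_by_correct_prefix(check, secret))) > 1


def verify_token(candidate, secret):
    """What a login library should ship: hash both sides to a fixed length,
    then compare with hmac.compare_digest. Hashing first means even the
    length check cannot short-circuit on the secret's length."""
    c = hashlib.sha256(candidate).digest()
    s = hashlib.sha256(secret).digest()
    return hmac.compare_digest(c, s)


if __name__ == "__main__":
    secret = b"s3cret"       # constructed sample secret
    print("early-exit work profile:   ", work_by_correct_prefix(early_exit_equal, secret))
    print("constant-time work profile:", work_by_correct_prefix(constant_time_equal, secret))
    print("verify_token:", verify_token(b"s3cret", secret), verify_token(b"s3cre", secret))
```

The profile for the early-exit check climbs one step per correct leading byte, which is the signal the researchers exploit; the constant-time profile is flat. For stored passwords the comparison should of course run over a slow password hash, not the raw password, but the same rule applies to the final digest compare.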

News Item 3:  http://english.people.com.cn/90001/90776/90882/7065613.html
Hackers are claiming online they can break into computer systems belonging to universities and certification institutes and change the scores of students. An online search in Chinese of “hackers editing scores” results in dozens of pages of hits. The hackers say they can change students’ scores for a price – and charge between a few thousand yuan and more than 10,000 yuan for the illegal service, depending on the majors and universities involved.

A person answering the phone at one such site, who refused to reveal his name, indicated that he had helped several students. The slogan of his website was: “If you did badly in an examination, come to our hacker team.”  When asked whether he could change the score for a failed subject at the University of International Business and Economics, he said it would not be a problem after checking out the university’s homepage.  The man was very cautious and asked for the caller’s “student number” before he would reveal the price.

News Item 4:  http://www.theregister.co.uk/2010/07/13/pakbugs_crackdown/
Five alleged hackers have been arrested by the Pakistani authorities in raids that led to the closure of the Pakbugs hacking and carding forum. The operation, run by the Cyber Crime department of Pakistan’s Federal Investigation Agency (FIA), followed complaints by “national and multinational organisations” over a series of website defacements and hack attacks. Pakbugs is blamed for running amok across thousands of websites belonging to various governmental and non-governmental organisations in Pakistan and elsewhere, local telecoms blog PakSpider reports.

Police seized computer equipment during the arrests of the five suspects. Other suspects remain at large, including Jawaad Ehsan, thought to live in Riyadh, Saudi Arabia. A Pakistani government press statement explains that the suspects are thought to have expertise in a range of cybercrime techniques, including botnet management, phishing and carding.

News Item 5: http://www.newsnet5.com/dpp/lifestyle/relationships/she-said-he-said-is-it-ever-okay-to-snoop-through-your-lover%27s-things%3F-ews-original-knxv-201007131279069583502

Can snooping ever be validated in relationships?

News Item 6:
Be careful what you post online!

Orlando Sentinel: Foes may use your Facebook info against you in divorce, custody fights:

Facebook and other social networks, such as Twitter, Flickr, Photobucket and MySpace, are becoming the latest legal tool in divorce and child-support battles.

Attorneys and private investigators collecting background on a client’s ex-spouse are trolling the websites as a quick and easy way to catch someone doing something they don’t want brought up in court — snapshots of snuggling with a mistress, semi-nude photos with children nearby or drunken party pictures from a bar on a weekend a child is visiting.

Wall Street Journal: Is ‘Friending’ in Your Future? Better Pay Your Taxes First:

Tax deadbeats are finding someone actually reads their MySpace and Facebook postings: the taxman.

State revenue agents have begun nabbing scofflaws by mining information posted on social-networking Web sites, from relocation announcements to professional profiles to financial boasts.

2010
07.19

InfoSec Daily Podcast


Episode 175 for July 19, 2010.  Tonight’s podcast is hosted by Rick Hayes and the intern, Karthik Rangarajan.  In this episode we will discuss Microsoft acknowledgement, Turkish hackers, WTF, Apple & “personal device”.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

Stories of Interest:

News Item 1: http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug
Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives. The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.

In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

News Item 2: http://www.torontosun.com/news/world/2010/07/18/14750191.html

The number of Israelis whose personal information was stolen by Turkish Internet hackers has risen to at least 100,000, Haaretz newspaper reported Sunday. Erez Wolf, an Israeli blogger who operates We-CMS website, reported Friday that tens of thousands of e-mail addresses, passwords and personal details of Israeli web surfers are in the hands of Turkish hackers. In a Turkish hackers online forum, Wolf found a document containing the e-mail addresses and passwords of more than 30,000 Israeli web users.

On Sunday, Haaretz said TheMarker.com website has learned another file circulating on the internet contains the e-mail addresses of an additional 70,000 Israeli web users. Among the websites from which information was stolen for the first Turkish hacker posting was Israel’s Pizza Hut.  Pizza Hut confirmed Saturday that e-mail addresses and passwords of 26,476 customers who ordered pizza from the company’s website in early June had been stolen.

News Item 3: http://www.theregister.co.uk/2010/07/11/school_id_fake_ruse/
A devious mother posed as another parent in an attempt to remove a rival child’s name from a school waiting list. The woman created a fraudulent Gmail account to fool school authorities at the “outstanding” Coleridge primary school in Crouch End, London. Using this fake account and quoting the name and correct date of birth of the child, she wrote to education officials at Haringey council and told them to remove the four year-old girl from the list. Which they did.  The ruse unravelled when the victim’s mother phoned to inquire about the progress of her child’s application.
Police have launched an investigation and the council is to improve admission procedures.

News Item 4: http://www.scmagazineuk.com/one-in-three-employees-would-continue-to-use-a-personal-device-at-work-that-poses-a-security-risk-even-if-told-not-to/article/174377/

One in three employees would continue to use a personal device for work purposes, despite 83 per cent admitting that it could pose a security risk to their company.  Research by Sourcefire and Dynamic Markets found that 69 per cent of UK employees who use a computer at work use their own personal devices for work-related purposes. The most commonly used personal devices were laptops (48 per cent) and home PCs (44 per cent). Smartphones are used by 16 per cent, 32 per cent use their own USB sticks and 17 per cent use their own CD-ROMs.  It also found that 71 per cent of people surveyed move data on and off the corporate network via these devices, and almost all carry out activities that could put company data at risk.

News Item 5: http://www.theregister.co.uk/2010/07/12/secunia_threat_report/
According to Secunia reports, Apple ranks first, ahead of runner-up Oracle, and Microsoft in the number of security bugs found in all their products in 1H 2010. During the first six months of 2010, Secunia logged 380 vulnerabilities within the top-50 most prevalent packages on typical end-user PCs, or 89 per cent of the figure for the entire year of 2009.

Secunia reckons the security threat landscape is shifting from operating system vulnerabilities to bugs in third-party applications: a typical end-user PC with 50 programs installed will face 3.5 times more security bugs in the 24 third-party programs on the system than in the 26 Microsoft programs installed, a ratio Secunia expects to rise to 4.4 in 2010.

Between 2007 and 2009 the number of vulnerabilities affecting a typical client PC almost doubled, from 220 to 420. Secunia reckons that will almost double again to reach 760 for 2010 as a whole.  Secunia’s study can be found here (PDF)

http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” guide with the Documentation and Coding sections.

Documentation

If you can build it and it appears to work then why describe it?
The most successful applications do not waste time with requirements, security or otherwise. Optimize the development by keeping the developers from having to read.

Security is just another option
Assume that your sysadmins will RTFM and change the default settings you specified in a footnote on page 124.

Don’t document how security works
There is no point in writing down all the details of a security design. If someone wants to figure out if it works, they should check the code. After all, the code may change and then the documentation would be useless.

Freedom to innovate
Standards are really just guidelines for you to add your own custom extensions.

Print is dead
You already know everything about security, what else is there to learn? Books are for lamers, mailing lists and blogs are for media whores and FUD-tossing blowhards.

Coding

Most APIs are safe
Don’t waste time poring over documentation for API functions. It’s generally pretty safe to assume that APIs do proper validation, exception handling, logging, and thread safety.

Don’t use security patterns
Make sure there’s no standard way of implementing validation, logging, error handling, etc… on your project. It’s best when developers are left free to express themselves and channel their inner muse in their code. Avoid establishing any security coding guidelines, that’ll just inhibit creativity.
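The two items above, read straight, describe the practice worth having: validate inputs explicitly instead of assuming the API does it, and route every check through one shared validation, error-handling and logging pattern. The block below is an added example written for these notes, not code from the OWASP page: a small validator registry, a single exception type that callers handle, and a single log path for rejections. The schema, field names (`user`, `port`, `dest`) and sample requests are constructed for illustration.

```python
"""Centralized input validation and error handling (added example).

Instead of assuming the framework validates, every field is checked by a
registered validator; every failure raises the same ValidationError and is
logged in one place.  Schema and sample requests below are constructed.
"""
import logging
import re
from typing import Any, Callable, Dict

log = logging.getLogger("validation")
logging.basicConfig(level=logging.WARNING)


class ValidationError(ValueError):
    """The single exception type callers have to handle."""

    def __init__(self, field: str, reason: str) -> None:
        super().__init__(f"{field}: {reason}")
        self.field = field
        self.reason = reason


# Registry of reusable validators: each returns the cleaned value or raises.
Validator = Callable[[str, Any], Any]
VALIDATORS: Dict[str, Validator] = {}


def validator(name: str) -> Callable[[Validator], Validator]:
    def register(fn: Validator) -> Validator:
        VALIDATORS[name] = fn
        return fn
    return register


@validator("username")
def _username(field: str, value: Any) -> str:
    if not isinstance(value, str) or not re.fullmatch(r"[a-z0-9_]{3,32}", value):
        raise ValidationError(field, "must be 3-32 chars of [a-z0-9_]")
    return value


@validator("port")
def _port(field: str, value: Any) -> int:
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValidationError(field, "must be an integer in 1..65535")
    return value


@validator("path")
def _path(field: str, value: Any) -> str:
    # Reject absolute paths and any '..' component; allow simple relative names.
    if not isinstance(value, str) or value.startswith("/") or ".." in value.split("/"):
        raise ValidationError(field, "must be a relative path without '..'")
    return value


def validate(schema: Dict[str, str], data: Dict[str, Any]) -> Dict[str, Any]:
    """Validate every field in `schema` against `data`.

    Unknown fields are rejected, missing fields are rejected, and every
    rejection is logged in one place with the field name only (the raw
    value may be attacker-controlled or sensitive, so it is never logged).
    """
    unknown = set(data) - set(schema)
    if unknown:
        name = sorted(unknown)[0]
        log.warning("rejected request: unexpected field %r", name)
        raise ValidationError(name, "unexpected field")
    cleaned: Dict[str, Any] = {}
    for field, kind in schema.items():
        if field not in data:
            log.warning("rejected request: missing field %r", field)
            raise ValidationError(field, "missing")
        try:
            cleaned[field] = VALIDATORS[kind](field, data[field])
        except ValidationError as exc:
            log.warning("rejected request: %s", exc)
            raise
    return cleaned


# Constructed schema for a hypothetical upload endpoint (not from the OWASP page).
UPLOAD_SCHEMA = {"user": "username", "port": "port", "dest": "path"}


def check_request(data: Dict[str, Any]) -> str:
    """Return 'ok' or a short rejection reason; callers never see a raw traceback."""
    try:
        validate(UPLOAD_SCHEMA, data)
        return "ok"
    except ValidationError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    print(check_request({"user": "alice", "port": 8443, "dest": "reports/q3.csv"}))
    print(check_request({"user": "alice", "port": 8443, "dest": "../etc/passwd"}))
    print(check_request({"user": "Alice!", "port": 8443, "dest": "a.txt"}))
```

The point of the registry is that adding a new field means registering one validator, not teaching each developer to hand-roll a check; the point of the single exception type is that the endpoint layer has exactly one place to turn a failure into a 4xx response and a log line.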

Make sure the build process has lots of steps
You want to maximize the number of steps in the build process that have to occur in the right order to make a successful build. It’s best if only one person knows how to actually set up all the config files and build the distribution. If you do have steps written down, you should have lots of notes distributed across a bunch of files and how-tos in lots of locations.