2010.07.09

Episode 169 – “Robin”, Ferma & Google Search Hackers

InfoSec Daily Podcast

 
ISDPodcast Episode 169 for July 9, 2010.  In this episode we will discuss Robin”, Ferma & Google Search Hackers.  This podcast was hosted by Rick Hayes and the intern, Karthik Rangarajan.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

Ohio Information Security Forum:
July 10th, 2010 from 8:30AM-5:30PM at SCC Research Park, Auditorium (http://www.ohioinfosec.org/anniversary.htm)

The Louisville Metro InfoSec Conference:
Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price! After July 16th the ticket price will go back to normal.

Friends of the Podcast:

Webhosting services: WebSpeedway

Update:
The story continues…

Ian let us know that he couldn’t help it and dug in just a bit deeper:
1. No plagiarism. No nothing. All he got is a few shellscripts “compiled” to exe. It doesn’t even have karma. Just stealing your passwords.
2. The guy is so lame, he didn’t even pay for his FTP account so it got suspended…

What a moron. Ian has provided some additional details on his blog post: http://www.iamit.org/blog/2010/07/how-not-to-scam-security-people/

Stories of Interest:

News Item 1: http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225702468

Seasoned red team hacker Chris Nickerson initially accepted Robin Sage’s LinkedIn invitation because several of his colleagues had, but after making a few inquiries he realized something was fishy about “Robin,” a twenty-something woman who purportedly worked for the Naval Network Warfare Command. “Within an hour, I started asking around, ‘Hey did you get a friend request from Robin Sage?’ … and [friends] were saying, ‘I thought you knew her.’ I knew something weird was going on,” Nickerson says.

So Nickerson started hammering away at Robin on Twitter, and quickly figured out it was a fellow red team hacker behind the phony persona. But not everyone caught on as quickly to the phony profile as Nickerson: Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

“You could see them talking about where they were going and where they were in Afghanistan and Iraq … some were uploading pictures with geolocation information, and we were able to see them,” says Thomas Ryan, the mastermind behind the social network experiment and co-founder and managing partner of cyber operations and threat intelligence for Provide Security, who will present the findings later this month at Black Hat USA in his “Getting In Bed With Robin Sage” talk.
Robin Sage gained a total of about 300 friends on LinkedIn, counting those who came and went, he says. All three of the phony woman’s social networking accounts remain active — the LinkedIn profile currently has 148 connections, the Facebook profile has 110, and the Twitter account has 141 followers. Ryan officially ran the experiment for 28 days starting in late December and ending in January of this year.

Among Robin’s social networking accomplishments: She scored connections with people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines, a chief of staff for the U.S. House of Representatives, and several Pentagon and DoD employees. The profiles also attracted defense contractors, such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

Lockheed and other firms made job offers to Robin, some inviting her to dinner to discuss employment prospects. “I was surprised at how people in her same command friended her — people actually in the same command and the same building,” Ryan says.

Among the security experts who Ryan says initially accepted Robin’s invitations were Lares Consulting’s Nickerson, Jeremiah Grossman, CTO and co-founder at WhiteHat Security, and Marc Maiffret, who says he figured it out pretty quickly because Ryan used graphics in the profiles that he also uses for his paintball group. Ironically, the once-infamous social engineer Kevin Mitnick is listed as one of “her” connections on LinkedIn as well.

News Item 2: http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975
Demolition firm Ferma nearly failed because its employees lacked a proper security policy.  In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee’s system. With control of the machine, which was used for much of the firm’s accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma’s accounts, distributing the money to accounts worldwide.

“They were able to ascertain how much they could draw, so they drew the limit,” said Ferma president Roy Ferrari in an interview at the time.

Ferma did not go out of business, but many small companies have as a result of a hack. The consequences of an attack should make small and midsize businesses (SMBs) sit up and notice, says Bernard Laroche, senior director of SMB product marketing for security giant Symantec.

“If a small business gets their data stolen, whether customer credit cards or their patient records, then they might … have to close, where a large enterprise could move on,” he says.

News Item 3: http://gulfnews.com/business/technology/big-security-lapses-make-mideast-firms-easy-prey-1.648615
It takes nothing more than a simple Google search and the use of an appropriate keyword string to get access to the web server of some of the largest companies in the Middle East, a recent trial of German web hacking experts has shown.

They said they were able to access web servers of the world’s largest oil exploration company, Saudi Aramco, of the Pearl Qatar development and several other regional company networks.

According to a member of the German hacker community, who informed Gulf News but understandably does not want to have his name published, Aramco’s “poorly secured” web server is “like an open book” for those who conduct a specially crafted search query to reach file directories. The web specialists were able to access and download confidential documents such as technical drawings, detailed information on oil rigs and even blueprints of the infrastructure, fire protection system and communication network of the world’s largest oil field, Al Ghawar. Some of the downloaded documents can be viewed on the hackers’ website.