2010
07.13

InfoSec Daily Podcast

ISDPodcast Episode 171 for July 13, 2010.  In this episode we will discuss Fanboys, Cybercom, Fake AV, iTunes & OWASP tips.  This podcast was hosted by Rick Hayes and the intern, Karthik Rangarajan.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

The Louisville Metro InfoSec Conference
Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price!  After July 16th the ticket price goes back to normal.

Stories of Interest:
News Item 1: http://www.microsoft.com/technet/security/current.aspx
Microsoft’s monthly Patch Tuesday security update consists of four bulletins: two aimed at Windows operating systems and two at Microsoft Office. Both Windows bulletins carry a critical rating and both address previously disclosed vulnerabilities.   The first (MS10-042) is for Windows XP and Server 2003 and fixes the Windows Help and Support Center vulnerability published by Google security researcher Tavis Ormandy in June. As an FYI, the zero-day he disclosed was fixed in 33 days.  The second Windows bulletin (MS10-043) fixes a problem in the Aero display driver component for Windows 7 and Windows Server 2008 R2, which was disclosed publicly in May. The two remaining bulletins are for Microsoft Office: MS10-044 is ranked critical and MS10-045 is ranked important.

MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution (http://www.microsoft.com/MS10-042.mspx)
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-043: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (http://www.microsoft.com/MS10-043.mspx)
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-044 : Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (http://www.microsoft.com/MS10-044.mspx)
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-045 : Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (http://www.microsoft.com/MS10-045.mspx)
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

News Item 2a: http://www.computerworld.com/s/article/9179004/Researcher_cracks_secret_code_in_U.S._Cyber_Command_logo

A security researcher said last week that he was the first to crack the code embedded in the seal of the U.S. Cyber Command (Cybercom), the group responsible for protecting the country’s military networks from attack.

Sean-Paul Correll, a threat researcher with antivirus vendor Panda Security, said that the characters visible in a gold ring on Cybercom’s official seal represent the MD5 hash of the group’s mission statement. MD5 is a 128-bit cryptographic hash most often used to verify file integrity.

“I knew right away it was an MD5 hash, and I was fairly confident that it wasn’t a specific file,” said Correll, adding that security professionals will often use an MD5 hash as reminders, or to verify that a file’s contents after downloading match the original edition.

Correll said he figured out the mystery shortly after 10 a.m. PT Wednesday, within an hour of Wired.com publishing its story.

At least one other code-breaker came up with the same solution. Buried in the nearly 500 comments added to the Wired.com story was the solution, posted Wednesday at 12:46 p.m. PT by someone identified only as “jemelehill”.

News Item 2b: http://www.wired.com/dangerroom/2010/07/code-cracked-cyber-command-logos-mystery-solved/

In a follow-up story, Wired.com credited jemelehill with first decoding the message.

News Item 3: http://www.securelist.com/en/blog/249/Technical_Support_theyre_not_always_the_good_guys

Securelist has an interesting article on the new wave of fake AV products that actually have a “Technical Support” button.  You might expect this to be some bot-driven response, but you would be wrong: there is actually a person who answers your questions.  They also offer technical support by phone and e-mail. The e-mail option is especially useful if you don’t speak English: the live chat tells you (in English) to send an e-mail in your native language to a given address to receive support in that language.

News Item 4a: http://www.inc.com/tech-blog/apple-app-store-hacked.html

Two app developers noticed their apps in the Books category started dropping in the popularity rankings – dramatically. It quickly became obvious that a “farm” of rogue apps was getting some sort of artificial boost. But that isn’t the worst of it.

Apparently, these rogue app developers have been hacking into iTunes accounts and buying their way to the top of the charts. If customer comments are to be believed, complaints range from penny-ante amounts charged to their iTunes accounts all the way up to more than $600 in charges for these bogus apps.
Meanwhile, boo to Apple. So far, all they’ve done is advise affected customers to change their iTunes passwords (duh!). They have taken the “app farm” down from the Books category, but according to TNW Apple there are plenty of others. This episode has apparently shed light on a whole new category of Internet scam.

News Item 4b:  http://www.techspot.com/news/39552-apple-confirms-400-itunes-accounts-hacked.html
Apple has confirmed that around 400 iTunes users had their accounts compromised over the weekend in an elaborate scheme to manipulate the App Store rankings. The company said in an emailed statement that Thaut Nguyen and his apps have been “removed from the App Store for violating the developer Program License Agreement.” The Vietnamese developer allegedly used other people’s accounts to purchase his own apps, at one point occupying 42 of the top 50 book apps sold.

News item 5: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” with Access Control
Authentication

Build your own authentication scheme
Authentication is simple, so just use your common sense and implement. Don’t worry about esoteric stuff you hear about like session prediction, hashing credentials, brute force attacks, and so on. Only NSA eggheads could possibly ever figure that stuff out. And if users want to choose weak passwords, that’s their own fault.

Sessions are inherently secure
Sessions timeout after 20 minutes, so don’t worry about them. You can put the SESSIONID in the URL, log files, or wherever else you feel like. What could an attacker do with a SESSIONID anyway? It’s just a bunch of random letters and numbers.

Single Sign-On is easy
If you need to submit a username and password (or other secret knocks) from one site to another, pack it up in an encrypted blob. This way if anyone finds the blob, they’ll have a heck of a time decrypting it, which is what they’ll need to do to be able to encrypt it again and create the blob themselves.
A one-way hash cannot be decrypted. Therefore, this is a way to take the latter approach and make it unbreakable.
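The joke in the SSO item is that the receiving site never needs to "decrypt" anything: a blob built from a hash of the credentials is identical on every login, so whoever sees it once (in a URL, a log file, a proxy, the places the "Sessions" item waves off) can present it forever. The following is an added illustration, not code from the OWASP page or from the podcast: it contrasts that static credential-hash "token" with a signed, expiring, single-use token whose verifier rejects tampering, expiry and replay. All names, the shared secret and the sample credentials are constructed for the example.

```python
"""Credential-hash 'SSO token' versus a signed, expiring, single-use token.

Added example; nothing here is from the OWASP page or the podcast.
Secret, usernames and passwords are constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set

# --- The pattern the OWASP satire describes ---------------------------------

def insecure_sso_token(username: str, password: str) -> str:
    """Hash the credentials and ship the digest as the 'token'.

    The digest cannot be reversed, but it does not have to be: it is the same
    for every login and carries no expiry, so one observation is enough to
    present it indefinitely.
    """
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


# --- A signed, expiring, single-use token ------------------------------------

def issue_token(secret: bytes, username: str, now: int, ttl: int = 300) -> str:
    """Return 'username|expiry|nonce|mac' with mac = HMAC-SHA256(secret, payload).

    The nonce is fresh per token, which is what lets the receiver detect replay.
    """
    expiry = now + ttl
    nonce = secrets.token_hex(16)
    payload = f"{username}|{expiry}|{nonce}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


class TokenVerifier:
    """Receiving side: checks signature, then expiry, then replay."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Constructed in-memory replay cache; a real deployment would use a
        # shared store whose entries live at least as long as the token TTL.
        self._seen_nonces: Set[str] = set()

    def verify(self, token: str, now: int) -> Optional[str]:
        """Return the username if the token is valid, otherwise None."""
        try:
            username, expiry_s, nonce, mac = token.split("|")
            expiry = int(expiry_s)
        except ValueError:
            return None                                  # malformed token
        payload = f"{username}|{expiry_s}|{nonce}"
        expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                                  # forged or tampered
        if now >= expiry:
            return None                                  # expired
        if nonce in self._seen_nonces:
            return None                                  # replayed
        self._seen_nonces.add(nonce)
        return username


def demo() -> dict:
    """Run both schemes against the same 'captured token' scenario."""
    secret = b"constructed-shared-secret-for-the-example"
    t0 = 1_000_000

    # Static hash: two logins, identical token, so a capture is reusable.
    first = insecure_sso_token("alice", "correct horse")
    second = insecure_sso_token("alice", "correct horse")

    # Signed token: accepted once, then refused on replay, tamper or expiry.
    verifier = TokenVerifier(secret)
    token = issue_token(secret, "alice", now=t0, ttl=300)
    return {
        "static_token_repeats": first == second,
        "signed_first_use": verifier.verify(token, now=t0 + 10),
        "signed_replay": verifier.verify(token, now=t0 + 20),
        "signed_tampered": verifier.verify(token.replace("alice", "admin", 1), now=t0 + 10),
        "signed_expired": verifier.verify(issue_token(secret, "bob", now=t0, ttl=60), now=t0 + 61),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier checks the MAC before anything else, so expiry and nonce fields are only trusted once their integrity is established, and `hmac.compare_digest` keeps the comparison constant-time. Whether the token goes in a header or a URL still matters for logging, which is exactly the point the "Sessions" item dismisses.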

News Item 6: http://reviews.cnet.com/8301-18438_7-20010417-82.html?part=rss&subj=news&tag=2547-1_3-0-20

CNET has an interesting article on who is the most annoying fanboy, iPhone or Android users.  What I liked about the article was the posting of stereotypes that one could form:

Android smartphone owner (as viewed by an iPhone fanboy):

  • Resembles Dr. Sheldon Cooper from Big Bang Theory
  • Installed Linux on the PS3
  • Fashionably nerdy
  • Becomes aroused when seeing a DOS command or LINUX shell
  • Views the phone as a purely utilitarian device
  • Chooses his phone based on carrier

iPhone owner (as viewed by an Android fanboy):

  • Resembles Ross from Friends
  • Superficial, insecure douchebag with metrosexual tendencies
  • Drives a BMW or Prius
  • Enters a hypnotic state when seeing the Great Steve
  • Favorite phrase: “You still there? Hello?”
  • Doesn’t actually know how to work a real phone