Your daily source of Pwnage, Policy and Politics.

Episode 172 – Account takeover, Skype, Rewards & Source Code


ISDPodcast Episode 172 for July 14, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and the intern, Karthik Rangarajan.  In this episode we will discuss Account takeover, Skype, Rewards & Source Code.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running from Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

The Louisville Metro InfoSec Conference
Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price!  After July 16th the ticket price will go back to normal.

Stories of Interest:
News Item 1:  http://www.thestarpress.com/article/20100712/BUSINESS/7120340/Microsoft+to+stop+some+updates
Microsoft has stopped issuing security fixes for computers running the Windows XP operating system updated with Service Pack 2.  The switch-off will result in hundreds of millions of PCs worldwide, including tens of millions in the U.S., instantly becoming riper targets for hackers.

XP SP2 desktops and laptops are still widely used in corporate networks. A service pack is a collection of feature upgrades and security fixes delivered in a single download.

Tech services firm Softchoice recently surveyed 117 financial, health care, manufacturing and educational organizations in the U.S. and Canada. It found eight of 10 organizations continue to use XP SP2 computers widely.

Now security experts worry that companies won’t pay much attention to Microsoft dropping all tech support for SP2. “It’s a virtual guarantee laggards will miss this deadline,” says Dean Williams, services development manager at Softchoice. XP SP2 computers will “become fair game,” he says. “There will just simply be more ways to hack in.”

News Item 2:  http://www.bankinfosecurity.com/articles.php?art_id=2728
This year’s disturbing trend of corporate account takeover incidents continues unabated – and with a new wrinkle.  Michele Marisco, owner of Village View Escrow Inc., Redondo Beach, CA, says her company fell prey to fraud after hackers were able to break into the company’s network, steal bank credentials and send 26 consecutive wire transfers out of the country, totaling $465,000.

Dual controls were not in use at the business, and an email verification service offered by Professional Business Bank, Pasadena, CA, was successfully disabled by the criminals.  This scheme, which occurred in March, is currently under investigation, and no litigation has yet been filed. But security experts familiar with the Village View Escrow case say there are lessons to be learned by other institutions and businesses to avoid corporate account takeover via ACH and wire fraud.

News Item 3:  http://www.theregister.co.uk/2010/07/09/skype_crypto/
Cryptanalysts have published what they claim is the secret recipe behind a Skype encryption algorithm.  A group of code breakers led by Sean O’Neil reckon they have successfully reverse engineered Skype’s implementation of the RC4 cipher, one of several encryption technologies used by the consumer-oriented VoIP service. The proprietary encryption technology is used by the VoIP service to protect communications exchanged between its clients and servers. It also restricts which clients can access the service, a restriction Skype had plans to ease with the upcoming publication of an API.

Even if independent research proves that the proprietary RC4 algorithm has been exposed, it doesn’t follow that Skype is open to eavesdroppers, not least because the service uses a variety of encryption techniques.

O’Neil justified the publication of an open source emulation of the algorithm by arguing that Skype’s technology is already under exploitation by instant message spammers, so his work only levels the playing field for security researchers. He criticised Skype for practising “security by obscurity” in keeping its algorithm secret for so long. O’Neil reportedly plans to explain his research in greater depth at a presentation before the Chaos Communication Congress (27C3) in Berlin in December.

News Item 4: http://www.denbighshirevisitor.com/news/denbighshire-news/2010/07/07/10-years-of-work-down-the-drain-after-laptop-stolen-from-firm-105722-26797145/
A REWARD is being offered for the safe return of a stolen laptop containing 10 years of a company’s work.  Thieves broke into DB Liquid Ltd in Ruthin and made off with two laptops.  One contained specialised software in which the firm had invested over $381,300.

Company director Geoffrey Williams said the programs would be no use to anyone else, but their loss means systems of work spanning 10 years could be gone for the database-building firm. He said a reward would be paid if the Dell Inspiron 1300 laptop could be returned. “We’d developed a lot of our system software on the laptop which was backed up on a flash drive,” he said.  “But unfortunately that was stolen too which means 10 years of work has gone down the drain”.

News Item 5: http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/
Microsoft has signed a deal to open its Windows 7 source code up to the Russian intelligence services. Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, with hopes of improving Microsoft sales to the Russian state.

The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products through the Science-Technical Centre ‘Atlas’, a government body controlled by the Ministry of Communications and Press, according to Vedomosti.

Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to share conclusions about Microsoft products.  The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.

News Item 6: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” with the Authorization section.

Forget about it
See Authentication. Only ivory tower knuckleheads think there’s a difference between authentication and authorization.

Just let your authorization scheme evolve
It’s really hard to figure out all the access control rules for your application, so use a just in time development methodology. This way you can just code up new rules when you figure them out. If you end up with hundreds or thousands of lines of authorization code scattered throughout your application, you’re on the right track.

Privilege makes code just work
Using the highest privilege levels makes your product easier to install and run.

Optimize the developer… always
Each developer, independent of one another, must decide where authorization decisions are made and enforced.

Trust the client
RIA clients and fat clients that use remote services can make decisions about what the end-user can or can’t see.

Volunteer to authorize access to other systems
When a service you are calling, for example, has inappropriate access controls, just be nice and live with it. After all, it will be your fault when a direct object reference permits any user of your system to see any data on their service. Should that happen, it will be a chance for you to show your dedication when you’re up at 3 AM on a Saturday morning sorting out a breach.
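As an added example (not code from the OWASP page or from this episode), here is a small Python module that does the opposite of three of the anti-patterns above: instead of authorization rules scattered through every handler, there is one policy function; instead of trusting a client-asserted role, identity and roles come from the server-side session; and every direct object reference is resolved and checked against the policy before a handler runs. The insecure handler is kept beside it for contrast. The user store, the escrow-style records, and all handler names are constructed assumptions for illustration.

```python
"""Centralized, server-side authorization versus the OWASP anti-patterns.

Constructed example: users, records and handler names are assumptions,
not anything from the OWASP page.
"""
from dataclasses import dataclass, field
from functools import wraps


# --- constructed sample data: a tiny escrow-style record store --------------
@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # server-side truth, never client-supplied


@dataclass
class Record:
    record_id: int
    owner: str
    body: str


RECORDS = {
    101: Record(101, "alice", "wire instructions for deal 101"),
    102: Record(102, "bob", "wire instructions for deal 102"),
}
USERS = {
    "alice": User("alice", {"customer"}),
    "bob": User("bob", {"customer"}),
    "carol": User("carol", {"customer", "auditor"}),
}


class Forbidden(Exception):
    """Raised when the policy denies an action."""


# --- ONE policy function: every rule lives here, not in each handler --------
def can(user: User, action: str, record: Record) -> bool:
    """Single source of authorization truth (the fix for 'let your scheme evolve')."""
    if action == "read":
        return record.owner == user.name or "auditor" in user.roles
    if action == "update":
        return record.owner == user.name  # auditors may read but never modify
    return False  # default deny for any action the policy does not know


# --- enforcement is identical for every handler: a decorator ----------------
def authorize(action: str):
    """Resolve the record by id, then consult the policy *before* the handler
    runs, so a handler only ever sees records the caller may touch."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, record_id: int, *args, **kwargs):
            record = RECORDS.get(record_id)
            if record is None:
                raise KeyError(record_id)
            if not can(user, action, record):
                raise Forbidden(f"{user.name} may not {action} record {record_id}")
            return fn(user, record, *args, **kwargs)
        return wrapper
    return decorator


# --- the 'trust the client' / direct-object-reference anti-pattern ----------
def insecure_read(client_claims: dict, record_id: int) -> str:
    """Insecure: honours a client-asserted role and never checks ownership,
    so any caller sees any record simply by supplying its id."""
    if client_claims.get("role") == "banned":
        raise Forbidden("banned")
    return RECORDS[record_id].body


# --- hardened handlers: authorization enforced once, server-side ------------
@authorize("read")
def read_record(user: User, record: Record) -> str:
    return record.body


@authorize("update")
def update_record(user: User, record: Record, new_body: str) -> str:
    record.body = new_body
    return record.body


def current_user(session_name: str) -> User:
    """Identity comes from the server-side session, not from the request."""
    return USERS[session_name]


if __name__ == "__main__":
    # Insecure path: alice reads bob's record just by naming its id.
    print(insecure_read({"role": "customer"}, 102))
    # Hardened path: the same request is refused by the central policy.
    try:
        read_record(current_user("alice"), 102)
    except Forbidden as exc:
        print("denied:", exc)
    print(read_record(current_user("carol"), 102))  # auditor may read
```

The point of the decorator is that a new handler cannot forget the check: it receives a `Record` only after `can()` has approved the action, and adding a rule means editing `can()` rather than hunting through every handler.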