2010
07.23

InfoSec Daily Podcast

 
ISDPodcast Episode 179 for July 23, 2010.  Tonight’s podcast is hosted by Rick Hayes and Matthew Shoemaker.  In this episode we will discuss Microsoft Research, Apple, BurstNET & GSM.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Stories of Interest:

News Item 1: http://www.technologyreview.com/computing/25826/
Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers. Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords. Increasingly complex password requirements–rules like “passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols”–make it difficult for attackers to guess passwords using a so-called “dictionary attack,” which involves trying many possible passwords in succession.

Without such restrictions, people tend to pick passwords that are easy to remember, easy to type–and easy to guess. For example, when 32 million passwords from the social media website RockYou were inadvertently released last December, nearly half were found to be “trivial passwords” such as consecutive digits, dictionary words, or common names, according to an analysis last January by the Web security firm Imperva.
The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks (not true) and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users–websites like Microsoft’s Hotmail, for instance.

The approach is described in a paper written by Microsoft researchers Stuart Schechter and Cormac Herley, due to be published at the Hot Topics in Security conference in Washington, DC, in August. Michael Mitzenmacher at Harvard University is also a coauthor of the paper. “Replacing password creation rules with popularity limitations has the potential to increase both security and usability,” the authors write. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”
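To make the popularity-limit idea concrete, here is an added example (not code from the article or from the Microsoft Research paper) that registers users under such a limit and then measures what an online guesser gets by trying the most common passwords. It assumes a constructed 100-user population, that a user whose first choice is refused falls back to a unique password, and that the guesser already knows the population's password distribution.

```python
import hashlib
from collections import Counter


class PopularityLimiter:
    """Refuse a password once `limit` users already hold it.
    Counts are keyed by a keyed hash so the popularity store never
    holds cleartext passwords (hash and salt choice are assumptions)."""

    def __init__(self, limit, salt=b"constructed-demo-salt"):
        self.limit = limit
        self.salt = salt
        self.counts = Counter()

    def _key(self, password):
        return hashlib.sha256(self.salt + password.encode()).hexdigest()

    def register(self, password):
        k = self._key(password)
        if self.counts[k] >= self.limit:
            return False  # too popular: refuse without counting it
        self.counts[k] += 1
        return True


def enrol(first_choices, limit):
    """Each user tries their preferred password; if refused, they pick a
    unique fallback (assumption). Returns the passwords actually set."""
    limiter = PopularityLimiter(limit)
    chosen = []
    for i, pw in enumerate(first_choices):
        if not limiter.register(pw):
            pw = f"fallback-{i}"
            limiter.register(pw)
        chosen.append(pw)
    return chosen


def guessing_fraction(chosen, guesses):
    """Fraction of accounts cracked by trying the `guesses` most common
    passwords once against every account (the online-guessing threat)."""
    top = Counter(chosen).most_common(guesses)
    return sum(n for _, n in top) / len(chosen)


# Constructed population: a few very popular choices plus unique ones.
POPULATION = (["123456"] * 30 + ["password"] * 20 + ["qwerty"] * 10
              + [f"unique-{i}" for i in range(40)])
```

With no limit one guess per account yields 30% of accounts; with a limit of 3, no single guess can exceed 3%, and k guesses at most 3k/100, which is the bound the authors rely on.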

News Item 2: http://www.itworld.com/security/114478/apple-lays-out-location-collection-policies
Apple responded to questions from U.S. lawmakers about what kind of location data it collects from some users every 12 hours.  In a 13-page reply to questions posed by Representative Ed Markey from Massachusetts and Congressman Joe Barton from Texas, Apple said it collects GPS data daily from iPhones running OS 3.2 or iOS 4. The phones collect the GPS data and encrypt it before sending it back to Apple every 12 hours via Wi-Fi. Attached to the GPS data is a random identification number generated by the phone every 24 hours. The information is not associated with a particular customer, Apple said.

Apple uses the data to analyze traffic patterns and density, it said. Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS.

News Item 3: http://www.computerworld.com/s/article/9179564/Virus_writers_are_picking_up_new_Microsoft_attack
The Windows attack used by a recently discovered worm is being picked up by other virus writers and will soon become much more widespread, according to security vendor Eset.

Eset reported Thursday that two new families of malicious software have popped up, both of which exploit a vulnerability in the way Windows processes .lnk files, used to provide shortcuts to other files on the system.  Siemens issued a Security Update for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread.

News Item 4:  http://www.cio.com/article/600081/Bomb_Making_Tips_Tied_to_Blog_Shut_Down

Execs at BurstNET, the host for the blog platform Blogetery, released a statement this week to put the rumors to rest.  “On the evening of July 9, 2010, BurstNET received a notice of a critical nature from law enforcement officials, and was asked to provide information regarding ownership of the server hosting Blogetry.com,” the statement says.  “It was revealed that a link to terrorist material, including bomb-making instructions and an al-Qaeda ‘hit list’, had been posted to the site.”

“Upon review, BurstNET determined that the posted material, in addition to potentially inciting dangerous activities, specifically violated the BurstNET Acceptable Use Policy,” the statement continues.

“This policy strictly prohibits the posting of ‘terrorist propaganda, racist material, or bomb/weapon instructions.’ Due to this violation and the fact that the site had a history of previous abuse, BurstNET elected to immediately disable the system,” it says.