Podcast audio: http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 181.mp3
ISDPodcast Episode 181 for July 27, 2010. Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker, Adrian Crenshaw and Karthik Rangarajan. In this episode we will discuss Badsites, DMCA, China & FBI Hybrid.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership. Use the Discount Code: isdpod15 for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.
Stories of Interest:
News Item 1: Credit Card Information on http://www.erenterplan.com
I was enrolling for renter’s insurance today when I came across an interesting “feature” that was “helping” me fill out the form for payment. We’re all aware of auto complete, and possibly use it in a lot of cases to make our lives easier. But what if auto complete filled out our credit card information and CVV number as well? This is exactly what was happening on this website when I was trying to make a payment: I had already accessed it once and made a payment, and when I went in the second time, my credit card number was available in a drop-down through auto complete. Now granted, if I disabled auto complete, it wouldn’t be a vulnerability, but what about people who don’t know how to do it? There are a lot of people who use public computers to pay online thinking it’s perfectly safe as long as there’s a lock in the browser and there are privacy notifications all over the place. Not disabling the feature would essentially leave the website with the risk of giving away customers’ credit card information.
On emailing the concerned people, they immediately replied with the following:
The issue you’re experiencing relating to stored credit card information is a result of your “Cookie” settings or other web browser configuration. If you’re using Internet Explorer, you may potentially resolve the issue as follows:
1. Under “Tools”, select “Internet Options”
2. In “Internet Options”, select the “Content” tab
3. Under the “Content” tab, “Auto Complete”, select “Settings”
From the “Settings” menu, you should see a dialogue box similar to that attached. Your credit card information is being stored only on your local machine due to having the “Forms” box selected or as a result of your Cookies settings. For more information relating to Cookie settings on your local machine, please refer to the “Help” portion of the browser toolbar to learn more information about these functions.
Finally, you may read more about our Cookies policy by visiting our Privacy Statement, which may be found here: http://www.erenterplan.com/privacy.aspx
Thank you.
Ryan P. Grogan, CIPP
Compliance Manager, Legal
RealPage, Inc.
It is not a cookie issue, but it is an auto complete issue. As I said, disabling it is an option on my computer, or if people are aware, on public computers. What about my uncle in India who is not so tech savvy, who goes to a public computer to do these things? A little Googling gave a possible solution:
<form method="post" autocomplete="off" action="http://www.mysite.com/form.cgi">
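As an added example (not code from the podcast or from the site discussed), the following Node script audits an HTML page for payment fields that a browser's form autofill could still store, i.e. card-number or CVV inputs where neither the input nor its enclosing form carries autocomplete="off". The field-name patterns and the sample HTML are constructed for illustration.

```javascript
// Added example: audit HTML for payment inputs that browser autofill may capture.
// Not code from the podcast or the site it discusses; field-name patterns and
// the sample document below are constructed for illustration.

const PAYMENT_FIELD = /(card_?num|ccnum|cc_?num|cvv|cvc|csc|security_?code)/i;

// Read one attribute from a tag's raw attribute text ("quoted", 'quoted' or bare).
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = attrs.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// True when the attribute text carries autocomplete="off" (case-insensitive).
function autocompleteOff(attrs) {
  const v = attr(attrs, "autocomplete");
  return v !== null && v.trim().toLowerCase() === "off";
}

// Returns [{form, field}] for every visible payment input that autofill may store:
// hidden inputs are skipped, and an input is safe if it or its <form> is autocomplete="off".
function findAutofillablePaymentFields(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form, formIndex = 0;
  while ((form = formRe.exec(html)) !== null) {
    const formOff = autocompleteOff(form[1]);
    const inputRe = /<input\b([^>]*)>/gi;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      const attrs = input[1];
      const name = attr(attrs, "name") || attr(attrs, "id") || "";
      const type = (attr(attrs, "type") || "text").toLowerCase();
      if (type === "hidden" || !PAYMENT_FIELD.test(name)) continue;
      if (!formOff && !autocompleteOff(attrs)) findings.push({ form: formIndex, field: name });
    }
    formIndex++;
  }
  return findings;
}

// Constructed sample: the first form leaks card fields to autofill, the second is fixed.
const SAMPLE_HTML = `
<form method="post" action="/pay">
  <input type="text" name="cardholder">
  <input type="text" name="cardNumber">
  <input type="text" name="cvv">
  <input type="hidden" name="csrf_token">
</form>
<form method="post" action="/pay" autocomplete="off">
  <input type="text" name="ccnum">
  <input type="text" name="cvc">
</form>`;

console.log(findAutofillablePaymentFields(SAMPLE_HTML));
```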
News Item 2a: http://www.courthousenews.com/2010/07/23/29099.htm
A New Orleans judge ruled that it is not a violation of the DMCA to break access control unless it is for the purpose of copyright infringement. So breaking DRM on a DVD I own so I can play it on Linux would no longer be a DMCA violation.
In its lawsuit against GE and PMI, MGE claimed a group of PMI employees had at least one copy of software obtained from a hacked machine. It said GE used the software 428 times between June 2000 and May 2002, even after a judge barred GE from using MGE’s software and trade secrets.
News Item 2b: http://www.engadget.com/2010/07/26/library-of-congress-adds-dmca-exception-for-jailbreaking-or-root/
On the surface it looks like the Library of Congress has added new anti-circumvention exceptions to the DMCA that, among other things, allow people to tweak their handsets for the purpose of installing legally obtained software — known as jailbreaking in iOS land, and rooting in the Android / webOS world. Check out the full statement from the Librarian of Congress, which is mostly an update of existing exceptions on record, after the break, but here’s the primary excerpt:
Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.
The section pertaining to cracking a DVD video and excerpting scenes for commentary or criticism has been expanded beyond educational use into documentary and non-commercial applications. Under traditional fair use rights, it has been allowed to use portions of copyrighted materials for teaching, documentary films, and for criticism and commentary. However, under the DMCA these rights didn’t matter as it was illegal to break the DRM no matter what the end use.
News Item 3: http://www.ibtimes.com/articles/37227/20100721/utargeting-china-in-new-anti-piracy-drive.htm
The United States will make China “a significant focus” of its beefed-up efforts to fight global piracy and counterfeiting of U.S. goods ranging from CDs to manufactured products, a U.S. official said on Wednesday.
“It’s fair to say China raises a particularly troubling set of issues,” Victoria Espinel, the U.S. intellectual property enforcement coordinator, said in prepared testimony to the House of Representatives Foreign Affairs Committee. “Therefore, China will be a significant focus of our enforcement efforts as we address intellectual property infringement abroad,” Espinel said testifying on the Obama administration’s new intellectual property enforcement strategy, which was mandated by Congress.
The International Intellectual Property Alliance, which represents U.S. copyright industry groups, has estimated lost sales in China at more than $3.5 billion in 2009 due to piracy of U.S. music, movies and software.
News Item 4: http://www.networkworld.com/community/node/64031
An FBI investigation has led to a Michigan couple being charged with stealing hybrid car information from GM to use in a Chinese auto outfit. A federal indictment charged Yu Qin, aka Yu Chin, 49, and his wife, Shanshan Du, aka Shannon Du, 51, of Troy, Michigan with conspiracy to possess trade secrets without authorization, unauthorized possession of trade secrets, and wire fraud. One of the individuals was also charged with obstruction of justice, said Barbara McQuade, United States Attorney for the Eastern District of Michigan, in a statement. GM estimates that the value of the stolen documents is over $40 million.
According to the indictment, from December 2003 to May 2006, the defendants conspired to possess trade secret information of General Motors relating to hybrid vehicles, knowing that the information had been stolen, converted, or obtained without authorization. The indictment alleges that Du, while employed with GM, provided GM trade secret information relating to hybrid vehicles to her husband, Qin, for his benefit and for the benefit of a company, Millennium Technology International Inc., that the defendants owned and operated.
Approximately five days after Du was offered a severance agreement by GM in January 2005, she copied thousands of GM documents, including trade secret documents, to an external computer hard drive used for MTI business. A few months later, Qin moved forward on a new business venture to provide hybrid vehicle technology to Chery Automobile, a Chinese automotive manufacturer based in China and a competitor of GM. The indictment further alleges that in May 2006, the defendants possessed GM trade secret information without authorization on several computer and electronic devices located in their residence, according to the statement.
The indictment also charges the defendants dumped plastic bags containing shredded documents in a dumpster after they were subpoenaed by a federal grand jury looking for information relating to MTI and hybrid vehicles.
News Item 5: http://threatpost.com/en_us/blogs/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210
Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.
The change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000 respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future.