2010
07.28

InfoSec Daily Podcast

ISDPodcast Episode 182 for July 28, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Karthik Rangarajan.  In this episode we will discuss fake Firefox, Motorola, vBulletin & China.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Stories of Interest:

News Item 1a: http://news.yahoo.com/s/zd/20100728/tc_zd/253167
Thanks to F-Secure for revealing the latest in rogue anti-malware: A fake Firefox “Just Updated” page which pushes you to install an update to Flash.

The page is roughly a clone of the page you see in Firefox after you update versions. It uses a recent (but not the most recent) update version and tells the user that they really should update their Flash version. Presumably you’d see this even in another browser.

The download starts automatically. Save and run it and you get a rogue antivirus product named “SecurityTool” which starts finding threats which aren’t there and demanding payment in order to remove them.

News Item 1b: http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.

The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact. A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

News Item 2: http://www.theregister.co.uk/2010/07/22/motorola_huawei/
Motorola has accused its own engineers of sending confidential documents to the founder of Huawei, and claims that the receiving company was well aware that the information was stolen.

The case, filed in Chicago, is against the Lemko Corp and originally accused five former Motorola workers of taking their secrets with them when they moved to Lemko – a company that has a reselling deal with Huawei. But the case has now been amended to accuse named engineers of sending confidential documents direct to Huawei.

Motorola is pretty explicit: “Huawei and its officers knew they were receiving stolen Motorola proprietary trade secrets and confidential information without Motorola’s authorization and consent,” according to Reuters’ reporting of the complaint. A sent mail was apparently recovered from the engineer’s computer, with attached documents bearing the “confidential” stamp.

It’s not the first time Motorola and Lemko have been at odds – back in 2008 a Motorola employee (who also seems to have been working for Lemko at the time) was picked up boarding a plane at O’Hare airport, on a one-way trip to China packing more than 1,000 Motorola documents and something in the region of $30,000 in cash too.

News Item 3: http://www.bbc.co.uk/news/technology-10714192
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data.  The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.  This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

News Item 4: http://news.cnet.com/8301-1023_3-20011428-93.html
Baidu, China’s leading Internet search company, has a “plausible” case against its U.S.-based domain registry for allegedly allowing a hacking attack that left the site disabled and defaced, a U.S. judge ruled Thursday.

The order, signed by Judge Denny Chin of the U.S. District Court for Southern New York, allows Baidu to proceed with a lawsuit it filed against Register.com in January. Baidu’s suit accuses Register.com of breach of contract, gross negligence, and recklessness related to a January 11 hack attack that left Baidu disabled for several hours. Visitors to the site during those hours were redirected to a site where a group calling itself the “Iranian Cyber Army” claimed responsibility for the attack.

“I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness,” Chin said in his ruling. “If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism.”

However, Register.com did score a partial victory when Chin dismissed five of Baidu’s seven claims against the domain registry, including contributing to trademark infringement and aiding trespass. Register.com still faces breach of contract and negligence charges.

News Item 5: http://bit.ly/9A397s

Computer files from South Shore Hospital that contain personal information for about 800,000 people may have been lost when they were shipped to a contractor to be destroyed, hospital officials announced yesterday.

The officials declined to identify the contractor, but said that an independent information security consulting firm has determined that specialized software, hardware, and technical knowledge would be required to open and decipher information in the files.

They also said they had no evidence that the information in those files had been improperly used by anyone. The information was on back-up files headed for destruction because they were in a format the hospital said it no longer used. Based on the investigation so far, the hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information. Aubut said the hospital is still investigating and will be sending letters to each person whose personal information may have been on those files.

Under a 2007 Massachusetts law, companies are required to notify the state attorney general’s office when they know or suspect that data containing personal information from consumers has been breached. Since 2007, the office has received 1,370 such notifications, a spokeswoman said yesterday.