2010
07.29

InfoSec Daily Podcast

ISDPodcast Episode 183 for July 29, 2010.  Tonight’s podcast is hosted by Rick Hayes and Karthik Rangarajan.  In this episode we will discuss the Facebook profile scrape, Dell’s secure browser, the Wikileaks Afghan War Diary, and Microsoft’s position on hacker bounties.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling course in Knoxville, TN, running Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69).  This discount expires on Sept. 1st.

Stories of Interest:
News Item 1: http://www.bbc.co.uk/news/technology-10796584

Personal details of 100m Facebook users have been collected and published on the net by a security consultant. Ron Bowes used a piece of code to scan Facebook profiles, collecting data not hidden by the user’s privacy settings. The torrent is attracting hundreds of downloads.

The list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user’s profile, their name and unique ID.

News Item 2: http://www.channelregister.co.uk/2010/07/20/secure_browser_push/

Dell has applied application virtualization technology to Firefox in order to offer corporates what it claims is a more secure browsing experience. The Dell KACE Secure Browser, which is available for download at no charge from Tuesday, aims to boost enterprise security while introducing businesses to the PC maker’s recently acquired systems management appliance division. The technology provides users with a virtual instance of an internet browser application, thereby reducing exposure to drive-by malware attacks from websites hosting malicious code, an increasingly common tactic for malware distribution.

“By running the browser in a virtual instance, the browser and any activity resulting from its use are separated from the endpoint keeping the actual computer and operating system free of changes that would normally occur,” Dell KACE explains. The Secure Browser can be centrally deployed and managed via Dell KACE’s K1000 Management Appliance. The unit intends to deliver an Internet Explorer version of the technology later this year.

News Item 3: http://news.cnet.com/8301-1009_3-20011594-83.html
Wikileaks, the document-leaking organization that has previously released internal U.S. military videos, on Sunday disclosed over 75,000 confidential files related to the war in Afghanistan.

The group gave the documents in advance to the New York Times, Germany’s Der Spiegel, and the U.K.’s Guardian newspaper, which independently confirmed their authenticity. The Guardian called the disclosure a “devastating portrait of the failing war in Afghanistan,” saying it reveals how the U.S.-led coalition has killed hundreds of civilians in unreported incidents, Taliban attacks have risen, and NATO commanders worry that neighboring Pakistan and Iran are aiding the insurgency.

About 76,900 of the files, which the group calls the “Afghan War Diary”, appeared on Wikileaks.org at around 4 p.m. PT. Wikileaks says it has delayed the release of an additional 15,000 files to allow names and other sensitive information to be removed.

The U.K. public service broadcaster Channel 4 performed its own analysis of the dispatches from individual military units, which cover the war from 2004 through the end of 2009, and concluded that 15,506 enemy deaths were reported. At least 4,232 civilians were killed, and 1,138 NATO troops were killed.

News Item 4: http://www.zdnet.com/blog/security/microsoft-no-plans-to-pay-for-security-vulnerabilities/6935
Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don’t expect Microsoft to join the pay-for-flaws party.

According to Threatpost’s Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well.

Here’s what Microsoft’s Jerry Bryant told Fisher:

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update.”