Your daily source of Pwnage, Policy and Politics.

Episode 199 – SSHBot, Heartland & One Helluva Network Rant

ISDPodcast Episode 199 for August 24, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:
Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers can be made via telephone at (770) 867-9111. Please place the account number 00133835 on the check. A PayPal link has been established and can be found on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.

MyHardDriveDied.com:

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with static code analysis, and was a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner who picks up new material quickly. He can be reached at krangarajan@gatech.edu or isdpodcast@gmail.com.

Keith: [EDIT] It's not raining men. That's ok... I have a gift for you Kar and I'll wait for ShoeCon to give it to you =)

Keith’s Rant of the Day: Providing employees with scripted answers to auditor questions nullifies the point of performing an internal audit....

Stories of Interest:
News Item 1: http://www.theregister.co.uk/2010/08/12/server_based_botnet
A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices.

According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By exploiting a vulnerability patched in April, the bot installs a file called dd_ssh, which trawls the net for devices protected by the SSH protocol.

“This bot then conducts brute force SSH attacks on random IP addresses specified by the bot herder,” a user blogged here. Indeed, DShield, an exploit-monitoring service maintained by the SANS Institute, shows a six-fold increase in the number of sources participating in SSH scanning from July 24 to August 10, and close to a three-fold jump in the number of targets.  For reasons that remain unclear, the number of sources over the past two days has plummeted, even as the number of targets has dropped only moderately.

In addition to posing a threat to unpatched websites and SSH-protected devices, the attacks are also creating headaches for large numbers of non-vulnerable sites. As Reg readers have pointed out in comments to this article, the flood of requests for admin.php, setup.php and other PHP-related files can have the effect of a denial-of-service attack. The queries often hit sites running Microsoft’s IIS and other platforms that have nothing to do with PHP.
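As an added example, not from the show notes or the Register article, here is the detection side of this story in Python. The first function flags SSH sources that cross a failure threshold inside a sliding time window, which is what DShield's contributors would see in their own auth logs; the second pulls phpMyAdmin setup-script probes out of a web access log regardless of status code, which is what the IIS operators in the comments were being hit with. The log lines are constructed samples, the threshold and window are assumptions, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, not captured traffic: OpenSSH failures in syslog
# format, and web requests in Apache combined-log format. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
AUTH_LOG = """\
Aug 10 02:14:01 host sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51004 ssh2
Aug 10 02:14:03 host sshd[4123]: Failed password for root from 198.51.100.7 port 51010 ssh2
Aug 10 02:14:05 host sshd[4125]: Failed password for invalid user oracle from 198.51.100.7 port 51016 ssh2
Aug 10 02:14:07 host sshd[4127]: Failed password for invalid user test from 198.51.100.7 port 51020 ssh2
Aug 10 02:14:09 host sshd[4129]: Failed password for root from 198.51.100.7 port 51024 ssh2
Aug 10 02:14:11 host sshd[4131]: Failed password for invalid user guest from 198.51.100.7 port 51030 ssh2
Aug 10 02:30:00 host sshd[4200]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Aug 10 02:30:20 host sshd[4202]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2
"""

ACCESS_LOG = """\
198.51.100.7 - - [10/Aug/2010:02:10:00 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [10/Aug/2010:02:10:00 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [10/Aug/2010:02:10:01 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "-"
203.0.113.5 - - [10/Aug/2010:02:11:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WEB_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def ssh_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5), year=2010):
    """Map source IP -> total failed logins for every source that produced at
    least `threshold` failures inside one sliding `window`. Syslog stamps carry
    no year, so the caller supplies it."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def is_phpmyadmin_probe(path):
    """True for the setup/admin script paths a phpMyAdmin scanner walks."""
    p = path.split("?", 1)[0].lower()
    if p == "/admin.php":
        return True
    return p.endswith("/setup.php") and any(k in p for k in ("phpmyadmin", "pma", "myadmin"))


def phpmyadmin_probes(log_text):
    """Map source IP -> list of probed paths. The status code is deliberately
    ignored: on a host that does not run PHP at all these are 404s, and the
    point of checking is that the requests still cost the server."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = WEB_LINE.match(line)
        if m and is_phpmyadmin_probe(m["path"]):
            hits[m["ip"]].append(m["path"])
    return dict(hits)


if __name__ == "__main__":
    print("SSH brute-force sources:", ssh_bruteforce_sources(AUTH_LOG))
    print("phpMyAdmin probes:", phpmyadmin_probes(ACCESS_LOG))
```

A 404 in the web log is a finding here, not noise: on a host with no PHP every one of those requests is pure cost, which is the denial-of-service effect the comments describe. The sliding window keeps a single fat-fingered login from tripping the SSH check, so its output is safe to feed to a firewall drop list or a fail2ban-style jail.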

News Item 2: http://www.computerworld.com/s/article/9180660/Heartland_denies_systems_involved_in_new_data_breach
Heartland Payment Systems, which last year suffered the largest ever data breach involving payment card data, is downplaying reports out of Austin, Texas linking the payment processor to a data breach at a local restaurant chain.

Heartland CIO Steven Elefant told Computerworld by e-mail late Thursday that the reports out of Austin point to a “localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud.”

“The Heartland system at large and its merchants would not be compromised in any way by this type of attack, and the company is unaware of any broader issue,” he said.

He added that Heartland officials will work closely with business owners to help identify the source of the breach, and help with remediation efforts.

The Austin Statesman reported on Thursday that an “accounting network” at Tino’s Greek Cafe, a local restaurant chain with four locations in Austin, had been breached.

News Item 3: http://www.darkreading.com/shared/printableArticle.jhtml?articleID=226900007

[Notes: Keith - Network segmentation (see news item 4) is often overlooked, improperly implemented and/or not monitored. Along with segmentation, there should be access controls implemented between the individual segments to enforce the segmentation and report on potential issues. Not only does this allow for minimized impact to operations should one segment come under attack, get infected or whatever; once properly implemented it will also allow for overall ease of management]
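An added example, not Keith's or the page's own code, of the "report on potential issues" half of that note in Python: a segment map, an allowlist of justified cross-segment flows, and a check run over constructed flow records of the kind a firewall or NetFlow collector sitting between the segments would export. The segment names, address ranges and allowed flows are assumptions for a small retail network like the one in the Heartland story above; every inter-segment flow not on the list is reported, including flows to the Internet.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed segment map and policy for a retail network; addresses are
# private/documentation ranges and the segment names are assumptions.
SEGMENTS = {
    "POS": ipaddress.ip_network("10.10.0.0/24"),
    "BACKOFFICE": ipaddress.ip_network("10.20.0.0/24"),
    "CARD_GATEWAY": ipaddress.ip_network("10.30.0.0/24"),
    "GUEST_WIFI": ipaddress.ip_network("192.168.100.0/24"),
}

# The only cross-segment flows the business has justified:
# (source segment, destination segment, protocol, destination port).
ALLOWED = {
    ("POS", "CARD_GATEWAY", "tcp", 443),   # registers post transactions
    ("BACKOFFICE", "POS", "tcp", 22),      # administrators manage registers
}

# Constructed flow export (timestamp src dst proto dport).
FLOW_LOG = """\
2010-08-24T02:00:01 10.10.0.15 10.30.0.5 tcp 443
2010-08-24T02:00:02 10.20.0.8 10.10.0.15 tcp 22
2010-08-24T02:00:03 10.10.0.15 10.10.0.16 tcp 445
2010-08-24T02:00:04 10.10.0.15 10.20.0.8 tcp 445
2010-08-24T02:00:05 192.168.100.23 10.10.0.15 tcp 22
2010-08-24T02:00:06 10.10.0.15 203.0.113.9 tcp 6667
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, dst, proto, dport = line.split()
            flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows


def segment_of(ip):
    """Name of the segment an address belongs to; anything unmapped, the
    Internet included, is OUTSIDE and is never a permitted peer unless listed."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "OUTSIDE"


def check_flows(flows):
    """Return (flow, reason) for every flow that crosses a segment boundary
    without a matching ALLOWED entry. Traffic that stays inside one segment is
    out of scope for a boundary control and is passed through."""
    violations = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg == dst_seg and src_seg != "OUTSIDE":
            continue
        if (src_seg, dst_seg, f.proto, f.dport) in ALLOWED:
            continue
        violations.append((f, f"{src_seg}->{dst_seg} {f.proto}/{f.dport} is not an approved flow"))
    return violations


if __name__ == "__main__":
    for flow, reason in check_flows(parse_flows(FLOW_LOG)):
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
```

The same ALLOWED table is what the firewall rules between the segments should be generated from, so a violation in the flow log means either the enforcement point is missing a deny (the Swiss cheese case) or something inside a segment is trying to reach out, which is the signal the note wants reported rather than discovered after the fact.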

News Item 4: http://www.darkreading.com/shared/printableArticle.jhtml?articleID=226700495

[Notes: Keith - Rogue wireless networks continue to be problematic due to the ease of acquiring wireless access points as well as problems with detection. To discover rogue access points we should be using a combination of both wired and wireless scanning, as neither is perfect. Correlation of the results should be able to give a better picture on discovery of potential devices, though even this is questionable. Due to the saturation of wireless in heavily populated areas, even wireless scanning and identification of those devices is nearly impossible. Proper controls between corporate/guest APs and network segmentation: this is something that is often overlooked, and when it is implemented it typically turns into Swiss cheese. I love how Verizon is quoted here as blaming insecure wireless networks for the bulk of the incidents and saying we should be using WPA or WPA2, yet they ship their wireless devices with WEP enabled.]
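An added example, not from Keith's notes or the Dark Reading article, of the wired/wireless correlation he describes, in Python. The wireless survey, the switches' MAC address tables and the list of managed BSSIDs are constructed (all addresses are locally administered, so they belong to no vendor). The heuristic that ties a BSSID to a switch port is a wired MAC sharing the first five octets and sitting within a small offset in the last one, which consumer access points make possible by deriving their radio MACs from the wired MAC. It is a heuristic, not proof: an AP it cannot tie to the wire is left as UNKNOWN, which is exactly the gap in dense areas the note complains about.

```python
# Constructed inputs. BSSIDs and wired MACs use locally administered addresses
# (second hex digit 2, 6, a or e) so they map to no real vendor.

MANAGED_BSSIDS = {"02:00:5e:aa:01:10", "02:00:5e:aa:01:11"}   # the corporate controller's APs
CORPORATE_SSIDS = {"CORP-WIFI"}

# (BSSID, SSID, channel) as reported by a wireless survey walked through the building.
WIRELESS_SURVEY = [
    ("02:00:5e:aa:01:10", "CORP-WIFI", 1),
    ("02:1a:2b:3c:4d:41", "linksys", 6),
    ("06:77:88:99:aa:bb", "CORP-WIFI", 11),
    ("0a:de:ad:be:ef:01", "NETGEAR24", 6),
]

# (MAC, switch port, VLAN) from the wired side: the access switches' MAC address tables.
WIRED_MAC_TABLE = [
    ("02:1a:2b:3c:4d:40", "Gi1/0/12", 10),
    ("02:aa:bb:cc:dd:01", "Gi1/0/3", 10),
    ("02:00:5e:aa:01:0f", "Gi1/0/24", 20),   # the managed AP's own wired uplink
]


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbour(bssid, wired, max_offset):
    """A wired MAC that shares the first five octets with the BSSID and sits
    within max_offset of it in the last octet, or None. This is the piece of
    evidence that ties an over-the-air observation to a switch port."""
    b = mac_to_int(bssid)
    for mac, port, vlan in wired:
        w = mac_to_int(mac)
        if (w >> 8) == (b >> 8) and abs((w & 0xFF) - (b & 0xFF)) <= max_offset:
            return mac, port, vlan
    return None


def classify(wireless, wired, managed, corporate_ssids, max_offset=15):
    """One finding per unmanaged BSSID: ROGUE when it has a wired footprint,
    SUSPECT when it advertises a corporate SSID without one (evil twin, or a
    rogue whose wired MAC we could not see), UNKNOWN otherwise."""
    findings = []
    for bssid, ssid, channel in wireless:
        if bssid.lower() in managed:
            continue
        match = wired_neighbour(bssid, wired, max_offset)
        if match:
            verdict = "ROGUE"
        elif ssid in corporate_ssids:
            verdict = "SUSPECT"
        else:
            verdict = "UNKNOWN"
        findings.append({"bssid": bssid, "ssid": ssid, "channel": channel,
                         "verdict": verdict, "wired": match})
    return findings


if __name__ == "__main__":
    for f in classify(WIRELESS_SURVEY, WIRED_MAC_TABLE, MANAGED_BSSIDS, CORPORATE_SSIDS):
        where = f"on {f['wired'][1]} vlan {f['wired'][2]}" if f["wired"] else "no wired evidence"
        print(f"{f['verdict']:8} {f['bssid']} ssid={f['ssid']!r} ch={f['channel']} {where}")
```

A ROGUE finding comes with a port to shut; a SUSPECT one needs a walk with a directional antenna; UNKNOWN is the neighbour noise the note describes, and the only way to shrink it is a narrower offset or a vendor OUI list, both of which trade misses for false alarms. Note the last-octet comparison does not wrap past 0xFF; treat a BSSID ending in 0x00 next to a wired MAC ending in 0xFF as a miss this code will not catch.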

Episode 198 – HD Moore, EXIF data, Kenya & HIPPA Fail

ISDPodcast Episode 198 for August 23, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.


Stories of Interest:
News Item 1:  http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system, a security researcher said Thursday.

The critical vulnerability, which has already been patched in Apple’s iTunes media player for Windows and VMware Tools, will be especially challenging to fix, because each application will ultimately need to receive its own patch, Mitja Kolsek, CEO of application security consultancy Acros Security, told The Register. He agreed with fellow researcher H D Moore, who on Wednesday said the critical vulnerability is trivial to exploit.

At the time, Moore estimated 40 programs were vulnerable, but security experts from Slovenia-based Acros have found that about 200 of the 220 applications they’ve tested so far suffer from what they’re calling the binary-planting bug. They have yet to complete their inquiry.

“We are expecting that there should be many more,” Kolsek said. “We were just looking for those vulnerabilities that were exploitable in terms of the user double-clicking a document or doing a couple of things with the menu.”

News Item 2: http://www.nytimes.com/2010/08/12/technology/personaltech/12basics.html

[Notes: Karthik - I think Rick almost got geotagged once; Adrian found the EXIF data in it. He almost did it again last month: he posted a tweet that had the Epoch time and the geolocation on it, until he removed it and used a different app]

When Adam Savage, host of the popular science program “MythBusters,” posted a picture on Twitter of his automobile parked in front of his house, he let his fans know much more than that he drove a Toyota Land Cruiser.  Embedded in the image was a geotag, a bit of data providing the longitude and latitude of where the photo was taken. Hence, he revealed exactly where he lived. And since the accompanying text was “Now it’s off to work,” potential thieves knew he would not be at home. Security experts and privacy advocates have recently begun warning about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, the concern is that many people may not realize it is there; and they could be compromising their privacy, if not their safety, when they post geotagged media online.

Adam said he knew about geotags, but he said he had neglected to disable the function on his iPhone before taking the picture and uploading it to Twitter. Adam has since turned off the geotag feature on his iPhone, and he isn’t worried about the archived photo on Twitter because he has moved to a new residence. But others may not be so technologically informed or so blasé about their privacy.
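An added example, not from the Times article, of what "embedded in the image" means in bytes: a minimal Exif/TIFF GPS block builder, a JPEG segment walker, a reader that turns the GPS IFD's degree/minute/second rationals into signed decimal degrees, and a stripper that removes the APP1/Exif segment before a photo is posted. Python standard library only; the JPEG is a constructed skeleton (not a decodable picture) and the coordinates are arbitrary, not anyone's address.

```python
import struct


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Minimal little-endian TIFF/Exif blob: IFD0 holds only the GPS IFD
    pointer (tag 0x8825); the GPS IFD holds lat/lon refs (ASCII, inline) and
    lat/lon as three RATIONALs each (degrees, minutes, seconds)."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD: count, four entries, link
    lat_off, lon_off = data_off, data_off + 24
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 1, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"   # GPSLatitudeRef
    tiff += struct.pack("<HHII", 2, 5, 3, lat_off)                              # GPSLatitude
    tiff += struct.pack("<HHI", 3, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"   # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, lon_off)                              # GPSLongitude
    tiff += struct.pack("<I", 0)
    for num, den in (*lat_dms, *lon_dms):
        tiff += struct.pack("<II", num, den)
    return tiff


def build_jpeg(exif_tiff):
    """Skeletal JPEG: SOI, APP1/Exif, a COM segment, a tiny SOS, EOI. Not a
    decodable picture; it exists so the segment walker has something to walk."""
    app1 = b"Exif\x00\x00" + exif_tiff
    com = b"hello"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
            + b"\xff\xd9")


def split_jpeg(jpeg):
    """(segments before SOS as (marker, raw bytes), everything from SOS on)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        segments.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _is_exif(marker, seg):
    return marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"


def find_exif(jpeg):
    """The TIFF blob inside the APP1/Exif segment, or None."""
    for marker, seg in split_jpeg(jpeg)[0]:
        if _is_exif(marker, seg):
            return seg[10:]
    return None


def strip_exif(jpeg):
    """Drop the APP1/Exif segment (GPS, camera serial, thumbnail and all) and
    keep every other segment and the image data untouched."""
    segments, tail = split_jpeg(jpeg)
    kept = b"".join(seg for marker, seg in segments if not _is_exif(marker, seg))
    return b"\xff\xd8" + kept + tail


def read_gps(tiff):
    """(latitude, longitude) in signed decimal degrees, or None without a GPS IFD."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    u16 = lambda off: struct.unpack_from(endian + "H", tiff, off)[0]
    u32 = lambda off: struct.unpack_from(endian + "I", tiff, off)[0]

    def entries(ifd_off):
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8   # tag, type, count, value-or-offset field

    gps_off = next((u32(vpos) for tag, _, _, vpos in entries(u32(4)) if tag == 0x8825), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, vpos in entries(gps_off):
        if typ == 2 and count <= 4:            # ASCII short enough to live inline
            fields[tag] = tiff[vpos:vpos + count].rstrip(b"\x00").decode("ascii")
        elif typ == 5:                         # RATIONAL: count pairs of u32 at the offset
            off = u32(vpos)
            fields[tag] = [u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(count)]

    def to_degrees(dms, ref):
        d, m, s = dms
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg

    return to_degrees(fields[2], fields[1]), to_degrees(fields[4], fields[3])


# Constructed photo with an arbitrary geotag.
SAMPLE_JPEG = build_jpeg(build_exif_gps([(37, 1), (46, 1), (294, 10)], "N",
                                        [(122, 1), (25, 1), (96, 10)], "W"))

if __name__ == "__main__":
    print("geotag:", read_gps(find_exif(SAMPLE_JPEG)))
    print("after strip:", find_exif(strip_exif(SAMPLE_JPEG)))
```

Stripping the whole APP1/Exif segment is blunt but safe: it takes the camera serial number and the embedded thumbnail (which can show the uncropped original) along with the location. Tools that only zero the GPS tags leave the rest behind. The phone-side setting Adam turned off is still the better control, since the copy already on the server is the one you cannot take back.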

News Item 3: http://www.businessdailyafrica.com/Company%20Industry/-/539550/977138/-/simtwwz/-/
Data has become an invaluable asset in every sector. Yet even as the world’s businesses become interconnected by the same business language, developing nations face an extra cost burden through their almost complete negligence of information security, according to a 2005 Information Economy Report from UNCTAD.

In a clarion call, a full five years ago, to take the value of information more seriously, the report urged criminalising of cyber attacks and the introduction of risk-management policies, as well as constant monitoring of ICT security regulations and the training of skilled staff to run effective security programmes.

The calls have had virtually no impact in Kenya, despite the country’s galloping growth in intellectual property and information held within businesses — from client information, including card numbers and contacts, to sensitive company information such as log in details, mailing lists and security codes.

Not one company or public sector organisation in the country has yet implemented the globe’s international standards — ISO/IEC 17799:2005 and ISO/IEC 27001 — dealing specifically with information security.

News Item 4: http://www.patriotledger.com/lifestyle/health_and_beauty/x316188449/Milton-Caritas-Carney-hospitals-to-patients-about-dumped-medical-records
Four Massachusetts hospitals will soon be contacting thousands of patients whose medical records were found at a public dump in late July. Two of the hospitals have posted information for patients on their websites and are making plans to send letters to all patients who were involved in the security breach. For patient information, go to Milton Hospital's and Carney Hospital's websites. Both have direct phone lines that patients can call. Carney's number is 800-699-1202, and Milton's is 617-313-1000 followed by 1 and extension 881555. The dumping also included patients from Milford and Holyoke hospitals. The unshredded records contained Social Security numbers and sensitive information such as cancer-test results. Patients who got pathology tests appear to be the only ones affected. Most records were from 2009, with some as old as 2007.

Milton Hospital estimates the dumping affected 8,000 to 12,000 patients and more than 15,000 test results. Murphy said Carney Hospital hasn't yet determined how many of its patients are involved. A spokesman said there's no evidence to suggest there was a previous case of medical records being left unshredded and unprotected. The records were discovered by a Boston Globe photographer on July 26 at the transfer station in Georgetown, 22 miles northwest of Marblehead. Under the contracts, Goldthwait is supposed to dispose of the records. Under state and federal law that generally means the documents are to be shredded or burned.
A spokesman said it's not clear how much more the hospitals can do to prevent a third-party breach from occurring, since the hospitals weren't directly involved in the handling of these records. But they said the hospitals will review their protection procedures to be sure.

Episode 197 – Interview with Adrian Sanabria

ISDPodcast Episode 197 for August 20, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.


Interview:
We would like to welcome Adrian Sanabria to our podcast. Adrian is a security consultant, technology enthusiast, and hacker based in Knoxville, Tennessee. He is currently a security consultant for Sword & Shield Enterprise Security, where he enjoys performing penetration tests, PCI assessments, and social engineering exercises for clients from a wide range of industries.

Though Adrian has been working in Information Technology for over ten years, he has a passion for learning and teaching, and dreams of jumping into teaching full-time one of these days. A lifelong interest in how things work has led to a lifetime of disassembling, breaking and hacking all manner of things. Adrian lives for the rewarding experience of explaining complex, difficult concepts to students, children, or anyone else with a love for learning. He looks forward to providing eager students with new skill sets and the answers to those questions that nag at them and keep them up at night.

Episode 196 – Intel, The E. F. Hutton of Security & Cold Fusion Rant

ISDPodcast Episode 196 for August 19, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Karthik Rangarajan.


Stories of Interest:
News Item 1: http://www.theregister.co.uk/2010/08/19/intel_and_macafee_wtf/
When does a $7B deal get summed up in three little letters “WTF”?  When Geordy freakin says so and when Intel buys McAfee.

Intel and McAfee made a surprise announcement early Thursday that the chip megamaker plans to acquire the security-software giant in a $7.68bn all-cash deal, and across the technical and financial communities, the response was a nearly unanimous “WTF?”

But during a webcast conference with reporters and analysts, Intel CEO Paul Otellini and his crew performed an intricate dance designed to calm investors and explain the wisdom of the move — and to plow the fertile field of fear, and sow hints as to how Chipzilla plans to profit from the deal.

To soothe McAfee investors — who should need little soothing, seeing as how they stand to profit greatly from the deal — Otellini first reported that the acquisition has the unanimous approval of both companies’ boards of directors, that McAfee will maintain its identity as a wholly-owned subsidiary of Intel, and that “Intel is giving its commitment to the McAfee brand and all McAfee product offerings.”

But why McAfee? Intel is a chipmaker, not a “scare ‘em then sell ‘em” security-software outfit. Otellini’s answer was architectural. “We have concluded that security has now become the third pillar of computing,” he told his listeners, “joining energy-efficient performance and Internet connectivity in importance.”

And that third pillar, Otellini believes, will be best implemented in silicon, not software. “We believe that security will be most effective when enabled in hardware,” he said. “Joining the assets of McAfee with Intel will accelerate and enhance the combination of hardware and software solutions.”  McAfee, which competes with Symantec, gives Intel a direct route into one of the most crucial parts of the software sector. With online threats proliferating, Intel has opened up a major source of additional revenue; the deal also allows the company to position itself as more than just a chipmaker.

Analysts seem to think that this deal doesn’t bode well for Check Point Software, Fortinet, Blue Coat Systems or ArcSight. What does this mean for Symantec? Will they be the next big security acquisition by a giant like Hewlett-Packard, Dell or IBM?

News Item 2:  http://www.net-security.org/secworld.php?id=9761
Some 40 Windows applications are affected by a critical vulnerability that can allow attackers to execute malicious code remotely and infect the computers with malware, says HD Moore, CSO at Rapid7 and creator of Metasploit.

He hinted at the existence of the flaw on Twitter, saying “The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,” and linking to an advisory by security firm Acros.

The advisory in question concerns a dynamic link library loading flaw in Apple iTunes for Windows, which allows a remote attacker to “plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes – which should require minimal social engineering.”

“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV -, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet,” say Acros researchers.

HD did not specify which applications were affected, and offered but a few details about it.  “The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ‘safe’ file type from a network share [either on the local network or the Internet]. It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content,” he revealed to ComputerWorld.  HD advises users to block TCP ports 139 and 445 to block outbound SMB connections and to disable the Windows WebDAV client in order to block remote attacks.
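An added example, not H D Moore's, Acros' or the page's code, modelling in Python the loader behaviour behind both this story and the 200-application count in Episode 198 above. It walks the DLL search order for a DLL requested by bare name (application directory, system directories, then the current working directory, then PATH, with the CWD promoted to second place when SafeDllSearchMode is off), resolves a few names against a constructed filesystem, and shows why a DLL the application looks for but does not ship resolves to the attacker's share once the user opens a document there. The application, paths, share and file names are assumptions; KnownDLLs are modelled as a three-entry set, and the block_remote_cwd flag models the mitigation of refusing to search a remote CWD, in the same spirit as HD's advice to block outbound SMB and WebDAV.

```python
# Constructed scenario: a media player that looks for an optional codec DLL it
# does not ship, and a user who double-clicks a file on an attacker-controlled
# share. Every path and file name here is an assumption for illustration.

APP_DIR = r"C:\Program Files\Player"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Windows\System32\WindowsPowerShell\v1.0"]
SHARE = r"\\203.0.113.9\music"          # becomes the current working directory when the file is opened
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}   # a few real KnownDLLs; the full list lives in the registry

# directory -> files present there (constructed)
PRESENT = {
    APP_DIR: {"player.exe", "player.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "ntdll.dll", "user32.dll", "dwmapi.dll"},
    SHARE: {"song.mp3", "codec.dll", "dwmapi.dll"},    # the attacker's files next to the bait document
}


def is_remote(directory):
    """UNC paths reach an SMB share, or a WebDAV share when SMB is filtered."""
    return directory.startswith("\\\\")


def dll_search_order(app_dir, cwd, system_dirs, path_dirs, safe_search=True):
    """Directories the loader consults, in order, for a DLL given by bare
    name. SafeDllSearchMode (on by default) demotes the current working
    directory below the system directories; it is still ahead of PATH."""
    if safe_search:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, order, present, known_dlls=KNOWN_DLLS, cwd=None, block_remote_cwd=False):
    """Directory the loader takes `name` from, 'KnownDLLs' when the search is
    skipped altogether, or None when the load fails."""
    lname = name.lower()
    if lname in {k.lower() for k in known_dlls}:
        return "KnownDLLs"
    for directory in order:
        if block_remote_cwd and directory == cwd and is_remote(directory):
            continue                        # the mitigation: never search a remote CWD
        if lname in {f.lower() for f in present.get(directory, ())}:
            return directory
    return None


def triage(dll_names, **kwargs):
    """For each DLL an application is observed to request (e.g. from a Process
    Monitor trace), report where it would come from and whether that location
    is one the attacker controls."""
    order = dll_search_order(APP_DIR, SHARE, SYSTEM_DIRS, PATH_DIRS, kwargs.pop("safe_search", True))
    report = {}
    for name in dll_names:
        where = resolve_dll(name, order, PRESENT, cwd=SHARE, **kwargs)
        report[name] = (where, where is not None and is_remote(where))
    return report


if __name__ == "__main__":
    for name, (where, hijacked) in triage(["kernel32.dll", "dwmapi.dll", "codec.dll"]).items():
        print(f"{name:14} -> {where}  {'HIJACKED' if hijacked else ''}")
```

The exploitable case is the DLL that is absent everywhere the loader looks before the CWD: an optional plugin, a codec, a debugging helper. That is why each application needs its own fix (load by full path, or call SetDllDirectory to drop the CWD), and why the per-machine mitigations of removing the CWD from the search or blocking remote shares are the only thing that covers the long tail at once.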

News Item 3:  http://www.theregister.co.uk/2010/08/16/adobe_coldfusion_vuln/
A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote here. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”
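An added example, not Adobe's, Rafal Los' or the page's code: the shape of a directory-traversal bug like the one described, in Python. The "before" concatenates a request parameter into a path (including the NUL-byte truncation older C-backed file APIs exhibit, which lets an attacker discard a fixed suffix); the hardened version allowlists the parameter and still verifies the resolved path; a small predicate at the end is for triaging web logs. The application layout (a locale parameter selecting a file under a language directory) and every path are assumptions; nothing here is ColdFusion's actual code or the published exploit.

```python
import posixpath
import re
from urllib.parse import unquote

LANG_DIR = "/opt/app/wwwroot/lang"         # constructed deployment layout
SAFE_LOCALE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def vulnerable_lang_path(locale):
    """Before: the request parameter is decoded and glued onto a fixed
    directory plus a fixed suffix. '..' walks out of LANG_DIR, and because
    older C-backed file APIs stop at the first NUL byte the suffix can be
    cut off, so any file the server account can read is reachable."""
    raw = unquote(locale)
    path = f"{LANG_DIR}/{raw}.properties"
    return posixpath.normpath(path.split("\x00", 1)[0])   # models the NUL truncation


def hardened_lang_path(locale):
    """After: allowlist the parameter's shape, then still verify the resolved
    path sits under LANG_DIR. Either check alone blocks these inputs; keeping
    both means a future loosening of the allowlist does not reopen the hole."""
    raw = unquote(locale)
    if not SAFE_LOCALE.fullmatch(raw):
        raise ValueError(f"locale rejected: {raw!r}")
    path = posixpath.normpath(posixpath.join(LANG_DIR, raw + ".properties"))
    if posixpath.commonpath([LANG_DIR, path]) != LANG_DIR:
        raise ValueError("resolved path escapes LANG_DIR")
    return path


def looks_like_traversal(query_value):
    """Cheap log triage: decode twice (servers and apps often each decode once)
    and look for dot-dot segments or an embedded NUL."""
    decoded = unquote(unquote(query_value))
    return "../" in decoded or "..\\" in decoded or "\x00" in decoded


if __name__ == "__main__":
    for probe in ("en", "../../../../etc/passwd%00", "../../conf/secrets.xml%00"):
        print(probe, "->", vulnerable_lang_path(probe))
        try:
            print("   hardened:", hardened_lang_path(probe))
        except ValueError as err:
            print("   hardened: rejected,", err)
```

The severity argument in the article follows directly from the second probe: a traversal that reads an arbitrary file is "information disclosure" until the file it reads is the one holding the administrator's credentials, at which point it is the first step of a full compromise. That is why the prefix check uses commonpath rather than startswith (which would accept /opt/app/wwwroot/langx/...), and why the allowlist is the primary control.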

Episode 195 – Employee Kungfu, dot-matrix, BadB & Manga Fun

ISDPodcast Episode 195 for August 18, 2010.  Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm though other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children, His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transfers via telephone (770) 867-9111. Please place the account 00133835 on the check.  A PayPal account has been established and you can find on the right hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running from Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling course in Knoxville, TN, running from Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.

MyHardDriveDied.com:

Stories of Interest:
News Item 1:  http://www.csoonline.com/article/print/602925
[Notes: Keith - ah yes, those pesky employees and their creative ways to bypass our systems.]

There may have been a time when blocking certain sites was acceptable in most office environments. But what was once considered off-limits is now essential in many organizations. Social media sites like Facebook are a major part of many companies’ marketing strategy. Sites like YouTube present opportunities to share information about products or services visually. And IM and chat services like G-chat are free and efficient ways for employees to communicate.

“I think generally the business drives the policy,” said Dave Torre, founder and Chief Technology Officer of IT consultancy Atomic Fission. “If you work at the Department of Defense, I don’t think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn’t nearly enough. Obviously you have to use some common sense as an IT manager and say ‘What does our organization look like and how important are these tools on the internet for our users?’”
Workarounds: 5 ways employees try to access restricted sites
Company policy may forbid access to certain web sites, but some employees try creative techniques to view them anyway. Here are five common workarounds and what security can do about them.
Workaround 1: Typing IP address instead of domain name
Workaround 2: Finding a cached version
Workaround 3: Hiding behind encryption
Workaround 4: Using proxy servers and other privacy-friendly tools
Workaround 5: Using smartphones

News Item 2: http://www.theregister.co.uk/2010/08/10/side_channel_printer_attack/
Researchers have devised a novel way to recover confidential messages processed in doctors’ offices and elsewhere by analyzing the sounds made when documents are reproduced on dot-matrix printers.

This so-called side-channel attack works by recording the “acoustic emanations” of a confidential document being printed, and then processing it with software that translates the sounds into words. The method recovers as much as 95 per cent of the printed words when an attacker has contextual knowledge about the text being printed, such as the words included in a medical prescription or a living-will declaration. Up to 72 per cent of the text can be recovered when no context is known.

The attack, which so far works only on English text, was carried out under what the researchers described as “realistic — and arguably even pessimistic — circumstances,” in which there was no shielding from ambient noise such as that made by people chatting in a nearby waiting room. Despite the wide availability of inkjet and laser printers, about 60 per cent of doctors in Germany continue to use dot-matrix devices. About 30 per cent of banks in Germany do so as well, according to the researchers.  Countries such as Germany, Switzerland, and Austria require carbon-copy-capable dot-matrix printers to be used for printing prescriptions for narcotics, they said.

News Item 3: http://www.wired.com/threatlevel/2010/08/badb/
An alleged old-timer in the international carding community and one of the top sellers of stolen bank card data has been arrested in France, and faces extradition to the United States on an indictment unsealed Wednesday in Washington, D.C.

Vladislav Anatolievich Horohorin, 27, aka BadB, holds dual-citizenship in Ukraine and Israel and was one of the earliest members of CarderPlanet, a first of its kind Russian-language carding forum that was launched around 2002 by a group of East Europeans. CarderPlanet was shuttered in 2004, and BadB had more recently been selling his stolen goods at carder.su and on his own websites, dumps.name and badb.biz, where he promoted his product in lighthearted Flash cartoons like the one above.

Authorities say the network created by Horohorin and other CarderPlanet veterans is linked to “nearly every major intrusion of financial information reported to the international law enforcement community.”

According to the indictment, Horohorin bragged online that he was one of the biggest sellers of “dumps” (account and other data stored on a bank card’s magnetic stripe) and had been a card seller for about eight years. Undercover agents from the U.S. Secret Service negotiated purchases of stolen data from him and worked with French authorities to arrest him.

News Item 4: http://www.asahi.com/english/TKY201008040281.html
[Notes: Karthik - You gotta love this virus. Manga fans come up with the craziest of ideas, don't they? :) ]

A hardened computer hacker has been arrested on suspicion of writing a computer virus that systematically destroys all the files on victims’ PCs and replaces them with homemade manga images of squid, octopuses and sea urchins. Between 20,000 and 50,000 computers may have been infected.

Masato Nakatsuji, 27, of Izumisano, Osaka Prefecture, was quoted as telling police: “I wanted to see how much my computer programming skills had improved since the last time I was arrested.”

He was collared in 2008 for violating copyright laws by creating a computer virus that replaced data with an anime image. He was serving a suspended sentence for that offense when he was arrested in connection with the latest virus.

Police are investigating him on suspicion of property destruction, because the new virus destroyed files on victims’ computers. It is the first time that Tokyo’s Metropolitan Police Department has arrested someone for property destruction in connection with disseminating a computer virus. According to the police, since the virus makes it impossible to retrieve the original computer files, those files have effectively been destroyed.

Specialist police officers handling high-tech crimes said Nakatsuji is suspected of writing the Ikatako (squid-octopus) virus, which was distributed using the Winny file-sharing program in May, disguised as a file for anime songs. A 37-year-old unemployed man downloaded the file to his computer and it became infected with the Ikatako virus. About 11,000 of the 64,000 files on his computer were destroyed. When he realized something was wrong, the man pulled the plug on his computer, preventing further damage.

The virus gets its name because infected files are replaced by manga images of a squid, octopus or sea urchin. If the virus is left unchecked, all files in the computer’s hard disk become infected. When a user tries to open a file, all the individual can access is a manga image of a marine invertebrate. The virus also is programmed to transmit all the files in the infected computer to a server believed to have been set up by Nakatsuji. Police said he had told them that the server contained data from about 50,000 people. Police have confirmed the existence of data for about 20,000 computer users.

Nakatsuji, who was convicted for violating copyrights in his previous case, was quoted as telling police he felt he would not be arrested again because he had created the manga images for Ikatako himself, therefore avoiding a violation of the copyright law.