Your daily source of Pwnage, Policy and Politics.

Episode 206 – China Isolationism, Gmail Flaw, Pushdo & MS SDL


ISDPodcast Episode 206 for September 2, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals, held to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling course in Knoxville, TN, running Tuesday, October 12, 2010 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

Other upcoming cons Adrian will be at:

  • Phreaknic, Oct 15-17 2010, Nashville, TN (http://www.phreaknic.info)
  • Hak3rCon, Oct 23-24 2010, Charleston, WV (http://www.hack3rcon.org)

MyHardDriveDied.com:

News Item 1:  http://www.computerworld.com/s/article/9182218/China_policy_could_force_foreign_security_firms_out
China is stepping up efforts to keep the security systems that protect its critical infrastructure in the hands of local firms, and that could be bad news for companies based outside the country.

China has started sending out inspectors to check for compliance with a little-known initiative called the Multi-Level Protection Scheme (MLPS), the Associated Press reported Wednesday. Introduced three years ago by China’s Ministry of Public Security, it mandates that core products used by government and infrastructure companies such as banks and transportation must be provided by Chinese companies.

Over the past year, government inspectors have been telling some companies that they must switch to Chinese firewalls and other types of security technology, the AP said.

The development could force security vendors such as Cisco Systems and Symantec out of important parts of the growing market, or force them to partner with local businesses, said Stephen Kho, senior counsel with Akin Gump Strauss Hauer & Feld, an international law firm based in Washington. “Right now, it seems to only affect the companies that are in the information security sector,” he said.

News Item 2: http://www.crn.com/news/cloud/227100713/google-repairs-gmail-spam-glitch.htm;jsessionid=SPndGhUrW+OHL-2lyGB02Q**.ecappj02
Google downplayed the flaw by contending that the bug affected less than 2.5 percent of its user base, which adds up to a significant number in light of the fact that there are about 160 million Gmail accounts around the world, according to a comScore statistic cited by The Wall Street Journal. All in all, that “could still mean that over 4 million people have been turned into spammers by a bug in their Web e-mail system,” wrote Graham Cluley, senior technology consultant for security firm Sophos, in a blog post Friday.

Affected users were able to access Google Mail, but were treated to error messages and other buggy behavior from Gmail that repeatedly sent messages to people on their contact lists. The repeated messages resulted in many of the Gmail users being added to spam lists after they inadvertently sent messages to spammers.

“The problem with Google Mail should be resolved,” Google said in an Apps Status Dashboard update. “We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.”

News Item 3: http://threatpost.com/en_us/blogs/researchers-cripple-pushdo-botnet-082710
Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet’s spam operations.

After doing an analysis of Pushdo’s command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.

The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.

At the time of Pushdo’s appearance several years ago, researchers found evidence that Pushdo’s creators had gone to some lengths to avoid detection and prevent removal of the malware associated with the botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.

Pushdo – Analysis of a Modern Malware Distribution System - http://www.secureworks.com/research/threats/pushdo/

Pushdo Update – http://isc.sans.edu/diary.html?storyid=8131

News Item 4:   http://www.h-online.com/open/news/item/Microsoft-s-Security-Development-Lifecycle-under-Creative-Commons-License-1068172.html
Microsoft is to change the license for its process for developing secure software. In future, the company’s Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on “trustworthy computing”. The resulting programme was intended to make security an integral part of the company’s software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.