Your daily source of Pwnage, Policy and Politics.

Episode 213 – T-Mobile, SE CTF, HackIsWack, DP HeatMap & WoW Phishing


ISDPodcast Episode 213 for September 15, 2010.  Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski.

Announcements:

Atlanta ISSA:

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling course in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

Other upcoming cons Adrian will be at:

  • Phreaknic, Oct 15-17 2010, Nashville, TN – http://www.phreaknic.info
  • Hak3rCon, Oct 23-24 2010, Charleston, WV – http://www.hack3rcon.org

MyHardDriveDied.com:

Bsides Atlanta:

Stories of Interest:
News Item 1: http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy
[Notes Keith: Another case of proactively reacting to the internal theft of customer information. This time it was an employee of T-Mobile who stole an unnamed number, thousands, of customer records then resold the information to competitors. While they claim this is the biggest breach of its kind, I personally find that claim hard to believe; this isn't the first time data has been stolen then resold by employees. While the ICO is pushing for legislation, fines and jail time for offenders... where is the punishment here for the companies not implementing minimal standards for the protection of the data, controlling access as well as auditing the access to that information? More liability needs to be placed on the companies and less on the legal system which is already overburdened.]

Personal details of thousands of mobile phone customers have been stolen and sold to rival firms in the biggest data breach of its kind, the government’s privacy watchdog said today.

News Item 2: http://www.social-engineer.org/general-blog/defcon-18-social-engineer-ctf-contest-findings-report-summary/
The final report, released today, from the Social Engineering Capture The Flag contest held in August at Defcon: Security companies were just as susceptible to social engineering as nontechnology firms, Internet Explorer 6 was still in use at 65 percent of the Fortune 500 companies targeted in the contest, and nearly 90 percent of the targets willingly opened a URL that the contestants gave them.
The contest, in which the art of social engineering was demonstrated on a rare public stage using real-world targets, was aimed at gauging the vulnerability of major corporations to social engineering. And the 17 contestants, who had to compile a dossier of as much information as they could gather passively on their assigned target company beforehand (no phone calls, email, or direct contact), had little trouble scoring information in the 25 minutes they had to social-engineer someone on the other end of the telephone line during the contest. The event was open to Defcon attendees to watch as the contestants made their calls from a soundproof booth.

Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart were on the list of targeted companies. The contest organizers aren’t saying which company’s employees gave up what information, but they admit the contestants were able to get plenty out of their targets.

News Item 3: http://www.theregister.co.uk/2010/09/09/symantec_hackiwack_rickrolled_again/
Symantec’s hapless HackIsWack cybercrime rap competition site can still be rickrolled, despite assurances to the contrary from the security giant.

A web application filter was deployed to block an earlier cross-site scripting attack, but this filter is configured to allow a YouTube video featuring rapper Snoop Dogg, who has been recruited to promote the project, to be displayed. That means that even though the initial attack no longer works, unresolved vulnerabilities on the site mean that it can still be rickrolled onto YouTube videos, as you can see here.

The apt use of Beaker from the Muppets singing Rick Astley is a fitting tribute to the whole HackIsWack endeavour. The rap competition has the laudable aim of raising cybercrime awareness, but is chiefly noteworthy for security snafus that have made Symantec look rather silly, instead of down with the kidz.

The rickrolling cross-site scripting bug was only the most publicised of the site’s flaws. Other problems included the caching of potentially sensitive data and upload security problems, among others, according to a write-up by security blogger Mike Bailey last week.
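The point in the story is that the filter was tuned to let a YouTube embed through rather than to let exactly one intended video through, so other YouTube videos slipped past it. The following is an added illustration, not code from the article or from Symantec's site, of the difference between a broad "it looks like YouTube" rule and a strict allow-list rule; the video ids and hostname checks are constructed placeholders and the helper names are hypothetical.

```javascript
// Added example (not from the original article or the HackIsWack site):
// two ways a web-application filter might decide whether an embedded video
// URL is allowed. Video ids below are constructed placeholders.

// The single video the site intends to display (constructed placeholder id).
const PROMO_VIDEO_ID = "PROMO_VIDEO_ID_PLACEHOLDER";

// Overly broad rule: "anything that mentions YouTube is fine".
// Any YouTube video, not just the promo clip, passes this check.
function broadFilterAllows(url) {
  return url.includes("youtube.com");
}

// Strict rule: parse the URL and require the scheme, the exact host, the
// embed path and an allow-listed video id. Everything else is rejected.
function strictFilterAllows(url, allowedIds = [PROMO_VIDEO_ID]) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not a valid absolute URL
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.hostname !== "www.youtube.com") return false;
  // Only the embed path with a single id segment is acceptable.
  const match = /^\/embed\/([A-Za-z0-9_-]+)$/.exec(parsed.pathname);
  if (!match) return false;
  // No query string or fragment: extra parameters are not part of the allow-list.
  if (parsed.search !== "" || parsed.hash !== "") return false;
  return allowedIds.includes(match[1]);
}

// Constructed sample inputs: the intended promo embed and some variations.
const SAMPLE_URLS = [
  "https://www.youtube.com/embed/" + PROMO_VIDEO_ID,
  "https://www.youtube.com/embed/OTHER_VIDEO_ID_PLACEHOLDER",
  "https://www.youtube.com/embed/OTHER_VIDEO_ID_PLACEHOLDER?autoplay=1",
  "http://www.youtube.com/embed/" + PROMO_VIDEO_ID,
];

// Runs both rules over the samples so the difference is visible side by side.
function compareFilters(urls = SAMPLE_URLS) {
  return urls.map((u) => ({
    url: u,
    broad: broadFilterAllows(u),
    strict: strictFilterAllows(u),
  }));
}

console.table(compareFilters());
```

The broad rule accepts all four sample URLs; the strict rule accepts only the one promo embed over https with no extra parameters. Pinning the allow-list to a specific id is what keeps a filter from becoming a general-purpose embed for whatever video a visitor chooses.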

News Item 4: http://www.forrester.com/cloudprivacyheatmap

Country-specific regulations governing privacy and data protection vary greatly. To help you grasp this issue at a high level, Forrester created a privacy heat map that denotes the degree of legal strictness across a range of nations.

“Map View” provides a visual representation or choose “List View” for a directory of countries with specific data protection and privacy regulations.
US:

  Minimal Restrictions:                                          Caution, government surveillance
  National Data Protection Law:                                  FISMA, GLBA, HIPAA
  Scope of Protection:                                           Selected personal information
  Covered entities:                                              Selected public and private entities
  Data transfers to countries w/o adequate data protection laws: Allowed
  Meets EU "adequacy" standards:                                 Yes – only if the company adheres to US Safe Harbour Privacy Principles
  Agency established to enforce law:                             Yes

News Item 5:  http://www.avertlabs.com/research/blog/index.php/2010/09/13/world-of-warcraft-spearphishing-and-boting
So there is a story from McAfee where someone is playing WoW with a Dwarf paladin named Boulderbrain. He was at the Stormwind bank minding his own business when he suddenly got this whisper.

The message is telling him that Blizzard suspects his account of using third-party tools to cheat and that he would need to go to their website, log in and check his account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

This particular fake was hosted on an IP address that had a pretty questionable report. World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using 2-factor authentication (commonly called 2FA or simply tokens), which can add an additional layer of protection to your logon credentials.

Translation: WoW is subject to phishing attacks.