Audio: http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 213.mp3
ISDPodcast Episode 213 for September 15, 2010. Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- ShoeCon – Atlanta, GA, September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
- This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email email@example.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
- When: Friday, October 8, 2010
- Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).
Stories of Interest:
News Item 1: http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy
[Notes Keith: Another case of proactively reacting to the internal theft of customer information. This time it was an employee of T-Mobile who stole an unnamed number, thousands, of customer records, then resold the information to competitors. While they claim this is the biggest breach of its kind, I personally find that claim hard to believe; this isn't the first time data has been stolen and then resold by employees. While the ICO is pushing for legislation, fines and jail time for offenders, where is the punishment here for the companies not implementing minimal standards for the protection of the data, controlling access as well as auditing the access to that information? More liability needs to be placed on the companies and less on the legal system, which is already overburdened.]
Personal details of thousands of mobile phone customers have been stolen and sold to rival firms in the biggest data breach of its kind, the government’s privacy watchdog said today.
News Item 2: http://www.social-engineer.org/general-blog/defcon-18-social-engineer-ctf-contest-findings-report-summary/
The final report, released today, from the Social Engineering Capture The Flag contest held in August at Defcon: Security companies were just as susceptible to social engineering as nontechnology firms, Internet Explorer 6 was still in use at 65 percent of the Fortune 500 companies targeted in the contest, and nearly 90 percent of the targets willingly opened a URL that the contestants gave them.
The contest, in which the art of social engineering was demonstrated on a rare public stage using real-world targets, was aimed at gauging the vulnerability of major corporations to social engineering. And the 17 contestants, who had to compile a dossier of as much information as they could gather passively on their assigned target company beforehand (no phone calls, email, or direct contact), had little trouble scoring information in the 25 minutes they had to social-engineer someone on the other end of the telephone line during the contest. The event was open to Defcon attendees to watch as the contestants made their calls from a soundproof booth.
Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart were on the list of targeted companies. The contest organizers aren’t saying which company’s employees gave up what information, but they admit the contestants were able to get plenty out of their targets.
News Item 3: http://www.theregister.co.uk/2010/09/09/symantec_hackiwack_rickrolled_again/
Symantec’s hapless HackIsWack cybercrime rap competition site can still be rickrolled, despite assurances to the contrary from the security giant.
A web application filter was deployed to block an earlier cross-site scripting attack, but this filter is configured to allow a YouTube video featuring rapper Snoop Dogg, who has been recruited to promote the project, to be displayed. That means that even though the initial attack no longer works, unresolved vulnerabilities on the site mean that it can still be rickrolled onto YouTube videos, as you can see here.
The apt use of Beaker from the Muppets singing Rick Astley is a fitting tribute to the whole HackIsWack endeavour. The rap competition has the laudable aim of raising cybercrime awareness, but is chiefly noteworthy for security snafus that have made Symantec look rather silly, instead of down with the kidz.
The rickrolling cross-site scripting bug was only the most publicised of the site’s flaws. Other problems included the caching of potentially sensitive data and upload security problems, among others, according to a write-up by security blogger Mike Bailey last week.
News Item 4: http://www.forrester.com/cloudprivacyheatmap
Country-specific regulations governing privacy and data protection vary greatly. To help you grasp this issue at a high level, Forrester created a privacy heat map that denotes the degree of legal strictness across a range of nations.
“Map View” provides a visual representation; choose “List View” for a directory of countries with specific data protection and privacy regulations.
Minimal Restrictions: Caution, government surveillance
National Data Protection Law: FISMA, GLBA, HIPAA
Scope of Protection: Selected personal information
Covered entities: Selected public and private entities
Data transfers to countries w/o adequate data protection laws: Allowed
Meets EU “adequacy” standards: Yes, only if the company adheres to US Safe Harbour Privacy Principles
Agency established to enforce law: Yes
News Item 5: http://www.avertlabs.com/research/blog/index.php/2010/09/13/world-of-warcraft-spearphishing-and-boting
So there is a story from McAfee where someone is playing WoW with a Dwarf paladin named Boulderbrain. He was at the Stormwind bank minding his own business when he suddenly got this whisper.
The message tells him that Blizzard suspects his account of using third-party tools to cheat and that he needs to go to their website, log in and check his account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site.
This particular fake was hosted on an IP address that had a pretty questionable reputation. World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using 2-factor authentication (commonly called 2FA or simply tokens), which adds an additional layer of protection to your logon credentials.
Translation: WoW is subject to phishing attacks.