Your daily source of Pwnage, Policy and Politics.

Episode 215 – Naked Presentation, Vetting Data Recovery & JMPC Apple

ISDPodcast Episode 215 for September 17, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Adrian Crenshaw.

Announcements:

ShoeCon 2010:

  • When: Saturday, September 18, 2010
  • Where: Wellesley Inn-Atlanta Airport (Google Maps)
  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence – SANS Forensics 508 – Computer Forensics and Investigations in Sandy Springs, GA
  • Adrian Sanabria – SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN

The Louisville Metro InfoSec Conference:

Bsides Atlanta:

Phreaknic:

Hak3rCon:

MyHardDriveDied.com Data Recovery Class:

  • Dallas, TX – October 11th – 15th
  • Washington, DC – December 6th – 10th
  • Use the Discount Code: isdpodcast for a $300 discount.

Defcon and Blackhat 2010 videos:

Awesome Search Site:
http://www.shodanhq.com

Stories of Interest:
News Item 1: http://www.secmaniac.com
Social-Engineer Toolkit version 0.7.1 released, added file format attacks to the USB/DVD attack vector.

News Item 2: http://weblogs.baltimoresun.com/news/crime/blog/2010/09/employee_charged_with_hacking.html
It happened one day last year, as more than a dozen board members of a Baltimore substance abuse center had gathered around a conference room. The CEO was giving a PowerPoint presentation on his accomplishments.

Suddenly, his computer shut down, then restarted, replacing the latest slide with an image of a naked woman projected onto a 64-inch screen. The board, whose members include city officials and foundation heads, is chaired by Baltimore’s health commissioner.

Today, Baltimore’s State’s Attorney’s Office announced a grand jury had indicted Walter Powell, 51, with hacking into the computer system. They described him as a disgruntled worker who allegedly used his home computer to access the system, distribute confidential emails from his boss and break into the presentation.

The CEO of the Baltimore Substance Abuse System Inc., which distributes public funds to more than 50 substance abuse programs helping thousands of people, told me the attack cost $80,000 — mostly to rebuild the system, replace software and upgrade security measures.

The CEO, Greg Warren, said no confidential information leaked out.

News Item 3: http://gcn.com/articles/2010/09/06/data-recovery-vetting.aspx
Many government and private-sector organizations consider recovering data from damaged laptop PC hard drives to be a minor budget item that third-party vendors can best handle. But a seemingly inexpensive fix could lead to compromised or stolen data, network breaches and other security nightmares because organizations typically do not vet data recovery vendors.

The National Institute of Standards and Technology has issued new guidelines to resolve that problem, but it will be at least a year before agencies are required to fully comply with them.

When recovering intellectual property or sensitive documents stored in damaged equipment, major security problems can arise if agencies or companies have not paid attention to vetting data recovery vendors, experts say.

The NIST guidance, which appeared as part of the institute’s Special Publication 800-34 Rev 1, “Contingency Planning Guide for Federal Information Systems,” represents a small part of the publication that covers the entire breadth of data recovery procedures for federal agencies, said Marianne Swanson, NIST’s senior adviser for information systems security.

News Item 4:  http://blog.skeptikal.org/2010/09/cross-subdomain-session-fixation.html
Last fall I wrote a bit about cross-subdomain cookie attacks. As often as I come across more uses for them, I think that they are a much more serious issue than most people (myself included) have made them sound. Today, I came across a variant which I’d theorized about in the past, but never bothered to find in the wild, and I think it merits some attention.

You may be familiar with Hack Is Wack, a stupid marketing campaign from Norton/Symantec. The premise is simple: users submit videos, which are voted on, and the winner gets to roll with Snoop Dogg…’s manager. You may not know it, but most of Snoop’s music is information security-related. “What’s My Name” is about AuthN, “Drop it like it’s Hot” is about SQL injection, not to mention constant references to cron, gzip, and other unix commands in his lyrics. It’s really a pretty natural match.

At any rate, the Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There are the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it’s currently in Alpha).
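As an added illustration, not code from the podcast or from the quoted post, here is a small Python model of the cross-subdomain session fixation the post refers to. It uses constructed hosts (www.example.com and a sibling subdomain scoping a cookie to example.com) and a constructed session id, and shows the vulnerable server that adopts a browser-presented session id beside the hardened one that regenerates the id at login.

```python
import secrets
from typing import Dict, Optional, Tuple


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: a cookie scoped to example.com is sent to
    example.com itself and to every subdomain, e.g. www.example.com. This is
    why a cookie set by any sibling subdomain reaches the main site."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


class SessionStore:
    """Server-side session table: session id -> authenticated user."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, str] = {}

    def login(self, presented_sid: Optional[str], user: str) -> str:
        # Vulnerable behaviour: bind the login to whatever 'sid' cookie the
        # browser presented. Hardened behaviour: always mint a fresh id at
        # login, so an id the server did not issue never becomes authenticated.
        if self.regenerate_on_login or not presented_sid:
            sid = secrets.token_hex(16)
        else:
            sid = presented_sid
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def fixation_scenario(regenerate_on_login: bool) -> Tuple[bool, Optional[str]]:
    """Replay the cross-subdomain fixation with constructed values.
    Returns (planted cookie reaches main site, user bound to planted id)."""
    planted_sid = "deadbeef" * 4  # constructed id planted via Set-Cookie on a subdomain
    # Domain=example.com set by a sibling subdomain is in scope for www.example.com.
    reaches_main_site = domain_matches("www.example.com", "example.com")
    store = SessionStore(regenerate_on_login)
    # The victim logs in; the browser presents the planted cookie with the request.
    store.login(planted_sid if reaches_main_site else None, "victim")
    return reaches_main_site, store.user_for(planted_sid)
```

With regeneration off, the planted id ends up mapped to the victim's account; with regeneration on, the same cookie reaches the site but never becomes an authenticated session, which is the check a defender wants in any login handler.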