2010.09.21

InfoSec Daily Podcast

ISDPodcast Episode 217 for September 21, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Announcements:

The Louisville Metro InfoSec Conference:
http://www.louisvilleinfosec.com
When: Thursday, October 7th, 2010
Where: Churchill Downs

Bsides Atlanta:
http://www.securitybsides.com/BSidesAtlanta
When: Friday, October 8, 2010
Where: Think Inc World HQ, 1375 Peachtree St.  Suite 600, Atlanta, Ga (The Earthlink Bldg).
http://bsidesatlanta.eventbrite.com/

MyHardDriveDied.com Data Recovery Class:

http://www.myharddrivedied.com
Dallas, TX – October 11th – 15th
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.


SANS Mentoring Program:

Jason Lawrence – SANS Forensics 508 – Computer Forensics and Investigations in Sandy Springs, GA
http://www.sans.org/mentor/details.php?nid=21538
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15 for a 15% discount.

Adrian Sanabria
- SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN
http://www.sans.org/mentor/details.php?nid=22258
When: Tuesday, October 12, 2010 – Tuesday, December 14, 2010
Use the Discount Code: isdpod15KY for a 15% discount.

Phreaknic:

http://www.phreaknic.info
When: Oct 15-17 2010
Where: Nashville, TN

Hak3rCon:

http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV

Stories of Interest:
News Item 1: http://fcw.com/articles/2010/09/13/cybererye-targeting-the-head-of-cybercrime.aspx

There appears to be little relief in sight from the relentless onslaught of spam that continues to deliver malicious code and phishing lures to our inboxes day in and day out. According to Symantec’s “State of Spam and Phishing Report” for August, spam made up more than 92 percent of e-mail last month. The percentage of spam has fluctuated from a low of about 79 percent in November to more than 95 percent, but it has held pretty steady around 90 percent for most of the past year.

But there might be a small patch of light on the horizon, coming from – of all places – the U.S. District Court for the Eastern District of Virginia, where a judge has recommended that ownership of 276 Internet domains used by the Waledac botnet be turned over to Microsoft. If the judgment comes down from the court, it would effectively cut off the botnet’s command and control network.

That action, part of Microsoft’s Operation b49 to use existing federal law against organized cyber crime, will not by itself stop the criminals. Communications within the Waledac botnet have been effectively shut down since March, soon after Microsoft first went to court. But volumes of spam – one of the most effective means of delivering malware and opening doors for criminals – bounce back every time a botnet is taken down. However, the technique of attacking the criminals eventually could prove more effective than improving spam filters and antivirus engines.

News Item 2: http://www.bankinfosecurity.com/articles.php?art_id=2911
Telephone-based phishing, or vishing scams, are quickly ranking among the most popular socially-engineered schemes perpetrated by fraudsters. The latest target: The Federal Deposit Insurance Corp., which last week warned of a vishing scam that is duping consumers.

According to the FDIC’s statement, the criminals behind the vishing calls allegedly told consumers they were delinquent in loan payments that had been applied for over the Internet or made through a payday lender. The loans may or may not have even existed, giving the vishers an opportunity to collect personal information to confirm the authenticity of the loans. Recipients of the calls said the vishers requested everything from Social Security numbers to dates of birth.

The FDIC-related vishing scam is but one in a number of targeted vishing attacks reported in recent months – a reflection of the growing sophistication of the criminals who perpetrate socially engineered schemes.

News Item 3: http://www.infosecurity-magazine.com/view/12566/second-qualys-annual-report-shows-increasing-hacker-sophistication/
Qualys Report: http://dvlabs.tippingpoint.com/toprisks2010
Keith: While it’s interesting to read the report, its focus is not on the passive attacks aimed at certain flaws, but on concerted, targeted and persistent attacks against specific entities. True hostiles are technically competent and no longer just the script kiddies playing with Windows toys.

interesting points:
1) attackers are no longer single individuals but groups, and well trained
2) web application developers, database administrators and system administrators continue to lack security training
- PHP RFI and LFI, SQL Injections, etc
3) legacy vulnerabilities continue to exist on production systems
4) client side attacks are on the rise and those responsible are not taking the threats seriously
- PDF, Flash, Quicktime
5) botnets continue to develop

Despite the slew of free and low-cost training and documentation available, it is not being utilized by the responsible parties.

News Item 4:  http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats
http://gawker.com/5640290/google-spy-could-face-jail-time

We entrust Google with our most private communications because we assume the company takes every precaution to safeguard our data. It doesn’t. A Google engineer spied on four underage teens for months before the company was notified of the abuses. David Barksdale, a 27-year-old former Google engineer, repeatedly took advantage of his position as a member of an elite technical group at the company to access users’ accounts, violating the privacy of at least four minors during his employment, we’ve learned. Barksdale met the kids through a technology group in the Seattle area while working as a Site Reliability Engineer at Google’s Kirkland, Wash. office. He was fired in July 2010 after his actions were reported to the company.

It’s unclear how widespread Barksdale’s abuses were, but in at least four cases, Barksdale spied on minors’ Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he’d befriended, Barksdale tapped into call logs from Google Voice, Google’s Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid’s account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others’ privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he’d looked up behind the person’s back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.