Your daily source of Pwnage, Policy and Politics.

Episode 234 – Indian OS?, Voting Pilot, SamuraiWTF, FB & BB Attachment


ISDPodcast Episode 234 for October 14, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Karthik Rangarajan.

Announcements:

MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: ISDPOD15 for a 15% discount.
Phreaknic:
http://www.phreaknic.info
When: Oct 15-17 2010
Where: Nashville, TN


Hack3rCon:
http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV

Stories of Interest:

News: http://www.theinquirer.net/inquirer/news/1741665/india-plans-write

[Karthik: This just makes me go wtf. All patriotism and such fancy things aside, it’s just a stupid idea]

THE INDIAN GOVERNMENT wants to write its own PC operating system (OS) rather than rely on Western technologies. India’s Defense Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won’t have to rely on Western operating systems that it thinks aren’t up to the job of thwarting cyber attacks. The DRDO specifically wants to design and develop its own OS that is hack-proof to prevent sensitive data from being stolen. According to the Economic Times in India, the DRDO already has most of the infrastructure to build the OS in place. It has 50 scientists and IT specialists located in New Delhi and Bangalore spearheading a national effort to create the OS. Dr V K Saraswat, scientific adviser to the Defence Minister said that the OS was needed to protect India’s economic framework. “In today’s world where you have tremendous requirements of security on whatever you do … economy, banking and defence … it’s essential that you need to have an operating system,” said Saraswat. “The only way to protect it is to have a home-grown system, the complete architecture … source code is with you and then nobody knows what’s that,” he added.

“Though it will be a real-time system with Windows software, source code and architecture will be proprietary, giving us the exclusivity of owning a system unknown to foreign elements and protect our security system,” he added. The news comes as the Indian government, like others, has been leaning on RIM so it can access communications on Blackberry smartphones.

“We cannot help but both admire such an ambitious undertaking and wonder how well the Indian government has really thought all this out. We also imagine that it might be a few years before it will be worth asking whether India has actually gotten anywhere with this project” says the article.

News: http://gawker.com/5656641/students-hack-washington-dcs-web-voting-system-to-play-college-fight-song
A pilot internet voting program in Washington D.C. for this November’s elections has been scrapped. Why? Well, officials invited hackers to give the system their “best shot,” and some college kids did—and pulled off a pretty good prank.

During a trial period of the web voting system last week, the Board of Elections and Ethics asked “computer experts” to “prod its vulnerabilities” in preparation for the upcoming elections—in which the system was going to be put to use by some 900 overseas voters in lieu of absentee ballots. But the trial period was quickly put on hold, with the board citing “usability issues.”

“Usability issues,” like the fact that the site would play the University of Michigan fight song, “Hail to the Victors,” after users cast a ballot.

Apparently, U. of Mich. Prof. J. Alex Halderman, who had been working on the project, “unleashed his students” (in the words of the election board’s chief technology officer Paul Stenbjorn) on the system. And this was the result. According to Stenbjorn, that particular hole has been closed, but the board has decided to scrap the “digital vote by mail” pilot program out of concern.

Tool: SamuraiWTF 0.9 has been released! http://sourceforge.net/projects/samurai

News: http://www.networkworld.com/news/2010/100710-facebook-takes-on-privacy-with.html
http://blog.facebook.com/blog.php?post=436800707130
http://www.infosecurity-magazine.com/view/13212/controversy-over-new-facebook-security-feature/
Facebook CEO Mark Zuckerberg announced several new tools for the social networking site, including one designed to enable users to download any of their information from the site. Another new tool is a dashboard that allows users to monitor what applications they’ve used on Facebook and delete them more easily.

The new feature that’s received the most attention is Facebook Groups, which lets users break up their friends into subgroups. For example, an employee who might not want his boss to see an update about a job interview can make that post available for only a few online friends to see.

Industry analysts note that behind these additions to the popular social site are its users’ festering frustrations over Facebook’s privacy, or lack of it. “Facebook has shown that they’ve heard the message on privacy and user control,” said Dan Olds, an analyst with The Gabriel Consulting Group. “These new features, along with the privacy control revamp earlier this year, finally give users the ability to fine tune what people on their list can and can’t see. With the Groups feature, Facebook is giving users a much more granular way to set access parameters and to separate their family and close friends from mere acquaintances.”

Olds isn’t alone in thinking that Facebook is working to quell some of its ongoing privacy issues.

News: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24547

RIM has released a security advisory to address a security issue in the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. According to RIM, the vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or execution of arbitrary code on the computer that the BlackBerry Attachment Service runs on.

The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.

Exploitation of the vulnerability requires a BlackBerry user to open a malicious PDF file on a BlackBerry device that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry user may retrieve it from a web site using the Get Link menu item on the BlackBerry device. RIM has given the vulnerability a Common Vulnerability Scoring System (CVSS) score of 7.6.