Your daily source of Pwnage, Policy and Politics.

Episode 236 – CALEA, Demand for InfoSec, ZAP & Aldi


ISDPodcast Episode 236 for October 18, 2010. Tonight’s podcast is hosted by Rick Hayes, Karthik Rangarajan and Keith Pachulski.

Announcements:

MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: ISDPOD15 for a 15% discount.

SANS Cyber Defense Initiative 2010
Washington, DC,
Marriott Wardman Park
Dec 10-17
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx


Hack3rCon:

http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV

BSidesDelaware:

When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Eventbrite: http://bsidesde-Wiki.eventbrite.com
Schedule – CFP is open

Vuln of Interest:

Weak NTLM NONCE Vulnerability http://www.exploit-db.com/exploits/15266/

The patch was released back in February – if you haven't patched, now is probably a good time. The code on the Exploit DB site is for both detecting and exploiting the vuln.

MS Patch – http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx

Stories of Interest:

News: http://www.skype.com/intl/en-us/get-skype/on-your-mobile/skype-mobile/android/
Skype announced the long-awaited release of the Android version of its messaging software. On Thursday, it was cracked and ready to be used over 3G. Users with phones running Android 2.1 and 2.2 can download the free app to make free Skype-to-Skype calls. In the US, calls are limited to Wi-Fi only. In Europe and elsewhere, however, users can also make Skype calls over GPRS, EDGE, or 3G.

The US limitation is now gone, thanks to hackers who have managed to enable VoIP calling over 3G networks. The 3G-enabled app, posted on DroidForums.net (via Engadget), requires users to manually install the hacked .apk file.

In addition to free Skype-to-Skype calls, users can also make low cost calls to landlines or mobile phones, instant message their contacts, and receive calls through a Skype online phone number. Skype contacts can also be synced to Android’s native address book. Skype for Android has been successfully tested on a range of handsets including the HTC Desire, HTC Legend, the Google Nexus One, and the Motorola Droid. It also supports a range of languages including English, French, German, Italian, Japanese, Chinese, Spanish, Swedish, and Russian.

News: http://www.darkreading.com/security_monitoring/security/government/showArticle.jhtml?articleID=227900053

Two top intelligence officials last week warned that tech-savvy terrorists are using the Web to recruit for, plan, facilitate, and even accelerate their criminal acts. Their comments set the stage for what’s likely to become a heated national debate over wiretapping the Internet.

James Clapper, the new U.S. director of national intelligence, and Robert Mueller, the director of the FBI, gave a sobering account of the growing use of the Web by violence-prone adversaries. Their statements take on added significance in light of the Obama administration’s push for legislation, being drafted now, that would force communications service providers to establish the capability to intercept and unscramble communications traveling over their networks. Clapper and Mueller spoke at the Bipartisan Policy Center’s State of Domestic Intelligence Reform conference.
Seriously? What ever happened to CALEA? http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

CALEA’s purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time.

The original reason for adopting CALEA was the Federal Bureau of Investigation’s worry that increasing use of digital telephone exchange switches would make tapping phones at the phone company’s central office harder and slower to execute, or in some cases impossible. Since the original requirement to add CALEA-compliant interfaces required phone companies to modify or replace hardware and software in their systems, U.S. Congress included funding for a limited time period to cover such network upgrades. CALEA was passed into law on October 25, 1994 and came into force on January 1, 1995.

In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA — and more than 3,000 percent growth in interception of internet data such as email. By 2007, the FBI had spent $39 million on its DCSNet system, which collects, stores, indexes, and analyzes communications data.

News: http://www.theepochtimes.com/n2/content/view/44016/
Symantec Corp has released a survey indicating that more than half of critical infrastructure providers have been attacked. Critical information infrastructure is defined as businesses and industries that could pose a threat to national security if their cyber networks were breached or disabled, according to Internet security company Symantec.

The survey was conducted by Symantec in August 2010, and included 1,580 enterprises in 15 countries. It focused on six segments of the critical infrastructure: energy, banking & finance, communications, IT, health care, and emergency services, according to Symantec.

Participants in the study who said they were hit by such attacks reported that they were targeted an average of 10 times over the last five years, which cost them an average of $850,000, according to Symantec.

It adds that the energy industry was the best prepared for such attacks, while the communications industry was the least prepared. Only a third of the critical infrastructure providers said they feel “extremely prepared against all types of attacks,” with 31 percent saying they “felt less than somewhat prepared,” according to Symantec.

News: http://www.infosecurity-us.com/view/13263/information-security-products-and-services-market-to-surpass-125-billion-by-2015/

The demand for information security products and services will be fuelled by increasing frequency and intensity of cyber attacks against enterprises, government institutions, and consumers, as well as by the need of companies to comply with industry and government mandates.

The United States and Europe are expected to account for the lion’s share of the revenues in the global market, according to Information Security Products and Services: A Global Strategic Business Report, which profiles 482 companies.

Tool: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

ZAP is actually a fork of Paros Proxy that features:

* Intercepting proxy
* Automated scanner
* Passive scanner
* Spider

News: http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes

A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.

Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.

The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.

So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.