ISDPodcast Episode 237 for October 19, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Use the Discount Code: isdpod15 for a 15% discount.
SANS Cyber Defense Initiative 2010
Washington, DC,
Marriott Wardman Park
Dec 10-17
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx
Hack3rCon:
http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV
BSidesDelaware:
When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Eventbrite: http://bsidesde-Wiki.eventbrite.com
Schedule – CFP is open
Stories of Interest:
News: http://cyberinsecure.com/microsoft-dns-hijacked-ip-addresses-are-used-to-push-farma-spam/
For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. The 1,025 unique websites — which include seizemed.com, yourrulers.com, and crashcoursecomputing.com — push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health & Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.
By examining the results of an internet lookup tool, it was determined that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites.
The most likely explanation, according to the researchers, is that a machine on Microsoft’s campus has been programmed to serve these zones, probably after it became infected with malware.
“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”
Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honey pot that’s deliberately hosting the name servers so that researchers can secretly monitor the gang’s operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.
A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.
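An added example, not part of the show notes or the original story: a small Python check that takes passive-DNS-style observations (constructed sample data; only the 131.107.202.x addresses and seizemed.com come from the story, the name-server hostnames and the corp.example zone are made up) and flags zones whose authoritative name servers resolve into address space you own but that are not on your allowlist. This is the kind of routine monitoring that would surface a hijack like the one described, regardless of whether the root cause is a compromised host, a rogue machine or an overlooked managed service.

```python
import ipaddress
from collections import defaultdict

# Address space we are responsible for. This /24 contains the two
# Microsoft-registered addresses named in the story.
MONITORED_PREFIXES = [ipaddress.ip_network("131.107.202.0/24")]

# Constructed sample of passive-DNS observations: (owner name, type, value).
# seizemed.com and the two 131.107.202.x addresses come from the story;
# the name-server hostnames and corp.example are made up for illustration.
SAMPLE_RECORDS = [
    ("seizemed.com", "NS", "ns1.example-pharma.invalid."),
    ("seizemed.com", "NS", "ns2.example-pharma.invalid."),
    ("ns1.example-pharma.invalid", "A", "131.107.202.197"),
    ("ns2.example-pharma.invalid", "A", "131.107.202.198"),
    ("corp.example", "NS", "ns.corp.example"),      # legitimate, allowlisted zone
    ("ns.corp.example", "A", "131.107.202.5"),
    ("other.example", "NS", "ns.other.example"),    # NS outside our space
    ("ns.other.example", "A", "203.0.113.10"),
]

def build_indexes(records):
    """Index NS records per zone and A/AAAA records per hostname."""
    ns_of, addr_of = defaultdict(set), defaultdict(set)
    for name, rtype, value in records:
        if rtype == "NS":
            ns_of[name.lower().rstrip(".")].add(value.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            addr_of[name.lower().rstrip(".")].add(ipaddress.ip_address(value))
    return ns_of, addr_of

def in_monitored(addr, prefixes=MONITORED_PREFIXES):
    """True if the address (string or ip_address object) lies in our prefixes."""
    return any(ipaddress.ip_address(str(addr)) in net for net in prefixes)

def find_foreign_zones(records, allowlist=frozenset(), prefixes=MONITORED_PREFIXES):
    """Return {zone: {ns_host: [addresses]}} for zones not on the allowlist
    whose authoritative name servers resolve into our monitored prefixes."""
    ns_of, addr_of = build_indexes(records)
    findings = {}
    for zone, servers in ns_of.items():
        if zone in allowlist:
            continue
        hits = {ns: sorted(str(a) for a in addr_of.get(ns, ()) if in_monitored(a, prefixes))
                for ns in servers}
        hits = {ns: addrs for ns, addrs in hits.items() if addrs}
        if hits:
            findings[zone] = hits
    return findings

if __name__ == "__main__":
    for zone, hits in find_foreign_zones(SAMPLE_RECORDS, {"corp.example"}).items():
        print(f"ALERT: {zone} is served from our address space by {hits}")
```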
News: http://forum.kaspersky.com/index.php?showtopic=189198
Even reputable security providers fall victim to cyber attacks. Over the weekend, anti-virus software maker Kaspersky Lab experienced an attack in which a third-party application on the company’s servers was exploited to redirect would-be downloaders of Kaspersky’s anti-virus software to a site pushing fake anti-virus malware.
“Kaspersky Lab reports that at 11:05 PM GMT on Sunday, October 17, 2010 the kasperskyusa.com domain experienced a hacker attack that exploited a vulnerability on a third party application. As a result of the attack, users trying to download Kaspersky Lab’s consumer products were redirected to a malicious website. The website was simulating a Windows XP Explorer window and a popup window showing a scanning process on the local computer and offering the user a fake antivirus program to install. The domain was making these redirections for 3.5 hours in total.
Upon being notified about the vulnerability, company personnel took immediate action to address the issue, and the affected server was taken offline within 10 minutes. Immediately following, all vulnerable components were removed from the server and clean files were restored from the central repository. A complete audit of the kasperskyusa.com domain, as well as all of the other Kaspersky Lab domains, was done to ensure they’re running fully updated code. Currently the server is secure and fully back online, and Kaspersky products are available for download.
Kaspersky Lab also wants to confirm that no individual’s details were compromised from the company’s web servers during this attack. However, Kaspersky Lab takes any attempt to compromise its security seriously. Our researchers are currently working on identifying any possible consequences of the attack for affected users, and are available to provide help to remove the fake antivirus software.”
News: http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html
Facebook’s privacy rules aren’t as watertight as the company would have its users believe, after the Wall Street Journal uncovered that some of the social network’s most popular apps have siphoned off personal information to ad firms and internet tracking outfits.
According to the report, many Facebook apps have transmitted identifiable details about individual users to around 25 companies, in effect breaking the terms laid down by the Mark Zuckerberg-run website.
The privacy breach, which gives advertising and internet tracking firms access to people’s names, affects a huge number of Facebook app users.
Worse still, the newspaper found that users whose profiles have rigorous privacy settings have also had their details exposed.
It said that the 10 most popular Facebook apps, including Farmville and Texas HoldEm Poker, were transmitting users’ IDs to external firms.
Game Network Inc’s Farmville was found to also be transmitting personal details about a user’s Facebook “friends” to advertisers and internet tracking companies.
Facebook, which claims to have around 500 million users of its service, told the WSJ that the social network would bring in new tech to close the breach.
One company, RapLeaf Inc, was found to have linked Facebook ID details taken from apps to its own database of internet users, which it sells on to companies.
RapLeaf insisted that the transmission of data hadn’t been intentional.
News: http://www.infosecurity-magazine.com/view/13297/nuclear-secrets-revealed-after-unencrypted-usb-stick-found-in-cumbria-hotel-room/
Local media reports in the Lake District have revealed that an unencrypted USB stick – apparently containing details on the Sellafield nuclear site’s operations – has been found by a coach driver in a Cumbria hotel room.
Fortunately for the security of the Sellafield nuclear materials handling site, the USB stick has been handed in to the authorities.
Commenting on the incident, Credant Technologies, the endpoint data security specialist, said that the stick contained details of the nuclear firm’s proposed workforce transfer from its Capenhurst operation in Cheshire to pan-European uranium specialist Urenco. “This fact alone is from heaven to enemies of the UK, especially since the data on the USB stick suggested that International Atomic Energy technicians visiting the site were not sufficiently up to speed”, said Sean Glynn, the firm’s vice president.
Corporate USB sticks, says Glynn, should always include encryption and other forms of security as a basic requirement because, as this incident clearly shows, unencrypted data can, and does, fall into the wrong hands. And in the case of Sellafield, he added that the data on the USB stick falls firmly into the kind of information which has national security implications, especially with the UK currently being on heightened terrorist alert. The discovery of this data on a USB stick in a hotel room, said Glynn, is the kind of plot that would do justice to a John Le Carre thriller novel, rather than real-life hotel in deepest Cumbria.
Encrypt USB…what a novel concept…