Your daily source of Pwnage, Policy and Politics.

No Podcast Tonight! Go get your Drunk on!

There will be no podcast tonight!  We’re getting our drunk on, so you do the same.  See Ya Next Year!

Episode 290 – 2011 Predictions, C&P, PS3, Skype & Phoenix Exploit Kit


ISDPodcast Episode 290 for December 30, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

THOTCON:

THOTCON 0x2
Where: Chicago, IL
When:  Friday, April 15th, 2011
http://www.thotcon.org
The CFP will close on January 01, 2011 – Get your talk in NOW

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Reminder:  No Podcast December 31, 2010
Stories:
News: http://www.securityweek.com/geolocation-mobile-and-apple-top-mcafees-list-emerging-threats-2011

McAfee Labs Threat Predictions for 2011

Exploiting Social Media: URL-shortening services
Social media sites such as Twitter and Facebook have created the movement toward an “instant” form of communication, a shift that will completely alter the threat landscape in 2011. Of the social media sites that will be most riddled with cybercriminal activity, McAfee Labs expects those with URL-shortening services will be at the forefront. The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and redirect users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.

Exploiting Social Media: Geolocation services
Locative services such as foursquare, Gowalla and Facebook Places can easily search, track and plot the whereabouts of friends and strangers. In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using. This wealth of personal information on individuals enables cybercriminals to craft a targeted attack. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2011.

Mobile: Usage is rising in the workplace, and so will attacks
Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.

Apple: No longer flying under the radar
Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.

Applications: Privacy leaks—from your TV
New Internet TV platforms were some of the most highly-anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee Labs expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. These apps will target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets.

Sophistication Mimics Legitimacy: Your next computer virus could be from a friend
Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.

Botnets: The new face of Mergers & Acquisitions
Botnets continue to use a seemingly infinite supply of stolen computing power and bandwidth around the globe. Following a number of successful botnet takedowns, including Mariposa, Bredolab and specific Zeus botnets, botnet controllers must adjust to the increasing pressure cybersecurity professionals are placing on them. McAfee Labs predicts that the recent merger of Zeus with SpyEye will produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Additionally, McAfee Labs expects to see significant botnet activity in the adoption of data-gathering and data-removal functionality, rather than the common use of sending spam.

Hacktivism: Following the WikiLeaks path
Next year marks a time in which politically motivated attacks will proliferate and new sophisticated attacks will appear. More groups will repeat the WikiLeaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement, and will become more organized and strategic by incorporating social networks in the process. McAfee Labs believes hacktivism will become the new way to demonstrate political positions in 2011 and beyond.

Advanced Persistent Threats: A whole new category
Operation Aurora gave birth to the new category of advanced persistent threat (APT)— a targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than pure financial/criminal gain or political protest. McAfee Labs warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks that go after email archives, document stores, intellectual property repositories and other databases.

Predictions for 2011 from other firms shared similar concerns, with mobile being a top threat across the board. Data security firm Imperva predicts a rise in mobile devices being compromised, resulting in data theft or loss, as a result of lagging security measures such as identification and authentication and the spread of mobile malware.

News: http://www.wired.com/threatlevel/2010/12/breaking-gsm-with-a-15-phone-plus-smarts

Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.  Use at your own risk.  Speaking at the Chaos Computer Club (CCC) Congress, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software.
While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators’ technology and operations to put the power within the reach of almost any motivated tech-savvy programmer.
“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.”
Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.
Working the audience through each step of the process, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple internet query, to the level of city or general rural area.
Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing each base station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.
To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this information to be sent in real time to a computer.
By sniffing the network while sending a target phone an SMS, they were able to determine precisely which temporary network ID (the TMSI) belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network.
News: http://www.infosecurity-magazine.com/view/14857/row-breaks-out-over-alleged-chip-and-pin-security-flaw-censorship

A row that has been brewing between the payment card ‘establishment’ and researchers at Cambridge University, who have previously claimed that the Chip & PIN security system seen in UK bank payment cards is flawed, has spilled out into the open.

As reported previously by Infosecurity, in-depth research led by Professor Ross Anderson of Cambridge University’s security engineering department had revealed potentially serious flaws in the way the Chip and PIN system operates. Now Professor Anderson has accused the UK bank card industry of making a “very nasty attempt at censorship” over a flaw in Chip and PIN technology. The UK Cards Association (UKCA) apparently wrote to the university to try to remove the online publication of research that shows how a simple hand-held device can be used to buy goods without entering the correct PIN. In a security blog, Professor Anderson said that this step was “absolutely unacceptable. It was a very, very nasty attempt at censorship.”

The Press Association quotes Melanie Johnson – a former Labour Treasury Minister who is now chair of the UKCA – as saying the publication of the paper on Chip & PIN insecurity “oversteps the boundaries of what constitutes responsible disclosure”. Infosecurity notes that Omar Choudary’s research paper details the designs of a low-cost device that can exploit a loophole in the security of the Chip and PIN system. This is despite proponents of the card security system having previously described the Chip and PIN system as infallible.

In his blog – titled ‘A Merry Christmas to all Bankers’ – Anderson says that the bankers’ trade association has complained that Choudary’s paper “contains too much detail of our No-PIN attack on Chip-and-PIN and thus ‘breaches the boundary of responsible disclosure’”. “There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later”, he said. According to Anderson, the bankers are also fretting that ‘future research, which may potentially be more damaging, may also be published in this level of detail’.
News: http://www.joystiq.com/2010/12/29/hackers-claim-discovery-of-ps3-private-key-enabling-unauthori/

During the ongoing Chaos Communication Congress (27C3), the hackers responsible for the Wii’s Homebrew Channel, calling themselves fail0verflow, gave a presentation in which they claimed to have figured out the “private key” used by Sony to authorize code to run on retail PS3 systems. This means, as a PSX-Scene forum post puts it, giving a hacker “full control of the PS3 system”, without the use of a USB device. The group will explain more when its website launches, and also plans to show a demo at the conference. This hack is designed not to enable PS3 game piracy (though it might have that effect) but, according to a tweet by fail0verflow, to enable Linux to run on all PS3s, “whatever their firmware versions.”
News: https://threatpost.com/en_us/blogs/skype-client-error-causes-global-outage-122910

In response to a 24-hour outage that occurred last week on its internet voice and video chat platform, Skype’s Chief Information Officer has revealed that an error in some versions of the company’s software client is to blame. CIO Lars Rabbe, writing on Skype’s ‘The Big Blog’, confirmed reports of outages last week and posted a detailed explanation of what went wrong. He said the company was taking steps to prevent further outages.

On December 22, a cluster of servers responsible for offline instant messaging at Skype became overloaded. As a result, some Skype clients running Windows and version 5.0.0.152 of the Skype client received delayed response messages from the overloaded servers which were not properly processed, causing them to crash. These crashes affected an estimated 20 percent of total Skype users. Those users then restarted their clients, causing a new flood of traffic to the supernodes that quickly overwhelmed the company’s infrastructure.

Skype works on a P2P network where supernodes act as a directory, supporting Skype clients, establishing connections between clients, and creating local node clusters. So, even though only 20 percent of clients failed, this failure caused a 25 percent reduction in overall supernode resources, which placed too heavy a burden on the remaining supernodes. While Skype plans for failures of this sort, its system was incapable of withstanding the increased load brought on by users restarting their clients as they attempted to reconnect. Rabbe believes the increased load triggered a failsafe feature on the Skype supernodes, causing them to shut down. That, in turn, heaped more traffic on the few remaining supernodes, causing a domino effect that led to the 24-hour outage.

To fix the problem, Skype introduced hundreds of instances of Skype software into the P2P network to act as supernodes and provide the capacity to accelerate the recovery. This process was repeated until the system was completely restored on December 24. Skype is working to prevent future outages like the one that occurred last week by bolstering its automatic update system with more frequent hotfixes, researching ways to detect problems more promptly and recover systems more quickly, reviewing bug testing processes, and continually examining its capacity and increasing its resilience when necessary.
News: http://www.infosecurity-magazine.com/view/14855/phoenix-exploit-hacker-kit-methodology-explained-

Websense has posted a detailed analysis of the Phoenix Exploit Kit, which is used by hackers to seed and infect users’ PCs across the internet, and then monitor the results for data harvesting.

The kit, which was originally discovered by M86 Security in the summer of 2009, has been disassembled by Chris Astacio, a security researcher with Websense, who reports that the kit’s installation routines are, like a lot of hacker toolkits, obfuscated (hidden). This is, he explains, “probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no ‘readme.txt’ file included.”

Looking at the PHP code, Astacio says researchers can see that it’s a Base64-encoded, ZLIB-compressed stream of data. ”The PHP script uses an ‘eval’ statement with ‘gzuncompress’ and ‘base64_decode’ functions to decode the stream of data. For us to get the clear text code, we can use a simple substitution trick along with the PHP CLI so that we can then analyse the installer’s code”, he said in his security blog. ”To do this, we simply need to replace the ‘eval’ with a ‘print’ and run the install.php script on the command line”, he added.

Interestingly, despite the widespread use of the hacker toolkit, the Websense researcher says that there is nothing special about it. ”You get to choose the language of the installation instructions, either English or Russian. And on the next page you have a form to fill out for various resources”, he said, adding in his analysis that he has not shown some of the forms as they contain sensitive information.

One of the most interesting features of the kit is that it does not contain a current set of exploits, as users must contact the developer and activate the kit, presumably by paying a fee, Infosecurity notes. According to the Websense security researcher, the developers of the Phoenix Exploit Kit are working on not only protecting their exploit code from being recognised, but also their installations. ”This makes it difficult for researchers to further dissect and understand how the kit works, especially if a researcher comes across just the install script”, he said in his blog. ”It also makes things more difficult for others who want to study and report on the statistics found from individual installations of Phoenix by randomising the page names used in the kit installations”, he added.
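Astacio’s eval-to-print substitution works, but the PHP interpreter still executes anything in install.php that sits outside the eval, so it belongs in a throwaway VM. When all you want is the cleartext, a static decoder that never runs the script is the safer tool. The Python below is an added example, not Websense’s or the kit’s code: it peels eval(gzuncompress(base64_decode('…'))) wrappers, including nested ones, using only zlib and base64. The wrapper regex, the layer count and the cleartext stub are assumptions for the demo; kits that use other wrappers (gzinflate, str_rot13, custom XOR) would need their own patterns.

```python
import base64
import re
import zlib

# Matches the kit-style wrapper: eval(gzuncompress(base64_decode('<blob>')));
# Exact spacing/quoting is an assumption for this demo; other obfuscation
# layers (str_rot13, gzinflate, custom XOR) would need their own patterns.
WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['"]"""
    r"""([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

# Constructed stand-in for the installer's cleartext; not the real kit.
CLEARTEXT_PHP = "<?php $lang = 'en'; echo 'installer stub'; ?>"


def unwrap_once(php_source):
    """Return the cleartext hidden under one wrapper, or None if there is none.

    PHP's gzuncompress() reads the zlib (RFC 1950) format, which is exactly
    what Python's zlib.decompress() expects. Nothing here is executed.
    """
    match = WRAPPER_RE.search(php_source)
    if match is None:
        return None
    blob = re.sub(r"\s+", "", match.group(1))  # tolerate line-wrapped base64
    raw = zlib.decompress(base64.b64decode(blob))
    return raw.decode("latin-1")               # never fails on arbitrary bytes


def unwrap_all(php_source, max_layers=10):
    """Peel nested wrappers; returns every layer, outermost first."""
    layers = [php_source]
    while len(layers) <= max_layers:
        inner = unwrap_once(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def build_stub(plain_php, layers=1):
    """Constructed fixture: pack cleartext the way an obfuscated install.php is packed."""
    src = plain_php
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode("latin-1"))).decode("ascii")
        src = "<?php eval(gzuncompress(base64_decode('%s'))); ?>" % blob
    return src


def demo(layers=3):
    """Build a triple-wrapped stub and unwrap it; returns all recovered layers."""
    return unwrap_all(build_stub(CLEARTEXT_PHP, layers))


if __name__ == "__main__":
    for depth, code in enumerate(demo()):
        print("layer %d (%d bytes): %s" % (depth, len(code), code[:60]))
```

unwrap_all stops at the first layer the regex does not recognise, which is also how you notice that a sample has switched to a different packer; diff that last layer against the pattern rather than reaching for eval.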

Episode 289 – THC, Roving Bugs, Mozilla, Singularity, Tor & Honda


ISDPodcast Episode 289 for December 29, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.

Stories:
Tools:
THC IPv6 Attack Tool v1.4
http://freeworld.thc.org/thc-ipv6/

v1.4 – December 2010

  • (many new tools not included in the public version yet)
  • added thcping6
  • added fake_mld26 (same as fake_mld6 but for MLDv2)
  • added fake_mldrouter6 – fake an MLD router
  • added exploit6 and the first test cases
  • added denial6 and the first test cases
  • fake_mld6:
    • added query and done MLD types
    • new command line option -l = loop
    • command line format changed
    • added target mac option, needed for new vulnerability found
  • dnsdict6:
    • added 87 more entries to the dictionary
    • now identifies even multiple wildcard IPs and displays them accordingly
    • now prints the number of unique IPv6 addresses found
  • fuzz_ip6:
    • added fuzzing query, report and done MLD + query and report MLDv2 types
    • fuzzing first and last two bytes of IPv6 addresses in the packets
    • command line option for specifying an IPv6 address within the packets
    • added many options
  • trace6:
    • added unreachable detection
    • added more informative output
    • now multiple-run safe
    • fixed a core dump which happened on rare occasions
  • changed command line options for fake_router6 to allow specification of DNS
  • toobig6: tighter mtu and removed debug output still present in the code, oops
  • implementation6: added three more test cases, enhanced four test cases, bugfix
  • compile warning fixes (dnsdict6, sendpees6, thc-ipv6-lib)
  • Makefile beautification and header fixes by xmwgentooorg

THC Hydra v5.9
http://freeworld.thc.org/thc-hydra/

  • Update for the subversion module for newer SVN versions (thanks to David Maciejak @ GMAIL dot com)
  • MySQL module now has two implementations and uses a library when found (again thanks to David Maciejak @ GMAIL dot com – what would hydra be without him)
  • camiloculpian @ gmail dot com submitted a logo for hydra – looks cool, thanks!
  • Another patch by David to add the LOGIN auth mechanism to the smtpauth module
  • Better FTP 530 error code detection
  • Bugfix for the SVN module for non-standard ports (again david@)


News: https://www.infosecisland.com/blogview/10541-FBI-Taps-Mobile-Phone-Mics-for-Surveillance.html

U.S. District Judge Lewis Kaplan issued an opinion on the use of “roving bugs” for criminal investigations, confirming suspicions that the FBI was employing the technique of listening to nearby conversations via a suspect’s cell phone mic. Judge Kaplan stated that he believed that current U.S. wiretapping laws were broad enough to include the practice of eavesdropping by enabling the microphone in a mobile device even when the device was not being used.

According to an article in CNET: The U.S. Commerce Department’s security office warns that “a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.” An article in the Financial Times last year said mobile providers can “remotely install a piece of software on to any handset, without the owner’s knowledge, which will activate the microphone even when its owner is not making a call.”

The opinion issued by Judge Kaplan was in regard to several active investigations of organized crime activities, but the use of “roving bugs” is not limited to those cases. The only way to prevent audio monitoring via a mobile phone is to remove the battery, as the microphones in some units can be activated even when the device is powered down.

Exactly how the “roving bug” technique is employed is still unclear, and experts disagree on whether the microphone is enabled remotely or by way of physical tampering, according to the CNET article: Court documents, including an affidavit (p1) and (p2) prepared by Assistant U.S. Attorney Jonathan Kolodner in September 2003, refer to them as a “listening device placed in the cellular telephone.” That phrase could refer to software or hardware. If the microphone on the cell phone of a criminal suspect can be activated remotely, then it is more than likely they can be enabled on any cell phone, and not necessarily by law enforcement officials.

Security and due diligence expert Greg George of GTI Advisors believes the microphones can indeed be enabled remotely, and has long warned that executives should remove the battery from their mobile devices when in meetings where sensitive and confidential details are discussed.
News: http://www.theregister.co.uk/2010/12/28/mozilla_password_snafu/
http://www.infosecurity-us.com/view/14852/mozilla-admits-to-possible-leak-of-user-information
Mozilla inadvertently exposed the passwords of 44,000 inactive addons.mozilla.org accounts, but says there’s nothing to worry about.

“On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server,” Mozilla’s director of infrastructure security Chris Lyon wrote in a posting on the Mozilla Security Blog late Monday night.

Although that exposure may seem a wee bit scary, Lyon notes that all the passwords were for inactive accounts, that Mozilla was able to account for every download of the database, that the password hashes were of the “older md5-based” variety, and that they have all now been deleted, effectively disabling those accounts.

“All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts” since April 9, 2009, Lyon said. “It is important to note that current addons.mozilla.org users and accounts are not at risk.”

Mozilla informed all affected users of the slip-up by email, prompting one Larry Seltzer to add a comment to Lyon’s post, saying: “I got the e-mail a while before this blog post or anything else about the matter was on the web. The e-mail looked legit, but…”
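Why the move from unsalted MD5 to “SHA-512 with per-user salts” is the detail that matters in Lyon’s post: against an unsalted dump the attacker hashes a wordlist once and looks every user up in that table, and two users with the same password are visible at a glance; with a random per-user salt nothing can be precomputed and the work multiplies by the number of users. The Python below is an added illustration, not Mozilla’s code; the user records, passwords and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist and user base; not Mozilla's data.
WORDLIST = ["password", "letmein", "firefox", "hunter2"]
USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "7rQ!v-not-in-any-wordlist",
    "dave": "password",          # same password as alice
}


def md5_unsalted(password):
    """The 'older md5-based' scheme: one global lookup table cracks every user."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password, salt):
    """SHA-512 over a per-user random salt followed by the password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def make_record(password, salt=None):
    """Stored form: the salt is public, the hash depends on it."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "hash": sha512_salted(password, salt)}


def verify(record, candidate):
    """Constant-time comparison; the stored salt is reused, never regenerated."""
    return hmac.compare_digest(record["hash"], sha512_salted(candidate, record["salt"]))


def build_dumps():
    """Two leaked 'partial databases' for the same users: unsalted md5 and salted sha512."""
    unsalted = {user: md5_unsalted(pw) for user, pw in USERS.items()}
    salted = {user: make_record(pw) for user, pw in USERS.items()}
    return unsalted, salted


def crack_unsalted(dump, wordlist):
    """Hash the wordlist once, then recover every user by dictionary lookup."""
    table = {md5_unsalted(word): word for word in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)          # hash operations spent, independent of user count


def crack_salted(dump, wordlist):
    """With per-user salts nothing can be precomputed; every user costs a fresh pass."""
    found, work = {}, 0
    for user, record in dump.items():
        for word in wordlist:
            work += 1
            if sha512_salted(word, record["salt"]) == record["hash"]:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted, salted = build_dumps()
    print("md5, no salt  :", crack_unsalted(unsalted, WORDLIST))
    print("sha512 + salt :", crack_salted(salted, WORDLIST))
```

The salt only removes the precomputation shortcut; a single SHA-512 is still fast enough that a weak password falls to a per-user dictionary run, as carol’s neighbours show. For new systems the accepted practice is a deliberately slow, salted KDF (PBKDF2, bcrypt or scrypt), which raises the per-guess cost rather than just the table size.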
News: http://research.microsoft.com/pubs/52716/tr-2005-135.pdf

Singularity is a research project in Microsoft Research that started with the question: what would a software platform look like if it was designed from scratch with the primary goal of dependability? Singularity is working to answer this question by building on advances in programming languages and tools to develop a new system architecture and operating system (named Singularity), with the aim of producing a more robust and dependable software platform. Singularity demonstrates the practicality of new technologies and architectural decisions, which should lead to the construction of more robust and dependable systems.

News: http://arstechnica.com/tech-policy/news/2010/12/flaws-in-tor-anonymity-network-spotlighted.ars

At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.

The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a regime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing.

“Developers have to be aware of this kind of attack, and develop countermeasures,” said Dominik Herrmann, a Regensburg PhD student studying profiling and fingerprinting attacks. “But that proves to be very difficult.”

The research, performed by a variety of collaborators in Germany working on anonymity measures, represents a warning for privacy-conscious users wary of spying eyes, whether behind Net-unfriendly borders or simply corporate firewalls.

Tor is essentially an online mask, rather than a tool that hides the fact or content of communication itself. The project’s developers are addressing the problem of traffic analysis—essentially the threat that an attacker or observer might be able to tease out a person’s identity, location, profession, social network or other information about the message content by analyzing a message’s unencrypted headers.

To hide this information, the Tor system routes messages around a winding path of volunteer servers across the Net, with each relay point knowing only the address of the previous and next step in the pathway.

Once this circuit has been established, neither an eavesdropper nor a compromised relay should, in theory, be able to determine both the source and destination of a given piece of communication. According to the Tor project’s latest metrics, the network has drawn between 100,000 and 300,000 users per day over the last several months.

Herrmann and his fellow researchers say there’s a partial flaw in this arrangement, however. A potential eavesdropper on the end user’s own network still has the ability to analyze the patterns of data being returned, and in many cases will be able to develop a reasonable guess about the source of the communication.

An attacker—perhaps an ISP instructed by law enforcement or a government to engage in such surveillance—would first have to develop a list of potential sites that the target might be visiting, or that it was interested in monitoring. It would then run the Tor system itself, testing the way these sites appeared when accessed through Tor, developing a database of “fingerprints” associated with the sites of interest.

Once the target of the surveillance went online, the eavesdropper would capture the packet stream as it crossed the local network and compare the source data with its fingerprint database with the help of pattern recognition software. Any match would be only statistical, giving somewhere between 55 percent and 60 percent certainty, Herrmann said—not enough to provide hard evidence in court, but likely more certainty than many people seeking privacy might be comfortable with.

Different online destinations will carry different susceptibility to fingerprinting, of course. Unusual sites, with characteristics such as very heavy or large graphic use, can be more easily identified, Herrmann said. By the same token, the easiest way for a website to fool such an eavesdropper would be to make its site look as closely as possible like another popular site—mimicking the look of the Google site, for example, one of the most commonly accessed pages on the Web.

Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.

The research may not dissuade many from using Tor, which remains one of the most promising approaches for individuals seeking to hide aspects of their identity or online activity. But it may well make them work harder.
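The attack the article walks through, reduced to a runnable sketch, as an added example that is not code from the Regensburg researchers or the Tor project: the eavesdropper fetches each site of interest through Tor, records the packet-length pattern as a fingerprint, then scores a captured trace against that database. It uses cosine similarity over packet-length histograms in place of the multinomial naive-Bayes classifier of the actual research, and the site names, packet counts and captured traces are all constructed; the second trace is the countermeasure from the last paragraph, two sites fetched at once.

```python
import math
from collections import Counter

# Constructed training captures, one per site the eavesdropper cares about.
# Each token is a signed packet length as seen on the client's own network:
# positive = outbound from the client, negative = inbound. All counts invented.
TRAINING = {
    "gallery.example": {-1500: 120, -1200: 30, -600: 10, 74: 40, 500: 5},
    "news.example":    {-1500: 40, -900: 50, -600: 60, 74: 50, 500: 10},
    "webmail.example": {-1500: 20, -600: 40, -300: 30, 74: 60, 900: 40},
}

# Constructed capture of the target loading gallery.example over Tor, with the
# small run-to-run variation a real capture would show.
OBSERVED_GALLERY = {-1500: 110, -1200: 35, -600: 15, -300: 4, 74: 38, 500: 8}

# The countermeasure from the article: the target fetches two sites at once,
# so the eavesdropper sees the union of both packet streams.
MIXED_GALLERY_AND_NEWS = Counter(OBSERVED_GALLERY) + Counter(TRAINING["news.example"])


def fingerprint(counts):
    """Relative frequency of each packet-length token."""
    total = sum(counts.values())
    return {tok: n / total for tok, n in counts.items()}


def cosine(a, b):
    """Similarity of two sparse frequency vectors, 0.0 (disjoint) to 1.0 (same shape)."""
    dot = sum(v * b.get(tok, 0.0) for tok, v in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def expand(counts):
    """Turn a count table into the flat packet-length sequence a sniffer would log."""
    return [tok for tok, n in counts.items() for _ in range(n)]


def classify(packets, db):
    """Best-matching site, its similarity, and the margin over the runner-up.

    A small margin means the trace is ambiguous, which is what the user wants.
    """
    observed = fingerprint(Counter(packets))
    ranked = sorted(((cosine(observed, fp), site) for site, fp in db.items()), reverse=True)
    best_score, best_site = ranked[0]
    margin = best_score - ranked[1][0] if len(ranked) > 1 else best_score
    return best_site, best_score, margin


FINGERPRINT_DB = {site: fingerprint(counts) for site, counts in TRAINING.items()}

if __name__ == "__main__":
    print("single site :", classify(expand(OBSERVED_GALLERY), FINGERPRINT_DB))
    print("two at once :", classify(expand(MIXED_GALLERY_AND_NEWS), FINGERPRINT_DB))
```

On the single-site trace the gallery wins by a wide margin; on the mixed trace the top two candidates land within a few hundredths of each other, which is the “muddied pattern” Herrmann describes. The margin, not the raw score, is the number to watch: a naive classifier will always name some best match.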

News: http://www.securityweek.com/geolocation-mobile-and-apple-top-mcafees-list-emerging-threats-2011McAfee Labs Threat Predictions for 2011
Exploiting Social Media: URL-shortening servicesSocial media sites such as Twitter and Facebook have created the movement toward an “instant” form of communication, a shift that will completely alter the threat landscape in 2011. Of the social media sites that will be most riddled with cybercriminal activity, McAfee Labs expects those with URL-shortening services will be at the forefront. The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.
Exploiting Social Media: Geolocation services
Locative services such as foursquare, Gowalla and Facebook Places can easily search, track and plot the whereabouts of friends and strangers. In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using. This wealth of personal information on individuals enables cybercriminals to craft a targeted attack. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2011.

Mobile: Usage is rising in the workplace, and so will attacks
Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.

Apple: No longer flying under the radar
Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.

Applications: Privacy leaks—from your TV
New Internet TV platforms were some of the most highly-anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee Labs expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. These apps will target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets.

Sophistication Mimics Legitimacy: Your next computer virus could be from a friend
Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.

Botnets: The new face of Mergers & Acquisitions
Botnets continue to use a seemingly infinite supply of stolen computing power and bandwidth around the globe. Following a number of successful botnet takedowns, including Mariposa, Bredolab and specific Zeus botnets, botnet controllers must adjust to the increasing pressure cybersecurity professionals are placing on them. McAfee Labs predicts that the recent merger of Zeus with SpyEye will produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Additionally, McAfee Labs expects to see significant botnet activity in the adoption of data-gathering and data-removal functionality, rather than the common use of sending spam.

Hacktivism: Following the WikiLeaks path
Next year marks a time in which politically motivated attacks will proliferate and new sophisticated attacks will appear. More groups will repeat the WikiLeaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement, and will become more organized and strategic by incorporating social networks in the process. McAfee Labs believes hacktivism will become the new way to demonstrate political positions in 2011 and beyond.

Advanced Persistent Threats: A whole new category
Operation Aurora gave birth to the new category of advanced persistent threat (APT)— a targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than pure financial/criminal gain or political protest. McAfee Labs warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks that go after email archives, document stores, intellectual property repositories and other databases.
Predictions for 2011 from other firms shared similar concerns, with mobile being a top threat across the board.  Data security firm Imperva predicts a rise in mobile devices being compromised resulting in data theft or loss as a result of lagging security measures such as identification and authentication and the spread of mobile malware.
News: http://www.insideline.com/honda/hackers-hit-honda-steal-millions-of-customers-data.html
It sounds bad, but perhaps it’s not as bad as it could have been: American Honda has notified 2.2 million customers that a list including e-mail addresses, VINs and login information has been stolen by unknown hackers. Company officials say the list didn’t include Social Security numbers, birthdates, bank information or other data that would leave people vulnerable to identity theft.

The Columbus, Ohio, Dispatch reported that the list belonged to an outside vendor who was using it to send “welcome” e-mail messages to customers with OwnerLink or MyAcura accounts. Reportedly, 2.7 million Acura owners were on a separate list that was also stolen, but that one had only e-mail addresses on it.

American Honda contacted its customers to apologize and remind them about the possibility that bogus e-mail could come to them asking for private information. Owners can get more information on this FAQ page.

Episode 288 – Ettercap, Texas Hacker, OpenBSD, Barbie & 4Chan


ISDPodcast Episode 288 for December 28, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.

Stories:
News:
http://blog.spiderlabs.com/2010/12/anti-security-and-the-christmas-day-incident.html

On the morning of Dec. 25, yet another anti-security eZine was published, its contents this time targeting some well-known security professionals and projects.

The Anti-Security Movement isn’t anything new, they have been around in various forms for a long time, with different names and different group affiliations, including ~el8, pHC (Phrack High Council), Fluffy Bunny, PR0J3KT M4YH3M, h0no, ZFO and others.

With the release of the “Owned and Exposed” eZine this particular Anti-Security group made claims that they compromised several different web sites and security projects, providing evidence in the form of configuration files, directory listings, and password files gained mostly via web-server / web application attacks leveraged against the public web servers for these projects. In some cases they targeted other unrelated systems hosted on the same shared environment as their targets.

One of the claims made in the zine was that they compromised the popular ARP-Spoofing toolkit – Ettercap, and implied that the code had been altered several years ago. The implication was that a backdoor was placed in the code.

Now, the Ettercap project itself has been frozen for a few years, and is not currently maintained. So unlike some of the other projects that were “Owned and Exposed” the Ettercap project really doesn’t have anyone to publicly post an analysis of the attack, the impact, and any response to the claims made in the zine.

As a result, this statement created a certain amount of FUD, with various people suggesting that the Ettercap project was backdoored by someone who hacked their website some years ago.

This anxiety is not exactly unfounded. In the past, different well-known systems and applications such as the Linux kernel, OpenSSH and many others were attacked and backdoored, so these sorts of rumors are generally taken seriously in the information security community.

The source code was not modified. They didn’t had access to it in any way.  The CVS is safe and so [are] the downloads.  These are the good SHA1sum:

206972046b7cfc4150e5d08eff18a93dd49b9574  ettercap-NG-0.7.0.tar.gz
13d1353daf97af03b7b72f40c5f6c51ef41d3b3d  ettercap-NG-0.7.1.tar.gz
514760efdca27a45d6486c18679d2b6e9ba67452  ettercap-NG-0.7.2.tar.gz
7a2c3f848ca4f39c07fddeb0d6308641265bc4ff  ettercap-NG-0.7.3.tar.gz

I’ve checked and [these] are the same as those on sourceforge.

Here at SpiderLabs we do not endorse the Anti-Security movement in any way, and we respect and appreciate the Ettercap Project and Offensive Security Projects. In fact, even before SpiderLabs developed the tool Thicknet we considered simply resurrecting and modifying the Ettercap project for this purpose.

Our advice is to make sure that your copy of Ettercap has the SHA1sum provided by ALoR.
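The check the post recommends, as an added example (not SpiderLabs’ or the Ettercap project’s code): a small Python verifier that parses a sha1sum-style list, here the four digests quoted above, streams each tarball through SHA-1 and reports OK, MISMATCH or NOT IN MANIFEST per file. The script name and the hello.txt sample mentioned in the comments are constructed for illustration.

```python
import hashlib
import hmac
import sys

# SHA-1 sums as posted by ALoR for the Ettercap NG tarballs (copied from
# the statement quoted above). Same format as `sha1sum` output:
# <40 hex chars><two spaces><file name>.
ETTERCAP_SHA1SUMS = """\
206972046b7cfc4150e5d08eff18a93dd49b9574  ettercap-NG-0.7.0.tar.gz
13d1353daf97af03b7b72f40c5f6c51ef41d3b3d  ettercap-NG-0.7.1.tar.gz
514760efdca27a45d6486c18679d2b6e9ba67452  ettercap-NG-0.7.2.tar.gz
7a2c3f848ca4f39c07fddeb0d6308641265bc4ff  ettercap-NG-0.7.3.tar.gz
"""


def parse_sha1sum_manifest(text):
    """Parse sha1sum-style lines into {file name: lowercase hex digest}.

    Blank lines and '#' comments are skipped. Anything else that is not
    '<40 hex chars>  <name>' raises ValueError, so a mangled copy of the
    list cannot silently verify nothing.
    """
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary-mode marker
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA-1 hex digest")
        manifest[name] = digest
    return manifest


def sha1_hex(data):
    """SHA-1 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_hex_of_file(path, chunk_size=1 << 20):
    """SHA-1 of a file, streamed in chunks so a large tarball never sits whole in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(name, digest, manifest):
    """Compare one computed digest against the manifest entry for `name`.

    Returns "OK", "MISMATCH" or "NOT IN MANIFEST". hmac.compare_digest is
    used so the comparison does not stop early at the first differing hex
    character.
    """
    expected = manifest.get(name)
    if expected is None:
        return "NOT IN MANIFEST"
    if hmac.compare_digest(expected, digest.lower()):
        return "OK"
    return "MISMATCH"


def verify_bytes(name, data, manifest):
    """Verify an in-memory copy (e.g. a constructed hello.txt sample, or an archive read from a stream)."""
    return verify_digest(name, sha1_hex(data), manifest)


def verify_files(paths, manifest):
    """Verify each path on disk; the manifest is keyed by the file's base name."""
    results = {}
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        results[path] = verify_digest(name, sha1_hex_of_file(path), manifest)
    return results


if __name__ == "__main__":
    # Usage (script name is constructed): python verify_ettercap.py ettercap-NG-0.7.3.tar.gz [...]
    manifest = parse_sha1sum_manifest(ETTERCAP_SHA1SUMS)
    results = verify_files(sys.argv[1:], manifest)
    for path, status in results.items():
        print(f"{status:15} {path}")
    sys.exit(0 if results and all(s == "OK" for s in results.values()) else 1)
```

A non-zero exit status is returned when any file mismatches, is missing from the list, or no file was given, so the script can gate an automated build step.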

News: http://www.startribune.com/local/112307894.html
Federal authorities say a Texas hacker stole more than a quarter-million dollars from a subsidiary of Digital River Inc., the Eden Prairie-based e-commerce company, by redirecting electronic payment transfers to his personal account.
In an indictment unsealed Tuesday in federal court in Minneapolis, Jeremey Parker, 35, of Houston, was charged with computer fraud and wire fraud. According to the indictment: From Dec. 23, 2008, through Oct. 15, 2009, Parker hacked into the computer network to take $274,000 belonging to Digital River through a subsidiary, SWReg Inc.
News: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228900060/openbsd-project-finds-two-bugs-in-software-s-ipsec-implementation.html
The OpenBSD project has found two bugs in how OpenBSD, a Unix-like open source operating system, implements Internet protocol security (IPsec).  The bugs are of interest given the recent allegation made by Gregory Perry, former CTO of now-defunct Federal Bureau of Investigation contractor Network Security Technology (NetSec), that the FBI created a backdoor in the OpenBSD code base, specifically in how it implements IPsec. He also alleged that multiple developers involved in contributing code to OpenBSD were on the payroll of NetSec, and that the FBI had hired it to create the backdoors.
Are the bugs a smoking gun? According to Theo de Raadt, the founder and leader of the OpenBSD project, one IPsec bug in OpenBSD relates to a “CBC oracle problem,” and was fixed in the software crypto stack by Angelos Keromytis, the architect and primary developer for its IPsec, but ignored in device drivers, overseen by device driver author Jason Wright. Interestingly, both men had worked for NetSec, at different times.
“Neither Jason nor Angelos were working for NetSec at that time, so I think this was just an accident,” said de Raadt. “Pretty serious accident.”
News: http://www.computerworld.com/s/article/9202201/Mattel_disavows_Barbie_Video_Girl_porn_link
Somehow somebody put a link to a pornographic chat site on a Barbie.com page used to promote Barbie Video Girl, a version of the iconic doll that comes with an embedded video camera. Sandra McDermott reported the problem to her local TV news station Tuesday after clicking on the link while trying to upload video on the Barbie.com Web site with her 10-year-old daughter.
Her daughter was uploading the video for a Barbie Video Girl movie contest, where kids enter videos they’ve shot using the toy.
When it looked like the computer might have frozen, McDermott clicked on a navigation link that should have taken her to www.barbie.com/videogirl/. Instead, she was taken to the very not-safe-for-work Camlive.com Web site, which offers “Live Sex Chat – Amateur Cams and Pornstars.”
News: http://status.4chan.org/
4Chan has apparently become a victim of a DDoS.

Episode 287 – Owned & Exposed, Viagra, Top 10 Attacks 2010, Password Usage & SCADA


ISDPodcast Episode 287 for December 27, 2010.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, and Varun Sharma.


Stories:
News:
http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/
http://krebsonsecurity.com/2010/12/carders-cc-linux-exploit-org-and-exploit-db-org-hacked/
http://packetstormsecurity.org/files/view/97044/owned-and-exposed-2.txt
Exploit database exploit-db.org and backtrack-linux.org, the home of Backtrack, woke to a Christmas morning of being owned by “Happy Ninjas.” The hacks were detailed in the second edition of “Owned and Exposed,” an ezine whose first edition in May included the internal database and thousands of stolen credit card numbers and passwords from Carders.cc. The Christmas version of the ezine doesn’t feature credit card numbers, but it does list the user names and hashed passwords of the carders.cc forum administrators. The carders.cc forum itself appears to be down at the moment.

Mati Aharoni, the main administrator for both exploit-db.org and backtrack-linux.org, confirmed that the hacks against his sites were legitimate. Shortly after my e-mail, Aharoni replied with a link to a short statement, noting that a hacking team called inj3ct0r initially took credit for the attack, only to find itself also targeted and shamed in this edition of Owned and Exposed.

“There’s nothing like having your butt kicked Christmas morning, which is exactly what happened to us today. We were owned and exposed, in true fashion,” Aharoni wrote. “Initially, the inj3ct0r team took ‘creds’ for the hack, which quickly proved false as the original ezine showed up – and now inj3ct0r (their new site) is no longer online. As a wise Chinese man once said: ‘do not anger one who has shell on your server’. The zine also mentioned other sites, as well as the ettercap project being backdoored.”

To his credit, Aharoni posted a link to the 2nd edition of Owned and Exposed. “The irony of posting your zine in our papers section is not lost on us,” Aharoni wrote.

In addition, Free-Hack, Inj3ct0r, and Ettercap were also owned. According to the ezine:

“We owned ettercap because we were tired of people firing that shit up and pretending to be a l33th4x0r sheep who think they are the greatest hackerz with their ARP spoofing toolkitz.. If you have installed ettercap in the last 5 years you may want to check yo shit (;p). We owned offsec including backtrack and exploit-db because they are fucking security “expert” maggots (oops s/m/f/) who just fail so hard at security that we wonder why people really take their training courses. We imagine it’s like open mic night at the laughatorium. We owned inj3ct0r because they are lameass wannabe milw0rm kids whose sole purpose in life is to disclose XSS 0dayz in Joomla (RSnake anyone?). We owned carders.cc (AGAIN) because they are unable to learn from their mistakes and keep spreading garbage around the underground. We owned free-hack because they are developing into one of the largest, most arrogant script-kiddie breeding grounds on the intertubez.”

News: https://threatpost.com/en_us/blogs/google-and-godaddy-head-coalition-against-rogue-pharmacies-121710
Herbal Viagra peddlers beware: Google and GoDaddy are coordinating the establishment of a non-profit organization dedicated to curbing the spread of illegal online pharmaceutical companies.

The two firms plan to share information and work together to educate consumers about the dangers of buying drugs online, where rogue pharmacies are unregulated and often linked to criminal activity, according to a report on Dark Reading.

Google and GoDaddy will be joined by other prominent companies with a hand in online commerce, including American Express, eNom, MasterCard, Microsoft, Network Solutions, Neustar, PayPal, Visa, and Yahoo.

The decision to form the group stemmed from the recent White House Intellectual Property Health and Safety Forum in June. That gathering pledged to encourage cooperation between government and industry to address illegal online activity, and specifically mentioned “illegal Internet pharmacies.” It comes amid rising concerns pertaining to widespread advertisement for and consumption of medication obtained online without a prescription.

“The announced collaboration is a huge win for public health, and marks the first time that so many Internet commerce stakeholders have worked together on a comprehensive solution to address the rogue online drug sellers posing as Internet pharmacies,” said Libby Baney, advisor at B&D Consulting who counsels the Alliance for Safe Online Pharmacies (ASOP).

The sale of phony pharmaceuticals has been linked to prominent cyber criminal organizations and specific families of malware, such as Gumblar – with infected computers used to push out spam e-mail containing offers for fake Viagra, knockoff Rolex watches and other good
News: http://blogs.houstonpress.com/hairballs/2010/12/the_ten_most_spectacular_cyber.php

From Gawker to Visa, virtually no one is safe. Here are the ten most spectacular attacks of 2010:

10. Gene Simmons
Technically, Gene Simmons, the man, wasn’t hacked, but GeneSimmons.com and SimmonsRecords.com were shut down after comments he made in an interview about illegal file trading of music. “Be litigious. Sue everybody. Take their homes, their cars,” the KISS bassist said 24 hours before his websites were downed by the hacker vigilante campaign Operation Payback. Given Simmons’ giant ego, we doubt this will be the last time he says something stupid and gets hacked as a result.

9. Motion Picture Association of America (MPAA) and Recording Industry of America (RIAA)
There is one basic rule of the internet that should always be obeyed: don’t fuck with 4chan. The popular internet site is “home” to a group that calls themselves “Anonymous” who execute attacks on websites via the “Operation Payback” campaign mentioned above. The group takes it very personally when you do something to offend them, whether it be throwing puppies in a river or going after a popular BitTorrent website like Pirate Bay. The retaliation for the latter came in the form of a DDoS attack on both the MPAA and RIAA websites keeping them offline for nearly a full day. Bottom line, 4chan is like a hornets’ nest filled with angry nerds. Don’t poke at it and you won’t get stung.

8. Pirate Bay
Argentinian hacker Ch Russo cracked the administrative section of the popular file trading website and managed to delete files and expose user information. Russo claimed he was trying to demonstrate how vulnerable the information was. Point taken. There was a rumor that Russo planned to sell the user information to a third party, perhaps even groups like the RIAA or MPAA, who would certainly like to have it, but Russo denied the report, which is fortunate for him, because God only knows what 4chan would have done to him.

7. YouTube
In still more 4chan-related news, they really don’t like Justin Bieber. Not only did they manage to push “Justin Bieber Syphilis” to the top of Google Trends, but in July, they hacked YouTube posting pop-up windows on video pages and, for Bieber, re-directing his video pages to porn or malware websites.

6. Twitter
If back in March you wondered why a bunch of your friends on Twitter thought you were fat, it wasn’t because of your pudgy midsection. Hundreds of Twitter accounts were hacked and links to weight loss websites were posted in their feeds. In May, hackers hit Twitter again dropping celebrity follow lists to zero and forcing them to follow people they didn’t request, which was more funny than tragic.

5. ImageShack
Without ImageShack, how would we be able to see animated GIFs of Katy Perry’s bouncing Elmo boobs or professional soccer fails? For a while, we almost found out as one of the world’s largest image sharing sites, which includes the popular YFrog service used by many on Twitter, was hacked creating chaos for MySpace commenters who wanted to leave sparkly images on their friends’ profile pages and Twitter food nerds who just had to Tweet iPhone images of their lunch. Fortunately for all of us, no files were lost and ImageShack was soon returned to normal. God knows, we couldn’t live without pictures of fairies and frito pie.

4. Gawker
If there was ever an example of why everyone should use a variety of passwords with varying degrees of complexity, Gawker’s comment database getting hacked would be it. The Gawker family of sites, which includes Gizmodo, Jalopnik, Jezebel, Lifehacker and Deadspin, saw its entire user database sliced and diced, compromising user names and passwords, meaning if you had a Gawker account and used the same password there as you did in other places, you might want to change that like now.

3. Tea Party
The Tea Party’s rancorous political fury paved the way for a shift in the balance of power in Congress making them, as you might imagine, a prime target for hackers. A little over a month before the election, that pesky 4chan managed to hack TeaParty.org and replace photos in their photo section with LOLCat-style images like bears covered in snow with the words “I FUCKING LOVE COCAINE!” on them by users named “dick licker.” The Tea Party managed to straighten things out and it didn’t seem to affect their performance at the polls.

2. MasterCard and Visa.com
Earlier this month, Anonymous and their Operation Payback set their sights on anyone who didn’t fully support WikiLeaks. In this case, it was MasterCard and Visa, who suspended donations for the online document leak organization. Both sites were crippled by DDoS attacks prompted by Anonymous. PayPal managed to block similar attacks made by the same group in retaliation for cutting off donations to WikiLeaks, but Visa and MasterCard weren’t so lucky.

1. Wikileaks
Ironic that the source of one of the greatest leaks of confidential government information of all time was itself compromised. According to WikiLeaks, in early December, their website was taken down by a cyber attack they claim was instigated by the Chinese government. Apparently, the Chinese were upset about revelations that they may no longer fully support North Korea. The attack, along with Amazon.com dropping WikiLeaks from its servers, prompted the organization to create hundreds of mirror sites around the world to prevent the site from being easily targeted again. Now, if they could just reveal what “secret sauce” is, we’ll all be safe from terror.
News: http://www.pcadvisor.co.uk/news/index.cfm?NewsID=3254182
Nearly four in five (79 percent) web users admit to using personal information and phrases in passwords, says Check Point.  Research by the security firm, which created the ZoneAlarm software, revealed more than a quarter (26 percent) reuse the same passwords for email, online banking or social networking accounts, while 8 percent claim they copy passwords from online lists of ‘good’ passwords.
Furthermore, more than 22 percent have had their social networking accounts hacked, and the same amount have experienced email hacking.
“Especially now, with online shopping on the rise this holiday season, consumers need to be aware of the importance of passwords and the fact that hackers are getting more and more sophisticated in cracking them,” said Bari Abdul, vice-president of consumer sales at Check Point.
News: http://inaudit.com/audit/it-audit/system-glitch-confuses-bank%E2%80%99s-customers-3704/
Grupo Santander, a banking firm based in Spain, has reported to the Financial Services Authority (FSA) a system glitch with its printers that led to the distribution of 35,000 bank statements to the wrong recipients, risking millions of pounds in fines for the data breach.
The erroneously released bank statements, containing personal information of Santander customers such as name, address, bank details and recent transactions, were produced after one of the bank’s printers experienced a system glitch and printed roughly 35,000 copies, according to a Santander employee.
The Information Commissioner’s Office said it has been receiving similar reports about Santander’s system glitch, but added that the bank has not given any official statement regarding the blunder.
Grupo Santander has confirmed that the system glitch would not affect all of its 35,000 customers whose bank statements were sent to third parties, as the printer failure occurred only on December 18. The bank has also vowed to answer questions and calls from the customers affected by the glitch, even to the extent of refunding any losses incurred from the blunder.
News: http://www.controlengeurope.com/article/38793/Secure-SCADA-set-to-prosper-in-the-future.aspx
New analysis from Frost & Sullivan indicates that the SCADA market is among the most rapidly growing control systems markets in the world.

The report, ‘Strategic Analysis of the World SCADA Market,’ finds that the market earned revenues of $4,584.5 million in 2009 and estimates this to reach $6,902.4 million in 2016. Markets in Western Europe and North America will continue expanding over the next few years due to the increasing demand to modernise power and water and wastewater infrastructure. New infrastructure investments in the Middle East, Africa, Asia Pacific, Latin America and Russia in sectors like oil and gas, power, water and wastewater, will also spur SCADA markets to grow rapidly in these regions. The key market challenge manufacturers have to face is ensuring enhanced cyber security.

Industry sectors covered as part of this research include oil and gas, power, water and wastewater, and others covering plant-level SCADA (food and beverage, pharmaceuticals, chemicals, pulp and paper) and automotive and transportation. Software, hardware and services are some of the product categories covered in this research.
“Oil exploration in Siberia, the North Sea, the Gulf of Mexico and North Western Africa has gained renewed interest,” said Frost & Sullivan Research Analyst Katarzyna Owczarczyk. “The need to control geographically dispersed assets drives cash rich oil majors to invest in SCADA systems, thereby supporting market expansion.”

WTF:  http://www.bloomberg.com/video/65411846/
Gregory Evans interviewed by Bloomberg
Gregory Evans, founder of Ligatt Security International, talks about Bank of America Corp.’s decision to stop processing transactions for the WikiLeaks website and security issues for corporate computer networks. WikiLeaks founder Julian Assange, who told Forbes magazine that he’ll release documents from a U.S. bank next year, said in 2009 that his group had a hard drive from a Bank of America executive. Evans speaks with Betty Liu on Bloomberg Television’s “In the Loop.”