Your daily source of Pwnage, Policy and Politics.

Episode 269 – th3j35t3r, Amazon, Schneier, ha.ckers.org & Rootkits


ISDPodcast Episode 269 for December 1, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.

SANS Cyber Defense Initiative 2010
Washington, DC.
Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

DojoCon:
13699 Dulles Technology Dr
Herndon, VA 20171
Dec 11-12, 2010

http://www.dojocon.org/

Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
CFP Deadline: December 12, 2010

http://aide.marshall.edu/default.htm

Ultimate Pentesting VM: /resources/upv/

Stories:
News: https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html
The Jester (th3j35t3r), who earlier this week claimed responsibility for a denial of service attack that temporarily disabled the WikiLeaks website, reported that he was the subject of a search and equipment seizure by law enforcement.

According to The Jester’s blog, the raid occurred Monday, just one day after he made national headlines for unleashing the XerXeS DoS attack on the WikiLeaks website, forcing them to move operations to servers hosted by Amazon.  Details are few, but The Jester did post the following message Tuesday night:

So much for being quiet around here. The fire is starting to stir.. as many of you already are aware my door was kicked in and all of my equipment was seized. The weird thing is it was the local sheriff’s office not the government. Hmmm..
In the meantime, my email and WordPress accounts are probably jeopardized so I decided to launch on my own server since nothing can be trusted at this time. I still have copies of all utilities, code, and web backups.  I am trying to raise money from my supporters for attorney fees. If I can raise the required $10k, I will release XerXes along with a port to Win32.  I will keep everyone posted as things start to unfold. I am not sure what’s going to happen, no charges have been filed as of yet. Thanks for all your support! Don’t forget, Follow the new ‘th3j35t3r’ Twitter!

Now, according to th3j35t3r, this new Jester is a fake!  @th3j35t3r: The raid story = fabricated by the imposter (@th3j3st3r – www.th3j35t3r.net) to facilitate him capitalizing on the name, or to draw me out.

News: http://mashable.com/2010/12/01/amazon-wikileaks/
Whistleblower website WikiLeaks has been kicked off Amazon.com’s U.S. servers after moving its operations just a day ago.  The move by Amazon comes after questioning from U.S. Senator Joe Lieberman, the chairman of the House Security Committee.  “This morning Amazon informed my staff that it has ceased to host the Wikileaks website,” Senator Lieberman said in a statement.

“I wish that Amazon had taken this action earlier based on Wikileaks’ previous publication of classified material. The company’s decision to cut off Wikileaks now is the right decision and should set the standard for other companies Wikileaks is using to distribute its illegally seized material.”  WikiLeaks has been the center of attention this week due to its release of more than 250,000 sensitive U.S. diplomatic cables. As a result, the U.S. government has been stepping up pressure against the website, which has also been the target of multiple distributed denial of service (DDoS) attacks. Yesterday, in an attempt to thwart the DDoS attacks, WikiLeaks moved its operations from its Swedish servers to Amazon Web Services, the e-commerce giant’s cloud computing and hosting platform. That didn’t even last for a day though; the whistleblower website is once again hosted on its Swedish servers. Amazon isn’t saying why it kicked WikiLeaks to the curb. While it could have been to protect its servers from inevitable DDoS attacks, we suspect pressure from the U.S. government probably had something to do with it.

That’s not the only problem plaguing it, either. Yesterday, founder Julian Assange was placed on Interpol’s wanted list for sex crimes he’s accused of committing in Sweden.

News: http://www.nytimes.com/roomfordebate/2010/11/22/do-body-scanners-make-us-safer/a-waste-of-money-and-time
Bruce Schneier got it right!
A short history of airport security: We screen for guns and bombs, so the terrorists use box cutters. We confiscate box cutters and corkscrews, so they put explosives in their sneakers. We screen footwear, so they try to use liquids. We confiscate liquids, so they put PETN bombs in their underwear. We roll out full-body scanners, even though they wouldn’t have caught the Underwear Bomber, so they put a bomb in a printer cartridge. We ban printer cartridges over 16 ounces — the level of magical thinking here is amazing — and they’re going to do something else. Take all the money spent on new security measures and spend it on investigation and intelligence. This is a stupid game, and we should stop playing it. It’s not even a fair game. It’s not that the terrorist picks an attack and we pick a defense, and we see who wins. It’s that we pick a defense, and then the terrorists look at our defense and pick an attack designed to get around it. Our security measures only work if we happen to guess the plot correctly. If we get it wrong, we’ve wasted our money. This isn’t security; it’s security theater.

There are two basic kinds of terrorists. There are the sloppy planners, like the guy who crashed his plane into the Internal Revenue Service building in Austin. He’s going to be sloppy and stupid, and even pre-9/11 airplane security is going to catch him. The second is the well-planned, well-financed, and much rarer sort of plot. Do you really expect the T.S.A. screeners, who are busy confiscating water bottles and making people take off their belts — and now doing uncomfortable pat-downs — to stop them? Of course not. Airport security is the last line of defense, and it’s not a very good one. What works is investigation and intelligence: security that works regardless of the terrorist tactic or target. Yes, the target matters too; all this airport security is only effective if the terrorists target airports. If they decide to bomb crowded shopping malls instead, we’ve wasted our money.

News: http://ha.ckers.org/blog/20101201/and-beyond/
ha.ckers.org is coming to an end.  This really shouldn’t come as much of a surprise to anyone, but it’s sad nonetheless.

News: http://bit.ly/fqz2Gr
Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card.  Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom NetExtreme PCI Ethernet cards. He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where the firmware code is stored, as well as the bootstrap process of the device. Using the knowledge gained from this process, Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.

Chief among these is that there will be no trace of the rootkit on the operating system, as it is being hidden inside the network interface card.  “The network card natively needs to perform Direct memory access (DMA) accesses, so that network frames can be exchanged between the driver and the device,” Delugré explains. “From the firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA.” Delugré gave a presentation on his research at the hack.lu conference last month. A write-up of his research, along with slides on his presentation and a demo are available:  http://bit.ly/f1yLhg