Your daily source of Pwnage, Policy and Politics.

Episode 276 – @th3j35t3r, WikiLeaks, Zeus, IE 0-day, NIST & CN BG


ISDPodcast Episode 276 for December 10, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.


Announcements:

SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
CFP Deadline: December 12, 2010
http://aide.marshall.edu/default.htm

Stories:
News:
http://th3j35t3r.wordpress.com/2010/12/08/time-to-speak-up-part-one
http://th3j35t3r.wordpress.com/2010/12/09/time-to-speak-up-part-two
http://th3j35t3r.wordpress.com/2010/12/10/time-to-speak-up-part-three
Over the past few days, @th3j35t3r has made some postings on his blog with regard to XerXeS, Anonymous and 4Chan. I highly recommend you read his blog and see what he has to say. There are other blog postings regarding th3j35t3r, as well as the people being targeted because they are “thought” to be th3j35t3r. In one case it seems that they even contacted the Helena Police Department and pretended to be an Indian tech support guy. (http://dc406.com/index.php?option=com_content&view=article&id=446:operation-payback-dialoge)

The Praetorian Prefect blog (http://praetorianprefect.com/archives/2010/12/anonymous-turns-operation-payback-toward-the-jester) indicates that “Jester, or th3j35t3r as he’s known on Twitter, has ostensibly had the identity of either himself or his close associate revealed as a Montana man who works for the state government named Robin Jackson, who is becoming the target of what could be a good deal of unpleasantness from Anonymous and the 4chan/b/ board at large.”

News: http://thenextweb.com/eu/2010/12/09/16-year-old-boy-arrested-in-the-netherlands-over-mastercard-and-visa-website-attacks/

The Dutch High Tech Crimes unit has just announced the arrest of a 16-year-old in connection with hacker attacks on MasterCard and Visa websites, which we reported on earlier this week. The teen, who was arrested in The Hague, Netherlands, is due in court Friday in Rotterdam, according to Dutch media. See the official announcement from the Dutch Police here.

“He is probably part of a larger group of hackers, who are under continued investigation,” the Dutch authorities said in a report on CNN. That larger group of hackers includes a group known as “Anonymous” who refer to their communications channel as “The Anon_Ops.” They released a DIY hacking tool earlier today via Twitter, so other WikiLeaks supporters could participate in the attack.

As we reported earlier, this group continued to target PayPal today in support of WikiLeaks because PayPal stopped handling donations to WikiLeaks last week. Amazon is now subject to attack as they shut down their hosting of WikiLeaks last week, saying it violated their terms of service by publishing potentially harmful material it did not own. “We can not attack Amazon, currently. The previous schedule was to do so, but we don’t have enough forces,” Anonymous said on Twitter. And WikiLeaks founder Julian Assange has said in court that not one person has been demonstrably harmed in WikiLeaks’ four years.


News: http://www.switched.com/2010/12/10/wikileaks-military-bans-thumb-drives/
Now that WikiLeaks has leaked thousands of sensitive documents into the world, the U.S. military is stepping up its efforts to make sure that it won’t happen again. According to Wired, the military has decided to ban all personnel from using DVDs, CDs, thumb drives and any other form of removable media that can transfer data from computer to portable device. Anyone who violates the policy will face a court martial.

The move comes in apparent response to Army Private Bradley Manning, who is accused of downloading files from the Defense Department, and handing them over to WikiLeaks. The military is also exploring other ways to limit what its personnel can share, and DARPA has reportedly begun working on a system that can “greatly increase the accuracy, rate and speed with which insider threats are detected… within government and military interest networks.” That project, however, probably won’t be finished for a while. (This explains the military’s decision to implement the recent stop-gap measure.)

Meanwhile, ‘Anonymous’ members continue to attack sites of companies that have severed ties with WikiLeaks, and Julian Assange’s organization apparently wants nothing (officially) to do with them. Spokeswoman Kristinn Hrafnsson tweeted: “We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets.”


News: http://www.huffingtonpost.com/2010/12/10/openleaks-wikileaks-rival_n_794939.html

Several key members involved with online whistleblower WikiLeaks are said to be deserting beleaguered founder Julian Assange to form their own rival site, Openleaks, reportedly expected to launch Monday.

According to the Swedish newspaper Dagens Nyheter, the new site will be called “Openleaks,” and like its predecessor, will allow whistleblowers to leak information to the public anonymously. However, the new site will differ in that it won’t be responsible for hosting the information itself directly for the public eye, but will instead act as an intermediary between whistleblowers and media organizations.

“Our long term goal is to build a strong, transparent platform to support whistleblowers–both in terms of technology and politics–while at the same time encouraging others to start similar projects,” a colleague wishing to remain anonymous is quoted by Dagens Nyheter as saying.

In a documentary by Swedish broadcaster SVT, obtained in advance by the Associated Press, former WikiLeaks spokesman Daniel Domscheit-Berg said the new website will work as an outlet for anonymous sources. The AP quotes some excerpts of the documentary:

“Openleaks is a technology project that is aiming to be a service provider for third parties that want to be able to accept material from anonymous sources,” Domscheit-Berg said.

Domscheit-Berg, who during his time with WikiLeaks often went under the pseudonym Daniel Schmitt, said he quit the project after falling out with Assange over what he described as the lack of transparency in the group’s decision-making process. “If you preach transparency to everyone else you have to be transparent yourself. You have to fulfill the same standards you expect from others, and I think that’s where we’ve not been heading in the same direction philosophically anymore,” he said in the documentary.

Members involved in the new site’s formation are also reportedly incensed by what they describe as Assange’s “autocratic” behavior, and believe the rival site will be more “democratically governed.” In addition, many believe Assange’s ongoing rape controversy is damaging WikiLeaks’ reputation worldwide.

News: http://www.wired.com/threatlevel/2010/12/easydns/
A DNS provider that suffered backlash last week after it was wrongly identified as supplying and then dropping DNS service to WikiLeaks has decided to support the secret-spilling site, offering DNS service to two domains distributing WikiLeaks content.

EasyDNS, a Canadian firm, was attacked last Friday after media outlets mistakenly reported it had terminated its service for WikiLeaks. The company sent an e-mail to customers Thursday morning letting them know that it had begun providing DNS service for WikiLeaks.ch and WikiLeaks.nl, two of the primary domain names WikiLeaks relocated to after WikiLeaks.org stopped resolving.

“We’ve already done the time, we might as well do the crime,” Mark Jeftovic, president and CEO of EasyDNS, told Threat Level about his decision.

DNS service providers translate human-friendly domain names to IP addresses, so when someone types www.Amazon.com into their browser, for example, they’re properly connected to 72.21.211.176, the address of the host.

It was actually EveryDNS, a competitor of EasyDNS, that had been providing this service to WikiLeaks.org for free. EveryDNS terminated this service last week after WikiLeaks was hit by prolonged denial-of-service (DoS) attacks by people opposed to the group publishing classified U.S. State Department cables. The company said the denial-of-service attacks against WikiLeaks threatened the stability of service for other EveryDNS customers.

News: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800040&subSection=News
The Zeus botnet toolkit has gotten an upgrade: it now has the ability to target large retailers’ credit card users’ accounts.

That warning was issued on Wednesday by Amit Klein, CTO of data security firm Trusteer. “Our research group recently discovered a Zeus botnet that is targeting credit card accounts of major U.S. retailers including Macy’s and Nordstrom just as the holiday gift buying season is in full swing,” he said in a blog post.

Klein said the new capabilities are built into Zeus 2.1.0.8 — the latest version — and appear designed to steal people’s credit card details so criminals can conduct “card not present” (CNP) transactions. Merchants must typically foot the bill for any CNP fraud that occurs on their cards, thus many have invested substantial resources into detecting fraudulent transactions.

Accordingly, the Zeus malware now takes additional steps to circumvent anti-fraud measures. “The attack we discovered uses social engineering to gather additional information beyond the credit card number that will make it easier for the criminal to bypass fraud detection measures used to investigate suspicious transactions,” said Klein.

In particular, Zeus can inject a seemingly legitimate “man-in-the-middle pop-up,” he said, which requests the user’s credit card number — for Macy’s or Nordstrom, as appropriate — as well as card expiration date, CVV security code, social security number, mother’s maiden name, and date of birth. After entering the information, users hit a button that says “verify.” Of course, nothing is being verified; the information is being recorded by Zeus and funneled to the criminals behind this operation.

This latest attack highlights the challenge faced by merchants, as well as security firms, of trying to keep pace with rapidly evolving financial malware. Indeed, the emergence of inexpensive financial malware such as Zeus — apparently available for as little as $3,000 on the black market, though customizing it with other capabilities can easily add another $10,000 — means that criminals without computer expertise now have access to cheap botnets and automated attack toolkits.


News: http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010
Another serious remotely exploitable bug in Internet Explorer has cropped up, this one related to the way that IE handles a specific DLL library on pages that reference CSS files. There also is publicly available exploit code for the new bug. The vulnerability was disclosed initially on the Full Disclosure mailing list on Wednesday when someone posted exploit code for the IE bug. The flaw affects IE 8, IE 7 and IE 6 running on most of the currently supported versions of Windows, including Windows 7, Windows Vista and Windows XP SP3.

“A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the ‘mshtml.dll’ library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various ‘@import’ rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page,” an analysis of the bug by Vupen says. “VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.” There is no patch available for the vulnerability right now. Microsoft is fixing a separate remotely exploitable Internet Explorer bug in next week’s monthly Patch Tuesday update.

“Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP),” Microsoft’s Mike Reavey said in a blog post about the December patch release.

http://www.exploit-db.com/exploits/15708/

News: http://www.infosecurity-magazine.com/view/14426/visa-taps-cardholders-mobile-location-to-tackle-fraud/
Visa Europe has announced plans to use the location of a cardholder’s mobile phone to better detect fraud using its payment cards. The card company has reportedly contracted with ValidSoft, part of the ElephantTalk telecoms group, for the service. The linkup – which has significant issues on the privacy front, Infosecurity notes – means that the users’ mobile location, which can be triangulated from the cellular base stations it is logged into, may be used when assessing the risk element of a given transaction. For example, if a cardholder is trying to draw cash at an ATM in Germany, whilst their mobile is in the UK, there are grounds for suspicion. “After all, our mobile phone is practically tied to our umbilical cords – we rarely leave home without it. Visa knows it and so do the rest of us. Why shouldn’t it serve as a useful tool for preventing fraud against us?” she said.


Scary quote: In July of this year, Litan and fellow analyst William Clark penned an analysts’ note predicting that, by 2015, at least 15% of all payment card transactions “will be validated using mobile location and profile information”.


Good followup story: http://www.csoonline.com/article/644515/as-smart-phones-become-wallets-pickpockets-circle-security-expert-warns?source=rss_cso_exclude_net_net


News: http://www.infosecurity-us.com/view/14560/federal-agencies-banks-agree-to-cooperate-on-cybersecurity/

The Commerce Department’s National Institute of Standards and Technology (NIST), the Department of Homeland Security, and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security signed a memorandum of understanding this week to facilitate innovation, identify and address cybersecurity vulnerabilities, and develop effective cybersecurity processes to keep financial institutions safe from cyber attack.

The public and private organizations plan to combine their cybersecurity expertise, research and development capabilities and other resources to test new cybersecurity technologies and develop new processes that protect financial services functions. This cybersecurity research could also be applied to the health care and smart grid areas, NIST noted.


Keith: So whatever became of the use of InfraGard, which was meant to perform this public/private function? Is DHS, which has absorbed it, now planning on ignoring the already established members and functionality?


News: http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html?hpg1=bn

Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there’s no question about the underlying cause of this incident: the lack of built-in security in the Internet’s main routing protocol. Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.

Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers. The fix – known as Resource Public Key Infrastructure (RPKI) – is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world’s Internet traffic in April. Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet.

Not everyone believes it will work. At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information. Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes. “The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable,” Huston says. “It will eliminate a large class of problems…Such a system would directly address the [China Telecom] incident.” The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet’s routing system a key cybersecurity initiative. How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telecom, NTT, Sprint and Equinix.
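Route origin validation, the check RPKI makes possible, as an added example that is not from the article or from any RPKI implementation: each ROA states a prefix, the longest announcement length the holder permits, and the origin AS authorised to announce it, and a BGP announcement is classified Valid, Invalid or NotFound per RFC 6811. The ROAs and announcements below use documentation prefixes and private AS numbers constructed for this example; the logic also covers the maxLength and AS0 cases, which the article does not mention.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # IP prefix the holder is certified for, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length that may be announced under this ROA
    asn: int          # origin AS authorised to announce it (0 = nobody may)


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation of one announcement.

    Returns "valid", "invalid" or "notfound".
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue
        # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
        if net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"          # no ROA speaks about this address space
    for roa in covering:
        # Matching ROA: same origin AS and announcement no more specific than maxLength.
        # An AS0 ROA never matches a real origin, so everything it covers is invalid.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"               # covered, but by no matching ROA: a hijack or misconfiguration


def classify(announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA]) -> List[Tuple[str, int, str]]:
    """Run validation over a list of (prefix, origin ASN) announcements."""
    roas = list(roas)
    return [(p, asn, validate_origin(p, asn, roas)) for p, asn in announcements]


# Constructed sample ROAs (documentation ranges and private AS numbers, not real data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),    # AS64496 may announce exactly /24
    ROA("198.51.100.0/24", 24, 0),     # AS0: this space must never be announced
    ROA("2001:db8::/32", 48, 64496),   # AS64496 may announce /32 down to /48
]

# Constructed announcements: a legitimate one, a hijack, an over-specific leak, and unknown space.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("192.0.2.0/25", 64496),
    ("203.0.113.0/24", 64496),
]

if __name__ == "__main__":
    for prefix, asn, state in classify(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A router applying a drop-invalid policy would reject the second and third announcements while still accepting the unknown one, which is why the article calls RPKI a first step rather than a complete fix.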