Your daily source of Pwnage, Policy and Politics.

Episode 278 – Crime Sentences, ERPScan, Firefox, Symbian & Really?

ISDPodcast Episode 278 for December 14, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm
Stories:
News: http://bit.ly/h8kLb5
The Department of Homeland Security (DHS) has launched a new cybersecurity center aimed at communicating more efficiently with state and local governments about potential cybersecurity threats to critical U.S. infrastructure. The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center is a 24-hour watch and warning facility aimed at giving government officials at the state and local levels better situational awareness about cybersecurity incidents, according to the DHS. The goal of the new facility is to provide state and local governments with the same critical cyber risk, vulnerability and mitigation data that the federal government is privy to, according to the DHS. The National Cybersecurity and Communications Integration Center (NCCIC) — the cyber incident response hub led by the DHS — will coordinate information for the MS-ISAC Operations Center. The MS-ISAC itself is a way for state and local governments to work together to enhance cyber-threat prevention, protection, and response and recovery.

News: http://www.computerworld.com/s/article/9198380/Scammers_can_hide_fake_URLs_on_the_iPhone_says_researcher
Identity thieves can hide URLs on the iPhone’s limited screen real estate, tricking users into thinking they’re at a legitimate site, a security researcher said today. In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America’s mobile banking application hide Safari’s address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone. “Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,” said Dhanjani on his personal blog and in an entry on the SANS Institute’s blog. Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they’ve created and then duped users into visiting, Dhanjani said. The ability to hide the address bar in iOS, Apple’s mobile operating system that powers the iPhone, is by design, noted Dhanjani, who said he had reported the problem to Apple. “I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,” said Dhanjani. He suggested that Apple modify iOS to prevent Web applications from hiding the URL.

“Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view,” he said. “Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered.”

News: http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/McDonalds-Database-Compromise-3rd-Party-Lessons/ba-p/15807

The McDonalds Corporation has an interesting FAQ up right now titled “Potential Access to Customer Data by Unauthorized Third Party”.  Luckily, this incident isn’t all that serious, because it only involved email, address and phone number details as well as your birth date and gender …and “certain information about your promotional preferences or web information interests”.  Interested?

Obviously, someone got hacked since the site’s first point reads:

“Unfortunately, a third party was able to defeat the security measures put in place by the email database management firm to protect the information you provided to us.  Law enforcement authorities have been notified and are investigating the matter.”

More specifically, it sounds like someone got their database hacked …maybe through a poorly written web application that had a SQL Injection hole in it?  Dare I speculate?  Hey, a database was involved, data was extracted, you do the math!

The Orange County Register has some more information, naming specifically the 3rd party that was compromised – Arc Worldwide – as the entity which likely held the promotions as well as the data in a database on McDonalds’ behalf.  So what we have here is McDonalds stepping up and taking responsibility for a data breach at a partner of theirs … this brings me to 2 interesting points.

First and foremost – big hat-tip to McDonalds Corp. for stepping up and just taking responsibility for what has happened.  The breach is obviously nothing huge – in fact the information is probably not even all that much different than what you’ve already given every FaceBook app you’ve ever clicked “Accept” on – but it does demonstrate that McDonalds is taking responsibility seriously.  They could have simply pushed off responsibility and more importantly, blame, onto Arc Worldwide – but they didn’t.  Partners, affiliates, and cooperating 3rd parties are all a part of the business network that carries our customer data, so no matter who ultimately discloses it – it’s the big brand label that takes the trust hit and must step up.  McDonald’s has taken the right step here, and they deserve applause.

URL: http://www.aboutmcdonalds.com/mcd/our_company/mcd_faq/database.html
News: http://www.eweek.com/c/a/Security/Hacker-Gets-18-Months-in-UK-Prison-112826/
A Scottish man was sentenced to 18 months in prison for spamming out e-mails laced with malware and stealing data. A 33-year-old Scottish man was sentenced today to 18 months in prison in the U.K. for spamming out malware-infected e-mails and stealing data. The sentencing today of Matthew Anderson of Drummuir, Aberdeenshire, Scotland, brought an end to an investigation first launched four years ago. According to the Metropolitan Police Service (MPS), Anderson was part of a ring that targeted hundreds of businesses in the U.K. with malware starting in 2005. The conspiracy was operated by members of a cyber-crew called m00p that spammed out millions of e-mails laced with malware, authorities said. It was Anderson’s job to manage the operation by composing the e-mails and distributing them with virus attachments, police said. The malware allowed Anderson to access private data stored on computers without the knowledge of the computer’s owner, according to police.

Tools: http://erpscan.com
ERPScan Online Security Assessment for SAP Frontend can help you check the overall security of your SAP frontend in the context of SAP.

News: http://www.theregister.co.uk/2010/11/26/royal_wedding_spoof_social_engineering/
A benign social engineering experiment has proved how easy it would be to make thousands out of gullible monarchists anxious for a chance to attend next April’s royal wedding. A hoax website selling “Golden Tickets” to the social event of the millennium attracted more than 160 visitors – all willing to pay £250 a head for the privilege of attending the ceremony – in just 12 hours. Even the dubious promise that “one lucky guest will appear in the couple’s wedding photographs” was not enough to deter the delirious Wills’n’Kate fans. Fortunately the exercise was not a genuine con, but an exercise designed to raise scam awareness by website Scam Detectives. “Had this been a real scam, it could have netted up to £33,000 in the first 12 hours,” said Scam Detectives editor Charles Conway. Scam Detectives used a free online website building package to set up a spoof site – http://www.royalwedding.weebly.com – only minutes after the announcement of the royal wedding. The site was promoted using social networks, adverts on classified advertising websites and spam posts on popular forums. The first visitors arrived within three minutes of the site going live. Making use of Google keywords or other tactics, not employed in the exercise, would likely have brought in even more interest. “Visitors to this website were very lucky,” said Charles. “Had this been a real scam they would not only have lost their £250, but would also have handed over their credit card details to criminals who would have gone on a shopping spree, maxing out the credit limit within hours.” In an odd twist, The Sun reported on Thursday that 100 randomly chosen members of the public would get a “golden ticket” to the wedding. Scam Detectives said it was unaware of these plans at the time it ran its exercise, pointing out that the news would have only added credibility to potential scams.

News: http://threatpost.com/en_us/blogs/mozilla-disables-websockets-firefox-4-over-security-concerns-120810
Officials at Mozilla have decided to disable support for WebSockets in future versions of Firefox because of concerns over the security of the current version of the protocol. The group said that demonstrations of serious attacks against WebSockets have spurred the move. Mozilla said that they plan to keep the WebSockets code in the Firefox 4 development tree, which is in beta right now, so that they have the ability to enable it again if the security concerns are cleared up in the future. “We’ve decided to disable support for WebSockets in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 included support for the -76 version of the protocol, the same version that’s included with Chrome and Safari,” Mozilla’s Christopher Blizzard wrote in a blog post explaining the decision. “Adam Barth recently demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet. Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox, even a minor update release. The code will remain in the tree to facilitate development, but will only be activated when a developer sets a hidden preference in Firefox.”

News: http://www.h-online.com/security/news/item/Hacker-plants-back-door-in-Symbian-firmware-1149926.html
Indian hacker Atul Alex has had a look at the firmware for Symbian S60 smartphones and come up with a back door for it. By modifying version 5 of the original software – which runs on such devices as the Nokia 5800, Nokia X6, Nokia 5530XM, Sony Ericsson Satio and Sony Ericsson Vivaz – he has integrated a back door as a reverse shell, including support for Perl scripts. All of the smartphone’s functions can be remotely controlled, including the camera. Alex wrote the back door itself in Python. He plans to make the firmware available for free soon for downloading. To install a modified operating system, however, an attacker would first have to get hold of a smartphone for a few minutes and connect it to a computer via a USB cable or something similar. Once installed, the back door calls the attacker via a wireless connection and transmits the device’s current IP address. The shell listens in at port 5530 and handles such functions as netcat, mkdir and wget. In addition, it reportedly supports over-the-air installation of additional applications. The back door also includes options to read out email, telephone lists, and text messages from memory, create screenshots, take photos with the phone’s integrated digital camera, and record telephone calls. The stolen data are transmitted via GPRS/UMTS or WLAN to the attacker’s file server.

News: http://www.computerworlduk.com/news/it-business/3252493/chevron-bags-major-north-sea-oil-contract-despite-safety-software-crashes

The government gave Chevron the go-ahead in September to drill in the North Sea near Shetland, in spite of the US oil giant’s admission that its contractor’s spill prediction software constantly crashed and was not a reliable predictor of how far oil could travel if an accident took place.

The news comes in a week that US investigations into BP’s disastrous Deepwater Horizon oil spill hit the buffers, after an IT contractor firm refused to hand over access to its software.

Before the new North Sea drill, which continues to run without accident, Chevron admitted the serious computing problems in confidential documents sent to the Department of Energy and Climate Change, which approved the drill. A redacted version of the communications was released as part of a Freedom of Information request made by the Guardian newspaper.

The Oil Spill Information System (OSIS), from BMT Argoss and used by services firm Oil Spill Response, crashed repeatedly when Chevron attempted to run it to model a 20 day period. In the end, Chevron ran the Microsoft Windows-based system for 14 days only because it said “no usable information” could be gleaned from the full run.

The system is based on Eurospill, a simulation model developed with grants from the Department for Transport and the European Commission. On its website, BMT Argoss says the system is “a sophisticated tool for predicting oil spill transport and fate”, and builds on 30 years of research and 15 years of modelling technology development.

The modelling system was only able to predict what would happen for a fortnight, even though Chevron said that in reality it could take a further four weeks to cap a well, and even longer in bad weather or without access to the right equipment.

In an email to the Offshore Inspectorate, dated 7 September, Chevron said it was working “at the boundaries of modelling capability”.

According to the models used, a deepwater blowout at Chevron’s Lagavulin rig could spew over a million gallons of oil into the sea over the first two weeks, with the crude polluting most of the Coast of eastern England and Scotland, as well as much of Norway and spreading as far as Iceland and Greenland.
News: http://bit.ly/gbsCbE
Twelve Scams of Christmas

1) iPad Offer Scams – With Apple products topping most shopping lists this holiday season, scammers are busy distributing bogus offers for free iPads. McAfee Labs found that in the spam version of the scam consumers are asked to purchase other products and provide their credit card number to get the free iPad. Of course, victims never receive the iPad or the other items, just the headache of reporting a stolen credit card number.  In the social media version of the scam, users take a quiz to win a free iPad and must supply their cell phone number to receive the results. In actuality they are signed up for a cell phone scam that costs $10 a week.

2) “Help! I’ve Been Robbed” Scam – This travel scam sends phony distress messages to family and friends requesting that money be wired or transferred so that they can get home. McAfee Labs has seen an increase in this scam and predicts its rise during the busy travel season.

3) Fake Gift Cards – Cybercrooks use social media to promote fake gift card offers with the goal of stealing consumers’ information and money, which is then sold to marketers or used for ID theft. One recent Facebook scam offered a “free $1,000 Best Buy gift card” to the first 20,000 people who signed up for a Best Buy fan page, which was a look-a-like. To apply for the gift card they had to provide personal information and take a series of quizzes.

4) Holiday Job Offers – As people seek extra cash for gifts this holiday season, Twitter scams offer dangerous links to high-paying, work-at-home jobs that ask for your personal information, such as your email address, home address and Social Security number to apply for the fake job.

5) “Smishing” – Cybercrooks are now “smishing,” or sending phishing SMS texts. These texts appear to come from your bank or an online retailer saying that there is something wrong with an account and you have to call a number to verify your account information. In reality, these efforts are merely a ruse to extract valuable personal information from the targets. Cybercrooks know that people are more vulnerable to this scam during the holiday season when consumers are doing more online shopping and checking bank balances frequently.

6) Suspicious Holiday Rentals – During peak travel times when consumers often look online for affordable holiday rentals, cybercrooks post fake holiday rental sites that ask for down payments on properties by credit card or wire transfer.

7) Recession Scams Continue – Scammers target vulnerable consumers with recession related scams such as pay-in-advance credit schemes. McAfee Labs has seen a significant number of spam emails advertising prequalified, low-interest loans and credit cards if the recipient pays a processing fee, which goes directly into the scammer’s pocket.

8) Grinch-like Greetings – E-cards are a convenient and earth-friendly way to send greetings to friends and family, but cybercriminals load fake versions with links to computer viruses and other malware instead of cheer. According to McAfee Labs, computers may start displaying obscene images, pop-up ads, or even start sending cards to contacts that appear to come from you.

9) Low Price Traps – Shoppers should be cautious of products offered at prices far below competitors. Cyber scammers use auction sites and fake websites to offer too-good-to-be-true deals with the goal of stealing your money and information.

10) Charity Scams – The holidays have historically been a prime time for charity scams since it’s a traditional time for giving, and McAfee Labs predicts that this year is no exception. Common ploys include phone calls and spam e-mails asking you to donate to veterans’ charities, children’s causes and relief funds for the latest catastrophe.

11) Dangerous Holiday Downloads – Holiday-themed screensavers, jingles and animations are an easy way for scammers to spread viruses and other computer threats especially when links come from an email or IM that appears to be from a friend.

12) Hotel and Airport Wi-fi – During the holidays many people travel and use free wi-fi in places like hotels and airports. This is a tempting time for thieves to hack into networks hoping to find opportunities for theft.  McAfee advises Internet users to follow these five tips to protect their computers and personal information:

  • Stick to well-established and trusted sites that include trust marks (icons or seals from third parties verifying that the site is safe), user reviews and customer support. A reputable trust mark provider will have a live link attached to its trust mark icon, which will take visitors to a verification Web site of the trust mark provider.
  • Do not respond to offers that arrive in a spam email, text or instant message.
  • Preview a link’s web address before you click on it to make sure it is going to an established site. Never download or click anything from an unknown source.
  • Stay away from vendors that offer prices well below the norm. Don’t believe anything that’s too good to be true.
  • Make sure to use trusted wi-fi networks. Don’t check bank accounts or shop online if you’re not sure the network is safe.