ISDPodcast Episode 280 for December 16, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.
Announcements:
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
http://aide.marshall.edu/default.htm
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News: http://www.csoonline.com/article/646713/smartphone-botnets-new-report-predicts-mobile-devices-will-be-part-of-ddos-attacks
Smartphones could soon be used to launch distributed attacks, much like traditional PCs are now used as parts of larger botnets, according to a new report from ENISA, the European Network and Information Security Agency. In research that details the many risks of smartphones, the findings claim that while the devices are not currently being targeted for such attacks, this may change as mobile devices become more popular and more connected, and as the complexity of, and the number of vulnerabilities in, these platforms increase.
Smartphone botnets could be used for familiar crimes such as spam, click fraud and DDoS, the report claims. Since smartphones interface with cellular networks, they could also be used for new distributed attack scenarios, such as SMS spam and DDoS on telephony networks. Such attacks could be used to support wider attacks on, for example, other infrastructure.
“Mobile phone coverage is becoming increasingly vital, especially in the event of an emergency, so smartphones open up new possibilities for DDoS attacks with potentially serious impacts,” according to the findings.
As an example, the report cites a 2001 virus that impacted DoCoMo, a Japanese mobile operator. The ‘i-mode virus’ had access to call interfaces, which were available to malicious emails at the time, and caused the user’s device to dial emergency numbers.
News: http://bits.blogs.nytimes.com/2010/12/14/f-b-i-memos-reveal-cost-of-a-hacking-attack/
Repelling a hacker attack can be costly as PayPal, Visa and MasterCard undoubtedly found out last week as they tried – with mixed success – to keep their Web sites from being knocked offline by supporters of Wikileaks.
How much money exactly? An unrelated attack several years earlier on Google may provide some insight.
In 2005 Google was battling the Santy worm, a bit of malicious software that caused infected computers across the globe to automatically enter search queries – so many, in fact, that Google was overwhelmed. Details of the episode are chronicled in internal F.B.I. memos obtained by The New York Times through a Freedom of Information Act request.
On Dec. 22, 2005, Google complained to the F.B.I. that the attack had slowed its search engine’s performance. For the previous 12 to 18 months, Google said it had been plagued by variants of the worm, which used search queries to find vulnerable Web sites and deface them by exploiting a security hole in the community forum software phpBB (PHP Bulletin Board).
News: http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems.
“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI’s Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”
He declined to provide further details. Over the past week, at least two other sites – one known to have ties to Silverpop and another that appears to – offered similar warnings to their customers. deviantART, a website that boasts more than 16 million registered accounts, warned its users that their email addresses, user names and birth dates were exposed to suspected spammers as a result of a breach at the email provider.
News: http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228800582/china-likely-behind-stuxnet-attack-cyberwar-expert-says.html
Israel and the U.S. so far have been pegged as the most likely masterminds behind the Stuxnet worm that targeted Iran’s nuclear facility, but new research indicates China could instead be the culprit.
Jeffrey Carr, founder and CEO of Taia Global, an executive cybersecurity firm, and author of Inside Cyber Warfare, says he has found several clues that link China to Stuxnet. “Right now I’m very comfortable with the idea that this is an attack that emanated from China,” Carr says. “I’m fairly certain this was China-driven.”
Carr, who blogged about his new theory today, says Vacon, the maker of one of the two frequency converter drives controlled by the Siemens programmable logic controllers targeted by the Stuxnet worm, doesn’t make its drives in its home country Finland, but rather in Suzhou, China.
Chinese customs officials in March 2009 raided Vacon’s Suzhou offices and took two employees into custody, allegedly over some sort of “irregularities”; the timing of that raid coincides with when experts think Stuxnet was first created, according to Carr. “Once China decided to pursue action against this company and detain two of its employees, they had access to everything — this is where they manufacture the drives, so they would have easy access if they were looking for that material,” such as engineering specifications, he says.
News: https://www.eff.org/node/12056
In EFF’s second major privacy victory in as many days, the Third Circuit Court of Appeals today denied the government’s request that it reconsider its September decision regarding government access to cell phone company records that reveal your past locations. That means the court’s original opinion — holding that federal magistrates have the discretion to require the government to get a search warrant based on probable cause before obtaining cell phone location records — is now the settled law of the Third Circuit, assuming the government doesn’t seek review by the Supreme Court. Importantly, this victory won’t just provide greater protection for the privacy of your cell phone records but for all other communications records that the government currently obtains without warrants.
As we summarized when we filed our latest brief opposing the government’s petition to the Third Circuit for a rehearing, this appellate case — awkwardly titled In the Matter of the Application of the USA for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government — was sparked when the government appealed a lower court judge’s denial of a government request for a court order to obtain cell phone location records without probable cause. In September, we won a great victory when the three-judge panel reviewing the case agreed with EFF’s arguments and held that federal law gives magistrates the discretion to require warrants for such data. The panel did not reach the question of whether the Fourth Amendment requires warrants in such cases — we think it does — but instead ordered the case back to the magistrate for her to develop a fuller factual record supporting the use of her discretion. However, the government threw a wrench in that plan earlier this month, asking all of the judges in the Circuit — in legal terms, the entire court sitting “en banc” — to review and overturn the panel ruling. And today, the government got its answer from the Third Circuit: no. The decision stands.
This victory is particularly gratifying because the Third Circuit’s decision has implications far beyond cell phone location privacy. The main holding of the case was a general ruling about the federal Stored Communications Act (“SCA”), the portion of the Electronic Communications Privacy Act of 1986 that regulates communications providers’ disclosure of communications content and records. That statute is regularly used by the government to secretly obtain a broad range of content and records, not just cell phone location records, based not on a probable cause warrant but on a much easier to obtain court order that doesn’t require probable cause (often called a “D Order” since such orders are authorized in subsection (d) of section 2703 of the SCA). For example, the government routinely obtains email content using D orders instead of warrants (you may remember we joined with Yahoo! to beat back such a request just this summer).
The key holding in this case affects the basic operation of the SCA for D Orders. What the Third Circuit held was that, when the government applies for a D Order, the judge has the discretion to deny that application and instead require a warrant in order to avoid potential Fourth Amendment problems. This is an incredibly powerful pro-privacy ruling, especially compared to the government’s position that courts must grant D orders when the government meets the minimal, non-probable cause factual showing that the statute requires. The Third Circuit has clarified that judges can deny D Order applications — for cell phone records, for emails, or anything else — so long as they have reason to believe that the order might violate the Fourth Amendment.
Although this decision is only binding in the Third Circuit, we expect it will newly embolden magistrates across the country to deny government applications that raise serious Fourth Amendment questions. And it certainly will assist EFF and other friends of the court when we fight against such government applications — we no longer have to convince magistrates that the government’s requested order would violate the Fourth Amendment, but only that it might. Meanwhile, the Third Circuit’s decision also strengthened those Fourth Amendment arguments, by being the first federal appellate decision in more than 30 years to hold that you can have a reasonable expectation of privacy in records that a company keeps about you, another key ruling that has implications far beyond cell phone location privacy.
News: https://threatpost.com/en_us/blogs/unauthorized-access-ohio-state-server-affects-760000-121610
Ohio State University warned those who have had contact with the University that a server containing personally identifiable data was illegally accessed by a third party and may have exposed data on 760,000 people.
The university is notifying past and present students, faculty, staff, and student applicants, as well as certain contractors and consultants affiliated with the University, of the breach, which was discovered when staff noticed suspicious activity on a server belonging to the office of the university’s CIO in late October, according to Jim Lynch, Director of Media Relations at Ohio State University. Lynch went on to say that the attack may have been going on for a few months by the time they discovered the suspicious activity on the server. University officials maintain that the attackers accessed the server in order to launch cyber attacks on other businesses, whose names they were unable to disclose as they are involved in an ongoing investigation, and that investigators found no evidence that the sensitive information stored on it, which includes names, birthdates, addresses, and social security numbers, was actually taken.
Following the lead of other data breach victims, Ohio State is offering a year’s worth of credit protection services, which according to Lynch would cost the university approximately $4 million.
Follow up: http://www.thenewnewinternet.com/2010/12/16/4-million-price-tag-to-clean-up-after-osu-hacker-attack
$4 Million Price Tag to Clean Up after OSU Hacker Attack