ISDPodcast Episode 284 for December 22, 2010. Tonight’s podcast is hosted by Rick Hayes, and Keith Pachulski.
Announcements:
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
http://aide.marshall.edu/default.htm
Personal Announcement: Thanks to Jason Frisvold aka @Xenophage and Endless Mountain Cyberspace for porting and hosting my blog over from my personal server to their servers http://www.protectors.cc/blog/
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News: http://www.guardian.co.uk/world/2010/dec/22/cia-wikileaks-taskforce-wtf
The CIA has launched a taskforce to assess the impact of 250,000 leaked US diplomatic cables. Its name? WikiLeaks Task Force, or WTF for short.
The group will be charged with scouring the released documents to survey damage caused by the disclosures. One of the most embarrassing revelations was that the US state department had drawn up a list of information it would like on key UN figures – it later emerged the CIA had asked for the information.
“Officially, the panel is called the WikiLeaks Task Force. But at CIA headquarters, it’s mainly known by its all-too-apt acronym: WTF,” the Washington Post reported.
News: http://www.infosecurity-us.com/view/14736/court-blocks-former-bank-of-america-employees-from-using-client-data
Michael C. Brown, a financial adviser with $5.9bn in client assets, Charles Britton, Marcus Wilson, and Amanda Kerley were temporarily blocked by a New York state court from “using or disclosing in any manner the customer lists and any other property or trade secret information taken at the time” of their resignations from U.S. Trust, according to a Bloomberg report, citing court documents provided by Bank of America.
The employees argued in court that they were allowed to take client records under a voluntary recruiting agreement among brokers. Bank of America disputed that, saying that neither it nor U.S. Trust signed the agreement that the former employees argue allows them to use the client information, according to the complaint.
The court order directs the former employees to return customer lists and any other property to U.S. Trust. It also blocks them from “soliciting, inviting, encouraging, requesting” customer accounts that may have been “wrongfully solicited”, according to the filing.
The suit is “a blatant legal tactic in an attempt to portray Mr. Brown and his team in a negative light”, Steven Goldberg, a Dynasty Financial spokesman, said in a statement.
“Companies need to be one step ahead of a departing employee”, said Kurt Johnson, vice president of strategy and corporate development for Courion, a provider of identity and access management products, when commenting on the case. “In letting these staff members go, all administrative controls should have been shut off and changed immediately so that there was no opportunity to gain access to these sensitive files. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities.”
News: http://www.infosecurity-magazine.com/view/14694/survey-reveals-lack-of-awareness-for-pci-dss-20-/
LogLogic, the IT audit data specialist that commissioned the survey, says the results show relatively low visibility of the security requirements amongst retailers, despite the fact that PCI audits are becoming more prevalent.
Researchers found that 13.8% of respondents are completely unaware of the new version and 15.5% confirm they are only partially aware of the PCI security standard.
The majority (70.7%) confirmed they are aware of the new standard, which the company says implies that the majority are prepared for – or are working towards – meeting PCI requirements.
However, says LogLogic, when respondents were asked if they knew that PCI DSS 2.0 contains significant changes and clarifications relative to the expected network architecture and virtualisation, only 36.2% could say yes.
Most interesting of all, Infosecurity notes, 63.8% said they were partially or completely unaware of the new requirements, meaning their PCI compliance could be at risk or at the very least isn’t as thorough or as up-to-date as it should be.
Equally interesting, when asked how auditing by the payment card issuers has changed in the past twelve months, the survey revealed that 62% said audits were becoming more, or much more, prevalent.
The survey also looked at attitudes towards PCI DSS and version 2.0 changes and on the positive side, 50% saw it as a valuable addition that helps them keep up-to-date, and 17.2% said they used it as a way to justify spending on technologies that are useful outside of PCI mandates.
On the negative side, however, 17.2% saw it as a continual regulatory headache, and 5.2% viewed it as another costly ‘tick in the box’ exercise with no obvious benefit to the company or its customers.
Guy Churchward, LogLogic’s CEO, said that the survey’s findings are very interesting – retailers have come a long way since the introduction of PCI DSS back in 2004, in terms of attitudes and implementation, but there is still a lot more to do.
“It’s not just a case of achieving compliance, it’s a matter of completing the audits and staying on top of the requirements”, he said, adding that it is a long-term commitment to the business and to protecting customer data.
“The research clearly shows that retailers need to get up to speed with the new version pretty quickly – if they are to meet the increasingly regular audit requirements”, he explained.
Inside the business of malware: http://www.computerschool.org/images/malware.jpg
News: http://www.pcworld.com/article/214127/byot_hype_or_a_hiring_dealbreaker.html
Bring Your Own Technology, or BYOT, can strike fear in the hearts of CIOs and security officers, who are split on whether the concept is an urban legend or the wave of the future. Regardless, the CIOs I’ve spoken with say it has not yet become a standard question that applicants ask. Sure, there are CEOs and salespeople who want to sneak tablets onto the network, but at this point, the roar of the consumers is really just a whisper.
Dave Kelble, vice president of technology with MobilexUSA, has been grappling with BYOT because he also serves as the company’s security officer. “There are parts of the organization on-boarded through acquisition where people use their own computer equipment as part of their job. We are looking to transition away from that for security and support reasons.”
MobilexUSA, a leading provider of bedside diagnostics, is a 3,000-person organization that Kelble expects could, through acquisitions and organic growth, grow to 5,000 by the end of 2011. The change in scale will be a challenge, and maintaining HIPAA compliance is imperative. Kelble says he has not received BYOT inquiries from potential new hires, though current employees, including field management, sales and IT, have been asking his group about it. “We are wrestling with how to get our arms around not allowing [employees] to BYOT, but helping them get their job done as effectively and securely as possible.”
Mary Sobiechowski is the CIO of Kantar Health, a healthcare-focused global consultancy and marketing insights company. She recalls only one instance when a new hire pushed hard for BYOT. The company didn’t give in for compliance reasons, but it did build a machine with the employee’s needs in mind.
An employee’s desire to have the latest equipment “is a reflection on the employee and the company,” she says. However, thanks to the threat of data insecurity, viruses and spyware, and the need to maintain Sarbanes-Oxley compliance, “we’ve had to change to a defensive posture.”
News: http://www.spamfighter.com/News-15530-IE-Protected-Mode-Vulnerability-Revealed.htm
According to researchers at Verizon Business, a vulnerability exists in Internet Explorer’s ‘Protected Mode’ mechanism, which suggests that other Windows software built on the same technology, including Adobe’s Reader X and Google’s Chrome, may also be problematic.
Fundamentally, ‘Protected Mode’ works by restricting the privileges available to a particular application process. IE and the OS assign these privileges according to six MIC (Mandatory Integrity Control) levels; the lowest applies to all applications running content from the Internet zone, the least trusted zone.
Nevertheless, the Verizon researchers document methods by which an attacker can raise a process’ privileges to zones Protected Mode does not cover, such as the Local Intranet zone reached through UNC paths. Alternatively, the privileges can be elevated through phishing sites masquerading as trustworthy websites.
The attack becomes possible when the browser’s privilege level is raised from low to medium integrity. According to the Verizon researchers, once an initial remote exploit runs malware on the target system at low integrity, that malware sets up a web server listening on a port bound to the loopback interface, InformationWeek reported on December 6, 2010.
That web server then serves a second attack, which the local browser runs at medium integrity because the loopback address falls within the Local Intranet Zone. Re-running the exploit at medium integrity yields persistent malware, since that integrity level allows the malicious program to survive.
Still, according to the Verizon researchers, Protected Mode remains useful: most current malware that runs at low integrity fails to survive a reboot because it is unaware of the integrity level it is running at. The Metasploit Framework, the open-source penetration-testing program with the largest collection of tested exploits, for instance, is largely unaware of integrity levels.
Verizon says the vulnerability does not directly affect other software that uses Protected Mode, such as Chrome or Reader X. It does, however, show how such safeguards can be attacked, given that some mechanism must be trusted to at least some degree.
News: http://androidcommunity.com/android-malware-infection-has-the-highest-growth-overall-infection-lower-than-other-platforms-20101217/
AdaptiveMobile, a mobile security vendor, has stated that it has seen the highest number of mobile malware infections this year. In fact, the number of reports has grown a significant 33-percent over 2009 figures. Google’s Android platform has seen the greatest rise in infection with a four-fold increase in the number of exploits in 2010.
However, it’s not all bad news for Android. AdaptiveMobile goes on to claim that although it has seen the biggest rise in infection, Android exploits are still relatively low in comparison to other platforms.
The rise is said to be due to cyber criminals targeting what will have the highest market share in the coming years, and with Android growing heavily, it’s not surprising that it has been so heavily targeted.
Tools: http://www.melcara.com
Cody Dumont has released a new version of the ACL parser (v0.04). There are apparently a lot of issues with this version. The object groups are expanded for the PIX and ASA. I have added the attributes for ACL entries for log level, time, and inactive state. Other than finding that it tells me that it’s “compelted” when it’s done, it works like a charm. You can see that I’ve added it to my pentesting VM as it’s extremely useful to have around.
root@pentest:/pentest/cisco/acl2csv# perl acl2csv.0.04.pl asa01.txt
compelted
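As an added illustration of what such a parser has to do (this is my own example, not Cody Dumont’s acl2csv code), the Python below expands network object-groups in a constructed ASA snippet and records each entry’s log level, time-range and inactive state as CSV columns; the object-group name, ACL name and addresses are made up.

```python
import csv, io, ipaddress, re
# Constructed ASA snippet (not from the page) covering the features the show notes mention.
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.0.0.10
 network-object 10.0.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq 443 log
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.20 eq 22 log warnings time-range MAINT inactive
"""
ADDR = r"any|host \S+|object-group \S+|\S+ \S+"  # any | host X | object-group G | NET MASK
ACE_RE = re.compile(rf"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
                    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})(?: eq (?P<port>\S+))?(?P<rest>.*)$")
FIELDS = ["acl", "action", "proto", "src", "dst", "port", "log_level", "time_range", "inactive"]

def _expand(term, groups):  # one address term -> list of CIDR strings, recursing into object-groups
    kind, _, arg = term.partition(" ")
    if kind == "object-group":
        return [c for member in groups[arg] for c in _expand(member, groups)]
    if kind in ("any", "host"):                  # 'any' has no argument; 'host X' -> X/32
        return [f"{arg}/32" if arg else "any"]
    return [str(ipaddress.ip_network(f"{kind}/{arg}", strict=False))]   # 'NET MASK' form

def _flags(rest):  # log level, time-range name and inactive state from the tail of an ACE
    toks = rest.split() + [""]                   # sentinel so a trailing 'log' has a next token
    level = ""
    if "log" in toks:
        nxt = toks[toks.index("log") + 1]        # bare 'log' = ASA default severity 6, informational
        level = nxt if nxt and nxt not in ("time-range", "inactive") else "informational"
    time_range = toks[toks.index("time-range") + 1] if "time-range" in toks else ""
    return level, time_range, "inactive" in toks

def parse_config(text):  # one row per (src, dst) pair, object-groups expanded to their members
    groups, rows, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("object-group network "):
            current = groups.setdefault(line.split()[2], [])
        elif line.startswith(" network-object ") and current is not None:
            current.append(line.split(None, 1)[1])
        elif (m := ACE_RE.match(line)):
            for src in _expand(m["src"], groups):
                for dst in _expand(m["dst"], groups):
                    rows.append(dict(zip(FIELDS, [m["acl"], m["action"], m["proto"], src, dst,
                                                  m["port"] or "", *_flags(m["rest"])])))
    return rows

def to_csv(rows):  # CSV with a header line, as acl2csv-style tools emit
    buf = io.StringIO()
    csv.writer(buf).writerows([FIELDS, *(list(r.values()) for r in rows)])
    return buf.getvalue()
```

Running `print(to_csv(parse_config(SAMPLE_CONFIG)))` gives one line per expanded member, so an inactive entry or one logging at a non-default level stands out in a spreadsheet review.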
News: http://www.thestar.com/business/article/908968–facebook-to-hold-hacker-cup
Hacking, the reclusive sport of individuals with socially crippling intelligence, is being pulled from the depths of the suburban basement and thrust onto the podium. Well, there might not be a podium, but there is talk of a cup. Facebook has created a page containing details about a Hacker Cup in 2011. People can apply and compete online and a final 25 will be flown to compete in the algorithmic programming contest in California in the New Year for (U.S.) $5,000 and the title. The tests are designed by Facebook engineers. Inside the Facebook universe “hacking” or “Hack” is used as terms for all night coding benders, rather than for the more popular interpretation of someone who creates codes or viruses to interfere with or destroy computer programs.
Alan Middleton, a marketing guru housed at the Schulich School of Business at York University, was admittedly a bit baffled at the prospect, given the elevated public perception of hacking of the more nefarious kind.
“In a world where we are getting increasingly concerned about privacy (does Facebook) want to be associated with hacking?” asked Middleton.
He said there are two possible options for the contest. “They are trying to get some buzz to remain cool with a rebellious and youthful segment of their population,” said Middleton. “In which case, I think it is a really bad strategy.”
Facebook, he said, is likely just holding a skills competition to seek out new talent.
Registration opens Dec 20. In an email response to questions about motivation, a Facebook spokesperson said “Hacking is a central part of Facebook’s culture. We want to bring engineers from around the world together to compete in a multi-round programming competition.”
When asked if they were concerned about the brand being linked with hacking of the more nefarious kind, the spokesperson said “For us, Hack means to find a better way of doing things.”
Hackers who use their skills for destruction are enjoying a bit of a folk hero moment. Supporters of WikiLeaks founder Julian Assange have crashed corporate websites, including MasterCard, in retribution for Assange’s arrest.
“Maybe in a new world where WikiLeaks and hackers are the new heroes and we hate government and establishments . . . maybe we are now trying to celebrate the rebels,” said Middleton.