Your daily source of Pwnage, Policy and Politics.

Episode 286 – URL Shortener DDoS, W7 Phone, Net Neutrality & More CitySights fallout


ISDPodcast Episode 286 for December 24, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

Stories:
News: https://www.infosecisland.com/blogview/10442-DDoS-Attacks-Possible-via-URL-Shortener.html

Security “enthusiast” and computer science major at the University of Tulsa, Ben Schmidt, has introduced a URL shortening service that allows users to participate in distributed denial of service (DDoS) attacks without the need to download a software application.

Schmidt was inspired by the recent DDoS attacks carried out by members of Anonymous with their Low Orbit Ion Cannon (LOIC) tool. The JavaScript-based LOIC tool lets users join in the DDoS attack shenanigans by simply visiting a web page, which then continuously sends HTTP requests to the targeted server by modifying an image tag’s attributes.

Schmidt states that the purpose of the tool is to serve as a proof of concept demonstrating the unrecognized vulnerabilities inherent in using URL shortening services. The D0z.me shortener does not seek to trick users into participating in a DDoS attack, as the destination link and target URL need to be specified. The purpose of the exercise is to draw attention to the fact that URL shorteners could be exploited to engage users in DDoS attacks without their knowledge.

“My implementation of this attack is, at best, a hack job, but was merely meant to illustrate how easy it is to actually implement, how simple it is to launch a DDoS simply by getting people to follow a link, and how seriously our reliance on URL shorteners can affect security.”

Meanwhile, developers associated with Anonymous, the international pro-piracy and pro-WikiLeaks association of hacktivists, are said to be working to correct deficiencies in the LOIC software used in recent DDoS campaigns that interfered with the website operations of several businesses, including MasterCard, Visa, and PostFinance bank.

News: http://www.pcworld.com/article/214371/microsoft_sells_15m_windows_phone_7.html

Microsoft has announced that its manufacturing partners have sold more than 1.5 million Windows Phone 7 devices since the mobile platform’s launch six weeks ago. Achim Berg, Microsoft’s vice president of marketing and business for Windows Phones, made the announcement during a puff interview conducted by Microsoft’s PR team. While the Phone 7 sales numbers sound impressive, the figures are actually not all they’re cracked up to be, at least based on Berg’s statement.

“With a new platform, you have to look at a couple of things, first of all customer satisfaction,” Berg said. “Another is phone manufacturer sales — phones being bought and stocked by mobile operators and retailers on their way to customers. We are pleased that phone manufacturers sold over 1.5 million phones in the first six weeks.”

In other words, Windows Phone 7 manufacturers have sold more than 1.5 million devices to retailers and wireless carriers, not customers. So it’s not clear how many people have actually plunked down hard-earned cash for a piece of Windows Phone 7 magic. Manufacturer sales to stores are important, because they indicate the confidence retailers have in the new mobile platform. But the real test of Windows Phone 7 popularity will be how many customers buy the device.

For all we know, only 500,000 Windows Phone 7 devices have been sold worldwide and 1 million handsets are sitting on store shelves from New York to Tokyo. Nevertheless, the fact that retailers are buying up Windows Phone 7 devices in large numbers and relatively quickly shows that some carriers are willing to take big bets on Windows Phone 7.

News: http://www.pcworld.com/article/214367/fcc_net_neutrality_rules_what_the_future_might_look_like.html

The Federal Communications Commission is expected to approve new Net neutrality rules that it believes will ensure free and open Internet access for years to come. The new rules will reportedly prevent fixed (ground) line broadband providers from blocking lawful Web content and services. Wireless broadband providers, meanwhile, will have the ability to block access to content and services as they see fit as long as they do not offer a competing service. Wireless carriers could, for example, block YouTube if the carrier did not offer a similar video sharing site.

The new rules will also supposedly discourage providers from charging fees to popular Web services such as Facebook or Google to deliver their content to your home faster.

The rules have garnered a lot of controversy. Senator Al Franken called the proposed rules “worse than nothing,” but FCC commissioner Mignon L. Clyburn said the proposal “will establish clear rules to protect consumers’ access.”

Here’s a look at some possibilities for what your broadband access at home and on your mobile device might look like under the new rules.

Skype on 3G

Yes, you can already get Skype calls over 3G on some wireless networks. But under the new FCC rules wireless providers would not be allowed to block access to Skype, because they offer a competing service (voice calls).

Google Fee

The new FCC rules will reportedly discourage, but not prevent, carriers from offering paid prioritization to Web services. In other words, Comcast could offer YouTube the chance to have content from Google’s video site delivered to your computer faster than competing video services. The catch is that Google would have to pay a fee for that to happen.

No Torrents For You

Fixed-line broadband providers will not be allowed to discriminate against any lawful Web services you want to use. Did you see that little disclaimer in there? That’s right, “lawful” Web services, meaning that torrent indexing sites, such as The Pirate Bay, and other sites considered shady could soon disappear from your Web browser. This is not entirely surprising, since the government has been coming down hard on copyright infringement in recent weeks. In November, federal authorities seized the domains of 82 websites purportedly selling goods that infringed copyright law, such as music, movies and handbags.

It will also be interesting to see how the reported FCC rules affect peer-to-peer torrent sharing programs such as Vuze. There are uses for p2p file sharing software beyond grabbing a screener of, say, Tron Evolution. The site Vodo, for example, lets filmmakers distribute content to prospective audiences via BitTorrent downloads.

Netflix Tax

In November, network management company Sandvine said Netflix streaming takes up about 20 percent of all U.S. fixed-line bandwidth during peak usage periods. Netflix is one of the most popular movie and television viewing services in North America, claiming 16 million users in the United States and Canada. If you’re one of those more than 16 million people (in the US, anyway), you could end up paying a higher broadband bill every month after the Net neutrality rules take effect. Under the new rules, broadband providers would be allowed to enact tiered pricing plans based on how much broadband data you consume every month. The all-you-can-eat data buffet may be over.

The Network Management Haze Lifts

Earlier this month, FCC chairman Julius Genachowski was talking about imposing a “transparency obligation” on broadband providers. It’s not entirely clear if this requirement will make it into the final rules, but the obligation would require broadband providers to offer public information about how they are managing their networks. That means you should be able to see who is blocking which sites and what kind of real-world speeds customers get on any given broadband service. This could make it easier for you to choose a new broadband provider — if you have more than one provider to choose from in your area, that is.
News: http://www.theopeninter.net (Thanks to ZipLock for this one!)

News: https://threatpost.com/en_us/blogs/data-breach-could-test-massachusetts-law-122110

The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State’s nine-month-old data privacy law?

The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation’s strongest data privacy law. Financial data on 1,850 Massachusetts residents was among that stolen in the breach, which yielded the names, addresses and credit card account information of 110,000 customers of Twin America LLC, the parent company of CitySights NY, according to Amie Breton, Deputy Press Secretary in the Office of Massachusetts Attorney General Martha Coakley.

As Threatpost reported yesterday, Twin America has disclosed that it was the victim of a SQL injection attack on a CitySights Web server that provided unknown assailants with access to the company’s customer list, including full credit card account and CVV2 (card verification value) data.

The breach, which occurred in September, was discovered by a Twin America Web programmer in October and came to light when the company’s attorney wrote letters to states’ attorneys general disclosing the breach. A copy of the attorney Theodore P. Augustinos’ letter to the Attorney General of New Hampshire, dated December 9, was published online. Approximately 300 of the victims were New Hampshire residents. A call from Threatpost to the Massachusetts Attorney General’s office confirmed that Coakley’s office received a similar letter on December 10, specifying that 1,850 victims were Massachusetts residents.

The case could be a test of Massachusetts’ new data privacy law, known as 201 CMR 17. That law, which took effect on March 1, 2010, is one of the toughest in the nation. It addresses the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information, including name, social security number, driver’s license number or financial information, on Massachusetts residents, regardless of whether those organizations are based in or have offices in the state. Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts residents to encrypt personal information at rest (in databases, servers, laptops, desktops and mobile devices). Data transmitted over wired or wireless networks also must be encrypted.

Attorney General Coakley’s office said it doesn’t confirm or deny investigations, and it is not clear whether there were any violations of 201 CMR 17 in the CitySights case. However, it appears the possibility of cases being brought under 201 CMR 17 or similar state laws at least occurred to Twin America. The letter sent from Attorney Augustinos of Edwards Angell Palmer & Dodge to New Hampshire Attorney General Michael Delaney notes, specifically, that the compromised database did not contain “Social Security numbers, drivers’ license or other state-issued identification or other personal information.”

News: https://threatpost.com/en_us/blogs/sightseeing-firm-overlooks-security-110k-credit-card-numbers-stolen-122010

CitySights owner Twin America says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn’t following Payment Card Industry guidelines for storing card data.

The parent company of the CitySights sightseeing tours company, Twin America LLC, said in a letter to states’ attorneys general that a SQL injection attack on a company Web server in September resulted in the theft of personal and financial data on 100,000 of the company’s customers. The breach came to light after a letter sent to New Hampshire Attorney General Michael Delaney, dated December 9, 2010, was posted online. Details of the attack suggest that the New York based firm may not have been complying with payment card industry standards for storing financial data at the time of the attack. Twin America did not immediately respond to requests for comment.

SQL injection attacks are one of the most common forms of Web based attacks, due to their simplicity and a wealth of poorly defended targets on the Internet.

In its letter to the New Hampshire Attorney General, Twin America, speaking through attorney Theodore Augustinos of the firm Edwards Angell Palmer & Dodge LLP, said around 300 New Hampshire residents were among those affected by the attack. The company further said it first became aware of the breach on October 19, when a Web programmer working for Twin America discovered an unauthorized script that had been uploaded to the company’s Web server. The attack was believed to have taken place on September 26, with “unauthorized access” to the database occurring between September 26 and the discovery date.

The database contained a variety of customer financial data, including the customer’s name, address, e-mail address and credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

Twin America said it has filed a complaint with the FBI’s Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach, patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel, and changed and hardened administrative passwords throughout its organization.
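Added example (not from the podcast, Threatpost or Twin America): the two defects the CitySights story turns on, shown side by side in Python against a constructed in-memory SQLite table. A string-built customer lookup lets a crafted email parameter widen the query to every row, a parameterized lookup treats the same input as plain data, and the storage path refuses to persist CVV2, which PCI DSS forbids retaining after authorization. The table name, columns and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data; not CitySights' real schema.
SAMPLE_CUSTOMERS = [
    ("Alice", "alice@example.test", "1111"),
    ("Bob", "bob@example.test", "2222"),
]

# Fields that PCI DSS classes as sensitive authentication data and that must
# never be written to persistent storage after the transaction is authorized.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "security_code"}


def build_db():
    """In-memory customer table holding only the last four digits of the PAN."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return db


def lookup_vulnerable(db, email):
    """The bug class in the story: user input is spliced into the SQL text,
    so a crafted value changes the query instead of being matched as a literal."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, email):
    """Hardened form: the driver binds the value, so it can only ever be data."""
    rows = db.execute("SELECT name FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def store_card(db, record):
    """Persist a customer record; returns True if stored, False if refused.
    Refuses any record carrying a CVV2-type field, and keeps only the last
    four digits of the card number (full-PAN storage needs PCI-grade
    encryption and is outside this example)."""
    if CVV_FIELDS & {key.lower() for key in record}:
        return False
    db.execute(
        "INSERT INTO customers VALUES (?, ?, ?)",
        (record["name"], record["email"], record["card_number"][-4:]),
    )
    return True
```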