ISDPodcast Episode 290 for December 30, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.
Announcements:
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
http://aide.marshall.edu/default.htm
THOTCON:
THOTCON 0x2
Where: Chicago, IL
When: Friday, April 15th, 2011
http://www.thotcon.org
The CFP will close on January 01, 2011 – Get your talk in NOW
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Reminder: No Podcast December 31, 2010
Stories:
News: http://www.securityweek.com/geolocation-mobile-and-apple-top-mcafees-list-emerging-threats-2011
McAfee Labs Threat Predictions for 2011
Exploiting Social Media: URL-shortening services
Social media sites such as Twitter and Facebook have created the movement toward an “instant” form of communication, a shift that will completely alter the threat landscape in 2011. Of the social media sites that will be most riddled with cybercriminal activity, McAfee Labs expects those with URL-shortening services will be at the forefront. The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.
Exploiting Social Media: Geolocation services
Locative services such as foursquare, Gowalla and Facebook Places can easily search, track and plot the whereabouts of friends and strangers. In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using. This wealth of personal information on individuals enables cybercriminals to craft a targeted attack. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2011.
Mobile: Usage is rising in the workplace, and so will attacks
Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.
Apple: No longer flying under the radar
Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.
Applications: Privacy leaks—from your TV
New Internet TV platforms were some of the most highly anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee Labs expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. These apps will target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets.
Sophistication Mimics Legitimacy: Your next computer virus could be from a friend
Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.
Botnets: The new face of Mergers & Acquisitions
Botnets continue to use a seemingly infinite supply of stolen computing power and bandwidth around the globe. Following a number of successful botnet takedowns, including Mariposa, Bredolab and specific Zeus botnets, botnet controllers must adjust to the increasing pressure cybersecurity professionals are placing on them. McAfee Labs predicts that the recent merger of Zeus with SpyEye will produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Additionally, McAfee Labs expects to see significant botnet activity in the adoption of data-gathering and data-removal functionality, rather than the common use of sending spam.
Hacktivism: Following the WikiLeaks path
Next year marks a time in which politically motivated attacks will proliferate and new sophisticated attacks will appear. More groups will repeat the WikiLeaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement, and will become more organized and strategic by incorporating social networks in the process. McAfee Labs believes hacktivism will become the new way to demonstrate political positions in 2011 and beyond.
Advanced Persistent Threats: A whole new category
Operation Aurora gave birth to the new category of advanced persistent threat (APT)— a targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than pure financial/criminal gain or political protest. McAfee Labs warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks that go after email archives, document stores, intellectual property repositories and other databases.
Predictions for 2011 from other firms shared similar concerns, with mobile being a top threat across the board. Data security firm Imperva predicts a rise in mobile devices being compromised resulting in data theft or loss as a result of lagging security measures such as identification and authentication and the spread of mobile malware.
News: http://www.wired.com/threatlevel/2010/12/breaking-gsm-with-a-15-phone-plus-smarts
Whatever assurances have been given about the security of GSM cellphone calls, forget about them now. Use at your own risk. Speaking at the Chaos Computer Club (CCC) Congress, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software.
While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators’ technology and operations to put the power within the reach of almost any motivated tech-savvy programmer.
“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.”
Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.
Working the audience through each step of the process, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple internet query, to the level of city or general rural area.
Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing each base station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.
To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this information to be sent in real time to a computer.
By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network.
News: http://www.infosecurity-magazine.com/view/14857/row-breaks-out-over-alleged-chip-and-pin-security-flaw-censorship
A row that has been brewing between the payment card ‘establishment’ and researchers with Cambridge University, who have previously claimed that the Chip & PIN security system seen in UK bank payment cards is flawed, has spilled out into the open.
As reported previously by Infosecurity, in-depth research led by Professor Ross Anderson of Cambridge University’s security engineering department had revealed potentially serious flaws in the way the Chip and PIN system operates.
Now Professor Anderson has accused the UK bank card industry of making a “very nasty attempt at censorship” over a flaw in chip and PIN technology.
The UK Cards Association (UKCA) apparently wrote to the university to try to remove the online publication of research that shows how a simple hand-held device can be used to buy goods without entering the correct PIN.
In a security blog, Professor Anderson said that this step was “absolutely unacceptable. It was a very, very nasty attempt at censorship.”
The Press Association quotes Melanie Johnson – a former Labour Treasury Minister who is now chair of the UKCA – as saying the publication of the paper on Chip & PIN insecurity “oversteps the boundaries of what constitutes responsible disclosure”.
Infosecurity notes that Omar Choudary’s research paper details the designs of a low-cost device that can exploit a loophole in the security of the Chip and PIN system.
This is despite proponents of the card security system having previously described the Chip and PIN system as infallible.
In his blog – titled ‘A Merry Christmas to all Bankers’ – Anderson says that the bankers’ trade association has complained that Choudary’s paper “contains too much detail of our No-PIN attack on Chip-and-PIN and thus ‘breaches the boundary of responsible disclosure’”.
“There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later”, he said.
According to Anderson, the bankers are also fretting that ‘future research, which may potentially be more damaging, may also be published in this level of detail’.
News: http://www.joystiq.com/2010/12/29/hackers-claim-discovery-of-ps3-private-key-enabling-unauthori/
During the ongoing Chaos Communication Conference 27C3, the hackers responsible for the Wii’s Homebrew Channel, calling themselves fail0verflow, gave a presentation in which they claimed to have figured out the “private key” used by Sony to authorize code to run on retail PS3 systems. This means, as a PSX-Scene forum post puts it, giving a hacker “full control of the PS3 system,” without the use of a USB device.
The group will explain more when its website launches, and also plans to show a demo at the conference. This hack is designed not to enable PS3 game piracy (though it might have that effect) but, according to a tweet by fail0verflow, to enable Linux to run on all PS3s, “whatever their firmware versions.”
News: https://threatpost.com/en_us/blogs/skype-client-error-causes-global-outage-122910
In response to a 24-hour outage that occurred last week on its internet voice and video chat platform, Skype’s Chief Information Officer has revealed that an error in some versions of the company’s software client is to blame. CIO Lars Rabbe, writing on Skype’s ‘The Big Blog,’ confirmed reports of outages last week and posted a detailed explanation of what went wrong. He said the company was taking steps to prevent further outages.
On December 22, a cluster of servers responsible for offline instant messaging at Skype became overloaded. As a result, some Skype clients running Windows and version 5.0.0.152 of the Skype client received delayed response messages from the overloaded servers which were not properly processed, causing them to crash. These crashes affected an estimated 20 percent of total Skype users. Those users then restarted their clients, causing a new flood of traffic to the supernodes that quickly overwhelmed the company’s infrastructure.
Skype works on a P2P network where supernodes act as a directory, supporting Skype clients, establishing connections between clients, and creating local node clusters. So, even though only 20 percent of clients failed, this failure caused a 25 percent reduction in overall supernode resources, which placed too heavy a burden on the remaining supernodes.
While Skype plans for failures of this sort, its system was incapable of withstanding the increased load brought on by users restarting windows as they attempted to reconnect. Rabbe believes the increased load triggered a failsafe feature on the Skype supernodes, causing them to shut down. That, in turn, heaped more traffic on the few remaining supernodes, causing a domino effect that led to the 24-hour outage.
To fix the problem, Skype introduced hundreds of instances of Skype software into the P2P network to act as supernodes and provide the capacity to accelerate the recovery. This process was repeated until the system was completely restored on December 24.
Skype is working to prevent future outages like the one that occurred last week by bolstering its automatic update system with more frequent hotfixes, researching ways to detect problems more promptly and recover systems more quickly, reviewing bug testing processes, and continually examining its capacity and increasing its resiliency when necessary.
News: http://www.infosecurity-magazine.com/view/14855/phoenix-exploit-hacker-kit-methodology-explained-
Websense has posted a detailed analysis of the Phoenix Exploit kit, which is used by hackers to seed and infect users’ PCs across the internet, and then monitor the results for data harvesting.
The kit, which was originally discovered by M86 Security in the summer of 2009, has been disassembled by Chris Astacio, a security researcher with Websense, who reports that the kit’s installation routines are, like a lot of hacker toolkits, obfuscated (hidden).
This is, he explains, “probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no ‘readme.txt’ file included.”
Looking at the PHP code, Astacio says researchers can see that it’s a Base64-encoded, ZLIB-compressed stream of data.
“The PHP script uses an ‘eval’ statement with ‘gzuncompress’ and ‘base64_decode’ functions to decode the stream of data. For us to get the clear text code, we can use a simple substitution trick along with the PHP CLI so that we can then analyse the installer’s code”, he said in his security blog.
“To do this, we simply need to replace the ‘eval’ with a ‘print’ and run the install.php script on the command line”, he added.
Interestingly, despite the widespread use of the hacker toolkit, the Websense researcher says that there is nothing special about it.
“You get to choose the language of the installation instructions, either English or Russian. And on the next page you have a form to fill out for various resources”, he said, adding in his analysis that he has not shown some of the forms as they contain sensitive information.
One of the most interesting features of the kit is that it does not contain a current set of exploits, as users must contact the developer and activate the kit, presumably by paying a fee, Infosecurity notes.
According to the Websense security researcher, the developers of the Phoenix Exploit kit are working on not only protecting their exploit code from being recognised, but also their installations.
“This makes it difficult for researchers to further dissect and understand how the kit works, especially if a researcher comes across just the install script”, he said in his blog.
“It also makes things more difficult for others who want to study and report on the statistics found from individual installations of Phoenix by randomising the page names used in the kit installations”, he added.
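The eval-for-print substitution Astacio describes can also be done statically, so the installer is never executed: the following is an added example (not Websense’s script and not the kit’s code) that peels the eval(gzuncompress(base64_decode(...))) wrapper layer by layer with Python’s zlib, which reads the same zlib (RFC 1950) format PHP’s gzuncompress does. The two-layer packed sample it unpacks is constructed here and is not real Phoenix code.

```python
"""Static unpacker for the eval(gzuncompress(base64_decode(...))) wrapper
described above. Added example, not Websense's script; the sample is constructed."""
import base64
import re
import zlib

# The wrapper shape the article describes; whitespace and quote style vary
# between samples, so both are tolerated.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;?"
)

# Constructed stand-in for the real installer body (not Phoenix code).
INNER = "$cfg = array('lang' => 'en'); echo 'installer body';\n"


def unwrap_once(php_source: str) -> tuple[str, bool]:
    """Replace the first wrapper with its cleartext, without executing anything.
    This is the static equivalent of swapping eval for print and running the
    script under the PHP CLI. Returns (new_source, found)."""
    m = WRAPPER.search(php_source)
    if not m:
        return php_source, False
    # PHP's gzuncompress reads the zlib (RFC 1950) format, which is exactly
    # what Python's zlib.decompress expects, so the decode path is identical.
    payload = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
    return php_source[:m.start()] + payload + php_source[m.end():], True


def unpack(php_source: str, max_layers: int = 10) -> tuple[str, int]:
    """Peel layered wrappers (packers often nest them). The layer cap keeps a
    hostile sample from keeping the analyst's tool busy indefinitely."""
    layers = 0
    while layers < max_layers:
        php_source, found = unwrap_once(php_source)
        if not found:
            break
        layers += 1
    return php_source, layers


def pack(php_source: str) -> str:
    """Inverse of unwrap_once, used only to build the constructed test sample."""
    blob = base64.b64encode(zlib.compress(php_source.encode())).decode()
    return f"eval(gzuncompress(base64_decode('{blob}')));"


def build_sample() -> str:
    """Two-layer sample in the shape the article describes (constructed, not real)."""
    return "<?php\n" + pack(pack(INNER)) + "\n?>\n"


if __name__ == "__main__":
    cleartext, layers = unpack(build_sample())
    print(f"peeled {layers} layer(s):\n{cleartext}")
```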