Your daily source of Pwnage, Policy and Politics.

Merry Christmas to All. Have a Safe and Happy Holiday – The ISDPodcast Team

Merry Christmas to All. Have a Safe and Happy Holiday – The InfoSec Daily Podcast Team

Episode 286 – URL Shortener DDoS, W7 Phone, Net Neutrality & More CitySights fallout

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 286.mp3[/podcast]
ISDPodcast Episode 286 for December 24, 2010.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm
Stories:
News: https://www.infosecisland.com/blogview/10442-DDoS-Attacks-Possible-via-URL-Shortener.html

Security “enthusiast” and computer science major at the University of Tulsa, Ben Schmidt, has introduced a URL shortening service that allows users to participate in distributed denial of service (DDoS) attacks without the need to download a software application. Schmidt was inspired by the recent DDoS attacks carried out by members of Anonymous with their Low Orbit Ion Cannon (LOIC) tool. The JavaScript-based LOIC tool lets users join in the DDoS attack shenanigans by simply visiting a web page which then continuously sends HTTP requests to the targeted server by modifying an image tag’s attributes.

Schmidt states the purpose of the tool is to illustrate a proof of concept that demonstrates the unrecognized vulnerabilities inherent in using URL shortening services. The D0z.me shortener does not seek to trick users into participating in a DDoS attack, as the destination link and target URL need to be specified. The purpose of the exercise is to draw attention to the fact that the use of URL shorteners could be exploited to engage users in DDoS attacks without their knowledge.

“My implementation of this attack is, at best, a hack job, but was merely meant to illustrate how easy it is to actually implement, how simple it is to launch a DDoS simply by getting people to follow a link, and how seriously our reliance on URL shorteners can affect security.”

Meanwhile, developers associated with Anonymous, the international pro-piracy and pro-WikiLeaks association of hacktivists, are said to be working to correct deficiencies in the LOIC software used in recent DDoS campaigns that interfered with the website operation of several businesses, including MasterCard, Visa, and PostFinance bank.
News: http://www.pcworld.com/article/214371/microsoft_sells_15m_windows_phone_7.html

Microsoft has announced that its manufacturing partners have sold more than 1.5 million Windows Phone 7 devices since the mobile platform’s launch six weeks ago. Achim Berg, Microsoft’s vice president of marketing and business for Windows Phones, made the announcement during a puff interview conducted by Microsoft’s PR team. While the Phone 7 sales numbers sound impressive, the figures are actually not all they’re cracked up to be, at least based on Berg’s statement.

“With a new platform, you have to look at a couple of things, first of all customer satisfaction,” Berg said. “Another is phone manufacturer sales — phones being bought and stocked by mobile operators and retailers on their way to customers. We are pleased that phone manufacturers sold over 1.5 million phones in the first six weeks.”

In other words, Windows Phone 7 manufacturers have sold more than 1.5 million devices to retailers and wireless carriers, not customers. So it’s not clear how many people have actually plunked down hard-earned cash for a piece of Windows Phone 7 magic. Manufacturer sales to stores are important, because they indicate the confidence retailers have in the new mobile platform. But the real test of Windows Phone 7 popularity will be how many customers buy the device. For all we know, only 500,000 Windows Phone 7 devices have been sold worldwide and 1 million handsets are sitting on store shelves from New York to Tokyo. Nevertheless, the fact that retailers are buying up Windows Phone 7 devices in large numbers and relatively quickly shows that some carriers are willing to take big bets on Windows Phone 7.
News: http://www.pcworld.com/article/214367/fcc_net_neutrality_rules_what_the_future_might_look_like.html

The Federal Communications Commission is expected to approve new Net neutrality rules that it believes will ensure free and open Internet access for years to come. The new rules will reportedly prevent fixed (ground) line broadband providers from blocking lawful Web content and services. Wireless broadband providers, meanwhile, will have the ability to block access to content and services as they see fit as long as they do not offer a competing service. Wireless carriers could, for example, block YouTube if the carrier did not offer a similar video sharing site. The new rules will also supposedly discourage providers from charging fees to popular Web services such as Facebook or Google to deliver their content to your home faster.

The rules have garnered a lot of controversy. Senator Al Franken called the proposed rules “worse than nothing,” but FCC commissioner Mignon L. Clybrun said the proposal “will establish clear rules to protect consumers’ access.” Here’s a look at some possibilities for what your broadband access at home and on your mobile device might look like under the new rules.

Skype on 3G
Yes, you can already get Skype calls over 3G on some wireless networks. But under the new FCC rules wireless providers would not be allowed to block access to Skype, because they offer a competing service (voice calls).

Google Fee
The new FCC rules will reportedly discourage, but not prevent, carriers from offering paid prioritization to Web services. In other words, Comcast could offer YouTube the chance to have content from Google’s video site delivered to your computer faster than competing video services. The catch is that Google would have to pay a fee for that to happen.

No Torrents For You
Fixed-line broadband providers will not be allowed to discriminate against any lawful Web services you want to use. Did you see that little disclaimer in there? That’s right, “lawful” Web services, meaning that torrent indexing sites, such as The Pirate Bay, and other sites considered shady could soon disappear from your Web browser. This is not entirely surprising since the government has been coming down hard on copyright infringement in recent weeks. In November, federal authorities seized the domains of 82 websites purportedly selling goods that infringed copyright law such as music, movies and handbags. It will also be interesting to see how the reported FCC rules affect peer to peer torrent sharing programs such as Vuze. There are uses for p2p file sharing software beyond grabbing a screener of, say, Tron Evolution. The site Vodo, for example, lets filmmakers distribute content to prospective audiences via Bit Torrent downloads.

Netflix Tax
In November, network management company Sandvine said Netflix streaming takes up about 20 percent of all U.S. fixed-line bandwidth during peak usage periods. Netflix is one of the most popular movie and television viewing services in North America, claiming 16 million users in the United States and Canada. If you’re one of those more than 16 million people (in the US anyway) you could end up paying a higher broadband bill every month after the Net neutrality rules take effect. Under the new rules, broadband providers would be allowed to enact tiered pricing plans based on how much broadband data you consume every month. The all-you-can-eat data buffet may be over.

The Network Management Haze Lifts
Earlier this month, FCC chairman Julius Genachowski was talking about imposing a “transparency obligation” on broadband providers. It’s not entirely clear if this requirement will make it into the final rules, but the obligation would require broadband providers to offer public information about how they are managing their networks. That means you should be able to see who is blocking which sites and what kind of real-world speeds customers get on any given broadband service. This could make it easier for you to choose a new broadband provider, if you have more than one provider to choose from in your area, that is.
News: http://www.theopeninter.net (Thanks to ZipLock for this one!)

News: https://threatpost.com/en_us/blogs/data-breach-could-test-massachusetts-law-122110

The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State’s nine month-old data privacy law?

The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation’s strongest data privacy law. Financial data on 1,850 Massachusetts residents was among that stolen in the breach, which yielded the names, addresses and credit card account information of 110,000 customers of Twin America LLC, the parent company of CitySights NY, according to Amie Breton, Deputy Press Secretary in the Office of Massachusetts Attorney General Martha Coakley.

As Threatpost reported yesterday, Twin America has disclosed that it was the victim of a SQL injection attack on a CitySights Web server that provided unknown assailants with access to the company’s customer list, including full credit card account and CVV2 (card verification value) data. The breach, which occurred in September, was discovered by a Twin America Web programmer in October and came to light when the company’s attorney wrote letters to states’ attorneys general disclosing the breach. A copy of the attorney, Theodore P. Augustinos’, letter to the Attorney General of New Hampshire, dated December 9, was published online. Approximately 300 of the victims were New Hampshire residents. A call from Threatpost to the Massachusetts Attorney General’s office confirmed that Coakley’s Office received a similar letter on December 10, specifying that 1,850 victims were Massachusetts residents.

The case could be a test of Massachusetts’ new data privacy law, known as 201 CMR 17. That law, which took effect on March 1, 2010, is one of the toughest in the nation. It addresses the misuse of personal data by individuals, companies and third party providers that store, collect or use personal information, including name, social security, driver’s license number or financial information on Massachusetts residents, regardless of whether those organizations are based in or have offices in the state. Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts’ residents to encrypt personal information at rest: in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted.

Attorney General Coakley’s Office said it doesn’t confirm or deny investigations and it is not clear whether there were any violations of 201 CMR 17 in the CitySights case. However, it appears the possibility of cases being brought under 201 CMR 17 or similar state laws at least occurred to Twin America. The letter sent from Attorney Augustinos of Edwards Angell Palmer & Dodge to New Hampshire Attorney General Michael Delaney notes, specifically, that the compromised database did not contain “Social Security numbers, drivers’ license or other state-issued identification or other personal information.”
News: https://threatpost.com/en_us/blogs/sightseeing-firm-overlooks-security-110k-credit-card-numbers-stolen-122010

CitySights owner Twin America says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn’t following Payment Card Industry guidelines for storing card data. The parent company of the CitySights sightseeing tours company, Twin America LLC, said in a letter to states’ attorneys general that a SQL injection attack on a company Web server in September resulted in the theft of personal and financial data on 100,000 of the company’s customers.

The breach came to light after a letter sent to New Hampshire Attorney General Michael Delaney, dated December 9, 2010, was posted online. Details of the attack suggest that the New York based firm may not have been complying with payment card industry standards for storing financial data at the time of the attack. Twin America did not immediately respond to requests for comment. SQL injection attacks are one of the most common forms of Web based attacks, due to their simplicity and a wealth of poorly defended targets on the Internet.

In its letter to the New Hampshire Attorney General, Twin America, speaking through attorney Theodore Augustinos of the firm Edwards Angell Palmer & Dodge LLP, said around 300 New Hampshire residents were among those affected by the attack. The company further said it first became aware of the breach on October 19, when a Web programmer working for Twin America discovered an unauthorized script that had been uploaded to the Company’s Web server. The attack was believed to have taken place on September 26th, with “unauthorized access” to the database occurring between September 26th and the discovery date. The database contained a variety of customer financial data, including the customer’s name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data.

If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data. Twin America said it has filed a complaint with the FBI’s Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach, patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel, and changed and hardened administrative passwords throughout its organization.

Episode 285 – 0-Day, Breach Response, Gawker, SAS, CitySights NY Breach & UofW Breach

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 285.mp3[/podcast]
ISDPodcast Episode 285 for December 23, 2010.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:

News: http://www.microsoft.com/technet/security/advisory/2488013.mspx

Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability. We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of currently known exploits. An attacker who successfully exploits this vulnerability would have very limited rights on the system.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, reducing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Exploit code: http://www.exploit-db.com/exploits/15746

News: http://www.infosecurity-us.com/view/14840/va-facilities-violate-prohibition-on-using-online-tools-to-share-patient-data/

The most recent incident involved the posting of patient information on Yahoo Calendar by the Chicago Health Care System’s Orthopedics Department, according to the VA’s monthly report to Congress.

According to the November report, the full names of over 1000 patients, along with their dates of surgery, types of surgery, and last four numbers of their social security numbers were placed on the Yahoo Calendar.

So…where is this fabulous EINSTEIN 2 that Janet Napolitano is praising so
News: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744No one likes to think about database breaches, but the fact is, they happen. Rather than cross your fingers and hope for the best, create an incident response plan ahead of time. Without a plan, you may destroy critical evidence that could be used to prosecute the offender. You might also overlook just how the incident occurred, leaving you exposed to future breaches.
Log analysis is an essential component of an incident response plan.  You’ll want to review logs from the compromised machine or machines and from other sources, including network devices and access control systems.
A number of log types (transaction, server access, application server, and OS) can all provide valuable information to retrace what occurred. If your database administrator has enabled transaction logs (and it’s a big if), start there because they’re a rich source of information. Your first goal is to understand what data has been extracted, which will help you gauge the current risk to the company. Then examine what else the attacker may have tried to do. As you review logs, look for queries that would match the data known to be exported. If you don’t have any evidence to match against, gather up the database administrator, application developer, and anyone else who knows normal application and database activity. Get a conference room, display the logs on a projector, and have them help you look for anomalies such as unusual queries that applications or administrators wouldn’t normally make.
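One way to turn the “look for queries the application wouldn’t normally make” review into something repeatable. This is an added example, not code from the article: the log format, the table and column names, and the baseline of known application query shapes are all constructed for illustration. It normalises each logged query to its shape (literals replaced by ?), compares it against the baseline the DBA and developers agreed on, and flags queries that touch tables holding card data or return far more rows than any single application request should.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a database query log (not from any real system).
# Assumed format, one query per line: <timestamp> <db user> <rows returned> <SQL text>
SAMPLE_LOG = """\
2010-09-26T02:14:01Z webapp 1 SELECT id, name FROM tours WHERE id = 17
2010-09-26T02:14:03Z webapp 1 SELECT id, name FROM tours WHERE id = 42
2010-09-26T02:15:10Z webapp 1 SELECT id, name FROM tours WHERE id = 17 UNION SELECT card_number, cvv2 FROM customers
2010-09-26T02:15:12Z webapp 110000 SELECT name, address, card_number, cvv2 FROM customers
2010-09-26T02:16:00Z webapp 1 SELECT id, name FROM tours WHERE id = 3 OR 1=1
2010-09-27T09:00:00Z dba 12 SELECT count(*) FROM customers
"""

# Query shapes the application is known to issue, gathered with the DBA and the
# developers (assumed list). Anything outside this set deserves a human look.
APPLICATION_BASELINE = {
    "select id, name from tours where id = ?",
    "insert into bookings (tour_id, customer_id) values (?, ?)",
}
# Tables whose contents match the data known (or suspected) to have been exported.
SENSITIVE_TABLES = {"customers"}
# No single application request should legitimately return more rows than this.
ROW_THRESHOLD = 1000

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


def normalize(sql: str) -> str:
    """Reduce a query to its shape: literals become ?, case and spacing are canonical."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)        # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)   # numeric literals
    return re.sub(r"\s+", " ", shape).strip().lower()


def tables_referenced(sql: str) -> set:
    """Crude table extraction: the identifier after FROM / JOIN / INTO / UPDATE."""
    return {t.lower() for t in re.findall(r"\b(?:from|join|into|update)\s+(\w+)", sql, re.I)}


@dataclass
class Finding:
    timestamp: str
    user: str
    rows: int
    sql: str
    reasons: list = field(default_factory=list)


def triage(log_text: str, baseline=APPLICATION_BASELINE,
           sensitive=SENSITIVE_TABLES, row_threshold=ROW_THRESHOLD) -> list:
    """Return one Finding per logged query that deviates from normal activity."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real run would count these separately
        ts, user, rows, sql = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        reasons = []
        if normalize(sql) not in baseline:
            reasons.append("query shape not in application baseline")
        hit = tables_referenced(sql) & sensitive
        if hit:
            reasons.append("touches sensitive table(s): " + ", ".join(sorted(hit)))
        if rows > row_threshold:
            reasons.append(f"returned {rows} rows (threshold {row_threshold})")
        if reasons:
            findings.append(Finding(ts, user, rows, sql, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}: {f.sql}")
        for r in f.reasons:
            print("    -", r)
```

The baseline is the important input: it is exactly what the article says to get from the people who know normal application behaviour, written down so the same review can be re-run over the rest of the log window.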

Keith: Shameless plug of OSSEC for database log monitoring

News: http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath

Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher’s servers. The publisher of Gawker, Gizmodo, and seven other popular websites also plans to, gasp, mandate the use of secure sockets layer encryption for all users with Gawker Media accounts on Google Apps, according to a memo written by Gawker tech boss Tom Plunkett and published Friday by The Next Web. The company-wide message conceded a point first made by the perpetrators of the hack: that Gawker Media’s security was utter crap.
“It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature,” Plunkett wrote. “We were also not prepared to respond when it was necessary.”
Indeed, security researchers who examined the web platform’s source code were amazed as just how poorly the site was put together.
News: http://www.independent.co.uk/news/media/online/sas-man-to-take-charge-of-cyberwarfare-defences-2164842.html

A former chief of the SAS has been appointed to head the military’s cyber-warfare operations amid rising concern about the risk of attacks on official websites endangering Britain’s defences.

Major General Jonathan Shaw will lead a unit combating internet assaults on vital strategic installations, including nuclear facilities and communications networks, The Independent has learnt. The Strategic Defence and Security Review identified cyber-warfare as “tier one” in a league table of threats facing the UK. Last week Sir Peter Ricketts, the National Security Advisor, asked government departments to take precautions over hackers promising revenge attacks over the WikiLeaks affair. The director of GCHQ, Iain Lobban, has stated that cyber warfare, some orchestrated by foreign governments, is one of the biggest challenges faced by the intelligence services.  But it is the WikiLeaks threats which have become the most pressing in the field, according to Whitehall sources. “Hacktivist” supporters of the website have hit companies that withdrew services from WikiLeaks such as Visa, Mastercard and PayPal. Some supporters of WikiLeaks blame the UK for what they see as complicity in a campaign against its founder, Julian Assange.
News: http://www.computerworld.com/s/article/9201822/Hackers_hit_New_York_tour_firm_access_110_00_bank_cards

Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers. They broke in using a SQL Injection attack on the company’s Web server, CitySights NY said in a Dec. 9 breach notification letter published by New Hampshire’s attorney general. The company learned of the problem in late October, when, “a web programmer discovered [an] unauthorized script that appears to have been uploaded to the company’s web server, which is believed to have compromised the security of the database on that server,” the letter said.
CitySights NY believes that the SQL injection compromise occurred about a month earlier, on Sept. 26. In a SQL injection attack, hackers find ways to sneak real database commands into the server using the Web. They do this by adding specially crafted text into Web-based forms or search boxes that are used to query the back-end database.
This was one of the techniques used by Albert Gonzalez, who in March received the longest-ever U.S. federal sentence related to hacking the systems of Heartland Payment Systems, TJX and other companies.
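The mechanism described above, reduced to its root cause, as an added example that is not from the article or from CitySights: a lookup that splices form input into the SQL text beside the fixed version that binds it as a parameter. The in-memory SQLite schema and data are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a tour company's back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tours (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO tours VALUES (17, 'Downtown loop'), (42, 'Harbor cruise');
    """)
    return conn


def tour_name_vulnerable(conn: sqlite3.Connection, tour_id: str) -> list:
    """The defect: the form value becomes part of the statement text, so the value
    can change what the statement does rather than only which row it matches."""
    rows = conn.execute(f"SELECT name FROM tours WHERE id = {tour_id}").fetchall()
    return [r[0] for r in rows]


def tour_name_safe(conn: sqlite3.Connection, tour_id: str) -> list:
    """The fix: the statement is fixed text and the value travels separately as a
    bound parameter, so it is compared as data and can never be parsed as SQL."""
    rows = conn.execute("SELECT name FROM tours WHERE id = ?", (tour_id,)).fetchall()
    return [r[0] for r in rows]


def compare(tour_id: str) -> tuple:
    """Run the same input through both versions and return (vulnerable, safe)."""
    conn = make_db()
    try:
        return tour_name_vulnerable(conn, tour_id), tour_name_safe(conn, tour_id)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary form value behaves the same either way.
    print(compare("17"))
    # A value that is not a number: the vulnerable version lets it alter the WHERE
    # clause and returns every row; the bound version matches nothing.
    print(compare("0 OR 1=1"))
```

Binding parameters is the control that removes the bug class; input validation (rejecting a tour id that is not an integer) and least-privilege database accounts are the layers that limit what a remaining bug can reach.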

News: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228800912/university-of-wisconsin-madison-leaves-60-000-ssns-unprotected-for-two-years.html

A recent database breach that potentially exposed the Social Security Numbers of 60,000 former students and staff at the University of Wisconsin is bringing attention to the way higher education institutions store and protect SSNs, even after they’ve been discontinued as a student identification number.
The breach came to light earlier in the month when affected victims were informed by a letter from the university that their data might have been breached after sitting in an unsecure database for more than two years.  Like many universities around the nation, University of Wisconsin had discontinued the use of SSNs in student identification numbers in 2008 to better protect student identities. Unfortunately, the university retained information about affected individuals within the poorly protected database even after their IDs were deactivated.
University officials say they were made aware of an intrusion into the database in October and have not found the individuals responsible for the hack. Though sensitive data was stored within the database, it claims its forensic investigation didn’t provide evidence that former student data was accessed.
“During our investigation and examination, we reviewed the available logs dating back to January 2008 and discovered the system suffered unauthorized accesses a number of times. However, supplemental logs available for a shorter time period did not show any evidence of file transfers consistent with the size of the database file that contained your personal information. Further, our investigation found no evidence that the unauthorized individuals were aware of your personal data in the database or that it has been retrieved or misused,” the University of Wisconsin wrote in its letter to potential victims.

Episode 284 – WTF, ClientData, LogLogic, BYOT, IE Protected, Mobile Malware, ACL Parser & Hacker Cup

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 284.mp3[/podcast]
ISDPodcast Episode 284 for December 22, 2010.  Tonight’s podcast is hosted by  Rick Hayes, and Keith Pachulski.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm
Personal Announcement: Thanks to Jason Frisvold aka @Xenophage and Endless Mountain Cyberspace for porting and hosting my blog over from my personal server to their servers http://www.protectors.cc/blog/

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:

News: http://www.guardian.co.uk/world/2010/dec/22/cia-wikileaks-taskforce-wtf

The CIA has launched a taskforce to assess the impact of 250,000 leaked US diplomatic cables. Its name? WikiLeaks Task Force, or WTF for short.

The group will be charged with scouring the released documents to survey damage caused by the disclosures. One of the most embarrassing revelations was that the US state department had drawn up a list of information it would like on key UN figures – it later emerged the CIA had asked for the information.

“Officially, the panel is called the WikiLeaks Task Force. But at CIA headquarters, it’s mainly known by its all-too-apt acronym: WTF,” the Washington Post reported.
News: http://www.infosecurity-us.com/view/14736/court-blocks-former-bank-of-america-employees-from-using-client-data

Michael C. Brown, a financial adviser with $5.9bn in client assets, Charles Britton, Marcus Wilson, and Amanda Kerley were temporarily blocked by a New York state court from “using or disclosing in any manner the customer lists and any other property or trade secret information taken at the time” of their resignations from U.S. Trust, according to a Bloomberg report, citing court documents provided by Bank of America. The employees argued in court that they were allowed to take client records under a voluntary recruiting agreement among brokers. Bank of America disputed that, saying that neither it nor U.S. Trust signed the agreement that the former employees argue allows them to use the client information, according to the complaint.

The court order directs the former employees to return customer lists and any other property to U.S. Trust. It also blocks them from “soliciting, inviting, encouraging, requesting” customer accounts that may have been “wrongfully solicited”, according to the filing. The suit is “a blatant legal tactic in an attempt to portray Mr. Brown and his team in a negative light”, Steven Goldberg, a Dynasty Financial spokesman, said in a statement.

“Companies need to be one step ahead of a departing employee”, said Kurt Johnson, vice president of strategy and corporate development for Courion, a provider of identity and access management products, when commenting on the case. “In letting these staff members go, all administrative controls should have been shut off and changed immediately so that there was no opportunity to gain access to these sensitive files. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities.”
News: http://www.infosecurity-magazine.com/view/14694/survey-reveals-lack-of-awareness-for-pci-dss-20-/

LogLogic, the IT audit data specialist that commissioned the survey, says the results show relatively low visibility of the security requirements amongst retailers, despite the fact that PCI audits are becoming more prevalent. Researchers found that 13.8% of respondents are completely unaware of the new version and 15.5% confirm they are only partially aware of the PCI security standard. The majority (70.7%) confirmed they are aware of the new standard, which the company says implies that the majority are prepared for, or are working towards, meeting PCI requirements.

However, says LogLogic, when respondents were asked if they knew that PCI DSS 2.0 contains significant changes and clarifications relative to the expected network architecture and virtualisation, only 36.2% could say yes. Most interesting of all, Infosecurity notes, 63.8% said they were partially or completely unaware of the new requirements, meaning their PCI compliance could be at risk or at the very least isn’t as thorough or as up-to-date as it should be. Equally interesting, when asked how auditing by the payment card issuers has changed in the past twelve months, the survey revealed that 62% said audits were becoming more, or much more, prevalent.

The survey also looked at attitudes towards PCI DSS and version 2.0 changes. On the positive side, 50% saw it as a valuable addition that helps them keep up-to-date, and 17.2% said they used it as a way to justify spending on technologies that are useful outside of PCI mandates. On the negative side, however, 17.2% saw it as a continual regulatory headache, and 5.2% viewed it as another costly ‘tick in the box’ exercise with no obvious benefit to the company or its customers.

Guy Churchward, LogLogic’s CEO, said that the survey’s findings are very interesting: retailers have come a long way since the introduction of PCI DSS back in 2004, in terms of attitudes and implementation, but there is still a lot more to do. “It’s not just a case of achieving compliance, it’s a matter of completing the audits and staying on top of the requirements”, he said, adding that it is a long-term commitment to the business and to protecting customer data. “The research clearly shows that retailers need to get up to speed with the new version pretty quickly – if they are to meet the increasingly regular audit requirements”, he explained.

Inside the business of malware: http://www.computerschool.org/images/malware.jpg
News: http://www.pcworld.com/article/214127/byot_hype_or_a_hiring_dealbreaker.html

Bring Your Own Technology, or BYOT, can strike fear in the hearts of CIOs and security officers, who are split on whether the concept is an urban legend or the wave of the future. Regardless, the CIOs I’ve spoken with say it has not yet become a standard question that applicants ask. Sure, there are CEOs and salespeople who want to sneak tablets onto the network, but at this point, the roar of the consumers is really just a whisper.

Dave Kelble, vice president of technology with MobilexUSA, has been grappling with BYOT because he also serves as the company’s security officer. “There are parts of the organization on-boarded through acquisition where people use their own computer equipment as part of their job. We are looking to transition away from that for security and support reasons.”

MobilexUSA, a leading provider of bedside diagnostics, is a 3,000-person organization that Kelble expects could, through acquisitions and organic growth, grow to 5,000 by the end of 2011. The change in scale will be a challenge, and maintaining HIPAA compliance is imperative. Kelble says he has not received BYOT inquiries from potential new hires, though current employees, including field management, sales and IT, have been asking his group about it. “We are wrestling with how to get our arms around not allowing [employees] to BYOT, but helping them get their job done as effectively and securely as possible.”

Mary Sobiechowski is the CIO of Kantar Health, a healthcare-focused global consultancy and marketing insights company. She recalls only one instance when a new hire pushed hard for BYOT. The company didn’t give in for compliance reasons, but it did build a machine with the employee’s needs in mind.

An employee’s desire to have the latest equipment “is a reflection on the employee and the company,” she says. However, thanks to the threat of data insecurity, viruses and spyware, and the need to maintain Sarbanes-Oxley compliance, “we’ve had to change to a defensive posture.”

News: http://www.spamfighter.com/News-15530-IE-Protected-Mode-Vulnerability-Revealed.htm

According to investigators at Verizon Business, a vulnerability exists in Internet Explorer’s ‘Protected Mode’ mechanism, which suggests that other Windows software built on the same technology, including Adobe’s Reader X and Google’s Chrome, could be similarly problematic.

Fundamentally, ‘Protected Mode’ works by restricting the privileges a particular application process can obtain. IE or the OS assigns those privileges according to 6 MIC (Mandatory Integrity Control) levels; the lowest level applies to all applications actively running content from the Internet, the least-trusted zone.

Nevertheless, the Verizon researchers describe methods by which an attacker can raise a process’ privileges through zones that Protected Mode does not cover, such as the Local Intranet zone reached via UNC paths. Alternatively, the privileges can be elevated through phishing sites masquerading as trustworthy websites.

The related attack becomes possible when the browser’s privilege level is elevated from low integrity to medium integrity. The Verizon researchers state that as soon as the initial exploit is used remotely to run malware on the target system at low integrity, the malware sets up a web server that takes instructions on a port bound to the loopback interface. InformationWeek published this on December 6, 2010.

That web server is then used to launch the attack again, and the local browser characteristically assigns it medium integrity because it falls within the Local Intranet Zone. Executing the attack a second time yields persistent malware, since the medium-integrity context lets the malicious program persist.

Still, according to the Verizon researchers, Protected Mode is useful at present because most malware that runs at low integrity fails to survive reboots, as it is unaware of the low integrity level it executes under. For instance, the Metasploit Framework, the open-source penetration testing program that has tested the greatest number of exploits worldwide, rarely takes the integrity level into account.

Verizon says the latest vulnerability does not directly affect other software that uses Protected Mode, such as Chrome or Reader X. However, it does show how such safeguards are open to attack, given that some mechanism must ultimately be trusted at least to some degree.
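The weak point described above is a zone in which Protected Mode is not enforced. The following is an added example, not code from the article or from Verizon Business: a PowerShell audit that reads the per-zone Protected Mode setting from the standard Internet Explorer zone registry keys (value name 2500: 0 = enabled, 3 = disabled) and flags any zone, including Local Intranet, where it is off. The registry path and value semantics are the standard IE ones; the function name and the hive parameter are mine.

```powershell
# Added example: report IE Protected Mode per URL security zone.
# Zone numbering is the standard IE scheme: 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet, 4 = Restricted Sites. Value "2500" is the Protected Mode setting
# (0 = enabled, 3 = disabled). Function name and parameter are this example's own.
function Get-IEProtectedModeStatus {
    [CmdletBinding()]
    param(
        # Per-user zone settings live under HKCU; use the HKLM path instead when
        # the "Security_HKLM_only" policy forces machine-wide zone settings.
        [string]$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    $zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

    foreach ($zone in 1..4) {
        $key = Join-Path $ZonesRoot $zone
        # Missing key or value yields $null rather than an error.
        $val = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'

        $state = if ($null -eq $val) { 'Not set (zone default)' }
                 elseif ($val -eq 0)  { 'Enabled' }
                 elseif ($val -eq 3)  { 'Disabled' }
                 else                 { "Unknown ($val)" }

        [pscustomobject]@{
            ZoneId        = $zone
            Zone          = $zoneNames[$zone]
            ProtectedMode = $state
            RawValue      = $val
        }
    }
}

# Print the full picture, then call out zones where Protected Mode is not enforced.
# The Local Intranet zone (id 1) is the one the loopback web server elevation relies on.
$status = Get-IEProtectedModeStatus
$status | Format-Table -AutoSize

$gaps = @($status | Where-Object { $_.ProtectedMode -ne 'Enabled' })
if ($gaps.Count -gt 0) {
    Write-Warning ("Protected Mode is not enforced in: " + ($gaps.Zone -join ', '))
}
```

Run it under the user whose browser configuration you are auditing; with a domain policy in force, pass the HKLM zone path via -ZonesRoot instead.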
News: http://androidcommunity.com/android-malware-infection-has-the-highest-growth-overall-infection-lower-than-other-platforms-20101217/

AdaptiveMobile, a mobile security vendor, has stated that it has seen the highest number of mobile malware infections this year. In fact, the number of reports has grown a significant 33 percent over 2009 figures. Google’s Android platform has seen the greatest rise in infection, with a four-fold increase in the number of exploits in 2010.

However, it’s not all bad news for Android. AdaptiveMobile goes on to claim that although it has seen the biggest rise in infection, Android exploits are still relatively low in comparison to other platforms.

The rise is said to be due to cyber criminals targeting what will have the highest market share in the coming years, and with Android growing heavily, it’s not surprising that it has been so heavily targeted.

Tools: http://www.melcara.com

Cody Dumont has released a new version of the ACL parser (v0.04).  There are apparently a lot of issues with this version.  The object groups are expanded for the PIX and ASA. I have added the attributes for ACL entries for log level, time, and inactive state.  Other than finding that it tells you that it’s “compelted” when it’s done, it works like a charm.  You can see that I’ve added it to my pentesting VM as it’s extremely useful to have around.

root@pentest:/pentest/cisco/acl2csv# perl acl2csv.0.04.pl asa01.txt
compelted

News: http://www.thestar.com/business/article/908968–facebook-to-hold-hacker-cup

Hacking, the reclusive sport of individuals with socially crippling intelligence, is being pulled from the depths of the suburban basement and thrust onto the podium. Well, there might not be a podium, but there is talk of a cup.  Facebook has created a page containing details about a Hacker Cup in 2011. People can apply and compete online, and a final 25 will be flown to compete in the algorithmic programming contest in California in the New Year for (U.S.) $5,000 and the title. The tests are designed by Facebook engineers. Inside the Facebook universe, “hacking” or “Hack” is used as a term for all-night coding benders, rather than for the more popular interpretation of someone who creates code or viruses to interfere with or destroy computer programs.

Alan Middleton, a marketing guru housed at the Schulich School of Business at York University, was admittedly a bit baffled at the prospect, given the elevated public perception of hacking of the more nefarious kind. “In a world where we are getting increasingly concerned about privacy (does Facebook) want to be associated with hacking?” asked Middleton. He said there are two possible options for the contest. “They are trying to get some buzz to remain cool with a rebellious and youthful segment of their population,” said Middleton. “In which case, I think it is a really bad strategy.” Facebook, he said, is likely just holding a skills competition to seek out new talent.

Registration opens Dec 20. In an email response to questions about motivation, a Facebook spokesperson said “Hacking is a central part of Facebook’s culture. We want to bring engineers from around the world together to compete in a multi-round programming competition.” When asked if they were concerned about the brand being linked with hacking of the more nefarious kind, the spokesperson said “For us, Hack means to find a better way of doing things.”

Hackers who use their skills for destruction are enjoying a bit of a folk hero moment. Supporters of WikiLeaks founder Julian Assange have crashed corporate websites, including MasterCard, in retribution for Assange’s arrest. “Maybe in a new world where WikiLeaks and hackers are the new heroes and we hate government and establishments . . . maybe we are now trying to celebrate the rebels,” said Middleton.

Episode 283 – Nude Spy, AV Off, Napolitano, Riskiest Cities, Google Safe & Facebook Worm

[podcast]http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 283.mp3[/podcast]
ISDPodcast Episode 283 for December 21, 2010.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, and Varun Sharma.

Announcements:
SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News: http://www.infosecurity-us.com/view/14755/onequarter-of-consumers-have-turned-off-their-antivirus-software
http://webcache.googleusercontent.com/search?q=cache:WfMPpgH1twoJ:www.infosecurity-us.com/view/14755/onequarter-of-consumers-have-turned-off-their-antivirus-software-/+http://www.infosecurity-us.com/view/14755/onequarter-of-consumers-have-turned-off-their-antivirus-software&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a
Twenty-five percent of consumers surveyed by anti-virus software provider Avira turned off their anti-virus software because it was slowing down the computer, while 12% considered abandoning the internet because of safety concerns.

In addition, 63% of consumers have tried multiple anti-virus security products in a one-year span on the same computer, according to the survey of 9091 Avira customers worldwide.

“It’s not surprising that consumers try multiple security products each year since everyone is trying to find the right security product which can effectively balance protection and a computer’s resource usage”, said Sorin Mustaca, data security expert with Avira.

“The scary take-away from this survey is that 25% of the respondents admitted to turning off their security products because they feel that it hurt the performance of the machine. That’s not a good idea because such a practice leaves the computer totally exposed to the even simplest of viruses, allowing the bad guys to include it in a botnet used to distribute malware and phishing”, he warned.

Mustaca said that vendors need to be careful not to overload their anti-virus software with features that could have a significant effect on system performance. Anti-virus vendors should focus on offering products that provide the minimum necessary protection, rather than protection “with all the whistles and bells” that users deactivate in order to use their computers.

News: http://cybersecuritynews.org/2010/12/16/dhs-secretary-napolitano-cybersecurity-is-a-collaborative-effort/
Attaining an Internet that is both open and secure is a challenge that must be confronted, US Department of Homeland Security Secretary Janet Napolitano stated last week. “Cyberspace is fundamentally a civilian space,” Napolitano said during a keynote speech before a cybersecurity forum at the National Press Club. “And government has a role to help protect it.”

But according to Napolitano, that role should extend beyond DHS and other federal agencies and into the private sector, as well, where she said new public-private partnerships are already being formed to protect control systems that operate the nation’s critical infrastructure.

Noting that teams have been deployed to work with and respond to cyber incidents, Napolitano said DHS has extended its partnerships to reach chemical plants, communications systems and systems controlling the nation’s electric, water and utilities in its latest cybersecurity efforts.

“At the same time, I recognize that much more needs to be done in this critical area,” Napolitano stated. “We need to be working together to create a national culture that provides that [Internet] users at every level know that they are part of a system and know what they need to do to help protect security… users, businesses, technology industry, government, everybody has a role.”

Napolitano also extended her cyber reach out to Congress and academia, where she said a more transparent and inclusive cybersecurity policymaking process and more higher education programs are needed, “so that we have policymakers who understand technology, but we also have technologists who understand policy.”

Including DHS’ National Cybersecurity Challenge, the “Stop. Think. Connect.” Campaign, the deployment of Einstein 2 and the launch of the National Cybersecurity and Communications Integration Center in her list of the Department’s accomplishments over the past year, Napolitano went on to add, “It is our goal to build one of the best teams that we can to tackle the cybersecurity challenge, but this has got to be a team effort. No single agency or industry, quite frankly, can manage it.”

And while reasserting that it will be a challenge to continue to build partnerships and to keep the Internet open but also secure, in her closing statement Napolitano added, “Those are the kinds of challenges our country has confronted before, and by putting our best minds together, that’s how we have met those challenges. This one may be bigger, more complex and may require more of our effort than anything we’ve ever dealt with, but we’re going to have to make sure that we deal with it the right way because we’re laying the foundation for our future.”

News: http://www.pctools.com/security-news/top-cities-cybercrime
Cybercrime is not confined by city, state or national borders. Anyone with a computer and an internet connection is susceptible to online fraud. However, where you choose to surf the Web can put you at great risk for a cyberattack. A recent study by internet security company Symantec lists the US cities at the greatest risk for cybercrime. If you’re a resident of one of these vulnerable locales, you might want to watch where you click.

Symantec partnered with independent research firm Sperling’s BestPlaces to complete the study. Using their own internal research and third-party data, such as risky online behavior, number of Wi-Fi hotspots and rate of cybercrime per capita, the two companies compiled the “Norton Top 10 Riskiest Online Cities.”

Seattle received the dubious distinction of being the city most vulnerable to cybercrime. Seattleites led the way in several categories used in the study, including frequency of internet usage and the percentage of residents who check their bank accounts and pay bills online. Detroit was named the least risky US city due to factors such as low rates of cybercrime and wireless internet access.

The Norton Top 10 Riskiest Online Cities:

1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh, NC
6. Atlanta
7. Minneapolis
8. Denver
9. Austin, TX
10. Portland, OR

While their findings have been widely publicized, the authors of the study reiterated the fact that anyone using the Internet is susceptible to cybercrime. “Despite people’s familiarity with technology and the Internet, this study shows that everyone is exposed to a certain level of risk when they are online,” said Bert Sperling, founder and researcher of Sperling’s Best Places. “No matter where you live – be it Seattle or Detroit – it’s important to be vigilant in everyday online behavior in order to protect yourself against cybercrime of all types.”

News: http://googlewebmastercentral.blogspot.com/2010/12/new-hacked-site-notifications-in-search.html

Google has added a new notification to our search results that helps people know when a site may have been hacked. We’ve provided notices for malware for years, which also involve a separate warning page. Now we’re expanding the search results notifications to help people avoid sites that may have been compromised and altered by a third party, typically for spam. When a user visits a site, we want her to be confident the information on that site comes from the original publisher.

Here’s what the notification looks like:


Clicking the “This site may be compromised” link brings you to an article in our Help Center which explains more about the notice. Meanwhile, clicking the result itself brings you to the target website, as expected.

We use a variety of automated tools to detect common signs of a hacked site as quickly as possible. When we detect something suspicious, we’ll add the notification to our search results. We’ll also do our best to contact the site’s webmaster via their Webmaster Tools account and any contact email addresses we can find on the webpage. We hope webmasters will also appreciate these notices, because it will help you more quickly discover when someone may be abusing your site so you can correct the problem.

Of course, we also understand that webmasters may be concerned that these notices are impacting their traffic from search. Rest assured, once the problem has been fixed, the warning label will be automatically removed from our search results, usually in a matter of days. You can also request a review of your site to accelerate removal of the notice.


News: http://www.thetechherald.com/article.php/201051/6590/Worm-forces-survey-participation-on-Facebook-users

Stephen Doherty, security researcher for Symantec, has posted a warning and analysis of a new Worm that spreads via instant messaging platforms. Once a system is infected, the Worm will download a variant of itself, which in turn prevents access to Facebook unless a survey is completed.

While Yahoo Instant Messenger is the messaging platform that gave rise to the Worm, dubbed Yimfoca by Symantec, it can target several others, including AOL and MSN. The Worm works by using infected systems to spam messages to the messenger application’s friends list. The messages target 44 countries, including the U.S., the U.K., Canada, Mexico, Spain, Germany, France, Russia, and more. In addition to location targets, the messages that contain the malicious URL can appear in more than 20 languages. If the host language is unknown, the Worm will default to using English.

Example Messages:

mira esta fotografa :D [MALICIOUS LINK]
seen this?? :D [MALICIOUS LINK]
pogledaj to slike :D [MALICIOUS LINK]
guardare quest’immagine :D [MALICIOUS LINK]

If the system is infected, Yimfoca will download additional Malware, including a variant of its own code. This variant will force users to complete surveys before they are allowed access to Facebook. The Worm uses an overlay message on the Facebook homepage, which explains that your account is suspended. “To make your account active you need to complete one of these surveys,” the message concludes.

“If you fail to fill out the survey you will be locked out while W32.Yimfoca is running. So long as W32.Yimfoca is running on your computer and you haven’t completed a survey you will be blocked from accessing facebook.com. Every time the malware restarts, its state is reset and you will be prompted to fill out a survey again to gain access (for example after a reboot),” Doherty explained.

If there is any good news to this Worm, it could be that it is Internet Explorer centric, so other browsers will access Facebook with no problems. The down side is that most of the planet uses Internet Explorer to access the Web.

“If you receive an unexpected link from a contact through an instant message you can always respond with a question about the link to verify it’s not malware spreading them. If you receive a link promoting a deal that sounds too good to be true—whether on a social network, via email or via Instant message—then usually it is,” added Doherty.

Facebook surveys generate a good deal of money for scammers, and there have been countless examples of scams linked to them reported this year. Symantec says that Yimfoca is using surveys promoted by cpaleads.com, which pays up to $1.00 USD per completed survey.

News: http://techcrunch.com/2010/12/20/under-arrest-the-author-of-that-pedophilia-book-amazon-banned/
Remember that vile ebook “The Pedophile’s Guide to Love and Pleasure: A Child-Lover’s Code of Conduct” that briefly topped Amazon’s top 100 bestsellers lists, only to be pulled following massive customer and media pressure on the Internet retailer?

Well, according to Florida’s News 13, the author of the book, Phillip R. Greaves II, was arrested today for violation of obscenity laws.  According to the news outlet, Polk County Sheriff’s Office, along with authorities in Pueblo, Colorado, have arrested the mentally unstable man on third-degree felony charges, which are punishable by up to 30 years in prison in the state of Florida.  Polk Sheriff Grady Judd told News 13 that detectives who were investigating the case researched the book and inquired about receiving a copy, ultimately leading to the arrest.

“He wrote this book specifically to teach people how to molest and rape children,” Judd said. “You cannot engage in or depict children in a harmful light.”

Greaves could be extradited to Polk County as soon as today.

News: http://anonymousdown.wordpress.com/2010/12/21/101-ways-to-use-a-bot/
Not all bots are used for bad purposes. Unfortunately, Anonymous uses bots for their LOIC DDoS cannon, their hives and their IRCs alike. Did you know bots can be used for other means and purposes?  Here are some really cool servers/sites that Anonymous Down has fetched.

News: http://ohmygov.com/blogs/general_news/archive/2010/12/21/us-cybersecurity-predictions-resolutions-and-wishes-for-2011.aspx
OhMyGov asked a variety of cyber experts what they predict will happen, what they wish will happen, and what they resolve to do (and think we should all resolve) to help protect the nation against our digital adversaries.   Good Read!