Your daily source of Pwnage, Policy and Politics.

Episode 312 – Black Widow, Smart Cards, Anon, 0-day Fix, Lush Breach & Malware City


ISDPodcast Episode 312 for January 31, 2011.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, and Dave Shackleford.

Announcements:

Appalachian Institute of Digital Evidence (AIDE)

When: February 17 – 18, 2011
Where:  Marshall University Forensic Science Center, Huntington, WV

http://aide.marshall.edu/default.htm

SANS Community

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam

When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC

Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

Outerz0ne:
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now! http://bit.ly/dJoIM9

Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
CFP is currently open!

@THOTCON

When:  Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:

News: http://news.techworld.com/security/3258312/hackers-break-us-government-smart-card-security/
The US government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them. Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In the report Mandiant calls this technique a “smart card proxy.”
The attack works in several steps. First, the criminals hack their way onto a PC. Often they’ll do this by sending a specially crafted email message to someone at the network they’re trying to break into. The message will include a malicious attachment that, when opened, gives the hacker a foothold in the network. After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card. Then they wait.
News: https://www.infosecisland.com/blogview/11416-FBI-Executes-Warrants-for-Anonymous-DDoS-Attacks.html
FBI agents today executed more than 40 search warrants throughout the United States as part of an ongoing investigation into recent coordinated cyber attacks against major companies and organizations. Also today, the United Kingdom’s Metropolitan Police Service executed additional search warrants and arrested five people for their alleged role in the attacks. These distributed denial of service attacks (DDoS) are facilitated by software tools designed to damage a computer network’s ability to function by flooding it with useless commands and information, thus denying service to legitimate users. A group calling itself “Anonymous” has claimed responsibility for the attacks, saying they conducted them in protest of the companies’ and organizations’ actions. The attacks were facilitated by the software tools the group makes available for free download on the Internet. The victims included major U.S. companies across several industries.

The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability. The FBI is working closely with its international law enforcement partners and others to mitigate these threats. Authorities in the Netherlands, Germany, and France have also taken their own investigative and enforcement actions. The National Cyber-Forensics and Training Alliance (NCFTA) also is providing assistance. The NCFTA is a public-private partnership that works to identify, mitigate, and neutralize cyber crime. The NCFTA has advised that software from any untrustworthy source represents a potential threat and should be removed. Major Internet security (anti-virus) software providers have instituted updates so they will detect the so-called “Low Orbit Ion Cannon” tools used in these attacks.

News: http://krebsonsecurity.com/2011/01/microsoft-exploit-published-for-windows-flaw/

Microsoft warned that hackers have published instructions for attacking a previously unknown security hole in all versions of Windows that could be exploited to siphon user data or trick users into installing malicious code.

Redmond published an advisory about a vulnerability in the way Windows handles MHTML code that could let attackers run Javascript code if the user is browsing a malicious site using Internet Explorer. As Wolfgang Kandek, chief technology officer at Qualys notes, that means that IE is the only known exploit vehicle for this flaw, and that other browsers such as Firefox and Chrome are not affected in their default configuration because they don’t support MHTML without the installation of specific add-ons.

Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can use a supplied “FixIt” tool to help shore up the way Windows handles MHTML documents. To enable that fix, visit this link and click the FixIt icon.

News: http://www.zdnet.co.uk/news/security/2011/01/21/attacks-on-lush-website-expose-credit-card-details-40091520/

Cosmetics company Lush has warned customers that its UK website has been hacked repeatedly over the past three months, exposing credit-card details to fraudulent use. Lush did not release technical details of the attack, nor specify the number of customers compromised or the security techniques used to handle the data involved, but anecdotal evidence indicates that some customers have been the victims of fraud. The company sent an email statement to customers on Thursday outlining the incident and urging them to contact their banks.
“Our website has been the victim of hackers,” Lush said in the email. “Twenty-four-hour security monitoring has shown us that we are still being targeted, and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry — so have decided to completely retire this version of our website.” Lush said it is preparing another version of its UK website to replace the one it has taken offline. The new version will launch within a few days and will initially only accept payments via PayPal, it added. The incident affected customers who placed online orders between 4 October, 2010 and 20 January, 2011, according to Lush. Orders placed in Lush’s shops or via telephone are not affected. Some security experts have questioned Lush’s timing in notifying customers of the breach. The company has acknowledged that it discovered the issue in late December, yet affected transactions include ones placed in January.
In a statement, the cosmetics company said that it had responded to the breach by starting a “thorough investigation” and putting in place “extra security measures”. However, it was only when security monitoring showed the latest hacking attempt that Lush took down its UK website and notified customers, according to the statement.
Lush added that it is working with the police and its credit-card acquirer to carry out a full investigation into the hacking.
The company’s response raises more questions than it answers, according to security researcher Graham Cluley of Sophos.
“Was the customer credit-card information not encrypted?” he wrote in a blog post on Friday. “If it had been strongly encrypted, then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.”
Writing on Lush’s Facebook page, several customers confirmed their details had been abused.
“My card details were used fraudulently, and I had the hassle of needing a new card and no access to my money,” wrote a user identifying herself as Jane Sendall on Friday. “It would have been nice to have been warned earlier.”
Another user, identifying herself as Kerry Aldam, wrote on Friday that a purchase in October had resulted in an incident of fraud within “the last few days”.
On its temporary UK website, Lush posted a video of toy lemmings playing music, alongside a note urging users to “click on the video to try and share a smile”. The temporary site also addressed a message to those responsible for the attack.
“To the hacker: If you are reading this, our web team would like to say that your talents are formidable,” the note read. “We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.”

News: http://www.malwarecity.com/blog/what-happens-in-vegas-stays-in-vegas-not-998.html
A study on the delicate subject of Internet users’ access to online adult content and on the associated privacy and data security issues.
We all enjoy the benefits of the Internet, and for many of us this is an indispensable tool for work and communication.  While the time spent on the Internet can be hugely productive, for some people compulsive Internet use can interfere with daily life, work and relationships.
When you feel more comfortable with your online friends than your real ones, or you can’t stop yourself from playing games, gambling, or surfing for adult-content sites, despite these habits’ negative consequences on your life, then you may want to start thinking about forgetting the Internet for a while.
Internet pornography is a multibillion dollar industry, as adult content sites are one of the most searched for categories of pages, with 1 in 4 search engine requests being pornography- related.
As I was curious to find out more about this phenomenon, I set out to do a study on users’ motivation in accessing adult content sites as well as on the privacy and malware dissemination issues arising from the use of this kind of sites.
The study contained 2 parts: a survey concerning the psychological background of online adult content use, and a net-research aiming to identify the ensuing malware and privacy related issues.
2,017 persons participated in the survey. The sample was heterogeneous, with participants originating from 24 countries, ranging between the ages of 18 and 65, and with a sex ratio of about 1:1.
The survey concerned the respondents’ online habits: whether they look for adult-content sites and what type of sites they access (free vs paid ones), the reason for these actions, and if they have ever infected their computers with malware as a result of having accessed this kind of sites.
At the same time, I performed a net research about malware and pornographic sites and links: I looked for and checked for malware the URLs to the free and paid sites returned by different search engines based on a set of keywords such as: “sex”, “porn”, “adult sites”, etc. I also searched through blogs and different other “collaborative platforms” to find out if the credentials of users having accounts on the adult content sites were exposed there.
The survey generated the expected results: 72% of the participants admitted that they had searched for and accessed adult-content sites, with 78% of them being men and 22% women. As regards the age, the largest segment of internet pornography consumers is the 35-45 years old one (69%).
The accessed pornographic materials can be broken down into 3 major classes: materials sent via e-mail (31%), videos that can be downloaded from different sources (torrents, web sites, hubs, etc) (91%) and real-time adult content sites such as video-chats, adult dating, etc. (72%).
Within the class of real-time adult content sites, 21% were paid sites and 97% were free ones. When asked how much money they spend on pornographic materials, the respondents declared that they assign between 250 and 500 USD/month. (mean values)
The interviewed persons usually access these sites from home (69%), their work places (25% – men, 13% – women), or from other locations (internet café, etc)(6%) and their main motivations were the need to relax (54%) and curiosity (38%).
As expected, adult-content sites and, in general, sex-related topics are very attractive for cybercriminals. When asked if they infected their computers searching for this kind of materials, 63% of respondents admitted that they had had malware-related problems more than one time. The sources of malware were especially links sent via e-mail and free downloadable videos.
On the other hand, the net research on the safety of URLs leading to pornographic sites revealed that of the 1,000 tested links, 29% were infected with different kinds of malware, especially Trojans and spyware.
Moreover, when looking on blogs and on different other “collaborative platforms”, I could find more than 500 credentials exposed on the Internet (accounts and passwords to paid adult-content sites). The way they were posted, combined with other accounts and passwords of the same user suggested the fact that they were obtained using a malicious piece of software installed on the victim’s computer.
In the end, it’s your decision if you access or not adult content sites. Just be aware of the fact that cybercriminals will take advantage of any “hot” topic and that sex is probably at the top of their list. Safe and relaxed surfing!

Episode 311 – Egypt, Shmoo/SnowCon, SMS Bomber, Facebook, Internal Leaks, FBI Strangeness & Amazon


ISDPodcast Episode 311 for January 28, 2011.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, Geordy Rostad, Karthik Rangarajan and Varun Sharma.

Announcements:

Dublin Hackerspace – 2yr Anniversary
This Saturday from 19:00 till $Late…. 
http://www.tog.ie

@BSidesSF

When: Monday-Tuesday, February 14-15, 2011

Where:   Zeum, 221 Fourth Street, San Francisco

RSVP is closed.

http://www.securitybsides.com/w/page/30975276/BSidesSanFrancisco

Appalachian Institute of Digital Evidence (AIDE)

When: February 17 – 18, 2011
Where:  Marshall University Forensic Science Center, Huntington, WV

http://aide.marshall.edu/default.htm

SANS Community

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam

When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC

Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011
Outerz0ne:
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now!
http://bit.ly/dJoIM9

Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
CFP is currently open!

@THOTCON

When:  Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org

12th Annual Linux Fest Northwest
When: April 30th-May 1st, 2011
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org
CFP is currently open!

@BSidesLondon  (SOLD OUT!)

CFP - http://www.securitybsides.com/w/page/34704039/BSidesLondon-Talks

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:

News:
http://news.cnet.com/8301-31921_3-20029862-281.html
http://www.wired.com/threatlevel/2011/01/egypt-isp-shutdown/
In a stunning development unprecedented in the modern history of the Internet, a country of more than 80 million people has found itself almost entirely disconnected from the rest of the world. The near-disconnection–at least one Internet provider is still online–comes after days of street protests demanding an end to nearly three decades of autocratic rule by President Hosni Mubarak. Those followed this month’s revolution in Tunisia, another country with little political freedom and high levels of corruption. Jim Cowie, chief technology officer at Internet-monitoring firm Renesys, said that at approximately 2:34 p.m. PT, his company “observed the virtually simultaneous withdrawal of all routes to Egyptian networks in the Internet’s global routing table.” (See CNET’s earlier coverage of network disruptions.)

“Virtually all of Egypt’s Internet addresses are now unreachable, worldwide,” Cowie wrote in a blog post this evening. A major service provider for Egypt, Italy-based Seabone, reported that there was no Internet traffic going into or out of the country after around 2:30 p.m. PT (12:30 a.m. local time), according to an Associated Press report. Al Jazeera English reported that the Mubarak government “denied disrupting communications networks” in advance of widespread protests planned at more than 30 mosques and churches on Friday, which is a day off in Egypt with banks and many businesses closed. (A spokesman for the Egyptian embassy has also denied that Facebook and Twitter have been blocked.)

While the cause of the disruption remains unknown, it’s clear that yanking Egypt’s Internet addresses was a conscious decision, not a fiber cut or a natural disaster. That means Egypt will be conducting a high-profile experiment in what happens when a country with a $500 billion GDP, one that’s home to the pyramids and the Suez Canal, decides that Internet access should be restricted to a trickle. That trickle can be found at the Noor Group, which appears to be the only Internet provider in Egypt that’s fully functioning. (Cairo-based bloggers are speculating that its unique status grows out of its client list, which includes western firms including ExxonMobil, Toyota, Hyatt, Nestle, Fedex, Coca-Cola, and Pfizer.) An analysis posted by network analyst Andree Toonk, who runs a Web site devoted to monitoring networks, shows that yesterday there were 2,903 Egyptian networks publicly accessible via the Internet. Today, there are only 327 networks. Noor is “the only provider that doesn’t seem to be impacted by this,” Toonk wrote.

The Internet disruptions coincided with activist action. Anonymous, the group that launched distributed denial-of-service attacks on Web sites of financial institutions and others opposing WikiLeaks last year, released a video online in which it threatened to launch DoS attacks on Egyptian government Web sites if the authorities did not curtail censorship efforts. Earlier today, five people were arrested in the U.K. in connection with those attacks.

News: http://www.shmoocon.org/news-streaming_video
Can’t make it to Shmoocon? Tired of getting snowed in when heading to DC? Watch the videos on the live stream!

News: http://www.wired.com/threatlevel/2011/01/sms-suicide-bomber/
An unexpected and unwanted text message from a wireless company prematurely exploded a would-be suicide bomber’s vest bomb in Russia New Year’s Eve, inadvertently thwarting a planned attack on revelers in Moscow, according to The Daily Telegraph. The would-be suicide bomber was planning to detonate a suicide belt bomb near Red Square, a plan that was foiled when her wireless carrier sent her an SMS while she was still at a safe house, setting off the bomb and killing her. The message reportedly wished her a Happy New Years, according to the report, which sourced the info from security forces in Russia. Cell phones are often used as makeshift detonators by terrorist and insurgent groups. If true, the SMS might be the only time that a wireless carrier’s SMS message has ever been useful. The authorities suspect the female bomber was part of the same Jihadist group that is suspected of hitting Moscow’s airport on Monday with a suicide bomb attack that killed 35.

News:  http://www.infosecurity-magazine.com/view/15427/facebook-ramps-up-security-to-beat-tunisian-government-hacking
Facebook has quietly ramped up security on Tunisian-based accounts on its social networking sites, forcing users, whether verified or not, to use its CAPTCHA security interface. Although most Facebook users rarely get to see a CAPTCHA security screen once their account details have been verified, usually by adding a mobile phone number to their account, Infosecurity notes that casual users of the service can often see a CAPTCHA challenge screen if the system detects users carrying out unusual or repetitive actions. According to security forum reports, it seems that Facebook has triggered CAPTCHA screens for all actions on Tunisian accounts, in order to help prevent the government there from annexing accounts it has reportedly hijacked. Reporting on this interesting turn of events, Softpedia says that, after YouTube and other video-sharing sites were blocked by the Tunisian internet agency – which controls the country’s externally facing connections – activists moved to Facebook. The social networking site, says Lucian Constantin of the IT security wire, “quickly became the primary place for sharing videos of the protests, posting calls to action and relaying the latest news from the streets.” But the Tunisian government, he says, launched a massive Facebook hijacking exercise. “People were systematically redirected to phishing sites, HTTPS connections were blocked, and password stealing code was injected into the login pages of major websites”, he said. Then, he added, after Tunisian bloggers began being arrested, the Electronic Frontier Foundation requested that Facebook, Google and Yahoo should help to keep Tunisian accounts secure.
Softpedia quotes Joe Sullivan, Facebook’s CSO, as saying: “In this case, we were confronted by ISPs that were doing something unprecedented in that they were being very active in their attempts to intercept user information.” To counter the problem, Facebook’s security team then started rerouting all requests from Tunisian IP addresses to the HTTPS version of the site, forcing users to use encrypted connections. “In addition, all Tunisian users were asked to verify their account when logging back in after a known attack. The process involved solving so-called social CAPTCHAs, where people have to identify their friends in photographs,” noted Constantin.

News: http://www.cnsnews.com/news/article/next-leak-secret-documents-could-involve
WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next. Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. And there is nothing about WikiLeaks’ release of U.S. diplomatic documents to suggest that the group can’t — or won’t — use the same methods to reveal the secrets of powerful corporations. And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there’s new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider. At risk are companies’ innermost secrets — e-mails, documents, databases and internal websites that are thought locked to the outside world. Companies create records of every decision they make, whether it’s rolling out new products, pursuing acquisitions, fighting legislation, foiling rivals or allowing executives to sell stock. Although it’s easy technologically to limit who in a company sees specific types of information, many companies leave access far too open. And despite the best of intentions, mistakes happen and settings can become inadvertently broad, especially as networks grow more complex with reorganizations and acquisitions. And even when security technology is doing its job, it’s a poor match if someone with legitimate access decides to go rogue.
With the right access, a cheap thumb drive and a vendetta are the only ingredients an insider needs to obtain and leak secrets. By contrast, outside attackers often have to compromise personal computers at the bottom of the food chain, then use their skills and guile in hopes of working their way up. Employees go rogue all the time — for ego, to expose hypocrisy, to exact revenge or simply for greed. A former analyst with mortgage lender Countrywide Financial Corp., now owned by Bank of America, is awaiting trial on charges he downloaded data on potentially 2 million customers over two years, charging $500 for each batch of 20,000 profiles. Prosecutors say the analyst worked secretly on Sundays, using an unsecured Countrywide computer that allowed downloads to personal thumb drives. Other home loan companies bought the customer profiles, including Social Security numbers, for new sales leads, according to authorities. Also, an employee with Certegy Check Services Inc., a check authorization service, was accused of stealing information on more than 8 million people and selling it to telemarketers for a haul of $580,000. The worker was sentenced in 2008 to nearly five years in prison. Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with the Mandiant Corp., an Alexandria, Va.-based security firm that investigates computer intrusions. WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy. Julian Assange, WikiLeaks’ founder, told Forbes magazine that the number of leaks his site gets has been increasing “exponentially” as the site has gotten more publicity. He said it sometimes numbers in the thousands per day.
Assange told Forbes that half the unpublished material his organization has is about the private sector, including a “megaleak” involving a bank. He would not name the bank, but he said last year in an interview with Computerworld that he has several gigabytes of data from a Bank of America executive’s hard drive. Assange also told Forbes that Wikileaks has “lots” of information on BP PLC, the London-based oil company under fire for the massive Gulf of Mexico oil spill. Assange said his organization is trying to figure out if its information on BP is unique. WikiLeaks previously published confidential documents from the Swiss bank Julius Baer and the Kaupthing Bank in Iceland. The site also published an operation manual for the U.S. prison in Guantanamo Bay, Cuba. WikiLeaks’ most recent leaks exposed frank and sometimes embarrassing communications from diplomats and world leaders. They included inflammatory assessments of their counterparts and international hot spots such as Iran and North Korea. The prime suspect in the diplomatic leaks, Army Pfc. Bradley Manning, is being held in a maximum-security military brig at Quantico, Va., charged in connection with an earlier WikiLeaks release: video of a 2007 U.S. Apache helicopter attack in Baghdad that killed a Reuters news photographer and his driver.

News: http://edition.cnn.com/2011/US/01/27/siu.fbi.internal.documents/index.html?hpt=C1

An FBI employee shared confidential information with his girlfriend, who was a news reporter, then later threatened to release a sex tape the two had made. A supervisor watched pornographic videos in his office during work hours while “satisfying himself.” And an employee in a “leadership position” misused a government database to check on two friends who were exotic dancers and allowed them into an FBI office after hours. These are among confidential summaries of FBI disciplinary reports obtained by CNN, which describe misconduct by agency supervisors, agents and other employees over the last three years. The reports, compiled by the FBI’s Office of Professional Responsibility, are e-mailed quarterly to FBI employees, but are not released to the public. And despite the bureau’s very strict screening procedure for all prospective employees, the FBI confirms that about 325 to 350 employees a year receive some kind of discipline, ranging from a reprimand to suspension. About 30 employees each year are fired. “We do have a no-tolerance policy,” FBI Assistant Director Candice Will told CNN. “We don’t tolerate our employees engaging in misconduct. We expect them to behave pursuant to the standards of conduct imposed on all FBI employees.” However, she said, “It doesn’t mean that we fire everybody. You know, our employees are human, as we all are. We all make mistakes. So, our discipline is intended to reflect that. We understand that employees can make mistakes, will make mistakes. When appropriate, we will decide to remove an employee. When we believe that an employee can be rehabilitated and should be given a second chance, we do that.” Will, who oversees the bureau’s Office of Professional Responsibility, said most of the FBI’s 34,300 employees, which include 13,700 agents, follow the rules.

News: http://www.reddit.com/r/WTF/comments/f96w7/amazon_security_flaw_wtf/

For the sake of argument, assume my password to my amazon account is ‘redditre’. Why can I login with variations of this password? Any combo of numbers on the end, both upper and lower case work, etc. I just had an impossible conversation with someone at Amazon who just couldn’t understand what I was trying to explain. If I try something like ‘1redditre’ it fails so it’s not accepting every password in case someone was wondering.

update: it appears I can tag anything on the end of the password and it works, not just numbers

update2: multiple browsers on multiple computers and I can recreate issue (simply to prove it wasn’t some strange caching occurring)

Edit from hamsterdave: Changing my password eliminates this bug. They are handling old passwords in a different manner than new passwords. That’s still a serious issue, but explains why it isn’t working for everyone.

update3: for a more realistic example for the circumstance, let’s say my password is either ‘redditre’ or ‘redditre1’ .. haven’t updated screenshot with pw examples but you get the drift

update4: just to clarify for some, I can login with both ‘redditre’ and ‘REDDITRE’… and for that matter, ‘ReDdITrE’

update5: changing the password clears this problem. i’m leaving mine as is so I can recreate this until I hear from someone at Amazon. This way they don’t just assume the problem is fixed since my account login works as expected.

It appears that for passwords older than a certain age, (indeterminate at this time) flawed hashing is used. If your password is > 8 characters you may be able to add garbage from the 8th character forward.

For example: Password = newpassword login using newpasswo11 might work

What this means is that all passwords older than X are effectively only 8 characters.

It has also been pointed out that case does not seem to matter. If this flaw affects your password you can use NEWpasswo11, NewPassWo11, NEWPASSWO11, nEWpASSwO11, etc.

What we don’t know: How old does your account have to be for this flaw to be present? ridethewave says his account is ~10 years old, hamsterdave says ~3 years for his, no other solid data available.

Likely fix: change your password. For at least one person this worked prior to changing their password, and did not work after a password change. This lends credence to ajf’s theory that it is a legacy holdover from some time in the past when they were using a weaker hashing algorithm.

The most likely technical explanation of this is that Amazon used to hash their passwords with the following function:

old_unix_crypt( toUpperCase (password) )

The man page of crypt states clearly that it truncates the input to 8 characters. (It also truncates each character to 7 bits, but the consequences of that are less obvious.)

How should Amazon have solved this without user interruption? (Assuming it doesn’t store the cleartext passwords)
  • implement a better hash function that takes into account every bit of the full input (that it has done)
  • on the first successful login of a user with the old hash function, rehash with the stronger function and update the database (this it hasn’t done)
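The two-step migration described above, as an added illustration that is neither Amazon’s code nor the thread’s: the legacy scheme is a constructed stand-in for old_unix_crypt(toUpperCase(password)) (uppercase, keep 8 characters, then hash), the modern scheme is PBKDF2, and login() rehashes a legacy record on the first successful verification. The user record and passwords are constructed.

```python
import hashlib
import hmac
import os

LEGACY = "legacy"   # constructed stand-in for old_unix_crypt(toUpperCase(password))
MODERN = "pbkdf2"   # a hash that uses every bit of the full input


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Reproduces the two flaws from the thread: case is folded and only the
    # first 8 characters are hashed. (crypt(3) also keeps 7 bits per character;
    # that detail is left out.) SHA-256 here is only a stand-in for old crypt.
    material = password.upper()[:8].encode("utf-8")
    return hashlib.sha256(salt + material).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Every byte of the full password contributes, and the cost is tunable.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_record(scheme: str, password: str) -> dict:
    salt = os.urandom(16)
    fn = legacy_hash if scheme == LEGACY else modern_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify(record: dict, password: str) -> bool:
    fn = legacy_hash if record["scheme"] == LEGACY else modern_hash
    return hmac.compare_digest(fn(password, record["salt"]), record["hash"])


def login(db: dict, username: str, password: str) -> bool:
    """Verify the password; on success, upgrade a legacy record in place.

    The successful login is the one moment the cleartext is available, so this
    is where the rehash has to happen if users are not to be interrupted.
    Caveat: the record is rehashed with exactly the string the user typed, so a
    legacy user who logs in with a garbage-suffixed variant keeps that variant.
    """
    record = db.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == LEGACY:
        db[username] = new_record(MODERN, password)
    return True


def walkthrough() -> dict:
    """The thread's scenario end to end; returns the observations."""
    db = {"alice": new_record(LEGACY, "newpassword")}  # an old account
    before = {
        "garbage_suffix": verify(db["alice"], "newpasswo11"),  # accepted: flaw
        "case_folded": verify(db["alice"], "NEWPASSWO11"),     # accepted: flaw
        "wrong": verify(db["alice"], "oldpassword"),           # rejected
    }
    upgraded = login(db, "alice", "newpassword")  # first real login rehashes
    after = {
        "scheme": db["alice"]["scheme"],
        "garbage_suffix": verify(db["alice"], "newpasswo11"),  # now rejected
        "case_folded": verify(db["alice"], "NEWPASSWO11"),     # now rejected
        "correct": verify(db["alice"], "newpassword"),         # still accepted
    }
    return {"before": before, "upgraded": upgraded, "after": after}


if __name__ == "__main__":
    print(walkthrough())
```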

Episode 310 – Anon Arrest, HII, EMI, ACH Fraud, Low-Profile Trojan, Top Attack Streams & OTP


ISDPodcast Episode 310 for January 27, 2011.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.

Announcements:

Dublin Hackerspace – 2yr Anniversary
This Saturday from 19:00 till $Late…. 
http://www.tog.ie

@BSidesSF

When: Monday-Tuesday, February 14-15, 2011

Where:   Zeum, 221 Fourth Street, San Francisco

Registrations are closed!

http://www.securitybsides.com/w/page/30975276/BSidesSanFrancisco

Appalachian Institute of Digital Evidence (AIDE)

When: February 17 – 18, 2011
Where:  Marshall University Forensic Science Center, Huntington, WV

http://aide.marshall.edu/default.htm

SANS Community

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam

When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11,2011
Where: Washington, DC

Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
CFP is currently open!

@THOTCON

When:  Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org

@BSidesLondon  (SOLD OUT!)
CFP - http://www.securitybsides.com/w/page/34704039/BSidesLondon-Talks

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:
News: http://www.theregister.co.uk/2011/01/27/anon_hacking_suspects_uk_arrest
https://www.infosecisland.com/blogview/11407-Anonymous-Calls-UK-Arrests-a-Declaration-of-War.html
Scotland Yard has arrested five people under the Computer Misuse Act as part of its investigation into alleged attacks by the Anonymous hacking collective.
The five males – aged, 15, 16, 19, 20 and 26 – were arrested in a series of co-ordinated raids on Thursday morning by detectives from Scotland Yard’s Police Central e-Crime Unit (PCeU).
The raids took place in the West Midlands, Northants, Herts, Surrey and London as part of an ongoing investigation into Anonymous. All five unnamed suspects were taken to local police stations for questioning.
“The arrests are in relation to recent and ongoing ‘distributed denial of service’ attacks (DDoS) by an online group calling themselves ‘Anonymous’,” a brief statement by the PCeU explains.
The loose-knit Anonymous collective has invited volunteers to download its LOIC denial of service tool in order to swamp targeted sites with junk traffic. The use of the tool took off with attacks against the entertainment industry and organisations, such as controversial solicitors ACS:Law. Much the same approach was applied against financial service organisations, such as Mastercard and PayPal, which suspended accounts maintained by WikiLeaks.
The LOIC does a poor job of preserving users’ anonymity, hence the risk for anyone using it that they may come to the attention of local law enforcement agencies.
News:  http://www.infosecurity-us.com/view/15382/hackers-sell-access-to-military-and-government-websites/
Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva’s Hacker Intelligence Initiative (HII). The firm’s HII – hacker intelligence initiative – has unearthed evidence that dozens of sites are up for sale, including defense and state sites in the US and Europe.

According to a team led by Noa Bar Yosef, Imperva’s senior security strategist, high-profile sites such as the official Italian government website (http://itcgcesaro.gov.it), the Department of Defense Pharmacoeconomic center (http://pec.ha.osd.mil/) and even the US Army Communications-Electronics Command (CECOM) (http://cecom.army.mil) are available.

In a security blog posting, Rob Rachwald of Imperva says that the hacker has put up a range of sites for anything between $55 and $499.

Imperva’s research team also claims to have discovered that the hacker was also offering personal information from the hacked websites. “The hacker is also selling personally identifiable information from hacked sites, for $20 per 1K records”, says the blog, citing an example of “a list of UConn staff”.

Imperva’s post is complete with screenshots, which the hacker claims as a proof of access.

According to Rachwald, the victim sites’ vulnerabilities were probably obtained by an SQL injection vulnerability automatic scanner and exploited in an automated manner, as the hacker published his methods in a post in a hacker forum. “In the screen shot we can see IRC chat between the SQLi “master” = @evil, which issues the scanning commands and the exploiting “x0owner” which performs the commands”, says the Imperva blog. “In this specific case @evil issues command for to x0wner to obtain DB tables names (!tbls) from vulnerable link (www.site.gr/athlete.php?id=…) x0wner reports its findings – the tables ‘activities’,'admin’,” the blog notes.

Security researcher Brian Krebs picked up Imperva’s research over the weekend, detailing a lot of the site information that Rachwald chose to block out in his blog.

In his security blog, Krebs said that he finds it ironic that one of these sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, which is a DoD site tasked with ‘improving the clinical, economic, and humanistic outcomes of drug therapy in support of the military health system’. “In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk e-mail”, said Krebs. “People who get paid to promote these rogue pharmacies typically do so by hacking legitimate websites and including links back to fly-by-night pharma sites, and they particularly like dot-mil, dot-gov and dot-edu sites because search engines tend to treat links coming from those domains with more authority than random .com sites”, he added.

Krebs also noted that the ‘Undetected Private Java Driveby Exploit’ that the hacker is selling is “none other than the social engineering trick I blogged about last week.”

News: http://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-trial/
A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.
The case is being closely watched by a number of small to mid-sized organizations that have lost millions to cyber thieves and have been waiting for some sign that courts might be willing to force banks to assume at least some of those losses.
Nearly two years ago, cyber crooks stole more than $560,000 from Sterling Heights, Mich. based Experi-Metal Inc. (EMI), sending the money to co-conspirators in a half-dozen countries.
On Jan. 22, 2009, EMI controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message claimed the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that looked like Comerica’s online banking site. Maslowski says the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI’s digital certificates. Trouble was, the year before, Comerica had switched from using digital certificates to requiring commercial customers to enter the one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied.
Almost immediately, the crooks who stole those credentials began wiring money out of EMI’s account. Between 7:30 a.m. and 10:50 a.m. that day, the attackers initiated 47 wire transfers — to China, Estonia, Finland, Russia and Scotland.
Both EMI and Comerica agree on the above version of events, but have very different versions of what happened before and directly after the theft. The two parties met on Tuesday for a pretrial conference, and presented their respective briefs to the court. Comerica’s is here, and Experi-Metal’s is available at this link.
EMI claims Comerica inquired about the transfers at 10:50 a.m., and that EMI asked the banks not to honor any requested wire transfers until future notice. But over the next three hours, thieves would initiate another 38 wires from EMI’s account. EMI also noted that, prior to this burst of fraudulent wires, the company had requested a total of two wire transfers in as many years.
For its part, Comerica said Experi-Metal is not entitled to relief because it cannot prove that Comerica’s actions caused its claimed damages. “The unfortunate events of January 22, 2009 happened because Mr. Maslowski failed to safeguard Experi-Metal’s security information, in breach of Experi-Metal’s contract with Comerica,” Comerica said in its pre-trial brief. “And those losses would not have occurred had Experi-Metal accepted Comerica’s recommendation that Experi-Metal require a different user to approve all wires after one user initiated them.”
Many of the facts to be litigated center around whether Maslowski was authorized to initiate electronic transfers, and did Comerica employees fail to take action with respect to the suspected fraud on a timely basis under industry and commercial standards? Also in question is what portion of Experi-Metal’s claimed losses occurred before Comerica knew of and had a reasonable amount of time to react to the fraudulent wires?

News: http://www.computerworld.com/s/article/9205562/Hackers_steal_150_000_with_malicious_job_application
The U.S. Federal Bureau of Investigation issued a warning about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud.
With ACH fraud, criminals install malicious software on a small business’ computer and use it to log into the company’s online bank account. They set up bogus fund transfers, adding fake employees or payees, and then move the money offshore.
Scammers can move hundreds of thousands of dollars in a matter of hours using this technique. They often target small businesses that use regional banks or credit unions, which often don’t have the resources to identify and block the fraudulent transfers.
In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications.
An unnamed U.S. company recently lost $150,000 in this way, according to the FBI’s Internet Crime Complaint Center. “The malware was embedded in an e-mail response to a job posting the business placed on an employment website,” the FBI said in a press release. The malware, a variant of the Bredolab Trojan, “allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.”
This scam has been around at least six months, according to security vendor SonicWall, which reported the Trojan last July.
The typo-filled Trojan that SonicWall spotted looked like a Word document and read: “Hello! I have figured out that you have an available job. I am quiet intrested in it. So I send you my resume, Looking forward to your reply. Thank you.”
In the case reported by the FBI, the Trojan was used to transfer money to Ukraine and two other U.S. bank accounts.
“The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees,” the FBI said.
There are a few things consumers and small businesses can do if they’re unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google’s Gmail to see if it appears legitimate.
News: http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data
Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software.

The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study.

Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said.

The study was done by Roman Schlegel of City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang of Indiana University in Bloomington, Indiana.

“We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data,” they wrote. “Our study shows that an individual’s credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real.”

News: http://www.infosecurity-magazine.com/view/15433/us-comes-in-on-top-in-attack-ip-data-streams-says-report/
The latest quarterly internet report from Akamai Technologies claims to show that the Netherlands has achieved the world’s highest percentage of connections in the 5–10 Mbps speed range.

On top of this, says the internet caching specialist, during the third quarter of 2010, over 533 million unique IP addresses, from 235 countries/regions, connected to its network – 20% more than in the same quarter a year ago.

The Top 10 regions/countries – which account for around 70% of the globally observed IP addresses – again demonstrated strong yearly growth. Spain (ranked #10) achieved 15% year-on-year growth, followed by the UK (ranked #6) up 12%. Germany (ranked #4) saw 5.9% growth, whilst France (ranked #5) was up 9.9% year-on-year.

Overall, the Q3 2010 state of the internet report claims that average connection speeds in Europe continued to increase and strong double-digit percentage changes were seen in the year-on-year figures for Romania (12%), Netherlands (14%), and Latvia (27%). Of the six European countries ranked in the Top 10 regions/countries, Akamai says that Romania once again led the way with an average connection speed of 7.0 Mbps, followed by the Netherlands (6.3 Mbps), Latvia (6.0 Mbps), Czech Republic (5.4 Mbps), Switzerland (5.3 Mbps), and Denmark (5.0 Mbps).

Analysis of attacking IP traffic monitored by the firm’s servers reveals that the US was the top source of observed attack traffic, followed by Russia. Together, says the report, these two countries accounted for just over 20% of observed attack traffic. “However, the aggregated continental figures reveal Europe was again responsible for the highest percentage (35%) of observed attacks in the third quarter (down from 39% in the second quarter)”, noted the study.

With regard to attack traffic from mobile providers, Akamai says that Italy remained in the top spot (28%) while the UK saw the largest quarterly increase (nearly 80%) in observed traffic from known mobile network providers.

News: http://www.infosecurity-magazine.com/view/15428/verisign-report-says-authentication-being-tapped-to-drive-the-open-enterprise/
Research commissioned by Symantec’s VeriSign operation claims to show that organisations are opening up their networks and making information more available, in order to meet the needs of users looking for business agility. But, says the report, analysis for which was carried out by Forrester Research, this trend is creating unwanted and often unforeseen consequences.

The aim of the report was to evaluate how enterprises are evolving their authentication and security practices in response to changing business and IT needs, such as the adoption of cloud and software-as-a-service (SaaS) technologies. Tapping more than 300 surveys with enterprise IT professionals, researchers found that organisations are still grappling with how to adapt to more open environments from a security policy and controls standpoint. However, says the report, plans for adopting additional identity and security solutions point to an aggressive program to support these business initiatives.

Delving into the study reveals that enterprises have deployed strong authentication selectively because of the low user acceptance it engenders due to the problems caused to users’ productivity, the high per-user costs of acquiring strong authentication credentials, and a management overhead that also contributes to total cost of ownership.

The report notes that new methods for strong authentication, meanwhile, are stimulating the expansion of the use cases and user base for strong authentication. “Mobile authentication – either through a smartphone-based application or a one-time password (OTP) sent over SMS – is one such approach”, says the report. The report adds that risk-based authentication – such as behaviour profiling – is another way to provide greater identity assurance in a form of strong authentication that is more user-friendly and cost-effective than traditional tokens or smart cards.

Use of these forms of strong authentication, says the VeriSign study, has been steadily climbing. They were, notes the report, traditionally most attractive for business-to-consumer environments, but their simplicity in both implementation and use – there being no hardware for IT to provision or for users to lose – has expanded their appeal to business-to-business and even business-to-employee cases, including network login as well as remote access.

Episode 309 – CSRF, CyberSecurity, Facebook SSL, Olympics, Spy Computer, Morphed Porn & Carberp


ISDPodcast Episode 309 for January 26, 2011.  Tonight’s podcast is hosted by  Rick Hayes, Keith Pachulski, Karthik Rangarajan and Varun Sharma.

Announcements:

Dublin Hackerspace – 2yr Anniversary
This Saturday from 19:00 till $Late….
http://www.tog.ie

@BSidesSF

When: Monday-Tuesday, February 14-15, 2011

Where:   Zeum, 221 Fourth Street, San Francisco

RSVP:  http://bsidessf.eventbrite.com

http://www.securitybsides.com/w/page/30975276/BSidesSanFrancisco

Appalachian Institute of Digital Evidence (AIDE)

When: February 17 – 18, 2011
Where:  Marshall University Forensic Science Center, Huntington, WV

http://aide.marshall.edu/default.htm

SANS Community

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam

When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11,2011
Where: Washington, DC

Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
CFP is currently open!

@THOTCON

When:  Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org

@BSidesLondon  (SOLD OUT!)
CFP – http://www.securitybsides.com/w/page/34704039/BSidesLondon-Talks

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:
News: https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
(Careful when you click the link: the site has code to check whether you’re logged in to Gmail, Facebook, Twitter, etc)

“When you visit my website, I can automatically and silently determine if you’re logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you’re logged into GMail, but would you care if I could tell you’re logged into one or more porn or warez sites? Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?

Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with “@gmail.com”… Perhaps you might want to make your Facebook “like” buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here’s how I achieve this: First of all, how do I check if you are logged into Gmail? Really, really, easily… I generated a hidden image in my HTML similar to this:

<img style="display:none;" onerror="not_logged_in_to_gmail()" src="https://mail.google.com/mail/photos/static/AD34hIhNx1pdsCxEpo6LavSR8dYSmSi0KTM1pGxAjRio47pofmE9RH7bxPwelO8tlvpX3sbYkNfXT7HDAZJM_uf5qU2cvDJzlAWxu7-jaBPbDXAjVL8YGpI" />

I generated the URL in the “src” attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the “My Picture” section. I then ticked the “Visible to everyone” checkbox, and right clicked the uploaded image to get the image location. Fetching the content at that URL does two different things depending on whether or not you’re logged into GMail. If you are logged into GMail, it returns an image. If you’re not logged into GMail, it redirects to a HTML page. This is why the img tag in my example above works. “onload” is triggered if an image is returned, but “onerror” is triggered otherwise.

I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as “expected behaviour” and ignored it.

At this point, you might be wondering why I have “Status Codes” in the title; the method I use for attacking Facebook, Twitter and Digg is slightly different and works because various URLs provide different HTTP status codes depending on your logged in status. Unfortunately, this attack doesn’t seem to work in Internet Explorer or Opera, but does work in Firefox, Chrome and Safari.

If you have JavaScript disabled on twitter.com and facebook.com, the above tests won’t work. Here is how they work when you have JavaScript enabled:

<script src="https://twitter.com/account/use_phx?setting=false&amp;format=text" async="async"></script>

<script type="text/javascript" src="https://www.facebook.com/imike3" onload="logged_in_to_facebook()" async="async"></script>

In Firefox, Safari and Chrome, the <script/> tags fire onload if a 200 HTTP status code is returned, even if there was no valid JavaScript and the Content-Type was text/html. But if the status code was one of 404, 403, 406 or 500, then onerror is triggered instead. In the above examples, the Twitter URL returns an error code if you’re logged in, but redirects to the login form with a success status code if you’re not logged in. The Facebook one works because my profile is only visible to people who are logged in and returns a 404 if you’re not. There is a similar problem with Digg. http://digg.com/settings returns a 403 status code if you’re not logged in, but a 200 if you are.”
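A server-side counterpart to the quoted technique, added here and not part of the post: a leaky endpoint that mirrors the status-code difference described for digg.com/settings, beside a hardened one that answers with the same status either way, plus a session cookie carrying the SameSite attribute (a browser feature that postdates the post) so cross-site subresource loads send no session at all. The session store, cookie values and the probe harness are constructed.

```python
from http.cookies import SimpleCookie

# Constructed session store: cookie value -> username (not a real site's data).
SESSIONS = {"sess-abc123": "alice"}


def current_user(environ: dict):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel is not None else None


def leaky_settings_app(environ, start_response):
    # Mirrors the digg.com/settings behaviour quoted above: 403 logged out,
    # 200 logged in. A cross-origin <script src=...> tag sees only the status,
    # and onload versus onerror is enough to tell the two apart.
    if current_user(environ) is None:
        start_response("403 Forbidden", [("Content-Type", "text/html")])
        return [b"<h1>Please log in</h1>"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Your settings</h1>"]


def hardened_settings_app(environ, start_response):
    # Same status and content type whichever way the session check goes; only
    # the body differs, and a cross-origin <script>/<img> cannot read the body.
    user = current_user(environ)
    body = b"<h1>Your settings</h1>" if user else b"<h1>Please log in</h1>"
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def session_cookie_header(token: str) -> tuple:
    # SameSite=Lax (a later browser feature, not in the 2011 post): the browser
    # omits the cookie on cross-site <img>/<script> loads, so such a probe is
    # always answered as logged-out no matter how the endpoint is written.
    return ("Set-Cookie", f"session={token}; Secure; HttpOnly; SameSite=Lax")


def probe(app, cookie_header: str) -> str:
    """What a cross-site tag learns: the status line only, never the body."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/settings",
               "HTTP_COOKIE": cookie_header}
    for _ in app(environ, start_response):  # consume the body as a server would
        pass
    return seen["status"]


def compare() -> dict:
    """Run the probe with and without a valid session against both apps."""
    logged_in, logged_out = "session=sess-abc123", ""
    return {
        "leaky": (probe(leaky_settings_app, logged_in),
                  probe(leaky_settings_app, logged_out)),
        "hardened": (probe(hardened_settings_app, logged_in),
                     probe(hardened_settings_app, logged_out)),
    }


if __name__ == "__main__":
    print(compare())
```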

News: http://gcn.com/articles/2011/01/20/cybersecurity-reports-new-methods.aspx
On the surface, it appears that progress is being made in the struggle for cybersecurity. Several large spammers have been shut down, the number of vulnerabilities reported to the National Vulnerability Database was down in 2010, and an international investigation broke up an online criminal ring that had stolen millions of dollars.

“It was a watershed year,” said Cisco research fellow Patrick Peterson. “The tide began to turn in 2010.”

Seeds of international cooperation planted as long ago as 2005 are beginning to bear fruit, as are efforts to improve the quality of commercial software development.

But several assessments of the IT security landscape show that criminals are adapting by becoming more professional and more selective.

News: http://news.cnet.com/8301-27080_3-20029670-245.html
https://blog.facebook.com/blog.php?post=486790652130
Facebook announced that it is now offering users the ability to use encryption to protect their accounts from being compromised when they are interacting with the site, something security experts have been seeking for a while. The site currently uses HTTPS (Hypertext Transfer Protocol Secure) when users log in with their passwords, but now everything a user does on the site will be encrypted if he turns the feature on, the company said in a blog post. Enabling full-session HTTPS eliminates the ability for attackers to use tools like the Firefox plug-in called Firesheep to snoop on communications between a person’s computer and the site’s server. “Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools,” the post says. “The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page.” Using HTTPS may mean that some pages will take a little bit longer to load, and some third-party applications aren’t currently supported, the company said. The option is rolling out over the next few weeks. “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future,” the post says.

News: http://www.guardian.co.uk/uk/2011/jan/19/london-2012-olympics-cyber-attack
London Olympics organisers today warned of the increased danger of cyber attacks that could fatally undermine the technical network that supports everything from recording world records to relaying results to commentators.

The London Organising Committee of the Olympic Games (Locog) said it was “inevitable” that its systems would have to repel malicious attempts by hackers to bring them down.

Unveiling a new lab that will run simulations of millions of scenarios at venues with 200,000 hours of testing ahead of 2012, Locog chief information officer Gerry Pennell said the threat had increased since the 2008 Beijing Olympics.

“It’s clear that cyber security is rising up the agenda in this country and others. We’re taking it very seriously. It consumes a significant proportion of my time,” he said.

Patrick Adiba, the chief executive of Locog’s IT partner Atos Origin Iberia, said that during the Beijing Olympics there were 14m “events” a day, about 400 of which were “relevant events that could have been an issue that may have impacted on the Games”. All of them were blocked, he said.

News: http://www.grapevine.is/News/ReadArticle/Mysterious-Spy-Computer-In-Parliament-Works-Differently-Than-Being-Reported-Tech-Expert-Says
An unmarked computer found in a spare room of parliament, and connected directly to parliament’s internet system, was most certainly planted there, a computer expert told the Grapevine. However, he says, the media has a few misconceptions about the matter.

The computer in question was found in a spare room shared by the Independence Party and The Movement last February. It was apparently connected directly to parliament’s internet system.

The computer was disconnected and taken to the police. Any identifying serial numbers had been erased from the machine, nor were any fingerprints found, and its origins have not yet been traced. The police believed that the matter was the work of professionals.

Morgunblaðið and other media outlets have reported that the computer was set up in such a way that disconnecting it would erase any files on the hard drive. But a computer expert The Grapevine spoke to said that this is highly unlikely.

News: http://www.wired.com/threatlevel/2011/01/morphed-child-porn/

Keith: The demise of digital photographs as demonstrative evidence through douche-baggery

[Karthik: This part is hilarious - “[N]o constitutional principle … allows a criminal defendant to defend one criminal charge by urging his lawyer or witness to commit another,” wrote the three-judge panel, in a unanimous ruling Wednesday. “Otherwise, an individual on trial for a murder-by-stabbing charge could try to prove that the knife was not long enough to kill someone by using it to stab someone else in the middle of the trial.”]

An Ohio lawyer who serves as an expert witness in child pornography cases might be on the hook for hundreds of thousands of dollars in civil damages for Photoshopping courtroom exhibits of children having sex.

Attorney Dean Boland purchased innocent pictures of four juvenile girls from a Canadian stock-image website, and then digitally modified them to make it appear as if the children were engaged in sexual conduct. Boland was an expert witness for the defense in half-a-dozen child porn cases, and he made the mock-ups to punctuate his argument that child pornography laws are unconstitutionally overbroad because they could be applied to faked photos.

The parents learned of the photo morphing from the FBI, according to the girls’ attorney. They’re suing over Boland transforming a picture of a 5-year-old girl eating a doughnut into one of her having oral sex. Another photo was of a 6-year-old girl’s face placed on the body of an adult woman having sex with two men. Boland purchased the pictures from iStockPhoto, according to court records.

“Their faces have been abused and misappropriated in the most disgusting manner,” Rosenbaum said. “How would you like this to happen to your children?”
News:  http://www.pcworld.com/businesscenter/article/217507/carberp_banking_malware_upgrades_itself.html
A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims’ PCs, according to the vendor Seculert.

Carberp, which targets computers running Microsoft’s Windows OS, was discovered last October by several security companies and noted for its ability to steal a range of data as well as disguise itself as legitimate Windows files and remove antivirus software. It has been billed as a rival to Zeus, another well-known piece of malware.

Carberp communicates with a command-and-control (C&C) server using encrypted HTTP Web traffic. Previous versions of Carberp encrypted that traffic using RC4 encryption but always used the same encryption key. Using the same key meant it was easier for intrusion protection systems to analyze traffic and pick out possible communication between the infected Carberp computers and the C&C servers, said Aviv Raff, CTO and co-founder of Seculert. Seculert runs a cloud-based service that alerts its customers to new malware, exploits and other cyberthreats.

A new version of Carberp is mixing it up, using a randomly different key when it makes an HTTP request, said Raff. When it uses the same key, there are some static patterns that can be detected. Even Zeus, which is begrudgingly respected for its high-quality engineering, uses the same key that is embedded in the malware. “Most network based security solutions are using traffic signatures to detect bots trying to connect to the C&C,” Raff said. “This new feature is used to evade this type of detection and make it hard and almost impossible to create such signatures.” Seculert has posted a writeup about Carberp.

Carberp has also expanded the scope of the victims it seeks to infect. The latest version targets users in Russian-speaking markets, Raff said. Previous versions targeted banks in the Netherlands and the U.S., he said.


Episode 308 – Attorney/Client Privilege, Verizon, SET, Leaks Everywhere & P2P


ISDPodcast Episode 308 for January 25, 2011.  Tonight’s podcast is hosted by  Rick Hayes, Varun Sharma, Karthik Rangarajan and Scott Moulton.

Announcements:

Appalachian Institute of Digital Evidence (AIDE)

When: February 17 – 18, 2011
Where:  Marshall University Forensic Science Center, Huntington, WV

http://aide.marshall.edu/default.htm

SANS Community

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam

When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC

Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
CFP is currently open!

@THOTCON

When:  Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org

@BSidesLondon  (SOLD OUT!)
CFP – http://www.securitybsides.com/w/page/34704039/BSidesLondon-Talks

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:
Tools: THC Hydra v6 Released – http://freeworld.thc.org/releases/hydra-6.0-src.tar.gz
v6 contains a lot of new code for IPv6; 5.9.x is kept and maintained until v6 is stable. It was tested to work on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX.

  • Added GPL exception clause to license to allow linking to OpenSSL – debian people need this
  • IPv6 support finally added. Note: sip and socks5 modules do not support IPv6 yet
  • Bugfix for SIP module, thanks to yori(at)counterhackchallenges(dot)com
  • Compile fixes for systems without OpenSSL or old OpenSSL installations
  • Eliminated compile time warnings
  • xhydra updates to support the new features
  • Added CRAM-MD5, DIGEST-MD5 auth mechanism to the smtp-auth module
  • Added LOGIN, PLAIN, CRAM-(MD5,SHA1,SHA256) and DIGEST-MD5 auth mechanisms to the imap and pop3 modules
  • Added APOP auth to POP3 module
  • Added NTLM and DIGEST-MD5 to http-auth module and DIGEST-MD5 to http-proxy module
  • Fixed VNC module for None and VLC auth
  • Fixes for LDAP module
  • Bugfix Telnet module linemode option negotiation using win7
  • Bugfix SSH module when max auth connection is reached
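Hydra’s modules exercise password authentication against network services, and the release notes above list SSH among them. The added example below is not part of the Hydra release or of THC’s code; it shows the check a defender runs over SSH authentication logs to spot the burst of failed logins a network login cracker produces against a host: failures per source address inside a sliding time window, plus the number of distinct user names tried, which separates a guess at one account from a sweep across many. The log lines, host name, addresses, user names, year and thresholds are constructed.

```python
"""Added example (not from the Hydra release or from THC): flag sources that
generate a burst of failed SSH logins, run over constructed auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines in OpenSSH's syslog format; hosts, users and
# addresses are made up. The first source fails six times in four seconds
# across three user names; the second is one typo followed by a success.
SAMPLE_LOG = """\
Jan 25 21:00:01 host sshd[4011]: Failed password for root from 198.51.100.7 port 50122 ssh2
Jan 25 21:00:02 host sshd[4012]: Failed password for root from 198.51.100.7 port 50123 ssh2
Jan 25 21:00:02 host sshd[4013]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Jan 25 21:00:03 host sshd[4014]: Failed password for invalid user admin from 198.51.100.7 port 50125 ssh2
Jan 25 21:00:04 host sshd[4015]: Failed password for invalid user oracle from 198.51.100.7 port 50126 ssh2
Jan 25 21:00:04 host sshd[4016]: Failed password for root from 198.51.100.7 port 50127 ssh2
Jan 25 21:05:30 host sshd[4020]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Jan 25 21:05:41 host sshd[4020]: Accepted password for alice from 203.0.113.9 port 40000 ssh2
"""

# sshd's "Failed password"/"Accepted password" lines; "invalid user" appears
# when the account does not exist, which is itself a useful signal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2011) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source) or None for unrelated lines.
    Syslog timestamps carry no year, so one is supplied (assumed 2011 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, Dict[str, int]]:
    """Alert on any source with >= threshold failures inside a sliding window.
    The alert carries the total failure count and distinct user names tried."""
    failures = defaultdict(list)   # src -> timestamps of failed attempts
    users = defaultdict(set)       # src -> user names attempted
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            failures[src].append(ts)
            users[src].add(user)

    alerts: Dict[str, Dict[str, int]] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": len(times),
                               "distinct_users": len(users[src])}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {info['failures']} failures, "
              f"{info['distinct_users']} user names tried")
```

The threshold and window are the knobs to tune per environment; a legitimate user rarely fails five times in a minute, while a cracker working a word list does so in seconds. The same parser feeds rate limiting or a block list, and the “invalid user” marker is worth counting separately, since guesses at accounts that do not exist are almost never benign.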

News: http://www.wired.com/threatlevel/2011/01/email-attorney-client-privilege/
E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled.
The 3-0 decision Thursday by the Sacramento Third Appellate District means that if you intend to sue your employer, don’t discuss the suit with an attorney using company e-mail. The company has a right to access it and use it against you in a court.
“… [T]he e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard,” the court wrote.
Case law on electronic privacy in the workplace is slowly evolving, and not always for the best.
The U.S. Supreme Court in July ruled that a police officer’s texts on department pagers were not private. But that ruling was based on grounds other than the Ontario Police Department’s policy that said text messages on work pagers were not private.
The New Jersey Supreme Court said e-mail messages on a personal web-based e-mail account accessed from an employer’s computer were private. But that decision was contingent on the fact that use of such an account was not clearly covered by the company’s policy, and the e-mails in question contained a standard warning that the communications were personal, confidential, attorney-client communications.
In this most recent California appeals case, a secretary claimed her small-business employer became hostile when it found out she was pregnant shortly after being hired in 2004.
The company, Petrovich Development of Sacramento, California, introduced the e-mail at trial “to show Holmes did not suffer severe emotional distress, was only frustrated and annoyed, and filed the action at the urging of her attorney,” the court noted. On appeal, Holmes claimed the lower courts erred in allowing the e-mail into the case, which the developer had won.
The appeals court said Gina Holmes’ e-mails to her lawyer were not confidential because her employer had a written policy that company e-mail was not private and subject to audit.
The court said Holmes “used her employer’s company e-mail account after being warned that it was to be used only for company business, that e-mails were not private, and that the company would randomly and periodically monitor its technology resources to ensure compliance with the policy.”
News: http://www.computerworld.com/s/article/9205663/Verizon_files_lawsuit_over_FCC_net_neutrality_order?taxonomyId=17
Broadband provider Verizon Communications has filed a lawsuit challenging the U.S. Federal Communications Commission’s authority to enforce net neutrality rules.
Verizon filed the lawsuit Thursday in Court of Appeals for the District of Columbia Circuit, the company said. The FCC voted Dec. 21 to prohibit broadband providers from selectively blocking or slowing Web content and applications.
Court challenges to the FCC’s vote were widely expected.
Verizon is committed to preserving an open Internet, but the lawsuit comes after a “careful review” of the FCC order, Michael Glover, Verizon’s senior vice president and deputy general counsel, said in a statement.
“We are deeply concerned by the FCC’s assertion of broad authority for sweeping new regulation of broadband networks and the Internet itself,” he added. “We believe this assertion of authority goes well beyond any authority provided by Congress, and creates uncertainty for the communications industry, innovators, investors and consumers.”
An FCC spokesman declined to comment on the Verizon lawsuit.
In addition to exceeding its statutory authority, the FCC acted in an arbitrary and capricious manner in approving the rules, Verizon’s lawyers wrote in their five-page court document filed Thursday. The FCC’s rules are also “contrary to constitutional right,” Verizon said.
Verizon also argued that its mobile spectrum licenses were unlawfully modified by the FCC in the net neutrality order, suggesting that the company will focus on the FCC’s modest net neutrality rules for mobile broadband carriers. The FCC’s rules put stronger net neutrality rules on wireline broadband service than on mobile service.
Backers of strong net neutrality rules said they weren’t surprised by the challenge.
“Verizon’s decision demonstrates that even the most weak and watered-down rules aren’t enough to appease giant phone companies,” said Aparna Sridhar, policy counsel at Free Press, a media reform group that has criticized the FCC’s actions as too weak. “It’s ironic that Verizon is unhappy with rules that were written to placate it, and it’s now clear that it will settle for nothing less than total deregulation and a toothless FCC in the relentless pursuit of profit.”
In the bulk of the document Verizon filed Thursday, the company argues that the D.C. Circuit court of appeals has exclusive jurisdiction over challenges to the net neutrality rules because the FCC modified its mobile licenses. In early 2010, that same court threw out an FCC attempt to enforce informal net neutrality principles in a case involving Comcast throttling peer-to-peer traffic.
That’s a “very bizarre theory” about jurisdiction, said Andrew Jay Schwartzman, senior vice president and policy director at the Media Access Project, a digital rights group supporting strong net neutrality rules.
“This is a blatant effort to locate their challenge in a favorable forum,” he said. “Under Verizon’s bizarre theory, all agency actions changing rules are modifications of hundreds of thousands of licenses.”
Tools: http://www.secmaniac.com/
The Social-Engineer Toolkit (SET) v1.2 “Shakawkaw”. This version of SET does not include any new attack vectors; however, it does incorporate two new exploits from Metasploit, has some bug fixes, and most importantly introduces a significant step in allowing individuals to build and automate additions onto the toolkit.

News: http://ligattleaks.wordpress.com
1. As of January 1, 2011 there will be no more medical or dental benefits for any employee who has been with LIGATT less than 2 years. If you are already getting benefit your benefits will be cut off January 1, 2001.
2. Any employee who is found opening the door for any employee with a door code between 8:45am and 9:20am will be fired.
3. Any employee who comes in the office 1 minute late more than 2 times in 1 week will be fired.
4. Any employee who does not meet their deadline or quota will be fired.
5. There will be no more pets allowed in the office beside LIGATT.
6. All pay checks will be handed out at 5:45pm on payday.
7. There will be know pay raises for at least the next 6 months.
8. All employees will work on Christmas Eve as well as New Years Eve.
9. There are no more vacation days for any employee who have been with LIGATT less than 2 years.

What you have before you is an internal memo from Greg Evans to all of his employees at Ligatt Security on the 9th of December 2010. As you can see, he is laying down the law in his own way and showing just how much trouble the company is in as opposed to the flush life he would like everyone outside to believe. I could go on, but the memo does speak for itself. As for provenance of the document, this was pushed to a pastebin back in Dec and with some checking, it seems to be legit.

Pastebin: http://www.webcitation.org/5utqKdf5d

Things aren’t going so well for #LIGATT and it would seem someone inside was unhappy with their Christmas bonus.

News: http://www.wired.com/threatlevel/2011/01/wikileaks-and-p2p/
The secret-spilling site WikiLeaks may also have used file sharing networks to obtain some of the documents it has published, according to a computer-security firm.

The allegations come from Tiversa, a Pennsylvania peer-to-peer investigations firm, that claims it passed information of WikiLeaks’ file sharing activity to U.S. government officials, according to Bloomberg.

Tiversa asserts that on Feb. 7, 2009 it monitored four computers based in Sweden, where WikiLeaks’ primary servers were based, as they conducted 413 searches on peer-to-peer networks seeking Microsoft Excel files and other data-heavy documents, some of which were subsequently published online by WikiLeaks.

If the allegations are true, it would not be the first time that WikiLeaks published documents that were obtained through hacking or online surveillance rather than from a whistleblower or other insiders.

The site published data in 2008 that a hacker obtained from the private e-mail account of then vice-presidential candidate Sarah Palin. And, according to a New Yorker story published last year, the site also possesses a cache of more than a million documents that were grabbed by a WikiLeaks activist in 2006 after they traveled through the Tor anonymizing network. At least one of these documents was published on the WikiLeaks site, according to the magazine.

Those siphoned documents, supposedly stolen by Chinese hackers or spies who were using the Tor network to transmit data taken from victim computers, were the basis for WikiLeaks founder Julian Assange’s assertion in 2006 that his organization had already “received over one million documents from 13 countries” before his site was launched that year, according to The New Yorker. WikiLeaks disputed The New Yorker’s article after it was published, but the magazine, known for rigorous fact-checking, has never issued a correction to its story.

Regarding Tiversa’s claims that WikiLeaks obtained documents from file sharing networks, the company says that one of the files was a PDF siphoned from a computer in Hawaii, which revealed sensitive security information about the Pentagon’s Pacific Missile Range Facility. Tiversa says the document was renamed before it was published on WikiLeaks two months later.

Although the original WikiLeaks site is not currently online, a mirror of the site indicates that the document “was first publicly revealed by WikiLeaks working with our source.”

Mark Stephens, the attorney defending WikiLeaks’ Assange in an extradition case involving sex-crime allegations, did not immediately respond to an inquiry from Threat Level. But he told Bloomberg that Tiversa’s assertion was “completely false in every regard.”

Tiversa CEO Robert Boback told Bloomberg that his company discovered an ongoing pattern of documents being siphoned from file sharing networks to the WikiLeaks site. In some cases the documents had been on the file sharing network two months before they were published. In other cases they were exposed on the networks for many months before finding their way to the WikiLeaks site.

Boback estimated that “as much as half” of the documents posted by WikiLeaks might have come from file sharing networks instead of from whistleblowers. “There are not that many whistleblowers in the world to get you millions of documents,” Boback told Bloomberg. “However, if you are getting them yourselves, that information is out there and available.”
News: http://www.bbc.co.uk/news/uk-england-humber-12219652
Hull and East Yorkshire Hospitals NHS Trust has apologised after confidential data of more than 1,000 patients was stolen from a doctor’s home. The trust said the medic broke regulations by taking away the unencrypted medical records and was now facing a disciplinary hearing. The information was contained on a laptop and was stolen from the doctor’s home in November. It includes patients’ names, dates of birth and hospital treatment.

Mary Holmes, 12, is among the patients whose records were stolen.

Her mother Cathie said she wanted to see changes to ensure other patients did not end up in a similar situation.

“Things that you wouldn’t tell anyone else you’d tell a doctor because you know they can’t or they are not supposed to share information elsewhere,” she said.

“But now some bloke at the end of the road could have Mary’s details and know exactly what treatment she receives.”

Dr David Hepburn, medical director for Hull and East Yorkshire NHS Trust, said steps had been taken to prevent patient details being downloaded from computers but it was more difficult to control information being sent by email.

“This particular employee used email to send the information to himself and then stored it on a non-encrypted laptop.”

Mr Hepburn added: “We have already written to anyone affected by this to inform them of these incidents and therefore anyone who has not received a letter has no cause for concern.

“The trust takes data protection issues very seriously and this member of staff is currently the subject of a disciplinary process.”