ISDPodcast Episode 313 for February 1, 2011. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Karthik Rangarajan and Varun Sharma.
Announcements:
TOG Dublin Hackerspace
Participating in Engineers Week
When: February 14th-20, 2011
Appalachian Institute of Digital Evidence (AIDE)
When: February 17 – 18, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/default.htm
SANS Community
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam
When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493
Use the Discount Code: isdpod15 for a 15% discount.
My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC
Data Recovery Expert Certification
When: April 11-15, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training
@BSidesAustin
When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011
Outerz0ne:
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now!
http://bit.ly/dJoIM9
Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
@THOTCON
When: Friday, April 15th, 2011
Where: Chicago, IL
http://www.thotcon.org
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News: http://www.dailycampus.com/news/hackers-steal-co-op-patrons-personal-information-1.1949423
Falling victim to digital maliciousness, HuskyDirect.com was hacked early last week, leaving credit card numbers and other customer information up for the hacker’s grabs. HuskyDirect.com is an official vendor of UConn sports goods that works in cooperation with the UConn Co-op. The site has been taken down, citing on its homepage that it is “undergoing crucial maintenance.” The page is not expected to be operational until Co-op officials have confidence the vendor has fixed any problems that left the site vulnerable in the first place. According to the HuskyDirect homepage, it will be at least “a few days” before confidence is restored and the site is resurrected.
While it has been reported that only those who have made purchases through HuskyDirect were affected (Co-op customers need not worry unless they purchased goods from HuskyDirect.com), the tally of victims is not slight. UConn informed 18,000 online shoppers of the breach, and suggested they make efforts to protect their information and, subsequently, themselves. “To help guard against any fraudulent use of your personal information, we are offering you credit monitoring services,” an email issued to all HuskyDirect customers read. “If you detect any suspicious activity on your account, you should promptly notify the institution with which the account is maintained and also contact your local law enforcement.”
News: http://www.independent.ie/national-news/gardai-probe-theft-of-laptops-from-revenue-fraud-squad-2515913.html
Republic of Ireland Police (Gardai) are investigating how 10 laptops were stolen from the headquarters of the Revenue’s fraud and tax evasion section. Internal inquiries were also being carried out into an embarrassing security breach that resulted in three men breaking into the building and then walking to the second floor without being spotted. The break-in took place at the Revenue Commissioners’ offices at Ashtown Gate on the Navan Road in Dublin on Thursday. Three men forced their way in through a fire emergency door at the side of the building at around 7.15pm. The offices are patrolled by security guards and monitored by surveillance cameras.
Staff employed at Ashtown Gate include officials from the investigations and prosecutions division, which co-ordinates all Revenue prosecution activity, dealing particularly with serious cases of fraud and tax evasion. The burglars managed to make their way unnoticed up to the second floor where they used cutting equipment to remove 10 laptops that had been chained and padlocked to desks. The gang managed to escape with the laptops before the break-in was spotted. Gardai at Blanchardstown were alerted and last night officers were examining footage from the security cameras.
A Revenue spokesman said all of their laptops were encrypted, using a leading brand that complied with the highest international security certifications. The spokesman added: “Revenue contacted the office of the Data Protection Commissioner first thing this morning to report the incident and will be working with the commissioner’s office in the coming days.” Gardai are trying to determine if anything else was taken and are also interviewing officials to compile a dossier of the information contained on the laptops. They are particularly anxious to find out if the laptops contained any sensitive information about serious criminal prosecutions.
Officers said it was too early to state whether the theft was a result of a random break-in or was specifically aimed at laptops the criminals believed could be of use to them. Revenue said its officials were providing full co-operation with the garda investigation and were also carrying out their own inquiries.
News: http://www.datacenterdynamics.com/focus/archive/2011/01/linkedin-ipo-filing-reveals-poor-disaster-recovery-set-up
Although it has recently implemented a disaster recovery program, the professional social networking company LinkedIn does not currently have a way to quickly shift production workload to a back-up data center. In documents filed with the US Securities and Exchange Commission, the company disclosed that downtime at its primary data center means downtime for LinkedIn. “Although this program is functional, it does not yet provide a real-time back-up data center, so if our primary data center shuts down, there will be a period of time that the website will remain shut down while the transition to the back-up data center takes place,” the document read. The document cited is LinkedIn’s statement of registration for an Initial Public Offering, which aims to raise up to US$175m. The offering’s underwriters are Morgan Stanley, Bank of America Merrill Lynch, JP Morgan, Allen and Company and UBS.
News: http://www.theregister.co.uk/2011/01/31/sorceforge_hack_response/
Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads, and project web updates as a precaution against deeper compromise. The open-source outfit reckons it nipped the attack before it got very far. However, analysis of server logs after the attack revealed that an SSH daemon had been modified to carry out a password-sniffing attack. SourceForge reckons it was unlikely any developer passwords were actually compromised, though it can’t be absolutely sure. As a precaution, the open-source site applied an across-the-board password reset, as explained in an email to developers sent over the weekend and forwarded to El Reg:
We recently experienced a directed attack on SourceForge infrastructure (http://sourceforge.net/blog/sourceforge-net-attack) and so we are resetting all passwords in the sf.net database – just in case. We’re emailing all sf.net registered account holders to let you know about this change to your account. Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don’t want is to find out in two months that passwords were compromised and we didn’t take action.
So, as a proactive measure we’ve invalidated your SourceForge.net account password. To access the site again, you’ll need to go through the email recovery process and choose a shiny new password.
An update on the SourceForge blog, published on Saturday, provides a detailed update on the attack and SourceForge’s response thus far. SourceForge hopes to fully restore services later this week. It’s unclear who carried out the attack or what exactly their motives might have been, although uploading back-doored versions of open source software is the most obvious motive for such a stealthy and fairly sophisticated attack. SourceForge is in the process of validating updates to guard against potentially nasty surprises further down the line. It is also in the process of locking down servers and adding extra defences as a precaution against further attack. The attack against SourceForge followed days after an attack on Fedora, another open-source outfit. Miscreants gained access through a team member’s account, but there’s no evidence that this compromised access was used to upload rogue code. Two months ago the main source code repository of the Free Software Foundation was taken offline following an attack targeting website login credentials.
News: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=298
There are thousands of hackers assaulting Defense Department networks at any given time. Detecting those intrusions and removing them from military systems remains problematic because program managers cannot acquire tools and infrastructure fast enough. “The adversary reacts in days and hours. Today, we react in years,” said Kevin P. McNally, program manager for information assurance and cybersecurity (PMW 130) at the Space and Naval Warfare Systems Center. “We’re doing whatever we can to speed that up,” he told reporters during an industry conference sponsored by the Armed Forces Communications and Electronics Association and the U.S. Naval Institute. The program office acquires computer technologies for the Navy and specifically supports Fleet Cyber Command and 10th Fleet, which were established last year to oversee and execute Navy cyberspace operations. McNally’s goal is to rapidly deploy new network infrastructure and capabilities to cyberwarriors within months. “We’re trying to get to the point where we’re looking at providing defensive capabilities on a six-month to a year basis, which is pretty uncommon if you look at how we do acquisitions in the Defense Department,” he said. “That’s going to be one of our biggest challenges.” It’s no secret that the Pentagon often takes years, sometimes decades, to buy a weapon system. The acquisition model works for procuring large-scale, high-stakes programs such as aircraft carriers and jet fighters. But when it comes to cyberwarfare, officials are learning the hard way that the lengthy development cycle will not cut it.
“This is a different paradigm. Cyber is much faster and the technology is getting better and cheaper. At some point, we have to be willing to streamline that process even if it means there’s some risk associated with that, because otherwise you lose. You can’t react fast enough,” McNally said. The Defense Department in 2008 banned the use of USB flash media for 15 months after a virus swept through Pentagon networks via infected thumb drives and memory sticks. That was a particular scenario in which officials should have been able to react faster, but could not because of the acquisition system. “It has got to move a lot faster,” said Elissa J. Huffstetler, division head for the information assurance and engineering division at Space and Naval Warfare Systems Center Pacific. “We need to start looking at how to use what we already have to start picking up speed to block those threats. It’s a major initiative we need to be working on.”
Part of the solution is to buck the traditional defense acquisition system, officials said. Currently, procurement is accomplished by awarding large contracts to a single integrator who then assembles subcomponents into a weapon over the course of several years. The program office is trying to cut out the middleman on future acquisitions. “I’m looking at products rather than large integrator contracts,” said McNally, who declined to elaborate further on any forthcoming requests for proposals. The program office, which has responsibility for procuring architectures and tools for shore-based and at-sea networks, is striving to beef up the Navy’s computer network defense capabilities. Part of that is developing better sensors and filtering systems to give cyberwarriors better “situational awareness” of what takes place on the service’s networks.
News: http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed
A judge in Georgia has scolded a controversial security figure for improperly subpoenaing Yahoo! and Twitter in an attempt to get user names and passwords belonging to some 25 researchers. Gregory D. Evans, CEO of Ligatt Security and the self-proclaimed “World’s No. 1 Hacker”, sought the highly personal information in a lawsuit he brought last year accusing the researchers of bashing his company’s penny stock. Over the past year, shares have fallen from about $2.80 to $0.0004, public information shows. Most of that precipitous drop happened prior to claims that surfaced in June that huge chunks of an e-book purportedly written by Evans were lifted from other hacking manuals without the original authors’ permission. The suit named Chris John Riley, Ben Rothke, and other security professionals who publicly claimed their works were plagiarized. Shortly after it was filed, attorneys for Evans subpoenaed Yahoo! and Twitter for information that included the defendants’ usernames, passwords, emails sent and received, and blog postings. Last week, the judge hearing the case quashed the subpoenas and said they violated several provisions of Georgia law.
“The court finds it extremely troubling that plaintiffs issued and served subpoenas to which plaintiffs’ counsel had no access for such a long period of time,” Karen E. Beyers, superior court judge for Georgia’s Gwinnett County, wrote. Under the Official Code of Georgia Annotated, she said, Randolph Morris and the 24 other people named in the suit were entitled to copies. She also uncovered other legal deficiencies, including their inclusion of the wrong case number and failure to notify plaintiffs that two subpoenas had been filed rather than just one. What’s more, Beyers said the subpoenas were “overbroad” because they sought passwords and emails. “This is exceedingly overbroad, and is also wholly inconsistent with the representations of plaintiffs’ counsel regarding the scope of the subpoenas,” she wrote. Beyers went on to dismiss Morris from the lawsuit because she found the California resident had no ties to Georgia. She scheduled a hearing for March 1 to decide how much Evans should pay in sanctions for the improper subpoenas. Shortly after filing his lawsuit in July, Evans cast himself as the aggrieved party. “We are sure that once this total investigation is over we will find that not only were these people bashers, but they were also day traders and market makers,” Evans was quoted as saying in a press release. “We are prepared to go after them due to the fact that they took part in manipulating the stock,” Evans said.
News: http://www.prlog.org/11266432-information-security-researchers-discover-vulnerability-in-android-gingerbread.html
Several security research reports have cautioned users about an increase in attacks on mobile phones and applications during this year. Recently, security researchers at North Carolina State University (NCSU) discovered a vulnerability in Android 2.3 (Gingerbread). The identified vulnerability in the latest version of the mobile operating system allows attackers to gain unauthorized access to files and documents on the microSD card (storage card) in the mobile phone. The vulnerability was identified by a team of information security professionals led by Xuxian Jiang, an assistant professor in the University’s computer science department. The recently released Gingerbread version comes with improved features over the earlier version, Froyo, such as an improved on-screen keyboard and a better user interface. Gingerbread is a minor version and may be replaced with Android 3.0 (Honeycomb) during the course of this year. Usually, software developers use ethical hacking to ascertain security flaws. In this case, researchers identified the vulnerability by testing a Nexus S device running Gingerbread. The researchers launched attacks on the operating system through proof-of-concept exploit code.
Fortunately, the purpose of the exploit was to alert developers to the security flaw in the operating system. Attackers may exploit the vulnerability by luring users into clicking a fake, malicious link. When unsuspecting users click on the link, the malicious code is executed on their phones. By exploiting the vulnerability, attackers may acquire a list of the applications installed on the mobile device. The executed malicious code may allow attackers to open, view and upload files, photos, voicemails and applications stored on the microSD card partitions to a remote server. Therefore, the attack poses an information security risk for users of the Nexus S. The extracted information may be misused by attackers for identity theft, fraud, blackmail and other forms of cybercrime. Google, the product’s vendor, has not yet issued a patch for the vulnerability. Earlier patches were issued for similar vulnerabilities in previous versions of Android. The current vulnerability may be fixed in newer versions or with the release of the next major version, Honeycomb. Security professionals have advised Nexus S users to disable JavaScript or install a different web browser such as Firefox to safeguard sensitive personal information.