ISDPodcast Episode 324 for February 16, 2011. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Varun Sharma.
Announcements:
Appalachian Institute of Digital Evidence (AIDE)
When: February 17 – 18, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/default.htm
SANS Community
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam
When: Wednesday, February 23, 2011 – Wednesday, April 27, 2011
http://www.sans.org/mentor/details.php?nid=23493
Use the Discount Code: isdpod15 for a 15% discount.
OWASP February Chapter Meeting:
When: February 28, 2011 6-8pm
Where: Tilted Kilt http://tinyurl.com/4oh2thj
My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11,2011
Where: Washington, DC
Data Recovery Expert Certification
When: June 6-10, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training
@BSidesAustin
When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011
#Outerz0ne
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now! http://bit.ly/dJoIM9
Indiana Linux Fest
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP & CFT open now! http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
Source: http://nakedsecurity.sophos.com/2011/02/09/microsoft-says-good-riddance-usb-autorun
Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled out an “important, non-security update” through Windows Update, changing the behavior of Autorun when you plug a USB stick into your computer. In fact, in a blog post published last week, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”
Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user’s permission. Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.
This most likely will impact your use of tools such as SET (The Social Engineering Toolkit), specifically the “Infectious Media Generator.” That being said, I would still recommend using SET and even the “Infectious Media Generator” as we know most companies are not that diligent in patching and the fact that it’s flagged as an “important, non-security update” makes it even more unlikely that it will be deployed.
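What the update actually neuters is the autorun.inf file on the stick: the [autorun] section's open= or shellexecute= (or a shell\verb\command=) entry names the program Windows used to run on insertion, and that is the file SET's Infectious Media Generator writes next to its payload. The scanner below is an added example for these notes, not Microsoft's, Sophos's or SET's code; it assumes only the autorun.inf key names Windows honors, and the two sample files are constructed for the example.

```python
"""Find an autorun.inf on a volume and report what it would launch.
Added example for this episode's notes; it is not Microsoft's or SET's code.
Key names below are the ones Windows honors (open, shellexecute, shell\\<verb>\\command)."""
import os
import re
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")   # values name a program to run


def parse_autorun_inf(text):
    """Parse INI-style text into {section: {key: value}}.
    Names are lower-cased because Windows matches them case-insensitively."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return (key, target) pairs that cause code execution from any [autorun*] section:
    open=, shellexecute=, and shell\\<verb>\\command= entries."""
    found = []
    for name, keys in parse_autorun_inf(text).items():
        if not name.startswith("autorun"):   # also covers [autorun.mips] style sections
            continue
        for key, value in keys.items():
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found


def scan_volume(root):
    """Check the top level of root for autorun.inf (any case) and list its launch targets.
    Returns [(path, key, target), ...]; an empty list means nothing would auto-execute."""
    hits = []
    for entry in os.listdir(root):
        if entry.lower() != "autorun.inf":
            continue
        path = os.path.join(root, entry)
        with open(path, "r", errors="replace") as fh:
            for key, target in launch_targets(fh.read()):
                hits.append((path, key, target))
    return hits


# Constructed samples (invented for this example). The first has the shape USB-borne
# malware relies on: a friendly label and icon, plus a program to run.
SAMPLE_MALICIOUS = """[autorun]
; shown to the user as a harmless drive
label=Photos
icon=pics.ico
open=payload.exe
shell\\explore\\command=payload.exe
"""

SAMPLE_BENIGN = """[AutoRun]
label=Backup drive
icon=backup.ico
"""


def demo():
    """Write the malicious sample to a temp 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Autorun.inf"), "w") as fh:
            fh.write(SAMPLE_MALICIOUS)
        return scan_volume(d)


if __name__ == "__main__":
    for path, key, target in demo():
        print(f"{path}: {key} -> {target}")
    print("benign sample:", launch_targets(SAMPLE_BENIGN))
```

Point scan_volume at the mount point of a stick before anyone opens it. On a host that has the update (or Windows 7) the open= target is no longer executed from USB media, but the scan still tells you what the drive would have done on the unpatched XP boxes the story is worried about, which is the question to ask about a stick found in the car park.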
Source: http://kara.allthingsd.com/20110210/exclusive-facebook-exploring-tender-offer-for-1-billion-of-employee-shares-at-60-billion-valuation/
Facebook is exploring permitting a tender offer up to $1 billion of its employee shares, after being approached by a number of big institutional investors about investing in the company, according to sources close to the situation. The new approximate valuation? An eye-popping $60 billion, sources said, which is a significant increase to a recent $1.5 billion investment round by Goldman Sachs and its international clients that had pegged the social networking behemoth at a $50 billion valuation.
And the reason? Liquidity, allowing Facebook employees to monetize their privately-held shares, since the company is not likely to have an IPO for at least a year. That’s been a big issue for Facebook as it seeks to walk the ever dicier line being a private company and becoming a public company. And managing how its shares are dispersed is critical, especially with regulatory concerns about these private secondary markets increasing.
All the machinating is because Facebook has tried hard–via ever bigger funding rounds and ever larger valuations–to delay its IPO, in order to grow its massive 600-million user base away from scrutiny.
The move is not dissimilar to one that the Palo Alto, Calif.-based company did in mid-2009, when one of its major investors, DST, forked over $100 million for employee shares in a transaction that was in addition to a $200 million investment. At that time, current and former employees of Facebook were able to sell up to 20 percent of their common shares at $14.77 per share at a $6.5 billion valuation.
If completed, the new tender offer would be at a share price almost 10 times that. But sources said interest is high among big institutional investors who want a piece of Facebook before its inevitable initial public offering.
It’s likely the deal will be split between two or more investors, sources added. A Facebook spokesman declined to comment. The latest wrinkle is part of a massive race to invest in the winners of Web 2.0, often via secondary market sales. Silicon Valley venture firm Andreessen Horowitz, for example, confirmed it had bought $80 million in shares of Twitter, in a story first reported here.
Source: http://www.pcworld.com/businesscenter/article/219707/timing_is_everything_for_new_tax_malware_scam.html
Pretty much any tax-themed phishing scam or malware attack launched in the first half of the year is bound to net a few naïve victims. But, with the right circumstances and the right timing, a message spoofed to appear from the United States Internal Revenue Service (IRS) can be a malware grand slam. I have already put out the obligatory tax season warning to watch out for spam and malware claiming to be from the IRS. However, an AppRiver blog post describes an emerging threat that takes advantage of some unique events regarding tax season in the United States, and appears to have been launched with impeccable timing for maximum effectiveness.
AppRiver’s Troy Gill describes the threat: “The messages we are seeing claim to be from the IRS and state that ‘Your Federal Tax Payment has been rejected’. The message contains an attachment that you are asked to open for more information. The attachment contains an .exe file that if run will infect your computer instantly.” According to analysis by AppRiver, the actual malware appears to be a variant of the ever-popular ZeuS Trojan. AppRiver claims that initial testing found that only one out of forty-one malware detection engines successfully identified the malicious threat. Not great odds.
What makes this threat particularly dangerous, though, is the timing of the attack. Certain tax cuts implemented under the Bush administration should have been allowed to expire, but were a major point of contention between the Obama White House and the GOP-controlled House. A deal was struck enabling those tax cuts to be extended, but it was so last-minute that it forced the IRS to delay processing returns until it could be sure what the rules of engagement are going to be.
Gill explains that many tax returns were held, and that the IRS just began accepting them yesterday. “Most of these individuals would have received an email yesterday stating that their tax return has been “sent” to the IRS and that they would receive another email confirmation once the return had been “accepted” by the IRS. In other words–millions of Americans are likely expecting to hear whether or not their tax return has been accepted or rejected via email within the next 48 hour period, so this attack could really not be better timed.”
If you are one of these millions of Americans, be on guard and don’t fall for this scam. The IRS will not–I repeat, not–send you an e-mail with a file attachment. If you receive any e-mail that you are concerned may be from the IRS, contact the IRS directly to find out the status of your tax return.
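The advice above reduces to a mail-gateway rule: a message that claims to be from the IRS and carries any attachment is a lure, and an attachment that is a Windows executable is a lure whoever it claims to be from (with one detection in forty-one, the AV engine is not the control to rely on). The screener below is an added example for these notes, not AppRiver's code; the sender address, the subject line and the attachment bytes in the sample are invented, and the irs.gov sender check is only an illustration of a whitelist, not a claim about how the IRS actually sends mail.

```python
"""Screen an inbound message for the lure described above: a mail that claims to come
from the IRS and carries an executable attachment. Added example for these notes, not
AppRiver's code; the sender address and attachment bytes are invented."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXTENSIONS = {"zip", "rar"}          # often wrap the .exe; flag for inspection
IRS_PATTERN = re.compile(r"\b(irs|internal revenue service)\b", re.IGNORECASE)


def is_pe_image(data):
    """Windows executables start with the 'MZ' DOS stub whatever the file is named."""
    return data[:2] == b"MZ"


def classify_attachment(part):
    """Return the reasons a MIME part is suspicious (empty list if none)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    exts = name.split(".")[1:]               # 'report.pdf.exe' -> ['pdf', 'exe']
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1:
            reasons.append("double extension hides the real type")
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        reasons.append("archive attachment; inspect contents")
    payload = part.get_payload(decode=True) or b""
    if is_pe_image(payload):
        reasons.append("content is a PE image (MZ header)")
    return reasons


def screen_message(raw_bytes):
    """Parse raw RFC 822 bytes and return a verdict. The rule from the story applies:
    the IRS does not e-mail attachments, so 'claims IRS' plus any attachment is enough."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    claims_irs = bool(IRS_PATTERN.search(display_name) or IRS_PATTERN.search(subject))
    from_irs_domain = addr.lower().endswith("@irs.gov")   # illustrative whitelist only
    attachments = list(msg.iter_attachments())
    findings = [(p.get_filename(), r) for p in attachments for r in classify_attachment(p)]
    return {
        "claims_irs": claims_irs,
        "from_irs_domain": from_irs_domain,
        "attachments": findings,
        "block": bool(findings) or (claims_irs and bool(attachments)),
    }


def build_sample(with_attachment=True):
    """Constructed lure in the shape Gill describes. The 'executable' is a fake 'MZ'
    stub followed by padding, not a real program."""
    msg = EmailMessage()
    msg["From"] = "Internal Revenue Service <noreply@irs-efile-services.example>"
    msg["To"] = "taxpayer@example.org"
    msg["Subject"] = "Your Federal Tax Payment has been rejected"
    msg.set_content("Your payment was rejected. Open the attached report for details.")
    if with_attachment:
        fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
        msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                           filename="Tax_Payment_Report.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = screen_message(build_sample())
    print("block:", verdict["block"])
    for filename, reason in verdict["attachments"]:
        print(f"  {filename}: {reason}")
```

The content check matters more than the extension check: renaming the payload or wrapping it in a zip defeats the name test, while the MZ header survives a rename, and an archive still gets flagged for a look inside. Feed screen_message the raw bytes your MTA hands to a content filter, or a saved .eml, and act on the block flag.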
Source: http://www.dailymail.co.uk/news/article-1355596/Al-Qaeda-Cyber-warfare-threat-overstated-warns-US-intelligence-chief.html
America’s top intelligence chief warned Congress that the cyber warfare facing the U.S. is increasing in scope and scale. James Clapper said its impact was difficult to ‘overstate’ as he outlined the threat posed by al-Qaeda and its splinter groups and the proliferation of weapons of mass destruction. The Director of National Intelligence was expected to tell the Congressional hearing that al-Qaeda was his No. 1 priority, according to U.S. officials.
But he is likely to come under fire over missing the signs of Arab revolt in Tunisia and Egypt.
Clapper will face tough questioning about the toppling of the Tunisian leader and the major threat to Egypt’s President Mubarak – two U.S allies. The threat assessment hearing is often described as the most important of the year because the Director lays out the 16 major intelligence agencies’ priorities. It drives the agenda for the intelligence community and the congressional committees that must decide what issues to tackle and what programmes to fund.
Clapper’s focus comes just a day after Homeland Security Secretary Janet Napolitano warned the terrorist threat to the U.S. was at its highest level since the 9/11 attacks almost a decade ago. During the same hearing of the Homeland Security Committee, National Counterterrorism Center director Michael Leiter said al-Qaeda’s offshoot in Yemen was ‘the most significant risk to the U.S.’
Source: http://blogs.forbes.com/andygreenberg/2011/02/10/hackers-build-android-encryption-apps-for-egypt/
Cellphones may be helping to connect and organize the pro-democracy protesters massing in the streets of Cairo and Alexandria. But they’re also offering a new method for authoritarians to track those protesters and monitor their communications.
So one company, Whisper Systems, is releasing a new way for Egyptians to thwart wiretaps on their smartphones. On Thursday, it launched an Egypt-specific version of two applications for Android devices: RedPhone, an encrypted voice-over-Internet calling app, and TextSecure, which encrypts users’ text messages. The Egyptian versions of the apps are available at Whispersys.com.
“When the protests started in Egypt, we stepped up our efforts to get it working there,” says a well-known hacker and spokesperson for Whisper who goes by the name Moxie Marlinspike. “Now we’re ready to release, and hopefully enable some pro-democracy advocates to communicate and coordinate without being surveilled.”
Cellphone carriers in Egypt haven’t admitted to monitoring Egyptian protesters in the recent unrest or handing over their data to the government. But a Vodafone official in 2009 confessed that Vodafone was legally required to give up data on a group of Egyptian dissidents in 2008 who had pulled down a large poster of president Hosni Mubarak. Last week Vodafone said that it had been forced by the Egyptian government to use its network to send out propaganda text messages to users. And when I asked the carrier if it was giving up users’ data, it responded only that it had “already made a number of statements in relation to the situation in Egypt facing all of the mobile operators” and would “not comment on national security measures.”
Source: http://www.darkreading.com/vulnerability-management/167901026/security/news/229218575/art-of-defence-launches-new-open-waf-project.html
Art of defence launched the openWAF project — an open source community of web application security professionals working together on the industry’s first open source dWAF. art of defence is going to contribute source code of its enterprise dWAF to this project in order to give the community a good starting point. The source code will be released soon after some necessary rework on code licensed from a third party.
- openWAF allows real multi-tenancy across any number of users and web applications per user, all with a single administration point.
- openWAF provides true cluster awareness and central administration from one, easy to understand GUI.
- openWAF’s protection levels are easily tightened iteratively without risk of unwanted exposure or blocking to the application being shielded.
- openWAF’s ‘detection only mode’ allows rule-sets to be tested but not enforced, alongside with rule-sets in ‘protection mode’ that enforce already proven security policies.
- Binaries are available now for Linux (Red Hat, Ubuntu), FreeBSD, Solaris, and Microsoft Windows
Resources:
- For more information about openWAF, visit the project website here, www.openwaf.org
- For more about art of defence, visit the website here, www.artofdefence.com
- art of defence will exhibit at the RSA Conference (booth #342), in San Francisco, Feb 15-17
- Follow the openWAF project on Twitter at twitter.com/openwaf
- Follow art of defence on Twitter at twitter.com/hyperguard