Your daily source of Pwnage, Policy and Politics.

Episode 330 – SP1 Gotchas, Secure State OWA Module, PCI Training, DDoS, Flash Erasing, Night Dragon & WBC

ISDPodcast Episode 330 for February 24, 2011. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Varun Sharma.

Announcements:

OWASP February Chapter Meeting:

When: February 28, 2011 6-8pm
Where: Tilted Kilt http://tinyurl.com/4oh2thj

My Hard Drive Died:
Data Recovery Expert Certification
When: March 7-11,2011
Where: Washington, DC

Data Recovery Expert Certification
When: June 6-10, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training

@BSidesAustin:

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

#Outerz0ne:
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now! http://bit.ly/dJoIM9

Unlock Indy Event:
When: March 19, 2011 4pm – 8pm
Where: Indiana University-Purdue University Indianapolis, Informatics & Communications Technology Complex building 535 W. Michigan Street Indianapolis, IN
Cost: $30 or more donation to the Hoosier Veterans’ Assistance Foundation of Indiana (www.hvaf.org)
http://indysec.blogspot.com/2011/02/unlock-indy-open-registration.html

Indiana Linux Fest:
When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN
http://www.indianalinux.org/cms/

CarolinaCon:
When: April 29th, 30th, and May 1st, 2011
Where: Holiday Inn – Glenwood Avenue in Raleigh, NC
http://carolinacon.org

#BruCon:
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP & CFT open now! http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html

@DerbyCon:
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

ISDpodcast Mailing List: http://groups.google.com/group/isdpodcast

Information Security Leaders Survey:
https://www.surveymonkey.com/s/isl-2011-certsurvey

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)


Stories:
Source: http://isc.sans.edu/diary.html?storyid=10453
http://technet.microsoft.com/en-us/library/ff817622%28WS.10%29.aspx
Windows 7 SP1 and Windows 2008 R2 SP1 are available, but according to SANS there are a few areas to watch:

- Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. The same goes for anti-virus: some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP1.

- Firewalls: Third-party firewalls may find that some of the low-level hooks they use have changed.

- Disk Encryption: In particular, full disk encryption that modifies the boot process may find that some of the changes it made are undone by the SP install.

- Custom hardware: If you are using drivers other than those that are included in Windows 7 (or 2008 R2), be careful.

Specific examples. Consider them anecdotal but if you run any software mentioned here, or similar software, this list should give you a guide to test.

  • Users with old versions of Microsoft Security Essentials may not be able to install SP1. Upgrade first.
  • Samsung Galaxy S phone drivers may have problems with SP1
  • some users reported very long install times (> 1 hr., but not all that unusual for a service pack)
  • Chrome 10 and 11 have issues according to some tweets
  • Word 2003 VBA
  • slower boot times with SP1 than without
  • some reports of download issues due to overloaded servers
  • Lenovo’s Thinkvantage System Update may not work (update it before applying the SP)
  • EVGA Precision Utility 2.0.2 (Graphics card stats program liked by gamers)
  • MSI Afterburner
  • some issues with Bitlocker are reported. But no confirmation at this point and it may also be due to entering the wrong password on reboot (you have to reboot a couple times in certain situations)

Source: http://www.securestate.com/documents/owa_login.rb
SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.
The module that SecureState developed can be used to test credentials against both 2003 and 2007 servers. Because the module is implemented within the Metasploit Framework, it takes advantage of the features available within it such as logging credentials to the internal database. SecureState has submitted this module to the Metasploit Developers and is awaiting its integration with the Metasploit Trunk.

According to Matt Neely (@matthewneely), we should look for SecureState to release a new tool once every week (or two).
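From the defender's side, the activity the module above generates (many forged logon attempts against one OWA endpoint) is noisy and easy to spot if someone is looking. The following is an added example, not SecureState's module or any Exchange or IIS code: it runs simple brute-force and password-spray detection over a small, constructed authentication log. The log format (timestamp, source IP, target account, outcome), the IPs and account names, and the thresholds are all assumptions made for the example.

```python
"""Brute-force / password-spray detection over an OWA-style authentication log.
Added example with a constructed log format; not SecureState's code and not
any product's real log layout."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real IIS/Exchange output):
# <ISO timestamp> <source IP> <target account> <FAIL|OK>
SAMPLE_LOG = """\
2011-02-24T01:00:01 203.0.113.5 alice FAIL
2011-02-24T01:00:02 203.0.113.5 alice FAIL
2011-02-24T01:00:03 203.0.113.5 alice FAIL
2011-02-24T01:00:04 203.0.113.5 alice FAIL
2011-02-24T01:00:05 203.0.113.5 alice FAIL
2011-02-24T01:00:06 203.0.113.5 alice OK
2011-02-24T01:05:00 198.51.100.7 bob FAIL
2011-02-24T01:05:30 198.51.100.7 carol FAIL
2011-02-24T01:06:00 198.51.100.7 dave FAIL
2011-02-24T01:06:30 198.51.100.7 erin FAIL
2011-02-24T01:07:00 198.51.100.7 frank FAIL
2011-02-24T01:09:00 192.0.2.9 gina FAIL
2011-02-24T01:09:20 192.0.2.9 gina OK
2011-02-24T03:00:00 192.0.2.9 gina FAIL
"""

# Thresholds are assumptions for the example; tune them to your environment.
THRESHOLD_PER_ACCOUNT = 5        # failures on one account from one IP inside WINDOW
THRESHOLD_DISTINCT_ACCOUNTS = 5  # distinct accounts failed from one IP inside WINDOW
WINDOW = timedelta(minutes=10)


def parse(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect(log_text):
    """Return sorted (source_ip, kind) findings.

    kind == 'brute_force'    : one account sees >= THRESHOLD_PER_ACCOUNT failures
                               from the same IP within WINDOW (the module's mode of use).
    kind == 'password_spray' : the same IP fails against >= THRESHOLD_DISTINCT_ACCOUNTS
                               different accounts within WINDOW (one guess per user,
                               which per-account lockout alone will not catch).
    """
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    findings = []
    for ip, events in failures.items():
        events.sort()
        flagged = set()
        start = 0
        # Sliding window over this IP's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= THRESHOLD_PER_ACCOUNT:
                flagged.add("brute_force")
            if len(per_user) >= THRESHOLD_DISTINCT_ACCOUNTS:
                flagged.add("password_spray")
        for kind in sorted(flagged):
            findings.append((ip, kind))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"{ip}: {kind}")
```

Note that the first source in the sample log ends with an `OK` after five failures, which is exactly the "credential found" outcome the module reports to its user; alerting on failures followed by a success from the same source is the higher-value signal, and the spray pattern is the one to watch when per-account lockout is the only control in place.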

Source: http://www.infosecurity-magazine.com/view/16044/pci-council-to-offer-awareness-training/

The PCI Council has introduced a series of instructor-led PCI Awareness training courses for 2011, the first of which took place in San Francisco on February 18. Another in-person training seminar is slated for March 11 in London. “The awareness training is intended for anybody who wants to learn more about PCI”, said Bob Russo, general manager of the PCI Council. He told Infosecurity that the courses contain four modules that cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant.

“We can say confidently that [PCI compliance] is the best defense you will have against a breach, but by no means is this the ceiling”, Russo added. “This is basically the minimum you should be doing – anything you can add to it is an additional layer that makes it more secure.”
Source: http://news.idg.no/cw/art.cfm?id=3F6822FF-1A64-6A71-CE67724BB606D61C

The outage of Dutch bank Rabobank last weekend was caused by a massive DDoS attack. The perpetrators are still unknown. The bank reports the attack to the police.

After two days of mystery surrounding the outage Rabobank gave Dutch IDG-title Webwereld a statement explaining the breakdown of both its website and its e-banking services. The Dutch bank was hit by a large DDoS attack (Distributed Denial of Service). The outage of Rabobank happened Saturday evening and again Sunday afternoon. The website and e-banking services were inaccessible for desktop and mobile users.

The DDoS attack also caused an outage in the Dutch central payment system iDeal. That alternative to PayPal was flooded with returned transaction messages from the attacked bank. This DoS-’attack’ (Denial of Service) caused the payment system to go partially down.  A spokesperson for iDeal-operator Currence tells Webwereld that the buffer of one of its two platforms was filled up. Banks that were connected to that affected platform were also unable to process iDeal payments.

Rabobank has now stated that it was under attack by unknown parties. The website Rabobank.nl was bombarded with large amounts of traffic and subsequently collapsed. This was done with intent, says the bank. It will therefore file a police report about this DDoS attack. A spokesman could not tell Webwereld where the DDoS attack originated. “That is part of the investigation, about which we will make no statements.”

The bank already suspected that the outage was caused by malicious intent. It did not utter this suspicion publicly until Tuesday evening after it had confirmed the cause of the breakdown. Questions from Webwereld about the nature of the problem and the countermeasures had therefore not been answered yet.

Rabobank’s e-banking service was unreachable during the weekend on both Saturday and Sunday. To deflect the attack Rabo altered the DNS (domain name system) records for its website. As a result the site was unreachable for the attackers but also for the general public.

Dutch customers of the bank have been complaining about the site and e-banking system being down long after the actual outage had been resolved. The bank was in discussions with local telecoms companies and internet providers to provide connections to Rabobank for their respective customers. This took until Monday. Customers outside of the Netherlands were cut off until at least Tuesday afternoon.

Last week the centralized website of the Dutch government (Rijksoverheid.nl) was hit by a massive DDoS attack. A spokesperson told Webwereld that the attack originated “from a foreign country”, but refused to specify that claim. The government website was offline for several hours. During that attack the website of the government organisation Rijkswaterstaat.nl was also hit, albeit only for a short time. The government has filed a police report.
Source: http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html
Attackers from China broke into and stole proprietary information from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc, according to one of the companies and investigators who declined to be identified.

McAfee Inc., a cyber-security firm, reported Feb. 10 that such attacks had resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” In its report, Santa Clara, California-based McAfee, assisted by other cyber-security firms, didn’t identify the energy companies targeted. The attacks, which it dubbed “Night Dragon,” originated “primarily in China” and occurred during the past three years.

The list of companies hit, none of which disclosed the attacks in filings with regulators, also includes Marathon Oil Corp., ConocoPhillips and Baker Hughes Inc., according to the people who worked on or are familiar with the companies’ investigations and asked not to be identified because of the confidential nature of the matter.

Chinese hackers broke into the computer network of Baker Hughes, said Gary Flaharty, spokesman for the Houston-based provider of advanced drilling technology. Baker Hughes concluded the incident didn’t need to be disclosed because it wasn’t material to investors, he said, declining to comment further.

In some of the cases, hackers had undetected access to company networks for more than a year, said Greg Hoglund, chief executive officer of Sacramento, California-based HBGary Inc., a cyber-security company that investigated some of the security breaches at oil companies. Hoglund, who was cited by McAfee as a contributor to its report, declined to identify his clients.

“Legal information, information on deals and financial information are all things that appear to be getting targeted,” Hoglund said, summing up conclusions his firm made from the types of documents and persons targeted by the hackers. “This is straight up industrial espionage.”

Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said Ed Skoudis, whose company, Washington-based InGuardians Inc., investigated two recent breaches of U.S. oil companies’ networks. He declined to name his clients or the origin of the hackers.

The McAfee report described the techniques used to get into the energy company computers as “unsophisticated” and commonly used by Chinese hackers. The attacks began in November 2009, McAfee said. Two cyber investigators familiar with the probes said the attacks began even earlier — in 2008 — and involved several well-financed groups. The investigators asked not to be identified because the company investigations are private.

McAfee based the report on information gathered from its own work on the breaches and from others who were directly involved in investigating them. The report, produced on the condition that the affected companies not be identified, was done to “educate the community,” said Ian Bain, a McAfee spokesman.

The thefts of oil company data like those in the McAfee report match the profile of industrial espionage operations that have the backing or consent of the Chinese government, said Joel Brenner, former head of U.S. counterintelligence during the Bush and Obama administrations and now a lawyer with Cooley LLP in Washington. In his former post, one of Brenner’s jobs was tracking spying efforts against U.S. companies from foreign countries.

Source: http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques.

Even when the next-generation storage devices show that files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, which is being presented this week at the Usenix FAST 11 conference in California. In some cases, the SSDs, or solid-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations.

The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change.

In the process, left-over data from the old file, which the authors refer to as digital remnants, remains on the drive.
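The remapping behaviour described above is easier to see in code than in prose. The following is an added example, not code from the FAST paper or the article: a toy FTL with an out-of-place write policy, on which a host-level "overwrite the block with zeros" pass leaves the original data sitting in a physical page that no LBA points to any more. The page size, page count and the absence of garbage collection are simplifications chosen for the example.

```python
"""Toy flash translation layer (FTL) showing why an in-place overwrite from
the host does not erase the old copy on an SSD.  Added example, not from the
research being discussed; sizes and the write policy are constructed."""

from dataclasses import dataclass, field

PAGE_SIZE = 16  # bytes per flash page (tiny, for illustration)
NUM_PAGES = 8   # physical pages in the toy flash chip


@dataclass
class ToySSD:
    # Raw flash: each physical page is None (erased) or a bytes object.
    flash: list = field(default_factory=lambda: [None] * NUM_PAGES)
    # FTL map: logical block address -> physical page index.
    lba_map: dict = field(default_factory=dict)
    next_free: int = 0

    def _allocate(self) -> int:
        """Hand out the next erased page; real FTLs also run garbage
        collection, which this toy does not model."""
        if self.next_free >= NUM_PAGES:
            raise RuntimeError("flash full; garbage collection not modelled")
        page = self.next_free
        self.next_free += 1
        return page

    def write(self, lba: int, data: bytes) -> None:
        """Host-visible write.  The FTL writes to a fresh page and repoints
        the LBA; the previously mapped page is left untouched and becomes
        a 'digital remnant' in the article's terminology."""
        if len(data) > PAGE_SIZE:
            raise ValueError("data larger than one page")
        page = self._allocate()
        self.flash[page] = data.ljust(PAGE_SIZE, b"\x00")
        self.lba_map[lba] = page

    def read(self, lba: int) -> bytes:
        """Host-visible read through the FTL map: what the OS and any
        disk-erasure tool that verifies by re-reading will see."""
        return self.flash[self.lba_map[lba]]

    def remnants(self, needle: bytes) -> list:
        """Forensic view of the raw chips: physical pages that still hold
        `needle` but are no longer reachable through any LBA."""
        mapped = set(self.lba_map.values())
        return [i for i, page in enumerate(self.flash)
                if page is not None and i not in mapped and needle in page]


def demo_overwrite_does_not_erase():
    """Write a secret, 'securely erase' it the traditional way (three zero
    passes over the same LBA), then compare the host view with the raw flash."""
    ssd = ToySSD()
    secret = b"ACCOUNT-1234"
    ssd.write(lba=0, data=secret)
    for _ in range(3):
        ssd.write(lba=0, data=b"\x00" * PAGE_SIZE)
    host_view = ssd.read(0)        # zeros: the erase "verified" fine
    stale = ssd.remnants(secret)   # but page 0 still holds the secret
    return host_view, stale


if __name__ == "__main__":
    view, stale = demo_overwrite_does_not_erase()
    print("host reads LBA 0 as:", view)
    print("physical pages still holding the secret:", stale)
```

The host-side verification passes because the erase tool reads back through the same map the FTL updated; only a read of the raw flash (the view the `remnants` method simulates) reveals the stale page, which is why the article's overwrite-based techniques report success while the data survives.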

Source: http://webcache.googleusercontent.com/search?q=cache:esjiUN2ZYlAJ:downloads.westborobaptistchurch.com/+downloads.westborobaptistchurch.com
Anonymous successfully hacked the official website of the controversial Westboro Baptist Church earlier this morning. The group left a map of the internal network of the church on the website, along with a note that blamed the digital infiltration on the congregation’s “recent antics” to gain media attention.  Indeed, Westboro had issued a rather bellicose challenge to Anonymous, challenging the group to “bring it.”

Unsurprisingly, Westboro spokesperson Shirley Phelps-Roper attempted to downplay the incident, claiming that Anonymous had been trying to hack the site for at least several days.

“What they did was break into one server. They tried mightily for four days. They got nothing,” she said.  “I’m [really quite] sure they worked it all out before.”

Meanwhile, an Anonymous Twitter tweet offered some indication that the Westboro hack may have been slightly more difficult to pull off than the HBGary breach.
 “#WBC was more leet than #HBGary… It took #Anonymous a 0day to get in their network, not some public SQL.”

It should be noted that Westboro’s sites were recently knocked offline for a period of several days by an extensive DDoS campaign coordinated by The Jester.