Your daily source of Pwnage, Policy and Politics.

Episode 339 – Arms Race, SSN Cracking, French Update, Korean DDoS, EPP & Anon


ISDPodcast Episode 339 for March 9, 2011. Tonight's podcast is hosted by Rick Hayes, Keith Pachulski and Varun Sharma.

Announcements:

My Hard Drive Died

Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC

Data Recovery Expert Certification
When: June 6-10, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training


@BSidesAustin 

When: March 11-12, 2011
Where: The Walton-Joseph Building, 706-708 6th Street
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011

#Outerz0ne:
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now! http://bit.ly/dJoIM9

Unlock Indy Event
When: March 19, 2011 4pm – 8pm
Where: Indiana University-Purdue University Indianapolis, Informatics & Communications Technology Complex building 535 W. Michigan Street Indianapolis, IN
Cost: $30 or more donation to the Hoosier Veterans' Assistance Foundation of Indiana (www.hvaf.org)
http://indysec.blogspot.com/2011/02/unlock-indy-open-registration.html

Indiana Linux Fest

When: March 25-27, 2011
Where: Wyndham Indianapolis West Hotel, Indianapolis, IN


@DerbyCon

When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

ISDpodcast Mailing List:  http://groups.google.com/group/isdpodcast

Information Security Leaders Survey:
https://www.surveymonkey.com/s/isl-2011-certsurvey


Hackers for Charity Cookbook:  http://www.hackersforcharity.org/hackers-for-charity/hackers-for-charity-cookbook/
Hackers for Charity Cookbook is asking the hacker community to contribute their best recipes to be included in a Hackers Cookbook. ALL PROCEEDS GO TO HACKERS FOR CHARITY!!! 100%

We have not picked a publisher yet, but we don’t imagine it will be difficult to find interest. (**hint hint.. interested publishers contact [email protected])

How: Simple. Just submit your best recipes to [email protected] for consideration.

Requirements:
1. Recipe and the story that goes with it.
2. Origin (country/region)
3. Pictures (optional, but desired)
4. Name, contact info and short bio. (Hacker nick will do, but if you want to benefit from the directory..)
We want to give something back to the contributors, so we plan to create a directory for the chefs in the book. We are hoping to receive recipes from all around the world. Yep! If you have some InfoSec friends in other countries, please tell them about this project. We welcome their contribution! The first round of submissions is due by 4/1/2011.

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories
Source:  http://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race

Deep inside a glass-and-concrete office building in suburban Washington, Sean McGurk grasps the handle of a vault door, clicks in a secret entry code, and swings the steel slab open. Stepping over the raised lip of a submarine-like bulkhead, he enters a room bristling with some of the most sophisticated technology in the United States.


Banks of computers, hard drives humming on desktops, are tied into an electronic filtering system that monitors billions of bits of information flowing into dozens of federal agencies each second. At any given moment, an analyst can pop up information on a wall of five massive television screens that almost makes this feel like Cowboys Stadium in Arlington, Texas, rather than a bland office building in Arlington, Va.


The overriding purpose of all of it: to help prevent what could lead to the next world war.


Specifically, the "Einstein II" system, as it is called, is intended to detect a large cyberattack against the US. The first signs of such an "electronic Pearl Harbor" might include a power failure across a vast portion of the nation's electric grid. It might be the crash of a vital military computer network. It could be a sudden poison gas release at a chemical plant or an explosion at an oil refinery.


Whatever it is, the scores of analysts staffing this new multimillion-dollar "watch and warn" center would, presumably, be able to see it and respond, says Mr. McGurk, the facility director. The National Cybersecurity and Communications Integration Center (NCCIC, pronounced en-kick) is one of the crown jewels of the Department of Homeland Security (DHS). It is linked to four other key watch centers run by the FBI, the Department of Defense (DOD), and the National Security Agency (NSA) that monitor military and overseas computer networks.

Follow-On to the above
Source: http://www.infosecurity-us.com/view/16453/dhs-wants-2336-million-to-deploy-einstein-3-system/

The Department of Homeland Security is seeking $233.6 million in FY 2012 funding for deployment of Einstein 3, the latest generation of the network intrusion detection and prevention system for the federal government.

Einstein 3, which was developed by the National Security Agency, would automate the response to unauthorized access to government networks. In addition, Einstein 3 expands information sharing by the US Computer Emergency Readiness Team (US-CERT), enabling automation of the US-CERT alert process. DHS is also seeking $40.9 million in FY 2012 to conduct 66 federal network security assessments to improve cybersecurity across the federal government, DHS Secretary Janet Napolitano told the House Committee on Homeland Security last week.


http://en.wikipedia.org/wiki/Einstein_%28US-CERT_program%29


Researchers at Carnegie Mellon University have developed a reliable method for predicting Social Security numbers, using information from social networking sites, data brokers, voter registration lists, online white pages, and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward.

This meant that people born on the East Coast were assigned the lowest numbers and those born on the West Coast were assigned the highest numbers. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researchers had a 90% success rate.

In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” The researchers concluded, “Unless mitigating strategies are implemented, the predictability of SSNs exposes people born after 1988 to risks of identity theft on mass scales.”

While the researchers’ work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations, and educational institutions.

The problem stems from the fact that our existing system of identification is seriously outdated. We rely on nine digits as a primary identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. This problem can only be remedied by incorporating multiple levels of authentication into our identification process.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Visit CounterIdentityTheft.com to educate and protect yourself.

Source: http://www.computerworld.com/s/article/9213741/French_gov_t_gives_more_details_of_hack_150_PCs_compromised
The French National IT Systems Security Agency released further details of the recent attack on French government computers, saying they were targeted by cyberspies. Around 150 IT staff spent the weekend on a massive cleanup operation to undo the effects of the attack on computers at the French Ministry of Economy, Finances and Industry, the security agency's director-general said Monday night.

The attack compromised around 150 of the ministry's 170,000 PCs, agency director-general Patrick Pailloux said at a press conference.

The attack began with a wave of e-mail messages with malware-laden attachments that exploited then-unknown or unprotected flaws in the software running on the ministry's PCs. The messages were addressed to ministry staff of all levels, and purported to come from colleagues or regular correspondents elsewhere, while the attachments appeared to relate to their work, Pailloux said.

When the attachments were opened, they installed Trojan horse software on the PCs. Under the control of the unidentified attackers, that software was then used to compromise other PCs, to send data out of the ministry hidden in other Internet traffic, and finally to cover up its activities.

The attackers had access to mailboxes and servers over the course of several weeks. It took the agency until last week to figure out what the Trojan horse was doing, and just how far it had spread, Pailloux said. While attacks on other French government computers were made during this time, none of them appeared to have succeeded, he said. The technical level and coordination of the attacks on the Finance Ministry show that the hackers were determined and organized professionals, he said. After disconnecting the ministry from the Internet, it took 150 IT staff all weekend to clean up and strengthen security systems before bringing the Internet connection back up on Monday morning, Pailloux said.

More than forty South Korean government websites were subject to intense distributed denial of service (DDoS) attacks over the weekend. Targets included sites maintained by the Defense Ministry, the National Intelligence Service, the Foreign Ministry, the National Assembly and Office of the President. DDoS attacks are almost commonplace these days, but what makes the botnet employed in this series of attacks special is that it utilizes code that causes the host machines to automatically self-destruct.

Researchers at McAfee have identified a "destructive payload" in the malware controlling the botnet used in the South Korean DDoS attacks.

"Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it." wrote McAfee's Georg Wicherski.

Wicherski notes that the command and control (C&C) structure of the botnet uses two layers of control servers, one under direct control of the botnet owner, and the other serving task files downloaded directly to the infected computers that carry additional instructions.

Secondary components of the botnet code seek out these task files to carry out the attack. Based on a timestamp recorded when the files are downloaded, the clock starts running down until the device initiates a self-destruct command which overwrites the hard drive and destroys all data.

"The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection," Wicherski explains.

Wicherski feels the complexity and destructive nature of the botnet code is an ominous sign of things to come.

"One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier," Wicherski stated.

Source: http://www.net-security.org/malware_news.php?id=1660
NSS Labs released two test reports of Endpoint Protection Products (EPP) which reveal new shortcomings in these widely deployed products. They cover multi-vector attacks (malware delivered from the web, email, network file sharing and USB flash drives), memory-only attacks, and anti-evasion techniques.

Key findings from the reports show:

  • Malware caught via one entry point may not be detected when introduced via another entry point. E.g. malware that is detected via a web download could be missed if downloaded from a USB drive or network file server.
  • Products missed between 10% and 60% of the evasions typically used by cybercriminals.
  • Less than a third of the tested vendors had protection for memory-only malware, leaving a significant evasion gap in their products.

All of the products tested had been certified by multiple organizations. However, traditional antivirus test and certification labs are simply not performing this level of gloves-off testing.

Enterprises basing purchasing decisions off such vendor-funded reports are therefore blind to the holes in their endpoint security defenses.

“IT organizations worldwide have a false sense of security in part due to tests that have been too easy,” said Vik Phatak, CTO, NSS Labs. “Our test results point towards the need for more realistic testing based on what cybercriminals are actually doing to breach corporate defenses.”