ISDPodcast Episode 340 for March 10, 2011. Tonight's podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Varun Sharma.
Announcements:
My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC
Data Recovery Expert Certification
When: June 6-10, 2011
Where: Atlanta, GA
http://www.myharddrivedied.com/data-recovery-training
@BSidesAustin
Unlock Indy Event
When: March 19, 2011 4pm – 8pm
Where: Indiana University-Purdue University Indianapolis, Informatics & Communications Technology Complex building 535 W. Michigan Street Indianapolis, IN
Cost: $30 or more donation to the Hoosier Veterans' Assistance Foundation of Indiana (www.hvaf.org)
http://indysec.blogspot.com/2011/02/unlock-indy-open-registration.html
Indiana Linux Fest
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP & CFT open now! http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html
DerbyCon
When: September 30 – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
ISDpodcast Mailing List: http://groups.google.com/group/isdpodcast
Information Security Leaders Survey: https://www.surveymonkey.com/s/isl-2011-certsurvey
Hackers for Charity Cookbook is asking the hacker community to contribute their best recipes to be included in a Hackers Cookbook. ALL PROCEEDS GO TO HACKERS FOR CHARITY!!! 100%
We have not picked a publisher yet, but we don’t imagine it will be difficult to find interest. (**hint hint.. interested publishers contact [email protected])
How: Simple. Just submit your best recipes to [email protected] for consideration.
Requirements:
1. Recipe and the story that goes with it.
2. Origin (country/region)
3. Pictures (optional, but desired)
4. Name, contact info and short bio. (Hacker nick will do, but if you want to benefit from the directory..)
We want to give something back to the contributors, so we plan to create a directory for the chefs in the book. We are hoping to receive recipes from all around the world. Yep! If you have some InfoSec friends in other countries, please tell them about this project. We welcome their contribution! The first round of submissions is due by 4/1/2011.
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories
Source: http://downloadsquad.switched.com/2011/03/10/ie8-and-safari-first-to-fall-at-pwn2own-2011-chrome-and-firefox
Pwn2Own, the annual three-day browser hackathon, has already claimed its first two victims: IE8 on Windows 7 64-bit, and Safari 5 on Mac OS X. Google Chrome looks set to survive for its third year in a row.
Internet Explorer 8 was thoroughly destroyed by independent researcher Stephen Fewer. "He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before," said Aaron Portnoy, the organizer of Pwn2Own.
Safari 5, running on a MacBook Air, was compromised in just five seconds by French security company Vupen. Both attackers netted $15,000 for successfully compromising a browser.
The contest continues today and tomorrow. Firefox 3.6 is yet to be attacked, and tomorrow will see the very first mobile browser deathmatch. Windows Phone 7, iOS, Android and RIM OS, all with their stock browsers, will be attacked by security researchers to find out just how secure mobile browsing is. Again, $15,000 is available for the first person or team to compromise each of the browsers.
Google, Apple and Mozilla, incidentally, all rolled out updates to their browsers just before Pwn2Own. It was not a coincidence.
The FBI broke the news to executives at DuPont Co. late last year that hackers had cracked the company’s computer networks for the second time in 12 months, according to a confidential Dec. 9, 2010, e-mail discussing the investigation.
About a year earlier, DuPont had been hit by the same China-based hackers who struck Google Inc., and unlike Google, DuPont kept the intrusion secret, internal e-mails from cyber-security firm HBGary Inc. show. As DuPont probed the incidents, executives concluded they were the target of a campaign of industrial spying, the e-mails show. The attacks on DuPont and on more than a dozen other companies are discussed in about 60,000 confidential e-mails that HBGary, hired by some of the targeted businesses, said were stolen from it on Feb. 6 and posted on the Internet by a group of hacker-activists known as Anonymous. The companies attacked include Walt Disney Co., Sony Corp., Johnson & Johnson, and GE, the e-mails show.
The incidents described in the stolen e-mails portray industrial espionage by hackers based in China, Russia and other countries. U.S. law enforcement agencies say the attacks have intensified in number and scope over the past two years. “We are on the losing end of the biggest transfer of wealth through theft and piracy in the history of the planet,” said Democratic Senator Sheldon Whitehouse of Rhode Island, who chaired a U.S. Senate Select Committee on Intelligence task force on U.S. cyber security in 2010. Its classified report addressed weaknesses in network security.
FBI Deputy Assistant Director Steven Chabinsky, who works in the agency’s cyber division, said it would be hard to imagine that the scale of the current range of cyber attacks could grow larger. “It appears that every industry is being victimized by intrusions,” he said. The companies identified by Bloomberg News from the e-mails never disclosed the security breaches to investors or regulators. Secrecy may be a reason why the dangers of the intrusions are “underappreciated” by investors and regulators, Whitehouse said in an interview.
“The companies don’t want to disclose it,” he said. “They want to just basically eat the harm that was done to them and pretend that all is well.” HBGary, based in Sacramento, California, is one of a handful of cyber-security firms, including Santa Clara, California-based McAfee Inc. and Alexandria, Virginia-based Mandiant Corp., that are hired by global companies to investigate illegal computer break-ins and advise on how to prevent them. HBGary shares its forensic findings with other security firms and got information on undisclosed break-ins in return, the e-mails show.
The attacks on DuPont were disclosed in some of the stolen HBGary e-mails, which Bloomberg News examined. “DuPont’s concern and comfort factor was puckered when they received external notice of breach by FBI,” Jim Butterworth, HBGary’s vice president for services, wrote colleagues on Dec. 9, 2010, regarding the second attack. “DuPont likes that we have close ties to them and other three letter agencies.”
Earlier, a DuPont internal investigation had discovered that some of its computers were implanted with spyware during a business trip to China where the PC’s were stored in a hotel safe, according to a Feb. 4, 2010, e-mail by HBGary’s Rich Cummings. “To DuPont it’s personal,” HBGary investigator Bob Slapnik wrote after a meeting with company managers in December 2009. “They believe their bad guys are the Chinese who want to catch up and leapfrog them in the global marketplace.” The attacks were done by hackers who represented “people, organizations and countries that strive to do them harm,” in the view of DuPont managers, Slapnik wrote.
A spokesman for China’s embassy in Washington, Wang Baodong, said China is a victim of hacking attacks and “the wrong target of unwarranted blame.” Its government supports international efforts to fight hacking, he said by e-mail. DuPont spokesman Dan Turner said the company doesn’t comment on “cyber security-related risks.” Johnson & Johnson spokeswoman Carol Goodrich declined to comment. Representatives of Disney and GE didn’t return phone calls and e-mails seeking comment. A Sony spokeswoman declined to comment and asked not to be identified because of company policy. Among HBGary’s clients was Houston-based drilling company Baker Hughes Inc., which said it was hacked recently as part of a wide assault on energy companies. Baker Hughes provides advanced drilling equipment and proprietary techniques for assessing the quality and accessibility of oil reserves.
HBGary Chief Executive Officer Greg Hoglund wrote in a January e-mail that his company had been tracking cyber attacks against oil and gas companies aimed at “stealing competitive bids, architectural plans, project definition documents, functional operational aspects to use in competitive bid situations from Siberia to China.” Hoglund wrote in the January e-mail that “when dealing with energy bids the potential loss is billions.” Butterworth, the HBGary vice president, said the company won’t comment on the e-mails, except to say it was the victim of a crime and the e-mails were stolen. A Baker Hughes spokesman, Gary Flaharty, confirmed in an interview last month that his company’s networks were breached. Baker Hughes decided the intrusion was not a material event and so didn’t file a disclosure with U.S. regulators, he said.
A previous review of HBGary e-mails by Bloomberg News showed hackers also stole proprietary data from Exxon Mobil Corp., Royal Dutch Shell Plc, BP Plc, ConocoPhillips, and Marathon Oil Corp, as well as Morgan Stanley. In e-mails mentioning Sony, J&J, GE and other companies, there’s little detail on what was taken or how deeply the hackers penetrated. Much of the e-mail traffic involved the technical work of hunting hackers who have infiltrated computer networks with stealthy tools. HBGary investigator Sam Maccherola said in an e-mail to two company colleagues that Sony had asked for help in dealing with an attack that “looks relatively nasty.”
In the case of GE, disclosure was enough of a concern that the company’s lawyers reviewed whether to approve the release of malware — malicious software — found on their network so that HBGary investigators could analyze it, the e-mails show. Hackers also appear to be widening their targets, stealing information from vendors or contractors that may have strategic data about their clients, including public relations and law firms, Chabinsky said.
Among those attacked, the e-mails show, was Atlanta-based King & Spalding LLP, the 38th biggest law firm in the country in 2010, according to the National Law Journal. The e-mails don’t indicate what information the hackers targeted. Among King & Spalding’s practice specialties is corporate espionage, according to the firm’s website. Les Zuke, spokesman for King & Spalding, didn’t return phone calls seeking comment.
HBGary investigators routinely worked 60 to 80 hours a week to plug holes in networks, often exchanging information about the attacks with other cyber-security firms, as companies fretted they were losing secret data, the e-mails show. “I’ve been battling with APT for the last 6 months,” Matthew Babcock, an employee of the CareFirst BlueCross BlueShield, a health insurance provider in Maryland and Washington, wrote in an e-mail to HBGary investigators as he sought help with the intrusion. APT refers to an “advanced persistent threat,” a sophisticated form of hacking that is difficult to identify and remedy.
“I am sure they are watching me just as I am watching them,” Babcock said.
Security experts say that the hackers’ techniques now surpass the ability of even the most sophisticated companies to catch them easily. The e-mails show that hackers routinely bypassed firewalls with so-called spear-phishing e-mails that target executives, tricking the companies’ own employees into downloading malicious software and infecting their own networks. “You can’t buy enough security to match the threat today,” said Anup Ghosh, chief executive officer of the cyber security firm Invincea Inc.
QinetiQ Group Plc, a London-based defense company, found out its secure network had been breached after the FBI noticed suspicious traffic between the Pentagon contractor and an unidentified U.S. government agency, an HBGary report attached to an e-mail shows. The company’s investigation, which HBGary aided, found that the hackers may have gone unnoticed within the breached network for more than a year. “Given that we continue to find malware from early 2009 it may be a matter of them never having left,” one HBGary investigator wrote in September, as the company struggled to contain the intrusion.
“We’ve made changes to ensure we secure everything as well as possible,” said Sophie Barrett, a QinetiQ spokeswoman. “We’d rather not continue to give the story life,” she said, declining to comment further. The investigators followed the hackers’ electronic footprints from QinetiQ to a command-and-control server that appeared to be directing attacks against at least three other Pentagon contractors, including Alliant Techsystems Inc., which makes smart weapons.
A spokesman for Minneapolis-based Alliant, Bryce Hallowell, declined to comment on cyber security matters. “They only steal ITAR restricted data,” HBGary’s CEO wrote in an October 2010 e-mail to the FBI, alerting the agency to the other possible breaches. ITAR refers to International Traffic in Arms Regulations, which limit exports of critical defense-related technology. The FBI supervisor responded that he would send an agent over from the Sacramento office immediately for more information. “I like to avoid unencrypted e-mail if possible,” the agent wrote back.
The Pentagon has asked for an investigation into threats made by the Anonymous hacking collective against officials at Quantico, the Marine brig that is holding accused WikiLeaker Pfc. Bradley Manning.
The probe was requested following news reports that members of Anonymous were discussing ways to avenge the 23-year-old Manning, who is being forced to strip naked each night while held in solitary confinement and stand at attention in the morning. According to a report published on Monday by Forbes, Anonymous griefers have singled out Department of Defense Press Secretary Geoff Morell and Chief Warrant Officer Denise Barnes as targets.
The goal of the campaign, dubbed “Operation Bradical,” is to “dox” the two officials, which Forbes says is Anonymous lingo for compiling crowdsourced documentation about the individuals with the goal of using it for mass harassment. Reporting the individuals to the police for drug or sex offenses, tricking their ISPs into canceling service, and “messing with their social security numbers” are all on the table, according to the report.
According to a report published on Tuesday by AFP, Pentagon officials have alerted law enforcement agencies to the reported threats.
While Anonymous is best known for orchestrating DDoS, or distributed denial of service, attacks on the websites of groups its members criticize, the group recently perpetrated a devastating hack against the servers of security firm HBGary. The breach, which exposed tens of thousands of proprietary emails discussing the private matters of clients, came shortly after HBGary CEO Aaron Barr told The Financial Times he planned to unmask the leaders of Anonymous in the next few days.
According to Forbes, Operation Bradical demands that Manning be given “sheets, blankets, any religious texts he desires, adequate reading material, clothes, and a ball.”
According to a blog post published on Saturday by Manning's attorney:
"The Brig has stripped PFC Manning of all of his clothing for the past three nights, and they intend to continue this practice indefinitely. Each night, Brig guards force PFC Manning to relinquish all of his clothing. He then lies in a cold jail cell naked until the following morning, when he is required to endure the humiliation of standing naked at attention for the morning roll call. According to Marine spokesperson, First Lieutenant Brian Villiard, the decision to strip him naked every night is for PFC Manning's own protection. Villiard stated that it would be "inappropriate" to explain what prompted these actions "because to discuss the details would be a violation of PFC Manning's privacy."
Manning, who has been incarcerated since July, has spent much of that time under suicide watch or prevention-of-injury designations. Among other things, they require him to be confined to a 6-by-12-foot cell with a bed, a drinking fountain, and a toilet for about 23 hours a day, and heavily restrict him from reading or exercising. Guards check on him every five minutes by asking him if he's OK. Manning is required to respond in some affirmative manner.
South Korea experienced GPS jamming as part of the attacks that occurred last Friday. These are suspected of being the work of North Korea and have led to a flood of speculation among experts about possible future provocations by the North. Some now fear that it could resort to simultaneous cyber attacks against South Korean power, traffic, communication, military and other state infrastructure.
GPS Jamming: Most of us only think about GPS jamming as something to worry about in wartime. Think again! GPS works by receiving radio signals broadcast by satellites on a single known frequency, 1575.42 MHz, so all it takes to disrupt it is to generate a signal or broadcast noise on that frequency. The dominant provider is still the US military's NavStar network, with at least 24 satellites operating at any given time, positioned so that at least four are visible from anywhere on the planet's surface. Each satellite continually broadcasts its location and the time as measured by its on-board atomic clock. A GPS receiver compares that time with its own clock and calculates how far it must be from each satellite. Because the receiver's own clock is cheap and its offset from satellite time is unknown, that offset is a fourth unknown alongside the three position coordinates; once the receiver locks on to at least four satellites and has accounted for errors, it can solve for its precise location. Nowadays, many receivers also use GPS for cheap and convenient access to the accurate time given by the satellites' clocks.
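A worked example of the receiver-side calculation described above, added here and not part of the original show notes: four pseudoranges, four unknowns (x, y, z and the receiver clock offset), solved by Newton iteration from a guess at Earth's centre. The satellite positions, receiver location and clock offset are constructed values, not real ephemeris data.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed ECEF satellite positions in metres, about 26,570 km from
# Earth's centre (GPS orbit radius). Not real ephemeris data.
SATELLITES = [
    (18_280_000.0, 6_560_000.0, 18_150_000.0),
    (26_000_000.0, 0.0, 5_000_000.0),
    (5_000_000.0, 20_000_000.0, 17_000_000.0),
    (10_000_000.0, -10_000_000.0, 22_500_000.0),
]

def pseudoranges(sats, receiver, clock_bias_s):
    """What the receiver measures: true range plus c times its clock offset."""
    return [math.dist(s, receiver) + C * clock_bias_s for s in sats]

def solve_4x4(a, b):
    """Gauss-Jordan elimination with partial pivoting for a 4x4 system."""
    n = 4
    m = [list(row) + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fix_position(sats, rho, iterations=20):
    """Newton iteration on the unknowns (x, y, z, c*bias), starting from
    Earth's centre. Each step linearises the range equations and solves
    the 4x4 system; four satellites give exactly four equations."""
    est = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iterations):
        jac, resid = [], []
        for (sx, sy, sz), r in zip(sats, rho):
            dx, dy, dz = sx - est[0], sy - est[1], sz - est[2]
            rng = math.sqrt(dx * dx + dy * dy + dz * dz)
            resid.append(r - (rng + est[3]))  # measured minus predicted
            jac.append([-dx / rng, -dy / rng, -dz / rng, 1.0])
        step = solve_4x4(jac, resid)
        est = [e + s for e, s in zip(est, step)]
        if max(abs(s) for s in step) < 1e-6:
            break
    return (est[0], est[1], est[2]), est[3] / C

if __name__ == "__main__":
    true_pos = (4_380_000.0, 1_570_000.0, 4_350_000.0)  # constructed, on Earth's surface
    pos, bias = fix_position(SATELLITES, pseudoranges(SATELLITES, true_pos, 1.5e-4))
    print("position error (m):", math.dist(pos, true_pos), "clock bias (s):", bias)
```

Dropping any one satellite leaves three equations for four unknowns, which is why a fix needs four satellites even though position alone has three coordinates.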