Your daily source of Pwnage, Policy and Politics.

Episode 366 – GeoHot, LIGATT, Poo, Skype Vuln, CoreFlood & NH Bank

 

ISDPodcast Episode 366 for April 15, 2011.  Tonight's podcast is hosted by Rick Hayes, Varun Sharma, Karthik Rangarajan, and Geordy Rostad.

Announcements:

12th Annual Linux Fest Northwest
When: Saturday April 30th & Sunday May 1st, 2011
Where: Bellingham Technical College
http://www.linuxfestnorthwest.org

CarolinaCon
When: April 29th, 30th, and May 1st, 2011
Where: Holiday Inn – Glenwood Avenue in Raleigh, NC
http://www.carolinacon.org/

8th Annual Charlotte ISSA Security Summit (featuring Ed Skoudis, Paul Asadoorian, and Chris Hadnagy)
When: May 5th, 2011 08:00 – 17:00
Where: Charlotte, NC
http://www.charlotteissa.org/content/8th-annual-charlotte-issa-security-summit-featuring-ed-skoudis-paul-asadoorian-and-chris-had

SANS Mentor:  Security 401: SANS Security Essentials Bootcamp Style (Matthew Romanek)
When: Thursday, May 5, 2011 – Thursday, July 7, 2011
Where: Federal Way, WA 
http://www.sans.org/mentor/details.php?nid=24569
Discount Code:  MRPOD10 for 10% savings

SANS: SANS Security 504: Hacker Techniques, Exploits & Incident Handling (Dave Shackleford)
When:  Sunday, May 15, 2011 – Friday, May 20, 2011
Where: Baltimore, MD
http://www.sans.org/cyber-guardian-2011/description.php?tid=243

My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011

5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP open now!

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

#BSidesLV
When: August 3-4, 2011
Where: Las Vegas, Nevada
http://www.securitybsides.com/w/page/37015560/BSidesLV-2011

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP & CFT open now!  http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Stories

Source:  
Lil’ Chris has been identified and we have been able to capture a photo of him.

Source: http://www.theregister.co.uk/2011/04/11/sony_geohot_settle_playstation_suit/

Sony has agreed to drop a lawsuit against a hacker who published the secret key used to jailbreak the PlayStation 3, in exchange for promises he will drop all future attempts to unlock the game console.

The agreement ending Sony's controversial legal attack on George Hotz, aka GeoHot, was laid out in a permanent injunction filed in federal court on Monday. In it, Sony agreed to dismiss the lawsuit, and the New Jersey-based hacker promised to permanently cease any “unauthorized access to any Sony product”. That means Hotz may never reverse engineer, or disassemble any portion of the product, use any tools to bypass its encryption or security, or design or distribute unauthorized software or hardware for use with a Sony product.

US District Judge Susan Illston, who is presiding over the case, must still approve the settlement for it to be final.

"I am not able to speak on this matter without breaching my settlement agreement,” the 21-year-old Hotz wrote in an email to The Register. “Therefore, I have no comment other than this one. With that said, I do not like censorship, and I do not like censoring myself. Rest assured I am still fighting the good fight, in the best way I know how."

Riley Russell, General Counsel for Sony Computer Entertainment America said in a blog post that the company was satisfied with the agreement.

“Our motivation for bringing this litigation was to protect our intellectual property and our customers,” Russell said. “We believe this settlement and the permanent injunction achieve this goal.”

Sony filed the lawsuit in US District Court in San Francisco in January that targeted Hotz and 100 other hackers who independently published technical details used to run PlayStation games and applications not authorized by the Japan-based console maker. Sony accused Hotz of violating provisions of the Digital Millennium Copyright Act that prohibit the trafficking of “circumvention devices” that bypass technology designed to prevent access to copyrighted material.

Sony filed the complaint after Hotz deduced and published the secret “metldr” key that allows the rooting of the PS3. Ironically, it was the secret related key that was tweeted a month later on an official Sony Twitter account reserved for public relations.

The lawsuit represented a major PR problem for Sony because it enraged some of the PS3's most loyal fans, who said they wanted to restore Linux functionality to the console after Sony abruptly removed it.

The critics argued they should be free to modify hardware they legally purchased without running afoul of the DMCA, which carries stiff criminal and civil penalties for violations. Indeed, the US Copyright Office has exempted the jailbreaking of iPhones from the statute, but that move had no bearing at all on the unlocking of game consoles.

During the lawsuit, Sony gained access to Hotz's PayPal, YouTube and Twitter accounts, and also won the right to view the IP addresses of anyone who visited his website for more than two years. Sony also won an order requiring Hotz to turn over his computer and hard drives and remove all online postings about his PS3 hack.

While the settlement is likely to end the most controversial battle in Sony's campaign to control how customers use the console, other skirmishes continue. One pending lawsuit brought by PS3 customers challenges Sony's removal of the “otherOS” feature that allows it to run Linux applications. While a judge recently gutted most of that suit, plaintiffs' attorneys have since amended their complaint, giving them another shot. In February, a German PS3 hacker published a jailbreaking “bible” after Police raided his home.

What's more, Sony has yet to announce any settlement with members of a hacking collective known as fail0verflow, which spoke about hacking the PS3 at the Chaos Communication Congress in late December. The fail0verflow members were named as Does in the same suit that targeted GeoHot.

So while Sony's campaign against PS3 hackers is likely to become much lower profile, don't expect it to end anytime soon.

Source:  https://www.infosecisland.com/blogview/12959-Worlds-Greatest-Hacker-Sanctioned-in-Worlds-Worst-Lawsuit.html

A Superior Court judge in Georgia has further sanctioned LIGATT Security and its majority owner Gregory Evans for what amounted to frivolous subpoenas and other illegitimate legal actions.
LIGATT Security had suffered an embarrassing hack in January that resulted in the public release of as many as 80,000 company emails and internal communications.
The breach and the details revealed in the leaked communiques were covered by several bloggers and online organizations including LIGATTLeaks and Attrition.org.

Evans and LIGATT Security have now been ordered by the court to pay fines and legal fees to multiple defendants in the case.
The Final Order and Judgment issued in the case, similar to others handed down by the court, states:

“The Court finds that Plaintiffs filed this case as a pretext for a discovery fishing expedition, which Plaintiffs conducted through the illegal means described in the Court’s prior Order Awarding Fees.

The Court bases this finding on the reasons stated on the record during the March 28, 2011 hearing (as reflected in the transcript thereof), and on (a) the testimony of Plaintiff Evans respecting his intentions for filing this case; (b) the fact that Plaintiffs never filed a written response to any motion filed by Defendants; (c) the fact that, after multiple hearings, Plaintiffs finally stated in open court that they did not oppose the relief requested in the Motion to Dismiss; and (d) the fact that, after the Court entered its Order Awarding Fees, which quashed Plaintiffs’ illegal subpoenas, Plaintiffs voluntarily dismissed this case to pursue litigation in other courts.

Based on the foregoing, the Court finds that, by improper conduct including, without limitation, the issuance of illegal subpoenas, Plaintiffs unnecessarily expanded this proceeding, which was itself initiated and conducted without substantial justification, for the purposes of harassment, and as part of an illegal discovery fishing expedition.”

For the reasons stated in the Order Awarding Fees and further pursuant to O.C.G.A. § 9-15-14(b), Defendant Morris is entitled to an award of reasonable and necessary attorneys’ fees and expenses incurred in preparing and pursuing both his Motion to Dismiss and Motion to Quash.
Security industry pundits have been highly critical of both LIGATT and Gregory Evans, the self-proclaimed "world's greatest hacker", who has been the subject of well-documented allegations of plagiarism and questionable business practices.

"Greg Evans has hopefully finally learned that the use of the courts system as a means to silence his critics is a costly one… to himself," defendant Scot Terban told Infosec Island.

"Frankly, if Mr. Evans wants to be considered a credible source of information or technical security, he needs to actually work at getting certifications and accrue respect through solid work within the community. Until he does this, he will always have critics that will call him a charlatan," Terban said.

Source: http://www.theregister.co.uk/2011/04/14/federal_research_hacker_guilty/

A Malaysian national has admitted hacking a computer network operated by the US Federal Reserve Bank and possessing stolen payment card data.

Lin Mun Poo, 32, entered a guilty plea on Wednesday in US District Court in Brooklyn. In November, prosecutors brought a four-count indictment against him that charged him with fraud, aggravated identity theft, unlawful transmission of computer code, and unauthorized access involving government information.

According to prosecutors, Poo made a career of hacking financial institutions, defense contractors and corporations and selling the data he stole. Among his victims was FedComp, a data processor for more than 2,500 credit unions. The attack allowed Poo to access data from multiple credit unions across the country.

He was arrested in October a few hours after arriving at John F. Kennedy International Airport in New York. Federal agents recovered a “heavily encrypted laptop computer” that included account data for more than 400,000 credit card, debit card and bank account numbers, prosecutors said in court documents. Just prior to apprehending Poo, agents observed him selling stolen credit card numbers for $1,000 at a diner in Brooklyn.
Poo pleaded guilty only to the charge of access device fraud, but admitted hacking into the Federal Reserve and installing malicious code on a server. He faces a maximum of 10 years in prison. Sentencing is scheduled for September.

Source:  http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more

Justin Case at AndroidPolice.Com says he has discovered a major flaw in some versions of Skype for Android which could affect up to 10 million Skype for Android users.
The vulnerability stems from how Skype stores data, such as your contacts, profile, instant message logs, and more. Case says that Skype mistakenly left these files completely unencrypted and with improper permissions, allowing anyone or any application to read them.
Case says it’s possible that a rogue developer could modify an existing application with code to exploit the vulnerability and distribute the application via the Android Market. From there, Case says, “just watch as all that private user information pours in.”
Skype Mobile for Verizon appears to be safe and not to have the vulnerability. I have contacted Skype and am waiting for a response. Justin Case put together a good blog post describing the vulnerability in more detail on a technical level.

Inside the Skype data directory is a folder with the same name as your Skype username, and it’s here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases.

# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152  app_152 331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152  app_152 119528 2011-04-13 00:08 main.db-journal
-rw-rw-rw- app_152  app_152 40960 2011-04-11 14:05 keyval.db
-rw-rw-rw- app_152  app_152  3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152  app_152       2011-04-11 14:05 voicemail
-rw-rw-rw- app_152  app_152     0 2011-04-11 14:05 config.lck
-rw-rw-rw- app_152  app_152 61440 2011-04-13 00:08 bistats.db
drwxrwxrwx app_152  app_152       2011-04-12 21:49 chatsync
-rw-rw-rw- app_152  app_152 12824 2011-04-11 14:05 keyval.db-journal
-rw-rw-rw- app_152  app_152 33344 2011-04-13 00:08 bistats.db-journal

Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but completely unencrypted.
But how do we find this directory from another app if we don’t know the username? Well, Skype stores the username in a static location; we can parse this file, get the username, and find the path to Skype’s stored data.

# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
-rw-rw-rw- app_152  app_152 56136 2011-04-13 00:07 shared.xml
# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
 <Default>jcaseap</Default>

The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.

Source: http://www.cutimes.com/2011/04/15/us-dept-of-justice-shuts-down-coreflood-botnet
Source: https://www.infosecisland.com/blogview/12992-US-Department-of-Justice-and-FBI-Foil-Botnet-Operation.html

Earlier this week we talked about the U.S. Department of Justice and FBI having disabled Coreflood.  Coreflood is a botnet that’s infected more than 2 million private computers.  It seems that we were focused so much on the time that it took to bring down the botnet that we neglected to point out that the DoJ and FBI actually seized and replaced the five Coreflood C&C servers as well as the 29 domain names used by the botnet.

Coreflood has compromised numerous bank accounts by stealing victims’ user names, passwords and other personal financial information. The malware is designed to record keystrokes and control a victim’s computer remotely via one of its command and control servers.

The temporary restraining order (TRO) that was issued allowed U.S. authorities to send each infected computer a command that would shut off the malware’s operations, according to the government.

“The actions announced <snip> are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware.”  According to reports by Wired, the non-profit organization Internet Systems Consortium would replace the botnet’s servers, collect the IP addresses of computers infected by the malware and execute the “stop” commands to the infected computers under government supervision.

The government promised that the Coreflood intervention would not compromise infected computer users’ private information, stating, “At no time will law enforcement authorities access any information that may be stored on an affected computer.”

Source: http://english.donga.com/srv/service.php3?bicode=040000&biid=2011041541348

Prosecutors have begun an investigation into the National Agricultural Cooperative Federation, also called Nonghyup or NH Bank, which has suffered a major network crash. The Financial Supervisory Service will start a probe into this as early as Friday.

Prosecutors said Thursday that they suspect an outside hacker disrupted Nonghyup’s network system. The federation has yet to pinpoint the cause of the crash since the incident occurred three days ago.

The network has not been fully recovered yet, increasing the damage to its 30 million customers.

A cyber crime investigative team at the Seoul Central District Prosecutors’ Office said Thursday that it confiscated an IBM Korea employee’s laptop and relevant electronic records. Prosecutors say an expert hacker probably accessed the bank server via this laptop because the laptop was connected to the external Internet for 24 hours.