Your daily source of Pwnage, Policy and Politics.

Episode 385 – Michaels’ POS, ZeusLeaks, FOIA FTW, OpenID, Encryption Understanding & NASA

InfoSec Daily Podcast Episode 385 for May 12, 2011. Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:

Rocky Mountain Information Security Conference
Co-hosted by the Denver ISSA and ISACA Chapters
When: May 12 – 13, 2011 (Pre-conference workshops on the 12th.)
Where: Denver, CO. Sheraton Downtown Denver.
http://www.rmisc.org

Central Ohio InfoSec Summit
When: May 12th and 13th, 2011
Where: Columbus, Ohio
http://infosecsummit.org
Adrian will be there

SANS: SANS Security 504: Hacker Techniques, Exploits & Incident Handling (Dave Shackleford)
When: Sunday, May 15, 2011 – Friday, May 20, 2011
Where: Baltimore, MD
http://www.sans.org/cyber-guardian-2011/description.php?tid=243

LayerOne 2011
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
http://www.layerone.org/

My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011

5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP open now!

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP & CFT open now! http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org

EFF:
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water, as well as exposing injustices caused by ignorant legislation and bad judgements. Please click the following link to donate to a vitally important cause:
http://action.eff.org/site/TR/Contest/Advocacy?team_id=1730&pg=team&fr_id=1060

Stories

Source: http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/

Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.

Investigators close to the case, but who asked to remain anonymous because they did not have permission to speak publicly, said that at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast.

In an alert (PDF) sent to customers, Irving, Texas-based Michaels Stores said it learned of the fraud after being contacted by banking and law enforcement authorities regarding fraudulent debit card transactions traced back to specific stores. The Beacon-News, a Chicago Sun-Times publication, last week cited local police reports from several victims, describing the typical fraud as multiple unauthorized withdrawals of up to $500 made from ATMs at banks on the West Coast. It remains unclear when affected stores were compromised.

It also is not clear yet how the fraudsters compromised the POS devices, or whether the devices were tampered with in-place, or were replaced with pre-compromised look-alikes. But investigators say the fraudsters have used the stolen data to create counterfeit cards that are used in tandem with stolen PINs to withdraw funds from ATMs.

Detective Jeff Stolzenburg of the Libertyville Police Department just north of Chicago, said most of the fraudulent withdrawals have taken place at cash machines in Las Vegas and other parts of the West. Stolzenburg estimates that actual card losses from the fraud are now in the millions of dollars, and said that the investigation has since been turned over to the U.S. Secret Service.

“The scope of this thing has been pretty wide, coast-to-coast,” Stolzenburg said. “We’re dealing with thousands and thousands of victims,” Stolzenburg said.

Stolzenburg added that the attacks on Michaels Stores are similar to the fraud perpetrated last year against Batavia, Ill.-based discount grocer Aldi Inc., which operates 1,110 stores in 31 states. Aldi disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August. A consultant who worked on that incident described the fraud as the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices.

Officials from Michaels Stores and the U.S. Secret Service declined to comment.

If you have purchased items from a Michaels store with a debit or credit card, you should watch your statements and account activity closely and report any suspicious or unauthorized activity.

Source: http://www.theregister.co.uk/2011/05/10/zeus_crimeware_kit_leaked/

Source code for the latest version of the ZeuS crimeware kit has been leaked on the internet, giving anyone who knows where to look free access to a potent set of malware-generation tools that normally sell for as much as $10,000.

Complete source code is available in at least three different locations, ensuring that it is now permanently available to the masses, Peter Kruse, a researcher with Danish firm CSIS Security, told The Reg. While the release could erode the paid market for the DIY malware kit, it could also spawn entire new kits that clone the existing code and build new features or services on top of it.

“The source code has until now been shared in very closed communities or bought by criminals with significant funds,” Kruse wrote in an email. “With the release of the entire code it's obvious we will see new versions/rebrands or improvements in general. If this grows outside of the established underground ecosystem it could have a significant impact.”

Selling in the criminal underground for anywhere from $2,000 to $10,000, ZeuS is best known as a tool for developing customized trojans that send victims' banking credentials to servers under control of the attacker. Premium versions include technical support and advanced features, such as the ability to bypass two-factor authentication offered by some financial institutions. Although there are rival crimekits such as one dubbed Eleonore, ZeuS is considered one of the most powerful and widely used of them.

But over the past year, ZeuS has undergone a fair amount of upheaval. In September, security researcher Billy Rios disclosed a serious vulnerability in ZeuS that allows whitehats and blackhats alike to seize control of botnets built using the crimekit. Around the same time, authorities in the UK, US and Eastern Europe accused dozens of individuals of laundering millions of dollars siphoned out of ZeuS-compromised bank accounts.

More recently, researchers have found evidence that the ZeuS code base has been merged with a separate crimekit known as SpyEye. And in March, CSIS's Kruse discovered ZeuS source code for sale in underground forums.

The general release of the ZeuS source code makes it all but certain that no one will pay money for the standalone version of the program, at least until its creators add must-have features to it that aren't available now. It's not clear who released the code or why.

ZeuS's growing pains resemble in many ways the challenges legitimate software packages experience as they grow in popularity.

“I do like the fact that as these crimeware softwares become more mature, the developers and maintainer will start to face the same challenges as traditional software – security patches, piracy, protecting IP, feature requests, even PR,” said Rios, who is a former security researcher for Microsoft. “I find this funny having spent some of my life worrying about the same issues as a proper security/software engineer.”

Geordy’s comments: There is a growing concern that some newer versions of Zeus will start showing up on the market and they will be backdoored so your shiny new botnet can be stolen from you after you grow it to a sufficient size. Also, I found this nifty flowchart showing how the C++ and header files are all intertwined.

Source: http://www.aclu.org/blog/national-security/fbi-if-we-told-you-you-might-sue-1

Often when the government tries to suppress information about its surveillance programs, it cites national-security concerns. But not always.

In 2008, a few years after the Bush administration's warrantless-wiretapping program was revealed for the first time by the New York Times, Congress passed the FISA Amendments Act. That act authorizes the government to engage in dragnet surveillance of Americans' international communications without meaningful oversight. As we've explained before (including in our lawsuit challenging the statute), the FISA Amendments Act is unconstitutional.

In 2009, we also filed a Freedom of Information Act request to learn more about the government's interpretation and implementation of the FISA Amendments Act. Last November, the government released a few hundred pages of heavily redacted documents. Though redacted, the documents confirmed that the government had interpreted the statute as broadly as we had feared and even that the government had repeatedly violated the few limitations that the statute actually imposed.

Two weeks ago, as part of our FOIA lawsuit over those documents, the government gave us several declarations attempting to justify the redaction of the documents. We've been combing through the documents and recently came across this unexpectedly honest explanation from the FBI of why the government doesn't want us to know which "electronic communication service providers" participate in its dragnet surveillance program. On page 32:

There you have it. The government doesn't want you to know whether your internet or phone company is cooperating with its dragnet surveillance program because you might get upset and file lawsuits asserting your constitutional rights. Would it be such a bad thing if a court were to consider the constitutionality of the most sweeping surveillance program ever enacted by Congress?

Source: http://www.theregister.co.uk/2011/05/09/openid_security_bug/

OpenID has warned of bugs in its authentication technology that create a possible means for hackers to modify data sent between sites.

The flaw is noteworthy because many high-profile sites — including Google, Yahoo! and Flickr — use the technology so that once users have logged into one site, they aren't constantly prompted for passwords. Thousands of smaller sites also use the technology.

The security weakness stems from an implementation flaw in authentication exchange, an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. The bug meant that proper checks on whether authentication information had been correctly signed were not carried out in some cases, thus creating a mechanism for hackers to offer false information that is accepted as genuine.

The security bug has been confirmed in OpenID4Java and Kay Framework, but is not necessarily limited to them. Both libraries have been updated. Janrain, Ping Identity and DotNetOpenAuth are immune from the bug.
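The security point of this story is that a relying party must not trust extension attributes (the email address, name and so on carried by the OpenID Attribute Exchange extension) unless the response signature actually covers them. The following is an added example, not code from the page or from OpenID4Java, Kay Framework or any other library named above: a small OpenID 2.0 relying-party check in Python that verifies the HMAC-SHA256 signature over the fields listed in openid.signed and then accepts AX values only when their field names appear in that list, shown beside the naive reader that has the flaw. The association key, the OP and identity URLs and the two response dictionaries are constructed for the example.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 namespace URI of the Attribute Exchange (AX) extension.
AX_NS = "http://openid.net/srv/ax/1.0"
OPENID_PREFIX = "openid."


def kv_form(params, signed_fields):
    """Key-value form the signature covers: one 'field:value\\n' line per name in
    openid.signed, in that order. Raises KeyError if a listed field is absent."""
    return "".join(f"{field}:{params[OPENID_PREFIX + field]}\n" for field in signed_fields)


def sign(params, mac_key):
    """Base64(HMAC-SHA256) over the key-value form, as an OP with an
    HMAC-SHA256 association produces it. Used here to build the sample responses."""
    signed_fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_signature(params, mac_key):
    """True only if openid.sig matches the HMAC over exactly the fields openid.signed lists."""
    try:
        expected = sign(params, mac_key)
    except KeyError:  # a field named in openid.signed is missing: cannot verify
        return False
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def ax_alias(params):
    """Alias the OP chose for the AX namespace (e.g. 'ext1'), or None if AX is absent."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def naive_attributes(params):
    """The flawed pattern: read AX values straight out of the response without
    checking that openid.signed covers them. A valid core signature is not enough."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}


def signed_attributes(params, mac_key):
    """Hardened reader: verify the signature, then accept only AX values whose field
    names (and the namespace declaration itself) are listed in openid.signed."""
    if not verify_signature(params, mac_key):
        raise ValueError("signature check failed")
    alias = ax_alias(params)
    if alias is None:
        return {}
    signed = set(params["openid.signed"].split(","))
    if f"ns.{alias}" not in signed:
        raise ValueError("AX namespace declaration is not signed")
    prefix = f"openid.{alias}.value."
    attrs = {}
    for key, value in params.items():
        if key.startswith(prefix):
            if key[len(OPENID_PREFIX):] not in signed:
                raise ValueError(f"unsigned attribute rejected: {key}")
            attrs[key[len(prefix):]] = value
    return attrs


# Constructed association key; a real RP holds this from its association with the OP.
MAC_KEY = b"constructed-demo-association-key"

# Constructed positive assertion from a hypothetical OP at op.example.
_BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example/alice",
    "openid.identity": "https://op.example/alice",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.org",
}

# Correct response: the AX value field is among the signed fields.
GOOD = {**_BASE, "openid.signed": "ns,mode,claimed_id,identity,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"}
GOOD["openid.sig"] = sign(GOOD, MAC_KEY)

# Failure mode from the story: everything but the attribute value is signed, so the
# value can be altered after signing and the signature still verifies.
UNSIGNED = {**_BASE, "openid.signed": "ns,mode,claimed_id,identity,ns.ext1,ext1.mode,ext1.type.email"}
UNSIGNED["openid.sig"] = sign(UNSIGNED, MAC_KEY)
UNSIGNED["openid.ext1.value.email"] = "someone-else@example.org"  # altered, yet still "valid"

if __name__ == "__main__":
    print("naive reader, unsigned value:", naive_attributes(UNSIGNED))
    print("hardened reader, good response:", signed_attributes(GOOD, MAC_KEY))
    try:
        signed_attributes(UNSIGNED, MAC_KEY)
    except ValueError as exc:
        print("hardened reader, unsigned value:", exc)
```

The two checks that matter are in signed_attributes: the namespace declaration must itself be signed (otherwise the alias could be redirected) and every value field read must be named in openid.signed. Checking only that openid.sig is valid, as naive_attributes effectively does, is the class of mistake the story describes.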

Source: http://www.informationweek.com/news/security/encryption/229403079

One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.

Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by Ponemon Institute, and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.

Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they "would pay a premium" for related data security improvements, according to the study.

As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.

Source: http://www.computerworld.com/s/article/9216555/NASA_Stanford_sites_hit_by_search_engine_scammers

Scammers looking to flog cheap software have hacked Web pages on high-profile websites, including those belonging to NASA and Stanford University.

NASA, just a week away from its penultimate space shuttle launch, has now removed dozens of Web pages that popped up on its Jet Propulsion Laboratory website. They were used to flog low-cost versions of Adobe's Creative Suite and other products, according to cached versions of the pages, still viewable on Google.

The scammers loaded up the Web pages with nonsense text (a sample: "Edit buy adobe premiere pro cs4 some callouts and balloons to make this time it took you and saved you a long time") and links to many other hacked pages.

Affected sites included those for NASA, Stanford University, Syracuse University and Northeastern University. NASA had cleaned up its site Monday, but others, including Stanford, had not. Visitors to those sites could encounter the hacked pages even if they weren't looking for cheap software.