InfoSec Daily Podcast Episode 391 for May 20, 2011. Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, Geordy Rostad, Keith Pachulski, and Varun Sharma.
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011
Where: 116 Federal St., Sunny Pittsburgh, PA.
When: June 10, 2011
Where: Meriden, Connecticut
When: June 11, 2011
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com (email firstname.lastname@example.org for more info)
Begins after BSidesCT. Registration cost is $50.00.
2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
Adrian will be there.
When: Sept 19-22, 2011
Where: Brussels, Belgium
When: September 30th – October 2, 2011
Where: Louisville, KY
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don't know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights. They have helped countless hackers and security researchers get out of hot water, and they expose injustices caused by ignorant legislation and bad judgments. Please click the following link to donate to a vitally important cause:
Source: Coming Soon!
Another Ligatt? We have a huge Ligatt-style story that is just developing. We expect to have more news as it develops, but we certainly want you to know that some folks never sleep, and they will find those folks that are out there.
Apple officials have instructed members of the company's support team to withhold any confirmation that a customer's Mac has been infected with malware and not to assist in removing malicious programs, ZDNet's Ed Bott reported on Thursday.
He cited an internal document titled "About 'Mac Defender' Malware," which was last updated on May 16 and says that the trojan, which surfaced earlier this month and masquerades as legitimate security software for the OS X platform, is an "Issue/Investigation In Progress."
"AppleCare does not provide support for removal of the malware," the document, which was labeled confidential, stated. "You should not confirm or deny whether the customer's Mac is infected or not."
The memo's disclosure comes as the number of reported Mac attacks has skyrocketed, Bott said. According to an earlier article he published, he recently found more than 200 separate discussion threads on discussions.apple.com in which users complained of infections that caused their Macs to behave erratically.
"Porn sites just started popping up on my MacBook Pro," one user wrote. "Is this a virus? I have never had a virus on a Mac before and I have been using Macs for years. Please help!"
The con artists behind Mac Defender hook their victims by presenting Mac-using web surfers with images that depict an antivirus scan taking place on their machines. The images falsely claim users are infected with serious malware and urge them to download and install the antivirus package. Those who fall for the ruse are then infected. Similar scams have plagued Windows users for years, often to the delight and scorn of Mac and Linux fans.
According to a third article penned by Bott, AppleCare reps are seeing a four- to five-fold increase in the number of calls requesting support for rogue antivirus scams targeting the Mac.
Website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications, according to a survey by Barracuda Networks, Cenzic and the Ponemon Institute.
According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.
“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks.
“The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall,” he added.
“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”
Other key findings in the study include:
- Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
- Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component of compliance standards like PCI DSS.
- With 41 percent reporting they have 100 or more Web applications, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
- More than half (53 percent) expect their Web hosting provider to secure their Web applications.
- Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse proxy deployment is a better and more secure choice than a transparent bridge deployment.
"While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization has inadequate governance and usage policies."
Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to general Windows, IIS, ASP.NET and SQL Server settings.
Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line-of-business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular Improving Web Application Security: Threats and Countermeasures, available at http://msdn.microsoft.com/en-us/library/ms994921.aspx. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as on any SQL Server instances running on that machine.
In this release of WACA we included some new features. They include:
- Suppressions – you can now suppress any rule you feel is not appropriate for your scan.
- Saving of suppression files – once you set up a suppression list you want to use you can save it off for future uses.
- You can change the suppressions and regenerate the report without needing to re-run the scan.
- Reporting – Updated the reporting section to include suppression information so you know what passed, failed, was not applicable and what was suppressed.
- Multiple reports – you can view multiple scans of the same machine or view a single machine’s scan and compare it to other machines.
- Export to the Microsoft RED format.
- Scan multiple systems and SQL instances in one bulk scan.
- Additional rules – we’ve added in additional SQL rules.
- And of course fixes for bugs that were missed in the last release.
Internet Protocol version 6 (IPv6) is coming soon to an enterprise near you, but few organizations have invested much time or effort into understanding how it works, never mind how to secure it. Yet enterprises could stand to learn something from the students and staff at Virginia Tech, which was recently lauded for an innovative new technology that secures IPv6 network communications.
A team from the Blacksburg, Va.-based university’s Information Technology Security Laboratory was recognized by the National Homeland Defense Foundation, which is a nonprofit forum for responding to terrorism tactics and natural disasters, for creating a security tool called Moving Target IPv6 Defense (MT6D).
MT6D addresses one of a number of IPv6 security concerns that don't exist in IPv4. In short, a global IPv6 address consists of two parts: a 64-bit network prefix and a 64-bit interface identifier (the host part). The first part is determined by the network; under stateless address autoconfiguration (SLAAC) the host part is, by default, derived from the device's MAC address using the modified EUI-64 format, so the MAC is embedded verbatim (with a flipped bit and 0xFFFE inserted in the middle) in the address.
According to Stephen Groat, a Ph.D. student in computer engineering at Virginia Tech, in this scenario a machine's IPv6 address exposes its MAC address, making the machine easy to track by a potential attacker.
“In IPv6, it takes centuries to scan a single subnet,” Groat said. “But once an attacker knows that MAC address, this lets an attacker pretty much do anything they want to a system.”
Groat said, with a little homework, attackers could use the IPv6 address to learn who the manufacturer of the system is, and also collect traffic over multiple sessions: Even when a device disconnects and reconnects, the MAC address portion of the IPv6 address remains unchanged.
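To make the tracking problem concrete, here is an added example (not code from the article or from the Virginia Tech team) that builds the SLAAC address a host would autoconfigure from its MAC, and then does the attacker's side of the work: recovering the MAC (and so the manufacturer's OUI) from an address, and linking two addresses on different networks to the same device. The prefix and MAC are constructed sample values.

```python
import ipaddress

# Constructed sample values for the example: a documentation prefix (RFC 3849)
# and a made-up MAC address. Neither comes from the article or the MT6D team.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1e:c2:aa:bb:cc"


def mac_to_eui64_iid(mac: str) -> int:
    """Build the modified EUI-64 interface identifier (RFC 4291, Appendix A)
    that SLAAC derives from a 48-bit MAC: split the MAC in half, insert
    0xFFFE between the halves, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # U/L bit: 0 in a globally unique MAC becomes 1 in the IID
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host would autoconfigure on `prefix` (a /64) with `mac`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64-derived address, or return None when the
    interface identifier lacks the 0xFFFE marker (for example a privacy-
    extension address per RFC 4941, where the identifier is random)."""
    iid_int = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = bytearray(iid_int.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    mac = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in mac)


def same_device(addr_a: str, addr_b: str) -> bool:
    """True when two addresses, possibly seen on different networks or in
    different sessions, embed the same MAC: the tracking problem Groat describes."""
    a, b = embedded_mac(addr_a), embedded_mac(addr_b)
    return a is not None and a == b


if __name__ == "__main__":
    home = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    work = slaac_address("2001:db8:ffff:9::/64", SAMPLE_MAC)
    print("home:", home, "work:", work)
    print("OUI:", embedded_mac(str(home))[:8])  # first three octets name the vendor
    print("same device:", same_device(str(home), str(work)))
```

The first three octets of the recovered MAC are the OUI, which is what lets an observer look up the manufacturer; the 0xFFFE check is also a cheap way to tell EUI-64 addresses from privacy-extension ones when triaging logs.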
There are mechanisms that exist today to obfuscate IPv6 client addresses to some degree, like the IPv6 privacy extensions (RFC 4941) enabled by default in Windows 7, but Groat said the Virginia Tech team wanted to protect both ends of a session: privacy extensions may protect clients, but servers can't change their addresses without terminating a session.
That's where MT6D comes in. It uses an algorithm that lets a pair of network hosts change their addresses dynamically in a way that each host can predict the other's next address, creating a network tunnel between them. The technology could be deployed as a stand-alone appliance on a network to secure a subnet or be built into specialized network devices like smart grid electric meters, but it's likely to be made available to vendors for inclusion in commercial networking and security products.
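The following is an added illustration of the idea described above, written for this page; it is not the MT6D team's code, and the exact construction MT6D uses is not given in the article. It assumes the two peers share a secret and each other's base interface identifier, derive a fresh identifier per time slot with a keyed hash, and tolerate one slot of clock skew so a rotation does not drop in-flight packets. The prefix, secret and identifiers are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed example values: a documentation prefix, a made-up shared secret and
# two made-up base interface identifiers. The rotation scheme is an illustration
# of the article's description, not the Virginia Tech MT6D implementation.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ALICE_IID = 0x021EC2FFFEAABBCC  # on a real host this would be the EUI-64 identifier
BOB_IID = 0x0250F1FFFE001122
ROTATION_SECONDS = 10  # how often both ends move to a new address


def rotated_iid(secret: bytes, base_iid: int, slot: int) -> int:
    """Interface identifier for one time slot: HMAC-SHA256 over the host's base
    identifier and the slot counter, truncated to 64 bits. Without `secret` an
    on-path observer cannot link one slot's address to the next."""
    msg = base_iid.to_bytes(8, "big") + slot.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def rotated_address(secret: bytes, base_iid: int, slot: int) -> ipaddress.IPv6Address:
    """Full address for a slot: the (unchanged) network prefix plus the rotated identifier."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) | rotated_iid(secret, base_iid, slot))


class Mt6dPeer:
    """One end of the tunnel. Both ends hold the same secret and each other's
    base identifier, so each can compute the other's address for any slot."""

    def __init__(self, secret: bytes, my_iid: int, peer_iid: int, skew_slots: int = 1):
        self.secret = secret
        self.my_iid = my_iid
        self.peer_iid = peer_iid
        self.skew_slots = skew_slots

    @staticmethod
    def slot(now: float) -> int:
        return int(now) // ROTATION_SECONDS

    def my_address(self, now: float) -> ipaddress.IPv6Address:
        """Address this host binds and sends from during the slot containing `now`."""
        return rotated_address(self.secret, self.my_iid, self.slot(now))

    def peer_address(self, now: float) -> ipaddress.IPv6Address:
        """Address this host sends to: the peer's address for the same slot."""
        return rotated_address(self.secret, self.peer_iid, self.slot(now))

    def accepts(self, dst: ipaddress.IPv6Address, now: float) -> bool:
        """Accept a packet addressed to us in the current slot or one slot either
        side, so a small clock offset between peers does not drop traffic mid-rotation."""
        current = self.slot(now)
        window = range(current - self.skew_slots, current + self.skew_slots + 1)
        return any(rotated_address(self.secret, self.my_iid, s) == dst for s in window)


if __name__ == "__main__":
    alice = Mt6dPeer(SHARED_SECRET, ALICE_IID, BOB_IID)
    bob = Mt6dPeer(SHARED_SECRET, BOB_IID, ALICE_IID)
    for t in (0, 10, 20):
        print(f"t={t:>2}s alice={alice.my_address(t)} bob={bob.my_address(t)} "
              f"bob_accepts={bob.accepts(alice.peer_address(t), t)}")
```

Two points worth noticing when running it: the prefix never changes, so this only hides which host inside the subnet is talking, and a peer that drifts more than `skew_slots` rotations from the other's clock is silently cut off, which is the operational cost the article's blacklist discussion hints at.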
While MT6D solves one IPv6 security problem, there are still a number of others. Few network security products today offer robust support for IPv6, Groat said, and those that claim to often haven’t been tested in a large-scale IPv6 environment like the Virginia Tech network, which has been in place since 2005 and features 30,000 nodes. Often, organizations have IPv6-enabled devices and don’t realize it, opening the door for malware to use IPv6 as an unmonitored back-channel. And that’s just for starters.
“We have someone here who also works for a hosting firm, and at the hosting firm they can’t turn on v6 support for their mail servers because they have v4-only blacklists,” Groat said. “So if they turn on v6, they’ll suddenly get all this spam. The other question is, ‘How do you create a blacklist for v6?’ Since hosts can change their addresses so frequently, do you block whole subnets? These are real problems people haven’t solved yet.”
Fortunately, with World IPv6 Day coming on June 8 – a one-day IPv6 connectivity awareness initiative where many global network and website operators like Google and Facebook will turn on IPv6, just to see what happens — everyone will get a chance to see what an IPv6 Internet looks like. Though some believe the event will mostly be a PR stunt and simply raise awareness for the upcoming transition across the Internet, count the Virginia Tech team among those who believe it could be a disruptive event.
"I think a lot of websites will break," said William Urbanski, a security analyst with the Virginia Tech IT security office. "I think end users are going to see misconfigurations on commercial ISPs."
Still, World IPv6 day and the MT6D tool should serve to help enterprise security teams ponder how their security tactics must evolve as IPv6 takes hold.
Norwegian military personnel were the targets of what's being described as a "massive" cyber attack this spring, one day after Norway started bombing Libya alongside other UN- and NATO-backed forces. Newspaper VG reported Thursday that the military fended off the attack, which was considered the most serious it had ever experienced.
It came in the form of an e-mail written in what was said to be "good Norwegian" that looked like it had been sent by another Norwegian government agency. It contained an attachment, however, that when opened unleashed a computer virus that could have opened up military PCs to the attackers.
Several hundred defense ministry employees received the same e-mail, reported VG. One employee opened the attachment, allowing the unknown attackers to gain access to that employee’s PC, but the virus was then quickly discovered and warnings issued.
The attackers didn’t succeed with further infiltration, claimed Major General Roar Sundseth, adding that they also failed to obtain classified information before the attack was discovered.
North Korea has as many as 30,000 electronic warfare specialists as part of the elite corps of the North's military, Fox News said Tuesday.
Quoting U.S. and South Korean intelligence, the U.S. network said Washington and Seoul believe that the U.S. CIA can match Pyongyang's capability in cyber warfare.
Fox quoted North Korean leader Kim Jong Il as telling his military several years ago, “Modern war is electronic warfare. Victory or defeat in a modern war depends on how to carry out electronic warfare.” He has since made cyber warfare a top albeit secret priority of his paranoid regime, it added.
Among the most frequent visitors to U.S. military websites are computers traced to North Korea, according to the U.S. Defense Department. Much like the clandestine nuclear program run by the rogue state, its cyber warfare capability is shrouded in secrecy.
May 21st begins “The Rapture of 2011”. This is the day that Jesus Christ will come back to earth (but probably not Kentucky) and resurrect the dead bodies of true “saved” Christians while simultaneously lifting still living Christians into the air, while plaguing the rest of us with earthquakes, floods, and locusts that will sting the shit out of us…FOR 5 FUCKING MONTHS! There will be a rapture party, clothing optional, at the Hard Rock in Las Vegas at 6 pm local time for those that are interested.
With all this talk of Rapture, it amazes me that there hasn't been any malware. Then it occurred to me that the event, or the notion of the event, is malware enough, and perhaps those hedonistic developers thought that maybe we needed a break. Maybe not, but only time will tell.