InfoSec Daily Podcast Episode 419 for June 30, 2011. Tonight's podcast is hosted by Rick Hayes, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.
2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011
SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
When: Sept 19-22, 2011
Where: Brussels, Belgium
When: September 30th – October 2, 2011
Where: Louisville, KY
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
CFP open now through July 1, 2011! Email submissions to Conference@gaissa.org
The ISD Podcast is participating in a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements. Please click the following link to donate to a vitally important cause:
Currently at $1913! We will quit bugging you soon about this fundraiser. The contest ends on July 5th so please get any donations you were planning to make in now!
Security firm Netragard has described an attack during which a modified computer mouse was used to infiltrate a client's corporate network. For this attack, the security experts equipped the mouse with an additional micro-controller with USB support (Teensy Board) to simulate a keyboard, and added a USB flash drive to the setup.
When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework. To bypass the target system's McAfee virus scanner, Netragard says it used a previously undisclosed exploit.
The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious. The client who ordered the pen test had excluded social engineering attacks via telephone, social networks and email, but Netragard managed to obtain a list of the company's employees via the Jigsaw service. The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.
Attacks that use specially modified USB devices have been around for a while; USB flash drives that are "accidentally" left lying around are often used in security tests. A current study by the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.
However, using a computer mouse for such an attack is a new idea. Corporate IT security staff may in future be faced with the problem of having to test peripheral devices before they can allow users to connect them to their PCs. Specially modified Android phones can also present themselves as keyboards, and take control, when they are connected to a PC.
Last year, the U.S. Navy bought 59,000 microchips for use in everything from missiles to transponders that turned out to be counterfeits from China.
Wired reports the chips weren't only low-quality fakes, they had been made with a "back-door" and could have been remotely shut down at any time.
If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.
Apparently foreign chip makers are often better at making cheap microchips and U.S. defense contractors are loath to pass up the better deal.
The problem remains with these "trojan-horse" circuits that can be built into the chip and are almost impossible to detect — especially without the original plans to compare them to.
The Intelligence Advanced Research Projects Agency (IARPA) is now looking for ways to check the chips to make sure they haven't been hacked in the production process.
Expect to see a whole lot more funding directed to this goal. Or, considering IARPA is the research and development section of the intelligence community — expect the money to be spent — don't expect to see where.
Adrian’s Note: Business Insider got it wrong. The chips were not trojaned (as far as anyone seems to know at least), it was just a hypothetical “What if”. Guess they misread the Wired piece, and it ended up like the childhood game of telephone. For more and better information on the case, see: http://www.wired.com/dangerroom/2011/06/chips-oy-spies-want-to-hack-proof-circuits/#more-49990
Ladies and gentlemen, the Web as we know it is about to be flipped upside down. And not in a good way.
Have you heard about this impending disaster? ICANN, the group that oversees the Internet's domain name system, has decided to expand the Web's set of available domain suffixes — you know, the end parts of Internet addresses, where you typically see .com or .net.
Instead of having a limited number of defined suffixes, as we do now, ICANN will soon let anyone apply for their own custom suffix — anything from .microsoft to .manscapingmadness. The suffixes can be as long as 63 characters, meaning I could conceivably move my website from jrstart.com to jr.dancing-chickens-bok-bok-so-many-tiny-feet-look-at-them-shimmy. In fact, I think I might.
Now, there is a catch: The new custom Internet suffixes will cost a cool $185,000 apiece. That's a good bit more expensive than the standard 15-dollar-ish dot-com registration you see out there today. ICANN says it'll also require applicants to prove they have a legitimate reason to own the suffix in question. (I won't go into details, but let's just say my dancing-chickens name is a shoo-in for approval.) The idea is that squatters won't be able to go out and steal companies' trademarks only to try to resell them a short time later.
That's all fine and dandy, but think about what a mess this is going to become. Sure, any average Joe won't be able to grab .ibm, but what's to stop 5,000 different companies from clamoring for .computer? And how confusing is this going to get from a user perspective?
As it stands right now, the vast majority of Web surfers barely understand the structure of a domain; most non-techie people just assume everything is dot-com. What's it going to be like when everyone's suddenly faced with — for a hypothetical example — apple.com, buy.apple, apple.buy, and apple.store? It's going to be a mess.
For businesses, it's going to be an expensive mess, too. Instead of focusing on the current 22 generic suffixes (.com, .net, .org, and so on), companies will be pressured to "own their brands" by buying up every custom suffix that might come in handy. If nothing else, they'll want to buy them simply to prevent someone else from doing so.
Would Microsoft, after all, want any other company to own .microsoft? How about .windows, .software, or .clippymustdie? Okay, that last one might be a stretch — but you get where I'm going here. The point is, no matter how you look at it, this is a Pandora's box with virtually no limits; the only guarantee is chaos, confusion, and costliness.
As users, the one thing we can hope is that this will turn into another Internet innovation the world generally ignores. Past attempts to expand our dot-com-centric society have been forgettable flops (how many people do you know who regularly type .jobs, .museum, or .travel addresses into their browsers?). There's a good chance this could become another revolution in theory that's a failure in practice.
Still, I'm gonna go ahead and grab that dancing-chickens domain just to be safe. If anyone has $185,000 I can borrow, please let me know.
Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google.
The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, he said Tuesday. He contacted Patrick Gray with security blog Risky Biz, which reported that the SQL database contained the details for 300,000 Sosasta account holders.
A Groupon spokesman confirmed that the digital coupon distributor “was alerted to a security issue” on Thursday night and corrected the problem immediately. The issue was limited to Sosasta, which uses its own servers and network and isn't connected to Groupon's systems in other countries.
“We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible,” the spokesman said in a statement. “We will keep our Indian subscribers fully informed as we learn more.”
At time of writing, there was no advisory on either the Groupon or Sosasta websites, although Sosasta's Facebook page contained a notice that came in the form of a JPG image that couldn't easily be indexed by Google or other search engines. Ah the irony.
According to Risky Biz, Grzelak found the massive cache as he was looking for additions to shouldichangemypassword.com, a side project that indexes email addresses included in more than a dozen high-profile privacy breaches carried out by LulzSec and other hacking groups. The query that hit pay dirt included the terms “filetype:sql” “password” and “gmail.”
“I started scrolling, and scrolling and I couldn't get to the bottom of the file,” Grzelak told Risky Biz. “Then I realised how big it actually was.”
The Groupon statement didn't say why passwords weren't encrypted or why such a sensitive file was publicly available.
The snafu is the latest to expose the folly of using the same password on more than one site, a practice still followed by a shockingly high number of people. If you're one of them, you ought to consider using a password-management program such as Password Safe or KeePass.
The Groupon subsidiary sure isn't the first to carelessly expose data it has promised to keep private, and judging from this Google search, it's probably not the last.
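A defender-side check prompted by this story, written here as an added example rather than anything from the article or from Groupon: it parses INSERT statements in a MySQL-style dump, reports rows where a password-like column holds a value that is neither a hex digest nor a modular-crypt hash, and can sweep a web root for .sql files so a dump like this is found before a search engine indexes it. The sample dump is constructed, and the column-name heuristics and the simple value splitter are assumptions that will miss exotic quoting.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample dump for the demo; not the real Sosasta data.
SAMPLE_DUMP = """
INSERT INTO `users` (`id`, `email`, `password`) VALUES (1, 'alice@example.com', 'hunter2');
INSERT INTO `users` (`id`, `email`, `password`) VALUES (2, 'bob@example.com', '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy');
INSERT INTO `orders` (`id`, `total`) VALUES (7, 12.50);
"""

INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*\((.*?)\);", re.I | re.S)
VALUE_RE = re.compile(r"\s*('(?:\\.|[^'\\])*'|[^,\s][^,]*)")  # one literal per match
PASSWORD_COL_RE = re.compile(r"pass(word|wd)?|pwd|secret", re.I)  # assumed column names
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Hex digest or modular-crypt string ($id$...) counts as hashed; anything else is plaintext.
HASHED_RE = re.compile(r"^([0-9a-f]{32,128}|\$[0-9a-z]+\$.+)$", re.I)

def split_values(raw: str) -> List[str]:
    """Split one VALUES tuple into literals, unquoting single-quoted strings."""
    vals = [v.strip() for v in VALUE_RE.findall(raw)]
    return [v[1:-1].replace("\\'", "'") if v.startswith("'") else v for v in vals]

def find_plaintext_credentials(dump: str) -> List[Tuple[str, str, str]]:
    """Return (table, email, column) for every row holding an unhashed password-like value."""
    findings = []
    for table, cols, vals in INSERT_RE.findall(dump):
        names = [c.strip().strip('`"') for c in cols.split(",")]
        values = split_values(vals)
        if len(names) != len(values):
            continue  # skip rows the simple splitter could not align with the column list
        email = next((v for v in values if EMAIL_RE.match(v)), "")
        for col, val in zip(names, values):
            if PASSWORD_COL_RE.search(col) and not HASHED_RE.match(val):
                findings.append((table, email, col))
    return findings

def scan_webroot(root: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Check every .sql file under a web root; any hit is a dump that must not be web-reachable."""
    results = {}
    for path in Path(root).rglob("*.sql"):
        hits = find_plaintext_credentials(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results
```

Run scan_webroot against the document root of each public web server; an empty dict is the only acceptable result.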
Following the disastrous attack on Sony’s PlayStation Network in mid-April and the subsequent announcement by the company that personal information tied to all customers with PSN IDs (said to number above 70 million) was compromised, many account holders understandably freaked out – especially when they considered Sony had waited nearly one week to divulge as much.
Some quietly changed passwords and carefully checked credit statements for signs of foul play, while others opted to file lawsuits against Sony. A new trio of aggrieved consumers has joined the latter.
According to a legal filing uncovered by video game news and business site Gamasutra, plaintiffs Felix Cortorreal, Jimmy Cortorreal and Jacques Daoud cited one witness, an ex-Sony Online Entertainment (SOE) worker, who said “lavish” spending by SCE on the PS DevNetwork – as well as the mass lay-offs which hit SOE in March – negatively impacted customer security. Perhaps ironically, the PS DevNetwork is essentially part of the greater PSN, albeit one only accessible by game developers.
The lawsuit boasts two other provocative witnesses, both also former Sony employees. One stated that Sony technicians knowingly disregarded implementing stronger security, opting instead for ad-hoc firewalls when necessary. The other admitted that PSN had in fact been breached prior to April.
As for the argument that the SOE lay-offs played a part in the PSN breach, a Sony spokesperson told ComputerWorld that “no [SOE] security people were fired.” The site also spoke with the trio’s legal counsel, Stuart Davidson, who said that while the focus is on earning damages for those who’ve demonstrably “had their identities or personal information compromised,” his firm – Robbins Geller Rudman & Dowd – isn’t ruling out punitive damages as well. “We are always holding [that] in our back pocket,” Davidson said.
Since the April PSN attack, several others have filed complaints against Sony. Kristopher Johns of Alabama alleged several violations by the company within days of its admission that user data had been compromised. In May, a Canadian woman who admitted she was a big Sony fan and avid gamer also launched a class-action suit.
Sony, in an attempt to mollify consumer fear, offered free ID theft protection services (sign-up ended) to those affected by the breach. The company also crafted a “Welcome Back” package – a bevy of content at no cost.
MyCE will update this post with a copy of the legal document when it’s made publicly available.
The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.
Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC)
The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cyber crimes.
In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. (INTC) and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.
It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara, California-based computer security company.
Rule No. 1
Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.
“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”
A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.
Tactics such as spear-phishing — sending a limited number of rigged e-mails to a select group of recipients — rely on human weaknesses like trust, laziness or even hubris.
That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA — the company that provides network-access tokens using random secondary passwords — was in a hiring campaign.
No stone is left unturned, no option unexplored when it comes to online spamming, and the latest approach has shown that malware authors are not the only ones who have taken advantage of the fact that Android apps are written in Java and are, therefore, easily cloned.
"We've been seeing a rash of repackaged applications posted on the official Android Market," says an F-Secure researcher. "The repackaged application has the same modules as the original, but includes an advertisement module."
He says that most of the spotted repackaged apps don't have any malicious code in them, and they are all made available for download for free. This means that the "developers" of these apps must make money off the clicks on the advertisements.
But, as the researcher points out, most (if not all) of these apps were cloned without the permission of their original developers.
Whether or not they can sue the people behind the repackaged apps is another matter, but technically those people are committing theft of intellectual property.
I wonder if this is going to make Google reconsider a vetting process for new apps.