InfoSec Daily Podcast Episode 439 for July 29, 2011. Tonight's podcast is hosted by Karthik Rangarajan, Geordy Rostad, Mr Bones and Varun Sharma.
Announcements:
SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
Hack3rCon 2011
When: October 21st-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories:
Aaron Barr, the former HBGary Federal CEO, has withdrawn from participation in a panel discussion slated for the DEFCON security conference next week in Las Vegas.
SC Magazine reports Barr's decision was hastened by the threat of legal action by his former employer for a potential breach of his separation agreement with the company.
Barr had resigned from HBGary Federal in the wake of a devastating breach and subsequent criticism regarding some of the company's business practices.
The DEFCON session, titled “‘Whoever Fights Monsters…' Aaron Barr, Anonymous, and Ourselves," will examine the impact hacktivism is having on the security industry.
The session, which is still scheduled to occur, will be moderated by ThreatPost editor Paul Roberts and will include Attrition.org's 'Jericho' – an Infosec Island contributor – and The 451 Group's Joshua Corman.
"Barr withdrawing from the panel is an obvious disappointment to the other panelists. It is especially unfortunate, as he had worked out issues with speaking on the topics with his new employer, only to get hit with an injunction from his former employer, HBGary," 'Jericho' told Infosec Island via email.
"HBGary's choice to go the legal route to block Aaron from speaking in general about topics that are relevant to our industry is sad, and demonstrates that HBGary is not committed to advancing the information security field."
Organizers indicate that they are contacting other viable candidates for participation in the session. According to SC Magazine's report, HBGary Federal's attorney Tanya Forsheit of The Information Law Group – also an Infosec Island contributor – could not be reached for comment.
In January of this year, HBGary Federal's systems were breached in an operation conducted by the rogue movement Anonymous, and the subsequent release of tens-of-thousands of company emails revealed multiple instances of ethically questionable covert operations involving the security company.
The leaked emails showed that HBGary Federal, Palantir Technologies and Berico Technologies were involved in developing WikiLeaks counter-operations strategies for Bank of America and proposed disinformation campaigns, cyber attacks against network systems, and strong-arming journalists.
Other information released in the breach show the companies were engaged in developing strategies to infiltrate other civil activist groups, and plans to use social media for distributing government propaganda. There was also evidence that HBGary Federal was involved in developing an undetectable, full command and control cyber offensive weapon called Magenta.
In April, HBGary, Inc., sister company to HBGary Federal, released an open letter addressed to their customers and the defense marketplace in an effort to set the record straight in the wake of the devastating breach.
While some details in the brief letter corresponded to the information contained in the leaked emails, the letter for the most part came off as a generic attempt to rewrite the record and further distance HBGary Inc. from the activities of Aaron Barr and HBGary Federal.
The letter, which was widely covered in the press, has subsequently been removed from the company's website, although a Google search of the defunct URL (http://www.hbgary.com/open-letter-from-hbgary) reveals its distribution.
Source: http://www.theregister.co.uk/2011/07/29/facebook_bug_bounties/
Facebook has joined Google and Mozilla in paying cash rewards to researchers who privately report vulnerabilities that could jeopardize the privacy or security of their users.
The social network said Friday it would pay $500 for the disclosure of most website flaws, such as XSS, or cross-site scripting errors. The company may pay more for specific bugs, which weren't elaborated on in Facebook's announcement. To qualify, the researcher must be the first person to privately report the bug and reside in a country not under any current US sanctions.
The move comes as good news to legions of researchers who spend considerable time and expertise finding and reporting serious vulnerabilities in the websites and software they use. More often than not, they receive little more than a public acknowledgement in return. Microsoft, Oracle and virtually every other software manufacturer and website steadfastly refuse to pay for private bug reports, even though their products also benefit from it.
Microsoft recently offered a $250,000 reward for information that leads to the conviction of the operators of Rustock, a recently dismantled botnet that in its heyday was one of the biggest sources of illegal spam. Although the software maker has rebuffed calls to offer cash rewards for bug reports, it has publicly pledged not to sue or press charges against hackers who responsibly find security flaws in its online services.
Mozilla was among the first software makers to offer a bug bounty program when, years ago, it began offering $500 rewards. Google eventually followed suit. The two outfits have gradually increased the bounties, with Mozilla paying as much as $3,000 and Google paying $3,133.70 for the most serious bugs.
To date, Google has paid $300,000 under the program for bugs found in its various web properties. That doesn't include bounties paid for vulnerabilities reported in Google's Chromium browser.
“We're very happy with the success of our vulnerability reward program so far,” a Google spokesman said in an email.
To qualify for the Facebook bounties, researchers must privately report them here and give the company's security team a reasonable time to respond before publicly disclosing the flaws. Denial-of-service vulnerabilities, spam and social engineering techniques, and bugs in third-party apps and websites and in Facebook's corporate infrastructure don't qualify.
Source: http://www.networkworld.com/slideshows/2011/nww-ipv6-survey-ciscosubnet.html
2011 is the year that IPv6 moved among the top priorities for many enterprises. Network World wanted to know where organizations stood in their implementation plans. So we asked and 210 readers, representing businesses of all sizes, responded. We expected people to tell us that they were making progress on IPv6 for their websites, and they are. We were surprised at how far along many are with IPv6 on their internal networks as well. And we were blown away by how many agreed that IPv6 isn't just hype, but fundamentally important to the growth of the Internet and that they didn't want their companies to be left behind.
Source: http://www.networkworld.com/news/2011/072711-war-texting-lets-hackers-unlock.html
Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners.
Don Bailey and fellow iSec researcher Mathew Solnik say they've figured out the protocols that some of these software makers use to remote control the cars, and they've produced a video showing how they can unlock a car and turn the engine on via a laptop. According to Bailey, it took them about two hours to figure out how to intercept wireless messages between the car and the network and then recreate them from his laptop.
Bailey will discuss the research at next week's Black Hat conference in Las Vegas, but he isn't going to name the products they've hacked — they've looked at two so far — or provide full technical details of their work until the software makers can patch them.
Probably the best known of this type of product is the OnStar RemoteLink app, which can be used to start up and unlock many late-model General Motors vehicles, but similar software is available for other makes of cars, including Mercedes and BMW.
Bailey calls his technique "war texting," a reference to another hacking technique called "war driving," which involves driving around cities looking for data on wireless networks.
War texting is technically complex. First of all, the researchers have to identify cars that are using these mobile applications. Then they have to find a way to connect with them. With these mobile car apps, the phone connects to a server that then sends secret numerical keys to the car in order to authenticate itself, but the iSec researchers figured out ways to get around this by looking at the messages sent between the server and the car over the mobile network, Bailey said in an interview. "We reverse-engineer the protocol and then we build our own tools to use that protocol to contact that system," he said.
The iSec researchers believe that they are uncovering symptoms of a much more widespread problem. In recent years, mobile networking has been built into an astonishing range of devices — everything from picture frames to cars to smart meters — giving them a cheap and easy way to communicate. According to Bailey, however, security has often been an afterthought, and many of these products can be hacked and misused.
Research in this area has taken off in recent years as open-source tools have given hackers an inexpensive way of setting up their own mobile-phone test networks.
In April, Bailey used similar techniques to hack Zoombak's personal locator devices, and there are hundreds of other similar products that have not been examined. "This architectural flaw expands to so many engineering industries," he said.
Source: http://news.yahoo.com/minnesota-wi-fi-hacker-gets-18-years-prison-032803295.html
Minnesota hacker Barry Ardolf was sentenced to an 18-year term in a federal prison this Tuesday. Ardolf had terrorized a neighboring family for two years through a carefully planned campaign involving a hijacked Wi-Fi network to harass, frame and embarrass the next-door neighbors in every facet of their lives.
Ardolf’s obsessive passive-aggression was apparently ignited in late 2008 when his neighbors, Matt and Bethany Kostolnik, filed a police report against him. The Kostolniks had a 4-year-old son who wandered over to their next-door neighbor's property shortly after moving into the Minnesota suburb of Blaine. Ardolf, 46 and a father of two, had reportedly picked the boy up, carried him back to the couple and then kissed the child on the lips. Ardolf was offended when the cops were called and vowed his revenge like every good villain.
The man, a Medtronic computer technician, downloaded a Wi-Fi hacking program to tear into his neighbors' WEP encryption. Ardolf created a fake Myspace page as well as several fake emails for Matt Kostolnik. The hacker then posted child porn on the Myspace page and emailed the same child porn to co-workers at Kostolnik’s law office.
To top it all off, the Blaine hacker sent death threats to Vice President Joe Biden and other politicians from Kostolnik’s Yahoo account. This granted Kostolnik a visit from the secret service who had traced the emails back to his IP address. One of the emails told Biden, “I swear to God I’m going to kill you!”
Ardolf’s mischief was detected when a frustrated Kostolnik told bosses he had no clue as to what was going on. The law office hired a firm to poke around the Wi-Fi network and install a packet sniffer to figure it all out. Eventually Ardolf’s name and Comcast account were found, which gave the FBI a reason to obtain a search warrant for Ardolf’s house. They found massive evidence that led to the Blaine hacker being slapped with charges for identity theft, making threats against Biden, possession of child pornography as well as distribution of kiddie-porn.
The FBI also found evidence that Ardolf had staged a similar attack against a family in Brooklyn Park for parking their cars in front of his house. Ardolf’s charges will tag him with lifetime sex-offender registration requirements, and after his release he’ll be supervised for 20 years. According to the Pioneer Press, he’ll also be restricted when working with computers by his parole officers.