Your daily source of Pwnage, Policy and Politics.

Episode 428 – Mobile Malware Update, Free Riders, Iranian “Soft war”, Hyung-suk & PayPal

InfoSec Daily Podcast Episode 428 for July 14, 2011. Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:

Speak With EFF Attorneys About Your Security Research
When: Contact EFF by July 15th for presenters or July 22nd for other researchers
Where: Black Hat, BSidesLasVegas, DEF CON
https://www.eff.org/deeplinks/2011/07/speak-eff-attorneys-las-vegas-security-research

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org

My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org

Stories

Source: http://blog.zeltser.com/post/7586804581/malware-for-mobile-devices

Mobile phones are now part of the battlefield that encompasses Internet-based crimes. Recent incidents involved the deployment of trojan Android and iOS apps, as well as ZeuS variants designed for Symbian, Blackberry, Windows Mobile and Android platforms. This is just the beginning. Malware authors are paying attention to such mobile devices because they’re increasingly used for sensitive transactions, including payments, banking and two-factor authentication.

The majority of mobile device infections witnessed to date have involved an element of social engineering, but soon enough exploits will play a role in large-scale distribution of mobile device malware. Attackers have submitted trojan programs to app stores that seemed legitimate but included malicious capabilities. This problem has been plaguing the Android platform, which provides its users with multiple app stores and incorporates minimal oversight over the listed apps.

Source: http://arstechnica.com/tech-policy/news/2011/07/republican-spectrum-bill-reins-in-wireless-free-riders-like-google.ars

The House Energy and Commerce Committee is holding a hearing on Friday on spectrum and public safety communications issues. In advance of the event, key Republican lawmakers have circulated a discussion draft of new spectrum auction and public safety band rules. It's an interesting read for anyone interested in wireless unlicensed broadband.

Among the proposals, the law sets up an auction system for the allocation of spectrum for unlicensed use—think "white space" devices and WiFi. The Federal Communications Commission would be required to conduct auctions in which bidders could declare their intention to buy spectrum for licensed or unlicensed deployment.

But (our italics): "The Commission may only exercise its authority under this Act to allocate a portion of the spectrum for unlicensed use if—the bids for unlicensed use, in the aggregate, exceed the highest bid for such license."

If an unlicensed spectrum sale went through under this condition, the FCC would be forbidden to impose any rules on the sale winner that "limits the ability of a licensee to manage the use of its network, including management of the use of applications, services, or devices on its network, or to prioritize the traffic on its network as it chooses."

Source: http://www.foxnews.com/world/2011/07/14/is-iran-producing-its-own-spy-technology/

Iran may not be importing cyber spy equipment, according to a newly released government report, yet the Iranian regime’s beefed up cyber surveillance abilities have many believing that Tehran has begun producing its own homegrown spy technology.

The report, issued last week by Congress’ investigative division, the Government Accountability Office (GAO), was unsuccessful in tracking specific suppliers selling high-level communications spy technology. Recent government crackdowns, however, have officials certain that Iran is employing sophisticated monitoring equipment in suppressing online opposition.
   
The finding was announced at the end of a four-month study, aimed to enforce broadened sanctions imposed against the Iranian government in July 2010, which forbade the U.S. government from doing business with companies that export sensitive technology to Iran.

The question remains whether communications technology is purchased from abroad or developed by Iranians, making the government self-sufficient in defending itself against the opposition’s ongoing cyber revolution.

Since the 2009 post-election uprisings in Iran, protesters facing brutal government retaliation on the street turned to the Internet and the use of social networking sites such as Facebook, Twitter and YouTube, as well as blogging sites, as effective and popular avenues to unite, organize and voice disenchantment against the government.

Source: http://www.cultofmac.com/apple-pays-just-946-to-settle-first-locationgate-lawsuit/104686

While many of us dismissed the whole ‘Locationgate’ fiasco as being blown way out of proportion, others saw it as an opportunity to claim back a rebate on their iPhones by suing Apple. One Korean lawyer has become the first person to successfully win a Locationgate lawsuit, but we’re guessing Apple can live with the damages: he’ll receive just $946 in compensation.

Two officials have informed Reuters that a Korean court awarded Kim Hyung-suk a modest $946 in compensation following a court order in May. Kim’s law firm, Mirae Law, confirmed that Apple had already made the payment last month.

There’s no mention of why the court ruled in Kim’s favor, but with billions of cash in the bank,

Source: http://www.scmagazine.com.au/News/263634,paypal-cso-calls-for-antisec-hunt.aspx

PayPal’s chief security officer has called on the industry to reveal the identities of hackers involved in the online Anti Security (AntiSec) movement in order to stop a string of attacks against organisations.

The movement was run by activists, some within the online Anonymous collective, who had banded together with others to attack organisations it accused of corruption and censorship.

Individuals and groups hacked and launched denial of service attacks against US police, defence and intelligence departments, large technology companies and security firms, and dumped troves of sensitive data on public forums.

This had to stop, according to PayPal security chief Michael Barrett.

“I believe it’s crucial for all companies to do what they can to try to identify these individuals,” Barrett said.

“They delude themselves that they are anonymous on the internet. They are not.

“They can be found, and for the continued safety of the internet, we must identify them and have legitimate law enforcement processes appropriately punish them.”

PayPal’s own Electronic Crime and Threat Intelligence Unit, home to a veteran cybercrime investigator and former consultant to the FBI, Scotland Yard and the US Secret Service, had been on the tails of hacktivist groups for years.