Your daily source of Pwnage, Policy and Politics.

Episode 463 – Kernel.org, SW Galaxies, Ex-Anon, Apache Squash, Facebook Bounty & TouchPad Resurrection

InfoSec Daily Podcast Episode 463 for August 31, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, Boris Sverdlik, Geordy Rostad, Matthew Romanek, and Varun Sharma.

Announcements:

OWASP NY/NJ
When: Sept 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

Wim Remes ISC2 Official Petition
When: Deadline September 19, 2011
What: CISSPs can send an e-mail from the address registered with ISC2, mentioning their NAME, EMAIL ADDRESS and CERTIFICATION NUMBER, to wim@remes-it.be.
http://blog.remes-it.be/petition.html

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to the Louisville Infosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://pastebin.com/BKcmMd47

As you can guess from the subject line, I've not had what many would consider a "good" day.  Earlier today I discovered a trojan existing on HPA's personal colo machine, as well as hera.  Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential precursors on demeter2, zeus1 and zeus2, that have been hit by this.

As it stands right now, HPA is working on cleaning his box, and I'm working on hera (odin1 and zeus1 are out of rotation still for other reasons), mainly so that if one of us finds something of interest, we can deal with it and compare notes on the other box.

Points of interest:

- Break-in seems to have initially occurred no later than August 12th

- Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.  These have been uninstalled and removed, all processes were killed and known good copies were reinstalled.  That said all users may wish to consider taking this opportunity to change their passwords and update ssh keys (particularly if you had an ssh private key on hera).  This seems to have occurred on or around August 19th.

- A trojan startup file was added to rc3.d

- User interactions were logged, as well as some exploit code.  We have retained this for now.

- Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems.  It is unclear if systems that exhibit this message are susceptible, compromised or not.  If you see this, and you don't have Xnest installed, please investigate.

- It *appears* that 3.1-rc2 might have blocked the exploit injector, we don't know if this is intentional or a side effect of another bugfix or change.

- System is being verified from backups, signatures, etc.  As of right now things look correct, however we may take the system down soon to do a full reinstall and for more invasive checking.

- As a precaution a number of packages have been removed from the system, if something was removed that you were using please let us know so we can put it back.

- At this time we do not know the vector that was used to get into the systems, but the attackers had gained root access level privileges.

That's what we know right now, some of the recent instabilities may have been caused by these intrusions, and we are looking into everything.

If you are on the box, keep an eye out, and if you see something please let us know immediately.

Beyond that, verify your git trees and make sure things are correct.

Source:  http://venturebeat.com/2011/08/30/hackers-steal-21000-mostly-weak-user-passwords-from-star-wars-game-fan-site/

A Star Wars Galaxies fan site got hacked today and thieves stole 21,000 email addresses and 23,000 passwords. And judging from an analysis of the passwords, most of them were weak.

The site SWGalaxies.net is a Star Wars Galaxies online game fan site owned by LFNetwork, an independently owned network of LucasArts fan sites. Hackers from the group ObSec, a small hacking collective with apparent sympathies for the LulzSec and AntiSec hacktivist groups, broke into the site’s security and posted the addresses and passwords on the web. The threat from this kind of smaller breach is that it can lead to further identity theft that could be devastating for individuals.

Jeff Moeller, editor of LFNetwork, said that the site that got hacked is not actively maintained anymore.

Identity Finder took a look at the post and found there were a lot of weak passwords, which would have been easy to crack because they are short, contain dictionary words, or don’t contain special characters, numbers, or alternating punctuation.

Source:  http://www.cso.com.au/article/399150/ex-anon_good_liars_undermine_information_security

Self-exiled, gun-loving ex-Anon, who goes by the name SparkyBlaze on Twitter, claims that skilled liars are the number one concern for information security.

“We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing?” SparkyBlaze told networking giant Cisco on Wednesday.

“It all comes down to lies, everyone does it and some people get good at it.”

The self-described hacker recently severed ties with Anonymous over its supporters’ practice of killing “innocent peoples” anonymity when they leaked San Francisco transport user details, supposedly in support of the transport system's users.

“AntiSec Has Released Gig After Gig Of Innocent Peoples Information. For What? What Did They Do? Does Anon Have The Right To Remove The Anonymity Of Innocent People? They Are Always Talking About Peoples Right To Remain Anonymous So Why Are They Removing That Right?”, SparkyBlaze declared in a post on PasteBin this month.

Source:  http://www.theregister.co.uk/2011/08/30/apache_dos_vuln_patched/

Maintainers of the open-source Apache webserver have fixed a severe weakness that attackers are exploiting to crash websites.

Flaws in Apache's HTTP daemon made it easy to crash servers using publicly available software released last week. The bugs in the way the HTTPD processed multiple web requests that involved overlapping byte ranges allowed attackers to overwhelm servers by sending them a modest amount of traffic.

An advisory on Apache's website said the bug, formally known as CVE-2011-3192 has been fixed in version 2.2.20.

“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. "Active use" of the attack tool has been observed.

One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007, and possibly involves all webservers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the underlying protocol responsible for the problem, Apache said.

Versions 1.3.x and 2.0.x through 2.0.64 contain the denial-of-service vulnerabilities. They can be triggered by a single web request that contains overlapping byte ranges for a specific page.
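The byte-range bug above comes down to how a server treats a Range header that lists many ranges, or ranges that cover the same bytes more than once. The following is an added example (not code from Apache or from the article) of the kind of check a front end or WAF can apply before passing a request on: parse the ranges, drop unsatisfiable ones, reject overlapping sets or more than a cap (the cap of 5 is an assumed value for this example), and, as an alternative policy, coalesce overlapping ranges so each byte is read at most once.

```python
import re

# Inclusive byte ranges parsed from "Range: bytes=..."; the cap below is an
# assumed value for this example, not a number from the Apache advisory.
MAX_RANGES = 5
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value, content_length):
    """Parse a Range header value into a list of inclusive (start, end) pairs.

    Returns None when the value is syntactically invalid; an origin server is
    then expected to ignore the header and serve the full representation.
    Ranges that start beyond the end of the body are unsatisfiable and dropped.
    """
    if not header_value.startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix form "-N": the final N bytes of the body
            n = int(last)
            if n == 0:
                continue
            start, end = max(0, content_length - n), content_length - 1
        else:
            start = int(first)
            end = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if start > end:
                continue
        ranges.append((start, end))
    return ranges


def has_overlap(ranges):
    """True when two ranges share at least one byte (the CVE-2011-3192 pattern)."""
    ordered = sorted(ranges)
    return any(nxt[0] <= prev[1] for prev, nxt in zip(ordered, ordered[1:]))


def coalesce_ranges(ranges):
    """Merge overlapping or adjacent ranges so every byte is read at most once."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def classify_range_header(header_value, content_length, max_ranges=MAX_RANGES):
    """Policy decision for a front end or WAF:
    'ignore' - malformed header, serve the whole body with 200
    'reject' - too many or overlapping ranges, answer 416 or strip the header
    'serve'  - a well-formed multi-range request
    """
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return "ignore"
    if len(ranges) > max_ranges or has_overlap(ranges):
        return "reject"
    return "serve"


if __name__ == "__main__":
    samples = ("bytes=0-99", "bytes=0-100,50-150",
               "bytes=" + ",".join(f"{i}-" for i in range(1, 50)))
    for hdr in samples:
        print(hdr[:40], "->", classify_range_header(hdr, 1000))
```

Rejecting is the simplest policy to reason about; coalescing keeps legitimate multi-range clients (download managers, PDF viewers) working while bounding the work a single request can cause.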

Source:  http://threatpost.com/en_us/blogs/facebook-bug-bounties-one-month-later-083011

Just a month into its cash-for-bugs program, social networking giant Facebook doled out some $40,000 in bounties to researchers from 16 countries, according to a company statement.

Joe Sullivan, Facebook’s Chief Security Officer, authored a column on Facebook’s security page yesterday heralding the success of the new program as an overall security improvement on the world’s largest social network. The bounties include $7,000 to one researcher who disclosed six separate bugs.

Facebook followed the lead of companies like Google, Mozilla and a gaggle of vulnerability detection firms in July: offering cold hard cash for the details of security holes in its Web based social networking service. The company is paying $500 as the minimum bug bounty, with more money coming to more valuable (read: exploitable) vulnerabilities. The company paid out $5,000 to one researcher for a particularly good report. These are drops in the bucket to a company whose eventual IPO, if rumors prove true, may exceed $100 billion.

Source:  http://www.theaustralian.com.au/australian-it/exec-tech/the-hp-touchpad-is-back-for-now/story-e6frgazf-1226126401633

In what seems a resurrection of biblical proportions, Hewlett-Packard will resume manufacturing its TouchPad just 11 days after the tablet was killed off in the market.

The company’s decision follows an unprecedented demand for the TouchPad, which in Australia was axed just four days after its launch due to poor sales in the US.

TouchPads were sold out at Harvey Norman around Australia within an hour of the start of a TouchPad fire sale. Prices were slashed to $98 from $498 for the 16 Gigabyte model, and to $148 for the 32GB version.

As one commentator quipped: “The TouchPad sold like a dead tablet strapped to a rocket.”

The sentiment extended to eBay, where buyers willingly were bidding more than $300 per unit in auctions that began well after the fire sale ended, in full knowledge of the retail price cuts.

In the week following the TouchPad’s demise, a flurry of new apps found their way into HP’s app shop, further adding to a view that, despite its hardware limitations, the tablet was killed off too quickly.

Episode 462 – To The Cloud?, letmein, Cleaning House, LDAP Fail, WebSurgery & One Pass

InfoSec Daily Podcast Episode 462 for August 30, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Them, and Varun Sharma.

Announcements:

OWASP NY/NJ
When: Sept 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

Wim Remes ISC2 Official Petition
When: Deadline September 19, 2011
What: CISSPs can send an e-mail from the address registered with ISC2, mentioning their NAME, EMAIL ADDRESS and CERTIFICATION NUMBER, to wim@remes-it.be.
http://blog.remes-it.be/petition.html

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to the Louisville Infosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://www.theregister.co.uk/2011/08/30/fraudulent_google_cert_update/

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that a July 19 breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

Source: http://www.eweek.com/c/a/Security/Morto-Worm-Infects-Windows-Systems-With-Weak-Passwords-815241/

The latest Internet worm targeting Windows Remote Desktop Protocol attacks the lowest-hanging fruit: weak administrator passwords. A tip: "letmein" is not a good password.

A new worm, called "Morto," has been infecting machines via Remote Desktop Protocol on Windows machines, according to security researchers.

Morto is the first Internet worm to use RDP as an infection vector, Mikko Hypponen, the chief research officer of F-Secure, wrote Aug. 28 on the F-Secure News from the Lab blog. Unlike previous automated worms such as CodeRed, Blaster, Sasser and Slammer, which wreaked havoc on enterprise networks, this worm does not exploit any specific Windows vulnerability. Instead, it scans the network for machines with port 3389 (the RDP port) open and then tries to brute-force the password to take over the machine, Hypponen said.

Marc Maiffret, CTO of eEye Digital Security called Morto a "silly worm" on eEye's Security In-Focus blog. Morto "appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP," Maiffret said.

Using the following user names:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

The following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
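A worm that guesses a few dozen username/password pairs over RDP leaves a dense burst of failed logons from one source in the Windows Security log. The following is an added example (not from eEye, F-Secure or the article) of a detector for that pattern: it reads constructed sample lines in a simplified key=value rendering of events 4625 (failed logon) and 4624 (successful logon), keeps only RDP failures (LogonType 10), finds the densest window per source address, and tags how many of the guessed usernames come from the Morto list printed above. The log format, addresses and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the Morto list above; used to tag which guesses match that list.
MORTO_USERNAMES = frozenset("""
1 actuser adm admin admin2 administrator aspnet backup computer console david
guest john owner root server sql support support_388945a0 sys test2 test3 user
user1 user5
""".split())

# Constructed sample: a simplified key=value rendering of Windows Security events
# 4625 (failed logon) and 4624 (successful logon). LogonType 10 is
# RemoteInteractive, i.e. an RDP session. Not real EVTX output.
SAMPLE_LOG = """\
2011-08-28T10:15:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=10.9.8.7
2011-08-28T10:15:02Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=10.9.8.7
2011-08-28T10:15:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=10.9.8.7
2011-08-28T10:15:03Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=10.9.8.7
2011-08-28T10:15:04Z EventID=4625 LogonType=10 TargetUserName=support IpAddress=10.9.8.7
2011-08-28T10:15:05Z EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=10.9.8.7
2011-08-28T10:15:06Z EventID=4625 LogonType=10 TargetUserName=sql IpAddress=10.9.8.7
2011-08-28T10:16:40Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.1.1.20
2011-08-28T10:20:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.1.1.20
2011-08-28T10:30:00Z EventID=4625 LogonType=2 TargetUserName=administrator IpAddress=127.0.0.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one sample line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag source addresses with >= threshold failed RDP logons inside `window`.

    Returns {ip: {"failures": n, "usernames": [...], "wordlist_hits": k}} where
    the counts describe the densest window seen for that source.
    """
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        per_source[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    alerts = {}
    for ip, events in per_source.items():
        events.sort()
        best, start, best_span = 0, 0, (0, 0)
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (start, end + 1)
        if best >= threshold:
            users = sorted({u for _, u in events[best_span[0]:best_span[1]]})
            alerts[ip] = {
                "failures": best,
                "usernames": users,
                "wordlist_hits": sum(u in MORTO_USERNAMES for u in users),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

One caveat when adapting this to real event logs: with Network Level Authentication enabled, a failed RDP credential check is usually recorded as a 4625 with LogonType 3 rather than 10, so a production rule should accept both, and the IpAddress field can be "-" for some failure paths.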

Source: http://www.itnews.com.au/News/268413,phone-bug-discovered-in-aussie-bank-branch.aspx

A major Australian bank has discovered a telephone bug installed inside a branch, being used to siphon the credit and debit card information of unwitting consumers.

The meticulously handcrafted device, smaller than the palm of a hand, was pinned carefully to telephone cable that ran along the carpet floor of the bank's metropolitan branch office.

Two inconspicuous cuts were made in the wire to attach the bug. It would listen for keypad tones as unsuspecting customers keyed in their PIN numbers at the automatic teller.
Each tone woke the device from slumber, which it diligently broadcast over a handpicked radio frequency.

The attacker waited in the bank’s carpark and recorded the tones on a laptop. Each tone was then matched to a number, revealing the customer’s PIN.

Corresponding card information was also being copied and stored. The brazen attacker had swapped the terminal on the teller's desk with a skimming device that was capturing enough bank data for replica cards to be manufactured.

The thief needed only match the time signatures at which the card and PIN number were swiped to have unfettered access to potentially hundreds of accounts.

Source: http://nakedsecurity.sophos.com/2011/08/27/os-x-lion-accused-of-having-huge-network-security-hole/

Late last week, I was in a taxi with a business acquaintance, heading to an event at which we were both speaking.

We're both Mac users, so in the fashion of fanbuoys-in-denial the world over, we started chatting about all things Apple. That led us to Lion, which in turn led to my chum James saying, "Have you seen the recent discussions online about LDAP network authentication on Lion clients? It's a really handy feature – if you forget your password, you can just make one up. A real helpdesk time saver!"

This issue has been brewing in online forums for more than a month, pretty much since Lion's release, but has now hit the news in a big way. Irrepressibly eager Register hack Dan Goodin, for example, describes it as a 'huge hole' threatening enterprise networks.

Unfortunately, exactly how extensive the hole is – and exactly where the fault lies, where the fix should come from, and what can be done in the meantime – isn't terribly clear from the articles I've seen, including the discussions on Apple's own forum.

Geordy’s comments: The issue was reported on July 25th and Lion was still released without any fix or acknowledgement of the issue from Apple. The most recent update, 10.7.1, didn't have the fix either.

Source:   http://www.surgeonix.com/blog/index.php/archives/117

WebSurgery 0.6 is a suite of tools for security testing of web applications, designed to help security auditors with web application planning and exploitation. It currently includes an efficient, fast and stable web crawler; a file/directory brute forcer; a fuzzer for exploitation of known and unusual vulnerabilities such as SQL injection and cross-site scripting (XSS), brute forcing of login forms, identification of firewall-filtered rules and DoS attacks; and a web proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.

Source:  https://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html

Multipass disk overwrite and the “DoD 5220-22-M standard 3-pass wipe” are, at best, urban legends. At worst, they are a waste of time and electricity.

Blame Gutmann…

In 1996, Peter Gutmann presented a paper [GUT96] at a USENIX Security Symposium in which he claimed that overwritten data could be recovered using magnetic force microscopy (MFM) and scanning tunneling microscopy (STM) techniques. This seminal paper alerted many people to the possibility that data which had been overwritten on an HDD could be recovered using such techniques. Lacking other research in this area, and despite a lack of corroboration, many of those people adopted Gutmann’s conclusions and recommendations and have ever since believed that multiple overwrites are required to effectively render remnant data irretrievable. Gutmann’s ultimate recommendation was that no fewer than 35 (!) overwrite passes should be performed to ensure that the original data cannot be retrieved.

However, in the context of current HDD technology, there are several problems with Gutmann’s work:

  • Gutmann focused on two disk technologies — modified frequency modulation and run-length-limited encoding — that rely on detection of a narrow range of analog signal values and have not been used for HDDs in the last 10-15 years. Modern HDDs use various kinds of partial-response maximum-likelihood (PRML) sequence detection, which uses statistical techniques to determine the maximum likelihood value associated with multiple signal detections [WRIG08].
  • Further, areal density (density of data per square unit of area, the product of bit-per-inch linear density and track-per-inch track density) has increased by at least three orders of magnitude [SOBE04] [WIKI08] since the publication of the Gutmann paper. To achieve such densities, head positioning actuators have become significantly more accurate and repeatable.
  • Moreover, Gutmann’s paper was theoretical, and I am not aware of any practical validation that data could be recovered using the techniques he described.

Episode 461 – Interview with Wim Remes

InfoSec Daily Podcast Episode 461 for August 29, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Beau Woods, Karthik Rangarajan, and Varun Sharma.

Announcements:

OWASP NY/NJ
When: Sept 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to the Louisville Infosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Wim Remes has an official petition page to have his name added to the ISC2 election ballot on November 16th.  http://blog.remes-it.be/petition.html.  You can support Wim by sending an e-mail from your e-mail address registered with ISC2 mentioning your NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to wim@remes-it.be.

The cut off is September 19, 2011.

Complete Episode Library – All 464 Episodes Now Available!

All 464 Episodes are available via RSS, iTunes, or wget.  The complete set is around 8.35 GB.   The breakdown of the episodes by year is as follows:


2009: Episodes 1-37 and 4 Special Episodes
2010: Episodes 38-290 

2011: Episodes 291 – Current

Episodes of Note:  
Episode 145 – Karthik's first show
Episode 185 – Tribute to Matt Shoemaker

Interview Episodes: 
ISD Special Episode – Pieter Swanepoel (Part 1)
ISD Special Episode – Pieter Swanepoel (Part 2)

Episode 23 – Interview with Chris Nickerson 
Episode 27 – Interview with Adrian Crenshaw 
Episode 33 – Interview with Kevin Johnson 
Episode 35 – Interview with Dave Shackleford 
Episode 113 – Interview with John Smith
Episode 118 – Interview with L. Taylor Banks
Episode 119 – Interview with Scott Moulton 
Episode 120 – Interview with Jason Lawrence 
Episode 122 – Interview with Paul Asadoorian 
Episode 125 – Interview with Iftach Ian Amit 
Episode 165 – Nickerson & BSidesLasVegas

Episode 168 – Interview with Paul Royal (Kraken)
Episode 197 – Interview with Adrian Sanabria 
Episode 211 – Interview with Dave Kennedy 
Episode 233 – Interview with Alex Hutton 
Episode 235 – Interview with Eric Smith
Episode 248 – Interview with Michael Gough
Episode 271 – Interview with Kevin Johnson 
Episode 297 – The @DerbyCon Episode
Episode 307 – Interview with Jack Daniel 
Episode 318 – Shooting the shit with Chris Nickerson
Episode 321 – Late Night with Iftach Ian Amit
Episode 329 – Interview with Lee & Mike (Infosec Leaders)
Episode 424 – Interview with Greg D. Evans
Episode 429 – Interview With Authors of Metasploit
Episode 434 – Interview with Brian Alseth of ACLU

Episodes of Shame:
Episodes 1-22 
Episode 13 – The Suck!
Episode 164.5 – Firewire Fail

Episode 460 – Censorship Averted, Recruitment plan.xls, 10 Years Of XP, Orwellian & Insulin Pump

InfoSec Daily Podcast Episode 460 for August 26, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Geordy Rostad, and Mr. B0n3z.

Announcements:

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to the Louisville Infosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source:  http://www.guardian.co.uk/media/2011/aug/25/government-plan-shut-twitter-facebook

The UK government has climbed down on plans to ban suspected rioters from using social networking websites in times of civil unrest.

The home secretary, Theresa May, told social networks at a meeting on Thursday that the government had no intention of "restricting internet services".

Research in Motion (RIM, the maker of BlackBerry), Facebook and Twitter were summoned to the meeting with May after David Cameron signalled a clampdown on the sites following the recent riots in England.

The social networks were poised to face down the government on its plans, which they warned could usher in a new form of online censorship in the UK.

However, government ministers sought to back away from the prime minister's comments and instead focus on how law enforcement could better use Twitter and Facebook in emergencies.
A Home Office spokeswoman described the meeting as constructive. May chaired the meeting with the Foreign Office minister Jeremy Browne, and members of the Association of Chief Police Officers.

The Home Office said in a statement: "The discussions looked at how law enforcement and the networks can build on the existing relationships and co-operation to prevent the networks being used for criminal behaviour. The government did not seek any additional powers to close down social media networks."

The possibility of banning suspected rioters from social networks was first raised by Cameron a fortnight ago when he vowed to do whatever it took to prevent a repeat of the riots and looting.
Hours before the meeting human rights groups sent an open letter to government ministers warning that powers restricting the internet could be "susceptible to abuse" and undermine free speech.

May is understood to have opened the meeting by immediately ruling out restrictive measures and indicating that it was a discussion about improving law enforcement online.

According to sources at the meeting, police acknowledged that they "needed to do more" with regard to learning how to use social media. The Metropolitan police are understood to have said they were "slightly behind" other forces when it came to Twitter and Facebook.

Surprisingly, RIM was not forced to explain how its BlackBerry Messenger service differed from other social networks, despite the system reportedly having played a pivotal role for the rioters.
A spokeswoman for Facebook said the discussion was constructive, building on work her firm already did to ensure Facebook was "one of the safest places on the internet". She said: "We welcome the fact this was a dialogue on working together to keep people safe rather than about imposing restrictions on internet services."

A Twitter spokeswoman said: "Governments and law enforcement agencies around the world use Twitter to engage in open, public, communications … we've heard from many that Twitter is an effective way to distribute updates and dispel rumours in times of crisis or emergency."
In a statement RIM said: "RIM continues to maintain an open, positive, dialogue with the UK authorities and continues to operate [within] UK regulations."

The Home Office meeting followed a study of riot-related tweets, compiled by the Guardian, that cast doubt on the rationale behind Cameron's proposal to bar suspect rioters from Twitter and Facebook.

Source: http://www.f-secure.com/weblog/archives/00002226.html

RSA was hacked in March. This was one of the biggest hacks in history.  The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.

This bothered Timo Hirvonen. Timo is an analyst in our labs and he was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file – with no luck. Until this week.

Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls.

After five months, we finally had the file.

And not only that, we had the original email. Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.

In this video you can see us opening the email to Outlook and launching the attachment. The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck Excel supports embedded Flash is a great question). The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over.

After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.

Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

The attack email does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems.

So, was this an Advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. But the exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers' systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.

Source:http://www.f-secure.com/weblog/archives/00002222.html
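As an added illustration of the kind of tool the F-Secure post describes (a scanner that hunts through samples for embedded Flash objects), here is a small Python carver for SWF objects hidden inside an arbitrary byte blob such as an XLS file. This is example code written for these show notes, not F-Secure's or Timo Hirvonen's tool, and it does not exploit anything: it only locates SWF headers, sanity-checks them, and hands back an uncompressed SWF for further analysis. The sample container it builds is constructed test data, not the RSA attachment; the version cutoff of 40 and the name of the decoy string are assumptions made for the illustration.

```python
"""Carve embedded Flash (SWF) objects out of a byte blob (e.g. an OLE/XLS file).

Added example for these show notes; not the tool described in the F-Secure post.
"""
import struct
import zlib

# Every SWF starts with a 3-byte signature, a 1-byte Flash version and a
# little-endian uint32 holding the length of the *uncompressed* file.
SWF_SIGNATURES = {
    b"FWS": "uncompressed",
    b"CWS": "zlib",     # body after the 8-byte header is a zlib stream
    b"ZWS": "lzma",     # body is LZMA; needs a full SWF parser to validate
}
HEADER_LEN = 8
MAX_PLAUSIBLE_VERSION = 40   # assumption: Flash Player versions of the 2011 era


def _check_header(blob, off, kind):
    """Validate a candidate header at `off`; return a hit dict or None."""
    if off + HEADER_LEN > len(blob):
        return None
    version = blob[off + 3]
    (length,) = struct.unpack_from("<I", blob, off + 4)
    # Cheap checks that reject the signature merely appearing in plain text.
    if not (1 <= version <= MAX_PLAUSIBLE_VERSION) or length < HEADER_LEN:
        return None
    body = blob[off + HEADER_LEN:]
    validated = False
    if kind == "uncompressed":
        # An FWS body carries no checksum; the only cheap check is that the
        # declared length fits in the data that follows the header.
        if length - HEADER_LEN > len(body):
            return None
        validated = True
    elif kind == "zlib":
        try:
            out = zlib.decompressobj().decompress(body)  # trailing bytes are tolerated
        except zlib.error:
            return None                                   # not a zlib stream: false hit
        validated = len(out) == length - HEADER_LEN       # declared length must match
    return {"offset": off, "kind": kind, "version": version,
            "length": length, "validated": validated}


def find_swf_objects(blob):
    """Return plausible SWF headers found anywhere in `blob`, sorted by offset."""
    hits = []
    for sig, kind in SWF_SIGNATURES.items():
        start = 0
        while True:
            off = blob.find(sig, start)
            if off < 0:
                break
            start = off + 1
            hit = _check_header(blob, off, kind)
            if hit is not None:
                hits.append(hit)
    hits.sort(key=lambda h: h["offset"])
    return hits


def extract_swf(blob, hit):
    """Rebuild the object as an uncompressed 'FWS' file, ready for a SWF parser."""
    off = hit["offset"]
    header = b"FWS" + blob[off + 3: off + HEADER_LEN]    # keep version and length
    data = blob[off + HEADER_LEN:]
    if hit["kind"] == "zlib":
        body = zlib.decompressobj().decompress(data)
    elif hit["kind"] == "uncompressed":
        body = data[: hit["length"] - HEADER_LEN]
    else:
        raise NotImplementedError("ZWS (LZMA) bodies need a full SWF parser")
    return header + body


def build_sample():
    """Constructed test data: an OLE2-style container with one real CWS object
    and one decoy 'FWS' string. Returns (blob, offset_of_the_real_swf)."""
    body = bytes(range(256)) * 4                          # 1024-byte stand-in SWF body
    swf = (b"CWS" + bytes([10]) + struct.pack("<I", HEADER_LEN + len(body))
           + zlib.compress(body))
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound-file header
    decoy = b"FWS is a three-letter string in ordinary text"
    prefix = ole_magic + b"\x00" * 504 + decoy + b"\x00" * 64
    return prefix + swf + b"\x00" * 128, len(prefix)


if __name__ == "__main__":
    blob, _ = build_sample()
    for hit in find_swf_objects(blob):
        print(hit)
        if hit["kind"] != "lzma":
            print("  extracted %d bytes" % len(extract_swf(blob, hit)))
```

The decoy string shows why the header sanity checks matter: a bare signature search would flag any "FWS" in ordinary text, while the version and length checks (and, for CWS, actually inflating the zlib stream and comparing its size with the declared length) discard it. On a real hunt the same function is run over every sample in a collection and each validated hit is fed to a proper SWF parser.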

Let's compare the major computer operating systems at the moment. We have Windows XP, Windows Vista and Windows 7. We have various Linux distributions. And we have Mac OS X.

Of these, obviously Windows XP has the weakest security, by far.

And Windows XP has the biggest market share, too. Globally close to half of all computers still run XP.

And today, Windows XP is ten years old.

Ten years is an eternity in this business. So it's no wonder XP's security architecture is not up to date.

As a result, attackers right now would be stupid to spend their time and money targeting any other operating system. That makes no sense as long as they have this huge, easy low-hanging fruit.

Obviously XP is going away. As we can see from this chart, Windows 7 will pass XP in the near future and will become the most common operating system.

And when XP's market share drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on.

The attackers have never had it so good. The easiest target is also the most common target. This can't change quick enough.

Do a good deed today. Uninstall an XP.

Source:  https://www.infosecisland.com/blogview/16110-Federal-Judge-Calls-Geolocation-Tracking-Orwellian.html

U.S. District Judge Nicholas Garaufis has ruled that law enforcement must obtain a full-fledged search warrant based on probable cause in order to access the geolocation data of a suspect during the course of an investigation.

Federal law enforcement authorities had sought to obtain the data from the suspect's mobile service provider under the less stringent standard that the information was "relevant" to the investigation.

“While the government’s monitoring of our thoughts may be the archetypical Orwellian intrusion, the government’s surveillance of our movements over a considerable time period through new technologies, such as the collection of cell-site-location records, without the protections of the Fourth Amendment, puts our country far closer to Oceania than our Constitution permits,” (.pdf) Judge Garaufis wrote.

“It is time that the courts begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine. Here, the court concludes only that existing Fourth Amendment doctrine must be interpreted so as to afford constitutional protection to the cumulative cell-site-location records requested here," the judge also wrote.

Source:  http://www.manufacturing.net/News/2011/08/Medical-Hacker–Identifies-Maker-Of-Insecure-Insulin-Pump

When Jay Radcliffe revealed three weeks ago that he'd found serious security holes in a popular type of insulin pump that diabetics wear, he kept two important details secret: the pump maker's name, and the specific technique he used to hack the device.

The problems he found carry exceptional risks, such as being able to program a special remote control to command strangers' pumps to dispense the wrong dosage of insulin. But Radcliffe said he was ignored in repeated attempts to alert the company to the defects. On Thursday he identified the company — Medtronic Inc. — in an effort to apply public pressure to fix the vulnerabilities.

The disclosure raises the risk of attacks on certain Medtronic insulin pumps. But Radcliffe said he hopes that exposure helps fix the problems. He said he tried to handle the disclosure ethically — by working with the company first — and felt "there should have been an ethical response (from the company) to that."

Radcliffe, a diabetic who experimented on his own Medtronic pump, revealed the details to The Associated Press ahead of a planned news conference.

Medtronic would not directly address its interactions with Radcliffe. Spokeswoman Amanda Sheldon said a Medtronic employee attended Radcliffe's presentation at the Black Hat computer security conference this month in Las Vegas and said the company was analyzing his public statements.

"We have to evaluate the sources of the information and figure out what we should do with it," she said.

Radcliffe said his public statements intentionally lacked the specific technical details that Medtronic would need to address the vulnerabilities he's found. After the Department of Homeland Security, which examined his research, helped make the introduction to Medtronic, his calls and e-mails went unanswered, he said, a claim Medtronic wouldn't specifically address.