Your daily source of Pwnage, Policy and Politics.

Episode 441 – Facial (SSN) ID?, MSFT WiFi, Hackers4Hire, Topiary & CDP tool

InfoSec Daily Podcast Episode 441 for August 2, 2011. Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:

SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When:  Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573


#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21st-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories

Source: http://www.pcmag.com/article2/0,2817,2389540,00.asp

Your face can give away how you feel about something, but what about your Social Security number? Using a specially developed app that runs facial-recognition software, researchers at Carnegie Mellon claim to have identified complete strangers, as well as some of their personal details, with only a photo.
IT professor Alessandro Acquisti and his research team combined facial-recognition software, cloud computing, and data from social networking sites "to identify individuals online and offline in the physical world."
"Since these technologies are also accessible by end-users, the results foreshadow a future when we all may be recognizable on the street — not just by friends or government agencies using sophisticated devices, but by anyone with a smartphone and Internet connection," they said.
Using a mobile app they developed in-house, the team ran three experiments: identifying people on dating Web sites via photos; identifying students walking across campus using their Facebook profile pictures; and predicting personal interests, and sometimes Social Security numbers, with only a photo.
The app "uses offline and online data to overlay personal and private information over the target's face on the device's screen," researchers said. "The seamless merging of online and offline data that face recognition and social media make possible raises the issue of what privacy will mean in an augmented reality world."
Acquisti did not provide additional details on how exactly someone's Social Security number was revealed from Internet photos. He and his team will be at the Black Hat security conference this week, where more details will be revealed during an August 4 presentation.

Source:  http://news.cnet.com/8301-31921_3-20086489-281/microsoft-curbs-wi-fi-location-database

Microsoft has ceased publishing the estimated locations of millions of laptops, cell phones, and other devices with Wi-Fi connections around the world after a CNET article on Friday highlighted privacy concerns.
The decision to rework Live.com's geolocation service comes following scrutiny of the way Microsoft made available its database assembled by both Windows Phone 7 phones and what the company calls "managed driving" by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Every Wi-Fi device has a unique ID, sometimes called a MAC address, that cannot normally be changed.
Live.com's database, which published the precise geographical locations of Wi-Fi devices, was working normally last Friday. By Saturday morning, Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory who had analyzed the Live.com service, noticed that access had been restricted.

Source:  http://krebsonsecurity.com/2011/08/digital-hit-men-for-hire/

Hackers are now openly advertising their illicit services on online forums, where anybody who has a vendetta and a few bucks can hire a hacker to take down the website of their choice.
For his Krebs on Security blog, noted researcher Brian Krebs patrolled several underground forums and found members offering to launch distributed denial-of-service (DDoS) attacks at an average price of $5 to $10 per hour.
For $40 to $50 per hour, the shady computer crooks will launch a day's worth of attacks; the average price for a week is $350 to $400 and $1,200 for a month of havoc.
Hopefully most people will never employ the services of one of these hackers-for-hire. DDoS attacks, however — in which a large network, or "botnet," of automated computers floods a particular website with so much Web traffic that it effectively shuts down — may be using your computer whether you know it or not.

Source:  http://www.brisbanetimes.com.au/technology/security/teen-hacker-bailed-without-net-access-20110802-1i8t4.html

A British teenager charged with hacking offences and believed to be a leading member of the Anonymous and LulzSec online activist groups was released on bail in a London court on condition he did not use the internet.

Jake Davis, 18, who goes by the online nickname of "Topiary", was charged with computer attacks on Sony, UK crime and health authorities and Rupert Murdoch's UK newspaper arm News International.

Anonymous and LulzSec members have been arrested in the United States, Spain, Turkey, Britain and the Netherlands in recent weeks in a crackdown on attacks on targets seen by the activists as hostile to internet freedom of speech.

The arrest of "Topiary" in Scotland's remote Shetland Islands may be the most significant to date in the global effort to end the cybercrime spree by the groups.

Source:  http://www.securestate.com/Documents/cdp.rb

SecureState announced the release of the CDP tool, an additional module for the Metasploit Framework, this time for forging Cisco Discovery Protocol frames.

The Cisco Discovery Protocol has had a history of vulnerabilities in various IOS products. It is used in Cisco environments for devices to advertise information to other Cisco devices, such as versions and capabilities.

Exploiting this protocol has usually resulted in Denial of Service conditions and required using various programs from less-than-reputable sources. One notable exception to this is Yersinia.

However, the Metasploit Framework has been distributed with the Racket library, provided by Jon Hart, which offers an interface for forging raw CDP frames. SecureState is releasing a module that allows users to take advantage of this functionality.