InfoSec Daily Podcast Episode 447 for August 9, 2011. Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, b0n3z, and Varun Sharma.
Announcements:
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories:
Source: http://www.cnn.com/2011/TECH/web/08/05/def.con.hackers/index.html?npt=NP1&on.cnn=1
In the Masquerade wing of the Rio Hotel and Casino in the gambling capital of the world, there's a giant statue of a head hanging over a lobby of slot machines.
The masked figure has two faces and four digital eyes — clairvoyant blue — that track back and forth constantly, as if recording the movements of everyone who enters.
That awkwardly self-conscious — even slightly paranoid — feeling you get from seeing being watched by that enormous casino head is pretty much a steady-state for most of the hackers who attend the DEF CON hacker event, taking place at the Rio this weekend.
Started 19 years ago as an underground gathering of sometimes-nefarious computer wizards, DEF CON has sprawled into a 15,000-person, four-day convention where anyone with $150 — in cash only, please, lest these hackers give up their identities — can learn the latest tricks and trade of computer hacking, lock picking and security breaching.
The aim of the event is to better inform both insiders and everyday people about the risks of operating in our increasingly digital world and to work on solutions. But the practical result of gathering this many highly skilled hackers in one building — in a Las Vegas casino, no less — is that everyone here is experiencing some level of terror.
Insiders say there's no place on Earth where you're more likely to get hacked.
"You're on the most hostile network in the world. If you can perform business here, you can do it anywhere," said Brian Markus, referring to the public Wi-Fi network at DEF CON, which veterans know to steer clear of.
Unlike at other tech events, which tend to focus on Facebook-like concepts such as "sharing" and "connecting," DEF CON is all about who can stay the most private, and therefore, who will remain the most secure in this digital war zone.
Those who don't are shamed into doing so.
Markus, for example, sits in a dark room in the Rio's conference center watching Internet traffic. When he sees a password fly across the connection, which is often, he posts part of it, along with the user's log-in name and the site he or she was using, on a large projection screen, which he calls the "Wall of Sheep."
Within an hour of watching for passwords on Friday morning, his team from Aries Security had racked up 10 half-shaded passwords. (The team, and others, can see the full passwords and usernames, but they choose to protect the victims by only displaying the first three characters of each password. Kind of them, huh?)
So, how does one avoid the "Wall of Sheep"?
Markus suggests scrambling your Internet connection.
There are several free services that will do this, including OpenVPN and Ace VPN. That way, if someone like him is "sniffing" the Wi-Fi connection you're using, they won't be able to see exactly what you're up to.
Another method: Type in "https" instead of "http" in your browser bar. That puts you on a more secure version of many major websites.
Plenty of people, however, are subjected to more sophisticated hacks.
Dan Kaminsky, one of the world's most notable do-gooder hackers, said he had his personal passwords, e-mails and instant messages with a girlfriend dumped out into the public domain at a previous DEF CON event.
"If you walk onto a battlefield, you might get shot," he said.
People still try to dodge the bullets, though.
As he darted through a mob of black-T-shirt-wearing convention attendees, Eli, better known by his hacker handle "Dead Addict," told me how much he hates crowds.
Not only is there the social anxiety, there's also the chance someone with an RFID reader and an antenna in their backpack could swipe your credit card info right out of your pocket.
The readers are the size of an old Walkman and, with a proper antenna, can grab data right off of credit cards that use quick-swipe technology (you can tell if you have one of these cards by looking for a little radio-wave symbol).
Eli, who started hacking in his teens and stopped breaking into corporate sites after all of his friends got arrested for doing the same thing, carries a metal-lined wallet to block this attack.
Other DEF CON veterans said they purchase junk computers they can throw away after the convention because they figure they're going to get infected. Eli says he just leaves the laptop at home.
Most of the attendees carry cash. No one uses the ATMs after an incident in 2009 in which someone rolled a fake ATM machine into the event, according to Wired, and apparently used it to collect credit card information instead of dispensing money.
There's also the anonymity of it all. Some hackers only go by their handles. Others don't want digital records they attended the event, which does not require attendees to register or give their real names.
I got an e-mail warning me about some of these security idiosyncrasies before I got on a plane for Vegas. Written by a DEF CON spokeswoman, and reprinted with her permission, the note was full of jaw-dropping advice:
Hi John,
Great talking with you!
You are about to enter one the most hostile environments in the world. Here are some safety tips to keep in mind …
- Your hotel key card can be scanned by touch, so keep it deep in your wallet.
- Do not use the ATM machines anywhere near either conference. Bring cash and a low balance credit card with just enough to get you through the week.
- Turn off Fire Sharing, Bluetooth and Wi-Fi on all devices. Don't use the Wi-Fi network unless you are a security expert; we have wired lines for you to use.
- Don't accept gifts, unless you know the person very well – a USB device for instance.
- Make sure you have strong passwords on ALL your devices. Don't send passwords "in the clear," make sure they are encrypted. Change your passwords immediately after leaving Vegas.
- Don't leave a device out of sight, even for a moment.
- People are watching you at all times, especially if you are new to the scene.
- Talk quietly. Conduct confidential phone calls off site …
That is it for now.
For now?
After seeing that, I left my credit cards, debit card and company laptop in my hotel room — hidden, of course, since I'm on this newly paranoid kick. I kept my iPhone on "airplane" mode for most of Friday, turning it on only to send a couple texts.
I was particularly concerned about this phone hacking stuff, so I asked Austin Steed, another security researcher-slash-hacker about that.
He said mischievous hackers can install their own cell phone towers to intercept your calls before passing them on to the real mobile carrier. These "man-in-the-middle attacks," he said, let hackers eavesdrop, but they can also alter the conversation you're having, without your knowledge.
"You send a text saying 'I love you,' and he (the hacker) says, 'I want to break up with you.'" Or worse than that, Markus said, you could be doing business — maybe the hacker would change "sell it all" to "buy it all," with potentially huge ramifications.
The hackers who attend DEF CON — now in their thirties instead of their teens as they were at the start of the hacker movement — hope, in a strange way, that by teaching people about hacking they will make the tech world safer.
DEF CON is their playground of sorts. Many of the hacks aren't necessarily malicious. They are people toying around just to see what's possible.
If they don't do it, then the really bad guys will, they say. There are sessions on cracking Google, PayPal, Apple — even cars and prison cells.
DEF CON attendees can also learn how to pick locks. On Friday, 17-year-old Cherry Rose de los Reyes picked her first lock while her dad, Roselito, an IT professional, watched admiringly.
"I think I got it," she said, turning a key she had reverse-engineered.
"There, now I don't have to pay Home Depot no more!" her dad said with a laugh.
Some parents might cringe at a dad helping his teenage daughter learn a skill that could be used for breaking and entering. But Roselito de los Reyes says they'd be missing the point.
It's not about breaking the lock, he said, it's about learning the lock can be broken.
"If you educate them not to have a false sense of security just because you have a lock, then being able to open a lock might teach them to use a barbell on the door at home."
So maybe there's a point to the paranoia after all.
Geordy’s comments: Instead of using the ATMs, I went to Whole Foods and got cash back on my groceries. No ATM fee and it’s abour 7 miles from the strip so I’m reasonably sure it didn’t get tampered with. As far as internet goes, I used the 4G mobile hotspot on my cell phone and used www.logmein.com to remote back into my home computer. I brought no data with me at all except my contacts that were synced on my Android phone.
Source: http://www.geekwithlaptop.com/the-history-of-computer-viruses-at-defcon
F-Secure Chief Technical Officer Mikko Hyponnen displayed a floppy disk with a copy of the first PC virus, Brain, and tracked down the virus writers to a town near Lahore, Pakistan.
The original computer virus was called “Brain“, with the brother behind the code now operating the Brain Communications Internet Service Provider from the same house where the virus was written 25 years ago. According to Hyponnen, “There was no real motive” behind the virus, which like most viruses was released as a proof of concept.
Hyponnen then went through a basic history of viruses he had been involved in removing, including details into some of the more famous offerings. One playful but incredibly harmful example was called “Disk Destroyer”, which copied your entire hard disk into RAM and gave you three chances to win it back through a basic slot machine-style game.
According to Hyponnen, things started to change around 2003, when viruses got much more complex and started to cause much more damage. For example, a virus managed to stop the train network in Washington D.C in 2003, which was “the basic reason why serious problems like these were finally taken seriously,” Hyponnen said.
2003 also saw the introduction of “Fizzer”, which was the first virus released with the sole purpose of making money. Fizzer spread email spam as a way to make cash, a method that every computer user today is more than familiar with.
“We also began to see a geographical shift where viruses were written,” said Hyponnen. “From 1986 to 2003, it was mostly Western countries, the U.S., Western Europe, Japan. From 2003 on, it was Russia, Eastern Europe, Ukraine, China, and South America, especially Brazil.”
Geordy’s comments: Really wish I’d seen this.
Source: http://download.cnet.com/8301-2007_4-20089152-12/10-year-old-hacker-finds-zero-day-flaw-in-games
A 10-year-old hacker who goes by the pseudonym CyFi revealed at DefCon 19 a zero-day exploit in games on iOS and Android devices that independent researchers have confirmed as a new class of vulnerability. The girl from California first discovered the flaw around January 2011 because she "started to get bored" with the pace of farm-style games.
Speaking to CNET about an hour before her presentation, CyFi said, "It was hard to make progress in the game, because it took so long for things to grow. So I thought, 'Why don't I just change the time?'" Most of the games she discovered the exploit in have time-dependent factors. For example, planting corn might take 10 real-time hours to mature in the game. Manually advancing the phone or tablet's clock forced the game further ahead than it really was, opening up the exploit.
She is not revealing at this time which games are affected because of reasonable disclosure, thus giving the vendors that make the affected games a chance to respond.
While many games will detect and block this kind of manipulation, CyFi said that she discovered some ways around those detections. Disconnecting the phone from Wi-Fi made it harder to stop, as did making incremental clock adjustments.
CyFi's mother, who must remain anonymous to protect her daughter's identity, told CNET that at the end of CyFi's presentation at DefCon Kids they would offer a $100 reward to the young hacker who found the most games with this exploit over the following 24 hours. The reward is sponsored by AllClearID, a identity protection company that is also sponsoring the DefCon Kids. This is the first year of DefCon Kids programming at the conference, a reflection of the fact that members of the hacking community are getting older and raising families.
Already an artist who has performed an improvised, 10-minute-long spoken word piece in front of 1,000 people at the San Francisco Museum of Modern Art, a Girl Scout, and a state-ranked downhill skier, CyFi revealed that she was only a little bit nervous about having to speak in front of the 100 or so expected attendees. She admitted that while it was probably different publicly speaking about a topic with such a specific focus, it would be hard for her to imagine what those differences might be. "Well, I haven't done it yet," she said.
As various governments have tried to clamp down, censor and/or filter the Internet, all it's really done is increase interest and usage of encryption tools such as VPNs. Every so often we have commenters who insist that outlawing encryption is the obvious next step for governments, though that suggests an ignorance of the practical impossibility of truly banning encryption — which, after all, is really just a form of speech. The US, of course, famously toyed with trying to block the export of PGP in the 90s, but finally realized that it would likely lose big time in a court battle. While I could certainly see some politicians here trying to ban certain forms of encryption, I couldn't see any such effort being successful long term.
In other countries, however, they seem ready to make a go of it. Privacy International is reporting that Pakistan is trying to ban the use of encryption, including for VPNs, as part of the implementation of a new telco law which requires telcos to spy on their customers. Obviously, encryption makes that tougher, so the response is just to ban it entirely.
But here's the big question: can any such ban really be effective? I mean, if you and I agree on using a simple cipher between us, that's "encryption," but is indistinguishable from "speech" in most contexts. That means any such ban on encryption is effectively and practically useless the moment it goes into effect. There will always be incredibly simple ways around it. Trying to ban encryption is like trying to ban language. You can't reasonably do it.
Source: http://mashable.com/2011/08/07/nuance-ios5/
Apple’s iOS 5 for iPhone, iPad and iPod touch is on the way, and now that the iOS5 beta software is available to developers, clues of a partially hidden feature have been uncovered: Nuance speech recognition, rumored to be tightly integrated within iOS 5.
Although the upcoming speech-recognition features are not operational yet in the iOS 5 beta, parts of it are currently visible in the interface. As you can see in the graphic above, 9to5 Mac points out the microphone icon, placed next to the space bar on the iOS keyboard that’s used throughout the operating system. When a user touches that microphone icon, it opens the speech recognition interface that you see on the right of the graphic above.
So far, it appears the speech recognition capability is only built into the iPhone and iPod Touch, but 9to5 Mac says it’s not too late for it to also appear in the iPad version of iOS 5 by the time it’s released.
Not surprisingly, the secretive Apple is trying to hide the existence of the new features. In the case of the Nuance speech recognition integration, that secrecy probably also has something to do with the incomplete negotiations between Apple and Nuance, the company behind the Dragon speech recognition engine for Mac and PC that we favorably reviewed last month.
Although last year Apple bought the Siri speech recognition-capable app, according to MacRumors, Apple is still in negotiations with Nuance, which also owns the speech recognition tech behind Siri and many other iOS apps.
We spoke with Nuance officials couple of weeks ago, and while they strongly hinted at ongoing negotiations with Apple involving the Nuance’s ubiquitous speech recognition engine, they weren’t talking specifics yet.
In my view, Nuance has been consistantly upgrading the accuracy of its speech recognition engine, and if it were able to facilitate accurate speech recognition throughout the iOS interface, it would significantly enhance all iOS devices.
Geordy’s comments: Can anyone say, “My voice is my passport, verify me”? So many potential lulz here…
Source: http://news.softpedia.com/news/Gordon-Ramsay-Claims-His-Email-Was-Hacked-215873.shtml
British celebrity chef and restaurant chain owner Gordon Ramsay is accusing members of his wife's family of planting spyware on his company's computers to intercept his personal and business email.
In a lawsuit filed this month, he claims that his father-in-law and former CEO of Gordon Ramsay Holdings, Chris Hutcheson, defrauded the company together with his son and other members of their family.
The complaint which is the result of months of investigations by a team of specialists hired by Ramsay, claims that Hutcheson stole £1.42 million of company money as direct withdrawals or transfers to his private bank account.
Hutcheson's son Adam, brother of Gordon Ramsay's wife Tara and the company's former managing director is also accused of misusing company funds and helping his father cover up the fraud.
According to the Daily Mail, Ramsay also discovered that his father-in-law has been living a second life for over over 30 years with a secret wife and two grown-up children.
More importantly from an information security perspective, are the chef's claims that Hutcheson with the help of a computer expert named Kevin Fung, installed spyware on the company's computers and monitored his business and personal emails.
