Your daily source of Pwnage, Policy and Politics.

Episode 451 – 5 Types of Evil, WarSploiting, AT&T-mobile, BigBro vs. Proles, GoogleMoto & BART

InfoSec Daily Podcast Episode 451 for August 15, 2011. Tonight's podcast is hosted by Rick Hayes, Beau Woods, Boris Sverdlik, Karthik Rangarajan, and Varun Sharma.

Announcements:

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21st-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://corp.sonic.net/ceo/2011/08/11/the-five-levels-of-isp-evil/

Recently a number of ISPs have been caught improperly redirecting end-user traffic in order to generate affiliate payments, using a system from Paxfire. A class action lawsuit has been filed against Paxfire and one of the ISPs.

This is a serious allegation, but it’s the tip of the iceberg. I’m not sure everyone understands the levels of sneakiness that service providers can engage in. So, while I’m no expert (we are an ISP that doesn’t do these things), here, as a broad overview, is my quick guide to the five levels of ISP evil and the various “opportunities to monetize customers” that we’ve passed on:

5: Improper NXDOMAIN handling, also known as “Domain Helper” applications. When a customer attempts to visit an invalid site, instead of returning the RFC standard “no such domain” response, the servers provide a search result which includes sponsored links. Sometimes the results are not well matched to the mis-typed domain, and they promote ads instead with broad commercial appeal like insurance, which will generate a high payout if the customer clicks. Extra evil points for making it difficult to opt out of this, requiring opt-out via a cookie or browser setting rather than providing “clean” DNS servers. (Paxfire’s system is positioned as a search/helper application, but these systems can be easily converted, even without the ISP’s awareness, to an affiliate pumping system.) Evil score: 2 evil points, somewhat evil, but now every major access provider provides helpful results for address typos.

4: Clickstream Tracking. An ISP is in a unique position as the point of traffic origination, which creates the opportunity for very in-depth analysis of Internet usage behavior. Tracking the user’s clickstream (the site-to-site-to-site movement as they browse) using a set of tools like Phorm allows service providers to create cash out of information about private use of the Internet. Clickstream data buyers are generally doing ad targeting: if you visited Ford.com and looked at F-250 trucks, then CNN.com, it might make sense to place ads for large Chevy trucks on the CNN page rather than an ad for fabric softener. Absent this prior knowledge that you were a potential truck buyer, the ads might be for something of less interest to you, and thus less likely to be clicked, to “monetize”. Over time, analysis of the complete clickstream can provide lots of insight to advertisers. Extra evil points for selling the clickstream data without telling customers. Evil score: 5. What you do online is private!

3: Ad Swapping. Transparently proxy all web traffic, and when ad banners are in transit, perform real-time swaps of the ads for other ads for which the ISP is getting a cut of the revenue. Legitimate advertiser ads are sometimes fetched so that no one notices the decline in impressions. The pitch to ISPs from companies like NebuAd sometimes included claims of “partnerships” with content sites to better target ads. Extra evil points for ISPs who provide demographic data to the firm running the ad-swapping system. Evil score: 6.

2: Affiliate Program Pumping. As alleged in the Paxfire scheme, ISPs or their accomplices take incomplete or incorrect domain entries typed into the URL bar and direct them to an intermediate page, which redirects transparently to a URL that includes an affiliate tag. So, a consumer types “amazon”, and rather than returning an NXDOMAIN, or even a search result, the ISP DNS server directs them to an IP address which does a content reload toward a URL of the form amazon.com/affiliate-id=XYZ. Purchases made subsequently are compensated as if they were legitimate traffic from an affiliate. Evil score: 8, with a bonus point for poisoning the affiliate ecosystem.

1: Rolling Over. In an attempt to avoid costs or under pressure from government or content creators, ISPs have handed over customer information, and even subjected customer traffic to broad snooping. Allegations range from service providers simply quietly handing over customer info to law firms with improperly filed lawsuits and incorrectly served subpoenas, to the physical wire-tapping of major fiber optic lines. We’ve got your back. Evil score: 10. Potential for human rights violation.
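Levels 5 and 2 above share one observable symptom: a resolver that answers a query for a name that cannot exist with an A record instead of NXDOMAIN. The following is an added example, not code from the Sonic.net post, from Paxfire or from any ISP. It builds a minimal DNS A query for a random label under example.com (an IANA-reserved name, so the label is assumed not to exist and the resolver is assumed to forward the query rather than serve it locally), parses the raw reply, and classifies it as a clean NXDOMAIN or a rewritten answer. The two sample replies and the 192.0.2.10 "helper page" address are constructed for offline use; the live probe function and the resolver IP it takes are the user's own input.

```python
"""Check whether a resolver rewrites NXDOMAIN into an A record.

Added example (not from the Sonic.net post): query a random, nonexistent
label, parse the raw DNS reply, and report NXDOMAIN vs. a substituted answer.
"""
import os
import socket
import struct
import sys

# Assumption: a random subdomain of the IANA-reserved example.com does not exist.
PROBE_ZONE = "example.com"
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Recursive A/IN query: 12-byte header (RD=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, handling a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes):
    """Return (txid, rcode, [IPv4 strings from A records]) for a raw reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(rdata))
    return txid, rcode, addrs


def classify_response(data: bytes, expected_txid: int) -> str:
    """Classify the reply to a query for a name that must not exist."""
    txid, rcode, addrs = parse_response(data)
    if txid != expected_txid:
        return "mismatched-id"  # not a reply to our probe
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "nxdomain"       # RFC-conformant behaviour
    if rcode == RCODE_NOERROR and addrs:
        return "redirected"     # an address was invented for a bogus name
    return "other"


def probe_resolver(resolver_ip: str, zone: str = PROBE_ZONE, timeout: float = 3.0) -> str:
    """Send one live probe over UDP/53 to resolver_ip and classify the reply."""
    name = "nxprobe-" + os.urandom(4).hex() + "." + zone
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data, txid)


def build_response(txid: int, rcode: int, name: str, addrs) -> bytes:
    """Construct a reply (QR=1, RD=1, RA=1) so the parser can be run offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in addrs:  # name pointer to offset 12, A/IN, TTL 60, 4-byte RDATA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


# Constructed samples: a clean NXDOMAIN, and the same query answered with a
# documentation-range address standing in for an ISP "domain helper" page.
PROBE_NAME = "nxprobe-deadbeef." + PROBE_ZONE
SAMPLE_CLEAN = build_response(0x1234, RCODE_NXDOMAIN, PROBE_NAME, [])
SAMPLE_REDIRECTED = build_response(0x1234, RCODE_NOERROR, PROBE_NAME, ["192.0.2.10"])

if __name__ == "__main__":
    print("clean sample      ->", classify_response(SAMPLE_CLEAN, 0x1234))
    print("redirected sample ->", classify_response(SAMPLE_REDIRECTED, 0x1234))
    if len(sys.argv) > 1:  # optional live check: python nxcheck.py <resolver-ip>
        print(sys.argv[1], "->", probe_resolver(sys.argv[1]))
```

Run the live probe against the resolver your ISP hands out via DHCP and against a resolver you trust; a "redirected" verdict from only the former is the behaviour the post calls improper NXDOMAIN handling, and the returned address is the intermediate page that level 2 chains the affiliate redirect from. The transaction-ID check is there so a stray or spoofed datagram is not mistaken for the resolver's answer.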

Source: http://www.darkreading.com/blog/231400180/warvox-gets-an-overhaul-wardialing-added-to-metasploit.html

In early 2009, HD Moore reinvented wardialing with the creation of WarVOX. Since then, penetration testers (and mischievous pranksters) have used it to call millions of phone numbers looking for interesting devices plugged into a phone line. HD unveiled the next generation at BSides Las Vegas with WarVOX 2—a complete rewrite of WarVOX with new features and an eye towards full inclusion within Metasploit.

During HD Moore's talk, the CSO of Rapid7 discussed the evolution of Metasploit since the project was released in 2003 and some of the highlights of the new 4.0 release. Next, he debuted WarVOX 2 discussing some of the major problems with version 1 and its dependencies on various libraries. To deal with those issues, HD rewrote WarVOX and created a VoIP stack in Ruby—a programming language—so WarVOX would have native support to make calls without relying on unreliable third-party code libraries.

In addition to the new Ruby VoIP code and the complete code rewrite, HD moved WarVOX from SQLite3 to PostgreSQL (the same database commercially supported by Metasploit), all voice recordings and images are stored in the database, a new audio fingerprinting system was created, and wardialing functionality has been added to Metasploit.

The move to Postgres makes sense, as that's what Rapid7 officially supports for Metasploit, but where things get really interesting is the new audio fingerprinting. The fingerprinting is described as extremely CPU-intensive during the fingerprint creation process, but matching those fingerprints once generated is incredibly fast.

During the BSides talk, HD demonstrated the fingerprinting features by comparing recordings obtained by calling some of the Las Vegas hotels. He was able to quickly identify numbers where the same people had answered or recorded the voicemail greeting.

Practical purposes? Well, if you're doing recon for a penetration test and social engineering is within scope, imagine if you could call the voicemail of the employee, record their voice from their cell phone, and then call all the phone numbers at their office (or in the nearby residential area) and could identify them automatically.

Source: http://www.csoonline.com/article/687926/riot-suspect-photos-posted-online-by-police-across-the-uk

Police forces across the UK – including in Birmingham, Manchester and London – are shifting their riot investigation tactics, posting large numbers of images of suspected rioters online.

West Midlands Police and Greater Manchester Police are leading the way outside of the capital after London's Metropolitan Police began posting photos of riot suspects on Flickr. Serious riots initially broke out across London at the weekend, and then spread to Manchester, Salford, Birmingham, Liverpool, Nottingham and Bristol.

As prime minister David Cameron vowed to clamp down on the trouble makers, police forces told ComputerworldUK.com they were determined to make better use of technology – in order to interact directly with large numbers of members of the public.

The forces are calling for people to identify the rioters and call them, as well as inviting them to send in their own photos.

"Our website normally gets around 500,000 unique visitors a month but we've had well over 300,000 hits in the first 11 days of August alone, as we put the suspects' photos live," said a spokesperson at West Midlands Police, which is investigating Tuesday's riots in Birmingham.

Around 15 percent of the site's traffic comes from mobile devices, and this number spikes when people want quick information following incidents, according to the force.

West Midlands Police has uploaded 32 pictures from CCTV images, and plans to upload more each day. "We couldn't investigate in the way we're doing it without this technology," said the force's spokesperson. "It's vital for interacting with people."

The force is also closely monitoring Twitter, Facebook and BlackBerry Messenger for potential disruption, and is using social networking sites to update local residents on its work.

Greater Manchester Police, meanwhile, has placed a form on the front of its website in order to enable people to directly upload rioter photos, videos and audio evidence. These pictures are moderated, and the ones that could aid identification are uploaded.

A spokesperson at the force, which is addressing widespread rioting in Manchester city centre on Tuesday, said the force had already uploaded 18 suspect photos to its Flickr stream and was adding the "clearest" and "most useful" photos each day from CCTV and users' cameras.

Source: http://threatpost.com/en_us/blogs/google-acquires-device-maker-motorola-mobility-125b-081511

Search giant Google announced a major move into the mobile device space on Monday with a $12.5 billion purchase of Motorola Mobility Holdings.

The deal, announced Monday morning, puts Google into the mobile handset manufacturing game and gives the company an arsenal of valuable patents for its mobile handsets and tablets. Google said it would pay $40.00 per share in cash, for a total of about $12.5 billion for the company.

Motorola Mobility spun off from parent company Motorola Inc. in January. The transaction was unanimously approved by the boards of directors of both companies and represented a premium of about 63% to the closing price of Motorola Mobility shares on Friday, August 12, 2011, Motorola said in a statement.

Source: http://www.upi.com/Top_News/US/2011/08/15/Hackers-attack-San-Franciscos-BART-site/UPI-32261313418763/

Anonymous said it had broken into a Web site associated with San Francisco's BART train service and released customer data.

The hackers said the attack was in retaliation for BART's decision to block cellular telephone service to prevent an anti-police protest, the San Francisco Chronicle reported Monday.

BART said it is considering doing the same thing later Monday in response to Anonymous' call for a 5 p.m. protest at BART's Civic Center Station where police fatally shot a man brandishing a knife last month.

"We're going to take steps to make sure our customers are safe," agency spokesman Jim Allison said. "The interruption of cell phone service was done Thursday to prevent what could have been a dangerous situation. It's one of the tactics we have at our disposal. We may use it; we may not. And I'm not sure we would necessarily let anyone know in advance either way."