Your daily source of Pwnage, Policy and Politics.

Episode 460 – Censorship Averted, Recruitment plan.xls, 10 Years Of XP, Orwellian & Insulin Pump

InfoSec Daily Podcast Episode 460 for August 26, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Geordy Rostad, and Mr. B0n3z.

Announcements:

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN

http://www.technologycouncil.com/connect/infosec-2011/

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to the Louisville Infosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://www.guardian.co.uk/media/2011/aug/25/government-plan-shut-twitter-facebook

The (UK) government has climbed down on plans to ban suspected rioters from using social networking websites in times of civil unrest.

The home secretary, Theresa May, told social networks at a meeting on Thursday that the government had no intention of "restricting internet services".

Research in Motion (RIM, the maker of BlackBerry), Facebook and Twitter were summoned to the meeting with May after David Cameron signalled a clampdown on the sites following the recent riots in England.

The social networks were poised to face down the government on its plans, which they warned could usher in a new form of online censorship in the UK.

However, government ministers sought to back away from the prime minister's comments and instead focus on how law enforcement could better use Twitter and Facebook in emergencies.
A Home Office spokeswoman described the meeting as constructive. May chaired the meeting with the Foreign Office minister Jeremy Browne, and members of the Association of Chief Police Officers.

The Home Office said in a statement: "The discussions looked at how law enforcement and the networks can build on the existing relationships and co-operation to prevent the networks being used for criminal behaviour. The government did not seek any additional powers to close down social media networks."

The possibility of banning suspected rioters from social networks was first raised by Cameron a fortnight ago when he vowed to do whatever it took to prevent a repeat of the riots and looting.
Hours before the meeting human rights groups sent an open letter to government ministers warning that powers restricting the internet could be "susceptible to abuse" and undermine free speech.

May is understood to have opened the meeting by immediately ruling out restrictive measures and indicating that it was a discussion about improving law enforcement online.

According to sources at the meeting, police acknowledged that they "needed to do more" with regard to learning how to use social media. The Metropolitan police are understood to have said they were "slightly behind" other forces when it came to Twitter and Facebook.

Surprisingly, RIM was not forced to explain how its BlackBerry Messenger service differed from other social networks, despite the system reportedly having played a pivotal role for the rioters.
A spokeswoman for Facebook said the discussion was constructive, building on work her firm already did to ensure Facebook was "one of the safest places on the internet". She said: "We welcome the fact this was a dialogue on working together to keep people safe rather than about imposing restrictions on internet services."

A Twitter spokeswoman said: "Governments and law enforcement agencies around the world use Twitter to engage in open, public, communications … we've heard from many that Twitter is an effective way to distribute updates and dispel rumours in times of crisis or emergency."
In a statement RIM said: "RIM continues to maintain an open, positive, dialogue with the UK authorities and continues to operate [within] UK regulations."

The Home Office meeting followed a study of riot-related tweets, compiled by the Guardian, that cast doubt on the rationale behind Cameron's proposal to bar suspect rioters from Twitter and Facebook.

Source: http://www.f-secure.com/weblog/archives/00002226.html

RSA was hacked in March. This was one of the biggest hacks in history. The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.

This bothered Timo Hirvonen. Timo is an analyst in our labs and he was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file – with no luck. Until this week.

Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls

After five months, we finally had the file.

And not only that, we had the original email. Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.

In this video you can see us opening the email to Outlook and launching the attachment. The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over.
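As an added example (a hypothetical scanner written for these notes, not Timo's tool and not code from the F-Secure post), the following Python script does the kind of search the story describes: it looks through a sample's raw bytes for Flash (SWF) headers, of the sort embedded in the .xls, and checks that each header's declared length agrees with the body, so a random byte run that happens to spell "FWS" is rejected. The sample input is constructed inline; function names and the version bound are assumptions.

```python
"""Locate embedded Flash (SWF) objects inside an arbitrary file, e.g. an OLE2 .xls
or an Outlook .msg. Hypothetical scanner written for this page, not F-Secure's tool."""
import struct
import zlib

# A SWF starts with a 3-byte signature, a 1-byte version and a 4-byte little-endian
# length of the whole uncompressed file, header included.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # raw, zlib-compressed, LZMA-compressed
MAX_SWF_VERSION = 40  # assumption: loose upper bound that rejects random "FWS" byte runs


def _body_checks_out(sig, data, pos, length):
    """True if the bytes after the header are consistent with the declared length."""
    body = data[pos + 8:]
    if sig == b"FWS":                       # uncompressed: declared length must fit
        return pos + length <= len(data)
    if sig == b"CWS":                       # zlib: inflate and compare with declared length
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            return False
        return len(inflated) + 8 == length
    return None                             # ZWS (LZMA): header only, body not validated here


def find_embedded_swf(data):
    """Return sorted (offset, signature, version, declared_length, body_ok) tuples
    for every plausible SWF header found anywhere in data."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                length = struct.unpack("<I", header[4:8])[0]
                if 0 < version <= MAX_SWF_VERSION and length > 8:
                    hits.append((pos, sig.decode(), version, length,
                                 _body_checks_out(sig, data, pos, length)))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def build_constructed_sample():
    """Constructed test input: OLE2 magic, filler, a decoy 'FWS' with an absurd version,
    then a small zlib-compressed SWF stub (inert bytes, not a real Flash object)."""
    stub_body = bytes(range(48))            # stands in for RECT, frame data and tags
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(stub_body)) + zlib.compress(stub_body)
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
            + b"FWS\xff\xff\xff\xff\xff" + b"\x00" * 16 + cws + b"\x00" * 32)
```

Running `find_embedded_swf(build_constructed_sample())` reports only the CWS stub at offset 96 with body_ok True; the decoy is dropped by the version bound.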

After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.

Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

The attack email does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems.

So, was this an Advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. But the exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.

Source: http://www.f-secure.com/weblog/archives/00002222.html

Let's compare the major computer operating systems at the moment. We have Windows XP, Windows Vista and Windows 7. We have various Linux distributions. And we have Mac OS X.

Of these, obviously Windows XP has the weakest security, by far.

And Windows XP has the biggest market share, too. Globally close to half of all computers still run XP.

And today, Windows XP is ten years old.

Ten years is an eternity in this business. So it's no wonder XP's security architecture is not up to date.

As a result, attackers right now would be stupid to spend their time and money targeting any other operating system. That makes no sense as long as they have this huge, easy low-hanging fruit.

Obviously XP is going away. As we can see from this chart, Windows 7 will pass XP in the near future and will become the most common operating system.

And when XP's market share drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on.

The attackers have never had it so good. The easiest target is also the most common target. This can't change quick enough.

Do a good deed today. Uninstall an XP.

Source: https://www.infosecisland.com/blogview/16110-Federal-Judge-Calls-Geolocation-Tracking-Orwellian.html

U.S. District Judge Nicholas Garaufis has ruled that law enforcement must obtain a full-fledged search warrant based on probable cause in order to access the geolocation data of a suspect during the course of an investigation.

Federal law enforcement authorities had sought to obtain the data from the suspect's mobile service provider under the less stringent standard that the information was "relevant" to the investigation.

“While the government’s monitoring of our thoughts may be the archetypical Orwellian intrusion, the government’s surveillance of our movements over a considerable time period through new technologies, such as the collection of cell-site-location records, without the protections of the Fourth Amendment, puts our country far closer to Oceania than our Constitution permits,” Judge Garaufis wrote.

“It is time that the courts begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine. Here, the court concludes only that existing Fourth Amendment doctrine must be interpreted so as to afford constitutional protection to the cumulative cell-site-location records requested here," the judge also wrote.

Source: http://www.manufacturing.net/News/2011/08/Medical-Hacker–Identifies-Maker-Of-Insecure-Insulin-Pump

When Jay Radcliffe revealed three weeks ago that he'd found serious security holes in a popular type of insulin pump that diabetics wear, he kept two important details secret: the pump maker's name, and the specific technique he used to hack the device.

The problems he found carry exceptional risks, such as being able to program a special remote control to command strangers' pumps to dispense the wrong dosage of insulin. But Radcliffe said he was ignored in repeated attempts to alert the company to the defects. On Thursday he identified the company — Medtronic Inc. — in an effort to apply public pressure to fix the vulnerabilities.

The disclosure raises the risk of attacks on certain Medtronic insulin pumps. But Radcliffe said he hopes that exposure helps fix the problems. He said he tried to handle the disclosure ethically — by working with the company first — and felt "there should have been an ethical response (from the company) to that."

Radcliffe, a diabetic who experimented on his own Medtronic pump, revealed the details to The Associated Press ahead of a planned news conference.

Medtronic would not directly address its interactions with Radcliffe. Spokeswoman Amanda Sheldon said a Medtronic employee attended Radcliffe's presentation at the Black Hat computer security conference this month in Las Vegas and said the company was analyzing his public statements.

"We have to evaluate the sources of the information and figure out what we should do with it," she said.

Radcliffe said his public statements intentionally lacked the specific technical details that Medtronic would need to address the vulnerabilities he's found. After the Department of Homeland Security, which examined his research, helped make the introduction to Medtronic, his calls and e-mails went unanswered, he said, a claim Medtronic wouldn't specifically address.