InfoSec Daily Podcast Episode 462 for August 30, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Them, and Varun Sharma.
Announcements:
OWASP NY/NH
When: Sept 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS
Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/
Wim Remes ISC2 Official Petition
When: Deadline September 19, 2011
What: CISSPs can send their NAME, the EMAIL ADDRESS registered with ISC2, and CERTIFICATION NUMBER to [email protected].
http://blog.remes-it.be/petition.html
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to go to Louisville Infosec the day before, email chair (at) LouisvilleInfoSec.com for a $50-off discount code.
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!
Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories:
Source: http://www.theregister.co.uk/2011/08/30/fraudulent_google_cert_update/
A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.
Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.
Vasco said in its statement that a July 19 breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details.
“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.
Source: http://www.eweek.com/c/a/Security/Morto-Worm-Infects-Windows-Systems-With-Weak-Passwords-815241/
The latest Internet worm targeting Windows Remote Desktop Protocol attacks the lowest-hanging fruit: weak administrator passwords. A tip: "letmein" is not a good password.
A new worm, called "Morto," has been infecting Windows machines via Remote Desktop Protocol, according to security researchers.
Morto is the first Internet worm to use RDP as an infection vector, Mikko Hypponen, the chief research officer of F-Secure, wrote Aug. 28 on the F-Secure News from the Lab blog. Unlike previous automated worms such as CodeRed, Blaster, Sasser and Slammer, which wreaked havoc on enterprise networks, this worm does not exploit any specific Windows vulnerability. Instead, it looks for machines on the network with port 3389 (the RDP port) open and then tries to brute-force the password to take over the machine, Hypponen said.
Marc Maiffret, CTO of eEye Digital Security called Morto a "silly worm" on eEye's Security In-Focus blog. Morto "appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP," Maiffret said.
Using the following user names:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5
The following passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
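The two things a defender wants from the lists above are a way to test whether an account would fall to Morto's dictionary and a way to spot the brute force in logs. The following is an added example, not code from the article, F-Secure or eEye. It assumes that `%u%` in the password list is a placeholder for the username (so `%u%12` tried against `sql` means `sql12`), and it runs over constructed records that only loosely mimic Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the field layout, the 5-failures-per-60-seconds threshold and the source addresses are all our own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Username and password lists as quoted above from the Morto write-ups.
MORTO_USERS = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner",
    "root", "server", "sql", "support", "support_388945a0", "sys",
    "test2", "test3", "user", "user1", "user5",
}
MORTO_PASSWORDS = [
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "!@#$%^", "%u%",
    "%u%12", "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234",
    "admin", "admin123", "letmein", "pass", "password", "server", "test", "user",
]


def candidate_passwords(username):
    """Expand the list for one account. Assumption: '%u%' stands for the
    username, so for 'sql' the entries '%u%' and '%u%12' become 'sql'/'sql12'."""
    return {p.replace("%u%", username) for p in MORTO_PASSWORDS}


def is_morto_credential(username, password):
    """True if Morto's dictionary would log in with this account/password pair.
    Windows account names are case-insensitive; the passwords are not."""
    user = username.lower()
    return user in MORTO_USERS and password in candidate_passwords(user)


# Constructed records (not real event-log output), one per line:
# <timestamp> <event id> <logon type> <source ip> <target user>
SAMPLE_LOG = """\
2011-08-28T02:14:01 4625 10 10.0.0.7 Administrator
2011-08-28T02:14:02 4625 10 10.0.0.7 Administrator
2011-08-28T02:14:03 4625 10 10.0.0.7 admin
2011-08-28T02:14:04 4625 10 10.0.0.7 root
2011-08-28T02:14:05 4625 10 10.0.0.7 sql
2011-08-28T02:14:06 4625 10 10.0.0.7 backup
2011-08-28T02:14:07 4624 10 10.0.0.7 backup
2011-08-28T02:20:10 4625 10 10.0.0.9 jsmith
2011-08-28T02:20:25 4625 10 10.0.0.9 jsmith
2011-08-28T02:31:00 4625 3 10.0.0.11 administrator
2011-08-28T02:31:01 4625 3 10.0.0.11 administrator
2011-08-28T02:31:02 4625 3 10.0.0.11 administrator
2011-08-28T02:31:03 4625 3 10.0.0.11 administrator
2011-08-28T02:31:04 4625 3 10.0.0.11 administrator
2011-08-28T02:31:05 4625 3 10.0.0.11 administrator
"""


def parse_event(line):
    ts, event_id, logon_type, src_ip, user = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), src_ip, user.lower()


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed RDP logons inside any `window`.
    Non-RDP failures (logon type 3 here, i.e. network/SMB) are ignored so the
    rule stays specific to what Morto does; a later RDP success from a flagged
    source is reported too, since that is the sign the brute force worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, event_id, logon_type, src, user = parse_event(line)
        if logon_type != 10:
            continue
        if event_id == 4625:
            failures[src].append((t, user))
        elif event_id == 4624:
            successes[src].append((t, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):          # sliding window over sorted times
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_failure = events[0][0]
            alerts[src] = {
                "max_failures_in_window": best,
                "morto_usernames": sorted({u for _, u in events} & MORTO_USERS),
                "success_after_failures": any(t > first_failure for t, _ in successes[src]),
            }
    return alerts
```

In the constructed log only 10.0.0.7 is flagged: 10.0.0.9 is a user mistyping twice, and 10.0.0.11 hammers the same account but over a logon type Morto does not use. Against a real Security log the same shape applies, with the source address and target user taken from the 4625 event's fields rather than a space-separated line.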
Source: http://www.itnews.com.au/News/268413,phone-bug-discovered-in-aussie-bank-branch.aspx
A major Australian bank has discovered a telephone bug installed inside a branch, being used to siphon the credit and debit card information of unwitting consumers.
The meticulously handcrafted device, smaller than the palm of a hand, was pinned carefully to telephone cable that ran along the carpet floor of the bank's metropolitan branch office.
Two inconspicuous cuts were made in the wire to attach the bug. It would listen for keypad tones as unsuspecting customers keyed in their PINs at the automatic teller.
Each tone woke the device from slumber, and the device diligently broadcast it over a handpicked radio frequency.
The attacker waited in the bank’s carpark and recorded the tones on a laptop. Each tone was then matched to a number, revealing the customer’s PIN.
Corresponding card information was also being copied and stored. The brazen attacker had swapped the terminal on the teller's desk with a skimming device that was capturing enough bank data for replica cards to be manufactured.
The thief needed only to match the timestamps at which each card was swiped and each PIN was keyed to have unfettered access to potentially hundreds of accounts.
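The "each tone was then matched to a number" step is the whole attack, so here is what the attacker's laptop had to do, as an added example that is not part of the itnews article or the podcast. It assumes the keypad tones were standard DTMF (the article does not say which signalling the keypad used); it synthesizes constructed tone frames for a PIN, standing in for the radio capture, and decodes each frame with the Goertzel algorithm, the single-frequency detector DTMF decoders normally use. The 8 kHz sample rate, 100 ms frame length and power threshold are our own choices.

```python
import math
import random

# Standard DTMF keypad: each key is the sum of one low-group (row) tone and one
# high-group (column) tone.  Assumption: the keypad in the story used DTMF.
ROW_FREQS = [697, 770, 852, 941]
COL_FREQS = [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]
RATE = 8000          # samples/s, telephone-band audio
FRAME = 800          # 100 ms per keypress frame


def synth_key(key, noise=0.05, seed=1):
    """Constructed audio for one keypress: both tones plus a little Gaussian
    noise, standing in for what the radio receiver on the laptop would capture."""
    for r, row in enumerate(KEYS):
        if key in row:
            f_low, f_high = ROW_FREQS[r], COL_FREQS[row.index(key)]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    rng = random.Random(seed)
    return [0.5 * math.sin(2 * math.pi * f_low * i / RATE)
            + 0.5 * math.sin(2 * math.pi * f_high * i / RATE)
            + rng.gauss(0.0, noise)
            for i in range(FRAME)]


def goertzel_power(samples, freq):
    """Signal power at one frequency (Goertzel algorithm: a single-bin DFT,
    which is why DTMF decoders use it instead of a full FFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_key(samples, min_power=1000.0):
    """Pick the strongest row and column tone; None if either is too weak
    (silence between keys, or a frame that is only noise)."""
    row_p = [goertzel_power(samples, f) for f in ROW_FREQS]
    col_p = [goertzel_power(samples, f) for f in COL_FREQS]
    r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
    if row_p[r] < min_power or col_p[c] < min_power:
        return None
    return KEYS[r][c]


def decode_pin(frames):
    """Turn a sequence of captured frames into the digits that were keyed,
    dropping the silent gaps between keystrokes."""
    return "".join(k for k in (decode_key(f) for f in frames) if k is not None)
```

A pure tone of amplitude 0.5 over an 800-sample frame gives a Goertzel power of roughly 40000 at its own frequency and a few tens at the neighbouring keypad frequencies, so the row/column decision is not close even with the added noise. On a real capture the only extra work is segmenting the audio into frames at each tone onset, which also yields the timestamps the article says were matched against the card skimmer's records.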
Source: http://nakedsecurity.sophos.com/2011/08/27/os-x-lion-accused-of-having-huge-network-security-hole/
Late last week, I was in a taxi with a business acquaintance, heading to an event at which we were both speaking.
We're both Mac users, so in the fashion of fanbuoys-in-denial the world over, we started chatting about all things Apple. That led us to Lion, which in turn led to my chum James saying, "Have you seen the recent discussions online about LDAP network authentication on Lion clients? It's a really handy feature – if you forget your password, you can just make one up. A real helpdesk time saver!"
This issue has been brewing in online forums for more than a month, pretty much since Lion's release, but has now hit the news in a big way. Irrepressibly eager Register hack Dan Goodin, for example, describes it as a 'huge hole' threatening enterprise networks.
Unfortunately, exactly how extensive the hole is – and exactly where the fault lies, where the fix should come from, and what can be done in the meantime – isn't terribly clear from the articles I've seen, including the discussions on Apple's own forum.
Geordy’s comments: The issue was reported on July 25th and Lion was still released without any fix or acknowledgement of the issue from Apple. The most recent update, 10.7.1, didn't have the fix either.
Source: http://www.surgeonix.com/blog/index.php/archives/117
WebSurgery 0.6 is a suite of tools for security testing of web applications, designed to help security auditors with web application planning and exploitation. It currently includes an efficient, fast and stable web crawler, a file/directory brute forcer, a fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL injection and cross-site scripting (XSS), brute force for login forms, identification of firewall-filtered rules, DoS attacks, and a web proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.
Source: https://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html
Multipass disk overwrite and the “DoD 5220.22-M standard 3-pass wipe” are, at best, urban legends. At worst, they are a waste of time and electricity.
Blame Gutmann…
In 1996, Peter Gutmann presented a paper [GUT96] at a USENIX Security Symposium in which he claimed that overwritten data could be recovered using magnetic force microscopy (MFM) and scanning tunneling microscopy (STM) techniques.
This seminal paper alerted many people to the possibility that data which had been overwritten on an HDD could be recovered using such techniques.
Lacking other research in this area, and despite a lack of corroboration, many of those people adopted Gutmann’s conclusions and recommendations and have ever since believed that multiple overwrites are required to effectively render remnant data irretrievable.
Gutmann’s ultimate recommendation was that no fewer than 35 (!) overwrite passes should be performed to ensure that the original data cannot be retrieved.
However, in the context of current HDD technology, there are several problems with Gutmann’s work:
- Gutmann focused on two disk technologies — modified frequency modulation and run-length-limited encoding — that rely on detection of a narrow range of analog signal values and have not been used for HDDs in the last 10-15 years. Modern HDDs use various kinds of partial-response maximum-likelihood (PRML) sequence detection that uses statistical techniques to determine the maximum likelihood value associated with multiple signal detections [WRIG08].
- Further, areal density (density of data per square unit of area, the product of bit-per-inch linear density and track-per-inch track density) has increased by at least three orders of magnitude [SOBE04] [WIKI08] since the publication of the Gutmann paper. To achieve such densities, head positioning actuators have become significantly more accurate and repeatable.
- Moreover, Gutmann’s paper was theoretical, and I am not aware of any practical validation that data could be recovered using the techniques he described.