Your daily source of Pwnage, Policy and Politics.

Episode 508 – Tracking Ho’s, Site Down?, TerraAM, Poly9 & India Seizures

InfoSec Daily Podcast Episode 508 for October 31, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Beau Woods, Karthik Rangarajan, and Varun Sharma.

Announcements:

BSidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on current topics (hacker vs. business skill set, etc.), a Lockpick Village run by FALE, and a prize giveaway at the end. And of course an all-day podcast area.

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:
Source:  http://news.discovery.com/tech/gps-shoes-track-kids-alzheimers-prostitutes-111028.html

The first batch of 3,000 shoes with integrated GPS devices — to help track down dementia-suffering seniors who wander off and get lost — just shipped from manufacturer GTX Corp. to the footwear firm Aetrex, two years after plans were announced to develop the product.
The company's first shoes, dreamed up back in 2002 following the Elizabeth Smart case, were intended to locate missing children, and safety is still the driving force behind the company's newest GPS-enabled shoe. According to AFP, the shoes will sell at around $300 a pair and buyers will be able to set up a monitoring service to locate "wandering" seniors suffering from Alzheimer's disease.

The system is implanted in the heel of an otherwise normal shoe, and lets caregivers or family members monitor the wearer and even set up alerts if a person strays outside of a predefined area.

The shoes were certified by the Federal Communications Commission this year. GTX believes the market has great potential, given the soaring costs of Alzheimer's.

"Our first shoe, a demo version of the Platform 001 sandal, was inspired by the prostitutes of ancient Greece and Rome, who enticed clients with their flutes and sandals that left 'follow me' footprints in the earth," explains the website for The Aphrodite Project.

"Our contemporary sandals combine these poetic images from antiquity with promotional and safety features designed to meet the needs of today’s sex workers."

The Aphrodite Project's sandals are designed to protect with a piercing siren to scare off threatening muggers or attackers and a GPS-powered system that can send warnings to police.

Source:  http://smashinghub.com/10-excellent-website-to-check-a-site-down-or-blocked.htm
The list of 10 Best Websites That Let You Check If A Site Is Down Or Blocked:
Just Ping

As the name suggests, this site pings the domain you enter from about 50 locations around the world. A location that reports “Packets lost (100%)” instead of “Okay” cannot reach the site, which usually means it is blocked or unreachable from there.
Results often differ from one run to the next, so check more than once before drawing conclusions.

Watch Mouse

This one is similar to the one mentioned above. It pings your website from 30 locations around the globe, and then lets you know if the website is down or blocked.

Down For Everyone Or Just Me

The name says it all: it lets you check whether a specific site is down for everyone or just for you. Enter the domain you want to check and read the result.

IsUp.Me

IsUp.Me is similar to the Down For Everyone Or Just Me. It works in exactly the same way.

Down Or Not

Enter a site's domain, press Return, and the page tells you whether the site is down. You can also pick from its list of commonly checked sites.

Down Or Is It Just Me

This is yet another website that lets you check if a site is really down or not simply by entering its domain.

Checksite.Us

Just enter the domain of the site you wish to check, and then this website will show you if they can access that website.

Up Or Down

This website lets you check if a site is up or down, simply by entering the domain.

DOJ.me

DOJ.me is short for Down Or Just Me, so this site will show you if the specific website you checked is down or not.
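The services above all do the same thing from many vantage points: resolve the name, connect, fetch. The script below is an added example written for these notes (not code from the post or from any of the listed services) that runs that check from a single vantage point and separates the cases the services lump together as "down": the name failing to resolve, a DNS answer pointing at a sinkhole address, a TCP connection that times out (filtering) versus one that is refused (service down), and an HTTP 403/451 (the site refusing this client) versus a 5xx (the site failing). The sinkhole prefixes and the status-code rules are assumptions for the demo; compare results from a second network before calling anything censorship.

```python
"""Added example (not from the original post or any of the services it lists):
probe one host from this vantage point and classify *why* it looks down.

The sinkhole prefixes and the status-code rules are assumptions for the demo.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Assumed: DNS-level blocks commonly answer with a loopback, unspecified or RFC 1918 address.
SINKHOLE_PREFIXES = ("127.", "0.", "10.", "192.168.")


@dataclass
class Probe:
    dns_ok: bool
    addresses: List[str]        # resolved addresses, empty when resolution failed
    tcp_error: Optional[str]    # None on success, else "timeout" / "refused" / "reset"
    http_status: Optional[int]  # None when no HTTP response was obtained


def looks_like_sinkhole(addresses: List[str]) -> bool:
    return bool(addresses) and all(ip.startswith(SINKHOLE_PREFIXES) for ip in addresses)


def classify(p: Probe) -> str:
    """Map probe results to a verdict a practitioner can act on."""
    if not p.dns_ok:
        return "dns-failure"        # name does not resolve here: dead domain or DNS-level block
    if looks_like_sinkhole(p.addresses):
        return "dns-sinkhole"       # resolves, but to a non-routable address: almost certainly a block
    if p.tcp_error == "timeout":
        return "filtered-or-down"   # packets dropped in transit, or the host is off the network
    if p.tcp_error in ("refused", "reset"):
        return "refused-or-reset"   # host answers but the service does not (down, or injected RSTs)
    if p.http_status is None:
        return "tcp-ok-no-http"     # port open, but no TLS/HTTP exchange completed
    if p.http_status >= 500:
        return "server-error"       # reachable and answering, but failing
    if p.http_status in (403, 451):
        return "http-block"         # site refuses this client: geo/legal block, not an outage
    return "up"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """Live probe: DNS, then TCP connect, then a TLS HEAD request. Needs network access."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return Probe(False, [], None, None)
    if looks_like_sinkhole(addrs):
        return Probe(True, addrs, None, None)
    try:
        with socket.create_connection((addrs[0], port), timeout=timeout):
            pass
    except socket.timeout:
        return Probe(True, addrs, "timeout", None)
    except ConnectionRefusedError:
        return Probe(True, addrs, "refused", None)
    except ConnectionResetError:
        return Probe(True, addrs, "reset", None)
    except OSError:
        return Probe(True, addrs, "timeout", None)  # e.g. "network unreachable": treat as filtered
    status = None
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("HEAD", "/")
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        pass
    return Probe(True, addrs, None, status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe(target)
    print(target, result, "->", classify(result))
```

Run it as `python3 sitecheck.py somehost` from two different networks; a "dns-sinkhole" or "filtered-or-down" on one and "up" on the other is the pattern the multi-location services are looking for.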

Source:   http://www.dailymail.co.uk/news/article-2055311/Hackers-infiltrate-US-satellites-taken-complete-control-achieving-steps-required-command-satellite.html

Chinese hackers are suspected of having taken control of two US government satellites on four occasions in 2007 and 2008, access that could potentially have let them crash the satellites or steal valuable data.
NASA admits one of the two satellites was temporarily accessed twice, in the summer and fall of 2008, but would not comment on the other.

'While we cannot discuss additional details regarding the attempted interference, our satellite operations and associated systems and information are safe and secure' NASA Public Affairs Officer Trent J. Perrotto said in a statement sent to Talking Points Memo.

NASA's admission of the satellite breach comes one month before the release of a report by the US-China Economic and Security Review Commission detailing attacks that are consistent with Chinese military writings.

According to the draft report, however, two satellites were infiltrated four times in 2007 and 2008 for 12 or more minutes.

Terra (EOS AM-1), the satellite NASA has acknowledged was attacked, studies Earth's climate, weather and land use.

Source:  http://9to5mac.com/2011/10/29/apple-acquired-mind-blowing-3d-mapping-company-c3-technologies-looking-to-take-ios-maps-to-the-next-level/

Apple’s Poly9 purchase already showed that Apple is at least interested in three-dimensional mapping. We have now confirmed that Apple has purchased a second 3D mapping company. In August of this year it emerged that 3D mapping company C3 Technologies had been purchased and shut down by its buyer. There was no hard evidence at the time, but Apple was among the handful of companies speculated to be the buyer.

Sure enough, we have now learned that Apple is the owner of C3 Technologies. Sources say that C3 Technologies CEO Mattias Astrom, CFO Kjell Cederstrand, and lead Product Manager Ludvig Emgard are now working within Apple’s iOS division. The trio, along with most of the former C3 Technologies team, is still working together in Sweden (interestingly, the division is now called “Sputnik”), where C3 Technologies was based before the acquisition.

C3 Technologies creates incredibly high-quality and detailed 3D maps with virtually no input from humans. The 3D mapping is camera based and the technology picks up buildings, homes, and even smaller objects like trees. C3's solution comes from declassified missile targeting methods. C3 Technologies’ official company description:

C3 Technologies is the leading provider of 3D mapping solutions, offering photo-realistic models of the world for search, navigation and geographic information systems. Since 2007 when it was spun out of the aerospace and defense company Saab AB, venture-backed C3 has redefined mapping by applying previously classified image processing technology to the development of 3D maps as a platform for new social and commercial applications. The Sweden-based company’s automated software and advanced algorithms enable C3 to rapidly assemble extremely precise 3D models, and seamlessly integrate them with traditional 2D maps, satellite images, street level photography and user generated images, that together are forever changing how people use maps and explore the world.

Source:  http://threatpost.com/en_us/blogs/india-seizes-equipment-linked-duqu-attack-102911

Officials in India have seized components from a server as part of an investigation into the Duqu Trojan, according to a report.

According to Reuters, two workers at Web Werks, a web hosting company based in Mumbai, said the country’s Department of Information Technology took the equipment after security vendor Symantec reported the server was communicating with computers infected with Duqu. First publicized earlier this month, Duqu gained widespread attention due to its similarities with the infamous Stuxnet worm.

In their analysis of the malware, researchers at Symantec have contended that Duqu may have been developed to gather information to lay the groundwork for a Stuxnet-style attack on critical infrastructure. While it doesn’t contain code specifically targeting industrial control systems, Duqu does have elements in common with Stuxnet. For example, Dell SecureWorks’ Counter Threat Unit noted that the kernel drivers for Duqu and Stuxnet utilize many similar techniques in the name of stealth and encryption, such as a rootkit for concealing files. Those techniques however are not unique to either Stuxnet or Duqu, according to the Dell SecureWorks' team.

Thus far, security vendors have observed Duqu infections in a number of countries, including Iran and Sudan. The purpose of the malware however remains unclear.

Marty Edwards, director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, told Reuters his agency is working with its counterparts in other countries to uncover more information about the attack.

Episode 507 – Weekly Wrap Up With Dr. B0n3z

InfoSec Daily Podcast Episode 507 for November 1, 2011.  Tonight's podcast is hosted by Dr. b0n3z and Boris Sverdlik.

Guests: Aricon and Edison Carter

Announcements:

BSidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on current topics (hacker vs. business skill set, etc.), a Lockpick Village run by FALE, and a prize giveaway at the end. And of course an all-day podcast area.

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011
Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:

Source:http://www.theregister.co.uk/2011/10/24/it_crowd_shuts_down/

Nooooooooooooooooo!!!

Source: http://www.army.mil/article/68283/Army_sees_cyber_threats_as_imminent/

Cyber Cyber Cyber!  Get your shot glasses ready for this one.

Source: http://www.reuters.com/article/2011/10/28/cybersecurity-india-idUSN1E79R1G020111028?irpc=932

India shuts server linked to Duqu computer virus

Source:http://www.neowin.net/news/google-over-190-million-android-devices-activated

Google math: Google doesn't sell phones, and their Android OS is FREE. Yet their mobile revenue was US$2.5 billion over last year.  (That’s a lot of zeros!)

Source:http://crypto.com/bingo/pr

Security excuse BINGO.  Need I say more really?

Source:http://www.theregister.co.uk/2011/10/26/fbi_secure_internet/

The FBI’s plan for a newer, better and SECURE internet running….  the same software as everyone else.  FAIL!

Source: http://arstechnica.com/gadgets/news/2011/10/facebook-sees-600000-compromised-logins-per-day006-of-all-logins.ars

600k phony logins per day!!  Can FIS stop it?  Also I’m coining a phrase here “recursive compromise” based on this quote: “Facebook acknowledged blocking roughly 600,000 logins per day, but argued that many of the compromised accounts are somehow compromised off of Facebook. "There may be compromised accounts that appear on Facebook, but more often than not they are compromised off of Facebook”

Did the thought ever occur that Facebook users might just be a bunch of drunks who forget their passwords all the time?  Hmmm.

Source:http://arstechnica.com/business/news/2011/10/arm-aims-for-the-server-room-with-its-new-64-bit-armv8-architecture.ars
ARM your servers!  Ha!  Couldn’t resist.  Low power consumption and cost give this a pretty good chance at adoption.  Are we paving the way for putting Android or ChromeOS in the server racks?  Yikes!

Source:http://www.msnbc.msn.com/id/45064201

Evil hackers are interfering with our satellites…  For the love of god, go watch Real Genius right now if you have never seen it!!!

Source:http://toool.us/deviant/

They've always been CopyLeft, but now all TOOOL lock diagrams are released in a single archive, with master PSD files.

Source: https://www.networkworld.com/news/2011/102411-cyber-insurance-252145.html

Choices, choices…  Should I buy more security guys or just up my cyber insurance policy?  No wonder Infosec is failing.  

If this insurance didn’t exist, might the c-levels take security more seriously?  Furthermore, will the companies (foolishly?) providing this coverage survive the next Lulzsec-style attack?  (Putting on my FUD-flinging gloves…)

Source:https://www.infosecisland.com/blogview/17634-Six-Security-Assessments-Youve-Never-Had-But-Should.html

Six assessments you’ve never had but might want to consider?   We’ll be the judge.

Episode 506 – DC19 Videos, Odds 1/60 & 1/100, Facebook Attachments, Little Orphan Android, FIS & Got Pwn’d?

InfoSec Daily Podcast Episode 506 for October 28, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Geordy Rostad, and Dr. Bonez.

Announcements:
New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families.  No talks, just a bunch of like-minded people and some good food.)

BSidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on current topics (hacker vs. business skill set, etc.), a Lockpick Village run by FALE, and a prize giveaway at the end. And of course an all-day podcast area.

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:
Source: https://www.defcon.org/html/links/dc-archives/dc-19-archive.html

The videos for DEF CON 19 have been posted.  

Source: http://www.darkreading.com/insider-threat/167801100/security/client-security/231901810/social-malice-one-in-100-tweets-and-one-in-60-facebook-posts-are-malicious.html

Here's what social networking looks like on the dark side: one in 100 tweets is malicious, and so is one in 60 Facebook posts.

Facebook users are the least confident in social network security, with 40 percent confessing they feel unsafe on Facebook, while 28 percent feel that way about Twitter, and 14 percent on LinkedIn. But that doesn't mean LinkedIn won't eventually become a big target for cybercrime: "When you look at the actual damage that could be done to a business" by hackers targeting LinkedIn accounts, it's high for business disruption and employee misinformation, for example, says Daniel Peck, senior research scientist with Barracuda Labs, who today at HackerHalted in Miami shared Barracuda's latest data on malicious activity on Twitter, Facebook, and on search engines.

According to new Barracuda survey data of social media users, LinkedIn is the least-blocked social network by enterprises, with only 20 percent of organizations preventing their employees from using LinkedIn from work. That is in contrast to Twitter (25 percent), Google+ (24 percent), and Facebook (31 percent).

Peck predicts that LinkedIn definitely will be a target for badness. "I think there will be a lot of social attacks there," he says.

Interestingly, most users say the important factors to consider when joining a social network are security (92 percent), that their friends use it (91 percent), privacy (90 percent), and ease of use (87 percent). More than 90 percent have received spam over a social network, and more than half have experienced phishing attacks. More than 20 percent have received malware, 16.6 percent have had their account used for spamming, and about 13 percent have had their account hijacked or their password stolen. More than half are unhappy with Facebook's privacy controls.
Meanwhile, Barracuda counted 43 percent of Twitter accounts as "true users" with real followers and regular tweets, and 57 percent as "not true users" — either spam bots or inactive accounts.
Attackers abuse Twitter in much the same way that they engage in search-engine poisoning, according to Peck, casting a wide net and hoping to get more eyeballs. "Facebook manipulates trust more – your Friends are people you make eye contact with," he says.

"Facebook is less likely to get hit by a driveby download or to exploit your browser. Twitter is more likely" to get hit that way, he says. "A Facebook [attack] is more likely going after your data, or pushing an affiliate scam sort of thing."

The good news about Facebook abuse, Peck says, is that it's become high-profile enough that word gets out faster when a scam hits. A prime example was this week, when a "Starbucks' anniversary" scam began to spread. "So Starbucks Corporate put out on Twitter that it was a Facebook scam and was not real," Peck says. "This is getting big enough that the big companies are starting to notice the scams."

Barracuda also measured search malware on Google, Bing, Twitter, and Yahoo over a 153-day period and found 34,627 malware samples, with one in 1,000 search results leading to malware. One in five search topics leads to malware, with "music + video" containing the most malicious links. The number two search term leading to malware was "JenniJ-Woww," with 17 percent of the malicious search results.

Source: http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html

When using the Facebook 'Messages' tab, there is a feature to attach a file. Used normally, the site will not let you attach an executable file. A bug was discovered that subverts this check. Note that you do NOT have to be friends with a user to send them a message with an attachment.
When attaching an executable file, Facebook will return an error message stating:

"Error Uploading: You cannot attach files of that type."

While uploading a file attachment to Facebook we captured the browser's POST request to the web server. Inside this POST request is the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename="cmd.exe "
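What the bypass relies on is the server judging the raw filename string rather than the name the file will actually get, or the bytes it contains. The code below is an added example written for these notes, not Facebook's code: it parses the filename parameter out of the Content-Disposition line shown above, reconstructs the flawed suffix check so the trailing-space bypass can be seen working, and shows a check that normalises the name (trailing spaces and dots, path components, control characters, double extensions) and then looks at the file's own header bytes. The deny list and the "MZ" magic check are assumptions for the demo.

```python
"""Added example (illustrative, not Facebook's code): the trailing-space bypass
described above, and a check that does not fall for it.

The denied-extension list and the magic-byte check are assumptions for the demo.
"""
import os
import re

# Assumed deny list; the real one is not published.
DENIED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".pif", ".msi"}

# The filename parameter of a multipart/form-data part, e.g.
#   Content-Disposition: form-data; name="attachment"; filename="cmd.exe "
_FILENAME_RE = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def filename_from_content_disposition(header: str) -> str:
    """Return the raw filename parameter exactly as the client sent it (spaces included)."""
    match = _FILENAME_RE.search(header)
    if not match:
        raise ValueError("Content-Disposition carries no filename parameter")
    return match.group(1).replace('\\"', '"')


def vulnerable_is_allowed(filename: str) -> bool:
    """Reconstruction of the flawed check: look at the suffix of the raw string.
    "cmd.exe " splits into ("cmd", ".exe "), and ".exe " is not in the deny list."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in DENIED_EXTENSIONS


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Normalise the name before judging it, then judge the bytes rather than the name."""
    # Drop any directory part and control characters, then trailing spaces and dots:
    # Windows strips those itself when creating the file, so "cmd.exe " lands on disk as cmd.exe.
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[\x00-\x1f\x7f]", "", name).strip().rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dot-file
    # Reject a denied token anywhere after the base name: "a.exe.txt" fails as well as "a.txt.exe".
    if any("." + p in DENIED_EXTENSIONS for p in parts[1:]):
        return False
    # The name is attacker-controlled; the content is what actually runs. PE/DOS images start "MZ".
    if data[:2] == b"MZ":
        return False
    return True


if __name__ == "__main__":
    header = 'Content-Disposition: form-data; name="attachment"; filename="cmd.exe "'
    raw = filename_from_content_disposition(header)
    print(repr(raw), "vulnerable:", vulnerable_is_allowed(raw),
          "hardened:", hardened_is_allowed(raw, b"MZ\x90\x00"))
```

The general rule the hardened version follows: canonicalise attacker-supplied input before comparing it against a policy, and prefer a decision based on what the data is (content sniffing, and ideally serving it with a fixed, non-executable content type) over what the client says it is.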

Source: http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support

The announcement that Nexus One users won’t be getting upgraded to Android 4.0 Ice Cream Sandwich led some to justifiably question Google’s support of their devices. I look at it a little differently: Nexus One owners are lucky. I’ve been researching the history of OS updates on Android phones and Nexus One users have fared much, much better than most Android buyers.
I went back and found every Android phone shipped in the United States up through the middle of last year. I then tracked down every update that was released for each device – be it a major OS upgrade or a minor support patch – as well as prices and release & discontinuation dates. I compared these dates & versions to the currently shipping version of Android at the time. The resulting picture isn’t pretty – well, not for Android users:

Source: http://www.newscientist.com/article/dn21095-inside-facebooks-massive-cybersecurity-system.html

FACEBOOK has released details of the extraordinary security infrastructure it uses to fight off spam and other cyber-scams.
                 
Known as the Facebook Immune System (FIS), the massive defence network appears to be successful: numbers released by the company this week show that less than 1 per cent of users experience spam. Yet it's not perfect. Researchers have built a novel attack that evaded the cyber-defences and extracted private material from real users' Facebook accounts.
                 
It took just three years for FIS to evolve from basic beginnings into an all-seeing set of algorithms that monitors every photo posted to the network, every status update, indeed every click made by every one of the 800 million users. There are more than 25 billion of these "read and write actions" every day. At peak activity the system checks 650,000 actions a second.
                 
"It's a big challenge," says Jim Larus, a Microsoft researcher in Redmond, Washington, who studies large networks. The only network bigger, Larus suspects, is the web itself. That makes Facebook's defence system one of the largest in existence.
                 
It protects against scams by harnessing artificially intelligent software to detect suspicious patterns of behaviour. The system is overseen by a team of 30 people, but it can learn in real time and is able to take action without checking with a human supervisor.
                 
One notable attack took place in April, says Tao Stein, a Facebook engineer who works on the system. It began when several users were duped into copying computer code into their browser's address bar. The code commandeered the person's Facebook account, and started sending chat messages to their friends saying things like "I just got a free iPad", along with a link where the friends could go to get their own. Friends who clicked on the link went to a site that encouraged them to paste the same code into their browsers, further spreading the plague. "Attacks like these can generate millions of messages per minute," says Stein.
                 
Users are less likely to fall for a similar tactic when using email, because the message would probably be sent by a stranger.
                 
But inside Facebook's network it's much more persuasive. "It's easier to exploit trust relationships in online social networks," says Justin Ma, a computer scientist at the University of California, Berkeley, who develops methods to combat email spam.
                 
To tackle the attack, FIS generated a signature that it used to differentiate between spam and legitimate messages. This was based on the links in the spam messages, keywords like "free" and "iPad", and the IP addresses of the computers sending the messages.
                 
But spammers can use multiple machines to switch IP addresses, and link redirection services like bit.ly can change links on the fly. So FIS checked to see which messages were being flagged as spam by users and blocked messages with similar keywords in the text. Together with other features of the message, which Facebook declined to discuss for fear of aiding spammers, the system was able to begin developing a signature to identify the spam within seconds of the attack emerging.
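The two paragraphs above describe a feedback loop: the first signature keys on sending IPs and linked hosts, both of which the spammer can rotate, so user reports are used to give weight to the words of the lure, which the spammer cannot change without losing the lure. The code below is an added example written for these notes, not Facebook's FIS; the messages, addresses, stop-word list and threshold are constructed for the demo. It shows the rotated second wave slipping past the IP/host signature and being caught by the keyword weights, while a legitimate message with a link and a linkless message mentioning a free iPad are left alone.

```python
"""Added example (not Facebook's code): a toy version of the signature loop described above,
showing why IP/link features alone are brittle and how user reports feed the content features.

The messages, IP addresses, stop-word list and threshold are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Whole URL is the match; group 1 is the host, which is what a link-based signature keys on.
URL_RE = re.compile(r"https?://([^/\s]+)\S*")
STOPWORDS = {"i", "a", "the", "to", "you", "and", "for", "at", "my", "just", "got",
             "it", "is", "of", "on", "in", "we", "are"}


@dataclass
class Message:
    sender_ip: str
    text: str
    user_reported: bool = False


def content_tokens(text: str) -> Set[str]:
    """Words of the message with the links removed, so URL paths do not pollute the keyword set."""
    return set(re.findall(r"[a-z0-9]+", URL_RE.sub("", text).lower())) - STOPWORDS


@dataclass
class Signature:
    bad_ips: Set[str] = field(default_factory=set)
    bad_hosts: Set[str] = field(default_factory=set)
    keywords: Counter = field(default_factory=Counter)  # word -> number of reported messages using it
    threshold: int = 2                                   # keyword weight needed to flag a linked message

    def matches_by_ip_or_link(self, m: Message) -> bool:
        """The first-generation signature: sender address or linked host."""
        return m.sender_ip in self.bad_ips or any(h in self.bad_hosts for h in URL_RE.findall(m.text))

    def matches(self, m: Message) -> bool:
        """Second generation: still use IP/host, but also weigh the words if the message carries a link."""
        if self.matches_by_ip_or_link(m):
            return True
        if not URL_RE.search(m.text):
            return False  # no link, nothing to lure the reader to; leave it alone
        return sum(self.keywords[t] for t in content_tokens(m.text)) >= self.threshold

    def learn_from_reports(self, messages: Iterable[Message]) -> None:
        """User reports are the feedback channel: every feature of a reported message gets weight."""
        for m in messages:
            if m.user_reported:
                self.bad_ips.add(m.sender_ip)
                self.bad_hosts.update(URL_RE.findall(m.text))
                self.keywords.update(content_tokens(m.text))


def run_demo() -> Dict[str, bool]:
    reported: List[Message] = [  # constructed first wave, flagged by recipients
        Message("203.0.113.5", "I just got a free iPad! Get yours at http://ipad-giveaway.example/win",
                user_reported=True),
        Message("203.0.113.5", "free iPad for the first 1000, http://ipad-giveaway.example/win",
                user_reported=True),
    ]
    sig = Signature()
    sig.learn_from_reports(reported)

    # Constructed second wave: new sending host and a redirector link, same lure.
    rotated = Message("198.51.100.9", "free iPad for everyone, grab it: http://bit.ly/x9k2q")
    legit = Message("192.0.2.20", "hey, are we still on for dinner? http://maps.example/place")
    no_link = Message("192.0.2.21", "got a free iPad for my birthday, so happy")
    return {
        "rotated_caught_by_ip_or_link": sig.matches_by_ip_or_link(rotated),  # False: both rotated
        "rotated_caught_by_keywords": sig.matches(rotated),                  # True: "free" + "ipad" survive
        "legit_flagged": sig.matches(legit),                                 # False
        "no_link_flagged": sig.matches(no_link),                             # False: no lure link
    }


if __name__ == "__main__":
    for verdict, value in run_demo().items():
        print(f"{verdict}: {value}")
```

The design point is the one the article makes: features the attacker controls cheaply (source address, redirector link) are useful for the first minutes, but the durable signal is the part of the message that has to stay the same for the scam to work, and user reports are what lets the system weight that part without a human in the loop.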
                 
Facebook said this week that, thanks to FIS, less than 4 per cent of the network's messages are spam and that fewer than 1 in 200 users experience spam on any given day. "It's pretty good," says Ma, who has a Facebook account. "I'm pretty happy with the level of security."
                 
Yet like any defence based on patterns of known behaviour, FIS is vulnerable to strategies it has not seen before. Yazan Boshmaf and colleagues at the University of British Columbia in Vancouver, Canada, have exploited this and eluded the system by creating "socialbots", software that can pose as a human and control a Facebook account.
                 
The bots began by sending friend requests to random users, around 1 in 5 of whom accepted. They then sent requests to the friends of the people they had connected with, and the acceptance rate jumped to almost 60 per cent. After seven weeks the team's 102 bots had made a combined 3000 friends.
                 
Facebook's privacy settings allow users to shield personal information from public view. But because the socialbots posed as friends, they were able to extract some 46,500 email addresses and 14,500 physical addresses from users' profiles, information that could be used to launch phishing attacks or aid in identity theft.
                 
"An attacker could do many things with this data," says Boshmaf, who will present the team's work at the Annual Computer Security Applications Conference in Orlando, Florida, next month.
                 
A socialbot attack is yet to happen, but it's only a matter of time. Socialbots behave differently to humans that enter Facebook for the first time, in part because they have no real-world friends to connect with, and their random requests lead to an unusually high number of rejections. FIS would be able to use this pattern to recognise and block an attack of socialbots, says Stein. That would put Facebook back on top, if only until hackers release their next innovation.

Source:  http://threatpost.com/en_us/blogs/got-pwned-pwnedlistcom-knows-102711

With more and more victims of identity theft minted every day, figuring out if you're one of the unlucky masses with a leaked email password is yeoman's work. Now one security researcher is trying to make it easy with PwnedList.com, a Web site that collects leaked and stolen data, then tells Internet users whether their information is in it.
PwnedList is the brainchild of Alen Puzic, a security researcher who works for HP's TippingPoint DVLabs on the Advanced Security Intelligence team. The biggest challenge, he says, is staying on top of the tsunami of leaked records – which are pouring in at a rate of 40,000 to 50,000 a week. Puzic chatted with Threatpost editor Paul Roberts via Skype this week.

Episode 505 – Tsunami, SOPA, NO Shit, SideChan & CA Pwnage

InfoSec Daily Podcast Episode 505 for October 27, 2011.  Tonight's podcast is hosted by Karthik Rangarajan, Boris Sverdlik, and Varun Sharma.

Props to our special co-host for the day: Spridel!

Announcements:

New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families.  No talks, just a bunch of like-minded people and some good food.)

BSidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on current topics (hacker vs. business skill set, etc.), a Lockpick Village run by FALE, and a prize giveaway at the end. And of course an all-day podcast area.

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:

Source: http://www.tgdaily.com/security-features/59283-tsunami-a-os-x-trojan-spotted-in-the-wild

Security researchers have identified a new backdoor trojan targeting systems running Mac OS X.  Interestingly enough, Tsunami appears to be a port of Troj/Kaiten, a Linux Trojan that embeds itself on a computer system and monitors an IRC channel for further instructions.

As Sophos Security researcher Graham Cluley notes, trojans like Tsunami/Kaiten are typically used to drag infected computers into coordinated DDoS (distributed denial-of-service) attacks, which flood a targeted website server with a massive amount of traffic.

"It's not just a DDoS tool though. As you can see by the portion of OSX/Tsunami's source code, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer," he explained.

"The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organized attack on a website."

Cluley also warned that he "fully expected" to see cyber criminals target poorly protected Mac computers in the future. 


"If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying," he added.

Source:  https://www.eff.org/deeplinks/2011/10/disastrous-ip-legislation-back-%E2%80%93-and-it%E2%80%99s-worse-ever

We've reported here often on efforts to ram through Congress legislation that would authorize massive interference with the Internet, all in the name of a fruitless quest to stamp out all infringement online.  Today Representative Lamar Smith upped the ante, introducing legislation, called the Stop Online Piracy Act, or "SOPA," that would not only sabotage the domain name system but would also threaten to effectively eliminate the DMCA safe harbors that, while imperfect, have spurred much economic growth and online creativity.
As with its Senate-side evil sister, PROTECT-IP, SOPA would require service providers to “disappear” certain websites, endangering Internet security and sending a troubling message to the world: it’s okay to interfere with the Internet, even effectively blacklisting entire domains, as long as you do it in the name of IP enforcement. Of course blacklisting entire domains can mean turning off thousands of underlying websites that may have done nothing wrong.  And in what has to be an ironic touch, the very first clause of SOPA states that it shall not be “construed to impose a prior restraint on free speech.” As if that little recitation could prevent the obvious constitutional problem in what the statute actually does.  
But it gets worse. Under this bill, service providers (including hosting services) would be under new pressure to monitor and police their users’ activities.  Websites that simply don’t do enough to police infringement (and it is not at all clear what would qualify as “enough”) are now under threat, even though the DMCA expressly does not require affirmative policing.  It creates new enforcement tools against folks who dare to help users access sites that may have been “blacklisted,” even without any kind of court hearing. The bill also requires that search engines, payment providers (such as credit card companies and PayPal), and advertising services join in the fun in shutting down entire websites.  In fact, the bill seems mainly aimed at creating an end-run around the DMCA safe harbors. Instead of complying with the DMCA, a copyright owner may now be able to use these new provisions to effectively shut down a site by cutting off access to its domain name, its search engine hits, its ads, and its other financing even if the safe harbors would apply.
And that’s only the beginning: we haven’t even started on the streaming provisions.
We’ll have more details on the bill in the next several days but suffice it to say, this is the worst piece of IP legislation we’ve seen in the last decade — and that’s saying something.  This would be a good time to contact your Congressional representative and tell them to oppose this bill!

Source:  http://www.stuff.co.nz/technology/digital-living/5867963/Cybersecurity-mainly-male-domain

There were no lines for the ladies room. That was unusual for an event attended by thousands but typical in the cybersecurity field where a futuristic image clashes with an old-fashioned gender gap.
At cybersecurity and hacker gatherings, women are clearly in the minority among the sea of men lining escalators, filling gigantic hotel ballrooms and networking in hallways. (Some men grumbled about the lack of women at event parties).
While the US government and private sector urgently try to beef up cybersecurity efforts, the information technology field that supplies talent remains largely a male domain.
Experts say the lack of women is not so much a matter of discrimination as the fact that young women do not think of cyber as a career option. They attribute that partly to an unappealing "geek" image from movies and girls' lack of early computer skills that boys develop by playing video games.
The portrayal in movies and television of a nerd loner, wearing thick glasses, soldering circuits together, and living in a dungeon-like room surrounded by computers and eating boxed pizza can be a deterrent.
Phyllis Schneck, chief technology officer for public sector at McAfee Inc, said she was one of the only women in computer science as an undergraduate at Johns Hopkins University and her friends used to make geek jokes. "But when it came time to help them fix their computers because it ate their term paper, I'm the one they called," she said.

Source:  http://syhw.posterous.com/two-amusing-side-channel-attacks

Side channel attacks usually bring to mind timing attacks and electromagnetic (TEMPEST) attacks. But there are other forms, some less exotic and some more so. I recount two amusing stories that Adi Shamir told during an invited talk in early 2011 at the Computer Security course at Collège de France (Paris).

1) The first story was about ultrasonic waves. Adi and one of his students bought an ultrasonic microphone, like the ones used to study bats. They recorded the sonic spectrum up to 48 kHz near a computer performing RSA encryption

2) The second story was about USB devices. Basically, they plugged a very precise voltmeter into a USB port and started recording the very small variations between 4.999V and 5V. With the same assembly-test-program-pattern-matching approach, they broke RSA again. Better yet, they cut off the USB power from the OS USB controls, and they were able to perform exactly the same side channel attack through residual power in the USB port.
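As an added illustration (not from the post or from Shamir's talk) of why the pattern-matching step works against a textbook RSA implementation and what a defender changes: the physical channel is modelled in the abstract as the sequence of squarings and multiplications the CPU performs, and the toy parameters (base 4, modulus 497, exponent 13) are constructed for the demo.

```python
"""Simulated operation-trace side channel on RSA-style modular exponentiation.

Added example for this page, not code from the original post or from
Shamir's talk. The voltage or ultrasound measurement is abstracted as the
sequence of squarings ('S') and multiplications ('M') the CPU performs,
which is what a pattern-matching attack keys on. A textbook left-to-right
square-and-multiply leaks the exponent through that sequence; a Montgomery
ladder does the same two operations for every bit, so the sequence carries
no key-dependent pattern.
"""


def naive_modexp(base, exp, mod, trace):
    """Left-to-right square-and-multiply; the multiply happens only for 1 bits."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def ladder_modexp(base, exp, mod, trace):
    """Montgomery ladder: one multiply and one square per bit, whatever the bit.

    This removes the operation-sequence leak only; real constant-time code must
    also avoid secret-dependent branches and memory access patterns.
    """
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            trace.append("M")
            r1 = r1 * r1 % mod
            trace.append("S")
        else:
            r1 = r0 * r1 % mod
            trace.append("M")
            r0 = r0 * r0 % mod
            trace.append("S")
    return r0


def trace_of(modexp, base, exp, mod):
    """Run modexp and return its operation sequence as a string, e.g. 'SMSMSSM'."""
    trace = []
    modexp(base, exp, mod, trace)
    return "".join(trace)


def recover_exponent(trace):
    """Read a square-and-multiply trace back into the exponent.

    Every 'S' starts a new bit (value 0); an 'M' right after it makes that bit 1.
    Applied to a ladder trace this yields garbage, which is the point.
    """
    bits = []
    for op in trace:
        if op == "S":
            bits.append(0)
        elif op == "M" and bits:
            bits[-1] = 1
    return int("".join(map(str, bits)), 2) if bits else 0


def trace_depends_on_key(modexp, base, mod, exp_a, exp_b):
    """True if two same-length exponents produce different operation sequences."""
    assert exp_a.bit_length() == exp_b.bit_length()
    return trace_of(modexp, base, exp_a, mod) != trace_of(modexp, base, exp_b, mod)


if __name__ == "__main__":
    # Constructed toy parameters; a real RSA private exponent is thousands of bits.
    base, mod, secret = 4, 497, 13  # 13 = 0b1101
    leaky = trace_of(naive_modexp, base, secret, mod)
    print("naive trace :", leaky, "-> recovered exponent", recover_exponent(leaky))
    print("ladder trace:", trace_of(ladder_modexp, base, secret, mod))
    print("naive trace differs for another key:",
          trace_depends_on_key(naive_modexp, base, mod, 13, 11))
    print("ladder trace differs for another key:",
          trace_depends_on_key(ladder_modexp, base, mod, 13, 11))
```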

Source:  http://threatpost.com/en_us/blogs/eff-data-shows-five-cas-compromised-june-102711

The EFF, through the use of its SSL Observatory, has taken a look at the data from certificate revocation lists for SSL certificates in recent months, and found that there were five separate CAs compromised in the last four months.

The data that the EFF looked at was a summary of the reasons that specific certificates were revoked by CAs, as reported by the CAs themselves in CRLs. When a certificate is revoked, the CA specifies a reason for the action, and the EFF looked through the data collected in its SSL Observatory database and found that a scan of CRLs in June showed that 10 individual CAs reported that they were revoking 55 total certificates because of a CA compromise. Another scan in mid-October showed that 15 separate CAs had revoked 248 certificates because of a compromise.

"Those 'CA Compromise' CRL entries as of June were published by 10 distinct CAs. So, from this data, we can observe that at least 5 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website," Peter Eckersley of the EFF wrote in an analysis of the data.

The only widely known CA compromise since June is the attack on DigiNotar this summer that completely compromised that company's CA infrastructure and eventually led to it being shut down. All of the major browser vendors were forced to revoke their trust in the DigiNotar root certificates and the attacker who claimed credit for the attack said that he also had compromised several other CAs.

Earlier this year, the same attacker said he was responsible for the attack on Comodo that compromised a registration authority in Europe and enabled him to issue rogue certificates for a variety of valuable sites, including Skype, Yahoo and Google. He did the same thing after compromising DigiNotar. Those two incidents spurred a broad discussion in the industry about the inherent problems with the CA system and the dangers of relying on it. No clear solution to the problem has emerged, although the Convergence system designed by Moxie Marlinspike has garnered some attention.

Episode 504 – End of Anonymity, 18 Chrome Bugs, Black Box OS, Wireless Disconnect & Arctic Chill

InfoSec Daily Podcast Episode 504 for October 26, 2011.  Tonight's podcast is hosted by Boris Sverdlik, Geordy Rostad, and Varun Sharma.

Announcements:
New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families.  No talks, just a bunch of like-minded people and some good food.)

BsidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on some good topics recently (Hacker vs Biz Skillset, etc), Lockpick Village by FALE, Prize Giveaway at End.  

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:

Source: https://www.eff.org/deeplinks/2011/10/fbi-ramps-its-next-generation-identification-roll-out-winter-will-your-image-end

NextGov.com is reporting that the FBI will begin rolling out its Next Generation Identification (NGI) facial recognition service as early as this January.  Once NGI is fully deployed and once each of its approximately 100 million records also includes photographs, it will become trivially easy to find and track Americans.

As we detailed in an earlier post, NGI expands the FBI’s IAFIS criminal and civil fingerprint database to include multimodal biometric identifiers such as iris scans, palm prints, photos, and voice data. The Bureau is planning to introduce each of these capabilities in phases (pdf, p.4) over the next two and a half years, starting with facial recognition in four states—Michigan, Washington, Florida, and North Carolina—this winter.

Despite the FBI’s claims to the contrary, NGI will result in a massive expansion of government data collection for both criminal and noncriminal purposes. IAFIS is already the largest biometric database in the world—it includes 70 million subjects in the criminal master file and more than 31 million civil fingerprints. Even if there are duplicate entries or some overlap between civil and criminal records, the combined number of records covers close to 1/3 the population of the United States. When NGI allows photographs and other biometric identifiers to be linked to each of those records, all easily searchable through sophisticated search tools, it will have an unprecedented impact on Americans' privacy interests.

Although IAFIS currently includes some photos, they have so far been limited specifically to mug shots linked to individual criminal records. However, according to a 2008 Privacy Impact Assessment for NGI’s Interstate Photo System, NGI will allow unlimited submission of photos and types of photos. Photos won’t be limited to frontal mug shots but may be taken from other angles and may include close-ups of scars, marks and tattoos. NGI will allow all levels of law enforcement, correctional facilities, and criminal justice agencies at the local, state, federal and even international level to submit and access photos, and will allow them to submit photos in bulk. Once the photos are in the database, they can be found easily using facial recognition and text-based searches for distinguishing characteristics.

The new NGI database will also allow law enforcement to submit public and private security camera photos that may or may not be linked to a specific person’s record. This means that anyone could end up in the database—even if they’re not involved in a crime— by just happening to be in the wrong place at the wrong time or by, for example, engaging in political protest activities in areas like Lower Manhattan that are rife with security cameras.

The biggest change in NGI will be the addition of non-criminal photos. If you apply for any type of job that requires fingerprinting or a background check, your potential employer could require you to submit a photo to the FBI. And, as the 2008 PIA notes, “expanding the photo capability within the NGI [Interstate Photo System] will also expand the searchable photos that are currently maintained in the repository.” Although noncriminal information is ostensibly kept separate from criminal, all the data will be in the NGI system, and presumably it would not be difficult to search all the data at once. The FBI does not say whether there is any way to ever have your photo removed from the database.

According to an FBI presentation on facial recognition and identification initiatives (pdf, p.5) at a biometrics conference last year, one of the FBI’s goals for NGI is to be able to track people as they move from one location to another. Recent advancements in camera and surveillance technology over the last few years will support this goal. For example, in a National Institute of Justice presentation (pdf, p.17) at the same 2010 biometrics conference, the agency discussed a new 3D binocular and camera that allows realtime facial acquisition and recognition at 1000 meters. The tool wirelessly transmits images to a server, which searches them against a photo database and identifies the photo's subject. As of 2010, these binoculars were already in field-testing with the Los Angeles Sheriff’s Department. Presumably, the backend technology for these binoculars could be incorporated into other tools like body-mounted video cameras or the MORIS (Mobile Offender Recognition and Information System) iPhone add-on that some police officers are already using.

Source: https://www.scmagazineus.com/google-closes-18-chrome-holes/article/215297

Google on Tuesday pushed out a new version of its Chrome web browser to rectify 18 vulnerabilities, including 11 that are deemed "high" in severity. Version 15, part of the "stable" channel of Chrome, also includes protection against Browser Exploit Against SSL/TLS (BEAST), a JavaScript hacking tool disclosed last month at a security conference in Argentina that can decrypt HTTPS requests and encrypted cookies. Microsoft has since issued an advisory that acknowledges the issue, along with a Fix-It solution. Meanwhile, researchers who disclosed the flaws in Chrome received more than $26,000 combined for their finds as part of Google's bug bounty program.

Source: http://www.techdirt.com/articles/20111021/11554216450/eu-politician-wants-internet-surveillance-built-into-every-operating-system.shtml

"Think of the children" has become the rallying cry of politicians around the world trying to push for ever-increasing Internet surveillance powers. Since nobody wants to run the risk of being branded as soft on crimes like paedophilia, resistance to such measures is greatly reduced as a result.

This approach was used in the "Declaration of the European Parliament of 23 June 2010 on setting up a European early warning system (EWS) for paedophiles and sex offenders" which:
2. Asks the Council and the Commission to implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively;

3. Calls on the Member States to coordinate a European early warning system involving their public authorities, based on the existing system for food safety, as a means of tackling paedophilia and sex offending;

The two European politicians behind the Declaration, which seeks to extend the already intrusive Data Retention Directive, were Tiziano Motti and Anna Zaborska. Motti now wants to go even further by monitoring and storing all Internet activity in the European Union. The press release about the launch of this new initiative was entitled "Data Retention Directive: the fight against paedophiles and sexual predators on the net, respecting citizens' right to privacy"; it explained:

The press conference will focus on the most discussed part of the Data Retention Directive, which is under revision, and on the 'Motti Resolution' approved by Parliament in 2010, asking to extend this Directive to content providers (social networks etc) in order to identify more easily those who commit crimes, including paedophilia through sexual harassment on the Net (recognised as a crime by the legislative Resolution to be voted at the next plenary session in Strasbourg). This is a request which does not regard specifically the online content, which falls under the Regulation of wiretapping, but to the traffic data developed by the person uploading material of any kind on the net: comments, pictures, videos.

During this press conference, Mr Motti will present the solutions that can make possible the enforcing of the Resolution approved in June 2010, through a study provided by computer expert Fabio Ghioni, and he will answer to the objections, especially from northern Europe, to the Resolution asking for the broadening of the Directive.

As this indicates, in order to forestall the usual accusations of technical cluelessness, Motti was joined by Fabio Ghioni, described by the press release as "World Expert on security and non-conventional technologies, author of the book 'Hacker Republic'". Ghioni's site carries more details about the ambitious plans, reproducing an article (in Italian) that comes from the web site of Famiglia Cristiana (Christian Family).

Strangely, there Ghioni's project is presented not as a way to catch paedophiles, but as being about keeping personal data safe. The article talks about the fact that users willingly hand over all kinds of information to Facebook but have no control over what the company's employees might do with it. Because of this, Famiglia Cristiana says:

it is worthwhile to evaluate the system developed by Ghioni, which is called LogBox and provides data storage for two years with features that aim to ensure fundamental rights and freedoms of citizens.

It's not exactly clear from the article how a black box that logs all your online activities and stores the data for two years will ensure those fundamental rights and freedoms, but the general drift seems to be that you will have a record of everything that you did, which you could use in court, for example, if you are wrongly accused of some misuse of the computer. What this overlooks, of course, is that it will also be a tempting target for governments who want to keep a tight rein on their citizens, or for companies that want to enforce copyright laws by monitoring alleged file sharing activities.

The LogBox system devised by Ghioni encrypts data, placing the decryption key in the hands of the authorities, a notary [lawyer] and the user of the system. Thus the digital certificate is guaranteed by the three entities, including the user, who is in control.

That sounds as if a digital hash of the connection data is encrypted with one or three separate keys – it's not entirely clear. In theory, having three different keys, all of which were required to decrypt, could be quite secure, but it's no proof against court orders demanding your decryption key. On the other hand, having only one shared key would be an invitation for the police to snoop through your online logs all the time. And yet the article insists:

Let's be clear that this has nothing to do with interceptions: here we are talking about digital data, not contents. Currently the two main issues that result in a "wild west Internet" are digital identity and authentication of both the users and the service providers. Let's take the example of social networks: currently anyone can create a fake personal profile. Let's take the example of online paedophiles: they can be traced only if they use their own account but if, as is easy to do, they connect from a different IP address in some other country, they will never be held responsible for the criminal actions they carry out.

From this it seems that one of the key features of the black box is to make pseudonymous or anonymous activity online impossible. Again, it's hard to see any benefits whatsoever for users – in what way is this "respecting citizens' right to privacy"? – but plenty for governments and the copyright industry.

Even more surprising is exactly how Ghioni wants the black box idea implemented:
The LogBox system would clarify these issues through a precise mechanism that involves the "collaboration" of the operating systems. Therefore the help of Windows, Apple, Linux will be needed. The operating systems will have to store the characteristics of all the activity logs (in practice, tables) generated by the computer that is running the operating system. That's no small thing, because the logs would be signed digitally in such a way as to relate to a specific computer and its user. And this will be independent of any attempt to anonymize illegal activities. Ghioni insists that the costs of this operation will be extremely low.

Cost is hardly the issue. Even if the EU were to insist that Microsoft and Apple implement this black box "feature" in their products, this is simply unworkable for GNU/Linux-based systems. By its very nature, open source lets you hack the code, and so removing any such digital black boxes – even assuming they were put there in the first place by the likes of Red Hat and Canonical – would be relatively easy. Hacked versions would circulate online almost immediately.

The only way to stop that happening would be to forbid people from installing "unauthorised" versions or from making "unauthorised" changes to the system code once installed – which would effectively make open source operating systems illegal in Europe. Given that the Linux kernel was created in Finland, that would be ironic to say the least.

There are other problems that will make this approach unworkable. Already people are accessing the Internet increasingly through mobile devices and e-readers; that presumably means that these too will require black boxes to track users' every online move. In the longer term, we are moving to an Internet of things, which means that many objects in our home will have an IP address and be hooked up to the Net: does that mean there will be a black box for our toasters, perhaps?

And then there is the fact that a 2 Terabyte portable external hard drive costs around $100, making the sharing of vast numbers of files trivial even without the Internet. Do we add black boxes to hard drives? What about USB drives?

What's worrying is that a politician can be naive enough to believe that solving this complex problem is really as easy as adding a few lines of code to an operating system – and that he hopes to convince the European Parliament to mandate such a thing. Far better to stop invoking the "think of the children" mantra as a way to short-circuit rational discussion and instead to encourage a rational, mature debate about how these serious problems can be solved with real-world solutions.

Source:   http://hmi.ucsd.edu/wireless_disconnect_2011_10_26.php

The new report is out today from the Global Information Industry Center at the University of California at San Diego. The paper and its author, UCSD fellow and infrastructure expert Michael Kleeman, lay out some dizzying figures on the growing stresses placed on mobile networks – including those below and in the box to the right.

To keep up with demand, U.S. wireless networks have traditionally doubled their capacity every 30 months, but this trend may not keep up with future demand… the volume of data traffic on U.S. networks is expected to increase by 1,800 percent over the next four years.
The report says the inevitable result of demand outstripping capacity so dramatically will be painful network congestion.

"We must understand and accept the trade-offs we will face for the convenience of accessing limited wireless capacity," report author Kleeman says in a statement. "Alternatively, as citizens we need to dramatically lower our expectations for wireless services in the future."
Yikes. This guy actually expects us Americans to lower our expectations? We have to rewind the technological advances of the past decade and go back to the days when we spent half of our commuting time buffering YouTube videos? Re-embrace the Edge network?

Source:  http://www.infoworld.com/t/data-center/free-cooling-lures-facebook-arctics-edge-177233

In a move that will further bolster Facebook's green data center credentials, the social networking giant plans to build an enormous new 120MW data center in Luleå, Sweden, just 62 miles south of the Arctic Circle. The company will make the official announcement Thursday, according to the Telegraph.

The allure of the locale is three-fold: First, it's a prime location for taking advantage of free cooling — that is, using outside air to chill machines instead of running costly CRAC (computer room air conditioner) units 24/7. Second, dams on the Luleå river generate an abundance of renewable electricity — enough so that half is exported — so Facebook needn't worry about an energy shortfall any time soon. Third, Sweden has a dense fiber-optic network, which means data can flow reliably and easily through Finland and on into Eastern Europe and Russia.

For the past few years now, organizations have struggled with strategies to cut costs and energy consumption within their data centers. Free cooling has proven a particularly desirable technique as the cost of generating artificially chilled air can be quite considerable. Facebook employs free cooling at its data center in Prineville, Ore., for example, though the AC sometimes needs to be turned on during the summer. That contributes to the facility's remarkably low PUE (Power Utilization Effectiveness); Facebook claims the figure is 1.07.