Your daily source of Pwnage, Policy and Politics.

Episode 497 – Stuxnet-ng, Backseat != Iron Mountain, Holding an ID Hostage, NFC Entry, Skype 0-day & Anonymous SCADA

InfoSec Daily Podcast Episode 497 for October 18, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Themson Mester, and Varun Sharma.

Announcements:

Hack3rCon 2011
When: October 21-23rd, 2011
Where: Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

NordSec 2011
When: October 26–28, 2011
Where: Tallinn Science Park “Tehnopol”, Tallinn, Estonia
http://nordsec2011.cyber.ee/

New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families. No talks, just a bunch of like-minded people and some good food.)

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BsidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, GA (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be three tracks, a CISO panel on recent hot topics (hacker vs. business skill set, etc.), a Lockpick Village by FALE, and a prize giveaway at the end. Of course, an all-day podcast area.

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504

Stories:

Source: http://www.isssource.com/a-new-and-frightening-stuxnet/

Facing mounting concern about Iran’s nuclear program, a top U.S. and Israeli technical team has developed a computer “malworm” designed to take down all of Iran’s computer software.

ISSSource has learned leaders of the three major software companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry Ellison at Oracle have been working with Israel’s top cyber warriors and have now come up with a new version of a Stuxnet-like worm that can bring down Iran’s entire software networks if the Iranian regime gets too close to a breakout, according to U.S. intelligence sources. Google, Microsoft and Oracle had no comment on the issue.

“Cyber warfare is a lot like biological warfare. It’s hard to stop. It’s uncontrollable. It can bite you in the ass,” said one U.S. official.

This new version of Stuxnet was, until recently, seen as a tool to derail any notions of an Israel military surgical strike on Iran with the United States in a supporting role. During his visit to Israel, Secretary of Defense Leon Panetta carried a U.S. message to Tel Aviv that President Barack Obama would not support a military strike on Iran, said a U.S. official, who spoke under the condition of anonymity. Israeli plans for an attack had alarmed the National Security Council and the Senate foreign policy committee when briefed on the Israeli proposal.

“They were in shock afterwards,” the U.S. official said.

Since early June, U.S. intelligence experts have warned of an Israeli attack on Iran before the UN meeting on the question of Palestinian statehood. Those warnings came around the time then Secretary of Defense Robert Gates left office in June and as Joint Chiefs of Staff Chairman Adm. Mike Mullen was preparing for his September retirement.

Throughout the summer, U.S. officials have strenuously resisted the urgings of Israeli Prime Minister Benjamin Netanyahu for a preemptive strike. Several senior U.S. intelligence officials confirmed large contingency planning drills for an intervention if Israel attacked Iran. Planning for such an intervention was seen as “pretty far advanced,” a U.S. official said in August.

These officials reported they were resisting such notions with all the force they can. But one cautioned, “This is no drill.”

Matters became more complicated when the FBI uncovered an Iranian terrorist operation targeting Washington, DC, which could have lent support to long-time American hard-liners as well as Israeli supporters of some type of military attack on Iran.

Compounding that is the Saudi position informing President Obama the Saudis strongly support a military campaign against Iran. Saudi officials are now signaling the Israelis Saudi King Abd’allah is in favor of a strike on Iran.

This new Stuxnet worm is being advanced by administration and intelligence officials as a more powerful tool with more range and a stronger capability than the previous version. Officials want this new cyber capability to derail any military action that could result in a regional war.

The Stuxnet attack on Iran’s nuclear plants in Bushehr and Natanz in 2010 was the result of a joint effort between the United States and the cyber warfare experts of Israel’s Mossad and the IDF Unit 8200. The attack wreaked havoc on Iran’s nuclear program for 11 months, U.S. officials confirmed.

These officials verified Israeli assertions that Iran never overcame the disruptions caused by Stuxnet nor did it manage to restore its centrifuges to smooth and normal operation as was claimed.

U.S. intelligence sources, current and former, said Iran finally was forced to scrap tainted machines and replace them with new ones.

Iran provided confirmation of this July 19 when a senior Iranian official said improved and faster centrifuge models were being installed.

Sources differ on the number of centrifuges replaced. One former U.S. intelligence official said at least 1,000 machines had been replaced. Israeli intelligence sources put the number as high as 5,000. U.S. sources believe the actual estimate to be lower.

“Iran has an illegal procurement system for the machines and it makes the system vulnerable to attack,” said one former U.S. intelligence official with knowledge of the matter. The reason it is vulnerable to attack is because the CIA has penetrated Iran’s dummy procurement companies in order to plant design and other flaws that will cause the system to malfunction if Iran tries to use it. As a former CIA official said, “When Tehran throws a switch, nothing will happen.”

In spite of U.S. intelligence operations to hamper or thwart any progress on Iran’s nuclear program, Israel continues to claim in recent months Iran has taken advantage of the West’s fixation with the Arab Spring to forge ahead unnoticed with its weapons program.

U.S. officials dismissed this claim by the Israelis, pointing out it was hard to argue on one hand that a “malworm” had severely damaged Iran’s system to the point where it was having to replace its machines and then on the other hand boast of ongoing secret progress. “That nonsense is for Israeli hawks like Netanyahu,” one source said.

“Anyone who argues about secret progress in Iran’s program had better come up with hard evidence of it. We do not possess such evidence,” a former senior intelligence official said.

Source: http://www.scmagazine.com.au/News/277092,us-defense-faces-49b-lawsuit-for-unencrypted-data-breach.aspx

The US Department of Defense is facing a $4.9 billion class-action lawsuit stemming from the breach of computer backup tapes containing the personal information of nearly five million current and former US soldiers.

The data was stolen from unencrypted backup tapes stored inside a car.

The lawsuit was filed last week in US District Court in Washington by four individuals whose information was compromised.

It seeks $1000 in damages for each of the 4.9 million individuals affected by the incident.

The suit charges that defendants Tricare, a health insurance provider for military personnel and their families, as well as the Defense Department and Leon Panetta, the agency's secretary, violated individuals' privacy rights by failing to protect the stolen information from unauthorised disclosure.

The suit contends that the defendants failed to properly encrypt the data, then “intentionally, willfully and recklessly” allowed an untrained individual to access the information.

Making matters worse, the defendants then authorised this worker to take the data off government premises.

According to the suit, the defendants violated the US Privacy Act that governs the collection, maintenance, use and dissemination of personally identifiable information maintained by federal agencies, as well as other privacy laws.

The breach, first disclosed in late September, affected those who, from 1992 to 7 September this year, sought care at military treatment facilities in the San Antonio, Texas area.

The stolen data belonged to Tricare, but had been entrusted to Science Applications International Corp. (SAIC), a high-tech defense contractor.

The tapes were stolen from a SAIC employee's car. SAIC was not named as a defendant in the lawsuit.

The stolen data included Social Security numbers, addresses and phone numbers, in addition to health data such as clinical notes, lab test reports and prescription information.

The plaintiffs of the suit are an Air Force veteran, a military spouse and her two children, all of whom received insurance through Tricare.

Because of the breach, the plaintiffs suffered emotionally and lost money as a result of having to purchase credit monitoring services.

Tricare downplayed the impact of the breach in September, noting that the risk of harm to affected individuals was “low” since retrieving data off the tapes would necessitate “knowledge of and access to specific hardware and software, and knowledge of the system and data structure.”

A Defense Department spokesman did not respond to a request for comment on Monday.

Source: http://www.guardian.co.uk/technology/2011/oct/16/email-hacker-identity-rowenna-davis

A hacker has been occupying my email account for the past week. And he or she may still be there. A disembodied intruder, this person has been stalking my inbox, replying to messages, signing off with my nickname and refusing to let me in. They have been going through my personal history and making judgments about my character. In the weirdest twist, the hacker even started writing to me. If it wasn't so unsettling, it could be the plot of a black postmodern comedy.

It started when my phone went crazy in the middle of a crucial meeting. Some 5,000 contacts received an email from my account saying that I'd been held up at gunpoint in Madrid. My internet-savvy friends sent texts to say I'd been hacked, while my elderly, migrant and more vulnerable friends wanted to know where to send the cash. According to the story, my mobile phone and credit cards had been taken and I was badly in need of money. There was a number to call to reach me at my hotel – presumably chargeable – and a Western Union account had been set up in my name to wire a transfer.

Suddenly you're hit with an organisational bombshell – drop what you're doing; freeze your bank account; answer anxious calls; lose crucial, last-minute messages; miss work deadlines; irritate bosses; reset all email-based passwords; forget to pay e-bills; irritate friends who think you're ignoring them. The realisation dawns that the email account is the nexus of the modern world. It's connected to just about every part of our daily life, and if something goes wrong, it spreads. But the biggest effect is psychological. On some level, your identity is being held hostage.

Out of sheer frustration, I fired off an email to my occupied address labelled "to those who hacked my account", laying out how I felt and asking for my contacts. Shockingly, I got an almost instantaneous reply. The hacker said they would return my address book for £500. It was unreal. There I was, sitting at my laptop, alone in my flat, receiving emails from someone claiming to be me. Whoever it was must have been sitting watching my account and responding in real time. Who else was this person replying to in the same way?

I wrote back straight away, saying that I didn't have that kind of finances and pointing out that I had no reason to believe the deal would be kept even if I did send the money. I couldn't help but end with a rhetorical: "Do you ever feel even slightly bad about what you are doing?"

Just for a minute, the hacker seemed anxious to prove that he or she had some sense of morality. According to this individual, it "didn't feel great" to be a hacker. They said they didn't have a choice. I immediately asked why. They said their life "wasn't as nice and sweet" as mine. In what I guess was supposed to be a gesture of magnanimity, this individual said that they would release my contacts for just £300, and even offered to send me 20 contacts upfront as a sign of "goodwill". You could tell this person thought they were being reasonable – they insisted that their actions weren't as bad as robbing people on the streets.

What I wanted to reply, but found difficult to articulate at the time, was that hacking can be worse than that. When someone holds you up in the street, you lose a set of isolated possessions and then get to walk away. But if someone colonises one of your chief platforms of interaction with the world, there's always a feeling of "what next?" They can read your most intimate emails and potentially pass them on. A simple search would allow them to find out not just my address, but also those of my friends and family – something that crossed my mind when I registered my case with the police.

Apparently some 3,000 people reported such scams last year, but too few of these are brought to justice. The police haven't even returned my call for a full report. When I did eventually get access to my account back through Gmail a week later, I found that the hacker had personally written to more than 30 people who had asked about my problems in Madrid. The intruder said I'd had a "terrible experience" and signed off with my nickname, "Row". The fact that someone could be so callous to people who cared about me – all in my name – left me furious.

I was lucky. The only reason I was able to regain access to my account was through chance – a friend of a friend works at Google. Until then, my hacker had given me better feedback than Gmail and Google, following my attempts to get in touch with them. The company that presents itself as the friendly face of the web doesn't have a single human being to talk to in these circumstances. The UK office just cut me off and, after a friend waited 20 minutes to ask the head US team if there was anything that could be done to help, they received a simple "nope".

When someone did bother to look into my problem, it only took five minutes to fix. The hacker had doubled the verification process on my password so I couldn't get in. Once Google disabled it from the inside, I was able to reset all my security checks without a problem.

Even now, I'm not sure it's over. In one last message, addressed from myself just two days ago, the hacker wrote: "I see you got the account back. Sorry for the trouble." I never replied, so I guess I'll never know what this individual's circumstances were. But I feel the need to understand them. Perhaps we believe that if we find reasons for things, we'll feel safer. Perhaps it's about restoring a bit more faith in human nature. Either way, my hacker seems to have disappeared back into the 21st-century ether. Although, of course, they could be reading this now.

Source: http://www.secureidnews.com/2011/10/17/keying-in-to-nfc

Say “mobile wallet” and most people think payment–tapping your phone against a reader instead of swiping a card. But the phrase may soon come to encompass not just your credit card, but your entire wallet: loyalty cards, work ID, access credentials and all–and potentially even the keys jingling in your pocket.

Since NFC uses the same standard as contactless smart cards, the technology could enable employers to take existing smart ID cards that are used to get into the office and transfer them over to the phone–a process called “card emulation.” Making this a reality, however, is not as easy as it sounds, explains Jeff Fonseca, director of business development and sales at NXP Semiconductors.

“It’s not like you can just take somebody’s badge and put it on a phone and have it just work everywhere,” says Fonseca. “It doesn’t work that way.”

The market is split with different companies providing different “flavors” of contactless technologies in different parts of the world. According to Fonseca, this makes interoperability a big hurdle.

Agreements need to be in place to replicate card types, cryptography and unique IDs to NFC devices. Credential vendors such as NXP, HID Global, LEGIC and Sony will need to authorize one or more parts of the mobile chain–the NFC chip, the handset, the mobile operator–to enable card emulation.

“You can’t just copy the credentials and (use) a different unique ID … it won’t work,” Fonseca says. “You have to have a commercial agreement with the enterprise to replicate and make those credentials virtual onto the phone.”

These obstacles, though relevant, are less daunting for real world physical access systems than for a future globally interoperable vision. Most organizations select a single type of contactless credential to issue to employees. There may also be a preferred mobile operator and handset. Thus it is not a requirement that every flavor of contactless credential be approved for all handsets to have a working solution.

Making all this work together will not fall to the issuing organizations. Rather, contactless providers will work with the mobile chain to offer solutions to issuers. In the near term, it is likely that the contactless provider will have one or more approved handsets and/or mobile operators that issuers can opt to deploy. It is likely that the current network of system integrators that provides hardware and cards to issuers will offer these new emulated NFC cards as a future option.

To be clear, this work is ongoing and it is true that there are very few NFC-enabled handsets on the market today. But these limitations are temporary, according to Fonseca. “The industry is moving in this direction,” he says, adding that there are significant benefits to justify the switch to mobile.

Unlike plastic cards, which are static, a mobile phone can be constantly updated with new permissions and apps for changing needs. Because NFC-equipped handsets can be updated dynamically over the air, new credentials can be provisioned without requiring the employee to physically visit company security or human resources.

Another benefit is that the phone itself acts as another layer of security, explains Fonseca. For starters, each phone comes with an International Mobile Equipment Identity number. Since the IMEI is unique, it can be used to provide another identity aspect to the credential.

The secure element in the phone that stores the credential adds yet another level of security. “You get the added benefits of those two aspects from the phone where you do have more real-time security,” he says. “And more real-time ability to re-commission cards to the phone over the air.”

This dynamic nature of the mobile device will enable security postures to change in real time, says Tam Hulusi, senior vice president of strategic innovation and intellectual property for HID Global.

“You can create a lot more powerful use cases of your access control scenario,” Hulusi says. “Dynamically you will be able to add one, two or three factor identification. If the threat level goes up or the context changes, you can change the number of factors accordingly in real time.”

HID Global’s iCLASS contactless cards are widely used in physical access and other applications. This fall the company will launch its first iCLASS emulation, enabling contactless credentials to be loaded onto NFC phones, Hulusi says.

HID will provide applications to enhance its mobile security offerings, adds Hulusi, including a virtual PIN pad on the phone in lieu of traditional wall mounted devices. This will enable companies to provide two-factor authentication and eliminate the need for added hardware.

Hulusi says the company is working on a future architecture in which the NFC chip is embedded in the door lock itself and the handset acts as a reader. In this mode, the standard key/lock relationship is essentially inverted; the key is already in the lock, it just needs the right phone to “turn” it.

According to Hulusi, it is similar to accessing information from NFC tags and posters, only in this case the tag is encrypted to ensure only authorized handsets can access the information.

So there seem to be plenty of projects on the horizon, but what will we have in the meantime? Fonseca says to expect a transition period during which we’ll be carrying both our phones and smart cards as access devices.

“From an enterprise security standpoint, most (issuers) do not yet accept a virtual security credential as the only ID,” Fonseca explains. “There are ways on the phone to tie a photo to the credential, but that part hasn’t been (completely) solved yet, so in the interim you’ll likely have physical cards that are carrying the employee’s credential and photo in case they don’t have a phone. And then eventually the phone becomes the redemption vehicle for everything.”
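Two points in the story above lend themselves to a worked example: Fonseca's remark that you cannot copy a credential onto a device with a different unique ID and have it work, and Hulusi's point about raising the number of factors as the threat level changes. The block below is an added example, not code from NXP, HID Global or the article. The reader derives a per-credential key from an issuer master key and the credential's unique ID, so key material copied to a handset with another UID fails challenge-response, and a small policy layer requires one, two or three factors by threat level. HMAC-SHA256 as the derivation function, the master key, the UIDs and the "access-cred-v1" label are all constructed assumptions. One caveat worth adding to the article: an IMEI is a device identifier the handset reports, not a secret, so it can add context but should not be counted as an authentication factor on its own; the example binds the ID into the key rather than trusting the ID by itself.

```python
"""
Added example (not from the article or any vendor): reader-side verification of
an emulated contactless credential with a UID-diversified key, plus a threat-level
factor policy. Master key, UIDs and the derivation label are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed issuer master key; a real deployment keeps this in an HSM or reader SAM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Factors in order: possession (card/handset), knowledge (PIN), inherence (biometric).
FACTORS_REQUIRED = {"normal": 1, "elevated": 2, "high": 3}


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-credential key bound to the UID (assumption: HMAC-SHA256 as the KDF)."""
    return hmac.new(master_key, b"access-cred-v1" + uid, hashlib.sha256).digest()


class EmulatedCredential:
    """What a card or a handset secure element holds: its UID and its diversified key."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # The response covers the UID the credential claims, not only the challenge.
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


def issue(master_key: bytes, uid: bytes) -> EmulatedCredential:
    """Issuer-side provisioning of a credential for a given UID."""
    return EmulatedCredential(uid, diversify_key(master_key, uid))


def copy_to_other_uid(cred: EmulatedCredential, new_uid: bytes) -> EmulatedCredential:
    """Naive clone: the same stored key material presented under a different unique ID."""
    return EmulatedCredential(new_uid, cred._key)


class Reader:
    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key

    def authenticate(self, cred: EmulatedCredential, challenge: Optional[bytes] = None) -> bool:
        """Challenge-response: the reader recomputes the diversified key from the presented UID."""
        if challenge is None:
            challenge = secrets.token_bytes(16)
        expected_key = diversify_key(self._master_key, cred.uid)
        expected = hmac.new(expected_key, cred.uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cred.respond(challenge))


def decide_access(reader: Reader, cred: EmulatedCredential, threat_level: str,
                  pin_ok: bool = False, biometric_ok: bool = False) -> bool:
    """Require the first N factors (possession, knowledge, inherence) for the threat level."""
    required = FACTORS_REQUIRED[threat_level]
    factors = [reader.authenticate(cred), pin_ok, biometric_ok]
    return all(factors[:required])


if __name__ == "__main__":
    reader = Reader(MASTER_KEY)
    genuine = issue(MASTER_KEY, bytes.fromhex("04a1b2c3d4e580"))       # constructed 7-byte UID
    clone = copy_to_other_uid(genuine, bytes.fromhex("04ffeeddccbb01"))  # constructed other UID
    print("genuine credential:", reader.authenticate(genuine))
    print("copied to other UID:", reader.authenticate(clone))
    print("high threat, card + PIN only:", decide_access(reader, genuine, "high", pin_ok=True))
```

The clone fails because the reader never trusts key material on its own: it rederives the key from the UID it is shown, and the copied key was derived for a different UID. The policy function is deliberately simple; the point is that the number of factors is a runtime input, which is what makes the "raise factors with the threat level" use case possible at all.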

Source: http://www.securitytracker.com/id/1026196

Skype Bugs Permit Cross-Site Scripting and Denial of Service Attacks
SecurityTracker Alert ID:  1026196

SecurityTracker URL:  http://securitytracker.com/id/1026196

CVE Reference:  GENERIC-MAP-NOMATCH

Date:  Oct 18 2011

Version(s): 5.2.x, 5.3.x
Description:   Several vulnerabilities were reported in Skype. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks. A remote user may be able to execute arbitrary code on the target system.

Several parameters do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Skype software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can send specially crafted data to cause the target user's client to crash.

A remote user can send specially crafted data to trigger a memory corruption error and potentially execute arbitrary code on the target user's system.

The original advisory (presented at HITBSecConf) is available at:

http://www.vulnerability-lab.com/get_content.php?id=293

Benjamin Kunz Mejri (Rem0ve) and Pim J.F. Campers (X4lt) of Vulnerability Research Laboratory reported these vulnerabilities.

Impact:   A remote user can cause denial of service conditions, conduct cross-site scripting attacks and potentially execute arbitrary code on the target user's system.
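The cross-site scripting finding in the advisory comes down to user-supplied fields reaching an HTML view without filtering. As an added example, not Skype's code and not the researchers' proof of concept, the block below renders hypothetical profile fields into HTML two ways, the unfiltered way and an escaped-by-context way, then inspects the result with a small parser to show which script vectors survive. The field names ("mood", "website") and the markup are assumptions. The part practitioners most often get wrong is the attribute case: html.escape alone does not neutralise a javascript: URL in an href, so the URL scheme has to be validated as well.

```python
"""
Added example, not Skype's code: a hypothetical client renders user-supplied
profile fields into an HTML view. Field names and markup are assumptions.
"""
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def render_profile_vulnerable(display_name: str, mood: str, website: str) -> str:
    """No filtering: whatever a remote contact put in the fields reaches the view verbatim."""
    return (
        f'<div class="profile"><b>{display_name}</b>'
        f'<p class="mood">{mood}</p>'
        f'<a href="{website}">site</a></div>'
    )


def safe_url(url: str) -> str:
    """Attribute context: escaping alone does not stop javascript:, so validate the scheme too."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return "#"  # anything that is not an absolute http(s) URL is dropped
    return html.escape(url, quote=True)


def render_profile_hardened(display_name: str, mood: str, website: str) -> str:
    """Escape by output context: text nodes via html.escape, the href via safe_url."""
    return (
        f'<div class="profile"><b>{html.escape(display_name)}</b>'
        f'<p class="mood">{html.escape(mood)}</p>'
        f'<a href="{safe_url(website)}">site</a></div>'
    )


class ActiveContentFinder(HTMLParser):
    """Walks rendered markup and records script vectors that survived rendering."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag == "script":
            self.found.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.found.append(f"event handler {name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.found.append(f"javascript: in {name}")


def active_content(rendered: str) -> List[str]:
    """Return the script vectors present in rendered markup; an empty list means none."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.found


if __name__ == "__main__":
    # Constructed attacker-controlled field values.
    name = "Bob<script>alert(1)</script>"
    mood = "<img src=x onerror=alert(1)>"
    site = "javascript:alert(document.cookie)"
    print("vulnerable:", active_content(render_profile_vulnerable(name, mood, site)))
    print("hardened:  ", active_content(render_profile_hardened(name, mood, site)))
```

The parser-based check is used instead of a regex on purpose: escaped text such as `&lt;img src=x onerror=alert(1)&gt;` still contains the substring `onerror=`, so a naive pattern match would flag the hardened output as well, while a parser sees it as plain character data.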

Source:  http://www.eweek.com/c/a/Security/Anonymous-Cant-Attack-SCADA-Systems-Now-But-May-Do-So-in-Future-DHS-546618

The Department of Homeland Security has evaluated Anonymous and found that while the collective may not be able to take over critical IT infrastructure today, it may be able to someday.

The “hacktivist” collective Anonymous is capable of crippling critical infrastructure, but the odds of it developing a Stuxnet-style attack on industrial Supervisory Control and Data Acquisition (SCADA) systems are slim, according to a Department of Homeland Security bulletin.

The four-page report from the department's National Cyber-Security and Communications Integration Center was posted on the Public Intelligence Website on Oct. 17. The Department of Homeland Security evaluated the collective's potential to disrupt critical infrastructure in the "Assessment of Anonymous Threat to Control Systems" report, dated Sept. 17.

Even though hacktivist groups are increasingly more active in their attacks, DHS said actual threats to control systems don't seem to have increased. Anonymous currently has a "limited ability" to conduct attacks that target industrial control systems, the DHS found. The group has the capability to disrupt operations with distributed denial of service attacks, but it doesn't currently have the necessary skills to take over critical infrastructure, according to the DHS.

"However, experienced and skilled members of Anonymous…could be able to develop capabilities to gain access and trespass on control system networks very quickly," according to the DHS bulletin.

DHS evaluated the group after a known Anonymous member posted on Twitter on July 19 a directory tree for Siemens SIMATIC control system software, according to the report. "This is an indication of a shift toward interest in control systems by the hacktivist group," the report said.

Critical infrastructure refers to the systems and networks that power communications, energy, financial systems, food, government operations, health care systems, transportation and water.