Your daily source of Pwnage, Policy and Politics.

Episode 517 – Lob the Lobbyists, Top 125, Fallguy For Hire, Goodbye Charlie, Sandbox or GTFO & Privacy is Not Profitable

InfoSec Daily Podcast Episode 517 for November 8, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan (aka Shit Eye), Themson Mester, and Varun Sharma.

Announcements:
Brad Smith (theNurse) and his stroke at Hacker Halted:

We all know and love Brad Smith, aka theNurse. His humor and smiling positivity are a wonderful example for our community. At Hacker Halted he had a massive stroke and has been in the hospital in a coma for a few days.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to. Please feel free to check in for status or to donate. Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:

Source: http://www.politico.com/news/stories/1111/67603.html

Google is considering ditching the U.S. Chamber of Commerce out of frustration with its support for legislation that would force Internet companies to police websites that peddle pirated movies and fake Viagra.

The rumblings of a defection — a potentially serious blow to one of Washington’s most powerful lobbies — come weeks after Yahoo left the Chamber in October, largely over its support of Sen. Patrick Leahy’s (D-Vt.) online piracy bill, the PROTECT IP Act.

Source: http://sectools.org/

For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator).

We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!

Source: http://www.usajobs.gov/GetJob/PrintPreview/301181700

This position is located in the Department of Homeland Security (DHS), Office of the Chief Information Officer, Information Security Office (ISO), and directs the information security requirements of the Department by ensuring the confidentiality, integrity, and availability of systems, networks, and data through the planning, analysis, development, implementation, maintenance, and enhancement of information security programs, policies, procedures, and tools. The Director is responsible for performing and supervising work that involves applying analytical processes to the planning, design, and implementation of new and improved information systems to meet the business requirements of the agency's line of business and administrative programs. Executes the planning and delivery of secure, high-quality enterprise application services for DHS customers. Provides the security architectural planning and delivery of enterprise Information Technology (IT) services across DHS.

Source: www.cultofmac.com/128577/apple-kicks-security-researcher-out-of-app-store-and-developer-program-after-ios-vulnerability-demonstration/

We told you a couple of hours ago about security guru Charlie Miller’s new iOS vulnerability that allows an approved App Store app to run unsigned code remotely. Miller has been hacking Apple’s products for years, and this most recent bug is a particularly nefarious exploit that could be used for all kinds of evil purposes.

Charlie Miller is one of the good guys, however, and he is planning to show his cards at the SysCan conference in Taiwan next week. The ends don’t always justify the means in this case, as Apple has now kicked Miller out of the App Store and iOS Developer Program.

In a series of tweets, Miller announced Apple’s swift decision to ban him from the iOS world. Miller demoed his hack via a sleeper app, called Instastock, that he submitted to the App Store. In a video, he demonstrated running unsigned code from his home server on the Apple-approved app.

The bug involves exploiting javascript code in iOS that Apple didn’t secure enough in the latest release of the operating system. Apple touts iOS as being more stable than its competition, like Android, and this bug that Miller discovered poses a dangerous threat to Apple’s spotless App Store ecosystem.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Since posting the video outlining his hack earlier today, Apple has banned Miller from both the App Store and Developer Program. On his Twitter account, Miller complained that, “First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research.”

As a respected security researcher with a track record of exploiting Apple’s products, one could argue that Miller could have reported the exploit to Apple directly instead of planting a malicious app in the App Store. On the other side of the coin, it’s telling that Miller got his app through Apple’s review team in the first place.

What do you think? Was Apple justified in removing Miller from the App Store entirely (instead of pulling the Instastock app specifically) and kicking him out of the iOS Developer Program?

Charlie’s comment on Twitter:

“For the record, without a real app in the AppStore, people would say Apple wouldn't approve an app that took advantage of this flaw.”

Source: https://developer.apple.com/news/

The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way. As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems. Learn more by visiting the App Sandbox page.

Source: http://paranoia.dubfire.net/2011/11/two-honest-google-employees-our.html

[I]t's very difficult to monetize data when you cannot see it. And so if the files that I store in Google docs are encrypted or if the files I store on Amazon's drives are encrypted then they are not able to monetize it….And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications.

Now, this doesn't mean that Google and Microsoft and Yahoo! are evil. They are not going out of their way to help law enforcement. It's just that their business model is in conflict with your privacy. And given two choices, one of which is protecting you from the government and the other which is making money, they are going to go with making money because, of course, they are public corporations. They are required to make money and return it to their shareholders.