InfoSec Daily Podcast Episode 529 for November 22, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Themson Mester, and Varun Sharma.
No Show on Thursday (11/24) or Friday (11/25).
In order to allow our hosts to enjoy the Holiday and spend time with their families we will not have any shows on Thursday (11/24) or Friday (11/25). Dr. Bonez will have his weekend show on 11/26. The normal show will return on 11/28.
Brad Smith (theNurse) and his stroke at Hacker Halted:
We all know and love Brad Smith, aka theNurse. His humor and smiling positivity is a wonderful example for our community. At Hacker Halted he had a massive stroke and has been in the hospital in a coma for a few days.
Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to. Please feel free to check in for status or to donate. Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.
Vote For Wim Remes
When: Starts November 16, 2011
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
DerbyCon 2012 – "The Reunion"
When: September 27-30, 2012
Where: Louisville, KY
Did you know that Google offers 2-step login verification for Gmail accounts? The feature has been around a while, and now Google has written a reminder for all users who need an extra layer of security for their Gmail account and other services connected to it.
In addition to logging into Gmail with your email and password, with 2-step verification you’ll have to go through the added trouble of entering a code Google will send to your phone. This will “approve” the computer you’re currently logging in from for 30 days, so you don’t have to do this every time you log in.
If you have a smartphone, you can also generate the code on your phone using the Google Authenticator app.
Yes, entering an additional code is somewhat of a nuisance, but it would also greatly complicate matters for anyone who has gotten a hold of your password. To successfully log into your Gmail account, that person would also need to obtain your phone.
In its blog post, Google emphasizes that this reminder is just “general security advice, not an indication of an attack or compromise,” but one has to wonder if the Mountain View giant is seeing an increased number of complaints from users whose Gmail accounts have been compromised.
To enable 2-step verification for Gmail, open the security settings of your Google Account.
Available for: Mac OS X v10.5 or later, Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attacker may offer software that appears to originate from Apple
Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user's default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user's default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.
CVE-2008-3434 : Francisco Amato of Infobyte Security Research
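The advisory describes the classic update-channel weakness: the client asks for update information over plain HTTP, so anyone on the path can answer in Apple's place and hand it a download link of their choosing, which the client then opens in the default browser. As an added illustration (not Apple's code or its actual fix, which was to move the check to a secured connection), here is that unchecked pattern beside a hardened one that refuses any download link that is not HTTPS, carries embedded credentials, or points anywhere off an allowlist; such a check is defense in depth even once the channel itself is protected. The responses, hostnames and the allowlist are constructed for the example.

```python
from urllib.parse import urlsplit

# Illustrative allowlist (an assumption for this example, not Apple's configuration).
TRUSTED_HOSTS = {"www.apple.com"}

# Constructed update-check responses: one as the vendor would send it, two as a
# man-in-the-middle on a plain-HTTP channel could rewrite it.
GENUINE_RESPONSE = {"latest": "10.5.1", "url": "https://www.apple.com/itunes/download/"}
SPOOFED_RESPONSE = {"latest": "99.0", "url": "http://www.apple.com.update.example.net/iTunesSetup.exe"}
TRICKY_RESPONSE = {"latest": "99.0", "url": "https://www.apple.com@update.example.net/iTunesSetup.exe"}


def download_url_unchecked(response: dict) -> str:
    """Pre-fix pattern: hand whatever URL the response carried straight to the default browser."""
    return response["url"]


def download_url_checked(response: dict, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Open a download link only if it is HTTPS, has no userinfo, and names an allowlisted host."""
    url = response.get("url", "")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download link: {url}")
    if parts.username is not None or parts.password is not None:
        # 'https://www.apple.com@update.example.net/...' is actually served by update.example.net
        raise ValueError(f"refusing URL with embedded credentials: {url}")
    if (parts.hostname or "") not in trusted_hosts:
        raise ValueError(f"refusing download from untrusted host {parts.hostname!r}")
    return url


def is_safe_download(response: dict) -> bool:
    """Convenience wrapper returning a verdict instead of raising."""
    try:
        download_url_checked(response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, resp in [("genuine", GENUINE_RESPONSE), ("spoofed", SPOOFED_RESPONSE), ("tricky", TRICKY_RESPONSE)]:
        print(f"{name}: unchecked would open {download_url_unchecked(resp)}; "
              f"checked accepts: {is_safe_download(resp)}")
```

Note that `urlsplit` already lower-cases `hostname`, so a mixed-case allowlisted host still matches, and an empty or missing URL fails the scheme check rather than slipping through.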
Last week, security researcher Trevor Eckhart posted an analysis of software produced by Carrier IQ, which describes itself as "the world's leading provider of Mobile Service Intelligence solutions." Eckhart concluded that the software, which comes by default on many mobile devices and runs quietly in the background, logs extensive details about users' activities. Eckhart not only documented the functionality of the software, but learned even more about how it works through training materials posted on the Carrier IQ website. Fearing the company would take the files offline after he posted his analysis, he mirrored the training materials to let others independently verify his conclusions.
Eckhart was right: Carrier IQ immediately made the files unavailable, but it didn't stop there. Carrier IQ fired off a cease-and-desist letter (pdf) to Eckhart, claiming that he infringed its copyrights and made unspecified "false allegations" about its software. Among other things, the company demanded that Eckhart turn over contact information for every person who had obtained the files from him, and that he replace his analysis with a statement—written for him by Carrier IQ—disavowing his research.
Happily, Eckhart was not cowed by this ham-fisted effort to suppress his findings. Instead, he reached out to EFF. We're glad he did. As we explained in a letter (pdf) to Carrier IQ today, Eckhart's research is protected by fair use and the First Amendment right to free expression. He posted the training materials to teach the public about software that many consumers don't know about, even though it monitors their everyday activities and raises substantial privacy concerns. As the Copyright Act says, "the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting . . . or research, is not an infringement of copyright." Furthermore, Eckhart's analysis is just the kind of speech that the First Amendment is meant to protect: public commentary that will help consumers better understand the products they use and help researchers investigate those products.
Given the weakness of its legal position, we have to conclude that Carrier IQ's real goal is to suppress Eckhart’s research and prevent others from verifying his findings. But as we've long said, the best way to counter speech you don't like is more speech—not baseless legal threats to silence your critics. Carrier IQ didn't get the memo on this. (Nor, apparently, has it heard of the Streisand Effect.) Hopefully it has now.
The European Union last Monday prohibited the use of X-ray body scanners in European airports, parting ways with the U.S. Transportation Security Administration, which has deployed hundreds of the scanners as a way to screen millions of airline passengers for explosives hidden under clothing.
The European Commission, which enforces common policies of the EU's 27 member countries, adopted the rule “in order not to risk jeopardizing citizens’ health and safety.”
As a ProPublica/PBS NewsHour investigation detailed earlier this month, X-ray body scanners use ionizing radiation, a form of energy that has been shown to damage DNA and cause cancer. Although the amount of radiation is extremely low, equivalent to the radiation a person would receive in a few minutes of flying, several research studies have concluded that a small number of cancer cases would result from scanning hundreds of millions of passengers a year.
European countries will be allowed to use an alternative body scanner, one that relies on radio frequency waves, which have not been linked to cancer. The TSA has also deployed hundreds of those machines, known as millimeter-wave scanners, in U.S. airports. But unlike Europe, it has decided to deploy both types of scanners.
The TSA would not comment specifically on the EU’s decision. But in a statement, TSA spokesman Mike McCarthy said, “As one of our many layers of security, TSA deploys the most advanced technology available to provide the best opportunity to detect dangerous items, such as explosives.
“We rigorously test our technology to ensure it meets our high detection and safety standards before it is placed in airports,” he continued. “Since January 2010, advanced imaging technology has detected more than 300 dangerous or illegal items on passengers in U.S. airports nationwide.”
Body scanners have been controversial in the United States since they were first deployed in prisons in the late 1990s and then in airports for tests after 9/11. Most of the controversy has focused on privacy because the machines can produce graphic images. But the manufacturers have since installed privacy filters.
As the TSA began deploying hundreds of body scanners after the failed underwear bombing on Christmas Day 2009, several scientists began to raise concerns about the health risks of the X-ray scanner, noting that even low levels of radiation would increase the risk of cancer.
As part of our investigation, ProPublica surveyed foreign countries’ security policies and found that only a few nations used the X-ray scanner. The United Kingdom uses them but only for secondary screening, such as when a passenger triggers the metal detector or raises suspicion.
Under the new European Commission policy, the U.K. will be allowed to complete a trial of the X-ray scanners but not to deploy them on a permanent basis when the trial ends, said Helen Kearns, spokeswoman for the European transport commissioner, Siim Kallas.
“These new rules ensure that where this technology is used it will be covered by EU-wide standards on detection capability as well as strict safeguards to protect health and fundamental rights,” Kallas said.
Five hundred body scanners, split about evenly between the two technologies, are deployed in U.S. airports. The X-ray scanner, or backscatter, which looks like two large blue boxes, is used at major airports, including Los Angeles International Airport, John F. Kennedy in New York and Chicago's O’Hare. The millimeter-wave scanner, which looks like a round glass booth, is used in San Francisco, Atlanta and Dallas.
Within three years, the TSA plans to deploy 1,800 backscatter and millimeter-wave scanners, covering nearly every domestic airport security lane. The TSA has not yet released details on the exact breakdown.
Update: “In spite of the European Commission formally adopting new limits on airport body scanners and outright banning backscatter x-ray scanners pending further studies, the UK will not allow passengers to “opt out” if they are selected to go through the machines, which will remain in use.”
AT&T announced Monday that hackers made an “organized and systematic attempt” to gain access to nearly one million of their customers’ online accounts.
According to a Bloomberg report, the phone company assured customers in an e-mail their accounts were intact.
“We do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account.”
While no information appears to have been breached here, AT&T spokesman Mark Siegel said the company has launched an investigation to identify the intent behind the attack.
AT&T, one of the largest phone companies in the world, has 100.7 million wireless subscribers, yet only about 1 percent of them, approximately one million customers, were targeted by the attack, in which hackers used automated scripts to try to match customers' telephone numbers with account numbers and gain access to accounts.
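What AT&T describes is account enumeration: a script sweeps through telephone numbers looking for ones that resolve to an account, so the tell-tale sign in the logs is not failed logins from one user but one source cycling through many different numbers in a short time. As an added example (not AT&T's logging or tooling), here is a detection a defender could run over access logs for such a lookup endpoint: a sliding one-minute window per source address that alerts when the count of distinct numbers tried exceeds a small threshold, which separates a scripted sweep from a genuine customer retrying their own number. The log format, addresses and numbers are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for an "account lookup by phone number" endpoint (not AT&T's real format).
SAMPLE_LOG = """\
2011-11-21T03:14:07Z src=198.51.100.23 phone=2145550101 result=FAIL
2011-11-21T03:14:07Z src=198.51.100.23 phone=2145550102 result=FAIL
2011-11-21T03:14:08Z src=198.51.100.23 phone=2145550103 result=FAIL
2011-11-21T03:14:08Z src=198.51.100.23 phone=2145550104 result=OK
2011-11-21T03:14:09Z src=198.51.100.23 phone=2145550105 result=FAIL
2011-11-21T03:14:09Z src=198.51.100.23 phone=2145550106 result=FAIL
2011-11-21T03:14:30Z src=203.0.113.8 phone=2145550199 result=FAIL
2011-11-21T03:14:45Z src=203.0.113.8 phone=2145550199 result=OK
2011-11-21T03:20:00Z src=198.51.100.23 phone=2145550107 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) phone=(?P<phone>\d+) result=(?P<result>\w+)$")


def parse(lines):
    """Yield (timestamp, source, phone, result) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["phone"], m["result"])


def detect_enumeration(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {source: peak_distinct_numbers} for sources that tried more than `max_distinct`
    different phone numbers inside any `window`. Outcome is ignored on purpose: a sweep that
    happens to hit valid numbers is still a sweep, and a real customer retrying one number
    never accumulates distinct values."""
    by_src = defaultdict(list)
    for ts, src, phone, _ in sorted(parse(lines), key=lambda e: e[0]):
        by_src[src].append((ts, phone))

    alerts = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:   # slide the window forward
                start += 1
            distinct = len({phone for _, phone in attempts[start:end + 1]})
            if distinct > max_distinct:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, peak in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT enumeration from {src}: {peak} distinct numbers within 60 s")
```

In the sample, 198.51.100.23 tries six numbers in three seconds and is flagged, while its later single attempt at 03:20 falls outside the window and 203.0.113.8, which retries the same number once, is not. In production the threshold is set from the per-customer baseline, and the source key would usually combine address with session or device identifiers, since a distributed sweep spreads requests across many addresses.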