InfoSec Daily Podcast Episode 547 for December 15, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.
Announcements:
Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse. His humor and smiling positivity are a wonderful example for our community. At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.
Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to. Please feel free to check in for status or to donate. Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.
http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/
CampusCon 2012
When: January 21, 2012
Where: WIT {Waterford Institute of Technology} Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)
SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484
ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org
Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
http://aide.marshall.edu
CFP now open!
DerbyCon 2012 – "Dropping the Deuce"
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Source: http://torrentfreak.com/french-presidents-residence-busted-for-bittorrent-piracy-111215/
Nicolas Sarkozy, the president of France and one of the most powerful men in Europe, was busted today after journalists from a French news site, armed with Élysée Palace IPs, took a peek to see what had been downloaded from the president's residence.
If the three-strikes piracy law adopted by French authorities early this year were applied, the Palace would be left without an Internet connection for about two months.
A total of six downloads that can be considered copyright infringement were recorded by the new BitTorrent-use tracking service as coming from Sarkozy's place, reports TorrentFreak.
Tower Heist, Arthur Christmas and a high-quality version of a Beach Boys album were among the pirated materials.
Now, even though the YouHaveDownloaded website's owners said that their service cannot handle dynamic IPs, making the pirate-spotting business less accurate, a quick look at the IP addresses provided by Nicolas Perrier of Nikopik using the Whois service from DomainTools reveals that the addresses do indeed belong to "Presidence de la Republique".
Since the controversial website was launched, a lot of organizations that support anti-piracy movements have been caught with their pants down. Yesterday we saw how even Sony, Universal and Fox employees spend a lot of time downloading content from torrent sites.
…
Source: http://www.pcadvisor.co.uk/news/security/3325419/visa-investigates-security-breach-at-european-payment-processor
Visa is investigating a potential security breach at a European payment processor that might have affected cardholders in eastern Europe.
"Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway," the company said in a statement. "We are working closely with our member banks to ensure cardholders are protected," it added.
The potentially affected payment processor is serving an undisclosed merchant chain that does business in several eastern European markets, Visa said.
Multiple banks have been alerted and some have already taken steps to limit the potential fraud. Romanian state-owned CEC Bank is in the process of reissuing 17,000 payment cards as a result of the incident.
The bank received official reports according to which information corresponding to a number of payment cards issued by Romanian and foreign financial institutions had been compromised.
…
Source: http://www.hollywoodreporter.com/thr-esq/ellen-degeneres-facebook-scam-lawsuit-273805
Pretty much everyone with an e-mail account is familiar with the type of scam wherein a person with connections has something valuable to offer, but is experiencing some form of trouble and is willing to provide compensation for needed assistance. Is someone trying to swindle those who would do practically anything for an all-expenses-paid trip to meet their favorite talk show host?
On Tuesday, Telepictures Prods, a subsidiary of Warner Bros. and a producer of The Ellen DeGeneres Show, filed a lawsuit against an anonymous individual who allegedly has been posing as Ellen's manager.
According to the complaint, the defendant(s) created fake email accounts and a profile on Facebook in the name of Eric Gold, DeGeneres' manager. After passing himself off as an employee of her show, the fake Eric Gold is said to have solicited and collected personal information from fans. How? Fans were told that they had been selected to appear on the program.
We've collected more info on the scam. A typical message began:
"You have been selected from members of the Ellen DeGenere's Facebook Fan page to be on her talk show because of your comment on the 'Halloween edition'. If you are interested in attending, this offer is an all expense paid trip from Ellen in appreciation of being a fan of Ellen. You are required to reply as soon as possible because we have limited time."
The message then promises that the recipient will receive a $3,000 check to cover travel expenses. To receive the check, the recipients have to give their full name, address, cell phone number and e-mail address.
…
Source: http://www.darkreading.com/database-security/167901020/security/news/232300536/five-big-database-breaches-of-2011-s-second-half.html
Though the second half of the year has been comparatively calmer than the first half's excitement over database breaches at RSA, Sony, and Epsilon, the breach numbers continued to roll in — especially at healthcare organizations, which made up a disproportionate number of exposed records. Here are some of the biggest breaches that went down in the second half of the year, along with a few database security lessons learned.
1. The Breach Victim: Nemours
Assets Stolen/Affected: Names, addresses, dates of birth, Social Security numbers, insurance data, medical treatment data, and bank account information for 1.6 million patients, vendors, and employees.
2. The Breach Victim: Tricare/SAIC
Assets Stolen/Affected: Protected health information from 5.1 million patients of U.S. military hospitals and clinics.
3. The Breach Victim: Sutter Physicians Services and Sutter Medical Foundation
Assets Stolen/Affected: Personally identifiable information of 3.3 million patients supported by Sutter Physicians Services and medical information of another 934,000 Sutter Medical Foundation patients.
4. The Breach Victim: SK Communications
Assets Stolen/Affected: Thirty-five million names, email addresses, phone numbers, and resident registration numbers of social media users at South Korean sites Cyworld and Nate.
5. The Breach Victim: Valve, Inc.
Assets Stolen/Affected: Personally identifiable information for 35 million users of Valve's online gaming site.
…
Source: http://abcnews.go.com/Technology/wireStory/us-set-soldier-leaks-targets-assange-15162032
As the suspected source for the biggest intelligence leak in American history faces his first hearing Friday, U.S. prosecutors have their eye on another prize: the man who disclosed the documents to the world.
When WikiLeaks' spectacular disclosures of U.S. secrets exploded onto the scene last year, much of Washington's anger coalesced around Julian Assange, the silver-haired globe-trotting figure whose outspoken defiance of the Pentagon and the State Department riled politicians on both sides of the aisle. Pfc. Bradley Manning, long under lock and key, hasn't attracted the same level of ire.
The pair's fates have been intertwined, however, even if the Australian-born computer hacker says he didn't know the private's name until after news of his arrest emerged in June 2010. Manning's alleged disclosures put Assange at the epicenter of a diplomatic earthquake.
Assange in turn has worked energetically to drum up support for the imprisoned soldier — all while emphasizing that the way his anti-secrecy site was set up meant he could not be sure if Manning was his source.
U.S. investigators have been scrutinizing links between the two as they explore the possibility of charging the Australian with serious crimes under U.S. law. A Virginia grand jury is studying evidence that might link Assange to Manning, but no action has yet been taken.
Source: http://www.wired.com/threatlevel/2011/12/internet-war-2/
The House and Senate agreed to give the U.S. military the power to conduct “offensive” strikes online — including clandestine attacks, via a little-noticed provision in the military’s 2012 funding bill.
The power, which was included in the House version but not the Senate version, was included in the final “reconciled” bill that is all but guaranteed to pass into law.
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to–
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
While “offensive” action isn’t defined, that’s likely to include things like unleashing a worm like the Stuxnet worm that damaged Iran’s nuclear centrifuges, hacking into another country’s power grid to bring it down, disabling websites via denial-of-service attacks, or as the CIA has already done with some collateral damage, hacking into a forum where would-be terrorists meet in order to permanently disable it.
Source: http://www.ft.com/cms/s/2/bf962998-1d01-11e1-a26a-00144feabdc0.html
Businesses breaching European Union privacy rules will face fines of up to 5 per cent of their global turnover under sweeping proposals to be unveiled next month.
In the first significant update of data protection legislation since 1995, companies found to have mishandled any personal data they hold – be it of their customers, suppliers or their own employees – will face the highest levels of fines, which could extend to billions of euros for large multinationals.
The measures are being finalised within the European Commission. They will have to be approved by national governments, some of which – especially Germany – will be reluctant to lose oversight on privacy matters to Brussels. The process is likely to take at least two years, with another two before the measures come into effect.
The proposals would bolster significantly the EU’s powers on combating data protection breaches, such as when companies sell customer data to third parties without authorisation or fail to adequately protect information held by social networks and “cloud computing” services.