Your daily source of Pwnage, Policy and Politics.

Episode 555 – Subpoena Leak, Don’t Fear The Reaver, Stuxnet Cousins, Trion, MS11-100 & Karthik’s Top 5

InfoSec Daily Podcast Episode 555 for December 29, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, Karthik Rangarajan, and Geordy Rostad.
 

Announcements:

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

CampusCon 2012
When: January 21, 2012
Where: WIT {Waterford Institute of Technology} Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)

SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.



 

Stories

Source: http://mashable.com/2011/12/28/leaked-twitter-subpoena-raises-online-privacy-issues/
The leaked subpoena sent to Twitter this month by the Suffolk District Attorney's Office in Boston is causing some hoopla on the web and raising the issue of law enforcement's access to online personal data. On Dec. 14, the D.A.'s Office issued a subpoena to Twitter in order to access the account information of two users who tweeted a list of personal information they allegedly obtained by hacking into the Boston Police Patrolmen's Association. The hackers stole identifying information and Tweeted it to followers. The subpoena requests "available subscriber information, for the account or accounts associated with the following information, including IP address logs for account creation."

In the subpoena, assistant D.A. Benjamin A. Goldberger requests that the investigation be kept from the Twitter users as to not impede the ongoing probe. But the information was leaked. We reached out to Twitter for comment, but have yet to hear back.
On Dec. 23 one of the accounts under investigation, @p0isAn0N Tweeted, "Haha. Boston PD submitted to Twitter for my information. Lololol? For what? Posting info pulled from public domains? #comeatmebro."

The D.A.'s office requested details of two Twitter users and also listed the name Guido Fawkes, which is the name but not handle listed for one of the accounts under investigation, as well as the hashtags #BostonPD and #d0xcak3.
One of the accounts being probed is listed in the subpoena as @OccupyBoston, however that account appears to be inactive. It's likely they meant @Occupy_Boston, which Tweets about the occupy movement. Targeting this account has led some to speculate that the police are monitoring the online activity of occupy protestors.
Twitter's website contains an information section for law enforcement. It states that if a subpoena is issued for a user's information, the company will inform that user before they hand the information to the authorities, unless it is prevented from doing so by court order or statute. According to its site, Twitter was following protocol by informing the user of the subpoena, and, perhaps later providing that user's information to the Boston D.A. This isn't the first time Twitter has been reluctant to hand over user information to law enforcement.

Source:  http://www.zdnet.com/blog/networking/wi-fi-protected-setup-is-busted/1808
Source:  http://seclists.org/fulldisclosure/2011/Dec/484
Source: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html
Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard for easy establishment of a wireless home network.
Created by the Wi-Fi Alliance and officially launched on January 8, 2007, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up the encryption method WPA, as well as making it easy to add new devices to an existing network without entering long passphrases.  The U.S. Computer Emergency Readiness Team (CERT) has confirmed that security researcher Stefan Viehböck has found a security hole big enough to drive a network through WPS.
According to Viehböck, he took a look at WPS and found “a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.” CERT agrees.
How bad is it? CERT states that “An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.”
The problem, as Viehböck explains in detail in his paper, lies in the WPS PIN method (the eight-digit registrar PIN printed on the device, as distinct from the push-button method). When PIN authentication fails the access point sends an Extensible Authentication Protocol Negative Acknowledgement (EAP-NACK), and the point in the exchange at which that EAP-NACK arrives tells the attacker whether the first half of the PIN was right. The last digit of the PIN is a checksum of the other seven, so once the first four digits are known the attacker only has to guess the next three, with the checksum digit computed for each guess. What all that means is that it becomes much easier to work out a PIN: instead of the 10,000,000 guesses an eight-digit PIN with a checksum digit should require, the search is 10,000 guesses for the first half plus 1,000 for the second. To be exact, with the worst luck in the world it would take a cracker 11,000 attempts to break the code.
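The arithmetic behind those numbers, as an added example that is not from the ZDNet article, US-CERT, or the Reaver tool: the WPS PIN checksum digit, and a two-stage search against a constructed model of an access point that answers EAP-NACK after message M4 when the first half is wrong and after M6 when the second half is wrong (the real protocol hashes the PIN halves; this model only reproduces which failure is reported, not the cryptography).

```python
# Added example (not from the ZDNet article, US-CERT or Reaver): the WPS PIN
# checksum and why the split-PIN failure reporting cuts brute force to 11,000 tries.
# ModelAP is a constructed stand-in for a real registrar, not real WPS code.
from __future__ import annotations


def wps_checksum(first7: str) -> int:
    """Checksum (eighth) digit for the first seven digits of a WPS PIN."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class ModelAP:
    """Constructed model of a WPS registrar's failure reporting: EAP-NACK after
    M4 when digits 1-4 are wrong, EAP-NACK after M6 when digits 5-8 are wrong,
    and M7 (which carries the network configuration) when the whole PIN matches."""

    def __init__(self, pin: str) -> None:
        assert wps_pin_valid(pin)
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "EAP-NACK@M4"
        if pin[4:] != self.pin[4:]:
            return "EAP-NACK@M6"
        return "M7"


def crack_pin(ap: ModelAP) -> tuple[str | None, int]:
    """Two-stage search: up to 10,000 first-half candidates, then up to 1,000
    second-half candidates (three free digits plus the checksum).
    Returns (pin or None, number of attempts made)."""
    first = None
    for h in range(10_000):
        body = f"{h:04d}000"                 # placeholder second half
        guess = body + str(wps_checksum(body))
        result = ap.try_pin(guess)
        if result == "M7":                   # lucky: placeholder was right too
            return guess, ap.attempts
        if result == "EAP-NACK@M6":          # first half confirmed
            first = f"{h:04d}"
            break
    if first is None:
        return None, ap.attempts
    for t in range(1_000):
        body = first + f"{t:03d}"
        guess = body + str(wps_checksum(body))
        if ap.try_pin(guess) == "M7":
            return guess, ap.attempts
    return None, ap.attempts


if __name__ == "__main__":
    pin, tries = crack_pin(ModelAP("12345670"))
    print(pin, "found after", tries, "attempts")
    pin, tries = crack_pin(ModelAP("99999995"))
    print(pin, "found after", tries, "attempts (worst case)")
```

The worst-case PIN in the model costs exactly 10,000 + 1,000 attempts, which is the 11,000 figure above; the mitigation is on the access point side (lock out or rate-limit after a handful of failed PIN attempts, or disable WPS), not in the PIN format.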

Source:  http://tech2.in.com/news/social-networking/researchers-prove-that-stuxnet-weapon-has-at-least-4-cousins/268302
The Stuxnet virus that last year damaged Iran's nuclear program was likely one of at least five cyber weapons developed on a single platform whose roots trace back to 2007, according to new research from Russian computer security firm Kaspersky Lab.
Security experts widely believe that the United States and Israel were behind Stuxnet, though the two nations have officially declined to comment on the matter.
A Pentagon spokesman on Wednesday declined comment on Kaspersky's research, which did not address who was behind Stuxnet.
Stuxnet has already been linked to another virus, the Duqu data-stealing trojan, but Kaspersky's research suggests the cyber weapons program that targeted Iran may be far more sophisticated than previously known.
Kaspersky's director of global research & analysis, Costin Raiu, told Reuters on Wednesday that his team has gathered evidence that shows the same platform that was used to build Stuxnet and Duqu was also used to create at least three other pieces of malware.
Raiu said the platform is comprised of a group of compatible software modules designed to fit together, each with different functions. Its developers can build new cyber weapons by simply adding and removing modules.
"It's like a Lego set. You can assemble the components into anything: a robot or a house or a tank," he said.
Kaspersky named the platform "Tilded" because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol "~" and the letter "d."
Researchers with Kaspersky have not found any new types of malware built on the Tilded platform, Raiu said, but they are fairly certain that they exist because shared components of Stuxnet and Duqu appear to be searching for their kin.
When a machine becomes infected with Duqu or Stuxnet, the shared components on the platform search for two unique registry keys on the PC linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer, he said.
Kaspersky recently discovered new shared components that search for at least three other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform, he added.

Source:  http://www.trionworlds.com/en/games/account-notification
Source: http://pc.gamespy.com/pc/heroes-of-telara/1215450p1.html
IMPORTANT NOTIFICATION CONCERNING YOUR TRION WORLDS ACCOUNT
We recently discovered that unauthorized intruders gained access to a Trion Worlds account database.

The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please see below for more information.

You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

Please log in to https://rift.trionworlds.com (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.

ADDITIONAL INFORMATION

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. Provided below are the names and contact information for the three major U.S. credit bureaus and additional information about steps you may take to obtain a free credit report and/or place a security freeze on your credit report. If you believe those accounts may have been breached or that your identity may have been stolen, you should contact law enforcement, including the Federal Trade Commission. If you believe you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

Source: https://blogs.technet.com/b/msrc/archive/2011/12/29/microsoft-releases-ms11-100-for-security-advisory-2659883.aspx?Redirected=true

Today we released Security Update MS11-100 to address the issue described in Security Advisory 2659883.

The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.
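To show what "hash collision attack" means in practice, an added example that is not Microsoft's code and does not use ASP.NET's real hash function: DJBX33A stands in for any unkeyed string hash, the colliding two-character blocks "Ez" and "FY" are the classic pair for that hash, the form body is constructed for the demonstration, and a keyed BLAKE2b hash stands in for the randomised hashing that defeats precomputed collisions.

```python
# Added example (not Microsoft's code, not ASP.NET's hash): colliding request
# parameter names turn a chained hash table into a linked list, so parsing one
# POST body costs O(n^2) comparisons. DJBX33A is a stand-in for an unkeyed hash;
# the form body and the keyed alternative are constructed for this demonstration.
from __future__ import annotations

import hashlib


def djbx33a(s: bytes) -> int:
    """Classic unkeyed multiply-by-33 string hash, truncated to 32 bits."""
    h = 5381
    for b in s:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def keyed_hash(s: bytes, key: bytes = b"per-process-secret") -> int:
    """Keyed stand-in for a randomised hash: the attacker cannot precompute
    collisions without knowing the key."""
    return int.from_bytes(hashlib.blake2b(s, key=key, digest_size=4).digest(), "big")


# (h*33 + ord('E'))*33 + ord('z') == (h*33 + ord('F'))*33 + ord('Y') for every h,
# so every concatenation of these blocks lands on the same DJBX33A value.
BLOCKS = (b"Ez", b"FY")


def colliding_keys(n_blocks: int) -> list[bytes]:
    """2**n_blocks distinct keys of length 2*n_blocks sharing one DJBX33A hash."""
    keys = [b""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in BLOCKS]
    return keys


class ChainedTable:
    """Minimal separate-chaining table that counts key comparisons on insert."""

    def __init__(self, hashfn, buckets: int = 1024) -> None:
        self.hashfn = hashfn
        self.buckets: list[list[tuple[bytes, bytes]]] = [[] for _ in range(buckets)]
        self.compares = 0

    def insert(self, key: bytes, value: bytes) -> None:
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.compares += 1            # every existing key in the chain is compared
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def form_body(keys: list[bytes]) -> bytes:
    """Constructed application/x-www-form-urlencoded body: k1=&k2=&..."""
    return b"&".join(k + b"=" for k in keys)


def parse_form_cost(body: bytes, hashfn) -> int:
    """Parse a form body into a ChainedTable and return the comparisons it cost."""
    table = ChainedTable(hashfn)
    for pair in body.split(b"&"):
        if not pair:
            continue
        k, _, v = pair.partition(b"=")
        table.insert(k, v)
    return table.compares


if __name__ == "__main__":
    body = form_body(colliding_keys(10))   # 1,024 parameter names, one bucket
    print("unkeyed hash comparisons:", parse_form_cost(body, djbx33a))
    print("keyed hash comparisons:  ", parse_form_cost(body, keyed_hash))
```

With 1,024 colliding names the unkeyed table performs 1024*1023/2 = 523,776 comparisons for a single request, and the attacker can grow that quadratically with a larger body; the keyed hash spreads the same names across buckets. Limiting the number of parameters per request (the approach Microsoft's fix takes) caps n regardless of the hash function.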

Karthik’s Top 5:

5. Driving Cross Country

While this isn’t security related at all, it should still figure in the Top 5 for the year. Moving from California to North Carolina, especially with a damaged door, was a great experience. It was a very very long drive, but I guess it was kinda worth it because now I spend ~10 hours less in flights, every trip…unless I travel to the west.

4. Rejoining ISD Podcast

I wasn’t a regular crew member on the podcast for a while, thanks to Georgia Tech, and then my visit to India. Not being on the podcast felt weird, and felt like I wasn’t doing something right. Getting back to it in January once I started my job in California felt good, and I’ve been on ever since. It’s been a great experience recording in the absence of Rick (or sometimes in his presence, as well), and as always, I learn new things every day.

3. Being a Security Consultant

As I am sure Rick will agree, being a security consultant has a few perks (and quite a few downsides too). It gave me a lot of exposure to work that I’d never done before, gave me a lot of airline miles, and more importantly, taught me a whole lot about penetration testing, and what goes on behind it. Before taking up the job, it was what I had studied in books, or read in articles, but doing the job itself was very rewarding.

2. Live Podcasts

We’ve done live podcasts before, where people at a particular conference join us and talk about what’s happening there. That changed a little this year, where we were at security conferences and did live podcasts from there. It was easily one of the biggest highlights of the year, and gave a new dimension to the podcasts. I still remember the introduction show at Defcon, the snoring show at Derbycon, and the more recent ISD/EL crossover at BSides ATL.

1. Speaking at Derbycon

I guess this is one thing I have in common with both Boris’ and Rick’s lists. I would have said Geordy’s, but he wasn’t there, so I doubt it will appear. Speaking at Derbycon was a huge learning experience, not just in terms of speaking in front of a very well informed crowd, but also in terms of writing most of the tool in Panera Bread two hours before the talk. While it wasn’t my first talk at a security conference (there was that quick fire talk at ShoeCon, and a talk attended by 7 people at BSides ATL 2010), it was definitely something I will remember for a long time, and maybe a few years later when DerbyCon becomes as big as ShmooCon, I will point at my speaker badge and say “Yeah, I spoke there in the first ever edition.”