Your daily source of Pwnage, Policy and Politics.

Episode 583 – Pentest Lessons, DNT for Google, 7-Step Program, Captcha Cracking Malware & Mobile Device Privacy Act

InfoSec Daily Podcast Episode 583 [ 39:14 | 17.98 MB ] Play Now | Play in Popup | Download (144)

InfoSec Daily Podcast Episode 583 for February 1, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, and Varun Sharma.
 

Announcements:

Unsung Heros

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… Chris John Riley has started to gather suggestions for your “unsung hero” of the tools world.  He is looking specifically to gather a list of tools that aren’t on every penetration testers, or forensic investigators list, but that you have respect for.  http://blog.c22.cc/2012/01/13/unsung-heros

Information Security Blogger Awards 2012
Since we were over looked again for the Best Podcast on Security you can email ashimmy@hotmail.com with your name, email address and ISD Podcast as your write-in nominee.  Please note, you have to provide your blog or podcast URL so that it can be verified that you are a blogger or podcaster.  Vote for your favorite blogs as well on http://www.ashimmy.com.

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity is a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital ever since.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you and I know Brad thanks your for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

Metasploit Framework Unleashed Cincinnati
When: February 11, 2012.
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC

Social Engineering Training
When: March 5-9, 2012

Where: Seattle, Washington
When: July 21-24, 2012

Where: Black Hat Vegas
When: August 20-24, 2012
Where:  Bristol, UK
When:  November 12-16, 2012

Where:  Columbia, MD
http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

DerbyCon 2012 – "The Reunion"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

You don't have a sufficient version of Flash Player to display this animation.

Pentest Lessons:
Adam Compton & Zac Wagle's should get credit for the "Pentest Lessons" idea. They also started a twitter account: https://twitter.com/pentestlessons.

Lesson 1: When having a pentest performed, the customer should not disregard all alerts. While unlikely, an unrelated attack may still be happening.  When alerts occur during a pentest, the customer should always validate them against the pentester's IP addresses.

Lesson 2: When using an exploit during a pentest, only use trusted and tested exploits. Do NOT assume that the exploit you just downloaded is safe.

Lesson 3: When performing physical pentesting (sneaking in, by passing security, picking locks, etc…) ALWAYS have a good GET OUT OF JAIL FREE CARD!
 

Stories

Source: http://howto.cnet.com/8301-11310_39-57368016-285/how-to-prevent-google-from-tracking-you/

 

Much has been made of Google's new privacy policy, which takes effect March 1. If you're concerned about Google misusing your personal information or sharing too much of it with advertisers and others, there are plenty of ways to thwart Web trackers.

 

But what exactly are you thwarting? You don't become anonymous when you block tracking cookies, Web beacons, and the other identifiers as you browse. Your ISP and the sites you visit still know a lot about you, courtesy of the identifying information served up automatically by your browser.

 

The Electronic Frontier Foundation offers the Panopticlick service that rates the anonymity of your browser. The test shows you the identifiable information provided by your browser and generates a numerical rating that indicates how easy it would be to identify you based solely on your browser's fingerprint.

 

According the the entropy theory explained by Peter Eckersley on the EFF's DeepLinks blog, 33 bits of entropy are sufficient to identify a person. According to Eckersley, knowing a person's birth date and month (not year) and ZIP code gives you 32 bits of entropy. Also knowing the person's gender (50-50, so one bit of entropy) gets you to the identifiable threshold of 33 bits.

 

Prominent in the Google privacy policy are links to services that let you view and manage the information you share with Google. Some of this personal data you volunteer, and some of it is collected by Google as you search, browse, and use other services.

 

To view everything (almost) Google knows about you, open the Google Dashboard. Here you can access all the services associated with your Google account: Gmail, Google Docs, YouTube, Picasa, Blogger, AdSense, and every other Google property. The dashboard also lets you manage your contacts, calendar, Google Groups, Web history, Google Voice account, and other services.

 

More importantly, you can view and edit the personal information stored by each Google service, or delete the service altogether. To see which other services have access to the account's information, click "Websites authorized to access the account" at the top of the Dashboard. To block an authorized service from accessing the account, click Revoke Access next to the service name.

 

The Google Ads Preferences Manager lets you block specific advertisers or opt out of all targeted advertising. Click the "Ads on the web" link in the left column and then choose "add or edit" under "Your categories and demographics" to select the categories of ads you want to be served or to opt out of personalized ads.

….

Source: http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning

 

Microsoft has published a 7-step guide for cleaning malware off of an infected system.  This is a welcome contrast to Apple’s policy of denying that OS X could ever be infected in the first place.  The guide makes use of Microsoft’s Sysinternals suite of tools and serves as a good basis of removing infections from any system that you don’t want to reinstall.  

 

“The guidance in IT Pro Advanced Techniques helps IT professionals investigate, analyze, and—when possible—remove malware from an infected computer. This guidance, intended for advanced users, helps IT professionals understand the impact of malware and create a rudimentary roadmap for cleaning infected computers. In addition, this effort provides the user more information about the internal operation of malware.

 

The guidance involves the use of several Windows Sysinternals tools, a suite of advanced diagnostics and troubleshooting utilities for the Windows platform available for download at no charge from the Microsoft Download Center. “

Source: http://searchsecurity.techtarget.com/news/2240114619/Cridex-Trojan-breaks-CAPTCHA-targets-Facebook-Twitter-users

 

A variant of a banking Trojan known as Cridex can communicate with a CAPTCHA-breaking server in order to establish malicious email accounts. Researchers at Websense Security Labs posted a video documenting how Cridex broke a CAPTCHA test and opened a Yahoo email account in six attempts.

 

The Cridex network grows as it infects new machines via malicious emails. The emails contain links to a Black Hole exploit kit, which attacks vulnerabilities in Web browsers and plug-ins. If successful, the kit downloads Cridex onto the machine.

 

“Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user,” according to the Websense Security Labs blog.

 

Cridex targets information from platforms like Facebook, Twitter and several online banking services. That data is then sent to a remote server.

Source: http://arstechnica.com/tech-policy/news/2012/01/mobile-device-privacy-act-would-prevent-secret-smartphone-monitoring.ars

 

Recent controversy sparked by the installation of monitoring software on millions of smartphones has led US Rep. Edward Markey (D-MA) to propose a requirement that carriers and phone makers inform consumers about the presence of monitoring software and gain their "express consent" before collecting and transmitting information from phones.

 

The controversy started a couple months back when a developer publicized the widespread use of Carrier IQ software, which phone manufacturers and carriers use to monitor what happens on a smartphone. While Apple, Samsung, HTC, AT&T and others all said the software is used only as a diagnostics tool to improve network and service performance, congressmen started denouncing the use of Carrier IQ, and class-action lawsuits were filed.

 

Posted | Comments Off

Read More