InfoSec Daily Podcast Episode 600 for February 21, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, Karthik Rangarajan, Themson Mester, Dr. Bonez, and Varun Sharma.
Announcements:
Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
InfoSec Southwest
When: March 30-April 1
Where: Austin, TX
http://www.Infosecsouthwest.com
Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open! If you have some Anti-Forensics talks, that would be awesome.
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Defcon 20
When: July 26-29, 2012
Where: Rio Hotel and Casino – Las Vegas, NV
http://defcon.org/
CFP & Room reservations now open!
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Source: http://net-security.org/secworld.php?id=12434
Survey scammers love targeting Facebook users, because the social nature of the network makes sure that the scam will be propagated far and wide.
The latest of these scams has been hitting the Walls of compromised accounts with posts containing a thumbnail suggesting a link to a sex video, accompanied with the following message: "[Video] WOW.. watch what Happened to his Ex Girlfriend!! [LINK] Omg. I cant believe this actually happened to his Ex-Girlfreind!"
According to Sophos, friends of the user whose compromised account posted the message have also been named in it, assuring that at least some of them will surely check out the message.
Those that follow the link are asked to install a "Divx plugin" in order to see the video – which, by the way, is not even the same video they wanted to see:
….
Source: http://www.wired.com/threatlevel/2012/02/anonymous-friday-attacks/
Anonymous, a group not known for discipline, is giving itself a weekly deadline, a new attack every Friday.
Following the Tuesday compromise of the website of tear gas maker Combined Systems, Inc., the Antisec wing of Anonymous struck a Federal Trade Commission webserver which hosts three FTC websites, business.ftc.gov, consumer.gov and ncpw.gov, the National Consumer Protection Week partnership website.
Claiming this hack in opposition to the controversial international copyright treaty known as ACTA, which had been widely protested around the world for its potential to curtail freedom of expression on the internet, Anonymous continued the political messaging that has marked much of its recent high-profile actions.
Anons claiming responsibility for the attack spoke to Wired.com in an online chat just as it happened, freely admitting that there was nothing technically remarkable in this hack. As one remarked, “own & rm and move on.” (rm being a unix command to delete data.)
But this week’s attacks came with a promise, first articulated in the defacement of CSI, and restated on the FTC websites: Every Friday will bring a new attack against government and corporate sites under the theme of #FFF, or Fuck the FBI Friday.
“We are already sitting on dozens of unreleased targets,” said an Antisec anon, who went on to describe an inventory of already compromised servers that could fill five months or more of #FFF releases.
“Yes, each and every Friday we will be launching attacks… with the specific purpose of wiping as many corrupt corporate and government systems off our internet,” the anon continued.
The choice of the FTC is an odd one, given the independent agency has no role in ACTA negotiations. Instead, it’s tasked with fighting unfair business practices, sanctioning companies like Google and Facebook for privacy violations, and running the Do-Not-Call list – hardly the stuff of Big Brother stomping on online rights forever.
….
Source: http://www.theregister.co.uk/2012/02/21/rim_india_bbn_server/
Research In Motion is finally set to offer the Indian authorities a permanent system for access to its consumer-focused messaging services with the installation of new Mumbai-based servers.
The Times of India was given a government briefing on the matter. It claimed that the servers have been inspected by government officials and that permission would shortly be granted by the BlackBerry maker for lawful interception of messages if the intelligence agencies there suspect terrorist or other serious illegal activity is being conducted via the platform.
It is also believed that RIM was co-operating with the authorities before this on ad hoc requests to access any email or BBM messages sent over its consumer service.
The Indian reports also claim that the government has backed down on its demands to gain access to BlackBerry Enterprise Service (BES) messages. RIM rightly always maintained that it couldn’t provide access to content running on its corporate service because it didn’t hold the encryption keys – they reside with the sponsoring organization or business.
Intelligence Bureau director Nehchal Sandhu admitted to the paper that such corporate communications were not of “high concern” anyway from a security standpoint.
However, RIM has reportedly reached an agreement with the government which effectively pushes responsibility for providing access to BES communications down to the service provider level.
….
Source: http://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html
[Karthik: I watched the first 30 minutes and last 20 minutes of the video, and in all honesty, it's very embarrassing given that the guy on the other end is from my end of the world. He is everything you can define in a stupid defensive scammer, and gives even scammers a bad name, let alone all of the "technical support" people we have back home.]
A few months back I got a call one evening which was clearly a virus call centre scam; you know, the ones that call you out of the blue, tell you your PC is infected with all sorts of nasties and offer to fix it for you? Or maybe you don’t know, which of course is why these scams have been going on for quite some time and are still very active today.
Fortunately I did know about such things so rather than summarily dismissing them with a level of disdain I normally reserve only for telemarketers, I recorded the audio of the call right up until the point where they were ready to take control of my PC. I published the whole episode in my post titled Anatomy of a virus call centre scam.
But I was left wondering; what exactly were they going to do to my PC once they got remote control? Try and squeeze some cash out of me for “fixing” things? Install their own variant of “antivirus”? Or just plain old enslave my PC into being part of a botnet? So I decided to find out by letting them do whatever they wanted whilst recording the audio and the screen so the entire experience could be shared.
…….
Let me give you the abridged version here in case you (quite rightly) didn't feel like sitting through the entire thing:
- The operator explains that the PC is infected with malicious files.
- He directed me to Ammyy which he then used to gain remote control of my PC.
- He started the Event Viewer then explained that errors and warnings are signs of serious problems with the PC.
- He then had me go to the LogMeIn website and attempted to start a remote support connection without entering a PIN code. Naturally this failed, after which he explained it's the "software loyalty key" for the computer and its expiration is the cause of all the "problems".
- Next, I was assured numerous times that there is absolutely no cost involved for him to “fix” the warranty.
- I was then told the free warranty would cost a one-time payment of $160. Annually.
- After explicitly prompting him, he confirmed this payment is for the software key for my Windows.
- A PIN was given to me which I then entered into the LogMeIn website and granted them remote control to my machine. Again (on top of the Ammyy session).
- The operator then controlled my PC and downloaded Advanced SystemCare 3, a legitimate (albeit twice superseded) product. He explicitly told it not to create a restore point when prompted.
- SystemCare made numerous findings which the operator leveraged to explain the poor health of my PC, including an explanation that fragmented files indicated “These are all of the hardware problems”.
- I was directed to a registration form where I registered with false information.
- I was then forwarded to a payment gateway where credit card information was requested using a service provided by India’s Bank of Baroda.
- At this stage I came clean and confronted the operator. Numerous excuses were made with the general gist of it being that they are honest, have not misled me and are providing a legitimate service.
- When reviewing the system the next day whilst disconnected from the internet, the LogMeIn software loads automatically and attempts to re-establish a connection. It appears that there is now a persistent ability for Comantra to take remote control of the machine.
…
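The last bullet is the part of the story worth a check after the fact: a remote-support tool that reloads on its own at boot and reaches out for a new session is persistence, whatever the operator called it. The following is an added example, not code from Troy Hunt's post or from the podcast. It runs a small triage over autorun-style entries (Run keys, services, scheduled tasks) and flags the two remote-support tools the post names, LogMeIn and Ammyy, reporting which of them will come back on the next logon. The CSV is constructed sample data in an autoruns-like shape; its column names, registry paths and executable names are illustrative assumptions, not an export from a real machine, and the choice of which locations count as "auto-start" is likewise an assumption for this example.

```python
"""Triage autorun-style entries for remote-support tools left configured to
start on their own. Added example; sample data and layout are constructed."""
import csv
import io
import re
from dataclasses import dataclass

# Remote-support tools named in the post. Patterns match the entry name or the
# image path, case-insensitively. Whether a hit is legitimate is a site-level
# decision; here the assumption is that the owner did not install them.
WATCHLIST = {
    "LogMeIn": re.compile(r"logmein", re.I),
    "Ammyy": re.compile(r"ammyy", re.I),
}

# Locations that launch a program at boot/logon without user action.
# Assumption for this example: anything else (e.g. an on-demand scheduled
# task) is reported but not treated as persistence.
AUTOSTART_LOCATIONS = (
    r"\CurrentVersion\Run",  # HKLM/HKCU Run keys
    "Services",              # services configured to auto-start
)


@dataclass
class Finding:
    tool: str
    location: str
    entry: str
    image_path: str
    persistent: bool  # enabled AND in an auto-start location


def parse_autoruns_csv(text):
    """Parse a constructed autoruns-like CSV: location,entry,image_path,enabled."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        rows.append({
            "location": row["location"].strip(),
            "entry": row["entry"].strip(),
            "image_path": row["image_path"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return rows


def identify_tool(row):
    """Return the watchlist name that matches this entry, or None."""
    haystack = f"{row['entry']} {row['image_path']}"
    for name, pattern in WATCHLIST.items():
        if pattern.search(haystack):
            return name
    return None


def is_autostart(location):
    return any(m.lower() in location.lower() for m in AUTOSTART_LOCATIONS)


def triage(rows):
    """Every watchlist hit, with a flag for the ones that survive a reboot."""
    findings = []
    for row in rows:
        tool = identify_tool(row)
        if tool is None:
            continue
        findings.append(Finding(
            tool=tool,
            location=row["location"],
            entry=row["entry"],
            image_path=row["image_path"],
            persistent=row["enabled"] and is_autostart(row["location"]),
        ))
    return findings


def persistent_tools(rows):
    """Sorted names of remote-support tools that will start again on their own."""
    return sorted({f.tool for f in triage(rows) if f.persistent})


# Constructed sample: two LogMeIn auto-start entries (a Run key and a service),
# two benign entries, and a disabled scheduled task pointing at an Ammyy binary.
SAMPLE_CSV = r"""
location,entry,image_path,enabled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,LogMeIn GUI,C:\Program Files\LogMeIn\LogMeInSystray.exe,True
Services,LogMeIn,C:\Program Files\LogMeIn\LogMeIn.exe,True
Services,Spooler,C:\Windows\System32\spoolsv.exe,True
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\owner\AppData\Local\Microsoft\OneDrive\OneDrive.exe,True
Task Scheduler,Ammyy Admin,C:\Users\owner\Downloads\Ammyy_Admin.exe,False
"""

if __name__ == "__main__":
    rows = parse_autoruns_csv(SAMPLE_CSV)
    for f in triage(rows):
        state = "PERSISTENT" if f.persistent else "present"
        print(f"{state:10} {f.tool:8} {f.location} -> {f.image_path}")
    print("will restart on its own:", persistent_tools(rows))
```

On the sample, both LogMeIn entries are reported as persistent while the disabled Ammyy task is only "present"; the point of the separate flag is that removing the Run key alone would leave the service to bring the session back, which is the behaviour the post observed. Run it against a real autoruns export offline, as the post did its review, so that a re-established session cannot interfere with the check.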
Source: http://thehackernews.com/2012/02/iran-will-develop-their-own-security.html
According to the latest report, Iran's Information and Communications Technology Minister announced that Iran has prohibited the import of foreign computer security software.
International sanctions had stopped Iran from obtaining anti-virus software. Iran stressed that no foreign software for computer security will be imported into the country, adding that it will rely on its own software, made by local developers. The Bonian Daneshpajouhan Institute has about 25 smaller firms that develop domestic security software of various kinds, and the country will rely on them.
A senior Iranian intelligence official has claimed that an estimated 16,000 computers were infected by the Stuxnet virus, which targeted the country's nuclear facilities and other industrial sites in 2010. The ban is intended to push Iran into the production of its own malware defense tools.
It is unclear whether the Stuxnet virus affected only computers within Iran, or whether it has infected computers outside the country as well. The virus, specifically designed to target Iran's nuclear facilities and other industrial sites, was created in 2010. Two more espionage viruses were recently uncovered by Iranian officials: the Stars virus embeds itself in the file systems of government institutions, and the Duqu virus gathers information.
….