InfoSec Daily Podcast Episode 605 for February 27, 2012. Tonight's podcast is hosted by Rick Hayes, Beau Woods, and Karthik Rangarajan.
Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
When: March 30-April 1
Where: Austin, TX
Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
CFP now open!
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
CFP now open! If you have some Anti-Forensics talks, that would be awesome.
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
CFP now open!
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA http://www.sans.org/mentor/details.php?nid=28014
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
When: July 26-29, 2012
Where: Rio Hotel and Casino – Las Vegas, NV
CFP & Room reservations now open!
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
Thanks to everyone who has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right-hand side.
Microsoft has performed an about-turn in India and revealed that a recent hack of its online store may have compromised credit card details belonging to customers in the country.
When the Microsoft India Store was hacked earlier this month, the company emailed its customers to assure them that “databases storing credit card details and payment information were not affected during this compromise”. However, it now appears that this is incorrect.
As Wall Street Journal columnist Amit Agarwal writes on his own blog, a new update from Microsoft, which was sent to its customers today, has rather different news:
Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers.
Furthermore, the store itself is still down, some two weeks after the incident, suggesting that there are serious problems afoot.
Agarwal claims that Quasar Media, the company responsible for managing the online store, may have held customer data in plain text within the database. If true, it would allow the perpetrators of the attack to gain the information, and serious questions must be asked as to why credit card details were not properly secured.
As Facebook grows ever bigger, its popularity among persons seeking financial gains through digital deception increases commensurately. Witness the lawsuit filed this week by Washington State Attorney General Rob McKenna against the co-owners of Adscend Media, LLC. The complaint alleges that the ad network operated by Adscend Media was intended to “encourage others to spread spam through misleading and deceptive tactics.”
Foremost among these tactics was “like-jacking”, which is a variation on “click-jacking”, or tricking people into clicking links that do something other than what the clicker expects. Because legitimate companies often pay ad agencies “per click” for the display of digital ads or delivery of website traffic, a click-jacking scam rips off the advertiser and may also deceive the ad agency that bought traffic or clicks on behalf of the advertiser, not to mention deceiving the consumer who does the clicking. This fraudulent triple-play can be very profitable. If you recall the DNSchanger scam to which the FBI put an end last November, the estimated profits were $14 million in just a few years. The click-jacking revenue figure quoted in the Adscend complaint is “gross monthly revenues of up to $1.2 million.”
For details of this scam, check out the news release from the Washington State Office of the Attorney General. Because “likes” on Facebook have considerable perceived value to advertisers, a variety of fraudulent techniques were used to generate clicks on the "Like" button, including bogus “Click here to continue” links. Facebook users tempted by such salacious News Feed posts as “OMG! See what happened to his Ex Girlfriend” were fed a series of intermediary pages that harvested clicks and Likes while never presenting the promised content. At the same time, their friends were being fed links to the same bogus pages to spread and perpetuate the scam. There is an excellent description of the entire business model in the fascinating Adscend complaint filed in U.S. District Court, Seattle (pdf file).
A report from Mac security specialist Intego describes the Mac Flashback trojan as malware that “patches web browsers and network applications essentially to search for user names and passwords.” The assumption is that the target is bank details for immediate use, and passwords for longer term use. “Hint:” says Intego, “don’t use the same password for all websites!” Intego first reported on this Flashback variant earlier this month, but has now seen increasing signs of its success.
If the trojan cannot install itself directly – for example if Java is fully patched – Flashback attempts to trick the user into doing so. An “applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.” But the trojan won’t attempt to install itself if the Mac has anti-virus. “It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.”
Apart from attempting to steal user credentials, Flashback also introduces instability causing a number of applications such as Safari and Skype to crash, “because the injected code interferes with the program making it unstable.” The two defenses are to install anti-virus and keep applications such as Java fully patched – advice that should be heeded by all computer users all of the time. Mac users, however, should also take this as a warning that Macs are not as secure as their reputation suggests.
A significant vulnerability affecting all versions of the Webkit mobile browser could give malware complete control of your phone. The malware could listen in on your conversations, view through your camera and record everything in your email and messages. It can also track your locations at the time. George Kurtz, CEO of the new security company CrowdStrike, has told CSO he'll demonstrate how the vulnerability works at a presentation at RSA Wednesday.
According to Kurtz, the new vulnerability affects all Android, iOS and newer BlackBerry devices. It does not affect devices running Microsoft Windows Phone 7. Kurtz said this means virtually every smartphone and tablet in use globally shares this vulnerability. Worse, security software currently available for mobile devices won't detect such malware and won't protect against it.
Kurtz is perhaps best known for his revelations regarding the Chinese Shady Rat operation that compromised US government and defense contractors in 2011. Kurtz discovered the Chinese cyber attacks on the US while he was CTO at McAfee. He left that company after the Intel acquisition.
Facebook admitted reading text messages belonging to smartphone users who downloaded the social-networking app and said that it was accessing the data as part of a trial to launch its own messaging service, The (London) Sunday Times reported.
Other well-known companies accessing smartphone users' personal data – such as text messages – include photo-sharing site Flickr, dating site Badoo and Yahoo Messenger, the paper said.
It claimed that some apps even allow companies to intercept phone calls – while others, such as YouTube, are capable of remotely accessing and operating users' smartphone cameras to take photographs or videos at any time.
Security app My Remote Lock and the app Tennis Juggling Game were among smaller companies' apps that may intercept users' calls, the paper said.
Emma Draper, of the Privacy International campaign group, said, "Your personal information is a precious commodity, and companies will go to great lengths to get their hands on as much of it as possible."
Facebook statement: "Facebook is currently running a limited test of mobile features which integrate with SMS functionality. SMS read/write is not currently implemented for most users of the mobile app. As part of this test, we declared the presence of that functionality within our app store permissions starting with the 1.7 version of our application. If Facebook ultimately launches any feature that makes use of these permissions, we will ensure that this is accompanied by appropriate guidance/educational materials."