Your daily source of Pwnage, Policy and Politics.

Episode 631 – AVG Privacy, Cell Phone Data, Please No Auto Complete, LulzSec, and Phone Cracking

InfoSec Daily Podcast Episode 631 for March 28, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, and Themson Mester.


Announcements:

InfoSec Southwest

When: March 30-April 1, 2012

Where: Austin, Texas

http://www.Infosecsouthwest.com


Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org


Linuxfest Northwest 2012

When: Saturday, April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/


AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/


LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org


Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014


Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training


Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html


DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com


Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com


Thanks to everyone who has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.


Stories

Source:  http://news.techworld.com/security/3347019/avg-adds-do-not-track-technology-antivirus/

AVG has become the first antivirus vendor to offer a privacy filter to monitor and block websites and ad networks that silently collect Internet usage data from consumers, the company has announced.

Available from today in a service pack for all paid and free AVG antivirus users, DoNotTrack is a plug-in for Internet Explorer, Mozilla and Chrome that keeps tabs on which sites are collecting data as users browse the web.

Some of this will be fairly innocent web analytics of the sort gathered by every site to monitor how visitors interact with it, but AVG said users should also be more aware of social media applications and ad networks that collect extensive usage data. Both of these could be intrusive in their search for the information needed to serve context-aware advertising, AVG said.

AVG users will be able to block or allow these on a case-by-case basis, controlling what data is tracked depending on their assessment of a particular site.

“When you visit a site a lot of data is being collected about you,” said AVG CTO Yuval Ben-Itzhak. “Our goal is to make you aware of what is being collected.”

The company had designed DoNotTrack as an ‘active’ tracking system after noticing that the passive, voluntary approach pioneered by the World Wide Web Consortium (W3C) was often being ignored by providers, he said.

A good example of this is Mozilla's Boot to Gecko operating system for smartphones, which will include support for this approach. In the longer run, Ben-Itzhak thought standardised efforts were the best approach to the privacy issue but would take time to mature.

Source:  http://www.timescolonist.com/business/Cellphones+quickly+becoming+repository+owner+entire+identity+experts/6350403/story.html

Would you sooner hand over the key to your house or the password to your cellphone? Your answer now may not be the same in just five years. A report on the future of mobile suggests people's identities are becoming so tied to their phones that surrendering them soon will be akin to ceding financial, personal and professional control. And when you think about how much of your world is already on your cell, that prediction — based on data from top communications executives — seems altogether plausible.

"For the first time, all your identity is going to be in one item. That's an extremely powerful notion," says Alex Pallete, planning director for international business development at the international marketing communications firm JWT.

"There will be a shift in behaviour and trust will be earned through experiences. But we'll do it because this will make our lives easier. We won't have to have five different things in our pockets because everything will be on the mobile: how we switch on our car, how we open our house, how we control our home systems."

Source:  http://www.pcmag.com/article2/0,2817,2402077,00.asp

One familiar Google search feature known as auto-complete has put the company in hot water with the Japanese legal system.

According to The Japan Times, a Tokyo District Court has approved a petition requesting that Google halt its auto-complete feature. The petition against Google was filed by a Japanese man who claims the feature breached his privacy and eventually led to the loss of his job. According to the man, whose name has been withheld, when his name is typed into the Google search engine auto-complete suggests words associated with criminal behavior. And when those suggested searches are clicked, over 10,000 results are shown that disparage or defame him. According to the plaintiff, this negative Google footprint has prevented him from finding employment since his initial firing several years ago.

The man's lawyer, Hiroyuki Tomita, told the paper, "It could lead to irretrievable damage, such as job loss or bankruptcy, just by displaying search results that constitute defamation or violation of the privacy of an individual person or small and medium-size companies… It is necessary to establish a measure to enable swift redress for damage in the event of a clear breach." According to the plaintiff, when contacted last October about the matter, Google refused to remove the words because they were mechanically generated word suggestions.

Source:  http://www.zdnet.com/blog/security/lulzsec-hacks-css-corp/11108

Lulz Security (LulzSec), a hacktivist group loosely associated with the hacktivist group Anonymous, returned last night after disbanding back in June 2011. Their first target was Military Singles, a dating website which the group hacked and from which it subsequently exposed 170,937 accounts. Soon after, the group targeted communications technology firm CSS Corp, and publicly posted the company’s entire e-mail database (66 files in total).

Here’s what the group wrote on PasteBin:

http://csscorp.com/ – Global Information & Communication Technology Service

Data base dumped:

Whole database: http://www.embedupload.com/?d=4DLXN2QXWG

As I wrote last night, it’s still not clear if LulzSec plans to go on another 50-day hacking spree like the first time. This second hack, however, shows pretty clearly the group didn’t hack Military Singles just to show they’re still around. While this new LulzSec isn’t exactly like the first group, it is definitely doing everything in the spirit of its predecessor.

There are likely more hacks to come, but there’s no way to know how much more. Less than an hour ago, the group tweeted “Join http://irc.anonops.com chan -> #LulzSecReborn.” Something tells me we can expect a lot more lulz in the next few days.

Source:  http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/

Set your iPhone to require a four-digit passcode, and it may keep your private information safe from the prying eyes of the taxi driver whose cab you forget it in. But if law enforcement is determined to see the data you’ve stored on your smartphone, those four digits will slow down the process of accessing it by less than two minutes.


As the video shows, a Micro Systemation application the firm calls XRY can quickly crack an iOS or Android phone’s passcode, dump its data to a PC, decrypt it, and display information like the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes.

Mike Dickinson, the firm’s marketing director and the voice in the videos, says that the company sells products capable of accessing passcode-protected iOS and Android devices in over 60 countries. It supplies 98% of the U.K.’s police departments, for instance, as well as many American police departments and the FBI. Its largest single customer is the U.S. military. “When people aren’t wearing uniforms, looking at mobile phones to identify people is quite helpful,” Dickinson says by way of explanation.