InfoSec Daily Podcast Episode 639 for April 6, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Geordy Rostad, and Dr. Bonez.
Announcements:
Outerz0ne 8
When: April 20-21, 2012
Where: Wellesley Inn, Atlanta GA
Linuxfest Northwest 2012
When: Saturday, April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
http://www.appyide.org/
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
http://www.skydogcon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Source: http://nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/
Security experts are playing a game of cat-and-mouse with malware authors who are continually looking for ways to bypass detection by anti-malware products.
As regular readers of Naked Security will know, one commonly-seen method of distributing malware is to embed an attack inside a malformed PDF. And, one way to hide code inside a malicious PDF is to use filters.
Filters are used by PDFs to compress or store data to either make the file smaller (Flate, CCITTFax) or allow it to be read as text (ASCIIHex).
By combining the filters in weird ways the malware author hopes to bypass detection by malware scanners and deliver a malicious payload to the victim.
Last April, we saw some PDF malware using /DecodeParams filter to obfuscate malicious code. When I saw it I knew we would see more PDF malware using image filters to obfuscate malicious payloads. Sadly, that prediction appears to have become true.
Late last month, while analysing samples received via the Wepawet project I saw the first use of the CCITTFax filter to hide malicious content (detected as Troj/PDFJs-WT by Sophos products).
…
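The filter chains described above, as an added example that is not part of the Naked Security article or these show notes: a small Python scanner that walks the stream objects of a PDF, reads each object's /Filter chain, reverses the filters it can (ASCIIHexDecode and FlateDecode), stops at opaque image filters such as CCITTFaxDecode, and flags streams where an image filter sits on a non-image object, the chain is unusually long, or the decoded bytes contain script markers. The PDF bytes are constructed inline for the demonstration (not a real document and not the Troj/PDFJs-WT sample); the marker list and the "more than two filters" threshold are assumptions chosen for illustration, not Sophos detection logic.

```python
import binascii
import re
import zlib

# Image-oriented filters are normal on /Subtype /Image XObjects and odd elsewhere.
IMAGE_FILTERS = {"CCITTFaxDecode", "DCTDecode", "JBIG2Decode", "JPXDecode"}
# Assumed markers that point at script content once a stream has been decoded.
SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"app.alert", b"eval(", b"unescape(")

# One "N G obj << dict >> stream ... endstream" unit; applied per object chunk.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def filter_chain(dictionary: bytes) -> list:
    """Return the filter names in the order they must be applied to decode."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    if not m:
        return []
    return [name.decode() for name in re.findall(rb"/(\w+)", m.group(1))]


def decode_stream(data: bytes, chain: list):
    """Apply ASCIIHex and Flate decoding in order; stop at the first filter
    this scanner does not implement and report which one it was."""
    for name in chain:
        if name == "ASCIIHexDecode":
            hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
            if len(hexdata) % 2:          # PDF spec: an odd trailing digit is padded with 0
                hexdata += b"0"
            data = binascii.unhexlify(hexdata)
        elif name == "FlateDecode":
            data = zlib.decompress(data)
        else:
            return data, name              # opaque (image) filter: leave bytes as they are
    return data, None


def analyze_pdf(pdf: bytes) -> list:
    """Flag stream objects whose filter chain or decoded content looks like
    obfuscation rather than ordinary page or image data."""
    findings = []
    for chunk in pdf.split(b"endobj"):    # one object per chunk keeps dictionaries apart
        m = STREAM_RE.search(chunk)
        if not m:
            continue
        objnum, dictionary, raw = int(m.group(1)), m.group(3), m.group(4)
        chain = filter_chain(dictionary)
        decoded, stopped_at = decode_stream(raw, chain)
        reasons = []
        image_filters = [f for f in chain if f in IMAGE_FILTERS]
        if image_filters and not re.search(rb"/Subtype\s*/Image", dictionary):
            reasons.append("image filter %s on a non-image stream" % image_filters)
        if len(chain) > 2:
            reasons.append("unusually long filter chain %s" % chain)
        if any(k in decoded for k in SCRIPT_MARKERS) or any(k in dictionary for k in SCRIPT_MARKERS):
            reasons.append("script marker in decoded stream or dictionary")
        if reasons:
            findings.append({"obj": objnum, "filters": chain,
                             "undecoded": stopped_at, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed PDF-like bytes (not a real document or malware sample):
    a Flate page stream, a real image with CCITTFax, a hex+Flate stream
    carrying script, and a CCITTFax stream that is not an image at all."""
    page = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    script = binascii.hexlify(zlib.compress(b"app.alert('constructed sample');")) + b">"
    fake_fax = b"\x00\x01\x02\x03"        # stands in for CCITT-encoded image data
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Filter /FlateDecode >>\nstream\n", page, b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8 "
        b"/Filter /CCITTFaxDecode >>\nstream\n", fake_fax, b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n", script,
        b"\nendstream\nendobj\n",
        b"4 0 obj\n<< /Filter [/CCITTFaxDecode] >>\nstream\n", fake_fax,
        b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for finding in analyze_pdf(build_sample()):
        print(finding)
```

Objects 1 and 2 pass (ordinary page content, and an image that legitimately uses CCITTFax); object 3 is flagged once the hex and Flate layers are peeled back, and object 4 is flagged because an image filter wraps something that is not declared as an image. A production scanner would additionally handle object streams, cross-reference streams and the remaining standard filters, but the point of the exercise is that a detector has to walk the whole chain rather than pattern-match the raw bytes.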
Hacker groups Anonymous and LulzSec are changing tactics to target firms' corporate data in order to hurt them financially, rather than cause embarrassment by affecting websites, according to new research from security firm Imperva.
In its latest Hacker Intelligence Initiative report Imperva researchers said they had seen a marked change in hacktivists' behaviour, with groups moving away from defacing websites or knocking them offline to stealing data.
Specifically, Imperva researchers reported discovering that 21 per cent of all recorded incidents from June to November 2011 saw hackers mounting local and remote file inclusion (RFI/LFI) attacks.
The statistic was widely attributed to hacktivists, such as the Anonymous collective and LulzSec group.
A form of attack that targets PHP coding, the use of RFI/LFI techniques allows hackers to steal data by manipulating the company's web server, and indicates a step away from their usual tendency to target companies' websites with distributed denial of service (DDoS) assaults.
Speaking to V3, Imperva researcher Tal Be'ery claimed that the behaviour is symptomatic of evolution within hacktivism that occurred after the high-profile Sony data breach.
"The motivation hasn't changed but rather the method. Pre-Sony, hacktivism's aim was website defacement which could be embarrassing but had no long term impact," he said.
"Stealing data from Sony and exposing it showed hacktivists how to damage companies financially. The data theft at Sony – and other locations – seriously hurt the company. But also the breach inspired hacktivists to make data theft their first objective."
…
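The RFI/LFI attacks the Imperva report counts, seen from the detection side, as an added example that is not part of the V3 story or the Imperva report: a Python scanner that parses web-server access-log lines, double-URL-decodes each query-string value, and labels values that look like a remote URL being fed to an include, a directory traversal, a PHP stream wrapper, a well-known sensitive path, or a null-byte truncation. The log lines are constructed for the demonstration (RFC 5737 documentation addresses, not real traffic), and the indicator patterns are the author's assumptions rather than Imperva's rules.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumed indicator patterns, checked against the fully decoded parameter value.
RFI_RE = re.compile(r"^\s*(?:https?|ftps?)://", re.I)                     # remote include
WRAPPER_RE = re.compile(r"^\s*(?:php|data|expect|zip|phar|glob)://", re.I)  # PHP stream wrappers
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
SENSITIVE_RE = re.compile(r"/etc/passwd|/proc/self/", re.I)


def classify_value(raw_value: str) -> list:
    """Return the RFI/LFI indicators found in one query-string value."""
    value = unquote(unquote(raw_value))   # two passes catch %252e-style double encoding
    kinds = []
    if RFI_RE.match(value):
        kinds.append("remote file inclusion")
    if TRAVERSAL_RE.search(value):
        kinds.append("directory traversal")
    if WRAPPER_RE.match(value):
        kinds.append("PHP stream wrapper")
    if SENSITIVE_RE.search(value):
        kinds.append("sensitive path")
    if "\x00" in value:
        kinds.append("null byte truncation")
    return kinds


def scan_target(target: str) -> list:
    """Check every parameter of a request target; returns [(param, kinds), ...]."""
    hits = []
    query = target.partition("?")[2]
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")   # keep the raw value so %25 survives
        kinds = classify_value(raw_value)
        if kinds:
            hits.append((unquote(name), kinds))
    return hits


def scan_log(text: str) -> list:
    """Run the classifier over access-log lines; one record per flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, kinds in scan_target(m.group("target")):
            findings.append({"ip": m.group("ip"), "status": m.group("status"),
                             "param": param, "kinds": kinds})
    return findings


# Constructed access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1234
203.0.113.7 - - [06/Apr/2012:10:01:05 +0000] "GET /index.php?page=http://198.51.100.9/inc.txt HTTP/1.1" 200 512
203.0.113.8 - - [06/Apr/2012:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2048
203.0.113.9 - - [06/Apr/2012:10:01:12 +0000] "GET /view.php?file=php://input HTTP/1.1" 200 700
203.0.113.10 - - [06/Apr/2012:10:01:15 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status code is carried along because a 200 on a traversal request is the line an incident responder wants to look at first; a 404 is still worth noting as reconnaissance. On the application side, the fix that removes the whole class is to stop passing request input to include()-style functions and map a parameter to an allow-list of page names instead, so the log detector is a safety net rather than the control.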
Source: http://www.reuters.com/article/2012/04/04/us-hacker-china-idUSBRE8331D720120404
A hacker has posted thousands of internal documents he says he obtained by breaking into the network of a Chinese company with defense contracts, an unusual extension of the phenomenon of activist hacking into the world's most populous country.
The hacker, who uses the name Hardcore Charlie and said he was a friend of Hector Xavier Monsegur, the leader-turned-informant of the activist hacking group, LulzSec, told Reuters he got inside Beijing-based China National Import & Export Corp (CEIEC).
He posted documents ranging from purported U.S. military transport information to internal reports about business matters on several file-sharing sites, but the authenticity of the documents could not be independently confirmed.
The Beijing company, better known by the acronym, CEIEC, did not respond to a request for comment. U.S. intelligence and Department of Defense officials had no immediate comment.
CEIEC's website says the company performs systems integration work for the Chinese military.
Cyber-spying, both economic and political, is a growing concern for companies and governments around the world. The Chinese government is often accused of promoting, or at least tolerating, hacking attacks aimed at Western targets. But Chinese institutions have rarely been publicly identified as victims of such attacks.
…
Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple's headquarters are located.
We have been covering the Mac Flashback trojan since 2011, but the most recent variant from earlier this week targeted an unpatched Java vulnerability within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.
According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there's no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you're on the Internet, you're potentially at risk.
…
Source: http://www.pcadvisor.co.uk/news/security/3349527/anonymous-planning-attack-on-home-office-website
UK hackers linked to the Anonymous group are encouraging supporters to attack the Home Office website this Saturday (7 April) in protest at the extradition of three UK citizens to the US.
The planned attack, given the Twitter moniker of #OpTrialAtHome is being encouraged by the @AnonOpUK hacktivist group, which has publicised the attack on its Twitter page.
The group says its action is in protest against the extradition of UFO hacker Gary McKinnon, businessman Christopher Tappin and Richard O'Dwyer to the US. O'Dwyer controlled a website that carried links to TV programmes and films that allegedly broke US copyright law.
Supporters have been encouraged to launch denial-of-service attacks on the Home Office's IP address, which Anonymous has revealed. Those not savvy enough to launch automated attacks on the site could contribute to the effect by simply visiting the site in large numbers.
"#OpTrialAtHome has been initiated, we are inviting every #Anon to join us in our fight against #Extradition and the #EAW [European Arrest Warrant]," said the group on its Twitter account.
McKinnon and O'Dwyer are still fighting extradition, and Tappin is already in the US awaiting trial for allegedly dealing in banned weapons materials to Iran.
…