InfoSec Daily Podcast Episode 839 for February 5, 2013. Tonight's podcast is hosted by Rick Hayes with Dave Kennedy, Boris Sverdlik, Beau Woods, Adrian Crenshaw, Bill Gardner, Karthik Rangarajan, Geordy Rostad, Justin Brown, Keith Pachulski, Varun Sharma, Adrian Sanabria, and Themson Mester.
We have reached the end of the road. The time has come for us to say goodbye. We'd like to thank all of our listeners and wish each of you nothing but the very best.
For easy use of the Amazon Affiliate link, use AffiliateFox. Configure it for amazon.com with infdaipod05-20, and for amazon.co.uk with infdaipod-21. Thanks for supporting the podcast!
The Homeland Security Department is alerting key businesses to a new hacking technique that guesses the passwords of technology that controls power generation and other complex industrial processes.
The attack kit targets Siemens S7 programmable logic controllers — the same machinery pursued by Stuxnet, a worm discovered in 2010 that disrupted Iranian nuclear production machinery.
A research team publicized the “brute-force password tool” at a security conference, before coordinating with Homeland Security or Siemens, according to DHS’ Industrial Control Systems Cyber Emergency Response Team.
The website of SCADAStrangeLove describes the organization as “a group of security researchers focused on ICS/SCADA security to save Humanity from industrial disaster and to keep Purity Of Essence.”
Affected companies should make sure control system devices are not accessible through the Internet, and should partition those systems from the business network, as well.
Security consultants recently concluded that there are about 7,200 Internet-facing critical infrastructure devices, many of which use default passwords.
“ICS-CERT has notified the affected vendor of the report and has asked the vendor to confirm the attack vector and identify mitigations,” states a DHS alert. “ICS-CERT is issuing this alert to provide early notice of the report.”
The password cracker apparently can “narrow down and expose the credentials” by analyzing captured network traffic, DHS officials stated. It is possible the same code “may be modified to be used against other vendor products,” officials added.
Trend Micro experts say that cybercriminals are turning more and more to legitimate tools in their advanced persistent threat (APT) attacks. The main concern is that some of these tools are “greyware” and they’re not always detected by security solutions.
An additional benefit from using such tools is that the cybercriminals don’t go through the trouble of creating their own.
According to experts, cybercriminals are using tools designed for password recovery, user account cloning, file manipulation, job scheduling, FTP transfers and data compression.
For instance, attackers are using compression tools, such as the popular WinRar, to archive multiple stolen files before uploading them to a remote server they control.
Scheduled job tools can be utilized to disable software updates to make sure the targeted system remains vulnerable, or to program various malicious tasks, such as stealing files.
File manipulation tools can be successfully used to delete certain components in an effort to hide their tracks, or to search for certain files.
So what can an organization do to identify an APT that relies on such tools?
Experts say that most of them are command line tools, so checking for unknown command shell processes can help an organization identify an attack before too much damage is caused.
Furthermore, the presence of such tools, regardless of whether they're legitimate or not, could be a sign of compromise. Odd-looking file names are another tell-tale sign, since hackers often give their files apparently random names or fake extensions.
Since FTP connections are often used by cybercriminals, it’s important for IT teams to pay attention to network logs.
Finally, reviewing scheduled jobs is highly recommended.
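The five checks listed above (unknown command shells, dual-use tools, odd file names and fake extensions, FTP in the network logs, scheduled jobs) are easy to turn into a first-pass triage script. The following is an added example, not code from Trend Micro or the podcast; the process, file, task and firewall-log records are constructed, and the watchlists (which shells, which parents normally launch a shell, which archivers and FTP clients are unexpected, what a firewall line looks like) are assumptions that would be tuned to the environment.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid name parent cmdline")
Task = namedtuple("Task", "name command")

# Constructed tuning knobs: which shells to watch, which parents normally
# launch an interactive shell, and which dual-use tools (archivers, FTP
# clients) are not expected on these hosts. Tune per environment.
SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe"}
DUAL_USE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe", "ftp.exe", "ncftp.exe"}
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "vbs"}
EXE_TOKEN = re.compile(r"[\w-]+\.exe")
UPDATE_TAMPER = re.compile(r"wuauserv|windowsupdate", re.I)
# Constructed firewall log format: "<timestamp> ALLOW TCP <src>:<port> -> <dst>:<port>"
NET_LINE = re.compile(
    r"^(?P<ts>\S+)\s+ALLOW\s+TCP\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$")


def odd_file_name(name):
    """Flag a disguised executable (report.pdf.exe) or a random-looking stem."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] not in EXEC_EXT:
        return "executable disguised with a document extension"
    stem = parts[0]
    if (len(stem) >= 8 and re.fullmatch(r"[a-z0-9]+", stem)
            and sum(c.isdigit() for c in stem) >= 3):
        return "random-looking name"
    return None


def triage(processes, files, tasks, net_lines):
    """Return (category, detail) findings for the five indicators in the text."""
    findings = []
    for p in processes:                       # unknown command shells + dual-use tools
        if p.name.lower() in SHELLS and p.parent.lower() not in EXPECTED_SHELL_PARENTS:
            findings.append(("shell", f"pid {p.pid}: {p.name} spawned by {p.parent}"))
        for tool in sorted(set(EXE_TOKEN.findall(p.cmdline.lower())) & DUAL_USE_TOOLS):
            findings.append(("tool", f"pid {p.pid}: runs dual-use tool {tool}"))
    for path in files:                        # odd names / fake extensions
        reason = odd_file_name(path.rsplit("\\", 1)[-1])
        if reason:
            findings.append(("file", f"{path}: {reason}"))
    for t in tasks:                           # scheduled jobs
        if UPDATE_TAMPER.search(t.command):
            findings.append(("task", f"{t.name}: tampers with Windows Update"))
        elif "\\temp\\" in t.command.lower():
            findings.append(("task", f"{t.name}: runs from a temp directory"))
    for line in net_lines:                    # outbound FTP in network logs
        m = NET_LINE.match(line)
        if m and m.group("port") == "21" and not m.group("dst").startswith("10."):
            findings.append(("ftp", f"{m.group('src')} -> {m.group('dst')}:21 at {m.group('ts')}"))
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_PROCS = [
    Proc(1200, "cmd.exe", "explorer.exe", "cmd.exe"),
    Proc(1344, "cmd.exe", "javaw.exe",
         r"cmd.exe /c rar.exe a C:\Windows\Temp\k3h8d2n1.tmp C:\Users\jdoe\Documents"),
    Proc(1500, "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
]
SAMPLE_FILES = [
    r"C:\Users\jdoe\Desktop\quarterly_report.pdf.exe",
    r"C:\Windows\Temp\k3h8d2n1.tmp",
    r"C:\Users\jdoe\notes.txt",
]
SAMPLE_TASKS = [
    Task("AdobeAAMUpdater", r"C:\Program Files\Adobe\updater.exe"),
    Task("SysCheck", "cmd.exe /c sc config wuauserv start= disabled"),
    Task("Cleanup", r"C:\Windows\Temp\k3h8d2n1.exe"),
]
SAMPLE_NET = [
    "2013-02-05T02:13:44Z ALLOW TCP 10.0.0.15:49213 -> 203.0.113.7:21",
    "2013-02-05T02:14:01Z ALLOW TCP 10.0.0.15:49214 -> 10.0.0.2:445",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_PROCS, SAMPLE_FILES, SAMPLE_TASKS, SAMPLE_NET):
        print(f"[{category}] {detail}")
```

The point of the per-category tags is that each indicator is weak on its own (an administrator may legitimately run WinRAR from a script), so the findings are meant to be correlated by host and time rather than alerted on individually; the sample data is built so that one host shows a shell with an odd parent, an archiver run, a random-named file in Temp, and an outbound FTP session within the same minute.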
A 20-year-old Canadian computer science student has become, depending on your point of view, a martyr for computer security or a cautionary tale for students and others who take an interest in exposing security flaws in software products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the security of a student information system used by over 250,000 students, the school's administration said his acts were a "serious professional conduct issue" and expelled him. Now, fellow students are demanding his reinstatement, and the college and its software provider are facing a publicity and security backlash.
Al-Khabaz and another student reported finding a security flaw in the mobile application for Omnivox, a Web-based software package developed by Montreal-based Skytech Communications that is used by students to access and manage their personal information and college services—including their Social Insurance numbers, the Canadian equivalent of US Social Security numbers.
Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz told the National Post that the software had "sloppy coding" that allowed anyone "with basic knowledge of computers to gain access to the personal information of any student"—including virtually all of the personal data the college had collected on them. Al-Khabaz and fellow student Ovidiu Mija found the flaw by running Acunetix, a web site security scanning tool.
When Al-Khabaz and Mija reported the problem to the school's director of Information Services and Technology, Al-Khabaz claimed they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz' next step that landed him in trouble with the school. Two days later, he decided to check to see if the flaw had indeed been fixed, running the scanning software again.
President Vladimir Putin has ordered Russian authorities to protect state computers from hacking attacks, the Kremlin said on Monday, after an Internet security firm said a spy network had infiltrated government and embassy computers across the former Soviet bloc.
Dubbed Red October, the network used phishing attacks – or unsolicited emails to intended targets – to infect the computers of embassies and other state institutions with a program designed to harvest intelligence and send it back to a server.
Putin signed a decree on January 15 empowering the Federal Security Service (FSB) to "create a state system for the detection, prevention and liquidation of the effects of computer attacks on the information resources of the Russian Federation".
State computer and telecommunications networks protected by the cyber security system should include those inside Russia and at its embassies and consulates abroad, according to the decree, which was published on a Kremlin website on Monday.
The Russian Internet security firm Kaspersky Labs said last week that the computer espionage network, discovered last October, had been seeking intelligence from Eastern European and ex-Soviet states including Russia since 2007.
AT&T on Tuesday said it has agreed to buy Alltel's U.S. wireless operations, including licenses, network assets, retail stores and about 585,000 subscribers, for $780 million in cash. Technically, AT&T is buying the operation from the lesser known Atlantic Tele-Network, Inc. (ATNI).
The Alltel CDMA network covers approximately 4.6 million people in primarily rural areas across Georgia, Idaho, Illinois, North Carolina, Ohio and South Carolina. The acquisition includes spectrum in the 700 MHz, 850 MHz and 1900 MHz bands, which AT&T says complements its network and will provide customers who roam in these areas improved 3G wireless access. The transaction is subject to review by the FCC and Department of Justice, and AT&T says the deal is expected to close in the second half of 2013.
InfoSec Daily Podcast Episode 827 for January 15, 2013. Tonight's podcast is hosted by Rick Hayes, Bill Gardner, Justin Brown, Keith Pachulski, and Themson Mester.
Announcements
Securi-Tay
When: January 16, 2013
Where: Abertay University in Scotland (drink more scotch)
Tickets are on sale! They're £10 (ten pounds) and can be bought from the website (which is securi-tay.co.uk). It's a student-run security conference and the money goes to cover the cost of running it, and any spare will be put behind the bar – so the more people that buy tickets, the more drunk everyone can get. Plus it's Scotland, so they have good whiskey. Get on it people!
ShmooCon
When: February 15-17, 2013
Where: Washington DC http://shmoocon.org
Spridel is going, Them is going, IronGeek is going, Bill is going
BSides Boston
When: February 23, 2013
Where: Microsoft’s New England Research & Development Center (NERD) Cambridge, MA
Stories
Tonight we’re going to talk about Hack3rCon (http://www.hack3rcon.org). Hack3rCon is a conference where Doomsday preppers and cyber security enthusiasts come together in Charleston, WV.
What is prepping?
prepping (verb): prepare (something); make ready; prepare oneself for an event.
"Prepper" isn't someone sitting around wearing a tin foil hat waiting for the end of the world or a loner up in the mountains all alone waiting for the aliens to land.
Prepping is simply a movement of people who see that the world could possibly be on the verge of a "change" and are preparing for whatever it may be, whether a natural disaster such as a tornado, hurricane, flood or solar flare, or an economic collapse or war. We're always hoping for the best but preparing for the worst.
Are preppers crazy? Probably not. They are a lot like you: they see the events of the world and, based on what they're seeing, they want to ensure that their family and friends are safe and protected. Most try to do this without making any critical mistakes. Being prepared even when accidents or disasters seem very unlikely is critical; since no one can pinpoint the exact time a disaster will strike, it's prudent to be prepared.
There are different types of preppers – the short term and the long term preppers. Short term preppers are those that want to be prepared for anywhere between 1 week and 3 months. Many government websites such as The American Red Cross and FEMA suggest every family have a short term food supply in case food routes are interrupted due to severe storms or unforeseen circumstances.
For longer term needs, preppers generally plan for disasters that have a longer-term effect, and so plan for longer self-sufficiency in the event the disaster does occur. Long term preppers have a short term supply to complement their long term supply. A longer term food supply usually includes dehydrated foods, MREs, seeds, hand-crank wheat grinders, and equipment to be used in a non-technological environment. For a more detailed list on short term food supplies and longer term food supplies, click here.
Disasters do not happen only to other people – they can happen to you, and they can happen to me. As long as you are prepared for a given scenario, you already have tools in place when you need them most. According to some, prepping has become some sort of a social movement. Preparing for a disaster and being self sufficient has occurred for centuries. It is nothing new. It is simply families trying to make the hard times easier.
As humans, we are naturally aware of possible threats around us, and often the way a person neutralizes that threat is to create a story of the worst-case scenario and begin to prep around that. Becoming a person who preps for disasters begins with a level of awareness. A prepper knows that there are possible threats, and it only makes sense to be as prepared as possible, beginning with elemental disaster items to sustain basic needs (food, water, clothing and shelter) and then adding more preparedness layers onto it. Basic disaster items are intended to sustain a person and their family for 3-5 days. However, many decide to expand their disaster supplies to encompass a longer duration in case emergency response is delayed. This is why preppers believe in having "back ups for their back ups."
When preparing for a disaster, it is essential to have provisions in place to secure your needs. That being said, beginning a food supply must begin with research. Finding out how many calories a person needs per day in order to survive, and knowing how much food to store, is essential when beginning to prepare. Additionally, reading survival/prepping forums to see what others are doing is another way to learn. Preppers are very open to helping others who want to prepare. We have all been at the beginning stage of preparing, and it can be overwhelming at first, but the overall goal is to get people prepared.
When beginning to get preparations in place, concentrate on the basic needs of survival: water, food, shelter, clothing, and move on from there. Below are some basic suggestions on items that would be ideal to have in the home:
Water – It is suggested to have 1 gallon of water per person per day. Having a 3 day supply of water on hand is a great place to start. However, many preppers like to be as thorough as possible in their prepping. Therefore, Ready Nutrition suggests playing it safe and doubling the amount of water needed. The extra water can be used for other purposes. Additional water storage for longer term use can be reviewed here. Extra water that is stored can also be used if family members such as children or the elderly become dehydrated and need more water. Additionally, having an alternative source for water such as a water filter, frozen water in the freezer, and 5 gallon water containers is suggested. In a disaster situation, a person does not want to run out of water. Lakes and streams can also be a way to find water, but the water needs to be treated. In case someone is not near any running streams or lakes, there are places in nature where one can find alternative water sources.
Food – Comparative shopping at the large volume supermarkets typically has better deals than at the smaller stores. Finding local ads from the large supermarket store websites can save on gas money as well as on shopping time. Even the Dollar stores carry canned goods and food products that would be good for short term/long term food supplies. Look for sales at the stores and buy as much of the item as your budget will allow.
Using a food storage calculator will help determine how much food is necessary. There are some considerations to keep in mind before purchasing the food items:
Expiration Dates – It's best to find items whose expiration dates are 1-2 years away, unless that item is used frequently in the home and can be rotated frequently.
Items on Sale – Go for the deals. Typically, there are deals that are advertised in the newspaper. There are stores that have 10 items for $10, or 2 for 1 offers. You do not have to break the bank to get food items. Just get a little each time you visit the store. In season vegetables are typically cheaper. Larger cans of goods generally have better deals.
Take into consideration the following:
The amount of people in the household.
A wide variety of food will help reduce food fatigue.
The serving amount in the food.
Vitamin content in the food.
Any special health considerations for family members.
Medical Supplies – Medical emergencies can occur at the drop of a hat, and having the necessary supplies can mean the difference between life and death. When an emergency situation arises, one must act calmly and decisively. In the case of a severe injury where there is a lot of blood loss, there must be supplies that can stop bleeding, cut the pain threshold and calm the patient if necessary. Find websites online that deal with first aid care and go through each injury to see what medical instruments and items are needed. Moreover, check in your community and see if the Fire Department, American Red Cross or Medical Centers offer classes to assist in medical emergencies. Make a list of supplies that can be added to the disaster medical supplies.
President Barack Obama has signed into law a five-year extension of the U.S. government's authority to monitor the overseas activity of suspected foreign spies and terrorists.
The warrantless intercept program would have expired at the end of 2012 without the president's approval. The renewal bill won final passage in the Senate on Friday.
Known as the Foreign Intelligence Surveillance Act, the law allows the government to monitor overseas phone calls and emails without obtaining a court order for each intercept.
The law does not apply to Americans. When Americans are targeted for surveillance, the government must get a warrant from a special 11-judge court of U.S. district judges appointed by the Supreme Court.
Arizona could soon become the latest state in the union to pass state legislation that would make online impersonation, or e-personation, a crime.
According to the Arizona Republic, State Rep. Michelle Ugenti, (R-Scottsdale) will introduce a bill that would make it a felony to use another person’s name with the intention to “harm, defraud, intimidate or threaten,” including spoofing an e-mail or text with similar devious motives.
The paper cited “about a dozen other states” that have similar legislation on the books, including California, Washington, New York, and Texas.
“If you’re going to impersonate someone and you’re going to threaten, harm or defraud them, it should be against the law because of the ramifications to the individual,” Ugenti told the paper.
That said, the state appears to already have existing laws on the books to deal with this problem. Last year, the paper added, "a disgruntled Gilbert parent created a fake profile of his son’s assistant principal on a pornographic website and chatted online under the administrator’s name." The man was convicted of two felonies and ordered to serve three months in jail as a result.
Clearly, though, the concern is that if the law is not defined narrowly enough, it could stifle legitimate speech like the Fake Sen. John McCain (R-AZ) Twitter account.
Oracle has released a new version of the Java Development Kit which includes a number of security improvements. The major change in JDK 7u10 is the ability to prevent any Java application from running in the browser, a big shift for the Java environment, which is a constant target of attacks.
The new release of Java also includes some additional security enhancements, most notably a feature that enables developers to set a specific level of security for any unsigned Java applets. Java applications and Java itself have become high-priority targets for attackers in the last couple of years, and a number of significant attacks have focused on Java bugs recently. In August, researchers identified a group from China known as the Nitro crew as one of the groups that was using a pair of Java zero-day vulnerabilities in targeted attacks.
Exploits for Java bugs often are added to the major exploit kits such as Black Hole, Eleonore and the Cool exploit kit. Attackers favor Java as a target for a number of reasons, but the key attraction for them is Java's enormous installed base. Java sits on hundreds of millions of machines worldwide, and a good percentage of those installations are older, out-of-date versions that include vulnerabilities that are easy pickings for attackers.
Oracle's decision to give people the ability to disable Java applications from running in the browser could be an important step in helping to prevent some of the widespread Java attacks.
"This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument," Oracle said in the release notes for Java SE Development Kit 7u10.
Yesterday the Iranian CERT made an announcement about a new piece of wiper-like malware. We detect these files as Trojan.Win32.Maya.a.
This is an extremely simplistic attack. In essence, the attacker wrote some BAT files and then used a BAT2EXE tool to turn them into Windows PE files. The author seems to have used (a variant of) this particular BAT2EXE tool.
There's no connection to any of the previous wiper-like attacks we've seen. We also don't have any reports of this malware from the wild.
The destructive payload is very simple. The malware checks if the date matches with a number of pre-defined dates. If the date matches it will wait for 50 minutes and then try to delete all files from drive D through I. It will also wipe all files from the user's desktop.
Dates:
2012/12/10-12
2013/01/21-23
2013/05/06-08
2013/07/22-24
2013/11/11-13
2014/02/03-05
2014/05/05-07
2014/08/11-13
2015/02/02-04
Clearly, the attacker was trying to think ahead.
After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure.
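For incident response the useful fact in this analysis is the trigger calendar: whether a suspected sample would have fired on the day an outage occurred, and when the next window opens. The following is an added example, not part of the Kaspersky write-up; it takes the date ranges exactly as listed above (a range like "2012/12/10-12" is read as the 10th through the 12th of that month) and assumes the check is by calendar day. The function names are hypothetical.

```python
from datetime import date

# Trigger windows as listed in the report above ("2012/12/10-12" means
# 10, 11 and 12 December 2012).
TRIGGER_SPECS = [
    "2012/12/10-12", "2013/01/21-23", "2013/05/06-08", "2013/07/22-24",
    "2013/11/11-13", "2014/02/03-05", "2014/05/05-07", "2014/08/11-13",
    "2015/02/02-04",
]


def parse_window(spec):
    """'YYYY/MM/DD-DD' -> (first_day, last_day) as date objects."""
    ymd, last = spec.rsplit("-", 1)
    year, month, day = (int(x) for x in ymd.split("/"))
    first, final = date(year, month, day), date(year, month, int(last))
    if final < first:
        raise ValueError(f"window runs backwards: {spec}")
    return first, final


TRIGGER_WINDOWS = sorted(parse_window(s) for s in TRIGGER_SPECS)


def is_trigger_day(day, windows=TRIGGER_WINDOWS):
    """True if the sample's date check would succeed on `day`."""
    return any(first <= day <= final for first, final in windows)


def next_trigger(day, windows=TRIGGER_WINDOWS):
    """Earliest trigger day on or after `day`, or None once all windows are past."""
    for first, final in windows:
        if final >= day:
            return max(first, day)
    return None


def check(iso_day, windows=TRIGGER_WINDOWS):
    """Summarize an ISO date ('YYYY-MM-DD'): does it trigger, and when is the next window?"""
    day = date.fromisoformat(iso_day)
    nxt = next_trigger(day, windows)
    return {
        "date": iso_day,
        "triggers": is_trigger_day(day, windows),
        "next_trigger": nxt.isoformat() if nxt else None,
        "days_until": (nxt - day).days if nxt else None,
    }


if __name__ == "__main__":
    # The podcast episode date, used here only as an illustrative "today".
    print(check("2013-02-05"))
```

Because the payload also waits 50 minutes after a successful date match, a timeline that places a machine's boot inside one of these windows, followed by a chkdsk run roughly an hour later, is consistent with the behaviour described; that correlation is something the analyst does by hand, the script only answers the calendar question.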
Researchers have uncovered some links between Dexter, the custom-made malware targeting point-of-sale systems, and Zeus, the notorious banking Trojan.
In active development since September, earlier versions of Dexter communicated with IP addresses belonging to Zeus-related domains, according to researchers from Verizon's Research Investigations Solutions Knowledge (RISK) team. Dexter also shared similar behavioral patterns with some Zeus versions.
At least four variants dating back to September have been identified and submitted to VirusTotal between September and October, Verizon found. Some antivirus solutions had detected those Dexter variants as Zeus, according to the RISK team.
"We feel it is likely that additional samples exist in the wild," Verizon's Keith Gilbert wrote.
As SecurityWatch reported recently, Dexter targets point-of-sale systems such as electronic cash registers, kiosks, and automatic teller machines (ATMs). Dexter has infected hundreds of systems from businesses in 40 countries and intercepted data for tens of thousands of payment cards, according to Israel-based Seculert, who first issued an alert about the malware. The researchers said the gang behind Dexter is likely using the harvested track 1 and track 2 data to create cloned cards.
In this post I am going to look at the relationship between a malicious SWF and its calling JavaScript. Earlier in the week, I was playing around with Cool Exploit Kit. I didn't go down the rabbit hole of looking into the SWF file. I'm a novice when it comes to Adobe ActionScript, but the structure can be figured out with patience. Yesterday, I was playing with the latest Blackhole exploit. Its JavaScript is almost verbatim in the exploit, though the SWF file does differ.
When reviewing malicious SWF, most example output I have seen is using SWF Tools (http://www.swftools.org). Recently, I have been trying out Adobe’s SWF Investigator (http://labs.adobe.com/technologies/swfinvestigator/). My reasoning is that if Adobe can keep up improving this investigation and debugging tool, there will be a long term solution for providing forensics on SWF files, and I really do not like learning too many tools.
A Microsoft-commissioned report published last week said companies can save tens of thousands of dollars in support and development costs by standardizing on one browser.
Although the report, conducted by Forrester Research and paid for by Microsoft, never used the words "Internet Explorer," "Windows," "Chrome" or "Firefox," there was little doubt of its focus: Microsoft's Internet Explorer (IE).
"The study revealed that IT pros overwhelming prefer to standardize on the browser that ships with their desktop OS," Forrester said. IE, of course, is the browser bundled with Windows, the planet's most popular business desktop operating system.
According to surveys of 133 IT decision makers at North American enterprises, 96% of the companies have standardized on one browser for workers' PCs. But they're split over whether to support others.
China has begun reinforcing its infamous firewall with new tech designed to prevent encrypted communication.
To prevent the more enterprising citizens of China from exploiting holes in the country's firewall through the use of virtual private networks and circumventors, the Chinese government is using new technology to block encryption, according to The Guardian.
The publication reports that both consumers and businesses are being hit by the new Internet barrier, which is able to "learn, discover and block" encrypted channels provided by VPN companies. According to one company that has a customer base in the Asian country, one of the largest telecom providers in the area, China Unicom, is now automatically killing connections to the Internet when a virtual private network is detected.
For Chinese residents, this could make Western reading material and Web sites, including social networks, even harder to reach. Blockedinchina.net shows which sites are currently inaccessible through standard Internet access; these include Facebook, Twitter, and YouTube, which may contain content that goes against China's policies or ethos.