InfoSec Daily Podcast Episode 655 for April 27, 2012. Tonight's podcast is hosted by Rick Hayes, Dave Kennedy, Boris Sverdlik, Adrian Crenshaw, Geordy Rostad, and Karthik Rangarajan.
Special Guests: Erin Kennedy, and Nick
Announcements
Linuxfest Northwest 2012
When: April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
http://www.appyide.org/
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
http://www.skydogcon.com
Please consider making your Amazon purchases through our affiliate link. If you’re not familiar with the affiliate link, locate the Affiliate Program link on the right-hand side, or simply use our QR Code Links.
Amazon:
Amazon UK:
Stories
Source: http://www.theregister.co.uk/2012/04/27/html5/
HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief.
During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.
Many of the attack scenarios involve using JavaScript to create memory-resident "botnets in a browser", McArdle warned, which can send spam, launch denial-of-service attacks or worse. And because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, utterly simplifying the development of malware.
Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass – and HTTP-based attacks pass easily through most firewalls.
Additional dangers involve social engineering using HTML5's customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.
"The good stuff in HTML5 outweighs the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5 but nonetheless it's good to think ahead and develop defences."
….
Source: http://www.spamfighter.com/News-17679-Spam-Volume-in-March-2012-Declines-Only-Slightly.htm
Kaspersky Lab, which released its March 2012 spam report, shows that spam volumes from the total e-mail reduced 3.5% during March 2012 over the previous month of February 2012.
The new spam study reveals that the twenty greatest sources of junk e-mails continued to be the same in March 2012, with the same countries as of February 2012 occupying the foremost 6 positions although South Korea and Vietnam interchanged ranks - the latter coming 4th and the former coming 5th.
Maria Namestnikov, security researcher at Kaspersky Lab explained that the first 3 ranks went to India (12.3%), Indonesia (7.5%) and Brazil (6.7%). While spam rates might've declined, the menace continued as severe as before with junk e-mail distributors adopting more-and-more refined techniques of scam, she said. Kaspersky.com published this dated April 19, 2012.
Besides, according to Namestnikov, it was ever-since the Kelihos/Hlux network-of-bots' latest version got dismantled that the spam rates declined. During March 2012, Kaspersky Lab in combination with companies namely Dell SecureWorks, CrowdStrike, alongside HoneyNet Project dismantled the Kelihos.B botnet.
The spam study thereafter reveals that the topics most commonly utilized within the spam campaigns all through March 2012 related to Easter, St. Patrick's Day as also iPad3's recent launch.
Of the several spam campaigns related to St. Patrick's Day, security company Kaspersky states that the spammers, for acquiring the notice of e-mail recipients, resort to partner programs that abuse any holiday, celebration or same kind of event. Within the current example, it's Leprechaun-festooned spam websites, which present counterfeit designer watches.
….
Source: http://www.zdnet.com/blog/bott/report-says-hotmail-exploit-spread-like-wild-fire-is-now-fixed/4892
Microsoft plugged a serious security hole in its Hotmail password reset service last week, after one report claims it was widely exploited.
April 26, 3:00PM PDT: Microsoft confirms existence of flaw and fix. See update at end of post.
Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days.
A report published today at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix.
The bulletin rated the severity as “Critical,” based on this description:
A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.
The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:
Report-Timeline:
================
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification by VoIP Conference
2012-04-20: Vendor Response/Feedback
2012-04-21: Vendor Fix/Patch
2012-04-26: Public or Non-Public Disclosure
During at least part of that two-week gap, the vulnerability was widely exploited, one source says.
….
Source: http://news.yahoo.com/hackers-hit-philippines-websites-amid-china-dispute-193846510.html
Philippine government websites are under heavy attack from hackers, apparently from China, amid a tense territorial dispute between the two countries in the South China Sea, officials said Thursday.
While some Philippine hackers have reportedly launched retaliatory attacks, the government appealed to them for restraint, said Roy Espiritu, spokesman of the government's information technology office.
"We've actually detected several attacks, including attempts at distributed denial of service," he said, in which a hacker infiltrates computers with which to attack a single target, such as a website, forcing it to shut down.
"They (hackers) are probing into different (Philippine) government domains so we can't say how many attacks there are. But it is a lot," Espiritu told AFP.
"The signatures (of the hackers) indicate they are from Chinese networks."
Espiritu conceded this could be a ruse and the attacks may have actually originated from other sources.
But he said all the attacks came after Philippine ships faced off with Chinese patrol vessels on April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such attacks.
The Chinese vessels initially prevented the Philippine Navy from arresting alleged Chinese poachers in the area. The stand-off is continuing.
….
Source: http://nakedsecurity.sophos.com/2012/04/27/carriers-oppose-producing-warrants-for-location-data/
The mobile carriers industry trade group, CTIA–The Wireless Association, is objecting to a proposed bill that would require the police to produce a warrant if it wants access to location data on people's mobile phones.
CTIA are calling the legislation "unduly burdensome" to say no to police who arrive without warrants.
The bill in question, California Location Privacy Bill (SB 1434), doesn't stop the carriers from handing over location data, but it does require that police get a warrant first.
The proposed law also states that carriers must publish reports showing the number of disclosures they've made in a given calendar year, including:
- how many times each wireless provider disclosed information (and how many times it didn't)
- how many times the carrier contested data demands
- how many users' data were disclosed.
And this report is to be published on the internet by the following April.
On April 12, the CTIA wrote [PDF] to the bill's sponsor, State Senator Mark Leno, saying that CTIA opposes the proposed legislation due to "serious concerns":
"These reporting mandates would unduly burden wireless providers and their employees – who are working day and night to assist law enforcement to ensure the public’s safety and to save lives."
… and that the legislation would "confuse" them.
For example, an issue the carriers would find confusing is the definition of "location information." CTIA say that it is "so sweeping" that it could overlap basic subscriber information:
"Since the implications of this definition are unclear, wireless providers will have difficulty figuring out how to respond to requests for such information. It could place providers in the position of requiring warrants for all law enforcement requests."
Ars Technica's Cyrus Farivar, for one, is confused about why the CTIA is confused.
Here's what he had to say:
"Earlier this month, the ACLU said it received over 5,500 pages from 200 local law enforcement agencies about their tracking policies. The organization concluded that 'while cell phone tracking is routine, few agencies consistently obtain warrants.
Importantly, however, some agencies do obtain warrants, showing that law enforcement agencies can protect Americans' privacy while also meeting law enforcement needs.' In short, it seems like law enforcement can stay within the law, even when it takes the trouble to get a warrant—how is that confusing?"
Regarding the cost and labour involved in putting up reports that tell the public how they are releasing our information: well, if it's really all that costly to the poor, cash-strapped wireless providers, perhaps it's time for them to increase the fees they charge law enforcement agencies for the all-you-can-eat buffet of data they provide.
….
Late Announcement:
Help Brad get a handicap accessible van. http://www.nmeda.com/mobility-awareness-month/heroes/montana/helena/1535/nina-and-brad-smith
[end]







