Your daily source of Pwnage, Policy and Politics.

Episode 585 – Eyes Open, Bouncer, PHP, NATO Deficiencies, Fakebook Accounts & What’s New?

InfoSec Daily Podcast Episode 585 for February 3, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Geordy Rostad, and Dr. Bonez.

Announcements:

Unsung Heros

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… Chris John Riley has started to gather suggestions for your “unsung hero” of the tools world.  He is looking specifically to gather a list of tools that aren’t on every penetration tester’s or forensic investigator’s list, but that you respect.  http://blog.c22.cc/2012/01/13/unsung-heros

Information Security Blogger Awards 2012
Since we were overlooked again for Best Podcast on Security, you can email ashimmy@hotmail.com with your name, email address and ISD Podcast as your write-in nominee.  Please note that you have to provide your blog or podcast URL so that it can be verified that you are a blogger or podcaster.  Vote for your favorite blogs as well at http://www.ashimmy.com.

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity is a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital ever since.

Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to.  Please feel free to check in for status or to donate.  Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

Metasploit Framework Unleashed Cincinnati
When: February 11, 2012.
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC

Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington

When: July 21-24, 2012
Where: Black Hat Vegas

When: August 20-24, 2012
Where: Bristol, UK

When: November 12-16, 2012
Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

DerbyCon 2012 – The “Deuce” Reunion
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.


Stories

Source: http://www.forbes.com/sites/andygreenberg/2012/02/02/google-gets-serious-about-android-security-now-auto-scans-app-market-for-malware/

Source: http://googlemobile.blogspot.com/2012/02/android-and-security.html

The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations – including in security.

Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

Source: http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html

The PHP developers are working to fix a critical security vulnerability in PHP that they introduced with a recent security patch. The current stable release is affected; however, it is not yet clear whether the questionable patch was also applied to older versions.

The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web.

Source: http://news.cnet.com/8301-27080_3-57370710-245/how-to-identify-fake-facebook-accounts

Hello, Facebook friends, I am male, straight, often ridiculously good-looking, and this is a real message: she's not that into you.

And by she, I mean one of those hot girls on Facebook who always seems too desperate and overzealous in trying to connect to you and everyone on your friend list.

Apparently, of some 850 million active Facebook users, a lot are fake profiles created to spread spam and viruses. These are often categorized as spammers or attackers. Security firm Barracuda Networks released today the findings from its most recent study that helps distinguish attackers from real users. Here are the study's four key findings.

….

Source: http://news.softpedia.com/news/Anonymous-Leaks-Passwords-from-Ireland-s-Foreign-Affairs-Site-250514.shtml

Anonymous hackers managed to gain access to the official website of the Irish government’s Department of Foreign Affairs, obtaining passwords used by employees and officials. Some of the passwords were used to administrate the website Irish Aid, an overseas development program.

According to The Journal, members of Anonymous Sweden are believed to have launched these attacks, part of OpIreland, as a protest against plans to introduce new SOPA-like legislation.

Of the 19 credential sets leaked, 17 were used by the Department of Foreign Affairs to edit the Irish Aid website, while the other 2 were utilized by the staffers of the company that developed the site.

“We are aware of website user login information being posted online. The website server has been taken offline as a precautionary measure and the matter is being investigated by our IT specialists,” said a Department of Foreign Affairs spokeswoman.

“This is an external service and is separate to the internal Department servers; these have not been affected.”

It seems that Seán Sherlock, the junior minister behind the new law, is one of the main targets; Anonymous revealed that it plans to target the website of the Labour Party, of which Sherlock is a member, next.

At press time, the website of the Department of Foreign Affairs is back online, but Irish Aid displays a message saying it is currently “undergoing essential maintenance.”

Source: https://www.eff.org/deeplinks/2012/02/what-actually-changed-google%27s-privacy-policy

Last week, Google announced a new, simplified privacy policy. They did a great job of informing users that the privacy policy had been changed through emails and notifications, and several experts (including Ontario’s Privacy Commissioner Dr. Ann Cavoukian) have praised the shift toward a simpler, more unified policy. Unfortunately, while the policy might be easier to understand, Google did a less impressive job of publicly explaining what in the policy had actually been changed.  In fact, it took a letter from eight Representatives to persuade them to provide straightforward answers to the public about their new policy.

Source: http://news.cnet.com/8301-13506_3-57370274-17/google-must-pay-$660000-for-offering-google-maps-for-free/?tag=rtcol;dis

A Paris court earlier this week ordered Google France and its parent company Google to pay plaintiff Bottin Cartographes 500,000 euros (about $660,000) for providing its free mapping services to businesses across the country. The court also required Google to pay a 15,000 euro fine for its practice.


"We proved the illegality of (Google's) strategy to remove its competitors," Jean-David Scemmama, attorney for Bottin Cartographes, a company that provides mapping services to businesses, told the AFP in an interview earlier this week. "The court recognized the unfair and abusive character of the methods used, and allocated Bottin Cartographes all it claimed. This is the first time Google has been convicted for its Google Maps application."


According to Scemmama, Bottin has been arguing its case against Google for two years, claiming the search giant was engaging in anticompetitive practices by using its free service to take control over the online-mapping industry.


In a statement to the AFP, Google said that it will appeal the court's decision, adding that Google Maps is still facing competition in that market.


Episode 584 – OS X 10.7.3, HTC WiFi Oops!, Leading Hackers, Passware & VeriSign

InfoSec Daily Podcast Episode 584 for February 2, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, and Karthik Rangarajan.


Stories

Source: http://threatpost.com/en_us/blogs/apple-ships-huge-set-patches-os-x-020212

Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OSX Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.

One of the more serious vulnerabilities Apple fixed is the flaw that researchers Juliano Rizzo and Thai Duong discovered in the TLS 1.0 and SSL 3.0 protocols last year. The vulnerability, for which they wrote a proof-of-concept exploit tool called BEAST, is fixed in the new version of Apache that Apple included in yesterday's patches. Exploiting the flaw enables an attacker to decrypt some SSL sessions.

"There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default," Apple said in its advisory.

Apple also pushed out an update that revokes trust in some of the certificates issued by Malaysian CA DigiCert that were found last year to contain weak cryptographic keys.

….

Source: http://www.pcadvisor.co.uk/news/mobile-phone/3334795/htc-vows-fix-android-flaw-revealing-wi-fi-credentials/?olo=rss

HTC is moving quickly to squash a security flaw that could expose Wi-Fi credentials on the company's Android phones.

Using an app that takes advantage of this flaw, an attacker could harvest SSID names and passwords for all wireless networks that the phone has accessed. For average consumers, this isn't a huge concern, but as researchers Chris Hessing and Bret Jordan note, the exploit “exposes enterprise-privileged credentials in a manner that allows targeted exploitation.”


The affected phones are the Desire HD (both "ace" and "spade" board revisions) Versions FRG83D and GRI40; Glacier Version FRG83; Droid Incredible Version FRF91; Thunderbolt 4G Version FRG83D; Sensation Z710e Version GRI40; Sensation 4G – Version GRI40; Desire S – Version GRI40; EVO 3D Version GRI40; and EVO 4G Version GRI40. HTC's MyTouch 3G and Google Nexus One are not affected.


HTC has acknowledged the issue, and says most phones have already received a fix through regular updates. Other phones, however, will require users to manually load the fix. The company says it will have more information on the matter next week.

….

Source: http://news.softpedia.com/news/Hackers-from-US-and-China-Responsible-for-40-of-Hack-Attempts-250311.shtml

A study released by security firm NCC reveals the origins of most hacking operations and the estimated damages they cause to the global economy each year.

The numbers show that hackers from the UK cost the global economy over $2 billion (1.4 billion EUR) in the year that passed, counting a total of 23 million hack attempts.

While this puts the United Kingdom on the 15th place on a global chart, the first two positions are occupied by China and the United States, the operations launched by cybercriminals from these countries costing the global economy around $44 billion (31 billion EUR).

“Reading the papers each day, it’s easy to think of hacking as something that happens to us from afar; that we’re victims of foreign criminal gangs in developing countries. Yet hackers can be anywhere in the world, as our research illustrates, including on our own doorstep,” Rob Cotton, NCC Group’s chief executive said.

US and China are followed on the global list by Russia, Brazil, Italy, Netherlands, France, Denmark, Germany and India.

It’s somewhat surprising that so many highly developed European countries have such a great contribution to the hacking attempts recorded worldwide, counting around 200 million attempted hacks with consequences translating into costs of $16 billion (11 billion EUR) each year.

….

Source: http://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/

California-based forensics software vendor Passware has released the latest version of its toolkit, which the company claims can bypass Apple's FileVault 2 disk encryption "in minutes," as well as volumes encrypted with TrueCrypt.

The software is reportedly able to capture the contents of a computer's memory via FireWire (also known as IEEE 1394 or i.LINK), analyze the memory dump, and extract the encryption keys. Passware claims that the software can recover passwords from decrypted Mac OS X keychain files as well.

Previous and current versions of Passware's software are also able to bypass Microsoft's BitLocker encryption, which is built into some editions of Windows.

Although Passware seems to mainly market its software to government and law enforcement agencies and military organizations, anyone with US $795 can purchase an edition of Passware Kit that includes these features. Interestingly, Passware also lists Apple, Microsoft, Intel, and several other major tech companies among its customers.

For those who might find all this concerning, it is important to note a few important caveats.

First, Passware's software requires physical access to a computer with a working FireWire port; a remote internet attacker cannot use it to break into your Mac or PC.

….

Source: http://www.pcmag.com/article2/0,2817,2399773,00.asp

VeriSign was hit by hackers in 2010 and its computers and servers were accessed several times, but the breach was not properly reported until late last year.

The information was revealed in an October filing with the Securities and Exchange Commission (SEC) and reported today by Reuters.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," VeriSign said. "We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network."

Information was stolen, though VeriSign did not provide details on what went missing.

But while the hacks occurred in 2010, VeriSign's information security group did not tell management about the attacks until September 2011. VeriSign said it has since changed its reporting policies to make sure the same thing doesn't happen again.

"The group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign said in its filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

VeriSign did not immediately respond to a request for additional comment.

….


Source: http://boingboing.net/2012/02/02/french-court-rules-that-its.html


A French court has ruled that Google's free Google Maps application API is anti-competitive and has ordered the company to pay €500,000 to Bottin Cartographes, a for-pay map company, as well as a €15,000 fine. Bottin Cartographes argued that Google was only planning to give away the service for free until all the competitors had been driven out of business and then they would start charging. This seems implausible to me, and contrary to Google's business model (give away services, make money from mining the use of those services). Google says it will appeal.


"This is the end of a two-year battle, a decision without precedent," said the lawyer for Bottin Cartographes, Jean-David Scemmama.


"We proved the illegality of (Google's) strategy to remove its competitors… the court recognised the unfair and abusive character of the methods used and allocated Bottin Cartographes all it claimed. This is the first time Google has been convicted for its Google Maps application," he said.


I wonder what Bottin Cartographes will do when OpenStreetMaps finishes producing high-quality, free, public domain maps of France that can be used to create APIs of the same scope and utility?

Episode 583 – Pentest Lessons, DNT for Google, 7-Step Program, Captcha Cracking Malware & Mobile Device Privacy Act

InfoSec Daily Podcast Episode 583 for February 1, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, and Varun Sharma.

Pentest Lessons:
Adam Compton and Zac Wagle should get credit for the "Pentest Lessons" idea. They also started a Twitter account: https://twitter.com/pentestlessons.

Lesson 1: When having a pentest performed, the customer should not disregard all alerts. While unlikely, an unrelated attack may still be happening.  When alerts occur during a pentest, the customer should always validate them against the pentester's IP addresses.

Lesson 2: When using an exploit during a pentest, only use trusted and tested exploits. Do NOT assume that the exploit you just downloaded is safe.

Lesson 3: When performing physical pentesting (sneaking in, bypassing security, picking locks, etc.) ALWAYS have a good GET OUT OF JAIL FREE CARD!
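As an added illustration of Lesson 1 (example code written for these notes, not from Compton and Wagle or the podcast): alerts raised during the engagement are checked against the source ranges the testers declared in the rules of engagement; attributed alerts are kept for comparison with the tester's report, and everything else goes to normal incident handling. The alert line format, the address ranges and the sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple, Union

# Source ranges the pentest team declared in the rules of engagement. These are
# constructed RFC 5737 documentation addresses, not a real engagement's ranges.
PENTEST_SOURCES = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "203.0.113.7/32")]

# Constructed IDS alert lines in a simple "<ts> <severity> <signature> src=<ip> dst=<ip>"
# shape (not a real sensor's format). One source sits just outside the declared /28.
SAMPLE_ALERTS = """\
2012-02-01T22:14:03Z HIGH ET SCAN Nmap SYN scan src=198.51.100.5 dst=10.0.0.12
2012-02-01T22:15:41Z MED  ET WEB SQLi attempt in URI src=203.0.113.7 dst=10.0.0.20
2012-02-01T22:16:02Z HIGH ET WEB SQLi attempt in URI src=192.0.2.44 dst=10.0.0.20
2012-02-01T22:17:55Z LOW  Brute force SSH src=198.51.100.200 dst=10.0.0.5
""".splitlines()

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+(?P<sig>.+?)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$"
)

Address = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_alert(line: str) -> Dict[str, object]:
    """Split one alert line into its fields. Malformed lines raise rather than
    being silently dropped, so nothing disappears from the triage."""
    match = ALERT_RE.match(line)
    if not match:
        raise ValueError(f"unparseable alert line: {line!r}")
    fields: Dict[str, object] = match.groupdict()
    fields["src"] = ipaddress.ip_address(match.group("src"))
    return fields


def is_pentest_source(addr: Address, ranges=PENTEST_SOURCES) -> bool:
    """True when the address falls inside one of the declared pentest ranges."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(ip in net for net in ranges)


def triage(lines: Iterable[str], ranges=PENTEST_SOURCES) -> Tuple[List[dict], List[dict]]:
    """Split alerts into those attributable to the pentest and those that are not.
    Attributed alerts are kept (they should match the tester's report); the
    unattributed ones may be a real, unrelated attack and get worked as usual."""
    attributed: List[dict] = []
    unattributed: List[dict] = []
    for line in lines:
        alert = parse_alert(line)
        bucket = attributed if is_pentest_source(alert["src"], ranges) else unattributed
        bucket.append(alert)
    return attributed, unattributed


def unattributed_summary(lines: Iterable[str], ranges=PENTEST_SOURCES) -> Dict[str, int]:
    """Count unattributed alerts by signature: the list an analyst works first."""
    _, unattributed = triage(lines, ranges)
    return dict(Counter(str(a["sig"]) for a in unattributed))
```

On the sample lines, two alerts come from declared tester addresses and two do not, including one from 198.51.100.200, which lies outside the declared /28 despite sharing its first three octets.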

Stories

Source: http://howto.cnet.com/8301-11310_39-57368016-285/how-to-prevent-google-from-tracking-you/


Much has been made of Google's new privacy policy, which takes effect March 1. If you're concerned about Google misusing your personal information or sharing too much of it with advertisers and others, there are plenty of ways to thwart Web trackers.


But what exactly are you thwarting? You don't become anonymous when you block tracking cookies, Web beacons, and the other identifiers as you browse. Your ISP and the sites you visit still know a lot about you, courtesy of the identifying information served up automatically by your browser.


The Electronic Frontier Foundation offers the Panopticlick service that rates the anonymity of your browser. The test shows you the identifiable information provided by your browser and generates a numerical rating that indicates how easy it would be to identify you based solely on your browser's fingerprint.


According to the entropy analysis explained by Peter Eckersley on the EFF's DeepLinks blog, 33 bits of entropy are sufficient to identify a person. According to Eckersley, knowing a person's birth day and month (not year) and ZIP code gives you 32 bits of entropy. Also knowing the person's gender (50-50, so one bit of entropy) gets you to the identifiable threshold of 33 bits.
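As an added illustration of the arithmetic above (example code written for these notes, not from the cnet article or the EFF): the 33-bit threshold is ceil(log2(world population)), bits from independent attributes add, and a Panopticlick-style score sums the surprisal of each browser attribute value against a frequency table. The population figure, the frequency table, the sample size and the attribute names below are constructed for the example, not data from the EFF study.

```python
import math
from typing import Dict

# Rough 2012 world population (constructed round number). It is where the
# article's "33 bits" comes from: ceil(log2(7e9)) == 33.
WORLD_POPULATION = 7_000_000_000


def bits_to_single_out(population: int = WORLD_POPULATION) -> int:
    """Whole bits of information needed to single out one person among `population`."""
    if population < 1:
        raise ValueError("population must be positive")
    return math.ceil(math.log2(population))


def surprisal_bits(probability: float) -> float:
    """Self-information, in bits, of observing a value with the given probability."""
    if not 0.0 < probability <= 1.0:
        raise ValueError("probability must lie in (0, 1]")
    return -math.log2(probability)


def uniform_bits(n_values: int) -> float:
    """Bits revealed by an attribute whose n_values options are equally likely:
    gender with two options gives 1 bit, as the article states."""
    return math.log2(n_values)


def combined_bits(attribute_bits: Dict[str, float]) -> float:
    """Under an independence assumption the bits from separate attributes add."""
    return sum(attribute_bits.values())


def identifiable(attribute_bits: Dict[str, float], population: int = WORLD_POPULATION) -> bool:
    """True when the known attributes carry at least the bits needed to single
    out one person in the population."""
    return combined_bits(attribute_bits) >= bits_to_single_out(population)


# Panopticlick-style scoring over a CONSTRUCTED frequency table: how many of
# SAMPLE_SIZE observed browsers reported each attribute value. Illustrative
# numbers only, chosen so the common values give whole bits.
SAMPLE_SIZE = 1_000_000
OBSERVED: Dict[str, Dict[str, int]] = {
    "user_agent": {"common-ua": 500_000, "rare-ua": 10},
    "timezone": {"-300": 250_000, "+60": 125_000},
    "screen": {"1366x768x24": 250_000, "1920x1080x24": 200_000},
    "plugins": {"none": 500_000, "flash+java": 50_000},
}


def fingerprint_bits(fingerprint: Dict[str, str],
                     observed: Dict[str, Dict[str, int]] = OBSERVED,
                     sample_size: int = SAMPLE_SIZE) -> float:
    """Sum the surprisal of each reported attribute value, treating attributes
    as independent. A value never seen in the sample is scored as if seen once,
    the most surprising case the table can support."""
    total = 0.0
    for attr, value in fingerprint.items():
        count = observed.get(attr, {}).get(value, 1)
        total += surprisal_bits(count / sample_size)
    return total
```

A browser made entirely of the most common values scores 6 bits here, while one rare user agent alone contributes more than 16, which is why Panopticlick weighs unusual attribute values so heavily.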


Prominent in the Google privacy policy are links to services that let you view and manage the information you share with Google. Some of this personal data you volunteer, and some of it is collected by Google as you search, browse, and use other services.


To view everything (almost) Google knows about you, open the Google Dashboard. Here you can access all the services associated with your Google account: Gmail, Google Docs, YouTube, Picasa, Blogger, AdSense, and every other Google property. The dashboard also lets you manage your contacts, calendar, Google Groups, Web history, Google Voice account, and other services.


More importantly, you can view and edit the personal information stored by each Google service, or delete the service altogether. To see which other services have access to the account's information, click "Websites authorized to access the account" at the top of the Dashboard. To block an authorized service from accessing the account, click Revoke Access next to the service name.


The Google Ads Preferences Manager lets you block specific advertisers or opt out of all targeted advertising. Click the "Ads on the web" link in the left column and then choose "add or edit" under "Your categories and demographics" to select the categories of ads you want to be served or to opt out of personalized ads.

….

Source: http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning


Microsoft has published a 7-step guide for cleaning malware off of an infected system.  This is a welcome contrast to Apple’s policy of denying that OS X could ever be infected in the first place.  The guide makes use of Microsoft’s Sysinternals suite of tools and serves as a good basis for removing infections from any system that you don’t want to reinstall.


“The guidance in IT Pro Advanced Techniques helps IT professionals investigate, analyze, and—when possible—remove malware from an infected computer. This guidance, intended for advanced users, helps IT professionals understand the impact of malware and create a rudimentary roadmap for cleaning infected computers. In addition, this effort provides the user more information about the internal operation of malware.


The guidance involves the use of several Windows Sysinternals tools, a suite of advanced diagnostics and troubleshooting utilities for the Windows platform available for download at no charge from the Microsoft Download Center.”

Source: http://searchsecurity.techtarget.com/news/2240114619/Cridex-Trojan-breaks-CAPTCHA-targets-Facebook-Twitter-users


A variant of a banking Trojan known as Cridex can communicate with a CAPTCHA-breaking server in order to establish malicious email accounts. Researchers at Websense Security Labs posted a video documenting how Cridex broke a CAPTCHA test and opened a Yahoo email account in six attempts.


The Cridex network grows as it infects new machines via malicious emails. The emails contain links to a Black Hole exploit kit, which attacks vulnerabilities in Web browsers and plug-ins. If successful, the kit downloads Cridex onto the machine.


“Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user,” according to the Websense Security Labs blog.


Cridex targets information from platforms like Facebook, Twitter and several online banking services. That data is then sent to a remote server.

Source: http://arstechnica.com/tech-policy/news/2012/01/mobile-device-privacy-act-would-prevent-secret-smartphone-monitoring.ars


Recent controversy sparked by the installation of monitoring software on millions of smartphones has led US Rep. Edward Markey (D-MA) to propose a requirement that carriers and phone makers inform consumers about the presence of monitoring software and gain their "express consent" before collecting and transmitting information from phones.

The controversy started a couple months back when a developer publicized the widespread use of Carrier IQ software, which phone manufacturers and carriers use to monitor what happens on a smartphone. While Apple, Samsung, HTC, AT&T and others all said the software is used only as a diagnostics tool to improve network and service performance, congressmen started denouncing the use of Carrier IQ, and class-action lawsuits were filed.

Episode 582 – DMARC, DHSBS, USB Fixers, Skyipot, & Chinese Hack Lawyers

InfoSec Daily Podcast Episode 582 for January 31, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Themson Mester and Dr. Bonez.

Announcements:

Unsung Heros

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… Chris John Riley has started to gather suggestions for your “unsung hero” of the tools world.  He is looking specifically to gather a list of tools that aren’t on every penetration tester’s or forensic investigator’s list, but that you have respect for.  http://blog.c22.cc/2012/01/13/unsung-heros

Information Security Blogger Awards 2012
Since we were overlooked again for the Best Podcast on Security, you can email ashimmy@hotmail.com with your name, email address and ISD Podcast as your write-in nominee.  Please note, you have to provide your blog or podcast URL so that it can be verified that you are a blogger or podcaster.  Vote for your favorite blogs as well on http://www.ashimmy.com.

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity is a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital ever since.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

Metasploit Framework Unleashed Cincinnati
When: February 11, 2012.
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC

Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

DerbyCon 2012 – "The Reunion"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source: http://news.cnet.com/8301-27080_3-57367842-245/antiphishing-standard-in-the-works-from-google-facebook-others/

Google, Facebook, Microsoft, Yahoo, PayPal and others are working together on a standard that can be used across the Internet for blocking phishing e-mails.

The 15 companies will announce DMARC.org on Monday. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, a system for verifying that e-mails are coming from legitimate companies and not from imposters trying to trick people into clicking a phishing link. Basically, the system offers a common way for companies to authenticate their legitimate communications with customers.

Also in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.
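The story above only names DMARC; as an added illustration (not code from the article or from DMARC.org), here is how a receiving mail server reads a domain's published DMARC policy and decides what to do with a message. The record syntax and defaults follow the DMARC specification; the sample record and domains are constructed, and relaxed alignment is approximated by a subdomain check rather than a full public-suffix lookup.

```python
import re

# Constructed sample of a DMARC TXT record as published at _dmarc.<domain>.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r")

TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict, applying the spec's defaults.

    Raises ValueError when the record is not DMARC1 or lacks a p= policy.
    """
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        m = TAG_RE.match(part)
        if not m:
            raise ValueError("malformed tag: %r" % part)
        tags[m.group(1).lower()] = m.group(2)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy: %r" % tags["p"])
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # DKIM alignment: relaxed by default
    tags.setdefault("aspf", "r")       # SPF alignment: relaxed by default
    tags.setdefault("pct", "100")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') also accepts a
    parent/child relationship (approximation of organizational-domain match)."""
    f, a = from_domain.lower(), auth_domain.lower()
    if f == a:
        return True
    return mode == "r" and (f.endswith("." + a) or a.endswith("." + f))


def evaluate(tags, from_domain, spf_pass_domain=None, dkim_pass_domain=None,
             is_subdomain=False):
    """Disposition for one message: 'pass', or the published policy.

    *_pass_domain is the domain that passed SPF / DKIM, or None on failure.
    DMARC passes if either check passed with an aligned identifier.
    """
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["sp"] if is_subdomain else tags["p"]
```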

Source: http://www.tgdaily.com/software-brief/61138-man-denied-entry-to-us-because-of-a-tweet

Apparently the Department of Homeland Security has nothing better to do than to monitor what vacationing tourists post on Twitter.

A 26-year-old bar manager by the name of Leigh Van Bryan, an Irish citizen, decided to take a trip to Los Angeles. Before he left, he wrote this message on Twitter:

"Free this week, for quick gossip/prep before I go and destroy America."

Then, to his surprise, when he arrived at LAX he was treated like a criminal, interrogated by government officials, and then forced to return home.

News reports compared the Twitter message to passengers who joke about having a bomb at the airport and are then escorted off the premises. But obviously, Bryan's message was not even a joke about violent activity.

Anyone with a normal sense of the English language would realize the context implied he was going to "tear it up" or go wild, you know, have a good time. For anyone to even think that was any sort of potential threat is ridiculous.

In another tweet, Bryan apparently wrote that while in LA he would be "diggin' Marilyn Monroe up," a reference to an episode of Family Guy.

Source: http://www.networkworld.com/research/2012/012712-how-to-prevent-thumb-drive-255414.html

For such a small device, the plastic, handheld USB flash drive can cause big security headaches. Even if you have robust end-point security and establish rigid policies about employee use of these drives, employees still find a way to copy financial reports and business plans for use at home. While other security breaches are more traceable, a flash drive is more difficult to monitor, especially after the employee leaves work.

Here we profile four organizations that have taken slightly different approaches to dealing with thumb-drive security to match the organizations' specific needs and policies.

1. City of Columbus. Approach: Uses Intelligent ID software to categorize files, and then assign a level of encryption on the fly.

2. Turkcell. Approach: Uses classification software from Titus that monitors Microsoft Office business documents and alerts users when they try to copy that data to a thumb drive.

3. CIGNA. Approach: Allows employees to copy encrypted data, but they are prompted to type in a reason why they're copying. The reasons are later compared to the actual file transfers.

4. University of Alabama, Birmingham Health System. Approach: Uses DeviceLock to monitor ports and encrypt data. Allows staff and students to use thumb drives at will, but all file transfers are monitored and recorded.

Source: http://www.symantec.com/connect/blogs/insight-sykipot-operations-0

The Sykipot campaign has been persistent in the past few months, targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier made up of a few letters followed by a date, hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used.

Here are some examples of the campaigns we have seen so far:

  • alt20111215
  • auto20110413
  • auto20110420
  • be20111010
  • chk20111219
  • chksrv20111122
  • easy20110720w
  • easy20110926n
  • good20110627
  • help20110908
  • help20110926
  • info20111025
  • info20111028
  • info20111031G
  • insight20111122
  • pretty20111101
  • pretty20111122
  • pub2011124x
  • server20111212
  • webmail20111122
  • world20111205

These campaign markers allow the attackers to correlate different attacks on different organizations and industries.
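The same marker format is just as useful to a defender: once a marker has been pulled out of a sample, the keyword and date let you tie it to other samples and reports. As an added example (not Symantec's code), the parser below splits markers of the form described above, rejects strings that do not carry a real YYYYMMDD date, and groups a set of markers by keyword and by month; the sample list is a subset of the markers quoted in the post.

```python
import re
from collections import defaultdict
from datetime import date

# Format described in the write-up: a short alphabetic keyword, an 8-digit
# YYYYMMDD date, and optionally a trailing letter (e.g. "easy20110720w").
MARKER_RE = re.compile(r"^(?P<keyword>[a-z]+)(?P<date>\d{8})(?P<suffix>[A-Za-z]{0,2})$")


def parse_marker(marker):
    """Split one campaign marker into (keyword, date, suffix).

    Returns None when the string does not fit the format, including when
    the eight digits are not a real calendar date.
    """
    m = MARKER_RE.match(marker)
    if not m:
        return None
    ymd = m["date"]
    try:
        d = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError:
        return None
    return m["keyword"], d, m["suffix"]


def group_markers(markers):
    """Return (by_keyword, by_month, unparsed) for a list of markers.

    Markers sharing a keyword or a month are candidates for correlation;
    anything that does not parse is reported rather than silently dropped.
    """
    by_keyword = defaultdict(list)
    by_month = defaultdict(list)
    unparsed = []
    for mk in markers:
        parsed = parse_marker(mk)
        if parsed is None:
            unparsed.append(mk)
            continue
        keyword, d, _ = parsed
        by_keyword[keyword].append(mk)
        by_month[d.strftime("%Y-%m")].append(mk)
    return dict(by_keyword), dict(by_month), unparsed


# Subset of the markers quoted above; "pub2011124x" is also from the post
# and has only seven digits, so it is expected to land in `unparsed`.
SAMPLE_MARKERS = ["alt20111215", "auto20110413", "auto20110420", "easy20110720w",
                  "info20111031G", "pretty20111122", "webmail20111122", "pub2011124x"]
```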

The attackers also left additional clues allowing us to gain insight into what appears to be a staging server that is used prior to the delivery of new binaries to targeted users. In addition, we were able to confirm that the server was also used as a command and control (C&C) server for a period of time as well. The server is based in the Beijing region of China and was running on one of the largest ISPs in China. Furthermore, on one occasion one of the attackers connected from the Zhejiang province. The server has hosted over a hundred malicious files from the past couple of months, many of which were used in Sykipot campaigns.

Source: www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html

China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.

Over a few months beginning in September 2010, the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board, according to Daniel Tobok, president of Toronto-based Digital Wyzdom. His cyber security company was hired by the law firms to assist in the probe.
