Announcements

EFF DEFCONtest

https://supporters.eff.org/civicrm/pcp/info?reset=1&id=42&ap=1

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: November 12-16, 2012

Where:  Bristol, UK

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Hacker Wars — The Movie

Ever wanted to participate in Live action Capture the Flag? Well here is your chance

What: This contest is modeled on so-called "penetration tests" which is when ethical hackers attempt to break in to a company's computer systems with the target's permission.  This is in an effort to find security problems before the bad guys do.  The contest won't just involve sitting at computers, it will also involve other typical activities: performing reconnaissance of physical facilities, surveillance of individuals, urban exploration, infiltration of buildings, and surreptitious contact with moles in the target organization.

http://www.kickstarter.com/projects/278183749/hacker-wars

Stories

Source:  http://www.infoworld.com/d/the-industry-standard/pc-users-admit-pirating-software-193218

Visitors to Wikipedia who see advertisements on the site have most likely fallen victim to a browser-based malware infection, Wikimedia Foundation, the organization operating the website, said on Monday.

"We never run ads on Wikipedia," said Philippe Beaudette, director of community advocacy for the Wikimedia Foundation, in a blog post. "If you're seeing advertisements for a for-profit industry … or anything but our fundraiser, then your web browser has likely been infected with malware."

One example of such malware is a rogue Google Chrome extension called "I want this," Beaudette said. However, similar malicious add-ons might also exist for Mozilla Firefox, Internet Explorer, and other browsers, he said.

This type of malicious software is known as click fraud malware and can target multiple websites at once. In addition to injecting ads into Web pages, such rogue extensions are also known to hijack search queries in order to earn their creators affiliate revenue, said Graham Cluley, a senior technology consultant at Sophos, in a blog post Tuesday.

Spotting this type of rogue behavior on Wikipedia is easier than on other websites because the site doesn't run any commercial advertisements. "We're here to distribute the sum of human knowledge to everyone on the planet — ad-free, forever," Beaudette said.

Wikipedia's operating costs are covered by donations. An online fundraiser is organized every year, and that's usually the only time a banner is displayed on the site's pages.

Users who are seeing commercial ads on Wikipedia should disable all their browser add-ons to determine if they are the source of the problem, Beaudette said.

…

Source:  http://news.cnet.com/8301-1001_3-57434047-92/why-best-buy-ceos-expressed-affection-for-employee-was-problem/

Brian Dunn gave Best Buy's board of directors plenty of reason to doubt that he was the man to engineer the company's comeback.

Dunn, 52, who resigned as CEO of the struggling electronics chain last month while the company was investigating his "alleged misconduct," was taken down by an "inappropriate relationship" with a 29-year-old female employee. That was the finding of investigators who were hired to look into the relationship and Best Buy released their report today.

The four-page audit included details about Dunn loaning the woman money, giving her use of a hotel room and sending her text messages in which he "expressed affection" for the employee (more on this later). According to Best Buy's report, Dunn and the woman deny their relationship was sexual or romantic.

Even if it was romantic, is that a big deal? Plenty of executives from powerful companies are married to former employees. But Best Buy's board claims a line was crossed, a threshold of credibility and honesty. That's the same line Hewlett-Packard's board of directors claimed Mark Hurd, its former CEO, also crossed two years ago.

In 2010, Hurd was pushed out at HP after he was accused of making unwelcome sexual advances towards a public-relations contractor, who was also a former actress and reality television star. Hurd was never accused of flaunting the relationship, but his other, more important relationship with HP's board of directors had soured so badly, he was forced to step down.

…

Source:  http://www.pcmag.com/article2/0,2817,2404504,00.asp

The Pirate Bay is under fire from an unknown attacker in a distributed denial of service (DDoS) strike that has lasted at least 24 hours.

In an early morning post to its Facebook page, The Pirate Bay announced that it was "under a quite big ddos attack."

"We don't know who's behind it but we have our suspicions," the post continued. "Once we've awaken our tech guru Winston Q we'll get on the issue." By 12:20pm, the site said it was "getting back up [and] stronger than ever," and pointed user to its list of proxies.

As of 2pm Eastern time, access to the site was still spotty.

The attack comes after ISPs in the U.K. and the Netherlands were ordered to block access to The Pirate Bay over copyright violations. In retaliation, the hacking group Anonymous struck out at Virgin Media, one of the U.K. ISPs ordered to block to the site, prompting The Pirate Bay to equate the move to censorship.

In a blog post, the team responsible for the Virgin Media attack – AnonAteam – wrote that it had "no involvement" in the DDoS attack on The Pirate Bay.

"It is not a legitimate protest for anyone to be involved with nor does it fall within our objectives," AnonAteam said. "Anyone involved in the attack should stop. It is our understanding Anonymous have no involvement in this attack."

Later in the day, The Pirate Bay said "we KNOW that it is NOT Anonymous who is behind the ddos attack."

As noted by TorrentFreak, "Pirate Bay downtime happens a handful of times each month, [but] it rarely persists for more than a few hours. When it goes beyond that the steady flow of reader emails to TorrentFreak quickly transforms itself into a torrent."

Alternate Sites:  http://pastebin.com/JVGDat6v

…

Source:  http://threatpost.com/en_us/blogs/kickstarter-data-breach-publishes-70000-startup-ideas-051512

An application programming interface (API) error on the popular Kickstarter crowdfunding website exposed the plans and descriptions of more than 70,000 yet-to-be launched projects.

The API bug exposed project descriptions, goals, durations, rewards, videos, images, locations, categories, and usernames for unlaunched projects.

In a statement, Kickstarter said that no account or financial data of any kind was made accessible by the exposure.

It is unlikely that casual users came into contact with any of the unlaunched project data, the company claims, because of the way the API was indexed on the site.

“For those who are unfamiliar, an API is a software interface that allows software to communicate with one another,” reads the statement. "It's not like a webpage that an internet user could point their browser to. It is a feed of data meant to be shared between software. The API in this instance is for Kickstarter's internal use.”

The bug was initially introduced during a site upgrade on April 24. It remained live until it was discovered and fixed at 1:42 PM Friday, May 11.

The company apologized in their statement, calling the bug "completely unacceptable."

The Wall Street Journal reported that Amazon Payments handles all of Kickstarters pledges and that the company never even sees user credit card or other billing information.

Kickstarter had to pull a video game start-up off the site earlier this month when it became clear that the project was a scam.

…

Source:  http://www.net-security.org/secworld.php?id=12935

If you are a user of any of the paid versions of Avira's various antivirus and security software and you have tried to update it/them in the last 24 hours, chances are that you're now sitting before a crippled PC, wondering what happened.

So what did happen?

Well, it seems that the new update makes the AntiVirProActiv component – not present only in the company's free offering – erroneously detect critical Windows processes as malware and automatically terminate them.

It also blocks other popular Microsoft and third party software, and sometimes even prevents Windows from booting at all.

It is unknown how many individuals and businesses were affected by the defective update but, according to Emil Protalinski, it seems to have been downloaded millions of times.

Avira's forums are heaving with users searching for a way to undo the damage, and the company is furiously working on a solution.

So far, they advise users to either temporarily disable the ProActiv component or to add an exception for every blocked application.

For those who can boot Windows only in safe mode, disabling ProActiv requires bringing up the Task Manager, opening a new task and typing “c:\program files\avira\antivir desktop\avconfig.exe”, then running it.

…

Source:  http://www.infoworld.com/d/the-industry-standard/pc-users-admit-pirating-software-193218

More than half of global PC users admit that they pirate software at least occasionally, contributing to a black-market economy estimated at $63.4 billion in 2011, up from $58.8 billion the previous year, according to a new survey from the Business Software Alliance.

The trade group, a leading advocate for stronger intellectual property rules and stricter enforcement practices, for the first time directly asked survey respondents how often they acquire pirated or not fully licensed software in its 2011 Global Software Piracy Study, the ninth installment of the annual report.

Of the 57 percent of survey participants who admitted to using illegal copies of software, 5 percent said they always use pirated software, 9 percent answered "mostly," 17 percent "occasionally," and 26 percent said they "rarely" do. Thirty-eight percent said they never install pirated software, while the remaining 5 percent said they didn't know or declined to answer.

"If 57 percent of consumers admitted they shoplift, authorities would react by increasing police patrols and penalties," Robert Holleyman, president and CEO of the BSA, said in a statement. "Software piracy demands a similarly forceful response — concerted public education and vigorous law enforcement."

The report pegged the overall global piracy rate at 42 percent, roughly the same as the 2010 mark, with much of that activity driven by surging PC usage in emerging markets, where BSA says piracy rates are considerably higher than in developed countries. Emerging countries received 56 percent of PC shipments last year, according to the BSA. In aggregate, users in emerging markets reported a piracy rate of 68 percent, compared to the average figure of 24 percent in mature markets.

….

[end]

Announcements

EFF DEFCONtest

https://supporters.eff.org/civicrm/pcp/info?reset=1&id=42&ap=1

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Hacker Wars — The Movie

Ever wanted to participate in Live action Capture the Flag? Well here is your chance

What: Thi contest is modeled on so-called "penetration tests" which is when ethical hackers attempt to break in to a company's computer systems with the target's permission.  This is in an effort to find security problems before the bad guys do.  The contest won't just involve sitting at computers, it will also involve other typical activities: performing reconnaissance of physical facilities, surveillance of individuals, urban exploration, infiltration of buildings, and surreptitious contact with moles in the target organization.

http://www.kickstarter.com/projects/278183749/hacker-wars

Stories

Source:  http://www.theglobeandmail.com/news/politics/cyber-spies-will-target-smartphones-tablets-csis-report/article2429242

Hand-held devices such as smartphones and tablets could be the next frontier for cyber-spies and other rogue players in the digital world, warns a newly declassified assessment from Canada's intelligence agency.

Opportunities for malicious hackers are growing as computer systems move from the back rooms of corporations and government agencies into the palms and laptops of employees, says the Canadian Security Intelligence Service assessment.

“New cyber attack tools and techniques will be developed in efforts to compromise Canadian public- and private-sector systems,” says the report, perhaps the agency's most ominous forecast to date on the perils of cyberspace.

“The cyber-related threat environment will evolve and become more complex, creating ever greater challenges for Canada within the context of national security.”

The 18-page CSIS report, Cyber Threats and Security: An Overview, was obtained by The Canadian Press under the Access to Information Act. Though heavily edited, the November 2011 assessment, originally classified top secret, is another sign of the intelligence service's growing interest in the dangers emerging from cyberspace.

Cyber threats posed by unfriendly states, groups and individuals “affect Canada's national and economic security,” says the report. “This has implications for its critical infrastructure, the operation of its public and private sectors, and its domestic and international interests.”

The computer systems that Canadians rely on every day to work and play also underpin key services including water treatment, and hydro and nuclear power plants, CSIS notes.

While there may be a variety of technical measures and procedures to secure information systems, the “weak point” remains the human being because he or she generally uses the technology “without understanding it,” says the report.

…

Source:  http://www.computerworld.com/s/article/9227155/Apple_ships_first_Leopard_security_update_in_nearly_a_year

Apple on Monday issued its first security-related update for OS X 10.5, or Leopard, in nearly a year, to disable long-outdated versions of Adobe's Flash Player.

Security Update 2012-003 does not patch any known vulnerabilities, but is instead a Leopard-specific version of what Apple released last week for OS X 10.6, or Snow Leopard, and the newer OS X 10.7, better known as Lion.

Like those updates, 2012-003 for Leopard removes versions of Flash Player older than 10.1.102.64. Adobe issued that edition of Flash in November 2010. It was also the final version Apple delivered to its customers before it stopped maintaining Flash.

Monday's update will not be installed on PowerPC-equipped Macs running Leopard.

On May 9, Apple disabled older copies of Flash Player on Snow Leopard and Lion using an update to Safari 5.1.7. Because that version of Apple's browser doesn't support Leopard, the company instead updated the operating system.

The newest version of Flash Player for Leopard is 10.3.183.19, which was released earlier this month. That newest version, which requires an Intel processor, can be downloaded from Adobe's website.

Also on Monday, Apple released a version of the Flashback malware removal tool designed for Leopard. Apple had offered the same tool to Snow Leopard and Lion users on April 12.

The Flashback seek-and-destroy tool was Apple's response to a massive campaign that exploited a Java vulnerability to infect hundreds of thousands of Macs.

Apple still maintains Java for users of Snow Leopard and Lion, but last patched the Oracle software for Leopard users in June 2011.

Unlike the Snow Leopard and Lion Flashback removal tool update, the one for Leopard said nothing about automatically disabling the Java plug-in used by browsers such as Safari, Chrome or Firefox.

…

Source:  http://arstechnica.com/apple/2012/05/apple-reportedly-asked-kaspersky-lab-to-analyze-os-x/

Apple is drawing upon the expertise of security researchers from Kaspersky Lab when it comes to security on OS X, according to Kaspersky CTO Nikolai Grebennikov. In an interview with Computing News, Grebennikov revealed that Apple had asked his firm to begin analyzing OS X in order to help improve its security. The request follows the recent high-profile Flashback scare, and shows that Apple is beginning to take steps to take OS X security more seriously.

"Mac OS is really vulnerable, and Apple recently invited us to improve its security. We've begun an analysis of its vulnerabilities, and the malware targeting it," Grebennikov told Computing News. "Our first investigations show Apple doesn't pay enough attention to security. For example, Oracle closed a vulnerability in Java, which was a target for a major botnet several months ago."

Following reports that more than a half-million Macs were infected by Flashback thanks to a then-unpatched Java vulnerability in OS X, Kaspersky Lab boldly told members of the media that "Mac OS X invulnerability" to malware is a myth. Although the statement generated grousing among the Mac-using community, it's true—security researchers have been arguing for years that Macs were only perceptibly "safer" because of their relatively low market share. It would only be a matter of time before attackers began focusing on the Mac, and Kaspersky argued last month that we have officially reached that point. "Market share brings attacker motivation," the firm said in April. "Expect more drive-by downloads, more Mac OS X mass-malware. Expect cross-platform exploit kits with Mac-specific exploits."

The fact that Apple is consulting Kaspersky now for help doesn't come as a huge surprise, though. As we have learned from our own sources, Apple often brings in outside firms to present and discuss ideas for OS X and iOS. Since Mac hardware is increasingly becoming a target for malicious attackers, it makes sense that Apple would take the input from firms like Kaspersky more seriously as it prepares to move forward with its next version of OS X, Mountain Lion. Although Mountain Lion will allow users to heavily restrict the origin of software installed on their machines for security purposes, attacks like Flashback don't necessarily need users to install anything in order to take advantage of vulnerabilities. (Flashback installed itself on victims' machines via Java after users visited infected WordPress websites.) As such, malware will likely continue to be a concern for Mac users.

Apple did not respond to our request for comment by publication time.

…

Source:  http://blogs.norman.com/2012/security-research/the-shiqiang-gang

In a series of blog posts our colleagues at Trend and AlienVault have detailed recent attacks on NGO’s, and how trojanized RTF files have been used as vehicles to plant various remote access trojans on unsuspecting users using the CVE-2012-0158 vulnerability.

In addition, they both mention that apparently stolen digital  certificates have been used to sign the trojan files. The certificates mentioned were both revoked April 20th:

Shenzhen Xuri Weiye Technology Co., Ltd.

VeriSign Class 3 Code Signing 2010 CA

‎serial no. 3893f13dd39fe088fdf54ee008ae38e1

Valid from 8. December 2011 to 8. December 2012

Revocation Date: Apr 20 18:02:03 2012 GMT

Quanzhou Xiegao Microwave Electronic Co., Ltd

Thawte Code Signing CA – G2

‎serial no. 382d08b7caf01c6b6434c35fe0445b83

Valid from 31. March 2012 to 1. April 2013

Revocation Date: Apr 20 08:57:47 2012 GMT

The Quanzhou Xiegao certificate contains a peculiarity, one that links that attack with many others, and has prompted us to dub the people responsible The Shiqiang Gang.

Digital code signing certificates are often complex. They contain  a lot more information that most people think of, and some which is not very visible up front. Some of this information is found in the SignerInfo structure, which contains important information like issuing Certificate Authority, the certificate’s serial number, and various hashes. It also contains the optional fields programName and moreInfo, where the latter is intended for storing a website link to more information about the signer. However, in this case there is no URL. Instead it says:

“identifierBegin:shiqiang:identifierEnd“.

According to Google, “shiqiang” means something like “Top Ten”. (I hope it does not mean anything nasty).

There’s no particular reason for that string to be there. It is probably an unintended result of reusing a build setup without fully sanitizing it. However, it is interesting to see what shows up once we start querying our malware databases for certificates containing this string:

…

Source:  http://pastebin.com/wamYsqTV

The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.

There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device.  Just give the magic, hard-coded password to get a root shell:

$ sync_agent ztex1609523

# id

uid=0(root) gid=0(root)

Nice backdoor, ZTE.

….

Source:  http://illuminat3.blogspot.ca/2012/05/breaking-th3j35t3r-patriot-hacker-to-be.html

Notorious patriotic hacker The Jester, dubbed "th3j35t3r" on Twitter, has reportedly been unmasked by a former colleague in the US Army.

The unnamed colleague (@cubespherical) uploaded what was claimed to be direct message exchanges via Twitter with the hacker, in which it is revealed how the two had met when they served in the US Special Operations Command (SOCOM).

The veracity of exchange cannot yet be verified.

In the exchange, Cubespherical said they knew The Jester because they had come to blows during their time in the military. They also claimed they knew The Jester had gone “toe-to-toe three times a week when [he] was on base”.

Cubespherical also tweeted a photo of a truck purportedly owned by The Jester.

@th3j35t3r sent you a DM. You should check it at your earliest convenience. In your interests.

— Smedley Manning (@cubespherical) May 12, 2012

In the message exchange, Cubespherical said they would publish the hacker's real identity and resume after they had acquired a donation of 20,000 bitcoinc for whistle-blower web site Wikileaks, an organisation The Jester has attacked by denial of service (DoS) and disparaged in a series of tweets.

“Jester's Real Life ID will be given up finally when this bitcoin address 15JDgkwFVXvuxCt66eUQ434ty3jrvwPfGe has 20K BTC (bitcoins),”  - Cubespherical's Twitter account.

About half of the donations would go to Wikileaks, while the remainder would help Cubespherical “hide”, they said.

Both The Jester's twitter account and blog entries have since been deleted.

However, Cubespherical had uploaded a HTML cache file of the Jester's tweets.

The Jester was known for launching DoS attacks against websites the hacker accused of spreading terrorist propaganda. The hacker had also built a DoS tool dubbed XerXes.

….

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Stories

Source:  http://www.h-online.com/security/news/item/Adobe-backs-down-will-release-patches-for-critical-holes-1574341.html

Adobe has announced – through changes to the security advisories it issued earlier this week – that it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Illustrator and Flash Professional, after previously advising users that they needed to buy the just-released CS6 versions of the applications.

The revised advisories retain the suggestion that users should upgrade but also now state, for example, "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available". Adobe has given no schedule for the availability of patches.

In the original 8 May advisories, the company had said only that users of these products would need to purchase the upgrade from the CS5 and CS5.5 versions to the, just shipping on 7 May, CS6 versions to close the critical holes they were detailing; a move that was seen as effectively charging for security fixes.

Adobe responded to that by saying that it did not believe that Photoshop was a target for attackers and that this was the reason why it did not create fixes for the versions that are two years and one year old, even though they are still on many stores' shelves and in use around the world.

…

Source:  http://securityaffairs.co/wordpress/5190/security/the-unknowns-hackers-revenge-in-the-name-of-security.html

Another group of hacker named The Unknowns has hacked several organizations, including NASA and the U.S. Air Force, and posted evidence of their actions. The complete list has been published in a message on PasteBin:

1. NASA – Glenn Research Center

2. US military

3. US AIR FORCE

4. European Space Agency

5. Thai Royal Navy

6. Harvard

7. Renault Company

8. French ministry of Defense

9. Bahrain Ministry of Defense

10. Jordanian Yellow Pages

In the message published on Pastebin the group has declared war to everybody, they promised hacks against “all the other websites out there,”. Very strange the proposal that the group sent to every company requesting to be contacted by them before they will be target of their attack, they are proposing to help potential victims to fix their potential vulnerabilities.

“Contact us before we take action and we will help you, and will not release anything…. It’s your choice now.”

…

Source:  http://sverigesradio.se/sida/artikel.aspx?programid=2054&artikel=5103862

The Swedish government has decided to pass a hotly debated law regulating the monitoring of phone and internet activity.

The law regulates how and when the police will be able to listen in on phone conversations and monitor internet activity.

According to the law, the police would be able to monitor people's activity on the internet and on the phone in secret, even before those people have been suspected of a crime.

The Social Democrats and the liberal parties are both in favour of the decision to pass the law, and agreed on the importance of being able to listen in on telephone conversations in crime and sexual abuse cases, as well as internet crime.

One of the most controversial issues regarding the new law is whether the police should have to right to crack down on petty internet crime. Jens Holm of the Left Party was one of the MPs who was critical of the law.

"In that case you would end up with the police being allowed to hunt down file-sharers, and then I think you've gone wrong", he told Swedish National Radio.

…

Source:  http://news.softpedia.com/news/US-Government-Issues-Two-New-Anti-Piracy-Warnings-for-DVD-and-Blu-Ray-269349.shtml

In case you were bored with the old FBI warning and anti-piracy notifications that you were presented with before the start of a movie, fear not. The US government issued a couple of brand-new copyright notices that are designed not only to inform users on the fact that piracy is illegal, but also to educate them.

United States authorities have been fighting a long battle against copyright infringers, shutting down their operations and putting many of them behind bars, but now they’ve decided to give movie studios a small present.

ArsTechnica informs that six major studios have already agreed to use the new notices in the motion pictures they sell on DVD and Blu-Ray.

The first new screen features both the FBI’s anti-piracy warning logo and the one of Homeland Security Investigations. It notifies the viewer that the unauthorized reproduction of the material is prohibited by the law, but it also highlights the $250,000 (190,000 EUR) fine and the 5-year prison sentence that awaits those caught pirating copyrighted works.

The second banner, the educational one, bears the logo of the National Intellectual Property Rights Coordination Center, along with a message that says “Piracy is not a victimless crime.”

The purpose of this message is apparently to make the user aware of the fact that many individuals and companies may suffer because of piracy.

According to US Immigration and Customs Enforcement (ICE) representatives, the new screens will be displayed after the previews, when the play button is hit. Each of them will remain on the screen for 10 seconds.

…

Source:  http://rt.com/usa/news/anonymous-us-doyon-world-219/

Businesses have suggested it. The government has all but confirmed it. And according to one alleged member, they both might very well be right. A hacker tied to Anonymous says the loose-knit collective may be the most powerful organization on Earth.

"The entire world right now is run by information,” Chris Doyon tells Postmedia News from an undisclosed location in Canada. “Our entire world is being controlled and operated by tiny invisible 1s and 0s that are flashing through the air and flashing through the wires around us. So if that’s what controls our world, ask yourself who controls the 1s and the 0s”

“It’s the geeks and computer hackers of the world,” says Doyon.

In a world where the most critical of information isn’t locked up in vaults but instead encoded in easily obtainable binary, Doyon says that crackers like those in Anonymous are in possession of some of the most powerful knowledge known to man.

Doyon, who is reported to be in his late 40s, was charged last year for partaking in a Distributed Denial of Service attack on the website for the county of Santa Cruz, California. Since February, however, he has resided in Canada after using what he says is the new “underground railroad” to escape persecution for alleged computer crimes in the States.

Authorities say that, under the handle of Commander X, Doyon acted as a ringleader of sorts of the Anonymous collective, an operation described by its own participants as one that lacks leadership altogether.

"If you are asking me if he's an activist and tried to change the world for better. Yes, he did. I don't know if that makes him a member of Anonymous, but he is certainly an activist working on social change for the betterment of mankind," his attorney, Jay Leiderman, told Cnet in September.

“Yes, I am immensely proud and humbled to my core to be a part of the movement known as Anonymous," Doyon reportedly told reporters upon leaving a California courthouse last year.

Regardless of if he can actually be linked to the organization — and to what degree — Doyon says that the group is capable of more than one might imagine.

“Right now we have access to every classified database in the US government. It’s a matter of when we leak the contents of those databases, not if,” says Doyon.

It wasn’t computer nerds slaving over codes to help crack the system uncover that info either, says Doyon.

“You know how we got access?” asks Doyon. “We didn’t hack them. The access was given to us by the people who run the systems. The five-star general (and) the Secretary of Defense who sit in the cushy plush offices at the top of the Pentagon don’t run anything anymore. It’s the pimply-faced kid in the basement who controls the whole game, and Bradley Manning proved that. The fact he had the 250,000 cables that were released effectively cut the power of the US State Department in half. The Afghan war diaries and the Iran war diaries effectively cut the political clout of the US Department of Defense in half. All because of one guy who had enough balls to slip a CD in an envelope and mail it to somebody.”

“There’s a really good argument at this point that we might well be the most powerful organization on Earth. The entire world right now is run by information,” he adds.

Doyon landed in hot water after he allegedly launched a DDoS attack against authorities the Santa Cruz website after the county imposed a ban on outdoor camping. According to authorities, Doyon engaged in the assault in December 2010, nearly a year before the Occupy Wall Street movement encouraged protestors to camp outdoors in public spaces from coast to coast. In September 2011 he was formally charged in the DDoS attack and fled to Canada five months later. Had he stayed in the US, he would have been prohibited from using social networking sites like Facebook and Twitter, as well as chatroom clients that connect to IRC networks.

"They've taken away my freedom of speech," he explained to the Santa Cruz Sentinel at the time.

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Stories

DerbyCon “Dropping the Deuce” courtesy of @jx666jx

Source:  http://www.tgdaily.com/security-features/63303-anonymous-takes-on-putins-russian-kremlin

Cyber activists associated with the Anonymous collective temporarily downed President Vladimir Putin's web site on Wednesday.



The activists said they were protesting the controversial renewal of Putin's presidential term for yet another six years, which has sparked a wave of demonstrations in Moscow's city streets.


The Kremlin's Internet security division responded to the above-mentioned pwnage by telling Reuters: "All the relevant departments are taking the necessary measures to counteract (such) attacks.


"This is routine work. There is always some external influence. Today we are witnessing a splash of activity (by the attackers) … (But) they failed to achieve their goal."

In other Anonymous related news, the Pirate Bay has gone on record as criticizing Anonymous for taking down the Virgin Media website over its blocking of the Pirate Bay file sharing site, as per a recent order from the U.K. High Court .

"We do NOT encourage these actions. We believe in the open and free Internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us," The Pirate Bay wrote on its Facebook page.



But @AnonAteam defended its decision to target the Bay.


"The attacks are not simply about facilitating access to the Pirate Bay website but to stop the type of order used to block your website being used as a precedent for further censorship on the Internet," AnonAteam wrote on Tumblr.

"The entire reason for the protest is to protect freedom of expression from being blocked without any form of judicial process. ISPs are the gateways to democracy in this technology age, to censor access to websites with such an abuse of the legal process, outside parliament our a Humans Right court is unlaw and an abuse of power."

…

Source:  http://reports.informationweek.com/abstract/21/8815/Security/research-2012-strategic-security-survey.html

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility and software development.

On the mobile device front, a full quarter of respondents say smartphones and tablets represent a significant threat to security. Loss or theft is IT’s greatest concern when it comes to mobile devices, a result unchanged from 2011.

It’s clear from our survey that organizations today take cloud security much more seriously than in the past. The percentage of respondents who conduct their own risk assessments of cloud providers jumped to 29% this year, from 18% in 2011. Even better news is that the percentage of companies that don’t bother with a risk assessment dropped by almost half compared to 2011.

The report drills into data on secure software development. This is an important component of a risk management practice because flaws and defects in software can be exploited by attackers. One recommendation is for organizations to invest in a secure software development life cycle. Only a third of our 946 respondents do so. That’s a number that needs to grow. For those that do use a secure SDLC, 33% rate it to be very effective.

This year’s report also delves into why you should pay more attention to access controls, the importance of user education, the benefits of collecting and analyzing security metrics, and the usefulness (or lack thereof) of cyber-breach insurance.

…

Source:  http://www.computerworld.com/s/article/9227067/Adobe_s_security_chief_praises_Apple_for_Flash_crippling_move

Adobe's head of security yesterday applauded Apple's move to block outdated versions of his company's Flash Player.

"We welcome today's initiative by Apple to encourage Mac users to stay up-to-date," said Brad Arkin, Adobe's senior director of security, products and services, in a post to the company's secure engineering blog.

Arkin was referring to Wednesday's update of Safari, Apple's browser, that patched four vulnerabilities and instituted a new feature that pulls out-of-date copies of Flash Player from the system, forcing users who want to view Flash content to upgrade to the current version of the browser plug-in.

Safari 5.1.7, which runs on OS X Snow Leopard and Lion, as well as on Windows XP, Vista and Windows 7, cripples any copy of Flash older than 10.1.102.64, which shipped in November 2010.

Safari alerts the user, then points him or her to Adobe's download site, where the latest version of Flash Player is available.

"A thank you to the security team at Apple for working with us to help protect our mutual customers," Arkin added.

Arkin's appreciation for Safari's Flash blocking stood in contrast to past disputes between Apple and Adobe over the media player.

In 2010, former Apple CEO Steve Jobs trashed Flash as unsuitable for mobile devices because it was slow, drained batteries and posed security problems.

…

Source:  http://www.computerweekly.com/news/2240150047/Cyber-attackers-increasingly-targeting-applications-research-shows

Web and mobile applications are the new frontiers in the war against cyber attack, according to the latest top cyber security risks report from Hewlett Packard.

The report reveals that SQL injection (SQLi) attacks on web applications have increased sharply from around 15 million in 2010 to more than 50 million in 2011.

In 2011, SQLi attacks represented the most popular technique used against web applications, with three times as many SQLi attacks than PHP file inclusion and cross-site scripting attacks combined.

"Good software should not introduce security vulnerabilities, yet 86% of web applications analysed had some kind of vulnerability," said Simon Leech, presales director, HP Enterprise Security.

Web application vulnerabilities account for 36% of all vulnerabilities, the report said, exacerbated by customisation and add-ons.

Static analysis revealed simple coding mistakes result in significant numbers of vulnerabilities, with 54% containing cross-site scripting flaws and 86% containing injection flaws.

"While not all code level vulnerabilities will be attacked, these can result in loss of compliancy or data sharing that can fuel attacks in other areas," the report said.

Dynamic analysis of the web applications in use showed 74% were vulnerable to cross-site scripting attacks and 12% were vulnerable to injection flaws.

The report said that while these numbers are smaller, they are not less risky, as vulnerabilities are difficult to detect and defend against without hindering business.

…

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where: Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Stories

Source:  http://www.zdnet.com/blog/security/apple-releases-os-x-lion-1074-fixes-filevault-password-bug/12046

Apple today released the OS X Lion v10.7.4 update, which among other things fixes the FileVault password bug. I broke the news about this security vulnerability over the weekend (see Apple security blunder exposes Lion login passwords in clear text). Here’s the introduction:

An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

Here are the details of Apple’s fix:

Login Window

Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3

Impact: Remote admins and persons with physical access to the system may obtain account information

Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.

The issue was noted by an Apple user almost three months ago on the Apple Support Communities forum, but nobody got back to him. When security researcher David Emery discovered it as well and posted his findings to the Cryptome mailing list, and then I wrote my report for ZDNet, the story blew up. Apple never got back to my request for comment. Still, the important thing is that the issue has been fixed. In my conclusion, I also wrote this:

Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.

So, patching is not enough. Make sure to change your passwords as well.

The FileVault bug aside, here’s the OS X 10.7.4 changelog:

• Resolve an issue in which the “Reopen windows when logging back in” setting is always enabled.

• Improve compatibility with certain British third-party USB keyboards.

• Addresses permission issues that may be caused if you use the Get Info inspector function “Apply to enclosed items…” on your home directory. For more information, see TS4040.

• Improve Internet sharing of PPPoE connections.

• Improve using a proxy auto-configuration (PAC) file.

• Address an issue that may prevent files from being saved to an SMB server.

• Improve printing to an SMB print queue.

• Improve performance when connecting to a WebDAV server.

• Enable automatic login for NIS accounts.

• Include RAW image compatibility for additional digital cameras.

• Improve the reliability of binding and logging into Active Directory accounts.

• The OS X Lion v10.7.4 Update includes Safari 5.1.6, which contains stability improvements.

…

Source:  http://nakedsecurity.sophos.com/2012/05/09/what-the-rtf-mac-and-windows-users-at-risk-from-boobytrapped-documents/

In the mid-1990s, the emergence of Word macro viruses – capable of infecting both Windows PCs and Apple Macs via Word documents – it was common practice to recommend users avoid sharing .DOC files and use Rich Text Format (.RTF) files instead.

The reasoning was that Rich Text Format didn't support the macro language that Microsoft had embedded inside .DOC files, and so it was a much safer way to share information in the office.

The latest batch of security bulletins issued by Microsoft, however, underline the importance of not thinking that any security advice should be written permanently in stone.

Microsoft has warned Windows and Mac users that they could be at risk from boobytrapped RTF files if they leave their copies of Microsoft Office unpatched:

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In shorthand that means a malicious attacker could send you a poisoned RTF file, and the simple act of you opening it in MS Word on a Windows or Mac computer could allow them to run malicious code. Potentially, for instance, they could open a backdoor that could allow them to gain remote access to your files or install further malware.

…

Source:  http://www.wbtv.com/story/18245250/unc-charlotte-350000-social-security-numbers-exposed-during-internet-breach

University officials at UNC Charlotte say they now know exactly what was exposed during an Internet breach earlier this year.

School officials alerted students and staff in mid-February that online security breach hit the Charlotte-based college campus. They discovered the breach in January but told WBTV they waited to inform students until they knew more.

An investigation into the incident shows that financial account numbers and approximately 350,000 social security numbers were included among the exposed data.

The exposure has been remediated, officials say, and the University is acting to alert people who may have been affected by this exposure. University staff discovered the exposure.

"I think that's really scary. It makes me feel unsafe to think my information could be out there and that somebody could take my credit and do what they want to with my social security," said student Jennifer Affinito.

Due to a system misconfiguration and incorrect access settings, a large amount of electronic data hosted by the University was accessible from the Internet.

There were two exposure issues, one affecting general university systems over a period of approximately three months, and another affecting the University's College of Engineering systems over a period exceeding a decade.

The University has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime.

The exposed data involved people connected to the University, and included names, addresses, social security numbers, and/or financial account information provided in association with transactions with the University.

"We're still investigating as to how it came to be," said Stephen Ward, a spokesman with UNCC.

The University involved state and federal regulatory and law enforcement agencies to assist in determining how to proceed, and acted upon their advice. The University continues to monitor the situation carefully and has increased its internal review procedures to watch for any unusual activity.

The university created a website where it will post information and have setup a phone hotline at 855-205-6937 (toll-free).

…

Source:  http://threatpost.com.mx/en_us/blogs/dutch-government-asks-87-reimburse-diginotar-debacle-050912

The Dutch government has asked DigiNotar, the Dutch certificate authority that was broken into last summer, for €8.7 million ($11M USD) to recoup money it spent buying new certificates, according to several Dutch news reports. The Dutch interior ministry asked for €1 million in January, yet the number “has now risen to €8.7 million,” according to the company’s curator Rocco Mulder in an interview with Dutch news site nu.nl.

Mulder stressed however that there’s very little of the company left to seize after it was forced to declare bankruptcy late last fall. Diginotar ceased operations, suspended its certificate business and since then, has been managed by a court-appointed trustee and bankruptcy judge.

Mulder argues that it was the decision of the Independent Post and Telecommunications Authority of the Netherlands (OPTA) that led to the downfall of Diginotar. Mulder claims OPTA acted too fast in suspending the company’s certificates and was heavily swayed by Fox-IT, a consultancy whose audit report on Diginotar detailed the attack and its effects.

Diginotar first made headlines in August after it had falsely issued an SSL certificate for Google to a third party. Additional forged certificates for Mozilla, Yahoo, WordPress and the Tor Project later surfaced, making it clear the authority had been breached earlier that summer.

Diginotar’s parent company, VASCO Data Security International, eventually admitted its CA infrastructure had been compromised that July and the company halted issuing SSL certificates soon after.

…

Source:  http://www.esecurityplanet.com/hackers/teen-teamp0ison-hacker-arrested-in-uk.html

Police have arrested a 17-year-old suspected spokesman for Team Poison, a hacking group that has claimed responsibility for a series of high-profile cyber-attacks.

The boy was arrested on Wednesday in Newcastle in connection with alleged computer misuse offences, London's Metropolitan Police said.

"The suspect, who is believed to use the online 'nic' (nickname) 'MLT', is allegedly a member of and spokesperson for TeaMp0isoN ('TeamPoison')," Scotland Yard said in a statement.

"He has been taken to a local police station for interview. Computer equipment has been seized and is undergoing a detailed forensic examination."

Team Poison, believed to be behind cyber-attacks on Facebook founder Mark Zuckerberg and the Facebook page of outgoing French President Nicolas Sarkozy, "has claimed responsibility for more than 1,400 offences", the statement added.

These offences include "denial of service and network intrusions where personal and private information has been illegally extracted from victims in the UK and around the world," police said.

Scotland Yard itself came under attack from Team Poison last month, when the group uploaded a four-minute recording of conversations between staff manning Britain's confidential anti-terrorist hotline to YouTube.

Police admitted the recordings were genuine, but insisted they were not obtained through hacking and that their internal communication systems were secure.

…

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Pentest Lessons

1. If you identify a vulnerability and the exploit can and most likely will result in a DoS.  Don’t try it without ensuring that DoS are allowed in the Statement of Work.

2. If you’re going to perform brute-forcing, make sure that this allowed in the Statement of Work.  Remember, a low threshold for account lockouts can result in you accidentally locking accounts by just simply using an nmap script or Nessus plugin.

3. Watch you language!  Swearing or cursing in front of a customer not only makes you look unprofessional, but it calls into question everything that you do.

4. When traveling, often times the most difficult and stressful thing that you encounter is trying to get the customers site.  Finding out that you don’t have the Point of Contact (POC) name nor customer’s address when you’re driving is probably less than optimal.  Always make sure that you have this information written down so that if something happens you can still get to where you need to go.

Stories

Source:  http://mashable.com/2012/05/08/twitter-hacked-accounts/

Hackers claiming to be affiliated with the hacktivist group Anonymous claimed this week to have accessed and published the details of about 55,000 Twitter accounts.

But Twitter said Tuesday those claims are largely bogus, and that the group mostly posted duplicate information or username and password information for suspended spam accounts.

An anonymous Pastebin user posted five extremely long pages of alleged Twitter usernames and passwords to the text storage site on Monday. (Here are pages one, two, three, four and five.) The hacking news aggregator Airdemon.net reported the supposed breach on Tuesday, beginning to fuel speculation around the web of a massive successful attack on Twitter’s servers. Airdemon said celebrity accounts were among those compromised, and also claimed to have information from a “Twitter insider” confirming the attack.

Responding to a Mashable comment request Tuesday afternoon, however, a Twitter representative debunked the notion of a hugely successful breach but said the company is still investigating the situation.

The list of accounts posted to Pastebin contains more than 20,000 duplicates and information for many spam accounts that have already been suspended, a spokesperson told Mashable in an email. Furthermore, Twitter says, many of the usernames and passwords do not in fact appear to linked to one another, rendering them essentially useless.

Twitter has sent out password resets to accounts that may have been affected and encourages other concerned users to visit the network’s Help Center to change their passwords and review security settings.

…

Source:  http://keranews.org/post/bill-would-have-businesses-foot-cost-cyber-war

Business executives and national security leaders are of one mind over the need to improve the security of the computers that control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure. But they divide over the question of who bears responsibility for that effort.

The disagreement stands as an obstacle to passage of major cybersecurity legislation backed by Sens. Joe Lieberman of Connecticut and Susan Collins of Maine, among others.

Many intelligence and security officials who worked under President George W. Bush, as well as those serving under President Obama, are backing stricter government regulation of cybersecurity, a key part of the Lieberman-Collins legislation. Business leaders, however, generally oppose those provisions.

"The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security," says Larry Clinton, president of the Internet Security Alliance, an association of major U.S. companies with interests in the cybersecurity debate.

It's a concern not shared by Stewart Baker, a top cybersecurity official in the Bush administration who says he generally holds pro-business and anti-regulation views. "I see a big conflict between the desire to avoid regulation and the desire to protect national security," Baker says. "I come down on the national security side of that debate."

…

Source:  http://www.net-security.org/secworld.php?id=12894

The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms.

BFF performs mutational fuzzing on software that consumes file input. It automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes.

The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

Traditionally fuzzing has been very effective at finding security vulnerabilities, but because of its inherently stochastic nature results can be highly dependent on the initial configuration of the fuzzing system. BFF applies machine learning and evolutionary computing techniques to minimize the amount of manual configuration required to initiate and complete an effective fuzzing campaign.

BFF adjusts its configuration parameters based on what it finds (or does not find) over the course of a fuzzing campaign. By doing so it can dramatically increase both the efficacy and efficiency of the campaign. As a result, expert knowledge is not required to configure an effective fuzz campaign, and novices and experts alike can start finding and analyzing vulnerabilities very quickly.

Some of the specific features BFF offers are:

• Minimal initial configuration is required to start a fuzzing campaign

• Minimal supervision of the fuzzing campaign is required, as BFF can automatically recover from many common problems that can interrupt fuzzing campaigns

• Uniqueness determination through intelligent backtrace analysis

• Automated test case minimization reduces the effort required to analyze results by distilling the test case to the minimal changes to the input data required to induce a specific crash

• Online machine learning applied to fuzzing parameter and input file selection to improve the efficacy of the campaign

• Distributed fuzzing support

• Crash severity / exploitability triage.

…

Source:  http://news.techworld.com/personal-tech/3356559/virgin-media-hacked-by-supporters-of-pirate-bay

Virgin Media suffered a DDoS (distributed denial of service) attack on its website at the hands of The Pirate Bay supporters yesterday.

The Virgin Media website was taken down during the DDoS attack, which lasted one hour from 5pm last night.

It is believed that the attack occurred as a protest against the internet service provider (ISP) blocking users’ access to the file-sharing website since 2 May, following a High Court order.

A Virgin Media spokesperson said: “Our website, virginmedia.com, has been the subject of denial of service attacks so we took the site offline for a short period of time.

“We’re aware some groups are claiming the attacks are a result of the recent High Court order which requires ISPs to prevent access to the Pirate Bay.”

It added: “As a responsible ISP, Virgin Media complies with court orders, but we strongly believe that tackling the issue of copyright infringement needs compelling legal alternatives, giving consumers access to great content at the right price, to help change consumer behaviour.”

On its Facebook page, The Pirate Bay has released a statement condemning the Virgin Media hack.

“Seems like some random Anonymous groups have run a DDoS campaign against Virgin Media and some other sites,” it said.

“We do NOT encourage these actions. We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.

“So don’t fight them using ugly methods. DDoS and blocks are both forms of censorship.”

Instead, it suggested, fans of The Pirate Bay should protest by starting a tracker, arranging a manifestation or “teaching friends the art of bittorent”.

…

Source:  http://nakedsecurity.sophos.com/2012/05/09/google-gets-funky-new-license-plate-from-nevada-dmv

The Department of Motor Vehicles (DMV) in Nevada, USA, has issued its first-ever official Autonomous Vehicle Testing number plates to a Google self-driving car.

The rego reads ∞AU001, in yellow and white characters on a bright red background.

According to the Nevada DMV, "the infinity symbol was the best way to represent the 'car of the future.'"

But that optimistic statement is offset in the DMV's press release by the additional observation that "the unique red plate will be easily recognized by the public and law enforcement."

With that in mind, perhaps an exclamation point, or !, might have been a better choice than infinity?

(Google would no doubt have objected. After all, the exclamation point is rather alarmingly known in British English as the "shriek", and even more disturbingly in American English as the "bang".)

Well done to Google's engineers – even though the red colour denotes that the vehicles are still plated for testing purposes. Only when the plates are issued in green will the vehicles have been licensed for sale to and use by the public.

Sadly, Google's autonomous vehicles aren't yet able to renew their own registrations online.

…

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://www.telegraph.co.uk/technology/picture-galleries/8600909/Dying-technology-modern-hardware-thats-on-the-way-out.html?image=11

1. Blackberry’s

2. Video and digital cameras

3. MP3 Players

4. eReaders

5. Physical Storage Media

6. Keyboards

7. Cables

8. Newspaper

9. Televisions *

10. Landlines

11. Fax Machines

12. Keys

…

Source:  http://news.cnet.com/8301-13579_3-57429285-37/apple-launches-ios-5.1.1-to-address-bugs/

Apple has launched an update to its iOS platform.  The company's iOS 5.1.1 update comes with bug fixes for AirPlay video playback and the "Unable to purchase" error message popping up after users buy something from their device. In addition, Apple fixed a bug that prevented the new iPad from switching between 2G and 3G networks.

Apple's iOS 5.1.1 update comes just a couple of months after the company revealed iOS 5.1. That update delivered a host of new bug fixes, a few interface tweaks, and even a hint that the next iPhone could come with 4G LTE support. Some reports suggested the operating system version also improved the platform's battery life.

iOS 5.1.1 is available now as a free download. Current iOS 5 users can head over to their General > Software Update pane to install the new software.

…

Source:  http://techcrunch.com/2012/05/07/mac-lion-security-passwords/

As you may have seen over the weekend, someone has discovered a security hole in FileVault, which arose with the OS X Lion security update, version 10.7.3, back in February: FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.

The hole was apparently spotted by someone back in February, although it was most publicly first pointed out by security consultant David Emery on the Cryptome blog a few days ago and the rest of the blogosphere has run with it.

Now, it appears that the problem could be bigger than previously thought: it turns out that the developer who first noticed the hole back in February has discovered that it exists outside of FileVault, too, with at least one other company’s security encryption software, Lion VM, from VMWare Fusion, showing the same behavior.

From earlier this morning, he wrote, in answer to his own thread started in February:

I’m not sure if I can support the assumption that this is an error in filevault.

I’ve just tried logging in as an network user in an newly setup and updated Lion VM (VMware Fusion) and run into the same behavior. Filevault was never active on this system.

Can someone with the following environment please verify:

- OpenDirectory users with Network Home on AFP

- Lion (10.7.3) Clients

- Snow Leopard or Lion Server

Steps:

- Setup a new machine, or use one that never had filevault enabled

- Login as a (unprivileged!) network user with a Network Home on an AFP share

- logout, login as an admin user

- Check “Console” for log messages containing the string “_premountHomedir”

Please help to get to the bottom of this!

The security hole, as it exists in Apple’s own FileVault (and potentially other) encryption software, means that passwords for the encrypted part of a person’s computer are revealed in plain text to a user who knows where to look. As Sophos’ Naked Security blog notes:

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

That is yet another reminder of how, although we hear a lot about passwords needing to be   cryptic enough, ultimately if the encryption falls down on implementation, those passwords will be useless anyway. “How products store, manage and secure keys and passwords is the most common failure point in assuring data protection,” Chester Wisniewski of Sophos points out.

The advice he gives is to upgrade to a full-disc solution, such as FileVault 2 or another, and also to change your passwords if you’re a FileVault user.

…

Source:  http://www.thejakartapost.com/news/2012/05/08/chinese-hackers-steal-private-data-760-firms.html

China-based hackers are reportedly targeting US-based Google Inc and Intel Corp.  An attack hackers launched on iBahn could help them access secret e-mails, even encrypted ones, according to a US senior intelligence official familiar with the matter.

As many as 760 companies have had their data accessed by hackers through iBahn, which runs broadband business and provides entertainment access for guests of Marriott International Inc’s global network and other hotel chains, as well as for multinational companies that hold meetings in the hotels.

Internet security company Trustwave Corp SpiderLabs chief Nick Percoco said what was more concerning was that hackers might have used the iBahn system as a stepping stone to connect to companies linked to the system by creating a “secret backdoor” through employees who had stayed in one of the hotel chains.

Companies were not the only target over the past decade, he said, but also research universities, internet providers and government institutions. Among the victims are Research in Motion Ltd (RIM), Boston Scientific Corp and other innovative companies in the military, semiconductor, pharmaceutical and biotechnology sectors, according to Bloomberg data.

According to Bloomberg, the espionage industry has become an integral part of the Chinese government’s economic policy.

…

Source:  http://www.net-security.org/secworld.php?id=12877

Oculis Labs released results from its “Government Worker Privacy” survey on privacy risks for mobile workers. 104 people were randomly surveyed at this year’s FOSE conference and exposition in Washington D.C., and of those surveyed, 62 percent are concerned about others looking at their displays while 63 percent admit to having looked at other people’s displays.

While it is no surprise that almost everyone (98 percent) claims that privacy is important to them, an astonishing 82 percent of government employees have no security system for protecting their computer screens.

The survey found that 69 percent of respondents use their computers in public places to view sensitive information. In fact, most respondents indicated they work with multiple types of sensitive information.

Fifty-seven percent stated that they work with financial/credit card data; 18 percent work with For Official Use Only (FOUO) information (this is primarily used by the United States Department of Defense as a handling instruction for Controlled Unclassified Information); 18 percent work with human resources data and 19 percent work with classified information.

While protecting data on computers is top of mind for everyone, most organizations are focused on conventional security technologies such as anti-virus software, personal firewalls and spam filters. The WikiLeaks episode clearly revealed one crucial fact – the government did not have adequate protections on sensitive data, and the status quo of traditional security tools and official policy could not stop a breach.

Besides tightening up controls on removable media, WikiLeaks underscores the need for the government to start looking at a system the way an attacker does – by looking for the weakest links. The majority of breaches are made through social engineering attacks that start with simple observation. Adversaries, especially insiders, start by observing computer screens surreptitiously to launch their attacks.

…

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012   

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://nakedsecurity.sophos.com/2012/05/06/apple-update-to-os-x-lion-exposes-encryption-passwords/

Apple's had a rough time lately on the security front. Last month it was caught out having delayed the release of a security update for Java, resulting in more than 600,000 Macs being recruited into a botnet. Now a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed.

On Friday, David Emery posted to an encryption mailing list disclosing this flaw in the latest OS X Lion security update, 10.7.3, which was released in February.

It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

To my knowledge, this only applies to users of Snow Leopard who used the FileVault encryption option for their home directories. It does not impact users of FileVault2 who have turned on Apple's full disk encryption, nor does it impact users who did not upgrade from Snow Leopard.

The best course of action is to implement a full disk encryption solution like Sophos SafeGuard for Mac or Apple's included FileVault 2.

…

Source:  http://www.theregister.co.uk/2012/05/06/social_network_spam/

Cybercrims have quit pouring barrels of spam into email inboxes in favour of hassling marks on social networks as an easier way to make money.

The dismantling of remote-controllable armies of compromised PCs, the collapse of some shady affiliate advertising networks, and better spam-filtering technology have all resulted in a decrease in traditional email spam delivery.

However, dodgy messaging to promote sites selling knock-off goods, pills to enhance performance beneath the sheets, and other tat, has only been displaced rather than destroyed. Twitter and Facebook have both become primary conduits for spam in the process – and the messages sent usually look far more convincing.

Paul Judge, chief research officer at Barracuda Networks, said that one in 100 tweets on Twitter and one in 60 messages on Facebook were either spam or malicious. The switch from email was an obvious move for crooks because social networks are where the majority of internet users spend their time, Judge told delegates at Barracuda's technical conference in Munich on Friday.

"Wherever users are attackers will follow," he explained.

Judge described automated tools used to set up fake accounts on Facebook. These accounts use like-jacking (a form of click-jacking), among other techniques, to trick users into landing on pages that promote survey scams, earning miscreants affiliate revenue in the process. The nuisance level created by fake accounts is not in proportion to their actual number, which Judge admitted was hard to quantify. He compared the situation to the early days of email spam.

"Tools are available to automatically generate a profile and make it look like a real user by adding likes and places of education attended, for example," Judge explained. Fake profile are very different from legitimate profiles: 97 per cent of fakes are female, compared to 40 per cent of the real population on Facebook, and 58 per cent claim to be bisexual females, compared to 6 per cent of the real female users of the social network who say they like both men and women. Fake profiles also tend to have "more friends", 726 on average compared to the 130 average for the general Facebook population.

…

Source:  http://www.infosecisland.com/blogview/21238-Symantec-Targeted-in-Source-Code-Extortion-Scheme.html

Symantec was the target of an unsuccessful extortion scheme devised by an unknown group on Friday, May 4th.

The extortionists, who go by the name "l3g4nd crew", claimed to be in possession of the complete source code for the company's Norton antivirus product.

In a Pastebin posting, the group threatened to release the code today if Symantec did not engage in negotiations and succumb to a demand for a monetary payoff.

The original Pastebin posting also contained a sample of code, but the page is no longer avalable.

The following Pastebin post, which was still present at the time this article was written, contains a copy of the extortion threat, but no sample of code:

Dear Symantec officials,

We would like to inform you that we finally exploited Norton internet security 2012, this exploit made an error in Norton and by mistake exposed its FULL SOURCE CODE, we then checked it several time to be sure, also we would like to tell you that you fool highness inserted a lot of sensitive information in the code, we actually disclosed the top secret virus protection technique of Symantec Norton 2012 and we will be publishing it on Monday unless we had a little t$lk, the source code will also be published on several paste websites including this site, and also for informational reasons the source code  will be identified by this hashed title:

"bDNnNG5kQHlhaG9vLmNvbQ=="   

search pastebin.com on Monday for it if Symantec didn't just give me the demand$.

l3g4nd crew. our email : l3g4nd@yahoo.com to discus about th$.

Infosec Island editors contacted Symantec officials last Friday and provided them with the link to the Pastebin post after becoming aware of the scheme by way of a Google Alerts notification.

x“Symantec’s internal information security team has analyzed the code that was posted and has determined it is NOT Symantec source code," Cris Paden, Sr. Manager for Corporate Communications at Symantec, said in an email statement provided to Infosec Island.

"Without disclosing our process of testing and tip our hand to hackers for a continued possible workaround, our team has determined, in effect, the program/code in question is a DOS batch file, i.e., a utility, designed to keep Microsoft Office 2010 in a perpetual trial mode.  More information can be found at:  http://forums.mydigitallife.info/threads/23462-IORRT-The-Official-Office-2010-VL-Rearm-Solution," Paden said.

…

Source:  http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies

A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.

At least three confidential "amber" alerts – the second most sensitive next to "red" – were issued by DHS beginning March 29, all warning of a "gas pipeline sector cyber intrusion campaign" against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago – and may also affect Canadian natural gas pipeline companies – is continuing.

That fact was reaffirmed late Friday in a public, albeit less detailed, "incident response" report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls, Idaho. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.

The ICS-CERT is charged with helping secure the nation's industrial control systems – computerized systems that open and close valves, switches, and factory processes vital to the chemical, industrial, and power sectors. Their "fly away" teams visit factories, power plants, and pipeline companies to investigate cyber intrusions.

"ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies," the confidential April 13 alert warns. "Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today."

Safeguarding industrial control systems from cyber attack is a major point of debate right now in Congress, which has been wrangling over whether to grant the federal government authority to require that vital sectors like the electric utility, oil and gas, and chemical industries meet certain levels of cyber security.

Approximately 200,000 miles of these interstate natural gas transmission pipelines in the US supply 25 percent of the nation's energy. Pipeline safety has been a major issue in recent years, highlighted by the San Bruno, Calif. pipeline explosion that killed eight people and destroyed 38 homes in the Bay Area in September 2010.

In Friday's public warning, ICS-CERT reaffirms that its "analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source." It goes on to broadly describe a sophisticated "spear-phishing" campaign – an approach in which cyber attackers attempt to establish digital beachheads within corporate networks.

…

Source:  http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/

The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.

In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.

The FBI general counsel's office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.

"If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding," an industry representative who has reviewed the FBI's draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.

The FBI's proposal would amend a 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, that currently applies only to telecommunications providers, not Web companies. The Federal Communications Commission extended CALEA in 2004 to apply to broadband networks.

"Going Dark" timeline

June 2008: FBI Director Robert Mueller and his aides brief Sens. Barbara Mikulski, Richard Shelby, and Ted Stevens on "Going Dark."

June 2008: FBI Assistant Director Kerry Haynes holds "Going Dark" briefing for Senate appropriations subcommittee and offers a "classified version of this briefing" at Quantico.

August 2008: Mueller briefed on Going Dark at strategy meeting.

September 2008: FBI completes a "high-level explanation" of CALEA amendment package.

May 2009: FBI Assistant Director Rich Haley briefs Senate Intelligence committee and Mikulsi staffers on how bureau is "dealing with the 'Going Dark' issue.'" Mikulski plans to bring up "Going Dark" at a closed-door hearing the following week.

May 2009: Haley briefs Rep. Dutch Ruppersberger, currently the top Democrat on House Intelligence, who would later co-author CISPA.

September 2008: FBI staff briefed by RAND, which was commissioned to "look at" Going Dark.

November 2008: FBI Assistant Director Marcus Thomas, who oversees the Quantico-based Operational Technology Division, prepares briefing for President-Elect Obama's transition team.

December 2008: FBI intelligence analyst in Communications Analysis Unit begins analysis of VoIP surveillance.

February 2009: FBI memo to all field offices asks for anecdotal information about cases where "investigations have been negatively impacted" by lack of data retention or Internet interception.

March 2009: Mueller's advisory board meets for a full-day briefing on Going Dark.

April 2009: FBI distributes presentation for White House meeting on Going Dark.

April 2009: FBI warns that the Going Dark project is "yellow," meaning limited progress, because of "new administration personnel not being in place for briefings."

April 2009: FBI general counsel's office reports that the bureau's Data Interception Technology Unit has "compiled a list of FISA dockets… that the FBI has been unable to fully implement." That's a reference to telecom companies that are already covered by the FCC's expansion of CALEA.

May 2009: FBI's internal Wikipedia-knockoff Bureaupedia entry for "National Lawful Intercept Strategy" includes section on "modernize lawful intercept laws."

May 2009: FBI e-mail boasts that the bureau's plan has "gotten attention" from industry, but "we need to strengthen the business case on this."

June 2009: FBI's Office of Congressional Affairs prepares Going Dark briefing for closed-door session of Senate Appropriations subcommittee.

July 2010: FBI e-mail says the "Going Dark Working Group (GDWG) continues to ask for examples from Cvber investigations where investigators have had problems" because of new technologies.

September 2010: FBI staff operations specialist in its Counterterrorism Division sends e-mail on difficulties in "obtaining information from Internet Service Providers and social-networking sites."

FBI Director Robert Mueller is not asking companies to support the bureau's CALEA expansion, but instead is "asking what can go in it to minimize impacts," one participant in the discussions says. That included a scheduled trip this month to the West Coast — which was subsequently postponed — to meet with Internet companies' CEOs and top lawyers.

A further expansion of CALEA is unlikely to be applauded by tech companies, their customers, or privacy groups. Apple (which distributes iChat and FaceTime) is currently lobbying on the topic, according to disclosure documents filed with Congress two weeks ago. Microsoft (which owns Skype and Hotmail) says its lobbyists are following the topic because it's "an area of ongoing interest to us." Google, Yahoo, and Facebook declined to comment.

In February 2011, CNET was the first to report that then-FBI general counsel Valerie Caproni was planning to warn Congress of what the bureau calls its "Going Dark" problem, meaning that its surveillance capabilities may diminish as technology advances. Caproni singled out "Web-based e-mail, social-networking sites, and peer-to-peer communications" as problems that have left the FBI "increasingly unable" to conduct the same kind of wiretapping it could in the past.

In addition to the FBI's legislative proposal, there are indications that the Federal Communications Commission is considering reinterpreting CALEA to demand that products that allow video or voice chat over the Internet — from Skype to Google Hangouts to Xbox Live — include surveillance backdoors to help the FBI with its "Going Dark" program. CALEA applies to technologies that are a "substantial replacement" for the telephone system.

…

[end]

Episode 661 – Weekend Wrap-up with Dr. b0n3z

InfoSec Daily Podcast Episode 661 for May 5, 2012.  Tonight’s podcast is hosted by Dr. Bonez and Themson Mester.

Guests: oncee and spridel

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

http://granitesec.org

AIDE 2012

http://www.appyide.org/

LayerOne 2012

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

http://www.skydogcon.com

Please consider making your Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://www.wired.com/threatlevel/2012/05/mi6-codebreaker-at-blackhat/

A top British codebreaker who died a mysterious death in his flat two years ago had just returned from a computer security conference in the United States before his death, according to information disclosed during an inquest this week.

The body of Gareth Williams, a codebreaker with Britain’s MI6 spy agency, was discovered stuffed into a sports bag in his bathtub on Aug. 23, 2010, though he’s believed to have been killed Aug. 15.
Williams had just returned to London on Aug. 11 after spending six weeks in the United States, where he attended the annual Black Hat security conference in Las Vegas as part of a contingent of British spies, according to witnesses who spoke at the inquest. He attended Black Hat in 2008 as well.
It’s believed Williams may have also attended Black Hat’s companion hacker conference, DefCon, which follows Black Hat and draws many of the same attendees. In 2010, Black Hat was held July 24 to 29, while DefCon ran from July 30 to Aug. 1.

…

Source:  http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/

The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.
In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.
The FBI general counsel’s office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.
“If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding,” an industry representative who has reviewed the FBI’s draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.

…

Source:  http://www.cio.com/article/705760/Ten_Commandments_for_Effective_Security_Training

Information security people think that simply making users aware of security issues will make them change their behavior. But security pros are learning the hard way that awareness rarely equals change.

1. Serve small bites
People learn better when they can focus on small pieces of information that the mind can digest easily. It’s unreasonable to cover 55 different topics in 15 minutes of security training and expect someone to remember it all and then change their behavior.
Short bursts of training are always more effective.
2. Reinforce lessons
People learn by repeating elements over time–without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off seminar.
3. Train in context
People tend to remember context more than content. In security training, it’s important to present lessons in the same context as the one in which the person is most likely to be attacked.
4. Vary the message
Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.
5. Involve your students
It’s obvious that when we are actively involved in the learning process, we remember things better. If a trainee can practice identifying phishing schemes and creating good passwords, improvement can be dramatic.
Sadly, hands-on learning still takes a backseat to old-school instructional models, including the dreaded lecture.
6. Give immediate feedback
If you’ve ever played sports, it’s easy to understand this one. “Calling it at the point of the foul” creates teachable moments and greatly increases their impact. If a user falls for a company-generated attack and gets training on the spot, it’s highly unlikely they’ll fall for that trick again.
7. Tell a story
When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that helps keep them engaged. Rather than listing facts and data, use storytelling techniques. (Editor’s note: see, for example, How to rob a bank.)
8. Make them think
People need an opportunity to evaluate and process their performance before they can improve. Security awareness training should challenge people to examine the information presented, question its validity, and draw their own conclusions.
9. Let them set the pace
It may sound cliche, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them.
10. Offer conceptual and procedural knowledge
Conceptual knowledge provides the big picture and lets a person apply techniques to solve a problem. Procedural knowledge focuses on the specific actions required to solve the problem.
Combining the two types of knowledge greatly enhances users’ understanding. For example, a user may need a procedural lesson to understand that an IP address included in a URL is an indication that they are seeing a phishing URL. However, they also need the conceptual understanding of all the parts of a URL to understand the difference between an IP address and a domain name, otherwise they may mistake something like www4.google.com for a phishing URL.

…

Source: https://torrentfreak.com/judge-an-ip-address-doesnt-identify-a-person-120503/

A landmark ruling in one of the many mass-BitTorrent lawsuits in the US has delivered a severe blow to a thus far lucrative business. New York Judge Gary Brown explains in great detail why an IP-address is not sufficient evidence to identify copyright infringers. According to the Judge this lack of specific evidence means that many alleged BitTorrent pirates have been wrongfully accused by copyright holders.

Mass-BitTorrent lawsuits have been dragging on for more than two years in the US, involving more than a quarter million alleged downloaders.

The copyright holders who start these cases generally provide nothing more than an IP-address as evidence. They then ask the courts to grant a subpoena, allowing them to ask Internet providers for the personal details of the alleged offenders.

The problem, however, is that the person listed as the account holder is often not the person who downloaded the infringing material. Or put differently; an IP-address is not a person.

Previous judges who handled BitTorrent cases have made observations along these lines, but none have been as detailed as New York Magistrate Judge Gary Brown was in a recent order.

In his recommendation order the Judge labels mass-BitTorrent lawsuits a “waste of judicial resources.” For a variety of reasons he recommends other judges to reject similar cases in the future.

The Judge continues by arguing that having an IP-address as evidence is even weaker than a telephone number, as the majority of US homes have a wireless network nowadays. This means that many people, including complete strangers if one has an open network, can use the same IP-address simultaneously.

In other words, the copyright holders in these cases have wrongfully accused dozens, hundreds, and sometimes thousands of people.

Aside from effectively shutting down all mass-BitTorrent lawsuits in the Eastern District of New York, the order is a great reference for other judges dealing with similar cases.

…

Source:  http://cryptome.org/2012/05/apple-filevault-hole.htm

As someone said here recently, carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open.

That seems to have happened to Apple’s older (“legacy”) Filevault in the current release of MacOX Lion (10.7.3)…. something intended to protect sensitive information stored on laptops by providing for encrypted user home directories contained in an encrypted file system mounted on top of the user’s home directory.

Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process’s HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readible by anyone with root or admin access the login password of the user of an encrypted home directory tree (“legacy Filevault”).

The log in question is kept by default for several weeks…

Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.

…

[end]

Announcements

GraniteSec (formerly The New England InfoSec Tweetup)

When:  May 19, 2012

Where:  Veasey Memorial Park, Groveland, MA

http://granitesec.org

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center – Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Hack3rCon^3

When: October 19-21, 2012

Where: Charleston, WV

http://hack3rcon.org/

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://www.theregister.co.uk/2012/05/03/h4n1_flu_study_published/

Strains of bird flu that could spread among humans have been created in the lab – and now full details on just how this was done have been published openly, raising fears that the research could be used by terrorists to craft a deadly bio-weapon plague.

Bird flu, or H5N1, has killed more than half of the 600 people it is known to have infected, but it cannot spread easily between people. So Yoshihiro Kawaoka of the University of Wisconsin-Madison set out to find whether H5N1 could evolve in the wild into a form that was transmissible between humans.

Kawaoka’s FBI-approved team first created thousands of mutant versions of H5N1. From these they identified a version that could stick to cells in the human nose and throat and then combined this with the strain from the wild that caused the 2009 pandemic. With this hybrid virus, the scientists infected ferrets and watched for when the virus evolved a strain that could spread through the air and infect healthy ferrets in neighbouring cages.

According to Kawaoka, the study shows that relatively few mutations are required for the virus to acquire the ability to transmit between mammals, including humans. The strain created during Kawaoka’s research is less severe than the one that caused the 2009 pandemic, it is susceptible to Tamiflu and it did not kill any of the ferrets in the experiments.

But there may be further strains not studied that have the ability to evolve transmissibility. In fact, the researchers have already spotted strains with one of the mutations they identified in Egypt. As Laurence Fishburne’s character in Contagion says: “Someone doesn’t need to weaponise the bird flu. The birds are doing that.”

….

Source:  https://www.adobe.com/support/security/bulletins/apsb12-09.html

Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.

….

Source:  http://searchsecurity.techtarget.com/news/2240149475/Oracle-wont-patch-four-year-old-zero-day-in-TNS-listener

Oracle has issued a security bulletin this week, recommending customers consider workarounds to address a long-standing zero-day vulnerability in nearly all versions of its database management system.

The four-year-old Oracle database vulnerability became an issue last week when the researcher who discovered the flaw issued details and proof-of-concept code to carry out a “TNS listener poison attack.” Joxean Koret, a security researcher based in Spain, reported the vulnerability to Oracle in 2008. According to Oracle’s blog, last week Koret, “[had] mistakenly, assuming that the issue had been backported through the CPU… fully disclosed its details.”

The Transparent Network Substrate (TNS) Listener is a feature that routes the connections between a client and the server. According to Koret’s advisory (.pdf), an attacker using a man-in-the-middle technique could hijack legitimate established connections and route all the data being sent from the client to a remote server controlled by the attacker. Without authorization, the attacker could record the data or send simple commands to the server to add, drop or modify data.

“To inject commands, simply wait for the customer to send an SQL query/statement, replace the contents of the statement with our desired command and that's all,” Koret wrote in his blog and in a message on the Full Disclosure mailing list.

The vulnerability is present in Oracle database versions 10.2.0.3 to 11.2.0.3. The Oracle alert for CVE-2012-1675 also warns that “since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle database component that is affected by this vulnerability, Oracle recommends that customers apply the solution for this vulnerability to the Oracle database component.”

Alex Rothacker, director of security research at TeamSHATTER, Application Security Inc.'s research team, said Koret was more patient than other researchers before disclosing his proof-of-concept code. A lack of clarity by Oracle on whether the bug was fixed lead to the disclosure, and Rothacker believes that Koret acted “in good faith.”

Oracle had not yet patched the bug and said it has no plans to, stating that “such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions…” The problem has been fixed in the main line of code, according to Rothacker, so new versions of the Oracle database will be secured against this vulnerability.

Rothacker suggests the real problem has nothing to do with the miscommunication that led to the attack code being released. The problem, he said, is that Oracle has known about this very serious vulnerability for four years and done nothing to fix it. “How many other problems do they know about that they haven’t fixed?” he asked.

….

Source:  http://www.pcworld.com/businesscenter/article/254979/smishing_attacks_are_on_the_rise.html

Text messaging is the most common non-voice use of a mobile phone. There are trillions of text messages received around the world each day, and an increasing number of them are spam, or phishing attacks of some sort.

A report from the Pew Internet and American Life Project claims that 73 percent of adults with a mobile phone use text messaging–sending and receiving an average of 41.5 messages per day. That average jumps to a startling 110 messages per day for individuals between 18 and 24.

Think twice about clicking that link in the suspicious text message.Cyber criminals are good at identifying lucrative markets and targeting weak links. Users are conditioned to recognize suspicious messages and security threats on PCs, and there’s generally security software in place to detect and prevent attacks. But, many people assume mobile phones are inherently safe, and don’t realize that malware and phishing attacks are a concern for mobile devices as well.

People are used to receiving text messages, and are not likely to think twice about the security implications of clicking on a link in a text. The major Web browsers have phishing protection built in to alert the user to suspicious sites, and users can generally hover over a link to display the true URL on a PC, but mobile phones aren’t equipped to help users avoid malicious text messages.

….

Source:  http://www.guardian.co.uk/technology/2012/may/03/hackers-breached-secret-mod-systems

Computer hackers have managed to breach some of the top secret systems within the Ministry of Defence, the military's head of cyber-security has revealed.

Major General Jonathan Shaw told the Guardian the number of successful attacks was hard to quantify but they had added urgency to efforts to beef up protection around the MoD's networks.

"The number of serious incidents is quite small, but it is there," he said. "And those are the ones we know about. The likelihood is there are problems in there we don't know about."

Government computer systems come under daily attack, but though Shaw would not say how or by whom, this is the first admission that the MoD's own systems have been breached.

The Serious Organised Crime Agency, took its website offline on Wednesday night after becoming the target of a cyber-attack. A spokesman said the attack did not pose a security risk to the organisation.

Shaw, a veteran of the Falklands and Iraq wars, also said the MoD had to be prepared to embrace unconventional and "wacky" ideas if the military wanted to catch up with, and then stay ahead of, rivals in the cybersphere. Getting "kids on the street" to help the military was vital, he said.

"My generation  … we are far too old for this; it is not what we have grown up with. Our natural recourse is to reach for a pen and paper. And although we can set up structures, we really need to be on listening mode for this one."

He added: "If we want to work the response, if we want to know really what is happening, we really have to listen to the young kids out in the street. They are telling us what is happening out there.

"That will pose a real challenge to us. This thing is moving too fast. The only people who spot what is happening are people at the coal face and that is the young kids. We have to listen to them and they have to talk to us."

A former director of UK special forces, Shaw, 54, said he thought the military could learn a trick or two from firms such as Facebook.

The company has a "white hat" programme in which hackers are paid rewards for informing them when they have found a security vulnerability.

Nine people in the UK have been paid a total of $11,000 (£6,785) for working with Facebook. Shaw said this was the kind of "waacky idea we need to bring in".

Shaw has spent the last year reviewing the MoD's approach to cyber-security, and the kind of cyber-capability the military will need in the future.

He says next year's MoD budget is expected to include new money for cyber-defence – an acknowledgment that even during a time of redundancies and squeezed budgets, this is now a priority.

….

[end]

Amazon:

Amazon UK:

• NASA – Glenn Research Center
• U.S. military
• U.S. Air Force
• European Space Agency
• Thai Royal Navy
• Harvard University
• Renault
• French ministry of Defense
• Bahrain Ministry of Defense
• Jordanian Yellow Pages

Amazon:

Amazon UK:

Edit: dead link, so here is the original graph from Skype Journal:

• [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
• [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by  wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
• [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
• [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.

• [$1000] [121899] High CVE-2011-3081: Use after free in floats handling.

Special Guests: Erin Kennedy, and Nick

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Infcident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://www.theregister.co.uk/2012/04/27/html5/

HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief.

During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.

Many of the attack scenarios involve using JavaScript to create memory-resident "botnets in a browser", McArdle warned, which can send spam, launch denial-of-service attacks or worse. And because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, utterly simplifying the development of malware.

Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.

Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass – and HTTP-based attacks pass easily through most firewalls.

Additional dangers involve social engineering using HTML5's customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.

"The good stuff in HTML5 outweighs the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5 but nonetheless it's good to think ahead and develop defences."

….

Source:  http://www.spamfighter.com/News-17679-Spam-Volume-in-March-2012-Declines-Only-Slightly.htm

Kaspersky Lab, which released its March 2012 spam report, shows that spam volumes from the total e-mail reduced 3.5% during March 2012 over the previous month of February 2012.

The new spam study reveals that the twenty greatest sources of junk e-mails continued to be same in March 2012, with the same countries as of February 2012 occupying the foremost 6 positions although South Korea and Vietnam interchanged ranks -the latter coming 4th and the former coming 5h.

Maria Namestnikov, security researcher at Kaspersky Lab explained that the first 3 ranks went to India (12.3%), Indonesia (7.5%) and Brazil (6.7%). While spam rates might've declined, the menace continued as severe as before with junk e-mail distributors adopting more-and-more refined techniques of scam, she said. Kaspersky.com published this dated April 19, 2012.

Besides, according to Namestnikov, it was ever-since the Calicos/Hlux network-of-bots' latest version got dismantled that the spam rates declined. During March 2012, Kaspersky Lab in combination with companies namely Dell SecureWorks, CrowdStrike, alongside HoneyNet Project dismantled the Kelihos.B botnet.

The spam study thereafter reveals that the topics most commonly utilized within the spam campaigns all through March 2012 related to Easter, St. Patrick's Day as also iPad3's recent launch.

Of the several spam campaigns related to St. Patrick's Day, security company Kaspersky states that the spammers, for acquiring the notice of e-mail recipients, resort to partner programs that abuse any holiday, celebration or same kind of event. Within the current example, it's Leprechaun-festooned spam websites, which present counterfeit designer watches.

….

Source: http://www.zdnet.com/blog/bott/report-says-hotmail-exploit-spread-like-wild-fire-is-now-fixed/4892

Microsoft plugged a serious security hole in its Hotmail password reset service last week, after one report claims it was widely exploited.

April 26, 3:00PM PDT: Microsoft confims existence of flaw and fix. See update at end of post.

Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days.

A report published today at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix.

The bulletin rated the severity as “Critical,” based on this description:

A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.

The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:

Report-Timeline:

================

2012-04-06: Researcher Notification & Coordination

2012-04-20: Vendor Notification by VoIP Conference

2012-04-20: Vendor Response/Feedback

2012-04-21: Vendor Fix/Patch

2012-04-26: Public or Non-Public Disclosure

During at least part of that two-week gap, the vulnerability was widely exploited, one source says.

….

Source:  http://news.yahoo.com/hackers-hit-philippines-websites-amid-china-dispute-193846510.html

Philippine government websites are under heavy attack from hackers, apparently from China, amid a tense territorial dispute between the two countries in the South China Sea, officials said Thursday.

While some Philippine hackers have reportedly launched retaliatory attacks, the government appealed to them for restraint, said Roy Espiritu, spokesman of the government's information technology office.

"We've actually detected several attacks, including attempts at distributed denial of service," he said, in which a hacker infiltrates computers with which to attack a single target, such as a website, forcing it to shut down.

"They (hackers) are probing into different (Philippine) government domains so we can't say how many attacks there are. But it is a lot," Espiritu told AFP.

"The signatures (of the hackers) indicate they are from Chinese networks."

Espiritu conceded this could be a ruse and the attacks may have actually originated from other sources.

But he said all the attacks came after Philippine ships faced off with Chinese patrol vessels in April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such attacks.

The Chinese vessels initially prevented the Philippine Navy from arresting alleged Chinese poachers in the area. The stand-off is continuing.

….

Source: http://nakedsecurity.sophos.com/2012/04/27/carriers-oppose-producing-warrants-for-location-data/

The mobile carriers industry trade group, CTIA–The Wireless Association, is objecting to a proposed bill that would require the police to produce a warrant if it wants access to location data on people's mobile phones.

CTIA are calling the legislation "unduly burdensome" to say no to police who arrive without warrants.

The bill in question, California Location Privacy Bill (SB 1434), doesn't stop the carriers from handing over location data, but it does require that police get a warrant first.

The proposed law also states that carriers must publish reports showing the number of disclosures they've made in a given calendar year, including:

• how many times each wireless provider disclosed information (and how many times it didn't)

• how many times the carrier contested data demands

• how many users' data were disclosed.

And this report is to published on the internet by the following April.

On April 12, the CTIA wrote [PDF] to the bill's sponsor, State Senator Mark Leno, saying that CTIA opposes the proposed legislation due to "serious concerns":

"These reporting mandates would unduly burden wireless providers and their employees – who are working day and night to assist law enforcement to ensure the public’s safety and to save lives."

… and that the legislation would "confuse" them.

For example, an issue the carriers would find confusing is the definition of "location information." CTIA say that it is "so sweeping" that it could overlap basic subscriber information:

"Since the implications of this definition are unclear, wireless providers will have difficulty figuring out how to respond to requests for such information. It could place providers in the position of requiring warrants for all law enforcement requests."

Ars Technica's Cyrus Farivar, for one, is confused about why the CTIA is confused.

Here's what he had to say:

"Earlier this month, the ACLU said it received over 5,500 pages from 200 local law enforcement agenciesabout their tracking policies. The organization concluded that 'while cell phone tracking is routine, few agencies consistently obtain warrants.

Importantly, however, some agencies do obtain warrants, showing that law enforcement agencies can protect Americans' privacy while also meeting law enforcement needs.' In short, it seems like law enforcement can stay within the law, even when it takes the trouble to get a warrant—how is that confusing?"

Regarding the cost and labour involved in putting up reports that tell the public how they are releasing our information: well, if it's really all that costly to the poor, cash-strapped wireless providers, perhaps it's time for them to increase the fees they charge law enforcement agencies for the all-you-can-eat buffet of data they provide.

….

Late Announcement:

Help Brad get a handicap accessible van. http://www.nmeda.com/mobility-awareness-month/heroes/montana/helena/1535/nina-and-brad-smith

[end]

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

Or simply use our QR Code Links.

Amazon:

Amazon UK:

Pentest Lessons

1. Don't cat binary files in cube farms. The beeps sound like alarms, and the natives have to decide whether to evacuate.

2. Determining who is "in the loop" during a penetration test is an important step not best performed when you’re almost finished with an engagement.

3. When you pop a system, always always always grab the critical information first.  

4. When you pop a system, avoid high fives or yelling w00t.  This is critical for maintaining professionalism.

5. When you pop a system, always grab critical information before telling the customer about the access.  There’s nothing worse than the machine being turned off to avoid you collecting data.  See item #3.

Stories

Source:  http://boingboing.net/2012/04/26/sneak-attack-surprise-amendme.html

Source:  http://www.politico.com/news/stories/0412/75670.html

In a sneak attack, the vote on CISPA (America's far-reaching, invasive Internet surveillance bill) was pushed up by a day. The bill was hastily amended, making it muchworse, then passed on a rushed vote. Techdirt's Leigh Beadon does a very good job of explaining what just happened to America:

Previously, CISPA allowed the government to use information for "cybersecurity" or "national security" purposes. Those purposes have not been limited or removed. Instead, three more valid uses have been added: investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children. Cybersecurity crime is defined as any crime involving network disruption or hacking, plus any violation of the CFAA.

Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a "cybersecurity crime". Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government's power.

Lawmakers voted to reject a motion to recommit by Rep. Ed Perlmuttter, who sought to add language specifying that nothing in the bill could be construed to allow employers and the government from mandating that employees and job applicants disclose confidential passwords without a court order. The defeated motion also would have added language saying that nothing in the bill could allow the government from blocking access to the Web through “the creation of a national Internet firewall similar to the ‘Great Internet Firewall of China.'

….

Source: http://threatpost.com/en_us/blogs/backdoor-equipment-used-traffic-control-railways-called-huge-risk-042512

Security researchers are warning about the risk posed by an embarrassing security hole in industrial control software by the firm RuggedCom. A hidden administrative account could give remote attackers easy access to critical equipment that is used to manage a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.

The undocumented backdoor account was first revealed on Monday in a post to the Full-disclosure security discussion list by a user with the initials "JC." The account uses the login name "factory" and a dynamically generated password that is based on the device's machine address – or MAC, according to the post.

A Ruggedcom spokesperson said the company was working on a response, but could not immediately comment on the post.

The details of the vulnerability could not be independently confirmed and RuggedCom did not immediately respond to a request for comment from Threatpost. However, the use of hard coded account credentials is common in the industrial control space, where remote, administrative access to devices that are deployed in the field has long been a priority for vendors and customers, alike.

The post's author, "JC" was not able to immediately comment on the details of his post. He was identified as is Justin W. Clarke, an independent security researcher based in San Francisco according to Digital Bond blog, a source for information on security issues in SCADA and industrial control systems.

….

Source: http://nakedsecurity.sophos.com/2012/04/26/credit-card-websites/

Cybercrime is big business these days, in fact it's an industry. So it's not a surprise to find that criminals are embracing ecommerce. But I'm sure some will be surprised to discover just how professional and legitimate criminal websites can appear.

For instance, watch the following video to see footage of a website that was selling stolen credit card details.

The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.

The websites use advanced e-commerce Automated Vending Cart (AVC) platforms to allow them to sell large numbers of credit card and bank details.

Visitors to the websites are now greeted by a message from the authorities:

According to a SOCA statement, two men were arrested early yesterday morning suspected of making large scale purchases of compromised data from websites such as those described above.

….

Source: http://www.theregister.co.uk/2012/04/26/taiwan_spies_smuggle_us_military_tech/

Two suspected Taiwanese drug smugglers have been accused of an ambitious plot to smuggle some pretty serious military technology including a US drone out of the States and into China.

Hui Sheng Shen and Huan Ling Chang, who have been in custody since February for allegedly smuggling methamphetamine into the US, will be formally charged with conspiracy to violate the Arms Export Control Act, according to an AP report.

The two were caught in an undercover FBI sting which caught them on tape claiming that their clients in the Chinese government were keen on acquiring US drones as well as stealth technology, anti-aircraft systems and even an E-2 Hawkeye early warning aircraft.

The two reportedly ignored the undercover Feds’ repeated cautioning that they would not like to profit from any kit which would harm US interests, with Shen saying, “I think that all items would hurt America.”

"The people we met, they come from Beijing. … They work for Beijing government … some kind of intelligence company for Chinese government — like C.I.A," Shen reportedly told the agents. "They are spies."

Shen also boasted that he could use scuba divers to transport parts of the kit underwater from Port Newark-Elizabeth Marine Terminal to a ship waiting offshore – a similar technique to that which he allegedly used to smuggle drugs.

….

Source: http://www.networkworld.com/news/2012/042512-will-obama-preside-over-the-258673.html

If President Barack Obama is going to win a second term, he may have to do it without the support of privacy and civil liberties organizations, including those in information and personal security.

Increasingly the president, who was expected to fulfill the dreams of civil libertarians by creating a more open, transparent and less-intrusive government, is instead being viewed as a nightmare.

Many of the complaints are focused on broken promises regarding the aftermath of 9/11: The president pledged to close the military prison at Guantanamo Bay, Cuba, and it remains open. He attacked the Patriot Act as a candidate, but it also remains. And according to his critics, while he slammed President Bush's tactics in the "war on terror," he has now embraced and expanded most of them, including the killing of U.S. citizens abroad who are deemed to be terrorists.

But for cyber-privacy advocates, the major concern is that they believe the Big-Brother and "thought police" nightmare of George Orwell's "1984" could be a reality by 2013, when the National Security Agency's new data center is due to open at the Utah National Guard's Camp Williams, south of Salt Lake City in Bluffdale.

Some in the infosec and privacy community say it is not so much about who is president as it is about the reach, power and inertia of the intelligence establishment. Whatever, the reason, the coming Utah Data Center is expected to give a whole new meaning to the concept of Big Data.

NSA, which already has vast powers to sift and analyze digital communications by people with the bland job description of "traffic analyst," is expanding those powers to the point where, according to James Bamford, writing last month in Wired magazine, it will be able to intercept, store and analyze, "all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails– parking receipts, travel itineraries, bookstore purchases, and other digital 'pocket litter.'"

….

Source:  http://www.net-security.org/secworld.php?id=12818

A critical security flaw affecting Microsoft's Hotmail has been detected almost simultaneously by Vulnerability Lab researchers and a Saudi Arabia hacker and, until a temporary fix has been put in place by Microsoft on Friday last, it has been used by hackers to hijack users' Hotmail/Live account.

"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password

and bypass in place protections (token based)," explained Vulnerability Lab's researchers.

"The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values '+++)-'. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."

Naveen Thakur offers a description of the exploit of which he saw videos propagating online: "It involves using a Firefox addon called Tamper Data which allows the the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacked had to do was to select the 'I forgot my Password' and select 'Email me a reset link' and start the Tamper Data in Firefox and modify the outgoing data."

The bug was to easy to exploit, he says, and it spread like wild fire through the hacking community and forums.

….

Source:

….

[end]

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source: http://www.computerworld.com/s/article/9226521/New_sneakier_Flashback_malware_infects_Macs

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

"The differences are very subtle," Peter James, a spokesman for Intego, said in an interview Tuesday. "There's no password request [by Flashback.S]."

Flashback.K used different infection tactics: Even though it exploited the same Java vulnerability — identified as CVE-2012-0507 — it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.

….

Source: http://threatpost.com/en_us/blogs/researcher-causes-endless-restart-loop-samsung-tvs-042412

Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices.

Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices.

One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.

Auriemma discovered the issues accidentally. He told Threatpost via email that he was trying to play a trick on his brother. He only wanted to send a remote controller request with a funny message, but he ended up nearly destroying the TV.

To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.

As background, Auriemma explains that when the device receives a controller packet it displays message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.

Auriemma claims that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then after another five seconds, he claims, the TV automaticall restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.

….

Source:

http://bits.blogs.nytimes.com/2012/04/24/nissan-is-latest-company-to-get-hacked/

Nissan confirmed its computer systems were hacked two weeks ago.  The Japanese automaker said that hackers broke into its network and stole employees’ usernames and encrypted passwords. The company said it first noticed an abnormality on its network Friday, April 13, when it discovered a piece of malicious malware had targeted employees’ log-in credentials and was transmitting them back to an outside computer server. Nissan did not say which employees had been targeted, what division they worked in or what the intruders may have been after. The company tracked the intrusions back to an Internet protocol address, but said it did not give much indication of who was behind the attack.

“We do know the I.P. addresses but it really does not tell you a whole lot,” said David Reuter, a Nissan spokesman. “Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”

Nissan said it waited a week to disclose the attack to customers and employees while it closed open holes in its network and cleaned up its systems with the help of outside security consultants. On Friday, Andy Palmer, a Nissan executive vice president, disclosed the attack in a statement and said there was no indication any customer, employee or intellectual property data had been stolen.

….

Source: http://threatpost.com/en_us/blogs/e-mail-source-code-vmware-bubble-compromised-chinese-firm-042412

Source: http://blogs.vmware.com/security/2012/04/vmware-security-note.html

Source: http://www.crn.com/news/security/232900903/anonymous-hacker-claims-credit-for-vmware-esx-code-leak.htm

April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available.

VMware's ESX hypervisor source code leak may stem from an attack on a Chinese import-export firm last month in which an anonymous hacker claims to have made off with more than one terabyte of confidential documents.

On Tuesday, Kaspersky Lab's Threatpost blog reported the details of its recent IRC conversation with "Hardcore Charlie," the anonymous hacker who posted the purported VMware ESX source code online on April 8.

Hardcore Charlie claims to have obtained the VMware ESX source code after breaching the corporate network of the China National Electronics Import-Export Corporation (CEIEC), a Beijing-based firm. He also broke into and stole documents from the networks of China North Industries Corporation (Norinco) WanBao Mining Ltd, Ivanho and PetroVietnam, according to the Threatpost report.

VMware could not be reached for comment.

In a security bulletin issued earlier on Tuesday, VMware warned that a single file from its ESX server hypervisor source code had been posted online and said it is possible that more proprietary files could be leaked.

The leaked ESX code is from the 2003 to 2004 period, and security experts told CRN the potential impact of the breach depends on how much VMware has changed the code base since then.

VMware said it shares source code with industry partners, but other vendors, including Cisco, have had source code leaks in the past without problems, said Charlie Winckless, senior security architect at Presidio Networked Solutions, Greenbelt, Md.

Still, a zero-day vulnerability in ESX could pose significant problems for VMware and the legions of cloud service providers whose infrastructure runs on the hypervisor. Winckless said the availability of ESX source code could give hackers a better chance to find undiscovered vulnerabilities.

"How serious this exposure is depends on the level of code audit performed," Winckless said. "There almost certainly will be some bugs and issues exposed, but it's far from certain that they are exploitable."

VMware spends a lot of effort guarding against the disaster scenario of attackers compromising multiple virtual servers on a single piece of hardware, which makes it less likely that such an attack could stem from the leaked source code, according to Winckless.

….

[end]

Guest Co-Host Varun Sharma.

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side. Or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild

Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.

The following image shows an example of a crafted RTF file containing a vulnerable OLE file. You can see the signature of the OLE file in D0CF11E0. …

Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:

1. The crafted document is opened by a Word process.

2. Exploiting the vulnerability triggers the shellcode in the OLE file.

3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:

%userProfile%\Local Settings\Temp\(filename).exe

4. The shellcode start a new process of Word and opens as bait an innocent document file embedded in the document. Typically the bait file is dropped at:

%userProfile%\Local Settings\Temp\(filename).doc

5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.

….

Source:  http://www.theinquirer.net/inquirer/news/2169403/100-million-users-affected-social-network-vulnerability

DO IT YOURSELF social networking company Ning is reportedly suffering from a slight security problem that could affect 100 million users.

Ning lets people set up their own gasbag social networking channels and is used by people like the pop group Radiohead. According to a Dutch report a problem with its security could leave them wide open to account hijackers.

A Dutch web site called Web Wereld says that two students, Angelo Geels and Alex Brouwer have exploited cookies to gain login control over Ning user accounts. They used a proof of concept that showed they could access 90,000 accounts and 100 million users, but had no intention of exploiting it for malicious purposes.

They did suggest that if others were able to use it then they could take over Ning accounts. "You can build an application that automates acquisition of an identity," said Geels in the report.

The students told Ning about the exploit last month and since then the firm has worked to fix it. This is not the first time that security students have worked with Ning, and last year students reported five vulnerabilities that included the threat of credit card theft.

….

Source:  http://news.softpedia.com/news/Experts-Find-Control-Panel-for-Ransomlock-Powered-Ransomware-265732.shtml

Researchers have come across another Trojan that fuels such campaigns. The novelty in this scenario is that the control panel that’s being utilized in the scheme has been found.

Identified by Symantec as Trojan.Ransomlock.K, the malicious element communicates with a command and control server from which it receives its orders.

The interface that allows the cybercrooks to communicate with their Trojan is called Silent Locker Control Panel and according to the experts, it is somewhat similar to other control panel used for pieces of malware such as ZeuS and SpyEye.

The Russian variant of the Silent Locker Control Panel found by experts offers a number of options. First of all, it tracks the infected computer’s location and date, information that can be used for billing.

Also based on the location, the cybercriminal can choose what picture the ransomware displays when it takes over a computer. For instance, if the victim resides in the UK, a picture of the Metropolitan Police can be used, the default image being the one shown in the screenshot.

If notifications that rely on the reputation of a law enforcement agency don’t work, the fraudsters can always turn to fake Windows Security Checks or other scams that may convince the victim that his/her device is being blocked for performing illegal activities, or even because of some phony system errors.

….

Source:  http://www.computerworld.com/s/article/9226476/Google_boosts_Web_bug_bounties_to_20_000

Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.

The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.

The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.

Remote code flaws found in Google's Web apps will also be rewarded $20,000.

The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine.

A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.

Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.

….

Source:  http://www.bbc.com/news/technology-17811565

Iran has been forced to disconnect key oil facilities after suffering a malware attack on Sunday, say reports.

The computer virus is believed to have hit the internal computer systems at Iran's oil ministry and its national oil company.

Equipment on the Kharg island and at other Iranian oil plants has been disconnected from the net as a precaution.

Oil production had not been affected by the attack, said the Mehr news agency.

However, the attack is believed to have been responsible for knocking offline the websites of the Iranian oil ministry and national oil company.

The Ministry website was back in action on Monday but the oil company site has remained unreachable.

An Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack. Core data about Iran's oil industry remained safe because it was on computer systems that remain separate from the net, they added.

The terminal on Kharg Island handles about 90% of Iran's oil exports.

….

[end]

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://news.softpedia.com/news/Researchers-Make-Firewall-to-Protect-Medical-Devices-Against-Hackers-265970.shtml

There has been a lot of buzz lately around the vulnerabilities that expose wireless medicald evices to cybercriminals, but researchers from Princeton and Purdue universities may have found a solution to these issues. They have created a firewall that's specially designed for these types of apparatus.

The firewall, dubbed MedMon, is only a prototype, but initial tests have demonstrated that it’s highly effective when it comes to protecting insulin pumps, pacemakers and even the brain implants on which so many people currently rely.

The research team is composed of Anand Raghunathan, professor of electrical and computer engineering at Perdue, Niraj K. Jha, a Princeton professor of electrical engineering, and two graduate students in electrical engineering from the same university, Chunxiao Li and Meng Zhang.

“You could imagine all sorts of scary possibilities. What motivated us to work on this problem was the ease with which we were able to break into wireless medical systems,” Raghunathan said.

One of the advantages of the new security system is that it can function with existing devices.

“This could be worn as a necklace, or it could be integrated into yourcell phone, for example,” he explained.

The experts have developed MedMon because, even though the risks of a breach are low, when it comes to medical devices, every small incident could have a fatal outcome.

The firewall relies on “multi-layered anomaly detection” to look for signs of potentially malicious activity and when a hazardous situation is detected, MedMon can block the ill-intended packets and notify the user.

While the system isn’t completely bulletproof, it’s a great step forward and its creators are confident that in certain situations it could be highly effective.

….

Source:  http://www.computerworld.com/s/article/9226429/Flashback_botnet_not_shrinking_huge_numbers_of_Macs_still_infected

Source: http://news.drweb.com/show/?c=5&i=2386&lng=en

Doctor Web's virus analysts continue to monitor the largest to date Mac botnet discovered by Doctor Web on April 4, 2012. The botnet statistics acquired by Doctor Web contradicts recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39 The number is still around 650,000.

According to Doctor Web, 817 879 bots connected to the BackDoor.Flashback.39 botnet at one time or another and average 550 000 infected machines interact with a control server on a 24 hour basis. On April 16, 717004 unique IP-addresses and 595816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on April 17 the figures were 714 483 unique IPs and 582405 UUIDs. At the same time infected computers, that have not been registered on the BackDoor.Flashback.39 network before, join the botnet every day. The chart below shows how the number of bots on the BackDoor.Flashback.39 botnet has been changing from April 3 to April 19, 2012.

….

Source:  http://nakedsecurity.sophos.com/2012/04/23/india-becomes-the-king-of-the-spammers-stealing-americas-crown/

The experts at SophosLabs have released their latest "dirty dozen" report detailing the world's top spam-relaying countries – and we've discovered that in the space of a year, India has overtaken the United States to become the top global contributor to the junk email problem.

If you have a spam in your inbox, there's an almost one in ten chance that it was relayed from an Indian computer.

The top twelve spam relaying countries for January – March 2012

1. India    9.3%

2. USA    8.3%

3. S Korea    5.7%

4= Indonesia    5.0%

4= Russia    5.0%

6. Italy        4.9%

7. Brazil    4.3%

8. Poland    3.9%

9. Pakistan    3.3%

10. Vietnam    3.2%

11. Taiwan    2.9%

12. Peru    2.5%

Other    41.7%

The vast majority of spam comes from home computers that have been compromised by hackers, and commandeered into a botnet. Remote hackers can send spam from recruited computers, as well as potentially steal information or install other malicious code.

….

Source:  http://www.zdnet.com/blog/security/anonymous-hacks-formula-1/11661

The hacktivist group Anonymous yesterday performed a Distributed Denial of Service (DDoS) attack against Formula 1’s main website (formula1.com), which is operational again today. The group also hacked and defaced a Formula 1 fan site ( f1-racers.net), which is still not operational today. Other websites attacked include f1officialpartners.com, live-timing.formula1.com, and totalf1.com.

The attack comes less than two weeks after Anonymous hacked three UK government websitesover what it called the country’s “draconian surveillance proposals” and “derogation of civil rights.” While writing this article, I noticed Anonymous today is also trying to take down gchq.gov.uk. Okay, now back to Formula 1.

This time, Anonymous blamed the controversial hosting of the Formula 1 Grand Prix on Sunday in Bahrain, where protests are still taking place. The group sent out a press release the day before in regards to Operation Bahrain, posted on AnonPaste. In a second AnonPaste post, the group called for its supporters to telephone bomb and e-mail bomb Formula 1 executives.

As you can see in the screenshot above, the group posted a message as part of the website’s defacement. It starts by saying the people of Bahrain have struggled against the oppressive regime of King Hamad bin Al Khalifa for over a year:

For over one year the people of Bahrain have struggled against the oppressive regime of King Hamad bin Al Khalifa. They have been murdered in the streets, run over with vehicles, beaten, tortured, tear gassed, kidnapped by police, had their businesses vandalised by police, and have tear gas thrown in to their homes on a nightly basis.

….

Source:  http://www.israelnationalnews.com/News/News.aspx/155010#.T5VMH7-ASaB

A top Saudi hacker who targeted Israel and Jews has died at age 28, Saudi media reported Sunday. The man, who was not named, died of an asthma attack brought on by summer sandstorms.

The hacker, who called himself “Cyber Terrorist,” was known for hacking well-protected sites including Microsoft. He targeted Jewish and Israeli sites in particular, as well as a site belonging to Danish cartoonists who drew cartoons of Mohammed.

A fellow Saudi hacker calling himself “hell cyber” told the media that “Cyber Terrorist” had put “defending Islam and the Prophet” as his top priority.

“One company had shown interest in working with him for a large sum of money, but he rejected the offer because it came from a Jewish company,” he related.

Israeli experts have warned that cyber warfare, already an active part of the Israeli-Arab conflict, will become more important with time. While Arab hackers have so far created financial problems, in the future enemies could crack Israeli military or healthcare systems, they say.

A second Saudi hacker, calling himself OxOmar, gained notoriety in Israel for attacking the El-Al website and stock exchange and publishing the details of thousands of Israelis’ credit cards.

….

[end]

Announcements

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Please Help these two sibling dogs stay alive

You won't even believe this story or this absolutely beautiful dog relationship. Just check out the photos below. My heart is breaking. A pit bull and chihuahua -both just 6 years old – have given their entire lives to taking care of their human owners. Now the owners have had a second baby last week – and they want both of their dogs to be KILLED IMMEDIATELY because they "don't have time for them anymore". They want nothing to do with their poor animals, and have given a person in our group, Sloane, just a few more days to find a foster or permanent home for them. They plan to have the dogs euthanized this weekend. Sloane has been trying to find a foster home for both of them, to keep them together. But the owners said that they don't care if the dogs are split up – they just want them gone from their house or dead. Please, if there was ever a time when maybe you could help foster a dog, THIS IS THE TIME!! The chihuahua is so teeny tiny that he is barely an extra inconvenience at all. And these dogs are so bonded, that they will take care of each other and keep each other company. The pit bull is named Dozer and the chiuahahua is named Biggie. They are being kicked out of the only home they have ever known. This experience will be so traumatic for them, especially if they are split up. If any of you have ever volunteered or worked at a shelter, or were around when people were dropping off their dogs to the shelter, you know how horrifying it is to watch a dog be ripped from the life they knew, and thrown into a cage, in a room full of other crying and screaming animals. Great with KIDS and CATS!! Both dogs are apparently great around kids and the owner said that her nieces and nephews hang all over the dogs all of the time, and the dogs are wonderful with them. No aggression AT ALL. Owners used to have 3 cats several years ago, and dogs got along perfectly fine with the cats at that time. They are also good when they see other dogs on the street, but haven't been given many opportunities to play or socialize. They would of course need to be tested with other dogs/cats, if you have a dog or cat. But it sounds like it is likely there would not be an issue.

CONTACT IMMEDIATELY: Sloane 917-648-9808 bslnews2011@gmail.com

Please consider making your  Amazon purchases through our affiliate link.  If you’re not familiar with the affiliate link it is locate the Affiliate Program link on the right hand side.

or simply use our QR Code Links.

Amazon:

Amazon UK:

Stories

Source:  http://searchconsumerization.techtarget.com/news/2240148725/Windows-Intune-goes-mobile-with-iOS-Android-management?asrc=EM_NLN_17080078

Microsoft has finally acknowledged that it’s in its best interests to offer a way to manage Apple and Android devices alongside Windows.

The next version of Windows Intune, Microsoft’s cloud-based desktop management tool, will also manage employee-owned iPads, iPhones and Android devices, in addition to Windows phones and tablets.

It’s a significant move for Microsoft — especially now, as the company pushes its new generation of Windows phones and tablets.

Some IT administrators have been waiting for a multiplatform mobile management tool from Microsoft and are pleased that the company has finally developed a bring your own device (BYOD) support strategy.

Microsoft announced the next version of Windows Intune on Wednesday at the Microsoft Management Summit (MMS) in Las Vegas, and a pre-release version is now available for download.

Intune will provide MDM capabilities through Active Directory (AD) and Exchange ActiveSync. It will also help IT and end users deploy applications to mobile devices. In addition, employee-owned devices that aren’t connected to the corporate AD can be deemed “domain trusted,” which will still allow them to access corporate data and apps.

“It’s not just about enabling your users on Windows anymore,” said Brad Anderson, Microsoft’s corporate vice president for management and security, during the MMS keynote. “We are doing deep, deep integration with iOS and Android.”

The next version of Intune will let IT create links to apps within their devices’ respective app stores, and Anderson said it will also allow for the side-loading of apps — that is, the installation of apps directly from Intune, without going through each device’s app store. Apple does not allow side-loading on iOS; in response to a question about how iOS side-loading will work through Intune, a Microsoft spokesperson cited this passage from the Windows for Your Business blog:

….

Source: http://www.reuters.com/article/2012/04/16/us-aircanada-incident-idUSBRE83F10120120416

A sleepy Air Canada pilot first mistook the planet Venus for an aircraft, and then sent his airliner diving toward the Atlantic to prevent an imaginary collision with another plane, an official report said on Monday.

Sixteen passengers and crew were hurt in the January 2011 incident, when the first officer rammed the control stick forward to avoid a U.S. plane he wrongly thought was heading straight toward him.

"Under the effects of significant sleep inertia (when performance and situational awareness are degraded immediately after waking up), the first officer perceived the oncoming aircraft as being on a collision course and began a descent to avoid it," Canada's Transportation Safety Board said.

"This occurrence underscores the challenge of managing fatigue on the flight deck," said chief investigator Jon Lee.

The incident occurred at night on board a Boeing 767 twin engine passenger plane flying from Toronto to Zurich in Switzerland with 95 passengers and eight crew.

The report said the first officer had just woken up, disoriented, from a long nap, when he learned from the pilot that a U.S. cargo plane was flying toward them.

"The FO (First Officer) initially mistook the planet Venus for an aircraft but the captain advised again that the target was at the 12 o'clock position (straight ahead) and 1,000 feet below," said the report.

"When the FO saw the oncoming aircraft, the FO interpreted its position as being above and descending towards them. The FO reacted to the perceived imminent collision by pushing forward on the control column," the report continued.

The airliner dropped about 400 feet before the captain pulled back on the control column. Fourteen passengers and two crew were hurt, and seven needed hospital treatment. None were wearing seat belts, even though the seat-belt sign was on.

….

Source: http://news.cnet.com/8301-1035_3-57415324-94/oracle-ceo-larry-ellison-i-dont-know-if-java-is-free/

Among the highlights emanating from U.S. District Court in San Francisco courtroom 8 today was Oracle CEO Larry Ellison's response to a question regarding the status of the Java programming language, which his company acquired when it bought Sun Microsystems in 2010.

Asked by Google's lead attorney, Robert Van Nest, if the Java language is free, Ellison was slow to respond. Judge William Alsup pushed Ellison to answer with a yes or no. As ZDNet reporter Rachel King observed in the courtroom, Ellison resisted and huffed, "I don't know."

In other words, it's complicated.

Java is free, but it also has a set of licenses that are required for specific use cases. Google's defense is that the 15 million lines of code in its Android smartphone software contains only the parts of Java that are freely available and not restricted by licensing or copyright. Google's strategy, in part, was to fork from the standard Java implementation to ensure that Android provided a differentiated platform for app developers.

A license to Java is required when class libraries based on Java API designs are used and when Java software components are download. Oracle disputes Google's claim that Android doesn't use any Java code, and it asserts that the company also used documentation and developer tools that would legally require a license from Oracle (see the slideshow below with Oracle's case against Google).

Google asserts that Android doesn't use any Java code or documentation not in the public domain, and it says the 37 APIs in Android that Oracle has identified as infringing on its intellectual property are not subject to copyright. Therefore, Google says, it doesn't need to pay Oracle licensing fees.

….

Source: http://www.infoworld.com/d/security/spoiler-alert-your-tv-will-be-hacked-191013?page=0,0

[KR: I put this story in because of the way the author has addressed this. He says “I got root from directory traversal and XSS!” I might be ignorant here, but that a directory traversal vulnerability and a reflected XSS != root shell. They might have found vulnerabilities in the box, and TVs might be truly hackable, but the story reads like FUD to me, honestly.]

Last week you may have read a headline that blared "100 million TVs will be Web-connected by 2016." Will Internet TVs will be hacked as successfully as previous generations of digital devices?

Of course they will!

Nothing in a computer built into a TV makes it less attackable than a PC. Internet-connected TVs have IP addresses, always-on network interfaces, CPUs, storage, memory, and operating systems — the details that have offered hackers a bounty of attack choices for the last three decades.

Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively. Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.

….

Source: http://www.infowars.com/mandatory-big-brother-black-boxes-in-all-new-cars-from-2015/

A bill already passed by the Senate and set to be rubber stamped by the House would make it mandatory for all new cars in the United States to be fitted with black box data recorders from 2015 onwards.

Section 31406 of Senate Bill 1813 (known as MAP-21), calls for “Mandatory Event Data Recorders” to be installed in all new automobiles and legislates for civil penalties to be imposed against individuals for failing to do so.

“Not later than 180 days after the date of enactment of this Act, the Secretary shall revise part 563 of title 49, Code of Federal Regulations, to require, beginning with model year 2015, that new passenger motor vehicles sold in the United States be equipped with an event data recorder that meets the requirements under that part,” states the bill.

Although the text of legislation states that such data would remain the property of the owner of the vehicle, the government would have the power to access it in a number of circumstances, including by court order, if the owner consents to make it available, and pursuant to an investigation or inspection conducted by the Secretary of Transportation.
Given the innumerable examples of both government and industry illegally using supposedly privacy-protected information to spy on individuals, this represents the slippery slope to total Big Brother surveillance of every American’s transport habits and location data.

The legislation, which has been given the Orwellian title ‘Moving Ahead for Progress in the 21st Century Act’, sailed through the Senate after being heavily promoted by Democrats Harry Reid and Barbara Boxer and is also expected to pass the Republican-controlled House.

….

Source: http://blog.trendmicro.com/fake-skype-encryption-software-cloaks-darkcomet-trojan/

Source: http://edition.cnn.com/2012/02/17/tech/web/computer-virus-syria/index.html

As the conflict in Syria persists, the Internet continues to play an interesting role. As we reported in a previous post, there have been targeted attacks against Syrian opposition supporters. With activists’ continued use of social media, it is not surprising to read reports of targeted phishing attempts to steal Facebook and YouTube credentials. A CNN report also revealed that a malware was being propagated through Skype, which brings us to another Skype-themed attack that we have uncovered.

We discovered a webpage that advertises a software that purports to provide encryption for Skype. This page is hosted in Syria on {BLOCKED}encription.sytes.net, which resolves to {BLOCKED}.{BLOCKED}.0.28 – the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications.

If users are tricked into downloading the file, a program does appear that is supposed to encrypt users’ Skype data. The said file, Skype Encription v 2.1.exe, is detected by Trend Micro as BKDR_METEO.HVN. During the analysis, we did not find any evidence that the software actually provides any security properties.

….

[end]

Announcements

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source:  http://news.techworld.com/personal-tech/3352311/anonymous-launches-anonpaste-alternative-pastebincom

Source:  http://www.peoplesliberationfront.net/anonpaste/index.php?f77e6760ee863006#GZIF9S28dOZ7Qhs4FhbEAftRk5NPIFDqlstEzF9hR2A=

The Anonymous hacking collective has launched a new site that it claims will allow users to post material without fear of being tracked down.

Anonymous described the new site, dubbed AnonPaste, as a safer site than Pastebin.com, which has been used by hackers to post evidence of their exploits.

In a joint statement issued Tuesday, Anonymous and a group calling itself the People's Liberation Front said the new site will allow people to post any material with complete anonymity.

The statement said posts to the new site would not be censored or moderated in any way.

The two groups said AnonPaste offers 256-bit AES encryption at the browser layer. All data posted to the site will be encrypted and decrypted in the browser so no "usable paste data [is] stored on the server for the authorities or anyone else to seize," the statement claimed.

"There will be no need for us to police this service, and in fact we don't even have the ability of deleting any particular paste," it said.

AnonPaste supports a URL shortening feature and allows users to post up to 2MB of text snippets at a time. Users can specify how long they want the text to remain available on the site.

Pastebin.com was originally created for programmers to temporarily store and share snippets of code and configuration information. Over the years, people have used the site to post and share all sorts of documents and has become a favorite for hackers looking to publicize details of their exploits.

Anonymous, LulzSec and other groups routinely post documents obtained from hacking attacks. Often, the documents posted on Pastebin have included personal, financial and confidential information of individuals and businesses.

Anonymous and the People's Liberation Front said AnonPaste was launched after learning that Pastebin.com may move to censor content and pass on the IP addresses of people posting on its site to law enforcement authorities.

….

Source: http://www.networkworld.com/community/node/80324

Source: http://cee.mitre.org/docs/overview.html

Enter the Common Event Expression (CEE) standard, a group effort being championed by Mitre Corporation.  Other participants include Cisco, HP/ArcSight, McAfee, NIST, and Microsoft.  CEE seeks to solve a basic problem that doesn't get enough attention.  Every IT device and application generates log files but there really are no standards for how these logs present their data.  As a result, you either have to learn what the log files are telling you or develop technologies to normalize these logs into some common and useable format.  It's easy to see how this has become such a big problem — more IT stuff, more logs of different flavors that needs to be collected, normalized, processed, etc.

CEE is designed to address this problem from cradle to grave by defining common event definitions, enumeration, classification, languages, transport protocols, etc.  In other words, everything to event/log production to event/log consumption is covered.

Mitre is no stranger to security standards, think CVE (Common Vulnerability Enumeration).  That said, CEE is not the only game in town.  The Linux community has something called "Project Lumberjack," Verizon touts a standard called Verizon Enterprise Risk and Incident Sharing (VERIS), and the IETF is playing in this space as well.  CEE doesn't necessarily compete with these other efforts however since it is extensible and could work in concert with other standards.

I noticed that Sensage and Tripwire have announced support for CEE and would encourage others to do the same.  CEE is not a panacea by any means, but enterprise organizations need better security intelligence and analytics ASAP and no one should expect them to invest years of time and tens of millions of dollars to piece together customer solutions.  Security standards like CEE can go a long way toward expediting common security data standards, wider data exchange, and deeper analysis.  For that reason alone, the security technology industry should be much more engaged.

….

Source:  http://www.11alive.com/news/article/238755/40/Emory-Healthcare-missing-info-on-patients-from-17-year-period

Emory Healthcare says they are missing 10 data disks of information on surgical patients from between 1990 and 2007 from a storage location at Emory University Hospital.

Officials released a statement Wednesday afternoon that said as soon as they discovered the disks were missing, that an exhaustive search began. The search and investigation is continuing.

According to the university, the disks were removed from their storage location at some point between February 7 and February 20, 2012. The disks came from an old computer system that was deactivated in 2007.

Officials insist there is no indication the information has been misused in any way. They also insist this is not a breach or hacking of their systems.

….

Source:  http://www.zdnet.co.uk/blogs/security-bulletin-10000166/anonymous-to-launch-attacks-on-govt-mcdonalds-10025916/?s_cid=938

Groups of Anonymous hacktivists from around the world plan to focus distributed denial-of-service attacks on organisations including the Home Office, GCHQ, and McDonald's on Saturday.

Activists from Sweden, Brazil, the US and Russia will participate in attacks on the websites of the Home Office, GCHQ, MI5, MI6, Theresa May, Number 10, the Supreme Court, McDonald's, EDL, BNP, the Be my Parent adoption agency, and Justice, members of UK Anonymous group AnonAteam told ZDNet UK via an internet radio broadcast on Wednesday.

"We've scanned [GCHQ and the Home Office]," Anonymous hacker 'Winston Smith' said. "We've uncovered paths we didn't realise were available, from the scans that we've done."

A hacker identified as 'Murdoch' directed ZDNet UK to a Pastebin document — purportedly the results of scans of systems of the organisations to be targeted.

"GCHQ is running on Linux 2.6.18 and has got port 80 open," Smith told ZDNet UK. "We will try to attack four [GCHQ] ports."

Smith said that Anonymous had gleaned information from a failed attempt to take down the GCHQ website last weekend.

"[GCHQ] moved around some of the pages we were attacking before — we couldn't analyse the traceroutes," said Smith. "There will be three or four types of attack, using three or four types of technology. We have agreed with other groups to attack together."

The Home Office website was attacked during the course of the radio broadcast on Wednesday, and was intermittently up and down, according to checks made by ZDNet UK.

Before those disruptions, a Home Office spokesman said the government department was bracing itself for attacks.

….

Source:  http://www.thenewstribune.com/2012/04/18/2111929/facebooks-rite-of-passage-into.html

"Welcome to Facebook!"

Underneath, printed in big, bold, red letters, are slogans like: "We Hack Therefore We Are," or "Move Fast and Break Things." Within days, your software code will be in front of our more than 845 million users.

And so begins the six-week journey of a new employee class in Facebook's "Bootcamp," an experience shared by every engineering hire, whether they are a grizzled Silicon Valley veteran or a fresh-faced computer science grad. Since 2008, hundreds of Facebook's engineers have passed through Bootcamp, which may lack the physical tests of military basic training but does provide the same kind of shared experience and cultural indoctrination into the world's largest social network.

Bootcamp is one part employee orientation, one part software training program and one part fraternity/sorority rush. When new engineering recruits are hired at Facebook, they typically do not know what job they will do. They choose their job assignment and product team at the culmination of Bootcamp, a program that exemplifies Facebook's adherence to founder and CEO Mark Zuckerberg's "Hacker Way," an organizational culture that is supposed to be egalitarian, risk-taking, self-starting, irreverent, collaborative and creative.

Each new recruit needs to take a deep breath. Within a few days, all are expected to be pushing live software updates out to the better part of a billion users. If a Bootcamper crashes part of Facebook doing that, well, it won't be the first time.

"I would describe it as a way for us to educate our engineers not only on how we code and how we do our systems, but also how to culturally think about how to attack challenges and how to meet people," said Joel Seligstein, the head of the Bootcamp program, who might be described as Facebook's answer to Yoda. "We like to teach what's important very early on, on Day 1. I would say it's even more of a cultural program than it is a teaching program."

From "the HP Way" at Hewlett-Packard to Google's sense of what's "Googley," company culture is a mainstay of Silicon Valley life. With workplace perks like free gourmet food and other amenities, life at Facebook doesn't look much different on the surface from Google, Zynga, Twitter or many other young, fast-growing Internet companies.

….

Source:  

http://www.nbcbayarea.com/news/local/Berkeley-High-School-Uncovers-Attendance-Scam-148023145.html

About 50 Berkeley High School students will be suspended and up to four could be expelled for a recently discovered scheme in which students hacked into the school's attendance system and sold cleared absences to classmates, school administrators said Wednesday.

School staff discovered the breach in the school's attendance system while reviewing student data a few weeks ago, according to Principal Pasquale Scuderi. Administrators found that several student accounts in the school's attendance database, called Powerschool, appeared to have unauthorized changes to their attendance records last fall.

Further investigation revealed that at least four students got their hands on an administrative password that allows access to Powerschool, then logged in and cleared absences or tardy marks on classmates' records for a fee, Scuderi said. The principal did not disclose how much money the students exchanged, but said an investigation by district technical staff and administrators showed that about 50 students participated in the scam.

"The degree of involvement ranged from what we now know was a few students literally selling the clearance of absences to those who may have accepted having a few absences or tardies cleared by a friend or acquaintance who gained access," the principal said in a statement.

Scuderi said he believes the expulsion of those students who launched the scam is an appropriate response, considering the number of administrative hours spent to investigate the scheme as well as the "flagrant dishonesty exhibited".The principal said that while he is disappointed in the students, he hopes the incident will be a teachable moment for staff and parents and is encouraged by current attendance records for the school's 3,200 students.

The school's attendance record rose to 94 percent for the first seven months of the school year compared to 92 percent during the same period last year. Over the past year, the school has made attendance a top priority, hiring a dean of attendance to oversee the school's attendance process and crack down on chronic truancy, the principal said. Scuderi credited the school's addition this year of a dean of attendance as well as the school's teachers for keeping attendance levels high.

….

Announcements

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source:  http://arstechnica.com/tech-policy/news/2012/04/study-shows-cybercrime-estimates-to-be-overblown.ars

Since the first zero met the first one, people have been shrilly overestimating the effects of computers on our day-to-day lives. Most instances of wild exaggeration are eventually brought back down to earth (at least for a while). It happened with the wild estimates of economic harm done by piracy. The latest aspect of our shared interaction to be punctured is cybercrime, the extent and pervasiveness of which has been described in terms of near-Apocalyptic overstatement, according to the authors of a new report.

The report, "Sex, Lies and Cyber-crime Surveys" (PDF), by Dinei Florencio and Cormac Herley of Microsoft Research, has now been released.

In an op-ed in the New York Times that coincided with the report's release, they wrote, "One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable."

What initially attracted the authors' attention was the disparity between the huge figures and the fact that access to these resources (money, via hacking) is relatively easy.

"The demand for easy money outstrips supply. Is cybercrime an exception?" Florencio and  Herley asked. "If getting rich were as simple as downloading and running software, wouldn't more people do it, and thus drive down returns?"

The problem, they discovered, was in the manner of gathering the cybercrime loss figures. They were put together via surveys.

"First, losses are extremely concentrated," they wrote in the report, "so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail."

Because the survey results are not representative of the population as a whole, each reported loss in one of the surveys is extrapolated to a large, and unsupported, amount in the general population.

"One unverified claim of $7,500 in phishing losses translates into $1.5 billion."

A combination of the remarkably enduring fiction that anything with an "e" or an "i" in front of it is terra incognita, a land of mystery where precedents are nonexistent and the normal rules of space and time do not hold, combined with, well, lazy thinking, have, the authors maintained, created a common wisdom wildly out of sync with simple facts and basic mathematics.

….

Source: http://www.forbes.com/sites/andygreenberg/2012/04/17/hackers-tiny-spy-computer-cracks-corporate-networks-fits-in-an-altoid-tin/

The next time an unexpected “repairman” cruises past your company’s security desk, you might want to check inside his tin of mints or pack of cigarettes. Especially if he’s also carrying an ethernet cable.

Kevin Bong, a Wisconsin-based security researcher and penetration tester, has developed what he calls the Mini Pwner, a spy computer smaller than a smartphone designed to be inconspicuously plugged into an ethernet port to gain access to a corporate network, feeding information back to a nearby hacker over its wifi signal. Bong sells a kit for the mini spy node for $99, but he also explains on his website how to put one together independently with just a TP-Link router running the open source OpenWRT software, a USB thumb drive, and a battery pack–components that add up to less than $40.

The result is a network cracking tool that’s just two inches square by one inch thick. Or with a bit more hardware fiddling, the Mini Pwner can even be removed from the TP-Link router’s plastic case and reassembled small enough to fit in an Altoids tin–a variant that Bong calls the “Minty Pwner.” (He admits the metal case might interfere with the router’s signal if it’s left inside.)

Bong says he built the Mini Pwner, whose name refers to the hacker lingo “to pwn” meaning to hack or gain control of a target, to aid in his day-to-day work sussing out clients’ security vulnerabilities as a penetration tester for the Brookfield, Wisconsin consultancy Synercomm. “The easiest way to get into a company is still to walk in looking professional and talk your way into a wiring closet,” says Bong. “Once this thing is configured, you can plug it in to the network you’re attacking and connect back to the router itself from the parking lot.”

Once it’s plugged into an open ethernet port on a wall, in a server closet or even into one of a company’s IP phones, the Mini Pwner is designed to run simple scanning tools including Nmap and dSniff that allow a hacker to map out a company’s network and passively collect information. More importantly, it can create a VPN connection so that a nearby hacker can connect to the tiny router’s wifi signal, tunnel into the target network, and run hacking tools like Metasploit to gain further access. The battery pack offers at least four hours of hacking time, Bong says, but a USB port on the Pwner can also be hooked up to power the device indefinitely.

….

Source: http://www.zdnet.com/blog/security/15-year-old-arrested-for-hacking-259-companies/11585

Austrian police have arrested a 15-year-old student suspected of hacking into 259 companies across the span of three months. Authorities allege the suspect scanned the Internet for vulnerabilities and bugs in websites and databases that he could then exploit. As soon as he was questioned, the young boy confessed to the attacks, according to Austria’s Federal Criminal Police Office (BMI).

The boy allegedly stole data and published it publicly after breaching the security infrastructures of 259 firms. He also defaced many company websites and boasted about his accomplishments on Twitter, where he also posted links to his data dumps.

The firms were attacked between January 2012 and March 2012, and they were not limited to just Austria. He didn’t seem to target specific types of industries: everything from sports companies, to tourism services, to adult entertainment, to search services were attacked.

The young man reportedly admitted to being responsible, saying that he was bored and wanted to prove himself. He was described as anti-social, and so looked to the online world for praise and affirmation, possibly being inspired by reports about the hacktivist group Anonymous.

After finding a hacker forum that gave members points for successful attacks, the boy went to work. Three months later, the 15-year-old was in the top 50 hackers of the approximately 2,000 users registered on the forum.

The teenager used various hacking tools widely available on the Internet, including software that helped him remain anonymous. Now and then, he left messages in the systems he hacked, or simply signed them with the hacker name ACK!3STX (a search for the handle on Twitter gave me no results).

Eventually, however, ACK!3STX’s anonymizing software failed him and his IP address was visible to BMI’s C4 (Cyber Crime Competence Centre) unit. C4 had been receiving multiple complaints from companies since the beginning of the year, so they started monitoring the hacker. At the end of last month, the unit traced his location to a residence in Lower Austria, and then obtained a search warrant.

….

Source: http://www.securitynewsdaily.com/1742-fbi-arrests-cabin-crew-hacker.html

Federal agents have arrested another member of the Cabin Cr3w hacking group, an offshoot of the Anonymous hacktivist network, for breaching two Utah police websites.

John Anthony Borell III of Toledo, Ohio, has been charged with two counts of computer intrusion, according to an indictment unsealed yesterday (April 16) in a federal court in Utah. The indictment states that on two separate occasions in January, Borell hacked into the servers of the Utah chiefs of police and the Salt Lake City Police Department and leaked classified documents.

Borell, 21, pleaded not guilty to the charges, the Associated Press reported. He faces 10 years in prison and a $250,000 fine if convicted.

….

Source:  http://threatpost.com/en_us/blogs/google-warns-20000-webmasters-about-weird-redirects-041812

The head of Google's Web spam team says that the company has pushed warning messages to some 20,000 Web site owners that their sites may be compromised and are performing "weird" redirections, possibly to malicious Web sites.

Matt Cutts used a Twitter message on Tuesday to announce that the company sent "your might be hacked' messages to the sites, which are in "dozens of different languages." The notices from the company's Search Quality Team, are visible on the Web sites in question and warn web masters that their site "may be hacked" and that JavaScript may have been injected into the site to "redirect users to malicious sites."

"You should check your source code for any unfamiliar JavaScript and in particular any files containing "eval(function(p,a,c,k,e,r). The malicious code may be placed in HTML, JavaScript or PHP files so it's important to be thorough in your search," Google warns.

A search turned up only a handful of non-english Web sites displaying the warning text, though Cutts said that 20,000 Webmasters received the notice.

It's not the first time Google has taken action to weed out compromised Web sites from those that may turn up in search results. In July, 2011, the company removed Web sites hosted on .co.cc free Web hosting service from its search results, saying that because such a large percentage of the sites on that free hosting provider are low-quality or spammy.

….

Special Guest Co-Host SkyDog.

Announcements:

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source: http://averysawaba.blogspot.com/2012/04/uncrackable-quantum-encryption-unicorns.html

http://www.zdnet.com/blog/security/researchers-develop-quantum-encryption-method-to-foil-hackers/11326

I'm only going to address uncrackable quantum encryption though. I'm not touching unicorns or perpetual motion.

This article over at ZDNet was responsible for sending me down this rabbit hole, though I've been rolling my eyes at "Uncrackable Quantum Encryption" articles for at least a decade.

First off, most of the "uncrackable quantum encryption" claims refer to encrypting data for transmitting across networks, between endpoints. The idea is that you can make a tamper-evident system due to the nature of quantum mechanics. If an attacker attempts to manipulate or observe data in a quantum system, the data will be altered. Once altered, we're aware of the attacker and can take countermeasures.

It is more likely that companies and researchers trying to sell the idea of quantum encryption are depending on its Sci-Fi "WOW" factor to sell it as the next big thing in cryptography. In reality there are many issues with quantum cryptography.

1. It is new, and largely untested

2. We already have uncrackable encryption…

3. The real problem in most encryption failures is poor implementation

4. Aside from researchers, no one is attacking cryptography

Show me some uncrackable quantum encryption that keeps your data safe, and I'll show you the treadmill I use to power my house. He never gets tired.

….

Source: http://threatpost.com/en_us/blogs/uk-teen-teamp0ison-member-arrested-phone-bomb-attack-041712

A British teenager beleived to be the hacker TriCk, a founding member of TeaMp0isoN has reportedly been arrested after launching a denial of service attack against an anti-terrorism hotline in the UK.

The 17 year-old, a resident of Birmingham in the UK, was arrested on April 12 in connection with a high profile "phone bomb" attack on a telephone hotline used to collect reports of possible terrorist activities. The attack, on April 11th, used an automated system to flood the hotline with calls in which a computerized voice said TeamP0ison," overwhelming phone operators. He and another 16 year old UK teen were arrested by members of the Metropolitan Police's eCrime Unit and charged with one count of causing a public nuisance and one count of violating the UK's 1990 Computer Misuse Act, according to Richard Jones, a spokesman for the Metropolitan Police.

The Metropolitan Police would not identify the youth by name, citing legal protections for minors. Nor would the agency confirm that either youth was TriCk or a TeaMp0ison member. However, in a post attributed to TeaMp0ison on the Web site Pastebin, the group identified one of the arrested teenagers as founding member TriCk.

"We've lost the first and most important member of our team; our founder, our brother, our family member. Most importantly we lost a fighter for freedom, a fighter against corruption," the statement reads.

Prior to the arrrests, the group and the member known as TriCk had been outspoken about their role in the attack on online. In an interview on the Web site Softpedia, someone claiming to be TriCk said the phone bomb attack was run using a software program known as Asterisk running on a compromised server in Malaysia. The attack was launched in retaliation for UK treatment of terrorism suspects and moves recently to extradite suspected terrorists to the U.S.

…

Source: http://www.pcadvisor.co.uk/news/security/3351453/website-vulnerabilities-fall-but-hackers-become-more-skilled

The number of coding mistakes on websites continues to fall but companies are slow to fix issues that could be exploited by hackers working with improved attack tools, a security expert said.        

The average number of serious vulnerabilities introduced to websites by developers in 2011 was 148, down from 230 in 2010 and 480 in 2009, said Jeremiah Grossman, chief technology officer for WhiteHat Security, which specializes in testing websites for security issues. Grossman spoke on the sidelines of the Open Web Application Security Project conference in Sydney on Monday.

The vulnerabilities are contained within custom website code and are not issues that can be fixed by applying patches from, for example, Microsoft or Oracle, Grossman said. According to WhiteHat Security statistics, it takes organizations an average of 100 days to fix about half of their vulnerabilities.

The risk is that vulnerabilities which haven't been speedily remedied could be found by a hacker, resulting in a high-profile data breach such as those that affected Sony, the analyst firm Stratfor Global Intelligence, and AT&T.

Hackers are honing their skills and are becoming better focused. They are using a wider array of improved tools in order to find coding problems in websites. "Offense gets better every year," Grossman said.

…

Source:  http://cyberarms.wordpress.com/2012/04/16/remotely-recovering-windows-passwords-in-pl

There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. Why spend hours, days, or months trying to crack a complex password when you can just pull it from Windows memory as unencrypted text?

We have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows Hashes. This is due to the fact that Windows stores these passwords in an easy to crack LM hash. An old encryption used for backwards compatibility. Microsoft allows you to disable the older LM Hash, but as Mike Pilkington discusses on the SANS blog, Microsoft still creates the hash and stores it in memory.

No big deal, just make your passwords 15 characters or greater and problem solved. The LM hash will not be created, only the more secure NTLM hash. Well, not so fast. It seems that the LM hash is not the only version of the passwords Windows keeps in memory, it also keeps a copy of the passwords in plain text.

Which you can even recover remotely…

Pauldotcom.com has a great article explaining how to use Mimikatz to recover remote passwords. In this example, I used the website Java attack through the Social Engineering Toolkit (SET) to obtain a remote shell. First thing you will want to do is download Mimikatz and place the files you need (Windows 32 or 64 bit) in a directory on your Backtrack system. Then run SET and pick the website java attack option.

…

Source: http://www.h-online.com/security/news/item/Oracle-accidentally-release-MySQL-DoS-proof-of-concept-1526146.html

Recently Oracle accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, which referred in their changes to "Security Fix: Bug #13510739 and Bug #63775 were fixed" with no other details on the problems. It is a common practice to keep details of issues which could be used to against older versions of software; even the bug reports for 13510739 and 63775 are not yet publicly available.

But, as security researcher Eric Romang found, Oracle also shipped the new MySQL versions with a development script "mysql-test/suite/innodb/t/innodb_bug13510739.test" in the source which appears to be not only part of the automated testing for MySQL, but also a proof of concept for the flaw which crashes MySQL 5.5.21 and earlier versions. Romang posted the script on Pastebin; it requires authenticated access and appropriate privileges to be run which mitigates the problem somewhat.

This incident demonstrates that, especially with applications where the buildable and testable source code is released, if a company is going to adopt a non-disclosure policy, it really is necessary to make sure that absolutely no information leaks out in the form of test scripts. A better path for companies is to adopt a policy where they fully document what they have fixed and release test scripts for administrators to test their installations; trying to hide security bug fixes makes no sense when criminals and other bad actors are already looking for them and will find plenty of hints in the code itself.

…

Source: http://www.phrack.org/issues.html

If not talked about yet, should note that Phrack issue #68 is out.

….

Special Co-Host Varun Sharma.

Announcements:

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA

http://www.sans.org/mentor/details.php?nid=28014
 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source: http://arstechnica.com/tech-policy/news/2012/04/great-firewall-hiccup-china-loses-internet-connectivity-for-an-hour.ars

Thursday Internet traffic dropped off substantially to and from China. Paul Mozur of the Wall Street Journal's China Real Time blog tracked the outage as a data dropoff lasting from 11:00am to 1:00pm local time.

The interruption spawned a host of possible explanations. These included the powerful 8.6 magnitude earthquake the day before off the coast of Indonesia, a cinching down of the "Great Firewall of China" censorship system, a failure in the country's network backbone, and a software upgrade.

There is a bottleneck of undersea cables in the Malacca Straits which could have been affected by the quake. China is connected to the Internet from only three major points, as the Guardian notes in its coverage. This makes the country arguably more vulnerable than countries like the US.

However, Xu Chuanchao, an executive with Sohu, one of China's largest Web portals, posted to his microblog his opinion that "This malfunction is caused by the failure of China's backbone network and is under renovation."

The publication also pointed out that many "lesser known VPNs seemed to connect without any problems." and quoted David Wolf of Wolf Group Asia as saying, "It's possible they were short of capacity and that's why some people got through, but given that obscure VPNs were working I find that hard to believe."

…

Source: http://www.cio.com/article/704343/Two_More_Mac_Trojans_Discovered_but_Don_t_Panic

Following the outbreak of the Flashback Mac Trojan, security researchers have spotted two more cases of Mac OS X malware. The good news is most users have little reason to worry about them.

Both cases are variants on the same Trojan, called SabPub, Kaspersky Lab Expert Costin Raiu wrote on Securelist.

The first variant is known as Backdoor.OSX.SabPub.a. Like Flashback, this new threat was likely spread through Java exploits on Websites, and allows for remote control of affected systems. It was created roughly one month ago.

Fortunately, this malware isn't a threat to most users for a few reasons: It may have only been used in targeted attacks, Raiu wrote, with links to malicious Websites sent via e-mail, and the domain used to fetch instructions for infected Macs has since been shut down.

Furthermore, Apple's security update for Flashback helps render future Java-based attacks harmless. In addition to removing the Flashback malware, the update automatically deactivates the Java browser plug-in and Java Web Start if they remain unused for 35 days. Users must then manually re-enable Java when they encounter applets on a Web page or a Web Start application.

The second SabPub variant is old-school compared to its sibling. Instead of attacking through malicious Websites, it uses infected Microsoft Word documents as vector, distributed by e-mail.

…

Source: http://www.zdnet.com/blog/facebook/google-facebook-and-apple-threaten-internet-freedom/11805

Back in September 2011, a Google executive said Facebook was becoming “a closed walled garden”. Google co-founder Sergey Brin has now taken that comment further, saying that Facebook is becoming a threat to the Internet, along with Apple, and of course the various governments trying to censor their citizens. Just last week, the hacktivist group Anonymous hacked three U.K. government websites over what it called the country’s “draconian surveillance proposals” and “derogation of civil rights.”

Brin’s comments were made to The Guardian:

The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.

He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.”

Brin argued he and co-founder Larry Page would not have been able to create Google if Facebook had been there first. This is because search engines require an open Web, and too many rules not only close it down, but they “stifle innovation,” Brin said. He of course didn’t mention anything about Google’s Search plus Your World (SPYW) feature, which mainly prioritizes Google+ over other social networks.

…

Source: http://www.geekwire.com/2012/how-nathan-myhrvold-almost-invented-the-iphone/

A cover story in Men’s Journal, called “How a Geek Grills a Burger,” casts the former Microsoft chief technology officer as a “mad scientist” living out a “nerd fantasy.”

He has a bestselling six-volume cookbook, he studied astrophysics with Stephen Hawking, and his giant Tyrannasaurus rex skeleton has turned his waterfront home into a tourist attraction.

And yes, by the way, he tried to convince Microsoft to make the iPhone, basically, more than two decades ago. From the piece …

In 1991, Myhrvold predicted the emergence of the iPhone down to the smallest detail, describing a “digital wallet” that would consolidate all personal communication — telephone, schedule manager, notepad, contacts, and a library of music and books, all in one. It would record and archive everything you asked it to, he surmised. “The cost will not be very high,” he wrote. “It is pretty easy to imagine a $400 to $1,000 retail price.” Microsoft, however, was too cost conscious and risk averse to execute Myhrvold’s vision. “Hey, it was better than predicting the wrong thing,” Myhrvold says now.

….

Source: http://www.examiner.com/computers-in-denver/boeing-prepares-an-ultra-secure-smartphone

Earlier this week, it was revealed that aerospace firm Boeing was working on a high security mobile device for the various intelligence departments. This device will most likely be released later this year, and at a lower price point than other mobile phones targeted at the same communities. Typically, phones in this range cost about $15,000-$20,000 per phone, and use custom hardware and software to get the job done. This phone will most likely use Android as its main operating system of choice, which lowers the cost per phone, since Boeing's developers don't have to write their own operating system from scratch. Click here to see pictures.

This is a welcome move by Boeing, as there are not many high security devices out on the market today. Additionally, any lowering of the price point for these phones is refreshing, as that would make it slightly cheaper to run operations. Boeing also stated that this is the first time that they have ever designed a mobile phone. It is also unknown which version of Android the phone will be running, but one would assume that it will be a version of Android 4.0.

The reasoning Boeing provided for this move was that it noticed a trend among its own employees that they have been wondering why the technology that they use at work isn't as good as the technology they use at home. This used to not be the case, and that's the main reason why Boeing choose to use Android as the Operating System.

Boeing also refused to give details on what the device will be named. Additionally, they also refused to name who they were partnering with on this project. This makes sense, however, since it is supposed to be a high security device. Boeing does not want information to get out about who they are talking to for this project so that there can't be any pre-emptive breaches of security for their hardware/software.

…

Source: http://arstechnica.com/tech-policy/news/2012/04/feds-shutter-online-narcotics-store-that-used-tor-to-hide-its-tracks.ars

Federal authorities have arrested eight men accused of distributing more than $1 million worth of LSD, ecstasy, and other narcotics with an online storefront that used the TOR anonymity service to mask their Internet addresses.

"The Farmer's Market," as the online store was called, was like an Amazon for consumers of controlled substances, according to a 66-page indictment unsealed on Monday. It offered online forums, Web-based order forms, customer service, and at least four methods of payment, including PayPal and Western Union. From January 2007 to October 2009, it processed some 5,256 orders valued at $1.04 million. The site catered to about 3,000 customers in 35 countries, including the United States.

To elude law enforcement officers, the operators used software provided by the TOR Project that makes it virtually impossible to track the activities of users' IP addresses. The alleged conspirators also used IP anonymizers and covert currency transactions to cover their tracks. The indictment, which cited e-mails sent among the men dating back to 2006, didn't say how investigators managed to infiltrate the site or link it to the individuals accused of running it.

Prosecutors said in a press release that the charges were the result of a two-year investigation led by agents of the Drug Enforcement Administration's Los Angeles field division. "Operation Adam Bomb, " as the investigation was dubbed, also involved law enforcement agents from several US states and several countries, including Colombia, the Netherlands, and Scotland.

….

Source:  http://www.securityweek.com/antisec-targets-michigan-law-enforcement-agency

AntiSec supporters, branding themselves the LulzKnights, targeted the Berrien County Sheriff's Department on Sunday. The St. Joseph, MI, law enforcement agency lost their internal emails and documents due to the incident, and they were published online. However, this breach could lead to more damage due to the number of hosted accounts that shared space with AntiSec’s victim.

Little was said about the reasoning for the attack against the Berrien County Sheriff's Department, other than the fact that it was related to one of AntiSec’s oldest traditions – Shooting Sheriff Saturday. This time however, Saturday was pushed forward a day, but the results were the same.