Your daily source of Pwnage, Policy and Politics.

Episode 161 – Terrorists, iPhone, JPMC Fail & Bad Droid Apps

ISD Podcast Episode 161 for June 28, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge along the way.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Atlanta, GA – July 12th-16th
    • Dallas, TX – October 11th – 15th
    • Washington, DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • Kentuckiana ISSA Meeting: July 9th from 11:30 AM to 1:00 PM at Sullivan University. http://www.issa-kentuckiana.org/index.php?option=com_content&view=article&id=13&Itemid=13
  • Ohio Information Security Forum: July 10th, 2010, 8:30AM-5:30PM, SCC Research Park, Auditorium

Friends of the Podcast:

Webhosting services: WebSpeedway

Corrections:
http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/

Stories of Interest:
News item 1: http://www.google.com/hostednews/ap/article/ALeqM5hnlGg0WbQxyqIeXJ_t7-N3aCJheAD9GDV11O0

Fighting homegrown terrorism by monitoring Internet communications is a civil liberties trade-off the U.S. government must make to beef up national security, the nation’s homeland security chief said Friday. As terrorists increasingly recruit U.S. citizens, the government needs to constantly balance Americans’ civil rights and privacy with the need to keep people safe, said Homeland Security Secretary Janet Napolitano.
But finding that balance has become more complex as homegrown terrorists have used the Internet to reach out to extremists abroad for inspiration and training. Those contacts have spurred a recent rash of U.S.-based terror plots and incidents.

Underscoring her comments are a number of recent terror attacks over the past year where legal U.S. residents such as Times Square bombing suspect Faisal Shahzad and accused Fort Hood, Texas, shooter Maj. Nidal Hasan, are believed to have been inspired by the Internet postings of violent Islamic extremists. And the fact that these are U.S. citizens or legal residents raises many legal and constitutional questions.

Napolitano said it is wrong to believe that if security is embraced, liberty is sacrificed. She added, “We can significantly advance security without having a deleterious impact on individual rights in most instances. At the same time, there are situations where trade-offs are inevitable.”

News item 2: http://www.thinq.co.uk/2010/6/18/phantom-data-sent-sleeping-iphones/

Now that just about every airtime provider is rethinking its mobile data plans, with most putting an end to unlimited contracts, it looks like iPhone users are paying more attention to their bills, and in particular how much data they are using. A large number of users in the USA and here in the UK have discovered that their iPhones are apparently sending large chunks of data during the wee small hours using the 3G network.

The simple fact of the matter is – as far as we can tell – that the iPhone’s push notifications and other small transfers of data are totted up throughout the day and the total for all of those notifications is added up after dark and sent to your airtime provider while your phone is sleeping. If these tiny amounts of data were individually listed your bill would probably be the size of a telephone directory.

The reason it is using the 3G network rather than Wi-Fi is that all iPhones up to and including the 3GS turn off Wi-Fi push functionality while the phone is in sleep mode, in order to preserve battery life. The iPhone 4, incidentally, has better power management so will not need to do this.

News item 3: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/Crypto_standard
JP Morgan Chase now reveals that starting July 18, 2010, only certain browsers will be supported: IE6 and higher, Firefox 2.0 and higher, and Safari 3.0 and higher (but only when used on a Mac). Google Chrome and Opera are not on the list. So IE6, a browser which now borders on silly, has several websites dedicated to its demise (www.ie6funeral.com) and carries several known security issues, makes the cut, while current releases of Chrome and Opera do not. One wonders how JP Morgan Chase came up with the list, given that their own explanation says “There are two primary reasons—security and popularity. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. The security of your accounts and private information is one of our highest priorities and some browsers, especially older versions, are simply higher security risks to use with our site.”

What is also interesting is their explanation of a Page Not Found error: “You may be using an outdated browser that we don’t support. There are dozens of browsers in use today, but not all offer the minimum levels of security that we require while others may not perform well with our site. We strongly recommend that you upgrade your existing browser to one that we support. We strongly recommend that you upgrade your existing browser to one that we support.” Since when does a server return 404 Page Not Found because the browser is not supported? A 404 means the requested URL does not exist and says nothing about the client that asked for it, so a user who hits a genuinely missing page is told to upgrade a browser that was never the problem. Overall, this move (and page) by JP Morgan Chase doesn’t look like it passed through anyone on their IT security team, or for that matter their IT team at all.
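The Chase page states a browser list but not how it is enforced; the usual mechanism for a list like that is a User-Agent allow-list. The following is an added example (the editor's, not Chase's code) that implements exactly the quoted list, IE 6+, Firefox 2.0+, Safari 3.0+ on a Mac, over constructed User-Agent strings in the formats those browsers used in 2010. The strings, the Opera/Chrome ordering and the 403 status are assumptions made for the example. The last sample is the caveat a practitioner would want: a browser that sends a supported browser's string passes unchanged, so this kind of gate is a compatibility notice, not a security control.

```python
import re

# Chase's published minimums as quoted in the show notes (assumed here to be
# enforced through the User-Agent header; the notes do not say how Chase checks).
MIN_IE, MIN_FIREFOX, MIN_SAFARI = 6, 2, 3


def identify(ua: str):
    """Parse a User-Agent string into (family, major_version, on_mac).

    Order matters: Opera can carry an 'MSIE' token and Chrome always carries a
    'Safari/' token, so both are recognised before IE and Safari are tested.
    """
    on_mac = "Macintosh" in ua
    if "Opera" in ua:
        # Opera 10+ puts its real version in 'Version/x'; older builds in 'Opera/x'.
        m = re.search(r"Version/(\d+)", ua) or re.search(r"Opera[/ ](\d+)", ua)
        return "Opera", int(m.group(1)) if m else 0, on_mac
    m = re.search(r"Chrome/(\d+)", ua)
    if m:
        return "Chrome", int(m.group(1)), on_mac
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return "IE", int(m.group(1)), on_mac
    m = re.search(r"Firefox/(\d+)", ua)
    if m:
        return "Firefox", int(m.group(1)), on_mac
    if "Safari/" in ua:
        # Safari 3 and later advertise their version in a 'Version/x' token;
        # a Safari string without one is treated as an older, unsupported build.
        m = re.search(r"Version/(\d+)", ua)
        return "Safari", int(m.group(1)) if m else 0, on_mac
    return "Unknown", 0, on_mac


def browser_allowed(ua: str) -> bool:
    """Apply the quoted list: IE 6+, Firefox 2.0+, Safari 3.0+ only on a Mac."""
    family, major, on_mac = identify(ua)
    if family == "IE":
        return major >= MIN_IE
    if family == "Firefox":
        return major >= MIN_FIREFOX
    if family == "Safari":
        return major >= MIN_SAFARI and on_mac
    return False


def status_for(ua: str) -> int:
    """HTTP status a gate like this should send. 404 means 'no such URL' and
    says nothing about the client; 403 (the editor's choice, not Chase's
    observed behaviour) at least states why the request was refused."""
    return 200 if browser_allowed(ua) else 403


# Constructed User-Agent strings in the formats these browsers used in 2010.
SAMPLE_UAS = {
    "ie6":             "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie5.5":           "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "firefox3.6":      "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6",
    "safari5_mac":     "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16",
    "safari5_windows": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16",
    "chrome5":         "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70 Safari/533.4",
    "opera10":         "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.00",
    # A Chrome user who started the browser with --user-agent set to Firefox's
    # string: nothing about the browser changed, but the gate now lets it in.
    "chrome_spoofed":  "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6",
}


def gate_report() -> dict:
    """Run every sample through the gate; returns {label: (family, allowed, status)}."""
    return {label: (identify(ua)[0], browser_allowed(ua), status_for(ua))
            for label, ua in SAMPLE_UAS.items()}


if __name__ == "__main__":
    for label, (family, allowed, status) in gate_report().items():
        print(f"{label:16} {family:8} allowed={allowed!s:5} status={status}")
```

Whatever security property Chase actually cares about (the page URL suggests it is about the browser's cryptography) has to be checked where it is real, in the TLS handshake, not in a header the client writes itself.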

News item 4: http://www.cultofmac.com/research-20-percent-of-android-apps-steal-private-data/47994
About one in five (20 percent) of third-party Android apps available through the Android marketplace can steal and share private user data, researchers said Tuesday. Akin to spyware, the apps can place calls and send text messages without the owners’ knowledge. As a result of the growth of smartphones and associated stores, “applications are currently available that have the potential to cause serious harm to devices, customers and to the broader cellular network,” said Daniel V. Hoffman, technology chief for SMobile Systems, an Android security vendor. The report, although to be taken with a grain of salt because of the source, does cause Apple fans to reconsider their opposition to Cupertino’s oft-criticized app approval methods.

“Dozens of these Android apps — and don’t forget, there are 48,000 Android apps in all, with just under 10,000 risky ones — are able to access the kind of data that spyware likes to grab,” according to a Computerworld blog.
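The report counts apps by what their manifests allow them to do. The following is an added example (the editor's, not SMobile's or Computerworld's code) that reads the <uses-permission> entries from an AndroidManifest.xml and flags the combination the article describes: a permission that reads private data plus a channel to get it off the phone, and any permission that lets the app place calls or send texts on its own. The permission names are real Android identifiers; the three buckets and the three sample manifests are constructed for the example and are not SMobile's methodology.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names. Sorting them into these buckets is this
# example's own heuristic for "can read something private and send it out",
# not the published method behind the 20 percent figure.
READS_PRIVATE_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",      # IMEI, phone number, call state
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
EXFIL_CHANNELS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
}
COSTLY_ACTIONS = {                              # what the article says the apps do unasked
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
}


def declared_permissions(manifest_xml: str) -> set:
    """Every android:name on a <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def assess(manifest_xml: str) -> dict:
    """Classify a manifest the way the report describes spyware-like apps:
    private data readable AND a channel to send it, plus any permission that
    lets the app place calls or send texts without the owner."""
    perms = declared_permissions(manifest_xml)
    reads = perms & READS_PRIVATE_DATA
    sends = perms & EXFIL_CHANNELS
    acts = perms & COSTLY_ACTIONS
    return {
        "spyware_like": bool(reads and sends),
        "private_data": sorted(reads),
        "exfil_channels": sorted(sends),
        "costly_actions": sorted(acts),
    }


# Constructed manifests; none of these is a real app.
SAMPLE_MANIFESTS = {
    # A flashlight has no business reading contacts, texting or dialling.
    "flashlight": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Flashlight"/>
</manifest>""",
    # A weather app legitimately needs location and network, yet the same
    # heuristic flags it: permissions say what an app may do, not what it does.
    "weather": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="Weather"/>
</manifest>""",
    "notepad": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad">
    <application android:label="Notepad"/>
</manifest>""",
}


def assess_samples() -> dict:
    """Assessment for every sample manifest, keyed by label."""
    return {label: assess(xml) for label, xml in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for label, result in assess_samples().items():
        print(label, result)
```

The weather app comes out flagged alongside the flashlight, which is exactly why the notes say to take the 20 percent figure with a grain of salt: a manifest scan finds apps that could behave like spyware, and telling those apart from apps that do requires watching what the code does with the data.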

News item 5: http://www.computerworld.com/s/article/9178498/Senate_committee_approves_controversial_cybersecurity_bill
A U.S. Senate committee has approved a wide-ranging cybersecurity bill that some critics have suggested would give the U.S. president the authority to shut down parts of the Internet during a cyberattack.

Senator Joe Lieberman and other bill sponsors have refuted the charges that the Protecting Cyberspace as a National Asset Act gives the president an Internet “kill switch.” Instead, the bill puts limits on the powers the president already has to cause “the closing of any facility or stations for wire communication” in a time of war, as described in the Communications Act of 1934, they said in a breakdown of the bill published on the Senate Homeland Security and Governmental Affairs Committee Web site.

The committee unanimously approved an amended version of the legislation by voice vote Thursday, a committee spokeswoman said. The bill next moves to the Senate floor for a vote, which has not yet been scheduled.

The bill, introduced earlier this month, would establish a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, which would work with private U.S. companies to create cybersecurity requirements for the electrical grid, telecommunications networks and other critical infrastructure.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.