Audio: http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 163.mp3
ISD Podcast Episode 163 for June 30, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
MHDD Data Recovery Class, current dates and locations:
- Atlanta, GA – July 12th–16th
- Dallas, TX – October 11th–15th
- Washington, DC – December 6th–10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email email@example.com, or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the discount code isdpod15 for a 15% discount.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- SANS 560: Network Penetration Testing and Ethical Hacking – September 17-22, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
- SANS 577: Virtualization Security Fundamentals – September 17 & 18 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3807)
9am–5pm US ET, Hilton Atlanta Airport Hotel, 1031 Virginia Avenue, Atlanta, GA 30354
Kentuckiana ISSA Meeting:
July 9th from 11:30 AM to 1:00 PM at Sullivan University.
Ohio Information Security Forum:
Event Date: July 10th, 2010
Location: SCC Research Park, Auditorium
Friends of the Podcast:
Stories of Interest:
News item 1:
Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the hardware using a variety of dictionary-based attacks failed, even after the Brazilians called in the assistance of the FBI.
The files were encrypted using TrueCrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas could be compelled to reveal his passphrase under threat of imprisonment (under the Regulation of Investigatory Powers Act), but no such law exists in Brazil.
The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning the job over to code-breakers at the FBI in early 2009. US computer specialists also drew a blank after 12 months of effort to crack the code, Brazil's O Globo newspaper reports. Note what was attacked here: the passphrase, not the cipher. A dictionary attack only succeeds when the passphrase is in the list, and nothing in the story suggests a weakness in AES or in TrueCrypt itself.
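To make concrete why a year of dictionary attacks can come up empty, here is an added example (not code from the podcast or from TrueCrypt) that models the guessing loop the investigators faced. TrueCrypt derives its volume-header key with PBKDF2 over a 64-byte header salt; this example assumes PBKDF2-HMAC-SHA-512 with 1000 iterations, a count chosen to be in the range TrueCrypt used in that era, and stands in a small keyed verifier for TrueCrypt's real check (decrypting the header and looking for its magic bytes). The word lists, the `dragon123` passphrase and the guess rate are constructed inputs for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Iterator, Optional, Tuple

# Assumptions for this example: PBKDF2-HMAC-SHA-512, 1000 iterations, 64-byte salt.
# The iteration count is low by today's standards, which is what makes the
# per-guess cost realistic for 2010-era cracking hardware.
ITERATIONS = 1000
SALT_LEN = 64
KEY_LEN = 64


def derive_header_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One PBKDF2 run: the cost an attacker pays for every candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_volume_header(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Constructed stand-in for a volume header: (salt, verifier).
    TrueCrypt instead decrypts the header with the derived key and checks for its
    magic; for a guesser the effect is identical, one key derivation per candidate."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = derive_header_key(passphrase, salt)
    verifier = hmac.new(key, b"TRUE", "sha256").digest()
    return salt, verifier


def header_opens(passphrase: str, salt: bytes, verifier: bytes) -> bool:
    """Does this passphrase unlock the header? Constant-time compare on the verifier."""
    key = derive_header_key(passphrase, salt)
    return hmac.compare_digest(hmac.new(key, b"TRUE", "sha256").digest(), verifier)


def mangle(word: str) -> Iterator[str]:
    """Cheap rule set of the kind dictionary crackers apply to each base word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word.capitalize() + "!"


def dictionary_attack(salt: bytes, verifier: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the passphrase if some mangled dictionary word opens the header, else None."""
    for word in wordlist:
        for candidate in mangle(word):
            if header_opens(candidate, salt, verifier):
                return candidate
    return None


def random_passphrase(words, n: int = 6) -> str:
    """Diceware-style passphrase: n words drawn uniformly with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n))


def years_to_exhaust(list_size: int, n_words: int, guesses_per_second: float) -> float:
    """Worst-case time to try every n-word passphrase drawn from a list_size-word list."""
    return (list_size ** n_words) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    common_words = ["letmein", "dragon", "monkey", "qwerty"]
    salt, verifier = make_volume_header("dragon123")
    print("weak passphrase recovered:", dictionary_attack(salt, verifier, common_words))

    strong = random_passphrase(["correct", "horse", "battery", "staple", "sunset", "anvil"])
    salt, verifier = make_volume_header(strong)
    print("strong passphrase recovered:", dictionary_attack(salt, verifier, common_words))

    # Six words from a 7776-word Diceware list against a rig doing a million
    # PBKDF2 runs per second (an assumed, generous figure for 2010 hardware).
    print("years to exhaust 6 Diceware words: %.1e" % years_to_exhaust(7776, 6, 1e6))
```

The weak passphrase falls to the mangling rules in a handful of PBKDF2 calls; the multi-word one is simply never generated by a single-word list, and the exhaustive-search estimate for a six-word Diceware passphrase runs to billions of years even at a million guesses per second. That, rather than any property of AES, is the gap a key-disclosure law is meant to close.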
News item 2: http://th3j35t3r.wordpress.com/2010/06/30/unredacted-original-interview-with-die-welt-english/?utm_source=Jester%27s+Court+Blog
For months, a mysterious hacker has been successfully hunting Islamist websites. He calls himself "the Jester", and hardly any website that radical Islamists use to spread their propaganda is safe from him. Fearing revenge, the man will not give his name or otherwise disclose anything about his identity.
The hacker's most prominent victims are the Libyan dictator Muammar al-Gaddafi and the Taliban. On 14 June this year, the "Jester" attacked the official Taliban website for the umpteenth time.
"Power off for 30 minutes, for inciting young Muslims online to violent jihad" was the hacker's verdict; he brags about his successes on Twitter. At the end of February the "Jester" announced that he had hacked the website of Libyan leader Gaddafi and taken it offline for an hour. The reason, the hacker wrote, was Gaddafi's "call for jihad against Switzerland".
th3j35t3r has posted a transcript of an interview that he gave to German newspaper ‘Die Welt‘.
News item 3: http://nanocr.eu/2010/06/27/googles-mismanagement-of-the-android-market/
Earlier this week, CNET ran an article critical of the permission model of the Android Market. Google’s response to the criticism was that “each Android app must get users’ permission to access sensitive information”. While this is technically true, one should not need a PhD in Computer Science to use a smartphone. How is a consumer supposed to know exactly what the permission “act as an account authenticator” means? The CNET opinion piece “Is Google far too much in love with engineering?” is quite relevant here.
Google does far too little curation of the Android Market, and it shows. Unlike Apple's App Store, the Android Market has few high-quality apps. A study by Larva Labs (the developers of the excellent Slidescreen app) estimates that Apple has paid out 50 times more money to developers than Google has. While the Android Market is available in 46 countries, developers can only offer paid apps in 13 countries (for instance, Canada has only had access to paid apps since March 2010). In addition, the price of foreign apps is not displayed in the user's local currency, and developers do not have the option of customizing pricing by country.
The music downloading app “Tunee” (one of many such apps) is one of the Top Free apps in the Multimedia category with more than 250k downloads. While some would dishonestly try to pretend that such apps are meant for downloading public domain classical music, the developers of Tunee are very clear about their intent. A screenshot in the link above shows copyrighted music by the band Muse (Warner Music Group) being illegally downloaded.
These apps are damaging to companies that are building legitimate Android music apps (e.g. Rdio, Spotify and MOG), not to mention Amazon, whose MP3 store comes bundled with most Android phones in the U.S. Is Google's strategy to turn a blind eye to illegal music downloading until it launches its own music store?
News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP "How to write insecure code" page, this week with the section on Complexity:
Distribute security mechanisms
Security checks should be designed so that they are as distributed as possible throughout the codebase. Try not to follow a consistent pattern and don’t make it easy to find all the places where the mechanism is used. This will virtually ensure that security is implemented inconsistently.
Spread the wealth
Another great way to avoid being found is to make sure your security holes aren’t located in one place in your code. It’s very difficult for analysts to keep all of your code in their head, so by spreading out the holes you prevent anyone from finding or understanding them.
Use dynamic code
The single best way to make it difficult for a security analyst (or security tool for that matter) to follow through an application and uncover a flaw is to use dynamic code. It can be almost impossible to trace the flow through code that is loaded at runtime. Features like reflection and classloading are beautiful features for hiding vulnerabilities. Enable as many “plugin” points as possible.
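The three tips above describe one anti-pattern from different angles: if the same check is copy-pasted into every handler and reached through dynamic dispatch, nobody can find all the copies, so nobody notices when one of them drifts. The following is an added example (not from the OWASP page, whose own illustrations are Java) showing the drifted-copy version next to a single-enforcement-point version in Python, with `globals()` lookup standing in for Java reflection and class loading. The `User`/`Report` types, the role names and the `POLICY` table are constructed for the demo.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    role: str          # "admin", "auditor", "viewer" or "guest"


@dataclass
class Report:
    owner: str
    body: str


# --- The anti-pattern OWASP is mocking: the same rule re-implemented in every handler. ---
# The copies have drifted. Only delete_report is wrong, and nothing short of reading all
# three side by side reveals it.

def view_report(user: User, report: Report) -> str:
    if user.role in ("admin", "auditor") or report.owner == user.name:
        return report.body
    raise PermissionError("view denied")


def export_report(user: User, report: Report) -> bytes:
    if user.role == "admin" or report.owner == user.name:
        return report.body.encode()
    raise PermissionError("export denied")


def delete_report(user: User, report: Report) -> str:
    # Drifted copy: "not a guest" instead of "admin or owner", so any logged-in
    # viewer can delete anyone's report.
    if user.role != "guest":
        return "deleted"
    raise PermissionError("delete denied")


def dispatch_insecure(action: str, user: User, report: Report):
    # Dynamic dispatch on a caller-supplied name (Python's stand-in for reflection):
    # a tool following the static call graph never learns which handler runs here.
    return globals()[f"{action}_report"](user, report)


# --- The hardened form: one policy table, one enforcement point, one registry to audit. ---

POLICY = {
    "view":   lambda u, r: u.role in ("admin", "auditor") or r.owner == u.name,
    "export": lambda u, r: u.role == "admin" or r.owner == u.name,
    "delete": lambda u, r: u.role == "admin" or r.owner == u.name,
}

HANDLERS = {}


def authorized(action: str):
    """Register fn as the handler for `action`; the check lives here and nowhere else."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, report: Report):
            if not POLICY[action](user, report):
                raise PermissionError(f"{action} denied")
            return fn(user, report)
        wrapper.policy_action = action
        HANDLERS[action] = wrapper
        return wrapper
    return decorator


@authorized("view")
def view_report_secure(user, report):
    return report.body


@authorized("export")
def export_report_secure(user, report):
    return report.body.encode()


@authorized("delete")
def delete_report_secure(user, report):
    return "deleted"


def dispatch_secure(action: str, user: User, report: Report):
    # Unknown actions fail closed; only decorated handlers are reachable.
    if action not in HANDLERS:
        raise PermissionError(f"unknown action {action!r}")
    return HANDLERS[action](user, report)


def audit_policy_coverage() -> list:
    """Because the mechanism is in one place it can be checked in one place: every action
    in POLICY has a registered handler and every handler names its policy. Returns mismatches."""
    problems = [f"no handler for {a}" for a in POLICY if a not in HANDLERS]
    for action, handler in HANDLERS.items():
        if getattr(handler, "policy_action", None) != action:
            problems.append(f"handler for {action} bypasses policy")
    return problems


def is_denied(handler, user: User, report: Report) -> bool:
    """True if the handler refuses the request (used to compare the two designs)."""
    try:
        handler(user, report)
        return False
    except PermissionError:
        return True
```

The two designs answer the same requests, but only one of them lets a reviewer (or a grep) enumerate every place authorization is decided, and only one of them turns a missing check into something `audit_policy_coverage` can report rather than something a viewer discovers by deleting a report.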
News item 5: http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/fbi-investigating-possible-dshs-hacker/
The FBI is investigating whether a hacker broke into the Texas confidential cancer registry, possibly holding personal information and medical records hostage.
Texas Health and Human Services Commissioner Tom Suehs says Texas health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom. Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don't believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen. But if the FBI determines private records were revealed, Suehs says, health officials will quickly notify the people listed in the registry.
“This is an incident that makes everybody’s antennas go a little bit higher, and I’m using it as an opportunity to elevate our awareness of our responsibility to protect information,” Suehs says. “Nothing is 100-percent secure. But I think [most of] our systems, our processes, worked. And that’s the positive thing.”
The security scare comes at a sensitive time for Texas's health agencies, which are making plans to exchange Texas medical records electronically and expect an influx of federal dollars to help do it. Privacy advocates are already nervous about whether Texas has the technology safeguards to keep these records out of hackers' hands.
News item 6:
Google has moved the encrypted version of its search engine to a new Web address. Though the old URL (https://www.google.com) still works, Google announced recently that it launched encrypted.google.com in a nod to school administrators who want to block encrypted search for their students without blocking everything else served from the www.google.com hostname.
A side effect of blocking encrypted search is that it also blocks other services hosted on the secure URL, such as Google Apps