Your daily source of Pwnage, Policy and Politics.


Episode 166 – Kraken, TVshack.net/TVshack.cc & proof that porn sites are safe(r)


ISD Podcast Episode 166 for July 6, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Atlanta, GA – July 12th-16th
    • Dallas, TX – October 11th – 15th
    • Washington, DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the discount code isdpod15 for a 15% discount.

Atlanta ISSA:

Kentuckiana ISSA Meeting:

  • July 9th from 11:30 AM to 1:00 PM at Sullivan University (http://www.issa-kentuckiana.org/index.php?option=com_content&view=article&id=13&Itemid=13).

Ohio Information Security Forum:

  • July 10th, 2010 from 8:30 AM to 5:30 PM at SCC Research Park, Auditorium (http://www.ohioinfosec.org/anniversary.htm).

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
  • Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price! After July 16th the ticket price will go back to normal.

Friends of the Podcast:

Web hosting services: WebSpeedway

Corrections:

Stories of Interest:
News item 1: http://www.scmagazineus.com/kraken-botnet-re-emerges-318000-nodes-strong/article/173611/

Kraken, a large and difficult-to-detect botnet that peaked in 2008 and was dismantled by early 2009, is back, and anti-virus solutions are struggling to detect it, according to researchers at Georgia Tech Information Security Center.

Paul Royal, a research scientist at Georgia Tech, identified that the botnet started to reappear in April and, as of last week, was made up of more than 318,000 unique IP addresses, or about half its 650,000 maximum size in 2008.

Machines infected by Kraken malware primarily are being used to send spam, and a single member of the botnet is capable of sending more than 600,000 unwanted emails in a 24-hour period, he said. All of the spam is promoting male enhancement or erectile dysfunction products.

Kraken malware is being installed onto already compromised computers by another, larger botnet, which uses so-called “butterfly” bot malware to operate, researchers said. The butterfly bot malware, which was also used to construct the Mariposa botnet, is up for sale as a kit on the criminal black market.

It is currently unclear whether those behind the Kraken botnet are the same group as those operating the botnet that installs Kraken, Royal said. Most likely, the groups are different.

News item 2a: http://www.pcmag.com/article2/0,2817,2365902,00.asp
“The federal government and Hollywood teamed up to seize domain names of seven sites that allegedly trafficked in copyrighted movies without due payment. The so-called ‘Operation in Our Sites‘ sting targeted TVShack.net, Movies-links.tv, Filespump.com, Now-movies.com, PlanetMoviez.com, PirateCity.org, zml.com, NinjaVideo.net, and NinjaThis.net. The operation was run by the US Immigration and Customs Enforcement (ICE) and the US attorney for the Southern District of New York, in conjunction with several Hollywood studios. Unlike past anti-piracy efforts, the sites did not actually offer the movies for download, but instead streamed the movies and TV shows against ads. Previously, movie crackdowns had concentrated on sites that distributed movie files, most recently using the BitTorrent protocol.”

News item 2b: http://techcrunch.com/2010/07/06/tv-shack-piracy/
It only took a few days for at least one of the sites to reappear at a different domain. TVshack.net, for instance, is now at TVshack.cc. There you can watch full streams of bootleg versions of The Twilight Saga: Eclipse, Toy Story 3, True Blood, and other movies and TV shows. The .cc domain is administered by the Cocos Islands, which is a territory of Australia. The company is based in Stockholm, Sweden. Another one of the shuttered sites has reappeared at www.watch-movies-tv.info, but it no longer offers streaming movies.

News item 3: http://www.theregister.co.uk/2010/06/30/unsafe_surfing/

New research pours scorn on the comforting but erroneous belief that Windows surfers who avoid smut and warez on the web are likely to avoid exposure to malware.

A study by free anti-virus firm Avast found 99 infected legitimate domains for every infected adult web site. In the UK, Avast found that more infected domains contained the word “London” (such as the blog section of http://kensington-london-hotels.co.uk) than the word “sex”. Among the domains labelled as infected by Avast was the smart phones section of the Vodafone UK website. The mobile phone operator’s site contained a malicious JavaScript redirect script that attempted to take advantage of an unpatched Windows Help and Support Center flaw (CVE-2010-1885) to infect the machines of visiting surfers.
At the time of writing, HTML files on the sub-domain blackberry.vodafone.co.uk still contain the malicious code, but it points to a payload-hosting site that has since been pulled offline.

News item 4: http://mainecampus.com/2010/06/29/um-counseling-center-servers-hacked/
University of Maine police are investigating the breach of two UMaine computer servers holding the names, social security numbers, and clinical information of students who attended the university’s Counseling Center from Aug. 8, 2002 to June 21 of this year.

According to a university press release, data linked to approximately 4,585 students, four to five percent of UMaine students over that time period, was exposed.

Dean of Students Robert Dana said at a Tuesday news conference there was “no indication” that data was viewed or downloaded from the servers, but officials are preparing for a worst-case scenario.

“This is an insidious affront to the rightful privacy expectations of our students,” Dana said. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. Because of this, we are engaging all possible resources to find the source of these attacks.”

News item 5: http://www.computerworld.com/s/article/9178695/Destination_Hotels_card_processing_system_hacked
Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii.

Guests who recently stayed at 21 of the resort’s 30 hotels may have been victimized by the scheme, which appears to have compromised point-of-sale systems. The company refused to release many details of the incident — citing an ongoing investigation by the U.S. Federal Bureau of Investigation — but in a note posted to its Web site said that it had “uncovered a malicious software program inserted into its credit card processing system from a remote source.”

Destination Hotels is in the process of notifying victims but will not say how many people have had their credit card numbers stolen. The attackers appear to have hit only point-of-sale processing systems, where credit cards are swiped for purchases. Personal information such as guests’ home addresses was not compromised, the company said.

News item 6: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” series, this week with logging.

Use your logs for debugging
Nobody will be able to trace attacks on your code if you fill up the logs with debugging nonsense. Extra points for making your log messages undecipherable by anyone except you. Even more points if the log messages look as though they might be security relevant.

Don’t use a logging framework
The best approach to logging is just to write to stdout, or maybe to a file. Logging frameworks make the logs too easy to search and manage to be sure that nobody will ever review them.
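Turning the two satirical tips above around, here is an added example (not OWASP's code and not from the podcast) that keeps developer debugging noise on one logger and emits searchable, key=value security events on a separate audit logger through Python's standard logging framework. The logger names, the in-memory sink and the sample login event are constructed for this illustration.

```python
import logging

# Constructed example: separate loggers so security events are not buried in
# debugging chatter, and a sink that can be inspected (stand-in for a file/SIEM).
AUDIT = logging.getLogger("example.audit")
APP = logging.getLogger("example.app")


class MemoryLines(logging.Handler):
    """Keeps formatted log lines in a list so the output can be checked."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def setup_logging():
    """Attach one sink per logger; the audit logger records INFO and above only."""
    fmt = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
    sinks = {}
    for logger, level in ((APP, logging.DEBUG), (AUDIT, logging.INFO)):
        logger.handlers.clear()      # idempotent if called more than once
        logger.propagate = False     # keep the two streams from merging at root
        logger.setLevel(level)
        sink = MemoryLines()
        sink.setFormatter(fmt)
        logger.addHandler(sink)
        sinks[logger.name] = sink
    return sinks


def login_attempt(user, src_ip, password_ok):
    """Logs debugging noise and a structured security event on separate loggers."""
    APP.debug("entering login_attempt for %s", user)   # developer noise only
    outcome = "success" if password_ok else "failure"
    # Fixed field names make the event queryable without guessing the wording.
    AUDIT.info("event=auth_result user=%s src_ip=%s outcome=%s", user, src_ip, outcome)
    APP.debug("leaving login_attempt")
    return outcome


def audit_lines(sinks):
    """Returns the audit stream as a list of formatted lines."""
    return list(sinks[AUDIT.name].lines)
```

The audit stream ends up holding only the auth_result events, so an analyst grepping for `event=auth_result` never has to wade through the debug chatter.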

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.