2010
07.19

InfoSec Daily Podcast


Episode 175 for July 19, 2010.  Tonight’s podcast is hosted by Rick Hayes and the intern, Karthik Rangarajan.  In this episode we will discuss Microsoft acknowledgement, Turkish hackers, WTF, Apple & “personal device”.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

Stories of Interest:

News Item 1: http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives. The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support, researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2.

In a security advisory, Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog. Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

News Item 2: http://www.torontosun.com/news/world/2010/07/18/14750191.html

The number of Israelis whose personal information was stolen by Turkish Internet hackers has risen to at least 100,000, Haaretz newspaper reported Sunday. Erez Wolf, an Israeli blogger who operates We-CMS website, reported Friday that tens of thousands of e-mail addresses, passwords and personal details of Israeli web surfers are in the hands of Turkish hackers. In a Turkish hackers online forum, Wolf found a document containing the e-mail addresses and passwords of more than 30,000 Israeli web users.

On Sunday, Haaretz said TheMarker.com website has learned another file circulating on the internet contains the e-mail addresses of an additional 70,000 Israeli web users. Among the websites from which information was stolen for the first Turkish hacker posting was Israel’s Pizza Hut.  Pizza Hut confirmed Saturday that e-mail addresses and passwords of 26,476 customers who ordered pizza from the company’s website in early June had been stolen.

News Item 3: http://www.theregister.co.uk/2010/07/11/school_id_fake_ruse/

A devious mother posed as another parent in an attempt to remove a rival child’s name from a school waiting list. The woman created a fraudulent Gmail account to fool school authorities at the “outstanding” Coleridge primary school in Crouch End, London. Using this fake account and quoting the name and correct date of birth of the child, she wrote to education officials at Haringey council and told them to remove the four-year-old girl from the list. Which they did. The ruse unravelled when the victim’s mother phoned to inquire about the progress of her child’s application.

Police have launched an investigation and the council is to improve admission procedures.

News Item 4: http://www.scmagazineuk.com/one-in-three-employees-would-continue-to-use-a-personal-device-at-work-that-poses-a-security-risk-even-if-told-not-to/article/174377/

One in three employees would continue to use a personal device for work purposes, despite 83 per cent admitting that it could pose a security risk to their company.  Research by Sourcefire and Dynamic Markets found that 69 per cent of UK employees who use a computer at work use their own personal devices for work-related purposes. The most commonly used personal devices were laptops (48 per cent) and home PCs (44 per cent). Smartphones are used by 16 per cent, 32 per cent use their own USB sticks and 17 per cent use their own CD-ROMs.  It also found that 71 per cent of people surveyed move data on and off the corporate network via these devices, and almost all carry out activities that could put company data at risk.

News Item 5: http://www.theregister.co.uk/2010/07/12/secunia_threat_report/

According to Secunia reports, Apple ranks first, ahead of runner-up Oracle, and Microsoft in the number of security bugs found in all their products in 1H 2010. During the first six months of 2010, Secunia logged 380 vulnerabilities within the top-50 most prevalent packages on typical end-user PCs, or 89 per cent of the figure for the entire year of 2009.

Secunia reckons the security threat landscape is shifting from operating system vulnerabilities to bugs in third-party applications. Secunia reckons a typical end-user PC with 50 programs installed will be faced with 3.5 times more security bugs in the 24 third party programs running on their systems than in the 26 Microsoft programs installed. Secunia expects this ratio to increase to 4.4 in 2010.

Between 2007 and 2009 the number of vulnerabilities affecting a typical client PC almost doubled, from 220 to 420. Secunia reckons that will almost double again to reach 760 for 2010 as a whole. Secunia’s study can be found here (PDF)

http://www.owasp.org/index.php/How_to_write_insecure_code

Continuing our coverage of the OWASP “How to write insecure code” with the Documentation and Coding sections.

Documentation

If you can build it and it appears to work then why describe it?
The most successful applications do not waste time with requirements, security or otherwise. Optimize the development by keeping the developers from having to read.

Security is just another option
Assume that your sysadmins will RTFM and change the default settings you specified in a footnote on page 124.

Don’t document how security works
There is no point in writing down all the details of a security design. If someone wants to figure out if it works, they should check the code. After all, the code may change and then the documentation would be useless.

Freedom to innovate
Standards are really just guidelines for you to add your own custom extensions.

Print is dead
You already know everything about security, what else is there to learn? Books are for lamers, mailing lists and blogs are for media whores and FUD-tossing blowhards.

Coding

Most APIs are safe
Don’t waste time poring through documentation for API functions. It’s generally pretty safe to assume that APIs do proper validation, exception handling, logging, and thread safety.

Don’t use security patterns
Make sure there’s no standard way of implementing validation, logging, error handling, etc… on your project. It’s best when developers are left free to express themselves and channel their inner muse in their code. Avoid establishing any security coding guidelines, that’ll just inhibit creativity.
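Taking the two tips above at face value, “Most APIs are safe” and “Don’t use security patterns”, here is an added illustration (my own code, not part of the OWASP page or the podcast) of what they cost. A library path-join call is trusted to validate input, which it does not, beside one shared validation routine that every handler is expected to call. The base directory is a constructed placeholder.

```python
import logging
import posixpath
from pathlib import PurePosixPath

log = logging.getLogger("uploads")

# Constructed placeholder; the real application layout is not on the page.
BASE_DIR = "/srv/app/uploads"


def naive_join(user_path: str) -> str:
    """'Most APIs are safe' in practice.

    posixpath.join does exactly what its docs say and nothing more: an
    absolute second component replaces BASE_DIR outright, and '..'
    segments are kept verbatim. No validation, no logging, no rejection.
    """
    return posixpath.join(BASE_DIR, user_path)


def safe_resolve(user_path: str, base: str = BASE_DIR) -> PurePosixPath:
    """The 'security pattern' the satire tells you to avoid: one routine,
    called by every handler, that normalises the candidate path lexically
    (no filesystem access, so it runs offline) and confirms it still sits
    inside the base directory. Rejections are logged so they are visible.
    """
    base_p = PurePosixPath(base)
    candidate = base_p / user_path            # absolute user_path wins here too
    normalised = PurePosixPath(posixpath.normpath(str(candidate)))
    try:
        normalised.relative_to(base_p)        # raises ValueError if outside base
    except ValueError:
        log.warning("rejected path outside %s: %r", base, user_path)
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return normalised


def is_within_base(user_path: str, base: str = BASE_DIR) -> bool:
    """Boolean view of safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(user_path, base)
        return True
    except ValueError:
        return False
```

Note that the naive version never fails: both inputs come back as plausible-looking strings, which is exactly why an ad hoc check in each handler (or none at all) goes unnoticed until someone reads the API documentation.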

Make sure the build process has lots of steps
You want to maximize the number of steps in the build process that have to occur in the right order to make a successful build. It’s best if only one person knows how to actually set up all the config files and build the distribution. If you do have steps written down, you should have lots of notes distributed across a bunch of files and howto’s in lots of locations.
