2010.07.22

InfoSec Daily Podcast

ISDPodcast Episode 178 for July 22, 2010.  Tonight’s podcast is hosted by Rick Hayes, Matthew Shoemaker and Adrian Crenshaw.  In this episode we will discuss Safari, Cloud Backups & Video Social networking.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.

Stories of Interest:

News Item 1: http://blogs.computerworld.com/16579/horrible_safari_privacy_bug_take_action_now

Jeremiah Grossman, the CTO of WhiteHat Security, has discovered some very bad news for Safari users. Here’s his shtick:

Right at the moment a Safari user visits a website, even if they’ve never been there before … a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5 … has [this] … enabled by default.

This feature works even though a user never entered this data on any website. … a malicious website would … dynamically create form text fields … probably invisibly, and then simulate … keystroke events using JavaScript. When data is … AutoFill’ed, it can be accessed and sent to the attacker. … The entire process takes mere seconds.

What’s going on here? Form data can be auto-suggested in Safari, just like in other browsers. However, the data doesn’t usually get entered into the form unless the user actually selects the suggested input from the drop-down list. In Safari, though, the suggestions can be triggered and read programmatically, so a page’s script can obtain the values without the user ever choosing them.

News Item 2: http://www.zdnet.com/blog/mobile-gadgeteer/its-time-to-backup-your-cloud-too/3580?
Many people don’t think about having to back up their cloud-based data. Do you back up your Contacts from Google? Do you change your passwords often? Do you check to see if you have any unauthorized visitors poking around your cloud?

  • If you use Gmail, you could create a Gmail account whose only purpose is to fetch messages from your main account. Set up mail fetcher in the backup account and add the main account as a custom From address. This way, you’ll be able to read all the messages from your account and even send mail.
  • Add the backup account as a Google Talk friend from Gmail Chat or from another Google Talk interface.
  • For Blogger, add the backup account in the blog authors section: Settings > Permissions > Add authors. The account should have admin privileges so that you can create, edit and delete posts.
  • In Google Analytics, go to Access Manager and add the account as an admin. You’ll have access to all reports and profiles in the backup account.
  • Google Calendar lets you share the main calendar with other people and even give them the right to edit events. Click on “Manage calendars” at the bottom of the window, share the main calendar and add the backup account. You should select “make changes and manage sharing” from the drop-down.  The best solution is to set up a complete bi-directional Gcal sync using the cross-platform GCalDaemon. With GCalDaemon, not only can you ensure that you’ve always got a backup of your latest and greatest Google Calendar appointments and events, but you also get to add, edit, or delete those events from your desktop and watch as they sync back to Gcal.
  • If you’re the owner of a group in Google Groups, go to the member invitation section, select “Add members directly” and add the backup account. Then change the membership type of the new account to “owner”. It’s also a good idea to select “no email” in the subscription type.
  • Add the backup account as a collaborator for some of the most important Google documents and notebooks.  Firefox users can back up all or select chunks of Google Docs and Spreadsheet files in various formats (including MS Office or Open Office formats, PDF, plain text, or CSV) in one fell swoop using the Google Docs Download Greasemonkey script.
  • Other Google services only allow you to export your data: Google Reader (Settings > Import/Export), iGoogle (share each tab with the backup account), Gmail contacts, Google News personalization (scroll to the bottom of the homepage and click on “Share your personalized news with a friend”).
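The last question above, whether anyone unauthorized is poking around the account, is one a script can answer from the access history Gmail shows its users. The example below is added here and is not part of the article: it runs over a constructed activity table (access type, source IP, timestamp, the shape of Gmail’s “last account activity” view, not a real export or API) and flags sessions from unrecognised networks as well as sessions that overlap in time with an unknown source.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a "last account activity" table:
# access type | source IP | local time. Not real data, not a Google API export.
ACTIVITY = """\
Browser|203.0.113.7|2010-07-22 08:15
Mobile|203.0.113.7|2010-07-22 08:40
POP3|198.51.100.20|2010-07-22 09:05
Browser|192.0.2.44|2010-07-22 09:07
Browser|203.0.113.7|2010-07-22 18:30
"""

# Assumption: networks the account owner recognises, e.g. home broadband and
# the host running the backup account's mail fetcher.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.20/32")]


def parse_activity(text):
    """Turn the pipe-separated table into (kind, IPv4Address, datetime) rows."""
    rows = []
    for line in text.splitlines():
        kind, ip, ts = line.split("|")
        rows.append((kind, ip_address(ip), datetime.strptime(ts, "%Y-%m-%d %H:%M")))
    return rows


def is_known(ip):
    return any(ip in net for net in KNOWN_NETWORKS)


def find_unknown_sources(rows):
    """Distinct source IPs that fall outside every recognised network."""
    return sorted({str(ip) for _, ip, _ in rows if not is_known(ip)})


def find_overlapping_sessions(rows, window=timedelta(minutes=30)):
    """Pairs of sessions within `window` of each other where the IPs differ
    and at least one of them is unknown: a strong hint someone else is logged in."""
    hits = []
    ordered = sorted(rows, key=lambda r: r[2])
    for i, (_, ip1, t1) in enumerate(ordered):
        for _, ip2, t2 in ordered[i + 1:]:
            if t2 - t1 > window:
                break  # rows are time-ordered; nothing later can be closer
            if ip1 != ip2 and not (is_known(ip1) and is_known(ip2)):
                hits.append((str(ip1), str(ip2), t2.strftime("%H:%M")))
    return hits


if __name__ == "__main__":
    rows = parse_activity(ACTIVITY)
    print("unknown sources:", find_unknown_sources(rows))
    print("overlapping sessions:", find_overlapping_sessions(rows))
```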

News Item 3: http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1068-10.pdf
Security researchers have demonstrated that there are some potentially serious security and privacy issues with various video social networking sites. They also assert that security on these systems has been neglected. The privacy issues in Chatroulette expose users to phishing, man-in-the-middle attacks and other threats.

News Item 4: http://www.hammerofgod.com/tgp.aspx
The Windows crypto tool Thor’s Godly Privacy (TGP) informs users about the estimated time required for a successful brute-force attack on the chosen password.
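The estimate TGP reports is the standard brute-force model: the attacker’s alphabet raised to the password length, halved for the average case, divided by the guess rate. The block below is an added example, not TGP’s own code (its exact estimator is not given in these notes); the character classes and the guess rate of 10^9 per second are assumptions.

```python
import string

# Assumption: an attacker who sees a character class in use must try the whole
# class, so the alphabet is the union of the classes the password touches.
CHAR_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",  # 33 printable symbols including space
]


def keyspace_size(password: str) -> int:
    """Alphabet size the attacker has to assume for this password."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Average-case time to find the password: half the keyspace at the given rate."""
    combinations = keyspace_size(password) ** len(password)
    return combinations / 2 / guesses_per_second


def human_readable(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    for pw in ["password", "Passw0rd!", "correct horse battery staple"]:
        print(f"{pw!r}: alphabet {keyspace_size(pw)}, "
              f"about {human_readable(brute_force_seconds(pw, rate))}")
```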
