Your daily source of Pwnage, Policy and Politics.


Episode 186 – CC numbers for comments, SE & New dating techniques


ISDPodcast Episode 186 for August 5, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.  In this episode we will discuss news sites that need CC numbers for comments, SE & New dating techniques.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Registration for these classes by Aug 4th offers both $400 Early Bird savings and registration for the ISSA Conference (existing members). All attendees also receive a one year ISSA membership.  Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Conference:

  • We are currently working on a one-day Security Conference where the proceeds will go towards Matthew’s wife and children.  We are narrowing down the dates, but certainly welcome any volunteers, donations, swag, etc.  As this continues to develop we will certainly keep you informed.
  • We also have donate buttons on the isdpodcast website if you would like to make a donation to the Matthew Shoemaker Memorial Fund.  Anything you can spare would certainly be appreciated.

Update:
Credit Card Information on http://www.erenterplan.com
We spoke about this on Episode 181: the website had not turned autocomplete off on the fields taking in credit card details, so a browser could store and later offer up the card number and CVV. Karthik had sent an email to the vendors with the information and a suggested fix. He recently received an email from the President of realpage.com (the people running the service) notifying him of the fix, and after checking, it's actually fixed. So kudos to them for doing it.

The relevant part of the payment form as it now reads, with autocomplete="off" on the card number and CVV fields:

```html
<strong>Credit Card Payment Details</strong></p>
</td>
</tr>
<tr>
<td align="left" bgcolor="#f0f9ff" width="25%">Name on Card:
</td>
<td bordercolor="#0081c6" align="left" width="75%">
<input name="Paymentselection1:CCName" maxlength="50" id="Paymentselection1_CCName" style="" type="text"><br>
(Your name exactly as it appears on the card)
</td>
</tr>
<tr>
<td align="left" bgcolor="#f0f9ff" width="25%">Credit Card Number:
</td>
<td align="left" width="75%">
<input name="Paymentselection1:CCNum" maxlength="16" id="Paymentselection1_CCNum" autocomplete="off" style="" type="text">&nbsp;
CVV/CSC
<input name="Paymentselection1:CVV_Pin" maxlength="4" id="Paymentselection1_CVV_Pin" autocomplete="off" style="width: 40px;" type="text">
<a id="Paymentselection1_HyperLink1" onclick="window.open('/enroll/CVVDesc.htm','CVV','width=550,height=550');return false;" href="CVVDesc.htm" target="_blank">What's this?</a>
```
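A quick way to verify a fix like this one, as an added example that is not from the podcast or from the vendor: parse the form markup with the standard library and flag any card-data input that does not carry autocomplete="off". The field-name heuristic and the sample markup are constructed for the demo.

```python
from html.parser import HTMLParser
import re

# Field-name patterns treated as card data (assumed heuristic, not a standard).
SENSITIVE = re.compile(r"(ccnum|cardnum|card_?number|cvv|cvc|csc|pin)", re.IGNORECASE)


class CardFieldAuditor(HTMLParser):
    """Collect every card-data <input> together with its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, lower-cased autocomplete value or "")

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        label = a.get("name") or a.get("id") or ""
        if SENSITIVE.search(label):
            self.findings.append((label, (a.get("autocomplete") or "").lower()))


def fields_missing_autocomplete_off(html):
    """Return names of card-data inputs whose autocomplete is not 'off'."""
    p = CardFieldAuditor()
    p.feed(html)
    return [name for name, ac in p.findings if ac != "off"]


# Constructed 'before' state: card fields with no autocomplete attribute at all.
BEFORE = """
<input name="Paymentselection1:CCName" maxlength="50" type="text">
<input name="Paymentselection1:CCNum" maxlength="16" type="text">
<input name="Paymentselection1:CVV_Pin" maxlength="4" type="text">
"""

# Constructed 'after' state mirroring the fixed markup quoted above.
AFTER = BEFORE.replace('maxlength="16"', 'maxlength="16" autocomplete="off"') \
              .replace('maxlength="4"', 'maxlength="4" autocomplete="off"')

if __name__ == "__main__":
    print("before:", fields_missing_autocomplete_off(BEFORE))  # both card fields flagged
    print("after: ", fields_missing_autocomplete_off(AFTER))   # []
```

The name-based match is only a heuristic, so a clean result tells you the fields you recognised are covered, not that the page is free of other sensitive inputs.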

Stories of Interest:
News Item 1: http://www.thesunchronicle.com/articles/2010/07/06/columns/7627828.txt
[Notes: Karthik - A dated story, but this is something that made me go WTF?]
The Sun Chronicle will again allow readers to comment online about stories that appear on our website, thesunchronicle.com. Publisher Oreste P. D’Arconte, with the backing of managers and editors, pulled the plug on online comments back in April after a small number of users abused the privilege. They passed hurtful rumors, launched personal attacks and generally drove discussions into the gutter – all while hiding beneath the veil of anonymity.

Well, we’ve ended anonymous comments. As today’s story explains, we will now require users to give us a credit card number before they can comment. We are not doing this to make money (we’re charging 99 cents, one time). Instead, we want the name and community of residence of the user. That name and community will then be attached to any comment the user makes, ending anonymity.

We’ve checked around and found no other news site doing this. It would be great if our idea catches the attention of other news companies and leads to a reduction of anonymous comments on the Web.

News Item 2: http://www.csoonline.com/article/601615/how-to-steal-corporate-secrets-in-20-minutes-ask

[Notes: Rick - I don't think that these results are that surprising.  It just seems that it was probably made cooler by the fact that it was conducted at a Con.]

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.

The first two contestants made it look easy.

Wayne, a security consultant from Australia who wouldn’t give his last name, was first up Friday morning. His mission: Get data from a major U.S. company. (IDG News Service has chosen not to report which companies fell for which attacks because of possible security risks.)

Sitting behind a sound-proof booth before an audience, he connected with an IT call center and got an employee named Ledoi talking. Pretending to be a KPMG consultant doing an audit under deadline pressure, Wayne got Ledoi to spill details, big time.

Wayne ignored Ledoi’s request for an employee number and launched immediately into a story about how his boss was on his back, and how he really needed to get this audit finished. He worked his Aussie charm on Ledoi, who’d only been with his new employer for a month. Within minutes, it seemed Ledoi was willing to give Wayne pretty much any information he wanted — at one point Ledoi even visited a fake KPMG Web page that Wayne had set up.

News Item 3: http://www.securityweek.com/hacker-uses-xss-and-google-streetview-data-determine-physical-location
[Notes: Karthik - I didn't know Samy was still active. This is interesting, though it requires you to fool people to visit your malicious site.]
Samy Kamkar, in an incredibly interesting session at Black Hat titled “How I Met Your Girlfriend,” highlighted new types of attacks executed from the Web. An interesting hack he demonstrated was the ability to extract extremely accurate geo-location information from a Web browser, while not using any IP geo-location data.

Kamkar, by convincing the victim to visit his malicious Web site, used remote JavaScript and AJAX to acquire a router’s MAC address. When the unsuspecting user visited his malicious Web site, JavaScript remotely scanned for the type of router used, accessed the router’s MAC address and sent it directly to him. From there, he was able to utilize Google Street View data to determine the location of a router – in his case, accurate within 30 feet.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
