Your daily source of Pwnage, Policy and Politics.


Episode 189 – Droid Malware, Temporal Analytics Engine & Seal Stupidity


ISDPodcast Episode 189 for August 10, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan. In this episode we will discuss Droid Malware, Temporal Analytics Engine & Seal Stupidity.

Announcements:

MyHardDriveDied.com:

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code: isdpod15KY for a 15% discount.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

DerbyCon 2011

ShoeCon 2011:

  • Atlanta, GA September 18th
  • The September DC404 meeting will be held at the Con
  • Details coming soon, but keep in mind that all the proceeds will go towards Matthew’s wife and children.  We are still working out the exact location, but will be opening a call for presenters shortly.  Of course we also need volunteers, donations of swag, time, etc.
  • The isdpodcast website has made it easy for you to donate to the Matthew Shoemaker Memorial Fund.  Anything you can spare would certainly be appreciated.

Stories of Interest:

News Item 1: http://mashable.com/2010/08/10/android-trojan/
[Notes: Rick - This is a different approach, but quite frankly if you install any app off the Market or iTunes store, then you really should understand what you're doing.  That being said, more people will probably be screwed by this just based upon stupidity][Notes: Karthik - And we all know how stupid people are, don't we?]

Kaspersky has confirmed the file is named “Trojan-SMS.AndroidOS.FakePlayer.a” and is downloaded as a typical .APK Android app that is also the first known Android-specific trojan.

The malware works by posing as a media player app. Once the app is installed on the mobile device, the trojan begins to send SMS messages to premium rate numbers without the device owner’s knowledge. Since the trojan’s creators are usually the ones on the other end of those premium numbers, they end up profiting from the scam. This SMS-based type of malware is currently one of the most common forms of mobile viruses. SMS trojans have been around for years on mobile phones, even predating the smartphones we all know and love. The first mobile SMS virus appeared in 2004, and the first-ever Android malware (isolated incidents of spyware) popped up in 2009.
The trojan “media player” that’s causing concern today isn’t available in the Android Market. Rather, it is “being distributed from a malicious website,” according to Kaspersky researcher Denis Maslennikov. “You have to click it manually, there is no drive-by download. If you try to install it, the smartphone will ask you to grant permission for the application to send SMS messages, read or delete data from SD and collect the data about the phone and phone ID.”
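The permission prompt Maslennikov describes (send SMS, read or delete SD card data, collect the phone ID) is exactly the combination a reviewer would want to catch before install. As an added example that is not from the article or from Kaspersky, this Python checker parses a constructed AndroidManifest.xml and flags a self-described media player that requests SEND_SMS alongside phone-identity and SD card access; the package name and labels are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
LABEL = "{%s}label" % ANDROID_NS

# Capabilities named in the Kaspersky quote above, mapped to the standard
# Android permission that grants each one.
CAPABILITIES = {
    "android.permission.SEND_SMS": "send SMS (premium-rate billing risk)",
    "android.permission.READ_PHONE_STATE": "read phone identity (IMEI/number)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "read/delete SD card data",
}

# Constructed manifest for a hypothetical "media player" package that asks for
# that full set; the package name is invented for this example.
FAKE_PLAYER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Movie Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest for a player that only needs storage access.
BENIGN_PLAYER_MANIFEST = FAKE_PLAYER_MANIFEST.replace(
    '  <uses-permission android:name="android.permission.SEND_SMS"/>\n', "").replace(
    '  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>\n', "")

def review_manifest(manifest_xml):
    """Return (label, findings, suspicious).  findings lists the risky
    capabilities requested; suspicious is True when the app can send SMS,
    which a media player has no legitimate reason to do."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(LABEL, "<unnamed>") if app is not None else "<no application>"
    requested = {el.get(NAME) for el in root.findall("uses-permission")}
    findings = [desc for perm, desc in CAPABILITIES.items() if perm in requested]
    suspicious = "android.permission.SEND_SMS" in requested
    return label, findings, suspicious

if __name__ == "__main__":
    for manifest in (FAKE_PLAYER_MANIFEST, BENIGN_PLAYER_MANIFEST):
        label, findings, suspicious = review_manifest(manifest)
        print(label, "SUSPICIOUS" if suspicious else "ok", findings)
```

On a real device the same permissions show up in the install prompt; the check here only formalizes the question of whether a player has any business sending SMS.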

News Item 2: http://www.zdnet.co.uk/news/security/2010/08/02/google-and-cia-join-funds-on-predictive-analysis-project-40089700/?s_cid=938
[Notes: Rick - This is just so freaking badass when you really start to get into the canonical relations and momentum.  If this is real then this will be a game changer, however I am concerned that it might be used to predict that someone will do something and therefore be used against them preemptively.]

Google recently announced the following:

Google Ventures and In-Q-Tel, the investment arm of the CIA, have provided funding to a company that monitors all the noise on the web looking for connections between people, groups and events, according to Wired.

The company, Recorded Future, offers a Temporal Analytics Engine for predictive analysis, allowing people to “visualise the future, past, or present”.

In addition, In-Q-Tel and Google Ventures both have seats on the board of Recorded Future and have been “very helpful”, providing advice to the Cambridge, Massachusetts-based start-up, chief executive Christopher Ahlberg, an ex-Swedish Army ranger, told Wired in an article this week.

This may be the first time Google and the CIA have funded the same firm, but it’s not the first time they’ve worked together. Google has sold servers to intelligence agencies and reportedly sought aid from the NSA after it was targeted in attacks it said originated in China. In-Q-Tel also had provided backing to Keyhole before Google acquired the mapping company to use in its technology in Google Earth.
So what does all this mean?  Traditional search engines do the following:

  1. Scour the web – We continually scan thousands of news publications, blogs, niche sources, trade publications, government web sites, financial databases and more.
  2. Extract, rank and organize – We extract information from text including entities, events, and the time that these events occur. We also measure momentum for each item in our index, as well as sentiment.
  3. Make it accessible and useful – You can explore the past, present and predicted future of almost anything. Powerful visualization tools allow you to quickly see temporal patterns, or link networks of related information.

Temporal Analytics Engine goes beyond traditional search and explicit link analysis and adds implicit link analysis, by looking at the “invisible links” between documents that talk about the same, or related, entities and events, separating the documents and their content from what they talk about – the “canonical” entities and events.

Documents contain references to these canonical entities and events, and we use these references to rank canonical entities and events based on the number of references to them, the credibility of the documents (or document sources) containing these references, and several other factors (for example, co-occurrence of different events and entities in the same or in related documents is also used for ranking). This ranking measure – called momentum – is our aggregate judgment of how interesting or important an entity or event is at a certain point in time – note that over time, the momentum measure of course changes, reflecting a dynamic world. Temporal Analytics Engine also analyzes the “time and space dimension” of documents – references to when and where an event has taken place, or even when and where it will take place – since many documents actually refer to events expected to take place in the future. We are also adding more components, e.g. sentiment analyses, which determine what attitude an author has towards his/her topic, and how strong that attitude is – the affective state of the author.

The semantic text analyses needed to extract entities, events, time, location, sentiment etc. can be seen as an example of a larger trend towards creating “the semantic web”.

The time and space analysis described above is the first way in which Recorded Future can make predictions about the future – by aggregating weighted opinions about the likely timing of future events using algorithmic crowd sourcing. In addition to this, we can use statistical models to predict future happenings based on historical records of chains of events of similar kinds.

News Item 3:  http://news.cnet.com/8301-1023_3-20012575-93.html

[Notes: Rick - This is just another example of interpreting a statute to make it suit one's desire. Also, a little Googling revealed that there are approximately 266,000 results when you search for Images of "FBI seal".]

In a letter to Wikipedia (PDF) dated July 22 and posted by The New York Times, the FBI demanded that its official seal be removed from a Wikipedia article about the FBI because the agency had not approved use of the image.

“The FBI has not authorized use of the FBI seal on Wikipedia,” the letter said. “The inclusion of a high quality graphic of the FBI seal on Wikipedia is particularly problematic, because it facilitates both deliberate and unwitting” copying and reprinting of the FBI’s seal.

The letter goes on to threaten legal action if its demand is ignored: “Failure to comply may result in further legal action. We appreciate your timely attention to this matter.”

Wikipedia thinks the law-enforcement agency may have misread the law it cited in its letter and is willing to go to court to prove it, if necessary.

“While we appreciate your desire to revise the statute to reflect your expansive vision of it, the fact is that we must work with the actual language of the statute, not the aspirational version of Section 701 that you forwarded to us,” Mike Godwin, general counsel for Wikimedia Foundation, the nonprofit company that runs Wikipedia, wrote the FBI in response.

(18 U.S.C. 701 prohibits the manufacture, sale, or possession of any badge, identification card, or other insignia, of the design prescribed by the head of any department or agency of the United States for use by any officer or employee of that agency.)

An FBI spokesperson defended the message of the letter. “You can’t use the FBI seal, by law, unless you have the permission of the FBI director,” William Carter told the Times.  Cindy Cohn, the legal director of the Electronic Frontier Foundation, told the Times that Wikipedia has a First Amendment right to display the seal with the accompanying article and called the dispute “silly” and “troubling.”

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
