ISDPodcast Episode 191 for August 12, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Karthik Rangarajan.
Announcements:
Local Password Exploitation Class:
- The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
- The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
- Pulling stored passwords from web browsers/IM clients and other apps
- Hash cracking of Windows passwords, as well as other systems
- Sniffing plain text passwords off the network
- How passwords on one box can be used to worm through other hosts on a network
- Seating is limited to 50 people.
- The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children; his colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers made by telephone at (770) 867-9111. Please put account number 00133835 on the check. A PayPal account has also been established; you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show your receipt for a donation of at least $10 at the door.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
ShoeCon 2010:
- Atlanta, GA September 18th
Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111
- If you are interested in speaking at this Conference then we are interested in talking with you. The September DC404 meeting will also be held at the Con.
- This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.
- We also need volunteers, donations of swag, time, etc.
- The isdpodcast website has made it easy for you to donate.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). The discount expires Sept. 1st.
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for each class. To reserve a seat and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
Stories of Interest:
News Item 1: http://www.net-security.org/secworld.php?id=9723
D-Link has enhanced its router security by incorporating both CAPTCHA and DNSSEC to guard against hacking, worms, viruses and other malicious Web attacks. CAPTCHA was added to the DIR-615, DIR-625, DIR-628, DIR-655, DIR-825, DIR-855, DIR-685 and DGL-4500 models. DNS Security (DNSSEC) adds signatures to the Internet’s Domain Name System (DNS) so that a validating resolver can check that the information received from a Domain Name Server is authentic and has not been altered in transit.
To further consider security while future-proofing its routers, D-Link is migrating to IPv6 certification. With the growing number of Internet-capable devices on the market — including mobile, media, and storage — the pool of unallocated IPv4 addresses has dropped to six percent and is expected to run out sometime in 2011. While this is the major motivation for IPv6, other improvements come with it. The IPv6 specification mandates certain security measures that were not defined in IPv4, such as IPSec. IPSec is a method of authenticating and encrypting data transferred between pairs of hosts. Although it was possible to implement IPSec with IPv4, it was not part of the specification. In IPv6, IPSec support is a requirement for conforming nodes rather than an option. One caveat worth keeping in mind: the requirement is that a node implement IPSec, not that it use it, so traffic still travels in the clear unless a security policy is configured on both ends.
D-Link has begun the transition to IPv6 by participating in the ‘IPv6 Logo Testing Program’ to assure that its products support transitional technologies and provide IPv6 connectivity. All new D-Link routers currently ship with the “IPv6 Ready Phase II” certification and logo.
The DNSSEC, CAPTCHA and IPv6 features are currently available on most of D-Link’s currently shipping routers, with more being updated. Consult D-Link for availability of firmware updates.
News Item 2:
[Notes: Karthik - If someone was trying to jailbreak their iPhone, searched on Google, and someone engineered the search in such a way that their results came first, and they injected malware, imagine the consequences]
The technique that the Jailbreakme.com Web site is using to bypass the iPhone’s security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities.
One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple’s mobile devices, including the iPad and iPod Touch, display PDFs, according to an advisory from VUPEN Security, a French research organization. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox.
The combination of the two vulnerabilities–both of which are unpatched at the moment–gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store.
“These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices. The website redirects the browser to the appropriate PDF exploit file depending on the device model and version and then executes a first stage payload. Once done, a second stage payload is executed to gain root privileges on the device by exploiting the kernel vulnerability,” VUPEN said in its advisory.
Security researchers have said that the two vulnerabilities that the site is using to jailbreak devices could be adapted easily to the task of delivering malicious payloads via drive-by downloads on the mobile Safari browser on the iPhone, iPad or iPod Touch. Such an attack would give the attacker the ability to run code on the device and make any other modifications that root privileges allow.
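The site’s own trick, choosing a PDF by reading the device model and OS version out of Mobile Safari’s User-Agent, is also the thing a defender can key on. As an added example (not code from the article or from jailbreakme.com), the Python below extracts those two fields from a User-Agent string and then runs over a few constructed proxy-log lines, flagging any iOS device that fetched a PDF from a host outside an allowlist. The log format (tab-separated: time, client, method, URL, status, content type, user agent), the hostnames and the allowlist are all assumptions.

```python
"""Spot iOS devices pulling PDFs from unexpected hosts in proxy logs.

Added example, not code from the article or from jailbreakme.com. The site
picks its PDF by reading device model and OS version out of Mobile Safari's
User-Agent; a defender can key on the same fields. Log format (tab-separated:
time, client, method, url, status, content-type, user-agent), hostnames and
the allowlist are assumptions; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Mobile Safari reports "(iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; ...)"
# and, on iPad, "(iPad; U; CPU OS 3_2 like Mac OS X; ...)".
UA_IOS = re.compile(r"\((iPhone|iPad|iPod);[^)]*?\bOS (\d+(?:_\d+)*)")


def ua_device_and_version(user_agent):
    """Return (device, version tuple) for an iOS Mobile Safari UA, else None."""
    m = UA_IOS.search(user_agent)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("_"))


def parse_line(line):
    """Split one assumed tab-separated proxy log line into a dict, or None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    keys = ("time", "client", "method", "url", "status", "ctype", "ua")
    return dict(zip(keys, fields))


def is_pdf(rec):
    """PDF by declared content type or by URL extension (servers lie about one)."""
    ctype = rec["ctype"].split(";")[0].strip().lower()
    path = urlsplit(rec["url"]).path.lower()
    return ctype == "application/pdf" or path.endswith(".pdf")


def flag_ios_pdf_fetches(lines, allowed_hosts):
    """Return (client, device, version, host, url) for each PDF fetched by an
    iOS device from a host outside allowed_hosts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pdf(rec):
            continue
        dev = ua_device_and_version(rec["ua"])
        if dev is None:
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if host in allowed_hosts:
            continue
        findings.append((rec["client"], dev[0], dev[1], host, rec["url"]))
    return findings


IPHONE_UA = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) "
             "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7")
IPAD_UA = ("Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) "
           "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10")
DESKTOP_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 "
              "(KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4")

# Constructed proxy log; the hosts are hypothetical.
LOG_LINES = [
    "\t".join(["2010-08-12T10:01:02", "10.0.0.5", "GET", "http://search.example.org/results?q=jailbreak", "200", "text/html", IPHONE_UA]),
    "\t".join(["2010-08-12T10:01:09", "10.0.0.5", "GET", "http://drive-by.example.net/_/4_0_1.pdf", "200", "application/pdf", IPHONE_UA]),
    "\t".join(["2010-08-12T10:02:33", "10.0.0.9", "GET", "http://intranet.example.com/handbook.pdf", "200", "application/pdf", IPAD_UA]),
    "\t".join(["2010-08-12T10:03:10", "10.0.0.7", "GET", "http://drive-by.example.net/_/4_0_1.pdf", "200", "application/pdf", DESKTOP_UA]),
    "\t".join(["2010-08-12T10:04:41", "10.0.0.9", "GET", "http://drive-by.example.net/_/3_2.pdf", "200", "application/octet-stream", IPAD_UA]),
]
ALLOWED_HOSTS = {"intranet.example.com"}

if __name__ == "__main__":
    for client, device, version, host, url in flag_ios_pdf_fetches(LOG_LINES, ALLOWED_HOSTS):
        print(f"{client} {device} iOS {'.'.join(map(str, version))} fetched PDF from {host}: {url}")
```

The last constructed line is served as application/octet-stream but still ends in .pdf, which is why the check looks at both the content type and the path; the desktop fetch of the same file is deliberately not flagged, since the payloads in question only matter to Mobile Safari.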
News Item 3: http://www.theinquirer.net/inquirer/news/1727426/us-government-fails-secure-websites
The Department of Homeland Security (DHS) is seemingly unable to set up a secure website correctly. The website for the high-profile cabinet department that is supposed to protect the US from terrorists, and that has a reported budget of $52 billion, throws up errors when users try to access it through the HTTPS protocol.
Browsers such as Firefox, Safari and Chrome issue warnings suggesting the site is not quite what it seems. The problem is that while a certificate was issued for the official DHS domain name, the technological wunderkind in charge of matters forgot that hosting duties are actually farmed out to Akamai.
So when the content is loaded from Akamai’s servers, they present a certificate that does not cover the DHS hostname the browser asked for, and browsers rightly warn that something dodgy is going on. Security warnings that the DHS website is some dodgy knock-off might be ironic; in the case of the State Department’s website, the same problem is of far greater concern.
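The warning the Inquirer describes is a hostname mismatch: the certificate chain can be perfectly valid, but none of the names in it is the one typed into the address bar. As an added example (not code from the article, DHS or Akamai), the Python below reproduces that browser check offline against a constructed stand-in for a CDN edge certificate with made-up names, and includes a live probe function, get_served_cert(), for checking a real host; the live probe keeps chain verification on but switches hostname checking off so that a valid certificate for the wrong name is returned rather than raised.

```python
"""Does the certificate a server presents cover the hostname the browser asked for?

Added example, not from the article: mirrors the browser check that produced
the DHS warning. The CDN certificate below is constructed and its names are
hypothetical.
"""
import socket
import ssl


def hostname_matches(hostname, cert_names):
    """Return True if hostname is covered by one of cert_names.

    Rules as browsers apply them: case-insensitive exact match, or a wildcard
    whose '*' is the whole left-most label and stands for exactly one label
    ('*.dhs.gov' covers 'www.dhs.gov' but neither 'dhs.gov' nor 'a.b.dhs.gov').
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def names_from_cert(cert):
    """Names a browser considers, in the dict shape ssl.getpeercert() returns:
    dNSName SANs if present, otherwise the subject CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for (attr, value) in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def browser_would_warn(requested_host, cert):
    """True when the served certificate does not name the requested host."""
    return not hostname_matches(requested_host, names_from_cert(cert))


def get_served_cert(hostname, port=443, timeout=5):
    """Live probe: fetch the certificate a server presents for hostname.

    The chain is still verified (verify_mode stays CERT_REQUIRED), but name
    checking is off, so a valid certificate for the wrong name is returned
    instead of raising. Not used by the offline demonstration below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed stand-in for a CDN edge certificate (hypothetical names): the
# chain may be perfectly valid, but none of these names is www.dhs.gov.
CDN_EDGE_CERT = {
    "subject": ((("commonName", "edge.cdn.example.net"),),),
    "subjectAltName": (("DNS", "edge.cdn.example.net"), ("DNS", "*.cdn.example.net")),
}

# Constructed certificate of the kind that belongs on the DHS front end.
DHS_CERT = {
    "subject": ((("commonName", "www.dhs.gov"),),),
    "subjectAltName": (("DNS", "www.dhs.gov"), ("DNS", "dhs.gov")),
}


if __name__ == "__main__":
    for label, cert in (("CDN edge cert", CDN_EDGE_CERT), ("DHS cert", DHS_CERT)):
        verdict = "WARN" if browser_would_warn("www.dhs.gov", cert) else "ok"
        print(f"{label:14s} names={names_from_cert(cert)} -> {verdict}")
```

To check a real deployment, run browser_would_warn(host, get_served_cert(host)) for the public hostname: the fix in the DHS case is not a new certificate for the CDN’s name but getting a certificate for the DHS hostname installed on whatever edge actually terminates TLS.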
News Item 4: http://www.net-security.org/malware_news.php?id=1418
[Notes: Karthik - Trusteer's CTO makes it look like the botnet literally has all of Zeus's powers]
Trusteer announced that it has uncovered a large Zeus version 2 botnet being used to conduct financial fraud in the UK which is operated and controlled from Eastern Europe.
The botnet appears to be controlling more than 100,000 infected computers, 98% of which are UK Internet users. The criminals have been harvesting all manner of potentially lucrative and revenue-producing credentials – including online account IDs plus login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks and even FTP passwords.
Trusteer discovered the extent of the botnet after they gained access to the botnet’s drop servers and command and control center which contained the stolen information including hundreds of thousands of stolen credentials. Trusteer are sharing the information with UK law enforcement agencies.
“This is just one out of many Zeus 2 botnets operating all over the world,” says Amit Klein, Trusteer’s CTO. “What is especially worrying is that this botnet doesn’t just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users’ online accounts.”
“Coupled with the ability to remotely control users’ machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling them to inject transactions at will or extract even more data from the hapless victims,” he added.
News Item 5: http://www.businessinsider.com/4chan-founder-moots-weird-testimony-in-sarah-palin-email-hacking-trial-2010-8
The Smoking Gun has dug up some entertaining testimony from the trial of David Kernell, the 22 year-old hacker convicted of breaking in to then vice-presidential candidate Sarah Palin’s email in 2008.
Specifically, it’s the testimony of Christopher ‘Moot’ Poole, founder and administrator of 4Chan, the image board on which Palin’s password was posted. Moot was called in to testify about 4Chan and the data he turned over to investigators. But, for some reason, both the prosecution and defense felt the need to question him about 4Chan slang. Nothing in the rest of the testimony makes it clear why these questions needed to be asked, but they’re a lot of fun: