Your daily source of Pwnage, Policy and Politics.

Episode 193 – AT&T, Wikileaks, EMF & PCI Compliant

ISDPodcast Episode 193 for August 16, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children; his colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or funds transferred via telephone at (770) 867-9111. Please place the account number 00133835 on the check.  A PayPal account has been established and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

MyHardDriveDied.com:

Vulnerabilities of Interest:
[Notes: Keith - Of course if it's not a requirement in some regulatory document it's something that likely never gets looked at even if it is considered to be "Best Practices", whereas like with PCI it's actually a requirement to disable "autocomplete".]
After the credit card information autofill (and subsequent correction) on erenterplan.com, it's now the turn of AT&T Wireless to autofill Social Security Numbers. I was adding a new line to my account – it's stupid how big of a hassle it can be – and I had to fill in my SSN. Thanks to the problems they were giving, I went in a second time to fill it out. I key in the first digit, and it fills out the entire thing for me. Again, granted, it's just autofill, but as we said before, it IS exploitable. How hard is it to mandate to developers that they need to have `autocomplete="off"` on fields for sensitive information?

AT&T has been notified through the email address provided in their privacy policy notes. Hopefully, we won't get sued.

Stories of Interest:
News Item 1: http://www.wired.com/threatlevel/2010/08/cyberwar-wikileaks/
Should the U.S. government declare a cyberwar against WikiLeaks?  Last week, WikiLeaks founder Julian Assange told a gathering in London that the secret-spilling website is moving ahead with plans to publish the remaining 15,000 records from the Afghan war logs, despite a demand from the Pentagon that WikiLeaks “return” its entire cache of published and unpublished classified U.S. documents.

Last month, WikiLeaks released 77,000 documents out of 92,000, temporarily holding back 15,000 records at the urging of newspapers that had been provided an advance copy of the entire database. On Thursday, Assange said his organization has now gone through about half of the remaining records, redacting the names of Afghan informants. That suggests the final release could still be weeks away.

Pundits, though, are clamoring for preemptive action. “The United States has the cyber capabilities to prevent WikiLeaks from disseminating those materials,” wrote Washington Post columnist Marc Thiessen on Friday. “Will President Obama order the military to deploy those capabilities? … If Assange remains free and the documents he possesses are released, Obama will have no one to blame but himself.”

But a previous U.S.-based effort to wipe WikiLeaks off the internet did not go well. In 2008, federal judge Jeffrey White in San Francisco ordered the WikiLeaks.org domain name seized as part of a lawsuit filed by Julius Baer Bank and Trust, a Swiss bank that suffered a leak of some of its internal documents. Two weeks later the judge admitted he’d acted hastily, and he had the site restored. “There are serious questions of prior restraint, possible violations of the First Amendment,” he said.

News Item 2: http://www.itbusiness.ca/it/client/en/home/News.asp?id=38093&PageMem=1
[Notes: Karthik - I hadn't yet started reading the story yet, when I already decided it was stupid and funny. So I guess I am a little biased here]

There are many benefits to studying at Lakehead University. Ubiquitous wireless Internet access, however, isn’t one of them. That’s because president Fred Gilbert won’t allow it until he’s satisfied EMF (electric and magnetic fields) exposure doesn’t pose a health risk, particularly to young people. Gilbert, who was interviewed last week on the CBC about the university’s policy as stated in a town hall meeting last fall, told ITBusiness.ca he based his decision on scientific literature that indicates the potential for “some fairly significant” health consequences.

“These are particularly relevant in younger people (who have) fast-growing tissues, and most of our student body are late teenagers and still growing, so it’s just a matter of taking precautions and providing an environment that doesn’t have a potential risk associated risk,” he said. Gilbert cited studies done by scientists for the California Public Utilities Commission, whose findings boil down to the fact that while there is no proven link between EMF exposure and diseases such as leukemia and brain tumours, the possible risk warrants further investigation.

He also said Canadian regulation allows for a higher minimum degree of exposure to EMFs than do some other countries. “All I’m saying is while the jury’s out on this one, I’m not going to put in place what is potential chronic exposure for our students,” he said. “Admittedly that’s highest around the locations of the antenna sites and the wireless hotspots, but those are the places people tend to gravitate to because they get the best reception.”

News Item 3: http://www.csoonline.com/article/print/603079
[Notes: Keith - Self Assessment or self compliance will continue to fail the private regulatory requirements as entities are far too apt to simply select yes to everything just to get the green "You Win" button.]
Claiming PCI or any other compliance – Let’s be honest: Organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or, worse, cut you off from credit card processing.  “OMG! I would not be able to process credit card payments, it will cost me untold profit… OMG!”

That is more like it, because we all know that if your organization is truly practicing good information security on a daily basis you would be compliant with PCI (just missing QSA certification, of course), and you would most likely be in compliance with just about any compliance or regulatory requirements your organization might have thrust upon it.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.