Your daily source of Pwnage, Policy and Politics.


Episode 195 – Employee Kungfu, dot-matrix, BadB & Manga Fun


ISDPodcast Episode 195 for August 18, 2010.  Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers can be made by telephone at (770) 867-9111. Please write account number 00133835 on the check.  A PayPal account has also been established; you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). The discount expires on Sept. 1st.

MyHardDriveDied.com:

Stories of Interest:
News Item 1:  http://www.csoonline.com/article/print/602925
[Notes: Keith - ah yes, those pesky employees and their creative ways to bypass our systems.]

There may have been a time when blocking certain sites was acceptable in most office environments. But what was once considered off-limits is now essential in many organizations. Social media sites like Facebook are a major part of many companies’ marketing strategy. Sites like YouTube present opportunities to share information about products or services visually. And IM and chat services like G-chat are free and efficient ways for employees to communicate.

“I think generally the business drives the policy,” said Dave Torre, founder and Chief Technology Officer of IT consultancy Atomic Fission. “If you work at the Department of Defense, I don’t think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn’t nearly enough. Obviously you have to use some common sense as an IT manager and say ‘What does our organization look like and how important are these tools on the internet for our users?’”
Workarounds: 5 ways employees try to access restricted sites
Company policy may forbid access to certain web sites, but some employees try creative techniques to view them anyway. Here are five common workarounds and what security can do about them.
Workaround 1: Typing IP address instead of domain name
Workaround 2: Finding a cached version
Workaround 3: Hiding behind encryption
Workaround 4: Using proxy servers and other privacy-friendly tools
Workaround 5: Using smartphones
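Workaround 1 works because many URL filters compare only the hostname the user typed, so a blocked site reached by IP literal (dotted, or the decimal, hex and octal forms browsers also accept) sails through. The following is an added example written for these notes, not code from the CSO article or anyone quoted in it: a hostname-only check beside a hardened one that canonicalises every inet_aton-style IP literal and compares it against the addresses the blocked domains resolve to. BLOCKED_DOMAINS, FAKE_DNS and the 203.0.113.x addresses (the TEST-NET-3 documentation range) are constructed stand-ins so it runs offline; a real filter would resolve names live and would also inspect the destination IP of CONNECT/TLS flows, which is what Workaround 3 (encryption) leaves it.

```python
"""Added example: catching IP-literal bypasses of a domain blocklist.

BLOCKED_DOMAINS and FAKE_DNS are constructed for the demo (assumptions, not real
data); 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real site.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"facebook.com", "youtube.com"}

# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "facebook.com": {"203.0.113.10"},
    "www.facebook.com": {"203.0.113.10"},
    "youtube.com": {"203.0.113.20"},
}


def _legacy_part(part: str):
    """Parse one dotted component the way inet_aton() and browsers do:
    0x.. is hex, a leading 0 means octal, otherwise decimal. None if invalid."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if part == "0" or re.fullmatch(r"[1-9][0-9]*", part):
        return int(part)
    return None


def legacy_ipv4(host: str):
    """Canonicalise any inet_aton-style IPv4 literal to a dotted quad.

    Accepts 1 to 4 components; every component but the last must fit in one
    byte, and the last one fills the remaining bytes. So "3232235777",
    "0xC0A80101", "0300.0250.1.1" and "192.168.257" are all 192.168.1.1.
    Returns None for anything that is not such a literal (e.g. a hostname)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_legacy_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    if any(v > 255 for v in values[:-1]):
        return None
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 256 ** tail_bytes:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(n))


def _domain_blocked(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def naive_is_blocked(url: str) -> bool:
    """The filter Workaround 1 gets past: it matches the hostname string only."""
    host = urlsplit(url).hostname
    return bool(host) and _domain_blocked(host)


def blocked_ips(dns=FAKE_DNS) -> set:
    """Every address the blocked domains (and their listed subdomains) resolve to."""
    return {ip for name, ips in dns.items() if _domain_blocked(name) for ip in ips}


def is_blocked(url: str, dns=FAKE_DNS) -> bool:
    """Hardened check: block by name, and by every encoding of the blocked IPs."""
    host = urlsplit(url).hostname  # lowercased, port stripped
    if not host:
        return False
    if _domain_blocked(host):
        return True
    ip = legacy_ipv4(host)
    return ip is not None and ip in blocked_ips(dns)


if __name__ == "__main__":
    for u in ["http://facebook.com/", "http://203.0.113.10/",
              "http://3405803786/", "http://0xCB00710A/", "http://example.com/"]:
        print(f"{u:28} naive={naive_is_blocked(u)!s:5} hardened={is_blocked(u)}")
```

Matching on resolved addresses is also the only handle the filter has once traffic is inside TLS (Workaround 3), and it does nothing against Workarounds 4 and 5, where the request leaves via a third-party proxy or never touches the corporate network at all.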

News Item 2: http://www.theregister.co.uk/2010/08/10/side_channel_printer_attack/
Researchers have devised a novel way to recover confidential messages processed in doctors’ offices and elsewhere by analyzing the sounds made when documents are reproduced on dot-matrix printers.

This so-called side-channel attack works by recording the “acoustic emanations” of a confidential document being printed, and then processing it with software that translates the sounds into words. The method recovers as much as 95 per cent of the printed words when an attacker has contextual knowledge about the text being printed, such as the words included in a medical prescription or a living-will declaration. Up to 72 per cent of the text can be recovered when no context is known.

The attack, which so far works only on English text, was carried out under what the researchers described as “realistic — and arguably even pessimistic — circumstances,” in which there was no shielding from ambient noise such as that made by people chatting in a nearby waiting room. Despite the wide availability of inkjet and laser printers, about 60 per cent of doctors in Germany continue to use dot-matrix devices. About 30 per cent of banks in Germany do so as well, according to the researchers.  Countries such as Germany, Switzerland, and Austria require carbon-copy-capable dot-matrix printers to be used for printing prescriptions for narcotics, they said.

News Item 3: http://www.wired.com/threatlevel/2010/08/badb/
An alleged old-timer in the international carding community and one of the top sellers of stolen bank card data has been arrested in France, and faces extradition to the United States on an indictment unsealed Wednesday in Washington, D.C.

Vladislav Anatolievich Horohorin, 27, aka BadB, holds dual-citizenship in Ukraine and Israel and was one of the earliest members of CarderPlanet, a first of its kind Russian-language carding forum that was launched around 2002 by a group of East Europeans. CarderPlanet was shuttered in 2004, and BadB had more recently been selling his stolen goods at carder.su and on his own websites, dumps.name and badb.biz, where he promoted his product in lighthearted Flash cartoons like the one above.

Authorities say the network created by Horohorin and other CarderPlanet veterans is linked to “nearly every major intrusion of financial information reported to the international law enforcement community.”

According to the indictment, Horohorin bragged online that he was one of the biggest sellers of “dumps” (account and other data stored on a bank card’s magnetic stripe) and had been a card seller for about eight years. Undercover agents from the U.S. Secret Service negotiated purchases of stolen data from him and worked with French authorities to arrest him.

News Item 4: http://www.asahi.com/english/TKY201008040281.html
[Notes: Karthik - You gotta love this virus. Manga fans come up with the craziest of ideas, don't they? :) ]

A hardened computer hacker has been arrested on suspicion of writing a computer virus that systematically destroys all the files on victims’ PCs and replaces them with homemade manga images of squid, octopuses and sea urchins. Between 20,000 and 50,000 computers may have been infected.

Masato Nakatsuji, 27, of Izumisano, Osaka Prefecture, was quoted as telling police: “I wanted to see how much my computer programming skills had improved since the last time I was arrested.”

He was collared in 2008 for violating copyright laws by creating a computer virus that replaced data with an anime image. He was serving a suspended sentence for that offense when he was arrested in connection with the latest virus.

Police are investigating him on suspicion of property destruction, because the new virus destroyed files on victims’ computers. It is the first time that Tokyo’s Metropolitan Police Department has arrested someone for property destruction in connection with disseminating a computer virus. According to the police, since the virus makes it impossible to retrieve the original computer files, those files have effectively been destroyed.

Specialist police officers handling high-tech crimes said Nakatsuji is suspected of writing the Ikatako (squid-octopus) virus, which was distributed using the Winny file-sharing program in May, disguised as a file for anime songs. A 37-year-old unemployed man downloaded the file to his computer and it became infected with the Ikatako virus. About 11,000 of the 64,000 files on his computer were destroyed. When he realized something was wrong, the man pulled the plug on his computer, preventing further damage.

The virus gets its name because infected files are replaced by manga images of a squid, octopus or sea urchin. If the virus is left unchecked, all files in the computer’s hard disk become infected. When a user tries to open a file, all the individual can access is a manga image of a marine invertebrate. The virus also is programmed to transmit all the files in the infected computer to a server believed to have been set up by Nakatsuji. Police said he had told them that the server contained data from about 50,000 people. Police have confirmed the existence of data for about 20,000 computer users.

Nakatsuji, who was convicted for violating copyrights in his previous case, was quoted as telling police he felt he would not be arrested again because he had created the manga images for Ikatako himself, therefore avoiding a violation of the copyright law.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
