ISDPodcast Episode 196 for August 19, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Adrian Crenshaw and Karthik Rangarajan.
Announcements:
Local Password Exploitation Class:
- The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
- The class will cover the details of pulling passwords and hashes that are stored on a box to which the attacker has physical access, or that can be recovered through network vulnerabilities that reveal the password or hash. Topics to be covered:
- Pulling stored passwords from web browsers/IM clients and other apps
- Hash cracking of Windows passwords, as well as other systems
- Sniffing plain text passwords off the network
- How passwords on one box can be used to worm through other hosts on a network
- Seating is limited to 50 people.
- The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children; his colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers made by telephone at (770) 867-9111. Please put account number 00133835 on the check. A PayPal account has also been set up; you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show a receipt for a donation of at least $10 at the door.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
ShoeCon 2010:
- Atlanta, GA September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111
- This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, running Tuesday, October 12 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN, running Tuesday, October 12 through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
- Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). The discount expires Sept. 1st.
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
Stories of Interest:
News Item 1: http://www.theregister.co.uk/2010/08/19/intel_and_macafee_wtf/
When does a $7B deal get summed up in three little letters “WTF”? When Geordy freakin says so and when Intel buys McAfee.
Intel and McAfee made a surprise announcement early Thursday that the chip megamaker plans to acquire the security-software giant in a $7.68bn all-cash deal, and across the technical and financial communities, the response was a nearly unanimous “WTF?”
But during a webcast conference with reporters and analysts, Intel CEO Paul Otellini and his crew performed an intricate dance designed to calm investors and explain the wisdom of the move — and to plow the fertile field of fear, and sow hints as to how Chipzilla plans to profit from the deal.
To soothe McAfee investors — who should need little soothing, seeing as how they stand to profit greatly from the deal — Otellini first reported that the acquisition has the unanimous approval of both companies’ boards of directors, that McAfee will maintain its identity as a wholly-owned subsidiary of Intel, and that “Intel is giving its commitment to the McAfee brand and all McAfee product offerings.”
But why McAfee? Intel is a chipmaker, not a “scare ‘em then sell ‘em” security-software outfit. Otellini’s answer was architectural. “We have concluded that security has now become the third pillar of computing,” he told his listeners, “joining energy-efficient performance and Internet connectivity in importance.”
And that third pillar, Otellini believes, will be best implemented in silicon, not software. “We believe that security will be most effective when enabled in hardware,” he said. “Joining the assets of McAfee with Intel will accelerate and enhance the combination of hardware and software solutions.” McAfee, which competes with Symantec, gives Intel a direct route into one of the most crucial parts of the software sector. With online threats proliferating, Intel has opened up a major source of additional revenue; the deal also allows the company to position itself as more than just a chipmaker.
Analysts seem to think that this deal doesn’t bode well for Check Point Software, Fortinet, Blue Coat Systems or ArcSight. What does this mean for Symantec? Will they be the next big security acquisition by a giant such as Hewlett-Packard, Dell or IBM?
News Item 2: http://www.net-security.org/secworld.php?id=9761
Some 40 Windows applications are affected by a critical vulnerability that can allow attackers to execute malicious code remotely and infect the computers with malware, says HD Moore, CSO at Rapid7 and creator of Metasploit.
He hinted at the existence of the flaw on Twitter, saying “The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,” and linking to an advisory by security firm Acros.
The advisory in question concerns a dynamic link library loading flaw in Apple iTunes for Windows, which allows a remote attacker to “plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes – which should require minimal social engineering.”
“Since Windows systems by default have the Web Client service running (which makes remote network shares accessible via WebDAV), the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet,” say Acros researchers.
HD did not specify which applications were affected, and offered only a few details. “The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ‘safe’ file type from a network share [either on the local network or the Internet]. It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content,” he revealed to ComputerWorld. The underlying cause is Windows’ DLL search order: when an application loads a library by bare file name, the current working directory is among the places searched, and opening a document from a share makes that share the current directory, so a DLL the application expects but that is not present in its own or the system directories is loaded from the attacker’s share instead. HD advises users to block outbound SMB connections (TCP ports 139 and 445) and to disable the Windows WebDAV client in order to block the remote, Internet-based variant of the attack.
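The two workarounds HD Moore recommends above, as an added example of how an administrator would apply and verify them on a Windows 7 / Server 2008 host from an elevated PowerShell prompt. This is not code from the podcast, Rapid7 or Acros; the firewall rule names are my own choice, and the script assumes the built-in Windows Firewall is in use.

```powershell
# Added example (not from the podcast or the vendors): apply and verify the two
# DLL-planting workarounds on a Windows host. Run from an elevated prompt.
# Rule names below are arbitrary (assumption: Windows Firewall is in use).

# 1. Disable the WebClient service (the WebDAV redirector). Without it a UNC
#    path pointing at an Internet host cannot fall back to HTTP/WebDAV, so an
#    attacker's share would have to be reachable over SMB instead.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 2. Block outbound SMB (TCP 139 and 445) at the host firewall so the share
#    cannot be reached over SMB either. netsh works on Vista/7/2008; on
#    Windows 8/2012 and later New-NetFirewallRule does the same job.
foreach ($port in 139, 445) {
    netsh advfirewall firewall add rule name="Block outbound SMB TCP $port" `
        dir=out action=block protocol=TCP remoteport=$port
}

# 3. Verify both changes. Win32_Service is queried because Get-Service on
#    PowerShell 2.0 does not expose the start mode.
Get-WmiObject Win32_Service -Filter "Name='WebClient'" |
    Select-Object Name, State, StartMode
foreach ($port in 139, 445) {
    netsh advfirewall firewall show rule name="Block outbound SMB TCP $port"
}
```

Both changes are workarounds, not fixes: they stop the share from being reached, not the vulnerable applications from loading a library by bare name. Blocking outbound SMB host-wide also cuts access to legitimate file servers and domain logon scripts, so on a domain-joined machine the SMB block usually belongs at the perimeter toward the Internet rather than on every host, and disabling WebClient breaks WebDAV-dependent features such as opening SharePoint libraries in Explorer.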
News Item 3: http://www.theregister.co.uk/2010/08/16/adobe_coldfusion_vuln/
A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.
In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the second-highest classification on its four-tier severity scale (critical, important, moderate, low). “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.
But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.
“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote in a blog post. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”