ISDPodcast Episode 202 for August 27, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
Local Password Exploitation Class:
- The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
- The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
- Pulling stored passwords from web browsers/IM clients and other apps
- Hash cracking of Windows passwords, as well as other systems
- Sniffing plain text passwords off the network
- How passwords on one box can be used to worm through other hosts on a network
- Seating is limited to 50 people.
- The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children; his colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transferred via telephone at (770) 867-9111. Please place the account number 00133835 on the check. A PayPal account has been established and you can find it on the right hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show your receipt for a donation of at least $10 at the door.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
ShoeCon 2010:
- Atlanta, GA September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111
- ShoeCon is being held as a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker. Matthew, or “Shoe”, was a fellow security professional, DC404 member and InfoSec podcaster. This event will be held in conjunction with the September DC404 meeting at the Wellesley Inn-Atlanta Airport.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.
Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston WV
http://www.hack3rcon.org
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.
Rant: Monitoring your systems for brute force attacks against SSH/FTP using Open Source tools such as OSSEC.
These attacks are common at this point, and only through proper log monitoring can you effectively detect and respond to them. There is no reason not to monitor the logs generated by public-facing services and alert on active attacks against those systems. This should be part of the basic incident identification and response capability within every organization. With OSSEC the first step is telling the agent which log files to read, for example:
<ossec_config>
  <!-- Log files the OSSEC agent should read. /var/log/secure carries sshd
       authentication events on Red Hat-style systems; Debian/Ubuntu use
       /var/log/auth.log instead. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <!-- FTP daemon log; the path depends on which ftpd is installed. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ftpd.log</location>
  </localfile>
</ossec_config>
Done. With the correct settings in OSSEC, the alerts for brute force attempts against these services are now sent to the OSSEC WUI, to the MySQL or PostgreSQL database and/or out by email.
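As an added illustration of the correlation the rant relies on (this is example code, not from the podcast or from OSSEC itself), the script below applies a failures-within-a-timeframe threshold, the same idea behind OSSEC's sshd brute force rules, to constructed /var/log/secure lines; the host name, addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample from a /var/log/secure-style syslog (not real traffic).
SAMPLE_LOG = """\
Aug 27 21:15:01 bastion sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug 27 21:15:03 bastion sshd[4023]: Failed password for root from 198.51.100.7 port 51025 ssh2
Aug 27 21:15:04 bastion sshd[4025]: Failed password for invalid user oracle from 198.51.100.7 port 51031 ssh2
Aug 27 21:15:06 bastion sshd[4027]: Failed password for root from 198.51.100.7 port 51040 ssh2
Aug 27 21:15:07 bastion sshd[4029]: Failed password for invalid user test from 198.51.100.7 port 51044 ssh2
Aug 27 21:15:09 bastion sshd[4031]: Failed password for root from 198.51.100.7 port 51051 ssh2
Aug 27 21:15:10 bastion sshd[4033]: Failed password for invalid user guest from 198.51.100.7 port 51058 ssh2
Aug 27 21:15:12 bastion sshd[4035]: Failed password for root from 198.51.100.7 port 51060 ssh2
Aug 27 21:16:40 bastion sshd[4040]: Failed password for alice from 203.0.113.5 port 40122 ssh2
Aug 27 21:16:55 bastion sshd[4042]: Accepted password for alice from 203.0.113.5 port 40123 ssh2
Aug 27 21:40:00 bastion sshd[4050]: Failed password for root from 198.51.100.7 port 51099 ssh2
"""

# Classic syslog timestamps carry no year; 2010 is assumed for the sample.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def detect_bruteforce(log_text, frequency=8, timeframe=120, year=2010):
    """Return {source_ip: time of first alert} for every source that produced
    at least `frequency` failed logins inside a sliding window of `timeframe` s."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()      # expire failures older than the timeframe
        if len(window) >= frequency and m["ip"] not in alerts:
            alerts[m["ip"]] = ts  # record the first time the threshold is crossed
    return alerts

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when}: SSH brute force from {ip}")
```

A lone failed login from a legitimate user never trips the threshold, while the burst from one source does on its eighth failure; raising the frequency or shrinking the timeframe trades sensitivity for fewer false alarms.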
Stories of Interest:
News Item 1: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/25/AR2010082505962.html
[Notes Keith: Government speak at its finest. None of the statements seem to jive with one another. Cyberspace will be treated as a domain of potential warfare. Warfare implies both offensive and defensive actions in concert with one another. Active defenses that are created by using a more robust and redundant environment but then later discusses the offensive capabilities. Sounds like they don't quite have the plan all together that formalized.]
News Item 2: http://news.techworld.com/security/3236787/rustock-botnet-ditches-encryption-to-ramp-spam/
The Rustock mega-botnet appears to have ditched the experimental use of TLS (transport layer security) to obscure its activity, Symantec has reported.
Rustock’s use of TLS now averages between 0.1 and 0.2 percent of all spam, peaking at 0.5 percent, a tiny fraction of the levels seen in March when it reached averages of around 25 percent with a peak of as much as 77 percent.
The key moment was on 20 April, when the volume of spam featuring the tactic suddenly plunged to sub-one percent levels after an equally sudden rise in rates in the weeks prior to that date.
TLS adds a small but cumulative overhead to server email processing, which ties up mail servers but also affects the rate at which spam is sent. Why Rustock’s controllers adopted the technique at all was never clear but might have been connected to a misplaced belief that it would make it harder for servers to filter its activity or detect the command and control system used to direct its activity.
News Item 3: http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=226900111
Three years after the United Nations’ website was defaced by activist hackers using a SQL injection attack, the site still contains multiple instances of these vulnerabilities.
Security researcher Robert Graham, CEO of Errata Security, did his now-annual checkup on the UN site and found that while the UN had removed the bug that was exploited in the August 2007 attack, the site is still rife with multiple SQL injection vulnerabilities.
In the 2007 defacement, attackers replaced then-Secretary General Ban Ki-Moon’s speeches with some of their own calling for “peace forever” and “no war.” The attackers exploited a SQL injection bug.
“In what’s become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007,” Graham blogged today. “For example, if you click on ‘print this article’, then use that URL instead, the SQL injection still works.”
News Item 4: http://www.nytimes.com/2010/08/23/business/global/23telecom.html
Warning about a potential threat to national security, eight Republican lawmakers have asked the Obama administration to scrutinize a bid by one of the biggest corporations in China to supply telecommunications equipment to Sprint Nextel in the United States.
In a letter sent last week to top administration officials, including Treasury Secretary Timothy F. Geithner and the director of national intelligence, Lt. Gen. James R. Clapper Jr., the senators expressed concern over claims that the company had sold equipment to the regime of Saddam Hussein and had a close business relationship with the Islamic Revolutionary Guard in Iran.
The senators also said the company, Huawei Inc., had close ties to the People’s Liberation Army in China.
“Sprint Nextel supplies important equipment to the U.S. military and law enforcement agencies, and it offers a broad array of devices, systems, software and services to the private sector,” wrote the group of senators, including Jon Kyl of Arizona, Christopher S. Bond of Missouri and Susan Collins of Maine. “We are concerned that Huawei’s position as a supplier of Sprint Nextel could create substantial risk for U.S. companies and possibly undermine U.S. national security.”
A campaign to block Huawei’s bid to sell equipment in the United States would almost certainly aggravate American-Chinese trade relations and intensify a longstanding debate over whether big Chinese companies will be allowed to invest in sensitive industries in the United States.