ISDPodcast Episode 204 for August 31, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
ShoeCon 2010:
- Atlanta, GA September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111
- This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). This discount expires on Sept. 1st.
Other upcoming cons Adrian will be at:
- Phreaknic, Oct 15-17 2010, Nashville, TN (http://www.phreaknic.info)
- Hak3rCon, Oct 23-24 2010, Charleston, WV (http://www.hack3rcon.org)
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
News Item 1: http://www.techworld.com.au/article/358564/microsoft_won’t_stop_net_android
Oracle’s patent and copyright lawsuit against Google for its use of Java in Android won’t be repeated by Microsoft if .Net is used on the Linux-based mobile operating system instead. Tom Hanrahan, director of the open source technology centre at Microsoft, said the Community Promise allows projects like Mono to fully support its technology. “The type of action Oracle is taking against Google over Java is not going to happen,” Hanrahan said. Microsoft’s Community Promise has made the .Net runtime and C# specifications available to Miguel de Icaza and the Mono project developers. “If a .Net port to Android was through Mono it would fall under that agreement,” he said. Novell has already developed MonoTouch for Apple’s iOS-based devices like the iPhone and iPad, and a Mono port to Android, dubbed “MonoDroid”, is on the roadmap, due for a preview release in Q3 this year.
Oracle’s complaint against Google centres around its development of the Dalvik virtual machine, which can run applications written in Java. Dalvik is not an officially sanctioned Java runtime environment; however, Sun did initially praise Google for supporting Java on Android. Mono developer Miguel de Icaza is not concerned about legal challenges by Microsoft over .Net implementations and wrote on his blog that Google could switch from Java. “Google could settle current damages with Oracle, and switch to the better designed, more pleasant to use, and more open .Net platform,” de Icaza wrote.
News Item 2: http://blogs.forbes.com/andygreenberg/2010/08/26/researcher-creates-clearinghouse-of-14-million-hacked-passwords/
The “Wall of Sheep” has become a cherished tradition at the annual Defcon hacker conference in Las Vegas: Anyone foolish enough to use the local wireless network at the hotel will likely have his or her username and password stolen, and later see those vital digital details projected onto a screen for thousands of attendees to see.
Now Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site – 14,488,929 distinct passwords to be exact, collected from 32,943,045 users.
Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of RockYou.com, a social networking applications site penetrated by cybercriminals using an SQL injection. Another 180,000 were spilled when the bulletin board software site phpBB was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.
Bowes, a consultant with Dash9 security and a developer for the security scanning tool Nmap, says he collected the passwords to help researchers figure out how users choose passwords and make the authentication process more secure. The site he’s assembled is a wiki, so anyone can update it with new breached password lists. “Since I created it, I’ve had exceptionally good feedback from researchers around the world,” Bowes wrote in his blog. “As far as I know, it’s the best collection of breached passwords anywhere.”
News Item 3: http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=227101757&subSection=Storage+security
[Notes Keith - While the rise in data leaked continues to increase, many companies still are hesitant to enforce proper egress controls to access social networking sites, implement policies regarding their use, or implement multi-level content filtering solutions. Checking web traffic for access to Playboy is not the sole purpose of a content filtering solution. As with all portions of a properly created security program, the technology must be used to enforce the policies. If the policies don't define the limitations, the technology will fail to meet the needs. With that, there needs to be constant monitoring and proactive response by the responsible parties when sensitive information is detected which may be exiting the network. Policies must be definitive; any vagueness in the policies may render them void should a termination turn into an unemployment or criminal proceeding.
- Twenty percent of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site.
- Seven percent of companies terminated an employee for social networking policy violations.
- Twenty percent disciplined an employee for such violations.
- Fifty-three percent explicitly prohibit the use of Facebook, while 31 percent explicitly prohibit use of LinkedIn.
- Fifty-six percent are highly concerned about data loss via email sent from mobile devices.
- Twenty-two percent investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices or storage media in the past 12 months.
- Fifty-eight percent of respondents say that budget constraints have negatively impacted their organization's ability to protect confidential, proprietary, or sensitive information.
For those companies not able to afford commercial offerings due to budgetary restraints, there are numerous open source solutions that are able to perform DLP/content management with little impact and initial monetary funding (Snort/Squid/SquidGuard/OSSEC).]
Despite efforts to keep sensitive data in house, many corporations continue to experience serious data leaks, according to a survey published earlier today.
In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email continues to be the number one source of data loss risk in large enterprises. More than a third (35 percent) of respondents investigated a leak of confidential or proprietary information via email in the past 12 months, the study says.