InfoSec Daily Podcast
ISDPodcast Episode 272 for December 6, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
SANS Cyber Defense Initiative 2010
Washington, DC.
Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
DojoCon:
13699 Dulles Technology Dr
Herndon, VA 20171
Dec 11-12, 2010
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
CFP Deadline: December 12, 2010
http://aide.marshall.edu/default.htm
Ultimate Pentesting VM: /resources/upv/
Stories:
Tools: http://packetstormsecurity.org/files/view/96419/ZAP-1.1.0.tgz Zed Attack Proxy Update to 1.1.0; The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Mac OS X, Windows and Cross Platform releases are all included in this file.
Lots of changes: http://code.google.com/p/zaproxy/wiki/HelpReleases1_1_0
Tools: http://packetstormsecurity.org/files/view/96421/xplico-0.6.1.tgz Xplico Network Forensic Analysis Tool 0.6.1; Xplico is an open source Network Forensic Analysis Tool (NFAT) that allows for data extraction from traffic captures. It supports extraction of mail from POP, IMAP, and SMTP, can extract VoIP streams, etc. This is the version that has a GUI allowing you to view photos, texts and videos contained in MMS messages.
This version adds new dissectors and new features, and includes many bug fixes:
- Paltalk chat dissector
- MSN dissector (beta basic version)
- XI Cookie hijacking
- XI pagination for Images and Web
- XI XSS fixed
- XI bugfix
News: How real is online dating? http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202475722883&rss=ltn
The case began with former Coral Springs resident Robert Anthony. He paid month to month on his Yahoo Personals membership. Anthony would send messages to women he was interested in but get no response. When his membership was about to expire, however, there would be a flurry of activity. Anthony would renew his membership to get in touch. When he tried to pursue these supposedly interested women, he would get no responses until his membership was again about to expire. Ultimately, 37,000 Yahoo members filed claims. All of them were paid the same amount, the equivalent of one month’s membership for a total payout to class members of $4 million. Yahoo also agreed to warn members of the potential for fake profiles in the database. The provider also agreed to use photo imaging software and employ staff to ferret out fakes. Those remedies already were implemented before the conclusion of the settlement, said Darren Weingard, an attorney for Yahoo. “Unrelated to the case, Yahoo transferred its dating product by entering into an agreement with Match.com to get out of the personals business,” he said.
News: http://news.softpedia.com/news/Hacker-Compromises-US-Navy-Memorial-Website-and-Mocks-Admin-169047.shtml
A hacker broke into the U.S. Navy Memorial website and left a message for the administrator ridiculing him for the weak security and offering his assistance. The United States Navy Memorial is located on Pennsylvania Avenue, N.W., in Washington, D.C., and honors everyone who served or currently serve in the U.S. Navy, Marine Corps, Coast Guard, as well as the Merchant Marine. The Navy Memorial website, located at www.navymemorial.org, is operated by the U.S. Navy Memorial Foundation and provides visitors with information about the memorial, as well as news, annual reports and other services. The compromise was identified by Christopher Boyd, a senior threat researcher at GFI Software (formerly Sunbelt), who reports that the hacker left his message in a .txt file inside a directory on the server. However, since this folder was accessible to search engine crawlers, the message got indexed and became available on Google. It read:
“Hello Admin your Site Security ’0′. [CENSORED] Fix your Website Or you will get Another [CENSORED] By A Hacker” The attacker even offered to help and left his Yahoo! and MSN contact information, something that overly confident hackers sometimes do. “We’ve notified the admins, and the page in question is currently blank with the site running normally so hopefully they now have things under control,” Mr. Boyd said. “There doesn’t seem to be any intention of placing malicious files there, but it might be worth being careful if visiting navymemorial(dot)org for a few days until it has a 100% clean bill of health,” he advised.
Website compromises of this kind are rather common, although the hackers usually post the message taking responsibility for the attack on the front page. The attacks are commonly referred to as “defacements” and are usually performed either in protest (hacktivism) or to earn respect from other members of the hacking community.
News: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228400108
Google is working to patch a new data-stealing vulnerability that affects all versions of the Android operating system. The vulnerability was discovered by security researcher Thomas Cannon. “While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,” he said on his blog. “It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.” In other words, a successful exploit wouldn’t provide the attacker with root access to all device data.
Cannon said that after he emailed Google about the bug, the company made contact to discuss the issue just 20 minutes later. Google also asked him to withhold some details while it works on a fix. “As my intention is to inform people about the risk, not about how to exploit users, I’ve agreed,” he said.