Your daily source of Pwnage, Policy and Politics.


Episode 389 – Special Guest Will Genovese, Byron Free?, Turkey Day, WB PSN, Failstation network, Zeus forensics & NIST 800-61

InfoSec Daily Podcast Episode 389 for May 18, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:

LayerOne 2011
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
http://www.layerone.org/

My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011

5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

#BSidesCT
Where: Meriden, Connecticut
When: June 11, 2011

http://bsidesct.eventbrite.com

eXcon
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com  (email excon@nesit.net for more info)
Begins after BSidesCT. Registration cost is $50.00.

#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP now closed!

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP Closed!

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org

EFF:
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://action.eff.org/site/TR/Contest/Advocacy?team_id=1730&pg=team&fr_id=1060

Special Guest:  Will Genovese talks to us about eXcon.

eXcon aims to be a cutting edge security conference presented by Ex-Military, Ex-Secret Service, Ex-CIA, Ex-Cons, along with some of the brightest and most recognizable pen testers, programmers, and systems experts. Tracks will include demos of social engineering, digital tracking, exploit development and implementation, and war stories. eXcon will feature a lockpicking & hackerspace village (email excon@nesit.net for more info)

More Info http://exconference.com

Stories
Source:
http://www.thestar.com/news/article/993296–g20-accused-byron-sonne-finally-released-on-bail

The last person remaining jailed on charges related to last summer’s G20 summit was released on bail Wednesday after spending 330 days in detention.

Byron Sonne, a 38-year-old Internet security expert with no criminal record, is charged with possessing explosive substances and counselling the commission of mischief not committed, for his alleged activities leading up to last summer’s G20 summit.

He was ordered released on a $250,000 bail bond and a number of stringent conditions.
After he was released from court Sonne said the first thing he was going to do is get a double-tall whole milk latte from Starbucks “and then hug my Mom and Dad a few more times.”
He at first resisted discussing his case, but later agreed with a suggestion that the Crown had made an example out of him by keeping him in custody for nearly 11 months.

“I never had any plans to hurt anybody at all – ever,” he said, adding that he is looking forward to trial. “I'm sure I'll be exonerated and everything will turn out for the best.”

Sonne refused to directly discuss his relationship with his ex-wife, who filed for separation while he was in jail and has cut off all ties with him and his family, but he said he had “suffered the loss of people very close to me, that I wish I could be with.”

Sonne also thanked his supporters “from all over the world,” but especially the Toronto-based supporters from Hacklab.TO.

Sonne’s parents, Bue and Valerie, who are both retired, posted bail for their son and will act as sureties.

He must live at their Brampton home and can only leave the residence if accompanied by either his father or mother, except to attend work, school, court or for medical emergencies.
Sonne must also have no contact with his ex-wife, Kristen Peterson, and must remain 500 metres from their matrimonial home in Forest Hill. There are no allegations of domestic disputes or violence of any kind between the couple.

He must also have no contact with anyone accused with G20 conspiracy crimes or anyone associated with a number of anarchist groups or the Toronto Community Mobilization Network. There are no allegations that Sonne has ever associated with those people or groups.
Sonne is barred from accessing the Internet, except for employment purposes, but Justice Ian MacDonnell consented to allowing Sonne to purchase a new laptop, which will be inspected by police, that he will be able to use for employment purposes only and only while in his parents’ house.

He is allowed to access email only for work, and he is not allowed to delete any emails or Internet history. Police will be allowed to inspect computer at any time.
He is also barred from using any wireless telecommunications.

Police will also be allowed to search Sonne’s parents’ home once a week, without a search warrant.

The 361 University Ave. courthouse where he appeared was packed with media and supporters. Arguments made at the bail hearing are under a publication ban.

Sonne arrived late to the proceedings from the Maplehurst jail in Milton. Wearing a red fleece zip-up sweater and blue jeans, he smiled throughout the proceedings and acknowledged several people in the court.

He was arrested on June 22, 2010 — two days before the summit began — at the $1 million Forest Hill home he then shared with Peterson.

Peterson was arrested two days after her husband, but had all her charges dropped earlier this year. She filed for legal separation a few months after the arrest and has cut off all contact with Sonne and his family.

Police allege Sonne planned to detonate a homemade explosive in downtown Toronto to disrupt the meeting of world leaders, and had used social media to encourage people to interfere with the security apparatus.

Sonne’s supporters say their friend is non-violent but fiercely critical of state surveillance and restrictions on civil liberties. They say Sonne may have been baiting security officials to intentionally trigger an overreaction by police.

Sonne had posted photos to his Twitter feed of the security fence that surrounded the summit site and of the various surveillance cameras set up downtown. He also took photos of police, which he posted with unflattering captions such as “Bacon on wheels” and “Stationary bacon.”
Evidence heard during bail hearings and during the judicial pre-trial is under publication ban.
Sonne’s supporters — many from Toronto’s hacker community — rallied long and hard for his release. They set up a “Free Byron” website and talked about Sonne’s case at international technology conferences, garnering support from as far away as France and Germany. They accuse police of heavy-handedness and of stifling political dissent.

Upon his arrest, Sonne was also charged with possessing weapons, mischief, attempted mischief, and two counts of intimidating justice officials, but those charges were all dropped at judicial pre-trial, leaving only the explosives offence. The counselling mischief not committed charge was added at that time.

MacDonnell awarded bail earlier this week after defence lawyer Joseph Di Luca argued that the case against his client had changed substantially following judicial pre-trial. He had been denied bail twice before.

Sonne’s trial is now scheduled to begin Nov. 7.

Geordy’s comment: Canada’s penal system certainly seems uneven at best. Seems like Byron got to take the fall for all of the Canadian government’s pent up rage.

Source: http://mashable.com/2011/05/16/turkey-protests-internet-censorship/

Disgruntled Turkish Internet users marched through the streets in more than 30 cities on Sunday to protest a new Internet filter system that they consider censorship.

The system will ask all users to choose from a selection of filters, including “family,” “children” and “domestic,” before browsing the Internet in Turkey. It is planned to take effect in August.
Earlier this month, the Information and Communication Technologies Authority (BTK) President Tayfun Acarer told reporters that the organization had introduced the filters in response to requests for better Internet safety. Currently available filters for families and children don’t work that well, he said, and the new system includes a “standard” filter option for those who don’t want their Internet browsing experience to change.

Thousands of Turkish people who used Facebook to organize and attend marches on Sunday see the measure differently.

“You’d enter a channel leading you to the server of the state, which distributes the Internet to millions of users. The system enables the control of citizens … like telephone tapping,” one of the protestors, Serkan Dogan, told The Wall Street Journal.

It’s not surprising that many Turkish people are distrustful of the BTK’s new measures. The country has a history of Internet censorship, famously blocking YouTube in 2007 due to a video that was deemed insulting to the founder of modern Turkey. That ban has been lifted, but thousands of other sites remain blocked.

Source: http://mashable.com/2011/05/17/sony-games-psn/

Twenty-eight days. That’s how long Sony’s PlayStation Network was down after hacker attacks caused a serious privacy breach and a lot of headaches for the company. Now, Sony wants to redeem itself by giving away two PS3 or two PSP games, as well as a number of other freebies, to PSN customers.

As the PlayStation Network comes back online, Sony is offering a package of free goods and services to all existing registered PlayStation Network and Qriocity users in the U.S. and Canada. This campaign to woo customers is dubbed “Welcome Back.”

The package, available for 30 days after the PlayStation Store is restored, consists of two PS3 games that can be kept forever. Customers can choose from Dead Nation, inFAMOUS, LittleBigPlanet, Super Stardust HD and Wipeout HD + Fury.

PSP owners will be able to download two of these games: LittleBigPlanet (PSP), ModNation Racers, Pursuit Force and Killzone Liberation.

Sony will also offer a selection of free movie rentals, a 30-day free PlayStation Plus membership for non-PlayStation Plus subscribers (and an additional 60 days free for existing PlayStation Plus subscribers), as well as an additional 30 days of free premium subscription for existing Music Unlimited Premium Trial subscription members (and an additional 30 days plus time lost for existing Premium/Basic members).

Finally, PlayStation Home will be offering 100 free virtual items, with additional free content to be released soon.

For customers outside the U.S. and Canada, the “Welcome Back” bag of free goodies from Sony is similar but slightly different for each country. For more info, check out the European and Latin American PlayStation Network blogs.

Geordy’s comments: Someone in the comments pointed out that Sony is also offering free identity protection for a year although I can’t find the reference anywhere.  If you take close notice, they are also playing an angle by offering 30 days of free PlayStation Plus membership to those who don’t already subscribe to PlayStation Plus.  I wonder if it will be one of those auto bill things…

Source: http://www.osnews.com/story/24757/New_Exploit_in_PSN_Sony_Takes_Change-password_Sites_Offline

Like the B-movie that keeps pumping out sequels long after running its course, Sony continually finds innovative new ways to fail at security.

Sony just restarted its Playstation Network, after the massive security fail dismissed as a 'hiccup' by Sony CEO Howard Stringer. Well, the PSN has barely been up two days, and a massive security oversight has already been discovered. Yes, Sony just got Sony'd. Again. Unbelievable.

This is just unbelievable. You may recall that as part of the PSN's relaunch, Sony released a new firmware version that forced you to change your password as an additional security measure. The problem is that before the first massive security fail, if you had honestly forgotten your password, you could create a new password by going to a Sony website and entering your email address and date of birth. Nothing special, and this site was still working just fine after PSN's relaunch to aid people in changing their passwords.

Until you realise that your email address and date of birth were among the leaked information. This means that hackers can simply go to the change-password website, enter your email address and date of birth from the stolen data, et voilà, your account has just been re-exploited. It doesn't matter if you have already changed your password following the recent firmware release.

Nyleveia discovered the exploit, and confirmed that it does, indeed, work. They contacted Sony immediately, and sure enough, the web-based change-password function was taken offline by Sony shortly after. Remember that the change-password functionality on the PS3 itself is still working just fine, since it cannot be used for the exploit.

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," Sony told EuroGamer, "This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."
No system is ever safe, huh, Stringer? It was just a hiccup, huh, Stringer? I'm no security expert, but I'm starting to see a structural problem here.

Update: The problem has been fixed.  http://blog.us.playstation.com/2011/05/18/update-on-psn-password-reset-process/
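To make the design flaw in the story concrete, here is an added illustration (not code from Sony or from the OSNews article): a knowledge-based reset that accepts email plus date of birth, beside a token-based reset that sends a random, single-use, short-lived secret out of band. The account data, the `send_mail` stand-in and the time values are constructed for the example.

```python
"""Knowledge-based vs token-based password reset (added illustration)."""
import hmac
import secrets
import time

# Constructed sample account; values are made up, not from any real breach.
ACCOUNTS = {"alice@example.com": {"dob": "1985-04-12", "password": "old-secret"}}


def weak_reset(email, dob, new_password):
    """Weak design as described in the story: profile data that was itself
    leaked (email + DOB) is enough to set a new password, so a recent
    password change by the real owner does not help at all."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["dob"], dob):
        return False
    acct["password"] = new_password
    return True


# Hardened design: leaked profile data is not treated as a credential.
TOKEN_TTL = 900                 # seconds a reset token stays valid
_pending = {}                   # email -> (token, expiry); one live token per account


def request_reset(email, send_mail, now=None):
    """Issue a random single-use token and hand it to the mailer.
    The caller sees the same result whether or not the account exists,
    so the endpoint does not confirm which emails are registered."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in ACCOUNTS:
        _pending[email] = (token, now + TOKEN_TTL)
        send_mail(email, token)   # out-of-band delivery to the mailbox owner
    return None


def complete_reset(email, token, new_password, now=None):
    """Accept the new password only with a live, unexpired, matching token.
    The pending entry is consumed on every attempt, so a token cannot be
    replayed and a wrong guess burns it rather than leaving it valid."""
    now = time.time() if now is None else now
    entry = _pending.pop(email, None)
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry or not hmac.compare_digest(expected, token):
        return False
    ACCOUNTS[email]["password"] = new_password
    return True
```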

Source: http://shape-of-code.coding-guidelines.com/2011/05/11/fingerprinting-the-author-of-the-zeus-botnet/

The source code of the ZeuS Botnet is now available for download. I imagine there are a few organizations who would like to talk to the author(s) of this code.

All developers have coding habits, that is they usually have a particular way of writing each coding construct. Different developers have different sets of habits and sometimes individual developers have a way of writing some language construct that is rarely used by other developers. Are developer habits sufficiently unique that they can be used to identify individuals from their code? I don’t have enough data to answer that question. Reading through the C++ source of ZeuS I spotted a few unusual usage patterns (I don’t know enough about common usage patterns in PHP to say much about this source) which readers might like to look for in code they encounter, perhaps putting a name to the author of this code.

The source is written in C++ (32.5 KLOC of client source) and PHP (7.5 KLOC of server source) and is of high quality (the C++ code could do with more comments, say to the level given in the PHP code), many companies could increase the quality of their code by following the coding standard that this author seems to be following. The source is well laid out and there are plenty of meaningful variable names.

So what can we tell about the person(s) who wrote this code?

  • There is one author; this is based on consistent usage patterns and nothing jumping out at me as being sufficiently different that it could be written by somebody else.
  • The author is fluent in English; based on the fact that I did not spot any identifiers spelled using unusual word combinations that often occur when a developer has a poor grasp of English. Update 16-May: skier.su spotted four instances of the debug message “Request sended.” which suggests the author is not as fluent as I first thought.
  • The author is not a newbie developer, perhaps sometime in the past they were badly bitten by a Microsoft C++ compiler bug, found that this usage worked around the problem and have used it ever since.
  • (see original article for a much deeper analysis -geordy)

Could the source have been processed by a code formatter to remove fingerprint information? I think not. There are small inconsistencies in layout here and there that suggest human error, also automatic layout tends to have a ‘template’ look to it that this code does not have.
Update 16 May: One source file stands out as being the only one that does not make extensive use of camelCase and a quick search finds that it is derived from the ucl compression library.

Source: http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

NIST has released Special Publication 800-61 Rev 1, Computer Security Incident Handling Guide. Here’s a short excerpt from this 147 page guide that fairly well explains what it’s about:

Computer security incident response has become an important component of IT programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. Continually monitoring threats through intrusion detection and prevention systems and other mechanisms is essential. Establishing clear procedures for assessing the current and potential business impact of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data. Building relationships and establishing suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement) are also vital.

This publication seeks to help both established and newly formed incident response teams. This document assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. More specifically, this document discusses the following items:

Organizing a computer security incident response capability
– Establishing incident response policies and procedures
– Structuring an incident response team, including outsourcing considerations
– Recognizing which additional personnel may be called on to participate in incident response.

Handling incidents from initial preparation through the post-incident lessons learned phase

Handling specific types of incidents
– Denial of Service (DoS)—an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
– Malicious Code—a virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host
– Unauthorized Access—a person gains logical or physical access without permission to a network, system, application, data, or other IT resource
– Inappropriate Usage—a person violates acceptable use of any network or computer policies
– Multiple Component—a single incident that encompasses two or more incidents; for example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
