Your daily source of Pwnage, Policy and Politics.


Episode 417 – WordPress 0day, Hacked Gmail, Google Shares, Dropdox, Firefox 4 EOL, MS “Legal Intercept” & Cyber-defense Bandwagon

InfoSec Daily Podcast Episode 417 for June 28, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there

My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through July 1, 2011! Email submissions to Conference@gaissa.org

EFF:

The ISD Podcast is participating in a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://eff.isdpodcast.com

Currently at $1813!  We will quit bugging you soon about this fundraiser.  The contest ends on July 5th so please get any donations you were planning to make in now!

Stories

Source: http://h.ackack.net/0day-xss-in-wordpress-core.html

I found a self-XSS in the WordPress core the other day; when you manage to successfully exploit this vulnerability, only imagination can stop you from owning the WordPress installation.
These self-XSSes require some more user interaction than the classic click-bam-boom effect of an XSS.

The classic way of triggering the "bam" (exploitation of an XSS vulnerability) is by very properly slicing an iframe based on the victim's browser resolution and changing the CSS of the iframe to make it look like a part of the page, and then convincing the victim to drag something to that sliced iframe.

The boom effect will automatically trigger after the bam was successful in any situation, which is the execution of the preferred payload – in our case an innocent Javascript alert box, but which could just as well have been DOM requests to change user passwords, add accounts, install malicious plugins or the process of stealing cookies.

The draggable element contains the payload, the code, the Javascript you would like to execute.

Source: http://www.multitasked.net/2011/jun/27/hacked-gmail-google-account/

On May 17th, in the evening, I received an email from the Gmail account of Charlotte, my significant other. It was written in French (which is normal for her) and looked like this:

How are you ? Would you have time to spend by email on a peculiar situation about me ? I am in deep problems and couldn't cope with your support.

Hoping to hear from you really soon.

Best, Charlotte

You'll find the French original text below (so that people can find it on Google).

I was quite busy and so immediately dismissed this as spam, and did not bother to check where this email had been sent from. Faking email addresses is way too easy to bother for each suspect email. Like many people with a public email address, I often receive fake emails from myself.

But this time, the problem was deeper, as I learnt when Charlotte, the real one, called me to warn me that she could not access her Gmail account anymore and that her phone was constantly ringing because of people worried about her. She also told me about a popup she had in the morning about suspect access to her account from the Ivory Coast. At the time, she was quite busy, clicked on some option that looked reassuring and went on with her day. Damn, that was bad.

<snip> (follow the link for many more details on the hack)

Source: http://www.theregister.co.uk/2011/06/27/google_user_data_subpoenas/

The US government filed more than twice as many demands for data about Google users as any other country in the past six months, according to figures the search behemoth supplied Monday.

What's more, according to the Google Transparency Report, Google fully or partially complied with the US demands in 94 percent of the cases, a rate that was higher than responses to any other government.

From July to December of last year, Google received 4,601 demands from US-based governments for information relating to one or more of its users, Monday's report stated. Brazil and India were second and third with 1,804 and 1,699 requests respectively.

Google at least partially complied with 94 percent of the demands received from US-based agencies. Japan, Singapore, and Australia had the second, third and fourth highest rates of compliance from Google, with 90 percent, 88 percent and 81 percent of demands honored respectively.

“Whenever we receive a request, we first check to make sure it meets both the letter and spirit of the law before complying,” the Google report stated. “When possible, we notify affected users about requests for user data that may affect them. And, if we believe a request is overly broad, we will seek to narrow it.”

Google is by no means alone in supplying information about its users to government agencies that file valid subpoenas or other legal documents demanding it for criminal investigations or other official purposes. What sets Google apart, however, is its reporting of how many times it receives such demands from each country and how many times it complied.

So far, Google competitors have steadfastly refused to say how many demands they receive and how often they are complied with.

The fact that Google on average complies with 19 of 20 US demands to turn over data about its users is cause for concern, but it's probably no more alarming than the compliance rates from Yahoo, Microsoft, and Facebook. Google was the only major search engine to challenge a 2006 Justice Department subpoena for two months of users' search queries.

Source: http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html

The Dropbox data hosting service introduced a bug that unlocked its 25 million users' accounts and data for everyone to see, a class action lawsuit claims in California's Northern District.

In the suit filed in U.S. District Court in San Francisco, Dropbox customer Cristina Wong of Los Angeles said she did not learn about the incident until she read a news story about it several days later.

Dropbox, which claims to have more than 25 million subscribers, is a popular “cloud” storage service that lets Internet users easily keep all of their data online so that it is accessible to all of their devices.

The company also assures customers that it keeps their data secure from theft and unauthorized disclosure. “We believe that storing data in Dropbox is far more safe than the alternatives,” the company said in an April 21 blog posting.

The suit notes that Dropbox actively encourages consumers to store their sensitive personal and business data on its system because of its supposedly superior security.

Yet, Wong says that on June 20, Dropbox announced via a blog post that it had “introduced a bug” on June 19, allowing users to log into other users' accounts and access their data but did not notify all of its clients of the problem.

Instead, in a breezily written blog, the company said:

“Hi Dropboxers, Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm.”

The company's blog posting said that only “a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.”

Dropbox said that as a precaution it ended all logged in sessions and launched an investigation of all activity at the time the system was compromised.

“If we identify any specific instances of unusual activity, we’ll immediately notify the account owner,” the posting said.

“This should never have happened,” the blog post said, words that may come back to haunt Dropbox.

The suit charges the San Francisco company with violating the California Unfair Competition Law, invasion of privacy and negligence.

Source: http://arstechnica.com/business/news/2011/06/firefox-update-policy-the-enterprise-is-wrong-not-mozilla.ars

Three months ago, Mozilla released the long-awaited Firefox 4. Last week, the organization shipped the follow-up release: Firefox 5. Firefox 5 was the first version of the browser to be released using Mozilla's new Firefox product lifecycle, which would see a new version of the browser shipping every three months or so. The new policy has been publicized for some months, and so the release of Firefox 5 was not itself a big surprise. What has caught many off-guard is the support, or lack thereof. With the release of Firefox 5, Firefox 4—though just three months old—has been end-of-lifed. It won't receive any more updates, patches, or security fixes. Ever. And corporate customers are complaining.

The major problem is testing. Many corporations have in-house Web applications—both custom and third-party—that they access through their Web browsers, and before any new browser upgrade can be deployed to users, it must be tested to verify that it works correctly and doesn't cause any trouble with business-critical applications. With Mozilla's new policy, this kind of testing and validation is essentially impossible: version 5 may contain critical security fixes not found in version 4, and with version 4 end-of-lifed, the only way to deploy those fixes is to upgrade to version 5. That may not be an issue this time around, but it's all but inevitable that the problem will crop up eventually.

Source: http://www.conceivablytech.com/8108/products/microsoft-may-add-eavesdropping-to-skype

The U.S. Patent and Trademark Office published a Microsoft patent application that reaches back to December 2009 and describes “recording agents” to legally intercept VoIP phone calls.

The “Legal Intercept” patent application is one of Microsoft’s more elaborate and detailed patent papers, which is comprehensive enough to make you think twice about the use of VoIP audio and video communications. The document provides Microsoft’s idea about the nature, positioning and feature set of recording agents that silently record the communication between two or more parties.

The patent was filed well before Microsoft’s acquisition of Skype and there is no reason to believe that the patent was filed with Skype as a Microsoft property in mind. However, the patent mentions Skype explicitly as an example application for this technology and Microsoft may now have to answer questions in which way this patent applies to its new Skype entity and if the technology will become part of Skype.

In the patent descriptions, the company justifies such a feature with the fact that monitoring of calls has been around for a long time for traditional calls, but devices that were used for plain old telephone service (POTS) simply do not work with VoIP anymore. Recording agents are designed to take the place of those outdated devices, but are – not surprisingly – much more capable, can be placed in different locations and automate call interceptions. For example, Microsoft says that recording will be triggered by “events”, or a “sequence of events” – for example when specific callers are involved.

The patent does not mention an eavesdropping module that is integrated into the client software. However, it describes recording agents that can be placed in a multitude of devices, including routers (see image, RA = recording agent). There is also a note about recording agent software that represents “a software module that logically and/or physically sits between the call server and the network.” According to Microsoft, the agent will have access “to each communication sent to and from the call server,” which clearly refers to the general infrastructure of a VoIP service and network.

The patent lists the following process of a silently recorded call (we removed references to drawings in the description for easier reading):

1. A delivery endpoint is registered with a call server. For example, the intercept requestor may register an IP address/port for delivery of copies of recorded communications associated with a designated VoIP entity.
2. A request to monitor a selected VoIP entity is sent by the requestor to the call server. For example, the intercept requestor may request that the call server record communications for the VoIP entity.
3. An initiating entity negotiates candidate network paths with a media relay. For example, the VoIP entity may talk to a STUN, TURN, and/or other servers to determine what IP address/port of the VoIP entity is visible from the network. For example, if the VoIP entity is connected to a NAT, the NAT may translate IP addresses and port numbers. In STUN/TURN environments, the call gateway may act as a STUN and/or TURN server. The SDP parameters indicated previously are an example of what may result as the entity negotiates candidate communication points with a media relay.
4. The initiating entity sends an invite to the call server. The invite includes data regarding establishing a communication session between at least two entities via a switched packet network for a communication that includes audio. For example, the VoIP entity sends an invite (such as the SDP parameters mentioned previously) to the call server to communicate with a VoIP entity in the enterprise.
5. A copy of the invite is sent to the delivery point. For example, the call server may send a copy of the invite to the intercept requestor or another endpoint designated by the intercept requestor.
6. An invite with no local candidates is sent to the remote entity. For example, the call server sends an SDP with the local candidates deleted to the remote entity of the enterprise. Having no local candidates is synonymous with having “no direct paths.” In STUN/TURN terminology, this means that the VoIP entity needs to employ a TURN server to communicate with the remote entity.
7. The remote entity responds to the invite by sending “OK.” For example, the remote entity in the enterprise responds to the invite by sending an OK to the call server.
8. A copy of the OK is sent to the delivery point. For example, the call server sends a copy of the OK to the intercept requestor or another endpoint designated by the intercept requestor.
9. The OK is sent to the initiating entity. For example, the call server sends the OK to the VoIP entity.
10. The agent that will be recording the subsequent communication between the entities is configured so that it will create a copy of the communication. For example, the call server, the call gateway, or some other server may configure the router to create a copy of the communication to and from the VoIP entity. Note that the recorder may be configured to record a communication for an entity any time after a monitoring request for the entity is received.
11. The VoIP entity sends a packet to the media relay. For example, the VoIP entity may send a packet to the call gateway.
12. The packet passes to the recorder. For example, the packet may pass to the router.
13. The packet is sent to the remote entity. In addition, a copy of the packet is sent to the delivery point and/or stored for later sending to the delivery point or retrieval by a law enforcement agent. For example, the router sends the packet to the VoIP entity in the enterprise and sends a copy of the packet to the intercept requestor or another endpoint designated by the intercept requestor. This continues until the communication is terminated.
14. Upon termination, the delivery endpoint may be informed that the communication has terminated.

The patent clearly addresses the need of governments and law enforcement to record Internet calls. There is also a certain sense that especially closed networks are targeted with this technology, yet the clear notion that VoIP applications targeted by this patent “may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like” may raise privacy concerns and surely the question of how Microsoft intends to use such a patent now that it owns Skype.

So, Microsoft: Will Skype officially include eavesdropping capability in the future?
A request for clarification we sent to Microsoft has remained unanswered so far.

Source: http://www.afterdawn.com/news/article.cfm/2011/06/25/germany_launched_its_own_cyber-defense_center

Germany is the latest country to build itself its very own cyber-defense center to build a strategy to defend against cyber-warfare, a hot issue this year. The National Cyber-Defense Center is located in Bonn at the Federal Office for Information Security building.

For now, it has ten permanent employees, with the German Federal Police, Federal Intelligence Service and Armed Forces to join the effort in the coming months. The Interior Ministry said it recorded a record number of attempted cyber attacks last year, nearly double the number of attempts in 2009.

"At the heart of cyber-security is the protection of critical infrastructures," said Federal Interior Minister Friedrich. "Stuxnet and the most recent example of the hacker attack on the French nuclear company EDF (Electricité de France) have shown that IT systems represent critical infrastructure in the context of cyber-attacks."

Germany's move follows others' around the world, including the UK's Cyber Security Operations Center (CSOC) and the United States' Cyber Command center. Estonia, which was the victim of a country-wide cyber-attack in 2007 in a dispute over the moving of a Soviet-era war monument, is also planning to build its own cyber defenses.

Geordy’s comments: This move oddly coincides with Germany recently banning “hacking tools”.  WTF Germany?!?

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.