InfoSec Daily Podcast Episode 436 for July 26, 2011. Tonight's podcast is hosted by Karthik Rangarajan, Beau Woods, and Varun Sharma.
Announcements:
SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
Hack3rCon 2011
When: October 21st-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories:
Source: http://blog.thoughtcrime.org/sslsniff-anniversary-edition
In one week it will have been 9 years since I first published sslsniff — way back in 2002! While sslsniff has evolved to be a general-purpose MITM tool for SSL connections, I originally published it as a proof of concept exploit for the BasicConstraints vulnerability that I released along with it.
The vulnerability was that, back then, nobody really validated certificate chains correctly. WebKit browsers, as well as the Microsoft CryptoAPI (and by extension Internet Explorer, Outlook, etc.), validated all the signatures in a certificate chain, but failed to check whether the intermediate certificates had a valid CA BasicConstraints extension set. This meant that you could take any old CA-signed certificate and use it to sign any other certificate.
In other words, if you bought a valid certificate for your website, what you got was the equivalent of a CA certificate. You could use it to create a valid signature for any other website, and (naturally) intercept SSL traffic.
Today, Gregor Kopf and Paul Kehrer released an advisory for iOS, announcing that it is also vulnerable to the BasicConstraints attack. Since this is the anniversary of the bug that prompted the release of sslsniff to begin with, I've updated it to add iOS fingerprinting support. To intercept traffic from vulnerable iPhones, simply run:
sslsniff -a -c <path/to/your/certificate> -f ios -h <httpPort> -s <sslPort> -w iphone.log
Enjoy!
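As an added example (not code from the sslsniff post), here is the check the post says was missing: a minimal chain validator over constructed certificates, run once with signature checks only and once also requiring CA:TRUE in the issuer's BasicConstraints. The certificate names and the use of the `cryptography` library are this example's own assumptions.

```python
# Added example (not from the sslsniff post): certificate chain validation with and
# without the CA BasicConstraints check that WebKit/CryptoAPI skipped; all certs constructed here.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, issuer, is_ca):
    """Return (key, cert); `issuer` is a (key, cert) pair, or None for self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signer_key, issuer_name = (issuer[0], issuer[1].subject) if issuer else (key, name)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
    return key, cert

def signature_valid(cert, issuer):
    """True if `cert` carries a valid ECDSA signature made with `issuer`'s key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def validate_chain(leaf, intermediates, root, check_basic_constraints):
    """Walk leaf -> intermediates -> root (trust anchor); True if the chain is accepted."""
    chain = [leaf] + intermediates + [root]
    for cert, issuer in zip(chain, chain[1:]):
        if not signature_valid(cert, issuer):
            return False
        if check_basic_constraints:  # the step the 2002 implementations omitted
            bc = next((e.value for e in issuer.extensions if isinstance(e.value, x509.BasicConstraints)), None)
            if bc is None or not bc.ca:
                return False  # issuer lacks CA:TRUE, so it may not sign for anyone
    return True

# Constructed scenario: an ordinary site certificate (CA:FALSE) re-used as an issuer.
root = make_cert("Example Root CA", None, is_ca=True)
site = make_cert("www.example.com", root, is_ca=False)
other = make_cert("other.example.net", site, is_ca=False)  # signed with the site's key
RESULTS = {"signatures_only": validate_chain(other[1], [site[1]], root[1], False),   # True: accepted
           "with_basic_constraints": validate_chain(other[1], [site[1]], root[1], True)}  # False: rejected
```

A signature-only validator accepts the second chain because every signature does verify; only the BasicConstraints check notices that the middle link was never a CA.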
Source: http://www.yomiuri.co.jp/dy/national/T110721005341.htm
Police have arrested a man on suspicion of storing a computer virus on his personal computer without legitimate reasons, the Metropolitan Police Department announced Thursday.
The MPD arrested 38-year-old Yasuhiro Kawaguchi of Ogaki, Gifu Prefecture, at his home Sunday immediately after investigators confirmed he was storing the virus in question on his personal computer.
The revised Penal Code, which was enforced July 14, bans storage of a computer virus for the purpose of infecting other computers. Violators can be sentenced to a maximum of two years in prison or fined up to 300,000 yen.
The virus found on Kawaguchi's computer works by repeatedly copying vast amounts of graphic elements and files on a computer, causing it to freeze or malfunction, according to the MPD.
The MPD suspects about 2,000 users of file-sharing software have been infected with the virus.
According to the MPD, it was the first case in the country after the revised Penal Code, which also prohibits the creation and distribution of viruses, was put into force this month.
Kawaguchi uploaded a file containing the virus, which was titled to suggest child pornography, to the Internet via the file-sharing software Share. People who downloaded the file and opened it on their computers, or activated a DVD onto which the file was saved, would cause their computers to be infected, according to the MPD.
Kawaguchi, unemployed, admitted storing the virus and told the MPD that he did it to punish people who use file-sharing software, according to the MPD.
Source: http://www.pcpro.co.uk/news/security/368851/foreign-spy-masters-could-infiltrate-hacker-groups
Foreign powers could try to infiltrate hacktivist networks in order to manipulate their actions, according to a security expert who advises governments and businesses on internet issues.
The warning comes as governments and corporations – including defence manufacturers – come under widespread attack from hacker groups such as LulzSec and Anonymous, and amid growing fears about cyber espionage from sovereign powers, especially China.
Likening the emergence of the hacktivist movement to the arrival of militant groups such as the Red Brigade during the 1970s, government advisor and chair of the International E-crime Congress, Simon Moores, said that hacker groups could eventually be swayed by outside influences.
“If you have a LulzSec or an Anonymous that is perhaps being manipulated by a foreign actor, it takes us back to the days of the Stasi and the KGB, which were manipulating [anti-nuclear campaign group] CND quite easily from Moscow,” he said, referring to reports that the anti-nuclear peace movement was unwittingly compromised and manipulated by Kremlin machinations.
According to Moores, mustering popular support for an issue through online hacktivist groups and forums could be used as a tool to drive policy to perform actions that furthered a country's interests.
And because the hacker groups are distributed, anonymous and at least in part consist of ideologists – as shown with hacks against financial institutions when they blocked payments to WikiLeaks – Moores believed they were especially vulnerable to interference from outside sources.
“So you could have the teenaged hacker who thinks they’re doing something for the greater good by revealing information or attacking greedy billionaires, but in fact they are being manipulated for more sinister purposes by someone who has infiltrated their network,” he said. “If you were a spy master wouldn’t you be doing that?”
Comment from boboon:
“This misses a basic point, which is that in order to infiltrate agents would have to profess and act on the ideals, values and public goals of the organisations they're infiltrating, so they'd make no effective difference.
The CND example is telling in that regard – whether it was infiltrated or not, it did what it said on the tin – campaigned for nuclear disarmament.
The national security expert's fears of foreign interference amount to a bizarre fear of pollution or contamination – 'omg, there's a GRU agent in LulzSec, ergo they are a tool of the Russian state'.
This is magical thinking, arguing that the hacker groups are contaminated on and by contact as such.
They could be steered of course, but only if agents intervened in the internal discourse of the organisation, and with any ideological group you'd find there are core organising principles that prove remarkably sticky. Infiltrating agents end up acting for those ends, often more diligently and competently than ordinary members.
Of course there's the possibility of agent provocateur type actions, but those would be to destroy the group, not use it as a foreign policy tool. And groups can police and defend themselves from such internal sabotage, albeit imperfectly.
This is more about attempting to negate radical, ideological groups by conceptually reducing them to cynical instruments of foreign puppetmasters in the shadows – hardly a new tactic, the idea that Lenin worked for the Kaiser is still trotted out – which as a rhetorical strategy veers dangerously close to the paranoid style.
It's also to get hold of some of the national security funding pie by constructing a new vector for geopolitical threats (no different from endless Pentagon satellite thinktanks spinning tales about space militarisation).”
Source: http://debka.com/article/21133/
Intelligence sources report that the Stuxnet malworm which played havoc with Iran's nuclear program for eleven months was not purged after all. Tehran never did overcome the disruptions caused by Stuxnet or restore its centrifuges to smooth and normal operation as was claimed. Indeed, Iran finally resorted to the only sure-fire cure, scrapping all the tainted machines and replacing them with new ones.
Iran provided confirmation of this Tuesday, July 19 in an announcement that improved and faster centrifuge models were being installed.
Iran would clearly not have undertaken the major and costly project of replacing all its 5,000-6,000 centrifuges with new ones if they were indeed functioning smoothly. The announcement was made by the Iranian Foreign Ministry spokesman at a press briefing although no one present had raised the nuclear issue. He said: "The installation of new centrifuges with better quality and speed is ongoing… this is another confirmation of the Islamic republic's successful strides in its nuclear activities."
Britain and France immediately condemned the announcement. It proved, official spokesmen commented, that Iran plans to triple the amount of uranium it enriches in contravention of six UN Security Council Resolutions and defiance of ten International Atomic Energy Agency decisions in Vienna. The announcement also "confirmed suspicions that the Iranian nuclear program had no credible civilian application."
There is an afterlife–for electronics, anyway. Ever wonder what it's like? Researchers at MIT tracked used computers to find out. The project gives you a glimpse of where cast-off laptops and smartphones end up.
Rather than simply providing statistics about the global flows of secondhand electronics and e-waste, the MIT Senseable City Lab researchers produced a series of images of the gadgets' new owners and their surroundings. The images hail from Indonesia, South Asia, and Africa.
For the project, dubbed Backtalk, researchers sent refurbished Netbooks to developing countries via nonprofit organizations. They set up the computers to record location and pictures, and send the data home to MIT–with their new owners' consent. The Netbooks carried stickers explaining the project in the local language.
The researchers captured the data using the open-source antitheft software Prey, which records a computer's GPS coordinates and takes a picture with the computer's camera every 20 minutes.
The MIT team used the data to build visual narratives about the computers' new lives. Here's a summary from the project Web site:
“The information [the Netbooks] report back offers firsthand perspectives–glimpses into e-waste recycling villages, local thrift stores, public schools, and libraries–that prompt a reflection on our society's relationship with our electronic devices.”
The images are random windows into the everyday lives of people in developing countries. At once dreamlike and voyeuristic, they introduce an exotic remoteness to otherwise mundane scenes: a home in India, a classroom in Ghana, a shop in Nepal.