InfoSec Daily Podcast Episode 438 for July 28, 2011. Tonight's podcast is hosted by Karthik Rangarajan, Matthew Romanek, Geordy Rostad and Varun Sharma.
Announcements:
SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
Hack3rCon 2011
When: October 21st-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories:
Source: http://gcn.com/articles/2011/08/01/army-soldier-phone-side.aspx
While the Army is leading the way for the Defense Department’s use of commercial smart phones, several security concerns remain unanswered, experts say.
One of the dangers is that compromised smart phones could be used to track soldiers’ movements or spy on meetings via the device’s cameras and microphones. Another risk might be proximity threats — the ability for hackers and other adversaries to remotely compromise a device.
“It’s a pretty scary set of possibilities if you’re an adversary,” said Dmitri Alperovitch, vice president of threat research at McAfee.
Rising threats include rogue applications, dozens of which were recently found in Google’s app store, Alperovitch said. There are also Internet-based threats such as malware and malicious websites.
DOD security concerns center on the government’s limited ability to control unmodified commercial wireless devices. For example, Apple iPhones are a closed system of proprietary software and hardware that cannot be easily modified. Open-source Android-based platforms are somewhat easier to program, but the challenge is that all Android devices are already slightly modified to run on their particular platforms, he said.
Although the government has the option to build its own operating systems, that is expensive, time-consuming and incompatible with the Army’s goal of a flexible, market-based approach, Alperovitch said.
There are techniques that can mitigate outside threats to smart phones. Those include deploying and managing DOD- or government-owned and vetted application stores, using e-mail encryption, and building custom versions of the Android operating system and enforcing them across DOD. The government can also work with vendors such as Google and Apple from the beginning. Alperovitch noted that Google is working with the government to improve the security of its software applications for a number of projects.
Source: http://www.theregister.co.uk/2011/07/28/nuke_scanner_scheme_ditched/
Plans to install nuclear radiation detectors at all US ports of entry have been dropped.
Technical glitches and false alarms with temperamental kit led to a decision to ditch the $1.2bn scheme by Homeland Security officials. Instead of a nationwide rollout, only a few trial deployments of 13 prototypes will now take place: a face-saving move given the millions already ploughed into the programme. Four of the detectors, developed by defence contractor Raytheon, have already been deployed at unspecified locations.
"The [Advanced Spectroscopic Portal] will not proceed as originally envisioned," Warren Stern, director of the Domestic Nuclear Detection Office, told a Congressional Homeland Security technology subcommittee. "We will not seek certification or large-scale deployment of the ASP."
An estimated $230m has been spent over five years to develop equipment capable of detecting radiation in cargo. The project's main aim was to guard against the possibility that terrorists might smuggle nuclear weapons into the US using cargo containers, the sort of scenario that has been the staple of shows like 24 for years, and one that US counterterrorism experts still take seriously, despite recent successes in the fight against al Qaeda.
Cargo lorries would have been driven through the portal, which would have detected if anything was amiss, as depicted in a Global Security Newswire story here. However, field tests showed that some of the operational requirements set up at the start of the programme were "no longer valid," Stern told Congress.
Doubts about the effectiveness and reliability of the container nuke-detecting kit were first raised in a National Academy of Sciences report released in January. A more recent Government Accountability Office report expressed concerns that the project was running over-budget.
Scaled-back plans call for the use of RadSeeker, a hand-held device, and less sensitive polyvinyl toluene portal monitors.
Source: http://www.theregister.co.uk/2011/07/28/topiary_arrest_rumor/
The 19-year-old Scotsman fingered Wednesday as a central figure of the LulzSec hacking crew is a fall guy who was framed to take the heat off the real culprit, according to unconfirmed claims from a rival group.
“We believe MET Police got the wrong guy and it happens because of a lot of disinformation floating on the web,” a Thursday post on the LulzSec Exposed blog said. “LulzSec and Anonymous members are Master trolls and they are good at this.”
According to the post, penned by members of a group calling itself the Web Ninjas, the real LulzSec figure known as Topiary is a 23-year-old Swede, who stole the handle from a low-level member after he ran afoul of its parent group Anonymous. The mistaken identity was part of an elaborate ruse to confuse authorities about Topiary's true identity, the speculation claims.
The post comes a day after the Metropolitan Police said a "pre-planned intelligence-led operation" led them to a residential address in the Shetland Islands, off the North Coast of Scotland. That's where they apprehended an unnamed 19-year-old man and transported him to London for questioning. Police said they also questioned a 17-year-old from Lincolnshire and searched his home.
Thursday's post is devoid of any smoking guns, as is the case with almost all claims made in the shadowy world of anonymous people claiming to be elite hackers. For proof it points to this page purporting to contain information, pictures and videos of the real Topiary. The individual portrayed is almost certainly not the Scotsman arrested Wednesday.
Additional evidence comes by way of a chat log published near the bottom of this page purporting to show the real Topiary agonizing over the possibility that police are closing in on him.
“If I go hide then people will assume the dox are right,” he says, referring to the information posted on LulzSec Exposed. “So I'll just act like they failed hard.”
Several lines later, referring to the individual he stole his nick from, Topiary says: “I'm hoping someone will go after him and think it's me, then I'll act all scared etc. ANYTHING to divert attention from that fucking nameshub.”
Of course, the chat log could have been fabricated by just about anyone, including people who want to generate doubt in the minds of Metropolitan Police investigators. With anonymous figures pursuing multiple levels of subterfuge, separating truth from fiction has become a full-time occupation for those trying to unravel this saga.