InfoSec Daily Podcast Episode 505 for October 27, 2011. Tonight's podcast is hosted by Karthik Rangarajan, Boris Sverdlik, and Varun Sharma
Props to our special co-host for the day: Spridel!
New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
(It is just a gathering of security professionals and their families. No talks, just a bunch of like-minded people and some good food.)
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).
This year there will be 3 tracks, a CISO panel on some recent hot topics (Hacker vs. Biz Skillset, etc.), a Lockpick Village by FALE, and a prize giveaway at the end. Of course, there will be an all-day Podcast Area.
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
Security researchers have identified a new backdoor trojan, dubbed Tsunami, targeting systems running Mac OS X. Interestingly enough, Tsunami appears to be a port of Troj/Kaiten, a Linux trojan that embeds itself on a computer system and monitors an IRC channel for further instructions.
As Sophos Security researcher Graham Cluley notes, trojans like Tsunami/Kaiten are typically used to drag infected computers into coordinated DDoS (distributed denial-of-service) attacks, which flood a targeted website server with a massive amount of traffic.
"It's not just a DDoS tool though. As you can see by the portion of OSX/Tsunami's source code, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer," he explained.
"The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organized attack on a website."
Cluley also warned that he "fully expected" to see cyber criminals target poorly protected Mac computers in the future.
"If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying," he added.
We've reported here often on efforts to ram through Congress legislation that would authorize massive interference with the Internet, all in the name of a fruitless quest to stamp out all infringement online. Today Representative Lamar Smith upped the ante, introducing legislation, called the Stop Online Piracy Act, or "SOPA," that would not only sabotage the domain name system but would also threaten to effectively eliminate the DMCA safe harbors that, while imperfect, have spurred much economic growth and online creativity.
As with its Senate-side evil sister, PROTECT-IP, SOPA would require service providers to “disappear” certain websites, endangering Internet security and sending a troubling message to the world: it’s okay to interfere with the Internet, even effectively blacklisting entire domains, as long as you do it in the name of IP enforcement. Of course blacklisting entire domains can mean turning off thousands of underlying websites that may have done nothing wrong. And in what has to be an ironic touch, the very first clause of SOPA states that it shall not be “construed to impose a prior restraint on free speech.” As if that little recitation could prevent the obvious constitutional problem in what the statute actually does.
But it gets worse. Under this bill, service providers (including hosting services) would be under new pressure to monitor and police their users’ activities. Websites that simply don’t do enough to police infringement (and it is not at all clear what would qualify as “enough”) are now under threat, even though the DMCA expressly does not require affirmative policing. It creates new enforcement tools against folks who dare to help users access sites that may have been “blacklisted,” even without any kind of court hearing. The bill also requires that search engines, payment providers (such as credit card companies and PayPal), and advertising services join in the fun in shutting down entire websites. In fact, the bill seems mainly aimed at creating an end-run around the DMCA safe harbors. Instead of complying with the DMCA, a copyright owner may now be able to use these new provisions to effectively shut down a site by cutting off access to its domain name, its search engine hits, its ads, and its other financing even if the safe harbors would apply.
And that’s only the beginning: we haven’t even started on the streaming provisions.
We’ll have more details on the bill in the next several days but suffice it to say, this is the worst piece of IP legislation we’ve seen in the last decade — and that’s saying something. This would be a good time to contact your Congressional representative and tell them to oppose this bill!
There were no lines for the ladies room. That was unusual for an event attended by thousands but typical in the cybersecurity field where a futuristic image clashes with an old-fashioned gender gap.
At cybersecurity and hacker gatherings, women are clearly in the minority among the sea of men lining escalators, filling gigantic hotel ballrooms and networking in hallways. (Some men grumbled about the lack of women at event parties).
While the US government and private sector urgently try to beef up cybersecurity efforts, the information technology field that supplies talent remains largely a male domain.
Experts say the lack of women is not so much a matter of discrimination as the fact that young women do not think of cyber as a career option. They attribute that partly to an unappealing "geek" image from movies and girls' lack of early computer skills that boys develop by playing video games.
The portrayal in movies and television of a nerd loner, wearing thick glasses, soldering circuits together, and living in a dungeon-like room surrounded by computers and eating boxed pizza can be a deterrent.
Phyllis Schneck, chief technology officer for public sector at McAfee Inc, said she was one of the only women in computer science as an undergraduate at Johns Hopkins University and her friends used to make geek jokes. "But when it came time to help them fix their computers because it ate their term paper, I'm the one they called," she said.
Side channel attacks usually bring to mind timing attacks and electromagnetic (TEMPEST) attacks. But there are other forms, some more exotic and some less so. I recount two amusing stories that Adi Shamir told during an invited talk in early 2011 at the Computer Security course at Collège de France (Paris).
1) The first story was about ultrasonic waves. Adi and one of his students bought an ultrasonic microphone, like the ones used to study bats. They recorded the sonic spectrum up to 48 kHz near a computer performing RSA encryption.
2) The second story was about USB devices. Basically, they plugged a very precise voltmeter into a USB port and started recording the very small variations between 4.999 V and 5 V. With the same assembly-test-program-pattern-matching approach, they broke RSA again. Better yet, they cut off the USB power from the OS USB controls, and they were able to perform exactly the same side channel attack through residual power in the USB port.
The EFF, through the use of its SSL Observatory, has taken a look at the data from certificate revocation lists for SSL certificates in recent months, and found that there were five separate CAs compromised in the last four months.
The data that the EFF looked at was a summary of the reasons that specific certificates were revoked by CAs, as reported by the CAs themselves in CRLs. When a certificate is revoked, the CA specifies a reason for the action. Looking through the data collected in its SSL Observatory database, the EFF found that a scan of CRLs in June showed 10 individual CAs reporting that they were revoking 55 certificates in total because of a CA compromise. Another scan in mid-October showed that 15 separate CAs had revoked 248 certificates because of a compromise.
"Those "CA Compromise" CRL entries as of June were published by 10 distinct CAs. So, from this data, we can observe that at least 5 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website," Peter Eckersley of the EFF wrote in an analysis of the data.
The only widely known CA compromise since June is the attack on DigiNotar this summer that completely compromised that company's CA infrastructure and eventually led to it being shut down. All of the major browser vendors were forced to revoke their trust in the DigiNotar root certificates and the attacker who claimed credit for the attack said that he also had compromised several other CAs.
Earlier this year, the same attacker said he was responsible for the attack on Comodo that compromised a registration authority in Europe and enabled him to issue rogue certificates for a variety of valuable sites, including Skype, Yahoo and Google. He did the same thing after compromising DigiNotar. Those two incidents spurred a broad discussion in the industry about the inherent problems with the CA system and the dangers of relying on it. No clear solution to the problem has emerged, although the Convergence system designed by Moxie Marlinspike has garnered some attention.
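The EFF's observation rests on the reason code each CRL entry carries (RFC 5280's CRLReason extension, where cACompromise is one of the enumerated values). The following added example, which is not the EFF's or the SSL Observatory's code, shows how such a tally is produced: it builds a throw-away CA and CRL in memory (constructed data, with a hypothetical issuer name) so it runs offline, then parses the DER and counts entries per reason, and summarises several CRLs the way the EFF's "N distinct CAs reporting CA compromise" figure does. It assumes the `cryptography` package is installed.

```python
"""Tally X.509 CRL revocation reasons, the kind of scan that produced
the EFF figures quoted above.  Added example, not the EFF's code."""
import datetime
from collections import Counter

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_sample_crl(ca_name, entries):
    """Construct a DER CRL signed by a throw-away CA (constructed test data).

    entries: list of (serial, ReasonFlags or None); None omits the
    CRLReason extension, which RFC 5280 treats as 'unspecified'.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_name)])
    now = datetime.datetime(2011, 10, 27, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=7)))
    for serial, reason in entries:
        rb = (x509.RevokedCertificateBuilder()
              .serial_number(serial)
              .revocation_date(now))
        if reason is not None:
            rb = rb.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(rb.build())
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def reason_of(revoked):
    """Return the entry's reason name; a missing extension means 'unspecified'."""
    try:
        ext = revoked.extensions.get_extension_for_class(x509.CRLReason)
        return ext.value.reason.name
    except x509.ExtensionNotFound:
        return "unspecified"


def tally_reasons(crl_der):
    """Parse one DER CRL and count revoked entries per reason code."""
    crl = x509.load_der_x509_crl(crl_der)
    counts = Counter(reason_of(r) for r in crl)
    return crl.issuer.rfc4514_string(), dict(counts)


def summarise_ca_compromise(crl_ders):
    """Across many CRLs: how many distinct CAs report ca_compromise entries,
    and how many certificates those entries cover (the EFF-style summary)."""
    cas = set()
    total = 0
    for der in crl_ders:
        issuer, counts = tally_reasons(der)
        n = counts.get("ca_compromise", 0)
        if n:
            cas.add(issuer)
            total += n
    return len(cas), total


if __name__ == "__main__":
    # Constructed sample: two CAs, only the first reports a CA compromise.
    crls = [
        build_sample_crl("Example Test CA One", [
            (1001, x509.ReasonFlags.ca_compromise),
            (1002, x509.ReasonFlags.ca_compromise),
            (1003, x509.ReasonFlags.key_compromise),
            (1004, None),
        ]),
        build_sample_crl("Example Test CA Two", [
            (2001, x509.ReasonFlags.superseded),
        ]),
    ]
    for der in crls:
        print(tally_reasons(der))
    print("CAs reporting compromise, certs affected:", summarise_ca_compromise(crls))
```

Running the script against real CRLs simply means replacing the constructed list with DER files fetched from the CRL distribution points of the certificates you care about; an entry without the CRLReason extension is counted as "unspecified", which is why a raw count of "CA Compromise" entries is a lower bound on incidents.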