InfoSec Daily Podcast Episode 530 for November 23, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Geordy Rostad, Dr. Bonez, and Varun Sharma.
Announcements:
No Show on Thursday (11/24) or Friday (11/25).
In order to allow our hosts to enjoy the Holiday and spend time with their families we will not have any shows on Thursday (11/24) or Friday (11/25). Dr. Bonez will have his weekend show on 11/26 9PM EST. The normal show will return on 11/28.
Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse. His humor and smiling positivity are a wonderful example for our community. At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.
Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to. Please feel free to check in for status or to donate. Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.
http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/
Vote For Wim Remes & Dan Houser (@1cissp on twitter)
When: Starts November 16, 2011
Where: ISC2
Who: CISSPs
http://blog.isc2.org/isc2_blog/2011/11/cast-your-vote-isc%C2%B2-board-of-directors-election-begins-nov-16-2011.html
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504
SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
http://www.sans.org/mentor/details.php?nid=25484
ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org
DerbyCon 2012 – "Dropping the Deuce"
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories:
Source: http://moneyland.time.com/2011/10/27/now-credit-card-companies-want-your-dna/
All Your DNA Are Belong To Us
“According to a Visa patent application published in April, the company sees potential to use a wide array of personal details to create profiles that could be used for ad targeting well beyond shopping details. It describes the possibility of also using “information from social network websites, information from credit bureaus, information from search engines, information about insurance claims, information from DNA databanks,” and other sources.”
…
-thanks to Ciphersson for this story
Source: http://www.allvoices.com/contributed-news/10935252-dhs-says-illinois-water-utility-wasnt-hacked
On Tuesday, the Department of Homeland Security said it could not confirm a report from an Illinois intelligence fusion center which stated that an Illinois water utility had been hacked. The DHS and FBI had been working with the Curran-Gardner Public Water District in Springfield, Ill.
Earlier, the Illinois Statewide Terrorism and Intelligence Center had reported an attack from a Russian IP address. The report said that by accessing a SCADA (supervisory control and data acquisition) system, the hackers had burned out a water pump at the facility.
The statement, by DHS spokesman Chris Ortman, said:
"After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois. There is no evidence to support claims made in initial reports–which were based on raw, unconfirmed data and subsequently leaked to the media–that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."
Authorities are now investigating a claim that a hacker broke into computers that run a South Houston, Texas water system. pr0f said he hacked into the system because he was dismayed that the DHS downplayed the Illinois incident. He later added that the Texas system had been protected with only a three character password.
Joe Weiss, the security expert who first took note of the Illinois Statewide Terrorism and Intelligence Center report, titled, "Public Water District Cyber Intrusion," was suspicious of the DHS' conclusions. He said,
“This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used. It was just laying out facts. How do the facts all of a sudden all fall apart?”
http://pastebin.com/wY6XD97L
http://pastebin.com/TgRTgrAK
http://pastebin.com/HLNB6SAZ
Source: http://reviews.cnet.com/8301-18438_7-20024644-82/amazons-free-shipping-secret
Want free two-day shipping on Amazon but don't want to pay for it? Well, if you know the right person, you don't have to.
That's right, last year around the holidays I offered up a little Amazon Prime tip for folks planning to do a lot of last-minute online shopping on Amazon.com. Now, with the holidays approaching again and a lot of people interested in the Kindle Fire, I thought I should update the story with some additional info.
Here's the deal. If you own or are considering purchasing an Amazon Prime membership ($79 for the year), which enables you to get free two-day shipping on a whole host of items in Amazon's catalog, you can actually share your Prime membership with up to four "household" members. A lot of people don't know about this option because it's buried in the settings menu under "Your Account."
To get there, just click on your "Your Account" (it's a little link in the top-right corner of your screen when you sign into Amazon). Look at the "Settings" section, and find "Manage Prime Membership." Once you click on that, you'll be able to send invitations to folks you're close to. You just select your relationship, and enter an e-mail address and a birthday of the recipient to send out the invitation.
Of course, some people balk at paying $79 for Amazon Prime, but if you could share the cost with a roommate or just want to be a generous family member, it starts to look like one of the great bargains, especially if you use Amazon a lot. Also, if you're a student, you can pick up six months of Prime with Amazon Student (just enter a .edu address to get your free six months).
It's worth mentioning that Amazon additionally has a program called Amazon Mom. As one reader pointed out in the comments section, the program, which is not gender specific (dads can use it as a primary caregiver), gives you three months of free Prime membership, and for every $25 you spend on "baby" items, you get another month free. Alas, Amazon Mom is currently closed to new members (you can add your name to a wait list).
Source: http://www.pcadvisor.co.uk/news/security/3320374/microsoft-denies-xbox-live-has-been-hacked
Microsoft has denied that accounts belonging to Xbox Live users have been hacked.
Reports began surfacing this week that users of Microsoft's online gaming service for the Xbox console were finding charges on their credit or debit cards for Microsoft Points, the currency used within the service, which allows Xbox Live users to buy extra games, add-ons and in-game items. It is thought the Microsoft Points that were obtained fraudulently had been used to buy extra content for a number of EA Sports games including FIFA 12, Madden and NBA.
This has led to speculation that the tech giant had suffered at the hands of hackers, in the same way Sony did earlier this year, when the account details of 77 million users of the PlayStation Network were obtained by cybercriminals.
However, Microsoft has denied this is the case and has instead blamed a phishing scam.
"In this case, a number of Xbox Live members appear to have recently been victim of malicious 'phishing' scams (i.e. online attempts to acquire personal information such as passwords, user names and credit card details by purporting to be a legitimate company or person)," Microsoft said.
Source: http://news.cnet.com/8301-30686_3-57329081-266/is-facebook-building-its-own-phone
Rumors of a "Facebook phone" are back in the news with a story from the technology Web site AllThingsD, which reports that the social-networking company is working with a cell phone manufacturer to build it.
The rumor of a Facebook phone, or a smartphone with deeply integrated Facebook social-networking tools in it, first emerged a little more than a year ago. Back then, CNET had confirmed the social network had reached out to hardware manufacturers and carriers seeking input on a Facebook-branded phone. But rumors faded as devices with Facebook buttons were announced this year. Now it looks like Facebook may have revised its plans to build its own phone.
On Monday, the AllThingsD Web site reported that Facebook is working with cell phone maker HTC to build a smartphone with the Facebook social-networking technology built into the core of the device. The new phone is code-named "Buffy" after the television show about a vampire slayer. The phone will be based on a modified version of Android, which has been tweaked by Facebook so that its services are deeply integrated, AllThingsD reported, citing unnamed sources.
Source: http://news.techworld.com/security/3320263/asian-company-hit-by-mega-ddos-attack
DDoS criminals are trying to batter down DDoS defences with larger attacks and new techniques, mitigation outfit Prolexic has said, only weeks after the company detected a huge assault on an Asian company.
The attack on the unnamed organisation and its DNS provider happened between 5 and 12 November and reached 45Gbit/s at peak, equivalent to 69 million packets or 15,000 connections per second, way above the level that can be easily stemmed using standalone appliances, the company claimed.
The assault was sustained over nearly eight days in four different waves, focussing on the vulnerable application layers, a clear attempt to knock the business offline.
“This attack was three times larger in packets per second volume than the biggest attack Prolexic has mitigated previously, which also occurred in 2011,” said Prolexic CTO Paul Sop.
What is new is that the attackers had tried to hit the DDoS defences, which suggests sophistication; attackers assumed that the organisation would have some defences in place that needed to be overcome.
Source: http://news.cnet.com/8301-31921_3-57329001-281/how-sopa-would-affect-you-faq
When Rep. Lamar Smith announced the Stop Online Piracy Act last month, he knew it was going to be controversial.
But the Texas Republican probably never anticipated the broad and fierce outcry from Internet users that SOPA provoked over the last week. It was a show of public opposition to Internet-related legislation not seen since the 2003 political wrangling over implanting copy-protection technology in PCs, or perhaps even the blue ribbons appearing on Web sites in the mid-1990s in response to the Communications Decency Act.
To learn how SOPA, and its Senate cousin known as the Protect IP Act, would affect you, keep reading. CNET has compiled a list of frequently asked questions on the topic:
Q: What's the justification for SOPA and Protect IP?
Two words: rogue sites.
Q: Who's opposed to SOPA?
Much of the Internet industry and a large percentage of Internet users. An informal poll of its readership by BetaNews found that 95 percent oppose SOPA.
Q: How would SOPA work?
It allows the U.S. attorney general to seek a court order against the targeted offshore Web site that would, in turn, be served on Internet providers in an effort to make the target virtually disappear. It's kind of an Internet death penalty.
Q: How is SOPA different from the earlier Senate bill called the Protect IP Act?
Protect IP targeted only domain name system providers, financial companies, and ad networks–not companies that provide Internet connectivity.
Q: What are the security-related implications of SOPA?
One big one is how it interacts with the domain name system and a set of security improvements to it known as DNSSEC.
Q: What will SOPA require Internet providers to do?
A little-noticed portion of the proposed law, which CNET highlighted on Friday, goes further than Protect IP and could require Internet providers to monitor customers' traffic and block Web sites suspected of copyright infringement.
Q: Are there free speech implications to SOPA?
SOPA's opponents say so–a New York Times op-ed called it the "Great Firewall of America"–and the language of the bill itself is quite broad. Section 103 says that, to be blacklisted, a Web site must be "directed" at the U.S. and also that the owner "has promoted" acts that can infringe copyright.
Q: Who supports SOPA?
The three organizations that have probably been the most vocal are the MPAA, the Recording Industry Association of America, and the U.S. Chamber of Commerce. A Politico chart shows that Hollywood has outspent Silicon Valley by about ten-fold on lobbyists in the last two years.