Your daily source of Pwnage, Policy and Politics.


Episode 550 – Armitage Easy, Android Shell, Unfollow, Manning Update, Nothing, Windows 7 0-day & MIT CryptDB

InfoSec Daily Podcast Episode 550 for December 20, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Beau Woods, Karthik Rangarajan, and Themson Mester.
 

Announcements:

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

CampusCon 2012
When: January 21, 2012
Where: WIT {Waterford Institute of Technology} Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)

SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.



 

Stories

Source: http://dl.packetstormsecurity.net/papers/general/Armitage-hacking_made_easy_Part-1.pdf
….
Source:  http://threatpost.com/en_us/blogs/gaining-remote-shell-android-122011

The security of Android devices has come under quite a lot of scrutiny in recent months, with researchers identifying various root exploits and permission leaks that could be exploited. In this video, researcher Thomas Cannon of ViaForensics demonstrates a method for setting up a remote shell on an Android device without using any exploits or vulnerabilities. The method works on various versions of Android, up to and including Gingerbread.
….
Source:  http://blog.trendmicro.com/new-unfollowed-you-scam-hits-twitter-trending-topics

Twitter's list of trending topics appears to have been hit hard by another variant of the familiar “see who unfollowed you” scam:
Significant numbers of Tweets are being sent out that contain the above message: saying that a certain number of people have unfollowed them, and to find out who unfollowed you, click on the link. A few hashtags were generally attached to the end of the tweet.
What happens when you click on the link? You are redirected to a page for a “Followers Monitor”, which leads eventually to a page asking you to authorize an application to use your Twitter account. This rogue application is able to carry out such “minor” operations as reading your tweets, updating your profile, and even posting tweets on your behalf. If you actually give the app access, of course, the first thing it will do is post its own version of the spammed Tweet.
….
Source:  http://www.cnn.com/2011/12/20/us/bradley-manning-hearing/index.html
A convicted computer hacker from California testified Tuesday in Pfc. Bradley Manning's preliminary hearing about six days of chats he conducted with someone who claimed to have leaked classified information and was "looking to brag about what they had done."

Adrian Lamo said he traded instant messages in a chat format with someone self-identified as Bradass87. Lamo testified that, based on an e-mail he received from Manning as well as an examination of Manning's Facebook page, Bradass87 was Manning.

The testimony came on the fourth day of the preliminary hearing, which will determine if Manning proceeds to a full military court-martial.

Manning is accused of stealing and leaking more than a quarter of a million classified documents from the State Department and the Defense Department to the WikiLeaks website, the biggest intelligence leak in U.S. history.

Army Criminal Investigation Command Special Agent David Shaver later testified that the chat logs that Lamo provided to the Army largely matched chat logs found on Manning's computer in Iraq.

The prosecution did not ask Lamo any specific questions about the chats themselves, but did establish that he was diagnosed with Asperger's syndrome and takes medication for it. At one point he admitted overusing his medication to the point that his parents became concerned and he eventually was put in an involuntary psychiatric hold for three days.
….
Source:  http://miguelalmeida.net/2011/12/what-will-change-in-security-in-2012.html

What will change in security in 2012?  In essence, in one word: nothing. The attacks will be essentially the same, although it is likely they'll become more sophisticated, and the defenses, in practice, will also be the same. Why? Because security is only strengthened when people are afraid. This is a fact. Fear. Fear for your life or the life of your relatives and friends, fear for the loss of financial assets, and fear for the loss of power and peer recognition. And despite the evolution of current threats and attacks, we've not yet reached a level of chaos, widespread chaos, which would trigger those emotions. In 2012? No. Not yet. But I don't think we're improving our defenses substantially to avoid this scenario. Why? Because, oddly enough, we're not afraid to be afraid.
….
Source:  http://threatpost.com/en_us/blogs/researchers-warn-new-windows-7-vulnerability-122011

Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.
In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine.

"A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia advisory said.
Microsoft officials have not confirmed the vulnerability, but said that they're looking into it.
….
Source:  http://css.csail.mit.edu/cryptdb/

For the last three decades or so, the big problem in using encryption hasn’t been whether strongly encrypted files can be cracked. The problem remains that to actually do anything with encrypted data—search it, sort it, or perform computations with it–that data must be decrypted and exposed to prying eyes.

Now the Google- and Citigroup-funded work of three MIT scientists holds the promise of solving that long-nagging issue in some of the computing world’s most common applications. CryptDB, a piece of database software the researchers presented in a paper (PDF here) at the Symposium on Operating System Principles in October, allows users to send queries to an encrypted set of data and get almost any answer they need from it without ever decrypting the stored information, a trick that keeps the info safe from hackers, accidental loss and even snooping administrators. And while it’s not the first system to offer that kind of magically flexible cryptography, it may be the first practical one, taking a fraction of a second to produce an answer where other systems that perform the same encrypted functions would require thousands of years.

Cryptographers have long sought to implement a system they call “fully homomorphic encryption,” in which a user can encrypt data into indecipherable strings of numbers, do math with those strings, and then decrypt the results to get the same answer he or she would have if the data hadn’t been encrypted at all. That’s a useful trick if you need to perform operations on health care or financial data in a situation like cloud computing, where the computer (or the IT administrator) doing the calculations can’t always be trusted to access the private numbers being crunched. IBM cryptographer Craig Gentry compares the idea to “one of those boxes with the gloves that are used to handle toxic chemicals,” as he once put it. “All the manipulation happens inside the box, and the chemicals are never exposed to the outside world.”

 

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.