Your daily source of Pwnage, Policy and Politics.


Episode 584 – OS X 10.7.3, HTC WiFi Oops!, Leading Hackers, Passware & VeriSign

InfoSec Daily Podcast Episode 584 for February 2, 2012.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, and Karthik Rangarajan.
 

Announcements:

Unsung Heros

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… Chris John Riley has started to gather suggestions for your “unsung hero” of the tools world.  He is looking specifically to gather a list of tools that aren’t on every penetration tester’s or forensic investigator’s list, but that you have respect for.  http://blog.c22.cc/2012/01/13/unsung-heros

Information Security Blogger Awards 2012
Since we were overlooked again for the Best Podcast on Security, you can email ashimmy@hotmail.com with your name, email address and ISD Podcast as your write-in nominee.  Please note, you have to provide your blog or podcast URL so that it can be verified that you are a blogger or podcaster.  Vote for your favorite blogs as well on http://www.ashimmy.com.

Brad Smith (theNurse)
We all know and love Brad Smith, aka theNurse.  His humor and smiling positivity are a wonderful example for our community.  At Hacker Halted he had a massive stroke and has been in the hospital ever since.

Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to.  Please feel free to check in for status or to donate.  Either way we thank you and I know Brad thanks you for your support, prayers and positive thoughts.

http://www.social-engineer.org/brad-smith-updates/
http://www.social-engineer.org/bradsmithdonation/

Metasploit Framework Unleashed Cincinnati
When: February 11, 2012.
Where: Digitorium in Griffin Hall, the home of Northern Kentucky University’s College of Informatics
https://msfucincy.wordpress.com/
$20 donation for #HFC

Social Engineering Training
When: March 5-9, 2012
Where: Seattle, Washington

When: July 21-24, 2012
Where: Black Hat Vegas

When: August 20-24, 2012
Where: Bristol, UK

When: November 12-16, 2012
Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu
CFP now open!

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

DerbyCon 2012 – "The Reunion"
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone who has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right-hand side.



 

Stories

Source: http://threatpost.com/en_us/blogs/apple-ships-huge-set-patches-os-x-020212

Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OSX Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.

One of the more serious vulnerabilities Apple fixed is the flaw that researchers Juliano Rizzo and Thai Duong discovered in the TLS 1.0 and SSL 3.0 protocols last year. The vulnerability, for which they wrote a proof-of-concept exploit tool called BEAST, is fixed in the new version of Apache that Apple included in yesterday's patches. Exploiting the flaw enables an attacker to decrypt some SSL sessions.

"There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default," Apple said in its advisory.

Apple also pushed out an update that revokes trust in some of the certificates issued by Malaysian CA DigiCert that were found last year to contain weak cryptographic keys.

….

Source: http://www.pcadvisor.co.uk/news/mobile-phone/3334795/htc-vows-fix-android-flaw-revealing-wi-fi-credentials/?olo=rss

HTC is moving quickly to squash a security flaw that could expose Wi-Fi credentials on the company's Android phones.

        

Using an app that takes advantage of this flaw, an attacker could harvest SSID names and passwords for all wireless networks that the phone has accessed. For average consumers, this isn't a huge concern, but as researchers Chris Hessing and Bret Jordan note, the exploit “exposes enterprise-privileged credentials in a manner that allows targeted exploitation.”

 

The affected phones are the Desire HD (both "ace" and "spade" board revisions) Versions FRG83D and GRI40; Glacier Version FRG83; Droid Incredible Version FRF91; Thunderbolt 4G Version FRG83D; Sensation Z710e Version GRI40; Sensation 4G – Version GRI40; Desire S – Version GRI40; EVO 3D Version GRI40; and EVO 4G Version GRI40. HTC's MyTouch 3G and Google Nexus One are not affected.

 

HTC has acknowledged the issue, and says most phones have already received a fix through regular updates. Other phones, however, will require users to manually load the fix. The company says it will have more information on the matter next week.

….

Source: http://news.softpedia.com/news/Hackers-from-US-and-China-Responsible-for-40-of-Hack-Attempts-250311.shtml

A study released by security firm NCC reveals the origins of most hacking operations and the estimated damages they cause to the global economy each year.

The numbers show that hackers from the UK cost the global economy over $2 billion (1.4 billion EUR) in the year that passed, counting a total of 23 million hack attempts.

While this puts the United Kingdom in 15th place on the global chart, the first two positions are occupied by China and the United States; operations launched by cybercriminals from these countries cost the global economy around $44 billion (31 billion EUR).

“Reading the papers each day, it’s easy to think of hacking as something that happens to us from afar; that we’re victims of foreign criminal gangs in developing countries. Yet hackers can be anywhere in the world, as our research illustrates, including on our own doorstep,” Rob Cotton, NCC Group’s chief executive said.

The US and China are followed on the global list by Russia, Brazil, Italy, the Netherlands, France, Denmark, Germany and India.

It’s somewhat surprising that so many highly developed European countries contribute so heavily to the hacking attempts recorded worldwide, counting around 200 million attempted hacks with consequences translating into costs of $16 billion (11 billion EUR) each year.

….

Source: http://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/

California-based forensics software vendor Passware has released the latest version of its toolkit, which the company claims can bypass Apple's FileVault 2 disk encryption "in minutes," as well as volumes encrypted with TrueCrypt.

The software is reportedly able to capture the contents of a computer's memory via FireWire (also known as IEEE 1394 or i.LINK), analyze the memory dump, and extract the encryption keys. Passware claims that the software can recover passwords from decrypted Mac OS X keychain files as well.

Previous and current versions of Passware's software are also able to bypass Microsoft's BitLocker encryption, which is built into some editions of Windows.

Although Passware seems to mainly market its software to government and law enforcement agencies and military organizations, anyone with US $795 can purchase an edition of Passware Kit that includes these features. Interestingly, Passware also lists Apple, Microsoft, Intel, and several other major tech companies among its customers.

For those who might find all this concerning, there are a few important caveats.

First, Passware's software requires physical access to a computer with a working FireWire port; a remote internet attacker cannot use it to break into your Mac or PC.

….

Source: http://www.pcmag.com/article2/0,2817,2399773,00.asp

VeriSign was hit by hackers in 2010 and its computers and servers were accessed several times, but the breach was not properly reported until late last year.

The information was revealed in an October filing with the Securities and Exchange Commission (SEC) and reported today by Reuters.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," VeriSign said. "We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network."

Information was stolen, though VeriSign did not provide details on what went missing.

But while the hacks occurred in 2010, VeriSign's information security group did not tell management about the attacks until September 2011. VeriSign said it has since changed its reporting policies to make sure the same thing doesn't happen again.

 

"The group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign said in its filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

VeriSign did not immediately respond to a request for additional comment.

….

 

Source: http://boingboing.net/2012/02/02/french-court-rules-that-its.html

 

A French court has ruled that Google's free Google Maps application API is anti-competitive and has ordered the company to pay €500,000 to Bottin Cartographes, a for-pay map company, as well as a €15,000 fine. Bottin Cartographes argued that Google was only planning to give away the service for free until all the competitors had been driven out of business and then they would start charging. This seems implausible to me, and contrary to Google's business model (give away services, make money from mining the use of those services). Google says it will appeal.

 

"This is the end of a two-year battle, a decision without precedent," said the lawyer for Bottin Cartographes, Jean-David Scemmama.

 

"We proved the illegality of (Google's) strategy to remove its competitors… the court recognised the unfair and abusive character of the methods used and allocated Bottin Cartographes all it claimed. This is the first time Google has been convicted for its Google Maps application," he said.

 

I wonder what Bottin Cartographes will do when OpenStreetMaps finishes producing high-quality, free, public domain maps of France that can be used to create APIs of the same scope and utility?

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.