Episode 611 – NASA Gets Pwned 13x, Apple & Google on FTC Watch List and More Flash

Special guests: aricon and Spridel

InfoSec Southwest
When: March 30-April 1
Where: Austin, TX
http://www.Infosecsouthwest.com

Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
CFP now open!

AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
http://aide.marshall.edu

LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
CFP now open!

Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

Defcon 20
When: July 26-29, 2012
Where: Rio Hotel and Casino – Las Vegas, NV
http://defcon.org/
CFP & Room reservations now open!

DerbyCon 2012 – The “Deuce” Reunion
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

NASA said hackers stole employee credentials and gained access to mission-critical projects last year in 13 major network breaches that could compromise US national security.

National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress this week on the breaches, which appear to be among the more significant in a string of security problems for federal agencies.

The space agency discovered in November that hackers working through an Internet Protocol address in China broke into the -network of NASA's Jet Propulsion Laboratory, Martin said in testimony released on Wednesday. One of NASA's key labs, JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.

He said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions.
…

Source:
http://news.cnet.com/8301-1009_3-57390567-83/new-york-senator-asks-ftc-to-investigate-google-apple/?tag=txt;title
A U.S. Senator has called on the Federal Trade Commission to investigate both Apple and Google over claims that applications running on their mobile operating systems violate user privacy.
In a letter sent to the FTC and reported by Reuters yesterday, Sen. Charles Schumer (D-N.Y.) said recent accusations that personal information is being accessed by mobile applications goes "beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality." He asked the FTC to force smartphone makers to implement safeguards that ensure data is not being accessed without a user's expressed consent.
Both Apple and Google came under fire last month after a popular mobile application, Path, was found to be collecting user contact information without permission. After the company issued an apology, several reports cropped up, detailing how a host of other applications across both iOS and Android were accessing data without the user's expressed consent. Soon after, lawmakers sounded off on the issue.
"This incident raises questions about whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts," Rep. Henry A. Waxman (D-Calif.) wrote in a letter sent to Apple CEO Tim Cook last month.

Apple had been quick to respond, telling CNET in a statement that "apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines." The company also said that a future software update to iOS 5 will prohibit developers from engaging in those activities.
For users, the implications are at least a little worrisome. The flaws found in the operating systems pave the way for developers to access everything from contacts to photos. Allowing an app to do that is one thing, but finding out that an application is allegedly accessing it without permission is another.
Apple faced similar criticisms over iOS privacy last year when researchers found that the operating system was collecting user locations and storing them unencrypted for anyone to see. After Apple classified the issue as a "bug," it updated the software to ensure data was only stored for a period of seven days and wouldn't be kept unencrypted on local machines.
In a statement e-mailed today to CNET, Google explained itself a bit, stating how it designed Android and what it might do to address the flaw in the coming months.
"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," a Google representative stated in the e-mail. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images.
"As phones and tablets have evolved to rely more on built-in, non-removable memory, we're taking another look at this and considering adding a permission for apps to access images," the spokesperson continued. "We've always had policies in place to remove any apps on Android Market that improperly access your data."
The FTC has so far not publicly responded to Schumer's request. Apple did not immediately respond to CNET's request today for comment on the matter.
…
Source:
http://news.cnet.com/8301-1009_3-57390326-83/60-minutes-profiles-threat-posed-by-stuxnet/?tag=txt;title

Stuxnet took the world by storm two years ago.
The worm was different from previous viruses: it wasn't designed to steal money, identities, or passwords. Instead, the malware targeted the controls at industrial facilities such as power plants, inspiring talk of a top secret, government-sponsored cyberwar.
At the time of its discovery in June 2010, the assumption was that espionage lay behind the effort, but subsequent analysis uncovered the ability of the malware to control plant operations outright–specifically an Iranian nuclear facility.
In addition to showing that a cyberattack could cause significant physical damage to a facility, it also raised concerns that future malware, modeled after Stuxnet, could target critical infrastructure, such as power and water-treatment plants in the United States.
"We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure," Ret. Gen. Michael Hayden told the CBS news magazine "60 Minutes" this evening (see video below).
Hayden, who is a former head of the National Security Agency and served as CIA director under President George W. Bush, says he knows more about the attack on Iran than he can publicly discuss. But he warns that there are potential problems and consequences that come with this new kind of warfare.
"When you use a physical weapon it destroys itself, in addition to the target, if it's used properly," Hayden said. "A cyber-weapon doesn't, so there are those out there who can take a look at this, study it and maybe even attempt to turn it to their own purposes."
…
Source:
http://www.scmagazine.com/purported-iran-nuke-document-contains-trojan/article/230730/