Episode 611 – NASA Gets Pwned 13x, Apple & Google on FTC Watch List and More Flash
InfoSec Daily Podcast Episode 611 for March 5, 2012. Tonight's podcast is hosted by Dave Kennedy and Boris Sverdlik
Special guests: aricon and Spridel
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
When: March 30-April 1
Where: Austin, TX
Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
CFP now open!
When: May 21-25, 2012
Where: MU Forensic Science Center
Huntington, West Virginia
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
CFP now open!
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA http://www.sans.org/mentor/details.php?nid=28014
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
When: July 26-29, 2012
Where: Rio Hotel and Casino – Las Vegas, NV
CFP & Room reservations now open!
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
NASA said hackers stole employee credentials and gained access to mission-critical projects last year in 13 major network breaches that could compromise US national security.
National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress this week on the breaches, which appear to be among the more significant in a string of security problems for federal agencies.
The space agency discovered in November that hackers working through an Internet Protocol address in China broke into the network of NASA's Jet Propulsion Laboratory, Martin said in testimony released on Wednesday. One of NASA's key labs, JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.
He said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions.
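The log tampering described above is what a remote, integrity-checked log stream is meant to expose. The script below is an added example (not code from the podcast, NASA or the Inspector General's report): the forwarder attaches to each line an HMAC over the line and the previous line's MAC, and the collector checks that every incoming record chains from the last MAC it recorded. The log lines, the host name, the address (an RFC 5737 test address) and the key are all constructed for the example; the key is assumed to be provisioned out of band.

```python
"""Collector-side verification of a chained log stream.

Added example. Each line a host forwards carries an HMAC over the line and
the previous line's HMAC, keyed with a per-host secret; the collector keeps
the last MAC it accepted. Editing, deleting or withholding a forwarded line
then breaks the chain, which is the gap an attacker who rewrites the host's
own logs leaves behind. The chain protects records that have left the host;
lines suppressed before they are ever forwarded still need the key to be held
off-host (or the forwarder to be monitored) to be noticed.
"""
import hashlib
import hmac
import re

# Constructed sample auth-log lines (fictional host, RFC 5737 test address).
SAMPLE_LINES = [
    "Mar 05 02:11:03 host01 sshd[4120]: Accepted password for svc_backup from 203.0.113.7 port 51022 ssh2",
    "Mar 05 02:11:41 host01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/sbin/useradd -m support2",
    "Mar 05 02:12:05 host01 useradd[4188]: new user: name=support2, UID=1004, GID=1004, home=/home/support2",
    "Mar 05 02:13:17 host01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]
SAMPLE_KEY = b"constructed-per-host-key"   # assumption: provisioned out of band

ACCOUNT_RE = re.compile(r"new user: name=([^,\s]+)")


def chain_records(lines, key, prev_mac=b""):
    """Forwarder side: pair each line with HMAC(key, previous MAC || line)."""
    records = []
    for line in lines:
        mac = hmac.new(key, prev_mac + line.encode(), hashlib.sha256).digest()
        records.append((line, mac.hex()))
        prev_mac = mac
    return records


def verify_chain(records, key, prev_mac=b"", expected_last=None):
    """Collector side. Returns -1 if the chain verifies, the index of the first
    record whose MAC does not chain from its predecessor, or len(records) if
    every record verifies but the chain stops short of the collector's last
    checkpoint MAC (records removed from the tail)."""
    for i, (line, mac_hex) in enumerate(records):
        expected = hmac.new(key, prev_mac + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return i
        prev_mac = expected
    if expected_last is not None and not hmac.compare_digest(prev_mac.hex(), expected_last):
        return len(records)
    return -1


def find_account_creation(lines):
    """Usernames created, taken from useradd's own audit line."""
    names = []
    for line in lines:
        m = ACCOUNT_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    recs = chain_records(SAMPLE_LINES, SAMPLE_KEY)
    print("intact chain:", verify_chain(recs, SAMPLE_KEY))
    # Attacker removes the useradd line to hide the new account.
    print("useradd line deleted, first bad index:", verify_chain(recs[:2] + recs[3:], SAMPLE_KEY))
    print("accounts created:", find_account_creation(SAMPLE_LINES))
```

The collector stores only the last accepted MAC as its checkpoint, so a batch that verifies internally but does not end on that checkpoint is reported as truncated rather than accepted; the account-creation check is the kind of rule a SOC would run on the same stream once its integrity is established.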
A U.S. Senator has called on the Federal Trade Commission to investigate both Apple and Google over claims that applications running on their mobile operating systems violate user privacy.
In a letter sent to the FTC and reported by Reuters yesterday, Sen. Charles Schumer (D-N.Y.) said recent accusations that personal information is being accessed by mobile applications go "beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality." He asked the FTC to force smartphone makers to implement safeguards that ensure data is not accessed without a user's express consent.
Both Apple and Google came under fire last month after a popular mobile application, Path, was found to be collecting user contact information without permission. After the company issued an apology, several reports cropped up detailing how a host of other applications across both iOS and Android were accessing data without the user's express consent. Soon after, lawmakers sounded off on the issue.
"This incident raises questions about whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts," Rep. Henry A. Waxman (D-Calif.) wrote in a letter sent to Apple CEO Tim Cook last month.
Apple was quick to respond, telling CNET in a statement that "apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines." The company also said that a future software update to iOS 5 will prohibit developers from engaging in those activities.
For users, the implications are at least a little worrisome. The permission gaps found in both operating systems let an app read everything from contacts to photos. Granting an app that access is one thing; finding out that it is allegedly reading the data without permission is another.
Apple faced similar criticisms over iOS privacy last year when researchers found that the operating system was collecting user locations and storing them unencrypted for anyone to see. After Apple classified the issue as a "bug," it updated the software to ensure data was only stored for a period of seven days and wouldn't be kept unencrypted on local machines.
In a statement e-mailed today to CNET, Google gave some background on how it designed Android's photo storage and what it may do to address the issue in the coming months.
"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," a Google representative stated in the e-mail. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images.
"As phones and tablets have evolved to rely more on built-in, non-removable memory, we're taking another look at this and considering adding a permission for apps to access images," the spokesperson continued. "We've always had policies in place to remove any apps on Android Market that improperly access your data."
The FTC has so far not publicly responded to Schumer's request. Apple did not immediately respond to CNET's request today for comment on the matter.
Stuxnet took the world by storm two years ago.
The worm was different from previous viruses: it wasn't designed to steal money, identities, or passwords. Instead, the malware targeted the controls at industrial facilities such as power plants, inspiring talk of a top secret, government-sponsored cyberwar.
At the time of its discovery in June 2010, the assumption was that espionage lay behind the effort, but subsequent analysis uncovered the malware's ability to take control of plant operations outright, in this case at an Iranian nuclear facility.
In addition to showing that a cyberattack could cause significant physical damage to a facility, it also raised concerns that future malware, modeled after Stuxnet, could target critical infrastructure, such as power and water-treatment plants in the United States.
"We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure," Ret. Gen. Michael Hayden told the CBS news magazine "60 Minutes" this evening.
Hayden, who is a former head of the National Security Agency and served as CIA director under President George W. Bush, says he knows more about the attack on Iran than he can publicly discuss. But he warns that there are potential problems and consequences that come with this new kind of warfare.
"When you use a physical weapon it destroys itself, in addition to the target, if it's used properly," Hayden said. "A cyber-weapon doesn't, so there are those out there who can take a look at this, study it and maybe even attempt to turn it to their own purposes."
Targeted attackers are leveraging a patched Adobe Flash vulnerability and the ongoing tension around Iran's suspected nuclear program to spread a difficult-to-detect trojan.
According to Contagio Malware Dump, a malware sample collection site, emails are circulating that carry an attached Word document titled "Iran's Oil and Nuclear Situation." Opening the file sets in motion a series of events that ultimately results in a malicious binary being dropped onto the target system.
"The Word document contains Flash, which downloads a corrupted MP4 file," wrote Contagio IT specialist Mila Parkour in a blog posted Monday. "This MP4 file causes memory corruption and code execution."
The attack exploits a recently patched Flash bug, CVE-2012-0754. Adobe fixed the vulnerability, along with six others, in last month's Flash Player update for Windows, Macintosh, Linux and Solaris.
As of Saturday afternoon EST, just seven of 42 of the most popular anti-virus products detected the malicious file, according to a VirusTotal scan run by Contagio.
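With signature coverage that thin, a structural check for the delivery vector is more useful at triage time than waiting for AV updates: a Flash object inside a Word document is itself the red flag, whatever the MP4 it fetches does next. The scanner below is an added example, not tooling from Contagio, Adobe or the podcast. It looks for SWF headers ('FWS' uncompressed, 'CWS' zlib-compressed, 'ZWS' LZMA-compressed, each followed by a version byte and a little-endian uncompressed length) in the raw bytes of a legacy OLE .doc and in each member of an OOXML .docx zip. The version ceiling, the OOXML part name used for the sample, and the sample documents are all constructed for the example; no real malware and nothing about the CVE-2012-0754 trigger is reproduced.

```python
"""Triage: find Flash (SWF) objects embedded in Office documents.

Added example. A SWF starts with 'FWS', 'CWS' or 'ZWS', then a version byte
and a little-endian uncompressed length; a zlib stream (0x78) must directly
follow a CWS header. Those checks keep the letters FWS in ordinary text from
counting as a hit. OOXML files (.docx) are zip archives, so each member is
scanned separately; anything else (legacy OLE .doc) is scanned as raw bytes.
"""
import io
import struct
import zipfile
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 40        # assumption: plausible ceiling for the version byte


def _plausible_header(buf, off):
    """Describe the header at off if the 8 bytes there look like a SWF header."""
    sig = buf[off:off + 3]
    version = buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    if not 1 <= version <= MAX_SWF_VERSION or length < 8:
        return None
    if sig == b"FWS" and length > len(buf) - off:
        return None                      # claims more bytes than remain
    if sig == b"CWS" and buf[off + 8] != 0x78:
        return None                      # no zlib stream after the header
    return {"offset": off, "sig": sig.decode(), "version": version, "length": length}


def find_swf_headers(buf):
    """All plausible SWF headers in a byte string, in file order."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = buf.find(sig)
        while off != -1:
            if off + 9 <= len(buf):
                header = _plausible_header(buf, off)
                if header:
                    hits.append(header)
            off = buf.find(sig, off + 1)
    return sorted(hits, key=lambda h: h["offset"])


def scan_document(data):
    """List of (member name, header) for every embedded SWF found."""
    if data[:4] == b"PK\x03\x04":        # OOXML: scan each zip member
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                found += [(name, h) for h in find_swf_headers(zf.read(name))]
        return found
    return [("<raw>", h) for h in find_swf_headers(data)]


# --- constructed samples (no real malware) ---------------------------------

def build_sample_swf():
    """Smallest well-formed SWF: empty RECT, 12 fps, one frame, End tag."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    length = 8 + len(body)
    fws = b"FWS" + bytes([10]) + struct.pack("<I", length) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", length) + zlib.compress(body)
    return fws, cws


def build_sample_docx(swf):
    """Minimal OOXML zip carrying the SWF as an ActiveX binary part (assumed
    part name); the document text contains the letters FWS as a decoy."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:t>see the FWS report</w:t>")
        zf.writestr("word/activeX/activeX1.bin", swf)
    return out.getvalue()


def build_sample_doc(fws):
    """OLE-looking blob with an uncompressed SWF dropped at offset 68."""
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + fws + b"\x00" * 16


if __name__ == "__main__":
    fws, cws = build_sample_swf()
    for label, blob in (("doc", build_sample_doc(fws)), ("docx", build_sample_docx(cws))):
        for member, h in scan_document(blob):
            print(f"{label}: {member} offset={h['offset']} {h['sig']} v{h['version']} len={h['length']}")
```

A hit only says a Flash object is present; for a document that arrived by e-mail that is enough to send it to a sandbox, since legitimate Word attachments almost never carry Flash. The decoy text in the sample shows why the version and length checks matter: "FWS" followed by a space and "repo" passes the version test but fails the length test.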
Reached by email, Parkour said "someone donated the sample and sounds like a lot of them are already in circulation." An Adobe spokeswoman said the company didn't have any information about the extent of the threat.
Meanwhile, unrelated to this exploit, Adobe on Monday released another Flash update to address two critical vulnerabilities. The flaws carry "Priority 2" status under Adobe's newly launched ratings system: there are no known exploits for the bugs being fixed and no attacks are believed imminent.