InfoSec Daily Podcast Episode 627 for March 23, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Themson Mester, and Dr. Bonez.
Announcements:
InfoSec Southwest
When: March 30-April 1, 2012
Where: Austin, Texas
http://www.Infosecsouthwest.com
Outerz0ne 8
When: April 20-21, 2012
Where: Wellesley Inn, Atlanta GA
http://www.outerz0ne.org
Linuxfest Northwest 2012
When: Saturday, April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
http://www.appyide.org/
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
http://www.skydogcon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Source: http://mashable.com/2012/03/23/facebook-responds-employers-passwords/
This week, a big AP story captured the nation’s attention by pointing out that some employers are asking job seekers for their Facebook passwords:
“In their efforts to vet applicants, some companies and government agencies are going beyond merely glancing at a person’s social networking profiles and instead asking to log in as the user to have a look around.”
After reading the story, many an American was aghast. But privacy attorney Behnam Dayanim told me earlier this month that, while it may be improper in terms of social conventions, it’s actually legal for employers to do this (unless you want to split hairs about it violating Facebook’s TOS).
…
Source: http://searchengineland.com/firefox-to-use-google-secure-search-by-default-116231
An inconspicuous "s" added to various lines of code in its latest nightly builds means that future versions of Firefox will send all search queries to Google in encrypted form. This means that instead of HTTP, the open source browser will use the HTTPS protocol, which encrypts traffic between the web site and browser using SSL. The nightly builds will feed through, over the next few months, until the feature is, most probably, in Firefox 14.
The change has been prompted by a discussion between Firefox developers which started about a year ago. Then, Google opposed making SSL the default, with Adam Langley, a member of Google's security team, explaining that the encrypted search was slower than the standard unencrypted search.
Google has since made encryption the global default for its own search site, though only for signed-in users. In early February, the Firefox development team gave the green light for the change to go ahead in the browser as well.
The switch to SSL means that only Google will be able to read search queries. According to Danny Sullivan, writing on his Search Engine Land blog, they will, however, continue to be contained in the referrer header which the browser sends to the relevant web site when a user clicks on an advert. He has asked both the Firefox and Internet Explorer development teams whether they would stop sending this critical referrer data, but has not received a response from either browser maker.
…
Source: http://www.cso.com.au/article/417761/zero_damage_from_last_year_rsa_breach
Even though the security breach of RSA last year resulted in the potential compromise of the company's SecurID login tokens — 50 million of which are currently in use — no real harm was done, says the company.
"There hasn't been a single breach that resulted in a loss, not a single one," RSA executive chairman Art Covellio told journalists in Sydney this week.
"There was only one publicly-disclosed breach [where] it was even suggested that information stolen from us was used, and that attack was defeated," he said, referring to the attack on US defence contractor Lockheed Martin.
There were no breaches that weren't publicly disclosed either, said Coviello, because RSA stays very close to law enforcement and "other agencies" who, he said, would tell them about any breaches and work with them to ensure the replacement of tokens "if necessary".
When the Lockheed story broke, RSA told customers that if they thought they were at risk then their SecurID tokens would be replaced. In the case of banks, RSA would provide transaction monitoring.
"Over and above that, there were belts and suspenders in a lot of the Australian banks because they had our transaction monitoring capability which gave them, believe it or not, four factors — the password, the PIN, the passcode, and transaction monitoring — and that story, try as we might, never really got out in the Australian press," Coviello said.
"So there was very, very, very, very, very little risk in those particular instances," he said. "I don't think we ever hyped the threat."
…
Source: http://www.h-online.com/security/news/item/Embarrassing-security-failure-at-PayPal-1477905.html
Until just a few days ago, web sites belonging to the world's largest online payment service contained a security vulnerability in a key component that could have been exploited by fraudsters to steal information from customers. PayPal fixed the vulnerability shortly after being notified of its presence by The H's associates at heise Security. The eBay subsidiary was, however, unable to give any information on how such a serious security problem could have remained undetected.
A heise Security reader noticed that the search function on PayPal web pages was not filtering user input correctly, making it a simple matter to inject code into PayPal pages via a crafted URL. The problem affected pages at https://www.paypal.com which use SSL security. Customers log in to the site from these pages and also use them to make payments. For more information on why cross-site scripting vulnerabilities are a very real security problem, see the article Password stealing for dummies on The H.
PayPal emphasises its security credentials in its advertising and presents itself as a certified payment system, in part based on a certificate issued by TÜV Saarland in Europe. Reinhold Scheffel, managing director of tekit Consult, which certified PayPal, could only offer the following explanation for the problem, "When the inspection was carried out, the flaw described by … was not necessarily present". PayPal did not consider itself able to answer specific questions on the incident.
…
Source: http://www.mister-info.com/?cmd=displaystory&story_id=10401
An internet forum, run by the non-profit Epilepsy Foundation, was attacked last week by a group of hackers. The attack, first reported by Wired News, exploited a function of the forums to post JavaScript code. The code injected by the hackers flashed two images repeatedly and tried to lead users off to external websites showing flashing lights and shapes intended to trigger off epileptic fits. The Epilepsy Foundation had to shut down the forum, and took some measures to prevent future attacks.
In a press release, the Foundation stated that several users of the forum, sufferers of epilepsy, experienced harsh migraines and seizures as a result of the attack. One lady, RyAnne Fultz, was paralyzed by the flashing images in what she calls her worst attack in over a year, until her 11-year old son managed to get her to stop looking at the screen and close the flashing images.
They also posted a message regarding new measures saying "In our upping of security on the forums, we have established the following new rules: No animated images are allowed to be used anywhere from now on. No GIFs are allowed at all anymore as well. No rich text is allowed in the body of messages at all, either."
Wired News additionally reports that there is "circumstantial evidence" linking the perpetrators of the attack to the internet group "Anonymous", who are most well known for their recent protests and attacks against the Church of Scientology, and their members created a reputation as "griefers" in the virtual worlds Second Life, and Habbo Hotel. The Austrian paper Krone reports that the "usual goal of their attacks is to raise a fuss or disturb others". Following critical reports about the attack, members of the group blamed the attack on the Church of Scientology.
…
Source: http://www.eweek.com/c/a/Security/New-Android-Malware-Threatens-Users-Personal-Data-237273/
Google's Android mobile operating system continues to attract a growing number of malware threats as creators discover the ease of working with an open software environment. The result, as eWEEK noted, is a huge jump in malware over the last year. Some of these threats can be innovative in their efforts to extract financial data from unsuspecting users.
One such threat, discovered by malware researchers at McAfee, found a new remotely controlled man-in-the-middle attack that can steal the initial password from a mobile device without actually infecting the user's device.
The malware uses its man-in-the-middle activity to pose as a token generator for a bank, using the bank's logo, according to McAfee researcher Carlos Castillo. The fake token-generator is really intended to look like the user's bank log-in screen, and it asks for the initial password. When it receives this, it runs XML code that captures additional access information, as well as the user's contact list. The initial contact that leads to a man-in-the-middle attack is usually a Short Messaging Service (SMS) text sent to the user's phone that appears to be from the bank.
Once the XML commands are run, the malware creates a system event that executes at a future time and then listens for commands from control servers that cause the device to send the required information, and to add updates that allow the malware to update itself and to initiate spyware. This, in turn, allows the control server to gather additional credentials that will allow the server operator to gain access to the user's bank accounts.
“This threat is basically a phishing attack so the user can be tricked into believing that it is a legitimate application from a real bank,” Castillo wrote in an email interview.
…
