Episode 640 – Weekend Wrap-up with Dr. b0n3z
InfoSec Daily Podcast Episode 640 for April 7, 2012. Tonight's podcast is hosted by Dr. Bonez.
Guests: aricon, connection, hackett, oncee and spridel
When: April 20-21, 2012
Where: Wellesley Inn, Atlanta GA
Linuxfest Northwest 2012
When: Saturday, April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
When: October 26-28
Where: Hotel Preston in Nashville, TN
Thanks to everyone who has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right-hand side.
European Union legislators have approved a draft law that would make cyber attacks on IT systems a criminal offense, punishable by at least two years in prison. The proposed law is an update to an existing one, and would also prohibit anyone from producing or selling the kinds of programs that can be used for these attacks — essentially making it impossible for a company to make software that could be used to test its own security, since it could also be used to attack others. While the penalty for these offenses would start at two years, in cases involving "aggravating circumstances" (i.e. a large-scale attack that causes plenty of financial damage), the sentence would be at least five years. The EU voted overwhelmingly in favor of the law, with 50 votes for as opposed to just one against, and a final decision is expected to be made over the summer.
comment by aricon: This is a lot like the German law passed a few years ago which saw a significant amount of brain drain in the security community there. What will other EU countries do when they have even less security knowledge to draw upon in order to compete?
An estimated 600,000 or more Macs are currently compromised and part of a massive botnet thanks to the Flashback Trojan. To put the size of the threat in some perspective, the Flashback Trojan botnet is even bigger than the massive Conficker botnet…relatively speaking.
The Conficker botnet compromised an estimated seven million plus Windows PCs around the world at its peak. Seven million is obviously much larger than 600,000, but Windows also has a significantly higher number of PCs in use around the world.
According to current data from Net Applications, Mac OS X is the number two desktop OS with 6.54 percent market share. Windows, on the other hand, accounts for 92.48 percent of the market. Based on market share, the Flashback Trojan botnet is equivalent to a Windows botnet of nearly 8.5 million PCs. That makes it an even larger threat than Conficker–just on a much smaller platform.
The Flashback Trojan is actually a misnomer at this point. It was a Trojan horse when it was originally discovered last year. A Trojan horse—as the historical reference implies—is malware that is disguised as something benign. The original threat masqueraded as an update for Adobe Flash that compromised machines when executed.
Web tool checks if your Mac is Flashback-free: http://news.cnet.com/8301-27076_3-57410654-248/web-tool-checks-if-your-mac-is-flashback-free/
Mac Flashback Trojan: Find Out If You’re One of the 600,000 Infected: http://gizmodo.com/5899352/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected
One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons — for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem — in some cases, courts have found that such data is protected by the Stored Communications Act.
In fact, we'd never seen an executed Facebook subpoena before — but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data.
This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information. And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook ID's were part of the document. So we took the additional step of redacting as much identifying information as we could — knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement.
As far as we can tell, nobody's ever seen what one of these looks like — and we're hoping the social media, law, and privacy experts out there can glean insight from it:
Any Defense contractor — and now, a few security vendors — can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.
That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server — or merely stopping him from exfiltrating sensitive information.
It's more about containment now, security experts say. Relying solely on perimeter defenses is now passe — and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."
Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."
There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.
For organizations like the military that are constantly under siege by cyberattackers, this is nothing new.
"Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.
"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."
Several security industry heavyweights flexed their muscle and star power to warn attendees of the 2012 InfoSec World Conference and Expo that relying on technology alone to secure networks is a damning IT security strategy.
The security luminaries — Marcus Ranum, CSO of Columbia, Md.-based Tenable Network Security Inc.; Chris Nickerson, founder and principal security consultant at Lares Consulting in Denver; and Alex Hutton, a former risk analyst at Verizon and currently director of operational risk at a financial institution — didn't mince words. They told attendees they are failing at securing their networks and will continue to fail if they don't shed their compliance mentality, understand how their business works, and become more proactive about security. Instead of buying another appliance to automate security processes, the panelists said CISOs should figure out what their company’s core assets are, and hire and train talented people to analyze their system logs and protect the data at the heart of the company.
“This stuff isn’t rocket science; it’s about attention to detail,” Ranum said. “The security industry has a tendency of moving something from having smart people to dumb processes… Big data is not going to save you; it’s the people examining your big data that are going to save you.”
The U.S. government recently posted a project asking for the “Development of Tools for Extracting Information from Video Game Systems.” The listing was posted just two months ago, and last week a contract was signed with the California-based company Obscure Technologies. The U.S. is willing to pay $177,237.50 for the job.
Obscure Technologies will have to perform the following online monitoring tasks:
- Provide monitoring for 6 new video game systems, a maximum of 2 of any type from any given vendor.
- Generate clean data (data that does not contain any identifiable information from real people) from new video game systems.
- Design a prototype rig for capturing data from new video game systems.
- Implement the prototype rig on the new video game systems.
- Provide data captured by the prototype rig in the following formats: Packets shall be delivered in PCAP format, Disk images shall be delivered in E01/EWF format.
- Write a final report, between 10 and 20 pages, to include details of work performed, the engineering approach used and the reason why, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.
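The deliverable formats above (PCAP packet captures and E01/EWF disk images) are what a forensic reviewer would have to validate before accepting a rig's output. As an added example that is not part of the contract or the podcast notes, the following script walks a classic pcap file record by record (checking the global header, snaplen and each record length) and checks a blob for the EWF v1 file signature; the sample capture is constructed inline and the function names are my own.

```python
import struct

# Classic pcap magic values as read little-endian; the file is written in the
# capturing host's native byte order, so the byte-swapped forms mean big-endian.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "usec"),
    0xA1B23C4D: ("<", "nsec"),
    0xD4C3B2A1: (">", "usec"),
    0x4D3CB2A1: (">", "nsec"),
}
# EWF (E01) segment files begin with this 8-byte signature.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def inspect_pcap(data: bytes) -> dict:
    """Validate a pcap global header and walk every record, refusing corrupt files."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    endian, resolution = PCAP_MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at byte %d" % offset)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        # A record longer than snaplen or than its own original length is corrupt.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record at byte %d" % offset)
        if offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at byte %d" % offset)
        packets += 1
        truncated += 1 if incl_len < orig_len else 0
        offset += 16 + incl_len
    return {"version": "%d.%d" % (major, minor), "linktype": linktype, "snaplen": snaplen,
            "resolution": resolution, "packets": packets, "truncated": truncated}

def is_ewf_image(data: bytes) -> bool:
    """True when the blob starts with the E01/EWF v1 signature."""
    return data.startswith(EWF_SIGNATURE)

def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian pcap 2.4, LINKTYPE_ETHERNET (1), two frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\xff" * 60, b"\x00" * 14]
    body = b"".join(struct.pack("<IIII", 1333800000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body
```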
It will also be required to implement the following offline monitoring tasks:
- Provide used video game systems purchased on the open market.
- Used systems provided shall be likely to contain data from previous users.
- Extend tool development to implement creating signatures over sections.
- Survey console chat room technology and identify potential chokepoints where data may be committed to storage.
- Identify data storage points on used video game systems and attempt to demonstrate proof of concept.
- Extract real data from used video game systems.