2010
09.02

InfoSec Daily Podcast

 
ISDPodcast Episode 206 for September 2, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org

MyHardDriveDied.com:

News Item 1:  http://www.computerworld.com/s/article/9182218/China_policy_could_force_foreign_security_firms_out
China is stepping up efforts to keep the security systems that protect its critical infrastructure in the hands of local firms, and that could be bad news for companies based outside the country.

China has started sending out inspectors to check for compliance with a little-known initiative called the Multi-Level Protection Scheme (MLPS), the Associated Press reported Wednesday. Introduced three years ago by China’s Ministry of Public Security, it mandates that core products used by government and infrastructure companies such as banks and transportation must be provided by Chinese companies.

Over the past year, government inspectors have been telling some companies that they must switch to Chinese firewalls and other types of security technology, the AP said.

The development could force security vendors such as Cisco Systems and Symantec out of important parts of the growing market, or force them to partner with local businesses, said Stephen Kho, senior counsel with Akin Gump Strauss Hauer & Feld, an international law firm based in Washington. “Right now, it seems to only affect the companies that are in the information security sector,” he said.

News Item 2: http://www.crn.com/news/cloud/227100713/google-repairs-gmail-spam-glitch.htm;jsessionid=SPndGhUrW+OHL-2lyGB02Q**.ecappj02
Google downplayed the flaw by contending that the bug affected less than 2.5 percent of its user base, which adds up to a significant number in light of the fact that there are about 160 million Gmail accounts around the world, according to a comScore statistic cited by The Wall Street Journal. All in all, that “could still mean that over 4 million people have been turned into spammers by a bug in their Web e-mail system,” wrote Graham Cluley, senior technology consultant for security firm Sophos, in a blog post Friday.

Affected users were able to access Google Mail, but were treated to error messages and other buggy behavior from Gmail that repeatedly sent messages to people on their contact lists. The repeated messages resulted in many of the Gmail users being added to spam lists after they inadvertently sent messages to spammers.

“The problem with Google Mail should be resolved,” Google said in an Apps Status Dashboard update. “We apologize for the inconvenience and thank-you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.”

News Item 3: http://threatpost.com/en_us/blogs/researchers-cripple-pushdo-botnet-082710
Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet’s spam operations.

After doing an analysis of Pushdo’s command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.

The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.

At the time of Pushdo’s appearance several years ago, researchers found evidence that Pushdo’s creators had gone to some lengths to avoid detection and prevent removal of the malware associated with the botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.

Pushdo – Analysis of a Modern Malware Distribution System - http://www.secureworks.com/research/threats/pushdo/

Pushdo Update – http://isc.sans.edu/diary.html?storyid=8131

News Item 4:   http://www.h-online.com/open/news/item/Microsoft-s-Security-Development-Lifecycle-under-Creative-Commons-License-1068172.html
Microsoft is to change the license for its process for developing secure software. In future, the company’s Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on “trustworthy computing”. The resulting programme was intended to make security an integral part of the company’s software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.

2010
09.01

InfoSec Daily Podcast

 
ISDPodcast Episode 205 for September 1, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:

MyHardDriveDied.com:

News Item 1: http://torrentfreak.com/iranian-government-runs-public-warez-server-100824/
The Iranian Research Organization for Science and Technology is directly connected to the Iranian Government.   Aside from evaluating and advising policy makers on science and technology issues, the largest research outfit in the country also provides a warez server where Photoshop, MS Office and many other applications can be downloaded for free, totally legal thanks to Iran’s lenient copyright policy.

In most of the western world the actions of the Iranian Government are often met with skepticism. Foreign governments get an uneasy feeling when Iran opens a nuclear facility, fearing it might lead to a nuclear arms program that would be an international threat.

Aside from nuclear issues, Iran has gained a bad reputation for censoring the public in its own country. These censorship issues reached new highs last year during the election protests, where the Government went as far as cutting citizens’ Internet access.

For copyright holders worldwide, the Iranian Government poses a significant threat. The country’s copyright law is set up to protect all copyrighted works produced by Iranians, but not those by creators from other countries.

News Item 2: http://vmyths.com/2010/08/26/oby/
Let’s cut to the chase. U.S. Deputy Defense Secretary William J. Lynn III wrote an op-ed for a commercial publication in which he claims a single USB thumb drive caused the worst military data breach in history. And according to Wikipedia, that one little USB stick led to the creation of the Pentagon’s new Cyber Command.

Breathless reports like this one say this single specific tiny little USB thumb drive got infected with agent.btz, a tiny little chunk of malware the antivirus world has known about since, what, 2008? Yet it took at least 14 months for the Pentagon to clean it up.

Come on, people — fourteen months?!? The antivirus experts dismiss agent.btz as banal, not brilliant.  I’ll bet it took so long only because it was a classified operation. This malware would have blown over in a week if DoD-CERT had issued an email saying “hey, there’s a new virus running around, please scan your PCs for agent.btz.”

http://www.infragard.net/

News Item 3: http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=227200092&subSection=Privacy
[Notes: While another unfortunate example of improperly reviewing and sanitizing data, there are several technologies available to help prevent these types of erroneous mistakes automatically within the databases to obfuscate the data through masking.]

AON Consulting, the state of Delaware’s benefits consultant, mistakenly posted the Social Security numbers, gender, and birth dates of about 22,000 retired state workers on the Web two weeks ago, state officials and the company said yesterday.

Oracle Database Data Masking Information for developers:
http://www.oracle.com/us/products/database/data-masking-161222.html
http://www.oracle.com/us/products/database/042928.pdf

2010
08.31

InfoSec Daily Podcast

 
ISDPodcast Episode 204 for August 31, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org

MyHardDriveDied.com:

News Item 1:  http://www.techworld.com.au/article/358564/microsoft_won’t_stop_net_android
Oracle’s patent and copyright lawsuit against Google for its use of Java in Android won’t be repeated by Microsoft if .Net is used on the Linux-based mobile operating system instead. Director of the open source technology centre at Microsoft Tom Hanrahan said the Community Promise allows projects like Mono to fully support its technology. “The type of action Oracle is taking against Google over Java is not going to happen,” Hanrahan said. Microsoft’s Community Promise has made the .Net runtime and C# specifications available to Miguel de Icaza and the Mono project developers. “If a .Net port to Android was through Mono it would fall under that agreement,” he said. Novell has already developed MonoTouch for Apple’s iOS-based devices like the iPhone and iPad, and a Mono port to Android, dubbed “MonoDroid”, is on the roadmap, due for a preview release in Q3 this year.
Oracle’s complaint against Google centres around its development of the Dalvik virtual machine that can run applications written in Java. Dalvik is not an officially sanctioned Java runtime environment, however Sun did initially praise Google for supporting Java on Android. Mono developer Miguel de Icaza is not concerned about legal challenges by Microsoft over .Net implementations and wrote on his blog that Google could switch from Java. “Google could settle current damages with Oracle, and switch to the better designed, more pleasant to use, and more open .Net platform,” de Icaza wrote.

News Item 2: http://blogs.forbes.com/andygreenberg/2010/08/26/researcher-creates-clearinghouse-of-14-million-hacked-passwords/
The “Wall of Sheep” has become a cherished tradition at the annual Defcon hacker conference in Las Vegas: Anyone foolish enough to use the local wireless network at the hotel will likely have his or her username and password stolen, and later see those vital digital details projected onto a screen for thousands of attendees to see.

Now Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site – 14,488,929 distinct passwords to be exact, collected from 32,943,045 users.

Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of RockYou.com, a social networking applications site penetrated by cybercriminals using an SQL-injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.

Bowes, a consultant with Dash9 security and a developer for security scanning tool NMap, says he collected the passwords to help researchers figure out how users choose passwords and make the authentication process more secure. The site he’s assembled is a wiki, so anyone can update it with new breached password lists. “Since I created it, I’ve had exceptionally good feedback from researchers around the world,” Bowes wrote in his blog. “As far as I know, it’s the best collection of breached passwords anywhere.”

News Item 3: http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=227101757&subSection=Storage+security

[Notes Keith - While the rise in data leaked continues to increase, many companies still are hesitant to enforce proper egress controls to access social networking sites, implement policies regarding their use or implement multi-level content filtering solutions. Checking web traffic for access to playboy is not the sole purpose of a content filtering solution. As with all portions of a properly created security program, the technology must be used to enforce the policies. If the policies don't define the limitations the technology will fail to meet the needs. With that, there needs to be constant monitoring and proactive response by the responsible parties when sensitive information is detected which may be exiting the network. Policies must be definitive, any vagueness in the policies may render them void should a termination turn into an unemployment or criminal proceeding.

Twenty percent of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site

Seven percent of companies terminated an employee for social networking policy violations.

Twenty percent disciplined an employee for such violations.

Fifty-three percent explicitly prohibit the use of Facebook, while 31 percent explicitly prohibit use of LinkedIn.

Fifty-six percent are highly concerned about data loss via email sent from mobile devices.

Twenty-two percent investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices or storage media in the past 12 months.

Fifty-eight percent of respondents say that budget constraints have negatively impacted their organization's ability to protect confidential, proprietary, or sensitive information.

For those companies not able to afford commercial offerings due to budgetary restraints, there are numerous open source solutions that are able to perform DLP/Content Management Solutions with little impact and initial monetary funding. (snort/squid/squidGuard/ossec)]

Despite efforts to keep sensitive data in house, many corporations continue to experience serious data leaks, according to a survey published earlier today.

In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email continues to be the number one source of data loss risks in large enterprises. More than a third (35 percent) of respondents investigated a leak of confidential or proprietary information via email in the past 12 months, the study says.

2010
08.30

InfoSec Daily Podcast

 
ISDPodcast Episode 203 for August 30, 2010.  Tonight’s podcast is hosted by Rick Hayes, Adrian Crenshaw, and Keith Pachulski.

Announcements:

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org

MyHardDriveDied.com:

News Item 1: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=227100032&subSection=Attacks/breaches
Technical Details : http://asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/

A new botnet built for knocking websites offline has attacked mostly Chinese and some U.S. sites, according to researchers. About 90 percent of the command and control servers running YoyoDdos, the nickname given the botnet by researchers at Arbor Networks who have been studying and tracking it, have IP addresses in China, and two-thirds of its victim websites are out of China. The botnet has attacked around 180 websites so far, including 32 in the U.S.

News Item 2: http://www.zdnet.com.au/hackers-accidentally-give-microsoft-their-code-339305548.htm
When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.

When the hacker’s system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

“People have sent us their virus code when they’re trying to develop their virus and they keep crashing their systems,” Heckman said. “It’s amazing how much stuff we get.”

At a Microsoft Tech.Ed 2010 conference session on hacking, Heckman detailed to the delegates the top five hacking methods and the best methods for developers to avoid falling victim to them. Heckman explained how to create malicious code that could be used in cross-site scripting or SQL injection attacks and, although he said it “wasn’t anything you couldn’t pick up on the internet”, he suggested delegates use the code responsibly to aid in their protection efforts.

According to Heckman, based on the number of attacks on Microsoft’s website, the company was only too familiar with what types of attacks were most popular.

News Item 3:  http://www.computerworld.com/s/article/9181278/ICANN_asks_Demand_Media_for_answers_after_report
The group responsible for managing the Internet’s domain name system is asking Demand Media’s eNom division for answers following complaints from Internet security groups.

ENom, the world’s second-largest domain name registrar, came under fire last week in a report from HostExploit, a volunteer-run anti-malware research group. According to HostExploit, eNom is host to an unusually large number of malicious websites and is a preferred domain name registrar for pharmaceutical spammers.

ICANN now says that it is looking into the matter, according to Kurt Pritz, senior vice president of services with the Internet Corporation for Assigned Names and Numbers. Typically, ICANN advises people with information on illegal activity to take their complaints to law enforcement. “However, given the serious nature of some of the allegations made in the HostExploit report, we will ask eNom for their response and will follow up as appropriate,” Pritz said in a statement, e-mailed to IDG News Service.

HostExploit says that some eNom resellers are violating ICANN rules by allowing customers to provide false Whois database information, not following ICANN deletion policy and generally not complying with their obligations as resellers.

2010
08.27

InfoSec Daily Podcast

 
ISDPodcast Episode 202 for August 27, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:

Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transfers made via telephone (770) 867-9111. Please place the account 00133835 on the check.  A PayPal account has been established and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • ShoeCon is being held as a FREE event for InfoSec and IT professionals to attend to celebrate the life of Matthew Shoemaker.  Matthew, or “Shoe”, was a fellow security professional, DC404 member and InfoSec podcaster.  This event will be held in conjunction with the September DC404 meeting at the Wellesley Inn-Atlanta Airport.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston, WV
http://www.hack3rcon.org

MyHardDriveDied.com:

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.

Rant: Monitoring your systems for brute force attacks against SSH/FTP using Open Source tools such as OSSEC.

The attacks are common at this point and only through proper log monitoring can you effectively detect and respond to the attacks. There is no reason to not be monitoring logs generated by public facing services to alert on active attacks against systems. This should be part of the basic incident identification & response capabilities within all organizations.

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/ftpd.log</location>
</localfile>

Done. With the correct settings in OSSEC, the alarms now get sent to the OSSEC WUI, to the *SQL database and/or out by email.
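To show what the alerting described above actually does, here is an added Python sketch (not OSSEC's code and not from the podcast) that applies OSSEC's frequency/timeframe idea to the sshd and vsftpd failure lines that the monitored files would contain. The log lines, host name, addresses and the exact message formats are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style prefix: "Mon DD HH:MM:SS hostname " (assumed format for the example).
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "

# Failure messages as they would land in /var/log/secure (sshd) and in a
# syslog-formatted ftpd log (vsftpd-style). Formats are assumptions.
PATTERNS = {
    "sshd": re.compile(SYSLOG_PREFIX
                       + r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                       + r"from (?P<ip>[\d.]+)"),
    "ftpd": re.compile(SYSLOG_PREFIX
                       + r"vsftpd(?:\[\d+\])?: .*FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
}


def parse_failure(line, year=2010):
    """Return (service, source_ip, timestamp) for a failed login line, else None."""
    for service, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            # Syslog timestamps carry no year; the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return service, m.group("ip"), ts
    return None


def detect_bruteforce(lines, frequency=8, timeframe=120):
    """Raise one alert per (service, source ip) once `frequency` failures fall
    inside a sliding window of `timeframe` seconds, the same semantics as the
    frequency= / timeframe= attributes on an OSSEC rule."""
    windows = defaultdict(deque)   # (service, ip) -> timestamps in the window
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue               # not a failed login: ignore
        service, ip, ts = parsed
        key = (service, ip)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()            # drop failures older than the window
        if len(q) >= frequency and key not in alerted:
            alerted.add(key)       # alert once per source, like OSSEC's ignore window
            alerts.append({"service": service, "srcip": ip, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def _syslog(ts, proc, msg, host="bastion"):
    return f"{ts} {host} {proc}: {msg}"


# Constructed sample log: one fast SSH attacker, one legitimate key login,
# one slow SSH guesser that stays under the window, and one FTP attacker.
SAMPLE_LOG = (
    [_syslog(f"Aug 27 10:15:{s:02d}", "sshd[2101]",
             f"Failed password for root from 203.0.113.5 port {40000 + s} ssh2")
     for s in range(0, 50, 5)]                                   # 10 failures in 45 s
    + [_syslog("Aug 27 10:15:12", "sshd[2102]",
               "Accepted publickey for deploy from 198.51.100.7 port 5010 ssh2")]
    + [_syslog(f"Aug 27 10:{m:02d}:00", "sshd[2103]",
               "Failed password for invalid user admin from 192.0.2.44 port 5100 ssh2")
       for m in range(16, 40, 3)]                                # 8 failures over 21 min
    + [_syslog(f"Aug 27 10:20:{s:02d}", "vsftpd[2200]", 'FAIL LOGIN: Client "203.0.113.9"')
       for s in range(0, 16, 2)]                                 # 8 failures in 14 s
)

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['service']} brute force from {a['srcip']}: "
              f"{a['count']} failures between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The slow guesser at 192.0.2.44 never trips the rule because no eight failures share a 120-second window, which is exactly the blind spot a low-and-slow attacker relies on and why a longer-window or cross-source rule belongs alongside this one.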

Stories of Interest:
News Item 1: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/25/AR2010082505962.html
[Notes Keith: Government speak at its finest. None of the statements seem to jive with one another. Cyberspace will be treated as a domain of potential warfare. Warfare implies both offensive and defensive actions in concert with one another. Active defenses that are created by using a more robust and redundant environment but then later discusses the offensive capabilities. Sounds like they don't quite have the plan all together that formalized.]

News Item 2: http://news.techworld.com/security/3236787/rustock-botnet-ditches-encryption-to-ramp-spam/

The Rustock mega-botnet appears to have ditched the experimental use of TLS (transport layer security) to obscure its activity, Symantec has reported.

Rustock’s use of TLS now averages between 0.1 and 0.2 percent of all spam, peaking at 0.5 percent, a tiny fraction of the levels seen in March when it reached averages of around 25 percent with a peak of as much as 77 percent.

The key moment was on 20 April, when the volume of spam featuring the tactic suddenly plunged to sub-one percent levels after an equally sudden rise in rates in the weeks prior to that date.

TLS adds a small but cumulative overhead to server email processing, which ties up mail servers but also affects the rate at which spam is sent. Why Rustock’s controllers adopted the technique at all was never clear, but it might have been connected to a misplaced belief that it would make it harder for servers to filter its activity or detect the command and control system used to direct its activity.

News Item 3:  http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=226900111
Three years after the United Nations’ website was defaced by activist hackers using a SQL injection attack, the site still contains multiple instances of these vulnerabilities.

Security researcher Robert Graham, CEO of Errata Security, did his now-annual checkup on the UN site and found that while the UN had removed the bug that was exploited in the August 2007 attack, the site is still rife with multiple SQL injection vulnerabilities.

In the 2007 defacement, attackers replaced then-Secretary General Ban Ki-Moon’s speeches with some of their own calling for “peace forever” and “no war.” The attackers exploited a SQL injection bug.

“In what’s become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007,” Graham blogged today. “For example, if you click on ‘print this article’, then use that URL instead, the SQL injection still works.”

News Item 4:  http://www.nytimes.com/2010/08/23/business/global/23telecom.html
Warning about a potential threat to national security, eight Republican lawmakers have asked the Obama administration to scrutinize a bid by one of the biggest corporations in China to supply telecommunications equipment to Sprint Nextel in the United States.

In a letter sent last week to top administration officials, including Treasury Secretary Timothy F. Geithner and the director of national intelligence, Lt. Gen. James R. Clapper Jr., the senators expressed concern over claims that the company had sold equipment to the regime of Saddam Hussein and had a close business relationship with the Islamic Revolutionary Guard in Iran.

The senators also said the company, Huawei Inc., had close ties to the People’s Liberation Army in China.

“Sprint Nextel supplies important equipment to the U.S. military and law enforcement agencies, and it offers a broad array of devices, systems, software and services to the private sector,” wrote the group of senators, including Jon Kyl of Arizona, Christopher S. Bond of Missouri and Susan Collins of Maine. “We are concerned that Huawei’s position as a supplier of Sprint Nextel could create substantial risk for U.S. companies and possibly undermine U.S. national security.”

A campaign to block Huawei’s bid to sell equipment in the United States would almost certainly aggravate American-Chinese trade relations and intensify a longstanding debate over whether big Chinese companies will be allowed to invest in sensitive industries in the United States.

2010
08.26

InfoSec Daily Podcast

 
ISDPodcast Episode 201 for August 26, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:
Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can either be mailed directly or transferred via telephone (770) 867-9111. Please place the account 00133835 on the check.  A PayPal account has been established and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

Other upcoming cons Adrian will be at:
Phreaknic, Oct 15-17 2010, Nashville, TN
http://www.phreaknic.info
Hak3rCon Oct 23-24 2010, Charleston WV
http://www.hack3rcon.org
MyHardDriveDied.com:

Karthik Rangarajan is looking for a full-time position. He is graduating in December 2010, and can start immediately after he graduates. He has experience with Static Code Analysis, and has been a developer for a fairly decent amount of time before he got into security. He has a track record of being a fast learner and having a high learning curve. He can be reached at krangarajan at gatech dot edu or isdpodcast at gmail dot com.

Rant: Not understanding that protecting sensitive information should be part of a basic security program such as proper authentication, accounting, authorization and auditing indicates you’ve made 0 forward movement with your program.

Stupid Phrase of the day: Cyber Information Security

Stories of Interest:
News Item 1:  http://www.csoonline.com/article/603542/deep-theater-defense-?source=rss_cso_exclude_net_net

As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.

In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let’s investigate the design of this protective architecture:

News Item 2: http://www.zdnet.co.uk/news/security/2010/08/16/apple-manager-accused-of-1m-kickback-scheme-40089826/?s_cid=938

Paul Shin Devine was indicted on Friday on suspicion of obtaining confidential Apple information which he transmitted to iPod and iPhone accessory suppliers, according to the San Jose Mercury News. In return, Devine allegedly received kickbacks, which he allegedly shared with Andrew Ang of Singapore, an employee of one of the suppliers.

“Apple is committed to the highest ethical standards in the way we do business,” Apple spokesman Steve Dowling said in a statement. “We have zero tolerance for dishonest behaviour inside or outside the company.”

According to the indictment, the information allegedly shared by Devine included product specifications, sales forecasts and details of competitors’ bids.

The six suppliers allegedly involved were not named in a federal court indictment, which the US District Court in San Jose ordered to be unsealed on 13 August, according to a court docket. However, the Wall Street Journal named three of the suppliers allegedly involved as China’s Kaedar Electronics, South Korea’s Cresyn, and Singapore’s Jin Li Mould Manufacturing.

News Item 3: http://gcn.com/articles/2010/08/23/cybereye-cybersecurity-jobs.aspx
Cybersecurity is a growth industry, with rapidly increasing demand for qualified professionals in government and industry and a growing number of schools offering courses and degrees. But a couple of security bloggers warn that cybersecurity jobs in large enterprises, especially government, are likely to be frustrating.

Mike Subelsky, who describes himself as a hacker and entrepreneur who has worked in cybersecurity for eight years in the military, as a government civilian and as a contractor, describes the work as uncreative, bureaucratic and restrictive.

“In classified settings, you are severely restricted in the sources and kinds of technologies you use,” he writes. “You won’t have admin permissions on the machine you’re working on. Forget installing Chrome with the latest extensions, you’ll be lucky to get Version 2 of Firefox!  Or you might not have access to the Internet at all!”

A like-minded blogger identified as NetSecGuy wrote that “the government leads in cyber-boring.” Not only is the technology outdated, but management has no clue and information is seen as something to be hoarded rather than shared.

News Item 4:  http://joongangdaily.joins.com/article/view.asp?aid=2924915
Leaked military information is becoming a common occurrence here in large part because of a lack of security awareness among defense officials, despite the increasing severity of cyber attacks at the hands of North Korean hackers.

Some senior defense officials have lost sensitive and classified information after transferring files to USB drives – even though the military prohibits the use of such technology to store data because it can easily be stolen.

Strong disciplinary measures are needed to ratchet up security awareness among defense officials.

According to a Defense Security Command report to the National Assembly, the number of military officials punished for violating security codes and leaking – both intentionally and accidentally – confidential military information has been increasing sharply every year. The number was 510 in 2005 and rose to 879 in 2006, 965 in 2007, 1,164 in 2008, 1,512 in 2009 and 886 through the first six months of this year.

There have been some serious cases this year as well. The computers of 13 soldiers stationed at one particular base were hacked from January to March, exposing 1,715 files.

2010
08.25

InfoSec Daily Podcast

 
ISDPodcast Episode 200 for August 25, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Rant: Having multiple sets of physical access controls to a facility makes no sense when you don’t check to see if a person has identification to access the facility

Stories of Interest:
News Item 1: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html
Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.  “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

News Item 2: http://news.cnet.com/8301-27080_3-20014625-245.html
A flaw in the way Windows handles DLL (dynamic-link library) and related files likely affects hundreds of applications and has already been used in malicious attacks in the wild, a security researcher said on Tuesday.

Microsoft acknowledged in an advisory on Monday a type of attack mechanism known as DLL preloading, or binary planting, and said that while it is not new it does have a new remote-attack vector. Malicious code can now be planted on a network share instead of just on a local system, making it much easier to attack vulnerable systems by duping people into clicking on malicious Web links or opening malicious documents.

Security firm Acros disclosed the issue last week after finding that it affects iTunes, and Rapid7 Chief Technology Officer HD Moore published additional information about it this week here and here. Moore, creator of the Metasploit database and framework, also released a tool to test whether applications are vulnerable.

Now, the Exploit-db.com exploit database is getting flooded with submissions of applications that people say are vulnerable, including Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2010, Office 2007, and non-Microsoft applications like Firefox 3.6.8, Foxit Reader, Wireshark and uTorrent, said Mati Aharoni, founder of security firm Offensive Security, which runs the exploit database.  A post to the Full Disclosure mailing list claims that the Windows Address Book in Windows XP is also vulnerable.

News Item 3: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226700303
Passwords with fewer than 12 characters can be quickly brute-force decoded using a PC graphics processing unit (GPU) that costs just a few hundred dollars, according to researchers at the Georgia Institute of Technology.

“We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the university’s research institute, in a statement. “Right now we can confidently say that a seven-character password is hopelessly inadequate.”

Today’s top graphics processors offer about two teraflops of parallel processing power. For comparison, “in the year 2000, the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than 7 teraflops,” he said.

The barrier to using multi-core graphics processors — available from Nvidia or AMD’s ATI division — for compute-intensive processes other than graphics processing, said Boyd, first fell in 2007, when Nvidia released a C-based software development kit. “Once Nvidia did that, interest in GPUs really started taking off,” he said. “If you can write a C program, you can program a GPU now.” Or use it to crack a password.

News Item 4: http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database
Hackers stole customer data from eight online supermarkets in Japan, including Uny Co. and Neo Beat Co, in July using a hacking technique called SQL injection to access their databases, sources familiar with the matter said Saturday.

A source close to Neo Beat, which also operates the websites of these online supermarkets, said it believes that the approximately 30,000 unauthorized accesses to its database server were likely “perpetrated by a group of professional hackers.”

The accesses, which were conducted from Japan and China on July 24-26, resulted in the theft of data on a total of 12,191 customers of the Osaka-based company as well as its seven business partners including supermarket chains Izumiya Co, Maruetsu Inc and Ryukyu Jusco Co.

Neo Beat has since filed a damage report with the Osaka prefectural police, and the companies have closed their online markets since late last month. Police investigators are now looking into the case and gathering relevant information.

2010
08.24

InfoSec Daily Podcast

 
ISDPodcast Episode 199 for August 24, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Keith: [EDIT] It’s not raining men. That’s ok.. I have a gift for you Kar and I’ll wait for ShoeCon to give it to you =)

Keith’s Rant of the Day: Providing employees with scripted answers to auditor questions nullifies the point of performing an internal audit….

Stories of Interest:
News Item 1: http://www.theregister.co.uk/2010/08/12/server_based_botnet
A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices.

According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By exploiting a vulnerability patched in April, the bot installs a file called dd_ssh, which trawls the net for devices protected by the SSH protocol.

“This bot then conducts brute force SSH attacks on random IP addresses specified by the bot herder,” a user blogged here. Indeed, DShield, an exploit-monitoring service maintained by the SANS Institute, shows a six-fold increase in the number of sources participating in SSH scanning from July 24 to August 10, and close to a three-fold jump in the number of targets.  For reasons that remain unclear, the number of sources over the past two days has plummeted, even as the number of targets has dropped only moderately.

In addition to posing a threat to unpatched websites and SSH-protected devices, the attacks are also creating headaches for large numbers of non-vulnerable sites. As Reg readers have pointed out in comments to this article, the flood of requests for admin.php, setup.php and other PHP-related files can have the effect of a denial-of-service attack. The queries often hit sites running Microsoft’s IIS and other platforms that have nothing to do with PHP.

News Item 2: http://www.computerworld.com/s/article/9180660/Heartland_denies_systems_involved_in_new_data_breach
Heartland Payment Systems, which last year suffered the largest ever data breach involving payment card data, is downplaying reports out of Austin, Texas linking the payment processor to a data breach at a local restaurant chain.

Heartland CIO Steven Elefant told Computerworld by e-mail late Thursday that the reports out of Austin point to a “localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud.”

“The Heartland system at large and its merchants would not be compromised in any way by this type of attack, and the company is unaware of any broader issue,” he said.

He added that Heartland officials will work closely with business owners to help identify the source of the breach, and help with remediation efforts.

The Austin Statesman reported on Thursday that an “accounting network” at Tino’s Greek Cafe, a local restaurant chain with four locations in Austin, had been breached.

News Item 3: http://www.darkreading.com/shared/printableArticle.jhtml?articleID=226900007

[Notes: Keith - Network segmentation, see news item 4, is often overlooked, improperly implemented and/or not monitored. Along with segmentation, there should be access controls implemented between the individual segments to enforce the segmentation and report on potential issues. Not only does this allow for minimized impact to operations should one segment come under attack/infected/whatever, once properly implemented it will also allow for overall ease of management]

News Item 4: http://www.darkreading.com/shared/printableArticle.jhtml?articleID=226700495

[Notes: Keith - Rogue wireless networks continue to be problematic due to the ease of acquiring wireless access points as well as problems with detection. To discover rogue access points we should be using a combination of both wired and wireless scanning as neither is perfect. Correlation of the results should be able to give a better picture on discovery of potential devices, though even this is questionable. Due to the saturation of wireless in heavily populated areas, even wireless scanning and identification of those devices is nearly impossible. Proper controls between corporate/guest AP, network segmentation - this is something that is often overlooked and when it is implemented it typically turns into Swiss cheese. I love how Verizon is quoted here as blaming insecure wireless networks for the bulk of the incidents and says we should be using WPA or WPA2, yet they ship their wireless devices with WEP enabled.]

2010
08.23

InfoSec Daily Podcast

 
ISDPodcast Episode 198 for August 23, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Stories of Interest:
News Item 1:  http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system, a security researcher said Thursday.

The critical vulnerability, which has already been patched in Apple’s iTunes media player for Windows and VMware Tools, will be especially challenging to fix, because each application will ultimately need to receive its own patch, Mitja Kolsek, CEO of application security consultancy Acros Security, told The Register. He agreed with fellow researcher H D Moore, who on Wednesday said the critical vulnerability is trivial to exploit.

At the time, Moore estimated 40 programs were vulnerable, but security experts from Slovenia-based Acros have found that about 200 of the 220 applications they’ve tested so far suffer from what they’re calling the binary-planting bug. They have yet to complete their inquiry.

“We are expecting that there should be many more,” Kolsek said. “We were just looking for those vulnerabilities that were exploitable in terms of the user double-clicking a document or doing a couple of things with the menu.”

News Item 2: http://www.nytimes.com/2010/08/12/technology/personaltech/12basics.html

[Notes: Karthik - I think Rick almost got geotagged once, Adrian found the EXIF data in it. He almost did it again last month, he posted a tweet that had the Epoch time, and the geolocation on it, until he removed it and used a different app]

When Adam Savage, host of the popular science program “MythBusters,” posted a picture on Twitter of his automobile parked in front of his house, he let his fans know much more than that he drove a Toyota Land Cruiser.  Embedded in the image was a geotag, a bit of data providing the longitude and latitude of where the photo was taken. Hence, he revealed exactly where he lived. And since the accompanying text was “Now it’s off to work,” potential thieves knew he would not be at home. Security experts and privacy advocates have recently begun warning about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, the concern is that many people may not realize it is there; and they could be compromising their privacy, if not their safety, when they post geotagged media online.

Adam said he knew about geotags, but he said he had neglected to disable the function on his iPhone before taking the picture and uploading it to Twitter. Adam has since turned off the geotag feature on his iPhone, and he isn’t worried about the archived photo on Twitter because he has moved to a new residence. But others may not be so technologically informed or so blasé about their privacy.

News Item 3: http://www.businessdailyafrica.com/Company%20Industry/-/539550/977138/-/simtwwz/-/
Data has become an invaluable asset in every sector. Yet even as the world’s businesses become interconnected by the same business language, developing nations face an extra cost burden through their almost complete neglect of information security, according to a 2005 Information Economy Report from UNCTAD.

In a clarion call, a full five years ago, to take the value of information more seriously, the report urged the criminalising of cyber attacks and the introduction of risk-management policies, as well as constant monitoring of ICT security regulations and the training of skilled staff to run effective security programmes.

The calls have had virtually no impact in Kenya, despite the country’s galloping growth in intellectual property and information held within businesses — from client information, including card numbers and contacts, to sensitive company information such as login details, mailing lists and security codes.

Not one company or public sector organisation in the country has yet implemented the two international standards dealing specifically with information security, ISO/IEC 17799:2005 and ISO/IEC 27001.

News Item 4: http://www.patriotledger.com/lifestyle/health_and_beauty/x316188449/Milton-Caritas-Carney-hospitals-to-patients-about-dumped-medical-records
Four Massachusetts hospitals will soon be contacting thousands of patients whose medical records were found at a public dump in late July. Two of the hospitals have posted information for patients on their websites and are making plans to send letters to all patients involved in the security breach. For patient information, go to the Milton Hospital and Carney Hospital websites.  Both have direct phone lines that patients can call. Carney’s number is 800-699-1202, and Milton’s is 617-313-1000 followed by 1 and extension 881555.  The dumped records also included patients from Milford and Holyoke hospitals. The unshredded records contained Social Security numbers and sensitive information such as cancer-test results. Patients who got pathology tests appear to be the only ones affected. Most records were from 2009, with some as old as 2007.

Milton Hospital estimates the dumping affected 8,000 to 12,000 patients and more than 15,000 test results. Murphy said Carney Hospital hasn’t yet determined how many of its patients are involved. A spokesman said there’s no evidence of any previous case of medical records being left unshredded and unprotected. The records were discovered by a Boston Globe photographer on July 26 at the transfer station in Georgetown, 22 miles northwest of Marblehead. Under its contracts, Goldthwait is supposed to dispose of the records; under state and federal law that generally means the documents are to be shredded or burned.
A spokesman said it’s not clear how much more the hospitals can do to prevent a third-party breach, since they weren’t directly involved in handling these records, but said the hospitals will review their protection procedures to be sure.

2010
08.20

InfoSec Daily Podcast

ISDPodcast Episode 197 for August 20, 2010.  Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.

Announcements:
Local Password Exploitation Class:

  • The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
  • The class will cover the details of pulling passwords/hashes that are stored on a box where the attacker has physical access to the system, or via network vulnerabilities that can reveal the password/hash. Topics to be covered:
    • Pulling stored passwords from web browsers/IM clients and other apps
    • Hash cracking of Windows passwords, as well as other systems
    • Sniffing plain text passwords off the network
    • How passwords on one box can be used to worm through other hosts on a network
  • Seating is limited to 50 people.
  • The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund.  Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support his two children. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers made via telephone at (770) 867-9111. Please place the account number 00133835 on the check.  A PayPal account has been established, and you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/).  Please show your receipt for a donation of at least $10 at the door.

Atlanta ISSA:

SANS Community:

9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354

  • Use the Discount Code: isdpod15 for a 15% discount.

ShoeCon 2010:

Wellesley Inn-Atlanta Airport (Google Maps)
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

  • This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.

SANS Mentoring Program:

  • Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.
  • Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258).  Use the Discount Code:  isdpod15KY for a 15% discount.

The Louisville Metro InfoSec Conference:

  • Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).  Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st.  This discount will expire on that date.

MyHardDriveDied.com:

Interview:
We would like to welcome Adrian Sanabria to our podcast.  Adrian is a security consultant, technology enthusiast, and hacker based in Knoxville, Tennessee. He is currently a security consultant for Sword & Shield Enterprise Security, where he enjoys performing penetration tests, PCI assessments, and social engineering exercises for clients from a wide range of industries.

Though Adrian has been working in Information Technology for over ten years, he has a passion for learning and teaching, and dreams of jumping into teaching full-time one of these days. A lifelong interest in how things work has led to a lifetime of disassembling, breaking and hacking all manner of things. Adrian lives for the rewarding experience of explaining complex, difficult concepts to students, children, or anyone else with a love for learning. He looks forward to providing eager students with new skill sets and the answers to those questions that nag at them and keep them up at night.