Security Weekly News 20 January 2011 – Full List


Hacking Incidents / Cybercrime

 
The European Union locked all accounts in its carbon market today, after a security breach, seeking to protect the battered reputation of the EU’s main weapon against climate change.
The United States, Japan, and Australia have all delayed implementing similar cap-and-trade programs, and the latest glitch to the EU system could detract further from carbon trading as a global policy.
The trading scheme limits the carbon emissions of all big EU factories and power plants by issuing permits for each tonne of carbon emitted, which companies can then trade among themselves.
 
Trapster is an online service that notifies users of road hazards and helps them avoid speeding tickets. Now it has notified its users of a possible compromise to over 10 million email addresses and passwords — that number is based upon the posted total users on the site.
 
A former TSA worker has been found guilty and has been sentenced to two years in prison and a $60,587.07 fine to be paid to the TSA.
He was accused of tampering with the agency’s databases and trying to inject malicious code into a server containing the Terrorist Screening Database.
 
Spammers have exploited a cPanel vulnerability at a hosting company in order to abuse high profile domains belonging to educational, financial and public institutions.
The compromises began in April 2010 at Hostmonster, a Utah-based hosting company owned by Bluehost, and lasted until earlier this month.
Bluehost co-founder Danny Ashworth told Krebs on Security that an attacker exploited the vulnerability to create rogue subdomains on dozens of domain names hosted by the company.
The subdomains pointed to pages used in black hat search engine optimization (BHSEO) campaigns to poison search results.
This method involves creating pages filled with keywords for a particular search topic, a technique referred to as keyword stuffing, on domains with a solid PageRank.
 
Vodafone Customer Database Breached  [www.liquidmatrix.org]
It appears that Vodafone had a rough go of things over the weekend. Apparently a ne’er do well breached their ‘secure’ customer database. No news as to the extent of the damage as a result.
 
Data protection concerns over FG website  [www.thepost.ie]
Fine Gael’s general election campaign got off to a disastrous start last week when hackers broke into its new website.
Days after the party launched the new site, the personal details of 2,000 members of the public were accessed, resulting in investigations by the gardaí and the FBI.
Before the attack, data privacy experts had expressed concern about the site’s compliance with data protection regulations.
Fine Gael billed the new website as “the biggest consultation exercise to date with the Irish electorate”.
 
A Trojan that tries to obstruct cloud-based antivirus technology present in major AV solutions offered by Chinese security firms is targeting users by posing as a video player and other popular software.
According to Microsoft’s researchers, the attackers use social engineering techniques to get the victims to install the Trojan – called Bohu – on their system.
 
A ransomware-based malware scam allowed Russian cybercrooks to fleece an estimated 2,500 surfers to the tune of almost $30k.
Unwary smut-seekers visiting a porno site found their machines disabled by a Trojan. They were told to solve the problem by sending an SMS to a premium-rate number at a cost of $12 (360 roubles), and a substantial minority did so.
 
An office server on which the New Hampshire Seacoast Radiology had stored sensitive personal and medical information of more than 230,000 patients was breached in November by hackers who used its bandwidth to play Call of Duty: Black Ops.
 
First Fine Gael, now the DUP. The website of the largest unionist party in Northern Ireland was hacked yesterday by an Irish language activist who replaced the text of the front page with an Irish message saying party leader Peter Robinson supported the Irish Language Act.
The genuine website, now restored, contains a message from assembly member Michelle McIlveen criticising a bilingual consultation on road traffic signs as “a costly waste of money”.
 
Credit card fraud figures worthless  [connexionfrance.com]
AN INQUIRY has found that online frauds have been hugely underestimated because police and gendarmes were not registering complaints properly.
Statisticians said that official figures for frauds were worthless, as many crimes had not been registered and the figures were much lower than the real rate of crime.
The Observatoire National de la Délinquance et des Réponses Pénales (ONDRP) estimated that between 5,000 and 10,000 complaints had disappeared.
 
It has long been clear that a lot of grey matter was exercised in creating Stuxnet. It is equally clear that the highly expert team behind the worm was not simply showing off Windows exploits on Siemens manufacturing control systems, but intended to destroy centrifuges used for uranium enrichment.
 
ATM Skimmers, Up Close  [krebsonsecurity.com]
Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum – in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions – were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Unpatched Vulnerabilities

 
Firefox 4, A Huge Pile of Bugs  [it.slashdot.org]
‘Firefox 4.0 beta 9 (AKA ‘a huge pile of awesome’) was released on January 14, 2011. Firefox 4’s release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won’t slip again, since there are still more than 100 ‘hardblocker’ bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won’t be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it’s unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we’ll have to wait until Firefox 4.1 to have this ‘huge pile of bugs’ (mostly) fixed.’
 
ICQ can be fed crafted updates  [www.h-online.com]
Because the Instant Messaging client ICQ fails to verify the authenticity of updates downloaded from the web, it is possible to substitute trojans for genuine updates. An attacker would, however, need to be able to reroute the resolution of the IP address for update.icq.com to his own server by, for example, interfering with the router or cache poisoning the DNS server.

Software Updates

 
As part of its January patch update, Oracle has released security updates for a number of products. The Critical Patch Update addresses vulnerabilities in, for example, the company’s database server, Application Server, WebLogic Server, PeopleSoft Enterprise and Open Office.
Oracle gives vulnerabilities in Solaris, Fusion Middleware and Audit Vault a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible level of severity. The company advises all users to install the updates as soon as possible.
 
When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.
 
A security update to EAServer from the SAP company Sybase closes two vulnerabilities that could be remotely exploited. According to the manufacturer’s report, attackers could exploit a directory traversal vulnerability to read arbitrary files on the server. Sybase states that it would also be possible to install unauthorised web services on EAServer, making it possible to gain control of the server.
 
The developers of the Tor (The Onion Routing project) anonymisation solution have released version 0.2.1.29 to close a hole that can be remotely exploited. According to the developers, the problem is caused by a heap overflow. Version 0.2.1.28, which was released in late December, had already fixed another heap overflow in Tor. This flaw could be exploited to remotely crash Tor and the developers didn’t rule out that it could also have been exploited to inject and execute arbitrary code.
 
A flaw in the web server components of the free Mono .NET clone potentially allows ASP.NET applications to supply source code or other files from the web server’s application directory. Mono 2.8.2 fixes this as yet unexplained bug. Affected components on the project’s vulnerability list include the XSP web server and the mod_mono Apache module. Both of these execute ASP.NET code.

Business Case for Security

 
Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment
In the finale of a four-part study on application security by Aberdeen, a Harte-Hanks Company (NYSE: HHS), Aberdeen’s analysis of companies adopting the ‘secure at the source’ strategy — i.e., the integration of secure application development tools and practices into the software development lifecycle, to increase the elimination of security vulnerabilities before applications are deployed — found that they realized a very strong 4.0-times return on their annual investments, higher than that of both the ‘find and fix’ and ‘defend and defer’ alternative approaches. Although the secure at the source approach is currently the least common to be implemented, Aberdeen’s research confirms that it is maturing and transitioning from early adoption to mainstream use.
As part of its benchmarking process for the Security and the Software Development Lifecycle: Secure at the Source report, Aberdeen adapted a simplified version of the Microsoft Software Development Lifecycle (SDL) as a yardstick for measuring current practices. ‘To be clear, few companies may be in a position for full-scale adoption of the Microsoft SDL framework — nor would they necessarily want to do so,’ said Derek Brink, vice president and research fellow for IT Security, Aberdeen Group. ‘In Aberdeen’s view, the pragmatic approach is to leverage the best features of the Microsoft SDL as they apply to your organization, just as one would leverage the best of any other time-tested industry standard. Discard the rest.’
 
Ah, passwords. Love ’em or hate ’em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better.
Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness of the risks. Still, when it’s a case of individuals electing not to create secure passwords, they really only have themselves to blame.
But what happens when the website won’t allow you to create a secure password? Or at least when they severely constrain your ability to create long, random, unique passwords? And what about when they don’t allow you to send it between your computer and their server securely?
 
The recent security breaches on the Fine Gael and DUP websites have once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is “how do I ensure my company is secure?”. Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
Why is the planning phase of ISO 27001 so important?
If you don’t plan your information security activities carefully, chances are you will miss something important – and that will cost you. This is why ISO 27001 defines very precisely the various steps in the planning phase – the purpose is to set clear direction, but also to take into account everything that can cause security incidents.
According to ISO 27001, the planning phase is rather complex and requires several documents and activities to be done. Risk assessment and treatment are the central part of the planning phase – they set the ground for the implementation phase, by defining which security controls are applicable.
 
By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.
Unsurprisingly, this massive and committed user base is heavily targeted by scammers and cybercriminals, with the number and diversity of attacks growing steadily throughout 2010 – malware, phishing and spam on social networks have all continued to rise in the past year, with a Sophos survey finding that:
 
Getting Ready for PCI 2.0 Compliance  [www.esecurityplanet.com]
The latest version of the Payment Card Industry Data Security Standard (PCI DSS v2.0) went into effect on January 1, 2011. If you work for an entity that stores, processes, or transmits credit card data in electronic form then your organization is required to comply with the standard or risk disciplinary action: being fined for lack of compliance by the acquiring bank or, in very extreme cases, no longer allowed to accept credit card payments.
If your company’s been in business a while, PCI and PCI compliance are nothing new. The standard has been around since December 2004 and the individual card brand compliance programs that form the basis of PCI have been in place even longer. Chances are your company has already been through a few PCI DSS assessment cycles and you have a few successful RoCs (report on compliance) under the belt. However, you may be wondering if the changes in the recently issued v2.0 of the standard will change your compliance process or require new controls or procedures in order for your organization to be compliant. In this short overview, we’ll take a look at the differences between v.1.2.1 and v2.0 of the PCI DSS and what, if anything, that will mean to your company.
 
Officials today revealed that the ‘Advanced Persistent Threat’ (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations.
‘APT is dead. Totally gone. The term APT is meaningless now’ revealed a senior official under the condition of anonymity, as he was not authorized to discuss the issue with the press — as if anyone believes that anymore.
 
A great deal of online commerce, speech, and socializing supposedly happens over encrypted protocols. When using these protocols, users supposedly know what remote web site they are communicating with, and they know that nobody else can listen in. In the past, this blog has detailed how the technical protocols and legal framework are lacking. Today I’d like to talk about how secure communications are represented in the browser user interface (UI), and what users should be expected to believe based on those indicators.
The most ubiquitous indicator of a ‘secure’ connection on the web is the ‘padlock icon.’ For years, banks, commerce sites, and geek grandchildren have been telling people to ‘look for the lock.’ However, the padlock has problems. First, it has been shown in user studies that despite all of the imploring, many people just don’t pay attention. Second, when they do pay attention, the padlock often gives them the impression that the site they are connecting to is the real-world person or company that the site claims to be (in reality, it usually just means that the connection is encrypted to ‘somebody’). Even more generally, many people think that the padlock means that they are ‘safe’ to do whatever they wish on the site without risk. Finally, there are some tricky hacker moves that can make it appear that a padlock is present when it actually is not.
 
A-class pwnage goes mainstream  [blog.remes-it.be]
Some people still don’t believe a company can get owned from the inside. There are no specific secrets that, when divulged, can bring the company down. When a server gets owned, let’s reinstall it and move on. Yesterday the Belgian TV program “Basta!” showed a tell-tale example of how people with dedication and enough time/budget can do anything they want to bring a company down.
I suppose they are a plague worldwide: telephone games. An annoying presenter shows a riddle and people can call in with the solution (or a wild guess) and can win exuberant amounts of money. The trick is that people rarely find the answer, especially with the mathematical riddles. The “Basta!” team decided to take them on.
 
The company released results of a new study which it says shows large enterprises are still relying on traditional password policies as opposed to stronger, two-factor authentication technologies.
Two-thirds (67 per cent) of large North American organizations have not implemented two-factor authentication for the partners and contractors that access their corporate network, according to a Symantec Corp. report.
The study which polled 306 large enterprises was conducted by Forrester Research Inc. on behalf of the security giant. The respondents included companies from both Canada and the U.S., with all of the companies employing at least a thousand people and 30 per cent of the organizations comprising more than 5,000 employees.
 
The EU’s ‘cyber security’ Agency ENISA (the European Network and Information Security Agency) has today issued a report on Data Breach Notifications. The EU data breach notification (DBN) requirement for the electronic communications sector in the ePrivacy Directive (2002/58/EC) is vital to increase in the long term the level of data security in Europe. The Agency has reviewed the current situation and identified the key concerns of both the telecom operators and the Data Protection Authorities (DPAs) in its new report.
Recent high profile incidents of personal data loss in Europe have prompted wide discussion about the level of security applied to personal information shared, processed, stored and transmitted electronically.
The Executive Director of the Agency, Prof. Udo Helmbrecht, commented:
‘Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe.’
 
Cyberwar hype is inhibiting government attempts to develop an appropriate response to cybersecurity threats, say computer scientists.
A heavyweight study by UK computer scientists for the Organisation for Economic Cooperation and Development (OECD) concludes that it is ‘highly unlikely’ there will ever be a ‘pure cyber war’, comparable with recent conflicts in Afghanistan or the Balkans. Suggestions to the contrary are down to ‘heavy lobbying’ by suppliers, the report’s authors – Professor Peter Sommer of the London School of Economics and Dr Ian Brown of the Oxford Internet Institute, University of Oxford – conclude.
 
Security Art’s Iftach Ian Amit discusses targeted attacks and how you should go beyond just technology to defend against them.
Some people might be surprised to hear that most targeted attacks aren’t directed at a specific individual or item of equipment. Although some strive to reach such victims, normally they focus on a small group of individuals or systems in order to carry out their task.
Targeted attacks are also tasked with greater goals than a traditional attack (for instance, they may intend to steal specific documentation, access custom systems, control or modify information, etc.), but they’re not actually that technologically different from ‘traditional’ attacks.
In my experience of the clients we have helped at Security Art, some attacks do utilize some of the most ingenious technologies and techniques. But at the end of the day, when you scrape off the ‘cool cloak’ (custom hiding techniques to make the code bypass security technologies), you realize that we are still dealing with the same vulnerabilities, and the same rootkit and Trojan techniques.

Web Technologies

 
Top Ten Web Hacking Techniques of 2010 (Official)  [jeremiahgrossman.blogspot.com]
Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we’re talking about actual new and creative methods of Web-based attack. Now in its fifth year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.
 
Spot the Vuln – Sleep  [blogs.sans.org]
It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it.
– John Steinbeck
 
Spot the Vuln – Vegetables  [blogs.sans.org]
People need trouble – a little frustration to sharpen the spirit on, toughen it. Artists do; I don’t mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy.
– William Faulkner
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

Network Security

 
 
You often read about people who use many different security applications to protect their systems. Not only anti-virus, anti-spyware, firewall, HIPS, …, but also some other tools like anti-keyloggers, … And sometimes, when they argue about the additional protection such tools bring, you can read the following: “it does no harm…”.
Well, this time, I’ve a clear example where using a supplemental security tool does harm, even when it adds real protection.
When installed, this tool (which I’m not going to name here because of SEO reasons), installs a Windows explorer shell extension (we’ve discussed the risks of these shells before). The problem with this tool’s shell extension (a DLL), is that it is compiled without the dynamic base flag set. In other words, it doesn’t support ASLR.
 
Researchers provide rare inside peek at the exfiltration methods used in targeted attacks
Incident-response experts specializing in targeted, advanced persistent threats (APTs) here today revealed some common exfiltration techniques by these typically nation-state sponsored attacks.
It’s difficult to know for sure just how many APT attacks actually occur — mainly because victim organizations aren’t required to report them as long as customer data isn’t breached, and many prefer to keep it under wraps. ‘A large percentage of organizations don’t report it to law enforcement. They want to remediate, keep it quiet, and move on,’ says Sean Coyne, a consultant with Mandiant. ‘We have seen attackers that have been there [inside organizations] for months and years,’ for example, he says.
 
Netflow for Incident Response  [blogs.cisco.com]
This is the fourth part in the series “Missives from the Trenches.” (Here are the (first), (second), and (third) parts of the series.) In today’s blog post we will be discussing Cisco IOS Netflow. Netflow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them “do you use Netflow?” By asking this question I am actually asking several different questions: Do you care about the security of your site? Or do you have any hopes in managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is Netflow? The network guys use it but we don’t. I think we capture it somewhere but not really sure where – and so on. I then mention that Netflow is free, they don’t have to buy anything to start using it, and it’s used for every large case we do. At that point they start looking angrily at the sales engineer asking why this is the first they are hearing about it. So what is Netflow and why does Cisco CSIRT say it’s critical to daily event management? Read on to find out!
 
Cisco Systems is beefing up wireless transaction security with new software features for its Wi-Fi access points. The vendor says the changes add needed protection over and above that mandated by the Payment Card Industry (PCI) standard.
 
VABL 101  [www.infiltrated.net]
The VoIP Abuse Blacklist has been a work in progress as I sought a mechanism to document attackers. With that said, the new layout will hopefully be more beneficial to PBX administrators. Rather than reinvent wheels, VABL looks up an attacker’s information via Shadowserver’s lookup and appends three new fields: type of attacker, address and the letters VABL and a number dialed (when appropriate.)
The type of attacker field may make the biggest difference to those who decide to use this list. There are two specific entries that will appear: BRU, ADN and COM. BRU means that the host attempted to bruteforce a PBX while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is when an attacker places a call and is short for Attacker Dialing Numbers. Whenever you see an entry with ADN, there will be an additional field at the end with the number dialed by the attacker appended to it.
 
Learn more about TCP and UDP ports used by Apple products, such as Mac OS X, Mac OS X Server, AppleShare IP, Network Assistant, Apple Remote Desktop, Macintosh Manager, and MobileMe. Many of these are referred to as ‘well known’ industry standard ports.
 
While the Mac is rarely targeted for security exploits and viruses, it’s no stranger to software piracy, likely because Mac apps are pretty easy to crack. Here’s how it can be done and how to prevent it.
How I’d Crack Your Mac App
Well, not you specifically, but by you I mean the average Mac developer. It’s too easy to crack Mac apps. Way too easy. By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me. I’ll be ending this article with some tips to prevent this kind of hack.
 
meterpreter xor for further av bypass  [0entropy.blogspot.com]
Still on holidays here, and in between sake, beer and shochu I found some time to read and check some things that I wanted to do for some time now. One of those was how to implement a simple binary xor in an .exe file especially for meterpreter. Meterpreter is a great tool but is being detected by antivirus engines and that makes it difficult to use it as a standard payload.
Simple way to create one meterpreter binary that will connect back on ip 192.168.11.7:
 
Introduction to Sguil and Squert: Part 1  [securityonion.blogspot.com]
This post is the first in a multi-part series designed to introduce Sguil and Squert to beginners.
1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and log in using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
 
The impact of IPv6 on message filtering systems  [www.emailsecuritymatters.com]
An interesting article was posted on Slashdot in December:
“As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify ‘undesirable’ hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.”
In the short term, this is definitely going to be a problem for email security companies that rely strongly on DNSBLs or reputation-based systems.

Wireless Security

 
Have you ever asked yourself why you can go online with your laptop in one room but not in another? Or why you get disconnects and a bad signal strength in one room of the house? The reason usually comes down to the wireless coverage of the Wi-Fi network.

Forensics

 
It has often been said that the best things in life are free. Could it be that that old saying can be applied to digital forensics? In many cases, the answer is a resounding yes!
But first, a little history on just how I know the above to be true. I am a police officer in a small, rural mid-western department. As is the case most everywhere, my department started seeing a rise in complaints related to ‘cybercrime’, such as email threats and harassment, child sexual abuse and scams. Since I was already very much into computer use, I took an interest in pursuing these cases and requested various training courses related to their investigation. The farther I got into it, the more I learned about computer forensics and I set up the first lab for my department.

Cloud Computing

 
Many Recommendations Applicable to U.S. Governments, Hospitals
A paper on how governments and healthcare organizations should approach deploying secure cloud computing was issued Monday by the European Network and Information Security Agency, advice that could be applicable to governments and hospitals in the United States.
The 146-page report from the European Union agency, Security and Resilience in Government Clouds: Making an Informed Decision, identifies a decision-making model that can be used by senior management to determine how operational, legal and information security requirements can drive the identification of the architectural solution that best suits the needs of their organization.

Privacy and human rights

 
When I last wrote here about Do Not Track in August, there were just a few rumblings about the possibility of a Do Not Track mechanism for online privacy. Fast forward four months, and Do Not Track has shot to the top of the privacy agenda among regulators in Washington. The FTC staff privacy report released in December endorsed the idea, and Congress was quick to hold a hearing on the issue earlier this month. Now, odds are quite good that some kind of Do Not Track legislation will be introduced early in this new congressional session.
 
To fully understand the privacy of Facebook and how it’s likely to evolve, you need to understand one thing – Facebook executives want everyone to be public.
As the service evolves, executives tend to favor our open access to information, meaning information you think is private will slowly become public, but that doesn’t mean you can be private if you want to.
 
Jacob Appelbaum, a security researcher, Tor developer, and volunteer with Wikileaks, reported today on his Twitter feed that he was detained, searched, and questioned by the US Customs and Border Patrol agents at Seattle-Tacoma International Airport on January 10, upon re-entering the US after a vacation in Iceland.
He experienced a similar incident last year at Newark airport.
An archive of his tweeted account from today follows.
 
Zero Day blogger and malware researcher Dancho Danchev (right) has gone missing since August last year and we have some troubling information that suggests he may have been harmed in his native Bulgaria.
Dancho, who was relentless in his pursuit of cyber-criminals, last blogged here on August 18. His personal blog has not been updated since September 11, 2010.
At ZDNet, we made multiple attempts to contact him, to no avail. Telephone numbers are going to Bulgarian language voicemails and our attempts to reach him via a snail mail address also came up empty.
 
According to Bulgarian newspaper Dnevnik (http://www.dnevnik.bg/tehnologii/2011/01/17/1026425_ekspertut_po_it_sigurnost_dancho_danchev_e_nastanen_v/), IT security expert Dancho Danchev has been placed in a psychiatric hospital.
Dancho Danchev, an expert on cybersecurity, has been placed in a psychiatric hospital in Bulgaria. The information was confirmed by two sources of ‘Dnevnik’, although the hospital refused to comment.
 
Developers kicked back out of your undie drawer
Facebook has ‘temporarily disabled’ a controversial feature that allowed developers to access the home address and mobile numbers of users.
The social network suspended the feature, introduced on Friday, after only three days. The decision follows feedback from users that the sharing of data process wasn’t clearly explained and criticism from security firms that the feature was ripe for abuse.
Individual users had to grant permission before developers could hook into the API on Facebook’s platform. However, because many users often click through permission dialogue boxes without paying attention, concerns were raised by net security firms such as Sophos that the feature might make life easier for the developers of rogue applications.

Mobile Security

 
Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, it’s probably not entirely Google’s fault, but the overall situation looks very bleak for Android.
 
If you notice that the network icon in the corner of your smartphone’s screen just switched from “3G” to an “E,” then you may want to watch where you browse. Some nearby snoop may be watching already.
That possibility, at least, is one lesson of the work of Spanish cybersecurity researchers David Perez and Jose Pico, who at the Black Hat security conference in Arlington, Virginia Wednesday demonstrated a new, cheaper system for intercepting the data sent to and from smartphones that run Android, iOS, Windows Mobile and other operating systems, practically any laptop or tablet that can connect to the Internet via a 2G cell connection, or spy on surveillance cameras or industrial control systems that use those connections.
 
One can only hope that security software provider Trend Micro saw a nice sales boost after the proclamation of its chairman earlier this week that Android phones are more vulnerable to hacking than iPhones are. If it didn’t, those blatantly self-serving statements were made for nothing.
After all, they’re certainly not true. Not only that, but they were made immediately after the company launched its brand-new security software for Android. There’s no way that was a coincidence.
The statements were, however, a classic example of the FUD that’s so often resorted to by companies that earn their bread by instilling fear in the hearts of computer users.
 
Backgrounding and Snapshots
In iOS when an application moves to the background the system takes a screen shot of the application’s main window. This screen shot is used to animate transitions when the app is reopened. For example, pressing the home button while using the logon screen of the Chase App results in the following screen shot being saved to the application’s Library/Caches/Snapshots/com.chase directory.
 
RIM identified new security flaws in both its BlackBerry handheld software and its corporate BlackBerry Enterprise Server (BES). CIO.com’s Al Sacco provides details for BlackBerry users and admins on how to address the issues, one of which has been deemed ‘severe.’

Physical Security

 
Devices from those used to track nuclear materials to warranty seals on Xbox consoles easily circumvented
Security devices used in transportation, packaging and even in accounting for nuclear materials are very vulnerable to attack, two security researchers warned on Tuesday at the Black Hat security conference.
The physical security devices, known as ‘tamper-evident devices,’ aren’t intended to prevent theft but to alert inspectors that something has been broken into.
The devices are wide-ranging in design and application, and are used to seal everything from evidence bags, large shipping containers and even things like the warranty seal on an Xbox gaming console.

General

 
 
Today we’re excited to announce that on Thursday, January 20, Yahoo! opens to third-party user authentication with Facebook and Google logins (via OpenID) across the Yahoo! Network. Hundreds of millions of Facebook and Google users will be able to easily sign in and interact on Yahoo! using their Facebook or Google IDs. This eliminates the proverbial necessity of registering for yet another new ID and remembering yet another password. From Yahoo!’s perspective, any signed-in user engaging with Yahoo! services is a valued user, whether she authenticates using a Yahoo!, Facebook, or Google ID.
 
We’ve looked at removing DRM from iTunes movies and TV shows on Windows, but what about Mac OS X? Here’s how to rip out the DRM and turn that copy-protected M4V file into a regular old MP4 on your Mac.
 
First they showed up in your e-mail. Then they found their way onto Facebook. Now ads are coming to your checking account.
As banks test new ways to make money and attract customers, they are tucking ads onto the list of recent purchases on consumers’ online bank statements. The charge for your breakfast at McDonald’s, for example, might be followed with an offer for 10 percent cash back on your next meal at the Golden Arches. There’s no need to print a coupon – just click the link, and the chain will recognize your debit card the next time it is swiped.
 
Keyless car entry and start systems make it easy to get on the road, but they could also make it easier for criminals to take off with your car. And strong encryption won’t solve the problem.
Armed with antennas, researchers at ETH Zurich in Switzerland were able to trick 10 models from 8 manufacturers into thinking the car key fob was within proximity and drive away with these ‘stolen’ vehicles. No scratched doors, no broken glass, and no busted ignitions.
 
The government is planning to put a smart meter in every home in the UK by 2017 as a step towards a smart grid, but what are the security implications of such a move and how can the pitfalls be avoided?
Security must be embedded in the smart grid
Availability is often the poor cousin when compared with confidentiality; however, the impact of a major outage is often quantifiable and of staggering proportions. For example, the US north-east blackout of 2003 resulted in a $6 billion economic loss to the region. All this was caused by the loss of something that is often taken for granted: power.
 
25 Most Common Mistakes in Email Security  [www.emailsecuritymatters.com]

Tools

 
Have you ever asked yourself why you can go online with your laptop in one room but not in another? Or why you get disconnects and a bad signal strength in one room of the house? The reason usually comes down to the wireless coverage of the Wi-Fi network.
 
REMnux v.2.0 Released  [security-sh3ll.blogspot.com]
REMnux: A Linux Distribution for Reverse-Engineering Malware
REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser. REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.
 
inguma  [code.google.com]
A Free Penetration Testing And Vulnerability Research Toolkit
 
Armitage Changelog  [www.fastandeasyhacking.com]
18 Jan 11 Changes
– Added a Migrate Now! item to Meterpreter Access menu. Runs migrate -f.
– Right-click in Meterpreter console now shows menu as before (silly bugs).
– Armitage now detects hashdump failure and reports possible causes to you.
– Armitage now binds default handler to 0.0.0.0.
 
Maltego version 3.0.3 Released  [security-sh3ll.blogspot.com]
Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure. The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.
 
If you are a frequent user of the VirusTotal service, you might find useful, as I did, the Firefox plugin they have to interact with their service. It allows you to scan suspicious links, scan downloads before storing them, scan websites being displayed and search for a file/URL report. It saves time when using their service.
 
Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you’ll be able to enjoy new vulnerability checks, more stable code and about a 15% performance boost in the overall speed of your scan.
 
BinScope Binary Analyzer  [www.microsoft.com]
BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations.
 
I wanted to write a quick post to let you know of an interesting new tool that Microsoft is releasing at Blackhat DC.
Microsoft has required attack surface validation of applications prior to release for years – however assessing the attack surface of an application or software platform can be an intimidating process at first glance.
 
backtrack menu (hack linux)  [sourceforge.net]
Add BackTrack tools with Backtrack Menu on Ubuntu (all versions). Simply run this script and it will install the BackTrack tools automatically.
 
Unhide  [www.unhide-forensics.info]
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.

Funny

 
HTML 5 logo  [www.businessinfo.co.uk]
 
The PCI-DSS Song  [fishermansenemy.com]
 
programming languages  [www-users.cs.york.ac.uk]
Perl is the only language where you can bang your head on the keyboard and it compiles.
 
This is so funny I laughed until I cried! Definitely NSFW. OMG it’s hilarious, but it’s also not a bad overview of the issues. Especially loved: You read the latest post on HighScalability.com and think you are a f*cking Google and architect and parrot slogans like Web Scale and Sharding but you have no idea what the f*ck you are talking about. There are so many more gems like that.
 
 
Julian Assange Colouring book  [www.julianassangecoloringbook.com]
 
How to Stop Wikileaks  [www.makeuseof.com]
 
Find the weak link  [i.imgur.com]
 
 
Hacker vs Cracker  [yfrog.com]
 
Welsh encryption  [yfrog.com]