Monday, April 20, 2009

Around The Horn vol.1,85

Providing Accurate Risk Assessments, (Sun, Apr 19th)

Twitter Packet Challenge Solution, (Sat, Apr 18th)

Yesterday, I posted the packet below as my twitter feed to see how the packet skills are among my fo ...(more)...

FBI CIPAV Spyware Snaring Extortionists and Hackers for Years (CGISecurity.com)

CVE-2009-1324 (asxtomp3converter) (Natl. Vulnerability Database)

Twitter teen hacker hired by Web app developer (NetworkWorld Security)

CVE-2008-1107 (danskesikker.ocx) (Natl. Vulnerability Database)

CVE-2009-0946 (freetype) (Natl. Vulnerability Database)

Twitter Packet Challenge Solution, (Sat, Apr 18th) (InternetStormCenter)

CVE-2009-1314 (webfileexplorer) (Natl. Vulnerability Database)

Pirate Bay: Lock 'Em Up (E-Week Security)

CVE-2008-6725 (cmscout) (Natl. Vulnerability Database)

New Twitter worm targets celebrities (NetworkWorld Security)

Hackers stuff ballot box for Time Magazine's top 100 poll (The Register)

CVE-2009-1316 (ablespace) (Natl. Vulnerability Database)

Metered Broadband, Twitter Worm, Pirate Bay and More on PC World Podcast Episode 25 (PC World) (Yahoo Security)

CVE-2009-1319 (guestcal) (Natl. Vulnerability Database)

Brutish SSH attacks continue to bear fruit (The Register)

Naughty Workers, Spam Pollutes, Skype Spin off (PC World) (Yahoo Security)

Vuln: GScripts.net DNS Tools 'dig.php' Remote Command Execution Vulnerability (SecurityFocus Vulnerabilities)

Conficker Infection Analysis Turns Spotlight on Number of Compromises (E-Week Security)

Brief: NSA oversteps relaxed wiretapping laws (SecurityFocus News)

Texas and NC Legislators Address Computer Forensic Specialist Licensing Question (April 2009) (SANS Newsbites)

Online Guestbook Pro (display) Blind SQL Injection Vulnerability (milw0rm)

Trojan in Pirated Mac Software Helped Create First Mac Botnet (April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet.......

Verizon Business's 2009 Data Breach Investigations Report (April 14 & 16, 2009)

According to Verizon Business's "2009 Data Breach Investigations Report," the number of records compromised in the breaches it examined in the last year is greater than the totals of the four previous years combined.......

US Sentencing Commission Rejects Notion That Proxies are Evidence of Sophistication (April 15, 2009)

The US Sentencing Commission has rejected a proposal that could have increased prison sentences for those found guilty of committing computer crimes with the use of proxy servers.......

Pirate Bay Verdict In: Guilty (April 17, 2009)

A court in Stockholm has found four men guilty of breaking Swedish copyright law for their involvement with the Pirate Bay website.......

Two Indicted in Login Credential Theft and Abuse Case (April 16, 2009)

Two programmers have been indicted in Seoul, South Korea for breaking into websites and stealing personal information belonging to 2.......

Man Arrested for Stealing Proprietary Source Code (April 14, 2009)

The FBI arrested Yan Zhu, also known as Westerly Zhu, for allegedly providing proprietary source code to the Chinese government.......

Five Arrested in Romania in Connection with Data Theft Scheme (April 14, 2009)

Romanian authorities and the FBI worked together on a data theft case that culminated in the arrest of five people in this country.......

College Student Earns Prison Sentence in Failed Grade Changing Scheme (April 14 & 15, 2009)

A Florida college student has been sentenced to nearly two years in prison for his part in a failed scheme to change his own grades and those of others on the Florida A & M University computer network.......

Western Australia State Government IT Systems' Security Found Wanting (April 15, 2009)

A report from Western Australia's Auditor General Colin Murphy says the state government's IT systems have serious security shortcomings.......

Texas and NC Legislators Address Computer Forensic Specialist Licensing Question (April 2009)

Proposed legislation in Texas would require that computer forensic specialists keep on file statements of ownership for computers they examine; those working for their own employers would be exempt from the requirement.......

Oracle's Quarterly Patch Release Includes 43 Fixes (April 15 & 16, 2009)

Oracle's most recent quarterly patch release includes 43 fixes for vulnerabilities in a variety of products, including Oracle database versions 9i, 10g and 11g, Oracle Application Server, Oracle E-Business Suite, PeopleSoft Enterprise Human Resources Management System and Oracle WebLogic Server and Portal.......

Microsoft's April Security Update Comprises Eight Bulletins (April 15, 2009)

On Tuesday, April 14, Microsoft released eight security bulletins to address 23 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer (IE), and Microsoft Forefront Edge Security.......

Amazon Won't Allow Phorm to Scan its Pages (April 15 & 16, 2009)

Amazon UK has announced that it will not allow Phorm, the targeted online advertising technology, to scan its websites for content to use in its personalized advertisements.......

Cyber Thieves Profits Falling - Too Much Success

Interesting analysis by Brian Krebs at WashingtonPost.......

Jericho Forum Issues Best Practices For Secure Cloud Computing

"Cloud Cube" model provides criteria for evaluating online services model, provisioning

Rail union ballots for strike over fingerprints
Hands off our dabs

Eurostar cleaners are considering strike action over changes to working practices which mean they must provide fingerprints when they clock on or off.…

Hackers stuff ballot box for Time Magazine's top 100 poll
'World's most influential' list is mooted

Time Magazine's poll of the 100 most influential people has been hacked by a motley band of online troublemakers who have managed to manipulate the top 21 names so their first letters spell "marblecake, also the game."…

Amazon CSRF "hack" in detail?

By Robert A. on IndustryNews

RSnake recently posted an entry linking to the write up on how a Cross-Site Request Forgery flaw in amazon was used to get Gay and Lesbian books banned from amazon's site via their reputation system. From the person "Now from here it was a matter of getting a lot of people...

FBI CIPAV Spyware Snaring Extortionists and Hackers for Years

By Robert A. on Worms

"A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, newly declassified documents show. First reported by Wired.com, the software, called a "computer and internet protocol address verifier," or CIPAV, is...

StealthMBR gets a makeover

By Rachit Mathur on Rootkits and Stealth Malware

New variants of the StealthMBR trojan, aka the Mebroot rootkit, have recently been spotted in the wild. These new variants are significantly different from earlier ones. StealthMBR has arguably been dubbed the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter

Chris Wysopal: Good Obfuscation, Bad Code

Brief: NSA oversteps relaxed wiretapping laws

Google to defend the cloud at RSA Conference

By Neil Roiter

Eran Feigenbaum, director of security for Google Apps, is participating in a panel at the 2009 RSA Conference, "Cloud computing – secure enough for primetime today?"

Speaking of Incident Response

By Richard Bejtlich

In my last post I mentioned I will be speaking at another SANS IR event this summer. I just noticed a post on the ISC site titled Incident Response vs. Incident Handling. It states:
Incident Response is all of the technical components required in order to analyze and contain an incident.
Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.

That's not right, and never was. I tried pointing that out via a comment on the ISC post, but apparently the moderators aren't willing to accept contradictory comments.
Incident response and incident handling are synonyms. If you need to differentiate between the role that does technical work and one which does leadership work, you can use incident response/handling for the former and incident management for the latter.
Ten years ago I took a course at CERT called Advanced Computer Security Incident Handling for Technical Staff. The class covered technical methodologies for responding to and handling incidents. The successor to that class is Advanced Incident Handling. Notice that CERT also offers the CERT®-Certified Computer Security Incident Handler certification. To CERT, incident response and incident handling are synonyms. If anyone should understand incidents, it's CERT.
I think SANS is the organization that needs to examine how it uses the term incident handler or incident handling. The GIAC Certified Incident Handler (GCIH) designation is 83% inappropriate. How do I arrive at that figure? If you review the day-by-day course overview you'll see that only one day, the first, involves Incident Handling Step-by-Step and Computer Crime Investigation. The next four days are Computer and Network Hacker Exploits, with the sixth day being an open lab. So, 5/6 of the class has little to nothing to do with incident response/handling.
This is a problem for three reasons. First, I have met people and heard of others who think they know how to "handle incidents" because they have the GCIH certification. "I'm certified," they say. This is dangerous. Second, respondents to the latest SANS 2008 Salary Survey considered their GCIH certification to be their most important certification. If you hold the GCIH and think it's important because you know how to "handle incidents," that is also dangerous. Third, SANS offers courses with far more IR relevance than that associated with GCIH, namely courses designed by Rob Lee. It's an historical oddity that keeps the name GCIH in play; it really should be retired, but there's too much "brand recognition" associated with it at this point. If you want to learn IR from SANS, see Rob.
To be fair, the title for the course which prepares students for the GCIH is Hacker Techniques, Exploits & Incident Handling. Putting IH at the end does list the subject in the proper context. I will also not deny that one should understand hacker techniques and exploits in order to do incident response/handling, but that knowledge should be its own material -- something to know in addition to the skills required for IR. Also, track 504 is really good; I remember it fondly, before it had that label. The material is kept fresh and the instructors are excellent.
The bottom line is that incident handling and response are synonyms, and those who think they are certified to do incident handling and response via GCIH are kidding themselves.

iWork Trojan horse may be turning Macs into zombies

Over the years, Mac users have been lucky enough that the word "zombie" only conjures up the shambling brain-craving hordes of the undead in movies like Shaun of the Dead, but Windows users have long been dealing with the menace of zombie botnets--networks of PCs corrupted by malware into vectors for malicious attacks. Now two researchers claim to have discovered the first Mac zombie botnet in existence and have published a paper in Virus Bulletin (subscription required).

New Twitter worm targets celebrities

A worm referencing celebrities such as Ashton Kutcher and Oprah Winfrey is rapidly spreading across microblogging site Twitter, security firm Sophos said on Friday.

Twitter teen hacker hired by Web app developer

An Oregon-based Web application developer Friday confirmed he has hired the teenager who admitted attacking Twitter with several different worms last weekend.

First Mac OS X botnet activated

The first botnet created with Mac computers running OS X software has been activated, according to reports filtering out across the Internet.

Mortgage, Conficker, Tax Day malware spams rule the roost

Since the shutdown of hosting company McColo in mid-November 2008, spam volumes have slowly made their way back to "normal," said internet security software company Symantec in its April 2009 monthly spam report.

Google offers top tip to help beat bots

Google has put a new spin on the CAPTCHA, a way of helping Web sites distinguish between human visitors and bots: It wants people to tell it which way is up in a series of randomly rotated images, a task that humans find easy and computers difficult.

Researcher offers tool to hide malware in .Net

A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft's .Net framework on Windows computers.

Third annual scare story about the national power system

As far as the headline writers at the Wall Street Journal were concerned the battle was over and the U.S. electricity grid was under control by the enemy -- "Electricity Grid in U.S. Penetrated by Spies."

Court blocks Web streaming order in music piracy case

In a victory for the Recording Industry Association of America (RIAA), a federal appeals court in Boston Thursday overturned a ruling by a trial judge that would have allowed some courtroom proceedings in a high-profile music piracy case to be streamed live over the Internet.

NHS in move to stem data breaches

The U.K. has made a start at shedding its reputation as a data breach hotspot with the news that 100 hospitals are to start using encrypted USB sticks from Swedish company BlockMaster.

NETGEAR Delivers Unparalleled Security and High Performance with New Line of UTM Security Appliances for Small Businesses

The Great Brazilian Sat-Hack Crackdown

By Marcelo Soares

CAMPINAS, Brazil — On the night of March 8, cruising 22,000 miles above the Earth, U.S. Navy communications satellite FLTSAT-8 suddenly erupted with illicit activity. Jubilant voices and anthems crowded the channel on a junkyard's worth of homemade gear from across vast and silent stretches of the Amazon: Ronaldo, a Brazilian soccer idol, had just scored his first goal with the Corinthians.

It was a party that won't soon be forgotten. Ten days later, Brazilian Federal Police swooped in on 39 suspects in six states in the largest crackdown to date on a growing problem here: illegal hijacking of U.S. military satellite transponders.

"This had been happening for more than five years," says Celso Campos, of the Brazilian Federal Police. "Since the communication channel was open, not encrypted, lots of people used it to talk to each other."

The practice is so entrenched, and the knowledge and tools so widely available, few believe the campaign to stamp it out will be quick or easy.

Much of this country's population lives in remote areas beyond the reach of cellphone coverage, making American satellites an ideal, if illegal, communications option. The problem goes back more than a decade, to the mid-1990s, when Brazilian radio technicians discovered they could jump on the UHF frequencies dedicated to satellites in the Navy's Fleet Satellite Communication system, or FLTSATCOM. They've been at it ever since.

Truck drivers love the birds because they provide better range and sound than ham radios. Rogue loggers in the Amazon use the satellites to transmit coded warnings when authorities threaten to close in. Drug dealers and organized criminal factions use them to coordinate operations.

Today, the satellites, which pirates called "Bolinha" or "little ball," are a national phenomenon.

"It's impossible not to find equipment like this when we catch an organized crime gang," says a police officer involved in last month's action.

The crackdown, called "Operation Satellite," was Brazil's first large-scale enforcement against the problem. Police followed coordinates provided by the U.S. Department of Defense and confirmed by Anatel, Brazil's FCC. Among those charged were university professors, electricians, truckers and farmers, the police say. The suspects face up to four years in jail, but are more likely to be fined if convicted.

First lofted into orbit in the 1970s, the FLTSATCOM birds were at the time a major advance in military communications. Their 23 channels were used by every branch of the U.S. armed forces and the White House for encrypted data and voice, typically from portable ground units that could be quickly unpacked and put to use on the battlefield.

As the original FLTSAT constellation of four satellites fell out of service, the Navy launched a more advanced UFO satellite (for Ultra High Frequency Follow-On) to replace them. Today, there are two FLTSAT and eight UFO birds in geosynchronous orbit. Navy contractors are working on a next-generation system called Mobile User Objective System beginning in September 2009.

Until then, the military is still using aging FLTSAT and UFO satellites — and so are a lot of Brazilians. While the technology on the transponders still dates from the 1970s, radio sets back on Earth have only improved and plummeted in cost — opening a cheap, efficient and illegal backdoor.

To use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHz range, and add a frequency doubler cobbled from coils and a varactor diode. That lets the radio stretch into the lower end of FLTSATCOM's 292- to 317-MHz uplink range. All the gear can be bought near any truck stop for less than $500. Ads on specialized websites offer to perform the conversion for less than $100. Taught the ropes, even rough electricians can make Bolinha-ware.

"I saw it more than once in truck repair shops," says amateur radio operator Adinei Brochi (PY2ADN). "Nearly illiterate men rigged a radio in less than one minute, rolling wire on a coil."

Brochi, who assembled his first radio set from spare parts at 12, has been tracking the Brazilian satellite hacking problem (.pdf) for years.

Brochi says the Pentagon's concerns are obvious.

"If a soldier is shot in an ambush, the first thing he will think of doing will be to send a help request over the radio," observes Brochi. "What if he's trying to call for help and two truckers are discussing soccer? In an emergency, that soldier won't be able to remember quickly how to change the radio programming to look for a frequency that's not saturated."

When real criminals use these frequencies, it's easy to tell they're hiding something, but it's nearly impossible to know what it is. In one intercepted conversation posted to YouTube, a man alerts a friend that he should watch out, because things are getting "crispy" and "strong winds" are on their way.

Sometimes loggers refer to the approach of authorities by saying, "Santa Claus is coming," says Brochi.

When the user's location is stable, the signal can be triangulated. That's how the Defense Department got the coordinates to feed Brazilian authorities in March's raids.

While Brazil may be the world capital of FLTSATCOM hijacking, there have been cases in other countries — even in the United States. In February of last year, FCC investigators used a mobile direction-finding vehicle to trace rogue transmissions to a Brazilian immigrant in New Jersey. When the investigators inspected his radio gear, they found a transceiver programmed to a FLTSAT frequency, connected to an antenna in the back of his house. Joaquim Barbosa was hit with a $20,000 fine.

A technician with Anatel, speaking on condition of anonymity, says the chief problem with ending the satellite abuse in this country is that U.S. and Brazilian authorities simply waited too long to start. Thousands of users are believed to have the know-how to use the system. After a bust, the airwaves always go quiet for a while, but the hijackers always return.

One week after "Operation Satellite," Brochi met with Wired.com at a gathering of amateur radio enthusiasts in a bucolic square in Campinas, about 60 miles north of Sao Paulo. Brochi switches on his UHF receiver and scans through the satellite frequencies.

It's relatively quiet now on the satellite underground, except for the static-like sound of encrypted military traffic. But eventually, a lone creaky voice cuts through. It's a man in Porto Velho, the capital of Rondônia, a day's drive north into the upper Amazon basin. He's making small talk with a friend in Portuguese. The satellite pirates are creeping back on the air.

More FBI Hacking: Feds Crack Wi-Fi to Gather Evidence

By Kevin Poulsen

The FBI's elite Cryptographic and Electronic Analysis Unit offers to help Pittsburgh agents "with a wireless hack" to access files on a suspect's hard drive. A newly released FBI document provides the first hint that the bureau has added Wi-Fi hacking to its investigative arsenal.

Mobile Devices a Headache for Enterprise Management

More smartphones and mobile workers expect enterprise network access, but the devices challenge unprepared IT groups.

Spyware Jumps in 2009

Pests increased 10 percent in the year's first quarter, with Trojans accounting for most of the new malware.

Are Hackers Working for the Mob?

A British study found organized crime is behind the vast majority of hacking attacks.

Malware Had a Great Year in 2008

Malicious code spiked in 2008, Symantec reports

Mac Exploit Enters System Through VMware

Fusion update plugs hole that would leave Mac owners open to hacking via Windows.

Hollywood's Victory Over The Pirate Bay Will Be Short-Lived

Sites like The Pirate Bay are like weeds -- when you try to kill one, they grow back even stronger.

New Twitter Worm Targets Celebrities

The worm hacks into Twitter profiles and automatically sends unauthorized posts

How Adobe Air Apps Work

Adobe Air's powerful tool set enables developers to create and deploy applications quickly to any platform.

Twitter Worm-Writer Gets a Gig

A Web application developer hires the teen hacker who crafted the Mikeyy worm for "the publicity."

The Pirate Bay Verdict and the Future of File Sharing

The pirate file-sharing site lost this (big) round, but we've been here before; the music isn't over.

iWork Trojan Horse May Be Turning Macs Into Zombies

Over the years, Mac users have been lucky enough that the word "zombie" only conjures up the shambling brain-craving hordes of...

Four Pirate Bay File-Sharers Found Guilty

A Swedish court finds four people involved in running The Pirate Bay file-sharing Web site guilty of being accessories to crimes against copyright law.

Five Steps to Ditching Malware

Security scams abound, but here are some practical ways to clean up the mess.

Should We Reward Hackers for Finding Flaws?

Hackers adept at finding vulnerabilities want to make a living with their skills, but selling exploits to the highest bidder will nurture malware.

The Pirate Bay Four Found Guilty

UPDATE: The court has sentenced them to a year in prison and ordered them to pay damages of 30 million Swedish kronor.
