The other day  Apple released a privacy transparency statement discussing, among other things, how they can not decrypt iMessage content sent (or Facetime sessions) between two iOS devices. See their full statement below.

There were some other interesting tidbits to consider in their statement as well. For example regarding the recent PRISM leak, Apple does not mention anything about “direct access” to network gear versus just “servers.” Who cares about servers if you have a direct tap into all the network traffic?

The statement also discusses the number of National Security Letters (NSLs) and “other” law enforcement (LE) requests from the last five months as being between 4,000 to 5,000. Seems high but not too bad if you consider the thousands of LE jurisdictions throughout the country. Of course there could have also just been one of those “other” requests and 4,999 NSLs.

Finally, Apple closes with the comment about iMessage content mentioned above. The way the statement reads it seems to only apply to messages “in motion” between two devices. As most of us in security know … protecting data in motion is only half of the solution. Any system also needs to protect data at rest (e.g., files are servers or content stored in databases). So how does this statement apply to content that iMessage may store in such repositories?

And there is still the mysterious process that Apple goes through to acquire images of password-encrypted content on iPhones and other iDevices… With the proper legal filings and a few months of waiting, any LE entity can gain access to unencrypted iPhone content, including stored or deleted iMessages.

We’re not questioning their actual practices here … just asking them to give more details so privacy-conscience consumers can make more informed purchase decisions.

Apple’s Commitment to Customer Privacy

Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government’s “Prism” program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.

Like several other companies, we have asked the U.S. government for permission to report how many requests we receive related to national security and how we handle them. We have been authorized to share some of that data, and we are providing it here in the interest of transparency.

From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide.

Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.

Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

We will continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers’ privacy as they expect and deserve.

#####

 Today’s post pic is from Benzinga.com. See ya!

This is the case in the discussion that is going on right now (and please join) on the Box and SecureAuth initiated discussion on a more encompassing standard for ENTERPRISE mobile SSO.  (See Image #1 )

Image #1:  The proposed Native App Mobile Transfer Protocol (MTP) Spec - addresses how users can conduct SSO from a mobile app to Box and other mobile apps.

Discussion:  ”Native Authorization Agent”

 What is the Group Trying to Achieve?

Box was good enough to propose this problem to the identity/access comunity:

• How can we create a standard that will enable Service Provider’s, like Box, to support mobile App SSO from a “native” mobile app?

E.G. Box wants to be collaborative – they want to be able to offer convenience, flexibility and security to the enterprise who wish

• To have their users log on with their enterprise-held (A.D. and other) authentication credentials
• Enforce 2-Factor if they wish
• Achieve SSO into the Box Mobile app
• Achieve SSO into other mobile apps (that conform)

Sound Laudable – What Has the Group Proposed?

Yeah – it’s pretty cool.   Look, yourself, at the group submission for the standard:

   SecureAuth & Box “Native Mobile App Authentication & Authorization Mobile Transfer Protocol (MTP) Specification

Let’s Give Credit Due…

A special round of credit to our friends at Box,  Tom Carpel and Greg Curtis, who worked with our team to review the details.   Chris Hayes, SecureAuth’s Chief Solution Architect for initiating the discussion.   And of course to Robert Phillips, SecureAuth’s Director of Pro Services – for all his painstaking efforts for drafting this proposal.

Get enrolled in the SecureAuth Mobile  quick-start program - and join the fun!

Please contact us for more information!

—

Garret Grajek is CTO and the technical founder of SecureAuth.   SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.

Get the very latest news all in one place. Become a Facebook fan of RSA Conference. http://on.fb.me/p1hr8l

Stay up to date with our webcast series: http://rsac.me/365-webcasts

The latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Other, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

     Firms Take 10 Hours to Spot Data Breaches, Mcafee Finds

http://www.cio.com/article/735080/Firms_Take_10_Hours_to_Spot_Data_Breaches_Mcafee_Finds

Just over a third said they would notice data breaches in a matter of minutes

     Purdue Students Charged with Hacking to Change Grades

http://www.esecurityplanet.com/hackers/purdue-students-charged-with-hacking-to-change-grades.html

The students used keylogging devices to uncover their professors’ passwords

     Most Data Breaches Caused by Human Error, System Glitches

http://www.csoonline.com/article/735078/most-data-breaches-caused-by-human-error-system-glitches

Malicious attacks, however, cause the most expensive breaches

     More Data on Privacy, but Picture Is No Clearer

http://www.nytimes.com/2013/06/18/technology/more-data-on-privacy-but-picture-is-no-clearer.html

Sometimes answers just lead to more questions

     Google Glass privacy concerns raised by international data protection authorities

http://www.pcworld.com/article/2042327/google-glass-privacy-concerns-raised-by-international-data-protection-authorities.html

“Fears of ubiquitous surveillance of individuals by other individuals…have been raised”

US, Russia to install “cyber-hotline” to prevent accidental cyberwar

http://arstechnica.com/information-technology/2013/06/us-russia-to-install-cyber-hotline-to-prevent-accidental-cyberwar/

“Agreement comes as tension builds with China over mutual hacking attacks”

The incoming email has the following subject, ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment with name <name>.zip, which contains a downloader file named <name>.exe. <name> stands for a random user name. After a user downloads and executes the executable file, he is presented with the message saying that “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was later successfully solved by executing the application from the email attachment.

Let’s look inside the executable file!

Unlike many other malware samples, which use various malware cryptors ( see an article about the interesting one), this malware sample does not use any cryptor. Instead, when observing the instruction flow, we notice many useless registry computations and memory operations, which make it harder to analyze the sample. All text strings and names are encrypted in the malicious file and decrypted on the fly, when needed. In the figure below, you can see many registry and memory operations from address 0x408a8c to 0x408aca, whose purpose is to make it difficult to understand the original function of the code.

Whenever I get a suspicious file, I start OllyDbg and begin analyzing the file. In the case of this sample, I loaded it in OllyDbg, made it run and the following error message box appeared.

Then I tried to figure out what could be wrong with the sample I just started to analyze. In the beginning, there is a loop with 0×109 = 265 iterations. In each iteration, a new thread is created.

Each thread executes its own thread function, in which it creates a manual-reset event object ( CreateEventA ), which requires the use of functions ResetEvent or SetEvent to change the event state. Later on, the function WaitForSingleObject with timeout 0×2710 = 10000 ms = 10 seconds makes the thread wait for setting the state of the event manually. If the state of the event is set or if its timeout expires, a DWORD value at addressOfProcedure is XORed with a certain value unique for each thread. These per-thread unique values are taken from arrayOfDwords table, which starts at address 0×422488 ( file offset 0x20a88 ).

An application then sets events for the four given threads, which causes function WaitForSingleObject to end immediately. DWORD at addressOfProcedure is then XORed with the four corresponding values from arrayOfDwords. After these four XOR operations, addressOfProcedure contains the address of function which will be called by the main program.

In our situation, the thread to be woken up are 0xbf, 0xd4x 0xd3x 0xf5. In arrayOfDwords, the thread unique values are stored at addresses
0x20a88 + 0xbf*4 = 0x20d84
0x20a88 + 0xd4*4 = 0x20dd8
0x20a88 + 0xd3*4 = 0x20dd4
0x20a88 + 0xf5*4 = 0x20e5c
from where we can get per-thread unique values, which after being XORed give us the following result:

0x9329c591 XOR 0xc3b12028 XOR 0x732eb78b XOR 0x23f618f2 = 0x00404ac0
Therefore the next address of execution will be 0x404ac0.

While 261 out of 265 created threads are still sleeping (and waiting for the event being set or timeout interval to elapse) just four threads are woken up, and these threads compute the function address which will be called. OllyDbg cannot handle this situation correctly, computes the wrong destination address and therefore displays the above mentioned error message. After 10 seconds, timeouts of all threads will elapse and addressOfProcedure will be modified to an invalid address value, however, it will happen after the program already jumped to address 0x404ac0 and DWORD value at addressOfProcedure is no longer important.

After executing the procedure from address 0x404ac0, the main program body begins. The program flow can be split into three main branches. At first, the program tries to find out, if it was executed with a command line parameter containing string WATCHDOGPROC. If yes, the left (red) branch is chosen. If not, the right (green) branch is executed.

If WATCHDOGPROC string in command line parameters was not found, then there is another branch asking if the name of the current executable is usfqvololjv.exe. If not, we take the left (red) branch.

In this (left) branch, the file copies itself into %APPDATA%\ltrhborczvnt\usfqvololjv.exe, executed itself, establishes persistence via registry key, displays the message “Your Facebook connection is now secured! Thank you for your support! Facebook” and terminates.

The whole process is repeated again, but now the condition where the current program name is compared with usfqvololjv.exe is satisfied. We can see that usfqvololjv.exe copies itself under another name tjsotyw.exe and executes it with commandline parameter “WATCHDOGPROC usfqvololjv.exe”.

Now it becomes clear that usfqvololjv.exe is a master process and tjsotyw.exe is a slave process.

The master process (usfqvololjv.exe) then continues into an internet communication loop, which generates traffic to seemingly legitimate websites. The URL address is always in format <WORD1><WORD2>.net/forum/search.php?email=<EMAIL_ADDRESS>&method=post

The only task of the slave process is to check if the master process is running. If not, it restarts the master process. Similarly, if the master process finds out that the slave process is not running, it restarts the slave process, so both processes keep running all the time, keeping an eye one on another.

Domain names are generated by an algorithm, which uses the value of the current time. It starts with obtaining the current Unix epoch time, which is a system for describing time, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), 1 January 1970. This number is then divided by 0×200 = 512. Time is then divided into 512 seconds = 8 minutes 32 seconds long time chunks.

Let’s look at a particular example. For the time interval between “Fri, 07 Jun 2013 12:45:52 GMT” and “Fri, 07 Jun 2013 12:54:23 GMT”, we get Unix epoch times between 0x51B1D600 and 0x51B1D7FF. After dividing any of the numbers between previously mentioned borders by 0×200 = 512, we get the following result.

The result (0x28d8eb) is then converted to its binary form and its last 15 binary digits are reordered (LSB bit of 0x28d8eb goes to the 3rd position, the second LSB bit goes to 9th position, etc…). From the newly reordered 15 binary digits, the first 7 binary digits form a number, which gives us an index of the first word in the table of words. The last 8 digits form another number, which gives us an index of the second word in the table of words. These two words are then concatenated and a generic top-level domain .net is appended. The following picture illustrates how this domain-generation algorithm works.

The table of words is constant and encrypted in the original file. There are exactly 384 words in this table. As I mentioned above, from the current time stamp, a 15 digit number is generated. From this number, the first 7 digits give us 128 possibilities (2^7), last 8 digits give us 256 possibilities (2^8), which makes a total of 128 + 256 = 384 words. If we choose one word from the first group and one word from the second group, it gives us a total count of 128 * 256 = 32768 possible domains, which may be contacted.

However, the domain-generation algorithm does not try to connect to only one website withing a given 8.5 minute time chunk. It tries 0×55 = 85 domains for numbers following 0x28d8eb, i.e. 0x28d8eb, 0x28d8ec, 0x28d8ed, 0x28d8ee … 0x28D93f. When all 85 possibilities are tried, then the time stamp is taken again and the whole process repeats.

When a payload is downloaded after a successful connection to the generated domain, it is then written to %TEMP% directory, named g52<random>arg.exe and executed.

Conclusion:

Obfuscation does not need to be done with a cryptor. Filling the code with many useless registry and memory instructions can do the same job.

Malware authors often use domain-generation algorithms. If malware connects to just a few websites to get updates or payloads, it is easy to block these domains and make malware ineffective. However, in the case of generating many domain names via domain-generation algorithms, it is often impossible to block all the randomly generated domains, either because of their huge number or because of the fact, that some of these domains may be legitimate websites.

SHAs:
EC8B88A96D1B4917334BDAD7F2E580EAD4D9B71D111A1591BB5B965DA3E27CF6

Now the big question: do we believe them? If we don't, what would it take before we did believe them?

Media and news organizations, like the New York Times and Wall Street Journal, experienced data breaches due to spear fishing and malware.  According to various news articles, certain journalists were targeted based on their story coverage but more interesting to me is the fact that the anti-virus along with the IPS/IDS in place failed to catch the malware.  Unless there is a signature in place for a known piece of evil code, that demon will make it’s way through.

Financial institutions up to and including the Federal Reserve were breached.  While many bank hacks are driven by monetary gain, sometimes they are the targets of political activists.  Humans are very passionate about their beliefs and like to express those feelings.  There have always been protesters and activists – some write letters, some picket on the sidewalk, some throw rocks and with the advent of the internet, now you can protest by creating digital havoc.  Instead of hoping that people boycott a particular entity, you can simply take it out yourself so no one can get to the site. 

Social media networks continue to feel the heat from breaches.  Many social media sites are now deploying two-factor authentication to help reduce password exposures and increase verification checks.  Many news stories have talked about password usage and it’s good that two factor is being deployed…but,in many cases, it is only after the bad news hits the media.  Why wait?

To help organizations understand the various web threats, OWASP has released their Top 10 for 2013 (with changes from 2010 Edition):

• A1 Injection
• A2 Broken Authentication and Session Management (was formerly 2010-A3)
• A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration (was formerly 2010-A6)
• A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
• A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
• A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
• A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
• A10 Unvalidated Redirects and Forwards

Along with their Top 10 Mobile Risks:

• M1: Insecure Data Storage
• M2: Weak Server Side Controls
• M3: Insufficient Transport Layer Protection
• M4: Client Side Injection
• M5: Poor Authorization and Authentication
• M6: Improper Session Handling
• M7: Security Decisions Via Untrusted Inputs
• M8: Side Channel Data Leakage
• M9: Broken Cryptography
• M10: Sensitive Information Disclosure

These are guides to help organizations understand the threats but always make sure you understand you own risks and focus on mitigating those first whether they are on the OWASP Top 10 or not.  Then make sure you’re covered on the rest.

So far, 2013 has been full of breaches that empties an organization’s information.

ps

Related:

• Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
• US Federal Reserve confirms it was hacked during the Super Bowl
• Does Lax Network Security Lead To Cyber Attacks: 2013’s Top Hacks
• Twitter introduces ‘two-factor authentication’ to stop password hacking
• Motorola shows off tattoo and swallowable password hardware
• OWASP Top 10 2013 – PDF
• OWASP Mobile Security Project

Connect with Peter:	Connect with F5:

First, we need to extract the firmware we have. I am using a router that is running dd-wrt, so I figure that would be a good firmware to get and rip apart. First, we run the command ./extract-firmware.sh filename. This will decompress the firmware and put it nicely into a "fmk/" directory.

Next we extract the dd-wrt gui (web sites) by typing ./ddwrt-gui-extract.sh:

We then find our target page Info.htm, open it and add in our XSS beef hook:



We package it all up and with ./ddwrt-gui-rebuild & ./build-firmware. When its done, we flash our router with the new firmware. When we come back to the page... our browser is now hooked and expoited.

Myth #5

Some of the South Korean legislation

If you want to learn more about that, Carnegie Mellon University did a follow-up study, and it’s very enlightening. But they repealed it because that’s 0.9%, and statistical significance is 5% or greater, and they didn’t even have that. So it turns out that pushing a certain type of name on people – maybe they’re douchebags to begin with, right, like the Violentacrez guy?

Chinese approach

And you can see here I bolded it: “Network service providers that handle website access services for users, handle fixed telephone, mobile telephone, and (I like this) other surfing formalities…” It’s really strange phrasing, maybe it’s lost in translation, because it was originally a Chinese law, but I’m not sure what a surfing formality is. And at the end there: “Require users to provide real identity information.”

Californian legal issues

Section 290.014(b): “If any person who is required to register pursuant to the Act (that is anybody who is a sex offender, basically) adds or changes his or her account with an Internet service provider or adds or changes an Internet identifier, is required to send that notification of this to law enforcement within 24 hours of said registration.”

Interesting, isn’t it? How easy is that to enforce? Anyone think that’s easy to enforce? The day after, on November 7, the EFF filed a lawsuit against that. An injunction was granted as of January 11, 2013.

It’s worth noting, by the way, that in the injunction grant one of the cases that was cited was the case McIntyre vs. Ohio Elections Commission from 1995. There’re basically 3 or 4 cases, or case law period in the US regarding anonymity. If you look in Wikipedia for Anonymous, they have this section on case law, and that’s, I think, the most recent – the others are from the 1940s and 1950s, or 50s and 60s or something.

The thing that I really like, I think it was Justice John Paul Stevens who said this, but one of the remarks in the 1995 case law: “Anonymity is a shield from the tyranny of the majority.” Look at Publius – that’s what our country is based on and founded on.

German Telemedia Act

One of the issues we’re running into here is: corporations can set policies, right? But we also have law, and laws are agreed upon by the people, in theory, of represented democracy. What happens when what corporations want to do interferes with the written law of the land? At what point does that intersection meet? I think this is going to become a bigger and bigger issue as more things come online.

This is why all of you guys should get involved in NSTIC. Oh, it turns out Germany lost that case, interesting! So they said it is not a German law because Facebook is not sitting in Germany, so that was the day before yesterday? Ok, I was getting drunk at Shmoocon, I missed this. Wow, that’s fascinating, because there’s this juxtapose: we have a legal institution which people vote, you know. You can’t vote for Facebook, can you? Oh yeah, you can elect not to use it, which is why I don’t. They call it “liking.”

Moving forward

So, if you’re worried about not wanting your legal name to be involved in something like this… I think I’m the first pseudonym actually to be an official member of NSTIC. In fact, I took this screenshot last night to just demonstrate it. It turned out there was somebody else – Snortly, I don’t know who that is. But yay – apparently they saw my Twitter pleas for it and they went ahead and registered with a mononym. So, we’re making a difference.

That’s it, any questions? 5 minutes, I’ll take questions.

So, somebody who is staying totally within the line, not doing anything wrong according to social standards and norms, is it necessary for them to have a pseudonym, is that what you’re asking? I think it depends on the context they’re in, in my opinion, people have the right to choose their own names.

That’s a fantastic question, I’m so glad you asked that. So let me repeat the question just to make sure I have it right: somebody like the Violentacrez guy, if their legal name is not known, how do we build an accountability? If somebody’s doing something illegal or amoral, depending on the social standards of morality, how do we find them?

Two answers to that; fantastic question. The first is that if you’re using the Internet, there’s a bunch of ways to find who you are: you could use it by IP address and access times. I can get more technical, but how many people here know how to find somebody if you don’t know their name? So it is possible, you’ve got a bunch of geeks around here who are happy to help enforce good.

On the other hand, and I’m going to cite William Binney, who is the NSA whistleblower, and in his talk – he gave a keynote at the Hackers on Planet Earth conference last year – he said that names are a really bad way to identify who somebody is. How many Dave Browns are there in the world? If you have like ten Dave Browns, how many of them are going to start using nicknames or pseudonyms and a unique identifier? There’s other ways, like habitual patterns, the schedule somebody keeps, where they work, things like that. There’s all kinds of ways you can identify somebody; an IP address is one of them.

4chan has actually run into issues with this. One of the things that Chris Poole has spoken out about is making sure that if somebody posts child pornography or something illegal on 4chan’s /b/ that they make sure that due process comes to them. Does that answer your question?

What am I really up to? Yes, Pinky, I’m trying to take over the world.

Read previous: An Analysis of the Online Identity Battleground 6: Names Policies of Google and Facebook

Episode 0x2C

This is the 49th time!

All I can hear is the voice of Edward R. Rooney saying “Nine Times”… well, that and the 49th parallel (which is 6 parallels north of where 3/5ths of the gang is hanging out). No one reads the notes so I know that I’m just talking to myself here. It’s probably bad when you start talking to yourself. Perhaps.

1. Upcoming this week…
2. Lots of News
3. Breaches
4. SCADA / Cyber, cyber… etc.
5. finishing it off with DERPs/Mailbag and
6. There will be a DEEP DIVE
7. And there are weekly Briefs – no arguing or discussion allowed

And if you’ve got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don’t need to speak for anyone except themselves. Ok? Good.

In this episode:

• News and Commentary
1. OWASP Top 10 for 2013 is out
2. What the NSA doesn’t have: iMessages and FaceTime chats
3. Woz: This is not my America
4. This is some cold ass James Bond shit
   (Countries are upset)
   (they even setup fake internet cafes)
5. NSA leaks hint Microsoft may have lied about Skype security
• Breaches
1. Head of U.S. Nuclear Security Agency hacked by “Guccifer”
• SCADA / Cyber, cyber… etc
1. @c7five tweets on Cyberwar
2. US FDA calls on medical device makers to focus on cybersecurity
3. Trove of medical devices found to have password problems
• DERP
1. Zamfoo gets a derp for responsible fail disclosure (also in the mailbag from Graham S)
   (and a reddit thread)
2. TSA agent tells teen to ‘cover herself’
3. Sys-admin selfies courtesy of The Grugq
• Mailbag

1. I’d like to start by saying that I thoroughly enjoy your podcast. It’s a great combination of security news, comedy, and tragedy. It’s great, keep it up. I’m emailing about your podcast to you rather than posting on the appropriate Facebook page, as I find email to be a preferred method of communication. I hope that’s okay.

   Now, my question. I’m a young, ambitious Engineer who finds the topic of Network Security to be exciting and interesting. I work in a network security team in a large company and I am always trying to expand my skills and abilities. Simply put, I’m wondering what advice you have for an inspiring individual in this industry. Also, what resources did you rely on when you were starting out. What resources do you find to be the most valuable now?

   Specifically I struggle with finding friends, co-workers, or online buddies that share the same career interests and passion. After I spend a day troubleshooting a particular security issue I want to have a group of individuals I can spit ball ideas with. I find myself feeling like I am in a silo. This is particularly odd because I know for a fact that the world is full of brilliant network security minds. I’m thinking of attending one of the upcoming security conferences this year just to make some like minded friends. It’s just annoying/expensive because I’d likely have to fly to the US. Any guidance that you could provide would be helpful.

   Anonymous By Request

• The Deep Dive – SETEC ASTRONOMY
1. We Should All Have Something To Hide
• Briefly – NO ARGUING OR DISCUSSION ALLOWED
1. Disconnect raises 3.5mil
2. Pimp My Own Matt – Doing a webinar 6/20
3. CycleOverRide – Security Nerds on Wheels
4. Sixth Annual Movie-Plot Threat Contest Semifinalists
5. Hardvard Business Review talks infosec
6. I’m hiring
7. Loon
8. How to make The Internet (from The IT Crowd)
• Liquidmatrix Staff Projects
1. The Liquidmatrix Vegas Party- You’ve asked when and where – that’d be “We don’t know yet” and “The week of Blackhat/BSides/DEFCON”. You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org.
2. The BSidesLV Ticket Give-away-

   Three tickets up for grabs:

   • best original piece of artwork incorporating a security rock star; bonus points for using a unicorn
   • best rap song about a major breach
   • best poem describing a vendor DERP

   Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I’d suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org

3. The Security Conference Library
4. Contribute to the Strategic Defense Execution Standard (#SDES) and you’ll be Doing Infosec Right in no time.
5. If you’re interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
6. Upcoming Appearances: James Training (with Rich Mogull) and Matt Speaking at BHUSA. Dave is attending Black Hat, DEF CON, Secure Asia in Manila and Security Congress 2013 in Chicago. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013′s return of the (canadian) fail panel.
• In Closing
1. Word of the Week – Cybercentrifuge: vendors spinning stories fast enough to refine uranium. @jack_daniel
2. Movie Review – Time to see Hackers again. And read The Conscience of a Hacker again. Trust me.
3. everyday is CTF! go set up a team
4. Signing up for a SANS course? Be sure to use the code “Liquidmatrix_150″ and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course
5. Seacrest Says: Double ROT13 is NSA proof

Download the MP3

Listen:

Subscribe to us using plain old

Also, we’re now available through

Creative Commons license: BY-NC-SA

The post Liquidmatrix Security Digest Podcast – Episode 2C appeared first on Liquidmatrix Security Digest.

Stay up to date with our webcast series: http://rsac.me/365-webcasts

Subscribe to RSA Conference podcasts in iTunes: http://rsac.me/iTunes-Podcasts

The post Agile Testing appeared first on BruteForce Lab's Blog.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

To proceed with EMET, download the program and install it (if you are upgrading from an older version of EMET, uninstall the older version first before proceeding with the EMET 4.0 install). This new version of EMET gives users an option to allow a pre-set group of applications to be automatically protected by EMET, including Java, Adobe Acrobat, Internet Explorer and any Office apps that may be installed. Alternatively, users can start from scratch and select their own applications to put behind EMET.

To wrap EMET’s protection around a program — say, Mozilla Firefox — launch EMET and click the “Apps” button in the upper portion of the main EMET window. Selecting the “Add Application” button in the next box that brings up a program selection prompt; browse to C:\Program Files (x86)\Mozilla Firefox, and then add the “firefox.exe” file. It should be okay to accept all of the defaults that EMET adds for you.

While you’re at it, add the rest of your more commonly used, Internet-facing apps. But go slow with it, and avoid the temptation to make system-wide changes. Changing system defaults across the board – such as changing ASLR and DEP settings using the “configure system” tab – may cause stability and bootup problems.

I’ve been using EMET on a 64-bit Windows 7 system and phasing in some of my most-used applications on-by-one with the “configure apps” button just to make sure the added security doesn’t crash the programs.  Microsoft’s support forum has a useful thread on applications that may not play nice with EMET’s default protection settings.

For example, a handful of applications will simply crash or not work with EMET’s “export address table access filtering” (EAF) mitigation turned on. Skype is one well-known example here. I’ve also experienced issues with running EAF on Google Chrome.

This is really where EMET’s unobtrusiveness can be a blessing and a curse. Unlike some security and antivirus tools that periodically pop-up annoying warnings or notifications to let you know they’re still there and doing their job, EMET is likely to do its job unnoticed by most users. I say curse because on one occasion (I can’t recall the name of the application at issue) I spent a few days scratching my head over an app that wouldn’t work properly, only to remember later that I’d set it to use EMET months before.

If you have questions about EMET or run into issues with the program, check out the Microsoft support page for EMET, which lets you to submit questions to the user community if you don’t see your problem addressed in a previous support thread.

The chart above indicates which system- and application-specific protections in EMET 4.0 are available for each supported version of Windows. Visit this link to download EMET 4.0, as well as a detailed user guide on the software.

In remarks to the House Intelligence Committee, Alexander said: “In recent years, these programs, together with other intelligence, have protected the US and our allies from terrorist threats across the globe… helping prevent potential terrorist events over 50 times since 9/11.”

The NSA director was referring to secret surveillance programs whose existence was revealed earlier this month by former CIA employee Edward Snowden, who leaked details to The Washington Post and The Guardian.

Alexander said one of the foiled attacks was “a nascent plot to bomb the New York Stock Exchange.” This plot was detected through the monitoring of a known extremist in Yemen, who was in contact with an individual in the US.

Snowden, who fled to Hong Kong,  has rejected suggestions that he is trying to trade information in return for asylum in China. “This is a predictable smear that I anticipated before going public, as the US media has a knee-jerk ‘Red China!’ reaction to anything involving Hong Kong or the People’s Republic of China,” he said in an online interview hosted by The Guardian.

“It is intended to distract from the issue of US government misconduct,” Snowden said. “Ask yourself: if I were a Chinese spy, why wouldn’t I have flown directly into Beijing? I could be living in a palace petting a phoenix by now.”

Yahoo on Monday (June 17) became the latest internet giant to reveal details of data requests it had received from the US government. Apple, Facebook and Microsoft have made similar revelations since Snowden leaked documents about the PRISM internet spying program.
“We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it,” Yahoo CEO Melissa Mayer said in a statement.

“To that end, we are disclosing the total number of requests for user data that law enforcement agencies in the US made to us between December 1, 2012, and May 31, 2013.  During that period, we received between 12,000 and 13,000 requests, inclusive of criminal, Foreign Intelligence Surveillance Act (FISA), and other requests.  The most common of these requests concerned fraud, homicides, kidnappings, and other criminal investigations.”

Mayer said Yahoo could not legally divulge FISA request numbers because they were classified. “However, we strongly urge the federal government to reconsider its stance on this issue,” she said. “Democracy demands accountability.  Recognizing the important role that Yahoo can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year.  We will refresh this report with current statistics twice a year.”

Website Security Statistics Report 2013

Clerkendweller

The Onion, the Internet’s favorite parody news site, was recently the victim of a hack that compromised their corporate Google Accounts as well as their Twitter accounts. They were hacked by the Syrian Electronic Army (SEA). [You may have heard of the SEA.]  They’re the group that hacked into the AP Twitter account and announced that two bombs went off in the White House injuring President Obama.  This news sent the DOW plummeting; erasing billions of dollars from the exchanges. [Yeah, those guys.] Using the same method, phishing, the SEA orchestrated a three-staged social engineering attack that yielded access to the The Onion staff Google accounts and Twitter accounts. Let’s take a look at how they did it.

Step one: SEA sent out a limited-audience phishing email targeted at the reporters and writers. The email looked like an email from the Washington Post encouraging the recipients to review the linked article.

Instead of linking to a legitimate Washington Post article, the link presented users with a prompt to enter their Google Account credentials. Because this email was sent from an unknown outside address, not a lot of people clicked on it (let alone enter their credentials), but one did. That’s all it takes.

Step two: Using the Gmail account of the person who entered their credentials, the hackers sent the same email out to different members of The Onion staff. Because this email came from a presumed trusted source, an Onion employee, it had a much higher success rate. One of the users who entered credentials had access to all the company’s social media accounts. Now the hackers had access to all The Onion’s social media.

The Onion IT sent out important emails requiring everyone to reset their passwords. What The Onion staff didn’t realize is the hackers had access to another, previously unknown account and were monitoring things.

Step three: When the hackers saw the password reset email go out, they immediately sent another phishing email, to all staff except IT, with a password reset link! This duplicate message compromised even more accounts and the SEA began posting editorials under The Onion’s Twitter account. The final step was a forced reset of every Onion employee account.

Consistent, real world education is the only way to protect your organization from the threats of social engineering. Once again we see another high profile hack, perpetrated by sophisticated hackers, utilizing the tried and true methods of social engineering… a relatively low-tech approach.

The lack of tangible results regarding cyber espionage is not surprising and, despite hopes that confronting mainland China diplomatically might result in changes to their behavior, it may be too early in this process to expect any real progress. There are three main reasons why Beijing will likely not submit to U.S. diplomatic pressure to curtail cyber espionage efforts in the short-term:

• Beijing appears to believe that positive attribution is not possible or, at the very least, provides a considerable amount of plausible deniability. This can be seen in Xi’s response when, even in the face of a direct accusation in a diplomatic setting, he sidestepped the issue and sought to paint the PRC as a victim. This approach mirrors that of PRC officials in the past and seems to be the official party line.

• The PRC is still probably studying the fallout over the accusations and has not yet decided on or sees the need for adjustments to its policies. Beijing is undoubtedly monitoring and analyzing the response and impact of U.S. accusations in real-time. As in past scenarios, such as their handling of the Taiwan issue in the late 1990s/early 2000s, it is likely that they are adhering to a “two steps forward, one step back” approach to see how far they can push the boundaries without suffering serious consequences. If the impact of these accusations does result in serious long-term economic or political damage, we can expect Beijing to make a more visible effort to curtail PRC-based CNO.

• Washington and Beijing have different visions for the future; cyber espionage is one of the obstacles that prevent these two visions from being compatible. While Washington has attempted to shape Beijing into a responsible global partner in its own image over the last decade, the PRC has its own vision for the future including former PRC President Hu Jintao’s “Peaceful Rise” and now Xi’s “China Dream.” Although Beijing does not openly advocate corporate espionage, this tool has and will likely continue to be a key component in allowing the PRC to achieve its long-range economic and technology goals in a timely manner. For that reason, Beijing probably will not be willing to give up cyber espionage easily and it would take more than moderate diplomatic pressure to make them change this position.

In this post Tim McCreight, the CISO of the province of Alberta, Canada, shares his insights on his organization’s move to a risk-based security program.

We began our conversation with the move from “security by compliance” to “security by risk.” I contend that many organizations are so focused on meeting the letter of regulations that they lose sight of the risks that the individual control mandates are intended to mitigate – what I call “insecure compliance.”

McCreight:  Unfortunately many organizations are checking off boxes on a compliance spreadsheet and assuming that they are secure. This check box approach leads to a major failing of examining “all” the technical and business risks associated with things that range from configuration of encryption to BYOD.

My organization has expanded the approach to assessing IT risks beyond tactical IT issues to include all business functions. This gives us a holistic view of our overall business and IT risk posture.

For example, on any project we begin by first asking business questions of the business leaders. We do this to understand what the leader believes the risks are associated with their request. Many times we see that a business leader’s perception of organizational and IT risks are nowhere near reality.

This starts a transformational education process that creates a common understanding of the information and process risks that are under their control. At the end of the day, as the CISO I need their insight as to what is important to the organization so that we can allocate our limited resources in the best way to protect those items that matter the most and pose the greatest risk.

Musthaler:  How are your business leaders reacting to your business risk-based approach?

McCreight:  It took a while for our leaders to realize that we are serious about risks associated with business processes. Now they understand the purpose behind the questions we ask of them.

BYOD was one of the first areas we applied an IT risk focus on business decisions. We asked, “What’s the purpose of your team using iPads? Are they in your day-to-day operations? What information do you use on these devices? Is this technology really the right fit?”

We left it open to them to answer the questions. As expected, the initial response was “Why are you asking us this?  All we want to do is increase productivity.” From here we began the education process.

Business leaders now anticipate our questions on business and IT risks and engage us early on. For example, with cloud implementations there is a heightened awareness around having sensitive information in the cloud. They may not know what controls are needed. But, they engage us to perform privacy impact assessments to have a better understanding of the risks, the controls needed, and the overall costs. All of this helps us as a team make better risk-based decisions.

Musthaler:  It appears that you have senior management endorsement. Unfortunately many organizations struggle with communicating IT risk at the C-level. How did you get management support?

McCreight:  Yes, many organizations face the “communications gap” you allude to. To that end, our approach truly benefits the entire organization. We look at the relationship between IT and businesses risks holistically and recognize every action has a risk, and that IT risks are not the only ones that must be addressed. Most importantly we present the issues in business context that our leaders understand. As a result, we now have senior management buy-in.

Musthaler:  Can you talk about the risk framework and technology you are using?

McCreight:  As we both know, risk management technology is not a panacea. It is a tool to gather information, document risks, and put structure behind the questions asked regarding risk.

One of the most important things this technology gives us is a view into the interdependencies within our IT operations and business units. With these tools, we easily catalog, measure, and communicate our risk posture.

As far as frameworks, risk management solutions have a series of authoritative sources and structures that can be adapted such as ISO, COBIT and virtually all the authoritative risk sources available on the market. As a result, our risk questions are geared to these frameworks. With these tools we can also apply criticality to assets and the areas that we are trying to measure so that we have a clear picture of our risk posture.

Musthaler:  If you could, what do’s and don’ts do you have for the readers and your peers?

McCreight:  Most importantly, know your business. What do I mean by this? I believe many CSOs see their roles as being a security officer only. In reality they are running a business unit as well and being accountable for the security over all of the business. To effectively manage business risk, you must know every aspect of the business.

Two, get to know your internal peers. You need both critical input and support from these leaders as you work to transform your organization to a risk-based approach to security.

Third, get to know senior management. You need both their business insights and their support.

Lastly, communication and education are critical for everyone from the C-suite to the line managers.

If you do not or cannot do these things, your move to an organizational risk view of security will be met with resistance and may ultimately fail.

via the indisputable logic of Randall Munroe at XKCD.

㎕

Flagging a legitimate user as malicious (false positive) results in the denial of service for legitimate users; conversely, identifying a malicious user as legitimate (false negative) may open the door for additional, undetected cyber-attacks. How then, do DDoS mitigation solutions distinguish between legitimate and malicious users?

Rate limitation is not the way to go

First, I’ll explain why outdated anti-DDoS solutions that base their protection on rate limitation methods cannot address this challenge.

The rate limit mechanism is based on a pre-defined, static threshold of traffic and has two main drawbacks:

1. It does not mitigate attacks until the attack traffic reaches the predefined threshold. This results in slow detection of attacks or failure to detect attacks below the threshold.
2. Once the rate based mechanism starts to mitigate suspected traffic, it impacts the quality of experience for all users, including legitimate ones. Not every increase in traffic rate is a result of an attack; there are other cases, such as flash crowd events, that look like attacks to outdated anti-DDoS solutions. As a result, the solution can mistakenly block legitimate traffic.

It is clear that outdated anti-DDoS solutions cannot distinguish properly between attackers and legitimate users. Advanced DDoS mitigation solutions deploy more sophisticated methods, such as behavioral analysis or challenge-response mechanisms to deal with this challenge.

Behavioral Analysis

Behavioral analysis follows application transactions and builds an understanding of the application in order to distinguish between legitimate and malicious users. A baseline application behavior is defined after considering both the amount and frequency of events.

During an attack, data is gathered and compared to the baseline behavior model. If a suspicious behavior is detected, a deeper inspection process is triggered, which analyzes application-level parameters and resolves whether the suspicious behavior is a result of a legitimate burst of application traffic or a result of a malicious application abuse.

For example, a PDF file in a certain website is normally downloaded 10 times per hour. If the same file is downloaded 1000 times per hour, an attacker may be involved, so further security measures must be taken.

Challenge Response

A challenge response (C/R) mechanism sends challenges to suspicious sources and based on the response, determines if the source is a Bot or a real user. An example of a challenge response mechanism is CAPTCHA, which requires the user to type letters and/or digits from a distorted image that appears on the screen. The CAPTCHA test prevents unwanted internet bots from accessing websites, since a normal human can easily read the CAPTCHA, while the bot cannot process the image letters.

To use the C/R mechanism, an attack mitigation system launches a series of queries to the source of a request in question, and according to the responses received, it decides whether to send an additional, more sophisticated challenge, or flag the source as a malicious user. C/R mechanisms use automated processes, and require no human intervention from the mitigation system or from the source. The intelligent usage of a C/R mechanism and network behavioral analysis can almost completely eliminate false positives, guaranteeing an excellent quality of experience for legitimate users.

In summary, anyone can rate limit the traffic to a specific application and prevent floods on the applications, but this will result in denying the service from your legitimate users, which was the original objective of the attackers. Only advanced anti-DDoS solutions can successfully distinguish between attackers from legitimate users during an attack and guarantee proper service to online customers.

Of course, if the government is trying to gather data about a particular suspect, keeping the specifics of surveillance efforts secret will decrease the likelihood of that suspect altering his or her behavior.

But secrecy at the level of an individual suspect is different from keeping the very existence of massive surveillance programs secret. The public must know about the general outlines of surveillance activities in order to evaluate whether the government is achieving the appropriate balance between privacy and security. What kind of information is gathered? How is it used? How securely is it kept? What kind of oversight is there? Are these activities even legal? These questions can't be answered, and the government can't be held accountable, if surveillance programs are completely classified.

This distinction is also becoming important as Snowden keeps talking. There are a lot of articles about Edward Snowden cooperating with the Chinese government. I have no idea if this is true -- Snowen denies it -- or if they're part of an American smear campaign designed to change the debate from the NSA surveillance programs to the whistleblower's actions. (It worked against Assange.) In anticipation of the inevitable questions, I want to change a previous assessment statement: I consider Snowden a hero for whistleblowing on the existence and details of the NSA surveillance programs, but not for revealing specific operational secrets to the Chinese government. Charles Pierce wishes Snowden would stop talking. I agree; the more this story is about him the less it is about the NSA. Stop giving interviews and let the documents do the talking.

Back to Daniel Solove, this excellent 2011 essay on the value of privacy is making the rounds again. And it should.

Many commentators had been using the metaphor of George Orwell's 1984 to describe the problems created by the collection and use of personal data. I contended that the Orwell metaphor, which focuses on the harms of surveillance (such as inhibition and social control) might be apt to describe law enforcement's monitoring of citizens. But much of the data gathered in computer databases is not particularly sensitive, such as one's race, birth date, gender, address, or marital status. Many people do not care about concealing the hotels they stay at, the cars they own or rent, or the kind of beverages they drink. People often do not take many steps to keep such information secret. Frequently, though not always, people's activities would not be inhibited if others knew this information.

I suggested a different metaphor to capture the problems: Franz Kafka's The Trial, which depicts a bureaucracy with inscrutable purposes that uses people's information to make important decisions about them, yet denies the people the ability to participate in how their information is used. The problems captured by the Kafka metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition or chilling. Instead, they are problems of information processing -- the storage, use, or analysis of data -- rather than information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but they also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives.

The whole essay is worth reading, as is -- I hope -- my essay on the value of privacy from 2006.

I have come to believe that the solution to all of this is regulation. And it's not going to be the regulation of data collection; it's going to be the regulation of data use.