July 31, 2010

Even security conferences suffer from vulnerabilities


Whoops, it looks like the folks who developed the registration website for the Blackhat security conference have a little security issue themselves. As Michael Coates reported, the website that is used to register for access to some of the live talks from the conference is vulnerable to a hack where an attacker could obtain free access to paid content.

For a fee the conference offers access to select talks that are streamed live. Well, Michael found a vulnerability where he was able to access the stream without providing his credit card. Oops.

The good news out of all of this is that the company that developed the website responded quickly to Michael's call and within 4 hours had a fix installed. Further, Michael followed responsible disclosure and did not disclose the issue until after the site was fixed.

July 15, 2010

Rootkit targeting embedded devices in SCADA systems?


A recent malware discovery has many of us security pros very concerned: rootkits targeting embedded devices. The discovery is a rootkit called Rootkit.TmpHider that came with a trojan that infects systems via USB drives. This in itself is not all that concerning; what *is* very concerning is that the driver files that make up the rootkit have a legitimate digital signature from... wait for it... embedded device maker Realtek. Worse, it appears to be targeted at SCADA control systems. Not good.

Several sites are discussing this new trojan that has rootkit technologies built into it: Wilders Security, The H-Security site, The Elder Geek.

Why are we concerned, you ask? These embedded devices are everywhere, controlling everything including critical systems such as water systems, power grids, etc. AND in a scary finding made by malware analyst Frank Boldewin of www.reconstructer.org, this rootkit has database queries that target WinCC SCADA systems by Siemens. That's bad news.

To add to this concern is the fact that these devices rarely get updated, if at all, so all bugs and vulnerabilities that existed when they were designed still exist. Furthermore, the trust model in these devices is usually quite open, making it very easy for worms to propagate.

Here's hoping that new embedded systems have stronger security built into them.

June 2, 2010

Using SQL injection to compromise your internal LAN



I just recently discovered this great post by web app security guru Rafal Los about how, via SQL injection, he was able to compromise an internal LAN (had he hit the button). Nice.

Check out Rafal's cool blog.

May 16, 2010

Replacement for Facebook?

I discovered an interesting project the other day where 4 software developers are embarking on a project this summer to develop an open source, distributed, privacy-aware social network. It sounds kind of like what Tor is for surfing, this network is for socializing. In the video on the main page they complain that they don't want a central hub handling their messages to their friends.

It's an intriguing project and one that has attracted quite a few supporters. I know this because they launched a donation website where one can donate to their project and receive certain benefits. They said they need at least $10,000 to fund the development of the project: as of 12:00 PM UTC on Sunday May 16 they have 4,493 backers who donated a total of $168,730. I wonder what they'll do with the extra cash.

One wonders if this will seriously compete with Facebook's 350 million users, or maybe it will get Facebook to fix their privacy policy, which has gotten a beating recently. Time will tell with this.

Check out the project here.

April 13, 2010

Call-For-Papers Info Sec Summit in October


I forgot to mention in my last blog post that we are accepting submissions from presenters and trainers for the Information Security Summit on October 11-13 and 14-15, 2010.

CFP submission deadline is May 15, 2010. We look forward to your participation.

http://www.informationsecuritysummit.org

April 9, 2010

8th Annual Information Security Summit Dates Announced

Dates have been announced for the 8th Annual Information Security Summit. This year's event will take place October 14-15, 2010 at Corporate College East in Warrensville Heights, Ohio. Pre-conference training classes will take place on October 11, 12, and 13. Corporate College East is located at 4400 Richmond Road between Harvard and Emery Roads in Warrensville Heights. The facility is easily accessible from Interstate 271.

Last year's event featured keynote talks from well-respected industry leaders Richard Bejtlich, Grady Summers, Joel Snyder, and John O'Leary; over 30 sessions; and attracted over 400 security professionals. The event was a huge success and we will be building on that this year.

Registration is open; take advantage of early-bird pricing of $250 before July 1, 2010.

http://www.informationsecuritysummit.org

December 29, 2009

Another Win for the Good Guys: Bye Bye Mega-D Botnet

I just read this great piece of news over at the Sunbelt Software Blog about a top 10 botnet. The botnet, called Mega-D, was said to have 250,000 bots and has been responsible for nearly 12 percent of the world's spam. Wow, this is a great win.

The takedown was coordinated by a researcher at FireEye who, working with others in the industry and Internet service providers, provided U.S. law enforcement with the information needed for the shutdown.

Kudos to the FireEye team and others involved on this win! Keep fighting the good fight.

Check out the Sunbelt Blog entry here.

December 18, 2009

Satellite Sniffing Software Used to Monitor Drone Video

According to the New York Times, insurgents in Iraq are using cheap satellite sniffing software to monitor the video feed coming from Drone fighter airplanes. This was discovered when laptops from captured insurgents were analyzed. The software they used is called Sky Grabber and costs only $26. It was designed to download music and movies off of satellite transmissions.

What's very disappointing with all this is that the Drones are not using encryption to secure the video feed. I've heard some reports that they aren't equipped to use encryption, which, if that's the case, is shameful. I don't see any good reason why we would want the insurgents to see the video data showing what the Drones are seeing. C'mon, encrypt the data, people!

Article here: http://www.nytimes.com/2009/12/18/world/middleeast/18drones.html?scp=1&sq=drone&st=cse

October 28, 2009

Local northeast Ohio security conference: Summit


It's been a long while since I've posted to my blog; it's been super busy lately. Apologies to my 3 readers - I promise to post more frequently.

This week I'll be at the 7th annual Information Security Summit. This is a 2-day conference held in northeast Ohio (this year it's in Warrensville Heights at Corporate College East) and features over 30 speakers from around the US covering security topics in the areas of governance/risk/compliance (GRC), threats, application security, incident response, network security monitoring, malware, wireless, open source tools, forensics, contingency planning, BCP, physical security, etc. A long list indeed. See complete agenda here.

My role at the Summit, along with several others, is to help organize, plan, and run the event. I will also be working the NEO Info Sec Forum booth. This is a group I founded 4 1/2 years ago. If you are at the Summit, stop by our booth (in room 124 off the atrium) and say hi. Try your hand at a crypto challenge where you can win some cool prizes.

Hope to see you at the Summit.

Side Note: For those of you who can't make it check out the live stream of the conference that Security Justice Podcast is providing!

August 27, 2009

Banks Receive Fake Training CDs from NCUA...oh wait...

As reported by the SANS Internet Storm Center, some banks reported receiving what appeared to be letters and training materials from the National Credit Union Administration (NCUA). The training materials consisted of CDs.

Then you hear this over the PA system:

This was a test of the emergency broadcast system. This was only a test.

Closer inspection reveals that the letters were fake and the CDs contained malware. Pretty interesting scam involving physical world and computer security.

Ha. So Brent Huston from Microsolved contacts the SANS folks letting them know that he sent those as part of a penetration test his company was performing. Wow, good test, and it probably was successful. I bet some people put those CDs in their computers.

This was a great awareness event for training our users. I fully expect to see the criminals start using this technique more. :(