Cyber Arms Intelligence Report for August 31st

Cyber War issues were in the news a lot last week. The Washington Post had a very interesting article titled “Pentagon’s cybersecurity plans have a Cold War chill”. Although the US working with allies gives the cyber arms race a Cold War-esque feeling, the government wants to harden our infrastructure and has created offensive cyber weapons as a path of deterrence to cyber attack.

It also mentions the threats that come with supplying the US with cheap electronics. “A U.S. laptop maker that once would have boasted that its components were assembled in 50 countries must now worry about 50 points where an intruder could plant malicious code. The Defense Department calls this problem ‘supply chain vulnerability.’”

The White House is trying to rein in 26 high-risk IT projects where costs are getting out of hand. There is also a little “whodunnit” action going on today: a British code breaker who helped the NSA intercept Al-Qaeda communications was found dead in his apartment.

An Army Colonel in Afghanistan was relieved of duty after criticising the military’s reliance on PowerPoint presentations. “For headquarters staff, war consists largely of the endless tinkering with PowerPoint slides to conform with the idiosyncrasies of cognitively challenged generals in order to spoon-feed them information, even one tiny flaw in a slide can halt a general’s thought processes as abruptly as a computer system’s blue screen of death.”

Talking about the military, the DOD released information on a major cyber attack that occurred in 2008. “The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.”

Just how dangerous are USB and removable media to computer security? Recently, security company PandaLabs claimed that 1 in 4 worms spread through USB flash drives.

In other news, Cisco patches a bug that crashed 1% of the internet. And Google continues growing as it acquires its 5th company this month.

Some other top stories from around the web:

First rootkit targeting 64-bit Windows spotted in the wild
Alureon rootkit is back, and has acquired the ability to hijack computers running 64-bit versions of Microsoft Windows, proclaimed Marco Giuliani, security researcher with security company Prevx.

The penultimate guide to stopping a DDoS attack – A new approach
In this post we (UNIXY) are going to share our experience fending off a large Distributed Denial of Service (DDoS) attack for a client.

DEFCON survey reveals vast scale of cloud hacking
An in-depth survey carried out amongst 100 of those attending this year’s DEFCON conference in Las Vegas recently has revealed that an overwhelming 96 percent of the respondents said they believed the cloud would open up more hacking opportunities for them.

Scam preys on required TweetDeck update
On Monday, TweetDeck warned that some Twitter messages were advising people to upload an untrustworthy executable file, called tweetdeck-08302010-update.exe.

Rustock Botnet Responsible for 40 Percent of Spam
More than 40 percent of the world’s spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec’s MessageLabs’ division.

Social Engineering 101 (Q&A)
Today, people get duped over the phone, but also over e-mail and via Facebook and other online avenues. In this edited interview CNET talked to Chris Hadnagy, operations manager at Offensive Security, which organized the Defcon social-engineering contest and does security auditing and training for companies, about the risks to this type of attack, what people can do to protect themselves, and why women might be less susceptible.

How to Build a Virtual System with VMWare Workstation

Well, recently the power board on my laptop smoked. Maybe it was overworked, maybe it just needed a break, not sure. The problem is, I used said laptop as my virtual hacking playground. It had 3 OS’s available at the boot menu, 4 virtual Microsoft OS’s and several virtual versions of Linux. Yeah, I know, I need a hobby.

Well, I have backups of the virtual machines, but I wanted to create some new ones anyways. So, I figured I would create a follow along type blog post for those who have not created a Virtual Machine yet. So, if you want to know how to create a virtual operating system and run it on top of your current one, here goes!

Step 1. Get VMWare Workstation. (Others are available, but I like this, it is quick and easy.) If you do not own VMWare Workstation you can get a 30 day trial key. Once you create a virtual machine, you can run it in the free version of VMWare Player. You can also download “VMWare appliances”. These are virtual machines that someone else has already made. I prefer to make my own, as I know what is in it and that it is safe.

You will need to create an account with VMWare to get the 30 day trial key. After installing VMWare Workstation, go ahead and run it. You will get a screen that looks like this:

Step 2. Now, click “Create a new Virtual Machine”. We are just creating a Windows 7 Pro Virtual Machine, so just hit “Typical” at the next prompt and select “Next”.

Step 3. We are going to install from Disk, so go ahead and put your OS disk in. You can also install from an ISO if you have one. Select Next.

Sweet! Look at this next screen, it recognizes the Windows 7 Pro CD, and it allows an EASY install. This means that the VMWare system knows the OS and the install will be pretty much automated.

Step 4. Put in your Windows key, and choose your version of Windows 7 from the pull down menu. Next, put in your username & password and confirm password. You can put in the product key later if you want. Hit next.

Step 5. Name your virtual Machine and give it a location to save the data files. Click Next.

Step 6. Specify how big you want the virtual drive to be and if you want it to be a single file or split. I just chose the defaults here. Click Next.

Step 7. VMWare workstation is now ready to create the virtual machine. Check out the virtual hardware settings. I want to be able to do more than just log in so I want to allocate more memory. To do so, click “Customize Hardware…”

Step 8. Select Memory and then slide the memory button up to 2 GB. Hit “OK”. Alright! Almost done. Click “Finish”.


Step 10. That’s it! When the Virtual Machine is powered up, it will install the OS from your source disk. The next screenshots are of the install in progress:

And when the install finishes, Voilà! Done!


If you click the Full Screen button on the menu bar, you get this: a full OS running on top of your current OS.

From here you can finish setting it up just like a regular OS install: security updates, anti-virus, auto-updates, etc. To shut down the virtual machine, you can shut down the virtual OS, or to suspend the OS, just close the whole virtual OS window.

That is all there is to it. I hope you enjoyed this.

Pen Testing Perfect Storm Part V: “We Love Adobe!”

Part V of the Pen Testing Perfect Storm webcast series will be held on August 31, 2010 at 2PM EDT / 11AM PDT. This will be presented by Ed Skoudis, Kevin Johnson and Joshua Wright. Ed is one of my favorite presenters, and authors, so this is a definite must see.

Webcast Information (From Coresecurity):

It’s no secret that Adobe’s ubiquitous applications provide a broad attack surface for criminals seeking to gain access to sensitive IT networks. During this webcast, security experts Ed Skoudis, Kevin Johnson and Joshua Wright will demonstrate penetration testing techniques that you can use to proactively assess the security of systems relying on Adobe technologies throughout your organization.

You’ll learn how to …

    * Assess Adobe Reader and Flash for exploitable vulnerabilities
    * Extend testing with escalation and session management techniques
    * Impersonate network infrastructure and simplify wireless hijacking
    * Gain remote control of exposed clients

Like all Perfect Storm webcasts, part V will go beyond simple vulnerability exploitation and show you how to replicate multiple stages of an attack – from identifying and profiling exposed systems to gaining root and gathering data for reporting and remediation.

*Bonus: Register now and you’ll also get on-demand access to the slide decks for The Pen Testing Perfect Storm Trilogy Parts I-V.

How to be a Victim of Cyberstalking on Twitter & Facebook

Today we have a tutorial on how to make it easier to become a victim of a cyber stalker on any of your favorite social media sites. To simplify things, I have included step by step directions, please follow along.

STEP 1: Take a picture using any smart phone – iPhone, Blackberry, Android, etc. This can be a picture of your dog, cat, wife, kids, computer, house, favorite pet, annoying neighbor, or a combination of any two.

STEP 2: Upload the picture to your social media site.

That’s it, thanks for joining us. Today’s broadcast was brought to you by… What? You want to know more? How does just taking a picture and uploading it to a social media site give away any personal data?

Okay, I will tell you, here is the problem. Most new “smart phones” come with geo tracking enabled by default. So, when you take a picture, your location, in longitude and latitude, is automatically added to the metadata of the picture. Metadata is just additional information that is tagged onto the picture and can be viewed. Kind of like the picture “properties”.

When the picture is uploaded, the metadata goes right along with it. So basically, every picture taken with a smart phone gives away the location where it was shot and it can be viewed by anyone on the web.

Now, what if someone were to make a program to sweep the social media sites just looking for pictures that contain geo location data? Then, what if, hypothetically speaking, they take your name, the picture and your profile picture and post it? Now, since we started down this bunny trail, what if they also were nice enough to also include a Google Map showing exactly where the picture was taken?

No one would be that sinister, you say? Au contraire, let me introduce you to I Can Stalk You. The website was created by security specialists to raise awareness of inadvertent information sharing. Though I am not 100% sure that they are truly revealing the actual location data, it is still kind of creepy.

How can you stop giving away your location with each photograph? The “I Can Stalk You” site contains instructions on how to turn off the Geo Tagging on the most popular phones.

It is amazing how much personal information we give away online, and sometimes we don’t even know it.