Cyber Arms Intelligence Report for September 7th
What do you get when you cross hacking with rapping? Well, if you are into computer security and secretly dreamed of being a rap star, now is your chance. Symantec has teamed up with rapper Snoop Dogg to create the website “Hack is Wack!” Just create your own anti-cyber-crime rap video and upload it to the site for a chance to win prizes.
The site has received a lot of criticism from the security world, and by last Friday only 7 videos had been uploaded (up to about 21 now). The site also went down unexpectedly, prompting conflicting reports ranging from “the website was down for maintenance” to “the site was already hacked.”
Several claims have come out saying that the website was full of security issues, but according to an article on The Register, Symantec now says all the holes have been plugged:
Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There’s the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it’s currently in Alpha).
The original XSS rickrolling exploit has been blocked and, we take on trust but have not confirmed, Symantec has also mopped up the other flaws on the site.
In other news, reports are still coming in on the outcome of Defcon’s Social Engineering contest. The contest was an overwhelming success for the attackers, not so good for their corporate targets. “If any of these targets had hired us to do a social engineering audit, we would have failed them,” Chris Hadnagy, co-founder of Social-Engineer.org said. “There wasn’t one company that successfully demonstrated security awareness.”
The social engineering contest found that former employees were a font of information: “We had a contestant who used job search Web sites to scrape resumes of people who used to work for the company he was targeting. He’d call, pretend to be a headhunter and ask you questions about the technology you used in that past position.”
What group was the toughest to get information from? According to an article on Computerworld, “Of the 135 Fortune 500 employees targeted by social engineering hackers in a recent contest, only five of them refused to give up any corporate information whatsoever.” And guess what? All five were women. Nice job, ladies!
In military news, HP Holds Navy Network ‘Hostage’ for $3.3 Billion. Apparently, for the last 10 years, the Navy has been leasing its PCs:
After 10 years and nearly $10 billion, many sailors are tired of leasing their PCs, and relying on a private contractor to operate most of their data systems. Troops are sick of getting stuck with inboxes that hold 150 times less than a Gmail account, and local networks that go down for days while Microsoft Office 2007 gets installed.
Woohoo! Office 2007! That’s great, but they do know that Office 2010 is out, don’t they?
It looks like the government think tank DARPA is getting involved to try to prevent any further massive military information leaks. The project is called CINDER, for Cyber Insider Threat.
The futurists at Darpa are working on a project that would make it harder for troops to funnel classified material to WikiLeaks — or to foreign governments. And that means if you work for the military, get ready to have your web, email and other network usage monitored even more than it is now.
Peiter “Mudge” Zatko (of Boston hacker group L0pht fame) is now working with DARPA on the project. “I don’t want people to be putting out virus signatures after a virus has come out,” he told CNET when DARPA hired him. “I want an active defense. I want to be at the sharp pointy end of the stick.”
It sounds like Peiter is on the right track.
And last, but not least, Nasty Data-Stealing Bug Haunts Internet Explorer 8. Another IE8 flaw has been discovered by the security community, one that allows simple data-stealing attacks against IE8 clients. This flaw may have been known to the bad guys since 2008.
The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then Firefox, Chrome, Safari and Opera have all implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July. But Microsoft has not yet implemented a fix for the vulnerability.
Just Wonderful… 😦
Some other top stories from around the web:
A Strong Password Isn’t the Strongest Security
Mr. Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available. But he said he believed an anything-is-permitted password system would be welcomed by users sick of being told, “Eat your broccoli; a strong password is good for security.”
Twitter Moves to OAuth: The OAuthcalypse Is Nigh
Twitter is killing support for basic user authentication in third-party apps on Tuesday morning, the company says. Instead, Twitter will now require all third-party app developers to use OAuth for user authentication.
Russian government email servers hacked
On Monday it turned out that the Federal Service of Protection (FSO) is not that good at protecting its own privacy. Yesterday internet forums were bubbling with information about a hack into the FSO internal email system.
Hardware hackers defeat quantum crypto
Security researchers using hardware hacking techniques have unearthed generic flaws in supposedly ultra-secure quantum cryptography systems.
Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College
The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.
IBM Describes Fastest Microprocessor Ever
IBM revealed more details of its 5.2-GHz chip on Tuesday, the fastest microprocessor ever announced. Don’t bet that you’ll ever be able to buy it, though.
TWC Hacked: Details
So, I wake up at a leisurely 11:00, and shamble to my computer, only to notice that TWC appears to be gone, except for the staff forum. Then a few minutes later, this email pops up in my inbox:
MS Fix Shores Up Security for Windows Users
Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.
The Future of Cybercrime Forensics
Cybercrime forensic investigation is a complicated science with its own history, implications and future. It is not sufficient merely to consider it a branch of criminology, or the study of cyber criminal behavior, or research into the relationship between the causes of tech-related crime and social policies. For cyber criminals, their knowledge and their crimes are bound together.
~ by D. Dieterle on September 7, 2010.