Sirius XM Password Insecurity

*Yes, I do choose really long passwords.  I don’t have to remember it though; Lastpass takes care of that.

https://www.ssllabs.com/

I learned of the site by listening to Qualys’ Ivan Ristic, primary author of Apache’s mod_security, on the Eurotrash Security podcast.

Remember, I’ve previously posted a list of:

• Penetration test scenarios (pre-built vulnerable virtual machines)
• Vulnerable web applications and Part II

To the relief of all pr0n addicts, Adobe has finally realized they’re holding up true private browsing and starting with Flash 10.1 they’ll begin to respect private browsing mode when enabled in your browser.  Read more here.

Of note:

• Effects iOS, NOT just the iPhone (this means ipod, touch, and ipads are susceptible)
• Combination of two vulnerabilities: one in PDF software and a kernel privilege escalation bug
• This has nothing to do with Adobe.  PDF support in iOS is built by Apple.  Apple’s PDF implementation is bugged.  Foxit PDF reader has the same vulnerability.
• This risk exists not only via web but also e-mail, sms, and mms.
• Mitigation steps until Apple releases a patch?  You can try the third party PDF Warning Loader here: http://chronic-dev.org/blog/2010/08/pdf-loading-warner/

Highlights:

• Always email a password reset link as another means to verify identity
• Consider use of SMS message for out of band identification (assuming you have Cell # previously stored)
• Secret questions are tricky — personally I say avoid using them
• Never report incorrect username/email error messages on your password lookup page (this allows attackers to harvest emails and determine valid usernames)

There’s an interesting article on Apple Insider which is critical of the findings especially considering Secunia really throws Apple under the bus as “having the most security vulnerabilities.”

Employees at Apple, Google, BP and many other companies spilled secrets in a “social engineering” contest that challenged Defcon attendees to call corporations and trick employees into giving up sensitive information. Contestants sat in a soundproof booth (pictured) while an audience listened to them impersonate journalists, survey takers, fellow employees and customers to wheedle out private data from big corporations’ sales people and call center staffers. The contest was worrisome enough to warrant a call from the FBI to its organizers, and the contestants convinced all but five of their human targets (and, after multiple calls, 100% of the companies) to give up some details, ranging from what software versions the firm used or its paper record disposal methods. Those seemingly innocuous facts would help hackers case a firm for a larger data theft–searching for more private details like credit card or social security numbers was forbidden in the contest rules.

Barnaby Jack, a researcher with security consultancy IOActive, demoed two methods of hacking ATMs to make them literally spew money. One version of the trick on Triton ATMs allowed Jack to insert a USB stick into the machine and cause it to eject cash in a matter of seconds. The second hack, on Tranax machines, connected remotely via the Internet and could either output cash or secretly record credit card numbers and PINs. Both Triton and Tranax have worked with Jack to develop fixes for their ATMs.

Researcher Chris Paget demonstrated what’s likely the world’s cheapest and most accessible system for intercepting GSM phone calls, the protocol used by AT&T and T-Mobile. His hardware and open source software cost just $1,500, far less than previous methods. Paget went ahead with his talk despite legal concerns by the Federal Communications Commission–thanks in part to legal representation from the Electronic Frontier Foundation, he hasn’t been arrested as of yet.

Eavesdropping and social engineering aren’t the only methods Defconners demoed to steal information via phone. Nicolas Percoco and Christian Papathanasiou of consultancy Trustwave showed off a rootkit for the Android operating system that could invisibly give a hacker full control of victim phones running Google’s mobile software. The security firm Lookout also launched an App Genome Project database to monitor which Android and iPhone apps might engage in malicious behavior. One wallpaper app that had been downloaded more than a million times, the company found, collected users’ phone numbers and unique phone identifying numbers, and sent them to a server in China. The company later clarified that while suspicious, that data wasn’t used for anything malicious.

Nearly as significant as what was presented at Black Hat and Defcon this year was what wasn’t. This year’s conferences had at least two controversial talks silenced. One, a breakdown of China’s cyberwarfare capabilities, was pulled from the conference after the presenter, Wayne Huang, was pressured by the Taiwanese and Chinese governments not to reveal his research. Another talk on security vulnerabilities in high-speed trading systems was also snipped after a bank customer of the presenter Varun Uppal’s company, Information Risk Management, expressed concerns about the work.

Verizon 2010 Data Breach Investigations Report (DBIR)

The big news here is that the DBIR now includes data from the U.S. Secret Service, giving the folks at Verizon more data to work with. The report is very well put together and does a great job of presenting the data it contains, including pointing out where the new influx of data from the Secret Service has impacted the data making trends appear different than they have in past DBIRs. The report is available here.

Akamai State of the Internet Q1 2010

Akamai’s large global network certainly allows them to see a lot of traffic, both normal and malicious. Only the second section of the report deals directly with security, but the rest still makes interesting reading. In addition to attack traffic data, the report also contains information on global connection speeds, US connection speeds and mobile connection speeds. The report is availablehere (registration required).

Ponemone/ArcSight Cost of Cyber Crime Study

This study was sponsored by ArcSight, so there is a good amount of mention of SIEM systems and their benefits. The study still contains some interesting data on how much incidents can actually cost organizations (before, during and after an incident), with good information about the methodology used to arrive at the figures presented. The report is available here (registration required).

Digital Forensics Association “The Leaking Vault”

“The Leaking Vault” takes 5 years of data breach information taken from many different sources include FOIA requests, the Open Security Foundation, the Privacy Rights Clearinghouse, Sound Assurance, and the Identity Theft Resource Center. The result is a large amount of data which is sliced and presented in many different ways, providing some interesting incite into data breach notification (and the failures of them in some cases). The report is available here.

Cisco 2010 Midyear Security Report

The Cisco 2010 Midyear Security Report is less numbers focused than the reports listed above, but still interesting. The report is more focused on the changes in enterprises today and how those changes will impact security needs. This includes Mobile Devices, Virtualization and Cloud Computing, Social Media, and Government regulations. The report also includes information on worldwide spam volume. As an added bonus, the report also includes “The Artichoke of Attack” (page 21) which is by far my favorite graphic from any of these reports. The report is availablehere.