Black Hat Presentations, Flash App Tools, Free AV and News

The next BlackHat.com webcast will be about Mobility and Security on May 21 1pm PDT (Friday, May 22, 2009 at 4 AM in Manila, according to The World Clock).

Black Hat Webcast 9 (34MB audio, around 79 mins running time; WebSync version is here) is a preview of the Black Hat Conference in Amsterdam that was held from April 16-17, 2009 (see link to presentations below).
The following people and their presentation topic were in this webcast:

Enno Ray – Attacking Backbone Technologies
Charlie Miller and Vincenzo Iozzo – Fun and Games with Mac OS X and iPhone Payloads
Stefano Zanero – Web App Firewall Based on Anomaly Detection
Roberto Gassira’ and Roberto Piccirillo – Hijacking Mobile Data Connections

Past Black Hat Conferences:
Video of Charlie Miller and Vincenzo Iozzo’s presentation on Mac and iPhone payloads (152 MB)
Black Hat Europe 2009 (Amsterdam) Media Archives
Black Hat USA 2008 Archives

---

Flash App Vulnerability Tools

Exposing Flash Application Vulnerabilities with SWFScan
Flare
SWFIntruder

---

Free Anti-Virus

F-Secure Online Scanner Beta Program

---

InfoSec News

(Inquirer.net) Has your e-mail address won in a lottery?
(Computerworld PH) Report: Web continues to rise as security threat

(Inquirer.net) RP gov’t websites vulnerable to hacking
(Inquirer.net) Cyber spies hack into DFA computers
(Inquirer.net) RP needs cybersecurity program–CICT
(Inquirer.net) PNP experts tell how to catch a hacker

(Inquirer.net) Purge 2-M ‘flying’ voters, Comelec told
(Manila Times) Lawmaker to hack Comelec electronic counting machines
(Inquirer.net) Hack poll machines and win P100M
(Inquirer.net) P100M hack reward ‘dishonors’ poll automation
(Inquirer.net) Hacking poll results to take lots of time
(Inquirer.net) Comelec to tap DOST on poll machine testing
(Inquirer.net) Comelec mulls inclusion of more provinces in poll automation

(Inquirer.net) Comelec eyes YouTube stardom to lure voters

(PhilStar) Is quitting Twitter more popular than re-tweeting?
(IT Matters.com) Twitter — a rising marketing channel?

(PhilStar) Globe backs ICT Awards

(Inquirer.net) RP seeks removal from USTR watch list
(Inquirer.net) Twitter, Facebook abuzz over Pacquiao win

(Computerworld) Facebook’s privacy options
(Computerworld) How Facebook mucks up office life
(Wired) PIN Crackers Nab Holy Grail of Bank Card Security

(SecurityFocus) Researcher argues for CERTs with teeth
(Inquirer.net) Cyberspies hack into US fighter project
(H Security) Linux cache poisoning attacks easier than on Windows?
(Computerworld) 20 kick-ass network research projects

(Computerworld) Leaked copies of Windows 7 RC contain Trojan
(Computerworld) Botnet probe turns up 70GB of personal, financial data
(Computerworld) Heartland earns back spot on PCI-approved list

(The Register) Security researchers fret over Adobe PDF flaw
(H Security) Demo exploits for new vulnerabilities in Adobe Reader
(SecurityFocus) Companies slowest to fix Office, Acrobat flaws
(SecurityFocus) JavaScript flaw reported in Adobe Reader

(The Register) US Congress wants hack teams for self-penetration
(Boston.com) US looks to hackers to protect cyber networks
(NY Times) ‘Hackers wanted’ ad fed security misconception

(The Register) Botnet hijacking reveals 70GB of stolen data
(The Register) Twitter breach gives behind-the-scenes Obama peek

(The Register) Firefox finds more pesky bugs
(H Security) Firefox 3.0.10 fixes critical vulnerability

(The Register) Hacker behind P2P botnet gets no jail time
(The Register) US military’s cyberwar rules ‘ill-formed,’ says panel
(NY Times) Panel Advises Clarifying U.S. Plans on Cyberwar
(The Register) Adobe users imperiled by critical Reader flaw

(H Security) Lost+found: Worms, Exploits, Online Scanners
(NY Times) H.P. Labs Pulls Out the Measuring Stick

Advertisement

Opinion: Philippine Cybercrime Bill, wherefore art thou?

For around two years now, Information Security Professionals have been saying that cybercrime is on the rise because of the change from ego-centric (i.e. malware that begs for attention) to financial motivation (i.e. malware that accumulates/sends data, silently evading detection). This financial motivation has led to cyber markets/exchanges wherein hackers and their cohorts transact, and in a more recent development, now specialize on a certain aspect of their trade, which in turn has increased efficiency. For example, some specialize on retrieving credit card numbers and other personal information, others specialize on printing the fake cards, while others use the cards, whether they be an ATM (Citibank hack in NYC) or a credit card (Malaysian’s arrested in Australia for fake credit card use). The current worldwide economic environment has only made matters worse.

The question here is, where is the Philippine version of the Cybercrime bill? Around two months ago, it was still on its second reading in Congress. It’s already taken more than eight years, I could be wrong, but I doubt its finally passed.

From what I’ve seen and experienced, I find it hard to believe that barely any cybercrime happens here. There are far too many good Filipino hackers and scammers, for nothing to be happening. Maybe audit logs aren’t turned on, maybe no one regularly checks the logs, maybe when people get scammed, they just let it go (feel free to blame the culture). UK’s BERR and PWC InfoSec Breaches Survey of 2008 states that there are fewer incidents reported in 2008 than 2004, however it may be because they’ve been understated since they found out that “companies that carry out risk assessment are four times as likely to detect identity theft as those that do not.” Which begs the question, do Philippine organizations with confidential information actually undertake risk assessments and take appropriate actions and implement controls to protect their assets? Just because an organization doesn’t have “incidents” doesn’t mean that confidential information doesn’t leak. How does one report an information security incident when one isn’t aware on how to identify it? Secondly, would the company in question have a process in place to accommodate what an employee finds suspicious? Third, would that company then have a process and resources (i.e. competence in IT Forensics) to investigate the report? I’m sure that if it happens to more security conscious countries, it must be happening here, we just aren’t aware of it or it isn’t reported… especially with all the useless WEP encryption found in coffee shops, keyloggers found in internet cafes, surreptitious card reader machines used to read credit card information, to stories of scammers at Philippine online auction sites.

Maybe it will take a high profile hacking on one of our few promising industries that is heavily dependent on IT: one of our BPOs. Or maybe even the hacking of private files of one of our lawmakers (Obama, Palin, and McCain got hacked last year) for there to be any progress on this bill. Whether that happens or not, I find it indefensible to wait for something bad to happen to impel lawmakers to do what’s right, and give the country and its people what there’s obviously a need for.

References:
(InfoSec Philippines) Nov 11, 2008 (note: has links to Philippine Cybercime bill news articles)
(TechRepublic, Sep 2007) Cybercrime tools market maturing, and crimes are on the rise
(Newsweek, Dec 2008) The Rise of Black Market Data
(Univ of Mannheim, Germany, Dec 2008) Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
(Wired, Oct 2008) Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm
(Symantec, Nov 2008) New Symantec Report Reveals Booming Underground Economy
(ihotdesk Outsourcing News, Dec 2007) Cyber crime market threatens data
(ContactCenterWorld.com, Feb 2009) Japanese Cybercrime at Record Levels as Hackers Crack Web sites
(Computer Crime Research Center, Oct 2008) Recent Stock Market Decline Causes Economic Cybercrime to Hit All Time High
(CBCNews Canada, Mar 2009) Fraud artists, security experts fight sophisticated battle
(ArticSoft, 2004) How Do You Deal With Internet Fraud
(Credit Cards Web UK, Mar 2009) Card fraud refunds being refused by more banks

Info Sec News: Nov 11, 2008

Maybe we should revisit our Cybercrime Bill, which hasn’t been approved and is in our congress for a second reading after a scant 8 years. Why? because Pakistan’s version of the bill, includes cyber-terrorism being punishable by death.

If you’re interested on articles on the Philippine version of the Cybercrime bill, there’s one from MB.com.ph from Nov 2007 by Melvin Calimag, “Cybercrime Law for RP long overdue.” Another article by the same author came out in April of this year on, “NBI exasperated over delay of cybercrime bill, hits CICT.”

News about the former Intel employee who works for AMD, that stole information with an estimated cost of over $1 billion in R&D development, can be found in CNET, and USA Today.

“A New York man has been charged with aiding the alleged leader of the hacking gang accused of stealing more than 40 million credit and debit card numbers from stores owned by TJX Companies and other companies.” reports this article from The Register.

On the Mobile Security front, a researcher says Google’s Android may not need antivirus software. Btw, older versions of G1’s software were vulnerable to an exploit that allows telnet root access discussed here and here.

The New York Times reports that DDOS attacks have been growing more potent, increasing from around half a megabit 7 years ago, to around 40 gigabits.

Three people pleaded guilty to hacking Citibank ATM cards who were able to steal $2 million in a span of four months. Maybe Manny Pacquiao should think about learning how to hack when he retires, especially since the Philippines has no Cybercrime bill, hehehe 🙂

Two Los Angeles traffic engineers admitted to hacking related to contract negotiations. Aren’t we just happy in Manila that our traffic light system uses 60’s technology? 🙂

The Financial Times and SC Magazine US, have reported to computers that were breached in the White House. The prime suspect are Chinese hackers.

Other News:

Security experts reveal details of WPA hack, their 12 page paper can be downloaded in pdf format here.

Vietnamese teams won the first and second prizes in a contest called “Capture The Flags”, part of the Hack in the Box Security Conference 2008 (hackinthebox.org) in Kuala Lumpur, Malaysia in late October

Australian Federal Police have launched a high-level investigation into a security breach involving confidential Australian diplomatic cables and police documents that were left in open files on a computer and read by guests at a hotel in Nepal.

Wouldn’t our government employees wish they have a DRP Site like this on in Bermuda?

A former prison inmate has been arrested and charged with hacking the facility’s computer network, stealing personal details of more than 1,100 prison employees and making them available to fellow inmates.