Jupiter Broadcasting

Failure Cascade | TechSNAP 68

The failure of Google Talk takes down several other Google services, including Gmail, and then as a result even Twitter; we've got the details. Plus how to determine if your WordPress site has been hacked, and some dangerous new Mac malware.

And a batch of audience questions, and our answers.

All that and more in this week’s episode of TechSNAP.

Thanks to:

GoDaddy.com


 

Show Notes:

Google Talk Outage

  • This morning at 06:40 EDT (10:40 UTC) Google Talk experienced an outage for nearly all users
  • Users were able to access Google Talk but would receive an error, and not be able to communicate with other users
  • This interrupted a lot of business users who use Google Apps as an integrated document management and messaging platform
  • Google reported the issue resolved at 11:25 EDT (15:25 UTC)
  • Google Apps Status Page for this Outage
  • Google has not released any details about the cause of or the resolution to the outage
  • A large number of users took to Twitter to complain about the outage
  • This was followed shortly by an outage at Twitter, possibly caused by the increased traffic generated by the Google outage

OSX/Crisis drive-by malware/rootkit for OS X 10.6 and 10.7

  • The malware is installed silently, and does not require any user interaction
  • The malware detects if it is being run as a privileged user, in which case it also installs a rootkit to hide its existence; if run as a regular user, a different, less dangerous payload is used
  • Once installed, the malware phones home to a UK Linode instance (I would expect this to be shut down soon, if it hasn’t been already), where it would receive further instructions and/or participate in a botnet (common activities include sending spam, advertising click-fraud, scanning and infecting other computers or websites)
  • The payload also attempts to spy on the user’s activities in Firefox, Safari, Adium and Skype (likely stealing passwords and keystrokes, and possibly spreading to other Mac users via IM and file transfer from trusted contacts)

Asus releases first ‘USB Attached SCSI Protocol’ (UASP) Devices

  • The new protocol replaces the standard USB BOT (‘Bulk Only Transfer’) mode which is plagued by high command latency and a lack of parallelism
  • UASP also allows up to 64k commands to be queued (BOT standard is to send the next command only once the current command completes), and allows commands to complete out of order
  • UASP requires a specialized USB controller on both the motherboard and the USB device (hard drive enclosures are the target market here)
  • However, UASP does not require any specific hard drive, and will work with any off the shelf HDD or SSD (although the performance gains are harder to see with a spinning drive)
  • While this is great news, there is even better news: Asus’s devices also support ‘Turbo Mode’ (Optimized BOT, which sends the next command before the first is acknowledged) that is compatible with many existing USB 3.0 controllers (Intel, NEC) and offers most of the speed improvement of UASP without replacing your motherboard

7500 Blackhat Conference Attendees get password reset email

  • It appears that a volunteer working with ITN International, the company that handles the on-site registration and check-in for the Blackhat conference, accidentally sent a password reset email to all registered users
  • The emails include the username, and a new password in plain text (it would probably be much better to direct users to a password reset page, establish their identity with some other bit of information, and then store a new password using a proper cryptographic hashing algorithm, but this is a system by a conference management company, not the Blackhat attendees)
  • The email also included a URL to sign in to the Blackhat conference system, which uses an unqualified hostname that only works on the Blackhat registration network
  • This caused ZDNet’s tech writer to assume that this was a very poor phishing attempt (neglecting to consider how a phisher would have gotten the attendees’ email addresses), noting that the URL was ‘not even real’ and that the from address was not spoofed
  • Official Explanation and Apology
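The reset flow suggested in the notes above (e-mail a link to a reset page, confirm identity with another piece of information, store only a hash of the new password), as an added sketch that is not code from the show or from ITN International. The `ResetService` class, the 15-minute token lifetime and the choice of PBKDF2-HMAC-SHA256 with 600,000 rounds are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 600_000    # work factor for PBKDF2-HMAC-SHA256 (assumed)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    """In-memory stand-in for a registration system's user and token tables."""

    def __init__(self):
        self.identity = {}   # username -> second piece of identifying information
        self.passwords = {}  # username -> (salt, derived key); never the plaintext
        self.tokens = {}     # sha256(token) -> (username, expiry timestamp)

    def request_reset(self, username, now=None):
        """Create a one-time token; the e-mail carries only a link containing it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, now + TOKEN_TTL)
        return token

    def complete_reset(self, token, identity_answer, new_password, now=None):
        """Redeem the token on the reset page and store the user's chosen password."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # single use, even when a check fails
        if entry is None or now > entry[1]:
            return False
        username = entry[0]
        expected = self.identity.get(username)
        if expected is None or not hmac.compare_digest(
                expected.encode(), identity_answer.encode()):
            return False
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, hash_password(new_password, salt))
        return True

    def check_password(self, username, password):
        salt, stored = self.passwords.get(username, (b"", b""))
        return hmac.compare_digest(stored, hash_password(password, salt))
```

Because the token table holds only SHA-256 digests and the password table only salted derived keys, neither a mis-sent e-mail nor a database dump exposes a usable password.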

Bryan’s RadicalBreeze.com got hacked

  • RadicalBreeze.com was running WordPress 2.9.1
  • The current version of WordPress is 3.4.1
  • Despite Bryan’s rant – ‘Google doesn’t want people to know about better software’, this was not Google claiming that Illumination Software Creator was malware, nor was it a false positive or mistake by Google, but an automated detection of a compromised site
  • The compromise was entirely Bryan’s fault, for running an incredibly old version of WordPress, subject to a number of vulnerabilities
  • The particular malware that has infested his site appears to be related to some vulnerabilities in Plesk, fixed in February 2012 and July 2012, that allowed the automated script to compromise his site and modify the files to inject the iframe
  • It is unclear at this time whether any customer data was compromised; it very likely could have been, but the attack seems automated rather than targeted
  • Google Safe Browsing Report
  • Malicious software is hosted on 1 domain(s), including dynapass.ru/
  • 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including sqqkemzgshwnkkrk.waw.pl/
  • Google’s “How did this happen?”
  • In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message
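A first-pass check for the kind of file modification described above, as an added example that is not part of the original show notes: it walks a site's files and flags `<iframe>` tags that load from a host outside an allowlist or are sized or styled to be invisible. The sample markup, the `injected.example` host and the allowlist are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
EXTS = (".php", ".html", ".htm", ".js", ".tpl")

# Constructed sample: one legitimate embed and one injected, invisible frame.
SAMPLE = """<?php get_footer(); ?>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected.example/in.cgi?2" width="1" height="1" style="visibility:hidden"></iframe>
"""


def scan_text(text, allowed_hosts):
    """Return one finding per iframe that is off-site or hidden."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        host = (urlparse(src.group(1)).hostname or "") if src else ""
        offsite = bool(host) and host.lower() not in allowed_hosts
        hidden = bool(HIDDEN_RE.search(tag))
        if offsite or hidden:
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "host": host,
                             "offsite": offsite, "hidden": hidden})
    return findings


def scan_tree(root, allowed_hosts):
    """Scan every template/script file under root; map relative path -> findings."""
    allowed = {h.lower() for h in allowed_hosts}
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), allowed)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report
```

This only catches frames written literally into the files; injected code that builds the tag at run time needs a comparison of the installed files against a clean copy of the same WordPress release.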

Feedback

Round Up