Not so Private Keys | TechSNAP 72

How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!

Show Notes:

Man in the Browser attack used against Airport employees to gain credentials for VPN

  • In what appears to be a highly targeted attack, some airport employees had their machines infected with Man-in-the-Browser malware
  • This allowed the attackers to use form-grabbing and screen capturing to steal the airport employees’ login credentials for the airport VPN
  • The attack also compromised the single-channel mode of the airport’s two-factor authentication system, where an image was displayed and used by the user to transform their password into a temporary one-time code. Because this one-time code is based on the password, an attacker who is able to capture a number of these (the image and the response) can calculate what the original static password was
  • A more secure two-channel mode sends a one-time code via SMS or a mobile application, but apparently it was not used by many airport employees
  • It is unclear what type of VPN this was, or why the VPN involves logging in via a browser (layer 7), rather than the more typical layer 2 or 3 type VPN
  • It is not known what the attackers were after, but with access to the internal airport network, they may have been able to gain information on employees, the hiring process (to get their own people employed at the airport), or the ability to flag specific luggage, cargo or persons such that it is not subjected to normal security screenings
  • Additional Coverage

Adobe releases Flash 11.4, critical update to fix 6 security vulnerabilities


Hard coded SSL Keys in RuggedCom Switches

  • RuggedCom and their Rugged OS has caused headlines again with a massive security flaw
  • The rugged devices are used in many very sensitive installations, including military bases, train switches, power distribution systems, and traffic signals
  • The systems are designed to be rugged, insofar as standing up to harsh climate conditions, however it appears that many of these devices have been connected to the internet to allow for remote management, and the security of these systems has again been compromised
  • In this case, the RuggedCom devices use a hardcoded SSL private key, meaning that the secret used to decrypt the data sent from the user to the device, can be known by anyone who has ever had access to such a device, or has otherwise gotten access to the key (I am sure it has been posted online somewhere by now)
  • SSL uses PKI and asymmetric encryption, meaning there is one key to encrypt data (the public key, published as part of the SSL Certificate), and a private key, used to decrypt information encrypted with the public key
  • It seems that all RuggedCom devices use the SAME SSL key. This is such a large security fiasco as to defy classification. In order for this to have happened, every single person involved with the RuggedCom OS must have entirely lacked any understanding of how SSL works
  • The researcher who discovered the vulnerability (Justin W. Clarke, also discovered the previous vulnerability) was able to get the SSL key from various RuggedCom devices he bought on eBay, and discovered that the key on each device was the same
  • In addition to being able to decrypt the communications between users and the device, in order to get the login credentials or other sensitive information, an attacker with access to the SSL private key could also send modified responses from the device, making it appear to be normal, or even alter the responses from the device such that they compromise the computer of the administrator who is accessing the RuggedCom device, with something like one of the Flash exploits mentioned earlier in the show
  • ICS-CERT is recommending that all RuggedCom devices be isolated from the internet, and only accessed over VPNs, to reduce the risk of an attacker being able to decrypt the SSL session
  • Why any of these devices were connected directly to the public Internet in the first place boggles the mind
  • Additional Coverage
  • Coverage on Previous Flaw
  • TechSNAP 55 – Obscurity is not Security
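
A fleet audit for the flaw described above, as an added example that is not from the show notes or from RuggedCom: it hashes the SubjectPublicKeyInfo of each device's certificate and reports any public key served by more than one host, which catches a shared private key even when the certificates differ. The host names, key bytes and skeleton certificates are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert):
    """SHA-256 over the SubjectPublicKeyInfo of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)          # Certificate
    _, pos, _ = read_tlv(cert, pos)        # tbsCertificate -> its first child
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)        # subjectPublicKeyInfo
    return hashlib.sha256(cert[pos:end]).hexdigest()

def shared_keys(certs_by_host):
    """Return {spki_hash: [hosts]} for every public key served by 2+ hosts."""
    groups = defaultdict(list)
    for host, der in certs_by_host.items():
        groups[spki_sha256(der)].append(host)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# --- constructed sample data: unsigned X.509-shaped skeletons, not real device certs ---
def tlv(tag, body):
    n = len(body)                          # sample encoder only: bodies stay under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_cert(serial, cn, key):
    alg = lambda last: tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01" + last) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    dates = tlv(0x30, tlv(0x17, b"120101000000Z") * 2)
    spki = tlv(0x30, alg(b"\x01") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg(b"\x0b") + name + dates + name + spki)
    return tlv(0x30, tbs + alg(b"\x0b") + tlv(0x03, b"\x00"))

FIRMWARE_KEY = bytes(range(64))            # stands in for a key baked into every image
SAMPLES = {
    "switch-a.example": sample_cert(b"\x01", b"switch-a", FIRMWARE_KEY),
    "switch-b.example": sample_cert(b"\x02", b"switch-b", FIRMWARE_KEY),
    "router-c.example": sample_cert(b"\x03", b"router-c", bytes(range(64, 128))),
}
```

On a real network the DER input for `shared_keys` can come from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` for each managed device.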

New financial malware demonstrates interesting new feature: it blocks users from accessing their bank account after it is compromised, with a friendly error message

  • Normally, a man-in-the-browser or keylogger style malware that targets your banking credentials would steal them, and send them to the fraudster, who would use them to gain access to your bank account
  • In a later iteration, the MitB attacks would prompt you for the answers to your secret questions
  • This level of MitB attack was confounded by two-factor authentication, because once the user entered the short-lived PIN it was no longer useful, so the key-logged information did not allow the fraudster to gain access to the account
  • This newest version of the attack now stops your browser from actually communicating with the bank at all
  • When you go to the bank’s site in your browser and enter your username, password and the one-time PIN, the form details are taken by the malware, and the fraudster then uses them from his computer and drains your bank account. Meanwhile, you are given a friendly error message informing you that the bank’s website is down for a short maintenance and will be back later
  • The reason for this is the bank’s fraud-screening system
  • The bank’s automated defense systems monitor where you log in to your online banking from, and if you log in from two very distant locations within such a short amount of time that it is not possible for you to have traveled that far, it flags your account as possibly compromised
  • By preventing the legitimate user from accessing their account, it prevents this alarm being tripped, giving the fraudster more time to drain the account before being detected
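
The distant-login check described above, sketched as an added example (not the bank's actual rule or any code from the show): it flags consecutive logins on one account whose implied travel speed is impossible, and the sample log shows why the rule stays silent when the victim's own login never reaches the bank. The 900 km/h ceiling, account names, addresses, coordinates and timestamps are all constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Flag consecutive logins on one account that imply a speed above max_kmh."""
    last, alerts = {}, []
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last.get(ev["account"])
        if prev:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            km = km_between(prev["geo"], ev["geo"])
            if km > max_kmh * hours:
                alerts.append((ev["account"], prev["src"], ev["src"], round(km)))
        last[ev["account"]] = ev
    return alerts

# Constructed sample data: what the bank's login log contains in each case.
HOME, FAR = (43.65, -79.38), (50.45, 30.52)

def login(account, when, src, geo):
    return {"account": account, "time": datetime.fromisoformat(when), "src": src, "geo": geo}

BANK_LOG = [
    # alice: her own session and the fraudster's both reach the bank, minutes apart.
    login("alice", "2024-01-02T10:00:00", "198.51.100.7", HOME),
    login("alice", "2024-01-02T10:05:00", "203.0.113.9", FAR),
    # bob: the malware shows him a "maintenance" page, so his 10:00 login never
    # reaches the bank; the log holds only yesterday's session and the fraudster's.
    login("bob", "2024-01-01T08:00:00", "198.51.100.8", HOME),
    login("bob", "2024-01-02T10:05:00", "203.0.113.9", FAR),
]

if __name__ == "__main__":
    for alert in impossible_travel(BANK_LOG):
        print("impossible travel:", alert)
```

Only alice's account is flagged; for bob the gap since the last login the bank saw is long enough that the same distance looks like ordinary travel.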

Feedback:


FreeBSD has a ‘Linux compatibility layer’, a kernel module called the Linuxulator, that basically translates system calls from Linux to BSD. If you install the basic libraries from CentOS into /usr/local/compat under BSD (there are packages that do this for you), you can run compiled Linux binaries on FreeBSD. The target of this system is commercial Linux applications, like game servers, scientific software and all kinds of not-open-source stuff.

If you create a jail (a second copy of the OS installed in a chroot, which uses the host OS’s kernel), and your FreeBSD kernel has the Linux module loaded, then you could install CentOS in the jail chroot instead of FreeBSD, and have CentOS boot (with its boot scripts etc). It would be CentOS, except with a FreeBSD kernel (although CentOS will think it is using a Linux kernel). All of the system binaries and the package binaries would run through the translation layer (there is no real performance penalty for this; some apps even run faster under FreeBSD).

If you google for it, there are some how-tos on running Linux in a FreeBSD jail. For some commercial software like Adobe Flash Media Server, which only wants to run on CentOS (it doesn’t even like to run on other Linux distros, let alone BSD), it can provide an easy out.

Apparently PC-BSD’s new ‘Warden’ jail management GUI includes the option to deploy a Linux jail automatically, but I have not tried it yet.


What I wish the new hires “knew”

Round-Up:
