We’ll explain the MiniDuke malware and the extremely clever way it slipped into victims’ systems.
Researchers discovered a way to bypass Google’s two-factor authentication; we’ll explain the details, and we look back at 25 years of software vulnerabilities.
Plus a big batch of your questions, our answers, and so much more on this week’s TechSNAP!
Show Notes:
- A new attack against many European governments has been detected, using a new malware called Miniduke
- The malware exploits a sandbox-bypass in Adobe Reader
- The malware targeted a very small but specific set of people: 59 targets in 23 different countries, mostly in Europe
- The spear phishing attacks were perpetrated using well crafted PDF files purporting to be NATO membership plans, Ukrainian foreign policy documents or a seminar on human rights
- The malware allowed the attackers to copy and move files from the infected machines to their own servers, as well as kill other processes (like security software) and install additional malware
- The attack was unique because of the unusual nature of the backdoor that was used and how specific and narrow the targets were
- The backdoor contained components written in assembly, a relative rarity in viruses and vulnerabilities
- The malware also used Twitter as a command-and-control system, following specific accounts and looking for tweets containing encrypted commands prefixed with uri!
- The malware also used .gif files as an update and distribution method: the GIFs were regular images (like the RSS icon) but also contained malware binaries embedded in the image using steganography
- The backdoor also gathered system-specific information and used it to encrypt communications back and forth with the attacker’s servers (likely to avoid IDS and other forms of detection)
- This system-specific information was also used as part of the attack: many of the components subsequently loaded onto a machine contained code that made them run only on that specific machine, which made the security analysts’ job much more difficult, since they could not run the malware on controlled virtual machines or their own machines in order to analyze it
- The researchers say the style and methods of the attack are reminiscent of attackers from the 90s
- The attack pattern and programming style are reminiscent of a hacking group that was thought to have been long disbanded
- The group, called 29A (666 in hex), published their first malware magazine in December of 1996 and were active until February 2008, when the last standing member announced the group’s dissolution
- Digital Underground Podcast – Intricacies of Miniduke
- Full PDF with details
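An added, defender-side example (not from the episode, and not the malware’s or the researchers’ code): since the update payloads travelled inside otherwise ordinary GIFs, one cheap triage check for that class of carrier is to walk the GIF block structure and report anything left over after the 0x3B trailer. The two samples are constructed here; the check assumes the appended-blob form of embedding, which the episode does not specify, so it will not catch a payload hidden in the pixel data itself.

```python
# Constructed sample: a valid 1x1 GIF89a, built by hand (not a real Miniduke carrier)
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"   # header + logical screen descriptor (GCT flag set)
             + b"\x00\x00\x00\xff\xff\xff"                  # global colour table: black, white
             + b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension (label 0xF9)
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
             + b"\x02\x02\x44\x01\x00"                      # LZW min code size, one data sub-block, terminator
             + b"\x3b")                                     # trailer
# Constructed suspect: the same image with an opaque blob appended after the trailer
SUSPECT_GIF = CLEAN_GIF + b"MZ\x90\x00" + bytes(range(64))

def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain at offset %d" % pos)
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos

def gif_trailing_bytes(data):
    """Parse the GIF block structure and return how many bytes follow the trailer (0 for a clean file)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                       # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                       # global colour table: 3 * 2^(size+1) bytes
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        sep = data[pos]
        if sep == 0x3B:                     # trailer: the image ends here by definition
            return len(data) - pos - 1
        if sep == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif sep == 0x2C:                   # image descriptor: 9 bytes, optional LCT, LZW size, sub-blocks
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (sep, pos))
    raise ValueError("no trailer found (truncated file)")

def is_suspicious(data):
    """Triage verdict: True if data is present past the trailer or the structure does not parse."""
    try:
        return gif_trailing_bytes(data) > 0
    except ValueError:
        return True
```

A file that decodes fine in an image viewer can still have kilobytes of appended data, because decoders stop at the trailer; this check looks at exactly what they ignore.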
- For the last 7 months, researchers from DuoSecurity and any attackers with knowledge of the vulnerability have been able to bypass Google’s two-factor authentication system, even for Google services such as Gmail
- An attacker who managed to steal or guess a user’s application-specific password could then exploit the Android auto-login feature to take over full control of a user’s entire Google profile, without having to enter the result of the secondary authentication mechanism
- Once they have access to the profile, they could then reset the master password and disable two-factor authentication entirely, allowing them to completely steal the account
- Application-specific passwords are a feature created by Google to let you use your Google account to authenticate to applications and services that do not support two-step login
- This allows you to use your existing authentication to Google to access other apps that do not support web-based login (like IMAP/SMTP, chat and calendar apps)
- “if a user has linked their Android device to their Google account, the Chrome browser will use local-device authentication to override Google’s two-factor authentication”
- This is a classic case of trading the stronger security that two-factor authentication and strong passwords provide, for the higher convenience factor
- The scary part is that this mechanism allowed an attacker to access the Google ‘Account Settings’ portal, where you can change your backup email address, the phone number linked to your Google account, and other settings that are extremely sensitive and important to the security of your account
- Researchers clarify that the only way for this vulnerability to affect users in a desktop environment, is when their mobile authentication is compromised and used to seize their entire account
- Google patched the vulnerability before it was announced last week
- Researchers Post
- A key feature of Zopfli is that the compression is deflate compatible, meaning the compressed data can be decompressed using the libraries already built into nearly all existing web browsers
- Zopfli has a compression gain of 3–8% over zlib, but takes 2–3 orders of magnitude longer to compress, making it only really useful for compression of static data, rather than compressing dynamic data for HTTP streams
- For example, to compress a 100 MB sample of the English Wikipedia, gzip takes 5.6 seconds, 7-zip takes 128 seconds, and zopfli takes 454 seconds
- All three compressed files can be decompressed in under 1 second
- Google’s goal is to save bandwidth and battery life by reducing the size of text and images transmitted to mobile devices
- The research started as an offshoot of the WebP project (advanced lossy and lossless image compression)
- Google has open sourced the code as a C library under the business friendly Apache 2.0 license
- PDF Paper on the compression savings
- Additional Coverage
- VRT, the Sourcefire Vulnerability Research Team, dug through the CVE (Common Vulnerabilities and Exposures) database and NIST NVD (National Vulnerability Database)
- 2012 was the first year since 2007 in which the number of new vulnerabilities was greater than the previous year
- However, the number of vulnerabilities with a score over 7 (out of a possible 10) was still down each year since 2007
- However, 2012 had a record high number of vulnerabilities with scores of 10/10
- The top types of vulnerabilities over the last 25 years have been buffer errors (buffer overflow etc), Cross Site Scripting, Access control, SQL Injection, Code Injection and Input Validation
- Top Vendors with high severity vulnerabilities: Mozilla, Apple, Cisco, Sun, Adobe, IBM, Mozilla, HP, Google, and Oracle
- Mobile Vulnerability Share: iPhone: 81%, Android: 9%, Windows: 6%, Blackberry: 4%
- Full PDF
- How to ask good questions at RSA
- RSA – Researchers find ‘beta’ of Stuxnet, making it 2 years older than previously thought – Also found more evidence linking the developers of Stuxnet to the developers of Flame – Paper
- Cyber Dialogue – Hacking Back, Signaling and State-Society Relations
- RSA – Analysis of SEC filings under new cyber attack disclosure rules
- RSA – [VIDEO] Key Source International makes Secure Logon Devices
- RSA: [VIDEO] Self encrypting USB hard drive for all operating systems
- RSA: [VIDEO] PwnPad – A stealthy penetration testing platform
- RSA: [VIDEO] BehavioSec – Behavioral Biometrics for Authentication
Miniduke malware used against European governments
Researchers discovered a way to bypass Google two-factor authentication
Google introduces new compression algorithm
VRT profiles 25 years of software vulnerabilities
Feedback:
+ What is the value of a hacked PC?
+ Steal your username/passwords (banking, games, web servers, skype)
+ Steal your CD keys (windows, office, games, etc)
+ Use your computer as a web server (host spam, malware, etc)
+ Join a botnet (click fraud, send spam, launch ddos)
+ Reputation hijacking (using your facebook account to ‘like’ businesses etc that pay the malware author)