Evil DNS is Evil | TechSNAP 106

Posted on: April 18, 2013

Posted in: Featured, TechSNAP, Video

Comment on This Video

Share This Video

Embed This Video

Evil DNS is Evil | TechSNAP 106

13 of the most popular home routes are wide open to attack, is your’s one of them? Tune in to find out.

Plus details on the Malwarebytes update that rendered some systems unbootable, the latest on CISPA, your questions our answers…

And so much more, On this week’s episode of… TechSNAP!

Thanks to:

Use our code tech295 to score .COM for $2.95!

35% off your ENTIRE first order just use our code go35off4 until the end of the month!

  

Catch episode 137 for the TechSNAP 100 T-Shirt awards. Angela and Chris share stroies, pictures, and jokes sent in by the TechSNAP audience!

  

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

    • Hacking 13 of the most popular home routers

    • Research firm ISE (Independent Security Evaluators) has published their case study on the vulnerabilities in common SOHO (Small Office / Home Office) routers
    • The report resulted in 17 confirmed CVEs and 21 candidates
    • Some of the information has not been disclosed yet, pending fixes from the vendors
    • They tested 13 different routers and found that each could be taken from from the local network
    • 11 of the 13 could also be taken over remotely, 2 of them without an active management session
    • Half of the devices they tested that had NAS capabilities turned out to be accessible by a remote attacker
    • Although it is not enabled by default, if remote management is enabled, a number of these routers can be compromised remotely via authentication bypasses or CSRF (Cross-Site Request Forgery, a form that submits to your router rather than the site the form is on)
    • Once compromised, the attacker has remote control over your router, allowing them to change the settings, or even overwrite the firmware
    • If an attacker changes the DNS server settings on a router, that means all devices that receive DNS configuration (via DHCP) from that router, now use the evil DNS servers
    • These evil DNS servers can be the key to a MITM (Man In The Middle) attack, when you try to visit facebook, they return the IP address of an evil server, that pretends to be facebook, and steals your credentials
    • Facebook uses HTTPS (SSL/TLS) for login, however the evil server can strip that part from the page you actually receive and do the SSL only on its side as it proxies your requests to the real facebook
    • A new browser system called HSTS (HTTP Strict Transport Security) which allows websites to send a header saying they will ALWAYS have SSL was designed to solve this problem, however if users do not know any better and ignore the warnings, they can still be vulnerable. Also, the header includes a TTL (Time to live), after that time SSL is no longer required (the TTL is refreshed each time the header is seen, so it only expires if it is not seen for that period of time). The problem with HSTS is that if you have never gotten the header, because you have not been to the site before you were MITM’d, then you are not protected
    • If an attack has full control over your router, then they can also overwrite the firmware with their own, which might not allow any further firmware updates, meaning the router would have to be physically replaced. They could also purposely write invalid firmware to your router, bricking it
    • With custom firmware on your router, they could do additional traffic interception and manipulation, blocking your access to software updates (OS Updates, Java, Flash, etc), or injected malware into legitimate websites or downloads
    • The biggest concern is that most users never update the firmware on their router, so even if these vulnerabilities are patched, most of these devices will be vulnerable until they are replaced
    • The researchers have some advice for router vendors to make these types of problems easier to fix
      • Digitally sign firmware, so the routers will not accept malicious firmware (The downsize of this is that is may prevent projects like DD-WRT)
      • Design an automated update system for routers, since most users are not savvy enough to update the firmware themselves, and even if they are, there is no mechanism to notify them that an update is available/required. This should have an opt-out option, so power users can disable automatic updates
      • Make sure all requests actually validate the HTTP Authentication data
      • Implement Tokens in HTML forms to prevent CSRF
    • As an administrator of a SOHO router, the researchers recommend the following:
      • Never enable the remote administration options
      • Upgrade the firmware regularly
      • Do not enable unused network services, even on the LAN side (Telnet, FTP, SMB, UPnP)
      • Log out from and restart the router after each administrative session, this will ensure the session cannot be hijacked via your browser later
      • Clear browser cookies and active logins after you log out of the router (only login to router in private browsing mode)
      • Use a non-standard LAN IP range (still an RFC 1918, just something like 192.168.13.0/24) to prevent attacks based on common ranges from malicious sites and software
      • Enable HTTPS on your router’s administrative interface if it supports it
      • Use WPA2 for your WLAN, if an attack gains access to your wireless, it is much easier to attack your router
      • Only install firmware from the router manufacturers websites (there are many ‘driver’ and ‘firmware’ download sites on the internet that are malicious
      • Choose a strong administrative password that is at least 12 characters, most routers do not rate limit attacks over the LAN
    • CNET Interviews Researchers

    Malwarebytes issues faulty update that cripples computers

    • Antivirus vendor Malwarebytes issues a definition update that mistakenly identified legitimate windows system files as Trojan.Downloader.ED
    • The offending update was v2013.04.15.12, and was only available on their site for 8 minutes before it was pulled when the error was discovered
    • This is not the first time an AV vendor has made such a mistake, in fact most all vendors have had such an incident
    • In the constant battle to ensure users are protected against the latest threat, the chances of false positives and faulty updates causing issues is only increasing
    • MBAM has promised to enact new protocols to ensure updates are tested more thoroughly
    • MBAM Blog Post

    Inside Winnti, the Asian game hackers

    • Kaspersky Labs has published the results of their 18 month investigation of ongoing attacks against online game publishers and their users
    • The investigation started when a huge number of computers were found to contain malware, and the common thread between them all was that they were players on a specific online game from a publisher in Japan
    • It was later determined that the malware was installed on their computers as part of a legitimate update of the game software, from the official update servers
    • The publishers of the game were originally suspected of spying on their users, but it was quickly determined that it had been an attack on their servers, and that they were just being used as a trusted conduit to their userbase
    • When Kaspersky was asked to investigate the trojan that was found on the update server, they discovered that is contained a properly signed windows 64bit driver
    • The digital signature that was used belonged to another game publisher, KOG, from South Korea
    • Kaspersky notified the KOG and Verisign (who had issued the code signing certificate to KOG) and the certificate was revoked
    • As the investigation progressed, Kaspersky found that the Winnti group had infact managed to compromise more than a dozen different certificates
    • The Winnti group also appears to have sold access to these certificates to other attackers, as the certificates were used in attacks against Tibetan and Uyghur activists
    • The attackers also had three different ways to monetize their attacks:
      • The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.
      • Theft of source code from the online games server to search for vulnerabilities in games – often linked to the above
      • Theft of source code from the server part of popular online games to further deploy pirate servers
    • Technical Analysis
    • 95 page PDF Report

    Feedback

    Round Up:

Question? Comments? Contact us here!