
The nasty Apache malware we’ve been telling you about has spread to nginx and lighttpd; we’ll update you on the latest.
Plus hackers get access to control systems at Google, a big batch of your questions, and much much more.
On this week’s TechSNAP.
Show Notes:
- ESET has found more than 400 web servers infected with Cdorked, including sites ranked in Alexa’s top 100,000
- Thanks to information shared with ESET by system administrators of some of the infected sites, ESET now has the modified binaries of nginx and lighttpd as well as Apache
- Originally I thought the story may have been incorrect, that it was just infected apache behind nginx, but there are actually modified nginx binaries as well
- It is still unclear how the servers are being compromised before the backdoored binaries are installed, but the small number of victims suggests this is not a ‘class break’ (one flaw that hits everyone running the software) and that the servers are being specifically targeted
- ESET has managed to analyze the configuration of the backdoor and find even more ways that Cdorked attempts to evade detection
- The configuration contains a very long blacklist of IP addresses that are never redirected to the exploit kit; this list may be harvested from administrative logins on the compromised servers, so the people most likely to notice never see the malicious behaviour
- The servers do not attempt to infect anyone whose browser language is set to Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian
- ESET says 100,000 of its users have browsed to a page with a Cdorked redirection which was then blocked by their software
- Cdorked only seems to target Internet Explorer 7+ and Firefox on Windows XP, Vista, 7 and 8, specifically ignoring Chrome, Opera and all devices running Linux or BSD
- Cdorked seems to have a special redirection for iPhone and iPad devices, instead of delivering windows malware, the mobile devices are redirected to a page with links to pornographic pay sites
- The malware currently being delivered by the infected sites is identified as Win32/Glupteba.G
- SHA-1 hashes of known-bad binaries:
- a53a30f8cdf116de1b41224763c243dae16417e4 bad-apache
- a51b1835abee79959e1f8e9293a9dcd8d8e18977 bad-nginx
- dd7846b3ec2e88083cae353c02c559e79124a745 bad-lighthttpd
- ee679661829405d4a57dbea7f39efeb526681a7f bad-apache-x64-with-symbols
- 5b87807b4a1796cfb1843df03b3dca7b17995d20 bad-apache-i386
- 03592b8147e2c84233da47f6e957acd192b3796a bad-apache
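A quick way to put the hash list above to use is to check the web server binaries actually installed on a host against it. The script below is an added example written for these show notes; it is not ESET’s tool and not code from the original page. The candidate install paths are assumptions for typical packaged and source builds and should be adjusted for your distribution.

```python
import hashlib
import os

# SHA-1 indicators for the Cdorked binaries listed in the show notes,
# keyed by hash so a lookup is a single dict access.
CDORKED_SHA1 = {
    "a53a30f8cdf116de1b41224763c243dae16417e4": "bad-apache",
    "a51b1835abee79959e1f8e9293a9dcd8d8e18977": "bad-nginx",
    "dd7846b3ec2e88083cae353c02c559e79124a745": "bad-lighthttpd",
    "ee679661829405d4a57dbea7f39efeb526681a7f": "bad-apache-x64-with-symbols",
    "5b87807b4a1796cfb1843df03b3dca7b17995d20": "bad-apache-i386",
    "03592b8147e2c84233da47f6e957acd192b3796a": "bad-apache",
}

# Assumed default install paths for the three affected servers; adjust
# for your distribution or a custom --prefix.
CANDIDATE_BINARIES = [
    "/usr/sbin/httpd", "/usr/sbin/apache2",
    "/usr/lib/apache2/mpm-prefork/apache2", "/usr/local/apache2/bin/httpd",
    "/usr/sbin/nginx", "/usr/local/nginx/sbin/nginx",
    "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
]


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def match_known_bad(path: str, iocs: dict = CDORKED_SHA1):
    """Return the IoC label when the file's SHA-1 is a known sample, else None."""
    return iocs.get(sha1_file(path))


def scan(paths=CANDIDATE_BINARIES, iocs: dict = CDORKED_SHA1) -> dict:
    """Map each existing path to its IoC label (or None).

    Symlinks are resolved so the binary that actually executes is the one
    hashed; paths that do not exist are skipped rather than reported.
    """
    results = {}
    for path in paths:
        real = os.path.realpath(path)
        if os.path.isfile(real):
            results[path] = iocs.get(sha1_file(real))
    return results


if __name__ == "__main__":
    found = scan()
    for path, label in found.items():
        print(f"{'INFECTED' if label else 'clean   '} {path} {label or ''}")
    if not found:
        print("no web server binaries found at the candidate paths")
```

A hash match is a positive confirmation; a miss is not a clean bill of health, since a rebuilt or recompiled backdoor will not match any of these six samples. Pair this with the package manager’s own integrity check (`rpm -V httpd`, `debsums -c apache2`, `dpkg --verify`) and, on a positive hit, image the host before remediating rather than just replacing the binary.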
- Cylance is running a world-wide project to identify vulnerable Industrial Control Systems
- While reviewing the logs of their scans, they stumbled across a particularly interesting result
- The Tridium Niagara building management system (BMS) for Google Wharf 7, exposed directly on the Internet
- They were able to interrogate the device and find out it was running a slightly outdated version of Tridium Niagara on an embedded QNX machine
- They were also able to extract the config.bog file, which contains the username and ‘encoded’ password for every user on the system; the passwords are reversibly encoded rather than hashed, so anyone who can read the file recovers every credential
- With the administrative password, Cylance could have rooted the device and had persistent access
- The researchers reported the issue to Google, who quickly pulled the ICS system offline
- “At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations”
- Tridium claims on its website that “there are over 245,000 instances of the Niagara Framework deployed worldwide.”
- Cylance scans showed 25,000 similarly vulnerable systems facing the Internet
- “If Google can fall victim to an ICS attack, anyone can.”
- Additional Coverage – ThreatPost
- This story covers some of the interesting information you can get from even just a few packets off someone else’s network
- By analyzing the packet capture RSA released, a lot can be gleaned about the network it was captured on
- First, the source MAC address in the captured frame starts with 00:50:56, an OUI block assigned to VMware, so, as you might expect, the researcher was running the sample inside a VMware virtual machine
- Next, the destination MAC address (the router on the local network) belongs to 2Wire, suggesting a small home-grade router
- The source IP address is 192.168.0.106, an RFC 1918 private address, which is what you would expect for a device behind a NAT home router
- The destination IP address is the command and control server, 58.64.155.59, in Hong Kong
- The IP TTL is 128, which suggests the source machine (the VM) is Windows; FreeBSD and Linux start at 64. Because the observed value is exactly a default starting value, the capture was taken on the sending host or its local segment, before any router had decremented it
- The source port is low (in the 1025–5000 range) rather than high, which points to Windows XP or older; Vista and later pick ephemeral ports from 49152–65535
- Original RSA Story “Lions at the watering hole”
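The inferences above can be reproduced mechanically from the raw headers. The following is an added example written for these notes, not code from the original story or from RSA: it parses a constructed Ethernet/IPv4/TCP frame that reproduces the observations (VMware source OUI, RFC 1918 source, TTL 128, low source port) and applies the same OUI, TTL and port heuristics. The frame bytes, the destination port 80, the host octets of the MAC addresses and the 2Wire OUI 00:1f:b3 in the lookup table are assumptions for illustration, not values from the capture.

```python
import ipaddress
import struct

# Minimal OUI table. 00:50:56 is VMware (stated in the notes). 00:1f:b3 is
# assumed to be a 2Wire block for illustration; confirm against the IEEE
# OUI registry before relying on it.
OUI_VENDORS = {
    "00:50:56": "VMware, Inc.",
    "00:1f:b3": "2Wire, Inc. (assumed)",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui_vendor(mac: str) -> str:
    return OUI_VENDORS.get(mac[:8].lower(), "unknown OUI")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / TCP headers out of one raw frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(ip) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", ip[ihl:ihl + 20])
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "src_ip": str(ipaddress.IPv4Address(src_ip)),
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "ttl": ttl, "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "tcp_flags": off_flags & 0x1FF,
    }


def ttl_os_guess(ttl: int) -> tuple:
    """Map an observed TTL to (initial TTL, OS family, hops since origin).

    Windows starts at 128, Linux/BSD/macOS at 64, Solaris and many network
    devices at 255; each router on the path subtracts one.
    """
    for initial, family in ((64, "Linux/FreeBSD/macOS"), (128, "Windows"),
                            (255, "Solaris/network device")):
        if ttl <= initial:
            return (initial, family, initial - ttl)
    raise ValueError("TTL out of range")


def ephemeral_port_hint(port: int) -> str:
    """Windows XP and earlier pick client ports from 1025-5000; Vista and
    later use the IANA dynamic range 49152-65535 (as does BSD); Linux
    defaults to 32768-60999, which overlaps the IANA range."""
    if 1025 <= port <= 5000:
        return "windows-xp-or-older"
    if 49152 <= port <= 65535:
        return "vista-or-later-or-bsd"
    if 32768 <= port < 49152:
        return "linux-default-range"
    return "unknown"


def build_sample_frame() -> bytes:
    """Constructed frame reproducing the observations in the notes; it is
    not the RSA capture. Host octets, IP ID, seq number and port 80 are
    made up."""
    eth = (bytes.fromhex("001fb3aabbcc") + bytes.fromhex("005056112233")
           + struct.pack("!H", 0x0800))
    fields = [0x45, 0, 40, 0x1234, 0x4000, 128, 6, 0,
              ipaddress.IPv4Address("192.168.0.106").packed,
              ipaddress.IPv4Address("58.64.155.59").packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    tcp = struct.pack("!HHIIHHHH", 1041, 80, 0x1000, 0, 0x5002, 65535, 0, 0)
    return eth + ip + tcp


def analyze(frame: bytes) -> dict:
    """Turn one parsed frame into the same inferences drawn in the notes."""
    p = parse_frame(frame)
    _initial, family, hops = ttl_os_guess(p["ttl"])
    return {
        "src_vendor": oui_vendor(p["src_mac"]),
        "dst_vendor": oui_vendor(p["dst_mac"]),
        "src_private": ipaddress.ip_address(p["src_ip"]).is_private,
        "dst_private": ipaddress.ip_address(p["dst_ip"]).is_private,
        "os_family": family,
        "hops_from_capture": hops,
        "sport_hint": ephemeral_port_hint(p["sport"]),
        "syn_only": p["tcp_flags"] == 0x002,
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample_frame()).items():
        print(f"{key:18} {value}")
```

The TTL heuristic is only as good as the hop count you can account for: a value of 128 seen at an Internet vantage point several hops away would imply a start value above 128 and a non-Windows stack, so always pair the guess with where the capture was taken. The port heuristic has the same caveat for Linux hosts, whose default range overlaps the Windows Vista+ range.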
- Why Intel’s “How Strong is Your Password?” site can’t be trusted
- Intel’s Page: How Strong is Your Password?
- New tool iSniffGPS released on github allows you to determine where an iPhone owner lives
- A FOIA request by MuckRock gets the NSA’s internal Google-hacking guide released: Untangling the Web (651-page PDF) – Wired Coverage
- Reports: Facebook Is Buying Social Mapping/Traffic App Waze For Up To $1B
- The Onion presents: Tips on how to prevent your major media site being hacked
- Hackers gain access to all .edu domains
- Bruce Schneier – Why Collecting More Data Doesn’t Increase Safety