
In an ironic twist of fate, The Onion suffers an embarrassing compromise that appears to match a new pattern of attack. We’ve got the details.
Plus picking the right open source load balancer, Google’s aggressive new disclosure policies, a big batch of your questions, and much much more!
Show Notes:
- On May 6th, The Onion published an article titled “The Onion’s Tips On How To Prevent Your Major Media Site From Being Hacked”
- That article was featured on TechSNAP 109
- As it turns out, starting on May 3rd the Syrian Electronic Army had begun its operation to infiltrate The Onion
- The attack started with a very simple phishing email containing a link that looked like it went to a story at the Washington Post, but actually went to a hacked WordPress site
- The link then automatically forwarded the user to a different site, which asked for the user’s Google Apps credentials
- “These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack. At least one Onion employee fell for this phase of the phishing attack”
- Once the attackers had compromised the account of one Onion employee, they used that account to send a much more convincing email to more employees. This email, coming from a trusted address, had a higher success rate
- Two employees entered their Google Apps credentials into the rogue website; one of those employees had access to all of The Onion’s social media accounts
- After this attack was discovered, the IT Security group sent out an email to all employees telling them to reset their passwords
- The attackers, using an additional compromised account that the security group did not know about, sent a nearly identical email to all employees; this one included a link disguised as a password-reset link
- The attackers purposely removed all members of the Tech and IT Security Group from the distribution list for the fake password reset email, so it went undetected
- This final attack compromised another employee who had access to The Onion’s Twitter account, which resulted in their account falling into the wrong hands a second time
- “In total, the attacker compromised at least 5 accounts”, but seeing as the security group had no way of telling how many other accounts may have been compromised, they forced a password reset on all Google Apps accounts
- The Onion decided to have some fun at the expense of the attackers and published an article about their impending death
- The SEA responded by posting some confidential emails they had gained access to
- The Syrian Electronic Army has also taken credit for compromising numerous other media outlets’ social media accounts:
- The Financial Times also posted a similar post-mortem of the attack against them
- The attack appears to have been nearly identical: a generic phishing attack with a disguised link to compromise one or more Google Apps accounts, then using that access to send a fake password reset email from a trusted inside address
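A defender-side check for the two tricks in this attack chain, as an added example (not code from The Onion, the FT or the show): it parses an HTML mail body and flags anchors whose visible text names a different host than the href points to, and, for messages that claim to be password resets, links that leave the organisation’s own domains. TRUSTED_DOMAINS and the sample message are constructed placeholders.

```python
"""Flag phishing-style links in an HTML email body: an anchor whose visible
text names one domain while its href goes elsewhere, and a password-reset
link that leaves the organisation's own domains. Sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"theonion.example", "google.com"}  # assumed org + IdP domains

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lower-cased hostname of a URL or bare domain, minus a leading www."""
    s = s.strip() if "://" in s else "http://" + s.strip()
    h = (urlparse(s).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(html_body, password_reset=False):
    """Return (reason, shown, actual) for each link that deserves a look."""
    p = _AnchorCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.links:
        actual = _host(href)
        # Treat the visible text as a claimed destination only if it looks like one.
        shown = _host(text) if re.search(r"\w+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != actual:
            findings.append(("display-mismatch", shown, actual))
        elif password_reset and actual and not _trusted(actual):
            findings.append(("reset-link-offsite", text, actual))
    return findings

if __name__ == "__main__":  # constructed lure, not a real Onion message
    lure = '<a href="http://hacked-blog.example/wp/go">www.washingtonpost.com/story</a>'
    print(suspicious_links(lure))  # [('display-mismatch', 'washingtonpost.com', 'hacked-blog.example')]
```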
- In 2010, the Google Security Team established its guidelines for responsible disclosure which stated that when a researcher finds a vulnerability, the vendor has 60 days from notification to issue a patch or disclose the vulnerability to the public
- If a patch or disclosure were not made after 60 days, the Google Security Team would support the researcher disclosing the details of the vulnerability to the public themselves
- Based on the growing security risk and some vendors taking unreasonable amounts of time to fix vulnerabilities, the Google Security Team has revised their policy
- If a vulnerability is being actively exploited, the Google Security Team will support researchers disclosing the details of the vulnerability after only 7 days
- The Google team believes that after 7 days, while a vulnerability is being actively exploited, the general public, and specifically the people who are being actively exploited, are better served by knowing about the vulnerability and being able to take steps to mitigate the problem, until a patch can be issued
- “Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly.”
- “companies should fix critical vulnerabilities within 60 days – or, if a fix is not possible, they should notify the public about the risk and offer workarounds”
- Background on Full Disclosure, Essay by Bruce Schneier
- Jails vs Containers
- [An Overview of Security in the FreeBSD Kernel](https://www.bsdcan.org/2013/schedule/events/417.en.html)
- OSS Load Balancer?
- FiOS customer discovers the limits of “unlimited” data: 77TB a month
- Contractor targeted in attack attributed to China; ASIO (Australian Security Intelligence Organisation) building blueprints and security system schematics stolen – Video describing the attack
- Log file vulnerability in Apache server
- A closer look at the recent Linux Kernel exploit CVE-2013-2094
- PayPal.com XSS Vulnerability
- Hard coded credentials in ICS systems (FTP) TURCK BL20 and BL67 Programmable Gateways
- Apple pushes update to QuickTime for Windows, fixes 12 vulnerabilities
- Google researchers find 13 new critical flaws in Flash Player:
- CVE-2013-2728
- CVE-2013-3324
- CVE-2013-3325
- CVE-2013-3326
- CVE-2013-3327
- CVE-2013-3328
- CVE-2013-3329
- CVE-2013-3330
- CVE-2013-3331
- CVE-2013-3332
- CVE-2013-3333
- CVE-2013-3334
- CVE-2013-3335
- Make sure you are using Flash 11.7.700.202 or newer