We’ll go inside some clever bank malware, and a dedicated server provider our very own Allan uses discovers a backdoor…
Plus: Picking the right virtual machine storage, a big batch of your questions, and much much more!
Thanks to:
Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order: just use our code go32off3 until the end of the month!
Show Notes:
- Security researcher Sherri Davidoff profiles the Blackhole exploit kit
- Walking us step by step through what the malware does once your computer is infected
- It starts with a simple phishing email, in this example just a plain email that says “Hi, as promised your photos.” with a link
- The unsuspecting user follows the link, and nothing much seems to happen and they continue about their day
- In actuality, their computer has now been infected with the Blackhole exploit kit
- A few days later, while visiting the website of their bank, the user is prompted by the page to verify their identity. Over a short period of time the attacker, using a man-in-the-browser (MITB) attack, was able to obtain:
  - The victim’s name
  - Phone number
  - Answers to security questions
  - RSA token value
- The attacker then used this information to wire themselves $49,500 out of the victim’s bank account
- However, because this was a large corporate account, the bank requires a second person to authorize such a transfer
- The attacker used the MITB attack to ask the victim for the name of that second person, which the user entered
- The attacker then asked for the email address of the second person, but at that point the user got suspicious and called the bank, and the account was quickly frozen
- Once the Blackhole exploit kit is installed on a computer, it loads updates and then continues to phone home once every 20 minutes, using a simple HTTP POST request
- The researcher also managed to capture a man-in-the-browser attack on video: when the user attempts to log in to the Bank of America site, the infected computer injects a page after the user submits the login form, but before the information is actually sent to the bank
- The injected page claims that the bank does “not recognize” your computer and asks you for a number of details, including your debit card number, social security number, date of birth and mother’s maiden name
- These details are not sent to the bank, but rather to the attacker, who can use them later to drain your account
- In more sophisticated attacks using this technique, the attacker is actually communicating with your system live, in order to take advantage of the information as you enter it, such as passing on to the victim the secret questions they are prompted for when trying to send a wire transfer
- This also allows attackers who are actively monitoring your computer while you access your account to take advantage of short-lived information, such as the current output of your RSA security token
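The beacon described above (an infected host POSTing to the same controller URL every 20 minutes) is exactly the kind of regularity a defender can hunt for in web proxy logs. The following is an added example, not code from the show or from the researcher's write-up: it parses constructed log lines (timestamp, client IP, method, URL; the address 198.51.100.7 and the `/gate.php` path are made up) and flags POST streams whose gaps between requests are nearly constant, which human browsing almost never produces.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic): timestamp, client IP, method, URL.
# Client 10.0.0.5 POSTs to the same URL every ~20 minutes; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2013-06-06T09:00:00 10.0.0.5 POST http://198.51.100.7/gate.php
2013-06-06T09:03:12 10.0.0.9 GET http://news.example/index.html
2013-06-06T09:20:01 10.0.0.5 POST http://198.51.100.7/gate.php
2013-06-06T09:31:40 10.0.0.9 POST http://mail.example/send
2013-06-06T09:40:00 10.0.0.5 POST http://198.51.100.7/gate.php
2013-06-06T09:58:05 10.0.0.9 GET http://news.example/story/42
2013-06-06T09:59:59 10.0.0.5 POST http://198.51.100.7/gate.php
2013-06-06T10:20:00 10.0.0.5 POST http://198.51.100.7/gate.php
2013-06-06T10:44:17 10.0.0.9 POST http://mail.example/send
"""


def parse_log(text):
    """Yield (timestamp, client, method, url) tuples from the simplified log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        yield datetime.fromisoformat(ts), client, method, url


def find_beacons(text, min_hits=4, max_jitter=0.05):
    """Return (client, url, mean_gap_seconds) for POST streams with near-constant spacing.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a timer-driven beacon sits close to zero,
    while human-driven traffic is far noisier.
    """
    series = defaultdict(list)
    for ts, client, method, url in parse_log(text):
        if method == "POST":
            series[(client, url)].append(ts)

    hits = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            hits.append((client, url, round(mean)))
    return hits


if __name__ == "__main__":
    for client, url, gap in find_beacons(SAMPLE_LOG):
        print("possible beacon: %s -> %s every %d s" % (client, url, gap))
```

Run against real proxy or firewall logs, the thresholds need tuning: legitimate software updaters also poll on timers, so the hit list is a starting point for triage (who is the destination, is it a known vendor, what is in the POST body) rather than a verdict.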
- Administrators at Hetzner discovered a backdoor on their Nagios monitoring server
- After further investigation, they discovered that their web interface for managing dedicated servers (called the Hetzner Robot) had also been infected
- This means some personal details of customers may have been exposed, including name, email address, phone number, hashed password, the last 3 digits of the credit card number, credit card type and expiration date
- The actual card number is never stored by Hetzner; it is passed directly to the payment processor, which returns a unique token that is used to reference that card in the future
- However, customers paying by direct debit (debit note) from their bank account may have had their bank details compromised: while that information is stored encrypted in the Hetzner database, the key may also have been compromised
- Passwords were SHA256 hashed with a salt, but it does not sound like they used sha256crypt
- “The malicious code used in the “backdoor” exclusively infects the RAM. First analysis suggests that the malicious code directly infiltrates running Apache and sshd processes. Here, the infection neither modifies the binaries of the service which has been compromised, nor does it restart the service which has been affected.”
- Hetzner has hired an external security company to do a more in-depth investigation
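The distinction drawn above between a single salted SHA-256 and sha256crypt is the difference between a hash that costs an attacker one digest per guess and one that costs thousands. The following is an added example, not Hetzner's code: it implements the weak scheme (one SHA-256 over salt and password) beside an iterated scheme, and times the offline verification cost per candidate. PBKDF2-HMAC-SHA256 from Python's standard library stands in for sha256crypt here (both stretch the work per guess by iterating, though sha256crypt's exact construction differs); the storage formats, round count and candidate list are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumption: the weak scheme is digest = SHA256(salt || password), stored with its salt.
# PBKDF2-HMAC-SHA256 is used below as a stand-in for sha256crypt: the point is iteration.
PBKDF2_ROUNDS = 100_000


def hash_salted_sha256(password, salt=None):
    """Weak: a single SHA-256 over salt+password; the salt only defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "sha256$%s$%s" % (salt.hex(), digest)


def verify_salted_sha256(password, stored):
    _, salt_hex, digest = stored.split("$")
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hash_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Stronger: iterated HMAC-SHA256; every guess costs `rounds` HMAC computations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2-sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_pbkdf2(password, stored):
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_per_guess(verify, stored, candidates):
    """Time an offline check of each candidate against one stored hash.

    This is what someone holding a leaked database pays per guess; for the
    defender, higher is better, since it caps how many guesses are affordable.
    """
    start = time.perf_counter()
    for word in candidates:
        verify(word, stored)
    return (time.perf_counter() - start) / len(candidates)


if __name__ == "__main__":
    # Constructed candidate list; no real credentials involved.
    candidates = ["password", "letmein", "hunter2", "qwerty", "Summer2013"]
    weak = hash_salted_sha256("correct horse")
    strong = hash_pbkdf2("correct horse")
    print("single salted SHA-256: %.2e s/guess" % seconds_per_guess(verify_salted_sha256, weak, candidates))
    print("PBKDF2-HMAC-SHA256:    %.2e s/guess" % seconds_per_guess(verify_pbkdf2, strong, candidates))
```

The salt in the weak scheme still matters (it forces a separate attack per account instead of one lookup table for all), but it does nothing about the speed of each guess; only the round count in the iterated scheme does that, and it should be raised over time as hardware gets faster.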
- English FAQ
- All Videos
- Allan Jude – Managing FreeBSD at Scale
- Paul Chvostek – Switching from Linux to FreeBSD
- Peter Hansteen – The Hail Mary Cloud And The Lessons Learned
- Pawel Jakub Dawidek – FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
- Kirk McKusick – An Overview of Security in the FreeBSD Kernel
- Shawn Webb – Runtime Process Infection Part 2
- Lenovo opens heavily automated assembly plant in North Carolina
- 0-day exploit for Plesk puts more than 360,000 Linux servers at risk; unknown if Windows servers are affected. Exposes /usr/bin
- China says it is the USA’s fault that their weapons designs were stolen, “Even following the general principle of secret-keeping, it should not have been linked to the Internet,”
- Vint Cerf worries that we won’t be able to access historical data due to the cost of maintaining backwards compatibility
- NSA collecting phone records of millions of Verizon customers daily
- Google researcher releases a working exploit for the Windows Kernel bug he disclosed earlier
- Car thieves may have a new device that unlocks many makes and models of vehicles
- Attackers use massive DDoS to mask exploit attack against EVE Online backend servers