We’ll cover Dropbox’s two-factor authentication flaw, how “Team Telecom” forced fibre providers to enable surveillance, and the FBI’s warning about phishing attacks.
A great big batch of your questions, our answers, and much, much more!
Dropbox flaw allows attackers to circumvent two-factor authentication
- If an attacker is able to get the username and password for your Dropbox account, they can access your account even if you have enabled two-factor authentication
- Dropbox does not verify the email address used to sign up for a new account; because of this, the attacker can sign up for a new account with your email address and just append a dot to the end of the domain name
- Log in to this new account and enable two-factor authentication
- Save the ‘emergency override code’, used in case you lose your phone
- Log out and log in to the victim account; when prompted for the one-time password, click “I lost my phone”
- Enter the emergency override code (it is the same for both accounts)
- It is not clear why a trailing dot on the email domain (which is valid) is enough to make the account unique, but does not make the override code unique
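The root cause is an identity check that treats two spellings of the same address as different accounts while letting them share recovery state. The following is an added example (not Dropbox's code) of the defensive pattern: canonicalise the address before it is used as an account key, and generate an unpredictable emergency override code per account rather than deriving it from anything shared. The `AccountStore` class and its method names are assumptions for illustration.

```python
import re
import secrets

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def canonical_email(addr: str) -> str:
    """Normalise an address so equivalent spellings map to one account key.

    A trailing dot on the domain is the absolute-domain spelling and must not
    create a distinct identity; DNS names are also case-insensitive.
    """
    addr = addr.strip()
    if not _EMAIL_RE.match(addr):
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.rstrip(".").lower()
    return f"{local}@{domain}"


class AccountStore:
    """Toy registry (an assumption, not a real API) keyed on the canonical address."""

    def __init__(self) -> None:
        self._accounts: dict[str, dict] = {}

    def register(self, addr: str) -> str:
        key = canonical_email(addr)
        if key in self._accounts:
            # "victim@example.com." collides with "victim@example.com" here,
            # so the second sign-up is refused instead of creating a twin.
            raise ValueError("address already registered")
        # Per-account, random override code; never shared or derived from the address.
        self._accounts[key] = {"override_code": secrets.token_hex(8)}
        return key

    def is_registered(self, addr: str) -> bool:
        return canonical_email(addr) in self._accounts

    def override_code(self, addr: str) -> str:
        return self._accounts[canonical_email(addr)]["override_code"]
```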
US Government established “Team Telecom” to force foreign-owned fibre providers to allow the government access to the data transiting them
- In 2003 the “Network Security Agreement” was signed between the US Government and Global Crossing, one of the largest internet transit providers, connecting 200 major cities in 27 nations on four continents
- “In months of private talks, the team of lawyers from the FBI and the departments of Defense, Justice and Homeland Security demanded that the company maintain what amounted to an internal corporate cell of American citizens with government clearances”
- The FCC would hold up approval of cable licenses until such agreements were in place
- The agreements required the transit providers to maintain a “Network Operations Center” (NOC) on U.S. soil. This NOC must be staffed with U.S. citizens pre-screened by the government and operating under gag orders, preventing the employees from sharing the information even with their bosses.
- Originally a US company, Global Crossing filed for Chapter 11 bankruptcy protection in 2002
- A deal was setup where a partnership between Singapore Technologies Telemedia and Hong Kong-based Hutchison Whampoa would buy Global Crossing
- The Hong Kong side of the partnership was pressured by the US Government and eventually withdrew. The US was worried that the Chinese Government would gain access to the US’s surveillance requests
- Singapore Technologies Telemedia eventually agreed to buy the majority stake in Global Crossing and that half of the new board of directors would consist of American citizens with security clearances
- This agreement has been used as a template for other foreign owned telcos and applied as foreign investors bought existing telcos from US investors
- In 2011 Global Crossing was sold to US telecom giant Level 3; however, ST Telemedia maintained a minority stake, resulting in another round of review by “Team Telecom”
- A spokesman for Level 3 Communications declined to comment for this article
- Tapping undersea cables has been a key component of US intelligence collection since WWII, the US Navy used to have a number of submarines specifically outfitted for tapping undersea copper phone lines to listen to sensitive traffic in the Soviet Union
- Infographic
FBI issues formal warning about targeted spear phishing
- Many of the very large compromises that we have covered lately were made possible by the attacker establishing an initial beachhead on a single machine, via spear phishing
- The compromises at The Onion and the Financial Times were both explained in detail after the fact and showed just how much damage an attacker can do once they get inside the network, and how easily they can get inside the network with spear phishing
- Many in the defense and aerospace industries have been targeted by highly sophisticated spear phishing campaigns, including professionally produced .pdf flyers for fake conferences that took advantage of flaws in Adobe Acrobat to infect the system
- According to research by AV vendor Trend Micro, 91% of all targeted attacks involved spear phishing in the initial phases
- Training firm PhishMe says their clients usually start at around 60% susceptibility, but training reduces this to single digits
- The PhishMe system works by sending your users different types of phishing emails, including links, attachments, etc.
- When the user falls for the phishing attempt, they are redirected to training pages, teaching them what they did wrong
- Enhanced versions will even disguise themselves to look like your company’s page, and prompt users to enter sensitive information. If they do, they are admonished and given further training
- This type of ongoing proactive training seems like the only real way to increase security, because typical training does not seem to work
MIT Media lab rolls out ‘Immersion’ tool to allow you to visualize your email metadata
- Logs in to your gmail via OAuth
- Looks at only the headers (To, From, CC, and timestamp)
- Builds a visualization of your ‘social graph’
- After you view the report, you have the option to allow them to save it, or ask them to erase it
- If you save a snapshot of your social graph, it is automatically deleted after 30 days
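To show what "only the headers" still reveals, here is an added example (not the Immersion tool's own code) that builds the same kind of social graph from nothing but From, To, Cc and Date, using the standard library. The three messages are constructed sample input; bodies are present but never read.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mailbox: realistic header layout, throwaway bodies.
SAMPLE_MESSAGES = [
    "From: alice@example.org\nTo: bob@example.org\nCc: carol@example.org\n"
    "Date: Mon, 08 Jul 2013 09:15:00 +0000\nSubject: lunch\n\nbody one\n",
    "From: bob@example.org\nTo: alice@example.org\n"
    "Date: Mon, 08 Jul 2013 10:02:00 +0000\nSubject: re: lunch\n\nbody two\n",
    "From: dave@example.org\nTo: alice@example.org, bob@example.org\n"
    "Date: Tue, 09 Jul 2013 18:30:00 +0000\nSubject: hi\n\nbody three\n",
]


def header_edges(raw: str):
    """Return (timestamp, sender, recipients) using only From/To/Cc/Date."""
    msg = message_from_string(raw)
    sender = getaddresses([msg.get("From", "")])[0][1].lower()
    recips = [a.lower() for _, a in
              getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return parsedate_to_datetime(msg["Date"]), sender, recips


def social_graph(messages):
    """Undirected weighted graph: how often each pair of addresses shares a message."""
    edges = Counter()
    for raw in messages:
        _, sender, recips = header_edges(raw)
        for r in recips:
            if r != sender:
                edges[tuple(sorted((sender, r)))] += 1
    return edges


def strongest_contacts(edges, who, n=3):
    """Rank the people `who` exchanges the most mail with; metadata alone suffices."""
    weight = Counter()
    for (a, b), w in edges.items():
        if who in (a, b):
            weight[b if a == who else a] += w
    return weight.most_common(n)
```

Even this tiny mailbox already yields who talks to whom, how often and when, which is why the page's point about automatic deletion of the saved graph matters.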
Feedback:
- Get a different Intel NIC; some of the onboard ones are less good
- service netif restart; service routing restart
TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ
Round Up:
- Attacker who compromised .pk domain root last year, claims to have access to Pakistan’s Federal Investigation Agency (FIA)’s servers that contain files on every citizen
- The problems with debugging software on mars
- Password sharing compromises 24,000 Nintendo accounts – more than 15 million login attempts were made, but only those accounts that shared a password with some other unknown (likely related) service were compromised
- 911 dispatch system in Detroit goes down, backup does not kick in. Apparently the backup had not been tested in over 2 years
- Federal Judge rejects “states secrets” claim, allows EFF case against illegal surveillance (originally filed against the GW Bush administration) to proceed
- Root SSH key for Emergency Broadcasting Systems compromised
- Audit finds US Economic Development Administration destroyed hardware after minor malware infection, including uninfected systems, printers, cameras and mice
- Team of famous security researchers write amicus brief in defense of weev in his trial over accessing data AT&T accidentally placed on their public website
- Android master key vulnerability checker now online
- ARM’s response to high efficiency vs. lower power: one chip for each, use as needed
- PirateBay founder brokep starts encrypted messaging service
- PC-BSD Now Uses a CDN