Exploit Brokers | TechSNAP 119

The business of selling 0day exploits is booming; we’ll explain how this shady market works, and how a couple of guys turned a Verizon Network Extender into a spy listening post.

A huge batch of your questions…

And much much more, on This week’s TechSNAP!

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5

Visit techsnap.ting.com to save $25 off your device or service credits.

Yahoo to start recycling disused email addresses, introduces new security feature to prevent abuse

  • Yahoo’s email service has been running for a very long time
  • As such, many of the best usernames are taken, even though many of them have not been used in a decade
  • So, Yahoo plans to start recycling those addresses that are no longer used
  • The obvious problem with a move like this is that if there are any accounts still tied to this old email address, the new owner can request a password reset to the email address that they now control, and take over that account
  • Yahoo’s developers have come up with a rather ingenious way to prevent this, although it only works if third-party services implement it on their side (Facebook already has)
  • Yahoo’s mail servers will now respect the non-standard header ‘Require-Recipient-Valid-Since’
  • The idea is that when Facebook sends a password reset email, it includes this header with the date the Facebook account was created. If the Yahoo email address is NEWER than that date, it may no longer belong to the same person, so Yahoo sends a bounce message back to Facebook rather than delivering the email
  • This prevents someone from acquiring the disused email address and performing the password reset
  • Yahoo has created an IETF Draft specification for this header, if ratified, it will become an internet standard and be added to the IANA Permanent Message Header Field registry
  • It is not yet clear if other services such as Twitter will implement this
  • It seems unlikely that Online Banking and other services will implement this system, so make sure all of your online services have a valid current email address, preferably one you plan to keep for the long term
  • Yahoo Developers Blog
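To make the mechanism concrete, here is an added example (not Yahoo’s or Facebook’s code) of the decision a receiving mail server makes when it honours Require-Recipient-Valid-Since. The header syntax assumed is the one from RFC 7293, which the IETF draft mentioned above became: the recipient address, a semicolon, and an RFC 5322 date-time. The mailbox table and the sample messages are constructed for the example.

```python
"""Added example: a minimal Require-Recipient-Valid-Since (RRVS) check.

Models the behaviour described in the show notes: the sender states when
it last confirmed the recipient address; the receiving server bounces the
message if the mailbox was (re)assigned to its current owner after that
date. Header syntax follows RFC 7293: "<addr-spec>; <RFC 5322 date-time>".
"""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed sample data: the date each mailbox was assigned to its
# current owner. A recycled address carries a recent date.
MAILBOX_VALID_SINCE = {
    "alice@example.net": datetime(2005, 3, 1, tzinfo=timezone.utc),   # long-held
    "bob@example.net": datetime(2013, 7, 15, tzinfo=timezone.utc),    # recycled in 2013
}


def parse_rrvs(value):
    """Parse 'addr; date-time' into (lower-cased address, aware datetime)."""
    addr, sep, date_text = value.partition(";")
    if not sep:
        raise ValueError("RRVS header must be '<address>; <date-time>'")
    when = parsedate_to_datetime(date_text.strip())
    if when.tzinfo is None:          # "-0000" yields a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def should_deliver(raw_message, recipient, mailboxes=MAILBOX_VALID_SINCE):
    """Return (deliver: bool, reason: str) for one envelope recipient."""
    msg = message_from_string(raw_message)
    value = msg.get(HEADER)
    if value is None:
        return True, "no RRVS header; ordinary delivery"
    addr, confirmed_at = parse_rrvs(value)
    if addr != recipient.lower():
        # The header only constrains the address it names.
        return True, "RRVS names a different recipient; ignored"
    valid_since = mailboxes.get(recipient.lower())
    if valid_since is None:
        return False, "unknown mailbox"
    if valid_since > confirmed_at:
        return False, (f"mailbox reassigned on {valid_since.date()}, after the "
                       f"sender's confirmation date {confirmed_at.date()}; bounce")
    return True, "mailbox unchanged since the sender confirmed it"


# Constructed sample: a password-reset mail that asserts the account was
# registered with this address on 1 Jan 2012.
RESET_TEMPLATE = (
    "From: no-reply@social.example\r\n"
    "To: {to}\r\n"
    "Subject: Password reset\r\n"
    "Require-Recipient-Valid-Since: {to}; Sun, 01 Jan 2012 00:00:00 +0000\r\n"
    "\r\n"
    "Click the link to reset your password.\r\n"
)


def demo():
    """Run the check against both sample mailboxes."""
    return {
        to: should_deliver(RESET_TEMPLATE.format(to=to), to)
        for to in ("alice@example.net", "bob@example.net")
    }


if __name__ == "__main__":
    for to, (deliver, reason) in demo().items():
        print(f"{to}: {'DELIVER' if deliver else 'BOUNCE'} ({reason})")
```

Alice’s mailbox predates the 2012 registration, so the reset is delivered; Bob’s address was recycled in 2013, so the same message bounces and the new owner never sees the reset link. A message that carries no header is delivered as before, which is why the protection only helps for senders that add it.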

The business of selling 0day exploits is booming

  • There are a number of businesses selling zero day exploits including: Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln in Malta
  • There is also a Virginia startup called Endgame, apparently involving a former director of the NSA, which is doing a lot of undisclosed business with the US Government
  • The USA, Israel, Britain, Russia, India and Brazil spend staggering amounts of money buying these exploits
  • Many other countries including North Korea, a number of Middle Eastern intelligence agencies, Malaysia and Singapore are also in the market
  • These exploits have value both offensively and defensively, if you know the details of a zero day exploit, you can better protect yourself from others who may know about it as well
  • However if you report it to the vendor so it gets patched, you protect everyone, but lose the offensive value
  • The average zero-day exploit goes undetected for 312 days before it gets used enough that AV vendors notice it and it gets reported and patched
  • Services like Vupen charge $100,000/year for access to their catalogue, with varying prices of the actual exploits
  • Netragard only sells to US clients, and reports that the average flaw now sells from $35,000 to $160,000
  • In years past, rather than selling these flaws to companies like Vupen and ReVuln, who then sell them to governments, security researchers would report them to vendors like Microsoft and Google, just for the recognition and sometimes a t-shirt
  • Many vendors now have bug bounty programs to reward researchers for reporting vulnerabilities, rather than keeping them, using them or selling them
  • To counter this, Microsoft recently raised its bug bounty reward program, now up to $150,000

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ


Round Up:
