SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.

Plus a great batch of your questions, our answers!

Thanks to:

Show Notes:

D-Link finally released fix for some vulnerable routers, over a month late

• In TechSNAP 132 (October 17 2013) we told you about a flaw in D-Link routers that allowed an attacker to entirely bypass the authentication system
• Any user accessing a vulnerable device with the string “xmlset_roodkcableoj28840ybtide” (backwards: edit by 04882 joel backdoor) as their useragent is granted administrative privileges
• D-Link promised to issue fixed firmware by the end of October
• That updated firmware has finally be released, in December
• Newer firmware does not seem to be available for all of the devices

2 Million passwords stolen by Key logging malware

• Spider Labs managed to take over a Pony botnet controller
• The botnet of infected machines was harvesting passwords with a keylogger
• Total Haul:
• ~1,580,000 website login credentials stolen
• ~320,000 email account credentials stolen
• ~41,000 FTP account credentials stolen
• ~3,000 RDP credentials stolen
• ~3,000 SSH account credentials stolen
• Top Domains:
  • 325,000 Facebook
  • 70,000 Google
  • 60,000 Yahoo
  • 22,000 Twitter
  • 8,000 Linkedin
• While the statistics make it look like many of the compromised machines were from the Netherlands, it seems most of the traffic was from a few IP addresses that seem to have been acting as reverse proxies for the infected machines
• Strength of the observed passwords:
  • 6% Terrible
  • 28% Bad
  • 44% Medium
  • 17% Good
  • 5% Excellent
• Conclusion: Even have years of being told to pick good unique passwords, and after multiple breaches like MySpace, Gawker, LinkedIn, and Adobe etc, people still choose terrible passwords
• Additional Coverage

• GoDaddy ad: https://hostcabi.net/hosting_infographic Godaddy hosts one of the largest proportion of the 100,000 most popular websites on the Internet

Hackers courted by Governments for Cyber Warfare jobs

• Rolling Stone does profiles and Interviews at HackMiami, a meetup for hackers to show off their skills to corporate and government recruiters. There is also a ‘Cyber War Games’, where hackers simulate attacks against various targets and networks
• One recruiters pitch: “We built an environment that allows people to legally do the things that would put them in jail”
• “A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on. “
• Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
• In one profile, Rolling Stone looks at ‘Street’, an expert at social engineering. “Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”” — The digital equivalent to a clipboard
• “To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely. “

Feedback:

• Dedup in ZFS is a bad implementation

• Using SSD drives for storage?

  • Enterprise Drive Pricing:
  • Intel DC S3700 100, 200, 400 and 800GB: $2.50/GB
  • WD NL SAS: 1TB: $0.135/GB
  • WD NL SAS: 2TB: $0.115/GB
  • WD NL SAS: 3TB: $0.106/GB
  • WD NL SAS: 4TB: $0.092/GB
  • Seagate Barracuda SATA (Desktop): 3TB: $0.030/GB

• Forward Secrecy

• Web Site Hosting

• Google and DNS reflection attacks

• Worst leak in Icelands history

• Contact Server?

Round Up:

• Hack on JPMorgan website exposes data for 465,000 card holder
• Brazilian ISP appears to be suffering DNS poisioning or hijack causing users to received malware instead of Google Analytics
• USB 3.1 connector will be square, fit either way up
• Ways the NSA might break SSL/TLS
• Microsoft blogs about their renewed commitment to privacy and security, expanded encryption
• A paper describing DANE to augment or replace SSL CAs using DNSSEC
• Court: Open Source Project Liable For 3rd Party DRM-Busting Coding
• Why people are so bad at picking passwords
• US Nuclear launch code was 00000000
• Yet Another PoS Skimmer
• OCZ the SSD and computer peripheral manufacturer going out of business