
Bad sysadmin habits lead to a major data breach, DNS gets weaponized, and ICANN holds their grand key ceremony.
Plus a great batch of your questions, our answers, and much much more!
All this week, on TechSNAP!
— Show Notes: —
Hackers who breached the Neiman Marcus payment system set off 60,000 monitoring alerts that were ignored
- The attackers who breached the Neiman Marcus network remained inside the network, undetected for at least 8 months
- Throughout that time, they were detected by automated systems, but the alerts were never acted upon
- In some cases, the malware was removed from the systems, but the attackers just installed it again
- It is unclear whether the removal was due to anti-virus software. More likely, by the sound of the article (which says the malware was “removed daily”), the cash register systems were ‘deep frozen’ and reset to a standard configuration on reboot, after which the attackers simply reinfected them
- It appears the attackers were not the same ones as those who breached Target’s network
- The malware used was significantly different and appeared less sophisticated, but it was also given a name very similar to that of the PoS software in order to avoid detection
- “These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” Ginger Reeder, a spokeswoman for Neiman Marcus said
- It is important to eliminate, filter, or suppress false positives in order to make alerts useful
- What is the point of having the alerts if there are so many that they cannot be read, let alone investigated or acted upon?
- This is a common flaw in monitoring systems, where too many false positives cause “the boy who cried wolf” syndrome
- NASA recently released the results of its investigation into a mishap where an astronaut’s helmet filled with water during a space walk (EVA) – It found that the issue should have been identified sooner, when there were problems on a previous EVA. The conclusion that the water in the suit during the previous EVA came from a leaking drink bag was never challenged or investigated
- “The occurrence of minor amounts of water in the helmet was normalized.”
- When small amounts of water collected in the helmet on numerous previous missions, it became considered normal and ignored. The great risk was never considered, and the root cause was never investigated nor solved
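The Neiman Marcus story is really about what to do with 60,000 endpoint alerts. The example below is an added one, not from the article or any vendor: it assumes a constructed log format of “date host action threat-name” and collapses per-event alerts into per-host recurrence, so that a threat that keeps being “removed” on the same registers day after day surfaces as a reinfection loop rather than noise, and then flags threat names that mimic a legitimate PoS binary (the binary names here are made up).

```python
import re
import difflib
from collections import defaultdict

# Constructed sample endpoint-protection log (not from the article).
# Assumed format: "<date> <host> <action> <threat-name>"
SAMPLE_LOG = """\
2013-07-16 reg-0412 removed PosSvc.exe
2013-07-16 reg-0412 allowed PosService.exe
2013-07-17 reg-0412 removed PosSvc.exe
2013-07-17 reg-0977 removed PosSvc.exe
2013-07-18 reg-0412 removed PosSvc.exe
2013-07-18 reg-0977 removed PosSvc.exe
2013-07-19 reg-0412 removed PosSvc.exe
2013-07-19 reg-0977 removed PosSvc.exe
2013-07-19 reg-1301 removed Generic.Adware
2013-07-20 reg-0412 removed PosSvc.exe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LEGIT_POS_BINARIES = {"PosService.exe"}  # hypothetical legitimate PoS binary

def parse(log):
    """Yield (date, host, action, threat) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def recurring_removals(log, min_days=3):
    """Collapse raw alerts into (threat, host) pairs and keep only those
    removed on at least `min_days` distinct days. A threat that comes back
    after every removal is a reinfection loop, i.e. a live foothold."""
    days = defaultdict(set)
    for date, host, action, threat in parse(log):
        if action == "removed":
            days[(threat, host)].add(date)
    findings = defaultdict(list)
    for (threat, host), seen in days.items():
        if len(seen) >= min_days:
            findings[threat].append((host, len(seen)))
    return {t: sorted(h) for t, h in findings.items()}

def lookalike_names(findings, legit=LEGIT_POS_BINARIES, threshold=0.75):
    """Flag recurring threat names that closely resemble a legitimate PoS
    binary name; the article notes the malware was named to blend in."""
    out = {}
    for threat in findings:
        for good in legit:
            ratio = difflib.SequenceMatcher(None, threat.lower(), good.lower()).ratio()
            if threat != good and ratio >= threshold:
                out[threat] = good
    return out
```

Run on the sample, ten alerts reduce to one finding on two registers plus one name-similarity hit; the one-off adware removal is dropped, which is the kind of triage that turns a daily log into something a human will actually read.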
Intel announces new SSD 730, an enterprise SSD overclocked for the desktop (Controller: 50%, NAND: 20%)
- SSD 730 480GB: 550/470 MB/s read/write, 89000/74000 read/write random IOPS, 70GB/day (128 TB/5yr) endurance
- SSD DC S3500 480GB: 500/410 MB/s read/write, 75000/11000 read/write random IOPS, 150GB/day (275 TB/5yr) endurance
Security vendor Team Cymru releases whitepaper on SOHO Pharming
- Attack has changed the DNS settings on as many as 300,000 routers
- Models Include: AirLive, D-Link, Micronet, Tenda and TP-Link
- Some of the attacks use JavaScript to make your computer log in to your router and change the DNS settings
- It is possible some of the attacks make use of CSRF and other techniques, including one that can reset the admin password on the router to null, allowing the first attack to then change the DNS settings
- One variant is mostly targeting users in Vietnam and India, while a second targets users in Poland and Russia
- The targeting may have more to do with the infection vector: if the malicious code that compromises the router is placed on specific websites, it would in effect act as a watering hole attack
- Users in Poland were having their banking sessions hijacked, as the DNS servers returned an incorrect IP for the bank’s site and allowed the attackers to perform a MitM attack
- The last page of the PDF includes an informative timeline of attacks against SOHO devices
- Researcher PDF
- Additional Coverage
I know why you went to the Clinic – An attack on HTTPS privacy
- “HTTPS is far more vulnerable to traffic analysis than has been previously discussed by researchers”
- Novel attack technique capable of achieving 89% accuracy over 500 pages hosted at the same website, as compared to 60% with previous techniques
- Impact of caching and cookies on traffic characteristics and attack performance, affecting accuracy by as much as 18%
- Novel defense reducing accuracy to 27% with a 9% traffic increase; significantly increased effectiveness of packet level defenses in the HTTPS context
- This new type of attack could allow an attacker to figure out which specific pages of a site you visited
- The paper also proposes defensive systems to make the attack harder
- The paper postulates a number of scenarios where this type of information is extremely private and possibly valuable. Examples include health care information about politicians and CEOs (citing how both true and false rumors about Steve Jobs’ health moved Apple’s stock price), or learning whether an individual is considering filing for divorce, or whether a company is filing for bankruptcy protection.
- The attacks may have a number of motivations, including: Advertising (especially by ISPs), employee and security monitoring, (NSA style) surveillance, or even censorship (a number of countries have attempted to attack HTTPS in order to censor specific content or messages).
Feedback:
Round up:
- MtGox code posted by hackers as company files for bankruptcy protection
- Illinois Bank tells customers to use cash when paying for a taxi in Chicago due to persistent fraud
- Target CIO Resigns in Wake of Massive Data Breach
- gnuTLS vulnerability causes applications to accept invalid certificates
- Cyber warfare between Russia and Ukraine heating up, with attacks on and defacements of news sites and mobile networks
- Does your employer perform HTTPS MitM attacks on its employees?
- The keys to the Internet (or rather the DNS root)
- OpenShift brings support for Windows Server, .NET and MSSQL Apps to OpenStack
- Snowden leaks give the IETF (Internet Engineering Task Force) a needed wakeup call on security and privacy
- Sands casino website hacked, some customer data stolen