Internet Over Packet Loss | TechSNAP 162

Posted on: May 15, 2014

We’ve got the definitive report on the Target breach, a flaw in single sign used all over the net, Level3 calls out broadband monopolies, and tech giants unite to save net neutrality.

Plus a huge batch of your question, our answer, and much much more!

Thanks to:

Direct Download:

RSS Feeds:

— Show Notes: —

Kill-Chain analysis of the Target breach

A report was prepared for the Senate Committee on Commerce, Science, and Transportation
Kill-Chain analysis involves looking at all of the things that could have been done to stop the attack from succeeding, and how or why they were not done. Kill-chain analysis was developed by security researchers at Lockheed Martin in 2011
“This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.“
“Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
“Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
“Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
“Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network”
“According to reports by Brian Krebs, a tailored version of the “BlackPOS” malware – available on black market cyber crime forums for between $1,800 and $2,300 – was installed on Target’s POS machines.“
“This malware has been described by McAfee Director of Threat Intelligence Operations as “absolutely unsophisticated and uninteresting.””
“Target’s FireEye malware intrusion detection system triggered urgent alerts with each installation of the data exfiltration malware. However, Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software”
The phases in the kill-chain:
- Recon – Research, identify and select targets
- Weaponize – Pair remote access malware with exploits (PDF files, Office files, Flash or Java exploits)
- Deliver – Transmission of weapon to target (email attachment/phishing, website/watering hole, USB drive)
- Exploit – Once delivered, weapon code is triggered, exploiting the vulnerable application or system
- Install – The weapon installs a backdoor allowing persistent access
- Command & Control – Outside server communicates with the weapon, allowing attackers inside the network
- Action – Attacker works to achieve objective, maybe exfiltration of data (credit cards, plans/designs, intelligence data), destruction of data, or further intrusion/island hopping
Background on Kill-Chain Analysis
Paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Serious vulnerability in OAuth and OpenID could leak information

A vulnerability in the OAuth and OpenID protocols has been found that count be used to trick a user into being redirected to a malicious site.
OAuth and OpenID are commonly used to allow a user to login or authenticate on a site using credentials from another site. For example many websites allow you to login using your existing Facebook, Google or Microsoft ID, rather than registering separately
OAuth is also used to authorize 3rd parties to perform actions on your behalf, such as allowing an application access to your Twitter account
The flaw could allow attackers to steal personal data from users and redirect them to questionable sites
This is especially dangerous, since a user on a trusted site, such as Facebook, could be tricked into loading content from an unsafe site, and doing so may also leak private data from Facebook to that unsafe site
“for OAuth 2.0, the attacks could primarily jeopardize the token of site users. If a user were to authorize the login the attackers could then use that to access that user’s personal data. When it comes to OpenID, the attacker could get a user’s information directly, as it’s immediately transferred from the provider upon request”
“An attacker could exploit the affected protocols and via a pop-up message through Facebook for example and trick users into giving up their information on otherwise legitimate websites”
Thus the attacker makes it look to the user as if the request is from Facebook, not the attacker
Researcher Blog
Researcher site about the vulnerabilties

Mozilla recommends a new approach to net neutrality to the FCC

Mozilla filed a petition with the FCC suggesting a new approach to net neutrality
PDF: Petition
The new approach involves looking at the entire question from the opposite direction
Rather than Comcast providing Netflix, Amazon, Youtube etc access to its customer, Carol, Comcast is instead providing its customers, Alice, Carol, David, etc access to ‘remote services’, like Netflix and Dropbox
Under this new ‘understanding’ of the shape of the Internet, Mozilla believes that the FCC already has the authority to impose strong net neutrality rules, resolving the question of authority raised when the courts struck down the old net neutrality rules
Level 3 Blog Post – ISPs play chicken with the future of the Internet
Level 3 Blog Post – Observations from an Internet Middleman
There are “six peers with congestion on almost all of the interconnect ports between us. Congestion that is permanent, has been in place for well over a year and where our peer refuses to augment capacity. They are deliberately harming the service they deliver to their paying customers. They are not allowing us to fulfil the requests their customers make for content.”
“All six are large Broadband consumer networks with a dominant or exclusive market share in their local market. In countries or markets where consumers have multiple Broadband choices (like the UK) there are no congested peers.”
Level 3 claims 6 big ISPs purposely degrading traffic
Level 3 and Cogent ask FCC for protection from ISP “Tolls”
“While ISPs say the traffic loads are too heavy, Level 3, Cogent, and Netflix argue that ISPs are abusing their market power, since customers often have little to no choice of Internet provider. That means there’s only one path for Netflix traffic to reach consumers, at least over the last mile”
Level 3 and Cogent both filed comments with the FCC
Level 3 said “the Commission should require last-mile ISPs to interconnect on commercially reasonable terms, without the payment of an access charge.”
Cogent proposed much harsher terms, reclassifying ISPs to be subject to common carrier rules, and requesting that “When interconnection points become congested, the FCC should have authority to intervene, Cogent said. This would force the broadband provider “to show cause why it should not be required to implement prompt remedial measures to relieve the sustained state of congestion”
Cogent claims Comcast should have to pay for network connections
In 2010, Internap network architecture manager Adam Rothschild said, “Comcast runs its ports to Tata at capacity, deliberately, as a means of degrading connectivity to networks which won’t peer with them or pay them money”