
We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in the Middle attack.
Plus a fantastic batch of your questions, our answers & much, much more!
— Show Notes: —
Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword
- Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
- Their findings are troubling, showing problems with all of the popular services
- “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
- The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
- The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
- The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly allowing them to lock the user out of other sites.
- An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (url/username/password) they do not own with another user, only needing to know the unique id#, which is a globally unique incrementing counter, so can be predicted. It also allows an attacker to modify another user’s web cards once they are shared
- “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
- “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
- Research Paper
How Russian Hackers stole the Nasdaq (2010)
- In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq
- The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
- The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
- “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
- Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
- The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
- The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
- Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
- “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
- What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
- An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened
- By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it
- Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding
Tutorial: SSH MITM Downgrade Attack
- This is a tutorial on how to perform an SSH Man-In-The-Middle downgrade attack
- This attack involves tricking the user connecting to the SSH server you are intercepting into using the old version 1 of the SSH protocol
- SSH1 uses a separate SSH Fingerprint from SSH2, so the user will be prompted to accept the different key
- Many users will blindly accept this warning
- If the user can be tricked into dropping to SSH1, it may be possible to steal the username and password they use to log in
- Luckily, most modern SSH servers do not allow SSH1
- However, some clients, including PuTTY, allow both SSH1 and SSH2, with a preference for the latter
- Users are encouraged to change the setting on their server and in their client to only allow SSH2
- Many embedded devices still allow SSH1, including many older Cisco Security Appliances
- These devices are perfect targets for this type of downgrade attack
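An added example (not from the show or the tutorial it links to) for finding the servers in your own inventory that would still fall for this downgrade: the SSH identification string a server sends first (RFC 4253 §4.2) carries a protocol version field where "2.0" means SSH2 only, "1.99" means the server also accepts SSH1 clients, and "1.x" means SSH1 only. The sample banners and the server name "embedded_sshd" are constructed for the example.

```python
import socket

# Constructed sample identification strings in RFC 4253 format:
#   SSH-protoversion-softwareversion [SP comments] CR LF
SAMPLE_BANNERS = {
    "ssh2_only": "SSH-2.0-OpenSSH_9.6\r\n",
    "both":      "SSH-1.99-embedded_sshd\r\n",   # downgrade candidate
    "ssh1_only": "SSH-1.5-embedded_sshd\r\n",
}


def parse_identification(line: str) -> tuple[str, str]:
    """Return (protoversion, softwareversion) from an identification line.

    The comments part after the first space is dropped.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    parts = line.split("-", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed identification string: {line!r}")
    return parts[1], parts[2].split(" ", 1)[0]


def ssh1_risk(line: str) -> str:
    """Classify a server banner by whether an SSH1 downgrade is possible."""
    proto, _ = parse_identification(line)
    if proto == "2.0":
        return "ssh2-only"          # client cannot be pushed to SSH1
    if proto == "1.99":
        return "ssh1-and-ssh2"      # server accepts SSH1: downgrade target
    if proto.startswith("1."):
        return "ssh1-only"          # legacy device, should be retired
    return "unknown"


def probe_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a host you administer.

    Servers may send informational text lines before the real banner, so
    the first line starting with 'SSH-' is the one that counts.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        for line in reader:
            if line.startswith("SSH-"):
                return line
    raise RuntimeError(f"{host}:{port} sent no SSH identification line")
```

Any host that reports "ssh1-and-ssh2" or "ssh1-only" is the one the tutorial's downgrade works against; on OpenSSH releases that still shipped SSH1, `Protocol 2` in sshd_config and ssh_config is the setting the notes above refer to.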
Feedback
Round-Up:
- US claims jurisdiction over all servers on the internet. “any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas”
- Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”
- Canadian ISP Rogers updates privacy policy, promises to require a warrant to turn over data
- Microsoft tells users to stop using strong passwords everywhere
- Sony forgets to renew a domain name (SonyOnline.net) where all of the name servers are hosted, takes out all of SOE (Sony Online Entertainment), including forums and websites. Did not have a valid email address on the domain registration
- Cisco Security Advisory: Cisco Wireless Residential Gateway Remote Code Execution Vulnerability
- Where do online services go when they die?
- fail2ban security update
- Robert Watson and SRI/Cambridge University open source the CHERI secure processor design