The Day the Routers Died | TechSNAP 175
Posted on: August 14, 2014

The Internet suffers from some growing pains, we explain how some old assumptions have come back to haunt us, victims of a cyberheist go after the bank that failed them, and we go deep on the Synology crypto-malware.
Then it’s a great big batch of your emails and much more!!
— Show Notes: —
Internet suffers growing pains as global routing table exceeds 500,000 entries
- High-end routers use a special kind of memory called TCAM (Ternary Content-Addressable Memory) to store the routing table for faster lookups
- CAM works differently from regular memory: it behaves essentially like an associative array or hash, where information is looked up by a ‘key’ or ‘tag’. Rather than the data living at a specific address in memory that the application has to keep track of, the application simply asks for the data stored under a specific key
- A TCAM works similarly, except it is ternary, meaning each bit has three possible states: in addition to the binary on and off, there is a ‘do not care’ state. This makes it ideal for storing routing information, because network addresses are binary addresses split into two parts, the network part (which the router cares about) and the host part (which the router does not care about)
- So using a TCAM, a router can look up the route for any destination by simply requesting the data stored under the key of the destination network address
- Because of the way TCAMs work, they have to be of a fixed size. The default on some older Internet core routers is too small to hold the current global routing table
- On some routers, if the TCAM fills up, the router can fall back to software routing mode, where it has to search the entire routing table in regular memory for the most specific matching network address. This is much slower and uses a lot of CPU time, of which most core routers have very little
- To resolve this issue, the TCAM allocation must be changed (if the device has enough memory to support a larger size), and the router must be reloaded, causing downtime
- This issue is further complicated by a manufacturing defect with the memory in the routers and on the line cards, which can fail catastrophically during a reboot, leaving the device unbootable or unable to access the network via the line card. Cisco: Memory Component Issues page
- This issue was brought up at NANOG – North American Network Operators Group on May 6th
- Heads Up on the FreeBSD mailing list
- Cisco announced the problem ahead of time
- Cisco: How to adjust the TCAM allocation on Catalyst 6500 and 7600
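A toy model of the lookup described above, added here as an illustration and not taken from the show or from any vendor's implementation: ternary entries mask off the host bits, entries are ordered longest-prefix-first so the first hit is the best match, and once the fixed-size table overflows the whole lookup drops to a linear software search over the full table. The `Router` class, its method names and the sample routes are all invented for this example.

```python
import ipaddress

class Router:
    """Fixed-capacity TCAM in front of a full routing table kept in RAM (toy model)."""

    def __init__(self, tcam_capacity):
        self.tcam_capacity = tcam_capacity  # fixed at boot, like a real TCAM allocation
        self.rib = []            # every route, in regular memory: (network, next_hop)
        self.tcam = []           # (value, mask, prefixlen, next_hop), longest prefix first
        self.software_mode = False
        self.comparisons = 0     # work done by the last lookup

    def add_route(self, cidr, next_hop):
        net = ipaddress.IPv4Network(cidr)
        self.rib.append((net, next_hop))
        if self.software_mode or len(self.tcam) >= self.tcam_capacity:
            # TCAM is full: this model drops the whole lookup to software,
            # as the notes describe for some core routers
            self.software_mode = True
            return
        # The netmask zeroes the host bits: those bit positions are "do not care"
        mask = int(net.netmask)
        self.tcam.append((int(net.network_address) & mask, mask, net.prefixlen, next_hop))
        # A TCAM returns the first matching entry, so order by prefix length
        # to make "first match" equal "longest prefix match"
        self.tcam.sort(key=lambda entry: -entry[2])

    def lookup(self, dst):
        d = int(ipaddress.IPv4Address(dst))
        self.comparisons = 0
        if not self.software_mode:
            # Hardware compares every entry in parallel; one step per lookup
            for value, mask, _, hop in self.tcam:
                if d & mask == value:
                    self.comparisons = 1
                    return hop, "tcam"
            return None, "tcam"
        # Software fallback: scan the entire table for the most specific match
        best = None
        for net, hop in self.rib:
            self.comparisons += 1
            if d & int(net.netmask) == int(net.network_address):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, hop)
        return (best[1] if best else None), "software"
```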
Tennessee based company sues bank over cyberheist
- Tennessee Electric was the target of a cyberheist, in which Russian- or Ukrainian-based malicious actors took over its corporate bank account and siphoned $327,804 out of the company’s accounts at TriSummit Bank
- The company had an agreement with their bank, that the bank would phone and verify all transfers of funds
- The company only became aware that they had been the victims of a heist when they were called by Brian Krebs
- “According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47”
- “On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.”
- “Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.”
- Tennessee Electric’s account appears to have been compromised using a Man-in-the-Browser attack
- Malware on the computer changed what was displayed to the user when they visited the online banking site
- “the controller for the company said she was asked for and supplied the output of a one-time token upon login.”
- The man-in-the-browser virus then returns either a modified version of the regular account balance page (showing only the amount the user expects to be in the account, essentially adding back the stolen money)
- In this case, the virus returned a “down for maintenance” page
- Asking the user to try again in a few minutes may allow the attacker access to a series of one-time tokens, allowing them to complete more transactions
- TriSummit Bank was able to get back $135,000 of the stolen funds, leaving the company out almost $200,000.
- The company is now suing the bank for that money and the interest they would have earned on it
- Corporate bank accounts do not enjoy the same liability protection from unauthorized transactions that personal accounts do
- Krebs also mentions his Online Banking Best Practices for Businesses
Synolocker for sale, plus in-depth look at how it works
- F-Secure does an in-depth look at how Synolocker encrypts your files
- F-Secure looked for similarities between CryptoLocker and SynoLocker, but found that there were not many
- It appears that SynoLocker may be using better encryption, and uses a unique key pair per victim, which will most likely prevent an online service like the one that is rescuing the files of CryptoLocker victims from doing the same
- SynoLocker appears to take additional steps to ensure that the original file is destroyed
- It appears the author of the Synolocker virus is looking to get out of the business
- They posted online that the website will be closing soon, and that if you want the keys to decrypt your data you had better pay soon
- If you updated DSM software to try to fix the vulnerability, then you’ll need to use a custom tool to decrypt your data
- The author is also willing to sell the remaining ~5,500 decryption keys to someone else for 200 bitcoins
- It seems he wants to get out before he gets caught, but is willing to let someone else attempt to continue selling the decryption keys (which sold for 0.6 bitcoin previously)
Feedback:
Round Up:
- Google spends a ton of money just to keep sharks from eating its underwater cables
- Researchers at French graduate school Eurecom find firmware plagued by poorly implemented encryption and badly hidden backdoors, find 38 unique vulnerabilities across 123 different devices – Paper from USENIX – Available Monday Aug 18th
- Snowden: The NSA, not Assad, took Syria off the Internet in 2012
- Why spam and scam emails are so poorly written
- Microsoft Black Tuesday Patches Bring Blue Screens of Death
- Biggest security risk for your iPhone is connecting it to a computer or enabling Wi-Fi sync
- Russia PM’s Twitter hacked, posts ‘I am resigning’
- Chinese smartphone steals your data
- Password guessing bots fall for a spam trap
- Understanding Targeted malware attacks by looking at those against NGOs by the Chinese government