
The real fallout from the Ashley Madison hack gets personal. The Android StageFright patch that doesn’t cover all of the holes, and turning a KVM into a spying appliance.
Plus a great batch of questions, our answers, and a rocking round up.
All that and a heck of a lot more on this week’s TechSNAP!
— Show Notes: —
Ashley Madison Fallout
- According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
- Earlier today Krebs heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service.
- The individual “Mac” who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.
- Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
- Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
- Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
- The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
- According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
- Almost None of the Women in the Ashley Madison Database Ever Used the Site
- A light-weight forensic analysis of the AshleyMadison Hack
- City employees among emails listed in Ashley Madison hack
- John McAfee thinks he knows who hacked Ashley Madison
- Leaked AshleyMadison Emails Suggest Execs Hacked Competitors
- The only thing potentially interesting or useful in AshMad CEO’s inbox…
Android StageFright patch doesn’t cover all of the holes
- Google released to the open source Android project a new patch for the Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.
- “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin
- The original four-line code fix for CVE-2015-3824, one of several patches submitted by researcher Joshua Drake of Zimperium Mobile Security’s zLabs who discovered the flaw in Stagefright, still leads to a crash and device takeover. Jordan Gruskovnjak, a security researcher at Exodus, found the problem with the patch, and Exodus founder Aaron Portnoy today hinted that there could be similar problems in all the patches.
- “They failed to account for an integer discrepancy between 32- and 64-bit,” Portnoy told Threatpost this morning. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
- “According to public sources, many more issues have been discovered since they reported the bugs in MPEG4 processing on Android. I expect we will see continuing fixes to the Stagefright code base for the coming months,” Drake said in an email to Threatpost. “The story is long from over.”
- Exodus Intelligence notified Google on Aug. 7, the first day of DEF CON in Las Vegas and two days after Drake’s Stagefright presentation at the Black Hat conference. Google has assigned CVE-2015-3864 to the issue.
- In addition to Nexus devices, Google said it sent the original patches to other mobile providers, including: Samsung for its Galaxy and Note devices; HTC for the HTC One; LG for the G2, G3 and G4; Sony for its Xperia devices; and Android One.
- The vulnerabilities affect Android devices going back to version 2.2; newer versions of Android have built-in mitigations such as ASLR that lessen the effects of Stagefright exploits. Google said last week that 90 percent of Android devices have ASLR enabled, and that the next release of its Messenger SMS app also contains a mitigation requiring users to click on videos in order to play them.
- Additional Coverage: Forbes
- The news is compounded by yet more Android vulnerabilities
- Checkpoint Security: Certifigate
- Major Android remote-access vulnerability is now being exploited
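To make the class of bug Portnoy describes concrete, here is a constructed C illustration, added to these notes and not taken from the Android source or from Exodus' write-up. It models the described 32-/64-bit discrepancy: the guard against an oversized length is evaluated in 64-bit arithmetic, while the total handed to the allocator is narrowed to a 32-bit size (the situation on a 32-bit Android device, simulated here with an explicit uint32_t so the result is the same on any host). The function names, the REJECTED sentinel and the sample lengths are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not Stagefright code). On a 32-bit build size_t is
 * 32 bits wide; we model that with an explicit type so the behaviour is the
 * same whether this file is compiled for a 32- or a 64-bit host. */
typedef uint32_t alloc_size_t;
#define ALLOC_SIZE_MAX UINT32_MAX

/* Sentinel returned when a length check rejects the input (assumed name). */
#define REJECTED UINT64_MAX

/* Weak guard: the "does it fit?" comparison is done in 64-bit arithmetic,
 * but the total is then narrowed to the allocator's 32-bit width.
 * When chunk > ALLOC_SIZE_MAX, ALLOC_SIZE_MAX - chunk wraps around to a
 * huge unsigned value, so the guard passes, and the narrowed total is tiny. */
uint64_t weak_checked_total(uint64_t existing, uint64_t chunk)
{
    if ((uint64_t)ALLOC_SIZE_MAX - chunk <= existing)
        return REJECTED;
    return (alloc_size_t)(existing + chunk);   /* silent truncation */
}

/* Hardened guard: validate each operand in the allocator's own width before
 * adding, so no wrap-around can occur on either side of the comparison. */
uint64_t safe_checked_total(uint64_t existing, uint64_t chunk)
{
    if (chunk > ALLOC_SIZE_MAX || existing > ALLOC_SIZE_MAX - chunk)
        return REJECTED;
    return (alloc_size_t)(existing + chunk);   /* now always <= ALLOC_SIZE_MAX */
}

int main(void)
{
    /* Constructed sample: a 16-byte buffer plus a chunk length just over 4 GiB. */
    const uint64_t existing   = 0x10;
    const uint64_t evil_chunk = 0x100000010ULL;
    const uint64_t sane_chunk = 0x100;

    printf("weak guard, crafted chunk : 0x%llx\n",
           (unsigned long long)weak_checked_total(existing, evil_chunk));
    printf("safe guard, crafted chunk : 0x%llx\n",
           (unsigned long long)safe_checked_total(existing, evil_chunk));
    printf("safe guard, sane chunk    : 0x%llx\n",
           (unsigned long long)safe_checked_total(existing, sane_chunk));
    return 0;
}
```

With the crafted chunk the weak guard accepts the input and yields a 32-byte allocation for data the parser would go on to treat as 4 GiB long, which is the kind of heap overflow condition the bullet above describes; the hardened guard rejects it while still accepting ordinary sizes. The portable rule is to do the bounds comparison in the same type the allocation is made in, and to check each operand before adding rather than checking the sum afterwards.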
Turning a KVM into a spying appliance
- Researchers presented their work at Black Hat on how to teach a KVM switch to spy on its users
- “When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet.”
- Early KVM switches were just physical hardware switches that allowed more than one computer to be controlled by a single Keyboard, Video (Monitor), and Mouse
- By the year 2000, we had Matrix KVMs that could be chained together and used to control more than 1000 computers from a single keyboard
- USB stacks, video transcoding and virtual media (mounting an ISO from your workstation as if it were a USB CD-ROM drive) drove KVMs toward being entire computers in their own right, with an operating system that can itself be compromised
- The firmware shipped with the device was obfuscated, and at the start the researchers were unable to find anything useful: not a single readable string in the firmware
- By comparing a number of different firmware versions, they were able to figure out which part of the firmware image was the version number. This gave them a starting point
- Looking at the circuit board of the KVM they found some common ASICs, which provided more clues
- Once they had cracked the obfuscation, they had code they could analyze
- “Of course reading the firmware is only the first step, you need to show that something useful (insidious) can be done with it. During the talk the pair demonstrated their custom firmware switching to a different system, “typing” in the password (which would have been logged earlier when a human typed it in), and echoing out a binary file which was then executed to load malware onto the system.”
- “Yes, you need physical access to perform this attack with the KVM used during the talk. But some KVMs allow firmware updates over IP, and many of them have web interfaces for configuration. There are many vectors available here and knowing that, the discussion turns to prevention. Keystroke statistics are one way to prevent this kind of attack. By logging how fast characters are being typed, how tight the cadence is, and other human traits like use of backspace, the effectiveness of this type of attack can be greatly reduced.”
- This is interesting research, and makes me even more suspicious of the 16 port, 2 user, IP-KVM I use to manage some of my servers.
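The keystroke-statistics defence mentioned in the talk summary, as a constructed C example added to these notes (not code from the researchers): a host-side check over the timing of a short key sequence. Replayed credentials from a compromised KVM tend to arrive either far faster than a hand can type or with a perfectly regular cadence, so the function flags a mean inter-key gap below a floor or a coefficient of variation below a floor. The sample timestamp sequences, the threshold values and the function name are all assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not code from the Black Hat talk. Keystroke timing
 * detector: a KVM that replays a recorded password tends to emit keys either
 * far faster than a hand can, or with a perfectly regular cadence. We flag
 * either pattern. Threshold values below are assumed, not measured. */

/* Returns true when the timestamps (milliseconds, ascending) look injected:
 * mean gap below min_mean_ms, or coefficient of variation below min_cv.
 * Variance is compared against (min_cv * mean)^2 so no sqrt/libm is needed. */
bool looks_injected(const double *t_ms, size_t n, double min_mean_ms, double min_cv)
{
    if (n < 3)
        return false;                       /* too little data to judge */

    size_t gaps = n - 1;
    double sum = 0.0;
    for (size_t i = 1; i < n; i++)
        sum += t_ms[i] - t_ms[i - 1];
    double mean = sum / (double)gaps;
    if (mean <= 0.0)
        return true;                        /* zero or negative gaps: not a human */

    double var = 0.0;
    for (size_t i = 1; i < n; i++) {
        double d = (t_ms[i] - t_ms[i - 1]) - mean;
        var += d * d;
    }
    var /= (double)gaps;

    return mean < min_mean_ms || var < (min_cv * mean) * (min_cv * mean);
}

/* Constructed sample sessions: ms since the first key of an 8-key entry. */
#define SAMPLE_N 8
static const double HUMAN_TS[SAMPLE_N]     = {0, 180, 310, 520, 640, 900, 1010, 1250};
static const double FAST_TS[SAMPLE_N]      = {0, 8, 16, 24, 32, 40, 48, 56};
static const double METRONOME_TS[SAMPLE_N] = {0, 150, 300, 450, 600, 750, 900, 1050};

/* Assumed policy: humans average well over 40 ms per key and vary by >15%. */
#define MIN_MEAN_MS 40.0
#define MIN_CV      0.15

int main(void)
{
    printf("human     : %s\n",
           looks_injected(HUMAN_TS, SAMPLE_N, MIN_MEAN_MS, MIN_CV) ? "INJECTED" : "ok");
    printf("fast      : %s\n",
           looks_injected(FAST_TS, SAMPLE_N, MIN_MEAN_MS, MIN_CV) ? "INJECTED" : "ok");
    printf("metronome : %s\n",
           looks_injected(METRONOME_TS, SAMPLE_N, MIN_MEAN_MS, MIN_CV) ? "INJECTED" : "ok");
    return 0;
}
```

The irregular human sequence passes, while both the too-fast and the perfectly even sequences are flagged. The other trait the summary mentions, use of backspace and similar corrections, can be folded in as a second signal (a count of edit keys per entry) and combined with the timing score; a flagged entry is a reason to alert and re-authenticate out of band, not proof of compromise on its own.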
Feedback
- Get your BSDNow 2 year anniversary t-shirt before time runs out
- Allan and Chris: Your personal SSH key management methodologies?
- Allow storage of SSH private keys in LastPass, and use the lpass CLI to retrieve and load them into ssh-agent. The general idea is to store the ASCII-armored private key in an “SSH Key” Secure Note, in a specific folder (e.g. “Secure Notes\SSH”). (GitHub)
- SSH Authentication with YubiKey | LAS 373 | Jupiter Broadcasting
- FUDO
Round Up:
- Microsoft has no plans to tell us what’s in Windows patches
- DNSSEC – Fighting the FUD
- Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
- OpenSSH privilege separation accidentally disabled on pkgsrc platforms, for the last 9 years
- A data center of liquid cooled servers
- GitHub attacked again as Chinese developers forced by police to pull code
- UK Police investigate first instance of “Cyber Flashing”, iOS AirDrop
- The security content of the latest OS X update