HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Tales of an IT professional sailing around the Antarctic loop – sent in by Eric Miller

• CTD device – A CTD or Sonde is an oceanography instrument used to measure the conductivity, temperature, and pressure of seawater (the D stands for “depth,” which is closely related to pressure). The reason to measure conductivity is that it can be used to determine the salinity.

• Had to reinstall software for a winch to get it working

• Registered a new website and webmail and created a custom email solution so scientists would remotely access their email

security.txt – an RFC in the making

• Based on /.well-known/ of RFC5785 and similar in nature to robots.txt

• JSON was discussed, but dismissed

• CWE (Common Weakness Enumeration) will be used

• Versioning of security.txt by third parties

• Generation utilities have been created](https://github.com/EdOverflow/security-txt/issues/10)

Dumping Data from Deep-Insert Skimmers

• Deep-insert skimmers

• Romanian links to US crime

• European data skimmed from cards, then used in US because chip technology is not widely deployed there

• ‘wands’ inserted deep into the ATM to retrieve data

Feedback

• re Database migrations in Episode 332 jungle boogie writes in to mention Sqitch github by David Wheeler. JB says “This is a program written in perl and looks to have support for many databases”. JB also mentioned [pgBackRest](https://www.pgbackrest.org/] github

• Gary Foard writes in about a command line utility called shred. He uses to erase laptops from a live Linux disc. I checked the FreeBSD manual pages to check it’s there also, and it is – although I had to search for gshred instead of shred to find shred which I find weird. – See sysutils/coreutils in the FreeBSD Ports tree. – Dan notes: not recommended for erasing files any more. Not feasible for COW filesystems.

• prime62 mentioned on the TechSNAP sub-reddit mentioned some password hashing/salting resources: Salted Password Hashing – Doing it Right and The definitive guide to form-based website authentication

• Also seen on Reddit: There is no point [on max password lengths] since the field is hashed.

Round Up:

• Mobile operators deploying portable Cell-On-Wheels/Cell-On-Truck units along eclipse path to handle huge data usage of photos and streaming

• Security Keys

• 83601 is a supervisor number

• Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices

• Random Thoughts – next release of OpenSSL see Password Strength

• Create randomly insecure VMs

• This algorithm cleverly recreates 3D objects from tiny 2D images

The post Rsync On Ice | TechSNAP 333 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Gas Pump Skimmer Sends Card Data Via Text

• Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

• Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

• But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

• see also Gas Theft Gangs Fuel Pump Skimming Scams

Erasing hard drives – dd might be enough – Dan talks about how he erased the drives

• I recently upgraded several 3TB drives to 5TB drives and no longer needs the smaller drives. I usually used DBAN, but this time, it failed to run and I have no idea why

• I started looking around for upgrades in case my newer hardware didn’t work with this version of DBAN

• In September 2012, Blancco of Finland announced its acquisition of DBAN – Windows binary – no use to me

• There is an unofficial fork of DBAN that is actively maintained. The dwipe program that DBAN uses has been forked and is available as a standalone program called Nwipe, which is actively maintained.

• Appears to be more than one unofficial dban fork

• nwipe is included with Parted Magic so I paid my $11 and downloaded UNetbootin and tried to install it

• I failed to get my latest version (2017_06_03) of Parted Magic to boot so I resorted to letting UNetbootin download and install Latest_Live and I think that was 2.4

• I was told DBAN is drive abuse and that dd is sufficient

• Highly recommended NAS configuration – KIds don’t try this at home!

• Originally thought to be serial, butlater confirmed to work in parallel

• Discussion on: when you power cycle, how long do you want to power on?

• Next, tried nwipe but found that that took too long

• Going back to Parted Magic, I found the disk erase UI to have a few interesting features

• Then, I managed to get my SAS2008 card to work, and started doing 8 drives at a time

• dd is always an option, but I found it more convenient to use Parted Magic. Why? I didn’t have to script it and I can use the Secure Erase feature

Feedback

• A question about database migrations – apgdiff SQL Manager – SQLFairy – Dan used to use a tool for designing the database, but hasn’t use one lately. Now he constructs the DDL on the fly to amend the database and keeps them aside for upgrading the production database. Dan once kept the DDL for FreshPorts in a repo, but no longer does. Now he just backs up.

• ZFS Configuration new System76 Oryx pro

• Nigel Brownsey wrote in about Password security all about length

• PostgreSQL password hashing & backups

Round Up:

• The HDFS Juggernaut – Hadoop Distributed File System

• Plans for Partitioning in PostgreSQL v11

• debian-policy: Packages should be reproducible

• Everything You Always Wanted to Know
  About Optical Networking –
  But Were Afraid to Ask
  slides – Youtube video

• Looking at public Puppet servers

• Airbnb’s preferred smart lock vendor accidentally bricks 500 door-locks

• I Bought a Book About the Internet From 1994 and None of the Links Worked

The post Leaky Pumps | TechSNAP 332 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

• Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported by multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes
• In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation to what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox choose to keep those files around for years, and eventually restored them due to a blunder. In its File retention Policy, Dropbox says it will keep files around a maximum 60 days after users deleted them
• If you have sensitive data, do not rely on delete, rely on encryption.
• If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
• The encryption and decryption should occur on your system, not theirs.
• Imagine you deleted those risky files just before an international trip, you get requested to power up your laptop, and bang, there’s those deleted files back….!

Twitter Activist Security – Guidelines for safer resistance

• We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
• This guideline is specfically for Twitter, but many of the suggestions can be apply to other social media as well, but I am not sure how well they will travel. Chose carefully
• Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
  I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
• Security Principles To Live By The basic principles of operational security are actually very simple, they’re what we call the three Cs: Cover, Concealment, Compartmentation

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

• Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
• “Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
• “Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
• Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
• Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
• Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
• “You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
• McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
• “We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
• Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
  “It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
• Krebs wrote about this and has a post which is all about skimmer and shimmer
• Not new tech, been around since at least 2015

Feedback:

• FreeBSD + Bacula as a portable VM
• Bank security or lack of!

Round Up:

• Hotel ransomed by hackers as guests locked out of rooms
• ShmooCon 2017 Videos
• Google – Site Reliability Engineering
• Booted up in 1993, this server still runs — but not for much longer
• Digital Ocean re-enabling password authentication for snapshot-based droplets
• HP recalls 101,000 laptop batteries due to fire concerns.
• A Shakeup in Russia’s Top Cybercrime Unit
• Hardening Windows 10 With Zero Day Exploit Mitigations Under The Microscope
• Delta Airlines cancels at least 150 flights due to IT issue
• Texas Police Department Loses Years Worth of Evidence in Ransomware Incident
• A crowd funded effort to review “Secure HTTP without HTTPS”, from the Unity Asset Store, finds it critically flawed
• Backblaze Hard Drive Stats for 2016

The post Three C's to Tweet By | TechSNAP 304 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Source Code for IoT Botnet ‘Mirai’ Released

• “The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
• “The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.”
• “Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.”
• A quote from the person who released the code: “When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
• “Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.”
• “According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.”
• “Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.”
• It is surprising that the botnets are not changing the default passwords to prevent reinfection by competing botnets. Of course, if you are scanning using the new secret password, every honeypot is going to get that password and be able to recapture your devices
• “In the days since the record 620 Gbps DDoS on KrebsOnSecurity.com, this author has been able to confirm that the attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic suggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself. One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.”
• “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.”
• “On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.”

A tale of a dns packet

• “BIND is the most used DNS server on the internet. It is the standard system for name resolutions on UNIX platforms and is used in 10 of the 13 root servers of the Name Domain System on the internet. Basically, it is one of the main function of the entire Internet.”
• “The tests done by ISC (Internet Systems Consortium) discovered a critical error when building a DNS response.”
• “This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’)”
• “Following the tradition of having errors in the necessary software for the survival of humanity, CVE-2016-2776 came to light. With details of the problem basically nowhere to be found, nor what was the mysterious “Specifically Constructed Request”, we decided to see what exactly was modified in the repository of Bind9.”
• “Now that we are convinced that msg->reserved is potentially dangerous when 500 < msg->reserved <= 512, it is time to see how we can manipulate this variable. Tracking the use of dns_message_renderreserve() in lib/dns/message.c we find that msg->reserved is used to track how many bytes will be necessary to write the Additional RR (OPT, TSIG y SIG(0)) once the response is finished rendering on dns_message_renderend().”
• “The most direct way we’ve found of manipulating an Additional RR included on the response is sending a query with a TSIG RR containing an invalid signature. When this happens, the server echoes practically all the record when responding.”
• “The following script sends a query A to the server with a TSIG large enough so as to make the server reserve 501 bytes on msg->reserved when writing the response.”
• “When it gets to dns_message_renderbegin() we have the context we’ve looked for: msg->reserved on 501 and r.length on 512. The if condition which should throw ISC_R_NOSPACE in the patch is not triggered.”
• And BIND crashes
• “We can see now with the instruction immediately after the validation why it was so important to consider DNS_MESSAGE_HEADERLEN. Immediately after validating that the buffer has the sufficient space to store msg->reserved bytes, it allocates DNS_MESSAGE_HEADERLEN (12) bytes in it. In other words it didn’t check if after reserving msg->reserved, there is enough space to store 12 bytes more. What happens in the end is that when returning from the function, the available space on buffer is of 500 bytes (buffer->length – buffer->used = 512 – 12 = 500) but we’re reserving 501.”
• “This leaves the integrity of the isc_buffer_t msg->buffer structure corrupt: now msg->buffer->used is BIGGER than msg->buffer->length. All the ingredients are here, we just need to put them in the oven.”
• “Publishing a fix about a lethal bug where you would have to patch the whole internet, doesn’t leave a lot of time to find elegant solutions. So if you review the fix it’s possible that a new similar bug appears in dns_message_renderbegin(). while the use of msg->reserved is quite limited. It continues being a complex software. Meanwhile msg->reserved is still being used, the existence of a bug like CVE-2016-2776 is quite probable.”

4 ways to hack ATMs

• “We have already told you about a number of hacker groups jackpotting money from ATMs. Now you can see it with your own eyes! Our experts shot four videos of ATM hack demos.”
• Method 1: Fake processing center
• Disconnect the network cable for the ATM, and connect it to your rogue device (a Raspberry Pi will do)
• When the ATM asks “the bank” (your rpi) if it is ok you give the person money, always say yes

• “The box is used to control the cash trays and send commands to the ATM, requesting money from the chosen tray. It’s as simple as that: The attacker can now use any card or input any PIN code, and the rogue transactions will look legitimate.”

• Method 2: A remote attack on several ATMs
• “This method involves an insider working in the target bank. The criminal purchases a key from the insider that opens the ATM chassis. The key does not give an attacker access to the cash trays, but it exposes the network cable. The hacker disconnects the ATM from the bank’s network and plugs in a special appliance that sends all of the data to their own server.”
• “Networks connecting ATMs are often not segmented (separated for security), and ATMs themselves can be configured incorrectly. In that case, with such a device a hacker could compromise several ATMs at once, even if the malicious device is connected to only one of them.”
• This method works when the network cables are not exposed

• Then the rest is the same as Method 1

• Method 3: The black box attack
• In this attack, the bad guys directly connect their black box to the cash trays, and send them the commands to spit out the money
• “As previously described, the attacker obtains the key to the ATM chassis and accesses it, but this time puts the machine into maintenance mode. Then the hacker plugs a so-called black box into the exposed USB port. A black box in this case is a device that allows an attacker to control the ATM’s cash trays.”

• “While the attacker tampers with the ATM, its screen displays a service message like “Maintenance in progress” or “Out of service,” although in reality the ATM can still draw cash. Moreover, the black box can be controlled wirelessly via a smartphone. The hacker just taps a button on the screen to get the cash and then disposes of the black box to hide the evidence that the machine was compromised.”

• Method 4: Malware attack
• “There are two ways to infect a target ATM with malware: by inserting a malware-laced USB drive into the port (requiring the key to the ATM chassis) or by infecting the machine remotely, having first compromised the bank’s network.”
• “If the target ATM is not protected against malware or does not employ whitelisting, a hacker can run malware to send commands to the ATM and make it dispense cash, repeating the attack until the cash trays are empty.”
• “Of course, not all ATMs are hackable. The attacks described above are feasible only if something is misconfigured. It could be that the bank’s network is not segmented, or authentication is not required when the ATM’s software exchanges data with the hardware, or there is no whitelist for apps, or the network cable is easily accessible.”

• So there are a number of ways to address these issues
• Method 1 and 2 should normally be defeated by proper use to SSL/TLS. Of course you want the messages exchanged with the bank’s processing center to be encrypted, integrity checked (guaranteed not to have been modified by the bad guy), but TLS also provides authentication, assurance that the remote end is actually the trusted bank, not a bad guy. The ATM should have a list of trusted certificates, and refuse to process transactions with any other party.
• Method 3 requires some way to establish trust between the ATM software, and the cash box hardware. Even if the messages between the computer and the cash box were encrypted, authenticated, and integrity checked, the issue is that the private key used to ‘sign’ the messages to the cashbox would need to be stored on the ATM computer. Maybe the commands to the cash box should be signed by the bank’s processing center.
• To solve Method 4 will require software whitelisting. If the ATM will only run software signed by the trusted certificates of the bank or ATM manufacturer, then it is much harder for the bad guys to get their malware to work on the ATM

Feedback:

• MySQL Replication

• Hard drive fail. Help, please.

• Good ZFS Question

Round Up:

• N.S.A. Contractor Arrested in Possible New Theft of Secrets
• Backdoored D-Link Router Should be Trashed, Researcher Says
• Encryption App Signal Wins Fight Against FBI Subpoena And Gag Order
• Apparently every browser did TLS 1.2 wrongg
• BadKernel Vulnerability Affects One in 16 Android Smartphones
• New credit cards with auto-changing CVVs appearing in France and Poland
• Spotify Free Service Caught Dropping Malware on User Browsers
• Hack warnings prompt cyber ‘security fatigue’
• Major Outage Knocks Out All Top Phone Providers on the East Coast
• UNIX recovery master class
• Fax machines’ custom Linux allows dial-up hack
• The worst phonetic alphabet

The post Open Source Botnet | TechSNAP 287 first appeared on Jupiter Broadcasting.

On this weeks episode we cover a UEFI firmware bug that is affecting computers including ThinkPads, tell you how your windows box can be totally pwned even if it’s fully encrypted & talk about the shortcomings of the MD5 checksum. Plus the feedback, the roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

ThinkPwn, Lenovo and possible other vendors vulnerable to UEFI bug

• “This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.”
• an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode
• “Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets.”
• “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code”
• Lenovo Advisory
• The vulnerable code has also been found in HP Pavilion Laptops, some Gigabyte Motherboards (Z68, Z77, Z87, Z97), Fujitsu, and Dell.
• Exploring and exploiting Lenovo firmware secrets
• ThinkPWN, proof of concept exploit

From zero to SYSTEM on a fully encrypted Windows machine

• “Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment.
  When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system.”
• “In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature.”
• “These two vulnerabilities, discovered with the help of my colleague Tom Gilis were reported to Microsoft however only one vulnerability is patched at the time of writing CVE-2016-0049 / MS16-014.
• “The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here.”
• Acknowledgement by Microsoft
• Since the time of this post, the patch has been released. It turns out, it is MS16-072
• You might remember MS16-072 from TechSNAP #272 as the Windows Update that broke Group Policies!
• “Step 1 – Hibernation – Your friendly neighbourhood password dumper”
• “Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating the HIBERFIL.SYS.”
• “Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. Once we force the laptop into hibernation mode we reboot it and move to the next step”
• “Step 2 – Bypassing the login or lock screen”
• “If the computer is a member of an AD Domain, and the user has logged in on this machine before, so their password is cached locally, all an attacker needed to do is create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing”
• “Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials)”
• So, since the attacker set the new password on the Domain Controller (not really, but the computer things they did), they know this password, and when they attempt to login with it, and windows cannot reach the domain controller, it uses this locally cached password, and allows them to login
• “Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software.”
• “Step 3 – Privilege escalation to SYSTEM”
• “We know that the trust between the client and Domain Controller (DC) is not always properly validated, we have a working Active Directory set-up and we have a working rogue DC. The question is are there any other Windows functionality that is failing to properly validate the trust?”
• “How about Group Policies? It works on all supported Windows versions. There is no need for any additional (vulnerable) software. No specific configuration requirements”
• “There are 2 types of Group Policy Objects (GPO), Computer Configuration and User Configuration Policies.”
• “Computer Configuration Policies are applied before logon, the machine account is used to authenticated to the DC in order to retrieve the policies and finally all policies are executed with SYSTEM privileges. Since we don’t know the machine account password using Computer Configuration Policies is not an option.”
• “User Configuration Policies are applied after a user is logged in, user’s account is used to authenticated to the DC to retrieved the User Configuration Policies and the policies are either executed as the current logged-on user or as SYSTEM.”
• “Now this last type of Policy is interesting because we know the password of the user as we reset it to our likings.”
• “Let’s create a Scheduled Task GPO that will execute NetCat as SYSTEM and finally will connect to the listening NetCat service as a the current user.”
• On Windows 7, Immediately game over, you own the system
• “Windows 7 fails to validate if the DC from where the Group Policies are being applied is indeed a trusted DC. It is assumed that the user credentials are sufficient to acknowledge the trust relationship. In this attack all encrypted traffic remains intact and doesn’t require any modification whatsoever.”
• On Windows 10, it didn’t work right out of the box
• It turns out, the Rouge DC needs to have a user object matching the SID of the user that is logging in. Luckily, with Mimikatz, you can edit the SID of the user on the Rouge DC to make it match
• Additional Coverage: Part 2
• Slides
• So, Microsoft has patched both of these vulnerabilities, and we are all safe again, right?
• “Bypassing patch MS16-014: Yes, you’ve read it right! There is still a way to bypass the Windows Login screen and bypass Authentication More details will be released soon!”
• The author has not released the details yet, as they are waiting on Microsoft to release another patch

The MD5 collision is here

• “A while ago a lot of people visited my site (~ 90,000 ) with a post about how easy it is to make two images with same MD5 by using a chosen prefix collision. I used Marc Steven’s HashClash on AWS and estimated the the cost of around $0.65 per collision.”
• “Given the level of interest I expected to see cool MD5 collisions popping up all over the place. Possibly it was enough for most people to know it can be done quite easily and cheaply but also I may have missed out enough details in my original post”
• A 2014 blog post showed how to create two php scripts with the same MD5
• An early 2015 blog post showed two JPGs with the same MD5
• So, this version of the tools was able to make two different .jpg images, that had the same MD5 checksum, but different contents, while still being perfectly valid JPG images
• The post included instructions and an Amazon AWS images to do the number crunching
• That a later follow up post on how to do the same thing with executable files
• Same Binaries Blog Post
• This example shows a C binary that prints an Angel if a condition is true, and a Devil if it is false
• It contains a bunch of filler that can be changed to make the hashes the same in a second version of the file, where the condition is false. The end result is a pair of binaries, with the same MD5 hash, but different output
• Using this same technique, Casey Smith (@subtee) managed to make an Angel.exe that is a copy if mimikatz, a windows password dumping utility, and a devil.exe that just says ‘nothing to see here’
• Demo of the attack
• This means all I need to do is run this tool against my malware, and say, regedit.exe that is on the whitelist in Windows, and now I have a malware binary that will be trusted

Feedback:

• Pete asks about Owncloud

• John tries to troll Noah

• Matt is having ZFS problems

Round Up:

• New Edge Switch
• Reverse engineering the default WPA2 password on UPC UBEE routers
• ViewSonic ThinClient
• Post intrusion, most attackers use the same everyday admin tools that you do
• TP Link Forgets to Renew Domain
• What Air conditioning Tech can teach us about innovation and laziness
• 10 Million Android Phones Rooted
• Your SmartWatch can steal your ATM pin
• Microsoft’s attempt to recruit interns is a barrel of cringe
• Password sharing ruled a crime under the terrible CFAA (Computer Fraud and Abuse Act)
• Avast Acquired AVG for $1.3 billion, now has 400 million endpoints
• Wendy’s POS malware disclosure page, pwned with XSS
• Passthoughts, a new type of password?
• The definition of a sophishticated attack
• Frontier and AT&T to Block Google Fiber
• This cyber security guide from “The Guardian”, is full of AWEFUL advice, don’t do it
• Man builds $53,000 computer that plays Tetris, to visualize the internals

The post Windows Exploit Edition | TechSNAP 274 first appeared on Jupiter Broadcasting.

The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

• “According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
• “OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
• “Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
• “Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
• “The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
• The results:
  • Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
  • Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
• Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
• Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
• Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
• Other Findings:
• “Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
• Every new machine came with crapware, and an auto-updated for the crapware. The auto-updated made the machine less secure, not more secure as it expected. Not to mention they that this report doesn’t actually look at the crapware itself
• “There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
• They didn’t have to try very hard, some of these updaters run a local http server that anything can connect to
• “Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
• This means that a random person at the coffee shop, or the government, can pretend to be your OEMs update server, and feed you malware instead of security fixes
• “Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
• Multiple auto-updaters, that is what everyone wants
• “The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
• If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
• “Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
• So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
• Additional Coverage
• Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

• “The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
• According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
• “Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
• “I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
• “More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
• Not necessarily, it can depend on the setup. The reason you might expose a printer to the internet like that on purpose, is to allow printing while you are away from home, but it isn’t a good idea
• “Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
• That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
• It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

• “Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
• They want your card number
• They want your PIN number
• “To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
• “The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
• The post includes a video of a skimmer being installed in just a few seconds
• Then it gets interesting, after having read all of Krebs advice, while visiting Indonesia, the author of the post encountered a skimmer
• “A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
• “I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
• “We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
• “By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
• “The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
• This reaction is very common, and is starting to be troubling
• After some deduction, he determined the ports on the side were for a USB cable
• “Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
• “It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
• “After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
• “The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
• When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
• “Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
• “The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
• The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
• Going back a few days later, they found a fresh pin number camera installed

Feedback:

• Adam asks about running pfSense on top of FreeNAS
• Mark asks about Direct Access to home while on the road
• RAM Disk
• Ceph on FreeBSD

Round Up:

• Armed FBI agents raid home of researcher who found unsecured patient data
• Core windows utility can be used to bypass application whitelisting
• Internet Explorer use in freefall as people flock to Google Chrome
• The guy who swatted Krebs is going to prison
• Police are filing warrants for Android’s vast store of location data
• 50 people arrested in Russia in connection with $45m bank hack
• SELinux is beyond saving at this point
• CoreOS launches Torus, a new open source distributed storage system
• Off-The-Record (OTR) protocol patched against remote code execution flaw
• 2016 Internet Trends Report: Global Smartphone User Growth Slowing as Android Outpaces iOS
• Slack plugs token security hole that was leaking private code and chat transcripts to anyone on the internet
• New tool out of MIT/Berkeley called “Space”, is a static analyzer for web applications

The post Signature Bloatware Updates | TechSNAP 270 first appeared on Jupiter Broadcasting.

A common vulnerability is impacting Firefox, LibreOffice, and others, the 7 problems with ATM security, and the Enterprise grade protection defeated with a batch script.

Plus some great questions, our answers, a rockin roundup, and much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

The 7 problems with ATM security

• Kaspersky presents a list of the 7 reasons why ATMs are so easily compromised, based on a talk given at the SAS2016 conference
• “Automated teller machines (ATM) have always a been a big target for criminals. In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed. Nowadays culprits can ‘jackpot’ an ATM without such special effects.”

1. ATMs are basically just computers (PCs)
2. That PC is likely running an old operating system (in early 2014, 95% of all ATMs still ran Windows XP)
3. The software other than the OS is also likely vulnerable. Many ATMs still have the bundled version of flash that came with stock Windows XP, which now has 9000 known vulnerabilities
4. ATMs have no software integrity control, no antivirus solutions, no authentication of an app that sends commands to cash dispenser.
5. Weak physical security for the PC part of the ATM. While the deposit box and cash dispenser are armored against attack, the PC is usually only hidden behind some thin plastic. “There is no money in that part of the ATM”
6. ATM control PCs have standard interfaces, that are not secured. Let me just plug this USB stick into your ATM, now it is my ATM
7. ATMs are increasingly directly connected to the Internet. You can find ATMs on Shodan

• ATMs are not replaced very often, so upgrades to the physical protections of the PC component will likely not happen very soon
• When was the last time you saw an ATM down for software updates?
• Maybe if the criminals keep stealing large amounts of money, the banks will be more interested in replacing the ATMs
• This of course doesn’t cover the private ATMs you often see in convenience stores

FireEye Detection Evasion and Whitelisting of Arbitrary Malware

• Researchers at Blue Frost Security have developed a way to evade the dynamic analysis of the FireEye suite of security appliances
• The FireEye appliance works by starting untrusted binaries and applications in virtualization and observing what they do
• If the application is found to be malicious, it is blocked
• Only applications allowed by the FireEye device can be run on the protected computers
• “The analysis engine evasion allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the whitelist entry is wiped after a day”
• “FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.”
• “No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.”
• Let’s take the filename FOO%temp%BAR.exe which results in:
• copy malware.exe “%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe”
• The filename, directory name, or volume label syntax is incorrect.
• “The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
• “Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.”
• “Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.”
• The issue was reported to FireEye on September 14th, and responded quickly
• FireEye released updates for some of its products on October 5th and 15th
• On December 31st FireEye published their Q4 security advisory
• FireEye Security Advisory
• On January 14th, FireEye asked that BFS delay publication of the vulnerability for another 30 days, as too many clients had not yet installed the update

Libgraphite Vulnerabilities Impact Firefox, OpenOffice, and Others

• Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library
• Which is used for font processing in Linux, Firefox, OpenOffice, and other major applications.
• The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution.
• A second vulnerability is an exploitable heap overflow.
• Finally, the last two vulnerabilities result in denial of service situations.
• To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities.
• Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).
• Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors.
• Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions.
• The issues that Talos identified include the following:

• An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
• A specially crafted font can cause a buffer overflow resulting in potential code execution.
• An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

• If a malicious font is provided then an arbitrary length buffer overflow can occur when handling context items.
• The first denial of service issue results from a NULL pointer dereference.

• The second denial of service issue results from an out of bounds read that can not only cause a DoS, but it can also cause a leak of information. When reading an invalid font where the local table size is set to 0, an out of bounds read will occur.

• Known Vulnerable Versions:

• Libgraphite 2-1.2.4

• Firefox 31-42
• Firefox ESR before 38.6.1

Feedback:

• Booting on ZFS

• Open Source Security Systems?

• openHAB

• OpenSSL vs OpenSSH

• pfSense Question

Make sure you patch your linux machines for the glibc vulnerability

• In-Depth Analysis
• Additional Coverage
• FreeBSD base unaffected, but update your linux emulation ports

Round Up:

• Why you should side with Apple, not the FBI, in the San Bernardino iPhone case
• Distribution packages considered insecure
• Google Cloud Platform Blog: Google and Red Hat announce cloud-based scalable file servers
• ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
• U.S. Hacked Into Iran’s Critical Civilian Infrastructure For Massive Cyberattack, New Film Claims
• IRS warns of a 400% increase in phishing and malware for this tax year
• Hospital paid hackers 40 bitcoins to get its network back
• “changing the date to May 1970 or earlier can prevent your iOS device from turning on after a restart” Public WiFi + Rouge NTP server = Bucket of bricked iPhones
• Bitcoin startup Butterfly Labs settles with FTC for $38.6M, but it can’t pay
• Mine 30% more bitcoins be allowing errors
• First tech expert on NSA Advisory board: Steve Bellovin, co-director of Columbia’s Cybersecurity and Privacy Center, and author of such papers as “Keys Under Doormats”, a spectacular broadside against government backdoors in crypto
• Ringo Starr’s twitter account hacked after email address of digital marketing manager compromised
• Cryptolocker-like malware found signed with real code-signing certificate, likely stolen
• Backblaze releases 2015Q4 study on hard drive reliability, and why they use Seagate drives

The post Weaponized Comic Sans | TechSNAP 254 first appeared on Jupiter Broadcasting.

Cisco has a wormable vulnerability in its Firewall appliances, crimeware that allows unlimited ATM withdrawals & the big problem with the Java installer.

Plus great questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Cisco ASA IPSec vulnerability given highest possible CVSS score

• Cisco has released a patch for a critical vulnerability its ASA (Adaptive Security Appliance) firewalls
• “The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server. It is advertised as “the industry’s most deployed stateful firewall.” When deployed as a VPN, the device is accessible from the Internet and provides access to a company’s internal networks.”
• “A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.“
• “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
• So the router can be owned by a single UDP packet. It could then be controlled by the attack and used to send more of those UDP packets, making this a “wormable” exploit
• Affected devices include:
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance
• Users of ASA software versions 7.x, 8.0 – 8.6, will be forced to upgrade to ASA version 9.1
• The researchers had dubbed the exploit “Execute My Packet”
• “The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data.”
• Attempts to exploit the attack can be detected with packet inspection:
• “Looking for the value of the length field of a Fragment Payload (type 132) IKEv2 or IKEv1 packet allows detecting an exploitation attempt. Any length field with a value < 8 must be considered as an attempt to exploit the vulnerability. The detection also has to deal with the fact that the multiple payloads can be chained inside an IKEv2 packet, and that the Fragment Payload may not be the only/first payload of the packet.”
• Researcher Post
• Additional Coverage: SANS
• SANS says “We are seeing a LARGE INCREASE in port 500/UDP traffic (see and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)”

Metel crimeware allows unlimited ATM withdrawls

• An APT (Advanced Persistent Threat) crimeware package has been found in the wild, being used to drain ATMs and bank accounts
• This type of attack was previously the exclusive territory of Nation States
• “It contains more than 30 separate modules that can be tailored to the computer it’s infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they’re made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.”
• “Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees to execute malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to further burrow into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.”
• “Metel illustrates the growing sophistication of hackers targeting banks. It wasn’t long ago that reconnaissance, social engineering, state-of-the-art software engineering, lateral movements through a network, and long-term persistence were largely the exclusive hallmarks of so-called advanced persistent threat actors that painstakingly hack high-profile targets, usually on behalf of government spy agencies. Hackers targeting financial institutions, by contrast, took a more opportunistic approach that infected the easiest targets and didn’t bother with more challenging ones. Now, sophisticated techniques are increasingly a part of financially motivated hacking crimes as well.”
• Other groups have been found doing similar things:
• “The so-called GCMAN group, which gets its name because its malware is built using the GCC compiler. Like Metel, its members gain an initial foothold into financial institutions using spearphishing e-mails and from there use widely available tools such as Putty, VNC, and Meterpreter to broaden their access. In one case, GCMAN members had access to one targeted network for 18 months before siphoning any funds. When the group finally sprang into action, it used automated scripts to slowly transfer funds—about $200 per minute—into the account of a so-called “mule,” who was designated to withdraw the money.”
• “The Carbanak 2.0 malware, which in one recent case used its access to a financial institution to change ownership details of a large company. The records were modified to list a money mule as one of the shareholders. After attacking a variety of banks last year, the gang took a five-month sabbatical that caused Kaspersky researchers to think it had disbanded. In December, Kaspersky confirmed the group was active and had overhauled its malware to target new classes of victims”
• “Kaspersky researchers said all three gangs appear to be active and are known to have collectively infected 29 organizations in Russia. The researchers said they suspect the number of institutions hit by the groups is much higher.”
• Researcher Post
• Indicators and Signatures

Java installer vulnerable to binary planting

• “On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later.”
• Oracle Advisory
• “On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.”
• “The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer’s default download folder.”
• This allows an attacker to plant their own malicious binaries there, and then when the “trusted” Java installer is run with enhanced privileges, the malicious .dll gains those enhanced permissions
• “To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user’s system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.”
• It is not clear how Oracle’s new java downloader is improved, but it is likely not as good as it should be
• Many other downloaders are also likely vulnerable, but the applications do not have the same install base as java
• For less sophisticated users, the process of “clearing download history” would seem to imply that the files are removed as well, which is not the case

Feedback:

• R Pi 2 as proxy server?

• PFSense Central Management

• ZFS on the desktop

Round Up:

• Super Bowl fans use a record 10TB of data on Levi’s Stadium WiFi network, up 63% from 2015
• Paper: How Complex Systems Fail
• Hacker leaks thousands of FBI, DHS employees’ details
• Norse are not the only ones that can do Visualizations
• Google Will Reject All Flash Based Adverts In a Push For HTML5
• Krebs: Credit Card skimmers at the self checkout at Safeway
• U.S. can’t ban encryption because it’s a global phenomenon, Harvard study finds
• Krebs: New e-commerce fraud, order expensive merchandise just to steal the rewards points
• Linux kernel bug delivers corrupt TCP/IP data to Mesos, Kubernetes, Docker containers
• New tool from Harvard, AMBER, a wordpress and drupal plugin that automatically archives pages you link to, and uses that copy if the original goes away, or falls back to the Archive.org wayback machine
• “Revenue per employee, 2015: Yahoo: $419,830 Twitter: $462,009 MSFT: $789,145 Google: $1,160,648 Facebook: $1,412,655 Apple: $2,032,304”
• “Profit per employee, 2015: Twitter: -$129,334 Yahoo: $54,182 MSFT: $102,822 Google: $250,367 Facebook: $290,600 Apple: $464,296”

The post Cisco's Perfect 10 | TechSNAP 253 first appeared on Jupiter Broadcasting.

2014 has been the year of the celebrity bugs, we take a look at the new trend of giving security vulnerabilities names & logos & ask who it truly benefits.

Plus practical way to protect yourself from ATM Skimmers, how they work & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

• Are you a BSD User? The first question we ask in every interview is “How did you get started with BSD?” Send your video clip or writeup before December 17th for our Christmas Episode

• Spam Nation: The Inside Story of Organized Cybercrim

• Brian Krebs’s “Spam Nation”

• Best of JB Submission Form

Wiretapping ATMs

• “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.”
• “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
• “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
• So, they attach to the REAL card reader, and siphon off a copy of the data as the card is read
• That makes this form of skimming pretty much undetectable (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
• The Krebs article also talks about new “insert transmitter skimmers”, that use a small battery and transmit the skimmed data a short distance, meaning the attacker does not have to return to the scene of the crime to collect the stolen data, decreasing their risk of getting caught
• “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
• “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”

Bug naming and shaming

• This article discusses the advantages and disadvantages to having named and branded bugs like Heartbleed, as well as some behind the scenes info on that exploit, and the people behind the naming of various other vulnerabilities since then
• “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
• Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with Open SSL, Red Hat, CloudFlare, Facebook, and Akamia
• Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informing the National Cyber Security Centre Finland the next day”
• They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into super stardom. They had a logo and website designed, and prepared for the public disclosure of the bug
• The original public disclosure was supposed to be made on April 9th. However, after details started to leak, and the OpenSSL team decided that if more than 1 group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
• “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
• “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
• “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
• “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
• In the end, it seems Heartbleed was a success, most systems were patched quite quickly, although many systems did not follow the full procedure, and that has had some fallout that we have covered
• In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, It helps to bring these actors out of the shadows and into the light.“
• Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
• ShellShock was the anti-case. It didn’t have a logo, or an official website. ShellShock timeline
• It was actually originally dubbed BashDoor by its creator, but when it was leaked to the press by someone else, they provided the name ShellShock
• Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion, where people thought they had already patched, but didn’t have the “latest” patch
• Then, there were a number of follow-on vulnerabilities in bash, that didn’t have names, but were lumped in with ShellShock, which lead to even more confusion
• Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
• Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
• Who gains more for naming bugs, the end users who might become more aware of the issue and be able to protect themselves, or the PR powered firms that exploit it for their own good?

Feedback:

• Why is md5 not secure?

• Md5crypt Password scrambler is no longer considered safe by author — PHKs Bikeshed

• VMware’s page-sharing woes

• Brute Force, How Do They Know They Got It?

• Thank you – seriously

• BSDCan 2015 Call for Papers — Due by Jan 19th

Round Up:

• NSA spies on carriers to break call encryption, report suggests
• Government sites remain hacked 2 weeks later — The problem with not disclosing security breaches
• U.S. Intelligence Agency Aims to Develop Superconducting Computer
• The Cost of HTTPS everywhere
• Google Can Now Tell You’re Not a Robot With Just One Click
• Samsung announces 3.2TB PCI-E SSD, Intel/Micron announce 3D NAND, hard drives stuck at 7200rpm (or lower)
• “Its signed, must be legit” — Lessons in Interface Design
• ExplainShell.com — Explain what that code is actually doing, a quick way to learn to read shell scripts
• Prosecutors charge “hacker” with 44 felonies in typical scare tactics (10 year max on each, resulting in a total sentence that would be multiple lifetimes), final charges: a single misdemeanor with a $10,000 fine
• Crash CentOS6 init by touching a bunch of files
• Judge rules that IP addresses should not be exempt from a public records request because of “security”
• Nuclear weapons use fluctuating radiation fields to generate their own one-time passwords to restrict their use
• Your new 500GB external hard drive, guaranteed to be quieter than any other external hard drive

The post Celebrity Bugs | TechSNAP 191 first appeared on Jupiter Broadcasting.

A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized power power presentation. No, I’m not kidding. The details are fascinating.

Old ATMs become more and more of a target & it’s not because of Windows XP, and great big batch of your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

• Krebs describes the growing trend in ATM “Jackpotting”
• Formerly, the most common attack against ATMs was skimming, installing small physical devices to read the card data and capture the PIN of victims who use the ATM, and then creating fake cards to empty the victims’ accounts
• The new trend, installing Malware on the computer that operates ATM, allows the attackers to drain all of the cash out of the ATM, without requiring compromised accounts with large balances
• The fraud is harder to detect because money does not go missing from bank accounts in real time, the theft may not be discovered until the ATM is emptied and stops dispensing cash
• Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, that might tip the bank off to the fact that the ATM is infected
• “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
• In an Interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
• More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
• Most of the attacks involve physically assaulting the ATM, removing the top of front casing to access the standard PC inside, and then infecting the machine via CD or USB stick
• “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
• When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
• It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
• “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

• “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
• This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
• The vulnerability exploits a flaw in the Microsoft OLE functionality
• It allows a PowerPoint or other office document to have an embedded file, or to embed and external untrusted resource
• This can cause remote code execution, allowing the attacker to run any code they wish as the user who is opening the document
• In the case of at least on attack, the embedded file was a .inf that then installed malware on the system
• Many users still run with administrative rights, giving the malware full control of the target system
• iSight Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusions teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
• “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
• Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
• Researcher Post
• Technical Analysis by HP Security Research
• Additional Coverage – ZDNet
• Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

• Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
• The attack was demonstrated at Black Hat Europe last week in Amsterdam
• The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
• Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
• Thus, the malicious app remains hidden from reverse engineering, anti-virus, and the Google Bouncer, so can be listed in the Google Play Store
• “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
• Work was inspired by a previous exploit, Android/Gamex.A!tr that hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but if XOR’s with a key (18), it was also a valid .zip file containing a malware payload
• It turns out that .zip files do not require the header to be at the beginning of the file, so by simply concatenating a .png and a .zip file, the file will look like a valid .png, but can also be extracted as a valid .zip file
• PDF: Slides
• Example Code, Create a .PNG, .JPG, .FLV, or .PDF
• PDF: Paper

Feedback:

• Embed Browser For Steam

• Cheap NAS/Media Server

• Patch & System Management .:. Especially with all these recent bugs!

• Central Firewall Management

• But is it really your job to point out other peoples security issues?

• ZFS lag

• Windows Explorer and SMB Traffic – Ask the Performance Team – Site Home – TechNet Blogs

Round Up:

• Disney rendered its new animated film on a 55,000-core supercomputer
• Cisco finally fixed telnet bug from 2011 in Web Security Appliance, Email Security Appliance and Content Security Management Appliance
• Google’s 2-Step Verification Now Supports FIDO “Universal 2nd Factor” Open Standard
• Ironic: Publisher of Brian Krebs’ book discloses credit card breach in online shopping cart
• Hungary plans new tax on Internet traffic, public calls for rally
• MongoDB Advisory: Using MongoDB on Linux on top of VMWare may cause namespace files to be improperly zeroed, resulting in left over data that when read later is interpreted as a corrupt namespace, rather than the expected empty space. Patch resolves issue by manually zeroing the file rather than using the kernel facility to zero the entire file
• T-Mobile to upgrade US Cellular network 2G encryption from A5/1 to A5/3 to make surveillance harder. Made similar changes in Germany last year after NSA revelations
• Week old Flash vulnerability already included in 2 major Exploit kits, being deployed on legitimate infected sites throughout the Internet
• Kickstarter Freezes Anonabox Privacy Router Project for Misleading Funders
• Samsung acknowledges flaw in EVO 840 SSDs, issues Firmware update and “Data Migration Software” that re-writes data on the SSD to ‘refresh’ it, making reads faster again
• South Korea to rebuilt national ID system after a series of data breaches since 2004 have left 80% of the country exposed to identity theft. Many similar mistakes to US ID system, overuse across different sectors made the single ID number a ‘master key’ to a persons Identity, Inability to get a new ID number left victims with no recourse, and the ID numbers are based on date of birth and sex. Also, the government required the use of Microsoft ActiveX to provide digital signatures when interacting with banks and the government online

The post Weaponized PowerPoint | TechSNAP 185 first appeared on Jupiter Broadcasting.

The Belkin router apocalypse takes users offline all over the world, Infected ATMs spit out money on cue, plus isolating your network, a great batch of your questions & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Belkin router apocolypse, world wide outage of almost all Belkin routers

• “Starting approximately midnight on October 7, Belkin began experiencing an issue with a service configured in certain Belkin router models that causes a failure when it checks for general network connectivity by pinging a site hosted by Belkin.”
• It seems Belkin routers check to see if “the internet is up” by pinging or connecting to heartbeat.belkin.com. When this service went down, all of those routers decided the internet was ‘down’, and stopped letting customers use the Internet, despite the fact that the rest of the Internet was fine
• “One of our cloud services associated with maintaining router operations was negatively impacted by a change made in our data center that caused a false denial of service. Normal operations were restored by 3PM PST, but some users might still need to reset their router and/or cable modem to regain connectivity. Moving forward, we will continue to monitor, improve and validate the system to ensure our routers continue to work properly in the event connectivity to our cloud environment is not available. “
• The fact that the routers rely on only a single signal, a response from heartbeat.belkin.com, to determine if the internet is working, seems wrong.
• Even so, it doesn’t explain why the routers ‘give up’ and stops users accessing the Internet
• It appears this has to do with the DNS Resolver in the Router, which stops attempting to resolve addresses when it cannot reach the Belkin site. Users to manually change their DNS servers to Google Public DNS or OpenDNS had their service restored
• What if the Belkin site goes down? (Like it did). What if there is a routing or transit issue? What if access to the Belkin site is blocked in your country?
• “If your service has not yet been restored, please unplug your router and plug it back in after waiting 1 minute. Wait 5 more minutes and the router should reconnect.”
• There were rumours that this issue was caused by a firmware update. Belkin denies this, although it is not clear if they had pushed a firmware update around the same time or not
• Interesting: Apparently Belkin’s call center got a high volume of calls. How many users call their Router manufacturer when they have an issue, rather than their ISP? My Cisco router/modem only had my ISPs phone number on it.
• Belkin Status Page
• Belkin Community Forums
• Additional Coverage: Internet Storm Center

Infected ATMs spit out money on queue, without debiting anyones bank account

• “What do you need in order to withdraw cash from an ATM?”
• First, you need to have a debit or credit card, which acts as a key to your bank account
• Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction.
• Finally, you need to have some money in your account that you can withdraw.
• Or, you just need a bootable CD
• “However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.”
• “criminals were somehow able to physically access the ATMs so that they could install the malware via a bootable CD on an embedded Windows machine”
• “The trojan that was used had complex abilities. First, when activated inside of the ATM, it had the ability to turn off the McAfee Solidcare AV software so that it could do its job with ease”
• “Second, to avoid accidental detection, Tyupkin trojan had the ability to stay in a standby mode for an entire week and activate only Sunday and Monday nights.”
• “Third, it had the ability to disable the local network in the case of an emergency, so that the bank could not remotely connect to the ATM to check on what was happening with it.”
• “All an attacker has to do is merely approach an infected ATM and enter a special PIN code in order to access the secret menu that will allow him to make cash withdrawals or control the trojan (for example, to delete it).”
• “To make a withdrawal the person has to know the appropriate commands, as well as a special formula that will calculate a session key — some kind of a two-factor authentication. If both codes are correct, then a second menu will appear that allows the criminal to choose the cassette number and make a withdrawal.”
• “Although one can only dispense 40 banknotes per transaction, it’s possible to dispense any amount of money by simply performing the actions several times over.”

Pair arrested for exploiting flaw in Casino slot machines

• John Kane, a gambling addict, and an accomplice, Andre Nestor, exploited a bug in Game King video poker slot machines
• “It turned out the Game King’s endless versatility was also its fatal flaw. In addition to different game variants, the machine lets you choose the base level of your wagers: At the low-limit Fremont machines, you could select six different denomination levels, from 1 cent to 50 cents a credit”
• “The key to the glitch was that under just the right circumstances, you could switch denomination levels retroactively. That meant you could play at 1 cent per credit for hours, losing pocket change, until you finally got a good hand—like four aces or a royal flush. Then you could change to 50 cents a credit and fool the machine into re-awarding your payout at the new, higher denomination. “
• “Performing that trick consistently wasn’t easy—it involved a complicated misdirection that left the Game King’s internal variables in a state of confusion. But after seven hours rooted to their seats, Kane and Nestor boiled it down to a step-by-step recipe that would work every time. “
• It turns out John Kane was very familiar with the slot machine in question:
• “he blew half a million dollars in 2006 alone—a pace that earned him enough Player’s Club points to pay for his own Game King to play at his home on the outskirts of Vegas, along with technicians to service it. (The machine was just for fun—it didn’t pay jackpots.)“ He’s played more than anyone else in the United States, says his lawyer, Andrew Leavitt. I’m not exaggerating or embellishing. It’s an addiction.”
• Game King 5.0 was released in 2002, however it contained a series of subtle errors in program number G0001640 that evaded laboratory testing and source code review.
• “The bug survived like a cockroach for the next seven years. It passed into new revisions, one after another, ultimately infecting 99 different programs installed in thousands of IGT machines around the world. As far as anyone knows, it went completely undetected until late April 2009, when John Kane was playing at a row of four low-limit Game Kings outside the entrance to a Chinese fast food joint”
• “Kane had some idea of how the glitch operated but hadn’t been able to reliably reproduce it. Working together, the two men began trying different combinations of play, game types, and bet levels, sounding out the bug like bats in the dark.”
• The pair eventually sorted out the details, and managed to get more than $750,000 out of various slot machines before being arrested

Feedback:

• Building a FreeBSD storage backend for my cloud
  • High Availably Storage Technology
  • FreeBSD Wiki about GlusterFS

• Home hybrid router replacement

• Server Isolation

• What to do when cafes have terrible network the security

Round up:

• Adobe is Spying on Users, Collecting Data on Their eBook Libraries
• Shell Shock proof-of-concepts against various applications, also includes one-liners to test your bash against each different vulnerability
• Funny post over at OpenBSD misc@ mailing list: User doesn’t quite understand how bash vulnerability checks work
• Marriott fined $600K by FCC for Wi-Fi blocking scam – Android Authority
• Defense contractor Raytheon gets patent for ‘smart mouse’ technology, based on smart grip technology for guns, authenticate the user by the way they hold their mouse
• Popular electricity smart meters in Spain can be hacked, researchers say
• Backblaze updates Drive Reliability numbers, still lacking some detail
• SQL Injection Vulnerability in ‘Yahoo! Contributors Network’
• JPMorgan Chase breach exposes data on 83 million customers. No credit card or social security data was taken. However, security experts remain skeptical that this breach is as low-impact as the bank is suggestion

The post Belkin Heartbeat Stops | TechSNAP 183 first appeared on Jupiter Broadcasting.

Microsoft is in hot water with authorities in China and it could be worse than your being told. Plus Mozilla has a new CEO & then we cover a series of tech stories from down under that you’ve just got to hear!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

China Investigates Microsoft – WSJ

Two people familiar with the inquiry said Chinese corporate regulatory officials made surprise visits to Microsoft’s offices in four Chinese cities.

According to Reuters and the South China Morning Post, the company is being investigated by the State Administration for Industry and Commerce, which raided Microsoft offices in Beijing, Shanghai, Guangzhou and Chengdu on Monday.

China’s State Administration for Industry and Commerce acts as the nation’s corporate registry and has some marketing and antitrust responsibilities. It couldn’t be reached for comment late Monday.

AIC officials sometimes pay visits to industries under official scrutiny that don’t result in formal probes.

Microsoft had been in the Chinese government’s cross hairs before this week. China’s powerful state-run television broadcaster ran a report in June that questioned the security of the company’s new Windows 8 computer operating system.

The broadcast quoted Chinese experts who argued that Microsoft cooperated with the U.S. government to carry out cyberspying.

Other U.S. companies have also been under scrutiny in the country. China’s state broadcaster also raised questions about the security of the iPhone in July, allegations that Apple Inc.

In late May, the Chinese authorities banned government institutions from using Windows 8

• Microsoft targeted in apparent Chinese antitrust probe | Reuters
• Microsoft’s Chinese burn riddle: Antitrust g-men swoop on offices • The Register
• Chinese regulators drop in on Microsoft | ZDNet
• Microsoft Faces Mysterious Inquiry by Chinese Government | Paul Thurrotts WinInfo content from Windows IT Pro

Chris Beard Named CEO of Mozilla

Chris Beard has been appointed CEO of Mozilla Corp. The Mozilla board has reviewed many internal and external candidates — and no one we met was a better fit.

Chris first joined Mozilla in 2004, just before we shipped Firefox 1.0 – and he’s been deeply involved in every aspect of Mozilla ever since. During his many years here, he at various times has had responsibility for almost every part of the business, including product, marketing, innovation, communications, community and user engagement.

Leaked discussion paper reveals Australian online piracy crackdown in full swing

The federal government is proposing that internet service providers (ISPs), such as Telstra, Optus and iiNet, take measures to discourage or reduce online copyright infringement, according to a leaked copy of its discussion paper.

According to the document, first obtained by news website Crikey, the government also wants to give itself the power to prescribe specific measures that would see internet providers discourage online copyright infringement. This is in the cases where the industry does not develop effective schemes or commercial arrangements.

It is also proposing that universities be “captured” by the safe harbour scheme that currently governs internet service providers. This stipulates financial damages can be levied against carriage service providers who breach four categories, including providing connections to copyright material and referring users to an online location where it exists via a link.

In the document, signed by Attorney-General George Brandis and Communications Minister Malcolm Turnbull, the government cited its unratified trade obligations with the US – known as the** “Trans-Pacific Partnership Agreement”** – to pursue its reforms.

It essentially overrules a decision by the High Court in 2012, which found that internet service providers could not be found liable for authorising an act by a subscriber that infringes copyright.

Although the discussion paper hasn’t been released yet, a speedy response from industry and the public is expected, with submissions closing on August 25.

Aussie hackers get Doom working on an ATM- The Inquirer

HACKERS IN AUSTRALIA have succeeded in running classic first person shooter game Doom on a bank cash machine.

The ATM, which runs Windows XP Embedded, can be controlled using the device’s buttons, with the game appearing on the screen in place of the message telling you the size of your overdraft.

At the moment, weapons selection is done through the arrow buttons to the side of the screen, and the group already has plans to get the number keys up and running.

• Playing Doom on an ATM – YouTube

Close Encounters Of The Radio Kind? Mystery Bursts Baffle Astronomers : NPR

Back in 2007, astronomers detected an incredibly brief, incredibly strong radio wave burst in Australia. And now, on the opposite side of the world, astronomers have detected a second blast of similar proportions. Meaning that A) the first one wasn’t a fluke, and B) we have absolutely no idea what’s causing them.

This second ultrafast flash of radio waves was discovered by the Arecibo radio telescope in Puerto Rico, which had been putting out its feelers in hopes of discovering neutron stars. Instead, it got the second instance of so-called fast radio bursts (FRBs), which finally allowed astronomers to rule out cosmic noise and formally report them. Because unlike the radio signals we usually detect, these radio waves “show every sign of having come from far outside our galaxy.”

• Arecibo captures its first ‘fast radio burst’ | Cornell Chronicle
• No One Knows What’s Causing These Mysterious Radio Bursts From Space

Emails:

Stephen writes:

IBM Typerwriter

Yes, I remember that IBM typewriter. That typewriter was so popular that they were often stolen from offices. Some police forces had special teams to investigate thefts.

Sebastian writes:

USB flux capacitor

Hey Chris I saw this on twitter and it just lit a light in my soul, remembering the good old day
Flux Capacitor charger turns any ride into a DeLorean time machine

FauxShow Awards show – How do you watch JB? Send a pic, your IRC Nick, and anything you’d like to add to angela@jupiterbroadcasting.com

The post China Pays Microsoft a Visit | Tech Talk Today 34 first appeared on Jupiter Broadcasting.

2014 starts out with a bang, the NSA spying catalog is leaked, back doors are running wild, and thieves use a simple USB drive to steal thousands of dollars.

Then it’s a great big batch your questions, and our answers!

Thanks to:

— Show Notes: —

NSA Spy tool catalogue

• Der Spiegel displays the NSA’s 50 page catalogue of spy tools and “Tailored Access Operations”
• Many of the digital weapons are \”remotely installable\”
• While others require physical access to the device, called an \”interdiction\”
• The malware is installed into the hardware, usually intercepted sometime between leaving the manufacturer and arriving at the customer
• The malware is often persistent, meaning it will survive upgrades, and sometimes even reflashing the BIOS or firmware
• Some of the implants were new hardware, they provided the NSA with RF communications with the target system, allowing them to control or reinfect the system, or exfiltrate data
• The attack against Dell servers, known as ARKSTREAM reflashed the BIOS from a USB stick (so as not to require the attacker to have any technical skills) to implant the infection
• The NSA has nearly complete backdoor access to Apple\’s iPhone
• EFF: Everything we know about the NSA Spying
• One case involved Julian Assange\’s current home at the Ecuadorian Embassy in London, where visitors were surprised to receive welcome messages from a Ugandan telephone company. It turned out the messages were coming from a foreign base station device installed on the roof, masquerading as a cell tower for surveillance purposes
• The program also targeted hard drive manufacturers: Western Digital, Seagate, Maxtor and Samsung
• Responses:
• Dell
• Juniper
• Cisco

Thieves use USB sticks to compromise ATMs

• The attackers physically cut holes in the ATM to be able to access the USB port, then once they had infected the machines with their own code, they patched the holes to avoid discovery
• Once infected, the thieves just had to approach the ATM and enter a 12 digit code to get access
• “Analysis of software installed onto four of the affected machines demonstrated that it displayed the amount of money available in each denomination of note and presented a series of menu options on the ATM\’s screen to release each kind”
• The mastermind behind the attack designed it such that it required two-factor authentication, to ensure that the mules with the USB sticks could not ‘go rogue’
• The researchers added the organisers displayed \”profound knowledge of the target ATMs\” and had gone to great lengths to make their malware code hard to analyse.
• However, they added that the approach did not extend to the software\’s filenames – the key one was called hack.bat.

• FreeNAS Mini from iXsystems

Canadian Federal Departments consider banning USB devices

• After a number of incidents where USB sticks have been lost or stolen, the Canadian government is considering banning USB devices
• A week-long investigations led security officials to conclude it was “impossible to assess [the] compromise” related to the loss of the device
• Nor was it clear who was telling the truth about the number of hands the one small device passed through: Employees pointed fingers at each other, with none knowing where the USB key ended up
• Another USB key that was neither password protected nor encrypted was found on a downtown Ottawa sidewalk by a Good Samaritan. It contained protected information — albeit out-of-date details — of a federal project
• File servers are behind firewalls, support auditing and stronger access control, and are a better solution
• However, since any unsophisticated user can easily use a USB stick, they tend to get used to circumvent IT policy

Feedback:

• ZFS on Root
• ZFS Tuning
• Tuning ZFS on FreeBSD – Martin Matuska, EuroBSDcon 2012
• FreeNAS questions
  • FreeBSD 2012 Security Incident
• Could Allan share his router config?
• Password sharing methods for enterprise
  • FUDO contractor security and auditing appliance

Round Up:

• Backdoor found in Linksys, Netgear Routers
• Proof of concept exploit against Dual_EC_DRBG
• Target confirms encrypted PIN data stolen
• Man fights ISPs affiliate foulplay and wins
• The NSA\’s elite hackers can hijack your Wi-Fi from 8 miles away
• Attackers calling themselves ‘DERP’ take down multiple online gaming servers
• 30th Chaos Communication Congress [30c3] Videos Available on Youtube
• Breeze card hackers arrested and charged with racketeering
• Coca-Cola gets allocated 16 million MAC addresses
• Wired – We’re about to lose Net Neutrality
• Snapchat Account Leak Raises Questions About It and Other Mobile Apps
• Skype blog and social media accounts hacked by Syrian Electronic Army
• FireEye buys Mandiant for over $1 billion

The post ZFS Turntables | TechSNAP 143 first appeared on Jupiter Broadcasting.

The media has Bitcoin in it’s sights this week as they take a good laugh at the Winklevoss Twins Bitcoin Fund plans. But are the eye-rolls justified? We’ll dig in.

Plus the big change up at the Bitcoin Foundation, darknet Bitcoin exchanges, the new generation of merchants accepting Bitcoin, your emails and more!

Downloads:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | Ogg Feed

— Support the Show —

If you enjoyed this episode, found value or information from it, please consider contributing using Bitcoin. Each episode gets its own unique Bitcoin address so by tipping you\’re not only making our continued efforts possible but telling us what you liked. Our episode specific address is listed at the bottom of the show notes.

— Feedback —

• Simple Mining Question

• Open Source Car Builders Accepting Bitcoin

• Paper Payments and Transaction Fees

Help spread the word on iTunes with a Rating and Review:

• iTunes – Plan B by Jupiter Broadcasting

Call or txt the Show:

1 (352) 587-5262

(352) 58-PLANB

— Discussion —

New Executive Director of Bitcoin Foundation

• Jon Matonis Named New Executive Director of Bitcoin Foundation | Bitcoin MagazineBitcoin Magazine

Jon Matonis has served as an advocate for the Bitcoin currency and a source of insight for cryptocurrencies and general matters of finance and politics. Prior to assuming his position as Executive Director, Jon Matonis served on the Board of Directors for the Bitcoin Foundation. He currently is a regular contributor to Forbes and is the editor of The Monetary Future economics blog and has not only a passion for but understanding of the ins and outs of the Bitcoin currency.

Jon serves as a member of the Bitcoin Magazine Editorial Board and has contributed articles to the print magazine and website. Prior to getting heavily involved in the Bitcoin currency, Jon served as the CEO of Hushmail and Chief FX Dealer at Visa. Prior to accepting his new appointment of Executive Director of the Bitcoin Foundation, Jon was a board member holding the officer role of board secretary.

• Jon Matonis – The Monetary Future – Forbes

• The Monetary Future: Why I Accepted Executive Director Position for Bitcoin Foundation

One of my primary near-term objectives for the Foundation is to
become more inclusive of the various constituencies within the global
bitcoin community.

This will involve being more responsive to and
communicative with member requests. It will also involve being more open
to internationalization.

Currently, 60% of the Foundation\’s membership
is non-US based and we need to do a better job behaving like a global
organization. To this end, we will hold the next Bitcoin conference
outside of the United States and we will sign on local Foundation
chapters in several countries where interested parties have taken the
lead on expanding the principles of Bitcoin in their region.

Flattr Adds Bitcoin Support

• Adding Bitcoin support

Apparently the great community around Bitcoins wants us to add Bitcoin funding, the nagging has sometimes been skilled like that of an old lady.

As you asked for it. You got it! We are happy to tell you that you can now fund your account with Bitcoins. Just pick Bitcoin on the \”Add funds\” page.

Butterfly Labs Disappoints Again

• Butterfly Labs Still Shipping Day 1 Jalapeno Orders

We are into September 20, 2012 with Jalapeno orders. Not all through that date have shipped, however.

TOR ATM/Hidden Exchanges Set to Flourish

• TOR ATM Front Page
• TOR ATM Signup Page
• TOR ATM Public Key Easy to Find

Winklevoss Twins Stirring it Up

• Winklevoss’ ETF product draws laughs for a reason | Business – The News Tribune

Over the years, fund industry watchers have laughed about a lot of wild investment ideas.

So when the fund observers started laughing recently after seeing the registration papers for the Winklevoss Bitcoin Trust — a new exchange-traded product that faces a lengthy vetting process from the U.S. Securities and Exchange Commission — the question was which laugh, first or last, will be the better one here, and who will get the final guffaw.

• A Bitcoin ETF Is A Vital Step Towards Market Maturity – The Genesis Block

Regardless of your view on bitcoin as an investment, the product proposed by Tyler and Cameron Winklevoss would give a new world of potential investors the ability to make that decision for themselves — exactly as an ETF is intended to do.

Bitcoin Pick

• NZB Finder | Pro Account via Bitcoin Funding

— Watch Live —

Tuesday 2pm PDT / 5pm EDT / 9pm GMT

• JbLive.tv

— Plan B Subreddit —

• Plan B Show

— Contact us —

• Chris on G+
• Drew on G+

— Music —

• Thanks to Ronald Jenkees and his fantastic track 7 Times

— Support the Show —

• Donate to the network with your worthless fiat or your fancy bitcoins!

• Tip address:

  1HE36CMdeYCF9N7rmpfa5BwKMGb1PfkNyD

The post Winklevoss Woes | Plan B 14 first appeared on Jupiter Broadcasting.

We’ve got the details on a critical flaw in the chip and pin credit card system. The future of secure hashing, doing proper backups with rsync, and how squirrels and sharks take down the Internet.

Plus a big batch of your questions, and our answers.

All that and more, on this week’s TechSNAP

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: