Show Notes: selfhosted.show/20

The post One is None | Self-Hosted 20 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

OpenSSH CLI escape sequences

• Notes from when Dan was experimenting with this: Only work if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. Must be the first character after ENTER.

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

• According to Kaspersky, the fault rests of the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software

• The analyst’s computer was infected with malware while Kaspersky’s product was disabled

• When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times

• A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

• Spent $3,000 to buy 7.4 bitcoins. Saved them to Trezor hardware wallet. Wrote down a 24-word recovery key. Saved a PIN.

• Paper went missing

• Could not remember PIN

• Tried many times.

• Tried an exploit…..

Feedback

• Backup to tapes

• Feedback on Krack Updates

  • KRACK Test Python Script

• It is worth reporting malware etc?

Round Up:

• grafana – Datasources as configuration

• curl statistics made simple: davecheney/httpstat (written in GO) refers to reorx/httpstat (written in Python) which is in FreeBSD Ports as net/py-httpstat – Dan tweeted his test case

• Gentoo system ransomware’d

• Backblaze Hard Drive Stats for Q3 2017

• ​A flaw in Google’s bug database exposed private security vulnerability reports – original blog post

• Staging Best Practices

• Protocol standards not publicly available

• Oracle ZFS man calls for Big Red to let filesystem upstream into Linux – sounds like Oracle wants to get ZFS into Linux

• Things You Can Do on the Dark Web That Aren’t Illegal

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New password guidelines say everything we thought about passwords is wrong

• No more periodic password changes

• No more imposed password complexity

• Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.

• We recommend you use a password manager, use a different password on every login

• Rainbow tables used to convert hashes to passwords

Enterprise hard disks are faster and use more power, but are they more reliable?

• The enterprise disks also use more power: 9W idle and 10W operational, compared to 7.2W idle and 9W operational for comparable consumer disks.

• If you have one or two spindles, that’s no big deal, but each Backblaze rack has 20 “storage pods” with 60 disks each. An extra 2.2kW for an idle rack is nothing to sniff at.

• Other HGST models are also continuing to show impressive longevity, with three 4TB models and one 3TB model both boasting a sub-1 percent annualized failure rate.

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

• Access to all your mail

• access to any of your google hangout chats

• access to all your contacts

• makes a good case for encryption/decryption at the client

• OAuth

Feedback

• Intel AMT bug

• bhyve VGA pass-through see also mailing list post

• Amazing, and keep it up!

• Borg Backup see Borg Documentation

  • Borg demonstration

• inexpensive, managed switches

Round Up:

• Why Security Backdoors are Bad (Common Sense Version)

• How to remote hijack computers using Intel’s insecure chips: Just use an empty login string

• Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

• NASA wants YOU (to make its Fortran code run faster)

The post All Drives Die | TechSNAP 318 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

• Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported by multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes
• In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation to what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox choose to keep those files around for years, and eventually restored them due to a blunder. In its File retention Policy, Dropbox says it will keep files around a maximum 60 days after users deleted them
• If you have sensitive data, do not rely on delete, rely on encryption.
• If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
• The encryption and decryption should occur on your system, not theirs.
• Imagine you deleted those risky files just before an international trip, you get requested to power up your laptop, and bang, there’s those deleted files back….!

Twitter Activist Security – Guidelines for safer resistance

• We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
• This guideline is specfically for Twitter, but many of the suggestions can be apply to other social media as well, but I am not sure how well they will travel. Chose carefully
• Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
  I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
• Security Principles To Live By The basic principles of operational security are actually very simple, they’re what we call the three Cs: Cover, Concealment, Compartmentation

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

• Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
• “Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
• “Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
• Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
• Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
• Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
• “You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
• McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
• “We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
• Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
  “It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
• Krebs wrote about this and has a post which is all about skimmer and shimmer
• Not new tech, been around since at least 2015

Feedback:

• FreeBSD + Bacula as a portable VM
• Bank security or lack of!

Round Up:

• Hotel ransomed by hackers as guests locked out of rooms
• ShmooCon 2017 Videos
• Google – Site Reliability Engineering
• Booted up in 1993, this server still runs — but not for much longer
• Digital Ocean re-enabling password authentication for snapshot-based droplets
• HP recalls 101,000 laptop batteries due to fire concerns.
• A Shakeup in Russia’s Top Cybercrime Unit
• Hardening Windows 10 With Zero Day Exploit Mitigations Under The Microscope
• Delta Airlines cancels at least 150 flights due to IT issue
• Texas Police Department Loses Years Worth of Evidence in Ransomware Incident
• A crowd funded effort to review “Secure HTTP without HTTPS”, from the Unity Asset Store, finds it critically flawed
• Backblaze Hard Drive Stats for 2016

The post Three C's to Tweet By | TechSNAP 304 first appeared on Jupiter Broadcasting.

How to get an SSL certificate for other people’s domains, how to decrypt HTTPS traffic with some javascript & the latest storage reliability report.

Plus great questions & a rocking round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Keeping Positive: Obtaining wildcard SSL certificates for arbitrary domains

I recently decided to investigate the security of various certificate authority’s online certificate issuing systems. These online issuers allow certificate authorities to verify that someone owns a specific domain, such as thehackerblog.com and get a signed certificate so they can enable SSL/TLS on their domain.

When I started out hunting for possible vulnerabilities, my initial strategy was to look for the cheapest, most 90’s-looking, poorly designed certificate authority websites. Since the compromise of any certificate authority allows an attacker to bypass all the protections of SSL/TLS it doesn’t even have to be a popular provider because they all have the same power. After doing a bit of searching I realized it would be advantageous to do testing against authorities that had free SSL certificates, since doing tests against these wouldn’t cost me any money. I passed on Let’s Encrypt because I figured it had already been thoroughly audited, the second site I saw was a 30 day free trial from Positive SSL (a company owned by Comodo).

Upon entering your CSR and selecting the software you used to generate it, you then select the email address for domain validation (from the website’s WHOIS) and arrive on a “Corporate Details” page. This is the vulnerable portion of the application, where you fill out your company/personal information getting to the email validation portion

When I first went through this process I mindlessly filled out junk HTML for all of these fields. The service then sent a verification email to the email address on the website’s WHOIS info. Once I received the email, I noticed the HTML was not being properly escaped and the markup I had entered before was being evaluated. This is really bad because the email also contained a verification code which could be used to obtain an SSL/TLS certificate for my website. This means if I had a way to leak a victim’s token, I could obtain a valid certificate for their site, so that I could intercept traffic to that site seamlessly without users knowing I was doing so

• Normally, the email provides the user with a link and the code to validate the certificate. However, because an attacker can fill out the form fields with HTML, they can change the message in the email, instead requiring you to click a link within the next 24 hours to REJECT this bogus certificate
• So, in the field he wrote some HTML that included an form tag and a textarea tag that was never closed
• This resulted in everything that appears after that field in the email, being swallowed by the text area, rather than the body of the email.
• Then a later form field adds a button, “click here to reject this request”. When the user clicks the button, it submits the contents of the HTML textarea (including the verification code) to the attacker’s website, giving them the code, allowing them to approve the certificate for YOUR domain

Form submissions are a great way to leak secrets like this because they work in many different mail clients. Even the iPhone’s Mail app supports this functionality

Once I’ve leaked the code from the victim in this way, I can then log into the account I created during the certificate request process and download the SSL/TLS certificate

One other important thing to note is that resellers of Comodo’s certificates were also affected as well. This risk is amplified because resellers can have a customized HTML header and footer for the verification emails that get sent out. This means that it would be possible for a third party vendor to have a dangling tag in the header combined with a single quote in the footer which would side-channel leak the verification code in the email body (similar to the attack above, but automatic with no user interaction). This style of dangling mark-up injection wasn’t possible in the previously proof-of-concept but is possible for resellers.

• Timeline:
• June 4th, 2016 – Emailed security@comodo.com and reached out on Twitter to @Comodo_SSL.
  • June 6th, 2016 – Robin from Comodo confirms this is the correct contact to report security issues, provides PGP key.
  • June 6th, 2016 – Emailed Comodo the vulnerability PGP-encrypted and sent my PGP public key.
  • June 7th, 2016 – Robin from Comodo confirms they understand the bug and state they will work on a fix as soon as possible.
  • June 20th, 2016 – Emailed Comodo for status update.
  • July 1st, 2016 – Outline timeline for responsible disclosure date (90 days from report date per industry standards).
  • July 25th, 2016 – Robin from Comodo confirms a fix has be put in place.

Normally, the name of the game when it comes to finding a way to mint arbitrary SSL/TLS certificates is to find the smallest, cheapest, and oldest certificate provider you can. Comodo is the exact opposite of this, they have a 40.6% marketshare and are the largest minter of certificates on the internet. Basically, they are the largest provider of SSL/TLS certificates and yet they still suffer from security issues which would be (hopefully) caught on a regular penetration testing engagement. This paints a grim picture for the certificate authority system. If the top providers can’t secure their systems, how could the smaller providers possibly be expected to do so? It’s a hard game to play since the odds are heavily stacked in the attacker’s favor with tons of certificate authorities all with the power to mint arbitrary certificates. A single CA compromise and the entire system falls apart.

Luckily, we have some defences against this with newer web technologies such as Public Key Pinning which offers protection against attackers using forged certificates. This is a fairly powerful mitigation against an attacker with a forged certificate. However, the support is iffy with a lack of support in Internet Explorer, Edge, Safari, and Safari on iOS.

Many people like to speak of a certificate authority hack as if it was something only a nation state could accomplish, but just a day’s worth of searching led me to this issue and I don’t doubt that many providers suffer from much more severe vulnerabilities. What happens when your attacker doesn’t care about ethical boundaries and is willing to do much more in-depth testing? After all, this is Comodo, the largest provider. What about the smaller certificate providers? Do they really stand a chance?

HEIST: New attack allows stealing sensitive information web HTTPS encrypted pages

• HEIST: HTTP Encrypted Information can be Stolen through TCP-windows
• This new attack exploits how HTTPS responses are delivered over TCP, and how compression is used, and the new Javascript API

The exploit is notable because it doesn’t require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

• “HEIST makes a number of attacks much easier to execute,” Tom Van Goethem, one of the researchers who devised the technique, told Ars. “Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.”
• Rather than having to visit a malicious website, all that is required is that you end up being served a malicious advertisement, on any website

Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses—say, @gmail.com, in the case of an e-mail address—in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.

To determine the size of an HTTPS-protected response, the attacker uses an oracle technique that returns what amounts to a yes-or-no response to each guess. When a request containing “value=” results in the same data size, the attacker knows that string is inside the encrypted response and then tries to modify the guess to include the next character, say “value=0”. If that guess results in a larger file size, the attacker knows it’s wrong and will try “value=1”, “value=2”, and so on until the new guess similarly results in a response that shows no increase in file size. The attacker then tries to guess the next character and repeats the process until the entire token has been recovered.

Until now, this BREACH-style exploit required the attacker to be able to actively manipulate the traffic passing between the Web server and end user. A HEIST-enabled BREACH exploit removes that limitation. It does this by using TCP characteristics as a quasi cryptographic side channel to measure the size of an HTTPS response. TCP divides large transmissions into smaller fixed-sized chunks called frames and further groups frames inside what are called TCP windows, which are sent one at a time. TCP sends a new window only after receiving confirmation that frames from the previous window were received by the end user.

HEIST is able to count the number of frames and windows sent by interacting with a set of newly approved APIs, one called Resource Timing and another called Fetch. In the process, they allow a piece of JavaScript to determine the exact size of an HTTPS response.

Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don’t work unless third-party cookies are allowed.

Wednesday’s demo will show how a malicious ad displayed on The New York Times website is able to painstakingly measure the size of an encrypted response sent by a fictitious third-party site they dubbed targetwebsite.com (see the image below). It will go on to show how that information can be used to infer the characters contained in a security token designed to prevent cross-site request forgery attacks

• And, we are not protected by the next generation HTTP protocol either

HEIST is also effective against HTTP/2, the drop-in replacement for the older HTTP standard that encrypts all Web traffic. In some cases, HEIST can abuse new features of HTTP/2 to increase the damaging effects.

• If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content,” Vanhoef and Van Goethem wrote in a research paper.

Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well.

It’s too early to know if HEIST combined with BREACH will be exploited against real people visiting real HTTPS-protected websites. While there’s no indication that BREACH has ever been exploited in the wild, the new convenience offered by HEIST may change that.

• Blackhat Slides
• Research Paper

Backblaze: 2016 Q2 hard drive failure rates

• Backblaze has published their latest numbers on drive failures
• This is the first report to feature the newer 8TB drives
• As before, the HGST drives are doing very well, although some models seem to be doing better than others. The Seagate drives are on spec, and the Western Digital drives are not doing so well. Although there is relatively few WD drives, not because of the high failure rate, but as explained in the 2016Q1 report, just difficulty acquiring large numbers of them
• Almost half of all drives in BackBlaze are the Seagate 4TB desktop model
• I think it would help for BackBlaze’s formula to consider the age of the drive. Of course the failure rate of older drives will increase over time. It would be interesting to see a graph of the failure rate vs drive age
• The Seagate 4TB drives seem to be doing as expected. I feel confident in my decision to purchase these exact drives for my own use
• Backblaze explains their formula, and reminders readers to consider the formula when looking at the numbers. A single drive failure in a new set of Toshiba 5TB drives gives a result of a nearly 9% failure rate, but obviously the sample set is too small
• There is also an interesting discussion of their migration process, moving data from 64+ month old hard drives to new larger drives
• Further down, they also provide a breakdown of their failure statistics from 2013 through 2016, which makes for much more interesting reading
• In general, most of the drives seem to perform as expected, with a 1 – 3 % annual failure rate
• Of course, BackBlaze does not buy the fancier Enterprise drives. Hopefully someone else will produce a similar report using Enterprise drives, so we can see if they are worth the extra money.

The 4TB Seagate drives are our workhorse drives today and their 2.8% annualized failure rate is more than acceptable for us. Their low failure rate roughly translates to an average of one drive failure per Storage Pod per year. Over the next few months expect more on our migrations, a look at the day in the life of a data center tech, and an update of the “bathtub” curve, i.e. hard drive failure over time

• If you would like to do your own thing with the data, here it is

Feedback:

• Any way to guess or estimate how many drives would be needed? // Slexy 2.0

• how secure are long unique links?

• Google’s Unguessable URLs – Schneier on Security

• Redirecting domain requests, mail and linking droplets

  • DNS Made Easy for dns or backup mx

• Hosting your own email – follow up to Feedback Episode 277

Round Up:

• Networking hardware vendor TP-Link today admitted violating US radio frequency rules by selling routers that could operate at power levels higher than their approved limits. In a settlement with the Federal Communications Commission, TP-Link agreed to pay a $200,000 fine, comply with the rules going forward, and to let customers install open source firmware on routers
• FireFox 48 finally ships, with multiprocess support. For the next few days, only a fraction of a percent of Firefox 48 users will have Electrolysis turned on by default. If this mini-rollout goes well, the multiprocess feature will be rolled out to about half of all Firefox 48 users
• Malvertising Campaign Infected Thousands of Users per Day for More than a Year
• EFF Files lawsuit challenging DMCA provisions that place restrictions on security researchers
• Iranian hackers compromise Telegram’s secure messaging
• FireEye releases: Overload: Critical lessons from 15 years of ICS vulnerabilities
• QRLJacking attack can bypass any QR login system
• Something I have been saying for years, FTC says frequent forced password changes are the enemy of security Allan’s post from 2009 came to the same conclusion
• Japanese Olympic Gymnist racks up $5000 mobile data bill playing Pokemon go in Brazil
• Deanonymizing Windows users and stealing Microsoft and VPN accounts
• SwiftKey was accidently sharing your autocorrect suggestions with other people, leaking email contents, search history, and more

The post Dangerous Dangling Quotes | TechSNAP 278 first appeared on Jupiter Broadcasting.

A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Attackers compromise banks and steal millions

• Attackers compromised the credentials of Bangladesh Bank (the Country’s central bank), and used those credentials to make SWIFT wire transfers
• “Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
• Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, the largest bank heist in history
• The fifth, was stopped only because of a typo
• “a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
• “The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
• “The transactions that were stopped totaled $850-$870 million, one of the officials said”
• So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
• “Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
• “More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
• Additional Coverage
• “Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
• “The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
• Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
• “Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
• “Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
• “The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eight floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
• “The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, “managed” switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
• My kingdom for a vlan…
• Last week, a second bank was hit
• Additional Coverage
• “The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
• Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
• “News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
• “In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
• That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank, and so did not need to use such techniques, or that they just went undetected, because of the lax security at the first bank
• SWIFT network issues security advisory about malware targetting banks
• “In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco TALOS finds vulnerability in 7zip

• “Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
• For example, a number of virus and malware scanners using the 7-Zip library to scan inside various archive formats
• This means an attacker could send you a file, which would automatically be scanned by your virus scanner, which would trigger the exploit
• The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications
• “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
• “Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
• “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
• “Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
• “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
• 2016-03-03 – Vendor Notification
• 2016-05-10 – Public Disclosure

Two large middle eastern banks hit by hackers

• “A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
• “Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
• “Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
• Additional Coverage: IBTimes
• “Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
• “In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
• “Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
• A second breach occurred at InvestBank, in the UAE
• Additional Coverage
• “A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
• “The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
• “The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
• “Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
• “The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
• “The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
• “In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
• InvestBank claims this is not a new hack, but just the old data being fully released
• It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly

Feedback:

• Remote access possibilities

• Episode 266 – OwnCloud Cloud Proxy

• Pagekite – The fast, reliable localhost tunneling solution

• Storing client sensitive data

• Dynamic DNS via scp, and remote support for my mother’s computer

• Researchers get United Airlines bug bounty of 1 million air miles. Find out that that has a “street value” of $20,000, and it will be considered income by the IRS, so they donate it to Charity instead.

Round Up:

• Federal Judge Says Internet Archive’s Wayback Machine A Perfectly Legitimate Source Of Evidence
• Backblaze releases their 2016Q1 hard drive reliability stats
• Senators introduce bill to block expansion of FBI hacking authority
• Backwards compatibility layer used to bypass EMET, defeating advanced protections in Windows
• Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability
• How do you deal with a petabyte of disks with sensitive data you need to destroy? Basically a wood chipper.
• Internet Speed Test by Netflix
• The “Ping of Death” is back, this time in the Linux Kernel
• Sites Turn to Audio Fingerprinting to Track Users
• Remember back to the last US Presidential Election, and some guy claimed he hacked Mitt Romney’s lawyers and stole his tax records? It was fake, but, you can still go to jail for that
• Microsoft Disables Wi-Fi Sense on Windows 10
• The printer works fine, except on Tuesdays…
• High CPU use by taskhost.exe when Windows 8.1 user name contains “user”
• A kickstarter campaign full of nonsense and false buzzwords. Watch what people promise you
• How the internet works, a story in pictures

The post My Kingdom for a VLAN | TechSNAP 267 first appeared on Jupiter Broadcasting.

The Belkin router apocalypse takes users offline all over the world, Infected ATMs spit out money on cue, plus isolating your network, a great batch of your questions & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Belkin router apocolypse, world wide outage of almost all Belkin routers

• “Starting approximately midnight on October 7, Belkin began experiencing an issue with a service configured in certain Belkin router models that causes a failure when it checks for general network connectivity by pinging a site hosted by Belkin.”
• It seems Belkin routers check to see if “the internet is up” by pinging or connecting to heartbeat.belkin.com. When this service went down, all of those routers decided the internet was ‘down’, and stopped letting customers use the Internet, despite the fact that the rest of the Internet was fine
• “One of our cloud services associated with maintaining router operations was negatively impacted by a change made in our data center that caused a false denial of service. Normal operations were restored by 3PM PST, but some users might still need to reset their router and/or cable modem to regain connectivity. Moving forward, we will continue to monitor, improve and validate the system to ensure our routers continue to work properly in the event connectivity to our cloud environment is not available. “
• The fact that the routers rely on only a single signal, a response from heartbeat.belkin.com, to determine if the internet is working, seems wrong.
• Even so, it doesn’t explain why the routers ‘give up’ and stops users accessing the Internet
• It appears this has to do with the DNS Resolver in the Router, which stops attempting to resolve addresses when it cannot reach the Belkin site. Users to manually change their DNS servers to Google Public DNS or OpenDNS had their service restored
• What if the Belkin site goes down? (Like it did). What if there is a routing or transit issue? What if access to the Belkin site is blocked in your country?
• “If your service has not yet been restored, please unplug your router and plug it back in after waiting 1 minute. Wait 5 more minutes and the router should reconnect.”
• There were rumours that this issue was caused by a firmware update. Belkin denies this, although it is not clear if they had pushed a firmware update around the same time or not
• Interesting: Apparently Belkin’s call center got a high volume of calls. How many users call their Router manufacturer when they have an issue, rather than their ISP? My Cisco router/modem only had my ISPs phone number on it.
• Belkin Status Page
• Belkin Community Forums
• Additional Coverage: Internet Storm Center

Infected ATMs spit out money on queue, without debiting anyones bank account

• “What do you need in order to withdraw cash from an ATM?”
• First, you need to have a debit or credit card, which acts as a key to your bank account
• Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction.
• Finally, you need to have some money in your account that you can withdraw.
• Or, you just need a bootable CD
• “However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.”
• “criminals were somehow able to physically access the ATMs so that they could install the malware via a bootable CD on an embedded Windows machine”
• “The trojan that was used had complex abilities. First, when activated inside of the ATM, it had the ability to turn off the McAfee Solidcare AV software so that it could do its job with ease”
• “Second, to avoid accidental detection, Tyupkin trojan had the ability to stay in a standby mode for an entire week and activate only Sunday and Monday nights.”
• “Third, it had the ability to disable the local network in the case of an emergency, so that the bank could not remotely connect to the ATM to check on what was happening with it.”
• “All an attacker has to do is merely approach an infected ATM and enter a special PIN code in order to access the secret menu that will allow him to make cash withdrawals or control the trojan (for example, to delete it).”
• “To make a withdrawal the person has to know the appropriate commands, as well as a special formula that will calculate a session key — some kind of a two-factor authentication. If both codes are correct, then a second menu will appear that allows the criminal to choose the cassette number and make a withdrawal.”
• “Although one can only dispense 40 banknotes per transaction, it’s possible to dispense any amount of money by simply performing the actions several times over.”

Pair arrested for exploiting flaw in Casino slot machines

• John Kane, a gambling addict, and an accomplice, Andre Nestor, exploited a bug in Game King video poker slot machines
• “It turned out the Game King’s endless versatility was also its fatal flaw. In addition to different game variants, the machine lets you choose the base level of your wagers: At the low-limit Fremont machines, you could select six different denomination levels, from 1 cent to 50 cents a credit”
• “The key to the glitch was that under just the right circumstances, you could switch denomination levels retroactively. That meant you could play at 1 cent per credit for hours, losing pocket change, until you finally got a good hand—like four aces or a royal flush. Then you could change to 50 cents a credit and fool the machine into re-awarding your payout at the new, higher denomination. “
• “Performing that trick consistently wasn’t easy—it involved a complicated misdirection that left the Game King’s internal variables in a state of confusion. But after seven hours rooted to their seats, Kane and Nestor boiled it down to a step-by-step recipe that would work every time. “
• It turns out John Kane was very familiar with the slot machine in question:
• “he blew half a million dollars in 2006 alone—a pace that earned him enough Player’s Club points to pay for his own Game King to play at his home on the outskirts of Vegas, along with technicians to service it. (The machine was just for fun—it didn’t pay jackpots.)“ He’s played more than anyone else in the United States, says his lawyer, Andrew Leavitt. I’m not exaggerating or embellishing. It’s an addiction.”
• Game King 5.0 was released in 2002, however it contained a series of subtle errors in program number G0001640 that evaded laboratory testing and source code review.
• “The bug survived like a cockroach for the next seven years. It passed into new revisions, one after another, ultimately infecting 99 different programs installed in thousands of IGT machines around the world. As far as anyone knows, it went completely undetected until late April 2009, when John Kane was playing at a row of four low-limit Game Kings outside the entrance to a Chinese fast food joint”
• “Kane had some idea of how the glitch operated but hadn’t been able to reliably reproduce it. Working together, the two men began trying different combinations of play, game types, and bet levels, sounding out the bug like bats in the dark.”
• The pair eventually sorted out the details, and managed to get more than $750,000 out of various slot machines before being arrested

Feedback:

• Building a FreeBSD storage backend for my cloud
  • High Availably Storage Technology
  • FreeBSD Wiki about GlusterFS

• Home hybrid router replacement

• Server Isolation

• What to do when cafes have terrible network the security

Round up:

• Adobe is Spying on Users, Collecting Data on Their eBook Libraries
• Shell Shock proof-of-concepts against various applications, also includes one-liners to test your bash against each different vulnerability
• Funny post over at OpenBSD misc@ mailing list: User doesn’t quite understand how bash vulnerability checks work
• Marriott fined $600K by FCC for Wi-Fi blocking scam – Android Authority
• Defense contractor Raytheon gets patent for ‘smart mouse’ technology, based on smart grip technology for guns, authenticate the user by the way they hold their mouse
• Popular electricity smart meters in Spain can be hacked, researchers say
• Backblaze updates Drive Reliability numbers, still lacking some detail
• SQL Injection Vulnerability in ‘Yahoo! Contributors Network’
• JPMorgan Chase breach exposes data on 83 million customers. No credit card or social security data was taken. However, security experts remain skeptical that this breach is as low-impact as the bank is suggestion

The post Belkin Heartbeat Stops | TechSNAP 183 first appeared on Jupiter Broadcasting.

Facebook just paid out their biggest bug bounty yet, we’ll tell you about the flaw was so major it warranted a $33k bounty. Plus it’s been a bad week for Chrome security…

Then it’s a big batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

Facebook pays out biggest bug bounty ever, $33,500 after researcher gets ‘keys to the kingdom’

• Reginaldo Silva, a Brazilian security researcher, found a remote execution flaw in Facebook and was able to perform various functions including coping the /etc/passwd file, getting him a list of the users that exist on the system, and could have changed the URL for the Google OpenID provider, in order to execute MitM attacks on users logging in to Facebook using their Gmail accounts
• The original flaw was found in September 2012, when the researcher discovered an XXE (XML External Entity) bug in a Drupal blogs OpenID provider
• After finding the flaw in OpenID, he tried the attack successfully against StackExchange
• Later he also tried it against Google, while it worked, he was not able to read any files or make any network connections. For this he received his first bug bounty, $500 from Google
• During the original investigation, he could not find a valid Facebook OpenID endpoint
• Some time later, while investigating the Facebook password reset system, he discovered they still used OpenID for Gmail users to reset their passwords
• Using the newly discovered endpoint, he still was not able to launch his attack, because Facebook only communicated with Google, and for the attack to work he needed to communicate with his malicious OpenID provider
• After more reading of the OpenID spec, he found what he was looking for and was able to cause Facebook to contact his server, parse his malicious XML and cause Facebook’s servers to run code of his choosing
• From this he was able to get a copy of the /etc/passwd from the server
• Researcher’s Blog Post
• Facebook Security Team Blog Post
• Facebook Extends Bug Bounty Program

Security companies remove information about target breach from the Internet

• One we had previously covered:
• “On Dec. 18, a malicious software sample was submitted to ThreatExpert.com, a Symantec-owned service. But the public report the service generated vanished. “
• However, as is often the case with the internet, someone (Krebs ftw) had a copy of the report and posted it
• “iSight Partners, a Dallas-based cybersecurity company that is working with the U.S. Secret Service, published a series of questions and answers on its website related to the attacks on point-of-sale devices at U.S retailers. That too vanished on Thursday.”
• “Intel-owned McAfee redacted on Tuesday a blog post from last week that contained technical detail similar to the ThreatExpert.com report”
• When queried, a Symantec spokeswoman said “we took the initiative to remove it because we didn’t want the information to compromise the ongoing investigation.”
• Alex Holden, founder of Hold Security, who worked with Brian Krebs on the Adobe breach, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers
• “I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials setup specifically for exploitation of the device.”
• As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, only Target and high-end retailer Neiman Marcus have acknowledged the attacks.

Adware vendors buy Chrome Extensions to send ad- and malware-filled updates

• While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners.
• This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.
• Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens.
• Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions.
• Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
• A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension.
• One morning, the extension author got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
• A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links.
• This isn’t a one-time event, either. About a month ago, I had a very simple Chrome extension called “Tweet This Page” suddenly transform into an ad-injecting machine and start hijacking Google searches.
• Google has stated that Chrome’s extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose.
• Chromium Blog: Keeping Chrome Extensions Simple

• FauxShow Sticker Awards

Feedback:

• Allan’s home network setup
  • VLAN A – Home network (upstairs), plus hidden WiFi SSID, only has access to personal ZFS server
  • VLAN B – Office network, WiFi, connections machines work
  • VLAN C – Management network, switches, IPMI, PDUs etc
  • VLAN D – Guest Wireless
  • VLAN E – DMZ for servers
  • Personal ZFS server has separate interfaces on VLAN A and B
  • FreeBSD PF Firewall is only machine that can route between the VLANs
  • DMZ is not used yet, will be once 1000mbps unmetered Fibre connection arrives
  • Gear Used: Netgear GS724T 24port gig-e switch.
• Dropbox De-dupe BS
  • How Tarsnap Works
• Authentication for Linux
• IBM SMartCloud Mini War Story
• jupiterbroadcasting on Instagram
• BSD Now tutorial contest, win a hand-made FreeBSD Pillow

Round Up:

• Network Solutions, the original domain name registrar, appears to be automatically enrolling customers in a $1850/year “WebLock Security Service”, you must call to opt-out
• FreeBSD 10.0-RELEASE Announcement
• Developer finds Chrome eavesdropping bug
• Target restarts push for Chip&Pin protected cards (Common in Europe and Canada) after failed adoption 10 years ago
• IBM says goodbye to x86 forever, sells server lines to Lenovo
• Backblaze publishes reliability numbers of different models of hard drive
• The Most (and Least) Reliable Hard Drive Brands
• Researchers tell Congess Healthcare.gov is insecure, researchers able to get 70,000 records in only 4 minutes
• Kids, this is story of How I Met… my VPS hacked.
• 16 Million German users infected with malware that steals passwords, email addresses and other sensitive data
• More from last week, a Documentary on the first trans-atlantic telephone cable
• How a DNS query works Get DNSMadeEasy Hosting
• EasyDNS wins case and blocks London Police takedown order, domain transered

The post Tarnished Chrome | TechSNAP 146 first appeared on Jupiter Broadcasting.

How a Russian Spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage, and why the US congress is saying no to Chinese Telco manufactures.

Plus a big batch of your questions, and our answers.

All that and much more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: