Bank – Jupiter Broadcasting (https://www.jupiterbroadcasting.com): Open Source Entertainment, on Demand.

Three C’s to Tweet By | TechSNAP 304
https://original.jupiterbroadcasting.net/106551/three-cs-to-tweet-by-techsnap-304/
Wed, 01 Feb 2017 01:23:17 +0000

The post Three C's to Tweet By | TechSNAP 304 first appeared on Jupiter Broadcasting.

Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

  • Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported in multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes:
  • In some of the complaints, users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation of what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox chose to keep those files around for years, and eventually restored them due to a blunder. In its file retention policy, Dropbox says it will keep files around a maximum of 60 days after users delete them.
  • If you have sensitive data, do not rely on delete; rely on encryption.
  • If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
  • The encryption and decryption should occur on your system, not theirs.
  • Imagine you deleted those risky files just before an international trip, you are asked to power up your laptop, and bang, there are those deleted files, back!
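The "rely on encryption, not delete" advice above, as an added example that is not from the episode or from Dropbox: a small Go program (the names NewKey, Seal, Open and Shred are assumed, and the file contents are a constructed sample) that encrypts data on the user's own machine with AES-256-GCM before it ever reaches a sync provider, and then shows that destroying the only copy of the key makes any lingering or resurfaced ciphertext unreadable. That is the property a remote "delete" cannot promise: the provider's copies, backups and years-old metadata can all come back, but without the key they are noise.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit AES key. In a real deployment the
// key lives only on the user's side (local keychain, password manager, HSM),
// never alongside the data on the sync provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and prefixes the random nonce.
// The returned blob is the only thing handed to third-party storage.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an authentication error if the key is
// wrong (including a shredded, all-zero key) or the blob was tampered with.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Shred overwrites the key in place. Once the last copy of the key is gone,
// every copy of the ciphertext the provider still holds, including "deleted"
// files that resurface years later, is unreadable.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	key, _ := NewKey()
	// Constructed sample document; the plaintext never leaves this machine.
	blob, _ := Seal(key, []byte("contents of tax-return-2016.pdf (constructed sample)"))
	pt, err := Open(key, blob)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	Shred(key)
	_, err = Open(key, blob)
	fmt.Printf("after shred:  err=%v\n", err)
}
```

The key is the thing to protect and the thing to destroy; the blob can sit on any number of third-party disks. GCM also makes tampering detectable, so a provider (or anyone who obtains the blob) cannot silently modify what you later download.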

Twitter Activist Security – Guidelines for safer resistance

  • We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
  • This guideline is specifically for Twitter, but many of the suggestions can be applied to other social media as well; I am not sure how well they will travel. Choose carefully.
  • Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
    I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
  • Security Principles To Live By: the basic principles of operational security are actually very simple; they’re what we call the three Cs: Cover, Concealment, Compartmentation.

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

  • Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
  • “Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
  • “Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
  • Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
  • Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
  • Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
  • “You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
  • McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
  • “We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
  • Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
    “It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
  • Krebs wrote about this as well and has a post covering both skimmers and shimmers
  • Not new tech; shimmers have been around since at least 2015

Billions for Baghdad | Unfilter 165
https://original.jupiterbroadcasting.net/90041/billions-for-baghdad-unfilter-165/
Wed, 04 Nov 2015 20:34:02 +0000

The post Billions for Baghdad | Unfilter 165 first appeared on Jupiter Broadcasting.


It’s revealed that the US government is sending billions of dollars to Iraq’s central bank, which is winding up in the hands of ISIS. We cover the latest on this story. Then we follow the money on some major defense spending & bust the week’s bogus news.

Why the rest of the 2016 presidential run will be filled with softball questions.

And you won’t believe how bad the TSA failed their latest security test, a frank discussion on media biases & we wrap it all up with a high note.

Catching the Angler | TechSNAP 235
https://original.jupiterbroadcasting.net/88851/catching-the-angler-techsnap-235/
Thu, 08 Oct 2015 18:32:06 +0000

The post Catching the Angler | TechSNAP 235 first appeared on Jupiter Broadcasting.


Debug mode exposes sensitive data, Cisco’s Talos group exposes the Angler exploit kit & how a Microsoft exposed Conficker with an egg hunt.

Plus some great feedback, a huge round up & much, much more!

— Show Notes: —

Danish bank leaves production server in debug mode, exposes sensitive data

  • While at Chaos Communication Camp, the Dutch researcher was talking with some Danish hackers about the security of Danish banks, especially their terrible HTTPS settings, which earn an F from Qualys SSL Labs
  • Upon arriving back home, he opened up the bank’s website and decided to look at the HTML of the page
  • On it, he found a giant URL-encoded JavaScript comment
  • Upon decoding it, he saw that it leaked a huge amount of information, some of it sensitive
  • It returned the session cookie id, the entire contents of the cookie submitted by the user, and a bunch of other cookies
  • It also revealed that the site was written in Microsoft ASP, and showed the paths to the files on the web server and the internal IP addresses
  • Worse, while looking at the data, he realized that the data was not in fact his, but belonged to the session of another user
  • “If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time.”
  • He also noticed that the server port was 80 and HTTPS was “off”; this suggests it is a normal web server without TLS, with some kind of SSL terminator appliance in front of it. It would be best practice to use TLS on the internal network as well, otherwise a sysadmin, or someone who manages to compromise the web application, could snoop usernames and passwords as they pass between the terminator and the web servers.
  • The researcher resisted the urge to add the cookie he had just seen go by to his own browser and log in as some unsuspecting customer
  • It seems likely that the same dump, taken from a page that involved an HTTP POST, would have included the plaintext username and password
  • “The variables HTTP_SOPDB2MEMBER, HTTP_SOPQMGR and HTTP_SOPFECICS indicate that their Microsoft IIS server is connecting to a z/OS server that runs a DB2 database, message queue software and CICS. That’s a pretty normal (but old!) software stack for a bank. Probably also means they’re still using COBOL code on their backend.”
  • He then tried to report the issue
  • “Easier said than done. They don’t have a responsible disclosure process in place, so there was no e-mail address I could mail my findings to. I called a phone number on their web site and the lady that I spoke to didn’t seem to understand the problem and said: “our technical guy will look at your finding”. I asked for her e-mail address so I could mail the details to her but she said that wasn’t possible. I didn’t get the feeling I was taken seriously, so I started looking on LinkedIn for IT security personnel that worked at the bank.”
  • “Found someone that worked in the security incident response department and mailed him my findings. That worked! I saw that within 24 hours the vulnerability was patched.”
  • The response from the bank: “Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day.”
  • “A potential vulnerability? Are you serious? The server was leaking all kinds of highly technical data. And what about using not real customer data? Is it suggested that Danske Bank is using test customer data in their production environment? That would be against all safety guards and all best practices. And creating test cookie data in production in combination with an IP address and user agent? Never seen that one before.”
  • “For at least two weeks, but probably a lot longer, very confidential customer data in the form of session cookies were leaking on Danske Bank’s web site. With these cookies it should have been possible to hijack internet banking accounts of their customers. They closed the security hole quickly, but are now in denial of it.”
  • “Update October 8: Because of all publicity this story gets, Danske Bank now admits that their production server was in debug mode and that I saw information and cookies from other visitors (!). That’s quite a turn! Seems that media attention forces the bank to be honest. They still hold on that I couldn’t hijack banking sessions.”
  • Researcher’s Blog
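A defender-side check for the kind of leak described above, added here as an example (it is not the researcher's code or anything from the bank): a Go scanner that pulls HTML and JavaScript comments out of a response, URL-decodes them (a raw grep would miss an encoded dump) and flags debug output that exposes session cookies, filesystem paths, private addresses, a plaintext backend (HTTPS off, port 80) or backend topology variables. The sample page is constructed; HTTP_COOKIE, APPL_PHYSICAL_PATH, LOCAL_ADDR, SERVER_PORT and HTTPS are standard IIS server variables, HTTP_SOPDB2MEMBER comes from the notes above, and every value, including the ASPSESSIONID cookie, is made up.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// Constructed sample: a login page whose script block carries a URL-encoded
// debug dump of the IIS server-variable collection. All values are made up.
const encodedDump = "HTTP_COOKIE%3DASPSESSIONIDQSRQBRAB%3DABCDEFGH%3B%20" +
	"APPL_PHYSICAL_PATH%3DC%3A%5Cinetpub%5Cwwwroot%5Cnetbank%5C%3B%20" +
	"LOCAL_ADDR%3D10.20.30.40%3B%20SERVER_PORT%3D80%3B%20HTTPS%3Doff%3B%20" +
	"HTTP_SOPDB2MEMBER%3DDB2A"

const samplePage = `<html><head><!-- build 2015-10 --></head><body>
<form action="/login" method="post">...</form>
<script>/* ` + encodedDump + ` */</script>
</body></html>`

// Finding is one piece of sensitive material found inside a comment.
type Finding struct {
	Kind  string
	Match string
}

// commentRE captures the body of <!-- --> and /* */ comments.
var commentRE = regexp.MustCompile(`(?s)<!--(.*?)-->|/\*(.*?)\*/`)

// checks are the leak classes worth failing a pre-production smoke test on.
var checks = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"session cookie", regexp.MustCompile(`(?i)ASPSESSIONID\w*=|ASP\.NET_SessionId=|HTTP_COOKIE=`)},
	{"filesystem path", regexp.MustCompile(`[A-Za-z]:\\[^;\s]+`)},
	{"private IPv4 address", regexp.MustCompile(`\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b`)},
	{"TLS terminated upstream", regexp.MustCompile(`HTTPS=off|SERVER_PORT=80\b`)},
	{"backend topology", regexp.MustCompile(`HTTP_SOP\w+=`)},
}

// ScanComments extracts every comment, URL-decodes it and runs the checks,
// returning de-duplicated findings in a stable order.
func ScanComments(page string) []Finding {
	seen := map[Finding]bool{}
	var out []Finding
	for _, m := range commentRE.FindAllStringSubmatch(page, -1) {
		body := m[1] + m[2] // only one alternative matched, the other is ""
		if decoded, err := url.PathUnescape(body); err == nil {
			body = decoded
		}
		for _, c := range checks {
			for _, hit := range c.re.FindAllString(body, -1) {
				f := Finding{c.kind, hit}
				if !seen[f] {
					seen[f] = true
					out = append(out, f)
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Match < out[j].Match
	})
	return out
}

func main() {
	for _, f := range ScanComments(samplePage) {
		fmt.Printf("%-24s %s\n", f.Kind, f.Match)
	}
}
```

Run this against every page of a release candidate (and against production after each deploy) and treat any finding as a blocker; a second fetch from a different client that returns different cookie values, as happened in the story, is the sign that the dump is per-request server state rather than static debug text.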

Cisco Talos tackles the Angler exploit kit

  • Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns.
  • In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually.
  • The Talos organization gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs.
  • Thanks to their continued collaboration with OpenDNS they were able to gain in depth visibility into the domain activity associated with the adversaries.
  • The dataset was originally from July 2015 and included data from all sources available. July provided a unique opportunity because Angler went through several iterations of development, including URL structure changes and implementation of several unpatched Adobe Flash vulnerabilities. During the analysis, trends and patterns emerged. This paper will discuss trends in hosting, domain usage, referers, exploits, and payloads. It was the trends associated with the hosting that led to the most significant discoveries.
  • While analyzing the data they found that a large amount of Angler activity was focused with a single hosting provider, Limestone Networks. Talos collaborated with Limestone to gather some previously unknown insight into Angler. This includes details related to data flow, management, and scale.
  • Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers.
  • Additionally, there is a health monitoring server that conducts health checks, gathers information about the hosts that are being served exploits, and remotely erases the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped put a monetary value on the activity.
  • A single health server was seen monitoring 147 proxy servers over the span of a month and generating in excess of $3,000,000 USD in revenue.
  • Despite not having a large footprint, Angler is able to compromise a significant number of users, for a presumably small number of customers. An interesting aspect is the lack of IP variety from day to day. Angler starts with an IP address (e.g. 74.63.217.218); as the system compromises users and generates noise, the adversaries shift to an adjacent IP (e.g. 74.63.217.219).
  • This activity continued through contiguous blocks of IP space from a single provider, indicating that the actors likely had multiple servers available and moved from one server to the next as they were blocked.
  • Looking at the number of unique IPs, while it is still clear that Hetzner and Limestone Networks were the primary sources of Angler, Limestone Networks was the largest single provider.
  • Talos approached both Hetzner and Limestone related to the information we gathered on these threat actors. Limestone Networks responded and cooperated fully with this investigation.
  • For example, one Talos account purchased 815 servers during the course of a week using stolen credit cards originating from different countries. This continued gradually, allowing the users to accumulate a fair amount of server infrastructure. Eventually the credit cards would be identified as stolen and significant costs incurred. According to Limestone Networks, our adversaries “contributed approximately $10,000 in cost and lost revenue each month.” The vast majority of this was in chargebacks due to fraudulent credit card charges.
  • Limestone Networks was also able to provide Talos with copies of images of the servers that were being used as well as network captures of the communications the servers were conducting for short time periods. As a result of this Talos was able to get valuable information that exposed previously undisclosed aspects of Angler, as well as the scope of the users impacted.
  • Users do not just browse to an exploit kit; they are pushed into it via malicious iframes and malvertising. Both were found in significant volume during the course of the month. Talos observed popular websites redirecting users to the Angler exploit kit via malvertising, including hundreds of major news, real estate, and popular culture sites.
  • Additionally, Talos noticed a couple of smaller volume referer chains that were being used, either as a way to directly get users to Angler or just add a layer to the redirection chain. The first was the use of dynamic DNS services.
  • A similar type of service has also been observed gaining volume recently. It also made use of an additional tier of redirection using shadowed domains.
  • These were almost exclusively JavaScript files hosted under English-word-based subfolders
  • A huge variety of different browsers and operating systems hit Angler landing pages (including Netscape 4.0, which was a bit surprising, but not all of those users were served exploits). Overwhelmingly the most common browser to be served actual exploits was Internet Explorer, and the reasons we believe are twofold. First, Angler leveraged CVE-2014-6332 heavily for the last six months and continues to do so (Angler also recently added CVE-2015-2419, also targeting IE); this exploit is targeted specifically at Internet Explorer users. The second is that the other major web browsers, Chrome and Firefox, have gone to great lengths to either sandbox Adobe Flash or prevent any Flash rendering with outdated versions. Firefox even went so far as to block all Flash activity when the Hacking Team 0-days (CVE-2015-5119, CVE-2015-5122) were disclosed, to prevent its users from being impacted.
  • Talos has observed both Cryptowall 3.0 as well as Teslacrypt 2.0 being delivered by Angler during this time period. Both ransomware variants leverage compromised WordPress sites to push data for later retrieval.
  • Not surprisingly the overwhelming majority of the exploits Angler was serving were tied to Adobe Flash. Almost 75% of the exploits served to users were Adobe Flash related.
  • One of the biggest reasons that Angler has been so pervasive and able to infect as many users is the lack of antivirus coverage. During the month of July Talos observed almost 3,000 unique hashes associated with exploits. That data was then queried against VirusTotal which found that only 6% of the hashes were in VirusTotal. Of that 6% the average detection was low, with usually less than ten AV engines detecting it. This, coupled with the recent large scale malvertising campaign, reinforces that a user browsing the internet using Internet Explorer with only basic antivirus protection is highly vulnerable to an Angler infection.
  • Additional Coverage: TheStack

The story of MS08-067, the 2008

  • This is the story of a zero-day exploit against all versions of Windows that came to light in 2008
  • “The attackers had a remote code execution (RCE) vulnerability that affected every version of Windows, gave them full control at SYSTEM level rights, left almost no forensic footprint, and could be used anonymously from anywhere on the Internet. Their exploit was 95% reliable. Almost perfect. Almost.”
  • “To understand MS08-067 you need to understand MS07-029, an RCE vulnerability in Windows DNS. MS07-029 was one of a series of Remote Procedure Call (RPC) server vulnerabilities that were steadily being ferreted out by Microsoft, attackers, and security researchers alike. There was one difference. MS07-029 was the first RCE that where we had our Visual Studio return address protection (/GS) and Windows Data Execute Prevention (DEP) in effect. We refer to these defenses as exploit mitigations and we had been steadily adding them since XP SP2. It was one of the ways we were using security engineering to combat security issues in engineering. Once an exploit has trashed the internal memory of a process, there is no recovery and the only option is to force a crash—a terrible user experience for sure, but better than resulting in a compromised machine.”
  • “By September 2008 we had built a system that screened millions of crashes for security exploits. Along the way I felt like I joined the world’s smallest profession—that of an exploit failure engineer. On September 25th a crash came in that got my attention–an exploit in netapi32.dll. This new crash was in very similar code, but in a different WER bucket. It was not in the top 100 or top 1,000 issues. It was bucket #45,000 with exactly 2 hits ever. This was living in the tail. ”
  • “What made this tiny bucket stand out? First, there was an exploit. It found shellcode in the crash dump. I reviewed the shellcode and saw that it used an egghunt to find the payload. An egghunt is an exploit engineering technique used when a buffer overrun is constrained in terms of how much payload can be sent.”
  • “The second thing unusual about this crash dump was not just the way it failed. It was the way it was succeeding before it crashed. I looked beyond the crashing thread to the other threads in the process. One of them revealed the attacker had already exploited the process and the shellcode was in the middle of downloading a payload using URLDownloadToFileA!”
  • “While egghunts weren’t new, this was a new flavor of shellcode for netapi32 exploits and clear evidence of a successful exploit. The final nail in the coffin was the version information in the crash dump. Netapi32.dll was fully patched! There seemed to be only one explanation for this: a new 0-day in the wild.”
  • “Most of the time security researchers find a vulnerability then work to write an exploit. I was going in reverse: examining an exploit to determine the vulnerability, armed with only a forensic crash and no way to reproduce it. Had the exploit blown away the crucial clues in the buffer overrun itself? I studied the crash over and over. I looked at the source code for netapi32. Vulnerabilities are often obvious in hindsight but stubborn to reveal themselves at first. Here was my dilemma: if I could not find the vulnerability, despite having a clear exploit, we could not act.”
  • “I brought the case to the manager of the MSRC security engineers, Andrew Roths. I remember the moment Andrew stopped by my office. He said, “I found a vulnerability.””
  • “We walked down the hallway to the office of the crisis manager, Phillip. He was in the middle of a meeting with someone in his office. There must have been something about the expression on our faces because he turned to his visitor and abruptly said, “I’ll talk with you later”. We entered and I said, “we have a zero day.” We explained the basic facts. We had a vulnerability, that could be exploited remotely, anonymously, that affected all versions of Windows. It was wormable and someone was already exploiting it. When you say the word ‘wormable’ to a crisis manager, it activates some latent response DNA. In his quiet way he went from 1 to 11 and immediately got to work mobilizing everyone. Scarred by Code Red and Blaster, when an issue is wormable, at Microsoft everyone shows up and works it as job #1.”
  • “On Windows Vista and Windows Server 2008 it always failed. The Security Development Lifecycle (SDL) process at Microsoft made sure those OS editions had full ASLR and DEP for the svchost.exe”
  • “Their solution for this was to first call the vulnerable function with a benign input that had the slash character but would not trigger the vulnerability. This data would stay latent on the stack, like a ghost, the next time the function was called. This technique was perfectly reliable if Windows used the same thread for both requests. This happened nearly all the time. Nearly. In a quirk of fate, the Windows RPC thread pool handed the second request containing the exploit to a different thread—one that did not have the carefully placed slash character. The netapi32 code kept searching for it, eventually running off the end of the thread stack, hitting the guard page, and crashing the process with a stack overflow error (0xC00000fd).”
  • “Once MSRC was ready with the patch, we made the decision to ship it as an out-of-band update. Every patch release starts the clock in terms of copycat exploits. This is the one of those dilemmas in the MSRC business. Naturally you want to ship an update as soon as it’s ready. But when you ship an out-of-band update, many IT teams aren’t ready and this slows down how quickly systems are updated. Attackers don’t hesitate to download the patch, diff it, and start building exploits, and defenders caught on their back foot may be at a disadvantage as they scramble to rearrange their schedule to deploy the update. We considered. Can you hold until Patch Tuesday when IT teams around the world are ready to receive and act? Or do you ship early and disrupt customers? The answer was clear. We had a critical vulnerability. We saw an uptick in activity. The patch was ready. We went out-of-band.”
  • “Ask anyone about MS08-067 and most will mention Conficker. At this point in October, Conficker did not even exist. Conficker, as disruptive as it was, affected only the tail of computers that had not patched. Imagine what would have happened if Conficker had half a billion more systems to infect.”

iXsystems — FreeNAS worst practices guide

Pixel Imperfect Security | TechSNAP 180
https://original.jupiterbroadcasting.net/67077/pixel-imperfect-security-techsnap-180/
Thu, 18 Sep 2014 14:55:29 +0000

The post Pixel Imperfect Security | TechSNAP 180 first appeared on Jupiter Broadcasting.


Is there a fix to the human flaw in banking systems? We’ll debate. Plus how hackers can take over your internal network using a pixel on a webpage.

Then its a huge batch of your storage questions, the Giganews conspiracy & much, much more!

— Show Notes: —

5 people charged in identity theft ring linked to bank tellers

  • Five people have been charged as part of an identity theft ring in which bank tellers used personal information about customers to withdraw a total of $850,000 from numerous accounts over the course of several years.
  • The tellers used customer information to create fake driver’s licenses and checks to gain access to accounts
  • “The victims were customers at several banks in the region, including JPMorgan Chase and Bank of America locations in the Bronx, White Plains and Yonkers”
  • “The banks reimbursed the customers whose accounts were affected”
  • The five defendants were each charged with grand larceny, identity theft and scheme to defraud. Four of the five have already been arrested, while the fifth is from Florida and is currently being sought by the New York State Attorney’s office
  • The three women involved in the scheme worked as tellers at a TD Bank in Apollo Beach, Fla., a Bank of America in White Plains, a JPMorgan Chase in White Plains, and a Wachovia (now Wells Fargo) in Newburgh, N.Y.
  • How do you maintain security when it is the people who are supposed to enforce that security that are stealing the information?

Hacked Brazilian news site targets router DNS settings

  • In an attack we practically predicted on a previous TechSNAP…
  • The website of Politica Estadao (one of the biggest newspapers in Brazil) was compromised
  • The pages had a series of iframes injected, which basically carried out a simple brute-force attack against the admin credentials of common routers
  • “Five domains and nine DNS servers were found in this attack hosting bank phishing sites“
  • “The payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords,”
  • “Hackers are well aware of the shortcomings of home and small business routers, most of which are woefully shy of appropriate patching levels, and are likely protected only by a default or weak password“
  • “At the DEF CON conference last month, the SOHOpelessly Broken contest enumerated the security issues around SOHO routers. Fifteen zero-day vulnerabilities were disclosed and demonstrated during the contest, leading to seven full router compromises and another attack that could have led to corruption of the internal network.“
  • Watch your browser disclose your local network configuration
  • Additional Coverage: Sucuri
  • Additional Coverage: SecureList
  • Previous Coverage: TechSNAP 86
  • Previous Coverage: TechSNAP 106

Home Depot Credit Repo | TechSNAP 178
https://original.jupiterbroadcasting.net/65977/home-depot-credit-repo-techsnap-178/
Thu, 04 Sep 2014 18:57:14 +0000

The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.


Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and whats behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken.

Plus a great batch of your questions, our answers & much more!

— Show Notes: —

Krebs: Banks report breach at Home Depot. Update: Almost all Home Depot stores hit

  • Sources at multiple banks have told Brian Krebs that the common point of purchase across a batch of stolen credit cards appears to be Home Depot
  • Home Depot spokesperson Paula Drake: “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
  • “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period”
  • “The breach appears to extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico”
  • ZIP-code analysis shows a 99.4% overlap between the ZIP codes attached to the stolen cards and Home Depot store locations
  • This matters because the fraud detection systems at many banks weigh proximity
  • If a card is used far from where the cardholder normally shops, that alone can be enough for the bank to freeze the card
  • Because the dump advertises the ZIP code of the store each card was skimmed from, the criminal who buys the data to make counterfeit cards can pick cards from the same region where they intend to cash out, raising the odds that purchases of gift cards or high-value goods (later converted to cash) are approved rather than declined
  • The credit card numbers are for sale on the same site that sold the Target, Sally Beauty, and P.F. Chang’s cards
  • “How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.”
  • Some retailers, including Urban Outfitters, say they do not plan to notify customers, vendors or the authorities if their systems are compromised
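The proximity point above, as an added example that is not part of the show notes or of Krebs’ reporting: a toy issuer rule and a constructed card dump, showing both the overlap calculation that tied the dump to one retailer and why a buyer who filters the dump by store ZIP gets approvals where an unfiltered run piles up declines. The ZIP codes, card fragments, store list and cardholder billing ZIPs are all made up for illustration, and the issuer rule is far simpler than anything a real bank runs.

```python
"""Why the store ZIP codes attached to a card dump matter to the buyer.

Added example for these show notes; it is not from Krebs' reporting or the
show. The issuer rule is a deliberately simplified stand-in for a real
proximity check, and every card, ZIP code and store below is constructed.
"""
from collections import namedtuple

StolenCard = namedtuple("StolenCard", "last4 store_zip")

# Constructed dump: each record carries the ZIP of the store where the card
# was skimmed, the metadata the sellers were advertising.
DUMP = [
    StolenCard("1111", "30339"),   # Atlanta-area store
    StolenCard("2222", "30339"),
    StolenCard("3333", "60607"),   # Chicago-area store
    StolenCard("4444", "98101"),   # Seattle-area store
    StolenCard("5555", "02118"),   # Boston-area store
    StolenCard("6666", "33139"),   # not one of the retailer's ZIPs (noise)
]

# Constructed retailer store locations, used to reproduce the kind of overlap
# figure the banks computed when tying the dump to a single retailer.
STORE_ZIPS = {"30339", "60607", "98101", "02118", "10001", "77002"}

# Constructed cardholder billing ZIPs. People mostly shop near home, which is
# the premise behind both the issuer's rule and the carder's filter.
HOME_ZIP = {
    "1111": "30328", "2222": "30309", "3333": "60614",
    "4444": "98109", "5555": "02116", "6666": "33140",
}


def zip_overlap(dump, store_zips):
    """Fraction of dump records whose tagged ZIP is one of the retailer's stores."""
    hits = sum(1 for card in dump if card.store_zip in store_zips)
    return hits / len(dump)


def issuer_approves(card, merchant_zip):
    """Simplified issuer proximity rule: approve only when the merchant's ZIP3
    prefix (roughly a metro area) matches the cardholder's billing ZIP3.
    Real issuers use far richer models; this is the piece the metadata defeats."""
    return merchant_zip[:3] == HOME_ZIP[card.last4][:3]


def cash_out(dump, merchant_zip, use_store_zip):
    """Simulate a counterfeit-card run at one store.

    With use_store_zip the buyer only brings cards tagged with a nearby store
    ZIP; without it they try everything. Returns (attempts, approvals,
    declines). Declines are the cost: each one risks burning the card and
    drawing the cashier's attention."""
    if use_store_zip:
        cards = [c for c in dump if c.store_zip[:3] == merchant_zip[:3]]
    else:
        cards = list(dump)
    approvals = sum(1 for c in cards if issuer_approves(c, merchant_zip))
    return len(cards), approvals, len(cards) - approvals


if __name__ == "__main__":
    print(f"dump/store ZIP overlap: {zip_overlap(DUMP, STORE_ZIPS):.1%}")
    for filtered in (False, True):
        label = "filtered by store ZIP" if filtered else "unfiltered"
        print(label, cash_out(DUMP, "30350", filtered))
```

Run at an Atlanta-area merchant, the filtered run is two attempts and two approvals; the unfiltered run is six attempts, two approvals and four declines, and those declines are what get a dump flagged and its cards killed. The defensive lesson is the same one the banks drew: the store ZIP is the signal that lets both sides, fraud analysts and carders, work out where a card came from.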

Fake cell towers found operating in the US

  • Seventeen mysterious cell towers have been found in the US. To a phone they look like ordinary towers, and they can only be identified with a heavily customized Android handset built for security, but they have a much more malicious purpose. Source: Popular Science
  • Handsets are supposed to warn the user when a tower does not support encryption. Legitimate towers all do, so the most likely explanation for an unencrypted tower is a rogue one trying to trick your phone into sending calls and data in the clear so they can be eavesdropped upon
  • The rogue towers were discovered by users of the CryptoPhone 500, a Samsung Galaxy S III running a modified Android that reports suspicious activity such as towers without encryption, or data traffic on the baseband chip with no corresponding activity from the OS (a sign that the tower may be trying to push spyware onto the phone)
  • “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one near the South Point Casino in Las Vegas.”
  • “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
  • Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
  • The Oakland Police Department, the nearby Fremont Police Department, and the Alameda County District Attorney jointly applied for a grant from the Department of Homeland Security to “obtain a state-of-the-art cell phone tracking system,” the records show.
  • Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
  • According to Harris’ annual report, which was filed with the Securities and Exchange Commission last week, the company profited over $534 million in its latest fiscal year, the most since 2011.
  • Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
  • Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
  • According to the newly released documents, the entire upgrade will cost $460,000—including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD). Neither the OPD nor the mayor’s office immediately responded to requests for comment.
  • One of the primary ways that stingrays operate is by taking advantage of a design feature in every phone available today. When 3G or 4G networks are unavailable, the handset drops down to the older 2G network. Normally that is a welcome last-resort fallback, but 2G networks are notoriously insecure
  • A handset on 2G will readily accept communication from any device claiming to be a valid cell tower, such as a stingray, because GSM authenticates the phone to the network but never the network to the phone. The stingray exploits this by jamming the 3G and 4G signals, forcing the phone onto 2G where it can be impersonated
  • Cities scramble to upgrade “stingray” tracking as end of 2G network looms
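The 2G-versus-3G distinction above, as an added example that is not from Ars Technica, Harris or any handset vendor: a toy model of the two attach flows in which a rogue base station that does not know the subscriber key is accepted on 2G (and turns ciphering off, the exact condition the CryptoPhone reports) but rejected on 3G, where the phone checks the network’s AUTN before answering. HMAC-SHA256 stands in for the SIM algorithms, the AUTN layout is simplified, the jamming that forces the downgrade is not modelled, and all key material is constructed.

```python
"""Why a handset on 2G accepts a rogue base station while one on 3G refuses.

Added example for these show notes; not from Ars Technica, Harris or any
handset vendor. Toy model: HMAC-SHA256 stands in for the SIM algorithms (A3 on
2G, Milenage f1/f2 on 3G), AUTN is simplified (no anonymity key), the jamming
that forces the downgrade is not modelled, and all key material is constructed.
"""
import hashlib
import hmac
import os


def sim_alg(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function standing in for the SIM's secret algorithms."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


class SIM:
    """Subscriber side. Holds the long-term key Ki shared with the home operator."""

    def __init__(self, ki: bytes):
        self.ki = ki

    def gsm_sres(self, rand: bytes) -> bytes:
        # 2G: answer whatever challenge arrives. There is nothing to verify.
        return sim_alg(self.ki, b"A3", rand)[:4]

    def umts_res(self, rand: bytes, autn: bytes) -> bytes:
        # 3G: AUTN carries a MAC over RAND/SQN/AMF computed with Ki. Check it
        # first; a station that does not know Ki cannot produce it.
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        expected = sim_alg(self.ki, b"f1", rand, sqn, amf)[:8]
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("AUTN MAC failure: network did not prove it knows Ki")
        return sim_alg(self.ki, b"f2", rand)[:8]


class HomeNetwork:
    """Legitimate operator core (AuC). Also holds Ki, so it can build a valid AUTN."""
    cipher_2g = "A5/3"

    def __init__(self, ki: bytes):
        self.ki, self.sqn, self._expected = ki, 0, None

    def gsm_challenge(self) -> bytes:
        rand = os.urandom(16)
        self._expected = sim_alg(self.ki, b"A3", rand)[:4]
        return rand

    def gsm_verify(self, sres: bytes) -> bool:
        return hmac.compare_digest(sres, self._expected)

    def umts_challenge(self) -> tuple:
        rand = os.urandom(16)
        self.sqn += 1
        sqn, amf = self.sqn.to_bytes(6, "big"), b"\x80\x00"
        mac = sim_alg(self.ki, b"f1", rand, sqn, amf)[:8]
        self._expected = sim_alg(self.ki, b"f2", rand)[:8]
        return rand, sqn + amf + mac

    def umts_verify(self, res: bytes) -> bool:
        return hmac.compare_digest(res, self._expected)


class RogueBTS:
    """Stingray-style station. Knows no Ki, so it forges and never really checks."""
    cipher_2g = "A5/0"   # no encryption: the condition the CryptoPhone flags

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def gsm_verify(self, sres: bytes) -> bool:
        return True      # accepts anyone; it only wants the phone to camp on it

    def umts_challenge(self) -> tuple:
        return os.urandom(16), os.urandom(16)   # RAND plus a forged AUTN

    def umts_verify(self, res: bytes) -> bool:
        return True


def attach_2g(sim: SIM, station) -> dict:
    """GSM attach: one-way authentication. Only the network checks anything."""
    sres = sim.gsm_sres(station.gsm_challenge())
    ok = station.gsm_verify(sres)
    return {"attached": ok, "cipher": station.cipher_2g if ok else None}


def attach_3g(sim: SIM, station) -> dict:
    """UMTS attach: mutual authentication. The phone verifies AUTN before answering."""
    rand, autn = station.umts_challenge()
    try:
        res = sim.umts_res(rand, autn)
    except PermissionError as err:
        return {"attached": False, "reason": str(err)}
    ok = station.umts_verify(res)
    return {"attached": ok, "cipher": "UEA1" if ok else None}


if __name__ == "__main__":
    ki = os.urandom(16)
    sim, home, rogue = SIM(ki), HomeNetwork(ki), RogueBTS()
    for name, station in (("home network", home), ("rogue BTS", rogue)):
        print(f"{name:13s} 2G: {attach_2g(sim, station)}  3G: {attach_3g(sim, station)}")
```

The rogue station wins on 2G without ever learning Ki: the phone answers the challenge, the station pretends to accept, and ciphering is set to A5/0. On 3G the forged AUTN fails the MAC check and the phone never sends RES, which is why the stingray has to jam the newer networks first rather than simply impersonating them.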

The Nude Celebrity Photo Leak Was Made Possible By Law Enforcement Software That Anyone Can Get

  • Elcomsoft Phone Password Breaker requires the victim’s iCloud username and password, but with those it can impersonate the user’s device and pull down all of their iCloud data, not just photos
  • “If a hacker can obtain a user’s iCloud username and password, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
  • “It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol that Apple uses for communicating between iCloud and iOS devices. This has been done before —Wired specifically refers to two other computer forensic firms called Oxygen and Cellebrite that have done the same thing — but EPPB seems to be a hacker’s weapon of choice. As long as it is so readily accessible, it’s sure to remain that way”
  • All of this still requires the attacker to know the celebrity’s username and password
  • This is where iBrute came in
  • A simple tool that took advantage of the fact that when Apple built the ‘Find My iPhone’ service, they failed to rate-limit login attempts
  • An attacker could sit and brute force passwords at high speed, with no limitations
  • The API should block an IP address after too many failed attempts. Apple has since fixed this
  • Blocking by IP alone is not enough, though: a distributed botnet can try just 3 passwords each from thousands of different IP addresses and never trip a per-IP limit. The account itself also needs to be locked after too many failed attempts, whatever their source
  • Once it is obvious that an account is under attack, lock it so that no one can get in until the true owner has been verified and steps have been taken to secure the account (change the username?)
  • The catch with that approach is that Apple Support has proven to be a weak link in the past, and a lockout is only as strong as the recovery process behind it. See TechSNAP Episode 70
  • Obviously, the iPhone-to-iCloud protocol should not depend on obscurity for its security either. We have seen a number of attacks against the iPhone based on reverse engineering Apple’s “secret” protocols
  • Security is often a trade-off against ease-of-use, and Apple keeps coming down on the wrong side of the scale
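The rate-limiting discussion above, as an added example that is neither Apple’s code nor iBrute: a constructed login service with a per-IP failure limit and an optional per-account lockout, run against a constructed botnet that spreads 3000 guesses over 1000 addresses at 3 guesses each. The per-IP limit never fires; the per-account counter stops the run after 20 failures. User name, word list and addresses are made up.

```python
"""Per-IP throttling alone versus a per-account lockout against distributed
password guessing.

Added example for these show notes; it is not Apple's code and not iBrute.
The login service, the two policies and the botnet traffic are constructed so
the two outcomes the notes describe can be compared side by side.
"""
from collections import defaultdict


class LoginService:
    """A login endpoint with optional per-IP and per-account failure limits."""

    def __init__(self, credentials, per_ip_limit=10, per_account_limit=None):
        self.credentials = dict(credentials)
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit   # None: no account lockout
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.locked = set()

    def login(self, ip, user, password):
        """Return 'ok', 'bad', 'ip_blocked' or 'account_locked'."""
        if self.ip_failures[ip] >= self.per_ip_limit:
            return "ip_blocked"
        if user in self.locked:
            return "account_locked"
        if self.credentials.get(user) == password:
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[user] += 1
        if (self.per_account_limit is not None
                and self.account_failures[user] >= self.per_account_limit):
            self.locked.add(user)   # owner must now recover via a verified channel
        return "bad"


def distributed_guess(service, user, wordlist, bot_ips, guesses_per_ip):
    """iBrute-style guessing spread over a botnet: every bot stays under the
    per-IP limit. Returns the recovered password, or None."""
    words = iter(wordlist)
    for ip in bot_ips:
        for _ in range(guesses_per_ip):
            guess = next(words, None)
            if guess is None:
                return None
            result = service.login(ip, user, guess)
            if result == "ok":
                return guess
            if result == "account_locked":
                return None
    return None


# Constructed data: a 3000-word list with the victim's password deep inside,
# and a botnet of 1000 addresses that each make only 3 attempts.
WORDLIST = [f"Passw0rd{i}" for i in range(3000)]
VICTIM = ("victim@example.invalid", "Passw0rd2500")
BOT_IPS = [f"198.51.{i // 256}.{i % 256}" for i in range(1000)]


def per_ip_only():
    """Per-IP limit of 10 with no account lockout: the attack succeeds."""
    service = LoginService([VICTIM], per_ip_limit=10)
    return distributed_guess(service, VICTIM[0], WORDLIST, BOT_IPS, 3)


def per_ip_and_account():
    """Same per-IP limit plus a 20-failure account lockout: the attack stops.
    Returns (password found, account locked?, failures recorded)."""
    service = LoginService([VICTIM], per_ip_limit=10, per_account_limit=20)
    found = distributed_guess(service, VICTIM[0], WORDLIST, BOT_IPS, 3)
    return found, VICTIM[0] in service.locked, service.account_failures[VICTIM[0]]


if __name__ == "__main__":
    print("per-IP only        ->", per_ip_only())
    print("per-IP + account   ->", per_ip_and_account())
```

The lockout is not free: anyone who can reach the endpoint can now lock a victim out deliberately, and the recovery path becomes the thing worth attacking, which is exactly the Apple Support weakness the notes point back to.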

Feedback:


Round Up:


The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.

ZFS Can Do that | TechSNAP 130 https://original.jupiterbroadcasting.net/44067/zfs-can-do-that-techsnap-130/ Thu, 03 Oct 2013 17:46:33 +0000 https://original.jupiterbroadcasting.net/?p=44067

We’ll look back at 10 years of Patch Tuesday, then the shutdown of Lavabit and Silkroad.

Plus a big batch of your questions, our answers, and much much more!

Thanks to:

GoDaddy, Ting

— Show Notes: —

Microsoft Patch Tuesday turns 10

  • On Oct. 9, 2003, Microsoft announced its new security patching process, and it ended up changing the entire industry
  • Microsoft promised:
  • “Improved patch management processes, policies and technologies to help customers stay up to date and secure.”
  • “Global education programs to provide better guidance and tools for securing systems.”
  • “Our goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.”
  • Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users
  • Even Microsoft’s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon
  • Today, public disclosure of a serious Microsoft security hole before a patch is available is the exception rather than the rule

2 new vulnerabilities bypass Java ‘Click2Play’ security system


Barclays hit by KVM attack, £1.3 million stolen

  • A person posing as an IT engineer walked into the branch and fitted an IP KVM switch, wired to a 3G router, to a workstation; the gang later used it to take over that workstation remotely
  • Because the KVM sits on the keyboard, video and mouse ports and the 3G router gives it its own route to the internet, the remote-control channel never crosses the bank’s network, so perimeter monitoring has nothing to see; what the workstation then does on the network looks like the legitimate user at the keyboard
  • Barclays says it has recovered “a significant amount” of the stolen money
  • When police raided a number of properties to arrest the perpetrators, they found thousands of credit cards and other personal data, plus drugs, jewellery and cash
  • This is not the first time Barclays has been hit. “We have been working closely with the Metropolitan Police following a security breach at our Swiss Cottage branch in April 2013. We identified the fraud and acted swiftly to recover funds on the same day,” said Alex Grant, managing director of fraud prevention at Barclays.

Feedback



Round Up:


The post ZFS Can Do that | TechSNAP 130 first appeared on Jupiter Broadcasting.

Little Phish Big Breach | TechSNAP 124 https://original.jupiterbroadcasting.net/42032/little-phish-big-breach-techsnap-124/ Thu, 22 Aug 2013 16:39:18 +0000 https://original.jupiterbroadcasting.net/?p=42032

It all started with a simple phishing attack, we’ll share the story about a small bank that had a major compromise, plus the Washington Post gets hacked…

A great batch of questions, our answers, and much much more!

Thanks to:

Use our code techsnap249 to get a .COM for $2.49.

Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.

Visit techsnap.ting.com to save $25 off your device or service credits.

— Show Notes: —

Attackers use DDoS attacks on banks as cover for APT-style attacks on wire transfer switches, stealing millions of dollars

  • Rather than the attacks we have discussed previously, where fraudsters targeted individuals and companies with malware and then drained their bank accounts, this newer series of attacks targets the banks and credit unions directly
  • Many of these attacks have been against smaller banks and credit unions because of their more limited IT security infrastructure
  • It is unclear exactly how the attackers infiltrated the banks’ networks, but fairly well executed spear phishing, similar to the attacks on The Washington Post and The Onion, is the likely vector
  • Once the computer of someone inside the bank has been compromised, it can be loaded up with keyloggers, remote administration trojans and other malware
  • The attacker can then use the ‘trusted’ computer to escalate privileges, either directly or by impersonating the person whose PC has been compromised and sending more phishing emails internally
  • Once a computer with access to the ‘wire transfer switch’ (usually an application) is compromised, the attacker can initiate a wire transfer from any account
  • Individual accounts and bank employees often have limits on the amount they can transfer, but with escalated privileges the attackers were able to increase or remove these limits in some cases
  • Some banks require a second employee to authorize any large wire transfer, but the attackers had compromised multiple employee accounts inside the bank and were able to provide the secondary approval of their own fraudulent transfers themselves
  • “In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance”
  • Then, to cover their tracks, the attackers launch a Distributed Denial of Service attack against the bank’s website and/or online banking portal. The disruption keeps the IT staff busy and draws other employees’ attention away from the wire transfer system
  • If it works, the DDoS distracts the bank long enough to prevent it from clawing back the transfer; a bank has a much better chance of recovering the money if it can report the transfer as fraudulent within the first few minutes
  • “The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”
  • Internet Crime Complaint Center (IC3) issues warning in Sept 2012
  • Gartner Report
  • Dell SecureWorks Report
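The sequence above suggests what a bank-side detector should correlate. This added example (not from the IC3, Gartner or Dell SecureWorks reports) runs over a constructed audit trail and flags, per wire, three of the indicators the notes describe: the initiator’s transfer limit raised shortly before the wire, initiator and approver acting from the same source host (the dual-control bypass), and the wire initiated inside a DDoS window. The log format, field names, users, hosts, amounts and timestamps are all invented; a real core-banking or IDS feed would need its own parser.

```python
"""Correlating the signals in the wire-switch attacks described above.

Added example for these show notes; the log format, field names, hosts,
users and timestamps are constructed for illustration and do not come from
the IC3, Gartner or Dell SecureWorks reports.
"""
from datetime import datetime, timedelta

# Constructed audit trail: one bank-side event per line, key=value fields.
SAMPLE_LOG = """\
2013-08-14T09:58:10 limit_change user=jsmith new_limit=5000000 src=10.4.7.22
2013-08-14T10:02:01 ddos_start target=onlinebanking.example
2013-08-14T10:03:44 wire_init id=W1 user=jsmith amount=2400000 src=10.4.7.22
2013-08-14T10:04:12 wire_approve id=W1 user=rlee src=10.4.7.22
2013-08-14T10:40:00 ddos_end target=onlinebanking.example
2013-08-14T11:30:00 wire_init id=W2 user=kchen amount=15000 src=10.4.9.3
2013-08-14T11:31:05 wire_approve id=W2 user=mpatel src=10.4.9.8
""".splitlines()


def parse_log(lines):
    """Turn 'ts kind k=v ...' lines into dicts with a datetime 'ts' field."""
    events = []
    for line in lines:
        ts, kind, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        event["kind"] = kind
        events.append(event)
    return events


def ddos_windows(events):
    """Pair ddos_start/ddos_end events into (start, end) intervals."""
    windows, start = [], None
    for event in events:
        if event["kind"] == "ddos_start":
            start = event["ts"]
        elif event["kind"] == "ddos_end" and start is not None:
            windows.append((start, event["ts"]))
            start = None
    if start is not None:                 # attack still running at end of log
        windows.append((start, datetime.max))
    return windows


def flag_wires(lines, limit_lookback=timedelta(hours=24)):
    """Return {wire_id: [flags]} for every wire in the log."""
    events = parse_log(lines)
    windows = ddos_windows(events)
    limit_changes = [e for e in events if e["kind"] == "limit_change"]
    wires = {}
    for event in events:
        if event["kind"] == "wire_init":
            wires.setdefault(event["id"], {})["init"] = event
        elif event["kind"] == "wire_approve":
            wires.setdefault(event["id"], {})["approve"] = event

    report = {}
    for wire_id, parts in wires.items():
        init, approve = parts.get("init"), parts.get("approve")
        if init is None:
            report[wire_id] = ["approval_without_initiation"]
            continue
        flags = []
        # 1. Limit raised for the initiator within the lookback window.
        if any(c["user"] == init["user"]
               and timedelta(0) <= init["ts"] - c["ts"] <= limit_lookback
               for c in limit_changes):
            flags.append("limit_raised_before_wire")
        # 2. Second approver acting from the initiator's host, or the same person.
        if approve is not None and approve["src"] == init["src"]:
            flags.append("approver_shares_source_with_initiator")
        if approve is not None and approve["user"] == init["user"]:
            flags.append("self_approved")
        # 3. Wire initiated while the public portal was under DDoS.
        if any(start <= init["ts"] <= end for start, end in windows):
            flags.append("initiated_during_ddos")
        report[wire_id] = flags
    return report


if __name__ == "__main__":
    for wire_id, flags in flag_wires(SAMPLE_LOG).items():
        print(wire_id, "ALERT" if flags else "ok", flags)
```

W1 trips all three checks and W2 none. The point of wiring the DDoS feed into the wire-transfer alerting is the timing argument the notes make: the bank only has minutes to report a fraudulent wire, so the availability incident should raise the priority of wire review rather than pull everyone off it.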

Washington Post hacked by Syrian Electronic Army

  • The attackers managed to modify specific pages of the Washington Post website so that they redirected visitors to the attackers’ own site for about 30 minutes
  • The Syrian Electronic Army (SEA) is a pro-Assad group known for hijacking many Twitter accounts, as well as attacking other newspapers including The Financial Post, The Onion and the Associated Press
  • SEA first hijacked an employee’s Twitter account and used it to spread their message
  • Some time after that, pages on the website started being redirected
  • It is unclear if the employee’s credentials were used to execute the redirect attack
  • The method was the same as that used against the Financial Post and The Onion: phishing emails that appeared to come from colleagues inside the same company and led to a fake email login page that captured their credentials. It is unclear whether the Post uses Gmail, as the FP and The Onion did
  • In a tweet, SEA claimed they had compromised ‘Outbrain’, a business partner of the newspaper that provides ‘content discovery’ mechanisms
  • The tweet also claimed that this compromise gave them access to not only the WP, but also CNN and TIME Magazine
  • The newspaper promptly disabled the Outbrain module and enacted other defensive measures
  • Outbrain acknowledged the problem last Thursday. “We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it’s safe to turn it back on securely. We are working hard to prevent future attacks of this nature.”
  • This type of attack is especially dangerous. Had the SEA redirected users to a site serving malware rather than to their own site with a political message in Arabic, the results could have been much worse, and it could have gone on much longer before anyone noticed
  • It is the most dangerous kind of attack because it resembles a watering hole attack but hits a mass audience instead of a small one: the content-discovery widget runs as third-party code inside the newspaper’s own pages, so whoever controls Outbrain controls what every reader’s browser does on those pages
  • Additional Coverage

Feedback:

Send us a Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

Round-Up:

The post Little Phish Big Breach | TechSNAP 124 first appeared on Jupiter Broadcasting.

Snakes in a Bank | TechSNAP 96 https://original.jupiterbroadcasting.net/31416/snakes-in-a-bank-techsnap-96/ Thu, 07 Feb 2013 16:55:14 +0000 https://original.jupiterbroadcasting.net/?p=31416

Using phone tones and a little Python to get access to someone’s bank account, and Oracle steps up with an early patch for Java but it doesn’t fix everything.

Then we answer a big batch of your questions, and much more on this week’s TechSNAP.

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go47off1 to save 47% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: