Show Notes: linuxactionnews.com/246

The post Linux Action News 246 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/389

The post The Future of HTTP | TechSNAP 389 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/375

The post Surprise Root Access | TechSNAP 375 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Mirai IoT Botnet Co-Authors Plead Guilty

The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called “Internet of Things” devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site).

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

• HP keylogger – Bytes – ZwClose on bytes

Apple Releases iOS 11.2.1 Update With HomeKit Remote Sharing Fix

According to Apple’s release notes, the update re-enables remote access for shared users of the Home app. Apple broke remote access for shared users when implementing a fix for a major HomeKit vulnerability last week.

FreeNAS

• FreeNAS 11.1 is Now Available for Download! – FreeNAS – Open Source Storage Operating System

Feedback

• Any input on giving a “security” presentation to HR?
• New feedback URL: techsnap.systems – Contact

Process Doppelgänging attack affects all Windows version & evades AV products

Dubbed ‘Process** **Doppelgänging‘ by Tal Liberman and Eugene Kogan of EnSilo, the attack was _demonstrated_during Black Hat Europe 2017 security conference in London earlier today.

Doppelgänging, a fileless code injection technique, works in such a manner that an attacker can manipulate the way Windows handles its file transaction process and pass malicious files even if the code is known to be malicious.

According to security duo “The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine.”

The post Server Neglect | TechSNAP 348 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Yellow dots give you away

• How to remove the yellow dots

• List of Printers Which Do or Do Not Display Tracking Dots – no longer updated

• More on Steganography: in pornography

Hiding command and control in plain text

• The ESET report

libtrue

• HOME page

• GitHub page

• FreeBSD port

• Code of Conduct

• 34 watches on GitHub

• Libraries.io entry

• subreddit

Feedback

• Quadrupled photos

• Apple laptop repair place – Brickfence

• Low power pfSense & pfSense 2.5

Round Up:

• 8,000 Vulnerabilities Found in Pacemakers
  

• Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA

• Ex-Admin Deletes All Customer Data and Wipes Servers of Dutch Hosting Provider

• Microsoft Azure adds OpenBSD support

• Watch what government is looking at

The post Comment & Control | TechSNAP 323 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Ansible vulnerability

• “Ansible is an open-source automation engine that automates cloud provisioning, configuration management, and application deployment. Once installed on a control node, Ansible, which is an agentless architecture, connects to a managed node through the default OpenSSH connection type.”
• Similar tools are Puppet, Chef, SaltStack, cfEngine
• Summary: Command execution on Ansible controller from host
• Why is this important? First, if one of your ansible-controlled hosts is compromised, they can execute a command on your ansible controller.
• So what you might ask? Your ansible controller accesses all your systems….
• Computest notes: Not a full audit, might be other issues
• Affected versions: < 2.1.4, < 2.2.1
• A big threat to a configuration management system like Ansible, Puppet, SaltStack and others, is compromise of the central node. In Ansible terms this is called the Controller. If the Controller is compromised, an attacker has unfettered access to all hosts that are controlled by the Controller. As such, in any deployment, the central node receives extra attention in terms of security measures and isolation, and threats to this node are taken even more Seriously.
• Fortunately for team blue (team blue is the defense team), in the case of Ansible the attack surface of the Controller is pretty small. Since Ansible is agent-less and based on push, the
  Controller does not expose any services to hosts.
• A very interesting bit of attack surface though is in the Facts. When Ansible runs on a host, a JSON object with Facts is returned to the Controller. The Controller uses these facts for various housekeeping purposes. Some facts have special meaning, like the fact “ansible_python_interpreter” and “ansible_connection”. The former defines the command to be run when Ansible is looking for the python interpreter, and the second determines the host Ansible is running against. If an attacker is able to control the first fact he can execute an arbitrary command, and if he is able to control the second fact he is able to execute on an arbitrary (Ansible-controlled) host. This can be set to “local” to execute on the Controller itself.
• Because of this scenario, Ansible filters out certain facts when reading the facts that a host returns. However, we have found 6 ways to bypass this filter.
• Bypass #1: Adding a host – Ansible allows modules to add hosts or update the inventory. This can be very useful, for instance when the inventory needs to be retrieved from a IaaS platform like as the AWS module does. If we’re lucky, we can guess the inventory_hostname, in which case the host_vars are overwritten and they will be in effect at the next task. If host_name doesn’t match inventory_hostname, it might get executed in the play for the next hostgroup, also depending on the limits set on the commandline.
• Bypass #2: Conditionals – Ansible actions allow for conditionals. If we know the exact contents of a “when” clause, and we register it as a fact, a special case checks whether the
  “when” clause matches a variable. In that case it replaces it with its
  contents and evaluates them.
• Bypass #3: Template injection in stat module – The template module/action merges its results with those of the stat module.This allows us to bypass the stripping of magic variables from ansible_facts, because they’re at an unexpected location in the result tree.
• Bypass #4: Template injection by changing jinja syntax – Remote facts always get quoted. Set_fact unquotes them by evaluating them.
  UnsafeProxy was designed to defend against unquoting by transforming jinja
  syntax into jinja comments, effectively disabling injection.
• Bypass #5: Template injection in dict keys – Strings and lists are properly cleaned up, but dictionary keys are not.
• Bypass #6: Template injection using safe_eval – There’s a special case for evaluating strings that look like a list or dict. Strings that begin with “{” or “[” are evaluated by safe_eval [2]. This allows us to bypass the removal of jinja syntax: we use the whitelisted Python to re-create a bit of Jinja template that is interpreted.
• Computest is not aware of mitigations short of installing fixed versions of the
  software.
• Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
• The handling of Facts in Ansible suffers from too many special cases that allow for the bypassing of filtering. We found these issues in just hours of code review, which can be interpreted as a sign of very poor security. However, we don’t believe this is the case.
• The attack surface of the Controller is very small, as it consists mainly of the Facts. We believe that it is very well possible to solve the filtering and quoting of Facts in a sound way, and that when this has been done, the opportunity for attack in this threat model is very small.
• Furthermore, the Ansible security team has been understanding and professional in their communication around this issue, which is a good sign for the handling of future issues.

Who is Anna-Senpai, the Mirai Worm Author?

• Way too long to go into full detail, so I will only outline a few interesting bits
  +On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.
• After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.
  +Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.
• The story you’re reading now is the result of hundreds of hours of research. At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross. If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.
• As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.
• A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks. And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.
• Talks about the variants of the IoT botnet, mentions Minecraft webservers were a frequent target.
• Goes into a lot of detail of DDoS protection services, how Minecraft customers would come under attack, and how a competing DDoS protection company made threats directly preceding attacks
• Discusses how the attacks where are way to boost business by not attacking your own customers, but by attacker customers of other DDoS proection services.
• Boils down to the classic: nice business you have here, it’d be a shame if anything happened to it.

TechSNAP Career Challenge

• I was at the [Grace Hopper Celebration(https://ghc.anitaborg.org/) of Women in Computing is the world’s largest gathering of women technologists. It is huge. I met people from many different technology areas (medicine, robotics, software design, someone who built a chip for the iPhone).
• I was there on behalf of The FreeBSD Foundation to give a talk about how to contribute to open source.
• Many were students and often were not sure of what part of technology they wanted to pursue.
• I’ve seen many people go for years in their careers then suddenly discover a passion they previously didn’t know about and their life completely changes.
• This point was mentioned to me by a Google Employee who gave me this list of steps which I then incorporated into my talk, then I wrote a blog post about it.
• Seeing the eyes light up made me think we need to send this wider.
• Allan Jude suggested I include this into the show
• Here is what you do
• Here is what I challeng our listeners to do:
• Take this challenge
• Blog about it
• Then send us your blog URL and tell us what you got out of the challenge

Feedback:

• Bareos/bacula for which I suggest my jail snapshot script
• Malware in the browser

Round Up:

• Dan’s t-shirt challenge
• straight stick, curved slot – tweet by Amanda Rousseau
• Google Infrastructure Security Design Overview
• Criminal cases, public and police safety put at risk by IT failures, RCMP documents say – Politics
• The 32-Bit Dog Ate 16 Million Kids’ CS Homework
• Oren Jacob’s answer to Did Pixar accidentally delete Toy Story 2 during production? – Quora
• Heartbleed Report (2017-01)
• Already on probation, Symantec issues more illegit HTTPS certificates

The post DDos Mafia | TechSNAP 303 first appeared on Jupiter Broadcasting.

Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

• “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
• “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
• “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
• “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
• Norton Security, Norton 360, and other legacy Norton products (All Platforms)
• Symantec Endpoint Protection (All Versions, All Platforms)
• Symantec Email Security (All Platforms)
• Symantec Protection Engine (All Platforms)
• Symantec Protection for SharePoint Servers
• And so on.
• “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
• “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
• Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
• “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
• “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
• “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
• “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
• “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
• “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
• “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
• There is also a buffer overflow in the Power Point decomposer (used to check for macros etc)
• There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
• “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
• “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
• “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
• “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
• There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
• “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
• Additional Coverage: Fortune.com
• Additional Coverage: Ars Technica

Botnet made up to CCTV Cameras and DVRs conducts DDoS attacks

• As we reported in TechSNAP #259 a security research found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
• This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
• Original coverage from March
• Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
• Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
• A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
• One of the victims, a Jewelry store, moved their site behind a WAF (Web Application Firewall), to protect it from the attack
• Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
• Most botnets lose strength the longer the attack is sustained, because infected machines are shutdown, isolated, reported, or disconnected.
• The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

• For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
• “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
• This study provides a comparison between Flash and HTM5 based advertisements
• Flash ads tend to be smaller. HTML5 ads also on average 100kb larger, using more bandwidth, which on mobile can be a big deal
• Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
• HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue the number of aged devices dwindles
• Flash ads tend to provide better picture quality, due to sub-pixel support
• HTML5 provides better mobile support, where Flash on mobile is rare
• There is currently a larger community of Flash developers, but this is changing
• HTML5 is not controlled by a single entity like Adobe
• Flash provides better optimization
• HTML5 provides better usability and semantic support
• This study finds that killing off Adobe Flash will not solve the security problems, HTML5 has plenty of its own security issues
• “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
• “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
• A typical flash malvertising campaign, the ad calls the flash externalCall interface, and runs some malicious javascript, creating a popup, that if you user accepts, may infect their computer
• In an HTML5 based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking url. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
• “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
• “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
• “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
• “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
• Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
• In the end, maybe we need to stop allowing advertisements to have the ability to execute code
• Does anyone remember when advertisements were just animated .gif files?

Feedback:

• Jason

• Rob

• Ray –

• TheCloudisaLie

Round Up:

• Google’s giant new trans-Pacific internet cable goes online Thursday
• Vacationing Security Researcher finds skimmer in the wild
• Resold hard drives on eBay, Craigslist are often still ripe with leftover data
• Google CEO Sundar Pichais has Quota account hacked by “OurMine”
• FBI’s use of Tor exploit is like peering through “broken blinds”
• NASCAR team pays ransomware fee of $500 to recover 2 million dollar design files
• Chrome DRM bug makes it easy to download streaming video
• Java, PHP, NodeJS, and Ruby exposed to Swagger vulnerability
• Bits, Please!: QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
• Video: Lecture 13 – How to Build an Insecure System out of Perfectly Good Cryptography
• DoJ report: less than a quarter of one percent of wiretaps encounter any crypto
• Exfiltrate data from an air-gapped computer by modulating the fan speed — Fansmitter
• Microsoft to make saying no to Windows 10 update easier
• IRS kills off doomed PIN authentication method early. Authentication with your last years adjusted gross income to remain standard
• Javascript 7th edition released
• StartEncrypt had design, get a certificate for dropbox or github by faking API calls

The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.

Is the “Dark Cloud” hype, or a real technology? Using DNS tunneling for remote command and control & the big problem with 1-Day exploits.

Plus your great question, our answers, a breaking news roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

APT Groups still successfully exploiting Microsoft Office flaw patched 6 months ago

• “A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.”
• “CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.”
• “The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.”
• One of the groups using the exploit targeted the Japanese military industrial complex
• “In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.”
• “The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.”
• The report details a number of different teams, with different targets
• Some or all of the teams may be related
• “The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.”
• Kaspersky Lab Report

Krebs investigates the “Dark Cloud”

• “Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes.”
• “In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.”
• How do you keep your site online while hosting it on hacked machines you do not control
• How do you keep the data secure? Who is going to pay for stolen credit cards when they can just hack one of the compromised machines hosting your site?
• “I first became aware of this botnet, which I’ve been referring to as the “Dark Cloud” for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a Youtube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called “Uncle Sam,” whose home page pictures a pointing Uncle Sam saying “I want YOU to swipe.””
• “I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.”
• So, most of these hacked machines are likely just “repeaters”, accepting connections from end users and then relaying those connections back to the secret central server
• This also works fairly well as a DDoS mitigation mechanism
• “the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine’s strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a “reverse proxy,” which lets the attackers control the system remotely”
• “It’s unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operated through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggests the whole thing may have been orchestrated by the same gang.”
• A more indepth report on the botnet is expected next week
• “If you liked this story, check out this piece about another carding forum called Joker’s Stash, which also uses a unique communications system to keep itself online and reachable to all comers.”

Wekby APT gang using DNS tunneling for C&C

• “Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.”
• “Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.”
• “The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.”
• “The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample.”
• “The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.”
• “The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.”
• “The use of DNS as a C2 protocol has historically not been widely adopted by malware authors.”
• “The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
• “The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.”
• The Malware also looks for specific flags in the DNS response, to prevent it being spoofed by a DNS server not run by the authors. Palo Alto Networks has reverse engineered the malware and found the special flags
• The following commands, and their descriptions are supported by the malware:
  • sifo – Collect victim system information
  • drive – List drives on victim machine
  • list – List file information for provided directory
  • upload – Upload a file to the victim machine
  • open – Spawn a command shell
• “The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.”
• Palo Alto Networks Report

Feedback:

• Colo

• Snapshot best practices

• SELinux is cruel to animals

• Work in IT, got this in the mail today.

• Parts of a computer labeled by someone who thinks they know how a computer works

Round up:

• Tor To Use Distributed RNG To Generate Truly Random Numbers
• Skimmers Found at Walmart: A Closer Look
• Foxconn replaces ‘60,000 factory workers with robots’
• FBI warns of wireless keystroke loggers that look like harmless USB chargers
• A third of new cellular customers last quarter were cars
• NIST publishes guide on: Security for Full Virtualization Technologies
• Google aims to kill passwords by the end of this year
• DARPA gives out 7 multi-million dollar grants for research into DDoS mitigation
• Fox ‘Stole’ a Game Clip, Used it in Family Guy & DMCA’d the Original
• Analog malicious hardware, how to slip a backdoor into a chip
• Microsoft promises to stop tricking people into upgrading to Windows 10 when they clearly do not want to
• Google might name and shame slow-to-update Android vendors
• Foul-mouthed worm takes control of wireless ISPs around the globe

The post PIS Poor DNS | TechSNAP 268 first appeared on Jupiter Broadcasting.

Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to Build a successful Information Security career.

Plus a great batch of your questions, a rocking round up, and much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

How to make secret phone calls

• “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
• “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
• The article sets out the steps required to conduct untraceable phone calls
• The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
• “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
• Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
• Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
• After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
• Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
• Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
• Wipe down and destroy handset.
• “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
• “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
• “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
• “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
• “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
• “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
• Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
• “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
• Guide to creating and using One-Time Pads
• John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

• “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
• “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP ranges owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit. “
• “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
• “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
• Level 3 then worked to block the malicious traffic
• “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
• “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before a DDoS Rootkit.”
• “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
• “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
• Remote root login should never be allowed anyway
• Hopefully this will send a clear message to the providers that allow these type of attackers to operate on their network. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.

How to Build a Successful Information Security Career

• A question I often get is “how do I get into InfoSec”
• Myself, not actually being an InfoSec professional, and never having really worked in that space, do not have the answer
• Luckily, someone who is in that space, finally wrote it all down
• “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
  • So, keep watching TechSNAP
• Basic Steps:
• Education (Sysadmin, Networking, Development)
• Building Your Lab (VMs, VPSs from Digital Ocean)
• You Are Your Projects (Build something)
• Have a Presence (Website, Blog, Twitter, etc)
• Certifications (“Things have the value that others place on them”)
• Networking With Others (Find a mentor, be an intern)
• Conferences (Go to Conferences. Speak at them)
• Mastering Professionalism (Dependability, Well Written, Good Speaker)
• Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
• Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
• Becoming Guru
• It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
• Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

Feedback:

• Data Delivery/Syncing over WAN

• TOR Question

• Upgrading password hash algorithm

Round Up:

• Announcing Git Large File Storage (LFS)
• Amazon EFS
• One in seven employees will self corporate passwords for $150 or less
• Hidden backdoor API to root privileges in Apple OS X
• Vulnerability in Firefox forced Mozilla to disable opportunistic encryption
• The FBI Has Its Own Secret Brand of Malware
• AT&T Call Center staff sold hundres of thousands of customer records to criminals
• Expired SSL certificate
• Google lets the Root CA certificate that issues the smtp.gmail.com certificate expire
• Congress must end mass NSA surveillance with next Patriot Act vote
• Greenwald criticized universities which open up their campuses to government agencies in exchange for funding
• 8 Ways You Didn’t Know Hackers Could Steal Your Identity
• Apple did not remove CNNIC Root CA from trust lists in latest security update
• Every Wi-Fi Router Should Look Like The USS Enterprise
• IT Security in a nutshell

The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

Amazon is making movies for the theaters with a faster release online master plan, but could this sink Prime streaming?

Plus how the NSA takes over botnets without a trace & hacks the hackers.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Amazon announces plans to make movies for theaters, Prime streaming

Amazon Studios is going to start making movies, and you’ll be seeing them in theaters before they become available for streaming on Prime.Fresh off Golden Globe wins for its original series Transparent, the company today announced it will produce and acquire full-length feature films for theatrical release. Amazon Original Movies, which “focus on unique stories, voices, and characters from top and up-and-coming creators,” will become available to US Prime subscribers just 4 to 8 weeks after they premiere in theaters — a shorter transition to streaming than you’d see from the major movie studios.

And Amazon’s not exactly starting small; it plans to produce up to 12 movies each year as part of the new initiative, and those efforts will kick off in earnest later this year. “Not only will we bring Prime Instant Video customers exciting, unique, and exclusive films soon after a movie’s theatrical run, but we hope this program will also benefit filmmakers, who too often struggle to mount fresh and daring stories that deserve an audience,” said Roy Price, VP of Amazon Studios.

Report: NSA not only creates, but also hijacks, malware

One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that’s used to hijack botnet computers and use them as “pervasive network analysis vantage points” and “throw-away non-attributable CNA [computer network attack] nodes.”

This means that if a user’s computer is infected by cybercriminals with some malware, the NSA might step in, deploy their own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn’t then be traced back to the NSA.

According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.

Sometimes the NSA also uses the servers of unsuspecting third parties as scapegoats, Der Spiegel reported. When exfiltrating data from a compromised system, the data is sent to such servers, but it is then intercepted and collected en route though the NSA’s vast upstream surveillance network.

Star Trek Continues 2015 “Kirkstarter 2.0” by Far From Home, LLC — Kickstarter

Star Trek Continues is a successful award-winning, non-profit, fan-based webseries finishing the final 2 years of the original mission.

The post Amazon Treks On | Tech Talk Today 119 first appeared on Jupiter Broadcasting.

We cover the latest from the IFA consumer electronics shows where the next major mobile devices are being showcased, the big new virtual reality backer & the Sony bump.

Plus we’ll discuss the inaccurate Linux security story floating around the net & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

• Driving the news: IFA 2014

IFA (Internationale Funkausstellung) is an annual consumer electronics show held in Berlin, Germany, which often serves as a launching platform for smartphone and tablet manufacturers. Think of it as a mini-Mobile World Congress. Last year’s IFA hosted the launch of the Samsung Galaxy Note 3 and Galaxy Gear, among others. This year’s event officially runs from Sept. 5-10, but we’re expecting many of larger announcements to be made in the couple of days before IFA officially begins.

The Galaxy Note Edge is a flagship phone with an entirely new kind of curved display | The Verge

Samsung has introduced the Note 4, a 5.7-inch phone with a 1440p SuperAMOLED display coming in October.

The Note Edge is, on paper at least, only the slightest variation on the new Note 4. It has the same metallic design. It has the same 16-megapixel camera, the same heart-rate monitor, the same processor, the same memory, the same software. It even has a Quad HD, 2560 x 1440 display like the Note 4, though this one is slightly smaller at 5.6 inches rather than 5.7.

It’s on the right side of the phone’s front face that a sharp difference appears between the two models. The screen starts to slope downward, falling off toward the edge and wrapping around the side. It’s as if two screens have been connected to each other at an acute angle, but there’s only one display here. The asymmetry of the phone feels a little odd, like I chipped part of the right side off by accident, but it doesn’t really hurt the aesthetic appeal of the phone. It’s still very comfortable, the metal body both solid and dense, and I like the way the screen curls under my right thumb. (If you’re a lefty, using the Note Edge in one hand is going to be terrible — but then again using a Note in one hand is already terrible.)

Sony announces its latest flagship smartphone, the Xperia Z3

You’ll find a 5.2-inch, 1080p display, a 20.7-megapixel camera and waterproofing. (Same as the Z2)

Sony has also added a new, wide-angle 25mm lens (to fit more into a shot) and extra-high ISO 12,800 light sensitivity.

A 2.5GHz Snapdragon 801 processor instead of the 2.3GHz chip you saw in the Z2.

Price and carries will be annouced in the fall.

• A closer look at Sony’s Xperia Z3 flagship

Samsung and Oculus partner to create Gear VR, a virtual reality headset that uses the Note 4 (hands-on)

Samsung’s getting in on the virtual reality action, announcing Gear VR at IFA 2014 today in Berlin, Germany. Gear VR is a virtual reality headset with a removable front cover where Samsung’s newly announced Note 4 slips in, acting as the screen. Paired with adjustable lenses built into the headset

• Built in Camera
• No wires (that means no PC to drive it too)
• Touch Pad
• Good build

The only information on availability is “this year,” and there is no price just yet; it’ll be available for purchase online and through “select carriers.” Considering how low-tech Gear VR is, and the fact that Samsung’s pushing a product into a market that doesn’t really exist just yet, I expect the company will aim as low as possible in terms of pricing.

When you do get one, it comes with a 16GB microSD preloaded with a variety of “360-degree videos and 3D movie trailers from major studios” (that’ll go into the Note 4, naturally). Oh, and you’ll need a Note 4 (not a Note 4 Edge — just the Note 4), as Gear VR is built to work with only that device.

Linux systems infiltrated and controlled in a DDoS botnet

Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals.

The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.

Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.

A post-infection indication is a payload named .IptabLes or. IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot.

The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.

“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior VP and GM, Security Business Unit, Akamai.

The post Linux Fear-Mongering | Tech Talk Today 52 first appeared on Jupiter Broadcasting.

Want to make billions in days? Quit your job and become a botnet master. We’ll share the story about a Brazilian botnet that you’ve just got to hear.

Plus a major flaw in Android, encryption done right, your questions, our answers & much much more!

Thanks to:

— Show Notes: —

Botnet stealing from Brazilian banks rampent, maybe into the billions of dollars

• In Brazil, the most common form of payment, for everything from taxes, utility bills or large purchases and almost all business-to-business payments is “Boleto Bancario” (or just boleto for short)
• It is basically an bank transfer, somewhere between a cheque and a wire transfer
• Most Brazilians do not have credit cards, and credit card processing is expensive (usually 3-5% or more) and the merchant usually has to wait 30 days to receive the funds
• A boleto usually only takes 24 to 48 hours and has a low fixed fee (approximately $1)
• unlike credit card payments, which can be disputed and reversed, boleto cannot be reversed. Refunds are handled by bank transfer
• The information is filled out on a form, and then the recipient enters the details online to receive the payment
• Brian Krebs was shown a botnet that was lying in wait on infected computers, and as the user entered the details of a boleto, it would quickly change the recipient as the transfer was submitted, allowing the botnet controllers to receive the money, instead of the intended recipient
• “Thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time”
• Researchers at RSA Security (part of EMC) found an even larger botnet
• “RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.”
• “Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.”
• “RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds.”
• The botnet Krebs discovered was much less sophisticated, using only 3 destination bank accounts
• RSA PDF

Dealing with encrypted streams

• Adam Langley (of Google Security, and one of the authors behind BoringSSL) posts on his blog about how many file encryption systems, including gnupg, get it “wrong”
• Specifically, when encrypting large messages they often use a single MAC (Message Authentication Code) at the end of the message
• A MAC is used to ensure that the ciphertext has not been modified or corrupted before attempting to decrypt it
• The problem is, if you do something like this: gpg -d your_archive.tgz.gpg | tar -xz
• It will decrypt the contents of the gpg encrypted file and spit them out to the pipe, and not until it reaches the MAC at the end of the message, will it realize that the file was corrupted, and should not have been used. At this point it is too late, tar has already processed the invalid stream
• An attacker may be able to use this to cause tar to overwrite a file the user did not intend, or otherwise create corrupted files or exploit a vulnerability in tar
• The correct way to handle this situation is to not return the data until it has been authenticated, however this may require an impossibly large buffer
• The author discusses the reasonably low overhead (0.1%) of breaking the message into 16 KiB chunks, each with a 16 byte MAC. This would allow gpg to authenticate each small chunk before writing it to the pipe.
• However, with that approach “Although safer in general, when chunking one has to worry that an attacker hasn’t reordered chunks, hasn’t dropped chunks from the start and hasn’t dropped chunks from the end”
• Ted Unangst (of OpenBSD/LibreSSL) posts his thoughts
• Ted clarifies that OpenBSD’s ‘signify’ system in newer OpenBSD installers download the archive, verify the downloaded temporary archive before passing it to tar to be extracted, as opposed the the old design before signify, where the file was piped to tar directly from the ftp client, not requiring the temporary storage space
• Ted also mentions his ‘reop’ (Reasonable Expectation Of Privacy) tool, a light weight (incompatible) replacement for GnuPG, “However, the entire message must decrypt and authenticate successfully before any output is produced, so it’s actually safer than a small packet streaming program which may produce partial output. (reop cheats a bit by imposing a message size limit; it simply can’t encrypt large files, for large values of large.)”

Android keystore stack overflow flaw could allow key-theft

• The vulnerability could allow attackers to steal cryptographic keys from the device, including those for some banking services, virtual private networks, and PINs or patterns used to unlock vulnerable devices
• The flaw is fixed in Android 4.4
• Originally incorrectly reported as affecting 86% of devices, it only affects ~ 10.3% as it only affects Android 4.3
• The vulnerability requires a malicious app be installed on the targeted handset, but we have seen legitimate apps be bought or hijacked before, and it is often fairly easy to trick people into installing apps
• “Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password. This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack.”
• Researcher Post

Feedback:

• Mortgage Fraud and Decrypt Follow Up

• disaster recovery = backup??

• Backup Overview | dpBestflow

• Allan’s Backup Article

• ZFS – Copy on Write and Virtual Machines

• Hey Allen, how did you manage your passwords prior to Lastpass?

• QUESTION: Which groupware to use?

• Powerful Collaboration and Community Platform for Social, Mobile and the Cloud – Zimbra

• Overview | Kolab.org Community

• own notes

Round Up:

• Banking Malware Intercepts and Logs Network Traffic – Sent in by Mark
• Unix wildcards gone wild
• How to watch hacking, and cyberwarfare between the USA and China, in real time
• Norse – IPViking Live
• Bug in Amazon Fire TV causes Screensaver to use 80GB per day of data, blowing users’ transfer caps
• Goldman Sachs demands Google “Unsend an emails” that is accidently sent to @gmail.com instead of @gs.com. Google said “not without a court order”, Goldman Sachs filed with the New York Supreme Court, requesting “emergency relief” to avoid a privacy violation and “avoid the risk of unnecessary reputational damage to Goldman Sachs.”
• Microsoft kills “Patch Tuesday” emails, blames new Canadian anti-spam law
  • Microsoft provided feedback and was involved in every step of drafting the Canadian anti-spam law. It can as quite a shock to all involved when Microsoft announced they would be killing off their email services. After the uproar, Microsoft quickly reversed course “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”
• Fallout from the poor communications surrounding the announcement of a 2012 study by facebook which saw it modify the tone of stories displayed to users to track how it changed the emotions of the users. Surprise: Showing users sad stories made them sad, and vice versa
• NZ Court rules Dotcom encryption keys cannot be given to FBI
• Medal for writing Perl for the US Army
• Malware targetting ICS may have been able to sabotage electrical grid
  • “Its most vicious attack campaign saw it imperil several industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This resulted in companies installing the malware while downloading software updates for computers operating ICS equipment. These attacks not only gave the hackers a foothold in the targeted companies’ networks, but also provided them the means to mount sabotage operations against infected ICS computers”

The post Botnet Billionaires | TechSNAP 170 first appeared on Jupiter Broadcasting.

On this week\’s show, you\’ll be getting the full jail treatment. We\’ll show you how to create and deploy BSD jails, as well as chatting with Poul-Henning Kamp – the guy who actually invented them! There\’s lots of interesting news items to cover as well.

So stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD turns it up to 11

• The -CURRENT branch is now known as 11
• 10 has been branched to -STABLE
• 10-BETA1 ISOs are available now
• Will be the next -RELEASE, probably next year

Stopping the SSH bruteforce with OpenBSD and pf

• The Hail Mary Cloud is an SSH bruteforce botnet that takes a different approach
• While most botnets pound port 22 rapidly, THMB does it very slowly and passively
• This makes prevention based on rate limiting more involved and complex
• Nice long blog post about some potential solutions and what we\’ve learned

ZFS and GELI in bsdinstall coming soon

• The man with the beard strikes again, new patch allows for ZFS-on-root installs
• Supports GELI for disk encryption
• Might be the push we need to make Michael W Lucas update his FreeBSD book

AsiaBSDCon 2014 announced

• Will be held in Tokyo, 13-16 March, 2014
• The conference is for anyone developing, deploying and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, Darwin and Mac OS X
• Call for papers can be found here

Interview – Poul-Henning Kamp – phk@freebsd.org / @bsdphk

FreeBSD beginnings, md5crypt, jails, varnish and his… telescope project?

Tutorial

Everything you need to know about Jails

• Last week we showed you how to run VNC in a jail, but people asked \”how do I make a jail in the first place?\”
• This time around, we\’ll show you how to do exactly that
• Jails are a dream come true for both security experts and clean freaks, keeping everything isolated
• We\’ll be using the ezjail utility and making a basic jail setup

News Roundup

New pf queue system

• Henning Brauer committed the new kernel-side bandwidth shaping subsystem
• Uses the HFSC algorithm behind the scenes
• ALTQ to be retired \”in a release or two\” – everyone should migrate soon

Dragonfly imports FreeBSD KMS driver

• Hot on the trails of OpenBSD and later FreeBSD, Dragonfly gets AMD KMS
• Ported over from the FreeBSD port

Weekly PCBSD feature digest

• Weekly status update every Friday
• Will be a \”highlight of what important features have been added, what major bugs have been fixed, and what is presently going on in general with the project.\”

Get paid to hack OpenSSH

• Google has announced they will pay up to $3113.70 for security patches to OpenSSH
• Patches can fix security or improve security
• If you come up with something, send it to the OpenSSH guys

Feedback/Questions

• Darren writes in: https://slexy.org/view/s24RmwvEvE
• Kjell-Aleksander writes in: https://slexy.org/view/s2wFcFk9Yz
• Ryan writes in: https://slexy.org/view/s23e920gNG
• Alexander writes in: https://slexy.org/view/s2usxPqO9k

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
• We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Go Directly to Jail(8) | BSD Now 7 first appeared on Jupiter Broadcasting.

13 of the most popular home routes are wide open to attack, is your’s one of them? Tune in to find out.

Plus details on the Malwarebytes update that rendered some systems unbootable, the latest on CISPA, your questions our answers…

And so much more, On this week’s episode of… TechSNAP!

Thanks to:

GoDaddy.com Use our code tech295 to score .COM for $2.95! 35% off your ENTIRE first order just use our code go35off4 until the end of the month!
FauxShow Awards Catch episode 137 for the TechSNAP 100 T-Shirt awards. Angela and Chris share stroies, pictures, and jokes sent in by the TechSNAP audience!

Support the Show:

   

Support the Show: