Cisco – Jupiter Broadcasting

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

Microsoft To Embrace Decentralized Identity Systems Built On Bitcoin And Other Blockchains

In a new post today, Microsoft announced their embrace of public blockchains, such as Bitcoin and Ethereum, for use in decentralized identity systems. Initially, the longtime tech giant will support blockchain-based decentralized IDs (DIDs) through the Microsoft Authenticator app.

BitGrail lost $170 million worth of Nano XRB tokens because… the checks for whether you had a sufficient balance to withdraw were only implemented as client-side JavaScript https://t.co/XH5mbIWUno pic.twitter.com/WmCwj5gy8W

— Tony Arcieri (@bascule) February 11, 2018

XRballer comments on The Stolen XRB has already been Redistributed/Sold Off

Containers Will Not Fix Your Broken Culture (and Other Hard Truths)

We focus so often on technical anti-patterns, neglecting similar problems inside our social structures. Spoiler alert: the solutions to many difficulties that seem technical can be found by examining our interactions with others. Let’s talk about five things you’ll want to know when working with those pesky creatures known as humans.

Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Our method is based on an exploitation of the magnetic field generated by the computer’s CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic radiation propagates through the air, penetrating metal shielding such as Faraday cages (e.g., compass still works inside Faraday cages).

Feedback / Follow Up

The post The Concern with Containers | TechSNAP 356 first appeared on Jupiter Broadcasting.

Turkey.deb | TechSNAP 294

chris — Thu, 24 Nov 2016 18:32:02 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Akamai’s quarterly State of the Internet report: The Krebs Attack

“Internet infrastructure giant Akamai last week released a special State of the Internet report. Normally, the quarterly accounting of noteworthy changes in distributed denial-of-service (DDoS) attacks doesn’t delve into attacks on specific customers. But this latest Akamai report makes an exception in describing in great detail the record-sized attack against KrebsOnSecurity.com in September, the largest such assault it has ever mitigated.”
Akamai: “The same data we’ve shared here was made available to Krebs for his own reporting and we received permission to name him and his site in this report.”
“Akamai said the attack on Sept. 20 was launched by just 24,000 systems infected with Mirai, mostly hacked Internet of Things (IoT) devices such as digital video recorders and security cameras.”
“The first quarter of 2016 marked a high point in the number of attacks peaking at more than 100 Gbps,” Akamai stated in its report. “This trend was matched in Q3 2016, with another 19 mega attacks. It’s interesting that while the overall number of attacks fell by 8% quarter over quarter, the number of large attacks, as well as the size of the biggest attacks, grew significantly.”
“The magnitude of the attacks seen during the final week were significantly larger than the majority of attacks Akamai sees on a regular basis,” Akamai reports. “In fact, while the attack on September 20 was the largest attack ever mitigated by Akamai, the attack on September 22 would have qualified for the record at any other time, peaking at 555 Gbps.”
Krebs has also made a .csv of the data available: “An observant reader can probably correlate clumps of attacks to specific stories covered by Krebs. Reporting on the dark side of cybersecurity draws attention from people and organizations who are not afraid of using DDoS attacks to silence their detractors.” In case any trenchant observant readers wish to attempt that, I’ve published a spreadsheet here (in .CSV format) which lists the date, duration, size and type of attack used in DDoS campaigns against KrebsOnSecurity.com over the past four years.”
Some comments about the “mega” attacks on Kreb’s site:
“We haven’t seen GRE really play a major role in attacks until now. It’s basically a UDP flood with a layer-7 component targeting GRE infrastructure. While it’s not new, it’s certainly rare.”
“Overall, Columbia was the top source of attack traffic. This is surprising, because Columbia has not been a major source of attack traffic in the past. While Columbia only accounted for approximately 5% of the traffic in the Mirai-based attacks, it accounted for nearly 15% of all source IPs in the last four attacks. A country that was suspiciously missing from both top 10 lists was the u.s. With regards to Mirai, this may be due to a comparative lack of vulnerable and compromised systems, rather than a conscious decision not to use systems in the u.s.”
“There are a few distinctive programming characteristics we initially discovered in our lab, and later confirmed when the source code was published, which have helped identify Mirai-based traffic. At the end of the day what Mirai really brings to the table is a reasonably well written and extensible code base. It’s unknown as to what Mirai may bring in the foreseeable future but it is clear that it has paved the way for other malicious actors to create variants that improve on its foundation.”
The full report can be downloaded here
Some other data from the report:
“Last quarter we reported a 276% increase in NTP attacks compared with Q2 of 2015. This quarter, we analyzed NTP trends over two years and have noticed shrinking capabilities for NTP reflection.” — It is good to finally see NTP falling off the attack charts as it gets patched up
“Web application attack metrics around the European Football Cup Championship Game and the Summer Games, as analyzed in the Web Application Attack Spotlight, show us that while malicious actors take advantage of high-profile events, there’s also a lull that indicates they might like to watch them.” (see page 26)
Application Layer DDoS attacks (GET/HEAD/POST/PUT etc) account for only 1.66% of DDoS attacks. Most attacks are aimed at the infrastructure layer (IP and TCP/UDP)
“Repeat DDoS Attacks by Target / After a slight downturn in Q2 2016, the average number of DDoS attacks increased to an average of 30 attacks per target, as shown in Figure 2-13. This statistic reflects that once an organization has been attacked, there is a high probability of additional attacks.”
SQL Injection (49%) and Local File Inclusion (40%) make up the greatest share of attacks against web applications

Is your server (N)jinxed ?

A flaw in the way Debian (and Ubuntu) package nginx, can allow your server to be compromised.
The flaw allows an attacker who has managed to gain control of a web application, like wordpress, to escalate privileges from the www-data user to root.
“Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root.”
“The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system.”
The attack flow works as follows:
- Compromise a web application
- Run the exploit as the www-data user
- Compile your privilege escalation shared library /tmp/privesclib.c
- Install your own low-priv shell (maybe /bin/bash, or an exploit) as /tmp/nginxrootsh
- Take advantage of the permissions mistake where /var/log/nginx is writable by the www-data user, and replace error.log with a symlink to /etc/ld.so.preload
- Wait for nginx to be restarted or rehashed by logrotate
- When nginx is restarted or rehashed, it creates the /etc/ld.so.preload file
- Add the /tmp/privesclib.so created earlier to /etc/ld.so.preload
- Run sudo, which will now load /tmp/privesclib.so before other libraries, running the code
- sudo will not allow the www-data user to do any commands, but before sudo read its config file, it ran privesclib.so, which made /tmp/nginxrootsh setuid root for us
- Run /tmp/nginxrootsh as any user, and you now have a shell as the root user
- The now own the server
Video Proof of Concept
Fixes:
Debian: Fixed in Nginx 1.6.2-5+deb8u3
- Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
- Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
- Ubuntu 16.10: 1.10.1-0ubuntu1.1
Make sure your log directory is not writable by the www-data user

Hacking 27% of the web via WordPress Auto-update

“At Wordfence, we continually look for security vulnerabilities in the third party plugins and themes that are widely used by the WordPress community. In addition to this research, we regularly examine WordPress core and the related wordpress.org systems. Recently we discovered a major vulnerability that could have caused a mass compromise of the majority of WordPress sites.”
“The vulnerability we describe below may have allowed an attacker to use the WordPress auto-update function, which is turned on by default, to deploy malware to up to 27% of the Web at once.”
“The server api.wordpress.org has an important role in the WordPress ecosystem: it releases automatic updates for WordPress websites. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates. The response from this server contains information about any newer versions that may be available, including if the plugin, theme or core needs to be updated automatically. It also includes a URL to download and install the updated software.”
“Compromising this server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically. This provides a way for an attacker to mass-compromise WordPress websites through the auto-update mechanism supplied by api.wordpress.org. This is all possible because WordPress itself provides no signature verification of the software being installed. It will trust any URL and any package that is supplied by api.wordpress.org.”
“We describe the technical details of a serious security vulnerability that we uncovered earlier this year that could compromise api.wordpress.org. We reported this vulnerability to the WordPress team via HackerOne. They fixed the vulnerability within a few hours of acknowledging the report. They have also awarded Wordfence lead developer Matt Barry a bounty for discovering and reporting it.”
“api.wordpress.org has a GitHub webhook that allows WordPress core developers to sync their code to the wordpress.org SVN repository. This allows them to use GitHub as their source code repository. Then, when they commit a change to GitHub it will reach out and hit a URL on api.wordpress.org which then triggers a process on api.wordpress.org that brings down the latest code that was just added to GitHub.”
“The URL that GitHub contacts on api.wordpress.org is called a ‘webhook’ and is written in PHP. The PHP for this webhook is open source and can be found in this repository. We analyzed this code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to api.wordpress.org. This is called a remote code execution vulnerability or RCE.”
“If we can bypass the webhook authentication mechanism, there is a POST parameter for the GitHub project URL that is passed unescaped to shell_exec which allows us to execute shell commands on api.wordpress.org. This allows us to compromise the server.”
There is security built into the system. Github hashes the JSON data with a shared secret, and submits the hash with the data. The receiving side then hashes the JSON with its copy of the shared secret. If the two hashes match, the JSON must have been sent by someone who knows the shared secret (ideally only api.wordpress.com and github)
There is a small catch
“GitHub uses SHA1 to generate the hash and supplies the signature in a header: X-Hub-Signature: sha1={hash}. The webhook extracts both the algorithm, in this case ‘sha1’, and the hash to verify the signature. The vulnerability here lies in the fact the code will use the hash function supplied by the client, normally github. That means that, whether it’s GitHub or an attacker hitting the webhook, they get to specify which hashing algorithm is used to verify the message authenticity”
“The challenge here is to somehow fool the webhook into thinking that we know the shared secret that GitHub knows. That means that we need to send a hash with our message that ‘checks out’. In other words it appears to be a hash of the message we’re sending and the secret value that only api.wordpress.org and GitHub know – the shared secret.”
“As we pointed out above, the webhook lets us choose our own hashing algorithm. PHP provides a number of non-cryptographically secure hashing functions like crc32, fnv32 and adler32, which generate a 32bit hash vs the expected 160 bit hash generated by SHA1. These hashing functions are checksums which are designed to catch data transmission errors and be highly performant with large inputs. They are not designed to provide security.”
So instead of having to brute force a 160 bit hash (1.46 with 48 zeros after it) you only have to brute force 32 bits (4 billion possibilities). But it gets even easier
“Of these weak algorithms, the one that stood out the most was adler32, which is actually two 16 bit hashing functions with their outputs concatenated together. Not only are the total number of hashes limited, but there’s also significant non-uniformity in the hash space. This results in many hashes being the same even though they were supplied with different inputs. The distribution of possible checksum values are similar to rolling dice where 7 is the most likely outcome (the median value), and the probability of rolling any value in that range would work its way out from the median value (6 and 8 would have the next highest probability, and on it goes to 2 and 12).”
“The proof of concept supplied in the report utilizes the non-uniformity by creating a profile of most common significant bytes in each 16 bit hash generated. Using this, we were able to reduce the amount of requests from 2^32 to approximately 100,000 to 400,000 based on our tests with randomly generated keys.”
“This is a far more manageable number of guesses that we would need to send to the webhook on api.wordpress.org which could be made over the course of a few hours. Once the webhook allows the request, the attack executes a shell command on api.wordpress.org which gives us access to the underlying operating system and api.wordpress.org is compromised.”
“From there an attacker could conceivably create their own update for all WordPress websites and distribute a backdoor and other malicious code to more than one quarter of the Web. They would also be able to disable subsequent auto-updates so that the WordPress team would lose the ability to deploy a fix to affected websites.”
“We confidentially reported this vulnerability on September 2nd to Automattic and they pushed a fix to the code repository on September 7th. Presumably the same fix had been deployed to production before then.”
“We still consider api.wordpress.org a single point of failure when distributing WordPress core, plugins and theme updates. We have made attempts to start a conversation with members of Automattic’s security team about improving the security posture of the automatic update system, but we have not yet received a response.”

Feedback:

Round Up:

The post Turkey.deb | TechSNAP 294 first appeared on Jupiter Broadcasting.

The Shadow Knows | TechSNAP 282

chris — Thu, 01 Sep 2016 18:18:08 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Shadow Brokers steal hacking tools from NSA linked Equation Group

“On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.”
“The previously unknown group said that it broke into the cyberespionage organization known as the Equation Group and has now put the hacking tools that it acquired up for auction”
“In addition to selling the hacking tools to whoever would end up as the highest bidder, the Shadow Brokers said that if it will be paid 1 million bitcoins, which currently carries a value of about $568 million, the cyberweapons will be publicly released”
“To back up its claims, the Shadow Brokers uploaded what looks like attack code that focuses on the security systems of routers that direct computer traffic online. According to security experts, the code looks legitimate, affecting routers manufactured by three United States companies and two Chinese companies. Specifically, the companies involved are Cisco Systems, Fortinet, Juniper Networks, Shaanxi Networkcloud Information Technology and Beijing Topsec Network Security Technology.”
“Last year, researchers from Kaspersky Lab described the Equation Group as one of the most advanced hacking groups in the world. The compressed data that accompanied the post by the Shadow Brokers had a size of just over 256 MB and is said to contain hacking tools that are dated as early as 2010 belonging to the Equation Group”
Additional Coverage: The Intercept: The NSA Leak Is Real, Snowden Documents Confirm
“Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.”
This does not necessarily mean that the tools were stolen directly from the NSA, just that Shadow Brokers stole them from someone who had them. Maybe the Equation Group stole them, or maybe the NSA stole them from the Equation Group.
“The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
“The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.”
“SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.”
“SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.”
“Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.”
Additional Coverage: SoftPedia: List of Equation Group Files Leaked by Shadow Brokers
The list of names is quite amusing, likely computer generated by sticking two random words together. Reminds me of a domain-name generator I wrote when I was a teenager
Additional Coverage: Wired: Of Course Everyone’s Already Using the Leaked NSA Exploits
“All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.”
“Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn’t have a patch yet.”
“Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. “I’m not surprised that someone tried to exploit it,” Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. “People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way,” Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.”
“The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.”
Additional Coverage: Softpedia: Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool
Additional Coverage: Stephen Checkoway: Equation Group Initial Impressions
Additional Coverage: @musalbas: NSA’s BENIGNCERTAIN sends IKE packets to Cisco VPNs, then parses config and private keys from the response
Additional Coverage: @thegrugq: speculation that the ShadowBrokers leak was from another Snowden is “completely wrong”
Additional Coverage: Matt Blaze

Google Login Issue Allows Credential Theft

Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials. or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
The login page checks to ensure that the parameter points to .google.com/, but doesn’t determine which Google service the parameter is pointing to.
“The application fails to verify the type of Google service that has been specified. This means that is is possible to seamlessly insert any Google service at the end of the login process.”
Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials.
For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.
Exploiting the flaw should be simple, an “Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter,”
Woods opened three separate reports with Google about the vulnerability, but to no avail.
In a message to Woods, Google representatives said they saw phishing as the only attack vector, and didn’t consider this a security problem.
“The simplest action Google can take to address this would be to remove the redirect feature at login. If they want to retain that feature and also address this problem, they need to properly validate the contents of the parameter: Google needs to make sure the values they allow can’t be abused, and validate the allowed values are also safe themselves,” Woods said.
“This could be done by building a whitelist of [sub-]domains, (including paths if necessary) that they wish to redirect to.”
Aidan Woods: Google’s Faulty Login Pages

Researchers map the Netflix content delivery network, find 4669 servers

“When you open Netflix and hit “play,” your computer sends a request to the video-streaming service to locate the movie you’d like to watch. The company responds with the name and location of the specific server that your device must access in order for you to view the film.”
“For the first time, researchers have taken advantage of this naming system to map the location and total number of servers across Netflix’s entire content delivery network, providing a rare glimpse into the guts of the world’s largest video-streaming service.”
“A group from Queen Mary University of London (QMUL) traced server names to identify 4,669 Netflix servers in 243 locations around the world. The majority of those servers still reside in the United States and Europe at a time when the company is eager to develop its international audience. The United States also leads the world in Netflix traffic, based on the group’s analysis of volumes handled by each server. Roughly eight times as many movies are watched there as in Mexico, which places second in Netflix traffic volume. The United Kingdom, Canada, and Brazil round out the top five.”
“In March, Netflix did publish a blog post outlining the overall structure of its content delivery network, but did not share the total number of servers or server counts for specific sites.”
“Last January, Netflix announced that it would expand its video-streaming service to 190 countries, and IHS Markit recently predicted that the number of international Netflix subscribers could be greater than U.S. subscribers in as few as two years.”
“Steve Uhlig, the networks expert at Queen Mary University of London who led the mapping project, says repeating the analysis over time could track shifts in the company’s server deployment and traffic volumes as its customer base changes.”
“Traditionally, content delivery services have chosen one strategy or the other. Akamai, for example, hosts a lot of content with Internet service providers, while Google, Amazon, and Limelight prefer to store it at IXPs. However, Uhlig’s group found that Netflix uses both strategies, and varies the structure of its network significantly from country to country.”
“Timm Böttger, a doctoral student at QMUL who is a member of the research team, says he was surprised to find two Netflix servers located within Verizon’s U.S. network. Verizon and other service providers have argued with Netflix over whether they would allow Netflix to directly connect servers to their networks for free. In 2014, Comcast required Netflix to pay for access to its own network.”
“Tellingly, the group did not find any Netflix servers in Comcast’s U.S. network. As for the mysterious Verizon servers? “We think it is quite likely that this is a trial to consider broader future deployment,” Böttger says. Netflix did not respond to a request for comment.”
“Their search revealed that Netflix’s server names are written in a similar construction: a string of numbers and letters that include traditional airport codes such as lhr001 for London Heathrow to mark the server’s location and a “counter” such as c020 to indicate the number of servers at that location. A third element written as .isp or .ix shows whether the server is located within an Internet exchange point or with an Internet service provider.”
“To study traffic volumes, the researchers relied on a specific section of the IP header that keeps a running tally of data packets that a given server has handled. By issuing multiple requests to these servers and tracking how quickly the values rose, the team estimated how much traffic each server was processing at different times of the day. They tested the servers in 1-minute intervals over a period of 10 days.”
That counter is only 32 bit, and the larger Netflix servers push 80 gigabits per second (enough to wrap a 32 bit counter every 24 seconds)
“The U.K. has more Netflix servers than any other European country, and most of those servers are deployed within Internet service providers. All French customers get their films streamed through servers stationed at a single IXP called France-IX. Eastern Europe, meanwhile, has no Netflix servers because those countries were only just added to the company’s network in January.”
The researchers expected to see a lot more servers embedded in ISPs rather than at Internet exchanges. There are two reasons why this is not so: It would require more hardware, since machines at a specific ISP cannot service a second ISP, and: many ISPs like Comcast are resisting accepting Netflix CDN boxes
“In March, the company said it delivers about 125 million total hours of viewing to customers per day. The researchers learned that Netflix traffic seems to peak just before midnight local time, with a second peak for IXP servers occurring around 8 a.m., presumably as Netflix uploads new content to its servers.”
See Netflix and Fill – BSDNow 157 for more on how Netflix runs their FreeBSD powered CDN.

Feedback:

Round Up:

The post The Shadow Knows | TechSNAP 282 first appeared on Jupiter Broadcasting.

Anita Borg Institute | WTR 56

chris — Wed, 30 Mar 2016 09:43:58 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

ABI.chicago launched Oct 2015 as a 501.3c focused to women and men that are in all interests of technology. Its goal is to reach more beginners interested in transitioning to technology. LaShon Anthony is the Community Leader of the ABI.chicago chapter.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Interview – LaShon Anthony – @visuals4u

Are you looking for the transcription? Please let us know you use it and we may bring it back!

WTR Transcription Poll

The post Anita Borg Institute | WTR 56 first appeared on Jupiter Broadcasting.

Cisco’s Perfect 10 | TechSNAP 253

chris — Thu, 11 Feb 2016 17:50:21 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Cisco has a wormable vulnerability in its Firewall appliances, crimeware that allows unlimited ATM withdrawals & the big problem with the Java installer.

Plus great questions, a rocking round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Cisco ASA IPSec vulnerability given highest possible CVSS score

Cisco has released a patch for a critical vulnerability its ASA (Adaptive Security Appliance) firewalls
“The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server. It is advertised as “the industry’s most deployed stateful firewall.” When deployed as a VPN, the device is accessible from the Internet and provides access to a company’s internal networks.”
“A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.“
“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
So the router can be owned by a single UDP packet. It could then be controlled by the attack and used to send more of those UDP packets, making this a “wormable” exploit
Affected devices include:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
Users of ASA software versions 7.x, 8.0 – 8.6, will be forced to upgrade to ASA version 9.1
The researchers had dubbed the exploit “Execute My Packet”
“The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data.”
Attempts to exploit the attack can be detected with packet inspection:
“Looking for the value of the length field of a Fragment Payload (type 132) IKEv2 or IKEv1 packet allows detecting an exploitation attempt. Any length field with a value < 8 must be considered as an attempt to exploit the vulnerability. The detection also has to deal with the fact that the multiple payloads can be chained inside an IKEv2 packet, and that the Fragment Payload may not be the only/first payload of the packet.”
Researcher Post
Additional Coverage: SANS
SANS says “We are seeing a LARGE INCREASE in port 500/UDP traffic (see and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)”

Metel crimeware allows unlimited ATM withdrawls

An APT (Advanced Persistent Threat) crimeware package has been found in the wild, being used to drain ATMs and bank accounts
This type of attack was previously the exclusive territory of Nation States
“It contains more than 30 separate modules that can be tailored to the computer it’s infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they’re made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.”
“Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees to execute malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to further burrow into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.”
“Metel illustrates the growing sophistication of hackers targeting banks. It wasn’t long ago that reconnaissance, social engineering, state-of-the-art software engineering, lateral movements through a network, and long-term persistence were largely the exclusive hallmarks of so-called advanced persistent threat actors that painstakingly hack high-profile targets, usually on behalf of government spy agencies. Hackers targeting financial institutions, by contrast, took a more opportunistic approach that infected the easiest targets and didn’t bother with more challenging ones. Now, sophisticated techniques are increasingly a part of financially motivated hacking crimes as well.”
Other groups have been found doing similar things:
“The so-called GCMAN group, which gets its name because its malware is built using the GCC compiler. Like Metel, its members gain an initial foothold into financial institutions using spearphishing e-mails and from there use widely available tools such as Putty, VNC, and Meterpreter to broaden their access. In one case, GCMAN members had access to one targeted network for 18 months before siphoning any funds. When the group finally sprang into action, it used automated scripts to slowly transfer funds—about $200 per minute—into the account of a so-called “mule,” who was designated to withdraw the money.”
“The Carbanak 2.0 malware, which in one recent case used its access to a financial institution to change ownership details of a large company. The records were modified to list a money mule as one of the shareholders. After attacking a variety of banks last year, the gang took a five-month sabbatical that caused Kaspersky researchers to think it had disbanded. In December, Kaspersky confirmed the group was active and had overhauled its malware to target new classes of victims”
“Kaspersky researchers said all three gangs appear to be active and are known to have collectively infected 29 organizations in Russia. The researchers said they suspect the number of institutions hit by the groups is much higher.”
Researcher Post
Indicators and Signatures

Java installer vulnerable to binary planting

“On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later.”
Oracle Advisory
“On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.”
“The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer’s default download folder.”
This allows an attacker to plant their own malicious binaries there, and then when the “trusted” Java installer is run with enhanced privileges, the malicious .dll gains those enhanced permissions
“To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user’s system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.”
It is not clear how Oracle’s new java downloader is improved, but it is likely not as good as it should be
Many other downloaders are also likely vulnerable, but the applications do not have the same install base as java
For less sophisticated users, the process of “clearing download history” would seem to imply that the files are removed as well, which is not the case

Feedback:

Round Up:

The post Cisco's Perfect 10 | TechSNAP 253 first appeared on Jupiter Broadcasting.

Hot Norse Potato | TechSNAP 252

chris — Thu, 04 Feb 2016 18:35:16 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A new openSSL exploit, cyber security firm Norse implodes & the Windows Hot Potato flaw that’s been around for over a decade.

Plus great questions, our answers, a rockin round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

OpenSSL Exploit

Official Advisory
The OpenSSL team announced versions 1.0.2f and 1.0.1r to fix a number of vulnerabilities
The first issue, DH small subgroups (CVE-2016-0701), is classified as “High Severity”
“Historically OpenSSL usually only ever generated DH parameters based on “safe” primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be “safe”. Where an application is using DH configured with parameters based on primes that are not “safe” then an attacker could use this fact to find a peer’s private DH exponent.”
“OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.”
“OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters”
Another issue, SSLv2 doesn’t block disabled ciphers (CVE-2015-3197), is classified as “Low Severity”
“A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2”
So if your server disabled all of the SSLv2 ciphers, but didn’t disable the SSLv2 protocol itself, SSLv2 could still be used. This is likely higher severity than it seems, since it could be used in a downgrade attack
A third issue was an update on DHE man-in-the-middle protection (Logjam)
“OpenSSL added Logjam mitigation for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits in releases 1.0.2b and 1.0.1n. This limit has been increased to 1024 bits in this release, to offer stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange.”
“As per the previous announcements support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.”

Krebs: Norse Corp. Implodes

Norse Corp is a security startup that has made a lot of headlines, many surrounding its graphical “Attack Map” of the Internet
Last month, Norse unexpectedly laid off more than 30% of its workforce
Now, Norse’s CEO, Sam Glines, has been asked to step down by the board of directors
“sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.”
“Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation.”
“Two sources at Norse said the company’s assets will be merged with networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story.
“Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.””
“A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles”
“In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.”
“Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.”
“Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen”
“This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public. Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.”
The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.” “This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet”
“In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.”
“Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.”
“In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.”
“In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.”
“In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and it’s stock price plummeted.”
“In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.”
“By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.”
“Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.”
By 2014, former employees say Norse’s systems were collecting a whopping 140 terabytes of Internet attack and traffic data per day.”
Norse’s senior data scientist says she “wasn’t actually given access to all that data until the fall of 2015 — seven months after being hired as Norse’s chief data scientist — and that when she got the chance to dig into it, she was disappointed: The information appeared to be little more than what one might glean from a Web server log — albeit millions of them around the world.”
“The data isn’t great, and it’s pretty much the same thing as if you looked at Web server logs that had automated crawlers and scanning tools hitting it constantly. But if you know how to look at it and bring in a bunch of third-party data and tools, the data is not without its merits, if not just based on the sheer size of it.”
“Landesman and other current and former Norse employees said very few people at the company were permitted to see how Norse collected its sensor data, and that Norse founder Stiansen jealously guarded access to the back-end systems that gathered the information.”
This seems to be to cover up the fact that there was no “secret sauce”, it was all smoke and mirrors
“With this latest round of layoffs, if Tommy got hit by a bus tomorrow I don’t think there would be a single person in the company left who understands how the whole thing works,” said one former employee at Norse who spoke on condition of anonymity.
“Stuart McClure, president and founder of the cybersecurity firm Cylance, said he found out just how reluctant Stiansen could be to share Norse data when he visited Stiansen and the company’s offices in Northern California in late 2014. McClure said he went there to discuss collaborating with Norse on two upcoming reports: One examining Iran’s cyber warfare capabilities, and another about exactly who was responsible for the massive Nov. 2014 cyber attack on Sony Pictures Entertainment.”
“The FBI had already attributed the attack to North Korean hackers. But McClure was intrigued after Stiansen confidentially shared that Norse had reached a vastly different conclusion than the FBI: Norse had data suggesting the attack on Sony was the work of disgruntled former employees.”
“McClure said he recalls listening to Stiansen ramble on for hours about Norse’s suspicions and simultaneously dodging direct questions about how it had reached the conclusion that the Sony attack was an inside job.”
“I just kept going back to them and said, ‘Tommy, show me the data.’ We wanted to work with them, but when they couldn’t or wouldn’t produce any data or facts to substantiate their work, we couldn’t proceed.”
“Conversely, Norse’s take on Iran’s cyber prowess (PDF) was trounced by critics as a deeply biased, headline-grabbing report. It came near the height of international negotiations over lifting nuclear sanctions against Iran, and Norse had teamed up with the American Enterprise Institute, a conservative think tank that has traditionally taken a hard line against threats or potential threats to the United States.”
“In its report, Norse said it saw a half-million attacks on industrial control systems by Iran in the previous 24 months — a 115 percent increase in attacks. But in a scathing analysis of Norse’s findings, critical infrastructure security expert Robert M. Lee said Norse’s claim of industrial control systems being attacked and implying it was definitively the Iranian government was disingenuous at best. Lee said he obtained an advanced copy of an earlier version of the report that was shared with unclassified government and private industry channels, and that the data in the report simply did not support its conclusions.”
“KrebsOnSecurity interviewed almost a dozen current and former employees at Norse, as well as several outside investors who said they considered buying the firm. None but Landesman would speak on the record. Most said Norse’s data — the core of its offering — was solid, if prematurely marketed as a way to help banks and others detect and deflect cyber attacks.”
The problem seems to be that the top executives of the company we more interested in getting investments based on the “Attack Map” and their marketing, than actually building the product
“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data. If you think about the network they built, that’s a lot of power.”
After being fired, some former employees started doing some deeper digging
“I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”
“These shell companies formed by [the company’s founders] bilked investors,” Landesman said. “Had anyone gone and investigated any of these partnerships they were espousing as being the next big thing, they would have realized this was all smoke and mirrors.”

Windows Privilege Escalation — Hot Potato

Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
If this sounds vaguely familiar, it’s because a similar technique was disclosed by the guys at Google Project Zero – https://code.google.com/p/google-security-research/issues/detail?id=222 . In fact, some of our code was shamelessly borrowed from their PoC and expanded upon.
Using this technique, they can elevate their privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network.
This is perfect for the island hopping technique we frequently talk about on TechSNAP.
The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches.
Part One: Local NBNS Spoofer
If we can know ahead of time which hostname a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a fake response and flood the target host with NBNS responses very quickly (since it is a UDP protocol).
One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response, and we are unable to see the request. We can overcome this by flooding quickly and iterating over all 65536 possible values.
What if the network we are targeting has a DNS record for the host we want to spoof?
We can use a technique called UDP port exhaustion to force ALL DNS lookups on the system to fail. All we do is bind to EVERY single UDP port. This causes DNS to fail because there will be no available UDP source port for the request. When DNS fails, NBNS will be the fallback.
Part Two: Fake WPAD Proxy Server
In Windows, Internet Explorer by default will automatically try to detect network proxy setting configuration.
This also surprisingly applies to some Windows services such as Windows Update, but exactly how and under what conditions seems to be version dependent.
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1, configured with a response at the URL IE will be checking.
This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.

Part Three: HTTP -> SMB NTLM Relay

NTLM relay is a well known, but often misunderstood attack against Windows NTLM authentication. The NTLM protocol is vulnerable to man-in-the-middle attacks. If an attacker can trick a user into trying to authenticate using NTLM to his machine, he can relay that authentication attempt to another machine!
Microsoft patched this by disallowing same-protocol NTLM authentication using a challenge that is already in flight. What this means is that SMB->SMB NTLM relay from one host back to itself will no longer work. However cross-protocol attacks such as HTTP->SMB will still work with no issue!
With all HTTP traffic now presumably flowing through an HTTP server that we control, we can do things like redirect them somewhere that will request NTLM authentication.
In the Potato exploit, all HTTP requests are redirected with a 302 redirect to “https://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “https://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
Any NTLM credentials are then relayed to the local SMB listener to create a new system service that runs a user-defined command.
When the HTTP request in question originates from a high privilege account, for example, when it is a request from the Windows Update service, this command will run with “NT AUTHORITY\SYSTEM” privilege!
Windows 7 can be fairly reliably exploited through the Windows Defender update mechanism.
Wince Windows Server doesn’t come with Defender, we need an alternate method. Instead we’ll simply check for Windows updates.
In the newest versions of Windows, it appears that Windows Update may no longer respect the proxy settings set in “Internet Options”, or check for WPAD. Instead proxy settings for Windows Update are controlled using “netsh winhttp proxy…”
Instead for these versions, we rely on a newer feature of Windows, the “automatic updater of untrusted certificates”
It’s unclear whether this attack would work when SMB signing is enabled. The exploit as released currently does not, but this may just be due to lack of SMB signing support in the CIFS library they’re using.

Feedback:

Round Up:

The post Hot Norse Potato | TechSNAP 252 first appeared on Jupiter Broadcasting.

Internet of Threats | TechSNAP 249

chris — Thu, 14 Jan 2016 16:58:33 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A Critical OpenSSH flaw can expose your private keys, a new WiFi spec for IoT devices, that has all the classic issues & Intel’s SkyLake bug.

Plus your feedback, our answers, a rockin’ round up & so much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Critical OpenSSH flaw can expose your private keys and other client memory

Two major issues have been identified in OpenSSH
CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
Vendor contributed code for a feature called Roaming, was added in OpenSSH 5.4, that allowed broken SSH sessions to be resumed. The server side code for this was never activated, only the commercial SSH server supported it.
However, the Roaming feature is on by default, and due to a but a malicious server can exploit the bug to read memory from the client when it tries to connect to the server
This includes the ability to steal your SSH private keys
“The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
Because OpenSSH checks the host key of the remote server, if you are connecting to trusted servers, there is no risk
You can disable the feature by adding the following line to your /etc/ssh/ssh_config: UseRoaming no
The feature can also be disabled on a per-user basis using: ~/.ssh/config
The patch just disabled this feature by default
CVE-2016-0778
A buffer overflow (leading to file descriptor leak), can also be exploited by a rogue SSH server, but due to another bug in the code is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.
Both of these vulnerabilities are fixed in OpenSSH 7.1p2
It is not clear if the roaming support will be removed entirely
Researcher Post

Bug in Intel Skylake CPUs means complex workloads can hang the machine

Intel has confirmed that its Skylake processors suffer from a bug that can cause a system to freeze when performing complex workloads.
The bug was reportedly discovered and tested by the the community at hardwareluxx.de and passed onto GIMPS (Great Internet Mersenne Prime Search), which conducted further testing. Both groups passed their findings onto Intel.
Intel states:

“Intel has identified an issue that potentially affects the 6th Gen Intel Core family of products. This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour.”

Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update.
No reason has been given as to why the bug occurs, but it’s confirmed to affect both Linux and Windows-based systems.
While the bug was discovered using Prime95, it could affect other industries that rely on complex computational workloads, such as scientific and financial institutions.
Recently, Intel’s Haswell and early Broadwell processors suffered from a TSX (Transactional Synchronization Extensions) bug. Rather than recall the parts, Intel disabled the TSX instructions via a microcode update delivered via new motherboard firmware.
Additional Coverage

New WiFi spec for IoT devices, WiFi HaLow likely has all the classic issues

“The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.”
There is also talk of using it for wearables, I suppose as a replacement for bluetooth
“Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
“But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol. Device manufacturers all implement things in their own way and in their own time, a practice that has led to untold security vulnerabilities and innumerable billable hours for security consultants. Security experts don’t expect Wi-Fi HaLow to be the exception.”
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments
Who could possibly be worse at implementing security, than the vendors and government contractors that would be used for a “smart city”
“Many of the devices that may use the new protocol–which isn’t due for release for a couple of years–are being manufactured by companies that aren’t necessarily accustomed to thinking about threat modeling, potential attacks, and other issues that computer hardware and software makers have had to face for decades. That could lead to simple implementation problems that attackers can take advantage of.”
This seems to call for a nice clean BSD licensed implementation, although even then, everyone using the same implementation could be just as risky
Plus, as we have seen, most vendors will ship an old insecure version, rather than the latest, and won’t update the implementation as they iterate their product
The extended range of HaLow also means that attackers can come from much further away, making it harder to physically protect devices
“Each new iteration in technology brings with it fresh security and privacy considerations, and the proliferation of connected non-computing devices is no different. The concept of a voice-enabled hub that controls your home’s climate, entertainment, and other systems is now a reality, as is the ability to send an email from your refrigerator. That’s all well and good, until these smart devices start doing really dumb things.”

Feedback:

Round Up:

The post Internet of Threats | TechSNAP 249 first appeared on Jupiter Broadcasting.

Finding Nakamoto | TechSNAP 244

chris — Thu, 10 Dec 2015 19:56:35 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Bitcoin’s creator has been found again, we’ll cover what the media thinks they’ve figured out & what we really know.

Then, ‘In Patches We Trust: Why Security Updates have to get better’, a great batch of questions, a huge round up & much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

WIRED thinks they found Bitcoin’s Creator Satoshi Nakamoto

Since that pseudonymous figure first released bitcoin’s code on January 9th, 2009, Nakamoto’s ingenious digital currency has grown from a nerd novelty to a kind of economic miracle. As it’s been adopted for everything from international money transfers to online narcotrafficking, the total value of all bitcoins has grown to nearly $5 billion.
Nakamoto himself, whoever he is, appears to control a stash of bitcoins easily worth a nine-figure fortune (it rose to more than a billion at the cryptocurrency’s peak exchange rate in 2014).
In the last weeks, WIRED has obtained the strongest evidence yet of Satoshi Nakamoto’s true identity. The signs point to Craig Steven Wright.
Gizmodo thinks it was actually two people
A monthlong Gizmodo investigation has uncovered compelling and perplexing new evidence in the search for Satoshi Nakamoto, the pseudonymous creator of Bitcoin.
According to a cache of documents provided to Gizmodo which were corroborated in interviews, Craig Steven Wright, an Australian businessman based in Sydney, and Dave Kleiman, an American computer forensics expert who died in 2013, were involved in the development of the digital currency.
Wired’s “Evidence”
An August 2008 post on Wright’s blog, months before the November 2008 introduction of the bitcoin whitepaper on a cryptography mailing list. It mentions his intention to release a “cryptocurrency paper,” and references “triple entry accounting,” the title of a 2005 paper by financial cryptographer Ian Grigg that outlines several bitcoin-like ideas.
A post on the same blog from November, 2008 includes a request that readers who want to get in touch encrypt their messages to him using a PGP public key apparently linked to Satoshi Nakamoto. This key, when checked against the database of the MIT server where it was stored, is associated with the email address satoshin@vistomail.com, an email address very similar to the satoshi@vistomail.com address Nakamoto used to send the whitepaper introducing bitcoin to a cryptography mailing list.
An archived copy of a now-deleted blog post from Wright dated January 10, 2009, which reads: “The Beta of Bitcoin is live tomorrow. This is decentralized… We try until it works.” (The post was dated January 10, 2009, a day after Bitcoin’s official launch on January 9th of that year. But if Wright, living in Eastern Australia, posted it after midnight his time on the night of the 9th, that would have still been before bitcoin’s launch at 3pm EST on the 9th.) That post was later replaced with the rather cryptic text “Bitcoin — AKA bloody nosey you be…It does always surprise me how at times the best place to hide [is] right in the open.” Sometime after October of this year, it was deleted entirely.
In addition to those three blog posts, they received a cache of leaked emails, transcripts, and accounting forms that corroborate the link.
Another clue as to Wright’s bitcoin fortune wasn’t leaked to WIRED but instead remains hosted on the website of the corporate advisory firm McGrathNicol: a liquidation report on one of several companies Wright founded known as Hotwire, an attempt to create a bitcoin-based bank. It shows that the startup was backed in June 2013 by $23 million in bitcoins owned by Wright. That sum would be worth more than $60 million today.
Reported bitcoin ‘founder’ Craig Wright’s home raided by Australian police
On Wednesday afternoon, police gained entry to a home belonging to Craig Wright, who had hours earlier been identified in investigations by Gizmodo and Wired,
People who say they knew Wright have expressed strong doubts about his alleged role, with some saying privately they believe the publications have been the victims of an elaborate hoax.
More than 10 police personnel arrived at the house in the Sydney suburb of Gordon at about 1.30pm. Two police staff wearing white gloves could be seen from the street searching the cupboards and surfaces of the garage. At least three more were seen from the front door.
The Australian Federal police said in a statement that the raids were not related to the bitcoin claims. “The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney. This matter is unrelated to recent media reporting regarding the digital currency bitcoin.”
The documents published by Gizmodo appear to show records of an interview with the Australian Tax Office surrounding his tax affairs in which his bitcoin holdings are discussed at length.
During the interview, the person the transcript names as Wright says: “I did my best to try and hide the fact that I’ve been running bitcoin since 2009 but I think it’s getting – most – most – by the end of this half the world is going to bloody know.”
Guardian Australia has been unable to independently verify the authenticity of the transcripts published by Gizmodo, or whether the transcript is an accurate reflection of the audio if the interview took place. It is also not clear whether the phrase “running” refers merely to the process of mining bitcoin using a computer.
The purported admission in the transcript does not state that Wright is a founder of the currency, but other emails that Gizmodo claim are from Wright suggest further involvement he may have had in the development of bitcoin.
The emails published by Gizmodo cannot been verified. Comment has been sought from Sinodinos on whether he was contacted by Wright – or his lawyer – in relation to bitcoin and its regulatory and taxation status in Australia.
A third email published by Gizmodo from 2008 attributes to Wright a comment where he said: “I have been working on a new form of electronic money. Bit cash, bit coin …”
WikiLeaks on Twitter: “We assess that Craig S Wright is unlikely to be the principal coder behind Bitcoin.” https://t.co/nRnftKPjm9”
Additional Coverage: Freedom Hacker

In Patches We Trust: Why Security Updates have to get better

“How long do you put off restarting your computer, phone, or tablet for the sake of a security update or software patch? All too often, it’s far too long”
Why do we delay?
I am in the middle of something
The update might break something
I can’t waste a bunch of time dealing with fixing it if it doesn’t work
I hate it when they move buttons around on me
Installing the update makes the device unusable for 20+ minutes
“Patches are good for you. According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented by applying a security patch”
“The problem is that far too many have experienced a case when a patch has gone disastrously wrong. That’s not just a problem for the device owner short term, but it’s a lasting trust issue with software giants and device makers.”
We have all seen examples of bad patches
“Apple’s iOS 8.0.1 update was meant to fix initial problems with Apple’s new eight generation mobile operating system, but killed cell service on affected phones — leaving millions stranded until a fix was issued a day later. Google had to patch the so-called Stagefright flaw, which affected every Android device, for a second time after the first fix failed to do the job. Meanwhile, Microsoft has seen more patch recalls in the past two years than in the past decade.”
“Microsoft, for example, issued 135 security bulletins this year alone with thousands of separate vulnerabilities patched. All it takes is one or two patches to fail or break something — which has happened — to account for a 1 percent failure rate.”
Users get “update fatigue”, If every time they go to use the computer, there is a new update for one or more of: Java, Flash, Chrome, Skype, Windows, etc.
Worse, many drivers and other programs now add their own utilities, “update managers” and so on. Lenovo and Dell have both recently had to patch their “update managers” because they actually make your system more vulnerable
Having a slew of different programs constantly nagging the user about updating just causes the user to stop updating everything, or to put the updates off for longer and longer
“At the heart of any software update is a trust relationship between the user and the company. When things go wrong, it can affect thousands or millions of users. Just ignoring the issue and pulling patches can undermine a user’s trust, which can damage the future patching process.”
“Customers don’t always expect vendors to be 100 percent perfect 100 percent of the time, or at least they shouldn’t,” said Childs. “However, if vendors are upfront and honest about the situation and provide actionable guidance, it goes a long way to reestablishing the trust that has been lost over the years.”

New APT group identified, known as Sofacy, or Fancy Bear

“Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.”
“Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.”
“In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.
While the JHUHUGIT (and more recently, “JKEYSKW”) implant used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZYTrojan.”
This shows how APT attackers constantly evolve, and reserve their best exploits for use against high profile targets, using lesser quality exploits on lesser targets, to avoid the better exploits being discovered and mitigated
“The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors.”
“Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor. This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.”
“This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll””
The attackers have multiple levels of malware, and can cycle through them until something works, then use that to drop a payload that matches the quality of the target they are attacking
“In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well. The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015.”
“This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.”
“Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day. At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.”
Lateral movement is a more generic term for Island Hopping, moving around inside the network once you get through the outer defenses
“Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”
“As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.”

Feedback:

Round Up:

The post Finding Nakamoto | TechSNAP 244 first appeared on Jupiter Broadcasting.

SpyFi Barbie | TechSNAP 243

chris — Thu, 03 Dec 2015 18:46:14 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The US Government is offering free penetration tests, with a catch, we break down the VTech Breakin & the only sure way to protect your credit online.

Plus great questions, a big round up with breaking news & much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

TechSNAP SWAG for the Holidays

— Show Notes: —

Department of Homeland Security giving “critical infrastructure” firms free penetration tests

“The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).”
It seems like big banks and oil companies could afford to pay for such services, but, at least the penetration tests are happening
“KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.”
“DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.”
“The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.”
“The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.”
“The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws. DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).”
Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans)
More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent)
RVA phishing emails resulted in a click rate of 25 percent.
46% of RVAs resulted in an EASILY GUESSABLE CREDENTIALS finding
“I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation come from the energy and financial services industries — with the latter typically at regional or smaller institutions such as credit unions”
Asking the penetration testing industry what it thought about the DHS offering a free service, Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product said: “DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies”
“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability”
“Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations”
But what about previously unknown vulnerabilities found by DHS examiners? “This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.
Alan Paller, director of research at the SANS Institute sees a potential problem
“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”
I can definitely see this being used as an excuse to spend LESS on network security

Break at VTech (toy manufacturer) exposes pictures and chatlogs of millions of children and parents

“The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids”
“What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard”
“This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online, which allows users to check if their emails and passwords have been compromised in any publicly known hack”
“The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment”
VTech told Motherboard: “We were not aware of this unauthorized access until you alerted us”
“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database”
“On Friday, I asked the hacker what the plan was for the data, and they simply answered, “nothing.” The hacker claims to have shared the data only with Motherboard, though it could have easily been sold online.”
“When pressed, VTech did not provide any details on the attack. But the hacker, who requested anonymity, told Motherboard that they gained access to the company’s database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website’s forms, tricking it into returning other data”
Related: Motherboard: The histroy of SQL injection, the hack that will never go away
“The passwords were not stored in plaintext, but “hashed” or protected with an algorithm known as MD5, which is considered trivial to break”
It is not clear if they mean plain MD5 or md5crypt (the former being REALLY bad)
“Moreover, secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account”
Also, “VTech doesn’t use SSL web encryption anywhere, and transmits data such as passwords completely unprotected”, so breaching the database might not even be strictly necessary to gain access to the information
Additional Coverage: Motherboard followup
Additional Coverage: ZDNet
Additional Coverage: TheRegister
Related: Researcher claims to have hacked “Hello Barbie” toys

Why putting a preemptive freeze on your credit profile is better than credit monitoring

“Krebs has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.”
“Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.”
“But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.”
“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”
“Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”
Related: Krebs: FAQ on Credit File Freezes
Additional Coverage: Krebs: OPM Credit Monitoring vs Freeze
One of the things that stops working once you put a security freeze on your credit file, is credit monitoring
A Krebs reader wrote in: “I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”
“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”
“Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file after you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.”
Lifting a freeze to enable credit monitoring is like….
- installing flash to watch a flash video about the evils of flash
- leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors
- taking your gun off safety to check and see if it’s loaded
Additional Coverage: Credit monitoring used to secretly track ex-wife’s financial moves
“Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.”

Feedback:

Round Up:

The post SpyFi Barbie | TechSNAP 243 first appeared on Jupiter Broadcasting.

Openly Acquired | TTT 190

chris — Tue, 30 Jun 2015 10:32:35 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Cisco announces plans to buy OpenDNS, the European Government agrees on Net Neutrality rules, Microsoft selling Bing imaging to Uber & display ads to AOL, PayPal kills it’s terrible robocalling policy & more!

Direct Download:

RSS Feeds:

Become a supporter on Patreon

Show Notes:

— Episode Links —

The post Openly Acquired | TTT 190 first appeared on Jupiter Broadcasting.

SIPing on some Linux | LAS 371

chris — Sun, 28 Jun 2015 16:34:42 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Find out about the best software and hardware to make and take amazingly good sounding calls. From the best open source solutions, to turnkey solutions today’s episode has something from the beginner to the expert.

Plus Google removes “always listening” code from Chromium, The Linux Foundation invests some serious cash, why Red Hat’s CEO thinks Linux has “won” the datacenter & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Calling for Free with SIP and Linux

Brought to you by: O’REILLY OSCON

The PARTNER® Advanced Communications System processor module supports five incoming lines and nine extensions with a maximum configuration of 21 lines and 44 extensions, or 31 lines and eight extensions. The processor module can operate on its own or can be used with a 2- or 5-slot carrier and additional expansion modules. Expansion modules can be used to add lines and extensions to the system, or additional capabilities such as voice messaging and fractional T1 support.

Asterisk IP based PBX

Asterisk turns an ordinary computer into a communications server. Asterisk powers IP PBX systems, VoIP gateways, conference servers and is used by small businesses, large businesses, call centers, carriers and governments worldwide.

Cisco SPA303

The Cisco SPA 303 can be used with such productivity-enhancing features as VoiceView Express and Cisco XML applications when used with the Cisco Unified Communications 500 Series in SPCP mode. Cisco VoiceView Express allows users to interact with their Cisco Unity Express voicemail box using the phone’s LCD and soft keys. This makes it much easier to manage personal mailbox options and notifications as well as send, listen to, record, and manage voicemail messages. Managing voice calls and communications more quickly and effectively makes employees more productive and frees up time to strengthen customer relationships.

For doing SIP on a real budget take a look at the Nortel 6812. They are available on Ebay for as low as $15.00. You can even buy them in sets if you need to do an entire office building.

CSip

CSip is a basic SIP client for Android, but with enough features to make is usable for business.

GetOnSip

Integrate SIP-based voice and video into your applications for powerful HD communications on any device with our developer services. Best of all, it’s all built on a robust, industry-leading SIP platform that handles all the scaling for you

RingCentral

RingCentral delivers the high quality, reliability, and value expected by enterprise
businesses with RingCentral Office—an all-inclusive cloud phone system featuring
HD video meetings, unified voice, fax, text, and audio conferencing. Plans & Pricing

— PICKS —

Runs Linux

Tiny Mikrotik Router Runs Linux

The MikroTik mAP 2n is a tiny, featureful WiFi router.

Video Review of Micro Router

Desktop App Pick

Ring

Ring (formerly SFLphone) is an open-source SIP/IAX2 compatible softphone for Linux. Ring is free software released under the GNU General Public License. Packages are available for all major distributions including Debian, openSUSE, Fedora, Mandriva and the latest Ubuntu releases.

Ring is one of the few softphones under Linux to support PulseAudio out of the box. The Ubuntu documentation recommends it for enterprise use because of features like conferencing and attended call transfer. It has been named by CIO magazine among the 5 open source VoIP softphones to watch.

Weekly Spotlight

Librem 13″ Laptop Announced

Introducing the Librem 13 by Purism, a 13.3” laptop computer, built chip-by-chip to respect and protect your privacy, security, and freedom. Right now you are vulnerable to adversaries stealing your personal data for their gain. Thieves stealing your identity, credit cards, and banking logins, scammers taking over your email, criminals watching you through your web cam, marketers profiling your personal data from websites, and, ISPs wholesale gathering of all your insecure communication. You can stop them all.

— NEWS —

Google removes “always listening” code from Chromium

The code in question will no longer be included, starting with Chromium build r335874. Prior builds automatically downloaded an extension that could tap a microphone for the purpose of hearing voice commands.

On the surface that doesn’t sound nefarious when you consider that Google’s Chrome browser — which includes proprietary Google code — has had a similar function for months.

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

Docker, CoreOS, Google, Microsoft, Amazon And Others Come Together To Develop Common Container Standard

Docker, CoreOS, Google, Microsoft and Amazon are now working on a new standard for software containers with the help of the Linux Foundation. Other members of this coalition include Apcera, Cisco, EMC, Fujitsu Limited, Goldman Sachs, HP, Huawei, IBM, Intel, Joyent, Mesosphere, Pivotal, Rancher Labs, Red Hat and VMware — that is, virtually everybody who has a stake in building a thriving container ecosystem.

The Open Container Project (OCP), which will be housed under the Linux Foundation.

Linux Foundation Invests $452,000 in Open-Source Security Projects

Red Hat: ‘Linux Has Won The Data Center’

“Linux has won in the data center — [it is] one of two in the data center. Think about that,” Cormier said to an applauding crowd.

Video

The Linux Foundation’s Core Infrastructure Initiative (CII) today announced that it is investing $452,000 in new grants for three open-source projects, as part of CII’s continuing mission to improve open-source code security.

Feedback:

https://slexy.org/view/s2q1ulkezF
https://slexy.org/view/s2BOanhCE2
https://slexy.org/view/s2CKJX835s
Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

The post SIPing on some Linux | LAS 371 first appeared on Jupiter Broadcasting.

Two Factor Falsification | TechSNAP 206

chris — Thu, 19 Mar 2015 18:47:44 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

The way TLS certificates are issued currently is not always foolproof
In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
The problem comes when webmail services, like hotmail, allow these usernames to be registered
That is exactly what happened with Microsoft’s live.be and live.fi
A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
It took Microsoft four to six weeks to solve the problem
Additional Coverage – Ars Technica
When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
“After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

Authy is a popular reusable 2 factor authentication API
It allows 3rd party sites to easily implement 2 factor authentication
Maybe a little too easily
When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
This API call is the one used to actually send the code to the user
This call sends another token to the user and returns success
The 3rd party application sees the ‘success’ part, and allows the user access
It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
Also, the middleware should probably not unescape and parse the user input

Hijacking a domain

An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
A combination of social engineering, publically available information, and a photoshopped government ID, allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
This could allow:
an attacker to inject malware into your site
redirect your email, capturing password reset emails from other services
redirect traffic from your website to their own
issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attackers on your visitors with a valid SSL certificate
Some of the social engineering steps:
- Create a fake Social Media profile in the name of the victim (with the fake picture of them)
- Create a gmail address in the name of the victim
- Call and use myriad plausible excuses why you do not have the required information:
- please provide your pin #? I don’t remember setting up a pin number
- my assistant registered the domain for me, so I don’t have access to the email address used
- my assistant used the credit card ending in: 4 made up numbers
- create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
- GoDaddy requires additional verification is the domain is registered to a business, however, since many people make up a business name when they register a domain, it is very common for these business to not actually exist, and there are loopholes
- Often, you can create a letter on a fake letterhead, and it will be acceptable
In the end, Customer Support reps are there to help the customer, it is usually rather difficult for them to get away with refusing to help the customer because they lack the required details, or seem suspicious
GoDaddy’s automated system sends notifications when changes are made, however in this case it is often too later, the attacker has already compromised your account
GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal

Feedback:

Round Up:

The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.

Erin Clark | WTR 6

chris — Wed, 24 Dec 2014 00:26:32 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Erin Clark works at iXsystems as a system administrator and discusses the various technology and hardware background that is needed to be in that position.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

iXsystems
FreeNAS

The post Erin Clark | WTR 6 first appeared on Jupiter Broadcasting.

The Rally Around Microsoft | Tech Talk Today 107

chris — Wed, 17 Dec 2014 11:24:51 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Big names in tech jump behind Microsoft’s fight with the US Goverment over data search in Ireland, some of your favorite apps see some nice and maybe not so nice updates…

And we review the NoPhone!

Direct Download:

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Microsoft Gets Industry Support Against US Search Of Data In Ireland

Tech giants such as Apple and eBay have given their support in Microsoft’s legal battle against the U.S. government regarding the handing over of data stored in an Irish datacenter. In connection with a 2014 drugs investigation, U.S. prosecutors issued a warrant for emails stored by Microsoft in Ireland. The firm refused to hand over the information, but in July was ordered by a judge to comply with the investigation. Microsoft has today filed a collection of letters from industry supporters, such as Apple, eBay, Cisco, Amazon, HP, and Verizon. Trade associations including the U.S. Chamber of Commerce and Digital Rights Ireland have also expressed their support.

Canonical’s Stripped-Down “Snappy” Ubuntu Comes To Google’s Compute Engine | TechCrunch

A week ago, Canonical released the first alpha version of its new minimalist “Snappy” edition of Ubuntu Core for container farms. To the surprise of many, the launch partner for Snappy was Microsoft’s Azure cloud computing platform. Starting today, however, you will also be able to use this version of Ubuntu on Google’s Compute Engine.

Facebook Starts Auto-Enhancing Photos Because Algorithms Are Better At Filters Than You

Facebook will now auto-enhance newly uploaded photos starting today on iOS and soon on Android. You’ll be able to adjust a slider to control just how enhanced you want the light, shadow, and clarity, or revert back to your original shot.

Instagram Updated with New Filters and Design

Just when you thought you had enough filters, Instagram goes and adds more along with an updated design and a whole slew of other new and improved features.

Today the make-your-photos-look-better-than-they-are app for iOS and Android was updated with five new filters (Aden, Slumber, Crema, Ludwig and Perpetua), a new look for the filters area of the app, the ability to customize your filters tray, real-time commenting and support for uploading slow-motion video.

Instagram says the new filters take advantage of the higher quality images created by today’s smartphones while the original filters were there to help enhance the relatively low-quality images produced by those phones back when Instagram launched. These new filters soften and add a subtle color shift to photographs.

Two other new features round out today’s update: The ability to upload slow-motion videos is now supported. Plus, photo comments now update in real time. No need to refresh to see new updates.

The NoPhone Review

Introducing the NoPhone, a technology-free alternative to constant hand-to-phone contact.

Features

Battery free
No upgrades necessary
Shatterproof
Waterproof

Frequently Asked Questions

Does it have a camera?
No.

Is it Bluetooth compatible?
No.

Does it make calls?
No.

Is it toilet bowl resistant?
Yes.

The post The Rally Around Microsoft | Tech Talk Today 107 first appeared on Jupiter Broadcasting.

Bait and Phish | TechSNAP 181

chris — Thu, 25 Sep 2014 11:21:20 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We’ll tell you about a major German hack that lasted 12 years, and struck over 300 business. Plus researchers discover a nasty Android bug that impacts over 70% of users.

Then it’s a great big batch of your networking questions, our answers & much much more!

Thanks to:

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Operation Harkonnen, a 12 year long intrusion to over 300 businesses

“From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrating them to the organizations who ordered the attack”
“Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
“The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
Specifically, it is quite easy to establish a new company in England
It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
“The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.“
Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

Android versions before 4.4 (75% of all current Android phones) are vulnerable
CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog.
By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
The attacker could scrape your e-mail data and see what your browser sees.
Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome.
The core parts of Android Browser were still used to power embedded Web view controls within applications, this changed in Android 4.4, when it switched to a Chromium-based browser engine.
Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

Feedback:

Round Up:

The post Bait and Phish | TechSNAP 181 first appeared on Jupiter Broadcasting.

LinuxCon 2014 Unplugged | LINUX Unplugged 55

chris — Tue, 26 Aug 2014 18:10:58 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We’ve got exclusive interviews from LinuxCon 2014, learn about Linux in big networking, what the future holds for SUSE & much more.

Feeling a bit down? Maybe it’s because Linux users are being told to shut up about Desktop Linux & move on. We’ll discuss why this an absurdly short sighted idea.

Thanks to:

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Pre-Show:

Choose your side on the Linux divide

FU:

LinuxCon 2014

LinuxCon North America | Linux Conferences and Linux Events | The Linux Foundation

Is Desktop Linux Dead? Everyone seems to think so.

Can we please stop talking about the Linux desktop? – TechRepublic

Runs Linux from the people:

Send in a pic/video of your runs Linux.
Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Tech Talk Today Today | Jupiter Broadcasting

Support Jupiter Broadcasting on Patreon

The post LinuxCon 2014 Unplugged | LINUX Unplugged 55 first appeared on Jupiter Broadcasting.

Heartbleed Hospital | TechSNAP 176

chris — Thu, 21 Aug 2014 17:43:06 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

You won’t believe how terrifying simple it is to control traffic lights and cameras, Cisco gets the boot and the hospital hack enabled by Heartbleed, plus a great batch of your emails, our answers and much, more!

Thanks to:

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Researchers find startling lack of security in traffic management systems

Researchers started investigating the traffic management system (that controls the traffic lights at intersections) in an unnamed city in Michigan
They found that the system uses IP traffic transmitted over two different wireless protocols, a 5.8ghz line-of-sight protocol (turns out to be very similar to 802.11n) and an over-the-horizon 900mhz protocol
Traffic over the wireless links is unencrypted, and has no authentication
While it would have been possible to reverse engineer the custom wireless protocols, to save time the researchers managed to get ahold of one of the radios used by the system instead
They found that the management system uses VxWorks 5.5, a proprietary RTOS for embedded devices from the 90s
VxWorks is usually built from source so it can be customized. The vendor, as many do, left the debugging options enabled, this includes an open TCP port that can be used to read and write memory locations, kill running tasks, restart the OS and more
By using this debugging feature, and capturing network traffic, the researchers were able to reverse engineer the protocol that the controller used to communicate with the traffic signals
Each command is essentially the same with only the last bit or two being different
There is no encryption, so anyone can see the commands being sent
There is no authentication, so the devices will accept commands from anyone, not just the controller
There are no firewalls, so a malactor on the network can completely take over
An attacker can trip the failsafe mode, where the traffic lights revert to flashing red in every direction and have to be physically reset by a technician
An attacker could before a type of denial of service attack, by tripping the traffic lights into this mode at random, and faster than crews could repair the lights
The biggest problem is the 5.8ghz network, since most all laptops and mobile devices have a radio capable of communicating on that band built in. Someone will undoubtedly take the time to reverse engineer the radio protocol and gain access to the network
Both the 5.8ghz network (WPA2) and the 900mhz network (WEP or WPA) support encryption, but it is not used
The traffic management system supports username and password authentication, but the default credentials are used
The paper was presented at USENIX: WOOT (Workshop on Offensive Technologies)
PDF: Green Lights Forever: Analyzing the Security of Traffic Infrastructure
The researchers point out an alarming quote they got from the vendor that sells the traffic management system: The vendor “has followed the accepted industry standard and it is that standard which does not include security.”

Secret Language, or Unlikely Bug?

“Imagine discovering a secret language spoken only online by a knowledgeable and learned few”
A researcher who wishes to be identified only as “Kraeh3n” was proofreading a document for a colleague
The opening part of the document had standard lorem ipsum filler text
Then the document was pasted into Google Translate, it was auto-detected as latin, and the translation to english was startling, key words included China, NATO, Internet, Business and “the Company” (a euphemism for the CIA)
Kraeh3n immediately shared the revelation with Michael Shoukry, a researcher as FireEye
This was later shared with Lance James, head of Cyber Intelligence at Deloitte, who then shared it with Brian Krebs
Brian’s blog contains a number of screenshots showing different translations
While Google Translate uses machine learning, and could be tricked by brute force into creating false translations like this, the fact that capitalization affects the translation suggests something more may be at work here
Brian Krebs then started adding other latin words, specifically from a work by Cicero that spawned Lorem Ipsum in the first place
Now he had “Russia may be suffering” and “The main focus of China”
“Translate [is] designed to be able to evolve and to learn from crowd-sourced input to reflect adaptations in language use over time,” Kraeh3n said. “Someone out there learned to game that ability and use an obscure piece of text no one in their right mind would ever type in to create totally random alternate meanings that could, potentially, be used to transmit messages covertly.”
However, not all of it makes that much sense, none of the translations constructed full sentences
Sadly, around midnight on August 16th, Google Translate abruptly stopped translating the word “lorem” into anything.
Google Translate still produces amusing and peculiar results when translating Latin to English in general.
“A spokesman for Google said the change was made to fix a bug with the Translate algorithm (aligning ‘lorem ipsum’ Latin boilerplate with unrelated English text) rather than a security vulnerability”
Inside Google Translate
It is also possible that all of these keywords just came from recent news articles Google had been translating, as much of the current news is about China and the Internet, and Russia and NATO

Computers of Nuclear Regulatory Commission hacked 3 times in 3 years

According to an inspector general report, two different foreign nationals, and one unidentified individual, have compromised the computer systems of the NRC over the course of last 3 years
One of the attacks was a phishing attempt, sent from a compromised computer inside the NRC to 215 NRC employees asking them to verify their username and password
A dozen NRC employees fell for the scam, and delivered their login credentials to a google spreadsheet
The IG’s office was able to track the google account and found out it belonged to a foreigner
In another spear phishing attack, emails were sent from outside to specific employees linking them to malware hosted on Microsoft skydrive, that would take over their machine
“In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee’s contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment”
Despite the sensationalism of the headline, it does not appear that any type of APT (Advanced Persistent Threat) was detected, but these techniques are how an attacker gets a foothold in the network to set up such an attack
Infographic: 70% of the worlds critical utilities have been breached

Feedback:

Round-Up:

The post Heartbleed Hospital | TechSNAP 176 first appeared on Jupiter Broadcasting.