DigiNotar – Jupiter Broadcasting (https://www.jupiterbroadcasting.com)

2089 Days Uptime | TechSNAP 300
https://original.jupiterbroadcasting.net/106026/2089-days-uptime-techsnap-300/
Thu, 05 Jan 2017 21:09:39 +0000

The post 2089 Days Uptime | TechSNAP 300 first appeared on Jupiter Broadcasting.


Show Notes:

How the hack of DigiNotar changed the infrastructure of the Internet forever

  • Think back to TechSNAP Episode 22: https://original.jupiterbroadcasting.net/11948/rooted-trust-techsnap-22/
  • “On Saturday, Aug. 27, 2011, an Iranian man who went by the online alias alibo tried to check his email—only to find he couldn’t connect to Gmail. Yet the problem disappeared when he connected to a virtual private network that disguised his location. Whatever was going on, it seemed to only affect computer users in Iran.”
  • “His first hunch was that the problem might be somehow tied to the Iranian government—which was known for interfering with online activity—or a problem with his local internet service provider. So alibo posted a question about the issue on the Gmail Help Forum. Two days later, Google responded to this apparently small problem in a big way: It issued a public statement about the incident, attributing the problem to security issues at a Dutch company called DigiNotar. Within a month, DigiNotar had been taken over by the Dutch government. Not long after that, it declared bankruptcy and dissolved.”
  • “Cybersecurity breaches don’t usually spell the end of companies, much less spur national governments to seize control of private firms. But the DigiNotar compromise was unusual in many ways. Usually, the cybersecurity incidents we read about involve a company failing to protect the information entrusted to it by users. DigiNotar was different: Its whole reason for existence was to tell internet users who and what they could trust—and in 2011, it failed spectacularly in that mission.”
  • This started a radical shift in the way a lot of things are done on the Internet
  • Suddenly, that archaically maintained list of Certificate Authorities started to be scrutinized.
  • Originally, the list often included quasi-government controlled agencies, but the trend over the previous 10 years had seen the shift towards commercial entities.
  • Now, we needed a better way to police the actions and procedures of these Certificate Authorities, because the security of almost all of our systems depends on them
  • The point of a Certificate Authority is to certify that the system you are connecting to actually belongs to your bank, and not to the Russian mafia. Your browser or operating system gives a CA this authority by including its certificate in the ‘root trust store’
  • They are basically like countries, and they issue websites a passport, proof that the website is who they claim to be. It only works if you trust the issuer of the passport.
  • “Five years later, the story of DigiNotar’s demise is all but forgotten, eclipsed by a series of more recent, more easily understandable, and more exciting breaches. But DigiNotar’s case has had long-lasting impacts, motivating some much needed improvements in the security of our online trust infrastructure, including a set of new minimum security requirements for companies like DigiNotar that were announced earlier this month by the Certificate Authority Security Council.”
  • “in 2015, a root CA operated by the China Internet Network Information Center issued an intermediate certificate to one of its customers, which then used the certificate to perform man-in-the-middle attacks and potentially intercept traffic between users and websites.”
  • “Any of those trusted CAs, whether they are root CAs or intermediate CAs that have been endorsed, can then issue certificates for any website they choose—even websites that have chosen to buy certificates from different CAs.”
  • To address this, there is a push for a system called Certificate Transparency, where every certificate, as it is issued, is published to append-only (immutable) logs kept by third parties
  • Google Chrome began requiring Certificate Transparency for newly issued Extended Validation certificates in 2015. It began requiring Certificate Transparency for all certificates newly issued by Symantec from June 1, 2016, after they were found to have issued 187 certificates without the domain owners’ knowledge
  • Certificate Search is a tool that uses various Certificate Transparency logs (including Google’s) to let you see all certificates that have been issued or seen for various domains or organizations
  • This provides several facets of security:
  • Your browser can check that the certificate it is being presented is one listed in a transparency log, so a certificate that a CA (or a government leaning on one) issued quietly and kept off the logs is rejected rather than trusted
  • It makes it possible to publicly audit the activities of Certificate Authorities. If only logged certificates are trusted, and a CA cannot scrub a certificate from the logs, it cannot hide the fact that it incorrectly issued a certificate. This is why Google demanded participation in CT from Symantec after their screwup
  • A website operator can automatically search for and find any certificates issued for their domains, and confirm that each one is legitimate
  • “Because CAs are prime targets, they have to—and tend to—take security very seriously. DigiNotar was no exception. Among other things, it had segmented its computer networks into several different isolated partitions to constrain access attempts and used an intrusion prevention system to monitor incoming traffic. Every request for a new certificate had to be vetted and approved by two DigiNotar employees. Then, to issue the certificate, an employee had to insert a physical key card into a computer kept in a heavily guarded room.”
  • According to a postmortem report on DigiNotar’s compromise by security firm Fox-IT: “This room could be entered only if authorized personnel used a biometric hand recognition device and entered the correct PIN code. This inner room was protected by an outer room connected by a set of doors that opened dependent on each other creating a sluice. These sluice doors had to be separately opened with an electronic door card that was operated using a separate system than for any other door. To gain access to the outer room from a publicly accessible zone, another electronic door had to be opened with an electronic card.”
  • “This mix of physical and virtual safeguards demonstrates that DigiNotar was not a company that had failed to think about or invest in security. It understood that its security was vital for its own reputation—and for the wider world of internet users who relied, often without even knowing it, on DigiNotar’s certificates to tell them whom to trust online.”
  • “But DigiNotar also made some serious mistakes during the summer of 2011. For one, it was running some unpatched software on its web servers, which allowed an intruder to begin burrowing into its maze of partitioned networks in June 2011. On July 10, the intruder successfully issued his first rogue certificate. All told, by the end of the summer, he would go on to issue 531 rogue certificates for domains ranging from aol.com and microsoft.com to mossad.gov.il and cia.gov. (Once you’ve got access to a CA server, issuing rogue certificates for high-value targets like the CIA is no harder than issuing them for sites like AOL.)”
  • “It’s still unclear how exactly the intruder managed to bypass all the physical security in place to protect the inner sanctum where certificates were generated, but the investigators’ best guess was that the keycards for a few computers were left permanently in place. If true, it would have largely defeated the purpose of requiring the keycard insertion—not to mention all those sluiced doors and biometrics and PIN codes—in the first place.”
  • Again, all that security defeated by: pesky humans
  • “On July 19, a routine check by DigiNotar revealed that some of the certificates it had ostensibly signed were not listed in the company’s logs—indeed, DigiNotar had no records of ever issuing these certificates. They were promptly revoked, and DigiNotar launched an internal investigation that uncovered still more rogue certificates. But by the end of July, the company believed the problem had been dealt with.”
  • “So it came as a shock when the report from alibo, the Iranian user, surfaced on the Gmail Help Forum a month later, and Google, in turn, blamed an unauthorized google.com certificate issued by DigiNotar. Some of the rogue certificates, it seemed, had slipped through the cracks of DigiNotar’s internal audit. And they were being used to certify impostor websites. Thousands of Iranians who tried to visit Google websites in August 2011 were apparently redirected to sites that looked like Google webpages and were also certified as belonging to Google according to certificates issued by DigiNotar. Users from 298,140 unique internet protocol addresses trying to access Google websites were affected, and 95 percent of those IP addresses originated in Iran.”
  • “Why bother redirecting hundreds of thousands of Iranian Google users to fraudulent websites? Probably in order to read their email. Only one thing stood in the way: Google Chrome.”
  • Google had taken to hard-coding the hashes of the public keys behind Google-owned websites’ certificates into the Chrome browser (key pinning), specifically to detect this type of situation, where a supposedly trusted certificate was in fact not authorized by Google
  • This effort has since been expanded, with other browsers implementing similar certificate pinning systems. There are also mechanisms for individual websites to securely publish the hash of the trusted certificate or key, so that the browser will warn users who are presented with the wrong one
  • Some of these, like DANE/TLSA, require DNSSEC, because the hash is published in DNS and must itself be protected from spoofing
  • “No one has ever been caught or charged with the compromise, though many have speculated that Iran’s government was likely involved. The only clue left by the intruder—a message left behind on a DigiNotar server—offers little insight into the perpetrator’s mission or identity other than a profound sense of self-importance. “I know you are shocked of my skills, how I got access to your network,” the message begins. “THERE IS NO [sic] ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE.””
  • “The discovery of the DigiNotar compromise left the browser and CA community—to say nothing of the Dutch government—reeling. Browser vendors rushed to revoke trust in DigiNotar certificates, but removing a root CA was not entirely straightforward. “We actually needed to push out an update to Firefox because the CA information was hard-coded to the browser,” Firefox security lead Richard Barnes said. Additionally, many legitimate websites (including some operated by the Dutch government) were still relying on DigiNotar certificates, so the browser vendors were forced to hold off on a blanket ban. Instead, Mozilla decided to block all DigiNotar certificates issued after July 1, 2011, but allowed users to decide whether they wanted to trust certificates issued by the company before that date. But giving users that autonomy over their online security only works if they understand what it is they’re choosing and the implications of that choice—a task that surely went beyond many Firefox users.”
  • “While the browsers scrambled to protect their users, the Dutch government took charge of DigiNotar and commissioned Fox-IT to investigate what had gone wrong. Hans Hoogstraaten, who led the investigation, said in an email, “What really shocked me was when I realized the impact it had for the people of Iran. In those days … people got killed for having a different opinion. The hackers (presumably the state) had access to over 300,000 Gmail accounts. The realization that the … security of a small company in Holland [may have] played a part in the killing or torture of people really shocked me.””
  • “Perhaps the most significant change in the certificate landscape is simply that there are now many more certificates than there were five years ago. This is part of a larger push for widespread online encryption spearheaded by the CA Let’s Encrypt, launched earlier this year, which provides free certificates to anyone who wants them. Let’s Encrypt doesn’t provide the Extended Validation certificates that involve verifying a website owner’s identity (the kind that most high-value targets generally get and that warrant a green box in many browsers) because that process cannot be automated. “There are hundreds of millions of websites and devices out there, and in the future there will be many billions. For every one to have a certificate we’ll need issuance systems that can be fully automated,” said Josh Aas, founder of the Internet Security Research Group, which established Let’s Encrypt. Issuing more certificates helps spread encryption, but it also raises the stakes for the security of CAs and the risks posed by incidents like the DigiNotar compromise because it means that an increasing amount of our online communication relies on the protection provided by digital certificates.”
  • I almost wonder if LetsEncrypt should use a new intermediate CA for each calendar day. So that if there was some kind of compromise, they could dis-trust the intermediates from a specific date range, with much less impact on the other certificates.
  • “And problems with CAs have not gone away. On March 20, 2015, years after the collapse of DigiNotar, Google discovered another set of rogue certificates for Google domains. These certificates had been issued by an Egyptian company, MCS Holdings, which had, in turn, received its certificates from CNNIC, the CA operated by the China Internet Network Information Center, an agency in the Chinese government’s Ministry of Information Industry. Soon afterward, Firefox and Chrome both removed CNNIC from their root CA lists. Just this summer, Chinese CA WoSign was accused of issuing fake certificates for Github and Alibaba, and in October Mozilla announced that it would no longer trust WoSign certificates.”
  • “Thanks in no small part to the legacy of DigiNotar, browsers and CAs alike are better able to deal with problems like these than they were five years ago—they can revoke compromised certificates faster, check certificates against public logs, and restrict the use of rogue certificates with pinning. But in other, more fundamental ways, the system of relying on CAs to tell us who we can trust online remains inherently vulnerable—and, perhaps more importantly, largely invisible to most internet users. The complexity of the certificate infrastructure can make it difficult for the wider public—beyond the community of browsers and CAs who have long been attuned to the importance of the DigiNotar compromise—to understand the risks they face online, as well as the signals and warnings that their browsers provide.”
  • ““The folks who operate the CAs are really a very tempting point of attack,” said Daniel Kahn Gillmor, a senior staff technologist with the American Civil Liberties Union’s Speech, Privacy and Technology Project. “If I wanted to attack someone else I would be looking for a lever of control that they might not even know existed.” The more we gloss over the crucial components of the trust infrastructure underlying our online communications—an infrastructure that is every bit as relevant today as it was five years ago—the harder it becomes to grasp how deeply and fundamentally all of our security is predicated on the security of digital certificates and the companies that issue them.”
  • While much has changed, not all of the issues are solved yet, and we can expect to see more of this going forward
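The Certificate Transparency guarantees discussed above (a quietly issued certificate cannot be proven present, and a CA cannot edit the log without changing the head that auditors already hold) come from one data structure: the RFC 6962 Merkle tree. The following is an added example, not code from the show or from any CT log operator, implementing that tree, its inclusion proofs and the browser-side verification in Python. The log entries are constructed byte strings standing in for certificates; a real log hashes a MerkleTreeLeaf structure (timestamp plus the DER certificate or precertificate), which this example leaves out.

```python
import hashlib

# Added example (not the show's or any CT log's code): RFC 6962 Merkle tree
# with inclusion proofs. Entries below are constructed stand-ins for certificates.

def leaf_hash(entry: bytes) -> bytes:
    # Leaves and interior nodes get different prefixes (0x00 / 0x01) so a leaf
    # cannot be passed off as an interior node or vice versa.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962 section 2.1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries) -> bytes:
    """Merkle Tree Hash over the ordered entries: what the log signs as its tree head."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(entries, m: int):
    """Audit path for entry m: sibling hashes ordered from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [tree_head(entries[:k])]

def _root_from_proof(leaf: bytes, m: int, n: int, path):
    # Recompute the root by walking the proof in the order it was built; a path of
    # the wrong length yields None rather than some forgeable value.
    if n == 1:
        return leaf if not path else None
    if not path:
        return None
    k = _split(n)
    if m < k:
        sub = _root_from_proof(leaf, m, k, path[:-1])
        return None if sub is None else node_hash(sub, path[-1])
    sub = _root_from_proof(leaf, m - k, n - k, path[:-1])
    return None if sub is None else node_hash(path[-1], sub)

def verify_inclusion(entry: bytes, m: int, tree_size: int, path, root: bytes) -> bool:
    """The browser/auditor side: is this exact entry at index m of a tree of
    tree_size entries whose head is root?"""
    if not 0 <= m < tree_size:
        return False
    return _root_from_proof(leaf_hash(entry), m, tree_size, path) == root

# Constructed log contents: five "certificates" as a log would have recorded them.
LOG = [b"cert:CN=example.test,issuer=CA-A",
       b"cert:CN=mail.example.test,issuer=CA-A",
       b"cert:CN=shop.example.test,issuer=CA-B",
       b"cert:CN=*.example.test,issuer=CA-B",
       b"cert:CN=login.example.test,issuer=CA-A"]

def demo():
    root = tree_head(LOG)
    proofs_ok = all(verify_inclusion(LOG[i], i, len(LOG), inclusion_proof(LOG, i), root)
                    for i in range(len(LOG)))
    # A certificate the CA issued but never submitted has no valid proof against this head.
    rogue_ok = verify_inclusion(b"cert:CN=login.example.test,issuer=CA-C", 4, len(LOG),
                                inclusion_proof(LOG, 4), root)
    # Quietly swapping an entry changes the head, which auditors hold signed copies of.
    edited = LOG[:3] + [b"cert:CN=benign.example.test,issuer=CA-B"] + LOG[4:]
    edited_head_matches = tree_head(edited) == root
    return proofs_ok, rogue_ok, edited_head_matches

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The entry-versus-node prefixes are what make the audit path safe to accept from an untrusted log; without them an attacker could present an interior hash as a "leaf". Real logs additionally serve consistency proofs between two tree heads, which is how an auditor checks that the log only ever appended and never rewrote history; that part is not shown here.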

Changing the way we think about security: Class Breaks

  • “There’s a concept from computer security known as a class break. It’s a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet.”
  • “It’s a particular way computer systems can fail, exacerbated by the characteristics of computers and software. It only takes one smart person to figure out how to attack the system. Once he does that, he can write software that automates his attack. He can do it over the Internet, so he doesn’t have to be near his victim. He can automate his attack so it works while he sleeps. And then he can pass the ability to someone­ — or to lots of people — ­without the skill. This changes the nature of security failures, and completely upends how we need to defend against them.”
  • “An example: Picking a mechanical door lock requires both skill and time. Each lock is a new job, and success at one lock doesn’t guarantee success with another of the same design. Electronic door locks, like the ones you now find in hotel rooms, have different vulnerabilities. An attacker can find a flaw in the design that allows him to create a key card that opens every door. If he publishes his attack software, not just the attacker, but anyone can now open every lock. And if those locks are connected to the Internet, attackers could potentially open door locks remotely — ­they could open every door lock remotely at the same time. That’s a class break.”
  • “It’s how computer systems fail, but it’s not how we think about failures. We still think about automobile security in terms of individual car thieves manually stealing cars. We don’t think of hackers remotely taking control of cars over the Internet. Or, remotely disabling every car over the Internet. We think about voting fraud as unauthorized individuals trying to vote. We don’t think about a single person or organization remotely manipulating thousands of Internet-connected voting machines.”
  • “In a sense, class breaks are not a new concept in risk management. It’s the difference between home burglaries and fires, which happen occasionally to different houses in a neighborhood over the course of the year, and floods and earthquakes, which either happen to everyone in the neighborhood or no one. Insurance companies can handle both types of risk, but they are inherently different. The increasing computerization of everything is moving us from a burglary/fire risk model to a flood/earthquake model, in which a given threat either affects everyone in town or doesn’t happen at all.”
  • “But there’s a key difference between floods/earthquakes and class breaks in computer systems: the former are random natural phenomena, while the latter is human-directed. Floods don’t change their behavior to maximize their damage based on the types of defenses we build. Attackers do that to computer systems. Attackers examine our systems, looking for class breaks. And once one of them finds one, they’ll exploit it again and again until the vulnerability is fixed.”
  • “As we move into the world of the Internet of Things, where computers permeate our lives at every level, class breaks will become increasingly important. The combination of automation and action at a distance will give attackers more power and leverage than they have ever had before. Security notions like the precautionary principle­ — where the potential of harm is so great that we err on the side of not deploying a new technology without proofs of security — will become more important in a world where an attacker can open all of the door locks or hack all of the power plants. It’s not an inherently less secure world, but it’s a differently secure world. It’s a world where driverless cars are much safer than people-driven cars, until suddenly they’re not. We need to build systems that assume the possibility of class breaks — and maintain security despite them.”

How to hide malware in a PNG

  • With that recent router-hijacking malware, we saw the attackers hiding an encrypted payload in the actual image served via the advertising network, and then decrypting the payload only if the victim met a set of criteria
  • The main advantage of this method is that it doesn’t leave a trail back to command-and-control infrastructure. There is no central location or obvious sign that the computer has downloaded malware; all it did was load an image from a legitimate advertising network (maybe even Google’s)
  • This post shows a crude method of hiding an executable file in a .png image and posting it to imgur
  • The image can then be downloaded by a PowerShell script, a VBScript, or an MS Office macro, which extracts the payload
  • PNG differs from most other common image formats in that it is lossless: it is basically a bitmap, run through a per-scanline filter and then zlib (DEFLATE) compressed. In the RGBA colour type, each pixel is represented by a set of 4 values, 0–255 for each of Red, Green, Blue, and Alpha (transparency)
  • This allows the image to represent the full 24-bit colour space (16,777,216 unique colours), and each pixel can have any of 256 degrees of transparency
  • In the post’s example, a .jpg is encoded into the alpha channel of an existing image from Wikipedia. This does not substantially change the size of the image, since the alpha channel was already there for each pixel; it just compresses slightly differently now
  • In this crude example, the data is base64 encoded, then written into the alpha channel. This makes the original picture look a bit staticky and washed out
  • If more work were put into it (fewer bits per pixel, spread across the image), it could be much harder to detect, and if the original image was carefully chosen, it could be almost impossible to detect
  • The post demonstrates encoding calc.exe and running it on a remote system, in a way that most intrusion detection systems would not flag, because on the wire it is just an image download
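The alpha-channel trick in working form, as an added example that is not the post’s own code: a minimal 8-bit RGBA PNG writer and reader using only the standard library, the embedding and extraction steps, and a crude check a defender could run on images pulled from an ad network. The cover image, the payload (arbitrary bytes standing in for an executable) and the detector’s threshold are all constructed or assumed here, not taken from the post.

```python
import struct
import zlib

# Added example (not the post's code): hand-rolled RGBA PNG I/O, payload in the
# alpha channel, and a crude detector. Cover image and payload are constructed.

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    # PNG chunk layout: length, type, data, CRC-32 over type+data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def write_rgba_png(width: int, height: int, pixels: bytes) -> bytes:
    """pixels is width*height*4 bytes of RGBA; every scanline uses filter type 0 (None)."""
    if len(pixels) != width * height * 4:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit, colour type 6 = RGBA
    stride = width * 4
    raw = b"".join(b"\x00" + pixels[r * stride:(r + 1) * stride] for r in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def read_rgba_png(data: bytes):
    """Parse what write_rgba_png produces; returns (width, height, rgba_bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 6):
                raise ValueError("only 8-bit RGBA is handled here")
        elif ctype == b"IDAT":
            idat += body            # image data may be split across several IDAT chunks
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 4
    rows = []
    for r in range(height):
        line = raw[r * (stride + 1):(r + 1) * (stride + 1)]
        if line[0] != 0:            # first byte of each scanline is the filter type
            raise ValueError("scanline filter %d not supported" % line[0])
        rows.append(line[1:])
    return width, height, b"".join(rows)

def embed_in_alpha(cover_png: bytes, payload: bytes) -> bytes:
    """Overwrite one alpha byte per pixel with a 4-byte length prefix and then the
    payload. RGB values are untouched, so the picture content itself is unchanged."""
    w, h, px = read_rgba_png(cover_png)
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) > w * h:
        raise ValueError("payload needs %d pixels, cover has %d" % (len(framed), w * h))
    buf = bytearray(px)
    for i, b in enumerate(framed):
        buf[i * 4 + 3] = b
    return write_rgba_png(w, h, bytes(buf))

def extract_from_alpha(png: bytes) -> bytes:
    """What the second stage (the post's PowerShell/VBS/macro) does after fetching the image."""
    _, _, px = read_rgba_png(png)
    alpha = px[3::4]
    (n,) = struct.unpack(">I", alpha[:4])
    return alpha[4:4 + n]

def alpha_looks_suspicious(png: bytes, max_distinct: int = 32) -> bool:
    """Crude detector. Assumption, not a tuned figure: ordinary artwork uses a handful
    of alpha levels (often only 255), while a byte payload spreads across most of 0..255."""
    _, _, px = read_rgba_png(png)
    return len(set(px[3::4])) > max_distinct

def make_cover(width: int, height: int) -> bytes:
    # Constructed fully opaque gradient standing in for the Wikipedia image in the post.
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes((x * 255 // max(width - 1, 1), y * 255 // max(height - 1, 1), 128, 255))
    return write_rgba_png(width, height, bytes(px))

# Constructed payload: arbitrary bytes, not an executable.
PAYLOAD = b"--constructed stand-in for calc.exe--" + bytes(range(256))
COVER = make_cover(32, 32)
STEGO = embed_in_alpha(COVER, PAYLOAD)

if __name__ == "__main__":
    print(len(COVER), len(STEGO), extract_from_alpha(STEGO) == PAYLOAD,
          alpha_looks_suspicious(COVER), alpha_looks_suspicious(STEGO))
```

Writing the payload straight into whole alpha bytes is what makes the post’s image look washed out and what the distinct-value check catches; an attacker who spends the extra effort mentioned above (a bit or two per channel, spread by a keyed permutation) defeats this particular heuristic, which is why the durable signals are behavioural: an Office macro or script that fetches an image and then writes and runs a file.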

/var/water/logged | TechSNAP 82
https://original.jupiterbroadcasting.net/26841/varwaterlogged-techsnap-82/
Thu, 01 Nov 2012 16:37:44 +0000

The post /var/water/logged | TechSNAP 82 first appeared on Jupiter Broadcasting.


An inside look at how hard some Sysadmins had to work to keep their servers running after being hit by Superstorm Sandy!

Plus the final analysis of the DigiNotar saga, an epic network debugging war story that will leave you groaning, a huge batch of your questions, and so much more!



Show Notes:

Hurricane Sandy creates havoc for data centers in New York and New Jersey

  • A number of data centers in and around New York and New Jersey suffered various failures and issues
  • ConEd, the utility provider in New York, started proactively shutting down power before the storm hit, in an effort to avoid damage to their equipment
  • Most data centers had already proactively switched to off-grid mode, providing their own power via diesel generators
  • What happens when salt water meets high-voltage gear
  • Slashdot created a status page, showing the known issues
  • WebHostTalk thread where various customers report the status of their gear
  • More reporting from the Web Hosting Industry Review
  • Equinix reports on their situation
  • Oct 29th: Datagram goes down, takes out Gawker, HuffingtonPost, BuzzFeed and others
  • Oct 29th: Internap announces they are evacuating the 75 Broad Street building
  • “The flooding has submerged and destroyed the site’s diesel pumps and is preventing fuel from being pumped to the generators on the mezzanine level. The available fuel reserves on the mezzanine level are estimated to support customer loads for approximately 5–7 hours”
  • It appears that NY building codes prevent storing large amounts of fuel on the upper floors, due to the danger to occupants and emergency personnel in the event of a fire
  • Generators are located in the basement with the fuel supply, and some customers have their own generators on the upper floors
  • The above-ground generators are fueled from small ‘day tanks’, which are then refilled from the sub-basement by pumps
  • The pumps must be located near the fuel supply, rather than on the upper levels, because they could not prime themselves from that height (pumps need liquid to pump; they cannot create enough vacuum to draw the fuel up many floors)
  • Due to the flooding cutting off fuel supplies and drowning generators, some data centers that did manage to stay powered up lost some or all of their transit to the Internet, because the other buildings that their connections pass through, or their providers, lost power
  • Peer1, on the 17th floor of the same building (75 Broad Street), provided customers hourly updates via their forums
  • Peer1 staff and customers took to carrying barrels of diesel fuel up to the 17th floor to keep the day tanks full
  • Oct 29, 17:40 – Sites 1 and 2 transitioned to generator power
  • 20:36 – Still on generator. Building reports that the lobby has taken in some water
  • 22:27 – Building has detected some flooding in the 1st and 2nd basement due to the storm surge. Extent of the damage will not be determined until the basement is accessible. The fuel system has a header with 5000 gallons of fuel and will be the primary supply for the next 12–24 hours. They are also observing some lowering of the water level outside the building.
  • Oct 30, 03:30 – We are still running from emergency generator power. Water has receded and we are currently waiting for a report back from building engineers on the status of the fuel and power systems that were located in the basement. We will post further updates when we have them
  • 08:00 – At this point we have an estimate of 4 hours for the fuel left on our generators. Our techs and facility are continuously working to get emergency fuel delivery on time and are looking to set up a temporary tank and pump since the basement is still flooded. In the event of not receiving the fuel on time, worst case scenario is we will have to gracefully shut down the facility.
  • 16:00 – The PEER 1 Hosting NYC datacenter remains on generator power with fuel being provided through the remaining building supply. The fuel tank has arrived at our facility and, due to flooding conditions in the basement caused by the weather, we are working on alternative methods of fuel delivery to the day tank located on the 17th floor. As of now, our datacenter team is carrying half-full 50 gallon barrels of diesel to our daily fuel reservoir on the 17th floor, until a more sustainable solution is reached.
  • Oct 31, 00:00 – Peer1 is still maintaining generator power. We did have a slight temperature rise at Site 1 but this has been addressed by technicians. We will provide our next update in 1 hour
  • 04:00 – Peer1 is still maintaining generator power for most customers in Site 2 and Site 1. The temperature in Site 1 is still running at a critically high level. At this point, we have started to call all clients in our Site 1 and are asking all our colocation clients to turn down non-essential equipment. This will maximize our time to run on generator and help with the temperature rise in Site 1. Our technicians will go ahead and shut down all customers at Site 1 within the next hour (you will receive an update when this is being performed). We will provide our next update in 1 hour.
  • 08:00 – Completed shutdown of customer equipment in Site 1
  • 10:00 – The A/C in Site 1 is powered off building generators that are still down. If we bring Site 1 back up before the building generators are back up, Site 1 will just overheat. We are working to try and find another workaround, but we are having trouble getting electricians on site and are also working with the building to get their generator up and running. Additional spare fuel is still being manually put into our generator. We have also scheduled a fuel drop-off for the next fueling marker. We will provide our next update in 1 hour.
  • 15:00 – Peer1 is still maintaining generator power for customers in Site 2. The temperature in Site 1 is starting to stabilize but we are still not bringing up the power due to our cooling system still being down in Site 1. The electrician is currently moving electrical circuits to get a portion of the CRAC units in Site 1 online. We will contact those customers directly once we have these units online. Fuel is still good; we will provide our next update in 1 hour.
  • 23:00 – Peer1 is still maintaining generator power for customers in Site 2. The temperature in Site 1 has stabilized. We will soon begin the process of slowly bringing up customers’ cabinets at Site 1. Fuel is still good; we will provide our next update in 1 hour.
  • Nov 1, 13:00 – Peer1 is still maintaining generator power. We have an update from the building. We are providing them a fuel hose that will allow them to start filling the building fuel tank in the next hour. We are continuing to run from our generator.
  • 16:00 – Peer1 is still maintaining generator power. Building is currently pumping fuel into the 5000 gallon header tank. We are looking at cutting over to the 5000 gallon header tank in ~90 minutes
  • Additional Story
  • NY Times live updates on Sandy’s Aftermath

70% of State chief information security officers report breaches this year

  • Between 2010 and 2011 only 14% of CISOs saw a budget increase, while 44% say their budgets didn’t change and 34% saw their budgets reduced
  • Only 24% of CISOs are confident that they can safeguard their data from outside attacks
  • Report PDF

    DigiNotar report lands, all CAs totally compromised

    • The attacker who compromised the SSL CA DigiNotar last year had full control over all 8 of their certificate issuing servers
    • The report suggests that the attacker may have issued additional rogue certificates that were never identified
    • This risk was mitigated somewhat by most vendors revoking all trust in DigiNotar issued certificates, but customers who did not receive the root trust update could still be vulnerable
    • The company investigating the compromise found that the log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with
    • “While these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place”
    • Investigators also found evidence that a claim by the anonymous attacker who compromised the Comodo CA, that he was also the one who breached DigiNotar, may in fact be true
    • The DigiNotar network was highly segmented and a number of the segments were isolated from the public Internet. However, a lack of strict enforcement of these policies may have allowed the attacker to island-hop from the compromised web server to the CA servers
    • "The investigation showed that web servers in DigiNotar’s external Demilitarized Zone (DMZ-ext-net) were the first point of entry for the intruder on June 17, 2011”
    • "From the web servers in DMZ-ext-net, the intruder first compromised systems in the Office-net network segment between the 17th and 29th of June 2011”
    • “Subsequently, the Secure-net network segment that contained the CA servers was compromised on July 1, 2011”
    • “Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”
    • The attack on DigiNotar lasted for almost six weeks without being detected
    • “The private keys were activated in the netHSM using smartcards. No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period”
    • Original Article, in Dutch
    • Full Report PDF

    Feedback

    Followup:

    War Story: The little SSH that sometimes couldn’t

    • Mina Naguib is a sysadmin and director of engineering at Adgear
    • Noticed that some of his SSH cronjobs started reporting failures and timeouts between his servers in London (UK) and Montreal (CA)
    • He found that the transfers either completed at high speed, or hung and never completed (there were no transfers that succeeded at low speed)
    • Running the transfers manually seemed to work fine
    • After examining packets with tcpdump as they left London, he found that some packets were being transmitted, not acknowledged, and then retransmitted, and still not acknowledged
    • While examining the packets as they were received in Montreal, he noticed a difference
    • The 15th byte of every 16 bytes was being predictably corrupted
    • In the SSH handshake, instances of “h” became “x” and all instances of “c” became “s”, but only beyond the first 576 bytes
    • The SSH sessions were getting stuck because the remote server’s kernel was discarding the corrupted TCP packet, the retransmit was corrupted in the same way, and so the connection was in a stalemate
    • He ruled out an issue with the NICs in the servers on either side, because the issue was affecting multiple servers, and two different Montreal data centers
    • To prove his hypothesis, he used netcat, and piped /dev/zero over the network, and while examining the packets as they were received on the other side, beyond the first 576 bytes, a specific bit was being transformed from a 0 to a 1
    • The issue did not affect UDP or ICMP packets, only TCP
    • Now, the task was to pinpoint which router along the path was causing the issue
    • This was more difficult because, unlike an ICMP ECHO where you can evoke a predictable response from a remote host, for TCP you require both endpoints to cooperate
    • So, he grabbed nmap, and used its ‘Random IP’ mode to find a collection of SSH servers, some that did, and some that did not, share hops in common with the affected route between London and Montreal
    • He created a list of servers that did not experience corruption, and those that did, and used traceroutes to identify the paths the packets took
    • Note: some Internet paths are asymmetrical, and a standard traceroute will not find the return path; this could have made this problem much harder to diagnose
    • After finding 16 bad, and 25 good SSH connections, he was able to narrow his list of suspects down to a specific connection between 2 backbone providers
    • London → N hops upstream1 → Y hops upstream2
    • “Through upstream1, I got confirmation that the hop I pointed out (first in upstream2) had an internal “management module failure” which affected BGP and routing between two internal networks. It’s still down (they’ve routed around it) until they receive a replacement for the faulty module.”
    • The upstreams involved appear to have been GBLX and Level3
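The pattern-spotting step of that war story as an added Python example (not the show's or Mina Naguib's code): a constructed model of the faulty hop, plus the analysis that recovers the block size, byte position and flipped bit from a sender-side and a receiver-side capture of the same stream.

```python
"""Locate a periodic, position-dependent bit flip in a captured byte stream.

Added example, not code from the show or from Mina Naguib's write-up. It models
the fault described above (one bit forced from 0 to 1 in the 15th byte of every
16-byte block, only past the first 576 bytes) and shows how to recover the block
size, byte position and flipped bit from a sender-side and a receiver-side
capture of the same stream. All sample data is constructed.
"""
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import List, Optional


@dataclass
class CorruptionPattern:
    first_offset: int   # first differing byte offset
    period: int         # block size the corruption repeats in
    position: int       # 0-based index inside each block that is hit (14 = "15th byte")
    bit_mask: int       # bits that were 0 when sent and 1 when received
    differing: int      # number of differing bytes


def simulate_faulty_hop(stream: bytes, start: int = 576, period: int = 16,
                        position: int = 14, mask: int = 0x10) -> bytes:
    """Constructed model of the broken router: OR `mask` into one byte per block."""
    out = bytearray(stream)
    for off in range(start, len(out)):
        if off % period == position:
            out[off] |= mask
    return bytes(out)


def diff_offsets(sent: bytes, received: bytes) -> List[int]:
    """Offsets at which the two captures disagree (captures must be the same length)."""
    if len(sent) != len(received):
        raise ValueError("captures must cover the same bytes")
    return [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]


def find_periodic_corruption(sent: bytes, received: bytes) -> Optional[CorruptionPattern]:
    """Infer period, position and flipped bit(s) from the differing offsets.

    The period is the gcd of the gaps between differing offsets, which assumes
    every affected block shows a difference. A 0->1 flip is invisible wherever
    the bit is already 1, so probe with a stream of zeros (the /dev/zero test in
    the story) rather than with arbitrary data, or the period comes out too big.
    """
    offsets = diff_offsets(sent, received)
    if len(offsets) < 2:
        return None   # no corruption, or a single hit: nothing to measure a period from
    gaps = [b - a for a, b in zip(offsets, offsets[1:])]
    period = reduce(gcd, gaps)
    mask = 0
    for off in offsets:
        mask |= received[off] & ~sent[off] & 0xFF   # bits set on arrival that were clear on send
    return CorruptionPattern(first_offset=offsets[0], period=period,
                             position=offsets[0] % period, bit_mask=mask,
                             differing=len(offsets))


def probe_with_zeros(length: int = 2048) -> Optional[CorruptionPattern]:
    """Push an all-zero stream through the modelled hop and analyse what arrives."""
    sent = bytes(length)
    return find_periodic_corruption(sent, simulate_faulty_hop(sent))


def after_faulty_hop(text: bytes) -> bytes:
    """What a text stream (e.g. the SSH key exchange) looks like on the far side."""
    return simulate_faulty_hop(text)


if __name__ == "__main__":
    print(probe_with_zeros())
    # Setting 0x10 turns 'h' (0x68) into 'x' (0x78) and 'c' (0x63) into 's' (0x73),
    # exactly the substitutions seen in the handshake, but only past byte 576.
    print(after_faulty_hop(b"h" * 640)[576:608])
```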

    Round Up:

    The post /var/water/logged | TechSNAP 82 first appeared on Jupiter Broadcasting.

    Stuffed War Stories | TechSNAP 33
    https://original.jupiterbroadcasting.net/14267/stuffed-war-stories-techsnap-33/ (Thu, 24 Nov 2011)
    Microsoft’s flawed code signing infrastructure puts your machine at risk, and a batch of great audience submitted questions, and we share a few IT war stories!

    The post Stuffed War Stories | TechSNAP 33 first appeared on Jupiter Broadcasting.


    Microsoft’s flawed code signing infrastructure puts your machine at risk, find out how.

    A batch of great audience submitted questions, and we share a few IT war stories!

    All that and more, on this week’s TechSNAP!

    Thanks to:

    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Pick your code and save:
    techsnap7: $7.49 .com
    techsnap10: 10% off
    techsnap11: $1.99 hosting for the first 3 months
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

AT&T customer data targeted in attack

  • The attackers used automated scripts to attempt to determine if phone numbers were linked to AT&T online accounts
  • Attempts were made against approximately 1 million of AT&T’s 100 million customers
  • The attackers appeared to already have a database of usernames and passwords, and were attempting to use brute force to link those credentials to phone numbers, in order to gain access to the accounts
  • AT&T appears to lack any type of Intrusion Detection System, or automated defences that block an IP address after many failed login attempts. The millions of attempts were likely not launched from a single IP address, but it still should have been blocked well before 1 million accounts had attempts against them
  • AT&T does not believe attackers were able to gain access to any accounts, but they are still investigating

South Korea blocks young games after midnight

  • The so-called Cinderella law blocks users under the age of 16 from accessing online games after midnight
  • The articles are unclear about exactly how this is accomplished, but it appears it is enforced by the online gaming sites themselves, and teens using accounts created with their parents’ identities are not blocked
  • In South Korea, most websites require you to enter your national ID card number. Comments on sites cannot be left anonymously (previously covered on TechSNAP 23 )
  • Is this a sign of the level of censorship we can look forward to in the future?

RSA 512bit SSL certificates abused in the wild

  • SSL Certificates signed by a few authorities (which have since had their trust revoked) have had their private keys factored
  • Once you possess the private key for an SSL certificate, you can use it to impersonate that site, and use any other capabilities that the certificate has
  • It was originally thought that the private keys were merely stolen by malware, but it seems that factoring RSA 512 has become somewhat trivial, taking only a matter of days or weeks with a reasonable cluster of modern machines. With malware authors having access to large botnets, or cloud computing platforms like Amazon EC2, these certificates can no longer be considered safe
  • A number of other vulnerable certificates were identified, many coming from DigiNotar, the certificate authority that was compromised by attackers and has since had its trust revoked and gone out of business.
  • Almost all SSL certificate authorities require at least a 2048bit RSA key for new certificates
  • A normal HTTPS SSL certificate only has the ability to sign outbound messages, encipher symmetric keys, and verify its identity as a TLS client or server.
  • The problem with the certificates issued by the Digisign Server ID CA is that they lacked the basic key usage definitions and constraints. This allowed the certificates to be used for any purpose, including signing software. The certificates also lacked a properly defined CRL (Certificate Revocation List), so they could not be revoked.
  • The factored certificates were used to code-sign malware to remove or lessen the warnings given by Windows when the code is executed
  • The compromised certificates have been used as far back as March 2010, and Microsoft did not act until recently, revoking trust in the CA. Microsoft will still accept 512bit certificates without proper use definitions or constraints.

Feedback:

Q: Do you guys trust Internet aggregator services?
A: It depends on the level of security they employ. Most of these sites are not very forthcoming with details on how they secure your data, or even how they work. A better solution would be something like OAuth, to allow you to grant only certain permissions to each specific site, and to easily revoke a site’s access to your accounts.

Q: SSH on Port 2222?
A: Using a different port does reduce the number of attacks from automated bots, but it will not stop anyone targeting you specifically. The solution is always to use a protection system such as DenyHosts, SSHGuard or Fail2Ban. Also, if it makes sense in your setup, disable password authentication entirely, and only use SSH keys. Note: you should still use DenyHosts to prevent an aggressive botnet from bogging down your SSH server so legitimate users cannot log in. This used to happen to one of my servers that had 250 IP addresses; the bots would attack each IP at the same time, creating 1000 SSH connections at once.
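Added example, not fail2ban, DenyHosts or SSHGuard code: the per-address rule those tools apply (maxretry failures inside findtime seconds), run over constructed sshd log lines, plus the aggregate check that catches the many-addresses-at-once botnet case described in the answer above.

```python
"""Spot SSH brute-force sources in sshd log lines, fail2ban style.

Added example; this is not code from fail2ban, DenyHosts or SSHGuard. It applies
the rule those tools use (maxretry failures from one address inside findtime
seconds means ban) to constructed syslog lines, and adds the aggregate check
the answer above calls for: a botnet spreading attempts across many addresses
can stay under the per-address limit while still flooding the daemon.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Set, Tuple

# Classic syslog line written by OpenSSH on most Linux/BSD hosts, e.g.
# "Nov 24 10:00:01 gw sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_failures(lines: Iterable[str], year: int = 2011) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source address) from failed-login lines, oldest first.

    Syslog timestamps carry no year, so one is supplied; anything that is not a
    failed-login line (accepted logins, disconnects, noise) is ignored.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    events.sort()
    return events


def brute_force_sources(lines: Iterable[str], maxretry: int = 5,
                        findtime: int = 600) -> Set[str]:
    """Addresses that reach maxretry failures inside any findtime-second window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned: Set[str] = set()
    for ts, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def peak_failure_rate(lines: Iterable[str], window: int = 60) -> int:
    """Most failures seen from *all* sources combined inside one sliding window.

    Per-address counting misses a distributed attack, so alert on this number
    too (and rate-limit connections, e.g. via sshd's MaxStartups) when it spikes.
    """
    recent: deque = deque()
    peak = 0
    for ts, _ip in parse_failures(lines):
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def _line(hhmmss: str, ip: str, user: str = "root") -> str:
    return f"Nov 24 {hhmmss} gw sshd[2201]: Failed password for {user} from {ip} port 51234 ssh2"


# Constructed log (documentation address ranges): one noisy host, one slow
# guesser, a 30-host distributed burst, and a legitimate key login.
SAMPLE_LOG = (
    [_line(f"10:00:{s:02d}", "203.0.113.5") for s in (1, 4, 7, 10, 13, 16)]
    + [_line(f"10:{m:02d}:00", "203.0.113.9", "invalid user admin") for m in (5, 25, 45)]
    + [_line(f"10:30:{s:02d}", f"198.51.100.{n}") for n, s in zip(range(1, 31), range(0, 60, 2))]
    + ["Nov 24 10:31:00 gw sshd[2300]: Accepted publickey for allan from 192.0.2.10 port 4022 ssh2"]
)

if __name__ == "__main__":
    print("ban:", sorted(brute_force_sources(SAMPLE_LOG)))
    print("peak failures in 60s from all sources:", peak_failure_rate(SAMPLE_LOG))
```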

Q: Why not just one boot loader to rule them all?

Q: How do I get started in Tech Support?

War Story

Administering a Windows Server with your eyes closed

When ScaleEngine first started, we were in a much smaller local data center. One of the disadvantages of this data center was that they did not provide KVM carts; in order to work on a server, you had to remove it from the rack and take it over to a little desk in the corner with a monitor and keyboard, but no network connection. At our new data center, we have KVM carts we can take over to our rack to work on servers without disconnecting them. If we need to disassemble the server, they provide a nice large quiet work area with ample power, ethernet drops and free coffee.

I had just built two new Windows 2008 R2 servers for one of our clients, and had installed them in the rack. Got them up and running, and they were serving their websites fine. However, I was not able to connect via Remote Desktop. How had I forgotten to enable remote desktop…

I really did not feel like waiting for the server to shut down (Windows servers take an extremely long time to shut down, partly because they overwrite the entire swap file for security reasons), then removing the server from the rack again, waiting for it to boot up, changing the settings, shutting down again, etc.

So, I grabbed our spare USB keyboard and connected it to the server in the rack, balancing the keyboard on my left hand while typing with only my right, with no monitor. I waited 30 seconds for Windows to detect the keyboard, and then pressed Control+Alt+Delete to open the login prompt. I heard the drive start ticking as it loaded the desktop, so I gave it a few minutes. Once I was logged in, Windows+R to open the run prompt, and I started cmd.exe. Then I issued the following commands, which I had arduously looked up on my old cell phone’s very limited browser.

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
netsh firewall add portopening TCP 3389 RDesktop enable any

I issued each command twice, in case I might have made a typo, even though I was typing as carefully and slowly as I could, since I was doing it with one hand on an unsteady keyboard. Then, to test it, I used PocketPuTTY on my cell phone to SSH into one of my servers, and used netcat to see if port 3389 was open. It was. So I repeated the same procedure on the second Windows server and again verified it via my cell phone before packing up and leaving the data center.

And that is how I administered a pair of Windows servers with my eyes closed.

Round Up:


Pimp My Network | TechSNAP 27
https://original.jupiterbroadcasting.net/12758/pimp-my-network-techsnap-27/ (Thu, 13 Oct 2011)
We cover your best options for pimping your home network for speed! Plus Facebook is fooled again, remote controlled voting machines!

The post Pimp My Network | TechSNAP 27 first appeared on Jupiter Broadcasting.


Facebook is fooled again, remote controlled voting machines, and Sony has another 93,000 accounts hacked, we’ll load you up on the details!

Then – We cover your best options for pimping your home network for speed!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Facebook URL scanner easily fooled

  • Facebook has a malicious URL scanner that checks URLs linked to in posts to make sure they do not contain content that could be harmful to users
  • The simplest content cloaking technique, displaying different content to different users (i.e., looking for the Facebook bot’s user-agent string), can fool this system
  • In the example proof of concept attack, the URL looks like a .jpg file, and gets a thumbnail in the Facebook preview, but if you follow the link, you will be rickrolled
  • Proof of Concept

Sony Locks 93,000 Accounts After Hacking Attempt

  • Sony has suspended 93,000 accounts that were successfully accessed during a massive wave of failed login attempts.
  • This suggests that Sony does not have any automated systems for slowing or blocking such brute force attacks.
  • The attack affected large numbers of users on both PSN/SEN and SOE
  • While Sony claims the attackers must have had a list of username/password combinations from some other site that was attacked, the fact that hundreds of thousands of accounts had attempts against them, and 93,000 succeeded, suggests one of a few hypotheses:
  • The attack used user data from the original Sony hack (and/or users reset their passwords back to the same stolen passwords)
  • The flaw in the PSN password reset system that allowed attackers to reset other users’ passwords was more widespread than first thought
  • Users were the victims of the multiple phishing attempts we saw around the PSN compromise
  • Sony was compromised again
  • Additional Article
  • Sony CISO Statement

Diebold Voting machines susceptible to untraceable man in the middle attack

Feedback:

  • Dominic emails in:
    YOU’RE DOING IT WRONG

  • How to connect multiple switches

  • Q: When building physical network topology, say you have 5x 8 port switches, are you best to connect the router to port 1 of switch#1 then connect various other computers to the rest of the ports on switch#1 with the last port connecting to switch#2 which has one port to switch#3 and so on (essentially daisy chaining) or have one ‘master’ switch where each port of the switch connects to each of the other switches (2, 3, 4 and 5) then have the router and PCs plugged into those (I know it’s a bit overkill for a home network but it’s just in theory as I’ve had to deal with stuff like network loops and such before and wondering if there is any real advantage between the two methods).

  • A: The second setup you described is a proper ‘hierarchical networking model’, which usually consists of three layers. The first layer is the Access Layer; this is where individual computers are connected to the network, typically just a (relatively) low-end switch. The next layer is the Distribution Layer; this is where a lot of routers and firewalls do their work, and they usually also act as the separation between departments, locations and regions. Typically, computers in the same Access Layer can reach each other directly without going through a router. The top layer of the network is the Core Layer; this is the fastest part of the network, where data is exchanged between the different Distribution Layers. In your more limited setup, the ‘master’ switch would be the Core Layer, and would exchange traffic between each of the different Access Layer switches. However, for your home this may not be the best setup. If all of the switches are 100mbit, then the links between the Core Layer switch and the Access Layer switches can be a bottleneck. For example, if you had 2 pairs of clients communicating with each other on the same switch (so 4 machines, A<->B and C<->D), they could each communicate at 100mbit/second. However, if A and C are on Access Layer switch#2, and B and D are on Access Layer switch#3, then the bandwidth between #2 and #3 is limited to 100mbit total, and so each stream would only be able to use 50mbit/sec. However, if A and B are on one switch, and C and D are on another, then no data is exchanged through the Core Layer at all. So a number of factors, especially your traffic patterns, must be considered when setting up your network topology. You do not have to worry about creating ‘loops’ or anything as long as each switch only has a single path to each other switch. Higher-end (managed) switches will have ‘STP’ (Spanning Tree Protocol), which allows them to avoid loops even when they have multiple paths, while still adapting and using one of the extra paths if the preferred path is disconnected.

  • At my house, I have a 5 port gigabit switch, and 3 100mbit switches. My PC, Router/File Server, and Media center connect to the gigabit switch, the 4th port goes to the wireless AP, and the 5th to the switch in my bedroom. The remaining 100mbit switch (used for the machines in the rack in my living room) is fed off the wired ports for the wireless AP.

Round Up:


Rooted Trust | TechSNAP 22
https://original.jupiterbroadcasting.net/11948/rooted-trust-techsnap-22/ (Thu, 08 Sep 2011)
DigiNotar's breach was far worse than originally known, and a recent DNS hack took many popular sites off-line. Plus we'll cover why a home DNS can be great!

The post Rooted Trust | TechSNAP 22 first appeared on Jupiter Broadcasting.


Remember the Man in the Middle attack on Google from last week? Turns out it was far worse than thought; we now have more details on the DigiNotar compromise, and a number of other important sites have had their DNS hijacked.

Plus we cover the advantages of running your own DNS server at home, and how Allan and Chris got their start in the world of IT!

All that and more, in this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

DigiNotar Hack Details

  • A company spokesman said that “several dozen” certificates had been acquired by the attackers.
  • The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531.
  • The first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
  • But the attack didn’t come to light until August 27
  • Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre.
  • He also suggested that he wasn’t operating under the auspices of Iranian authorities, but that he may have given them the certificates.
  • Comodohacker also posted additional proof that he had the private key for the invalid google.com certificate, by using it to sign a copy of calc.exe, a feature a regular website SSL certificate should not have.
  • The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens–in a country with a population of 17 million–that use DigiD , a government website for accessing services, such as paying taxes.
  • According to news reports, the country’s lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet.
  • The Netherlands has also indefinitely extended the country’s tax deadline until DigiD can again be declared secure.
  • Mozilla has made this public statement: “This is not a temporary suspension, it is a complete removal from our trusted root program.” Such harsh action was taken because DigiNotar did NOT notify everyone when the breach was discovered.
  • F-Secure Weblog says they were hacked by someone who was connected to “ComodoGate” — the hacking of another Certificate Authority earlier this year, by an Iranian attacker.

Removing the DigiNotar Root CA certificate : Ubuntu

Microsoft out-of-cycle patch to fix DigiNotar bogus certificates

Hacker claims to have compromised Other SSL Cert Authorities

  • Soon after the Comodo forged certificates hack, an Iranian using the handle Comodohacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack.

  • The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates.

  • ComodoHacker also claims to have compromised StartSSL; however, issuance of invalid certificates was prevented by a policy change that required the CEO to manually approve each issued certificate offline. The HSM (Hardware Signing Module) being offline seems like the only way to be entirely sure that invalid certificates are not issued. A proper policy, more than just rubber-stamping any certificate that doesn’t say google.com on it, should be required.

  • GlobalSign on Tuesday announced that it would temporarily cease issuing any new certificates.
    “GlobalSign takes this claim very seriously and is currently investigating,” according to a statement released by the company

  • GlobalSign is the fifth-largest CA

  • GlobalSign Suspends Issuance of SSL Certificates

  • BBC Article

DNS hack hits popular websites: Telegraph, Register, UPS, etc

  • Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.
  • Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.
  • Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours even after the fix.
  • The attack was against the domain registrars Ascio and NetNames, both owned by the same parent company.
  • Apparently the attacker managed to use an SQL injection attack to gain access to the domain accounts, and change the name servers.
  • BBC Article

Feedback:

Home DNS Software:

A different kind of question for TechSNAP! : techsnap

Round-Up:

Bitcoin-Blaster:


Smarter Google DNS | TechSNAP 21
https://original.jupiterbroadcasting.net/11691/smarter-google-dns-techsnap-21/ (Thu, 01 Sep 2011)
Google and openDNS join forces to improve the speed of your downloads, find out what they are doing and how it works!

The post Smarter Google DNS | TechSNAP 21 first appeared on Jupiter Broadcasting.


Google and openDNS join forces to improve the speed of your downloads, find out what they are doing and how it works!

Plus gmail suffered another man in the middle attack, and Kernel.org gets some egg on their face!

All that and more, on this week’s episode of TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Another SSL Certificate Authority Compromised, MitM Attack on Gmail

  • Sometime before July 10th, the Dutch Certificate Authority DigiNotar was compromised and the attackers were able to issue a number (apparently as many as 200) of fraudulent certificates, including a wildcard certificate for *.google.com. The attack was only detected by DigiNotar on July 19th. DigiNotar revoked the certificates, and an external security audit determined that all invalid certificates had been revoked. However, it seems that probably the most important certificate, *.google.com, was in fact not revoked. This raises serious questions and seems to point to a cover-up by DigiNotar. Detailed Article Additional Article
  • Newer versions of Chrome were not affected, because Google specifically listed a small subset of CAs who would ever be allowed to issue a certificate for Gmail. This also prevents self-signed certificates, which some users fall for regardless of the giant scary browser warning. Chrome Security Notes for June
  • Mozilla and the other browsers have taken more direct action than they did with the Comodo compromise. All major browsers have entirely removed the DigiNotar root certificate from their trust list. With the Comodo compromise, the affected certificates were blacklisted, but the rest of the Comodo CA was left untouched. One wonders if this was done as a strong signal to all CAs that they must take security more seriously, or if DigiNotar was in fact cooperating with the Iranian government in its efforts to launch MitM attacks on its citizens. Mozilla Security Blog
  • Part of the issue is that some of the certificates issued were for the browser manufacturers themselves, such as Mozilla.org. With a fake certificate for Mozilla, it is possible that the MitM attack could block updates to your browser, or worse, feed you a spyware-laden version of the browser.
  • Press Release from Parent Company VASCO
  • Pastebin of the fraudulent Certificate
  • Allan’s blog post about the previous CA compromise, and more detail than can fit even in an episode of TechSNAP

GoogleDNS and OpenDNS launch ‘A Faster Internet’

  • The site promoted a DNS protocol extension called edns-client-subnet that would have the recursive DNS server pass along the IP subnet (not the full IP, for privacy) of the requesting client, to allow the authoritative DNS server to make a better geo-targeting decision.
  • A number of large content distributors and CDNs rely on GeoIP technology at DNS time to direct users to the nearest (and as such, usually fastest) server. However this approach is often defeated when a large portion of users are using GoogleDNS and OpenDNS and all of those requests come from a specific IP range. As this technology takes hold, it should make it possible for the Authoritative DNS servers to target the user rather than the Recursive DNS Server, resulting in more accurate results.
  • Internet Engineering Task Force Draft Specification
  • This change has already started affecting users; many users of services such as iTunes had complained of much slower download speeds when using Google DNS or OpenDNS. This was a result of being sent to a far-away node, and that node getting a disproportionate share of the total load. Now that this DNS extension has started to come online and is backed by a number of major CDNs, it should alleviate the problem.
  • ScaleEngine is in the process of implementing this, and already has some test EDNS-enabled authoritative name servers online.
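Added example (not Google's, OpenDNS's or ScaleEngine's code) of the edns-client-subnet option described above: encoding the truncated client subnet into the option, wrapping it in an OPT record, and parsing it back as an authoritative server would. It assumes the option code IANA later assigned in RFC 7871 (8); the 2011 draft used an experimental code.

```python
"""Encode and decode the EDNS Client Subnet (ECS) option described above.

Added example, not code from Google, OpenDNS or ScaleEngine. It builds the ECS
option a recursive resolver attaches to its upstream query, carrying only the
client's /24 (IPv4) or /56 (IPv6) rather than the full address, and parses it
back out as an authoritative server doing geo-targeting would. Option code 8 is
the value IANA assigned in RFC 7871; the 2011 draft the notes link to used an
experimental code, so adjust ECS_OPTION_CODE to match traffic from that era.
"""
import ipaddress
import struct
from typing import NamedTuple, Optional, Union

ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2      # address family numbers as used by the option


class ClientSubnet(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    scope_prefix_len: int   # 0 in a query; in a reply, how many bits the answer was tailored to


def encode_ecs(client_ip: str, source_prefix_len: Optional[int] = None,
               scope_prefix_len: int = 0) -> bytes:
    """ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS.

    The address is truncated to source_prefix_len bits and only the bytes that
    hold those bits are sent, which is what keeps the full client IP private.
    """
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if source_prefix_len is None:
        source_prefix_len = 24 if ip.version == 4 else 56
    net = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=False)
    addr = net.network_address.packed[:(source_prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option: bytes) -> ClientSubnet:
    """Parse one ECS option, rejecting malformed or inconsistent address fields."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated option")
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    if family == FAMILY_IPV4:
        full, cls = 4, ipaddress.IPv4Network
    elif family == FAMILY_IPV6:
        full, cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError(f"unknown address family {family}")
    if source > full * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    padded = ipaddress.ip_address(addr + bytes(full - len(addr)))
    # strict=True refuses non-zero bits beyond the prefix, which the option must not carry
    return ClientSubnet(cls(f"{padded}/{source}", strict=True), scope)


def opt_record(options: bytes, udp_payload_size: int = 4096) -> bytes:
    """Wrap option data in a full OPT pseudo-RR (RFC 6891) for the additional section:
    root name, TYPE 41, CLASS = UDP payload size, TTL = 0 (ext. RCODE/version/flags), RDLENGTH."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, len(options)) + options


if __name__ == "__main__":
    opt = encode_ecs("203.0.113.77")          # constructed client address
    print(opt.hex(), decode_ecs(opt))
    print(opt_record(opt).hex())
```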

Kernel.org Compromised

  • Attackers were able to compromise a number of Kernel.org machines
  • Attackers appear to have compromised a single user account, and then through unknown means, gained root access.
  • Attackers replaced the running OpenSSH server with a trojaned version, likely leaking the credentials of users who authenticated against it.
  • Kernel.org is working with the 448 people who have accounts there, to replace their passwords and SSH keys.
  • The attack was only discovered due to an extraneous error message about /dev/mem
  • Additional Article

Feedback:

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I have broken it apart and given one possible answer each week for the last few weeks. This week’s solution is Anycast. This is by far the most complicated and resource-intensive solution, but it is also the most scalable. Standard connections on the Internet are Unicast, meaning they go from a single point to another single point (typically, from a client to a specific server). There are also Broadcast (send to all nodes in the broadcast domain, such as your local LAN), and Multicast (send to a group of subscribed peers, used extensively by routers to distribute routing table updates, but does not work on the Internet). Anycast is different from Unicast: instead of sending the packet to a specific host, the packet is sent to the nearest host (in network terms, hops, not necessarily geographic terms). The way Anycast works is that your BGP-enabled routers announce a route to your subnet to the Internet from each of the different locations, and the other routers on the Internet update their routing tables with the route to the location that is the fewest hops away. In this way, your traffic is diverted to the nearest location. If one of your locations goes down, when the other routers do not get an update from the downed router, they automatically change their route to the next nearest location. If you want only failover, and not to distribute traffic geographically, you can have your routers prepend their routes with their own AS number a sufficient number of times to make the backup location always more hops than the main location, so it is only used if the main is down.

There are some caveats with this solution. The first is that TCP packets were never meant to be randomly redirected to another location: if a route change happens in the middle of an active session, that session will not exist at the second location, and the connection will be dropped. This makes Anycast unsuitable for long-lived connections, as routes on the Internet change constantly, routing around faults and congestion. Connections also cannot be made outbound from an Anycast IP, as the route back may end up going to a different server, and so a response will never be received; so servers require a regular Unicast address plus the Anycast address. A common solution to overcome the limitations of Anycast is to do DNS (which is primarily UDP) via Anycast, and have each location serve a different version of the authoritative zone, with the local IP address of the web server; this way the users are routed to the nearest DNS server, which then returns the regular IP of the web server at the same location (this solution suffers from the same problems mentioned above in the Google DNS story). Another limitation is that, due to the size of the address space on the Internet, most providers will not accept a route for a subnet smaller than a /24, meaning that an entire 256 IP address subnet must be dedicated to Anycast, and your servers will each require a regular address in a normal subnet. Announcing routes to the Internet also requires your own Autonomous System number, which are only granted to largish providers, or an ISP willing to announce your subnet on their AS number, but this requires a Letter of Authorization from the owner of the IP block.
ROUND-UP:

Bitcoin-Blaster:
