Breaking DKIM | TechSNAP 81
https://original.jupiterbroadcasting.net/26536/breaking-dkm-techsnap-81/
Thu, 25 Oct 2012 19:41:52 +0000


How an aviation blogger unlocked the secrets of the TSA’s barcode, if you’re a Barnes and Noble shopper we’ve got a story you need to hear, and a serious bug in the Linux Kernel.

Plus a batch of your questions, and our answers.

All that and so much more, in this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 


Show Notes:

    Barnes and Noble POS terminals compromised, debit card PINs stolen

    • Barnes and Noble discovered on September 14th that a number of the PIN pads for its point-of-sale system had been compromised
    • Barnes and Noble did not go public with the information until this week, at the request of investigators
    • Tampered PIN pads were found in 63 stores across the country, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island
    • The retailer reported that only about 1% of its PIN pads had been tampered with, but when the compromise was discovered on September 14th it disconnected all PIN pads at its 700 stores
    • It appears that a coordinated criminal enterprise infected PIN pads with malware that recorded credit/debit card numbers and PINs
    • B&N recommends that you change your debit card PIN and watch your debit and credit accounts for unauthorized transactions
    • Online purchases were not affected
    • Official Announcement from Barnes and Noble

    Aviation blogger finds that he can determine what security screening he will get from his boarding pass

    • Frequent flyer John Butler wrote a blog post this week after he was able to determine what level of security screening he would be subjected to at the airport, simply by reading the unencrypted barcode on his boarding pass
    • This raises the possibility that terrorist or smuggling groups could buy multiple tickets, check each one, and use those that subject them to the less intense screening process
    • The barcodes also appear to lack any form of MAC (Message Authentication Code) to protect them from unauthorized modification
    • It is unclear whether a modified barcode would be accepted, or whether it is checked against a central database
    • It is illegal under US law to tamper with or alter a boarding pass
    • The vulnerability appears to be confirmed by the specifications for the system published by the IATA (International Air Transport Association)
    • Every airport I’ve been through (YYZ, YHM, YYC, CDG, WAW, AMS) has not had any way to avoid the screening process; it appears that only the TSA allows you to pass through security without the basic screening. I have been randomly selected for additional screening (chemical residue test) twice
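As an added example (not from the show, the blogger's post or the IATA documents), here is how little stands between a reader and the contents of such a barcode: the mandatory items of an IATA BCBP string are a fixed-width layout that a dozen lines of Python can split apart, and nothing in the payload reveals that a field was changed. The passenger name, PNR, airports and flight below are constructed sample data; the `tag`/`verify_tag` functions and the `^` separator are a hypothetical MAC scheme added to show what the notes say is missing, not anything the IATA format or any airline implements.

```python
import hashlib
import hmac

# Fixed-width mandatory items of an IATA BCBP barcode (format code "M", one
# leg). Widths follow the public IATA BCBP layout; the conditional items that
# follow are variable-length and left unparsed here.
MANDATORY_FIELDS = [
    ("format_code", 1), ("number_of_legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr_code", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("date_of_flight", 3),        # Julian day of year, e.g. "299"
    ("compartment_code", 1), ("seat_number", 4), ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),      # hex length of the conditional items that follow
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)   # 60 characters

# Constructed sample boarding pass (not a real passenger, booking or flight).
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123 " + "YYZ" + "AMS"
          + "KL " + "0692 " + "299" + "Y" + "014A" + "0042 " + "1" + "00")


def parse_bcbp(data: str) -> dict:
    """Split the mandatory items; anyone holding the barcode can do this."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not an M-format BCBP string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].rstrip()
        pos += width
    cond_len = int(fields["conditional_size"] or "0", 16)
    fields["conditional_items"] = data[pos:pos + cond_len]
    return fields


# --- Hypothetical integrity protection, NOT part of the IATA format ---------

def tag(data: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag (hex, 128 bits) under an airline-held key."""
    mac = hmac.new(key, data.encode("ascii"), hashlib.sha256).hexdigest()[:32]
    return data + "^" + mac        # "^" separator is this example's own convention


def verify_tag(tagged: str, key: bytes):
    """Return (ok, payload); ok is False when any byte of the payload changed."""
    payload, sep, mac = tagged.rpartition("^")
    if sep != "^":
        return False, tagged
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected), payload


def tamper_demo(key: bytes = b"airline-secret-key") -> tuple:
    """Flip the passenger-status character (offset 57) and see who notices."""
    tampered = SAMPLE[:57] + "0" + SAMPLE[58:]
    parse_bcbp(tampered)                     # accepted silently: there is no MAC to fail
    tagged = tag(SAMPLE, key)
    ok_original, _ = verify_tag(tagged, key)
    ok_tampered, _ = verify_tag(tagged[:57] + "0" + tagged[58:], key)
    return ok_original, ok_tampered          # (True, False)


if __name__ == "__main__":
    for name, value in parse_bcbp(SAMPLE).items():
        print(f"{name:18} {value!r}")
    print("original verifies, tampered verifies:", tamper_demo())
```

A MAC only helps if the scanner at the checkpoint verifies it against the issuing airline's key; the other way to close the gap is the notes' open question, checking the barcode against a central record of what was issued.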

    Serious bug in the Linux kernel results in EXT4 data corruption

    • A bug was accidentally introduced in Linux kernel version 3.6.2, and then backported into 3.4 and 3.5
    • The bug has to do with the way the superblock and journal are updated, and can result in extensive data corruption, especially if a filesystem is unmounted shortly after it was mounted
    • A patch was posted, but was found not to fully solve the problem, so a second patch was posted later
    • Kernel 3.4.x is reaching end of life, and may not get an official patch

    DreamHost changes its SSH host keys without notifying customers

    • DreamHost, a large shared web hosting provider, generated new SSH host keys for all of its servers on Wednesday
    • DreamHost claims it is the “result of a security maintenance which we are performing to prevent exploitation of weak or outdated keys”
    • It seems like an excessive step unless one or more of the SSH host private keys were compromised, in which case that is huge security news
    • If the keys were compromised, someone could impersonate the DreamHost server and log the login attempts, capturing valid username and password combinations
    • DreamHost made a number of mistakes:
    • Not giving users a heads-up about the change before it happened: no email was sent, just a blog post that users were directed to when they contacted support about the error message
    • The blog post encourages users to simply delete the old key from their known_hosts and accept the new one, without verifying its authenticity
    • DreamHost did not publish a list of the fingerprints of the new keys, so customers could not verify the authenticity of the keys they are presented with when they connect
    • The purpose of SSH host key fingerprints is to verify the identity of the remote host. They work in much the same way as SSL certificates, except that there is no central certificate authority: it is up to the user to verify the identity of the key the first time. The main goal is to notify the user if the key suddenly changes, suggesting that you are not in fact connecting to the intended server but to some other server that may be trying to capture your credentials or perform a man-in-the-middle attack on you
    • An attacker able to perform a man-in-the-middle attack at a time when users have been told to ignore the security warning (and even to take the extra steps OpenSSH requires before it will accept a changed key) could be very successful
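What customers should have been able to do, as an added example (not DreamHost's procedure and not OpenSSH's code): compute the fingerprint of the host key the server presents, compare it with a fingerprint list the provider publishes out of band, and locate the matching entry in a hashed known_hosts file. The Ed25519 key bytes, the hostname and the salt below are constructed; a real check takes the key from `ssh-keyscan` output or from the `ssh` warning itself.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a server's public key: NOT a real key, just 32 bytes.
RAW_ED25519_PUBKEY = bytes(range(32))
HOSTNAME = "shell.example.org"                 # constructed


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_public_key_line(raw_pubkey: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line ('ssh-ed25519 <base64 blob> [comment]')."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_public_key_line(line: str):
    """Return (key_type, decoded blob); the blob's first field repeats the type."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match line")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH display: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy display OpenSSH used at the time: colon-separated hex of MD5(blob)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def presented_key_is_published(line: str, published: dict) -> bool:
    """published maps key type -> fingerprints the provider listed out of band."""
    key_type, blob = parse_public_key_line(line)
    mine = {fingerprint_sha256(blob), fingerprint_md5(blob)}
    return bool(mine & set(published.get(key_type, ())))


def hashed_known_hosts_entry(hostname: str, key_line: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)) key."""
    mac = hmac.new(salt, hostname.encode("ascii"), hashlib.sha1).digest()
    return "|1|{}|{} {}".format(base64.b64encode(salt).decode("ascii"),
                                base64.b64encode(mac).decode("ascii"), key_line)


def entry_matches_host(entry: str, hostname: str) -> bool:
    """Find which known_hosts line belongs to a host (what ssh-keygen -F does)."""
    host_field = entry.split(None, 1)[0]
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode("ascii"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


if __name__ == "__main__":
    line = ed25519_public_key_line(RAW_ED25519_PUBKEY)
    _, blob = parse_public_key_line(line)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    print(hashed_known_hosts_entry(HOSTNAME, line, b"\x01" * 20))
```

The provider's side of this is a single page listing each server's key types and fingerprints, served over HTTPS and announced by email before the rotation; without it a customer has nothing to compare against and "delete the old line and reconnect" is the only thing left to do.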

    Mathematician finds that Google and others were using weak keys for DKIM

    • Mathematician Zachary Harris got an email from a Google headhunter about a job as a Site Reliability Engineer
    • Since he is not an expert in that field, he assumed the email was a phishing scam
    • He examined the headers and determined that it was signed with the proper DKIM key, so it appeared to actually be from Google
    • DKIM (DomainKeys Identified Mail) is a scheme in which outbound email is cryptographically signed with a private key and verified against a public key published in DNS, so that only mail actually sent by the domain carries a valid signature; it is a common anti-spam and anti-phishing mechanism
    • He noticed that Google was using only a 512-bit RSA key for DKIM
    • Harris explored other sites and found the same problem with the keys used by Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Match.com, PayPal, SBCGlobal, Twitter, US Bank and Yahoo
    • He found keys of 384, 512 and 768 bits, despite the fact that the DKIM standard (RFC 6376) requires signers to use keys of at least 1024 bits
    • A 384-bit key can be factored on a laptop in 24 hours, while a 512-bit key can be factored in about 72 hours on Amazon EC2 for around $75
    • In 1998 it was an academic breakthrough requiring great concerted effort to factor a 512-bit key; today anyone can do it alone in 72 hours on AWS
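An added example (not Harris's tooling, and not from the show) of the check every mail operator should run against their own DKIM selector records: decode the `p=` value, walk the DER SubjectPublicKeyInfo down to the RSA modulus, and refuse anything under 1024 bits. To stay offline it also constructs the records it checks; the moduli are constructed integers of the right size, not real keys, and no DNS query is made (in production the record comes from `dig TXT selector._domainkey.example.com`).

```python
import base64
import re

# ---- minimal DER encoder, used only to construct sample records offline ----

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body             # keep the INTEGER positive
    return der(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo wrapping RSAPublicKey {n, e}: the form DKIM's p= tag carries."""
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    algorithm = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL params
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))   # BIT STRING, 0 unused bits


def dkim_record(n: int, e: int = 65537) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode("ascii")


# Constructed moduli: the right bit lengths, but not real keys.
WEAK_512_RECORD = dkim_record((1 << 511) | 0x1234567)
WEAK_384_RECORD = dkim_record((1 << 383) | 0x1234567)
OK_1024_RECORD = dkim_record((1 << 1023) | 0x1234567)
OK_2048_RECORD = dkim_record((1 << 2047) | 0x1234567)


# ---- verifier side: the check to run against published records ------------

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the TLV) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(record: str) -> int:
    """Bit length of the RSA modulus in a DKIM TXT record (k=rsa only)."""
    tags = dict(item.strip().split("=", 1) for item in record.split(";") if "=" in item)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only RSA DKIM keys are handled here")
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))
    _, spki_body, _ = der_read(spki)              # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = der_read(spki_body)         # AlgorithmIdentifier (skipped)
    _, bit_string, _ = der_read(spki_body, after_alg)
    _, rsa_key, _ = der_read(bit_string[1:])      # RSAPublicKey (skip unused-bits byte)
    _, modulus, _ = der_read(rsa_key)             # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def is_weak(record: str, minimum_bits: int = 1024) -> bool:
    """RFC 6376 requires signers to use at least 1024-bit RSA keys."""
    return modulus_bits(record) < minimum_bits


if __name__ == "__main__":
    for label, rec in [("512", WEAK_512_RECORD), ("384", WEAK_384_RECORD),
                       ("1024", OK_1024_RECORD), ("2048", OK_2048_RECORD)]:
        print(label, modulus_bits(rec), "WEAK" if is_weak(rec) else "ok")
```

Key length is only half of the check the story implies: a weak key that has been published for years should be treated as already factored, so the fix is to publish a new selector with a 1024- or 2048-bit key and then remove the old record, not just to rotate in place.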

    Feedback:

    While having lunch at EuroBSDCon, a FreeBSD developer recognized me from the Linux Action Show. He just so happened to be one of the main USB developers, and proceeded to correct (yell at) me. He recently expended a great deal of effort to improve support for webcams and other USB devices under FreeBSD 9.1 (and therefore PC-BSD as well). As further evidence of this, once we were done talking, someone walked up and handed him a USB ethernet adapter that was not supported, a hardware donation to drive development.

    Roundup

    DHCP Attacks | TechSNAP 43
    https://original.jupiterbroadcasting.net/16601/dhcp-attacks-techsnap-43/
    Thu, 02 Feb 2012 20:29:53 +0000

    Find out how a simple system update brought DreamHost down for nearly two days, and how the MS Updater Trojan works.

    PLUS: We answer frequently asked DNS questions, and a war story you’ll never forget!

    All that and more, on this week’s TechSNAP!

    Thanks to:

    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before February 29, 2012 to secure your own .co domain name for the same price as a .com.

    Pick your code and save:
    cofeb8: .co domain for $7.99
    techsnap7: $7.99 .com
    techsnap10: 10% off
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans
    Deluxe Hosting for the Price of Economy (12+ mo plans)
    Code:  hostfeb8
    Dates: Feb 1-29

       


    Show Notes:

    Ongoing targeted attacks against defense and aerospace industries

    • Researchers have published a detailed analysis of the ‘MSUpdater Trojan’
    • The trojan was mostly spread using targeted spear-phishing attacks, emailing people who would have access to sensitive information
    • The goal of the remote access trojan was to steal sensitive or classified information about aerospace or defense designs
    • The trojan changed rapidly to avoid detection, and used a variety of methods to infect computers, including zero-day PDF exploits and fake conference invitations (usually targeted to the recipient’s area of interest, including ISSNIP, the IEEE Aerospace Conference, and an Iraq Peace Conference)
    • Communications between the infected machines and the C&C servers often took the form of HTTP traffic using the URL structure of Microsoft Windows Update (hence the trojan’s name) and Windows Error Reporting, most likely to avoid detection by IDSs and manual traffic analysis. Other versions of the trojan used fake Google searches with encoded parameters
    • The dropped trojan could detect that it was running in a virtual machine, and if so would not infect the machine. This let it go undetected for longer and, until discovered, hampered analysis by researchers
    • Outline by Researchers
    • Research and Analysis of the Trojan
    • Research paper on detecting Virtual Machines
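An added detection example (not the researchers' code, and not the trojan's real URLs, which the notes do not give): a hunting rule over proxy logs that flags requests whose path imitates Windows Update or Windows Error Reporting but whose host is not a Microsoft domain. The log lines, the path patterns and the allowlist of Microsoft host suffixes are all constructed for the example; in a real environment the allowlist comes from Microsoft's published endpoint list and the patterns from the sample you actually captured.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: hosts under these suffixes legitimately serve
# Windows Update / Windows Error Reporting traffic.
LEGIT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")

# Illustrative path shapes that "look like" update or crash-report traffic.
UPDATE_LIKE_PATH = re.compile(r"/(windowsupdate|watson|wer)(/|$)", re.IGNORECASE)

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = [
    "2012-01-30T09:12:01Z 10.1.4.23 GET http://download.windowsupdate.com/windowsupdate/v6/default.aspx 200",
    "2012-01-30T09:12:05Z 10.1.4.23 GET http://203.0.113.7/windowsupdate/v6/default.aspx?id=7f3a 200",
    "2012-01-30T09:13:10Z 10.1.4.40 POST http://watson.microsoft.com/wer/report.aspx 200",
    "2012-01-30T09:13:12Z 10.1.4.40 POST http://updates-cdn.example.net/wer/report.aspx 200",
    "2012-01-30T09:14:00Z 10.1.4.51 GET http://www.example.org/index.html 200",
    "garbage line that does not parse",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def host_is_legit(host: str) -> bool:
    """True when host is one of the allowlisted suffixes or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def flag_c2_candidates(lines) -> list:
    """Return (client, url, reason) for each request that mimics Microsoft URL
    structure while talking to a host outside the Microsoft allowlist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # unparsable line: skip, never crash a hunt
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if UPDATE_LIKE_PATH.search(parts.path) and not host_is_legit(host):
            hits.append((m["src"], m["url"], f"update-like path on non-Microsoft host {host}"))
    return hits


if __name__ == "__main__":
    for src, url, reason in flag_c2_candidates(SAMPLE_LOG):
        print(src, url, reason)
```

This is a hunt query to run over retained logs rather than a blocking rule: an attacker can pick a path you have not listed just as easily, and the value is in the asymmetry the notes describe, traffic that looks like Windows Update going somewhere Windows Update never goes.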

    DreamHost suffers massive outage due to automated Debian package updating

    • DreamHost had a policy of automatically installing the latest packages from its repository on all of its machines, including VPS and dedicated servers rented to customers
    • Something in one or more of these packages caused some dependencies to be uninstalled, resulting in Apache, the FTP server and in some instances MySQL being uninstalled or unable to start properly
    • DreamHost is a very large attack target due to the number of servers and domains it hosts, so it must work diligently to ensure updates are applied to prevent massive numbers of machines from being compromised
    • DreamHost had to manually resolve many of the dependencies and was unable to fix the issue in an automated fashion, requiring hands-on admin time on each individual server and VPS
    • DreamHost has now changed its update policy: packages from Debian will be tested extensively before they are pushed to all customer servers

    Feedback

    Q: Chris D asks about monitoring solutions

    A: I personally use Nagios + NagiosGraph for my monitoring, although I have also experimented with Zabbix recently. We discussed a number of monitoring applications in TechSNAP 20 – Keeping it up. Nagios configures each host/service from files, but supports extensive templating and host/service groups, allowing you to quickly configure servers that are nearly identical. Zabbix is powered by a database, which is both a pro and a con, but the main advantage I gave to NagiosGraph was that the historical data is stored in RRD files rather than a database, meaning it is aged to require less space. Zabbix by default deletes old data to avoid accumulating massive amounts of data.

    Chris uses: monitor.us (wants them to sponsor us)
    Allan has monitoring included in his DNS Failover Service from DNS Made Easy

    Q: Joshua asks about DNS A Records vs CNAME Records

    A: If the CNAME is inside the same domain, the authoritative server will usually return the result with the response for the CNAME. For example, if static.example.com is a CNAME to www.example.com, the A record for www.example.com will be included in the response. However if the CNAME is for something like example.cdn.scaleengine.net then a 2nd lookup is required. To answer the second part of your question, it is not possible to do an HTTP redirect at the DNS level, so NGINX is the best place to do it, if done correctly this redirect can be cached by Varnish to avoid any additional latency. You could hard-code the redirect in to Varnish as well. I applaud your use of a cookieless domain for your static content.
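The two cases in the answer traced in code, as an added example (not Allan's setup and not real DNS data): a toy authoritative server that follows a CNAME inside its own zone and includes the target's A record in the same response, and a resolver that has to send a second query when the alias points into another zone. The zones and addresses are constructed.

```python
from typing import Dict, List, Tuple

# Constructed zone data (not real records). name -> (type, rdata)
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "example.com.": {
        "www.example.com.": ("A", "192.0.2.10"),
        "static.example.com.": ("CNAME", "www.example.com."),            # in-zone alias
        "cdn.example.com.": ("CNAME", "example.cdn.scaleengine.net."),  # out-of-zone alias
    },
    "scaleengine.net.": {
        "example.cdn.scaleengine.net.": ("A", "198.51.100.7"),
    },
}


def zone_for(name: str) -> str:
    """The zone authoritative for name: its longest matching zone suffix."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    if not matches:
        raise LookupError(f"no authoritative zone for {name}")
    return max(matches, key=len)


def authoritative_answer(name: str) -> List[Tuple[str, str, str]]:
    """One server's reply: it chases a CNAME only while the target stays in its zone,
    so an in-zone alias comes back with the A record attached in the same response."""
    records = ZONES[zone_for(name)]
    answer = []
    while name in records:
        rtype, rdata = records[name]
        answer.append((name, rtype, rdata))
        if rtype != "CNAME":
            break
        name = rdata
    return answer


def resolve_a(name: str) -> Tuple[str, int]:
    """Recursive-resolver view: return (address, number of queries sent)."""
    queries, seen = 0, set()
    while True:
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        queries += 1
        answer = authoritative_answer(name)
        if not answer:
            raise LookupError(f"NXDOMAIN {name}")
        _, rtype, rdata = answer[-1]
        if rtype == "A":
            return rdata, queries
        name = rdata        # chain ended on a CNAME the server could not follow: ask again


if __name__ == "__main__":
    for n in ("www.example.com.", "static.example.com.", "cdn.example.com."):
        print(n, resolve_a(n))
```

The query count is the latency cost the answer refers to: the out-of-zone CNAME costs one extra round trip on every cold lookup, which a resolver cache hides only until the TTL expires.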


    War Story

    This week’s war story is sent in by Irish_Darkshadow (the other other Alan)


    The Setting:

    IBM has essentially two “faces”, one is the commercial side that deals with all of the clients and the other is a completely internal organisation called the IGA (IBM Global Account) that provides IT infrastructure and support to all parts of IBM engaged with commercial business.

    The events described here took place in early 2005.

    The Story:

    There is an IBM location in Madrid, Spain which was staffed by about two thousand people at the time of this war story. The call centre in Dublin was tasked with supporting the users in that site and every single one of them had been trained in what I called “Critical Situations – Connectivity Testing”. The training took about 4 hours to deliver and was followed up with some practical tests over the next two weeks to ensure the content was sinking in. There was also some random call recording done to detect the techniques being used on live calls too.

    Early one morning a call came in to the Spanish support line from a user who had arrived to work late and was unable to get access to her email server. The agent immediately started to drill into the specifics of the problem and realised that the user simply had no network connectivity to her email. The next step in the training says to establish whether the user actually has partial connectivity or a complete loss. The agent began with a simple IPCONFIG /ALL and noticed right away that the user had a 192.168.x.x IP address. This is quite an unusual thing to get on a call from an internal IBM user and the agent didn’t know what to do next and started to get some empirical data before escalating the issue. The key question was – are you the only user affected? The user confirmed that everyone around her was working away with no issues.

    The team leader for the Spanish support desk picked up on the call and decided to call my team for some troubleshooting tips. I dropped over to the call and started listening in (which was useless as it was all in frickin’ Spanish) in the hopes of catching something “weird” from the call. The 192 address piqued my curiosity so I had the agent check for a statically assigned IP address…the XP based computer the user was operating was set to use DHCP. Hmmmm…

    While this call really started to gain my interest, I started hearing of other calls beginning to come in from other users in the same building with the same problem. The agents on those calls were able to confirm to me that these users were on different floors than the original user. So I now had a building on my hands that was slowly losing connectivity to these 192 addresses and the only possibility was a rogue DHCP server.

    I suspected that the network topology and physical structure was about to play an important part in isolating the problem so I called up the onsite technicians and managed to get one who knew the building and the network inside out. Each floor of this 20+ floor building has a comms room where 24 / 48 port switches were used to supply each area of the floors. The best part was that this guy actually had a map of which ports were patched to which desks for every floor.

    Now that I was firmly into Sherlock Holmes mode I asked the onsite guy to arrange some teams for me. For each of the known affected floors I needed a tech in the comms room and another testing computers. We had hatched a plan to start from the original floor that was affected by unpatching one switch at a time from the building network and doing a release / renew on a PC in that newly unpatched section to see if we got a 169.254.x.x address. If that happened then we knew that the rogue DHCP server was not in that specific section (clever eh? what do you mean no? well screw you, you weren’t there man…it was a warzone!). We repeated this pattern for five floors with no success so we expanded one floor up and one floor down. Eventually one of the techs ran the test and the PC picked up a new 192.168.x.x lease…..we had the root of the problem within our grasp and it was time to close the net (too much? I’m trying to make this sound all actiony….in my head it has AWESOME danger music).

    The onsite guys managed to check every PC in the suspect floor area and the rogue server was still not found. They yanked the cable from every PC in the area and while the rest of the building was recovering, we knew that if we repatched this section that the problem would spread again. When all the PCs were disconnected, I asked the onsite guy to check the switch for activity and there was still one port showing traffic. Despite having all the PCs on the floor disconnected…the rogue was still operational. I questioned if there were any meeting rooms or offices on the floor and there was one. AHA! Upon closer inspection, the empty office had a laptop on the desk that was showing activity on the NIC lights. They yanked the cable and tested a PC on the floor…..169.254.x.x…SUCCESS. The switch was repatched to the building network and all of the PCs recovered. The technician I had called originally started to cackle maniacally over the phone. Perhaps it was better described as derisive laughter. Apparently the door to the office that housed the rogue DHCP laptop had a sign on it that read – IT Manager!!!

    When we managed to get a full post mortem / lessons learned done it turned out that the IT Manager had arrived to the building about an hour after most users start work and half an hour prior to the arrival of the original caller to the Dublin support centre. So every user who worked normal hours had arrived to work and gotten a valid IP lease. Then the IT Manager showed up, connected his laptop and buggered off to a meeting. 192.168.x.x addresses started getting issued. At that point the original user arrives to work, gets a bad IP and calls the support desk. It turned out that over the weekend the IT Manager had enabled Internet Connection Sharing so that his daughter could get online through the broadband on the laptop from her home PC. He hibernated the laptop, forgot all about the ICS being enabled and just connected it up at work that morning without even thinking about it .

    Sometimes, late at night….I can still hear that derisive laughter and it makes me sad when I think of all those IT Managers out there who can do stupid shit like this and yet retain their positions!


    It just goes to show, that the methodical approach may not always be the fastest approach, but because it solves the problem every single time, it usually results in a faster resolution and a better understanding of what the issue was.
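An added example (not from the story or IBM's tooling) of the check that finds a rogue server from a packet capture rather than by unpatching switches floor by floor: parse the DHCP OFFER and ACK replies seen on the wire and alert on any whose server identifier (option 54) is not one of the known DHCP servers, or whose offered address falls outside the expected pool. The packets are constructed in code following the RFC 2131 layout; the authorized server and lease pool are assumptions for the example. The story's 192.168.x.x leases are exactly what the second check catches.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER, DHCP_ACK = 2, 5

# Assumptions for the example: the corporate DHCP server(s) and the lease pool.
AUTHORIZED_SERVERS = {"10.20.0.5"}
EXPECTED_POOLS = [ipaddress.ip_network("10.20.0.0/16")]


def build_dhcp_reply(msg_type: int, yiaddr: str, server_id: str, xid: int = 0x3903F326) -> bytes:
    """Constructed BOOTREPLY packet (RFC 2131 fixed header + options)."""
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         2, 1, 6, 0, xid, 0, 0,                 # op=BOOTREPLY, Ethernet, hlen 6
                         b"\0" * 4,                              # ciaddr
                         ipaddress.ip_address(yiaddr).packed,    # yiaddr: the offered lease
                         b"\0" * 4, b"\0" * 4)                   # siaddr, giaddr
    header += bytes(16) + bytes(64) + bytes(128)                 # chaddr, sname, file
    options = MAGIC_COOKIE
    options += bytes([53, 1, msg_type])                                  # DHCP message type
    options += bytes([54, 4]) + ipaddress.ip_address(server_id).packed   # server identifier
    options += b"\xff"                                                   # end
    return header + options


def parse_dhcp(pkt: bytes) -> dict:
    """Pull op, xid, yiaddr and the options a rogue-server check needs."""
    fields = struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    op, xid, yiaddr = fields[0], fields[4], fields[8]
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, pos = {}, 240
    while pos < len(pkt) and pkt[pos] != 255:
        if pkt[pos] == 0:                  # pad option has no length byte
            pos += 1
            continue
        code, length = pkt[pos], pkt[pos + 1]
        options[code] = pkt[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.ip_address(yiaddr)),
        "msg_type": options.get(53, b"\0")[0],
        "server_id": str(ipaddress.ip_address(options[54])) if 54 in options else None,
    }


def classify(pkt: bytes) -> tuple:
    """Return (server_id, verdict) for one packet."""
    p = parse_dhcp(pkt)
    if p["op"] != 2 or p["msg_type"] not in (DHCP_OFFER, DHCP_ACK):
        return p["server_id"], "ignored"        # only server replies matter here
    reasons = []
    if p["server_id"] not in AUTHORIZED_SERVERS:
        reasons.append("unauthorized server identifier")
    if not any(ipaddress.ip_address(p["yiaddr"]) in pool for pool in EXPECTED_POOLS):
        reasons.append("lease outside expected pool")
    return p["server_id"], ("ROGUE: " + ", ".join(reasons)) if reasons else "ok"


def rogue_servers(packets) -> list:
    """Distinct server identifiers that sent a rogue OFFER/ACK, sorted."""
    return sorted({sid for sid, verdict in map(classify, packets) if verdict.startswith("ROGUE")})


# Constructed capture: one legitimate offer, then an ICS-style laptop handing out 192.168.x.x.
CAPTURE = [
    build_dhcp_reply(DHCP_OFFER, "10.20.3.44", "10.20.0.5"),
    build_dhcp_reply(DHCP_OFFER, "192.168.0.101", "192.168.0.1"),
    build_dhcp_reply(DHCP_ACK, "192.168.0.101", "192.168.0.1"),
]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(classify(pkt))
    print("rogue servers:", rogue_servers(CAPTURE))
```

On managed switches the permanent fix is DHCP snooping, which drops OFFER and ACK packets arriving on any port not marked trusted; the check above is the same rule applied passively to a capture, and the server identifier it reports is the address to chase back through the switch's MAC table.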


    Round Up

    Answers for Everyone | TechSNAP 42
    https://original.jupiterbroadcasting.net/16331/answers-for-everyone-techsnap-42/
    Thu, 26 Jan 2012 20:40:12 +0000

    We’ve got the answer to life the universe and everything, plus why you need to get upset about ACTA, and patch your Linux Kernel!

    All that and more, in this Q&A PACKED edition of TechSNAP!

    Thanks to:
    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Pick your code and save:
    DOTCO9: .co domain for $17.99
    techsnap7: $7.99 .com
    techsnap10: 10% off
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans

       


    Show Notes:

    DreamHost gets hacked, resets all customers’ passwords, has scale issues

    • On January 19th, DreamHost detected unauthorized activity in one of its databases
    • It is unclear which databases were compromised: whether they were DreamHost’s own databases of customer data, or customers’ site databases
    • DreamHost uses separate passwords for its main web control panel and for individual user SSH and FTP accounts
    • DreamHost ran into scale issues, where its centralized web control panel could not handle the volume of users logging in and attempting to change their shell passwords
    • The fast forced password reset by DreamHost appears to have promptly ended the malicious activity
    • Based on the urgency of the reset, there are indications that DreamHost stores users’ passwords in plain text in one or more databases
    • This assertion is further supported by the fact that they print passwords on confirmation screens and in emails
    • DreamHost also reset the passwords of all of its VPS customers

    Linux root exploit – when the fix makes it worse

    • Linux kernel versions newer than 2.6.39 are susceptible to a local root exploit that allows writing to protected memory
    • Prior to 2.6.39, write access was prevented by an #ifdef; this was deemed too weak and was replaced by newer code
    • The new security code, which was meant to ensure that writes were only possible with the correct permissions, turned out to be inadequate and easily fooled
    • Ubuntu has confirmed that an update for 11.10 has been released; users are advised to upgrade
    • This issue does not affect Red Hat Enterprise Linux 4 or 5, because the change was not backported. A new kernel package for RHEL 6 is now available
    • Analysis
    • Proof of Concept
    • Proof of Concept for Android

    Feedback

    Q: Tzvi asks how to best Monitor employee Internet usage?

    A: There are a number of ways to monitor and restrict Internet access through a connection you control. A common suggestion is the use of a proxy server. The issue with this is that it requires configuration on each client machine and sometimes even each client application. This is a lot of work, and is not 100% successful. However, there is an option known as a ‘transparent proxy’. This is where the router/firewall, or some other machine that all traffic to the Internet must pass through, analyzes the traffic and routes outbound connections for port 80 or 443 (HTTP and HTTPS respectively, and optionally additional ports) through the proxy server, without any configuration required on the individual clients. Then you can use the firewall to deny all outbound traffic that is not via the proxy.

    This is relatively easy to setup, so much so that as part of the final exam in my Unix Security class, students had 2 hours to setup their machine as follows:

    • Configure TCP/IP stack
    • Download GPG and Class GPG Key
    • Decrypt Exam Instructions
    • Install Lynx w/ SSL support
    • Install a class self-signed SSL certificate and the root certificate bundle to be trusted
    • Install and configure Squid to block facebook with a custom error page
    • Configure Lynx to use Squid
    • Create a default deny firewall that only allows HTTP via squid and FTP to the class FTP server
    • Access the college website and facebook (or rather the custom error page when attempting to access facebook)

    While they had a little pract
ice, and didn’t have to configure a transparent proxy, it is still a fairly straightforward procedure.

    Instead of rolling your own, you can just drop in pfSense and follow these directions


    Q: Brett asks, what do you do after a compromise?

    A: The very first thing you do after a compromise is take a forensic image of the drive: a bit-by-bit copy, without ever writing to or changing the disk in any way. You then pull that disk out and put it away for safe keeping. Do all of your analysis and forensics on copies of that first image (but do not modify it either; you don’t want to have to do another copy from the original). This way, as you work on it and things get modified or trashed, you do not disturb the original copy. You may need the original unmodified copy for legal proceedings, as the evidentiary value is lost if it is modified or tampered with in any way.

    So your best bet is to boot off of a live CD (not just any live CD; many try to be helpful and auto-mount every partition they find, so use a forensics live CD that will not take any action without you requesting it). Then use a tool like dd to image the drive to a file or another drive. You can then work off copies of that. This can also work for damaged disks, using command switches for dd such as conv=noerror,sync. Also, using a block size of 1 MB or so will speed up the process greatly.

    You asked about Tripwire and the like; the problem with Tripwire is that you need to have been running it since before the incident, so that it has a fingerprint database of what the files should look like and can detect what has changed. If you did not have Tripwire set up and running before, while it may be possible to create a fingerprint database from a backup, it is not that useful.
    The freebsd-update command includes an ‘IDS’ command that compares all of the system files against the central fingerprint database used to update the OS, and provides quick and powerful protection against the modification of system files, but it does not check any files installed by users or packages. The advantage of the freebsd-update IDS over Tripwire is that it uses the FreeBSD Security Officer’s fingerprint database, rather than a locally maintained one that may have been modified as part of the system compromise. In college I wrote a paper on using Bacula as a network IDS; I’ll see if I can find it and post it on my blog at appfail.com.
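An added example (not from the answer, and not a replacement for dd) of what `conv=noerror,sync` actually does and why it matters for evidence: read the source block by block, substitute a zero-filled block for any read that fails so every later byte keeps its original offset, record which blocks were lost, and hash the image as it is written so the copy can later be shown to be unmodified. The damaged drive is a constructed in-memory stand-in that raises I/O errors on chosen blocks.

```python
import hashlib
import io


class FlakyDisk:
    """Constructed stand-in for a damaged drive: a read that starts inside a bad
    block raises OSError(EIO); everything else reads normally."""

    def __init__(self, data: bytes, block_size: int, bad_blocks):
        self._data, self._bs, self._bad, self._pos = data, block_size, set(bad_blocks), 0

    def seek(self, offset: int) -> int:
        self._pos = offset
        return self._pos

    def read(self, n: int) -> bytes:
        if self._pos // self._bs in self._bad:
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def image_device(src, dst, block_size: int = 1 << 20):
    """dd-style copy equivalent to `dd conv=noerror,sync bs=<block_size>`.
    Returns (sha256 hex digest of the image, list of unreadable block numbers)."""
    digest, bad_blocks, block = hashlib.sha256(), [], 0
    src.seek(0)
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(block)                  # noerror: record it and keep going
            chunk = bytes(block_size)                 # sync: write zeros in its place
            src.seek((block + 1) * block_size)        # move past the bad block
        else:
            if not chunk:
                break                                 # end of device
            chunk = chunk.ljust(block_size, b"\0")    # sync also pads a short final read
        dst.write(chunk)
        digest.update(chunk)
        block += 1
    return digest.hexdigest(), bad_blocks


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a working copy before analysis to prove it matches the original image."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed 5000-byte "drive" with 1 KiB blocks; blocks 1 and 3 are unreadable.
SAMPLE_DATA = bytes(range(256)) * 19 + bytes(range(136))     # 19*256 + 136 = 5000
BLOCK = 1024
BAD = (1, 3)


def demo():
    """Image the constructed drive; returns (sha256, bad blocks, image bytes)."""
    out = io.BytesIO()
    sha, bad = image_device(FlakyDisk(SAMPLE_DATA, BLOCK, BAD), out, BLOCK)
    return sha, bad, out.getvalue()


if __name__ == "__main__":
    sha, bad, image = demo()
    print("image bytes:", len(image), "bad blocks:", bad, "sha256:", sha)
    print("working copy verifies:", verify_image(image, sha))
```

Without `sync`, a failed read would shorten the image and shift every later filesystem structure off its expected offset; the recorded bad-block list and the hash are what you hand over with the image so that anyone can tell which bytes are genuine and that the copy they examine is the one you made.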


    Q: Jono asks, VirtualBox vs. Bare to the metal VMs?

    • Xen, KVM and VirtualBox are not bare metal; they require a full Linux host
    • XenServer is similar to VMware ESXi, in that it is bare metal. It uses a very stripped-down version of CentOS and therefore far fewer resources than a full host. However, XenServer is a commercial product (though there is a free version)
    • The advantage of XenServer over VMware ESXi (both are commercial but free) is that XenServer is supported by more open source management tools, such as OpenStack

    Q:Gene asks, IT Control is out of control, what can we users do?


    Q: Crshbndct asks, Remote SSH for Mum


    Roundup
