Duqu – Jupiter Broadcasting

OPM Data too Valuable to Sell | TechSNAP 219
https://original.jupiterbroadcasting.net/83962/opm-data-too-valuable-to-sell-techsnap-219/
Thu, 18 Jun 2015 17:58:20 +0000

The post OPM Data too Valuable to Sell | TechSNAP 219 first appeared on Jupiter Broadcasting.


Kaspersky Lab has been hacked; we’ll tell you why it looks like a nation state was the attacker, why OPM data is too valuable to sell, and the real situation with LastPass.

Plus some great questions, our answers & a rocking round up.

All that and much, much more on this week’s TechSNAP!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Kaspersky Lab hacked

  • “Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, ‘We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.’”
  • “The firm dubbed this attack Duqu 2.0. It’s named after a specific series of malware called Duqu, which was considered to be related to the Stuxnet attack that targeted states like Iran, India, France, and the Ukraine in 2011.”
  • “The post went on to say that it was not wise to use an advanced never-before-used technology to spy on a firm. For one, Kaspersky sells access to a great deal of its technologies, so this group could have just paid for it. Also, in its attempt to infiltrate Kaspersky, it clued the company into the next generation spying technologies hackers are developing.”
  • “‘They’ve now lost a very expensive technologically-advanced framework they’d been developing for years,’ the post explained.”
  • “In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.”
  • “From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.”
  • Blog: Kaspersky statement on Duqu 2.0 attack
  • Research: The mystery of Duqu 2.0
  • Research: The Duqu 2.0 persistence module

U.S. Office of Personnel Management (OPM) hacked

  • “OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.”
  • The Office of Personnel Management (OPM) confirmed that both current and past employees had been affected.
  • The breach could potentially affect every federal agency
  • OPM said it became aware of the breach in April during an “aggressive effort” to update its cyber security systems.
  • As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”
  • “In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”
  • “That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.”
  • Krebs Coverage
  • The Krebs article has a great timeline
  • US Law Makers demand encryption after OPM hack
  • DHS says: Encryption would not have helped OPM
  • OPM’s archaic IT infrastructure to blame for breach
  • Krebs finds that the version of OPM data offered on the darkweb is actually from a different hack: https://krebsonsecurity.com/2015/06/opms-database-for-sale-nope-it-came-from-another-us-gov/

Feedback:

BSDCan Videos:

The videos from BSDCan have started to appear. Not all of them are online yet, but a good sample to get you started.

  • https://www.youtube.com/playlist?list=PLWW0CjV-TafY0NqFDvD4k31CtnX-CGn8f

Round Up:


Global Blackout a Hoax | TechSNAP 51
https://original.jupiterbroadcasting.net/18402/global-backout-a-hoax-techsnap-51/
Thu, 29 Mar 2012 19:34:40 +0000

We bust Anonymous’ over-hyped Operation Global Blackout, cover Microsoft's bust of the Zeus botnet, explain some fundamentals of DNS!

The post Global Blackout a Hoax | TechSNAP 51 first appeared on Jupiter Broadcasting.


Microsoft leads raids on the Zeus botnet and seizes their servers, Duqu still evolving and new details have been revealed.

And we bust Anonymous’ over-hyped Operation Global Blackout.

All that and more, on this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer: $5.99 .coms, up to 5 domains! just use our code 599com7

Want to save money on your entire order? Use our code spring7 and save 15%!


Show Notes:

Duqu still evolving

  • Researchers have recently discovered a newly compiled driver for the Duqu worm
  • Duqu is rather unique, as it appears to be a framework for building highly targeted malware to attack a specific target, as opposed to regular malware that is designed to target as wide an array of victims as possible
  • Researchers believe that the number of victims targeted by Duqu could be as few as 50
  • The new mcd9x86.sys Duqu driver appears to be specifically designed to evade detection by the CrySyS Lab tool built by the Hungarian researchers who initially discovered Duqu
  • The new driver does not appear to contain any new functionality; however, in addition to changing the signature to make it harder to detect, the new driver may have been necessary because the code signing certificate used to sign the old driver has been revoked
  • Researchers, assisted by crowdsourced analysis and the reverse engineering subreddit, identified the language that parts of Duqu were written in as object-oriented C, which is quite rare compared to C++
  • Researchers speculate that this means the authors of Duqu are older programmers, brought up in traditional C, who did not trust the abstracted memory management and other features of C++ and were more comfortable writing C and using an OO framework

Microsoft launches operation b71, leads raid against Zeus Botnet

  • This week Microsoft led a coalition raid against a set of Command and Control servers for the Zeus botnet
  • Microsoft was joined by the FS-ISAC (Financial Services – Information Sharing and Analysis Center), NACHA (the Electronic Payments Association), the ABA (American Bankers Association)
  • Microsoft and its co-plaintiffs filed for a temporary restraining order and a seizure order to confiscate the servers for the botnet
  • The court ordered the US Marshals to seize the servers from two data centers in Chicago, IL and Scranton, PA
  • The Marshals were accompanied by Microsoft’s lawyers and forensics experts to assist in identifying the machines and isolating the command and control systems
  • The court also ordered the Marshals to collect 4 hours of internet traffic bound for the C&C servers before disconnecting them
  • The court ordered all US based domain registrars associated with the domains Microsoft identified as belonging to the botnet to redirect them to a Microsoft controlled server
  • This is the first known case of a company using the RICO act to seize servers and domain names
  • Official Legal Filings
  • Security Week
  • Digital Underground – Interview
  • Microsoft Digital Crimes Unit Newsroom

Feedback:

Q: Simon from Australia writes to ask about the security implications of the DNS AXFR command

Xonotic Server Info

  • Name: JupiterColony / LAS Xonotic Server
  • IP: 176.31.45.139:26000

War Story:

When Kids Attack

In summer 1999, around June, just before my son was born, I was working in tech support with IBM at night and during the day I was doing some freelance IT jobs. One job that consistently came up was teaching the basics of networking with Windows systems in some local schools. The course I wrote up covered a lot of ground and took two four-hour sessions to complete.

The curriculum I decided upon started off with about an hour covering the components of a PC and their basic functions. I explained how the BIOS on the motherboard was a kind of “proto operating system” that allowed the hardware to be manipulated at a very low level. The next portion covered how to install an operating system and then add in specific software drivers to allow the hardware to be used effectively. The operating system of choice at this point was Windows 98. Despite that I spent a good 40% of that topic covering how DOS was the best solution for when Windows breaks. As part of the operating system tour I would make sure to cover things like the startup folder, the “new” msconfig tool, the “run” keys and the “run once” keys in the registry and even how to create keys that would allow applications to be run as if they were “services” by adding keys for them. By the end of that 4 hour session, my aim was to have the students leave with a solid and practical understanding of the magical mysteries inside a PC case. Most of the kids were in their mid-teens so keeping their interest from topic to topic was a challenge.

When the second session came up I would roll out basic networking using real world examples in the hope that abstract theory could be simplified with visuals from all around us. To

As you can see from that lot, there were some fairly heavy topics getting crunched down into oversimplified day to day, real world examples, but it seemed to work. I continued running the course this way for months and at one point I was asked to do some more advanced topics as follow-ups for the more interested students. There were maybe three or four of those follow-ups done and I was quite happy to see the depth of questions coming from the classes.

Some time later, maybe near to November, I got a panic call from the school principal of a college that was located about 10 minutes’ drive from my house. Apparently every computer in their lab was “going crazy”. None of the students were able to help, and the IT teacher was actually a carpenter who did work around the college and also had some basic computer skills. I agreed to help out and drove over a couple of hours before work to take a look.

Upon my arrival I noticed that every PC, when turned on, would go through the POST process, boot up Windows 98, barely load the icons on the desktop and would instantly start to shut down. I was starting to see why they thought their computers were now possessed by some vengeful spirit of a mailman who got lost in the maze of network circuits inside the computers. Unfortunately, the solution was a little more mundane. Once I got a box into safe mode I was able to start pulling apart what was happening as Windows booted to the desktop. It seemed that someone had installed a Windows Resource Kit on every computer, which included a nifty little Shutdown application. The culprit had then created a batch file that called the shutdown application and added that batch file to another hidden batch file in the Windows directory. A RunOnce registry key was being created that would call the hidden batch file and trigger the process. It seemed that the RunOnce registry key was being created by yet another batch file that was named in the autoexec.bat file. The end result of this mess was that just as Windows booted to the desktop, the shutdown command would activate and a boot loop would ensue. Doing a little more digging I was able to find yet another batch file that was inserting another reg entry into the Run key hive, thus providing two different ways for the loop to be initiated.

I tried to explain the whole thing to the principal and while he struggled to understand the technical details, he did grasp the concept that this was a well thought out act of IT sabotage. Each computer used the same generic logon and so that offered no help in identifying the saboteur. Unless the IT teacher was an Oscar-winning actor, I was pretty sure that he wasn’t the guy. The only thing I could think of was a student and I started to suspect that it would be one of the ones that I had trained. The attack showed a good grasp of batch files and Windows startup processes, but I had never shown a class how to use batch files to insert registry keys. Whoever had wrecked Windows 98 on the 70 or so computers in the college had done some research for themselves. I figured that the work to take out that number of computers would probably have taken me four or five minutes per PC for each of the 70 computers, meaning somebody had to have taken around six hours to do all the sabotage work. Everything was fine at the end of the previous school day and so it had to be an after-hours job. From there we spoke with the teachers who ran the after-hours classes and it didn’t take long to find a student who was supposed to be in the library until around 10pm the previous night. The last teacher leaving the school said that the student had hung around from around 3pm until lock-up and was supposedly working on an end of term project. When the principal brought the student to the IT room I was taken aback that it was one of the kids from my basic class who always seemed disinterested. I was truly expecting one of the kids from my advanced class to have been the culprit.

After some conversation it turned out that the student had sabotaged the PCs because his Math teacher had given them a tonne of homework for the next weekend and it meant that he wouldn’t have been able to take a girl to see Star Wars Episode 1 which was having a final screening that Saturday. I managed to get some more information from him about how he carried out the hack and it was a combination of taking the DOS training I gave him along with the Windows lessons and speaking to the father of one of his friends who was working in Microsoft doing localisation of their products. The Microsoft guy taught the student how to take the DOS commands and batch files and have them interact with the registry. A hacker was born. The principal suspended the kid and that was pretty much the end of it. I detailed how to fix the problem and left the work for the IT teacher and his backup, the maths teacher to do. So in some small way, I helped the kid to punish the maths teacher. I figured that it was the least I could do.

I don’t really know too much about how the student progressed from that point, but I can tell you that I ran into him three years ago at a Windows 2008 Server industry-only event in Dublin by Microsoft. He was running the IT security for the event as part of his role with Microsoft. From little acorns, large oak trees are born. I never decided whether the kid turned to the dark side from being denied a viewing of Star Wars on the big screen or from not getting that girl to go there with him, but either way, rage led to anger, anger led to revenge and revenge led to a nice paycheck.

Maybe there is a nugget of wisdom in that somewhere, probably not since it sounds like contrived crap but I just like how this kid took some basic lessons in IT, found them to be a toolset he could expand upon and then used it to get himself jobs in the industry. Awesome.
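As an added example, not part of the story or the show’s own material: a small Python tracer for the kind of startup chain described above. It walks constructed autoexec.bat, batch and .reg contents (all paths and names are made up) the way the investigation did, following CALLs and `regedit /s` imports through Run/RunOnce values, and reports every route that ends in the Resource Kit shutdown tool.

```python
# Constructed replica of the chain in the story: an autoexec.bat hook that imports a
# RunOnce value, which calls a hidden batch file, which calls the shutdown tool, plus a
# second route straight from the Run key. Paths, names and contents are invented.
FILES = {
    r"C:\AUTOEXEC.BAT": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nCALL C:\\WINDOWS\\SYSTEM\\UPD.BAT\n",
    r"C:\WINDOWS\SYSTEM\UPD.BAT": "@ECHO OFF\nREGEDIT /S C:\\WINDOWS\\SYSTEM\\ONCE.REG\n",
    r"C:\WINDOWS\SYSTEM\ONCE.REG": (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
        '"Update"="C:\\\\WINDOWS\\\\HIDDEN.BAT"\n'   # .reg files double their backslashes
    ),
    r"C:\WINDOWS\HIDDEN.BAT": "@ECHO OFF\nCALL C:\\WINDOWS\\SD.BAT\n",
    r"C:\WINDOWS\SD.BAT": "@ECHO OFF\nC:\\RESKIT\\SHUTDOWN.EXE\n",
}
REGISTRY = {  # what was already sitting in the live Run key: value name -> command
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"Loader": r"C:\WINDOWS\SD.BAT"},
}

SHUTDOWN_TOOLS = {"SHUTDOWN", "SHUTDOWN.EXE"}
SKIP_PREFIXES = ("@ECHO", "ECHO", "REM", "::", "PATH", "SET ", "PROMPT")


def norm(path):
    return path.strip('"').upper()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def batch_commands(text):
    """Lines of a batch file that actually run something (echo/rem/path/set are noise)."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.upper().startswith(SKIP_PREFIXES):
            yield s


def reg_run_values(text):
    """(key, command) pairs under Run/RunOnce keys in a .reg export."""
    key = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1].upper()
        elif key and "\\RUN" in key and "=" in s:
            _, _, value = s.partition("=")
            yield key, value.strip().strip('"').replace("\\\\", "\\")


def trace_startup(files, registry):
    """Follow every startup entry through batch calls and .reg imports; return the chains
    that end in the shutdown tool. Each chain lists the hops from the startup source."""
    fs = {norm(k): v for k, v in files.items()}
    chains = []

    def visit(label, command, path):
        if label in path:  # a batch file that calls itself, or a loop of them
            return
        path = path + [label]
        tokens = command.replace('"', "").split()
        if tokens and tokens[0].upper() == "CALL":
            tokens = tokens[1:]
        if not tokens:
            return
        prog, args = tokens[0], tokens[1:]
        name = basename(prog)
        if name in SHUTDOWN_TOOLS:
            chains.append(path + [name])
        elif name.endswith(".BAT") and norm(prog) in fs:
            for cmd in batch_commands(fs[norm(prog)]):
                visit(norm(prog), cmd, path)
        elif name in ("REGEDIT", "REGEDIT.EXE"):
            for a in args:  # regedit /s <file.reg> silently imports Run/RunOnce values
                if norm(a) in fs and norm(a).endswith(".REG"):
                    for key, cmd in reg_run_values(fs[norm(a)]):
                        visit(f"{norm(a)} -> {key}", cmd, path)

    autoexec = r"C:\AUTOEXEC.BAT"
    if autoexec in fs:
        for cmd in batch_commands(fs[autoexec]):
            visit(autoexec, cmd, [])
    for key, values in registry.items():
        for name, cmd in values.items():
            visit(f"{key}\\{name}".upper(), cmd, [])
    return chains


if __name__ == "__main__":
    for chain in trace_startup(FILES, REGISTRY):
        print(" -> ".join(chain))
```

The two chains it prints are the two routes from the story: autoexec.bat to the RunOnce import to the hidden batch file, and the direct Run value; on a real box the inputs would be the files pulled from the machine in safe mode rather than the constructed dictionaries.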

Round Up:


Allan’s ZFS Server Build | TechSNAP 34
https://original.jupiterbroadcasting.net/14561/allans-zfs-server-build-techsnap-34/
Thu, 01 Dec 2011 20:05:26 +0000

Allan walks us through his epic ZFS server build, find out why he needs 48GBs of RAM! Plus: The UN has suffered a user database leak, we’ll explain!

The post Allan’s ZFS Server Build | TechSNAP 34 first appeared on Jupiter Broadcasting.


Allan walks us through his epic ZFS server build, find out why he needs 48GBs of RAM!

Plus: The UN has suffered a user database leak, but the situation might not be as bad as it sounds, we’ll explain!

All that and more, on this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans


Show Notes:

UN Site Compromised, Usernames and Passwords Exposed

  • Team Poison attacked and compromised one or more servers at the UN
  • The data exposed via pastebin mostly came from UNDP.org, the UN Development Program, but also included the Organisation for Economic Co-operation and Development (OECD), the World Health Organisation (WHO) and the UK’s Office for National Statistics (ONS)
  • The UN responded saying “The server goes back to 2007. There are no active passwords listed for those accounts” and “Please note that UNDP.org was not compromised.”
  • Even though the UN claims the data is not current, it suggests that passwords are stored in plain text, without salting and hashing, and that no password requirements are enforced. Many of the passwords appeared to be overly short, and did not contain
  • Teampoison hackers have previously attacked the RIM/Blackberry website and published private information about former UK Prime Minister Tony Blair
  • Teampoison included a message with the pastebin, officially joining Anonymous in Operation Robinhood, against banks and financial institutions
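What “stored in plain text, without salting and hashing, and no password requirements enforced” means in code, as an added example that is not from the page or from any of the systems named above: the plaintext model beside a hardened store that enforces a minimum length (an assumed policy value) and keeps only a per-user salt and PBKDF2 digest, so that a leaked table no longer hands over the passwords themselves.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed policy value, not from the page
PBKDF2_ROUNDS = 200_000  # assumed work factor


class PlaintextStore:
    """The storage model the leak suggested: the password itself is the record."""
    def __init__(self):
        self.table = {}

    def register(self, user, password):
        self.table[user] = password

    def verify(self, user, password):
        return self.table.get(user) == password

    def dump(self):
        # What an exfiltrated table yields: every password, directly, for reuse elsewhere.
        return dict(self.table)


class HashedStore:
    """Hardened form: enforce a length policy, then store salt + PBKDF2-HMAC-SHA256 digest."""
    def __init__(self):
        self.table = {}

    def register(self, user, password):
        if len(password) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt = os.urandom(16)  # per-user salt: identical passwords get different digests
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.table[user] = (salt, digest)

    def verify(self, user, password):
        if user not in self.table:
            # Burn the same work for unknown users so timing does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = self.table[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def dump(self):
        # What a leak of this table yields: salts and digests that must be cracked per user.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.table.items()}


def leak_reveals_password(store, user, password):
    """True if a raw dump of the store contains the user's password as typed."""
    return password in str(store.dump().get(user))


def policy_rejects(store, user, password):
    """True if the store refuses to register the password (plaintext store never does)."""
    try:
        store.register(user, password)
        return False
    except ValueError:
        return True
```

The work factor and minimum length are illustrative; the point is the contrast a dump of each table gives an attacker, which is what made the pastebin above immediately usable.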

Duqu Attackers Destroyed Their C&C Server, Covered Tracks

  • On October 20 at around 18:00 GMT, the root user logged in to a number of Duqu C&C servers and proceeded to destroy /root, /etc, /var/log and some other files
  • The attackers securely erased the log files so they could not be recovered
  • However, due to the nature of the ext3 file system, some fragments of the logs had been relocated to reduce fragmentation, and these bits were not securely erased. While brute force searching the slack space, Kaspersky Labs was able to find a fragment of sshd.log showing root logins and the source IP address from another server in Germany.
  • Researchers followed the trail back to Germany, and used the same technique to find more IP addresses. However, the logs were from mid November (and were found in early November), and do not indicate which year. Based on other log files, this server may have been part of the Duqu C&C infrastructure as far back as 2009.
  • There is also evidence that the Duqu operators upgraded the OpenSSH that came with CentOS on the server to the latest versions, 5.8p1 and 5.8p2, when they were released. The attackers also enabled GSSAPIAuthentication on all of their servers. The article below includes more evidence of a possible long-lived 0-day exploit for OpenSSH 4.3
  • The Duqu C&C network was made up of hacked servers from all over the world, including: Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. Most if not all of the compromised machines were running CentOS
  • These servers were used as reverse proxies to the real C&C Mothership, which still has not been identified.
  • Very Detailed Analysis of the C&C Servers
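The recovery step described above (brute-force searching slack space for the log fragments the secure erase missed) as an added example, not code from Kaspersky Lab or the show: a Python carver that scans raw bytes for OpenSSH “Accepted … for root from <ip>” lines and lists the source addresses to pivot to next. The disk image is a constructed byte string, the addresses are documentation ranges, and the chunked reader with overlap is the part you would point at a real image file.

```python
import os
import re
import tempfile

# Constructed stand-in for a raw read of unallocated/slack space on a wiped server:
# binary noise with a few syslog-format sshd lines that survived block relocation.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Oct 18 02:11:45 host sshd[2104]: Accepted password for root from 203.0.113.7 port 51022 ssh2\n"
    + b"\x00\x00\xff\xfe"
    + b"Oct 18 02:12:01 host sshd[2104]: pam_unix(sshd:session): session opened for user root\n"
    + b"\x07" * 32
    + b"\xde\xad"
    + b"Oct 20 17:59:03 host sshd[3377]: Accepted publickey for root from 198.51.100.21 port 40211 ssh2\n"
    + b"\x00" * 128
)

# OpenSSH's successful-login line. The syslog timestamp carries no year, which is why
# recovered fragments like these cannot be dated to a year on their own.
LOGIN_RE = re.compile(
    rb"(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    rb"Accepted (?P<method>\w+) for (?P<user>\w+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def carve_ssh_logins(data, base_offset=0):
    """Scan raw bytes for surviving 'Accepted <method> for <user> from <ip>' lines."""
    hits = []
    for m in LOGIN_RE.finditer(data):
        hits.append({
            "offset": base_offset + m.start(),
            "timestamp": b" ".join(m.group("month", "day", "time")).decode(),
            "method": m.group("method").decode(),
            "user": m.group("user").decode(),
            "source_ip": m.group("ip").decode(),
        })
    return hits


def carve_file(path, chunk_size=1 << 20, overlap=512):
    """Carve a large image in chunks; the overlap keeps lines that straddle a chunk boundary."""
    hits, offset, carry = [], 0, b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            window = carry + data
            for h in carve_ssh_logins(window, base_offset=offset - len(carry)):
                if not hits or h["offset"] > hits[-1]["offset"]:  # drop re-hits from the overlap
                    hits.append(h)
            carry = window[-overlap:]
            offset += len(data)
    return hits


def pivot_sources(hits, user="root"):
    """Distinct source addresses that logged in as `user`, in order of first appearance:
    the next hosts to image, which is how the trail above was followed to Germany."""
    seen = []
    for h in hits:
        if h["user"] == user and h["source_ip"] not in seen:
            seen.append(h["source_ip"])
    return seen


def demo_chunked():
    """Write the constructed image to a temp file and carve it with a deliberately tiny chunk."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_IMAGE)
        return carve_file(path, chunk_size=100, overlap=128)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for h in carve_ssh_logins(SAMPLE_IMAGE):
        print(h)
    print("pivot to:", pivot_sources(carve_ssh_logins(SAMPLE_IMAGE)))
```

On a real server the input is a raw image of the partition, unallocated space included, never the live filesystem; the overlap must exceed the longest line you expect so a record cut by a chunk boundary is still seen whole in the next window.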

Apache Vulnerability Could Expose Internal Systems, Trivial Island Hopping

  • A problem with the way Apache handles rewrite rules could allow an attacker to gain access to internal systems that they would not normally be able to reach
  • The problem was found while looking at a recent fix to the same vulnerability
  • In some specific cases it is still possible to exploit the vulnerability
  • The vulnerability only exists if you use mod_rewrite (almost everyone does) and mod_proxy (fewer people do)
  • You can work around the issue by changing your rewrite rules slightly
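The rewrite-rule change the last item alludes to is the one the Apache project documented for this issue: anchor the pattern at `^/` and put a `/` between the backend host and the back-reference, so the request path can never become part of the host name. The checker below is an added example, not code from the page or the Apache project; it scans a constructed httpd.conf fragment (invented backend names) for proxying rules that lack that anchoring and prints the corrected form.

```python
import re

# Constructed httpd.conf fragment: one unsafe proxying rule, two fine ones, one redirect.
SAMPLE_CONF = r"""
RewriteEngine On
# unsafe form: request URI spliced straight after the host name
RewriteRule ^(.*) http://internal-backend.example$1 [P]
# corrected form: path anchored, slash before the back-reference
RewriteRule ^/(.*) http://internal-backend.example/$1 [P]
# a redirect, not a proxy: out of scope
RewriteRule ^/old/(.*) /new/$1 [R,L]
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/$1
"""

RULE_RE = re.compile(
    r"^\s*(?P<directive>RewriteRule|ProxyPassMatch)\s+(?P<pattern>\S+)\s+(?P<target>\S+)"
    r"(?:\s+\[(?P<flags>[^\]]*)\])?",
    re.IGNORECASE,
)
# scheme://authority followed immediately by '/' (e.g. http://backend/$1)
AUTHORITY_RE = re.compile(r"^([a-z][a-z0-9+.-]*://[^/$]+)", re.IGNORECASE)
AUTHORITY_SLASH_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/$]+/", re.IGNORECASE)


def is_proxying(directive, flags):
    """ProxyPassMatch always proxies; RewriteRule only with the [P] / [proxy] flag."""
    if directive.lower() == "proxypassmatch":
        return True
    return any(f.strip().upper() in ("P", "PROXY") for f in (flags or "").split(","))


def check_rule(line):
    """None if the line is fine or not a proxying rule with a back-reference; else a finding."""
    m = RULE_RE.match(line)
    if not m:
        return None
    directive, pattern, target, flags = m.group("directive", "pattern", "target", "flags")
    if not is_proxying(directive, flags) or "://" not in target or not re.search(r"\$\d", target):
        return None
    anchored = pattern.startswith("^/")
    slash_after_host = AUTHORITY_SLASH_RE.match(target) is not None
    if anchored and slash_after_host:
        return None
    fixed_pattern = pattern if anchored else "^/" + pattern.lstrip("^")
    fixed_target = target if slash_after_host else AUTHORITY_RE.sub(r"\1/", target, count=1)
    return {
        "line": line.strip(),
        "reason": "proxying rule does not anchor the request path with a leading '/'",
        "suggest": f"{directive} {fixed_pattern} {fixed_target}" + (f" [{flags}]" if flags else ""),
    }


def lint_config(text):
    """All findings for a configuration text, one per offending line."""
    return [f for f in (check_rule(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF):
        print(finding["line"], "=>", finding["suggest"])
```

The lint is deliberately narrow: it only looks at rules that proxy and splice a back-reference into an absolute URL, which is the combination the item describes; the patched httpd versions close the hole too, but the rule change is what protects an installation that cannot be upgraded immediately.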

Feedback:

Allan finished the build of his ZFS server and shared the results with us:

Parts List

Photos

Q: What OS
A: FreeBSD 9.0-RC2; will upgrade to 9.0-RELEASE when it comes out.

Q: What version of ZFS?
A: ZPool 28 and ZFS 5 (ZPool 21 introduces the deduplication system, which isn’t available in FreeBSD 8.2 which only has ZPool 15)

Q: What kind of throughput do you get?
A: Sequential read and write: 600+ megabytes/second. I write out a 16 GB file in under 27 seconds. Reading it back took under 2.8 seconds (over 6 gigabytes/sec) because the entire file was stored in the ZFS ARC (Adaptive Replacement Cache)

Q: Power Supplies
A: Redundant 920-watt Platinum Level (94%+) Efficient Power Supplies, fed from APC 7900 PDUs

Q: Do you suggest I build a server or buy a server?
A: I usually build, but I am a control freak. Buying can be a good option too

Q: What about the RAID Controller
A: Adaptec 6805, comes with FreeBSD drivers for 6.x, 7.x and 8.x, but not 9.x (because it is not out yet). Luckily, they include the source code, so I was able to compile the driver as a loadable module for 9.x. Adaptec has also submitted the changes to FreeBSD to be included in future releases.

Round-Up


Skype Exposes Pirates | TechSNAP 29
https://original.jupiterbroadcasting.net/13262/skype-exposes-pirates-techsnap-29/
Thu, 27 Oct 2011 18:43:12 +0000

Researchers have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent it!

The post Skype Exposes Pirates | TechSNAP 29 first appeared on Jupiter Broadcasting.


Coming up on this week’s TechSNAP…

Researchers have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent being tracked!

Plus we cover the Ultimate way to host your own email, and what happened when Chinese hackers took control of US Satellites!

All that and more, on this week’s episode of TechSNAP!


Show Notes:

Audible.com:

Suspected Chinese Military Hackers take control of US Satellites

  • On four separate occasions during 2007 and 2008 US satellites were hijacked by way of their ground control stations.
  • The affected satellites were Landsat–7 (Terrain Mapping and Satellite Photography, example 1 example 2) and Terra AM–1 (Climate and Environmental Monitoring, 2010 Hurricane Karl)
  • While the US does not directly accuse the Chinese government in writing, these types of actions are consistent with known war plans that involve disabling communications, command and control, and GPS satellites as a precursor to war.
  • In one incident with NASA’s Terra AM–1, “the responsible party achieved all steps required to command the satellite,” however the attackers never actually took control of the satellite.
  • It was not until the 2008 investigation that the previous compromises in 2007 were detected
  • This raises an important question: are the US military and other NATO members too reliant on satellite communications and GPS?
  • In a recent NATO exercise called ‘Joint Warrior’, it was planned to jam GPS satellite signals, however the jamming was suspended after pressure on the governments over civilian safety concerns. Story

Researchers develop a procedure to link Skype users to their Bittorrent downloads

  • The tools developed by the researchers at New York University allow anyone to determine a strong correlation between BitTorrent downloads and a specific Skype user.
  • Importantly, unlike RIAA/MPAA lawsuits, the researchers consider the possibility of false positives because of multiple users behind NAT.
  • The researchers resolve this issue by probing both the Skype and BitTorrent clients after a correlation is suspected. By generating a response from both clients at nearly the same time and comparing the IP ID (similar to a sequence number) of the packets, if the ID numbers are close together, then it is extremely likely that the response was generated by the same physical machine. If the IDs are very different, then it is likely that the Skype and BitTorrent users are on different machines, and there is no correlation between them.
  • This same technique could be made to work with other VoIP and P2P applications, and could be used to gather enough evidence to conclusively prove a BitTorrent user’s identity.
  • This situation can be mitigated by using the feature of some OSes that randomizes the IP ID to prevent such tracking (net.inet.ip.random_id in FreeBSD, or the separate ‘scrub random-id’ feature in the BSD PF firewall).
  • The discovery could also be prevented by fixing the Skype client such that it will not reply with its IP address if the privacy settings do not allow calls from that user. The current system employed by the researchers does not actually place a call to the user, but tricks Skype into thinking that a call will be placed, and Skype then leaks the sensitive information by returning its IP address or initiating a connection to the attacker.
  • Read the full research paper
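The IP ID check and the random_id mitigation from the items above, modelled as an added example (not the NYU researchers’ tool and not code from the show): a host that stamps datagrams from one sequential counter is trivially linkable across two applications, two NAT-sharing hosts are not, and a host with randomised IDs defeats the check. The tolerance window is an assumption; the rest follows the description above.

```python
import random

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def ipid_distance(a, b):
    """Smallest distance between two IP IDs on the 16-bit ring (counters wrap at 65535)."""
    d = (b - a) % IPID_MOD
    return min(d, IPID_MOD - d)


def same_host_likely(id_a, id_b, window=64):
    """The correlation check described above: two replies elicited almost simultaneously
    (one from the VoIP client, one from the P2P client) whose IDs sit within `window`
    increments of each other were most likely stamped by one kernel counter, i.e. one
    machine. `window` is an assumed tolerance for background traffic between the replies."""
    return ipid_distance(id_a, id_b) <= window


class SequentialIpId:
    """Host whose kernel stamps outgoing datagrams from one global counter (the exposed case)."""
    def __init__(self, start):
        self.counter = start % IPID_MOD

    def send(self):
        cur = self.counter
        self.counter = (self.counter + 1) % IPID_MOD
        return cur


class RandomIpId:
    """Host with randomised IDs, the behaviour net.inet.ip.random_id=1 or pf 'scrub random-id' gives."""
    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def send(self):
        return self.rng.randrange(IPID_MOD)


def probe_pair(first, second):
    """Two back-to-back replies, one per application; passing one object twice models one machine."""
    return first.send(), second.send()


def correlation_rate(first, second, trials):
    """Fraction of repeated probe pairs the heuristic attributes to a single machine.
    Repeating the probe is also how the researchers guard against a chance near-miss
    between two different hosts whose counters happen to be close."""
    flagged = sum(same_host_likely(*probe_pair(first, second)) for _ in range(trials))
    return flagged / trials


if __name__ == "__main__":
    one = SequentialIpId(1000)
    print("same sequential host:", correlation_rate(one, one, 200))
    print("two hosts behind NAT:", correlation_rate(SequentialIpId(1000), SequentialIpId(40000), 200))
    print("randomised IDs      :", correlation_rate(RandomIpId(2024), RandomIpId(2024), 2000))
```

With randomisation the flag rate collapses to roughly the window size divided by 65536, which is the point of the sysctl and the pf option named above: the counter that the check relies on simply no longer exists.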

NASDAQ web application Directors Desk hacked

  • Directors Desk is a web application designed to allow executives to share documents and other sensitive information
  • When NASDAQ was hacked in February, they did not believe that any customer data was stolen
  • The attackers implanted spyware into the Directors Desk application and were able to spy on the sensitive documents of publicly traded companies as they were passed back and forth through the system
  • This is another example of the Advanced Persistent Threat (APT) as we saw with the RSA and South Korea Telecom hacks, where the attackers went after a service provider (in this case NASDAQ) to compromise the ultimate targets, the publicly traded companies and their sensitive documents.
  • It is not known what if any protection or encryption systems were part of Directors Desk, but it seems that the application was obviously lacking some important security measures, including an Intrusion Detection System that would have detected the modifications to the application.

SEC says companies may need to disclose cyber attacks in regulatory filings

  • The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation.
  • Some of the potential items companies may need to disclose include:
  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
  • To the extent the registrant outsources functions that have material cyber security risks, description of those functions and how the registrant addresses those risks
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
  • Risks related to cyber incidents that may remain undetected for an extended period
  • “For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.
  • From the SEC guidance: “The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision”
  • CF Disclosure Guidance: Topic No. 2 – Cybersecurity

Feedback:

It is definitely advantageous to own the domain that your email address is on. On top of looking more professional than a Hotmail, or even Gmail, address, it also allows you to choose your host and have full control over everything. There are some caveats though: of course you must remember to renew your domain name, else your email stops working (just ask Chris about that one); you also have to be careful about picking where to host your domain, as having your site or email hosted by a less reputable service can result in your domain being included on blacklists and stopping delivery of your mail to some users.

The biggest problem with hosting your own email from your home is that you must keep the server up 24/7, and it must have a reasonably static IP address. If you are going to host from your home, I recommend you get a ‘backup MX’ service: a backup mail server that will collect mail sent to you while you are offline, and then forward it to your server when it is back up. Even if you are using a dedicated server or VPS, this is important, because email is usually the most critical service on your server.

The other major issue with hosting your email from home is that most ISPs block port 25 inbound and outbound, to prevent infected computers from sending spam. This means that you will not be able to send or receive email to other servers. Usually your ISP will require you to have a more expensive business class connection with a dedicated static IP address in order to allow traffic on port 25. Also, a great many spam filtering systems, such as SpamAssassin, use blacklists that contain the IP ranges of all consumer/home Internet providers, designed to stop spam from virus-infected machines, because email should not be sent from individual client machines, but through the ISP or domain email server.

Round Up:

The post Skype Exposes Pirates | TechSNAP 29 first appeared on Jupiter Broadcasting.

Ultimate ZFS Overview | TechSNAP 28 https://original.jupiterbroadcasting.net/13052/ultimate-zfs-overview-techsnap-28/ Thu, 20 Oct 2011 18:57:12 +0000 https://original.jupiterbroadcasting.net/?p=13052 Buckle up and prepare for the our Ultimate ZFS overview! Plus, the next generation of Stuxnet is in the wild, but this time is laying low, collecting data.

The post Ultimate ZFS Overview | TechSNAP 28 first appeared on Jupiter Broadcasting.



Coming up on this week’s TechSNAP…

Buckle up and prepare for our Ultimate ZFS overview!

Plus, the next generation of Stuxnet is in the wild, but this time is laying low, collecting data.

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:


Show Notes:

Jupiter Broadcasting Gear

https://www.printfection.com/jbgear

  • Coupon Code: SuperDuperShip – Free Shipping on Super Saver, International, and Canadian Airmail orders. No minimums
  • Coupon Code: SuperSave$10 – $10 off orders with a subtotal of $50+
  • Coupon Code: Scary35% – 35% off orders with a subtotal of $100+

Next generation of Stuxnet seen in the wild?

  • Called Duqu, the malware appears to be based on the same concepts as Stuxnet, and likely was written by some of the same people, or someone with access to the Stuxnet source code.
  • The malware is designed to be stealthy and silent, rather than exploiting the system to some gain, like most malware
  • The rootkit loads itself as a validly signed driver. It appears to have been signed with the certificate of a company in Taiwan identified as C-Media Electronics Incorporation. It is possible that their systems were compromised and their private key is being used without their knowledge. The certificate was set to expire on August 2, 2012, but it was revoked on Oct. 14. A valid signature only proves possession of the key, not that the rightful owner made the signature, so revocation checking matters here.
  • The malware is not a worm, as it does not spread on its own, and has no destructive payload
  • It appears to only gather intelligence and act as an espionage agent, collecting data to be used in a future attack.
  • Analysts claim it appears to be seeking information on an unidentified industrial control system
  • Duqu appears to have been in operation, undetected for more than a year
  • Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors
  • Duqu analysis paper
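An added illustration (not from the show or from the Symantec paper) of why “validly signed” is not the same as “trustworthy”. The certificate record below is constructed: it uses the expiry and revocation dates quoted above, but the subject is only a label and the revocation reason and compromise date are assumptions. An expiry-only check accepts the driver; the revocation-aware policy, which is my own conservative rule and not Windows’ exact Authenticode algorithm, refuses it unless a trusted timestamp places the signature before the known compromise date.

```python
from datetime import datetime, timezone


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificate metadata (dates from the show notes; reason/compromise date assumed).
SIGNING_CERT = {
    "subject": "C-Media Electronics Incorporation",
    "not_before": utc(2009, 8, 3),
    "not_after": utc(2012, 8, 2),
    "revoked_on": utc(2011, 10, 14),
    "revocation_reason": "keyCompromise",
    "invalidity_date": None,  # CA did not say when the key was stolen
}


def naive_is_valid(cert, now):
    """What an expiry-only check sees: is the certificate inside its validity window?"""
    return cert["not_before"] <= now <= cert["not_after"]


def signature_trusted(cert, signed_at, now):
    """Revocation-aware policy for a code signature.

    signed_at is the time from a trusted timestamp on the signature, or None if there is none.
      - outside the validity window            -> untrusted
      - not revoked                             -> trusted
      - revoked and no trusted timestamp        -> untrusted (cannot place it before revocation)
      - key compromise with unknown theft date  -> untrusted (any signature may be the thief's)
      - otherwise trusted only if signed before the invalidity date (or the revocation date)
    """
    if not naive_is_valid(cert, now):
        return False
    revoked_on = cert.get("revoked_on")
    if revoked_on is None:
        return True
    if signed_at is None:
        return False
    cutoff = cert.get("invalidity_date")
    if cert.get("revocation_reason") == "keyCompromise" and cutoff is None:
        return False
    return signed_at < (cutoff or revoked_on)
```

Run against the constructed record on 20 Oct 2011, `naive_is_valid` returns True while `signature_trusted` returns False for every signing time, which is the behaviour you want from a driver-loading policy once a key is known stolen.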

Google switching to SSL for logged in users’ searches

  • Users who do a search while logged in, will do the search over SSL, meaning their search query and the results will be protected from snooping by their ISP, Government, Law Enforcement and WiFi hackers.
  • This is an important step as google works to personalize your search results more and more.
  • An interesting side effect of this is that browsers do not send a Referer header when you follow a link from an HTTPS page to a plain HTTP page. So the sites you visit from the search results page will no longer see what your search query was (unless they are served over HTTPS themselves, in which case the referrer is still sent). Clicks on AdWords and other sponsored links will still pass your search query.
  • The primary impediment to SSL for everything is performance: encrypting all traffic on the web would require a great deal more hardware. This is why Google defaults to a cheaper cipher suite for things like search results than what online merchants typically use. In practice most of the cost is in the public-key operations of the handshake rather than the bulk encryption, which is why session resumption matters so much.
  • Another impediment to SSL is the certificate system. Typical setups require a unique IP for each SSL certificate, because the name-based virtual hosting web servers normally do relies on the HTTP Host header, which is not sent until after the encrypted session is established. However, modern browsers and web servers support ‘SNI’ (Server Name Indication), which carries the hostname in the initial ClientHello so the server can pick the right certificate before any HTTP is spoken. Note that the SNI hostname is sent in the clear, so unlike the URL path and query it is visible to anyone on the path. There are also solutions such as wildcard certificates (ie, *.google.com) and Unified Communications Certificates (UCC, a multi-name certificate using Subject Alternative Names, typically used for MS Exchange servers and the like).
  • Google will also provide website owners with the top 1000 search queries that lead visitors to their site via Google Webmaster Tools.
  • HTTPS Everywhere | Electronic Frontier Foundation

Feedback:

ZFS Segment

  • This week we will be taking a look at ZFS as a storage solution
  • ZFS was originally developed by Sun Microsystems to be able to store a zettabyte of data (a zettabyte is equal to 1 billion terabytes)
  • ZFS is both the Volume Manager and the File System. This gives it some unique benefits, including the ability to increase the size of the file system on the fly, and it improves performance for the ‘scrub’ (integrity check all data) and resilver (recover from a failed disk) operations, as only data blocks that are actually in use need to be read and rewritten, whereas a hardware RAID controller must resilver the entire disk because it is unaware of the file system.
  • ZFS is a ‘Copy-On-Write’ file system: changed data is written to newly allocated blocks and the old blocks are only freed once nothing references them, so data is never overwritten in place. This is what makes snapshots and clones nearly free.
  • Features
    • Multiple mount points – You can create various mount points from the same storage pool, allowing you to have different settings for different types of files.
    • Passive Integrity Checking (Fletcher Checksum or SHA–2) – As data is read, it is compared against the checksum (or hash, depending on settings). If the data is found to be corrupted, ZFS attempts to recover it (from a mirrored device, RAID Z, or copies). This feature allows ZFS to detect silent corruption that normally goes unnoticed.
    • RAID Z – RAID Z works very similarly to RAID 5, except without the requirement for a hardware RAID controller. RAID Z2 provides two parity drives, like RAID 6. Recently, RAID Z3 was also introduced, using 3 drives for parity, providing exceptional fault tolerance.
    • Compression – Allows you to compress the data stored in this mount point (defaults to lzjb for speed, or you can choose a specific level of gzip). This can be great for storing highly compressible information such as log files
    • Deduplication – Since ZFS already computes the checksum of each block as it writes it, it can detect that a block with identical content already exists in the storage pool and simply reference the existing block instead of writing a new one; because ZFS is copy-on-write, if either file later changes, it does not affect the other. Note that dedup works on blocks, not whole files, and turning it on switches the dataset to a strong hash (sha256) rather than the default Fletcher checksum. ZFS also supports an optional ‘verify’ setting, where even if the hash matches it will do a byte-by-byte comparison to ensure the blocks really are identical, to avoid a hash collision resulting in data corruption, even though the chance of a SHA-256 collision is around 10^–77. Deduplication uses a lot of RAM, so it is recommended that you only use it on datasets where there is a high probability of duplication: the dedup table needs about 320 bytes per unique block, so 1TB of data in 8kB blocks (roughly 134 million blocks) needs around 40GB of table, while ZFS allows blocks up to 128kB, which brings that down to about 2.5GB. The dedup table is metadata, and by default metadata may only occupy up to 25% of the ARC; once the table no longer fits, lookups go to disk and performance degrades badly.
    • Purposeful Duplication (Copies) – Allows you to ask ZFS to maintain more than 1 copy of each file in a mount point. This is in addition to any redundancy provided by mirrors/RAID Z etc. Where possible the additional copies are stored on different physical devices. This allows you to get the benefit of a system like RAID Z but only for a specific set of data, while using regular striping for the rest, to maximize your storage capacity. (The ‘Copies’ system was not designed to protect against entire drives failing, just the loss of specific sectors; also this setting only affects newly written files, so you should set it when you create the mount point)
    • Snapshots – A read only copy of the file system from a specific point in time, great for backups etc.
    • Clones – A writable snapshot. Allows you to create a second copy of the file system that shares all of the same disk space, and any changes to either the original or the clone get saved separately.
    • Dynamic Striping – As you add more disks to your ZFS pool, the strips are automatically adjusted to take advantage of the write performance of all available disks.
    • Space Reservation – Since all mount points share the same pool of free space, you can set reservations to make sure specific mount points always have access to free space, even if another mount point is trying to use all of the space.
  • In summary, ZFS can be a great solution for your home file server, as it allows you the flexibility to add additional storage at any time, deduplicate files, provide limited redundancy without needing RAID and can even provide some Drobo like functionality.
  • If you keep at least one SATA port available in your file server, you can replace smaller devices by attaching the newer drive, and using the ‘zpool replace’ command, to copy all of the data to the new device, then remove the smaller one. You can eventually replace every device in the system this way, and the storage pool sizes up automatically.
  • RAID Z pools cannot currently have devices added to them, although this feature is in the works. If you create a RAID Z (or Z2/Z3) pool, you can still increase its storage capacity by replacing each disk one at a time, and waiting for it to resilver (unlike in non-redundant setups, you do not have to connect the new device before removing the old one). Again, because ZFS is both the Volume Manager and the File System, the resilvering process is faster, because only data that is actually in use needs to be written to the new device.
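An added toy model (not ZFS code, and not from the show) of the copy-on-write, deduplication, snapshot and copies behaviour described above, so the space accounting can be checked by hand. Blocks are content-addressed by SHA-256 and reference-counted; a write allocates new blocks and only releases the old ones, so a snapshot holding references keeps old data alive without copying it. The 8-byte block size is an assumption chosen to keep the sample data readable; the ‘verify’ option and clones are left out.

```python
import hashlib

BLOCK_SIZE = 8  # assumption for readability; real ZFS records are up to 128kB


class CowStore:
    """Toy copy-on-write block store with optional dedup and a 'copies' multiplier."""

    def __init__(self, dedup=True, copies=1):
        self.dedup = dedup
        self.copies = copies
        self.blocks = {}      # block id -> bytes
        self.refs = {}        # block id -> reference count
        self.files = {}       # live dataset: file name -> list of block ids
        self.snapshots = {}   # snapshot name -> {file name: list of block ids}
        self._seq = 0

    def _store(self, data):
        """Store one block; with dedup on, identical content reuses the existing block."""
        h = hashlib.sha256(data).hexdigest()
        if self.dedup and h in self.blocks:
            self.refs[h] += 1
            return h
        bid = h if self.dedup else "%s#%d" % (h[:16], self._seq)  # unique id per write when dedup is off
        self._seq += 1
        self.blocks[bid] = data
        self.refs[bid] = 1
        return bid

    def _release(self, bid):
        self.refs[bid] -= 1
        if self.refs[bid] == 0:      # nothing references the block any more: free it
            del self.refs[bid]
            del self.blocks[bid]

    def write(self, name, data):
        """Replace a file's content copy-on-write: allocate new blocks, then release the old ones."""
        old = self.files.get(name, [])
        self.files[name] = [self._store(data[i:i + BLOCK_SIZE])
                            for i in range(0, len(data), BLOCK_SIZE)]
        for bid in old:
            self._release(bid)

    def read(self, name):
        return b"".join(self.blocks[bid] for bid in self.files[name])

    def snapshot(self, snap):
        """A snapshot is just another set of references to the current blocks; no data is copied."""
        mapping = {n: list(bids) for n, bids in self.files.items()}
        for bids in mapping.values():
            for bid in bids:
                self.refs[bid] += 1
        self.snapshots[snap] = mapping

    def destroy_snapshot(self, snap):
        for bids in self.snapshots.pop(snap).values():
            for bid in bids:
                self._release(bid)

    def used_bytes(self):
        """Physical space consumed: every stored block, written `copies` times."""
        return sum(len(b) for b in self.blocks.values()) * self.copies
```

Writing two files that share a block, taking a snapshot and then rewriting one file shows the three effects at once: the shared block is stored once, the rewrite allocates a new block rather than overwriting, and the superseded block survives until the snapshot is destroyed.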

Round Up:

The post Ultimate ZFS Overview | TechSNAP 28 first appeared on Jupiter Broadcasting.
