MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• RedHat, 5 Billion Goal
• Krack Attack
• High DPI in Linux
• Vox Tel Sys

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Doin' Lines of WiFi | Ask Noah 30 first appeared on Jupiter Broadcasting.

The Mask, an advanced persistent threat is revealed, a slew of various home router models are actively being exploited, we’ll share the important details.

Plus some routing basics explained, and much much more.

On this week’s TechSNAP

Thanks to:

— Show Notes: —

Kaspersky discovered “The Mask” APT

• We got some hints about Careto (also know as “The Mask” or “The Masked APT”) a few weeks ago, and speculation suggested that the unusual native language of the attackers was Korean
• In an even bigger surprise, it turns out the attackers are Spanish speaking
• the Spanish-speaking attackers targeted government institutions, energy, oil & gas companies and other high-profile victims via a cross-platform malware toolkit
• Full Research PDF
• The APT has been going on since 2007 or earlier
• “More than 380 unique victims in 31 countries have been observed to date”
• “What makes “The Mask” special is the complexity of the toolset used by the
  attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32 and 64 bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)”
• “The Mask also uses a customized attack against older versions of Kaspersky Lab products to hide in the system, putting them above Duqu in terms of sophistication and making it one of the most advanced threats at the moment. This and several other factors make us believe this could be a nation state sponsored campaign”
• “When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations”
• “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government level encryption tools”
• “Overall, we have found exploits for Java, Flash SWF (CVE-2012-0773), as well as malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. The names of the subdirectories give some information about the kind of attack they launch, for instance we can find /jupd where JavaUpdate.jar downloads and executes javaupdt.exe”
• “CVE-2012-0773 has an interesting history. It was originally discovered by French
  company VUPEN and used to win the “pwn2own” contest in 2012. This was the first
  known exploit to escape the Chrome sandbox. VUPEN refused to share the exploit
  with the contest organizers, claiming that it plans to sell it to its customers”
• “A Google engineer offered Bekrar (of VUPEN) $60,000 on top of the $60,000 he had already won for the Pwn2Own contest if he would hand over the sandbox exploit and the details so Google could fix the vulnerability. Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million, but he later told WIRED he wouldn’t hand it over for even $1 million.”
• This suggests that the threat actor may be a government
• However, Chaouki Bekrar denies the VUPEN exploit was used
• “Several attacks against browsers supporting Java have been observed.
  Unfortunately, we weren’t able to retrieve all the components from these attacks, as
  they were no longer available on the server at the time of checking”
• Also exploits CVE-2011-3544 against Java
• Additional Coverage

Linksys Router Malware

• Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.
• Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher.
• A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.
• Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.
• The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet.
• Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack.
• After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script.
• Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets.
• The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers\’ DNS settings.
• The phony domain name resolvers listed in the router settings redirected victims\’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims\’ login credentials.
• The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers.
• Two days after this article was published, Linksys representatives issued the following statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware.
+ Additional Coverage Internet Storm Center
+ These are not the only routers that have problems
+ Home Routers pose the biggest threat to consumer security
+ An old backdoor from 2005 was found in brand new Cisco home “Gigabit Security Routers”
+ As the covered last year, 40-50 million routers have uPnP flaw
+ Yesterday, researchers found a stack overflow bug in Linksys WRT120N routers
+ The new protocol that proposes to make “security” easier on the next generation of home routers may cause more harm than good
+ Asus Routers are also vulnerable including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R

Feedback:

• Do you do disk or filesystem level encryption? If so, how do you manage the keys?

• confused about default routes

• Migrating ZFS

  • ZFS Replication

• Smart Wire Modems

• \”I just don\’t want to see the internet just walled off in different areas of the world\”

Round Up:

• Email attack on Vendor was source of Target breach
• Target\’s cybersecurity team raised concerns months before hack
• Schneier on Security: My Talk on the NSA
• Are 400gbps DDoS attacks the new normal?
• Verizon seeks payment for carrying Netflix traffic, WSJ reports
• RAID reliability calculator
• More than 2000 Tesco.com accounts leaked
• The History of Data Storage
• Important Kickstarter Security Notice
• FreeBSD PEFS file system security audit
• Tour of the Verizon Terremark Data Center
• Intel introduces new 15 core Xeon CPU, Xeon E7-8893 v2 (LGA2011), 3.4 GHz (3.7 GHz turbo), 37.5 MB cache, 1536 GB max ram, 8 way system would have 240 logical CPUs
• US Health care sector vulnerable to Hackers

The post 7 Year Malware | TechSNAP 150 first appeared on Jupiter Broadcasting.

What is the Dark Mail Alliance? We’ll dig into how it’s more of a protocol, and a hope than an actual product. Now the time to replace email we’ll explain how you can help get the concept kickstarted.

Plus your follow up on upstart vs systemd, a brief SteamOS chat, and more!

Thanks to:

• Help the DigitalOcean community by submitting articles and get paid $50 per published piece!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

FU

• upstart vs. systemd in debian

• The future of Linux should be independent

• WebM on the HTML5 embed was missing sorry – Published early due to YouTube outage.

• On Ubuntu\’s user base being used as justification for lesser technology

• Lavabit\’s Dark Mail Initiative by Ladar Levison

Dark Mail Explained:

• Lavabit\’s Dark Mail Initiative by Ladar Levison — Kickstarter

The goal is to cleanup and release the source code that was used to power Lavabit as a f/oss project with support for dark mail added.

• Lavabit creator launches Kickstarter campaign for dark mail open-source project for encrypted email – The Next Web

Lavabit creator Ladar Levison has launched a Kickstarter campaign for the dark mail encrypted email initiative he\’s working on in partnership with Silent Circle.

The project is looking to raise $196,608 to take the Lavabit source code and turn it into a free and open-source project with the new dark mail protocol.

Mail Sack:

• Straw Poll Results
• Why people will not use darkmail… // Slexy 2.0

The post Dark Mail: A New Hope | LINUX Unplugged 13 first appeared on Jupiter Broadcasting.

We’ll dig into bitcoin and explain what it is, and how it works. Is there a future for this Cryptocurrency?

Plus Sony is in the news again, and its not good… And we talk about a new ruling on how far your bank has to go to protect you from cyber criminals.