FTP – Jupiter Broadcasting

HyperionGray have announced a new project, where they have connected their open source distributed PunkSCAN webapp scanner to an Apache Hadoop Cluster and set it loose on the Internet
The goal of the project is to highlight the abysmal state of security on the Internet
The scanner finds sites that are vulnerable to SQL Injection, Blind SQL Injection, and Cross-Site Scripting
This information is then stored in a database, and is searching using PunkSPIDER
You can search by keyword in the URL or Title of the site and search by vulnerability types
PunkSPIDER Search Engine
PunkSPIDER is similar to another online search engine we have discussed previously, SHODAN is an online index of banner messages and version info
Additional Coverage

How power failures can corrupt Flash SSDs

Researchers at Ohio State University have conducted extensive testing of Flash SSD drives to determine how they react to unexpected power failures
By creating a worst case scenario that involves many concurrent writes of incompressible data, and a direct loss of power (cutting power between the PSU and the SSD rather than cutting power to the PSU), the researchers were able to enumerate a number of possible failure scenarios
The possible failures they looked for were:
- Bit Corruption – Random bits in the data set incorrectly
- Flying Writes – The correct data written to the wrong block/sector
- Shorn Writes – A write is interrupted while overwriting a sector, leaving the sector with some of the new bits and some of the old bits
- Metadata Corruption – The Flash Translation Layer (FTL, the complex firmware on an SSD that makes the NAND Flash chips appear like a regular hard drive) metadata is corrupted
- Dead Device – The SSD no longer functions at all
- Unserializability – The disk is in a state where writes were completed out of order
Researchers tested 15 different SSDs and 2 regular spinning drives
They did not release the manufacturer names or model numbers
Additional Coverage
Paper
Erretum Insert
A case of a similar problem? SSD suddenly only 34kb

Source code and possibly private keys for AMI BIOS/Firmware leaked

Security researchers Brandan Wilson and Adam Caudill found some interesting things on an open FTP server in Taiwan
On the FTP site they found numerous goodies, including internal emails, system images, high resolution PCB images, and Excel sheets loaded with private data
In addition, they also found a directory named ‘code’, that contained the source code and a private key for the AMI Firmware
According to AMI, the FTP site belongs to one of its customers, and the private key that was exposed is a testing key they use for all of their images, but they instruct all of their customers to generate their own keys and not use that testing key in production
It is not clear if this is the case, one or more manufacturer making use of the AMI Firmware are using that testing key
If that key is trusted in the wild, it means someone with access to this leaked source code could make a malicious firmware update that would be considered valid, it would also mean that the entire UEFI trust system for the affected machines could be invalid
“The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,” Caudill said. “Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.”
“This kind of leak is a dream-come-true for advanced corporate espionage or intelligence operations,” Caudill wrote. “The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.”

Feedback:

Round-Up:

The post FTP Treasure Trove | TechSNAP 105 first appeared on Jupiter Broadcasting.

Password SecuritIEEE | TechSNAP 77

chris — Thu, 27 Sep 2012 16:30:08 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A big password leak from a major industry player, mobile security takes a big hit, we cover a couple of the major vulnerabilities affecting our favorite gadgets, and more Java troubles.

Plus moving from Apache to Nginx, and a big batch of your questions.

All that and so much more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Virgin Mobile USA customers may be at risk

Virgin Mobile customers in the USA access their customer portal using their mobile phone number and a 6 digit pin
In addition to the obvious lack of security of using such a limited keyspace, it seems that the Virgin portal does not implement any type of lockout or intrusion detection
Specifically, they do not block an IP after 100s of failed attempts, meaning an attacker can quickly run through the entire 1 million possible passwords and gain access to any account
Kevin Burke, the researcher who discovered the flaw, said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concerns were dismissed
Later, a fix was applied to the portal, blocking users after 4 failed attempts, however it relied on a browser cookie to keep track of the number. In additional to how easily this mitigation is evaded, most attack scripts don’t keep cookies anyway
Virgin’s portal now correctly blocks an IP address after 20 failed attempts
Virgin uses a 404 error instead of 503 or another more proper error code
Additional Coverage

Security Explorations finds another Java 0-day, for Java SE 5, 6 and 7

Security Explorations, the Polish research firm that found the previous Java exploits, has now topped 50 different vulnerabilities reported to Oracle, and the 50th one is the worst to date
The flaw affects fully patched Windows 7 machine, using all major browsers
Oracle has produced a comprehensive status report regarding upcoming Java Critical Patch Update. The company claims to have fixes for all, except two issues (29 and 50) integrated and undergoing testing for release in the October 2012 Java SE CPU. Oracle is still evaluating fixes for Issue 50 and will provide further update on whether a fix for it will be also included in the October 2012 Java SE CPU
Additional Coverage

IEEE passwords exposed via FTP site

A researcher found a log file on a publically accessible IEEE FTP site
The file contained logs from 01/Aug/2012:20:46:28 +0000 to 18/Sep/2012:08:47:17 +0000
The log contained around 375 million lines, 400,000 of which contained plain text passwords, 17k of which were password reset requests
A total of 99,979 unique usernames were found
7 of the top 10 passwords were all numeric, variations of 123 – 1234567890
Other popular passwords included ieee2012, IEEE2012, password, library and ADMIN123
38% of users use gmail, 7.6% use yahoo
It does not appear that the IEEE actually stores usernames and passwords in plaintext in its authentication database, but it is unclear why or how the passwords were included in the access logs
The IEEE acknowledged the breach
And issues a notice to its members, encouraging them to use strong passwords when they are forced to reset thier password
Additional Coverage

Your Android phone could be remotely erased by a malicious website

Security Researcher Ravi Borgaonkar revealed the exploit at ekoparty 2012
An apparent bug in the Samsung TouchWiz UI makes it possible for a malicious website or remote attacker to reset your Android device
The vulnerability can be exploited via NFC, QR code, SMS, or a web link
Remote wipe attack not limited to Samsung phones, Android dialer may be to blame
The vulnerability may actually be in the Android dialer, which would mean all devices are vulnerable
As a temporary fix you can get the TelStop app, which publishes a URL handler for tel: URLs and prevents the exploit from being used via websites
Additional Coverage:
Major Samsung Galaxy TouchWiz exploit hard resets a device by just visiting a website
Critical vulnerability in Samsung Galaxy S3, possibly other smartphones. – Spiceworks
Samsung has released new firmware that resolves the issue
- Samsung applies quick patch to dailer vulnerability

Feedback:

spleeeem submitted something handy for a common theme on our show, secure passwords: Password Storage Cheat Sheet
Best Way to Migrate a lot of Sites from Apache to NGINX
How to benchmark nginx?
Why can’t you just send the “finished” hash?
Mail Server with Blocked Port 25?
I wonder if I could get your thoughts on https://www.sendfilessecurely.com
Followup: rikai found an SSH SVR record wrapper script

Book: Nginx HTTP Server

It provides a step-by-step tutorial to replace your existing web server with Nginx. With commented configuration sections and in-depth module descriptions

Have some fun:

What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

Adobe Announces Rapid Release Cycle for Flash Player
Compromised phpMyAdmin download reinforces importance of verifying checksums . SourceForge is investigating how the copy of the file on a Korean mirror was compromised and downloaded by over 400 users
Android 4.0.4 NFC vulnerability exposed at Pwn2Own contest
How to build a passive ethernet tap, to spy on traffic as it crosses the wire
Microsoft may have known about IE 0-day flaw for months, credit goes to “TippingPoint Zero Day Initiative” on July 24th, not to researcher who disclosed the flaw in September
Bruce Schneier doesn’t want his algorithm, or any other, to win the SHA–3 competition
Guild Wars 2’s Mike O’Brien on Account Security

HALL of SHAME: Secret Microsoft policy limited Hotmail passwords to 16 characters

The post Password SecuritIEEE | TechSNAP 77 first appeared on Jupiter Broadcasting.