Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Inside the Malware

• Security researcher Sherri Davidoff profiles the Blackhole exploit kit
• Walking us step by step through what the malware does once your computer is infected
• It starts with a simple phishing email, in this example just a plain email that says “Hi, as promised your photos.” with a link
• The unsuspecting user follows the link, and nothing much seems to happen and they continue about their day
• In actuality, their computer has not been infected with the Blackhole exploit kit
• A few days later, while visiting the website of their bank, the user is prompted by the page to verify their identity. Over a short period of time, the attack, using a man-in-the-browser attack, was able to gain:
  • The victim’s name
  • Phone number
  • Answers to security questions
  • RSA token
• The attacker then used this information to wire themselves $49,500 out of the victim’s bank account
• However, because this was a large corporate account, the bank requires a second person to authorize such a transfer
• The attacker used the MITB attack to ask the victim for the name of that second person, which the user entered
• The attacker then asked for the email address of the second person, however the user got suspicious, called the bank and the account was quickly frozen
• Once the blackhole exploit kit is installed on a computer, it loads updates and then continues to phone home once every 20 minutes, using a simple HTTP POST request
• The researcher also managed to capture a Man-In-The-Browser attack on video, when attempting to login to the BankofAmerica site, the infected computer injects a page after the user submits the login form, but before the information is actually sent to the bank
• The injected page claims that the bank does “not recognize” your computer and asks you for a number of details, including your debit card number, social security number, date of birth and mother’s maiden name
• These details are not sent to the bank, but rather to the attacker, who can use them later to drain your account
• In more sophisticated attacks using this technique, the attacker is actually communicating with your system live, in order to take advantage of the information as you enter it, such as passing on to the victim the secret questions they are prompted for when trying to send a wire transfer
• This also allows the attackers, in the situation where they are actively monitoring your computer when you are attempting to access your account, to take advantage of temporary information such as the output of your RSA security token

---

Dedicated server provider Hetzner finds backdoor

• Administrators at Hetzner discovered a backdoor on their nagios monitoring server
• After further investigation, they discovered that their web interface for managing dedicated servers (called the Hetzner Robot) had also been infected
• This means some personal details of customers, including name, email address, phone number, hashed password, last 3 digits of credit card number, credit card type and expiration date
• The actual card number is never stored by Hetzner, it is passed directly to the payment processor who returns a unique token that is used to reference that card in the future
• However, customers using direct debit (debit note) from their bank account, may have been compromised. While the information is stored encrypted in the Hetzner database, the key may have been compromised
• Passwords were SHA256 hashed with a salt, but it does not sound like they used sha256crypt
• “The malicious code used in the “backdoor” exclusively infects the RAM. First
  analysis suggests that the malicious code directly infiltrates running Apache
  and sshd processes. Here, the infection neither modifies the binaries of the
  service which has been compromised, nor does it restart the service which has
  been affected.”
• Hetzner has hired an external security company to do a more indepth investigation
• English FAQ

---

Feedback:

• MAC Filtering?

• FreeNAS as Storage for VMs… HOW?

• Using rsnapshot for backup?

• Apple’s Hidden Details

• Another Take on Passwords when Mobile

• Sharing a Real Life Bad Security Experience

BSDCan 2013 Videos:

• All Videos
• Allan Jude – Managing FreeBSD at Scale
• Paul Chvostek – Switching from Linux to FreeBSD
• Peter Hansteen – The Hail Mary Cloud And The Lessons Learned
• Pawel Jakub Dawidek – FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
• Kirk McKusick – An Overview of Security in the FreeBSD Kernel
• Shawn Webb – Runtime Process Infection Part 2

---

Round Up:

• Lenovo opens heavily automated assembly plant in North Carolina
• 0 day exploit for Plesk puts more than 360,000 linux servers at risk, unknown if windows servers are affected. Exposes /usr/bin
• China says it is the USA’s fault that their weapons designs were stolen, “Even following the general principle of secret-keeping, it should not have been linked to the Internet,”
• Vint Cerf worries that we won’t be able to access historical data due to the cost of maintaining backwards compatibility
• NSA collecting phone records of millions of Verizon customers daily
• Google researcher releases a working exploit for the Windows Kernel bug he disclosed earlier
• Car thiefs may have a new device that unlocks many makes and models of vehicles
• Attackers use massive DDoS to mask exploit attack against EVE Online backend servers

The post Phishin' Hole | TechSNAP 113 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/36606/intelligent-malware-techsnap-108/ Thu, 02 May 2013 16:12:46 +0000 https://original.jupiterbroadcasting.net/?p=36606 A new Apache exploit hinds in shared memory, making it hard to detect. We’ll tell you all about this new type Intelligent malware.

The post Intelligent Malware | TechSNAP 108 first appeared on Jupiter Broadcasting.

]]>



A new Apache exploit hinds in shared memory, making it hard to detect. We’ll tell you all about this new type Intelligent malware.

Plus: Why all passwords are crackable no matter what anyone says, a great batch of your questions, and much more!

Thanks to:

GoDaddy.com Use our code tech295 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

New Apache exploit hides in shared memory

• The backdoor, called Linux/Cdorked.A is unusually sophisticated and stealthy
• It is unclear if Cdorked is related to the previous ‘deepleech’, which deepleech was an apache module and worked quite differently, it shared the common goal of infecting users with the blackhole exploit kit and hiding from administrators
• Unlike similar backdoors, Cdorked does not store or modify any files on the file system, other than the modified httpd binary
• State information and configuration are stored in a small area of shared memory shared between all of the httpd processes
• Interestingly, the region of shared memory has its permissions set wide open to allow the information to be read or modified by other applications as well
• All of the backdoor bits of the infected httpd binary are encrypted with a static XOR key
• The infected machines receive their instructions from the command and control server as special HTTP requests, which the backdoor prevents from ever being logged
• The backdoor also has a reverse connection shell, when a special HTTP GET request is received, the httpd will connect out to the specified host and port, allowing the attack to get a shell on the infected host, even if it is behind a strict firewall
• The reverse shell connection is also encrypted using a XOR based on the parameters sent when initializing the connection, likely to hide the shell connection from IDS (Intrusion Detection Systems)
• The goal of the backdoor is the same as the earlier version, redirect users from legitimate sites to the blackhole exploit kit
• This improved version does an even better job of hiding itself, and also provides perpetrators with additional analytics
• When a victim is redirected to the exploit kit, the URL includes a long base64 encoded string, which contains information including the domain and url of the file the user was requesting (the attackers can figure out what sites and sending them the most victims, or when a site stops sending them victims) and whether or not the client’s request was to a javascript file, allowing the correct exploit to be served
• Once a victim has been redirected once, a cookie is set on their system which prevents the exploit from appearing again in the future, making is harder to detect or recreate the infection
• The exploit purposely avoids trying to infect administrators to avoid detection, not serving the redirect to visitors to any URLs containing: ‘adm’, ‘webmaster’, ‘submit’, ‘stat’, ‘mrtg’, ‘webmin’, ‘cpanel’, ‘memb’, ‘bucks’, ‘bill’, ‘host’, ‘secur’, ‘support’
• ESet has published detection instructions
• It is not clear how servers are being infected initially, some suggest it is just ssh brute force attacks gaining administrative access, however a researcher from Cisco believe it may be an exploit in unpatched installations of Plesk, a web hosting control panel application

---

Salted hashes are not uncrackable, no matter what anyone says

• As details emerge about the recent compromise of LivingSocial that exposed their password database, it is important to clarify some points about password hashes
• LivingSocial was using SHA1 hashes, with “40 byte salts”. It is unclear, but it seems they ‘rolled their own’ hashing system, because they knew SHA1 was not good enough by it self
• There are a number of problems with their approach:
  • SHA1 is designed for speed, in a cryptographic password hashing system, you want it to be slow/expensive
  • There are special versions of the SHA algorithms for this, like sha512crypt, rather than just doing a sha512 hash of the input, it does a variable number of rounds, typically 5000, with alternating inputs, to make it take longer. More on how sha512crypt works
  • Salting a hash does not make the hash any stronger, because the salt is part of the hash, and known to the attacker (because you need to the salt to verify a legitimate login attempt). The purpose of a salt is to require an attack to calculate the hash of each password separately, so when you have a list of 50 million passwords, you have to try ‘password’ against all 50 million of them, because each has a unique salt
  • Poul-Henning Kamp, author of the original md5-crypt, in his post officially deprecating md5-crypt recommended large sites consider using a blend of the existing algorithms to take advantage of things like bcrypt’s resistance to GPU cracking
• Password hashing has never, and will never be uncrackable
• As with all security measures, it is a trade off. The goal is to balance the amount of computer power it takes to generate a single hash (to compare your login attempt against the stored hash to decide if you have entered the correct password) so that it is as slow as possible without delaying your login or over burdening the server (a good benchmark is 50–100ms) so that login attempts take an imperceptible amount of time, but brute forcing the hashes takes an impractical amount of time (large number of years)
• Password hashing is designed to buy time, so that when the password database leaks, you have time to reset your password to something new, before the attacker can brute force the password and compromise your account
• Reminder: Use a unique password for each site/service

---

[asa]B00B7VZN76[/asa]

Feedback:

• Jason with a few suggestion

• Monitoring Power Outages / Backup Generator

• Generator dry closure

• FIOS and PFSense

• Actiontec Ethernet to Coax Adapter Kit for Homes with Cable TV Service

• I want to pose a ZFS Q for Allan

• Really likes IRedMail

• Network Troubles in South Korea

Round-Up:

• Google Glass jailbroken: hacker says security is ineffective
• Spyware used by governments poses as Firefox, and Mozilla is angry
• Web hosting company finds Btrfs not ready for prime time
• Australia’s Mandatory Data Breach Notification Bill Revealed, business could face up to $1.7 million fine for breaches
• Spanish police arrest owner of CyberBunker on charges related to DDoS against Spamhaus
• The Real Reason ARM Will Menace Intel in the Data Center
• National Security Draft proposes to fine tech companies that do not help with live wiretaps
• Advertising companies don’t even know who is tracking you

The post Intelligent Malware | TechSNAP 108 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/23941/double-0-java-techsnap-73/ Thu, 30 Aug 2012 16:52:17 +0000 https://original.jupiterbroadcasting.net/?p=23941 This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.

The post Double 0-Java | TechSNAP 73 first appeared on Jupiter Broadcasting.

]]>



This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.

Then it’s a big batch of your questions, and our answers.

All that and much more, in this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Java 0-day exploit in the wild

• Two critical vulnerabilities in Java 7 are being combined to create a 0-day exploit that can compromise all major browsers (Firefox, Chrome, Safari, Opera, IE)
• The vulnerability can be exploited in a ‘drive-by’ fashion, meaning it does not require any interaction from the user
• This means that attackers could purchase advertising on legitimate sites and inject the exploit code in to the adverts
• This exploit will likely also be heavily used on compromised websites (like Bryan’s wordpress blog)
• Java 6 is not susceptible to this exploit, but contains a number of older unpatched vulnerabilities, and should not be used
• Oracle reportedly knew of critical Java bugs under attack for 4 months
• The two vulnerabilities were reported to Oracle in April, along with a total of 29 other flaws
• Security Explorations furnished the bug reports, with working Proof of Concept code to Oracle
• Oracle patched 3 of the issues in the Jun 12 2012 Java Critical Patch Update, issues 10, 13 and 21. There was also some mitigation in the code that broke the original PoC exploit of issue 26
• According to a status report received by Security Explorations from Oracle on August 23rd, Oracle was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), along with 17 of the other Java 7 flaws reported
• Adam Gowdiak, CEO of Security Explorations, remarks that the exploit in the wild combines the 2 vulnerabilities in an entirely different way than their proof of concept furnished to Oracle
• Owing to the difference in implementation, Security Explorations assumes that someone else independently discovered the same exploit, rather than discovering it via some leak in the vulnerability report handling process
• Gowdiak adds ““We don’t know with whom and in what form or detail Oracle is sharing vulnerability information.”
• A 3rd party patch for the vulnerability has been developed, but is only available from the author to IT Administrators, and is not designed for end users
• Additional Coverage
• Java 7 Update 7 has been released to resolve this exploit

---

Google publishes important information about hosting user generated content

• Google loads all user generated content from an isolated domain, googleusercontent.com
• Google uses subdomains to separate different bits of UGC
• One of the reasons for this is attacks such as GIFAR, which an attacker takes a valid .gif file, and concatenates a java exploit .jar (which is just a zip file containing the compiled code)
• Now an attacker can embed on their site an HTML appet tag with a src pointing to a google domain (such as Picasa)
• By shifting the content from official google domains, to the googleusercontent.com, the browser’s ‘same origin’ policy should prevent malicious UGC from accessing the users’ google.com authentication cookie
• Google goes on to detail their solutions for content that requires authentication (private documents, google apps for enterprise), where not being able to access the google authentication cookie would pose a problem
• Google uses a number of solutions (temporary cookies on googleusercontent.com URL passed authorization tokens, URLs bound to a specific user), to trade off usability and the risk of accidental disclosure (if access to a private image is controlled by a URL parameter, what if the user copies the link to the picture and uses it elsewhere?)

---

Feedback:

• Tool for provisioning new servers
  FreeBSD’s install can be scripted in a few different ways, the easiest is likely to start with the 225 line shell script that is the current FreeBSD installed
  /usr/src/usr.sbin/bsdinstall/scripts/auto
  You can set a few environment variables, and remove the dialogs, and you’ll have a fully automated install tuned just the way you like, then just PXE boot that, or make your own CD
  There are also some nice tutorials out there:
  Scripting a FreeBSD 9.x Install
  HOWTO: Modern FreeBSD Install RELOADED
  I generally do not script the installs of my BSD boxes, it takes only 5–10 minutes to do the install, and since each machine tends to have a different disk layout, it wouldn’t save much time
  Also, many of my servers are in foreign data centers, and they do the FreeBSD install for me, then just provide me with my SSH credentials. (Although a great many now provide IPMI/KVMoIP and allow me to install the OS myself)

• Thoughts on OpenID
  OpenID moves the trust from a number of separate sites, to a single site, your ‘identity provider’
  This is likely more secure, since OpenID is based on strong practices, but also presents a more tempting target
  The advantage is that you can be your own OpenID provider, and then you only have to trust yourself

• Tricks to conserve Bandwidth?

• Daniel writes in with a note that he uses Puppet to manage over 2000 nodes from a pair of redundant Puppetmasters running via Apache/mod_passenger without issue.

• Shlomi writes in with a question about moving an LVM to ZFS.
  Your best bet is to do something like I did when I moved from a number of separate UFS drives, to a ZFS array (not, there is some performance penalty for doing it this way, more on that later)
  Use these instructions to remove one of the disks from your LVM volume (the biggest one you have enough free space to remove).
  Now create your ZFS pool, and add this now empty disk
  Start filling the ZFS pool until you have free enough space in the LVM to remove another disk, then add that disk to the ZFS pool
  Repeat as necessary
  ZFS will do write-biasing to try to ensure the drives reach ‘full’ at the same rate, so the emptier drives will receive a higher portion of the new writes. If you can create the pool from scratch, you will get better write performance, since all disks will be used to their maximum bandwidth
  ZFS had a planned feature called ‘block pointer rewriting’ that would allow for re-balancing the disk space across devices and for defragmenting files (fragmentation gets excessive due to copy-on-write)
  Personally, I am going to build a fresh array with 4x3TB disks in RAID Z1, and then recycle my 1.5TB disks for other purposes

• I want to hear more about Scale Engine and what it does and some of the services. How about a segment on just Scale
  We provide a few main services:
  • Origin Web Cluster – Accelerated PHP/MySQL platform (Hosts JB’s site, and forums)
  • Edge Side Cache – an extremely fast memory backed geographically distributed MRU cache. Stores frequently accessed content in memory close to the users for fastest delivery. Great for images, css and javascript, but can also cache entire pages (Hosts JBs images, css and js)
  • Content Distribution Network – Disk backed geographically distributed MFU cache, stores static content close to the user for faster delivery. Works great for static content, especially larger content like audio and video podcasts. (Hosts JB episode downloads)
  • Video Streaming Network – Hosting Live, On-Demand, Pay-Per-View and Fake-Live video streaming. Provides multi-bitrate streaming to ‘any screen’ via RTMP (Flash), HLS (iOS, Safari, Android, Roku, VLC), or RTSP (Android, Blackberry, Quicktime, VLC). ScaleEngine’s SEVU API allows extensive content control for Geo-Blocking and Pay-Per-View/Subscription based viewing (Hosts JB live stream)

Have some fun:

• What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

• ‘Lulzsec hacker’ latest to be arrested in US
• Researchers at the Usenix Security conference have demonstrated a zero-day vulnerability in your brain. Attaching an $200 EEG to your head, they can extract your bank card PIN number
• Windows 8 Tells Microsoft About Everything You Install, Not Very Securely | Nadim Kobeissi
• VMware Joins OpenStack, Embraces Its ‘Ugly Sister’
• Want a Windows 8 Start Button? Open source to the rescue!
• FreeBSD Struggles To Gain UEFI Boot Support
• Dropbox finally adds 2 factor authentication
• Top-Level Universal XSS
• Team GhostShell posts database and information dumbs from a number of sites, totalling over 1 million records, a number of the dumps contain usernames, passwords, email addresses and phone numbers

The post Double 0-Java | TechSNAP 73 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/22996/best-of-bash-scripts-las-s23e02/ Sun, 12 Aug 2012 15:24:39 +0000 https://original.jupiterbroadcasting.net/?p=22996 We bring on Michael Dominick from Coder Radio and we go through some of the best Bash scripts sent in to the show! Then we put them up to a vote by you!

The post Best of BASH Scripts | LAS | s23e02 first appeared on Jupiter Broadcasting.

]]>



We bring on Michael Dominick from Coder Radio and we go through some of the best Bash scripts sent in to the show! Then we put them up to a vote by you!

Plus: Some great emails, we put the call out for a remote desktop solution, a new patent filing that might hint and Valve’s big plans, and so much more!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com

Limited time offer:
SPECIAL OFFER! For all customers, Save 20% off your order! – code: go20off6
Expires: August 31st 2012

Missed the good deal? Use our code LINUX and save 10%! anytime!

Direct Download:

HD Video | Mobile Video | WebM Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Runs Linux:

• SpaceX rockets run linux. (at 9m30s)

Android Pick:

• Terminal IDE
• Android Picks so far thanks to Madjo in the IRC Chat room!

Desktop App Pick:

• Lightread
• Thanks to Madgo
• Picks so far

Random Distro Of The Day

• Bedrock Linux
• Bedrock Linux 1.0alpha1 Demonstration – YouTube

Linux Action Show Subreddit

• Linux Action Show Subreddit

Search our past picks:

• Linux Action Show Lookup
• Thanks to sakuramboo!

News:

• Debian Now Defaults To Xfce Desktop
• Digia to acquire Qt from Nokia
• What’s Valve Really Up To?
• Announcing the Ubuntu App Showdown winners
• GNOME OS Details
• Attachmate reveals Novell, SUSE, & Linux Plan
• Linux founder Linus Torvalds delivers a smackdown like no other

Best of BASH

Presented by: System76

The contestants:

• JB Live Show Recorder by KreepyUncle
• One-line bash http server — Gist
• Podcastrecording script to directly save as OGG & MP3 + apply compressor, all live
• My script to setup squid, dhcp, adblocking, bind dns from scratch on centOS and Fedora install
• A bash script that sends you an e-mail containing your public IP when it changes.
• Bash script: a better prompt; dynamically
• Bash Wallpaper Changer

Michael’s Picks:

• JB Live Show Recorder by KreepyUncle
• One-line bash http server — Gist
• A bash script that sends you an e-mail containing your public IP when it changes.

Cast Your Vote:

• Pick the BASH Champion!

Feedback:

• Have you ever used Reaper?
• Concerns with KLANG
• How to get media on the RP?

Chris’ Stash:

• Jupiter Audio Radio

What’s Matt Doin?

• Writing about Linux, sometimes, even asking tough questions

Michael Dominick

• Mike on Twitter
• Mike on Google Plus
• Mike’s website

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter:

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook:

• Jupiter Broadcasting on Facebook

Jupiter Broadcasting Forum:

• Jupiter Colony

Catch the show LIVE Sunday 10am Pacific / 5pm UTC:

• https://jblive.tv
• Network Calendar

The post Best of BASH Scripts | LAS | s23e02 first appeared on Jupiter Broadcasting.

]]>