HVAC – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 20 Sep 2019 01:54:36 +0000

Too Good To Be True | TechSNAP 412 https://original.jupiterbroadcasting.net/134827/too-good-to-be-true-techsnap-412/ Fri, 20 Sep 2019 00:15:25 +0000

Show Notes: techsnap.systems/412

The post Too Good To Be True | TechSNAP 412 first appeared on Jupiter Broadcasting.

On Target | TechSNAP 264 https://original.jupiterbroadcasting.net/99151/on-target-techsnap-264/ Thu, 28 Apr 2016 05:53:17 +0000

The post On Target | TechSNAP 264 first appeared on Jupiter Broadcasting.


This week, Chris & Allan are both out of town at different shenanigans, but they recorded a sneaky episode for you in which they recap the Target breach, from when the news broke to the lessons learned and everything in between!

Project Zero Goes To War | TechSNAP 177 https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/ Thu, 28 Aug 2014 19:01:59 +0000

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.


Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, and we get real about virtualization.

And then it’s a great batch of your questions, our answers & much more!


— Show Notes: —

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP can be good indicators of future vulnerabilities
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (outdated WordPress is a good hacking target)
  • It also compares the sites to sites that have been compromised. If a site is very similar to another, and that other was compromised, there is an increased probability that the first site will also be compromised
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
  • Research PDF from USENIX
  • There are also tools, like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago, Google’s Project Zero reported a bug in glibc. However, there was much skepticism about the exploitability of the bug, so it was not fixed
  • This week, the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32-bit OSs
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora instead to more easily develop the exploit
  • The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running system("/bin/bash") started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked listed hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected”
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor.”
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

Targeting the HVAC | TechSNAP 148 https://original.jupiterbroadcasting.net/51107/targeting-the-hvac-techsnap-148/ Thu, 06 Feb 2014 19:22:54 +0000

The post Targeting the HVAC | TechSNAP 148 first appeared on Jupiter Broadcasting.


We finally have the answer to how the Target network was physically breached, and it just might make you face-palm.

Plus some urgent Adobe news, the NSA ORCHESTRA program, and a big batch of your questions and our answers.

All that and a heck of a lot more, on this week’s TechSNAP!


— Show Notes: —

Security Protocols and Evidence

  • Researchers at Cambridge propose a new way of thinking about security protocols: designing into them the facilities required to generate proper evidence to be used in court for dispute resolution
  • The goal of the research is to highlight the types of design considerations that should be put into cryptocurrency systems like Bitcoin and other payment systems like electronic banking and mobile payment apps
  • The research uses EMV (Chip & PIN) as an example and shows how it does not currently provide the evidence required for proper dispute resolution
  • The paper outlines 5 design considerations:
  • Principle 1: Retention and disclosure. Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody
  • Principle 2: Test and debug evidential functionality. When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses
  • Principle 3: Open description of TCB (trusted computing base). Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations
  • Principle 4: Failure-evidentness. Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism
  • Principle 5: Governance of forensic procedures. The forensic procedures for investigating disputed payments must be repeatable and be reviewed regularly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures
  • The paper then goes on to describe ways these principles could be applied to the existing EMV system to improve its security and dispute resolution facilities

Target Hackers Broke in Via HVAC Company

  • Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.
  • Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
  • Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • The HVAC company president confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation
  • It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
  • According to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
  • Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
  • Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
  • While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.
  • These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
  • These compromised hosts serve as cut-outs: after the stolen data is copied from them by the attacker, the logs can be erased to break the trail of evidence

Adobe announces emergency patch for Flash Player, flaw being exploited in the wild

  • Adobe has issued an emergency security advisory for all versions of Flash Player
  • Adobe released 12.0.0.44 for Windows and Mac, and 11.2.202.336 for Linux and FreeBSD
  • Bundled versions for Chrome (12.0.0.41) and Internet Explorer (12.0.0.38) were also updated to 12.0.0.44
  • “These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).”
  • Researchers Alexander Polyakov and Anton Ivanov of Kaspersky Lab discovered an exploit for the vulnerability being used in the wild and reported it to Adobe
  • Adobe has released no further details about the ongoing attack
  • Researcher’s Post
  • “During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later”
  • “The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment”
  • “Most interesting, the authors appears to be native in yet another language which has been observed very rarely in APT attacks.”
  • The language in question appears to be Korean
  • Kaspersky Labs have released more technical details about the exploit
  • Additional Coverage

WordPress LAN Recon | TechSNAP 89 https://original.jupiterbroadcasting.net/29171/wordpress-lan-recon-techsnap-89/ Thu, 20 Dec 2012 17:50:14 +0000

The post WordPress LAN Recon | TechSNAP 89 first appeared on Jupiter Broadcasting.


A malicious Apache module that uses some clever tricks so that you’ll never find it, a WordPress flaw that exposes your LAN, and the big Samsung exploit you might not have heard about!

Plus a big batch of your questions, and so much more on this week’s TechSNAP!
