Show Notes: techsnap.systems/413

The post The Coffee Shop Problem | TechSNAP 413 first appeared on Jupiter Broadcasting.

The real fallout from the Ashley Madison hack gets personal. The Android StageFright patch that doesn’t cover all of the holes, and turning a KVM into a spying appliance.

Plus a great batch of questions, our answers, and a rocking round up.

All that and a heck of a lot more on this week’s TechSNAP!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Ashley Madison Fallout

• According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
• Earlier today Krebs heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service.
• The individual “Mac” who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.
• Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
• Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
• Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
• The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
• According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
• Almost None of the Women in the Ashley Madison Database Ever Used the Site
• A light-weight forensic analysis of the AshleyMadison Hack
• City employees among emails listed in Ashley Madison hack
  
• John McAfee thinks he knows who hacked Ashley Madison
• Leaked AshleyMadison Emails Suggest Execs Hacked Competitors
• The only thing potentially interesting or useful in AshMad CEO’s inbox…

Android StageFright patch doesn’t cover all of the holes

• Google released to the open source Android project a new patch for the Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.
• “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin
• The original four-line code fix for CVE-2015-3824, one of several patches submitted by researcher Joshua Drake of Zimperium Mobile Security’s zLabs who discovered the flaw in Stagefright, still leads to a crash and device takeover. Jordan Gruskovnjak, a security researcher at Exodus, found the problem with the patch, and Exodus founder Aaron Portnoy today hinted that there could be similar problems in all the patches.
• “They failed to account for an integer discrepancy between 32- and 64 bit,” Portnoy told Threatpost this morning. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
• “According to public sources, many more issues have been discovered since they reported the bugs in MPEG4 processing on Android. I expect we will see continuing fixes to the Stagefright code base for the coming months,” Drake said in an email to Threatpost. “The story is long from over.”
• Exodus Intelligence notified Google on Aug. 7, the first day of DEF CON in Las Vegas and two days after Drake’s Stagefright presentation at the Black Hat conference. Google has assigned CVE-2015-3864 to the issue.
• In addition to Nexus devices, Google said it sent the original patches to other mobile providers, including: Samsung for its Galaxy and Note devices; HTC for the HTC One; LG for the G2, G3 and G4; Sony for its Xperia devices; and Android One.
• The vulnerabilities affect Android devices going back to version 2.2; newer versions of Android have built-in mitigations such as ASLR that lessen the effects of Stagefright exploits. Google said last week that 90 percent of Android devices have ASLR enabled, and that the next release of its Messenger SMS app also contains a mitigation requiring users to click on videos in order to play them.
• Additional Coverage: Forbes
• The news is compounded by yet more Android vulnerabilities
• Checkpoint Security: Certifigate
• Major Android remote-access vulnerability is now being exploited

Turning a KVM into a spying appliance

• Researchers presented their work at BlackHat on how to teach a keyboard switch to spy on its users
• “When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet.”
• Early KVM switches were just physical hardware switches that allowed more than one computer to be controlled by a single Keyboard, Video (Monitor), and Mouse
• By the year 2000, we had Matrix KVMs that could be chained together and used to control more than 1000 computers from a single keyboard
• USB Stacks, Video Transcoding, Virtual Media (mount an ISO from your workstation as if it was a usb cdrom drive) drove KVMs towards being entire computers in and of themselves, with an operating system, that could be hacked
• The firmware shipped with the device was obfuscated, and at the start, the researchers were unable to find anything useful. Not a single string in the firmware
• By comparing a number of different firmware versions, they were able to figure out which part of the firmware image was the version number. This gave them a starting point
• Looking at the circuit board of the KVM they found some common ASICs, which provided more clues
• Once they cracked the obfuscation, they now had code they could analyze
• “Of course reading the firmware is only the first step, you need to show that something useful (insidious) can be done with it. During the talk the pair demonstrated their custom firmware switching to a different system, “typing” in the password (which would have been logged earlier when a human typed it in), and echoing out a binary file which was then executed to load malware onto the system.”
• “Yes, you need physical access to perform this attack with the KVM used during the talk. But some KVMs allow firmware updates over IP, and many of them have web interfaces for configuration. There are many vectors available here and knowing that, the discussion turns to prevention. Keystroke statistics are one way to prevent this kind of attack. By logging how fast characters are being typed, how tight the cadence is, and other human traits like use of backspace, the effectiveness of this type of attack can be greatly reduced.”
• This is interesting research, and makes me even more suspicious of the 16 port, 2 user, IP-KVM I use to manage some of my servers.

Feedback

• Get your BSDNow 2 year anniversary t-shirt before time runs out

• Corporate email being hacked?

• PfSense vs cheap off-the-shelf router for home network

• Self-Hosted RMM Software

• Allan and Chris: Your personal SSH key management methodologies?
  • Allow storage of SSH private keys in LastPass, and use lpass CLI to retrieve and load into ssh-agent. The general idea is to store the private key armored ASCII in an “SSH Key” Secure Note, in a specific folder (i.e.: “Secure Notes\SSH” ). · GitHub
  • SSH Authentication with YubiKey | LAS 373 | Jupiter Broadcasting
• FUDO

Round Up:

• Microsoft has no plans to tell us what’s in Windows patches
• DNSSEC – Fighting the FUD
• Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
• OpenSSH privilege separation accidently disabled on pkgsrc platforms, for the last 9 years
• A data center of liquid cooled servers
• GitHub attacked again as Chinese developers forced by police to pull code
• UK Police investigate first instance of “Cyber Flashing”, iOS AirDrop
• The security content of the latest OS X update

The post Extortion Startups | TechSNAP 229 first appeared on Jupiter Broadcasting.

More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

• “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
• The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
• “The hospital says it immediately notified law enforcement agencies.”
• “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
• “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
• The age of the data suggests that the compromise may have involved backups and/or cold storage
• It is not clear of the Hospital stores the older data themselves, or if they rely on a 3rd party provider that may have been compromised
• “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim

• Sony has apparently cancelled the release of the film that is apparently the cause of the hack of their systems
• A number of cinemas had declined to screen the file after vague threats of physical violence were made
• “We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public,” Sony’s statement continues. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”
• If they stand for freedom of expression, they wouldn’t have cancelled the movie
• A number of people believe that the hackers may have found something especially damaging to Sony, and Sony is hoping to avoid the disclosure
• Bruce Schneier – “It’s really a phenomenally awesome hack—they completely owned this company,”
• “this is like Snowden, only with Sony.” He said that releases from the hack could go on for months.
• That seems to suggest that the hackers will soon leak something that will look very, very bad for the company, Schneier says.
• Earlier this week, Sony sent a letter to news outlets reporting on the leaks, saying that they could face prosecution for downloading stolen information. That letter, Schneier said, was a signal that the worst is still to come.
• Gawker posts a copy of the threatening letter
• “The fact that they sent that letter tells me there is stuff still to be found that Sony is terrified of. There’s some really bad stuff in there—stuff they did, stuff they said, stuff that’s illegal. Someone [from Sony] is going to jail for this.”
• Reaction to the Sony hack is beyond the realm of stupid – This is not terrorism
• Cisco analysis of Wiper malware used at Sony
• Newer version of Wiper malware signed with stolen Sony certificate
• ThreatPost Digital Undergound Podcast – Details of the Sony Breach
• The leak has also covered a number of different plans and plots by the MPAA
• Inclusing the MPAA’s post-SOPA plan to make ISP DNS Servers block sites

Feedback:

• FW Question

• IP management with 257 devices

• Isolating a server

• Certificate for web site
  • Mozilla TLS Server Side settings

• OpenYourMouth · GitHub

• Cipherli.st – Strong Ciphers for Apache, nginx and Lighttpd

Round Up:

• Viber calls out ESET for flagging them, ESET responds with a digital uppercut
• Yahoo releases new disclosure policy, all new bugs it finds will be disclosed within 90 days
• Report: Mysterious Russian Malware Is Infecting 100,000+ WordPress Sites
• Red October APT team is back, with the CloudAtlas APT attack
• Verizon’s new “end-to-end” encrypted calling app, includes “Government Access Option” – Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. “It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”
• Leaked Government documents reveal Canadian Telco’s offering the Government “Surveillance Ready Networks”, to avoid legislation, and to force small operators out of the market
• Ars was briefly hacked yesterday; here’s what we know (Ars uses PHPass to hash passwords, that is 2048 rounds of MD5. Not as bad as it sounds: If you want to put this into “OL Hashcat” terms, a single R9 290X (video card) can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That’s beyond properly slow.)
• A small bank in Kansas may be the future of banking, replacing ‘batched processed’ ACH transfers with instant transfers backed by the existing ATM processing network
• phpBB Status Update
• Study by Dell SecureWorks researchers finds that prices on the Internet Underground are rising

The post Don’t Fire IT | TechSNAP 193 first appeared on Jupiter Broadcasting.

One of the worlds most prolific spammers gets profiled & the technical details are fascinating. New Apple malware is getting everyones attention, but why iOS trusts the code is really the more fascinating story, we’ll explain.

Plus a great batch of questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

MeetBSD

• MeetBSD2014 – UCL all of the things

Spammers are always developing new tactics

• Prolific spammer Michael Persaud has been caught sending spam yet again
• The 37-year-old from San Diego was the first spammer to have been criminally prosecuted, 13 years ago
• By following a string of clues in the details used to register 1100 new domains used to send spam, researcher Ron Guilmette was able to track the source of the spam back to Persuad
• What makes this case specially interesting was the technique used to send the spam
• The chain of events starts with a block of IP addresses getting added to a blacklist, and the owner of those IP addresses being notified of the fact
• The owner of the IP addresses was adamant that the spam was not coming from their network, as they do not host any spammers
• When Cisco provided evidence that the spam was in fact coming from their IP addresses, further investigation revealed that that block of addresses was not actually in use
• The block of IPs was not being announced via BGP by the owner of the IP space, thus the IPs were dormant (unannounced)
• The spammers had looked around the internet, found ranges of dormant IP addresses, and announced those themselves, in effect moving the hosting for that IP range to their hosting provider, instead of that of the owner
• This allowed the spammers to send spam from ‘clean’ IP addresses, that had never been used to send spam before
• The spammer in question claims he did not know the IP addresses were hijacked, that the ISP he was using was selling him ‘stolen’ IPs without his knowledge
• Persuad made this seem like a common occurrence, but it isn’t, and the researchers are not buying it

• “In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers. In 2000, Persaud admitted to one felony count (PDF) of stealing from the U.S. government, after being prosecuted for fraud related to some asbestos removal work that he did for the U.S. Navy”

• Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door Audiobook | Brian Krebs | Audible.com

Google launches new network security testing tool: nogotofail

• SSL/TLS has seen a number of major vulnerabilities lately, including Heartbleed, Apple’s goto fail, GNUTLS and NSS both having certificate verification flaws, and most recently the POODLE vulnerability
• To help researchers and administrators test for these vulnerabilities, Google has released nogotofail, a new testing tool
• “allows developers to set up an infrastructure through which they can run known attacks against the target application. It has the ability to execute various attacks that require man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others“
• “The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS“
• The tool can be deployed on Clients, Routers, and VPNs to automatically detect connections between clients and servers that are vulnerable to any of the known flaws
• Project on GitHub

Feedback:

• Homeserver / SSH / Permissions or SPOUSAL APPROVAL

• Printers with public IPs?

• 10Gb NIC query

• ZFS on Linux and ECC RAM?

• Healthcare vendor negligent of POODLE

• Daniel Blair on Twitter: “Hey @ChrisLAS I am wearing my #TechSNAP 100th episode shirt while getting interviewed after #innovateordiedays https://t.co/4UwbBTJ0sl #rep”

Round-Up:

• WireLurker Mac OS X Malware Found, Shut Down
• New, harder to detect version of the Backoff Point-of-Sales malware found in the wild. Old version still infecting more than 1000 point of sales systems
• FBI Holds Secret Meeting To Scare Congress Into Backdooring Phone Encryption
• Linksys patches more routers for flaw found in July. Flaws Include allowing attackers to steal password database
• Secure Messaging Scorecard | Electronic Frontier Foundation
• Next weeks Microsoft Patch Tuesday will be a big one, 16 patches covering IE, Windows, Exchange, Office and more
• Swedish hacker finds ‘serious’ vulnerability in OS X Yosemite
• American Express proposes new tokenized payment cards, unique code for each merchant, transaction type, or device.

The post Apple Approved Malware | TechSNAP 187 first appeared on Jupiter Broadcasting.

It’s way past time to turn off Universal Plug and Play, we’ll give you the details on the exploit that only requires a single network packet.

Plus how we’ve built our VM storage setup, our favorite network monitoring tools, and much much more! In this week’s episode of TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go28off2 to save 28% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: