Level3 – Jupiter Broadcasting https://www.jupiterbroadcasting.com (Open Source Entertainment, on Demand)

Docker Shocker | TechSNAP 167 https://original.jupiterbroadcasting.net/60337/docker-shocker-techsnap-167/ Thu, 19 Jun 2014 18:24:07 +0000


An exploit that leaves Docker containers leaky, who really owns your email account and one hash algorithm to rule them all.

Then it’s a great batch of your questions and much, much more!

Thanks to:

DigitalOcean

Ting

iXsystems


— Show Notes: —

Docker Linux containers spring a security leak

  • A security exploit has surfaced that can allow rogue programs to break out of Docker containers and access files on their host OS.
  • The flaw has been fixed in the latest version of Docker.
  • The flaw “Demonstrates that any given Docker image someone is asking you to run in your Docker setup can access ANY file on your host, e.g. dumping host's /etc/shadow or other sensitive info, compromising security of the host and any other docker container is on”
  • “The proof of concept exploit relies on a kernel capability that allows a process to open any file in the host based on its inode. On most systems, the inode of the / (root) filesystem is 2. With this information and the kernel capability it is possible to walk the host’s filesystem tree until you find the object you wish to open and then extract sensitive information like passwords,” Docker explained in a blog post published after the flaw came out.
  • “In earlier Docker Engine releases (pre-Docker Engine 0.12) we dropped a specific list of kernel capabilities, (a list which did not include this capability), and all other kernel capabilities were available to Docker containers. In Docker Engine 0.12 (and continuing in Docker Engine 1.0) we drop all kernel capabilities by default. Essentially, this changes our use of kernel capabilities from a blacklist to a whitelist.”
  • “Please remember, however, that at this time we don’t claim that Docker Engine out-of-the-box is suitable for containing untrusted programs with root privileges,”
  • Proof of Concept exploit prints /etc/shadow from the host from within Docker

Generalized Secure Hashing Algorithm

  • Ted Unangst (one of the lead developers of LibreSSL, as well as OpenBSD's secure signing infrastructure and many other things) posted a thought experiment to his blog
  • How would you design an uncrackable password hashing algorithm?
  • Ted’s idea: create a very large number of unique hashing algorithms, or rather, a generalized hashing algorithm that takes a ‘tweaking’ parameter that changes how the hash is generated
  • “Consider a hash function GSHA512, very similar to SHA512, but with slight variations on each of its constants. You could use GSHA512 #42, or GSHA512 #98765, or even GSHA512 #658743092112345678890 if there were enough variants available. 2^512 variants should be enough for anyone.”
  • Now, instead of having to spend a few million on specialized SHA512 cracking hardware, an attacker (the NSA) would have to build 2^512 different specialized cracking chips
  • The results?
  • “Safe to say we’ve defeated custom silicon. Nobody has a fab that can trace out millions of distinct custom circuits per second.”
  • “FPGA is finished too. Assuming you don’t melt it trying, you can’t reprogram an FPGA fast enough.”
  • “GPUs are harder. Without having tried it, my gut tells me you won’t be able to copy out the GSHA code to the GPU fast enough to make it worthwhile.”
    • “An attacker with lots of CPUs can still crack our password, but CPUs are very expensive. What if somebody could fab their own very cheap, very limited CPUs? Like a 100000 core CPU with only just enough cache to implement GSHA? Now we may be in trouble. The transistor count for GSHA is quite low, but they need to be the special high speed general purpose kind of transistor circuit. The scrypt paper notes that a CPU could be cheaper than RAM if stripped of all its extra functionality, but in practice it’s hard to calculate all the tradeoffs.”
    • “This part isn’t very practical. The idea is that a cracker would look less like a SHA512 cracker, capable only of performing one hash, and more like a typical CPU, capable of performing many hashes. Requiring the attacker to be adaptable in this way brings their costs in line with our costs. Maybe. Waves hands.”
  • Of course, to defeat custom CPUs, one could just use GSHA512 as the core of something like scrypt, which tries to defeat custom hardware by requiring a lot of memory instead
  • Example Implementation
  • “Don’t use these functions for anything but password hashing. (Don’t use them at all is even sounder advice.)”

Who owns your email account?

  • A user had their Yahoo email account terminated by Yahoo for violation of its terms of service
  • The violation was apparently for flaming another user in the comments thread under Yahoo news articles
  • Since the email address is part of the overall ‘Yahoo Account’, it was terminated
  • Eric Goldman, law professor at Santa Clara University, says: “A cloud service can lock off your assets,” he adds. “They may still be your assets from a matter of legal ownership, but if you have no access to them, who cares?” (Possession is 9/10ths of the law?)
  • Microsoft and Google have similar terms, although Google adds: “If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service”
  • This is why it is probably best to always use your own domain, so that the address is something you own
  • Even if you use Gmail or some other service to actually host the mail, if your Gmail account gets terminated, you can move your hosting elsewhere and, most importantly, your email address does not change
  • There is also the option to host your own email, with a hosting account, VPS or dedicated server
  • In these cases, especially when you do not have multiple servers to provide backup MX, I recommend a service such as: DNSMadeEasy Backup Email Service

Internet Over Packet Loss | TechSNAP 162 https://original.jupiterbroadcasting.net/57457/internet-over-packet-loss-techsnap-162/ Thu, 15 May 2014 12:01:44 +0000


We’ve got the definitive report on the Target breach, a flaw in single sign-on used all over the net, Level3 calls out broadband monopolies, and tech giants unite to save net neutrality.

Plus a huge batch of your questions, our answers, and much, much more!

Thanks to:

DigitalOcean

Ting

iXsystems


— Show Notes: —

Kill-Chain analysis of the Target breach

  • A report was prepared for the Senate Committee on Commerce, Science, and Transportation
  • Kill-Chain analysis involves looking at all of the things that could have been done to stop the attack from succeeding, and how or why they were not done. Kill-chain analysis was developed by security researchers at Lockheed Martin in 2011
  • “This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”
  • “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
  • “Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
  • “Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
  • “Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network”
  • “According to reports by Brian Krebs, a tailored version of the “BlackPOS” malware – available on black market cyber crime forums for between $1,800 and $2,300 – was installed on Target’s POS machines.”
  • “This malware has been described by McAfee Director of Threat Intelligence Operations as “absolutely unsophisticated and uninteresting.””
  • “Target’s FireEye malware intrusion detection system triggered urgent alerts with each installation of the data exfiltration malware. However, Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software”
  • The phases in the kill-chain:
    • Recon – Research, identify and select targets
    • Weaponize – Pair remote access malware with exploits (PDF files, Office files, Flash or Java exploits)
    • Deliver – Transmission of weapon to target (email attachment/phishing, website/watering hole, USB drive)
    • Exploit – Once delivered, weapon code is triggered, exploiting the vulnerable application or system
    • Install – The weapon installs a backdoor allowing persistent access
    • Command & Control – Outside server communicates with the weapon, allowing attackers inside the network
    • Action – Attacker works to achieve objective, maybe exfiltration of data (credit cards, plans/designs, intelligence data), destruction of data, or further intrusion/island hopping
  • Background on Kill-Chain Analysis
  • Paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Serious vulnerability in OAuth and OpenID could leak information

  • A vulnerability in the OAuth and OpenID protocols has been found that could be used to trick a user into being redirected to a malicious site.
  • OAuth and OpenID are commonly used to allow a user to log in or authenticate on a site using credentials from another site. For example, many websites allow you to log in using your existing Facebook, Google or Microsoft ID, rather than registering separately
  • OAuth is also used to authorize 3rd parties to perform actions on your behalf, such as allowing an application access to your Twitter account
  • The flaw could allow attackers to steal personal data from users and redirect them to questionable sites
  • This is especially dangerous, since a user on a trusted site, such as Facebook, could be tricked into loading content from an unsafe site, and doing so may also leak private data from Facebook to that unsafe site
  • “for OAuth 2.0, the attacks could primarily jeopardize the token of site users. If a user were to authorize the login the attackers could then use that to access that user’s personal data. When it comes to OpenID, the attacker could get a user’s information directly, as it’s immediately transferred from the provider upon request”
  • “An attacker could exploit the affected protocols and via a pop-up message through Facebook for example and trick users into giving up their information on otherwise legitimate websites”
  • Thus the attacker makes it look to the user as if the request is from Facebook, not the attacker
  • Researcher Blog
  • Researcher site about the vulnerabilities

Mozilla recommends a new approach to net neutrality to the FCC

  • Mozilla filed a petition with the FCC suggesting a new approach to net neutrality
  • PDF: Petition
  • The new approach involves looking at the entire question from the opposite direction
  • Rather than Comcast providing Netflix, Amazon, YouTube etc. access to its customer, Carol, Comcast is instead providing its customers, Alice, Carol, David, etc., access to ‘remote services’, like Netflix and Dropbox
  • Under this new ‘understanding’ of the shape of the Internet, Mozilla believes that the FCC already has the authority to impose strong net neutrality rules, resolving the question of authority raised when the courts struck down the old net neutrality rules
  • Level 3 Blog Post – ISPs play chicken with the future of the Internet
  • Level 3 Blog Post – Observations from an Internet Middleman
  • There are “six peers with congestion on almost all of the interconnect ports between us. Congestion that is permanent, has been in place for well over a year and where our peer refuses to augment capacity. They are deliberately harming the service they deliver to their paying customers. They are not allowing us to fulfil the requests their customers make for content.”
  • “All six are large Broadband consumer networks with a dominant or exclusive market share in their local market. In countries or markets where consumers have multiple Broadband choices (like the UK) there are no congested peers.”
  • Level 3 claims 6 big ISPs purposely degrading traffic
  • Level 3 and Cogent ask FCC for protection from ISP “Tolls”
  • “While ISPs say the traffic loads are too heavy, Level 3, Cogent, and Netflix argue that ISPs are abusing their market power, since customers often have little to no choice of Internet provider. That means there’s only one path for Netflix traffic to reach consumers, at least over the last mile”
  • Level 3 and Cogent both filed comments with the FCC
  • Level 3 said “the Commission should require last-mile ISPs to interconnect on commercially reasonable terms, without the payment of an access charge.”
  • Cogent proposed much harsher terms, reclassifying ISPs to be subject to common carrier rules, and requesting that “When interconnection points become congested, the FCC should have authority to intervene, Cogent said. This would force the broadband provider “to show cause why it should not be required to implement prompt remedial measures to relieve the sustained state of congestion”
  • Cogent claims Comcast should have to pay for network connections
  • In 2010, Internap network architecture manager Adam Rothschild said, “Comcast runs its ports to Tata at capacity, deliberately, as a means of degrading connectivity to networks which won’t peer with them or pay them money”
