Malware – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. (Feed last built Thu, 04 Aug 2022 14:16:04 +0000)

Linux Action News 252
https://original.jupiterbroadcasting.net/149452/linux-action-news-252/
Thu, 04 Aug 2022 06:30:00 +0000

Show Notes: linuxactionnews.com/252

The post Linux Action News 252 first appeared on Jupiter Broadcasting.

Linux Action News 246
https://original.jupiterbroadcasting.net/149012/linux-action-news-246/
Thu, 23 Jun 2022 05:15:00 +0000

Show Notes: linuxactionnews.com/246

The post Linux Action News 246 first appeared on Jupiter Broadcasting.

Mining the Logs | Coder Radio 444
https://original.jupiterbroadcasting.net/146997/mining-the-logs-coder-radio-444/
Wed, 15 Dec 2021 05:30:00 +0000

Show Notes: coder.show/444

The post Mining the Logs | Coder Radio 444 first appeared on Jupiter Broadcasting.

Linux Action News 131
https://original.jupiterbroadcasting.net/136817/linux-action-news-131/
Sun, 10 Nov 2019 17:38:04 +0000

Show Notes: linuxactionnews.com/131

The post Linux Action News 131 first appeared on Jupiter Broadcasting.

Mobile Security Mistakes | TechSNAP 411
https://original.jupiterbroadcasting.net/134107/mobile-security-mistakes-techsnap-411/
Thu, 05 Sep 2019 23:30:40 +0000

Show Notes: techsnap.systems/411

The post Mobile Security Mistakes | TechSNAP 411 first appeared on Jupiter Broadcasting.

Supply Chain Attacks | TechSNAP 400
https://original.jupiterbroadcasting.net/130096/supply-chain-attacks-techsnap-400/
Fri, 29 Mar 2019 07:16:56 +0000

Show Notes: techsnap.systems/400

The post Supply Chain Attacks | TechSNAP 400 first appeared on Jupiter Broadcasting.

Linux Under Pressure | TechSNAP 377
https://original.jupiterbroadcasting.net/126446/linux-under-pressure-techsnap-377/
Wed, 01 Aug 2018 11:48:47 +0000

Show Notes: techsnap.systems/377

The post Linux Under Pressure | TechSNAP 377 first appeared on Jupiter Broadcasting.

All Natural Namespaces | TechSNAP 349
https://original.jupiterbroadcasting.net/120822/all-natural-namespaces-techsnap-349/
Fri, 22 Dec 2017 00:20:44 +0000

The post All Natural Namespaces | TechSNAP 349 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

The Market for Stolen Account Credentials

Usernames and passwords to active accounts at military personnel-only credit union NavyFederal.com fetch $60 apiece, while credentials to various legal and data aggregation services from Thomson Reuters properties command a $50 price tag.

Hackers Target Plant Safety Systems

FireEye reported that a plant of an unmentioned nature and location (other firms believe it’s in the Middle East) was forced to shut down after a hack targeted its industrial safety system; it’s the first known instance of a breach like this taking place.

ROBOT Attack: 19-Year-Old Bleichenbacher Attack On Encrypted Web Reintroduced

A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages.

WannaCry: End of Year Retrospective

Last November marked the six-month anniversary of WannaCry, arguably the most impactful global cyberattack in history. The persisting WannaCry attack is a re-purposed ransomware strain amplified by (allegedly) leaked exploit code from the NSA.

Linux Network Namespaces Explained

Feedback

Reboot Follow Up

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.

Low Security Pillow Storage | TechSNAP 343
https://original.jupiterbroadcasting.net/119566/low-security-pillow-storage-techsnap-343/
Tue, 31 Oct 2017 22:00:02 +0000

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.


Show Notes:

OpenSSH CLI escape sequences

  • Notes from when Dan was experimenting with this: they only work if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. It must be the first character after ENTER.

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

  • According to Kaspersky, the fault rests on the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software.

  • The analyst’s computer was infected with malware while Kaspersky’s product was disabled

  • When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times

  • A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

  • Spent $3,000 to buy 7.4 bitcoins. Saved them to Trezor hardware wallet. Wrote down a 24-word recovery key. Saved a PIN.

  • Paper went missing

  • Could not remember PIN

  • Tried many times.

  • Tried an exploit…


Feedback


Round Up:

Patch Your S3it | TechSNAP 338
https://original.jupiterbroadcasting.net/118531/patch-your-s3it-techsnap-338/
Tue, 26 Sep 2017 23:40:04 +0000

The post Patch Your S3it | TechSNAP 338 first appeared on Jupiter Broadcasting.


Show Notes:

Distrustful U.S. allies force spy agency to back down in encryption fight

  • Some ISO delegates said much of their skepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard.

  • In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world.

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

  • Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.

  • “The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today.

  • The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Equifax sends customers to wrong website, not theirs, for help

  • The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.

  • After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.

  • On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.

FinFisher government spy tool found hiding as WhatsApp and Skype

  • This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISP level – packaging real downloads with spyware.

  • When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

  • When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.


Feedback

Hey Dan. What is a good and inexpensive tape backup drive for LTO tapes? What works for you best? Thx!


Round Up:

Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

Teeny Weeny DNS Server | TechSNAP 329
https://original.jupiterbroadcasting.net/116921/teeny-weeny-dns-server-techsnap-329/
Tue, 25 Jul 2017 22:27:15 +0000

The post Teeny Weeny DNS Server | TechSNAP 329 first appeared on Jupiter Broadcasting.


Show Notes:

How I tricked Symantec with a Fake Private Key

  • If true, not very good.

  • The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a certificate authority shall revoke the key within 24 hours (Section 4.9.1.1 in the current Baseline Requirements 1.4.8).

  • I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo.

  • Comodo didn’t fall for it. They answered me that there is something wrong with this key. Symantec however answered me that they revoked all certificates – including the one with the fake private key.

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

  • Fair warning: blog post is from 2015, but with Let’s Encrypt all around us, I think this is relevant now.

  • “Tony Finch has created a gem of a utility called nsnotifyd. It’s a teeny-tiny DNS “server” which sits around and listens for DNS NOTIFY messages which are sent by authority servers when they instruct their slaves that the zone has been updated and they should re-transfer (AXFR / IXFR) them. As soon as nsnotifyd receives a NOTIFY, it executes a shell script you provide.”

  • official repo

  • nsnotifyd on GitHub

  • man 1 nsnotifyd

  • man 1 nsnotify

  • man 4 metazone

New details emerge on Fruitfly, highly-invasive Mac malware

  • Mysterious Mac Malware Has Infected Victims for Years

  • The recently discovered Fruitfly malware is a stealthy, but highly-invasive, malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, keyboard and mouse.

  • Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.

  • Wardle said that, based on the target victims, the malware is less likely to be run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.


Feedback


Round Up:

Tales of FileSystems | TechSNAP 315
https://original.jupiterbroadcasting.net/113981/tales-of-filesystems-techsnap-315/
Tue, 18 Apr 2017 20:55:39 +0000

The post Tales of FileSystems | TechSNAP 315 first appeared on Jupiter Broadcasting.


Show Notes:

Apple’s New File System: Who Cares?

ZFS, jails, FreeBSD

  • FreeBSD Jails

  • Origins of FreeBSD Jail and why imperfect virtualization is good

  • Jails are like little virtual machines (jails) running on a bigger machine (the jail host)

  • From the jail host (often just referred to as the host), you can see into the jails, see everything that’s running, monitor, etc.

  • Stuff in the jail cannot see outside the jail and has no interactions with the host

  • You can configure the host so that the jail can access stuff on the host (e.g. a tape drive) but that requires explicit action by the sysadmin.

  • Simplified concept of a FreeBSD Jail: create a directory, install FreeBSD in there, chroot, done.


Feedback


Round Up:

Other links:


Don’t Panic & P your S | TechSNAP 310
https://original.jupiterbroadcasting.net/107531/dont-panic-p-your-s-techsnap-310/
Tue, 14 Mar 2017 21:23:24 +0000

The post Don’t Panic & P your S | TechSNAP 310 first appeared on Jupiter Broadcasting.


Show Notes:

Malware found preinstalled on 38 Android phones used by 2 companies

  • Malicious apps were surreptitiously added somewhere along the supply chain.

  • Check Point didn’t disclose the names of the companies that owned the infected phones. One of the affected parties was a “large telecommunications company” and the other was a “multinational technology company.”

  • It’s interesting how this came out on March 10 and the WikiLeaks notice about compromised cellphones came out a few days earlier. Coincidence?

“Vault 7” by WikiLeaks

  • A total of 8,761 documents have been published as part of ‘Year Zero’, the first in a series of leaks the whistleblower organization has dubbed ‘Vault 7.’ WikiLeaks said that ‘Year Zero’ revealed details of the CIA’s “global covert hacking program,” including “weaponized exploits” used against company products including “Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

  • Among the more notable disclosures which, if confirmed, “would rock the technology world”, the CIA had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”

  • NOTE: From what I’ve read, this compromise involves first compromising the phone in question and as such is not an attack on the apps themselves.

  • Krebs’ coverage

  • Krebs says: “The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.”

  • Krebs also says: “Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.”

  • See also Espionage vs. Surveillance

  • Best advice: patch your shit, secure physical access, it is not as bad as WikiLeaks is making it out to be.


Feedback


Round Up:

Silent Data Corruption Is Real


CIA’s Dank Trojans | LINUX Unplugged 187
https://original.jupiterbroadcasting.net/107336/cias-dank-trojans-lup-187/
Tue, 07 Mar 2017 20:10:58 +0000

Tweet embedded in the show notes: “GNU founder Richard Stallman's famous quote resonates with today's @WikiLeaks publication on the CIA's #Vault7 https://t.co/h5wzfrReyy pic.twitter.com/aPk2CK2DbN” — WikiLeaks (@wikileaks) March 7, 2017

The post CIA's Dank Trojans | LINUX Unplugged 187 first appeared on Jupiter Broadcasting.


Show Notes:

Follow Up / Catch Up

Vault7 – HIVE Targets Linux

The CIA has developed automated multi-platform malware attack and control
systems covering Windows, Mac OS X, Solaris, Linux and more, such
as EDB’s “HIVE” and the related “Cutthroat” and “Swindle” tools, which are
described in the examples section below.

HIVE

HIVE is a multi-platform CIA malware suite and its associated control
software. The project provides customizable implants for Windows, Solaris,
MikroTik (used in internet routers) and Linux platforms and a Listening
Post (LP)/Command and Control (C2) infrastructure to communicate with
these implants.

The implants are configured to communicate via HTTPS with the webserver of a
cover domain; each operation utilizing these implants has a separate cover
domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial
VPS (Virtual Private Server) provider. The public-facing server forwards all
incoming traffic via a VPN to a ‘Blot’ server that handles actual connection
requests from clients. It is set up for optional SSL client authentication: if
a client sends a valid client certificate (only implants can do that), the
connection is forwarded to the ‘Honeycomb’ toolserver that communicates with
the implant; if a valid certificate is missing (which is the case if someone
tries to open the cover domain website by accident), the traffic is forwarded
to a cover server that delivers an unsuspicious looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an
operator can also task the implant to execute jobs on the target computer, so
the toolserver acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby
project.

See the classified user and developer guides for HIVE.

What time period is covered?

The years 2013 to 2016. The sort order of the pages within each level is determined by date (oldest first).

WikiLeaks has obtained the CIA’s creation/last modification date for each page but these do not yet appear for technical reasons. Usually the date can be discerned or approximated from the content and the page order. If it is critical to know the exact time/date contact WikiLeaks.

What is “Vault 7”

“Vault 7” is a substantial collection of material about CIA activities obtained by WikiLeaks.

When was each part of “Vault 7” obtained?

Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication.

Setting Up a Linux Build Environment for EFI

This page will walk you through building a build environment for a Linux machine. Specifically, this tutorial is focused on Ubuntu/Linux Mint.


Linux Academy

“Linux Sucks… For the Last Time” – 2017

“Linux Sucks”. 2017 edition. The very last “Linux Sucks”. Ever. Recorded live at the Southern California Linux Expo (SCaLE) on March 2nd, 2017.

The Story of Firefox OS

Well, I’m Ben and I’m a Mozillian. I’m a Software Engineer who worked on the “Boot to Gecko” project full time for five years and I have a story to tell.

The Endless Mission One is a gorgeous Linux-powered desktop with a tempting price tag

But the Endless Mission One, which is the subject of this review, is significantly more expensive, costing $250. It also packs more capable hardware, and a gorgeous wood finish that wouldn’t look out of place in a home office.

OggCamp 17 – Aug 19th & 20th 2017 | Canterbury, UK

OggCamp is a Free Culture Unconference.

TING

Gnome and Endless at SCaLE 15x


The Endless Mission One comes in two variants — one with 320GB of storage, and one with 500GB. I reviewed the latter.

For many users, GNOME 3, also known as Gnome Shell, is the definitive desktop interface. It’s clean and simple, without too many twinkles or distractions. That said, this article describes some tricks to change the GNOME notifications experience.

DigitalOcean

Litebook is a $249 Linux laptop – Liliputing

You can order the 2.9 laptop from the Litebook website. A model with a 512GB hard drive is priced at $249. Or you can pay $20 more for a version with a 32GB mSATA solid state disk and a 512GB hard drive.

Litebooks are the perfect combination of beautiful hardware and software. Fast and intuitive, the Litebook offers a computing experience like no other. Unlike Windows laptops, Litebooks are highly optimized, come without performance hogging bloatware, are designed to ensure your privacy, and are entirely free of malware and viruses, while unlike macs Litebooks are affordable, customizable, and are backwards compatible with windows software.

DDos Mafia | TechSNAP 303
https://original.jupiterbroadcasting.net/106411/ddos-mafia-techsnap-303/
Tue, 24 Jan 2017 22:39:33 +0000

The post DDos Mafia | TechSNAP 303 first appeared on Jupiter Broadcasting.


Show Notes:

Ansible vulnerability

  • “Ansible is an open-source automation engine that automates cloud provisioning, configuration management, and application deployment. Once installed on a control node, Ansible, which is an agentless architecture, connects to a managed node through the default OpenSSH connection type.”
  • Similar tools are Puppet, Chef, SaltStack, cfEngine
  • Summary: Command execution on Ansible controller from host
  • Why is this important? First, if one of your ansible-controlled hosts is compromised, they can execute a command on your ansible controller.
  • So what, you might ask? Your ansible controller accesses all your systems….
  • Computest notes: Not a full audit, might be other issues
  • Affected versions: < 2.1.4, < 2.2.1
  • A big threat to a configuration management system like Ansible, Puppet, SaltStack and others is compromise of the central node. In Ansible terms this is called the Controller. If the Controller is compromised, an attacker has unfettered access to all hosts that are controlled by the Controller. As such, in any deployment, the central node receives extra attention in terms of security measures and isolation, and threats to this node are taken even more seriously.
  • Fortunately for team blue (team blue is the defense team), in the case of Ansible the attack surface of the Controller is pretty small. Since Ansible is agent-less and based on push, the Controller does not expose any services to hosts.
  • A very interesting bit of attack surface though is in the Facts. When Ansible runs on a host, a JSON object with Facts is returned to the Controller. The Controller uses these facts for various housekeeping purposes. Some facts have special meaning, like the fact “ansible_python_interpreter” and “ansible_connection”. The former defines the command to be run when Ansible is looking for the python interpreter, and the second determines the host Ansible is running against. If an attacker is able to control the first fact he can execute an arbitrary command, and if he is able to control the second fact he is able to execute on an arbitrary (Ansible-controlled) host. This can be set to “local” to execute on the Controller itself.
  • Because of this scenario, Ansible filters out certain facts when reading the facts that a host returns. However, we have found 6 ways to bypass this filter.
  • Bypass #1: Adding a host – Ansible allows modules to add hosts or update the inventory. This can be very useful, for instance when the inventory needs to be retrieved from an IaaS platform, as the AWS module does. If we’re lucky, we can guess the inventory_hostname, in which case the host_vars are overwritten and they will be in effect at the next task. If host_name doesn’t match inventory_hostname, it might get executed in the play for the next hostgroup, also depending on the limits set on the commandline.
  • Bypass #2: Conditionals – Ansible actions allow for conditionals. If we know the exact contents of a “when” clause, and we register it as a fact, a special case checks whether the “when” clause matches a variable. In that case it replaces it with its contents and evaluates them.
  • Bypass #3: Template injection in stat module – The template module/action merges its results with those of the stat module. This allows us to bypass the stripping of magic variables from ansible_facts, because they’re at an unexpected location in the result tree.
  • Bypass #4: Template injection by changing jinja syntax – Remote facts always get quoted. Set_fact unquotes them by evaluating them. UnsafeProxy was designed to defend against unquoting by transforming jinja syntax into jinja comments, effectively disabling injection.
  • Bypass #5: Template injection in dict keys – Strings and lists are properly cleaned up, but dictionary keys are not.
  • Bypass #6: Template injection using safe_eval – There’s a special case for evaluating strings that look like a list or dict. Strings that begin with “{” or “[” are evaluated by safe_eval [2]. This allows us to bypass the removal of jinja syntax: we use the whitelisted Python to re-create a bit of Jinja template that is interpreted.
  • Computest is not aware of mitigations short of installing fixed versions of the software.
  • Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
  • The handling of Facts in Ansible suffers from too many special cases that allow for the bypassing of filtering. We found these issues in just hours of code review, which can be interpreted as a sign of very poor security. However, we don’t believe this is the case.
  • The attack surface of the Controller is very small, as it consists mainly of the Facts. We believe that it is very well possible to solve the filtering and quoting of Facts in a sound way, and that when this has been done, the opportunity for attack in this threat model is very small.
  • Furthermore, the Ansible security team has been understanding and professional in their communication around this issue, which is a good sign for the handling of future issues.

Who is Anna-Senpai, the Mirai Worm Author?

  • Way too long to go into full detail, so I will only outline a few interesting bits
    +On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.
  • After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.
    +Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.
  • The story you’re reading now is the result of hundreds of hours of research. At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross. If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.
  • As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service (DDoS) attacks” are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.
  • A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks. And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.
  • Talks about the variants of the IoT botnet and mentions that Minecraft web servers were a frequent target.
  • Goes into a lot of detail on DDoS protection services, how Minecraft customers would come under attack, and how a competing DDoS protection company made threats directly preceding attacks.
  • Discusses how the attacks were a way to boost business: not by attacking your own customers, but by attacking the customers of other DDoS protection services.
  • Boils down to the classic: nice business you have here, it’d be a shame if anything happened to it.

TechSNAP Career Challenge

  • I was at the [Grace Hopper Celebration](https://ghc.anitaborg.org/) of Women in Computing, the world’s largest gathering of women technologists. It is huge. I met people from many different technology areas (medicine, robotics, software design, someone who built a chip for the iPhone).
  • I was there on behalf of The FreeBSD Foundation to give a talk about how to contribute to open source.
  • Many were students and often were not sure of what part of technology they wanted to pursue.
  • I’ve seen many people go for years in their careers then suddenly discover a passion they previously didn’t know about and their life completely changes.
  • This point was mentioned to me by a Google employee who gave me this list of steps, which I then incorporated into my talk; then I wrote a blog post about it.
  • Seeing the eyes light up made me think we need to send this wider.
  • Allan Jude suggested I include this in the show.
  • Here is what I challenge our listeners to do:
  • Take this challenge
  • Blog about it
  • Then send us your blog URL and tell us what you got out of the challenge

Feedback:


Round Up:


The post DDos Mafia | TechSNAP 303 first appeared on Jupiter Broadcasting.

Internet of Voice Triggers | TechSNAP 302 https://original.jupiterbroadcasting.net/106226/internet-of-voice-triggers-techsnap-302/ Tue, 17 Jan 2017 07:37:39 +0000

Show Notes:

Malware hosted in your browser

  • Last show, we talked about malware, blocking it via URLs, and malware which spoofs the domain names, thereby bypassing many URL-based filters.
  • This show, we have an instance of malware which completely defeats all of the above, in a very simple and clever way.
  • A common way to steal credentials is hosting a web page which looks a lot like the real thing. Google, Facebook, PayPal, etc. are all targets of this. It is simple to do: just throw up a web page and start directing people to it.
  • Lots of ways to defeat this with conventional tools
  • This method bypasses all those tools
  • Tom Scott tweeted about malware he received via email.
  • When you click on the link, you get what appears to be a Google login page.
  • The URI is of the form: data:text/html,https…… lots of spaces <script src=data:text/html;…. etc
  • However, it is hosted entirely within your browser, so there is no remote phishing page for URL-based filters to block.
  • Matt Hughes reported that Android actually tries to autofill his Google account credentials on that data URI.
  • This has been around for at least a year and was written about by linkcabin: it spoofs the login page by hosting it in your browser.
  • Surprisingly common, and often used to phish Google or PayPal credentials.
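As an added example (not from the show or from linkcabin’s write-up), the following scanner pulls `data:` URIs out of the links in an HTML email body and flags the pattern described above: a `text/html` payload that opens with a lookalike URL, a long run of padding spaces, and then active markup. The sample email, the `accounts.example.com` lookalike and the nested base64 script are all constructed.

```python
import base64
import re
from urllib.parse import unquote

# RFC 2397 shape: data:[<mediatype>][;<param>...][;base64],<data>
DATA_URI = re.compile(
    r"^data:(?P<media>[^,;]*)(?P<params>(?:;[^,;]*)*),(?P<body>.*)$",
    re.IGNORECASE | re.DOTALL)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def parse_data_uri(uri):
    """Return (media type, decoded body) for a data: URI, or None for any
    other scheme. A base64 body that fails to decode yields an empty body so
    the media type is still reported."""
    m = DATA_URI.match(uri.strip())
    if not m:
        return None
    media = (m.group("media") or "text/plain").lower()
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        try:
            body = base64.b64decode(body, validate=True).decode("utf-8", "replace")
        except ValueError:
            body = ""
    else:
        body = unquote(body)
    return media, body


def assess_link(href):
    """List the reasons a link looks like an in-browser phishing page."""
    parsed = parse_data_uri(href)
    if parsed is None:
        return []
    media, body = parsed
    reasons = []
    if media == "text/html":
        reasons.append("data: URI that renders HTML inside the browser")
    # The visible start of the address bar imitates a real URL; the padding
    # pushes the real markup out of view.
    m = re.match(r"\s*(https?://\S+)(\s{8,})", body)
    if m:
        reasons.append("body opens with lookalike URL %s followed by %d padding spaces"
                       % (m.group(1), len(m.group(2))))
    if re.search(r"<\s*(script|iframe|form)\b", body, re.IGNORECASE):
        reasons.append("body contains active HTML (script/iframe/form)")
    return reasons


def scan_html_for_phishing_links(html):
    """Map every href in an HTML body to its reasons, keeping only hits."""
    findings = {}
    for href in HREF.findall(html):
        reasons = assess_link(href)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: a lookalike hostname, a nested base64 script source,
# 120 spaces of padding, and an otherwise harmless email body.
LOOKALIKE = "https://accounts.example.com/ServiceLogin?service=mail"
INNER = base64.b64encode(b"<form action=https://collector.invalid/>").decode()
PHISH_HREF = ("data:text/html," + LOOKALIKE + " " * 120
              + "<script src=data:text/html;base64," + INNER + "></script>")
SAMPLE_EMAIL_HTML = (
    '<p>Your document is attached.</p>'
    '<a href="' + PHISH_HREF + '">Open document</a> '
    '<a href="https://accounts.example.com/">Manage account</a> '
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

if __name__ == "__main__":
    for href, reasons in scan_html_for_phishing_links(SAMPLE_EMAIL_HTML).items():
        print(href[:60] + "...")
        for r in reasons:
            print("  -", r)
```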

Bug Bounty – GitHub Enterprise SQL Injection

  • This story involves responsible research and disclosure by Orange Tsai
  • GitHub Enterprise is the on-premises version of GitHub.com: businesses can deploy a whole GitHub service inside their private network.
  • You can get a 45-day free trial and download the VM from enterprise.github.com.
  • Code is downloaded, configured, and observations begin.
  • GitHub uses a custom library to obfuscate their source code. If you search for ruby_concealer.so on Google, you will find a snippet in a gist.
  • The first two days go to getting the VM running, etc.
  • Days 3-5 are spent learning Rails by code review.
  • On day 6, an SQL injection is found.

Feedback:


War Story:

Round Up:


The post Internet of Voice Triggers | TechSNAP 302 first appeared on Jupiter Broadcasting.

The Next Generation | TechSNAP 301 https://original.jupiterbroadcasting.net/106086/the-next-generation-techsnap-301/ Tue, 10 Jan 2017 21:18:56 +0000

Show Notes:

Malware authors have found a way to evade URL-blocking systems by swapping bad domain names with unknown ones

  • Malware is often hosted on pop-up domains (bought specifically for the purpose, and with very odd names). Other times, it is resident on compromised hosts (PYS!). As such hosting locations/domains are discovered, they are added to blacklists.
  • The criminals have found yet another way to avoid the blacklists: spoofing.
  • Spoofing is not new: think of it as pretending to be someone else.
  • What seems to be new is deception in the TCP packets, or more specifically, the TCP headers.
  • For some time now URL filtering techniques have provided a fairly reliable way for organizations to block traffic into their network from domains that are known to be malicious. But as with almost every defense mechanism, threat actors appear to have found a way around that as well.
  • Security researchers from Cyren are warning about a new tactic for fooling Web security and URL–filtering systems. The technique, which Cyren has dubbed “Ghost Host,” is designed to evade host and domain blacklists by swapping bad domain names and inserting random, non-malicious host names in the HTTP host field instead.
  • The objective is to evade host and domain blacklists by resetting the host name with a benign one, even when the actual connection is to a malicious command and control IP, according to a Cyren blog post today.
  • “Ghost hosts are unknown or known-benign host names used by malware for evading host and URL blacklists,” says Geffen Tzur, a security researcher at Cyren.
  • Tzur says there have been no previously reported incidents he knows of where malware actors have attempted to fool detection systems by inserting benign names in the HTTP host field.
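The technique described above leaves a visible seam at the proxy: the Host header and the destination IP no longer agree. The following added example (not Cyren’s code or tooling) checks each logged connection against a resolution table and groups the benign-looking names seen on mismatched connections by destination IP. The log lines, hostnames and addresses are constructed; in production the table would be filled from a resolver or a passive-DNS cache captured alongside the logs.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for DNS: hostname -> addresses it legitimately
# resolves to. Replace with resolver lookups or a passive-DNS cache.
RESOLVES_TO = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
    "update.example.org": {"203.0.113.7"},
}

# Constructed proxy log, one connection per line:
# <epoch> <client_ip> <dst_ip> <http_host_header> <request_path>
PROXY_LOG = """\
1484092800 10.0.0.5  93.184.216.34  www.example.com /index.html
1484092801 10.0.0.7  198.51.100.10  cdn.example.net /lib.js
1484092805 10.0.0.9  203.0.113.99   www.example.com /gate.php
1484092806 10.0.0.9  203.0.113.99   cdn.example.net:80 /gate.php
1484092807 10.0.0.9  203.0.113.99   update.example.org /gate.php
1484092809 10.0.0.12 203.0.113.7    update.example.org /check
"""


def normalize_host(host):
    """Lower-case the Host header, drop a trailing dot and any port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:      # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                      # name or IPv4 with :port
        host = host.split(":")[0]
    return host


def parse_log(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, host, path = line.split()
        yield {"ts": int(ts), "client": client, "dst": dst,
               "host": normalize_host(host), "path": path}


def host_matches_destination(host, dst, resolves_to=RESOLVES_TO):
    """True when Host is an IP literal equal to the destination, or a name
    that resolves to it. An unresolvable name counts as a mismatch."""
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(dst)
    except ValueError:
        pass
    return dst in resolves_to.get(host, set())


def find_ghost_hosts(records, resolves_to=RESOLVES_TO):
    """Return (mismatches, names_per_dst): the connections whose Host header
    does not belong to the destination IP, and, per destination IP, the set
    of borrowed names seen there. Several unrelated benign names converging
    on one IP is the shape of the technique."""
    mismatches, names_per_dst = [], defaultdict(set)
    for r in records:
        if not host_matches_destination(r["host"], r["dst"], resolves_to):
            mismatches.append(r)
            names_per_dst[r["dst"]].add(r["host"])
    return mismatches, dict(names_per_dst)


if __name__ == "__main__":
    hits, by_dst = find_ghost_hosts(parse_log(PROXY_LOG))
    for dst, names in by_dst.items():
        print(dst, "received", len(names), "borrowed Host names:", sorted(names))
```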

Feedback:


Round Up:


The post The Next Generation | TechSNAP 301 first appeared on Jupiter Broadcasting.

Fancy Bear Misfire.apk | TechSNAP 299 https://original.jupiterbroadcasting.net/105816/fancy-bear-misfire-apk-techsnap-299/ Thu, 29 Dec 2016 18:41:47 +0000

Show Notes:

Patch Your Sh** T-Shirt

  • TechSNAP is about to reach episode 300 so before Chris and Allan hand over the show to Wes & Dan we have a round of PATCH YOUR SH** swag to get out! Be sure to check out the tote bag and the sticker too!

Exploit in PHPMailer puts almost every PHP CMS at risk

  • “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily.”
  • “Probably the world’s most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more”
  • “An independent researcher uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.”
  • “To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
  • “A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application.”
  • When the mailer software calls the system’s sendmail binary to send the email, it can optionally pass additional parameters to sendmail, like -f to override the from address.
  • Proper input validation was not performed on this input. Instead of the content being restricted based on what is safe to evaluate in the shell, the input is validated as an email address via RFC 3696, which allows for quoted usernames with spaces.
  • So if the attacker fills out the form such that their email address is:
    • "attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com
  • this will actually execute:
    • Arg no. 0 == [/usr/sbin/sendmail]
    • Arg no. 1 == [-t]
    • Arg no. 2 == [-i]
    • Arg no. 3 == [-fattacker]
    • Arg no. 4 == [-oQ/tmp/]
    • Arg no. 5 == [-X/var/www/cache/phpcode.php]
    • Arg no. 6 == [some"@email.com]
  • If the attacker can also provide some PHP code as the body of the message, it will be written to the indicated file, phpcode.php, where it can then be run by the attacker via the web server.
  • “The vulnerability was responsibly disclosed to PHPMailer vendor. The vendor released a critical security release of PHPMailer 5.2.18 to fix the issue as notified”
  • “UPDATE: The author of this advisory published a bypass of the current solution/fix which makes the PHPMailer vulnerable again in versions <5.2.20”
  • A similar vulnerability was also found in SwiftMailer, another PHP mailing library.
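The root cause above is a check that asks “is this a valid address?” when the question that matters is “is this safe to hand to sendmail as an argument?”. The following added example (not PHPMailer’s code, written in Python for illustration) puts an RFC-style validator next to a conservative one and builds the sendmail argument vector as a list, with no shell in between; apart from the payload quoted from the advisory above, the sender strings are constructed.

```python
import re

# Permissive validation in the spirit of RFC 3696 / RFC 5321: the local part
# may be a quoted string, and a quoted string may hold spaces and escaped
# quotes. This is the class of check the advisory says let the payload in.
QUOTED_LOCAL = r'"(?:[^"\\]|\\.)*"'
DOT_ATOM = (r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
            r"(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*")
DOMAIN = (r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
          r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+")
RFC_ADDRESS = re.compile("^(?:" + QUOTED_LOCAL + "|" + DOT_ATOM + ")@" + DOMAIN + "$")

# Conservative validation for a value that becomes "-f<address>" on a
# sendmail command line: an unquoted dot-atom of unambiguous characters only,
# no whitespace, quotes, backslashes or shell metacharacters, and no leading
# "-" so the value can never read as an option.
SAFE_LOCAL = r"[A-Za-z0-9_+][A-Za-z0-9_+.-]*"
SAFE_ADDRESS = re.compile("^" + SAFE_LOCAL + "@" + DOMAIN + "$")


def rfc_style_valid(addr):
    """Syntactically valid address by the permissive grammar."""
    return bool(RFC_ADDRESS.match(addr))


def safe_for_sendmail_arg(addr):
    """Valid by the conservative grammar and within the SMTP path limit."""
    return len(addr) <= 254 and bool(SAFE_ADDRESS.match(addr))


def build_sendmail_argv(sender, sendmail="/usr/sbin/sendmail"):
    """Argument vector for sendmail, meant for an exec-style call that takes
    a list (no shell). The sender is refused unless it passes the
    conservative check, so no option-like text can reach argv."""
    if not safe_for_sendmail_arg(sender):
        raise ValueError("refusing unsafe sender address: %r" % sender)
    return [sendmail, "-t", "-i", "-f" + sender]


def argv_or_none(sender):
    """Convenience wrapper: the argv list, or None when the sender is refused."""
    try:
        return build_sendmail_argv(sender)
    except ValueError:
        return None


# The first sender is the payload quoted in the advisory above; the others are
# constructed: a normal address and a quoted local part with a leading dash.
ATTACK_SENDER = r'"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'
NORMAL_SENDER = "bob.smith+news@example.com"
DASH_SENDER = '"-oQ/tmp/"@example.com'

if __name__ == "__main__":
    for s in (NORMAL_SENDER, ATTACK_SENDER, DASH_SENDER):
        print("%-72r rfc=%-5s safe=%s" % (s, rfc_style_valid(s), safe_for_sendmail_arg(s)))
    print(build_sendmail_argv(NORMAL_SENDER))
```

Both validators accept the advisory’s payload as a well-formed address; only the conservative one refuses it as a command-line argument, and passing argv as a list means even an accepted value is always exactly one argument.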

Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units

  • “From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk”
  • “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military”
  • “Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them”
  • “Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal”
  • “This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine”
  • “The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia”
  • “The original application central to this discussion, Попр-Д30.apk, was initially developed domestically within Ukraine by a member of the 55th Artillery Brigade. Based on the file creation timestamps as well as the app signing process, which occurred on 28 March 2013, CrowdStrike has determined that the app was developed sometime between 20 February and 13 April 2013.”
  • Distributed on a forum, and popularized via social media under a name that translates to “Correction-D30”, described as “Modern combat software”
  • “As an additional control measure, the program was only activated for
    use after the developer was contacted and issued a code to the individual
    downloading the application”
  • “At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces. Based on open source reporting, social media posts, and video evidence, CrowdStrike assesses that Попр-Д30.apk was potentially used through 2016 by at least one artillery unit operating in eastern Ukraine”
  • “The use of the X-Agent implant in the original Попр-Д30.apk application appears to be the first observed case of FANCY BEAR malware developed for the Android mobile platform. On 21 December 2014 the malicious variant of the Android application was first observed in limited public distribution on a Russian language, Ukrainian military forum.”
  • “The creation of an application that targets some of the front line forces pivotal in Ukrainian defense on the eastern front would likely be a high priority for Russian adversary malware developers seeking to turn the tide of the conflict in their favor”
  • “Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces.”
  • “The X-Agent Android variant does not exhibit a destructive function and does not interfere with the function of the original Попр-Д30.apk application. Therefore, CrowdStrike Intelligence has assessed that the likely role of this malware is strategic in nature. The capability of the malware includes gaining access to contacts, Short Message Service (SMS) text messages, call logs, and internet data, and FANCY BEAR would likely leverage this information for its intelligence and planning value.”
  • “CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting”
  • The Evidence to Prove the Russian Hack

Bigger than Mirai? New Leet botnet launches DDoS attacks

  • “Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet.”
  • “In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as “just as powerful as the most dangerous one to date”. The concern for 2017 is that “it’s about to get a lot worse”.”
  • “Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.”
  • “The attack itself took place on 21 December, but details of what happened are only just starting to come out. It targeted a number of IP addresses, and Imperva speculates that a single customer was not targeted because of an inability to resolve specific IP addresses due to the company’s proxies. One wave of the attack generated 650 Gbps of traffic — or more than 150 million packets per second.”
  • “Despite attempting to analyze the attack, Imperva has been unable to determine where it originated from, but the company notes that it used a combination of both small and large payloads to “clog network pipes and bring down network switches”. While the Mirai attacks worked by firing randomly generated strings of characters to generate traffic, in the case of Leet Botnet the malware was accessing local files and using scrambled versions of the compromised content as its payload. Imperva describes the attack as “a mishmash of pulverized system files from thousands upon thousands of compromised devices”. What’s the reason for using this particular method?”
  • “Besides painting a cool mental image, this attack method serves a practical purpose. Specifically, it makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets.”
  • “While in this instance Imperva was able to mitigate the attack, the company says that Leet Botnet is “a sign of things to come”. Brace yourself for a messy 2017…”
  • Technical Details
  • “The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network.”
  • “It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.”
  • “The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps)”
  • “Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.”
  • So, unlike Mirai, it seems Leet depends on reflection and amplification rather than raw power.
  • The attack traffic was generated by two different SYN payloads:
    • Regular-sized SYN packets, ranging from 44 to 60 bytes in size
    • Abnormally large SYN packets, ranging from 799 to 936 bytes in size
  • “The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.”
  • Additional Coverage
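The signature Imperva describes, “l33t” spelled out in the TCP options of the SYN packets, together with the two size bands quoted above, gives a defender something concrete to match on. The following added example (not Imperva’s code) parses a raw TCP segment, walks its options and reports those indicators; the segments are constructed in memory by a small fixture builder, and the 820-byte payload is chosen only to land in the reported band.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_tcp(segment):
    """Split a raw TCP segment (header + payload) into the fields used below."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
            "options": segment[20:data_offset],
            "payload": segment[data_offset:], "length": len(segment)}


def tcp_option_kinds(options):
    """Walk the option TLVs and return the kinds seen. A malformed entry
    (length too small or running past the end) is recorded and ends the walk,
    which is what a text marker crammed into the options looks like."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # No-Operation
            kinds.append(kind)
            i += 1
            continue
        kinds.append(kind)
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        i += length
    return kinds


def leet_indicators(segment):
    """Reasons a SYN segment matches the reported Leet traffic; empty for
    anything that is not a bare SYN or shows none of the traits."""
    seg = parse_tcp(segment)
    if not (seg["flags"] & TCP_SYN) or (seg["flags"] & TCP_ACK):
        return []
    reasons = []
    if b"l33t" in seg["options"]:
        reasons.append("TCP options contain the l33t marker")
    if seg["payload"]:
        reasons.append("SYN carries a %d-byte payload" % len(seg["payload"]))
    if 799 <= seg["length"] <= 936:
        reasons.append("segment length %d is in the reported 799-936 byte band"
                       % seg["length"])
    return reasons


def build_syn(sport, dport, options=b"", payload=b""):
    """Test fixture only: build a SYN segment in memory with the given
    options (padded to 4 bytes) and payload; checksum left zero."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                         (data_offset << 12) | TCP_SYN, 65535, 0, 0)
    return header + options + payload


# Constructed samples: an ordinary SYN with MSS/NOP/NOP/SACK-permitted options,
# and one with the marker after the MSS option plus an 820-byte payload.
MSS = b"\x02\x04\x05\xb4"
NORMAL_SYN = build_syn(40000, 80, MSS + b"\x01\x01\x04\x02")
LEET_SYN = build_syn(40000, 80, MSS + b"l33t", b"\x00" * 820)

if __name__ == "__main__":
    print("normal:", leet_indicators(NORMAL_SYN))   # []
    print("leet:  ", leet_indicators(LEET_SYN))
```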

Feedback:


Round Up:


The post Fancy Bear Misfire.apk | TechSNAP 299 first appeared on Jupiter Broadcasting.

Best of 2016 | TechSNAP 298 https://original.jupiterbroadcasting.net/105646/best-of-2016-techsnap-298/ Thu, 22 Dec 2016 10:37:02 +0000

Show Notes:

Links

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

Nuclear IoT Toaster | TechSNAP 291 https://original.jupiterbroadcasting.net/104426/nuclear-iot-toaster-techsnap-291/ Thu, 03 Nov 2016 00:47:34 +0000

Show Notes:

Lifting the lid on Sednit: A closer look at the software it uses

  • Security experts at ESET have released the final two parts of their new research into the operations of the notorious Sednit hacking group.
  • The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, are highly experienced, and have been engaged in criminal activity since at least 2004. They have developed sophisticated attacks that bypass the typical network security at compromised organizations.
  • In parts two and three of their research, entitled En Route with Sednit: Observing the Comings and Goings and En Route with Sednit: A Mysterious Downloader respectively, ESET’s threat analysts have taken a closer look at the software used by Sednit to spy on its targets and steal confidential information.
  • Sednit’s espionage toolkit is only deployed on targets deemed interesting to the hacking group after a period of reconnaissance.
  • The toolkit has three main components, made up of two spying backdoors (SEDRECO and XAGENT), and a network tool named XTUNNEL.
  • “Deploying both spying backdoors at the same time allows them to remain in contact if one of them becomes detected.”
  • Once in place, the SEDRECO backdoor trojan provides its remote operators with a variety of functions – including the ability to read and write files, turn on keylogging to furtively capture a user’s keypresses (and no doubt passwords), scour the victim computer’s hard drives and map network resources.
  • ESET’s research has further discovered that SEDRECO contains the capability to run external plugins, downloaded and executed as requested by a command-and-control (C&C) server under the hackers’ control.
  • A SEDRECO plugin identified by the researchers was found to share code with a module used by XAGENT, the other backdoor utilized by the Sednit gang.
  • XAGENT can exfiltrate information from compromised computers via HTTP and email, working alongside other components in the toolkit including USBSTEALER, which attempts to steal data from air-gapped computers.
  • During their investigations, ESET researchers were able to retrieve the complete Xagent source code intended to work under the GNU/Linux operating system.
  • Although versions of XAGENT have been seen for Windows, Linux and iOS, ESET’s team of researchers believe that it would be surprising if there has not also been a version of XAGENT created for other operating systems, including Android.
  • The well-designed XAGENT malware is comprised of a series of modules providing varying functionalities, and the samples examined by ESET’s researchers indicate that the Sednit hacking gang adapts each attack for specific targets. This also, of course, avoids the risk of exposing all of XAGENT’s code to security researchers.
  • XTUNNEL is the network proxy tool used by the Sednit group to relay network traffic between a C&C server on the internet and infected computers on their local networks.
  • The researchers say that significant resources have been put into the development of XTUNNEL, SEDRECO and XAGENT, as they describe in En Route with Sednit: Observing the Comings and Goings:
  • “In order to perform its espionage activities, the Sednit group mainly relies on two backdoors, Xagent and Sedreco, which were intensively developed over the past years. Similarly, notable effort has been invested into Xtunnel, in order to pivot in a stealthy way. Overall, these three applications should be a primary focus to anyone wanting to understand and detect the Sednit group’s activities.”
  • The final focus of ESET researchers’ deep dive in the Sednit group is a special downloader called DOWNDELPH.
  • DOWNDELPH, which gets its name from being written in the Delphi programming language, is used in hacks orchestrated by the Sednit group to deploy the previously mentioned XAGENT and SEDRECO onto infected computers.
  • Once in place, DOWNDELPH downloads a configuration file from the internet, and fetches payloads from a series of command & control (C&C) servers.
  • The use of rootkit/bootkit technology to hide the activities of the Sednit group and the small number of deployments suggests one thing: this group of attackers wanted to do everything they could to avoid being noticed.

Chinese manufacturer vows to recall IoT devices used in attack

  • “A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.”
  • How effective a recall will be is hard to say, since most of the devices were sold rebranded by other companies, not by the manufacturer directly
  • The major flaw with these devices is that the passwords that allow access via SSH cannot be changed, and their presence is not even visible from the web interface that most users are expected to use.
  • “I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.”
  • “The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.”
  • “Mirai is a huge disaster for the Internet of Things,” the manufacturer said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”
  • “At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.”
  • “Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”
  • Additional Coverage:
  • In the meantime, it raises questions about how consumers can try to protect themselves
  • Senator Prods Federal Agencies on IoT Mess
  • “The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.”
  • “In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.”
  • “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”
  • “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur”
  • Then some serious questions are raised, about interference with traffic
  • “In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing ‘traffic that constitutes a denial-of-service attack on specific network infrastructure elements,’” Warner wrote in his missive to the FCC. “Is it your agency’s opinion that the Mirai attack has targeted ‘specific network infrastructure elements’ to warrant a response from ISPs?”
  • “I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.”
  • “However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation. And that process usually starts with inquiries like these. So, here’s hoping more lawmakers in Congress can get up to speed quickly on this vitally important issue.”
  • Quote I saw on twitter the other day: “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”

Feedback:


Round Up


The post Nuclear IoT Toaster | TechSNAP 291 first appeared on Jupiter Broadcasting.
