nas – Jupiter Broadcasting

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

The post Starting a Business with Linux | Ask Noah 26 first appeared on Jupiter Broadcasting.

Leaky Pumps | TechSNAP 332

chris — Tue, 15 Aug 2017 23:35:33 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Gas Pump Skimmer Sends Card Data Via Text

Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.
Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.
But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.
see also Gas Theft Gangs Fuel Pump Skimming Scams

Erasing hard drives – dd might be enough – Dan talks about how he erased the drives

I recently upgraded several 3TB drives to 5TB drives and no longer needs the smaller drives. I usually used DBAN, but this time, it failed to run and I have no idea why
I started looking around for upgrades in case my newer hardware didn’t work with this version of DBAN
In September 2012, Blancco of Finland announced its acquisition of DBAN – Windows binary – no use to me
There is an unofficial fork of DBAN that is actively maintained. The dwipe program that DBAN uses has been forked and is available as a standalone program called Nwipe, which is actively maintained.
Appears to be more than one unofficial dban fork
nwipe is included with Parted Magic so I paid my $11 and downloaded UNetbootin and tried to install it
I failed to get my latest version (2017_06_03) of Parted Magic to boot so I resorted to letting UNetbootin download and install Latest_Live and I think that was 2.4
I was told DBAN is drive abuse and that dd is sufficient
Highly recommended NAS configuration – KIds don’t try this at home!
Originally thought to be serial, butlater confirmed to work in parallel
Discussion on: when you power cycle, how long do you want to power on?
Next, tried nwipe but found that that took too long
Going back to Parted Magic, I found the disk erase UI to have a few interesting features
Then, I managed to get my SAS2008 card to work, and started doing 8 drives at a time
dd is always an option, but I found it more convenient to use Parted Magic. Why? I didn’t have to script it and I can use the Secure Erase feature

Feedback

A question about database migrations – apgdiff SQL Manager – SQLFairy – Dan used to use a tool for designing the database, but hasn’t use one lately. Now he constructs the DDL on the fly to amend the database and keeps them aside for upgrading the production database. Dan once kept the DDL for FreshPorts in a repo, but no longer does. Now he just backs up.
ZFS Configuration new System76 Oryx pro
Nigel Brownsey wrote in about Password security all about length
PostgreSQL password hashing & backups

Round Up:

The HDFS Juggernaut – Hadoop Distributed File System
Plans for Partitioning in PostgreSQL v11
debian-policy: Packages should be reproducible
Everything You Always Wanted to Know
About Optical Networking –
But Were Afraid to Ask
slides – Youtube video
Looking at public Puppet servers
Airbnb’s preferred smart lock vendor accidentally bricks 500 door-locks
I Bought a Book About the Internet From 1994 and None of the Links Worked

The post Leaky Pumps | TechSNAP 332 first appeared on Jupiter Broadcasting.

Cyber Liability | TechSNAP 314

chris — Wed, 12 Apr 2017 02:09:54 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Researchers demonstrate how PINs and other info can be gathered through phone movement

Team was able to crack four digit-PINs with 70 percent accuracy on the first try, with 100 percent accuracy by try number five
A site accessed with malicious code can open the device to such sensor-based monitoring working in the background when browser tabs are left open.
The team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use
Dan suggests: Simple way around this: randomize the display of numbers on the keypad. I think this should be standard for all PIN entry. I recall seeing this somewhere, years ago, but I don’t recall where. I’ve always wondered why I’ve never seen it again. If the numbers have a narrow field of vision, nobody can watch over your shoulder.
A better article on the issue
The PDF of the study
From the PDF: . In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by “suspending the availability of this [motion and orientation] data when the web view is hidden”x

Computer security is broken from top to bottom

Robert Watson spoke at the very first BSDCan
There are three main fundamental causes of insecurity: technology complexity, culture, an the economic incentives of the computer business.

Deep Dive starts with Dan’s first blog post about PostgreSQL

PostgreSQL
PostgreSQL < 9.6 has DATADIR is the same for all versions
PostgreSQL 9.6+ on FreeBSD, each major version has it’s own DATADIR
Installing in a FreeBSD jail means you can easily upgrading another jail, then start using it

Feedback

10 messages this past week. Requests for deep dives on PostgreSQL, DNS, ZFS, Jails.
The guy who asked us about that free DNS service, wrote in to say he has no connection with them.
Building pfsense box
Suggestion for a Simple Inventory & Change Management Software
Raidz-1 with hotspare vs raidz-2

Round Up:

The post Cyber Liability | TechSNAP 314 first appeared on Jupiter Broadcasting.

This Old Linux RV | LAS 444

chris — Sun, 20 Nov 2016 18:44:53 +0000

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Hacking the UPS

This week we install the NAS that was reviewed last episode, and take you through some of the hardware modifications we made to get this Linux rig installed.

— PICKS —

Runs Linux

The Synthetic Human RUNS LINUX

Sent in by: Craig T
Hi Guys,

I was watching a documentary over here that is forked from a new TV series Humanshttps://www.channel4.com/programmes/humans which follows a world where synthetic Human’s are part of life.

Anyway the show made a documentary to see how far off creating Synthetic human’s we are : How to build a Human https://www.channel4.com/programmes/how-to-build-a-human

They appear to be using Ubuntu to program the robot for speech interaction https://imgur.com/a/bBQos its at about 13:48through the video.

Craig

Desktop App Pick

Ranger

Sent in by Tux t

Ranger is a console file manager with VI key bindings. It provides a minimalistic and nice curses interface with a view on the directory hierarchy. It ships with “rifle”, a file launcher that is good at automatically finding out which program to use for what file type.

UTF-8 Support
Multi-column display
Preview of the selected file/directory
Common file operations (create/chmod/copy/delete/…)
VIM-like console and hotkeys
Renaming multiple files at once
Automatically determine file types and run them with correct programs
Change the directory of your shell after exiting ranger
Tabs, Bookmarks, Mouse support
True Color Image previews [How to enable]
Video thumbnails [How to enable]

Spotlight

SSH Tunnel

Sent in By Oliver A

Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin. Works with Linux and MacOS. Supports DNS tunneling.

Stickers – Super Key Sticker with Any LAS Sticker While They Last!

Chris’ Personal YouTube Channel – MeetBSD and Behind the Scenes Noah Vist Videos Soon

— NEWS —

Microsoft SQL On linux is The Real Deal

Now available in a public preview, SQL Server for Linux aims to be full-featured like the Windows edition and a robust, long-term choice for enterprises

Those who wondered what it would be like to run Microsoft SQL Server on Linux now have an answer. Microsoft has released the first public preview of the long-promised product.

Microsoft also wants to make clear this isn’t a “SQL Server Lite” for those satisfied with a reduced feature set. Microsoft has a four-point plan to make this happen.

Microsoft Joins the Linux Foundation

It isn’t about Linux alone

And neither is the Linux Foundation. A lot of the projects Microsoft has been helping under the Linux Foundation umbrella are infrastructure and developer-oriented projects that Microsoft’s user base is interested in using.

Microsoft still has a lot of proprietary software, and it’s going to stay that way

Make no mistake: This move does not constitute a signal that Microsoft is preparing to open-source its key products. The Microsoft Windows kernel, Microsoft SQL Server, crucial parts of the Azure stack, and so on—they are all still strong moneymakers for Microsoft in their current incarnations. You can expect them to remain proprietary for a good long while.

This helps Microsoft help itself

A common theme in discussions about Microsoft’s involvements with Linux and open source is that it’s been a self-serving effort. Over time, Microsoft has found more places where its best interests coincide nicely with those of others—but again, in a pragmatic and transactional manner.

There’s still a lot of room for change on Microsoft’s part

Don’t get this wrong, Microsoft joining the Linux Foundation would have been unthinkable even a short time ago. But it is only one of many possible steps that Microsoft could take.

The Five Dollar Tool That Breaks Passwords

The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password.

PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer’s USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker’s control. The hack also installs a backdoor that makes the owner’s Web browser and local network remotely controllable by the attacker.

It Turns Out The Btrfs RAID 5/6 Issue Isn’t Completely Fixed

_with headlines like “btrfs RAID5/RAID6 support is finally fixed” when that’s very much not the case. Only one bug has been removed for the key use case that makes RAID5 interesting, and it’s just the first of many that still remain in the path of a user trying to recover from a normal disk failure.

Feedback:

https://www.dropbox.com/s/26yiubqm4wv00if/video_2016-11-20_11-23-42.mov?dl=0

Mail Bag

Name: Broken Canoe
Subject: Data Privacy Following The Presidential Election

Hey Chris, – this is something I’ve had a lot of people ask me following Trump’s victory, – “should I keep my data in the cloud on services based in the US now that Trump is President?”

I think it’s a valid question, and one worth discussing on LAS or User Error. The general feeling is that infringements on privacy and civil liberties will only get worse in the coming years. Interested to hear your thoughts, more so that you use Dropbox.

Message: + Name: Daniel T

Subject: Touchpad Issue

in Gnome 3.20 (I think) Gnome switched to use libinput over synaptic for the touchpad lib. you need to remove xf86-input-synaptic and install xf86-input-libinput. but you also need to remove the synaptic config file. Forgive me I don’t remember what/where it is. Antergos may still be setting it up with synaptic

Call in: 1-877-347-0011

New Show: User Error

User Error | Jupiter Broadcasting

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

The post This Old Linux RV | LAS 444 first appeared on Jupiter Broadcasting.

Botnet of Things | TechSNAP 286

chris — Thu, 29 Sep 2016 19:18:38 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Krebs hit with record breaking DDoS attack

“On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai/Prolexic, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.”
“The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”
“Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gpbs attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.”
Almost all of the previous large scale DDoS attacks were the result of ‘reflection’ and ‘amplification’ attacks
That is, exploiting DNS, NTP, and other protocols to allow the attackers to send a small amount of data, while spoofing their IP address to that of the victim, and cause the reflection server to send a larger amount of data.
Basically, have your bots send spoofed packets of a few bytes, and the reflector send as much as 15 times the amount of data to the victim. This attack harms both the victim and the reflector.
Thanks to the hard work of many sysadmins, most DNS and NTP servers are much more locked down now, and reflection attacks are less common, although there are still some protocols vulnerable to amplification that are not as easy to fix
“In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices. According to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.”
“There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
“I’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.”
“Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.”
“I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.”

The shot heard round the world

In this followup post, Krebs discusses “The Democratization of Censorship”
You no longer need to be a nation state to censor someone, you just need a big enough botnet
“Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.”
“Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.”
This poses a huge problem. The bad guys now know the magic number, 650 gbps, at which point even the most expensive DDoS protection service will boot you off and shutdown your site.
“Nevertheless, Akamai rather abruptly informed me I had until 6 p.m. that very same day — roughly two hours later — to make arrangements for migrating off their network. My main concern at the time was making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.”
“Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.”
This raises another question, what happens when the bad guys perform an attack large enough to disrupt Google?
This was the topic of the closing keynote at EuroBSDCon last weekend, sadly no video recordings are available.
“Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.”
“In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.”
“Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.”
“Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”
“Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.”
“What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.”
“No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.”
“Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.”
While we’d like to think that the hacked devices will be secured, the reality is that they probably won’t be. Even if there was a firmware update, how often do people firmware update their IP Cameras? Their DVRs?
The cable companies might be able to help by pushing firmware updates, and they have some incentive to do so, as the attacks use up their bandwidth
In the end, even if ISPs notified their customers that they were part of the attack, how is a regular person supposed to determine which of the IoT devices was used as part of the attack?
If you don’t know how to use a protocol analyzer, and the attack is not ongoing right now, how do you tell if it was your DVR, your SmartTV, your Thermostat, or your refrigerator that was attacking Krebs?
And if we thought that 650 gbps was enough to make almost any site neel to an attacker, OVH.net reports a botnet of 150,000 CCTV/Camera/DVR units, each with 1 – 30 mbps of upload capacity, attacking their network with a peak of 1.1 terabits (1100gbps) of traffic, but they estimate the capacity of the botnet at over 1.5 terabits
“I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”
“The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.”
The possible solutions presented at EuroBSDCon were even scarier. Breaking the Internet up along national borders, and only allowing traffic to pass between countries on regulated major services like Facebook and Google.
Additional Coverage: Forbes
Additional Coverage: Ars Technica

Firefox preparing to block Certificate Authority for violating rules

“The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.”
“The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.”
“Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Monday’s report stated. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”
So, existing certificates will continue to work, to avoid impact on those who paid for certificates, but Mozilla will not trust any newly issued certificates
“WoSign’s practices came under scrutiny after an IT administrator for the University of Central Florida used the service to obtain a certificate for med.ucf.edu. He soon discovered that he mistakenly got one for www.ucf.edu. To verify that the error wasn’t isolated, the admin then used his control over the github subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued Github certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that aren’t clear, Mozilla’s final report makes no explicit mention the certificates involving the Github or UCF domains, which were documented here in August.”
Some other issues highlighted in the Mozilla report:
- “WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)”
- “If the experience with their website ownership validation mechanism is anything to go by, It seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)”
- “The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)”
- “For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)”
- “WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)”
Mozilla Report
Mozilla Wiki: WoSign issues
WoSign incident report

Feedback:

Round Up:

The post Botnet of Things | TechSNAP 286 first appeared on Jupiter Broadcasting.

Buffalo Overflow | TechSNAP 284

chris — Thu, 15 Sep 2016 16:25:50 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Whoosh! That was the sound of your bank’s hard drives being destroyed

“ING Bank’s main data center in Bucharest, Romania, was severely damaged over the weekend during a fire extinguishing test. In what is a very rare but known phenomenon, it was the loud sound of inert gas being released that destroyed dozens of hard drives. The site is currently offline and the bank relies solely on its backup data center, located within a couple of miles’ proximity.”
“The drill went as designed, but we had collateral damage”, ING’s spokeswoman in Romania told me, confirming the inert gas issue. Local clients were unable to use debit cards and to perform online banking operations on Saturday between 1PM and 11PM because of the test. “Our team is investigating the incident,” she said.”
“The purpose of the drill was to see how the data center’s fire suppression system worked. Data centers typically rely on inert gas to protect the equipment in the event of a fire, as the substance does not chemically damage electronics, and the gas only slightly decreases the temperature within the data center.”
“The gas is stored in cylinders, and is released at high velocity out of nozzles uniformly spread across the data center. According to people familiar with the system, the pressure at ING Bank’s data center was higher than expected, and produced a loud sound when rapidly expelled through tiny holes”
“The bank monitored the sound and it was very loud, a source familiar with the system told us. “It was as high as their equipment could monitor, over 130dB”.”
“here is still very little known about how sound can cause hard drive failure. One of the first such experiments was made by engineer Brendan Gregg, in 2008, while he was working for Sun’s Fishworks team. He recorded a video in which he explains how shouting in a data center can result in hard drives malfunction.”
The test Brendan did was just a demonstration, the problem they were diagnosing in the video was caused by traffic on the street outside of the office basement data center. The rumble of the diesel bus engine as it pulled away from the stop on a regular basis caused latency on their hard drives
“Researchers at IBM are also investigating data center sound-related inert gas issues. “[T]he HDD can tolerate less than 1/1,000,000 of an inch offset from the center of the data track—any more than that will halt reads and writes”, experts Brian P. Rawson and Kent C. Green wrote in a paper. “Early disk storage had much greater spacing between data tracks because they held less data, which is a likely reason why this issue was not apparent until recently.””
“The Bank said it required 10 hours to restart its operation due to the magnitude and the complexity of the damage. A cold start of the systems in the disaster recovery site was needed. “Moreover, to ensure full integrity of the data, we’ve made an additional copy of our database before restoring the system,” ING’s press release reads.”
“Over the next few weeks, every single piece of equipment will need to be assessed. ING Bank’s main data center is compromised “for the most part”, a source told us.”

Critical MySQL vulnerability

“An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.”
“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”
The vulnerability also affects forks of MySQL including MariaDB and Percona
“Official patches for the vulnerability are not available at this time for Oracle MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions.”
Oracle has decided to not release a patch until their next “Critical Patch Update” in the middle of October
How does it work?
“The default MySQL package comes with a mysqld_safe script which is used by many default installations/packages of MySQL as a wrapper to start the MySQL service process”
This wrapper allows you to specify an alternate malloc() implementation via the mysql config file (my.cnf), to improve performance by using a specially designed library from Google performance team, or another implementation.
The problem is that many MySQL tutorials, guides, how-tos, and setup scripts chown the my.cnf file to the mysql user. Even most MySQL security guides give this bad advice.
“In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that
allowed users to create mysql config files with a simple statement:”
SELECT * INFO OUTFILE ‘/var/lib/mysql/my.cnf’
“The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created by OUTFILE query.”
This issue has been considered fixed for more than 10 years.
However, a new vector has appeared:

mysql> set global general_log_file = ‘/etc/my.cnf’;
mysql> set global general_log = on;
mysql> select ‘
‘> ; injected config entry
‘> [mysqld]
‘> malloc_lib=/tmp/mysql_exploit_lib.so
‘> ‘;
1 row in set (0.00 sec)
mysql> set global general_log = off;
If MySQL has permission, it will write that content into that file
Now, the config file will be invalid, and mysql will not like it because it contains excess lines, however:
“mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it to start up successfully.”
Another issue is that the mysqld_safe script loads my.cnf from a number of locations, so even if you have properly security your config file, if one of the other locations is not locked down, MySQL could create a new config file in that location
“The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.”
“During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October.”
“No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”

Bugs in Cisco networking gear at center of hosting company bankruptcy fight

“Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.”
“Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.”
“There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it.”
“Peak Web, founded in 2001, had worked with companies including MySpace, JDate, EHarmony, and Uber. Under its $4 million-a-month contract with Machine Zone, which began on April 1, 2015, it had to keep Game of War running with fewer than 27 minutes of outages a year, court filings show. According to Machine Zone, the hosting service couldn’t make it a month without an outage lasting almost an hour. Another in August of that year was traced to faulty cables and cooling fans, according to the publisher.”
“Cisco’s networking equipment became a problem in September, says a person familiar with Peak Web’s operations, who requested anonymity to discuss the litigation. The company’s Nexus 3000 switches began to fail after trying to improperly process a routine computer-to-computer command, and because Cisco keeps its code private, Peak Web couldn’t figure out why. The person familiar with the situation says Cisco denied Peak Web’s requests for an emergency software fix, and as more switches failed over the next month, the hosting service’s staffers couldn’t move quickly enough to keep critical systems online.”
“Finally, late in October, came the 10 hours of darkness. Three people familiar with Peak Web’s operations say the lengthy outage gave the company time to deduce that the troublesome command was reducing the switches’ available memory and causing them to crash. The company alerted Cisco. Machine Zone’s attorneys wrote that Peak Web has “aggressively sought to place the blame elsewhere for its failures” and that it could have prevented the downtime. In December, Cisco confirmed to Peak Web that it had replicated the bug and issued a fix, according to e-mails filed as evidence in the lawsuit.”
“Networking equipment such as switches and routers, which carry the world’s internet and corporate data traffic, tend to be especially difficult to fix with a software patch”
“In one previously unreported incident, in 2014, a glitch in a Cisco Invicta flash storage system corrupted data and disabled the emergency-room computer systems at Chicago’s Mount Sinai Hospital for more than eight hours, says a person familiar with the incident. Cisco later froze shipments of Invicta equipment and discontinued the product line. In another unreported case, a Cisco server in 2012 overheated inside a data center at chipmaking equipment manufacturer KLA-Tencor, forcing the facility to close and costing the company more than $50 million, according to a person familiar with the matter.”
This is definitely a tough spot to be in. I have been on both sides of this, and even in the middle. I use the services of a larger ISP to provide service to my customers, so when a problem is with that upstream ISP, their SLA only covers a fraction of what I pay them, not what my customers pay me
One of the worst cases for me was when a automated configuration error at an upstream ISP changed a bunch of switch ports from gigabit to 100mbps, severely degrading the performance of our servers, and interrupting an important live stream.
While our ISP gave us a large credit to cover their screw up, it didn’t cover the lossed revenue we didn’t get because of the screw up, nor the even larger lost revenue of our customer. That customer left, so we ended up also missing out all of future revenue

Feedback:

Round Up:

The post Buffalo Overflow | TechSNAP 284 first appeared on Jupiter Broadcasting.

I Can’t Believe It’s Not Ethernet | TechSNAP 283

chris — Thu, 08 Sep 2016 20:00:44 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Modified USB ethernet adapter can steal windows and mac credentials

“Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).”
Thesis: “If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out”
“The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.”
“The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. This means that even if a system is locked out, the device still gets installed”
“Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
“When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device. Fuller’s modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology. The researcher’s modified device also includes a LED that lights up when the credentials have been recorded.”
So, just like in a spy movie, you plug in the device, wait until the light comes on, and you have stolen the credentials
“An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.”
The attack was tested against versions of Windows as far back as Windows 98 SE, and as modern as Windows 10 Enterprise and OS X El Capitan
The device pretends to be an ethernet adapter, and provides access to a ‘network’, where a DHCP server tells you to install this proxy configuration
“This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others”
It gives you the hashes password for the logged in user, which you can then crack offline, and return later and login with the known password
Researcher blog

Zstandard, a new compression algorithm from Facebook

Unlike the new Dropbox algorithm that is designed specifically for jpeg images, this is a general purpose algorithm, designed to replace gzip
“Today, the reigning data compression standard is Deflate, the core algorithm inside Zip, gzip, and zlib. For two decades, it has provided an impressive balance between speed and space, and, as a result, it is used in almost every modern electronic device (and, not coincidentally, used to transmit every byte of the very blog post you are reading). Over the years, other algorithms have offered either better compression or faster compression, but rarely both. We believe we’ve changed this.”
There are three standard metrics for comparing compression algorithms and implementations:
- Compression ratio: The original size (numerator) compared with the compressed size (denominator), measured in unitless data as a size ratio of 1.0 or greater.
Compression speed: How quickly we can make the data smaller, measured in MB/s of input data consumed.
Decompression speed: How quickly we can reconstruct the original data from the compressed data, measured in MB/s for the rate at which data is produced from compressed data.
“The type of data being compressed can affect these metrics, so many algorithms are tuned for specific types of data, such as English text, genetic sequences, or rasterized images. However, Zstandard, like zlib, is meant for general-purpose compression for a variety of data types. To represent the algorithms that Zstandard is expected to work on, in this post we’ll use the Silesia corpus, a data set of files that represent the typical data types used every day.”
The post compares the best of the modern compression algorithms, lz4 (what ZFS uses), zstd (Facebook’s new thing), libz (gzip, what your browser uses for webpages), and xz (what most unix distros have switched to for compressing tar and log files)
In the comparison, LZ4 does not compress the data as much, but does so at almost 450 MB/s, while zlib compresses more, but only 23 MB/s. XZ compresses even better, but at only 2.3 MB/s
zstd gets about the same compression as zlib, but at almost 6 times the speed (136 MB/s)
Decompression is similar: LZ4: 2165 MB/s, zstd: 536 MB/s, zlib: 281 MB/s, xz: 63 MB/s
When comparing the command line tools, zstd is about 5x faster at compression, and 3.6x faster at decompression
As with gzip and xz, zstd also supports different ‘levels’ of compression. Although instead of having a range from 1 to 9, it instead offers a range of 1-22 (which suggests that additional levels might be added in the future)
It looks like it can get xz levels of of compression if turned up high enough
“By design, zlib is limited to a 32 KB window, which was a sensible choice in the early ’90s. But, today’s computing environment can access much more memory — even in mobile and embedded environments.

Zstandard has no inherent limit and can address terabytes of memory (although it rarely does). For example, the lower of the 22 levels use 1 MB or less. For compatibility with a broad range of receiving systems, where memory may be limited, it is recommended to limit memory usage to 8 MB. This is a tuning recommendation, though, not a compression format limitation.”

I forgot the password for my consumer grade NAS

“I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords.”
“I miraculously still remember the password to my regular user, but the admin password is nowhere to be found and you need the old one to change it. So I start poking around to see if there is any way to recover it.”
“One of the most common vulnerabilities on these thingies is allowing anyone to download a “config backup” that includes all the juicy passwords, and indeed, this screen looks promising”
The download was just base64 encoded random data. Definitely encrypted
“Mandatory Open Source releases usually have LICENSE files or some other indication of what libraries are being used, so he’s hoping to find some clue on what they used.”
Apparently WD releases everything, including the php script that generates the config download
“Looks like it’s a tarball encrypted with something called encodex and a fixed password”
“So we got the config file. Is it over? Nope. No passwords in it. This system does everything wrong. it’s unsalted MD5. Then it is stored a second time as a plain MD5 anyway”
I have never seen anyone do that before. I didn’t even know that would work…
So they reversed the process and uploaded a new configuration file with the hash of a known password (faster than brute forcing). Why is this allowed by a non-admin user anyway?
“Great. Fun. Is it enough? No! I locked myself out of ssh access too, by adding an unmatchable AllowUsers directive to my sshd_config.”
“First realization, the whole webgui runs as root. Look at ChangeWebAdmin above, it calls passwd and reads /etc/shadow!”
So, when you upload a new config, it just decrypts it and runs the untar, as root
“plus the fact that it’s probably a BusyBox implementation of tar might mean that the oldest trick in the book works: creating an archive with a fully-qualified /etc/sshd_config file in it and hope it gets extracted directly at the absolute path.”
“No luck. Second try: we see that it’s extracted in /tmp, what if we call it ../etc/sshd_config? No luck with that neither.”
“But hey… we can extract as much as we want in /tmp and nothing will get deleted between a run and the next! So let’s try with a convenient symlink :). First we plant a root => / symlink, and now that /tmp/root points to / we try calling our file root/etc/sshd_config and hope it gets extracted inside the symlink”
And, we’re in. The sshd_config has been replaced with one uploaded by a unprivileged user.
“This is all nice, but I started from a vantage point: I remembered a user login. Can we do something from scratch?”
“For example, extracting the config… It didn’t look like that PHP file had any access control, is it possible that… Oh God.”
“If we can crack any user password from the MD5, we can go from zero to root”
“All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect… AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That’s a first for me.”
“Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.”
Most browsers will respect the header, and redirect you to the login page, and ignore the excess content that was included in the response (like a config backup, or downloading a file, or doing any action what-so-ever
“So with the admin password reset trick above, we can get a full escalation from unauth to admin+root. Pwn’d. (The hardest thing was emulating the browser request with curl well enough to upload the file.)”
“So yeah, don’t expose these thingies on the Internet and don’t worry too much if you lose the passwords ;-)”
And in the end, the mystery was solved: “Turns out all the password fields except the login form have maxlength=16, so when resetting the password I pasted it from the password manager and it got cut without me knowing”

Feedback:

Round Up:

The post I Can't Believe It's Not Ethernet | TechSNAP 283 first appeared on Jupiter Broadcasting.

Signature Bloatware Updates | TechSNAP 270

chris — Thu, 09 Jun 2016 10:03:13 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

“According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
“OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
“Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
“The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
The results:
- Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
- Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
Other Findings:
“Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
Every new machine came with crapware, and an auto-updated for the crapware. The auto-updated made the machine less secure, not more secure as it expected. Not to mention they that this report doesn’t actually look at the crapware itself
“There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
They didn’t have to try very hard, some of these updaters run a local http server that anything can connect to
“Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
This means that a random person at the coffee shop, or the government, can pretend to be your OEMs update server, and feed you malware instead of security fixes
“Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
Multiple auto-updaters, that is what everyone wants
“The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
“Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
Additional Coverage
Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

“The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
“Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
“I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
“More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
Not necessarily, it can depend on the setup. The reason you might expose a printer to the internet like that on purpose, is to allow printing while you are away from home, but it isn’t a good idea
“Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

“Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
They want your card number
They want your PIN number
“To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
“The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
The post includes a video of a skimmer being installed in just a few seconds
Then it gets interesting, after having read all of Krebs advice, while visiting Indonesia, the author of the post encountered a skimmer
“A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
“I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
“We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
“By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
“The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
This reaction is very common, and is starting to be troubling
After some deduction, he determined the ports on the side were for a USB cable
“Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
“It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
“After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
“The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
“Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
“The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
Going back a few days later, they found a fresh pin number camera installed

Feedback:

Round Up:

The post Signature Bloatware Updates | TechSNAP 270 first appeared on Jupiter Broadcasting.

Insecure Socket Layer | TechSNAP 265

chris — Thu, 05 May 2016 20:35:37 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A critical flaw in that bit of software tucked far far away that you never think about… Until now, we explain why ImageTragick is a pain. More OpenSSL flaws & fraudsters stealing tax data from the motherload.

Plus great questions, our answers, a packed Round up & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Critical flaw found in ImageMagick

ImageMagick is a very popular suite of applications for working with images
It is used by many websites, to process, convert, and resize uploaded images
It is used for photos, avatars, and any other type of image a website might process
“There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.”
“If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):”
Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
A first draft of the fix was released as ImageMagick to 6.9.3-9, on 2016-04-30
However, it is not clear that this entirely resolves the problem
“Insufficient filtering for filename passed to delegate’s command allows remote code execution during conversion of several file formats.”
“ImageMagick allows to process files with external libraries. This feature is called ‘delegate’. It is implemented as a system() with command string (‘command’) from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate’s command is used to handle https requests:”
“wget” -q -O “%o” “https:%M”
If instead of a URL, you provide say: https://example.com;ls -la
It runs your command in addition to the normal operation, allowing the attacker to run any command they wish
“The most dangerous part is ImageMagick supports several formats like svg, mvg, and maybe some others – which allow to include external files from any supported protocol including delegates. As a result, any service, which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.”
Why are you disclosing a vulnerability like this?
“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software. ImageMagick also disclosed this on their forum a few hours ago.”
Additional Coverage – OSS Security List
Additional Coverage – Ars Technica – Huge number of sites imperiled by critical image-processing vulnerability [Updated]

Fraudsters steal tax and salary data from ADP

“Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms”
“ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.”
“ADP provides payroll, tax and benefits administration for more than 640,000 companies”
“Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.”
“ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name.”
US Bancorp: “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP. During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
“ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal.”
“According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.”
“The problem, ADP Chief Security Officer Roland Cloutier said, seems to stem from ADP customers that both deferred the signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.”
“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” Ripley said. “We have discontinued that practice.”
A secret can only be protected if everyone that possesses it, knows it is a secret
“ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.”
“Cloutier said ADP does offer an additional layer of authentication — a personal identification code (PIC) — basically another static code that can be assigned to each employee. He added that ADP is trialing a service that will ask anyone requesting a new account to successfully answer a series of questions based on information that only the real account holder is supposed to know.”
Of course, “supposed to know” is the problem
The IRS learned this the hard way, and has already had to replace 2 different authentication systems because the ‘knowledge based authentication’ questions were easily guessed by attackers
“It’s truly a measure of the challenges ahead in improving online authentication that so many organizations are still looking backwards to obsolete and insecure approaches. ADP’s logo includes the clever slogan, “A more human resource.” It’s hard to think of a more apt mission statement for the company. After all, it’s high time we started moving away from asking people to robotically regurgitate the same static identifiers over and over, and shift to a more human approach that focuses on dynamic elements for authentication. But alas, that’s fodder for a future post.”
Apparently Kreb’s report caused a large temporary dip in ADP’s stock price

Another OpenSSL Advisory

More fun with OpenSSL
Memory corruption in the ASN.1 encoder (CVE-2016-2108) [HIGH]
The advisory notes that the most severe of the issues was partially fixed over a year ago: “This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.”
However, because of a second bug, this issue turned out to be a critical flaw
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) [HIGH]
- “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
In both of these cases it seems that, in a rush to fix a bug, a further flaw was created
Additional Fixes:
EVP_EncodeUpdate overflow (CVE-2016-2105) [LOW]
EVP_EncryptUpdate overflow (CVE-2016-2106) [LOW]
ASN.1 BIO excessive memory allocation (CVE-2016-2109) [LOW]
EBCDIC overread (CVE-2016-2176) [LOW]
Note: support for OpenSSL version 1.0.1 will cease on 31st December 2016. Support for versions 0.9.8 and 1.0.0 already ended on 31st December 2015. Those versions are no longer receiving security updates.
Additional Coverage: Ars Technica

How do fraudsters get the CVV number for your credit card?

“A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.”
The CVV is the 3 (or 4 in the case of AMEX) digit number on the back of your credit card
This number is not normally used for “card present” transactions, like checking out at the supermarket
The CVV is designed for “card not present” transactions, like shopping online
The idea was, this number was NEVER to be stored, so even in the event of a credit card database breach, the attackers would not get the CVV number, and so could not use the stolen cards in online transactions
The CVV is basically how you prove that you have the card in your hands
This of course works in theory, but just because merchants are not SUPPOSED to not store the CVV, doesn’t mean they don’t
“The vast majority of the time, this CVV data has been stolen by Web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking Trojan does on an infected PC, except it’s designed to steal data from Web server applications.”
“PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.”
“Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.”
“These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).”

Feedback:

Round Up:

The post Insecure Socket Layer | TechSNAP 265 first appeared on Jupiter Broadcasting.

rm -rf $ALLTHETHINGS/ | TechSNAP 262

chris — Thu, 14 Apr 2016 18:34:12 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
It turns out to not have been as big a deal as we were lead to believe
The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
It affects all versions of Samba clear back to 3.0
“Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
“Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
See the Samba Release Planning page for more details about support lifetime for each branch
Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
“There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
standard Samba server – modify user permissions on files or directories.
There were also a number of related CVEs that are also fixed:
- CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
- CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
- CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
- CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
- CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
- CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
- CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
“As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
“Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
Additional Coverage: Forbes
Additional Coverage: WordFence
Additional Coverage: Slashdot
In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

“I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
“All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
How I can recover from a rm -rf / now in a timely manner?”
There is not usually any easy way to recover from something like this
That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
It is usually best to not have your backups mounted directly, for exactly this reason
Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
There are plenty of other examples of this same problem though
Steam accidently deletes ALL of your files
Bryan Cantrill tells a similiar story from the old SunOS days
Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
Additional Coverage: ServerFault
When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

Round Up:

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.