Network – Jupiter Broadcasting

Schoolhouse Exploits | TechSNAP 296

chris — Thu, 08 Dec 2016 21:37:05 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Project Zero: Breaking the chain

“Much as we’d like it to be true, it seems undeniable that we’ll never fix all security bugs just by looking for them. One of most productive ways to dealing with this fact is to implement exploit mitigations. Project Zero considers mitigation work just as important as finding vulnerabilities. Sometimes we can get our hands dirty, such as helping out Adobe and Microsoft in Flash mitigations. Sometimes we can only help indirectly via publishing our research and giving vendors an incentive to add their own mitigations.”
“This blog post is about an important exploit mitigation I developed for Chrome on Windows. It will detail many of the challenges I faced when trying to get this mitigation released to protect end-users of Chrome. It’s recently shipped to users of Chrome on Windows 10 (in M54), and ended up blocking the sandbox escape of an exploit chain being used in the wild.”
“It’s possible to lockdown a sandbox such as Chrome’s pretty comprehensively using Restricted Tokens. However one of the big problems on Windows is locking down access to system calls. On Windows you have both the normal NT system calls and Win32k system calls for accessing the GUI which combined represents a significant attack surface.”
“While the NT system calls do have exploitable vulnerabilities now and again (for example issue 865) it’s nothing compared to Win32k. From just one research project alone 31 issues were discovered, and this isn’t counting the many font issues Mateusz has found and the hundreds of other issues found by other researchers.”
“Much of Win32k’s problems come from history. In the first versions of Windows NT almost all the code responsible for the windowing system existed in user-mode. Unfortunately for 90’s era computers this wasn’t exactly good for performance so for NT 4 Microsoft moved a significant portion of what was user-mode code into the kernel (becoming the driver, win32k.sys). This was a time before Slammer, before Blaster, before the infamous Trustworthy Computing Memo which focussed Microsoft to think about security first. Perhaps some lone voice spoke for security that day, but was overwhelmed by performance considerations. We’ll never know for sure, however what it did do was make Win32k a large fragile mess which seems to have persisted to this day. And the attack surface this large fragile mess exposed could not be removed from any sandboxed process.”
“That all changed with the release of Windows 8. Microsoft introduced the System Call Disable Policy, which allows a developer to completely block access to the Win32k system call table. While it doesn’t do anything for normal system calls the fact that you could eliminate over a thousand win32k system calls, many of which have had serious security issues, would be a crucial reduction in the attack surface.”
“However no application in a default Windows installation used this policy (it’s said to have been introduced for non-GUI applications such as on Azure) and using it for something as complex as Chrome wasn’t going to be easy. The process of shipping Win32k lockdown required a number of architectural changes to be made to Chrome. This included replacing the GDI-based font code with Microsoft’s DirectWrite library. After around two years of effort Win32k lockdown was shipping by default.”
The problem is that plugins, like Flash and PDFium, run via the PPAPI, and cannot have access to the Win32k blocked
“This would seem a pretty large weak point. Flash has not had the best security track record (relevant), making the likelihood of Flash being an RCE vector very high. Combine that with the relative ease of finding and exploiting Win32k vulnerabilities and you’ve got a perfect storm.”
“It would seem reasonable to assume that real attackers are finding Win32k vulnerabilities and using them to break out of restrictive sandboxes including Chrome’s using Flash as the RCE vector. The question was whether that was true. The first real confirmation that this was true came from the Hacking Team breach, which occurred in July 2015. In the dumped files was an unfixed Chrome exploit which used Flash as the RCE vector and a Win32k exploit to escape the sandbox. While both vulnerabilities were quickly fixed I came upon the idea that perhaps I could spend some time to implement the lockdown policy for PPAPI and eliminate this entire attack chain.”
“For a better, more robust solution I needed to get changes made to Flash. I don’t have access to the Flash source code, however Google does have a good working relationship with Adobe and I used this to get the necessary changes implemented. It turned out that there was a Pepper API which did all that was needed to replace the GDI font handling, pp::flash::FontFile. Unfortunately that was only implemented on Linux, however I was able to put together a proof-of-concept Windows implementation of pp::flash::FontFile and through Xing Zhang of Adobe we got a full implementation in Chrome and Flash.”
So, with some work, most of the code in Flash that needed access to the Win32k API could be removed, so access to it could be blocked
“From this point I could enable Win32k lockdown for plugins and after much testing everything seemed to be working, until I tried to test some DRM protected video. While encrypted video worked, any Flash video file which required output protection (such as High-bandwidth Digital Content Protection (HDCP)) would not.”
“Still this presents a problem, as video along with games are some of the only residual uses of Flash. In testing, this also affected the Widevine plugin that implements the Encrypted Media Extensions for Chrome. Widevine uses PPAPI under the hood; not fixing this issue would break all HD content playback.”
“The ideal way of fixing this would be to implement a new API in Chrome which exposed enabling HDCP then get Adobe and Widevine to use that implementation. It turns out that the Adobe DRM and Widevine teams are under greater constraints than normal development teams. After discussion with my original contact at Adobe they didn’t have access to the DRM code for Flash. I was able to have meetings with Widevine (they’re part of Google) and the Adobe DRM team but in the end I decided to go it alone and implement redirection of these APIs as part of the sandbox code.”
It seems that the DRM code is so locked down, that even the developers at the companies that created it, cannot modify it
So the Chrome developer just created a compatibility layer, that brokers the Win32k calls to a separate process, that is outside of the Win32k API blocking, so the calls can succeed
“From the first patch submitted in September 2015 to the final patch in June it took almost 10 months of effort to come up with a shipping mitigation. The fact that it’s had its first public success (and who knows how many non-public ones) shows that it was worth implementing this mitigation.”
“In the latest version of Windows 10, Anniversary Edition, Microsoft have implemented a Win32k filter which makes it easier to reduce the attack surface without completely disabling all the system calls which might have sped up development. Microsoft are also taking pro-active effort to improve the Win32k code base.”

‘Avalanche’ Global Fraud Ring Dismantled

“In what’s being billed as an unprecedented global law enforcement response to cybercrime, federal investigators in the United States, United Kingdom and Europe today say they’ve dismantled a sprawling cybercrime machine known as “Avalanche” — a distributed, cloud-hosting network that for the past seven years has been rented out to fraudsters for use in launching countless malware and phishing attacks.”
“The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.”
“The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing[1] to combat botnet[2] infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.”
“Built as a criminal cloud-hosting environment that was rented out to scammers, spammers other ne’er-do-wells, Avalanche has been a major source of cybercrime for years. In 2009, when investigators say the fraud network first opened for business, Avalanche was responsible for funneling roughly two-thirds of all phishing attacks aimed at stealing usernames and passwords for bank and e-commerce sites. By 2011, Avalanche was being heavily used by crooks to deploy banking Trojans.”
““Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data,” the NCA said in a statement released today on the takedown. The criminals used the stolen information for fraud or extortion. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer. At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.””
“The Avalanche network was especially resilient because it relied on a hosting method known as fast-flux, a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies.”
By constantly changing addresses, it is hard for researchers and others to report the compromised hosts. Even when trying constant lookups, a researcher will only see a fraction of the actual hosts in the network.
“It’s worth noting here that Avalanche has for many years been heavily favored by crime gangs to deploy Zeus and SpyEye malware variants involved in cleaning out bank accounts for a large number of small to mid-sized businesses. These attacks relied heavily on so-called “money mules,” people willingly or unwittingly recruited into helping fraudsters launder stolen funds.”
“The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a “Double Fast Flux” botnet. Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name Service A address record for a single DNS name The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses. And there are multiple domain names for command and control nodes hard-coded into the botnet malware, allowing the bots to switch to a different domain name if a specific domain is blocked.”
Additional Coverage
EuroPol Announcement
EuroPol Technical Infographic

Meet the men who spy on women through their webcams

The article describes some miscreants using RATs (Remote Administration Trojans) to control people’s computers, then using it to harass them and/or spy on them in various ways
It describes a scenario of a ratter watching and taunting a victim. Trying to scare and shock them
“See! That shit keeps popping up on my fucking computer!” says a blond woman as she leans back on a couch, bottle-feeding a baby on her lap.
“The woman is visible from thousands of miles away on a hacker’s computer. The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman’s screen, to her webcam, to her files, to her microphone. He watches her and the baby through a small control window open on his Windows PC, then he decides to have a little fun. He enters a series of shock and pornographic websites and watches them appear on the woman’s computer.”
“The woman is startled. “Did it scare you?” she asks someone off camera. A young man steps into the webcam frame. “Yes,” he says. Both stare at the computer in horrified fascination. A picture of old naked men appears in their Web browser, then vanishes as a McAfee security product blocks a “dangerous site.””
“Far away, the hacker opens his “Fun Manager” control panel, which provides a host of tools for messing with his RAT victims. He can hide their Windows “Start” button or the taskbar or the clock or the desktop, badly confusing many casual Windows users. He can have their computer speak to them. Instead, he settles for popping open the remote computer’s optical drive”
“Copies of the incident aren’t hard to find. They’re on YouTube, along with thousands of other videos showing RAT controller (or “ratters,” as they will be called here) taunting, pranking, or toying with victims. But, of course, the kinds of people who watch others through their own webcams aren’t likely to limit themselves to these sorts of mere hijinks—not when computers store and webcams record far more intimate material.”
“”Man I feel dirty looking at these pics,” wrote one forum poster at Hack Forums, one of the top “aboveground” hacking discussion sites on the Internet (it now has more than 23 million total posts). The poster was referencing a 134+ page thread filled with the images of female “slaves” surreptitiously snapped by hackers using the women’s own webcams. “Poor people think they are alone in their private homes, but have no idea they are the laughing stock on HackForums,” he continued. “It would be funny if one of these slaves venture into learning how to hack and comes across this thread.””
“Whether this would in fact be “funny” is unlikely. RAT operators have nearly complete control over the computers they infect; they can (and do) browse people’s private pictures in search of erotic images to share with each other online. They even have strategies for watching where women store the photos most likely to be compromising.”
I have always found people’s storage and organization strategies fascinating, especially for material they are trying to ‘hide in plain sight’
“RAT tools aren’t new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998. The lead author, who went by the alias Sir Dystic, called BackOrifice a tool designed for “remote tech support aid and employee monitoring and administering [of a Windows network].” But the Cult of the Dead Cow press release made clear that BackOrifice was meant to expose “Microsoft’s Swiss cheese approach to security.” Compared to today’s tools, BackOrifice was primitive. It could handle the basics, though: logging keystrokes, restarting the target machine, transferring files between computers, and snapping screenshots of the target computer.”
“”I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites,” wrote one poster. Another turned to social media, where “I’ve been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible.””
“Calling most of these guys “hackers” does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.”
“One of the biggest problems ratters face is the increasing prevalence of webcam lights that indicate when the camera is in use. Entire threads are devoted to bypassing the lights, which routinely worry RAT victims and often lead to the loss of slaves.”
“Unfortunately she asked her boyfriend why the light on her cam kept coming on,” one RAT controller wrote. “And he knew, she never came back :)”
“RATs can be entirely legitimate. Security companies have used them to help find and retrieve stolen laptops, for instance, and no one objects to similar remote login software such as LogMeIn. The developers behind RAT software generally describe their products as nothing more than tools which can be used for good and ill. And yet some tools have features that make them look a lot like they’re built with lawlessness in mind.”
“RATs aren’t going away, despite the occasional intervention of the authorities. Too many exist, plenty of them are entirely legal, and source code is in the wild (a version of the Blackshades source leaked in 2010). Those who don’t want to end up being toyed with in a YouTube video are advised to take the same precautions that apply to most malware: use a solid anti-malware program, keep your operating system updated, and make sure plugins (especially Flash and Java) aren’t out of date. Don’t visit dodgy forums or buy dodgy items, don’t click dodgy attachments in e-mail, and don’t download dodgy torrents. Such steps won’t stop every attack, but they will foil many casual users looking to add a few more slaves to their collections.”
“If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, “Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b” At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection.”
Honestly, this article was rather tame in its list of possibly things the ratters could do to you.
To pay off webcam spies, Detroit kid pawns $100k in family jewels for $1,500

Feedback:

Round Up:

The post Schoolhouse Exploits | TechSNAP 296 first appeared on Jupiter Broadcasting.

OpSec for Script Kiddies | TechSNAP 285

chris — Thu, 22 Sep 2016 07:37:15 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

FBI Arrests Two Alleged Members of Group That Hacked the CIA Director

“Two young men from North Carolina have been charged with their alleged connection to the hacking group “Crackas With Attitude.” The group gained notoriety when it hacked into the personal email account of CIA Director John Brennan last year and in the following weeks claimed responsibility for hacking the Department of Justice, email accounts of several senior officials, and other US government systems.”
“Andrew Otto Boggs, 22, who allegedly used the handle Incursio, or IncursioSubter, and Justin Gray Liverman, who is suspected of using the moniker D3f4ult, were arrested on Thursday, according to a press release by the US State’s Attorney’s Office in the Eastern District of Virginia.”
“Crackas With Attitude, or CWA, first sprung on the hacking scene when they broke into Brennan’s AOL email account in October 2015. The group distinguished itself for openly bragging about their exploits and for making fun of their victims online. After hacking into Brennan’s account, one of the members of the group, known as “Cubed,” said it was so easy “a 5 year old could do it.” After Brennan, the group targeted and hacked the accounts of Director Of National Intelligence James Clapper, a White House official, and others.”
“Much of the time, the group would use social engineering to gain access to accounts. In February, one member of the group explained to Motherboard how they broke into a Department of Justice system, by calling up the relevant help desk and pretending to be a new employee. That hack led in the exposure of contact information for 20,000 FBI and 9,000 DHS employees.”
“The group made heavy use of social media, and in particular Twitter, to spread news of the dumps and mock victims. However, according to the affidavit, Boggs allegedly connected to one of the implicated Twitter accounts (@GenuinelySpooky) from an IP address registered to his father, with whom Boggs lived. Much the same mistake led to Liverman’s identification: an IP address used to access the Twitter handle @_D3F4ULT and another account during the relevant time period was registered to an Edith Liverman. According to the affidavit, publicly available information revealed that Justin Liverman lived with Edith at the time.”
“The affidavit also includes several sets of Twitter direct messages between members of the group.”
Which suggests Twitter may have provided the government with that data, probably under a subpoena
“Liverman seemingly logged his conversations: according to the affidavit, law enforcement found copies of chats on his hard drive, including one where Liverman encouraged Cracka to publish the social security number of a senior US government official. These logs make up a large chunk of the affidavit, laying out the groups alleged crimes in detail, and investigators found other forensics data on Liverman’s computer too.”
It really goes to show how unsophisticated these attackers were

Discovering how Dropbox hacks your mac

“If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab (see screenshot above). Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer? No, I can assure you that your memory isn’t faulty. You don’t remember doing that because Dropbox never presented this dialog to you, as it should have”
“That’s the only officially supported way that apps are allowed to appear in that list, but Dropbox never asked you for that permission. I’ll get to why that’s important in a moment, but if you have the time, try this fascinating experiment: try and remove it.”
“That leaves a couple of questions. First, why does it matter, and second, is there any way to keep using Dropbox but stop it having access to control your computer?”
“There’s at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… . There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.”
“The list of authorization “rights” used by the system to manage this “policy based system” is held in /var/db/auth.db database, and a backup or default copy is retained in /System/Library/Security/authorization.plist.”
“The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.”
“In other words, if allow-root isn’t explicitly set, the default is that even a process with root user privileges does not have the right to perform that operation. Since that’s not specified in the default shown above, then even root couldn’t add Dropbox to the list of apps in Accessibility preferences. Is it possible then, that Dropbox had overridden this setting in the auth.db? Let’s go and check!””
Basically, by using sqlite directly, rather than the OS X tcc utility, you can override the policy, and add any apps you want to the whitelist. Or worse, any app running as root can do this without you even knowing
“I tested this with several of my own apps and found it worked reliably. It’ll even work while System Preferences is open, which is exactly the behaviour I saw with Dropbox. It remained to prove, though, that this was indeed the hack that Dropbox was using, and so I started to look at what exactly Dropbox did after being given an admin password on installation or launch. Using DetectX, I was able to see that Dropbox added a new folder to my /Library folder after the password was entered”
“As can be seen, instead of adding something to the PrivilegedHelperTools folder as is standard behaviour for apps on the mac that need elevated privileges for one or two specialist operations, Dropbox installs its own folder containing these interesting items”
“the deliciously named dbaccessperm file, we finally hit gold and the exact proof I was looking for that Dropbox was using a sql attack on the tcc database to circumvent Apple’s authorization policy”
“What I do suspect, especially in light of the fact that there just doesn’t seem to be any need for Dropbox to have Accessibility permissions, is that it’s in there just in case they want that access in the future. If that’s right, it suggests that Dropbox simply want to have access to anything and everything on your mac, whether it’s needed or not.”
“The upshot for me was that I learned a few things about how security and authorisation work on the mac that I didn’t know before investigating what Dropbox was up to. But most of all, I learned that I don’t trust Dropbox at all. Unnecessary privileges and backdooring are what I call untrustworthy behaviour and a clear breach of user trust. With Apple’s recent stance against the FBI and their commitment to privacy in general, I feel moving over to iCloud and dropping Dropbox is a far more sensible way to go for me.”
“For those of you who are stuck with Dropbox but don’t want to allow it access to Accessibility features, you can thwart Dropbox’s hack by following my procedure here”
Previous Article

Proprietors of vDoS, the DDoS for hire service, arrested

“Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.”
“The pair were reportedly questioned and released Friday on the equivalent of about USD $10,000 bond each. Israeli authorities also seized their passports, placed them under house arrest for 10 days, and forbade them from using the Internet or telecommunications equipment of any kind for 30 days.”
“Huri and Bidani are suspected of running an attack service called vDOS. As I described in this week’s story, vDOS is a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline.”
“The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.”
“For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: “godiefaggot.” For a brief time the site was unavailable, but thankfully it is guarded by DDoS protection firm Prolexic. The attacks against this site are ongoing.”
“At the end of August 2016, the two authored a technical paper (PDF) on DDoS attack methods which was published in the Israeli security e-zine Digital Whisper. In it, Huri signs his real name and says he is 18 years old and about to be drafted into the Israel Defense Forces. Bidani co-authored the paper under the alias “Raziel.b7@gmail.com,” an email address that I pointed out in my previous reporting was assigned to one of the administrators of vDOS.”
“Sometime on Friday, vDOS went offline. It is currently unreachable. According to several automated Twitter feeds that track suspicious large-scale changes to the global Internet routing tables, sometime in the last 24 hours vDOS was apparently the victim of what’s known as a BGP hijack.”
“Reached by phone, Bryant Townsend, founder and CEO of BackConnect Security, confirmed that his company did in fact hijack Verdina/vDOS’s Internet address space. Townsend said the company took the extreme measure in an effort to get out from under a massive attack launched on the company’s network Thursday, and that the company received an email directly from vDOS claiming credit for the attack.”
““For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.””
Krebs also got access to a large log file from the vdos site
“The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.”

Feedback:

Round Up:

The post OpSec for Script Kiddies | TechSNAP 285 first appeared on Jupiter Broadcasting.

Buffalo Overflow | TechSNAP 284

chris — Thu, 15 Sep 2016 16:25:50 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Whoosh! That was the sound of your bank’s hard drives being destroyed

“ING Bank’s main data center in Bucharest, Romania, was severely damaged over the weekend during a fire extinguishing test. In what is a very rare but known phenomenon, it was the loud sound of inert gas being released that destroyed dozens of hard drives. The site is currently offline and the bank relies solely on its backup data center, located within a couple of miles’ proximity.”
“The drill went as designed, but we had collateral damage”, ING’s spokeswoman in Romania told me, confirming the inert gas issue. Local clients were unable to use debit cards and to perform online banking operations on Saturday between 1PM and 11PM because of the test. “Our team is investigating the incident,” she said.”
“The purpose of the drill was to see how the data center’s fire suppression system worked. Data centers typically rely on inert gas to protect the equipment in the event of a fire, as the substance does not chemically damage electronics, and the gas only slightly decreases the temperature within the data center.”
“The gas is stored in cylinders, and is released at high velocity out of nozzles uniformly spread across the data center. According to people familiar with the system, the pressure at ING Bank’s data center was higher than expected, and produced a loud sound when rapidly expelled through tiny holes”
“The bank monitored the sound and it was very loud, a source familiar with the system told us. “It was as high as their equipment could monitor, over 130dB”.”
“here is still very little known about how sound can cause hard drive failure. One of the first such experiments was made by engineer Brendan Gregg, in 2008, while he was working for Sun’s Fishworks team. He recorded a video in which he explains how shouting in a data center can result in hard drives malfunction.”
The test Brendan did was just a demonstration, the problem they were diagnosing in the video was caused by traffic on the street outside of the office basement data center. The rumble of the diesel bus engine as it pulled away from the stop on a regular basis caused latency on their hard drives
“Researchers at IBM are also investigating data center sound-related inert gas issues. “[T]he HDD can tolerate less than 1/1,000,000 of an inch offset from the center of the data track—any more than that will halt reads and writes”, experts Brian P. Rawson and Kent C. Green wrote in a paper. “Early disk storage had much greater spacing between data tracks because they held less data, which is a likely reason why this issue was not apparent until recently.””
“The Bank said it required 10 hours to restart its operation due to the magnitude and the complexity of the damage. A cold start of the systems in the disaster recovery site was needed. “Moreover, to ensure full integrity of the data, we’ve made an additional copy of our database before restoring the system,” ING’s press release reads.”
“Over the next few weeks, every single piece of equipment will need to be assessed. ING Bank’s main data center is compromised “for the most part”, a source told us.”

Critical MySQL vulnerability

“An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.”
“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”
The vulnerability also affects forks of MySQL including MariaDB and Percona
“Official patches for the vulnerability are not available at this time for Oracle MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions.”
Oracle has decided to not release a patch until their next “Critical Patch Update” in the middle of October
How does it work?
“The default MySQL package comes with a mysqld_safe script which is used by many default installations/packages of MySQL as a wrapper to start the MySQL service process”
This wrapper allows you to specify an alternate malloc() implementation via the mysql config file (my.cnf), to improve performance by using a specially designed library from Google performance team, or another implementation.
The problem is that many MySQL tutorials, guides, how-tos, and setup scripts chown the my.cnf file to the mysql user. Even most MySQL security guides give this bad advice.
“In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that
allowed users to create mysql config files with a simple statement:”
SELECT * INFO OUTFILE ‘/var/lib/mysql/my.cnf’
“The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created by OUTFILE query.”
This issue has been considered fixed for more than 10 years.
However, a new vector has appeared:

mysql> set global general_log_file = ‘/etc/my.cnf’;
mysql> set global general_log = on;
mysql> select ‘
‘> ; injected config entry
‘> [mysqld]
‘> malloc_lib=/tmp/mysql_exploit_lib.so
‘> ‘;
1 row in set (0.00 sec)
mysql> set global general_log = off;
If MySQL has permission, it will write that content into that file
Now, the config file will be invalid, and mysql will not like it because it contains excess lines, however:
“mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it to start up successfully.”
Another issue is that the mysqld_safe script loads my.cnf from a number of locations, so even if you have properly security your config file, if one of the other locations is not locked down, MySQL could create a new config file in that location
“The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.”
“During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October.”
“No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”

Bugs in Cisco networking gear at center of hosting company bankruptcy fight

“Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.”
“Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.”
“There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it.”
“Peak Web, founded in 2001, had worked with companies including MySpace, JDate, EHarmony, and Uber. Under its $4 million-a-month contract with Machine Zone, which began on April 1, 2015, it had to keep Game of War running with fewer than 27 minutes of outages a year, court filings show. According to Machine Zone, the hosting service couldn’t make it a month without an outage lasting almost an hour. Another in August of that year was traced to faulty cables and cooling fans, according to the publisher.”
“Cisco’s networking equipment became a problem in September, says a person familiar with Peak Web’s operations, who requested anonymity to discuss the litigation. The company’s Nexus 3000 switches began to fail after trying to improperly process a routine computer-to-computer command, and because Cisco keeps its code private, Peak Web couldn’t figure out why. The person familiar with the situation says Cisco denied Peak Web’s requests for an emergency software fix, and as more switches failed over the next month, the hosting service’s staffers couldn’t move quickly enough to keep critical systems online.”
“Finally, late in October, came the 10 hours of darkness. Three people familiar with Peak Web’s operations say the lengthy outage gave the company time to deduce that the troublesome command was reducing the switches’ available memory and causing them to crash. The company alerted Cisco. Machine Zone’s attorneys wrote that Peak Web has “aggressively sought to place the blame elsewhere for its failures” and that it could have prevented the downtime. In December, Cisco confirmed to Peak Web that it had replicated the bug and issued a fix, according to e-mails filed as evidence in the lawsuit.”
“Networking equipment such as switches and routers, which carry the world’s internet and corporate data traffic, tend to be especially difficult to fix with a software patch”
“In one previously unreported incident, in 2014, a glitch in a Cisco Invicta flash storage system corrupted data and disabled the emergency-room computer systems at Chicago’s Mount Sinai Hospital for more than eight hours, says a person familiar with the incident. Cisco later froze shipments of Invicta equipment and discontinued the product line. In another unreported case, a Cisco server in 2012 overheated inside a data center at chipmaking equipment manufacturer KLA-Tencor, forcing the facility to close and costing the company more than $50 million, according to a person familiar with the matter.”
This is definitely a tough spot to be in. I have been on both sides of this, and even in the middle. I use the services of a larger ISP to provide service to my customers, so when a problem is with that upstream ISP, their SLA only covers a fraction of what I pay them, not what my customers pay me
One of the worst cases for me was when a automated configuration error at an upstream ISP changed a bunch of switch ports from gigabit to 100mbps, severely degrading the performance of our servers, and interrupting an important live stream.
While our ISP gave us a large credit to cover their screw up, it didn’t cover the lossed revenue we didn’t get because of the screw up, nor the even larger lost revenue of our customer. That customer left, so we ended up also missing out all of future revenue

Feedback:

Round Up:

The post Buffalo Overflow | TechSNAP 284 first appeared on Jupiter Broadcasting.

The Shadow Knows | TechSNAP 282

chris — Thu, 01 Sep 2016 18:18:08 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Shadow Brokers steal hacking tools from NSA linked Equation Group

“On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.”
“The previously unknown group said that it broke into the cyberespionage organization known as the Equation Group and has now put the hacking tools that it acquired up for auction”
“In addition to selling the hacking tools to whoever would end up as the highest bidder, the Shadow Brokers said that if it will be paid 1 million bitcoins, which currently carries a value of about $568 million, the cyberweapons will be publicly released”
“To back up its claims, the Shadow Brokers uploaded what looks like attack code that focuses on the security systems of routers that direct computer traffic online. According to security experts, the code looks legitimate, affecting routers manufactured by three United States companies and two Chinese companies. Specifically, the companies involved are Cisco Systems, Fortinet, Juniper Networks, Shaanxi Networkcloud Information Technology and Beijing Topsec Network Security Technology.”
“Last year, researchers from Kaspersky Lab described the Equation Group as one of the most advanced hacking groups in the world. The compressed data that accompanied the post by the Shadow Brokers had a size of just over 256 MB and is said to contain hacking tools that are dated as early as 2010 belonging to the Equation Group”
Additional Coverage: The Intercept: The NSA Leak Is Real, Snowden Documents Confirm
“Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.”
This does not necessarily mean that the tools were stolen directly from the NSA, just that Shadow Brokers stole them from someone who had them. Maybe the Equation Group stole them, or maybe the NSA stole them from the Equation Group.
“The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
“The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.”
“SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.”
“SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.”
“Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.”
Additional Coverage: SoftPedia: List of Equation Group Files Leaked by Shadow Brokers
The list of names is quite amusing, likely computer generated by sticking two random words together. Reminds me of a domain-name generator I wrote when I was a teenager
Additional Coverage: Wired: Of Course Everyone’s Already Using the Leaked NSA Exploits
“All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.”
“Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn’t have a patch yet.”
“Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. “I’m not surprised that someone tried to exploit it,” Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. “People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way,” Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.”
“The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.”
Additional Coverage: Softpedia: Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool
Additional Coverage: Stephen Checkoway: Equation Group Initial Impressions
Additional Coverage: @musalbas: NSA’s BENIGNCERTAIN sends IKE packets to Cisco VPNs, then parses config and private keys from the response
Additional Coverage: @thegrugq: speculation that the ShadowBrokers leak was from another Snowden is “completely wrong”
Additional Coverage: Matt Blaze

Google Login Issue Allows Credential Theft

Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials. or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
The login page checks to ensure that the parameter points to .google.com/, but doesn’t determine which Google service the parameter is pointing to.
“The application fails to verify the type of Google service that has been specified. This means that is is possible to seamlessly insert any Google service at the end of the login process.”
Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials.
For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.
Exploiting the flaw should be simple, an “Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter,”
Woods opened three separate reports with Google about the vulnerability, but to no avail.
In a message to Woods, Google representatives said they saw phishing as the only attack vector, and didn’t consider this a security problem.
“The simplest action Google can take to address this would be to remove the redirect feature at login. If they want to retain that feature and also address this problem, they need to properly validate the contents of the parameter: Google needs to make sure the values they allow can’t be abused, and validate the allowed values are also safe themselves,” Woods said.
“This could be done by building a whitelist of [sub-]domains, (including paths if necessary) that they wish to redirect to.”
Aidan Woods: Google’s Faulty Login Pages

Researchers map the Netflix content delivery network, find 4669 servers

“When you open Netflix and hit “play,” your computer sends a request to the video-streaming service to locate the movie you’d like to watch. The company responds with the name and location of the specific server that your device must access in order for you to view the film.”
“For the first time, researchers have taken advantage of this naming system to map the location and total number of servers across Netflix’s entire content delivery network, providing a rare glimpse into the guts of the world’s largest video-streaming service.”
“A group from Queen Mary University of London (QMUL) traced server names to identify 4,669 Netflix servers in 243 locations around the world. The majority of those servers still reside in the United States and Europe at a time when the company is eager to develop its international audience. The United States also leads the world in Netflix traffic, based on the group’s analysis of volumes handled by each server. Roughly eight times as many movies are watched there as in Mexico, which places second in Netflix traffic volume. The United Kingdom, Canada, and Brazil round out the top five.”
“In March, Netflix did publish a blog post outlining the overall structure of its content delivery network, but did not share the total number of servers or server counts for specific sites.”
“Last January, Netflix announced that it would expand its video-streaming service to 190 countries, and IHS Markit recently predicted that the number of international Netflix subscribers could be greater than U.S. subscribers in as few as two years.”
“Steve Uhlig, the networks expert at Queen Mary University of London who led the mapping project, says repeating the analysis over time could track shifts in the company’s server deployment and traffic volumes as its customer base changes.”
“Traditionally, content delivery services have chosen one strategy or the other. Akamai, for example, hosts a lot of content with Internet service providers, while Google, Amazon, and Limelight prefer to store it at IXPs. However, Uhlig’s group found that Netflix uses both strategies, and varies the structure of its network significantly from country to country.”
“Timm Böttger, a doctoral student at QMUL who is a member of the research team, says he was surprised to find two Netflix servers located within Verizon’s U.S. network. Verizon and other service providers have argued with Netflix over whether they would allow Netflix to directly connect servers to their networks for free. In 2014, Comcast required Netflix to pay for access to its own network.”
“Tellingly, the group did not find any Netflix servers in Comcast’s U.S. network. As for the mysterious Verizon servers? “We think it is quite likely that this is a trial to consider broader future deployment,” Böttger says. Netflix did not respond to a request for comment.”
“Their search revealed that Netflix’s server names are written in a similar construction: a string of numbers and letters that include traditional airport codes such as lhr001 for London Heathrow to mark the server’s location and a “counter” such as c020 to indicate the number of servers at that location. A third element written as .isp or .ix shows whether the server is located within an Internet exchange point or with an Internet service provider.”
“To study traffic volumes, the researchers relied on a specific section of the IP header that keeps a running tally of data packets that a given server has handled. By issuing multiple requests to these servers and tracking how quickly the values rose, the team estimated how much traffic each server was processing at different times of the day. They tested the servers in 1-minute intervals over a period of 10 days.”
That counter is only 32 bit, and the larger Netflix servers push 80 gigabits per second (enough to wrap a 32 bit counter every 24 seconds)
“The U.K. has more Netflix servers than any other European country, and most of those servers are deployed within Internet service providers. All French customers get their films streamed through servers stationed at a single IXP called France-IX. Eastern Europe, meanwhile, has no Netflix servers because those countries were only just added to the company’s network in January.”
The researchers expected to see a lot more servers embedded in ISPs rather than at Internet exchanges. There are two reasons why this is not so: It would require more hardware, since machines at a specific ISP cannot service a second ISP, and: many ISPs like Comcast are resisting accepting Netflix CDN boxes
“In March, the company said it delivers about 125 million total hours of viewing to customers per day. The researchers learned that Netflix traffic seems to peak just before midnight local time, with a second peak for IXP servers occurring around 8 a.m., presumably as Netflix uploads new content to its servers.”
See Netflix and Fill – BSDNow 157 for more on how Netflix runs their FreeBSD powered CDN.

Feedback:

Round Up:

The post The Shadow Knows | TechSNAP 282 first appeared on Jupiter Broadcasting.

PIS Poor DNS | TechSNAP 268

chris — Thu, 26 May 2016 17:32:03 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Is the “Dark Cloud” hype, or a real technology? Using DNS tunneling for remote command and control & the big problem with 1-Day exploits.

Plus your great question, our answers, a breaking news roundup & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

APT Groups still successfully exploiting Microsoft Office flaw patched 6 months ago

“A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.”
“CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.”
“The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.”
One of the groups using the exploit targeted the Japanese military industrial complex
“In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.”
“The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.”
The report details a number of different teams, with different targets
Some or all of the teams may be related
“The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.”
Kaspersky Lab Report

Krebs investigates the “Dark Cloud”

“Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes.”
“In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.”
How do you keep your site online while hosting it on hacked machines you do not control
How do you keep the data secure? Who is going to pay for stolen credit cards when they can just hack one of the compromised machines hosting your site?
“I first became aware of this botnet, which I’ve been referring to as the “Dark Cloud” for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a Youtube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called “Uncle Sam,” whose home page pictures a pointing Uncle Sam saying “I want YOU to swipe.””
“I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.”
So, most of these hacked machines are likely just “repeaters”, accepting connections from end users and then relaying those connections back to the secret central server
This also works fairly well as a DDoS mitigation mechanism
“the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine’s strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a “reverse proxy,” which lets the attackers control the system remotely”
“It’s unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operated through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggests the whole thing may have been orchestrated by the same gang.”
A more indepth report on the botnet is expected next week
“If you liked this story, check out this piece about another carding forum called Joker’s Stash, which also uses a unique communications system to keep itself online and reachable to all comers.”

Wekby APT gang using DNS tunneling for C&C

“Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.”
“Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.”
“The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.”
“The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample.”
“The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.”
“The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.”
“The use of DNS as a C2 protocol has historically not been widely adopted by malware authors.”
“The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
“The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.”
The Malware also looks for specific flags in the DNS response, to prevent it being spoofed by a DNS server not run by the authors. Palo Alto Networks has reverse engineered the malware and found the special flags
The following commands, and their descriptions are supported by the malware:
- sifo – Collect victim system information
- drive – List drives on victim machine
- list – List file information for provided directory
- upload – Upload a file to the victim machine
- open – Spawn a command shell
“The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.”
Palo Alto Networks Report

Feedback:

Round up:

The post PIS Poor DNS | TechSNAP 268 first appeared on Jupiter Broadcasting.

On Target | TechSNAP 264

chris — Thu, 28 Apr 2016 05:53:17 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week, Chris & allan are both out of town at different shenanigans, but they recorded a sneaky episode for you in which they recap the Target breach, from when the news broke to the lessons learned and everything in between!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Episode Links:

The post On Target | TechSNAP 264 first appeared on Jupiter Broadcasting.

One Key to Rule Them All | TechSNAP 263

chris — Thu, 21 Apr 2016 10:41:52 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week, the FBI says APT6 has pawned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

FBI says APT6 has pwning the government for the last 5 years

The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
The official advisory is available on the Open Threat Exchange website
The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.
“This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is ”likely a nation-state sponsored group based in China,” according to FireEye, which ”has been dormant for the past several years.”
Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
The investigation centres on a Monaco company called Unaoil.
Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now know as MAN Diesal & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
It is the Monaco company that almost perfected the art of corruption.
It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
On a semi-related note, another big story for you to go read:
How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

No, not that kind of Visa, the other one.
Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
This has very important security considerations, as the application process for getting a visa is when most security checks are done
Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter –- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database –- the government’s so-called “backbone” for vetting travelers to and from the United States –- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
As one of the world’s largest biometric databases –- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -– the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
“Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
“Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:

Round Up:

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.

rm -rf $ALLTHETHINGS/ | TechSNAP 262

chris — Thu, 14 Apr 2016 18:34:12 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
It turns out to not have been as big a deal as we were lead to believe
The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
It affects all versions of Samba clear back to 3.0
“Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
“Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
See the Samba Release Planning page for more details about support lifetime for each branch
Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
“There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
standard Samba server – modify user permissions on files or directories.
There were also a number of related CVEs that are also fixed:
- CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
- CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
- CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
- CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
- CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
- CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
- CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
“As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
“Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
Additional Coverage: Forbes
Additional Coverage: WordFence
Additional Coverage: Slashdot
In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

“I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
“All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
How I can recover from a rm -rf / now in a timely manner?”
There is not usually any easy way to recover from something like this
That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
It is usually best to not have your backups mounted directly, for exactly this reason
Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
There are plenty of other examples of this same problem though
Steam accidently deletes ALL of your files
Bryan Cantrill tells a similiar story from the old SunOS days
Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
Additional Coverage: ServerFault
When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

Round Up:

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

Let Accidents Happen | WTR 54

chris — Wed, 16 Mar 2016 10:47:28 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Jo is cofounder & chief creative officer at cardsmith.co, a web-based software to double your productivity, provide clear visibility of your progress, capture & execute your ideas & projects, keep yourself organized & amaze your friends & family.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Interview – Jo Wollschlaeger – @jo_wollsch

Are you looking for the transcription? Please let us know you use it and we may bring it back!

WTR Transcription Poll

The post Let Accidents Happen | WTR 54 first appeared on Jupiter Broadcasting.

A Look Back On Feedback | TechSNAP 251

chris — Thu, 28 Jan 2016 08:02:40 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Since Allan is off being fancy at FOSDEM, we decided that now would be a good time to celebrate the audience & feature some of the best feedback we’ve had over the years!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Episode List

The post A Look Back On Feedback | TechSNAP 251 first appeared on Jupiter Broadcasting.

Lights out Management | TechSNAP 250

chris — Thu, 21 Jan 2016 10:00:10 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The bizarre saga of Juniper maybe finally be coming to a conclusion, details about SLOTH, the latest SSL vulnerability that also affects IPSec and SSH & the attack on the Ukrainian power grid made possible by malware.

Plus your questions with a special theme, a rockin roundup & much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Still more questions about Dual_EC in Juniper devices

“Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system”
“The networking giant said it was not only removing Dual_EC, but also the ANSI X9.31 algorithm from ScreenOS starting with an upcoming release sometime in the first half of this year”
Questions still remain as to why it was used in the first place
Also, questions about some strange coding decisions that lead to the ANSI X9.31 algorithm being subtle broken
It is still unclear how the backdoors were added to the code, or by whom
At last week’s Real World Crypto conference a team of crypto experts presented a number of revelations, including the news that Juniper’s use of Dual_EC dates to 2009, perhaps 2008, at least a year after Dan Shumow and Neils Ferguson’s landmark presentation at the CRYPTO conference that first cast suspicion on Dual_EC being backdoored by the NSA. Shumow’s and Ferguson’s work showed that not only was Dual_EC slow compared to other pseudo random number generators, but it also contained a bias
“Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, told Threatpost that he and his colleagues on this investigation looked at dozens of versions of NetScreen and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output”
“And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”
“It’s very bizarre. I’ve never seen anything like that before where gone from something that was working and written in a standard manner to something as strange as this,” he said. It’s that bug that enabled another attacker to replace the Dual_EC constant—thought to belong to the NSA—with their own constant
“The scenario harkens back to the documents leaked by NSA whistleblower Edward Snowden, in particular the NSA’s Project BULLRUN, which explains the NSA’s subversion of Dual_EC and eventually the revelation that RSA Security was allegedly paid $10 million by the NSA to use the algorithm in its products”
The SSH backdoor on the other hand, is clearly malicious
A network diagram

SLOTH, the latest SSL/TLS vunerability, but also affects IPSec and SSH

“If you thought MD5 was banished from HTTPS encryption, you’d be wrong. It turns out the fatally weak cryptographic hash function, along with its only slightly stronger SHA1 cousin, are still widely used in the transport layer security protocol that underpins HTTPS. Now, researchers have devised a series of attacks that exploit the weaknesses to break or degrade key protections provided not only by HTTPS but also other encryption protocols, including Internet Protocol Security and secure shell.”
“The attacks have been dubbed SLOTH—short for security losses from obsolete and truncated transcript hashes. The name is also a not-so-subtle rebuke of the collective laziness of the community that maintains crucial security regimens forming a cornerstone of Internet security. And if the criticism seems harsh, consider this: MD5-based signatures weren’t introduced in TLS until version 1.2, which was released in 2008. That was the same year researchers exploited cryptographic weaknesses in MD5 that allowed them to spoof valid HTTPS certificates for any domain they wanted. Although SHA1 is considerably more resistant to so-called cryptographic collision attacks, it too is considered to be at least theoretically broken. (MD5 signatures were subsequently banned in TLS certificates but not other key aspects of the protocol.)”
“”Notably, we have found a number of unsafe uses of MD5 in various Internet protocols, yielding exploitable chosen-prefix and generic collision attacks,” the researchers wrote in a technical paper scheduled to be discussed Wednesday at the Real World Cryptography Conference 2016 in Stanford, California. “We also found several unsafe uses of SHA1 that will become dangerous when more efficient collision-finding algorithms for SHA1 are discovered.””
“The most practical SLOTH attack breaks what’s known as TLS-based client authentication. Although it’s not widely used, some banks, corporate websites, and other security-conscious organizations rely on it to ensure an end user is authorized to connect to their website or virtual private network. It works largely the same way as TLS server authentication, except that it’s the end user who provides the certificate rather than the server.”
OpenVPN uses this to authenticate clients
“When both the end user and the server support RSA-MD5 signatures for client authentication, SLOTH makes it possible for an adversary to impersonate the end user, as long as the end user first visits and authenticates itself to a site controlled by the attacker. The so-called credential forwarding attack is carried out by sending carefully crafted messages to both the end user and the legitimate server. To impersonate the end user, an attacker must complete some 239 (about 5.75 billion) hash computations, an undertaking that requires about an hour using a powerful computer workstation with 48 cores.”
“The impersonation attack is made possible by the susceptibility of MD5 to collision attacks, in which the two different message inputs generate precisely the same cryptographic hash. Because MD5 is a 128-bit function, cryptographers once expected to find a collision after completing 264 computations (a phenomenon known as the birthday paradox reduces the number of bits of security of a given function by one half). Weaknesses in MD5, however, reduce the requirement to just 215 (or 32,768) for a collision or 239 for more powerful chosen-prefix collisions, in which an attacker can choose different message inputs and add values that result in them having the same hash value. Such an attack would be infeasible if MD5 hadn’t been added to TLS in 2008.”
“SLOTH can also be used to cryptographically impersonate servers, but the requirements are steep. An attacker would first have to make an astronomically large number of connections to a server and then store the results to disk. If the attacker made 2X connections, it would then require making 2(128-X) computations. If the number of connections, for example, was 264, the attack would require 264 computations. The precomputation requirements are high enough to be outside the capability of most attackers, but they remain feasible for government-sponsored adversaries or those with similarly deep pockets.”
“The researchers behind SLOTH have been privately working with developers of vulnerable software to come up with a fix. A partial list of protocols that were identified as vulnerable included TLS versions 1.1, 1.2, and 1.3; IKE versions 1 and 2; and SSH version 2. Vulnerable software included various versions of OpenSSL, NSS, Oracle Java, BouncyCastle Java, and PolarSSL/mbedTLS”
The researchers cited this Internet scan indicating 32 percent of TLS servers supported RSA-MD5 signatures.

Attack on Ukrainian power grid, made possible by malware

“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.”
“The cyber attack was comprised of multiple elements which included denial of view to system dispatchers and attempts to deny customer calls that would have reported the power out. We assess with high confidence that there were coordinated attacks against multiple regional distribution power companies. Some of these companies have been reported by media to include specifically named utilities such as Prykarpattyaoblenergo and Kyivoblenergo. The exact timeline for which utilities were affected and their ordering is still unclear and is currently being analyzed. What we do know is that Kyivoblenergo provided public updates to customers, shown below, indicating there was an unauthorized intrusion (from 15:30 — 16:30L) that disconnected 7 substations (110 kV) and 23 (35 kV) substations leading to an outage for 80,000 customers.”
It appears that malware on workstations at the power companies allowed the attackers to gain a foothold in the network and start moving around laterally
They also used this foothold to deny the operators of the power distribution system a correct view of what was happening.
Combined with a denial of service attack against the phone system, the operators were left unaware that a large number of substations had been shut down
The attacks also used the malware to interfere with efforts to regain control of the computers and SCADA systems that control the power grid
From what has been reported, here is the information to date that we are confident took place. The exact timing of the events is still being pieced together.
The adversary initiated an intrusion into production SCADA systems
Infected workstations and servers
Acted to “blind” the dispatchers
Acted to damage the SCADA system hosts (servers and workstations)
Action would have delayed restoration and introduce risk, especially if the SCADA system was essential to coordinate actions
Action can also make forensics more difficult
Flooded the call centers to deny customers calling to report power out
Because of the way the SCADA systems work, it is almost a certainty that the attacks purposefully opened the breakers to turn off the power, as opposed to it just being a side effect of the malware
Luckily, the Ukrainian power grid does not rely heavily on SCADA, using it mostly as a convenience. Other more automated power grids would not have been able to restore power as quickly
“We are very interested in helping power utilities learn as much as they can from this real world incident. We would also note the competent action by Ukrainian utility personnel in responding to the attack and restoring their power system. As a community the power industry is dedicated to keeping the lights on. What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards they may face. We need to learn and prepare ourselves to detect, respond, and restore from such events in the future.”
Squirrels attacking the power grid

Feedback:

Round Up:

The post Lights out Management | TechSNAP 250 first appeared on Jupiter Broadcasting.

LAS 400 Phones Home | LAS 400

chris — Fri, 15 Jan 2016 21:39:26 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We celebrate 400 episodes of the Linux Action Show, show you how easy it is to setup your own free phone system, never flash another USB stick again & the big Ubuntu rumors.

Plus the openSSH bug you need to patch, the Steam Link SDK, Gnome 3 changes & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Noah Calls /home

AsterisksNOW

Install Asterisk and start building custom telephony applications with AsteriskNOW. AsteriskNOW makes it easy to create custom telephony solutions by automatically installing the “plumbing.” It’s a complete Linux distribution with Asterisk, the DAHDI driver framework, and, the FreePBX administrative GUI. Much of the complexity of Asterisk and Linux is handled by the installer, the yum package management utility and the administrative GUI. With AsteriskNOW, application developers and integrators can concentrate on building solutions, not maintaining the plumbing.

SIP Desk Phone

Part of the Cisco Small Business Pro Series, the SIP-based Cisco SPA504G 4-Line IP Phone (Figure 1) has been tested to ensure comprehensive interoperability with equipment from voice over IP (VoIP) infrastructure leaders, enabling service providers to quickly roll out competitive, feature-rich services to their customers.

Grandstream PBX

1GHz ARM Cortex A8 application processor, large memory (512MB DDR RAM, 4GB NAND Flash), and dedicated high performance multi-core DSP array for advanced voice processing
Integrated 2 PSTN trunk FXO ports, 2 analog telephone FXS ports with lifeline capability in case of power outage, and up to 50 SIP trunk accounts
Gigabit network port(s) with integrated PoE, USB, SD card; integrated NAT router with advanced QoS support
Hardware DSP based 128ms-tail-length carrier-grade line echo cancellation (LEC), hardware based caller ID/call progress tone and smart automated impendance matching for various countries
Supports up to 500 SIP endpoint registrations, up to 60 concurrent calls (up to 40 SRTP encrypted concurrent calls), and up to 32 conference attendees
– Flexible dial plan, call routing, site peering, call recording, central control panel for endpoints, integrated NTP server, and integrated LDAP contact directory
– Automated detection and provisioning of IP phones, video phones, ATAs, gateways, SIP cameras, and other endpoints for easy deployment
– Strongest-possible security protection using SRTP, TLS, and HTTPS with hardware encryption accelerator

— PICKS —

Runs Linux

My gym runs linux!

I was working out this morning, and the IT guy was messing with the exercise bike next to me. I noticed the CentOs boot screen, and when I inquired further, I found out that all the equipment uses linux! Looks like our penguin buddy is trying to work off those holiday pounds.

M3 Indoor Cycle

Desktop App Pick

netboot.xyz

View post on imgur.com

netboot.xyz is a way to select various operating system installers or utilities from one place within the BIOS without the need of having to go retrieve the media to run the tool. iPXE is used to provide a user friendly menu from within the BIOS that lets you easily choose the OS you want along with any specific types of versions or bootable flags.

You can remote attach the ISO to servers, set it up as a rescue option in Grub, or even set up your home network to boot to it by default so that it’s always available.

Digital Ocean – netboot.xyz

netboot.xyz – never flash a thumb drive again!

Weekly Spotlight

Open-AudIT – The network inventory, audit, documentation and management tool.

Open-AudIT is an application to tell you exactly what is on your network, how it is configured and when it changes.

LAS Shirt at SCALE – Teespring

— NEWS —

Bug that can leak crypto keys just fixed in widely used OpenSSH

View post on imgur.com

The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1

OpenSSH 7.1p2

Gnome Settings design update

A major feature of the latest settings designs is a rethink of the GNOME Settings “shell” (that is, the overall framework of the settings application). We want to move from the current model, that uses an icon grid and fixed window size, to one that uses a list sidebar for navigation, and has a resizeable window.

System 6 Ex 2

Steam Link SDK AKA Steam Link Native Apps

View post on imgur.com

We have released an SDK for native application development!
https://github.com/ValveSoftware/steamlink-sdk

The Steam Link hardware is a single core ARMv7 processor using the hard-float ABI, running at 1 GHz, with neon instruction support.
Approximately 256 MB of available RAM.
500 MB of usable flash storage.
Custom Linux firmware based on kernel 3.8
glibc 2.19.

View post on imgur.com

New Ubuntu Convergence Device Will Be Demoed Next Month

Canonical will demo at least one new Ubuntu convergence device at next month’s Mobile World Congress next month, we’ve learned.

Feedback:

https://slexy.org/view/s20lrCrSh4
https://slexy.org/view/s2wcBsKt0X
https://slexy.org/view/s20AM6fJjb
Chris’ call out for the community to help him with his background for the Linux Action

Were you around for today’s (10 January 2016) live show? If not, you should seriously consider taking some time with us on Sunday and watch the live show. Not only will you get more content, but you’ll be able to interact with Chris and Noah.
One of the things that came up today was Chris talking about his background in today’s episode.

Brought to you by: System76

Semi-Official SCaLE 14x Jupiter Broadcasting thread : LinuxActionShow

Register! and use the coupon code LAS40 for a 40% discount; thanks /u/irabinovitch!

SCaLE 14x: The Southern California Linux Expo is upon us again! I’m looking forward to seeing & sharing with everyone in the free software community in Southern California this year; last year was a blast.

SCaLE 14x is January 21-24, 2016 at the Pasadena Convention Center

Thanks to Ryan (@techhelper1)

Offered the use of his 99 Cadillac Seville while at SCALE

Thanks to Brian

Offered his long driveway, which might or might not work.

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Driving in the snow and Leavenworth was Fun

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

The post LAS 400 Phones Home | LAS 400 first appeared on Jupiter Broadcasting.

Internet of Threats | TechSNAP 249

chris — Thu, 14 Jan 2016 16:58:33 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A Critical OpenSSH flaw can expose your private keys, a new WiFi spec for IoT devices, that has all the classic issues & Intel’s SkyLake bug.

Plus your feedback, our answers, a rockin’ round up & so much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Critical OpenSSH flaw can expose your private keys and other client memory

Two major issues have been identified in OpenSSH
CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
Vendor contributed code for a feature called Roaming, was added in OpenSSH 5.4, that allowed broken SSH sessions to be resumed. The server side code for this was never activated, only the commercial SSH server supported it.
However, the Roaming feature is on by default, and due to a but a malicious server can exploit the bug to read memory from the client when it tries to connect to the server
This includes the ability to steal your SSH private keys
“The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
Because OpenSSH checks the host key of the remote server, if you are connecting to trusted servers, there is no risk
You can disable the feature by adding the following line to your /etc/ssh/ssh_config: UseRoaming no
The feature can also be disabled on a per-user basis using: ~/.ssh/config
The patch just disabled this feature by default
CVE-2016-0778
A buffer overflow (leading to file descriptor leak), can also be exploited by a rogue SSH server, but due to another bug in the code is possibly not exploitable, and only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11.
Both of these vulnerabilities are fixed in OpenSSH 7.1p2
It is not clear if the roaming support will be removed entirely
Researcher Post

Bug in Intel Skylake CPUs means complex workloads can hang the machine

Intel has confirmed that its Skylake processors suffer from a bug that can cause a system to freeze when performing complex workloads.
The bug was reportedly discovered and tested by the the community at hardwareluxx.de and passed onto GIMPS (Great Internet Mersenne Prime Search), which conducted further testing. Both groups passed their findings onto Intel.
Intel states:

“Intel has identified an issue that potentially affects the 6th Gen Intel Core family of products. This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour.”

Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update.
No reason has been given as to why the bug occurs, but it’s confirmed to affect both Linux and Windows-based systems.
While the bug was discovered using Prime95, it could affect other industries that rely on complex computational workloads, such as scientific and financial institutions.
Recently, Intel’s Haswell and early Broadwell processors suffered from a TSX (Transactional Synchronization Extensions) bug. Rather than recall the parts, Intel disabled the TSX instructions via a microcode update delivered via new motherboard firmware.
Additional Coverage

New WiFi spec for IoT devices, WiFi HaLow likely has all the classic issues

“The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.”
There is also talk of using it for wearables, I suppose as a replacement for bluetooth
“Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
“But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol. Device manufacturers all implement things in their own way and in their own time, a practice that has led to untold security vulnerabilities and innumerable billable hours for security consultants. Security experts don’t expect Wi-Fi HaLow to be the exception.”
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments
Who could possibly be worse at implementing security, than the vendors and government contractors that would be used for a “smart city”
“Many of the devices that may use the new protocol–which isn’t due for release for a couple of years–are being manufactured by companies that aren’t necessarily accustomed to thinking about threat modeling, potential attacks, and other issues that computer hardware and software makers have had to face for decades. That could lead to simple implementation problems that attackers can take advantage of.”
This seems to call for a nice clean BSD licensed implementation, although even then, everyone using the same implementation could be just as risky
Plus, as we have seen, most vendors will ship an old insecure version, rather than the latest, and won’t update the implementation as they iterate their product
The extended range of HaLow also means that attackers can come from much further away, making it harder to physically protect devices
“Each new iteration in technology brings with it fresh security and privacy considerations, and the proliferation of connected non-computing devices is no different. The concept of a voice-enabled hub that controls your home’s climate, entertainment, and other systems is now a reality, as is the ability to send an email from your refrigerator. That’s all well and good, until these smart devices start doing really dumb things.”

Feedback:

Round Up:

The post Internet of Threats | TechSNAP 249 first appeared on Jupiter Broadcasting.

Authentic Partnership | WTR 49

chris — Wed, 30 Dec 2015 12:33:04 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Jennifer is the VP of business development at Women Who Code, with over 50k members across 20 countries and 67 cities & growing!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Are you looking for the transcription? Please let us know you use it and we may bring it back!

WTR Transcription Poll

The post Authentic Partnership | WTR 49 first appeared on Jupiter Broadcasting.

Insecurity Appliance | TechSNAP 245

chris — Thu, 17 Dec 2015 19:45:41 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Meet BOOTTRASH the Malware that executes before your OS does, the hard questions you need to ask when buying a security appliance, Project Zero finds flaws in Fireeye hardware.

Plus some great audience questions, a big round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

BOOTRASH malware executes before your OS does

“Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.”
The malware only works against MBR formatted disks, if it detects GPT it just exists
It backs up the original VBR (Volume Boot Record, the boot code at the start of the partition, which is calls from the boot code installed in the MBR) to a different location on the disk
It finds some free space between partitions or at the end of the disk, and uses that to create its own tiny virtual file system, to store the actual malware files
Additional files and resources are encoded into a registry hive, so they do not leave any files on the regular file system. Only the invisible virtual file system (not listed in the partition table, hiding in unused space), and some random strings on encoded binary in the registry
“As previously discussed, during a normal boot process the MBR loads the VBR, which loads the operating system code. However, during the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software.”
“The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode. This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.”
So it dynamically replaces bits of kernel code with its own code, making it a very hard to detect rootkit, since it is actually injected before the kernel is loaded (hence the name, bootkit)
Researcher Blog

“A decisionmaker’s guide to buying security appliances and gateways”

“With the prevalence of targeted “APT-style” attacks and the business risks of data breaches reaching the board level, the market for “security appliances” is as hot as it has ever been. Many organisations feel the need to beef up their security – and vendors of security appliances offer a plethora of content-inspection / email-security / anti-APT appliances, along with glossy marketing brochures full of impressive-sounding claims.”
This article provides a bit of a guide to help you shop for an appliance that might actually be worth the number of zeros on the price tag
“Most security appliances are Linux-based, and use a rather large number of open-source libraries to parse the untrusted data stream which they are inspecting. These libraries, along with the proprietary code by the vendor, form the “attack surface” of the appliance, e.g. the code that is exposed to an outside attacker looking to attack the appliance. All security appliances require a privileged position on the network – a position where all or most incoming and outgoing traffic can be seen. This means that vulnerabilities within security appliances give an attacker a particularly privileged position – and implies that the security of the appliance itself is rather important.”
Five questions to ask the vendor of a security appliance
- What third-party libraries interact directly with the incoming data, and what are the processes to react to security issues published in these libraries?
- Are all these third-party libraries sandboxed in a sandbox that is recognized as industry-standard? The sandbox Google uses in Chrome and Adobe uses in Acrobat Reader is open-source and has undergone a lot of scrutiny, so have the isolation features of KVM and qemu. Are any third-party libraries running outside of a sandbox or an internal virtualization environment? If so, why, and what is the timeline to address this?
- How much of the proprietary code which directly interacts with the incoming data runs outside of a sandbox? To what extent has this code been security-reviewed?
- Is the vendor willing to provide a hard disk image for a basic assessment by a third-party security consultancy? Misconfigured permissions that allow privilege escalation happen all-too often, so basic permissions lockdown should have happened on the appliance.
- In the case of a breach in your company, what is the process through which your forensics team can acquire memory images and hard disk images from the appliance?
Not to mention, in the case of a breach at the vendor, what information could the attacker get about your appliance, your network, or your security? How are the trusted keys protected on the vendor’s network?
- Bonus Question: Does the vendor publish hashes of the packages they install on the appliance so in case of a forensic investigation it is easy to verify that the attacker has not replaced some?
“A vendor that takes their product quality (and hence your data security) seriously will be able to answer these questions, and will be able to confidently state that all third-party parsers and a large fraction of their proprietary code runs sandboxed or virtualized, and that the configuration of the machine has been reasonably locked down – and will be willing to provide evidence for this (for example a disk image or virtual appliance along with permission to inspect).”
All of these are very good questions, and I happen to know one vendor who answered these questions in their recent BSDNow interview.

Project Zero finds flaws in FireEye security appliance

“FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks”
The device is connected to a SPAN, MONITOR, or MIRROR port. A feature of high end switches that allows all traffic from a port or set of ports to be copied to another port
“The FireEye device then watches all network traffic passively, monitoring common protocols like HTTP, FTP, SMTP, etc, for any transferred files. If a file transfer is detected (for example, an email attachment or a HTTP download) the FireEye extracts the file and scans it for malware.”
If the device detects malware, it alerts the security team
The device can also be configured in a IPS (Intrusion Prevention System) mode, where it would block such traffic
“For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough”
If you compromise one of these devices, you are basically sitting on a wiretap of the entire network. These devices are sometimes even installed behind devices that decrypt encrypted traffic, giving you even more access
“A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.”
“FireEye have issued a patch for this vulnerability, and customers who have not updated should do so immediately to protect their infrastructure.” Devices with security content release 427.334 and higher have this issue resolved
Q. How long did FireEye take to resolve this issue after it was reported?
A. FireEye responded very quickly, pushed out temporary mitigations to customers within hours of our report and resolved the issue completely within 2 days.
- Q. Have FireEye supported your security research?
A. Yes, FireEye have been very cooperative. They worked with us closely, provided test equipment, support, and have responded very quickly to any issues we reported.
“Project Zero have been evaluating a FireEye NX 7500 appliance, and created a lab to generate sample traffic. The test environment consisted of a workstation with four network interfaces. Two interfaces were connected to a hub, which were used for simulating network traffic. The FireEye passive monitoring interface (called pether3) was connected to a third port on the hub (acting like a mirror port) so that it could observe traffic being exchanged between the two interfaces on the test machine. This simulates an intranet user receiving email or downloading files from the internet.”
“The main analyses performed by the FireEye appliance are monitoring for known malicious traffic (blacklisted netblocks, malware domains, snort rules, etc), static analysis of transferred files (antivirus, yara rules, and analysis scripts), and finally tracing the execution of transferred files in instrumented virtual machines. Once an execution trace has been generated, pattern matching against known-bad behaviour is performed.”
“The MIP (Malware Input Processor) subsystem is responsible for the static analysis of files, invoking helper programs and plugins to decode various file types. For example, the swf helper invokes flasm to disassemble flash files, the dmg helper invokes p7zip to extract the contents of Mac OS Disk Images and the png helper invokes pngcheck to check for malformed images. The jar helper is used to analyze captured Java Archives, which checks for signatures using jarsigner, then attempts to decompile the contents using an open source Java decompiler called JODE.”
The problem is that the JODE decompiler, actually executes small bits of the java code, to try to deobfuscate it
“With some trial and error, we were eventually able to construct a class that JODE would execute, and used it to invoke java.lang.Runtime.getRuntime().exec(), which allows us to execute arbitrary shell commands. This worked during our testing, and we were able to execute commands just by transferring JAR files across the passive monitoring interfaces.”
So, just by emailing someone behind this device a .jar file, it would end up getting executed on the security device, running arbitrary shell commands
“As FireEye is shipped with ncat installed by default, creating a connect-back shell is as simple as specifying the command we want and the address of our control server.”
“We now have code execution as user mip, the Malware Input Processor. The mip user is already quite privileged, capable of accessing sensitive network data. However, , there is a very simple privilege escalation to root”
“FireEye have requested additional time to prepare a fix for the privilege escalation component of this attack”
“This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
“If you would like to read more from our series on attacks against security products, we have also published research into ESET, Kaspersky, Sophos, Avast and more, with further research scheduled for release soon.”

Feedback:

Round Up:

The post Insecurity Appliance | TechSNAP 245 first appeared on Jupiter Broadcasting.

Leaky RSA Keys | TechSNAP 231

chris — Thu, 10 Sep 2015 05:03:52 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Red Hat highlights how leaky many open source RSA implementations are, Netflix releases Sleepy Puppy & the Mac is definitely under attack.

Plus some quick feedback, a rockin’ roundup & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

NetFlix releases new open source security tool, Sleepy Puppy

Sleepy Puppy is a delayed XSS (Cross-Site Scripting) vulnerability scanner
In a typical XSS scan, and attacker (or the scanner program) attempts to send a script as part of some user input (the comment on a blog or something like that, or via a URL variable). This content is then shown to that user, and often times, other users. If I can make a bit of my javascript run on your computer, when you visit someone else’s site, I have achieved XSS
There are a number of scanners out there, and they “fuzz test” all of the inputs and variables they can find, and attempt to get some code they submit to be returned to them
This new tool from NetFlix addresses second level vulnerabilities, and beyond
What if an attacker injects the code on the website, and the website mitigates this, but some other application, internal or public facing, also uses the data from the database, and it then ends up being vulnerable to the XSS
Sleepy Puppy is a “XSS payload management framework”, it generates unique code snippets for each injection, so that when a successful XSS happens, it can be tracked back to its source, even if that is outside of the application where the exploit took place
“Delayed XSS testing is a variant of stored XSS testing that can be used to extend the scope of coverage beyond the immediate application being tested. With delayed XSS testing, security engineers inject an XSS payload on one application that may get reflected back in a separate application with a different origin.”
- Show Diagram
“Here we see a security engineer inject an XSS payload into the assessment target (App #1 Server) that does not result in an XSS vulnerability. However, that payload was stored in a database (DB) and reflected back in a second application not accessible to the tester. Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.)”
SleepyPuppy ships with a default set of assessments includes, so is ready to use out of the box

Researchers announce new iOS vulnerability: brokenchain

The vulnerability allows a piece of malware to access the keychain in iOS, and copy your saved passwords and other secret keys
These keys can then be exfiltrated via SMS or HTTP etc
When the malware attempts to access the keychain, iOS presents a dialog asking them user to allow or deny the action, but the malware can simulate a tap on the screen and accept the dialog
Further, some malware seems to be able to cause the popup to appear off screen, so the user never even sees it
“Special-crafted commands can be triggered by malware — or even an image or video — which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user’s password and send it to the attacker via SMS or any other means.”
“Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.”
Ars Technica found that parts of the vulnerability have existed since 2011, and have been used actively
“DevilRobber, the then new threat caught the attention of security researchers because it commandeered a Mac’s graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber’s use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.”
“The same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that’s protected inside the Mac Keychain.”
The same day, another group of researchers independently found the same vulnerability
Windows UAC has a bunch of defenses against apps users accidentally accepting or malware auto-clicking the authorization popups. Maybe we need the same in mobile OSes
“Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don’t require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.”
Maybe the solution is to require the unlock code or password in order to authorize access to sensitive areas like the keychain
“I think that Apple needs to isolate that particular window,” Reed told Ars on Wednesday. “They need to pull that particular window out of the window list … in a way that an app can’t tell it’s on the screen and get its location.”

Factoring RSA keys with TLS Forward Secrecy

“Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures.”
“This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”
“We evaluated the source code of several free software TLS implementations to see if they implement hardening against this particular side-channel attack, and discovered that it is missing in some of these implementations. In addition, we used a TLS crawler to perform TLS handshakes with servers on the Internet, and collected evidence that this kind of hardening is still needed, and missing in some of the server implementations: We saw several RSA-CRT key leaks, where we should not have observed any at all.”
“An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.”
“Does this break RSA? No. Lenstra’s attack is a so-called side-channel attack, which means that it does not attack RSA directly. Rather, it exploits unexpected implementation behavior. RSA, and the RSA-CRT optimization with appropriate hardening, is still considered secure.“
While it appears that OpenSSL and NSS properly implement the hardening, some other products do not
It seems RedHat discovered this issue some time ago, and reported it to a number of vendors
Oracle patched OpenJDK back in April
“None of the key leaks we observed in the wild could be attributed to these open-source projects, and no key leaks showed up in our lab testing, which is why this additional hardening, while certainly desirable to have, does not seem critical at this time.”
“Once the necessary data is collected, the actual computation is marginally more complicated than a regular RSA signature verification. In short, it is quite cheap in terms of computing cost, particularly in comparison to other cryptographic attacks.”
Then the most important question came up
“Does this vulnerability have an name? We think that “RSA-CRT hardening” (for the countermeasure) and “RSA-CRT key leaks” (for a successful side-channel attack) is sufficiently short and descriptive, and no branding is appropriate. We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.”
Crypto Rundown, Hardened:
- GnuPG
- NSS
- OpenSSL 1.0.1l
- OpenJDK8 (after the April patch)
- cryptlib (hardening disabled by default)
Unhardened:
- GNUTLS (via libgcrypt and Nettle)
- Go 1.4.1
- libgcrypt (1.6.2)
- Nettle (3.0.0)
- ocaml-nocrypto (0.5.1)
- OpenSwan (2.6.44)
- PolarSSL (1.3.9)
Technical Record [PDF]

Feedback

Round Up:

The post Leaky RSA Keys | TechSNAP 231 first appeared on Jupiter Broadcasting.

How We Got Started With Linux | LAS 381

chris — Sun, 06 Sep 2015 07:53:10 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We finally share our getting started with Linux stories. And it turns out, it was nearly a freak happenstance for both of us & some great stories from our community.

Plus the Safe Wifi campaign you need to know about, we discuss the new elementaryOS, an update on the Munich situation & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: System76

We share how we got started with Linux

— PICKS —

Runs Linux

KIller Robot Runs Linux

Desktop App Pick

Bash Scanner – A fast way to scan your server for outdated software and potential exploits.

After an initial scan, you will be asked to create an account on the PatrolServer dashboard (which is totally optional, you are free to use the tool without an account). The benefit of creating a sustainable account is detailed reporting, together with documentation on how to secure your server.

Submitted by SameerJubeh

Weekly Spotlight

Road Trip Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

— NEWS —

Save WiFi/Individual Comments

Right now, the FCC is considering a proposal to require manufacturers to lock down computing devices (routers, PCs, phones) to prevent modification if they have a “modular wireless radio”[1][2]
or a device with an “electronic label”[3]. The rules would likely:

Restrict installation of alternative operating systems on your PC, like GNU/Linux, OpenBSD, FreeBSD, etc.
Prevent research into advanced wireless technologies, like mesh networking and bufferbloat fixes
Ban installation of custom firmware on your Android phone
Discourage the development of alternative free and open source WiFi firmware, like OpenWrt
Infringe upon the ability of amateur radio operators to create high powered mesh networks to assist emergency personnel in a disaster.
Prevent resellers from installing firmware on routers, such as for retail WiFi hotspots or VPNs, without agreeing to any condition a manufacturer so chooses.
Save WiFi: Act Now To Save WiFi From The FCC | Hackaday

The folks at ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and other have put together the SaveWiFi campaign.

Federal Register | Equipment Authorization and Electronic Labeling for Wireless Devices

Online comments end 09/08/2015.

Freya 0.3.1 is Here!

At the heart of this upgrade is the latest Hardware Enablement stack from Ubuntu 14.04.3. It includes version 3.19 of the Linux kernel and an updated Mesa that fixes the dreaded “double cursor” glitch. Workspaces in the Multitasking view also now work properly on Nvidia Optimus. The new hardware stack also brings better support for backlights and touchpads on certain laptops, a host of performance and power-related improvements, and support for 5th generation Intel processors. This release should also improve support for (U)EFI systems, especially when installing without an internet connection.

Munich Linux councillor: ‘We didn’t propose a switch back to Windows’

“There are several points of criticism concerning the notebooks of the councillors with very different reasons (not Linux in general). There are 80 councillors in the city. Their work and needs can’t be compared with the whole administration.”

Pfeiler denied that there was any kind of consensus towards a complete reverse migration, but rather suggests a retroactive fitting of Windows for certain specific purposes, adding that there was nothing to suggest that the Limux system was working anything other than well.

Feedback:

Mycroft Adds Linux Desktop Voice Controlled AI as Stretch Goal

#VoiceOfMycroft
New Machine Tip
https://slexy.org/view/s2DJHp2hXG

Interoperable and Open
Optimized for the web
Scalable to any modern device at any bandwidth
Designed with a low computational footprint and optimized for hardware
Capable of consistent, highest quality, real-time video delivery; and
Flexible for both commercial and non-commercial content.

https://slexy.org/view/s28zaxg5vu
Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Friday:

The post How We Got Started With Linux | LAS 381 first appeared on Jupiter Broadcasting.

SourceForge’s Downfall | TechSNAP 225

chris — Thu, 30 Jul 2015 17:08:13 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

SourceForge sees downtime, and we examine their infrastructure, a new pervasive hackgroup has been exposed and their track record is fascinating.

Plus a Hacking Team Round up, a wide variety of audience questions, our answers & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

SourceForge Downtime

SourceForge suffered a large data corruption problem and was down for a number of days, slowly restoring services as they could
“The Slashdot Media sites experienced an outage commencing last Thursday. We responded immediately and confirmed the issue was related to filesystem corruption on our storage platform. This incident impacted all block devices on our Ceph cluster. We consulted with our storage vendor when forming our next steps”
As part of this, we learned a bit about the backends of sourceforge and slashdot
Server platform is CentOS Linux.
We use an Open Source virtualization platform and have in recent years achieved a 75%+ reduction in physical server count through widespread virtualization.
We use an Open Source storage platform, Ceph, with spinning disks and SSD.
The storage backing our services is a mix of ext4, XFS and NFS.
Our backup solution is Open Source, backing on to popular cloud storage platforms.
Our sites use Open Source database platforms including MongoDB and flavors of MySQL and PostgreSQL.
We leverage scalable data solutions including Hadoop and ElasticSearch.
Slashdot is backed by Perl. SourceForge is backed by Python. Both language stacks are entirely Open Source.
And the SourceForge developer services are backed by the Apache Allura code base, which we Open Sourced and delivered to the Apache incubation process.
“We’re prioritizing the project web service (used by many projects using custom vhosts), mailing lists, and the ability to upload data to our download service. Downloads (40+ TB of data)”
Most Recent Update – Sourceforge Blog
A Post mortem is expected once everything is restored

Black Vine Group behind Anthem breach

In a report last week Symantec said it was Black Vine that broke into the health insurer “Anthem” system’s and stole more than 80 million patients records.
The group has the resources to customize malware, and uses zero-day vulnerabilities in Microsoft Internet Explorer to launch watering-hole attacks.
Black Vine’s malware Mivast, was used in the Anthem breach, according to Symantec.
Anthem said the hack likely began in May 2014, but that it didn’t realize its systems had been compromised until January. The company, which is one of the largest health insurance providers in the U.S., disclosed the breach in February. Hackers made off with personal data including names, birth dates, member ID numbers and Social Security numbers.
Like other Black Vine attacks, The Mivast malware was signed with a fake digital certificate. (more on that below)
Since 2012 Black Vine has gone after other businesses that deal with sensitive and critical data, including organizations in the aerospace, technology and finance industries, according to Symantec. The majority of the attacks (82 percent) were waged against U.S. businesses.
During its research, Symantec discovered Black Vine began using exploits around the same time as other hacking groups. Each group delivered different malware and went after certain organizations,
The fact that they used the same exploits as other groups suggests the attackers relied on the same distribution network.
One of the group’s first attacks came in December 2012 against gas turbine manufacturer Capstone Turbine, Symantec said.
That hack used the IE exploit CVE-2012-4792 and delivered the Sakurel malware.
Symantec noted that the malware was signed with a digital certificate attributed to a company called Micro Digital, fooling Windows into believing the program was legitimate.
In 2013 and 2014, Black Vine targeted companies in the aviation and aerospace industries. One third-party blog cited by Symantec noted that in 2013 specific employees at a global airline were sent spear phishing emails containing a URL that instructed them to download Hurix.
Symantec claimed some Black Vine members have ties to Topsec, a Chinese IT security company, and the group has access to the Edlerwood framework
PDF

Hacking Team Roundup:

FreeNAS Mini Review by Toms Hardware

Feedback:

Round Up:

The post SourceForge's Downfall | TechSNAP 225 first appeared on Jupiter Broadcasting.

An Encryptioner’s Conscience | TechSNAP 217

chris — Thu, 04 Jun 2015 17:35:50 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

The sad state of SMTP (email) encryption

This article talks about the problems with the way email transport encryption is done
When clients submit mail to a mail server, and when mail servers talk to each other to exchange those emails, they have the option of encrypting that communication to prevent snooping
This “opportunistic” encryption happens if the server you are connecting to (as a client, or as another server), advertises the STARTTLS option during the opening exchange
If that keyword is there, then your client can optionally send the STARTTLS command, and switch further communications to be encrypted
The first problem with this is that it happens over plain text, which has no protection against modification
Some cisco firewalls, and most bad guys, will simply modify the message from the server before it gets to you, to remove the STARTTLS keyword, so you client will assume the server just doesn’t speak TLS.
Do we maybe need something like HSTS for SMTP?
When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
But this is only the beginning of the problem
SSL/TLS are designed to provide 3 guarantees:
- Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented SSL Certificate is issued by a trusted CA
- Integrity: The message was not modified or tampered with by someone during transit. This is provided by the MAC (Message Authentication Code), a hash that is used to ensure the message has not been modified
- Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption using a session key negotiated with the other side using asymmetric cryptography based on the SSL Certificate.
Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates.
Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name here, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
But, even if we did enforce this, and reject mail sent by servers with self-signed certificates, without DNSSEC, someone could just spoof the MX records, and instead of my email being sent over an encrypted channel to your server, which I have verified, I would be given an incorrect MX record, telling me to deliver mail to mx1.evilguy.com, which has a perfectly vaild SSL certificate for that domain
In the end, the better solution looks like it will be DNSSEC + DANE (publish the fingerprint of the correct SSL certificate as a DNS entry, alongside your MX record)
With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point
Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected. If it eventually makes it to its destination, people are much less likely to notice.

Researchers find 60 flaws in 22 common consumer network devices

A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
They found serious flaws in 22 different SOHO network devices, including those from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
Most of the devices they surveyed were ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact, since almost every Internet user in Spain has one of these 22 devices
They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices
Persistent Cross Site Scripting (XSS)
- Unauthenticated Cross Site Scripting
- Cross Site Request Forgery (CSRF)
- Denial of Service (DoS)
- Privilege Escalation
- Information Disclosure
- Backdoor
- Bypass Authentication using SMB Symlinks
- USB Device Bypass Authentication
- Bypass Authentication
- Universal Plug and Play related vulnerabilities
All of this makes me glad my router runs FreeBSD.
Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560mhz MIPS CPU and can run FreeBSD 11 or Linux distros such as DD-WRT
Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

“CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
“According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
“There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
“As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
“On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)
So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
Such targeted attacks on teleworkers are a disturbing new trend
The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
“Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian

First review of Intel’s new Broadwell desktop processors

The long awaited new line of desktop processors has landed
Problems with the new 14nm fabrication process resulted in the entire broadwell line being delayed, significantly in the case of the desktop chip
The two new models are the Core i7 5775c, and Core i5 5765c with a 65W TDP
These Broadwell chips are a lower TDP than the top-end Haswell cousins, actually being closer to the lower clocked i7-4790S than the top end i7-4770K
Overall, speeds are not quite as fast as the current generation Haswell flagship processors
These new processors use Intel’s Iris Pro 6200 Integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
Broadwell will soon be replaced by Skylake, later this year, so you might want to wait to make your next big purchase
Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
In the end, it is a bit unexpected for the desktop range to include only 2 processors, and in the middle TDP, with no offerings at the lower end (35W) or higher end (88W)
Some of the benchmarks suggest the eDRAM may help with video encoding

Feedback:

Round Up:

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.

Don’t Do It Alone | WTR 29

chris — Wed, 03 Jun 2015 07:31:50 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Moira is the President and CEO of Galvanize Labs, an edutech startup that brings together learning through gaming!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Full transcription of previous episodes can be found below:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network interviewing interesting women in technology. Exploring their roles and how they are successful in technology. I’m Paige.
ANGELA: And I”m Angela.
PAIGE: Angela, today we interviewed a good friend of mine, Moira Hardek, and she is the CEO and President, sole founder, of Galvanized Labs, and they’re a edutech startup. She kind of gives us the lowdown on what that means, and what that looks like, and kind of how she’s using her experiencing in gaming to bring technology and education together.
ANGELA: And into gaming, because it’s technology and education in games.
PAIGE: Yeah, its’ crazy. It’s like this awesome hybrid mashup that she goes on to kind of explain what that means. It’s a really neat interview, I think.
ANGELA: And before we get into the interview, I’d like to mention Digital Ocean. If you go to digitalocen.com and use the promo code heywtr, you can save on simple cloud hosting, dedicated to offering the most intuative and easy way to spin up a cloud server. You can create a cloud server in 55 seconds, and pricing plans start at only $5.00 a month. That’s 512 megabytes of RAM, 20 gigabytes SSD, One CPU, and one terabyte transfer. Digital Ocean has date center locations in New York, San Francisco, Singapore, Amsterdam, and London. The interface is incredibly simple, intuitive. The control panel is awesome. It will help you design exactly what you need, which empowers users to replicate on large scales with the company’s straightforward API. Check out digitialocen.com by using promo code heywtr.
PAIGE: And we got started with our interview today by asking Moira to explain her role in technology.
MOIRA: I’m the President and CEO of Galvanize Labs. We are a hybrid tech company at the moment. What we’re working on is ed tech, so educational gaming and technology education. My role is a little bit of everything. In startups, in small companies, it’s kind of everything from the business side to the tech side, the design side. I get to do a little bit of everything, which is probably really good for me. It keeps me excited. It keeps me interested, and it’s certainly never boring,. It’s kind of broad, but also really exciting.
PAIGE: What is a hybrid technology company?
MOIRA: I like to think of it as a hybrid, because we’re focusing on education and we have such a strong emphasis and validating the educational side of what we’re doing. Not just throwing out the term of, hey this is an educational product. We really want to be accredited and validate that educational status. So, we’re kind of half an educational company and the other half of it is a gaming studio. Everything to do within the game is all in house. Nothing is third party. Nothing is purchased. We do everything inside. So, everything from soundtracks to all the digital assets, to the game design, to the voices is all in house. That’s where I kind of feel the hybrid is. It’s great educational emphasis and then this fun game studio.
PAIGE: Has it been a challenge to kind of combine those two worlds? I mean, you don’t typically think of education and gaming at all.
MOIRA: It has been really interesting, because I just don’t think it’s been done in this way before. You really do have these two totally separate industries of gaming, which is so much more classically identified as entertainment. You know, I think of, game releases now are almost like movie release weekends and billion dollar release weekends. It’s entertainment and it’s really what it does so well. Education is obviously kind of almost the flip side of that. Not to say that education isn’t fascinating, but you certainly don’t see, you know, a billion dollar education weekend. And so, as far as how the money flows and how the tech works, it’s entirely different. So, when you try to put educational gaming together, you don’t see gaming classically as an industry really turning its considerable talent towards the education industry, because it just doesn’t have the same type of return. That leaves education a little bit off on an island, that although gaming is a really powerful tool that can be utilized within education, they really don’t get to use the great talant of the gaming industry. And so, that leaves educators to kind of self-educate when it comes to gaming. So, gaming inside of education, or edugaming, which that’s always a great term, has been a little bit lackluster, because it doesn’t bring this entertainment quality. Kids today, I mean, I like to call them the 3DS generation. They’re the first one, if you give them a crappy game, they’re going to tell you this is a crappy game. When they’re used to things like Battlefield and Call of Duty, and World of Warcraft. Visually stunning games with tremendous dynamics that keep them really engaged. Edugaming really can’t compete. What we really wanted to bring to this was a level of entertainment quality gaming with real educational validation. And that was a challenge. We really kind of were able to pull that off for the first time. We live in between these two worlds, and yet we don’t wholey belong to one or the other. There’s pros and cons to that.
PAIGE: Always, whenever you’re bridging a gap it’s always strengths and weaknesses.
MOIRA: Right. Yeah, first to market, again there’s bonuses and there’s drawbacks.
PAIGE: So you do everything in house. What kind of tools do you use to do that for education for gaming?
MOIRA: Oh my god, we do. I feel like there’s a little bit of, just, everything. The game and built and designed entirely from the unity engine. So, obviously, we do a lot of work in unity. All of the web interfaces. All of your guy’s favorite stuff from node to angular to the tremendous list of the custom APIs that we create. The game is hosted within Amazon, right, so AWS, and god bless them for that. And there’s just there’s so many little pieces that we’re able to put together and custom design. Half of the time that we spent building the original platform for launch, before we actually built the game, we built proprietary tools that we were going to use to build the game, and make production even easier going forward. So, the custom scripting system that we were able to create. All of the techs and all the interaction that you see in the game isn’t actually hard coded into the game. It’s actually all dynamically being pulled through our custom scripting system. And so, for our writers and our game designers, we actually have a web portal where now when we write scripts for games going forward, is we’re actually just — when we create those storyboards and write those scripts, we’re dropping the scripts into a web portal that’s then dynamically being pulled into the game when the game is hard coded. So, it’s great tools like that. We have an in-game currency that’s called jewels. It’s like gold coins in Mario Bros or rings in Sonic. To make, again, production much more efficient, instead of hardcoding exactly where those little pieces of currency are going to be in every level, we have a custom coordinate and mapping system. So, again, it’s on the back end. We get to go in this great little web portal that we’ve created and drop the coordinates for where these are going to go, instead of hardcoding in the game where they are. That just gives us a lot of freedom. So we can change levels, and we change maps, and we can build new things, and keep the game and the future games really dynamic and updated for the kids. So, it’s a great experience for our users. So, from the game itself to the tools we’ve created to make production more dynamic, there’s so much stuff that we’re using, and a lot of stuff that we’re creating on our own.
ANGELA: What is your target age?
MOIRA: The age range is remarkably large, because of the type of content that we’re offering. I kind of like to call the beginning platforms — right now, Taken Charge is a serious of four games that are played sequentially, and then we actually have three games that are about to kind of roll off the production line, and then we have 30 more that are currently up on the storyboard that are in production. The first, beginning part of our platform, I like to call as b.c. it’s before coding. So, its’ fundamentals, right. Its’ really getting kids to kind of work up into coding and those advanced topics. Because we’re talking about these fundamentals, that actually gives us a tremendously large age range. The only thing that you need to play Taken Charge is a third grade reading level, and a browser, and an internet connection. So, I have kids playing this that are from third grades to — we just completed a really fun pilot, actually here at a Chicago high school, and it was freshman, sophomores, and juniors in high school that were playing it. So, its’ really all about what level of knowledge the user or the player has, or in this case doesn’t have. And a lot of students in American are lacking these technology fundamentals. And then gaming, being this great universal language, can speak to a large range of audiences. So, the exact same game is just as fun and interactive for elementary school kids as it is for high schoolers. It kind of has that Minecraft effect, right?
ANGELA: Yes.
MOIRA: You know, ten years old playing Minecraft, and then very popular in the 55 plus market too, it’s tremendous.
ANGELA: Right. Where do you see the kids going after they use your product? Are you planning to develop something after that for more advanced? What is your vision on where they go after?
MOIRA: There’s kind of multiple ways to look at it. Obviously, the company being as young as it is, we are building extended platforms. So there are, again, three games coming and there’s 30 more games to come. So, this will be quite a large marketplace of options and of topics. It all begins to get more advanced. So, we’re all kind of about this progressive learning model and being able to progress kids through technology as a subject. Because, I feel like, technology is always kind of treated as this one off when it’s addressed educationally, and we certainly don’t do that math, right? And you always see, like, let’s throw kids into coding. Because coding and robotics, those are really sexy technology topics. And those are great, great, great topics. But when we teach kids math in school, when they have no background in math, we don’t start them in long division. We go back and start with addition and subtraction and multiplication. And then we move them forward. We make sure that they grasp these topics so that they don’t get frustrated, they walk way. When we teach kids technology, we’re throwing them to coding and there’s this huge assumption that they have this underlying knowledge, when I’ve got the benefit of working with kids hands on for the last decade. Ninety percent of the kids that we work with don’t know where a file goes when you download it through a browser. But we’re like, (unintelligible) go to coding. So, what we really want to do is build this progressive model, have them move forward. So, yeah, our platform will move into things like coding. It doesn’t move into things like 3D modeling and different stuff like that, so yeah, there are those options. We partner with a lot of youth development organizations that offer, again, more advanced programs. And we’re also kind of working with, now, other types of technical sites that are a little bit more adult driven. That, if you can get this really solid, kind of, base line in your younger years, then why couldn’t you go into — think of what’s out there in tech ed for adults. And things like Linda and portal site, and all those great educational sites that you can continue your own education online. So, there’s so many places to go after this, once you establish this great baseline. So, we’re working in a lot of different arenas to see where you can go.
PAIGE: Have you always been involved in gaming? Did you start out as a game developer or anything like that?
MOIRA: No, certainly not. I mean, I’ve always had an interest in games dynamics. I’ve always applied them in a lot of the work I’ve done. And game design as pure game design, was something that kind of came later. It really kind of came in the second half of my career and the decade that I spent at Best Buy. It really came for me when I really was able to recognize what a powerful tool gaming was going to be, and it could be in that educational realm. I had just had a particular passion point around teaching, and particularly in the youth market. Gaming just seemed to be at the center of that for me. Immediately, I think, kind of any other entrepreneur, I just looked at gaming and what it could be and was urked that — my point was view was, we’re not doing it right. I wanted to do something different with it. I had to get involved. So, gaming came much later for me.
PAIGE: So, you’re been a lifelong gamer yourself. What are some of your favorites?
MOIRA: I go all the way back to my Apple IIe when I was younger. I totally just dated myself and gave away how old I am. That’s fine. I still play like mod of number munchers from when I was a kid, because that’s all we had when we were in school. So games like that. And then Day of Tentacle I felt was really great. I still have the original box too, it’s one of my prized possessions. For me though, really, really advanced gaming. I have told this story a million times. It was the very first Civilization by Sid Meier when i was Civ, and that really pushed me over the top into my love of gaming. I really kind of like this closeted gamer in college, because I didn’t know any other girl that gamed. So, yeah, I always hung out with the geeky guys, because I worked at the student union, and they introduced me to Counter Strike and things like that. It’s been this really slow progression. I was really kind of an isolated individual gamer until after I got out of college. Then, when you go to work for a company like Best Buy, that sells games and consoles. the addiction got out of control from there.
PAIGE: I had a very similar experience. I got into games a little bit in high school and then (unintelligible) Civilization, definitely one of those. And the Sims.
ANGELA: Yeah, I never did do Sims.
PAIGE: I had to actually — I had a burned copy back in the day of the Sims and my freshman year I had to take it out of my drive during finals week and literally break it in half so that I would pass my finals and stop playing the Sims.
ANGELA: Oh my gosh.
MOIRA: Yeah, see. I think it still is. I believe it is still like the number one game for women. I believe it is still sitting out there as the number one game for women.
PAIGE: Yeah, I’m pretty sure.
ANGELA: I got into Minecraft in 2011, I think. And I really like it. Now, I’m playing it with my son and that’s really fun, but I did Battlefield 1942 and some of the other first-person shooters. And it was my husband and me and his friends. No other women, but it was great.
PAIGE: It’s one of my geek cards of shame that I’m epically bad at first-person shooters.
ANGELA: Oh, I am epically good.
PAIGE: Really?
ANGELA: They call me hidden angerz.
PAIGE: Oh man, that’s awesome.
ANGELA: Yes. Yes, I’m a sniper.
MOIRA: Very nice. I am epically mediocre.
PAIGE: Well, we run the gamut now.
ANGELA: Yeah, all three of us.
MOIRA: I can at least hold my own and not be at the bottom of it, but if I go to talk trash, then I totally get rocked. And so I’m just kind of somewhere in the middle. It Sim games that just dominated me. So like SImcity, that was the one that I had to get rid of, because I was going to never have a social live again with Simcity. And then, I was one of those that was so depressed when Simcity came out, you know, with EA last year, and it was so bad. But now, thank you Skylines, is amazing. And if you haven’t played that yet, do it. I’m afraid it’s going to very, very negatively impact Galvanize right now.
ANGELA: You know, in the same way that I’ve avoided Pinterest, I avoided Sims. Because I would get consumed. I have chosen not to do that, intentionally.
MOIRA: Don’t avoid Pinterest, it’s so good.
ANGELA: No, you know what, I use Instructables. It’s way better, because they actually show how to do it, right there. You don’t have to click on somebody’s blog so they can get ad revenue, or wonder, just because they didn’t put any link on how to do things. Instructables is way better. I tried to get into console games, like Donkey Kong I really liked on Super Nintendo. But Poker Smash on XBox is amazing.
MOIRA: I’ll have to look at it.
PAIGE: Like Poker, the card game?
ANGELA: Yes. And it’s like Tetris, but with poker. You match poker hands to clear lines.
PAIGE: Whoa.
ANGELA: It’s really cool. You go up levels. There’s different music, I just love it. Anyway.
MOIRA: This is it. Gaming is just universal. And this is why it’s just so, so powerful as a tool. This is why.
ANGELA: Yep.
PAIGE: I’m a competitive Tetris junkie. I like it. A lot of people are like, I”m really good at Tetris. I’m like, you don’t understand, competitive Tetris is different. Where you send lines to each other and stuff.
ANGELA: Do you have the Tetris lamp from ThinkGeek?
PAIGE: No, but I should.
ANGELA: Yeah.
MOIRA: Clearly.
ANGELA: I can’t find the power brick. The straight — it’s the straight brick. I can’t find it, but I have all the other ones.
MOIRA: I bet you anything it doesn’t exist, because like in the game, it’s never there when you need it.
ANGELA: Yeah, I have real life Tetris in my house with that lamp.
MOIRA: So, ThinkGeek didn’t actually ever create one, just to give you the same level of frustration that the game does.
ANGELA: No, I did — it did — I did have it. I have three kids and one of them took off with it somewhere and it is somewhere else in the house.
MOIRA: Your kids also are functioning completely the way the game Tetris does. That’s fantastic.
ANGELA: Yes.
PAIGE: Somebody has made off with my ilen piece. Where is it?
ANGELA: Yep.
MOIRA: So awesome.
PAIGE: So, you’re the CEO of your own company now?
MOIRA: Yep.
PAIGE: And having done that, and having been in the gaming space as a woman, have you been able to find other women to work with in your company? Other women gamers? How is that working?
MOIRA: I mean, I will definitely say, obviously there is women at Galvanize. I won’t overplay that, that I went out and went on some big search for women and everything, because quite honestly, my team and I have been together for a long time. We’ve worked together at previous companies. So, sadly that wasn’t this big recruiting coo. And I haven’t expanded the company incredibly. We’ve stayed in a very, very lean model as we’ve gone on to do this. You know, kind of going to Reddit way and staying real lean, so I haven’t done a lot of that. But, from a networking standpoint, it’s hard. I don’t see — I don’t come across a ton of other female startups in this genre. Certainly not, kind of, in gaming, and not locally. I think I mentioned I was on a Skype call last week, and that happened to be a female game designer and she was up in Canada. But the two worlds were completely different. Being on the business side here, right, and we’re monetizing the game. There’s is more kind of social game and kind of grant based. That kind of stuff. So, those were two a little bit different worlds that we lived in. Gaming is still, obviously very, very male dominated. I still get bathrooms to myself at PAX and GDC. And you guys know how that goes. I don’t come across a lot of that. What has been, I think, a little bit different for me is because of how we started the company, the fact that it was kind of bootstrap and angel funded, I didn’t do things like Y-combinator or Sim Connector, or kind of any of those incubators to kind of get this started. I went a different path. And then we moved right into a revenue model. I was networked a little bit differently. I didn’t have access to a ton of that stuff. It has been a little bit isolating. And that’s been not the greatest feeling in the world.
PAIGE: So, if other women are kind of out there with a big idea, and kind of some cohones to make it happen, it’s always sad to me that there aren’t more women out taking risks. What would you say to someone who’s got an idea and wants to try to be an entrepreneur?
MOIRA: Take a risk. I don’t see why not. I really — I don’t see any difference in a woman taking the risk than a man taking the risks, and the startups that they have. Quite honestly, my favorite kind of part of it is always strength in numbers. I don’t think it should be one or two female entrepreneurs at a time. I think we should be doing this in big groups and big numbers. Are there special challenges for us? I think, yeah. That certainly can be the case. But I also think women have a really, very particular point of view. I think it’s very powerful. The way that women look differently at how to solve problems. I think in the world and the way the marketplace today, I think the woman’s point of view is very, very powerful. And I’d love to see that out there way more than it is. The very simple answer to that is, yeah get out there and do it. I don’t see any reason why not. The same risk is involved. It is, it’s scary. I think my dad says it best. It kind of feels like you’re trying to thread a needle while jumping out of an airplane. It feels like that for everybody, no matter what gender you ar.
PAIGE: The diverse thinking is so important. We had an interview with Tarah Wheeler Van Vlack, and she’s a CEO of Fresh Mint and has done a lot of work in the tech space as a woman entrepreneur. And she’s like, it’s not even just women. It’s just getting a group together that doesn’t all think the same way. You can have a diverse group of all different colors of the rainbow; all different genders, all different sexualities, and put them in a room. If they’re all Harvard grads, they still all think the same.
MOIRA: That’s true.
PAIGE: Diverse thinking is more than just gender, but gender is a huge piece of that.
MOIRA: Agreed. Agreed. I’m a very, very big advocate of that. I think you see it all the time. I am members of different women’s groups and I can’t help but see it in a lot of different scenarios that I’ve put in, and these very stark differences. And I think that point of view is just so powerful, and I really want to see that voice and that point of view come to the forefront a lot more.
PAIGE: If there was one piece of advice you could give someone who is about to get started, what would you say?
MOIRA: I think is one I give every time I hear this one, and it’s so true. It’s just, don’t do it alone. I think there are a lot of people out there that think that when you do this and the startup culture is — it’s kind of either one of two things. Either you already have to be incredibly well-networked, and if I’m not then I can’t do this. And that’s not true. And the other side of it is, I have to have all the answers. I can’t do this if I don’t have all the answers. There’s this kind of misconception of I’m doing this alone. You’re not. You’re never actually really doing it alone and don’t try to do it alone. You don’t have to have all the answers. Don’t try to be the lone ranger on this. It’s okay to ask for help. It’s okay to bring other people in. It’s better to do it that way. It is scary, but it’s not scary for the reasons that you think it’s scary. Scary comes later, but don’t do it alone.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Don’t forget, you can contact us by going to jupiterbroadcasting.com. There is a contact form. You can also do the show drop down to find all the Women’s Tech Radio shows, and find the show notes for each of the shows with tons of links and resources.
PAIGE: You can also check us out on iTunes, where you can subscribe to the podcast. Or, if you’d rather use the RSS feed, that’s available on the Jupiter Broadcasting site. You can also follow us on Twitter @heywtr. Or, you can check out our tumblr that has all of the transcripts of the past shows at heywtr.tumblr.com. And if you have a minute, shoot us an email. Leave us some feedback wtr@jupiterbroadcasting.com

Transcribed by Carrie Cotter | transcription@cotterville.net

The post Don’t Do It Alone | WTR 29 first appeared on Jupiter Broadcasting.