Show Notes: techsnap.systems/429

The post Curious About Caddy | TechSNAP 429 first appeared on Jupiter Broadcasting.

Show Notes: selfhosted.show/15

The post Keeping Track of Stuff | Self-Hosted 15 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/325

The post Cracking Rainbows | BSD Now 325 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/323

The post OSI Burrito Guy | BSD Now 323 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/404

The post Prefork Pitfalls | TechSNAP 404 first appeared on Jupiter Broadcasting.

Show Notes/Links: linuxunplugged.com/295

The post Stay and Compile a While | LINUX Unplugged 295 first appeared on Jupiter Broadcasting.

Show Notes/Links: linuxunplugged.com/292

The post Cheese on the SCaLE | LINUX Unplugged 292 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/395

The post The ACME Era | TechSNAP 395 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Feed | iTunes Feed

Become a supporter on Patreon:

Episode Links

• Connnect Watch smartwatch with AsteroidOS crowdfunding campaign begins — First unveiled in late August, the team behind the Connect Watch have launched a campaign on European crowdfunding site Ulule in hopes of raising about $33,000.
• Sailfish meetup in Krakow — We are inviting you to a meetup with our CEO, Mr. Sami Pienimäki in the city of Kraków on Thursday, September 14th for a round or two of beer!
• What Project Treble Means for Future Custom ROM Development — Because of the way the lower layer of Android was modularized, all Treble devices in the market will be able to boot a generic stock, AOSP Android build. This takes away most of the hassle of porting custom ROMs to an older device since a single, generic Android build can run on many devices.
• Mozilla and the Washington Post Are Reinventing Online Comments — Talk is developed by The Coral Project, a Mozilla creation that builds open-source tools to make digital journalism more inclusive and more engaging
• Chinese government bans ICOs — The ruling comes from China’s central bank, which issued a statement criticizing ICOs for “disrupting” the country’s financial order. The regulator described initial coin offerings as “a form of unapproved illegal public financing” that “raises suspicions” of fraud and criminal activity
• Might shut down Bitcoin exchanges — China’s Bitcoin exchanges said on Saturday they are still awaiting clarification from the authorities on a media report that they will be shut down.
• WinBtrfs 1.0 Released For Supporting Btrfs On Windows — Harmstone’s WinBtrfs driver is a “reimplementation from scratch” of Btrfs for Windows that supports all major functionality as well as basic RAID 0/1/10/5/6, caching, Btrfs partition discovery, ACLs, symlinks and hardlinks, free-space cache, LZO/ZLib compression, balancing, scrubbing, TRIM/DISCARD, and much more.
• A Breakdown of Operating Systems on Dockerhub — It is clear that Debian is the most popular, with Alpine taking second place, and then a number of others each taking a smaller share.
• NGINX releases application platform with new application server, centralized management tools — Today, NGINX launched its new NGINX Application Platform, a suite of products which together, form a solution made up of application delivery, an application server, and policy-driven monitoring and management.

The post Linux Action News 18 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Akamai’s quarterly State of the Internet report: The Krebs Attack

• “Internet infrastructure giant Akamai last week released a special State of the Internet report. Normally, the quarterly accounting of noteworthy changes in distributed denial-of-service (DDoS) attacks doesn’t delve into attacks on specific customers. But this latest Akamai report makes an exception in describing in great detail the record-sized attack against KrebsOnSecurity.com in September, the largest such assault it has ever mitigated.”
• Akamai: “The same data we’ve shared here was made available to Krebs for his own reporting and we received permission to name him and his site in this report.”
• “Akamai said the attack on Sept. 20 was launched by just 24,000 systems infected with Mirai, mostly hacked Internet of Things (IoT) devices such as digital video recorders and security cameras.”
• “The first quarter of 2016 marked a high point in the number of attacks peaking at more than 100 Gbps,” Akamai stated in its report. “This trend was matched in Q3 2016, with another 19 mega attacks. It’s interesting that while the overall number of attacks fell by 8% quarter over quarter, the number of large attacks, as well as the size of the biggest attacks, grew significantly.”
• “The magnitude of the attacks seen during the final week were significantly larger than the majority of attacks Akamai sees on a regular basis,” Akamai reports. “In fact, while the attack on September 20 was the largest attack ever mitigated by Akamai, the attack on September 22 would have qualified for the record at any other time, peaking at 555 Gbps.”
• Krebs has also made a .csv of the data available: “An observant reader can probably correlate clumps of attacks to specific stories covered by Krebs. Reporting on the dark side of cybersecurity draws attention from people and organizations who are not afraid of using DDoS attacks to silence their detractors.” In case any trenchant observant readers wish to attempt that, I’ve published a spreadsheet here (in .CSV format) which lists the date, duration, size and type of attack used in DDoS campaigns against KrebsOnSecurity.com over the past four years.”
• Some comments about the “mega” attacks on Kreb’s site:
• “We haven’t seen GRE really play a major role in attacks until now. It’s basically a UDP flood with a layer-7 component targeting GRE infrastructure. While it’s not new, it’s certainly rare.”
• “Overall, Columbia was the top source of attack traffic. This is surprising, because Columbia has not been a major source of attack traffic in the past. While Columbia only accounted for approximately 5% of the traffic in the Mirai-based attacks, it accounted for nearly 15% of all source IPs in the last four attacks. A country that was suspiciously missing from both top 10 lists was the u.s. With regards to Mirai, this may be due to a comparative lack of vulnerable and compromised systems, rather than a conscious decision not to use systems in the u.s.”
• “There are a few distinctive programming characteristics we initially discovered in our lab, and later confirmed when the source code was published, which have helped identify Mirai-based traffic. At the end of the day what Mirai really brings to the table is a reasonably well written and extensible code base. It’s unknown as to what Mirai may bring in the foreseeable future but it is clear that it has paved the way for other malicious actors to create variants that improve on its foundation.”
• The full report can be downloaded here
• Some other data from the report:
• “Last quarter we reported a 276% increase in NTP attacks compared with Q2 of 2015. This quarter, we analyzed NTP trends over two years and have noticed shrinking capabilities for NTP reflection.” — It is good to finally see NTP falling off the attack charts as it gets patched up
• “Web application attack metrics around the European Football Cup Championship Game and the Summer Games, as analyzed in the Web Application Attack Spotlight, show us that while malicious actors take advantage of high-profile events, there’s also a lull that indicates they might like to watch them.” (see page 26)
• Application Layer DDoS attacks (GET/HEAD/POST/PUT etc) account for only 1.66% of DDoS attacks. Most attacks are aimed at the infrastructure layer (IP and TCP/UDP)
• “Repeat DDoS Attacks by Target / After a slight downturn in Q2 2016, the average number of DDoS attacks increased to an average of 30 attacks per target, as shown in Figure 2-13. This statistic reflects that once an organization has been attacked, there is a high probability of additional attacks.”
• SQL Injection (49%) and Local File Inclusion (40%) make up the greatest share of attacks against web applications

Is your server (N)jinxed ?

• A flaw in the way Debian (and Ubuntu) package nginx, can allow your server to be compromised.
• The flaw allows an attacker who has managed to gain control of a web application, like wordpress, to escalate privileges from the www-data user to root.
• “Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root.”
• “The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system.”
• The attack flow works as follows:
  • Compromise a web application
  • Run the exploit as the www-data user
  • Compile your privilege escalation shared library /tmp/privesclib.c
  • Install your own low-priv shell (maybe /bin/bash, or an exploit) as /tmp/nginxrootsh
  • Take advantage of the permissions mistake where /var/log/nginx is writable by the www-data user, and replace error.log with a symlink to /etc/ld.so.preload
  • Wait for nginx to be restarted or rehashed by logrotate
  • When nginx is restarted or rehashed, it creates the /etc/ld.so.preload file
  • Add the /tmp/privesclib.so created earlier to /etc/ld.so.preload
  • Run sudo, which will now load /tmp/privesclib.so before other libraries, running the code
  • sudo will not allow the www-data user to do any commands, but before sudo read its config file, it ran privesclib.so, which made /tmp/nginxrootsh setuid root for us
  • Run /tmp/nginxrootsh as any user, and you now have a shell as the root user
  • The now own the server
• Video Proof of Concept
• Fixes:
• Debian: Fixed in Nginx 1.6.2-5+deb8u3
  • Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
  • Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
  • Ubuntu 16.10: 1.10.1-0ubuntu1.1
• Make sure your log directory is not writable by the www-data user

Hacking 27% of the web via WordPress Auto-update

• “At Wordfence, we continually look for security vulnerabilities in the third party plugins and themes that are widely used by the WordPress community. In addition to this research, we regularly examine WordPress core and the related wordpress.org systems. Recently we discovered a major vulnerability that could have caused a mass compromise of the majority of WordPress sites.”
• “The vulnerability we describe below may have allowed an attacker to use the WordPress auto-update function, which is turned on by default, to deploy malware to up to 27% of the Web at once.”
• “The server api.wordpress.org has an important role in the WordPress ecosystem: it releases automatic updates for WordPress websites. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates. The response from this server contains information about any newer versions that may be available, including if the plugin, theme or core needs to be updated automatically. It also includes a URL to download and install the updated software.”
• “Compromising this server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically. This provides a way for an attacker to mass-compromise WordPress websites through the auto-update mechanism supplied by api.wordpress.org. This is all possible because WordPress itself provides no signature verification of the software being installed. It will trust any URL and any package that is supplied by api.wordpress.org.”
• “We describe the technical details of a serious security vulnerability that we uncovered earlier this year that could compromise api.wordpress.org. We reported this vulnerability to the WordPress team via HackerOne. They fixed the vulnerability within a few hours of acknowledging the report. They have also awarded Wordfence lead developer Matt Barry a bounty for discovering and reporting it.”
• “api.wordpress.org has a GitHub webhook that allows WordPress core developers to sync their code to the wordpress.org SVN repository. This allows them to use GitHub as their source code repository. Then, when they commit a change to GitHub it will reach out and hit a URL on api.wordpress.org which then triggers a process on api.wordpress.org that brings down the latest code that was just added to GitHub.”
• “The URL that GitHub contacts on api.wordpress.org is called a ‘webhook’ and is written in PHP. The PHP for this webhook is open source and can be found in this repository. We analyzed this code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to api.wordpress.org. This is called a remote code execution vulnerability or RCE.”
• “If we can bypass the webhook authentication mechanism, there is a POST parameter for the GitHub project URL that is passed unescaped to shell_exec which allows us to execute shell commands on api.wordpress.org. This allows us to compromise the server.”
• There is security built into the system. Github hashes the JSON data with a shared secret, and submits the hash with the data. The receiving side then hashes the JSON with its copy of the shared secret. If the two hashes match, the JSON must have been sent by someone who knows the shared secret (ideally only api.wordpress.com and github)
• There is a small catch
• “GitHub uses SHA1 to generate the hash and supplies the signature in a header: X-Hub-Signature: sha1={hash}. The webhook extracts both the algorithm, in this case ‘sha1’, and the hash to verify the signature. The vulnerability here lies in the fact the code will use the hash function supplied by the client, normally github. That means that, whether it’s GitHub or an attacker hitting the webhook, they get to specify which hashing algorithm is used to verify the message authenticity”
• “The challenge here is to somehow fool the webhook into thinking that we know the shared secret that GitHub knows. That means that we need to send a hash with our message that ‘checks out’. In other words it appears to be a hash of the message we’re sending and the secret value that only api.wordpress.org and GitHub know – the shared secret.”
• “As we pointed out above, the webhook lets us choose our own hashing algorithm. PHP provides a number of non-cryptographically secure hashing functions like crc32, fnv32 and adler32, which generate a 32bit hash vs the expected 160 bit hash generated by SHA1. These hashing functions are checksums which are designed to catch data transmission errors and be highly performant with large inputs. They are not designed to provide security.”
• So instead of having to brute force a 160 bit hash (1.46 with 48 zeros after it) you only have to brute force 32 bits (4 billion possibilities). But it gets even easier
• “Of these weak algorithms, the one that stood out the most was adler32, which is actually two 16 bit hashing functions with their outputs concatenated together. Not only are the total number of hashes limited, but there’s also significant non-uniformity in the hash space. This results in many hashes being the same even though they were supplied with different inputs. The distribution of possible checksum values are similar to rolling dice where 7 is the most likely outcome (the median value), and the probability of rolling any value in that range would work its way out from the median value (6 and 8 would have the next highest probability, and on it goes to 2 and 12).”
• “The proof of concept supplied in the report utilizes the non-uniformity by creating a profile of most common significant bytes in each 16 bit hash generated. Using this, we were able to reduce the amount of requests from 2^32 to approximately 100,000 to 400,000 based on our tests with randomly generated keys.”
• “This is a far more manageable number of guesses that we would need to send to the webhook on api.wordpress.org which could be made over the course of a few hours. Once the webhook allows the request, the attack executes a shell command on api.wordpress.org which gives us access to the underlying operating system and api.wordpress.org is compromised.”
• “From there an attacker could conceivably create their own update for all WordPress websites and distribute a backdoor and other malicious code to more than one quarter of the Web. They would also be able to disable subsequent auto-updates so that the WordPress team would lose the ability to deploy a fix to affected websites.”
• “We confidentially reported this vulnerability on September 2nd to Automattic and they pushed a fix to the code repository on September 7th. Presumably the same fix had been deployed to production before then.”
• “We still consider api.wordpress.org a single point of failure when distributing WordPress core, plugins and theme updates. We have made attempts to start a conversation with members of Automattic’s security team about improving the security posture of the automatic update system, but we have not yet received a response.”

Feedback:

• Network Test

• SLOW FreeNAS FIXED

• Obligatory ZFS question / feature request

• ZFS replication for backup

Round Up:

• cURL Author: People email me asking for support with their Car’s infotainment system
• Another malicious link that can cause any iOS device to freeze & require a hard reset
• Walmart testing using the blockchain to track food recalls
• Attacking the Washington, D.C. Internet Voting System
• Uber Portal Leaked Names, Phone Numbers, Email Addresses, Unique Identifiers
• Mapping Malware Attack Methodology to Controls
• CocaCola moves most of their data to the cloud, but won’t store its secret formula in the cloud.
• Kaspersky OS: Antivirus Firm Launches Its Own “Hackproof” OS, Based On Microkernel
• Oracle acquires DNS provider Dyn
• Exploit Code Released for NTP Vulnerability
• Vulnerability in InPage publishing software used in attacks against banks

The post Turkey.deb | TechSNAP 294 first appeared on Jupiter Broadcasting.

A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New vulnerability in many websites: HTTPoxy

• Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
• CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
• To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
• To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
• So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
• This allows your application to know what compression algorithms are supported
• Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
• “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
• “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
• “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
  • Proxy the outgoing HTTP requests made by the web application
• Direct the server to open outgoing connections to an address and port of their choosing
• Tie up server resources by forcing the vulnerable software to use a malicious proxy
• “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
• So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
• Timeline:
• March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
• April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
• July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
• November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
• February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
• July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
• So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
• Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
• The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
• Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

• From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
• In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
• The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

• Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange * IBM WebSphere Portal – provides enterprise web portals
• Google Search Appliance – search all content in an enterprise through a single search box
• Guidance Encase – forensic investigation software
• Microsoft Exchange – enterprise email and productivity software
• Novell Groupwise – a collaboration tool for large enterprise
• Raytheon SureView – software designed for enterprise visibility and user activity monitoring

• Veritas (Symantec) Enterprise Vault – a program for information governance through archiving

• Talos has not confirmed that each of the third-party products listed above are affected. We have, however, confirmed that some are running vulnerable OIT-related code. For example, if WebReady Document Viewing is enabled for Microsoft Exchange 2013 (& earlier), an attacker could exploit these vulnerabilities by sending a malicious email attachment to a victim who then opens the email using web preview.

• Further, if Data Loss Prevention is enabled, the vulnerability can be triggered simply by sending an email with a malicious attachment outbound from the affected Exchange server. If Avira AntiVir for Exchange (v12.0.2775.0 & earlier) is in place, just sending or receiving a malicious email is sufficient, since this program will scan all inbound and outbound email. Additionally, multiple OIT vulnerabilities could conceivably be exploited in a chained fashion for a more effective approach.

  • PDF /Size Integer Overflow
  • TIFF ExtraSamples Code Execution
  • TIFF Photometric Interpretation Code Execution
  • GIF ImageWidth Code Execution
  • Gem_Text Code Execution
  • PSI Image File Code Execution
  • Word DggInfo Code Execution
  • Mac Works Database VwStreamSection Code Execution
  • Mac Word ContentAccess libvs_word+63AC Code Execution
  • BMP Heap Buffer Overflow & Code Execution
  • Mac Works VwStreamReadRecord Memory Corruption
  • PDF /Kids Information Leakage
  • PDF NULL Pointer Dereference Denial of Service
  • PDF Recursion Stack Overflow Denial of Service
  • PDF /FlateDecode /Colors Denial of Service
  • PDF /Type /Xref Denial of Service
  • PDF Xref Offset Denial of Service
  • Mac Word ContentAccess libvs_word Denial of Service

• Over, and over again we see problems that arise from software using untrusted data as input without proper and necessary validation of that data, and because not all software developers are experts in the multitude of file formats in existence they are forced to rely on SDKs such as Oracle’s OIT.

• However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes.
• This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.
• In related news: TALOS also found a similar vulnerability in Apple’s OS X
• Additional Coverage
• In other news: Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products
• Includes 4 Java vulnerabilities with CVSS scores of 9.6 out of 10

Krebs: The value of a hacked company

• Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
• “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
• “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
• There is a lot of value that an attack can extract from a hacked company:
  • Intellectual Property, like trade secrets, plans, or even just a list of customers
  • Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
  • Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
  • HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
  • Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
  • Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
• “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
• “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
• “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
• “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
• “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

• ZFS Fillin Up

• InfiniBand

• IPSEC VPN server & OS options

Mention: Networking for Information Security/Penetration Testing

Round Up:

• Feds Seize KickassTorrents Domains, Arrest Alleged Owner
• How to many money by abusing 2 Factor Auth — Have Google, Instagram, etc, call your premium rate (900) number to verify your 1000s of accounts
• Apple Has Its Own Stagefright Vulnerability
• PostgreSQL EnterpriseDB first open source database to pass Defense Information Systems Agency (DISA) testing, and publish a Security Technical Implementation Guide (STIG)
• Skype is Transitioning to a More Modern, Mobile-Friendly Architecture
• Microsoft killing off last bits of p2p in skype, and all old clients, in favour of new cloud-server backed infrastructure
• Seagate launches its new line of 10TB Helium drives: BarraCuda (Desktop HDD), FireCuda (Desktop SSHD), BarraCuda Pro (5 year Warrenty), IronWolf (NAS), and SkyHawk (Surveillance).
• Stack Exchange Outage Postmortem – July 20, 2016
• Engineer gets tired of waiting for Telcos, wires up his whole town
• Microsoft ordered to fix ‘excessively intrusive, insecure’ Windows 10
• France’s National Data Protection Commission (CNIL) has ordered Microsoft to “stop collecting excessive data and tracking browsing by users without consent”
• How (and why) FreeDOS keeps DOS alive
• Verizon to disconnect unlimited data customers who use over 100GB/month
• BT Outage the fault of Data Center and Exchange operator Equanix
• Mitsubishi Outlander Flaw Opens Door to Thieves—Literally – Infosecurity Magazine
• The Ubuntu forums have been hacked, IP address, username, and email address of over two million users have been compromised

The post Bitmap Pox | TechSNAP 276 first appeared on Jupiter Broadcasting.

Google leverages Chrome’s marketshare to push web security forward. Are we about to see zero day exploits reclassified as weapons & ZFS gets the green light on Linux for production.

Then it’s a great batch of your questions, our answers & much, much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Killing off SHA-1 in SSL certificates

• “The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago”
• “That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.”
• The CA/Browser forum, the group made up of Google, Mozilla, Microsoft, Apple, Opera, and most of the Certificate Authorities, and sets the policies for the group
• The forum is how the browsers decide which CAs to include in their trust store
• Part of the problem was that older browsers and devices only supported SHA-1, and none of the SHA-2 (SHA256, SHA512) algorithms
• The CA/Browser Forum officially deprecated SHA-1 in 2011, no new certificates can be issued that use SHA-1
• Google is proposing to add increasingly severe warning messages for visitors to site using SHA-1 certificates that have an expiration date after the end of 2016
• Upgrades may still be complicated. Windows Server 2003 and Windows XP SP2 does not support SHA-256, only SHA-1. Servers would need to be upgraded, and Windows XP clients would need to install SP3. Android before 2.3 only supports SHA-1, 2.2 is still quite popular
• Support for running 2 certificates, an upgraded one for clients that support it, and a legacy certificates for ones that do not, is being worked on. Apache supports it now, and work is underway to add support to NGINX and Apache Traffic Server.
• GlobalSign’s SHA-256 compatibility matrix
• It is nice to see the steps being taken with plenty of time for everyone to update gracefully. In the past, the move away from MD5 was much less smooth, only finally spurred on by the real danger of rogue certificates via MD5 collisions
• The CA/Browser forum similarly disallowed new 1024 bit certificates in 2010, with no certificate to have an expiration date later than Dec 31st 2013. Mozilla recently pulled the plug on 1024 bit certificates, leaving 107,000 “valid” certificates no longer trusted
• SSL Labs breaks down what you need to know
• Additional Coverage: Why Google is Hurrying to kill SHA-1

Will selling 0-day exploits soon be considered “Arms Dealing” and be illegal?

• VUPEN and others are now following the Wassenaar Arrangement that classifies their 0-days and exploits as regulated and export-controlled “dual-use” technologies. Going forward they will only sell to approved government agencies in approved countries.
• The latest version of the agreement included 0-days, exploits, and backdoors as regulated and export-controlled “dual-use” technologies. Previously, the US wasn’t recognizing these most recent additions but that is all changing come later this month according to a recent Federal Register notice (pdf). The notice states that the US will be adopting changes made to the list of dual-use items made in December 2013 as of August 4th.
• The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to bruteforce web application session ids?

The state of ZFS on Linux

• ZFS on Linux is now “officially” production ready
• Key ZFS data integrity features work on Linux like they do on other platforms
• ZFS runtime stability on Linux is comparable to other filesystems, with certain exceptions
• ZoL is at near feature parity with ZFS on other platforms.
• ZoL does not lose data
• changes to the disk format are forward compatible
• Updates are always flawless
• Up until now, it was mostly the “on Linux” part that was at question, OpenZFS (the open source fork used in IllumOS, FreeBSD, SmartOS, and elsewhere) has been stable for many years
• “Data loss can be defined as the occurrence of either of two events. The first is failing to store some information. The second is attempting to retrieve information that was successfully stored and getting either something else or nothing at all”
• “The ZFS on Linux kernel driver performs the same block device operations as its counterparts on other platforms. As a consequence, its ability to ensure data integrity is equivalent to its counterparts on other platforms and this ability far exceeds that of any other Linux filesystem for direct attached storage”
• ZoL is missing 9 of the newest features in OpenZFS, including LZ4 compression, Spacemap histographs (speed improvements under heavy fragmentation), Feature Flag enabled TXG (support for rolling back and upgrade), Hole Birth (improved replication performance) and ZFS Bookmarks (resumable zfs send/recv)
• Also, there are 9 other features missing from ZoL, including integration for iSCSI (also missing on FreeBSD, as until recently FreeBSD did not have a kernel iSCSI target daemon), Integration with Containers (Linux doesn’t really have a feature similar to Solaris Zones or FreeBSD Jails), Boot Loader integration, etc.
• “The current release is 0.6.3 and the next release will be 0.6.4 later this year. The plan is to continue performing 0.6.x releases with distribution maintainers doing backports until the /dev/zfs ioctl interface is stabilized. At that point, the project will release 1.0. New releases will be 1.x while 1.x.y maintenance releases will be done to back port fixes like is done by the Linux kernel stable maintainers”

Feedback:

• Hall of Shame: Enigmail

• Untrusted mail servers

• Creating a backup system for my mom with NAS using Linux but for windows

• I’m not sure how to tell a gym about a miss configuration in there systems

• xp pos systems

Round Up:

• Dread Pirate Sunk By Leaky CAPTCHA — Krebs on Security
• Intel Announces new 18 core Xeon E5 dual-socket processors. DDR4 and all the other goodies too
• FBI reveals how they found Silk Road, security experts claim unlikely
• Using the iPhone thermal camera to steal PIN codes PDF: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks
• Dropbox Transparency Report update: fighting for your right to know
• 5 Million google usernames and passwords from large Russian dump. Likely from other databases that were compromised, and these 5 million people happened to use the same password Download .txt file of just usernames
• Microsoft agrees to contempt order so e-mail privacy case can be appealed
• Secretive Bitcoin creator’s email address may have been compromised
• Malware found at Healthcare.gov, no personal data was at risk
• Allan’s Musings while depositing a cheque
• Switching ISPS is too hard. FCC says it might think about possibly maybe doing something to help a little, kind of, maybe

The post It's not a Bug, It's a Weapon | TechSNAP 179 first appeared on Jupiter Broadcasting.

It’s our one year anniversary episode, and we’ll be talking with Reyk Floeter about the new OpenBSD webserver – why it was created and where it’s going. After that, we’ll show you the ins and outs of DragonFly’s HAMMER FS. Answers to viewer-submitted questions and the latest headlines, on a very special BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD foundation’s new IPSEC project

• The FreeBSD foundation, along with Netgate, is sponsoring some new work on the IPSEC code
• With bandwidth in the 10-40 gigabit per second range, the IPSEC stack needs to be brought up to modern standards in terms of encryption and performance
• This new work will add AES-CTR and AES-GCM modes to FreeBSD’s implementation, borrowing some code from OpenBSD
• The updated stack will also support AES-NI for hardware-based encryption speed ups
• It’s expected to be completed by the end of September, and will also be in pfSense 2.2

NetBSD at Shimane Open Source Conference 2014

• The Japanese NetBSD users group held a NetBSD booth at the Open Source Conference 2014 in Shimane on August 23
• One of the developers has gathered a bunch of pictures from the event and wrote a fairly lengthy summary
• They had NetBSD running on all sorts of devices, from Raspberry Pis to Sun Java Stations
• Some visitors said that NetBSD had the most chaotic booth at the conference

pfSense 2.1.5 released

• A new version of the pfSense 2.1 branch is out
• Mostly a security-focused release, including three web UI fixes and the most recent OpenSSL fix (which FreeBSD has still not patched in -RELEASE after nearly a month)
• It also includes many other bug fixes, check the blog post for the full list

Systems, Science and FreeBSD

• Our friend George Neville-Neil gave a presentation at Microsoft Research
• It’s mainly about using FreeBSD as a platform for research, inside and outside of universities
• The talk describes the OS and its features, ports, developer community, documentation, who uses BSD and much more

Interview – Reyk Floeter – reyk@openbsd.org / @reykfloeter

OpenBSD’s HTTP daemon

Tutorial

A crash course on HAMMER FS

News Roundup

OpenBSD’s rcctl tool usage

• OpenBSD recently got a new tool for managing /etc/rc.conf.local in -current
• Similar to FreeBSD’s “sysrc” tool, it eliminates the need to manually edit rc.conf.local to enable or disable services
• This blog post – from a BSD Now viewer – shows the typical usage of the new tool to alter the startup services
• It won’t make it to 5.6, but will be in 5.7 (next May)

pfSense mini-roundup

• We found five interesting pfSense articles throughout the week and wanted to quickly mention them
• The first item in our pfSense mini-roundup details how you can stream Netflix to in non-US countries using a “smart” DNS service
• The second post talks about setting ip IPv6, in particular if Comcast is your ISP
• The third one features pfSense on Softpedia, a more mainstream tech site
• The fourth post describes how to filter HTTPS traffic with Squid and pfSense
• The last article describes setting up a VPN using the “tinc” daemon and pfSense
• It seems to be lesser known, compared to things like OpenVPN or SSH tunnels, so it’s interesting to read about
• This pfSense HQ website seems to have lots of other cool pfSense items, check it out

OpenBSD’s new buffer cache

• OpenBSD has traditionally used the tried-and-true LRU algorithm for buffer cache, but it has a few problems
• Ted Unangst has just switched to a new algorithm in -current, partially based on 2Q, and details some of his work
• Initial tests show positive results in terms of cache responsiveness
• Check the post for all the fine details

BSDTalk episode 244

• Another new BSDTalk is up and, this time around, Will Backman interviews Ken Moore, the developer of the new BSD desktop environment
• They discuss the history of development, differences between it and other DEs, lots of topics
• If you’re more of a visual person, fear not, because…
• We’ll have Ken on next week, including a full “virtual walkthrough” of Lumina and its applications

Feedback/Questions

• Ghislain writes in
• Raynold writes in
• Van writes in
• Sean writes in
• Stefan writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• We want to give a huge thank you to our viewer Toby for writing this week’s tutorial
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post It's HAMMER Time | BSD Now 53 first appeared on Jupiter Broadcasting.

We’ll be showing you how to set up a secure, SSL-only webserver. There’s also an interview with Eric Le Blan about community participation and FreeBSD’s role in the commercial server space. All that and more, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Password gropers take spamtrap bait

• Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
• He seems to have discovered another new weird phenomenon in his pop3 logs
• “yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia”
• Someone tried to log in to his service with an address that was known to be invalid
• The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose

Inside the Atheros wifi chipset

• Adrian Chadd – sometimes known in the FreeBSD community as “the wireless guy” – gave a talk at the Defcon Wireless Village 2014
• He covers a lot of topics on wifi, specifically on Atheros chips and why they’re so popular for open source development
• There’s a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
• Very technical talk; some parts might go over your head if you’re not a driver developer
• The raw video file is also available to download on archive.org
• Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things

Trip report and hackathon mini- roundup

• A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
• Mark Linimon mentions some of the future plans for FreeBSD’s release engineering and ports
• Bapt also has a BSDCan report detailing his work on ports and packages
• Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
• Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
• Christian Weisgerber talks about starting some initial improvements of OpenBSD’s ports infrastructure

DragonFly BSD 3.8.2 released

• Although it was already branched, the release media is now available for DragonFly 3.8.2
• This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
• It also includes some various other small fixes

Interview – Eric Le Blan – info@xinuos.com

Xinuos’ recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

• Back in episode 39, we covered a blog post about creating an OpenBSD gateway – partly based on our router tutorial
• This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
• He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
• The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc.

Don’t encrypt all the things

• Another couple of interesting blog posts from Ted Unangst about encryption
• It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
• After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
• He also talks a bit about some PGP weaknesses and a possible future replacement
• He also has another, similar post entitled “in defense of opportunistic encryption“

New automounter lands in FreeBSD

• The work on the new automounter has just landed in 11-CURRENT
• With help from the FreeBSD Foundation, we’ll have a new “autofs” kernel option
• Check the SVN viewer online to read over the man pages if you’re not running -CURRENT
• You can also read a bit about it in the recent newsletter

OpenSSH 6.7 CFT

• It’s been a little while since the last OpenSSH release, but 6.7 is almost ready
• Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
• It includes some old code removal, some new features and some internal reworkings – we’ll cover the full list in detail when it’s released
• This version also officially supports being built with LibreSSL now
• Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system

Feedback/Questions

• David writes in
• Lachlan writes in
• Francis writes in
• Frank writes in
• Sean writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• We want to give a special thanks to our viewer Remy for writing the basis of today’s tutorial
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Final reminder: OpenBSD is moving to a new distributor in September (which is very soon!) so this is your last chance to buy any of their tshirts, CDs or posters – grab them now while you still can, and support the project

The post Engineering Nginx | BSD Now 51 first appeared on Jupiter Broadcasting.

The NSA chilling effect is in full force, and you can probably guess where many companies are feeling too.

Then hidden problem facing IT security and why users expect magic.

Plus it’s a great batch of your questions, and our answers.

All that and more, on this week’s TechSNAP!

Thanks to:

— Show Notes: —

Companies start moving data and jobs to Canada to avoid the NSA

• “U.S. industry stands to lose billions as companies spooked by security leaks seek to store banks of personal data outside U.S.”
• “It’s also a question of perception. The Europeans want to say to their clients that their information is not in the United States even though it stays in North America.”
• Canada is also attractive due to the availability of skilled labour, the cooler climate (requiring less air conditioning) and cheap electricity
• Compared to moving data to Europe, the latency to Canada is much lower because of its proximity and diversity of fibre paths
• “No one will say which companies have decided to flee the U.S., but they are said to vary from European banking and insurance firms with operations in the U.S. to American oil and gas companies and retail outlets, according to Canadian industry representatives interviewed by the Star”
• Cisco has chosen Ontario as the destination of a $4 billion investment that will create 1700 engineering and tech jobs
• The 10 year deal will see more than half of the $4 billion spent on salaries
• The number of jobs could grow as high as 5000

• FreeNAS Mini on Amazon

Some speakers quit RSA conference and call for boycott

• After the revelation that RSA received $10 million from the NSA to make a flawed algorithm the default in their BSafe product, a number of speakers and panel participants have pulled our of the yearly conference run by RSA
• RSA denies it entered into a contract for the purpose of weaking its products
• RSA issued a warning against using the flawed algorithm in September when NIST issued a similar warning after the Snowden documents were leaked
• Researchers who have pulled out of the conference include:
• Mikko Hypponen – F-Secure’s Chief Researcher – Talk: Governments as Malware Authors
• Adam Langley – Google Security Expert
• Chris Palmer – Google Chrome security engineer
  • Christopher Soghoian – researcher with the American Civil Liberties Union
  • Marcia Hoffman – privacy attorney and former Electronic Frontier Foundation lawyer
    
  • Alex Fowler – Mozilla privacy and public policy expert
  • Josh Thomas – “Chief Breaking Officer” at security firm Atredis
  • Jeffrey Carr – Taia Global
• Taia Global is developing a product called Chimera, a commercial database of “rival state research and development projects” on the basis that knowing what the attackers are working on, lets you know which of your assets they may be out to steal
• “Organisers have said that next month’s conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year”
• Additional Coverage

The hidden threat to network security? Management

• A survey and study by Stroz Friedberg called Information Security Risk in American Business was recently released
• The study shows much what you would expect, few people take security seriously, although everyone claims to care about it
• Most people expect the IT experts to somehow magically keep everything security, while end users go around sprinkling sensitive files all over the Internet and clicking the link in every spam email they get, and opening every attachment
• “Insiders are by far the biggest risk to the security of a company’s sensitive information, whether it’s a careless executive or a disgruntled employee”
• The horrible stats:
  • 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account in order to work remotely
  • 58% of Senior management have accidentally sent sensitive information to the wrong person (compared to 25% of workers overall)
  • 51% of Senior management, and 37% of mid-level management have taken files with them after leave a job
    +45% of senior management say that C-level leadership are responsible for protecting companies against cyber-attacks
  • “Yet, 52% of this same group indicated they are falling down on the job, rating corporate America’s ability to respond to cyber-threats at a “C” grade or lower.”
  • Employees disagree, 54% say IT professionals should be responsible for cyber security
  • 73% of Employees fears their personal details such as Social Security numbers, birth date, banking information and home address could be stolen
  • “Only 35% of respondents reported receiving regular training and communications on mobile device security from their employers”
• “BYOD and the use of personal online accounts have become prevalent in American businesses, as workers use their personal smartphones, tablets, and preferred cloud providers to stay productive while at work and out of the office. This is opening the door for businesses to encounter new and emerging threats from hackers, malware, and viruses.”
• Full Study

Feedback:

• VPN’s: A developer’s nightmare
• FAQ – Microsoft’s PPTP Implementation
• Free and Open Source Support and FreeNAS Mirroring
• Nginx Client side SSL limiting
• Hows my SSL?
• Low-end server hardware prices

Round Up:

• Yahoo malware turned European computers into bitcoin slaves
• Humourous USENIX article about password security
• openSUSE forums defaced, emails leaked
• Poem about hacking the truth machine
• Zimbra 8 remote exploit
• How a simple screwup lead to a compromise and a $500 amazon bill
• Intel renames its ‘tainted’ McAfee brand to ‘Intel Security’
• Reading this May Harm Your Computer: The Psychology of Malware Warnings
• Not Cool: MPAA Joins The W3C
• OpenSSL site defaced – Official Statement
• The US Federal Election Commission is highly vulnerable to intrusions and data breaches
• Asprox botnet pushes KrebsOnSecurity themed malware

The post Firewalls Aren't Magic | TechSNAP 144 first appeared on Jupiter Broadcasting.

It’s never been easier to break a D-Link Router, we’ll share the details about the built in backdoor.

Plus a huge batch of Java fixes land, a look at iMessage security, and much much more!

On this week’s TechSNAP

Thanks to:

Reverse engineering a D-Link router

• Researchers found an authentication bypass backdoor in some D-Link routers
• Research was conducted on a D-Link DIR-100 revA
• The firmware is made by a company called Alpha Networks which was spun off from D-Link in 2003
• Other devices known to be vulnerable from D-Link:
  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240
• Some devices from Planex appear to use the same firmware:
• BRL-04R
• BRL-04UR
• BRL-04CW
• If the router is accessed user a User-Agent string of: xmlset_roodkcableoj28840ybtide then the user bypasses the username/password requirement and has full access to the router
• If read backwards: edit by 04882 joel backdoor
• This backdoor also allows an attacker to perform remote code execution and could be used to infect a router with spyware
• D-Link promises to issue fixed firmware by the end of the month

Akamai finds most DDoS attacks come from Asia

• Threatpost reports on Akamai’s “State of the Internet report”
• Akamai is a global CDN that services many large websites including Microsoft Update
• “The Pacific rim region (especially China and Indonesia) accounted for just over 79 percent of all observed attacks” according to the firm’s studies
• The report also discussed the Syrian Electronic Army’s (SEA) and its attacks on media outlets, the exhaustion of IPv4 address space, and a rise in mobile data traffic
• The data does not quite match up with reports from other DDoS protection vendors
• The Prolexic report for Q1 2013 shows China as the source of 40.68% of all DDoS attacks, and Indonesia did not even register. USA: 21.88%, Germany: 10.59%
• The Prolexic report for Q2 2013 shows slightly different results, with China holding strong at 39.08% with Mexico coming in at a surprising second with 27.32% and Russian at 7.58%
• The wild differences are partly due to the fact that each company is measuring attacks against their clients, not the wider internet
• There is also the methodology for localizing the source of the attack to consider, GeoIP databases and the like are often inaccurate
• Each company may also have a different definition of a DDoS attack. Are bots crawling a website an attack? What about SQL injection attempts?

Oracle releases the October Critical Patch Update, with updates for Java

• This is the first time that the Oracle quarterly CPU (Critical Patch Update) has included updates for Java, usually Java is updated on a separate cycle
• “Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle”
• All users should immediately upgrade to Java 7u45
• Java 6 is vulnerable to nearly a dozen critical vulnerabilities, but updates are only provided to Oracle customers with support contracts (Apple)
• Rapid7 (maintainers of Metasploit) recommend that if you must use Java: “run Java in the most restricted mode and only allow signed applets from white-listed sites”
• “Noted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden interactions of LiveConnect code, a browser feature that allows applets to communicate with the javascript engine in the browser, and Java Rich Internet Applications”
• “Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug.“

Feedback:

• Performance question about nginx and uWSGI

• Getting started as a Systems Administrator

• Are Dynamic IP\’s that much of an issue?

[asa]0133390098[/asa]

• Technical Book Recommendation: Systems Performance by Brendon Gregg

Round-Up:

• iMessage Privacy
• Surge 2013 Lightning Talk – Brendon Gregg – Benchmarking gone wrong 17:30
• More than 35,000 vBulletin forums hacked weeks after release of fix for vulnerability
• THC: SSL/TLS IN A POST-PRISM ERA
• SQLi Capture the Flag, with Prizes Story
• Surge 2013 Lightning Talk – Bryan Cantrill – Fun with tail 41:00
• Flaws found in Linux /dev/random pRNG
  • Insecurities in the Linux /dev/random | Hacker News
• FreeBSD now goes up to 11
• World\’s 3rd Largest Chinese Bitcoin exchange hit by 100Gbps DDoS attack
• Why internet pathing matters
• Skype under investigation in Luxembourg over link to NSA
• PR Newswire hacked on or before March 8th, related to Adobe hack “It’s unsettling to imagine the possible outcomes if the stolen data fell into the hands of any groups that are trying to affect political and economic stability”
• Further evidence that attacks against Adobe and others are related to ColdFusion exploits

The post SoDDing D-Link Backdoor | TechSNAP 132 first appeared on Jupiter Broadcasting.

A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

Then it’s a great big batch of your questions, our answers, and much much more!

On this week’s TechSNAP.

Thanks to:

— Show Notes: —

Crooks Hijack Retirement Funds Via Social Security Administration Portal

• Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program
• The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal
• The SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site.
• As of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity.
• There is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.” – via Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General.
• Banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail.
• Many customers will overlook such notices.
• If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time take care of that.
• Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam.
• In Canada, registering on the Canada Revenue Agency’s website, requires information from your previous years tax returns, and an activation code is snail mailed to you

Microsoft warns of a 0day in all versions of Internet Explorer, working on a patch for IE 6 – 11

• The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type
• Actively being exploited against IE8 and 9
• Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
• The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
• The company is offering the following workarounds and mitigations:
• Apply the Microsoft Fix it solution, \”CVE-2013-3893 MSHTML Shim Workaround,\” that prevents exploitation of this issue. Note: This ‘fixit’ solution only works for 32bit versions of IE
• Set Internet and local intranet security zone settings to \”High\” to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
• CVE-2013-3893
• Additional Coverage

Cyber Police Arrest 12 Over Santander Bank Heist Plot

• The Metropolitan Police’s Central e-Crime Unit (PCeU) has arrested 12 men as part of an investigation into an “audacious” plot to take control of a Santander Banking computer.
• The PCeU is committed to tackling cyber-crime and the damage it can cause to individuals, organisations and the wider economy.”
• According to the police, the group sent a man in dressed as a maintenance engineer, who managed to attach a IP-KVM (keyboard video mouse) device to a machine in the bank, allowing the attackers to remotely carry out actions on the computer
• The men, aged between 23 and 50, were arrested yesterday, whilst searches were carried out addresses in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slou

Feedback

• Worried about listentobitcoin.com Malware

• FreeNAS NFS Mount FAIL

10.1.10.254:/mnt/fart /mnt/nfs nfs auto,noatime,nolock,defaults,user=1001 0 0

• Fingerprint reader and Software vs Hardware RAID

• I have several questions for the double show. I hope you\’ll discus them all.

• DNS + Rasberry Pi Questions

• Contacts Sync

Round Up:

iOS 7 Swamps the Internet

• Traffic Spotlight: iOS 7 Pre-Launch
• iOS7 release traffic

• iOS 7 downloads causing network outages at several school campuses, activation server failures

• Hackers crowdfund bounty to hack iPhone 5S fingerprint scanner

• Netflix exec: Canada’s broadband caps “almost a human rights violation”
• Abandoned NHS IT system costing British tax payers over 10 billion GBP
• Today we announce OpenZFS: the truly open source successor to the ZFS project.
• pfSense 2.1-RELEASE now available!
• SSD failure rate only 1.5% per year, compared to 5% for HDDs
• USB Condoms now for sale, protect your devices from evil charging ports
• Honey docs – Service creates fake documents on your computer, and notifies you if anyone ever tries to access them
• Schneier on Security: New NSA Leak Shows MITM Attacks Against Major Internet Services

The post Gentlemen, Start Your NGINX | TechSNAP 128 first appeared on Jupiter Broadcasting.

The nasty Apache Malware we’ve been telling you about has spread to Nginx and others, we’ll update you on the latest.

Plus hackers get access to control systems at Google, a big batch of your questions, and much much more.

On this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Support the Show: