We’ve got the definitive report on the Target breach, a flaw in single sign used all over the net, Level3 calls out broadband monopolies, and tech giants unite to save net neutrality.

Plus a huge batch of your question, our answer, and much much more!

Thanks to:

— Show Notes: —

Kill-Chain analysis of the Target breach

• A report was prepared for the Senate Committee on Commerce, Science, and Transportation
• Kill-Chain analysis involves looking at all of the things that could have been done to stop the attack from succeeding, and how or why they were not done. Kill-chain analysis was developed by security researchers at Lockheed Martin in 2011
• “This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.“
• “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
• “Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
• “Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
• “Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network”
• “According to reports by Brian Krebs, a tailored version of the “BlackPOS” malware – available on black market cyber crime forums for between $1,800 and $2,300 – was installed on Target’s POS machines.“
• “This malware has been described by McAfee Director of Threat Intelligence Operations as “absolutely unsophisticated and uninteresting.””
• “Target’s FireEye malware intrusion detection system triggered urgent alerts with each installation of the data exfiltration malware. However, Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software”
• The phases in the kill-chain:
  • Recon – Research, identify and select targets
  • Weaponize – Pair remote access malware with exploits (PDF files, Office files, Flash or Java exploits)
  • Deliver – Transmission of weapon to target (email attachment/phishing, website/watering hole, USB drive)
  • Exploit – Once delivered, weapon code is triggered, exploiting the vulnerable application or system
  • Install – The weapon installs a backdoor allowing persistent access
  • Command & Control – Outside server communicates with the weapon, allowing attackers inside the network
  • Action – Attacker works to achieve objective, maybe exfiltration of data (credit cards, plans/designs, intelligence data), destruction of data, or further intrusion/island hopping
• Background on Kill-Chain Analysis
• Paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Serious vulnerability in OAuth and OpenID could leak information

• A vulnerability in the OAuth and OpenID protocols has been found that count be used to trick a user into being redirected to a malicious site.
• OAuth and OpenID are commonly used to allow a user to login or authenticate on a site using credentials from another site. For example many websites allow you to login using your existing Facebook, Google or Microsoft ID, rather than registering separately
• OAuth is also used to authorize 3rd parties to perform actions on your behalf, such as allowing an application access to your Twitter account
• The flaw could allow attackers to steal personal data from users and redirect them to questionable sites
• This is especially dangerous, since a user on a trusted site, such as Facebook, could be tricked into loading content from an unsafe site, and doing so may also leak private data from Facebook to that unsafe site
• “for OAuth 2.0, the attacks could primarily jeopardize the token of site users. If a user were to authorize the login the attackers could then use that to access that user’s personal data. When it comes to OpenID, the attacker could get a user’s information directly, as it’s immediately transferred from the provider upon request”
• “An attacker could exploit the affected protocols and via a pop-up message through Facebook for example and trick users into giving up their information on otherwise legitimate websites”
• Thus the attacker makes it look to the user as if the request is from Facebook, not the attacker
• Researcher Blog
• Researcher site about the vulnerabilties

Mozilla recommends a new approach to net neutrality to the FCC

• Mozilla filed a petition with the FCC suggesting a new approach to net neutrality
• PDF: Petition
• The new approach involves looking at the entire question from the opposite direction
• Rather than Comcast providing Netflix, Amazon, Youtube etc access to its customer, Carol, Comcast is instead providing its customers, Alice, Carol, David, etc access to ‘remote services’, like Netflix and Dropbox
• Under this new ‘understanding’ of the shape of the Internet, Mozilla believes that the FCC already has the authority to impose strong net neutrality rules, resolving the question of authority raised when the courts struck down the old net neutrality rules
• Level 3 Blog Post – ISPs play chicken with the future of the Internet
• Level 3 Blog Post – Observations from an Internet Middleman
• There are “six peers with congestion on almost all of the interconnect ports between us. Congestion that is permanent, has been in place for well over a year and where our peer refuses to augment capacity. They are deliberately harming the service they deliver to their paying customers. They are not allowing us to fulfil the requests their customers make for content.”
• “All six are large Broadband consumer networks with a dominant or exclusive market share in their local market. In countries or markets where consumers have multiple Broadband choices (like the UK) there are no congested peers.”
• Level 3 claims 6 big ISPs purposely degrading traffic
• Level 3 and Cogent ask FCC for protection from ISP “Tolls”
• “While ISPs say the traffic loads are too heavy, Level 3, Cogent, and Netflix argue that ISPs are abusing their market power, since customers often have little to no choice of Internet provider. That means there’s only one path for Netflix traffic to reach consumers, at least over the last mile”
• Level 3 and Cogent both filed comments with the FCC
• Level 3 said “the Commission should require last-mile ISPs to interconnect on commercially reasonable terms, without the payment of an access charge.”
• Cogent proposed much harsher terms, reclassifying ISPs to be subject to common carrier rules, and requesting that “When interconnection points become congested, the FCC should have authority to intervene, Cogent said. This would force the broadband provider “to show cause why it should not be required to implement prompt remedial measures to relieve the sustained state of congestion”
• Cogent claims Comcast should have to pay for network connections
• In 2010, Internap network architecture manager Adam Rothschild said, “Comcast runs its ports to Tata at capacity, deliberately, as a means of degrading connectivity to networks which won’t peer with them or pay them money”

Feedback:

• Essential software for digital ocean droplet
• How to deal with incompetent ISP sysadmin
• Event wifi setup recommendations
• Recomendation about server setup for a local kindergarden
• Why didn’t openBSD tell OpenSSL?
• Podcasts
• Testing Gigabit Broadband Speed?
• How I “Hacked” My ISP’s Router

Round Up:

• Huge coalition led by Amazon, Microsoft, and others take a stand against FCC on net neutrality
• Compilers love messing with benchmarks – avoid comparing the wrong thing
• Researcher: iOS 7 no longer encrypting email attachments
• Improving the Mac OS X SSH Agent
• Antivirus software is dead, says security expert at Symantec
• James Mickens of Microsoft Research on choosing your zombie apocalypse gang
• 79 Percent of IT Administrators Want to Quit Due to Stress
• Another hilarious article by James Mickens
• VHS era law that protected the privacy of your video rentals may apply to streaming video, law suit filed against Hulu
• If users use insecure passwords, make them change it every 3 days, eventually they’ll use a better password
• Apple issues guidelines for Police to know what data Apple can extract from a locked phone
• Symantec says anti-virus is no longer effective, but still makes lots of money
• Proof of concept tool for exploiting OpenSSL Heartbleed issue on the client side
• Why Clang, static analysis, and dynamic analysis failed to find heartbleed

The post Internet Over Packet Loss | TechSNAP 162 first appeared on Jupiter Broadcasting.

This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.

Then it’s a big batch of your questions, and our answers.

All that and much more, in this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: