Show Notes: techsnap.systems/387

The post Private Cloud Building Blocks | TechSNAP 387 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Distrustful U.S. allies force spy agency to back down in encryption fight

• Some ISO delegates said much of their skepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard.

• In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world.

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

• Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.

• “The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today.

• The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Equifax sends customers to wrong website, not theirs, for help

• The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.

• After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.

• On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.

FinFisher government spy tool found hiding as WhatsApp and Skype

• This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISP level – packaging real downloads with spyware.

• When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

• When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.

Feedback

• Stored passwords & Amazon Fire Stick

+Hey Dan. What is a good and inexpensive tape backup drive for LTO tapes? What works for you best? Thx!

Round Up:

• HOW TO HACK A TURNED-OFF COMPUTER

• Passwords For 540,000 Car Tracking Devices Leaked Online

• In spectacular fail, Adobe security team posts private PGP key on blog

Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

• Facebook re-licenses React under MIT license after developer backlash

The post Patch Your S3it | TechSNAP 338 first appeared on Jupiter Broadcasting.

Find out about another hospital that accidentally took advantage of free encryption, researchers turn up a DDoS on the root DNS servers & the password test you never want to take.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Researchers at VeriSign investigate DDoS on root DNS servers

• Researchers from VeriSign, the company that runs the .com and .net registries, and operations 2 of the 13 critically import root DNS servers, will be giving a talk at a conference detailing their investigation into the attack
• Their findings suggest the attack, which took place in November of 2015, was not directed at the root name servers directly, but was an attempt to down two chinese websites
• The attack had some interesting patterns, likely caused by design decisions and mistakes made by the programmer of the botnet that was used in the attack
• The provide a video showing a breakdown of the attack
• It was interesting to learn that Randall Munroe (of XKCD fame) actually came up with the best way to visualize the distribution of IP addresses, with a grid where sequential numbers are in adjacent squares
• Only IP addresses in the first 128 /8 netbooks were used. The use of 128/8 specifically suggests an less than or equal, rather than an equal was used during the comparison of IP addresses
• It is not clear why a larger set of addresses were not used
• The attack seemed to use 3 or 4 different groups of bots, sending spoofed DNS requests
• Two of the larger groups of bots sequentially cycled through the 2.0.0.0/8 through 19.0.0.0/8 subnets at different speeds
• Attacks were not seen from the 10.0.0.0/8 and 127.0.0.0/8 networks, for obvious reasons
• However, a delay in the attacks sourced from 11.0.0.0/8 suggests that the botnet attempted to use the entire 10 block, but the packets just never left the source networks
• “The researchers also note that Response Rate Limiting was an effective mitigation in countering up to 60 percent of attack traffic. RRL is a feature in the DNS protocol that mitigates amplifications attacks where spoofed DNS queries are used to target victims in large-scale DDoS attacks.”
• “In addition to RRL, the researchers said attack traffic was easily filterable and through filtering were able to drop response traffic for the attack queries, leaving normal traffic untouched. One of the limitations with this approach is that it’s a manual process”

Virus hits Medstar hospital network, Hospital forced to shutdown systems

• “The health system took down some its computers to prevent the virus from spreading, but it’s not clear how many computers — or hospitals — are affected”
• “A statement by the health system said that all facilities remain open, and that there was “no evidence of compromised information.””
• “The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system’s website, it has more than 31,000 employees and serves hundreds of thousands of patients annually.”
• “One visitor to the hospital told ZDNet that staff switched the computers off after learning about the virus. The person, who was visiting a patient in one of the healthcare system’s Washington DC hospital, said the computers were powered off for more than an hour, with all patient orders lost, the person said.”
• “It’s not clear exactly what kind of malware was used in Monday’s cyberattack. A spokesperson for MedStar Health did not immediately respond to a request for comment.”
• An FBI spokesperson confirmed that it was “aware of the incident and is looking into the nature and scope of the matter.”
• Additional Coverage: Threat Post
• After a few days, the medical network was recovering
• “The healthcare provider said the attack forced it to shut down its three main clinical information systems, prevented staff from reviewing patient medical records, and barred patients from making medical appointments. In a statement issued Wednesday, it said that no patient data had been compromised and systems were slowly coming back online.”
• “Clinicians are now able to review medical records and submit orders via our electronic health records. Restoration of additional clinical systems continues with priority given to those related directly to patient care”
• “While the hospital still won’t officially confirm the attacks were ransomware related, The Washington Post along with other news outlets are reporting that employees at the hospital received pop-up messages on their computer screens seeking payment of 45 Bitcoins ($19,000) in exchange for a digital key that would decrypt data”
• “The MedStar cyberattack is one of many hospitals in recent months targeted by hackers. Last week, Kentucky-based Methodist Hospital paid ransomware attackers to unlock its hospital system after crypto-ransomware brought the hospital’s operations to a grinding halt. Earlier this year Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers that locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.”
• As long as hospitals continue to pay out, this will only grow to be a worse problem
• “Medical facilities don’t give security the same type of attention that other verticals do,” said Craig Williams, senior technical leader for Cisco Talos. “They are there to heal people and cure the sick. Their first priority is not to take care of an IT environment. As a result it’s likely the hackers have been out there for quite some time and realized that there are a lot (healthcare) sites that have a lot of base vulnerabilities.”
• As you might expect: 1400 vulnerabilities to remain unpatched in medical supply system
• Additional Coverage
• In related news:
• Canadian hospital website compromised serves up the Angler malware kit to visitors
• The site is for a hospital in a small city that serves a mostly rural area. Happens to be where I grew up, and the hospital I was born in
• The hospital site is run on Joomla, and is running version 2.5.6, which has many known vulnerabilities. The latest version of Joomla is 3.4.8
• “Like many site hacks, this injection is conditional and will appear only once for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware.”
• The obvious targets are “staff, patients and their families and visitors, as well as students”
• The hospital became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009
• “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”

CNBC Password Tester — How not to do it

• CNBC has a post about constructing secure passwords
• The basic idea was that you submit your password, and it tells you how strong it is
• There are obvious problems with this idea. Why are you giving out your password anyway?
• Of course, the CNBC site is served in plain text (which is fine for a news site), but it means your password is sent to them in the clear
• Worse, they had the site adding all of the submitted passwords to a google spreadsheet, also in the clear
• Because the password was submitted as a GET variable, and was in the URL, it was also included in the referral information sent to all of the advertising networks in the CNBC site, including DoubleClick, ScoreCardResearch, something hosted at Amazon AWS, and any other widgets on the site (Facebook, Gigya)
• If you actually did want to build a tool like this, at least use javascript to perform the calculations on the users’ device and never transmit their passwords
• Of course, users should never type the password into another website. This is the definition if a phishing attack
• The page has since been removed
• Additional Coverage

Feedback:

• pfSense question ALERT!
• OpenVPN vs IPSec VPN
• leaky DNS

Round Up:

• Finnish supercomputer suffers largest unplanned outage in years, provides post mortem
• Mattel hit by fake CEO scam, for $3 million. Managed to get it back because the next day was a bank holiday in China
• Google offers a free DDoS shield to news papers and other sites that seek to expose corruption, and may face state-level DDoS attacks attempting to silence them
• EFF Proposes “DRM Non-Aggression Pact” as part of W3C standard for DRM. Asks signatories to agree not to go after security researchers or those making ‘compatible’ technologies
• Amazon Updates Its Policies To Ban USB Type-C Cables That Are Not Fully Spec Compliant
• TrendMicro A/V software accidently exposes debugging console that can be exploited
• US Federal court warns of scammers trying to get people to pay hefty fines for missing fake jury duty
• HID Networking Door Controllers have remote root vulnerability, hilarity ensues
• A Romanian ex-minister faces jail time after embezzling the windfall from the 47% discount Microsoft gave the government for a 5 year deal to use MS Office in all Schools and Public Institutions
• New SideStepper exploit allows Man-in-the-Middle attacks against iOS devices, requires phishing or otherwise tricking the user
• Enders Analysis ad blocker study finds ads take up 79% of mobile data transfer
• Operating Blockbuster, an investigation into the Sony Pictures Entertainment wiper hack
• How Wi-Fi Works

The post Holding Hospitals Hostage | TechSNAP 261 first appeared on Jupiter Broadcasting.

The theoretical Android flaw becomes reality, a simple phishing scam hits some major companies & why your PIN has already been leaked.

Plus great questions, our answers, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

W2 Phishing scams hit a number of companies

• “Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists”
• “Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”
• “Moneytree was apparently targeted by a scam in which the scammer impersonated me (the company co-founder) and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.”
• Why that would even be a reasonable request, I don’t know
• “Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”
• Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February. Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.
• “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam. The information was sent by an employee who believed the phishing email was a legitimate internal company request.”
• “W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.”
• “For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the different between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).”
• ““When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong. To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again”.”

New exploit developed for Android Stagefright

• “Security researchers have successfully exploited the Android-based Stagefright bug and remotely hacked a phone, which may leave millions devices vulnerable to attack.”
• “Israeli software research company NorthBit claimed it had “properly” exploited the Android bug that was originally described as the “worst ever discovered”.”
• “The exploitation, called Metaphor, is detailed in a research paper (PDF) from NorthBit and also a video showing the exploit being run on a Nexus 5. NorthBit said it had also successfully tested the exploit on a LG G3, HTC One and Samsung Galaxy S5.”
• “The Stagefright vulnerability was first highlighted by security firm Zimperium in July 2015. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.”
• “A second critical vulnerability exploited issues in .mp3 and .mp4 files, which when opened were claimed to be able to remotely execute malicious code, was dubbed Stagefright 2.0 in October.”
• The flaws were originally thought to not be easily exploitable, but this new research provides a simple remote exploit case
• “The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected.”
• Android 5.0 and above are protected by ASLR, however “Dabah claims the exploit “depicts a way to bypass” address space layout randomisation (ASLR)”
• “”We managed to exploit it to make it work in the wild,” Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations.”
• “”I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem”.”
• Researcher PDF
• I am glad my phone runs Android 6.0.1 with the March 2016 Security Updates applied

PIN analysis

• “There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?”
• “People are notoriously bad at generating random passwords. I hope this article will scare you into being a little more careful in how you select your next PIN number. Are you curious about what the least commonly used PIN number might be?”
• “I was able to find almost 3.4 million four digit passwords. Every single one of the of the 10,000 combinations of digits from 0000 through to 9999 were represented in the dataset”
• “A staggering 26.83% of all passwords could be guessed by attempting the top 20 combinations”
• “The first “puzzling” password I encountered was 2580 in position #22. What is the significance of these digits? Why should so many people select this code to make it appear so high up the list?”
• This turns out to be straight down the middle of a telephone style number pad. Not the same as on on a computer, but most ABMs use the telephone style
• “Another fascinating piece of trivia is that people seem to prefer even numbers over odd, and codes like 2468 occur higher than a odd number equivalent, such as 1357”
• “Statistically, one third of all codes can be guessed by trying just 61 distinct combinations! The 50% cumulative chance threshold is passed at just 426 codes (far less than the 5,000 that a random uniformly distribution would predict)”
• The most unpopular pin is: 8068
• “Warning Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.”
• “Many of the high frequency PIN numbers can be interpreted as years, e.g. 1967 1956 1937 … It appears that many people use a year of birth (or possibly an anniversary) as their PIN. This will certainly help them remember their code, but it greatly increases its predictability”
• Pins that start with 19 dominate the top 10%, and all appear within the top 20%
• The heatmap also shows that people tend to use Birthdays a lot as well (MMDD)

Feedback:

• Techsnap feedback
• Network printing
• Linux printing using CUPS (Raspberry Pi)
• OPNsense?

Round Up:

• Hands-on with Intel’s Skull Canyon NUC, the most powerful game-ready mini-PC
• Microsoft has lost their audit data on all Certificate Authorities
• tcpdump is amazing – Julia Evans
• A study by Rutgers University and Microsoft has found that hard drives are more prone to failure due to high levels of humidity [PDF] than high temperature
• U.S. army developing encrypted radar waveform
• AMEX warns customers about breach at third party service provider, in 2013
• Big-name sites hit by rash of malicious ads spreading crypto ransomware
• Inside NIST, how time servers work
• I stayed in a hotel with Android lightswitches and it was just as bad as you’d imagine
• How quickly and easily a card skimmer can be installed
• Hurricane Electric Hosted DNS

The post Metaphorically Exploited | TechSNAP 258 first appeared on Jupiter Broadcasting.

A new major security breach at a large health insurance firm could expose 10s of millions, a phone phishing scam anyone could fall for & we celebrate our 200th episode with your TechSNAP stories.

Then its a storage spectacular Q&A & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Security breach at health insurance firm Anthem, could expose 10s of millions

• “Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. “
• “Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.””
• “The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.”
• It is reported that Anthem has hired Mandiant to investigate the attack
• Exposed data:
• Full Name
• date of birth
• member ID
• Social Security number
• address
• phone numbers
• email addresses
• employment information
• “According to Anthem’s statement, the impacted (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.”
• “Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
• More detailed information is not available yet, but I am sure we’ll be following this story in the weeks to come
• Additional Coverage – ThreatPost
• Additional Coverage

Hacked hotel phones used in bank phishing scam

• “A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the south. Such attacks are not new, but this one is a timely reminder that phishers increasingly are using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.”
• “The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date”
• It seems Holiday Inn’s telephone switching system may have been hacked, and used to record and exfiltrate the stolen information
• It is likely the hotel also lost out on business from customers actually trying to reach the hotel, and instead getting fake voice prompts for various banks
• “According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.”
• ““Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”
• “A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.”
• “Numbercop says the text message lures were sent using email-to-SMS gateways, but that the company also has seen similar campaigns sent from regular in-network numbers (prepaid mobile phones e.g.), which can be harder to catch. In addition, Volzke said, phishers often will target AT&T and Verizon users for use in furthering these schemes.”
• Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps. “Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”
• “Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.”
• Example call recording from Numbercop

Your TechSNAP Story

• TechSNAP 200

• TechSNAP 200 – FreeNAS Deployed!

• Episode 200 – Thx Allan!

• TechSNAP 200 : How its helped

• Episode 200 – Thx for BSD!

• TechSNAP Changed my Life!

• How has TechSNAP affected me?

• For 200 episode TechSnap

Feedback:

• Network Switches

• Adopted Drive Solution

• QUESTION: ZFS riskiness

• ELI5 Storage: Blocks, Extents, Pages …

Round-Up:

• Forget North Korea – Russian Hackers Are Selling Access To Sony Pictures, Claims US Security Firm
• Why Gmail has better security than your bank does
• Warning – Microsofts Outlook app for iOS breaks your company security
• More flash updates, 16.0.0.305 fixes CVE-2015-0313 through CVE-2015-0330, 15 of the 18 could lead to code execution
• Slew of Flash zero day exploits dominate malware landscape, new exploid kit emerges called Hanjuan
• The problem with crypto-challenges – a challenge constructed of known various bad practises and algorithms, is still hard to crack, does not prove security
• Fix for ‘Fancybox’ plugin for WordPress resolved zero day exploit seen in the wild
• Universal Cross site scripting vulnerability in IE could be used for Phishing or injecting malware into legitimate sites
• More serious bugs found in Siemens “RuggedCom” switches, one allows administrative and settings changes without authentication
• Google designs new SSL warning messages after more research into the subject. The hypothesis of their researched failed, but important lessons were learned

The post Your TechSNAP Story | TechSNAP 200 first appeared on Jupiter Broadcasting.

It’s great to be a malware author, if your selling to the government, Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!

Thanks to:

— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

• Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
• The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
• “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
• Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
• The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
• The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
• After modifying that flag, it was found that the client could login, and transfer funds
• The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
• Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
• “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
• It is not clear how large the bug bounty on this vulnerability will be

“Hacking Team”

• “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
• They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
• The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
• The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
• In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
• The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
• It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
• “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
• The malware produced by Hacking Team has evolved to include modern malware for mobile phones
• Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
• On a jail broken iOS device, the malware has the following features:
• Control of Wi-Fi, GPS, GPRS
• Recording voice
• E-mail, SMS, MMS
• Listing files
• Cookies
• Visited URLs and Cached web pages
• Address book and Call history
• Notes and Calendar
• Clipboard
• List of apps
• SIM change
• Live microphone
• Camera shots
• Support chats, WhatsApp, Skype, Viber
• Log keystrokes from all apps and screens via libinjection
• The Android version is heavily obfuscated, but it appears to target these specific applications:
• com.tencent.mm
• com.google.android.gm
• android.calendar
• com.facebook
• jp.naver.line.android
• com.google.android.talk
• The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, that merely requires LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
• Additional Coverage – ThreatPost
• Additional Coverage – SecureList
• Additional Coverage – SecureList – Original article on HackingTeam from April 2013

Feedback:

• What is the point of SUDO?
  • SUDO Mastery

• Sending E-mail from a server

• How To Install and Setup Postfix on Ubuntu 14.04 | DigitalOcean

• How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssasin | DigitalOcean

• Securing data in a database with GnuPG or OpenSSL

Round Up:

• Google Starts Removing Search Results Under Europe’s ‘Right to be Forgotten’
• Malware authors targeting vendors of legitimate apps as new infection vector. By hacking the websites of legitimate applications used by plants that also employ ICS (Industrial Control Systems), such as power plants, they gain a way to get a foothold in secure networks.
• Nation States implicated in two airports hacked with spear-phishing emails
• Yeah, I trust that ATM, looks totally legit
• Intel offering x86 based robot kits designed to be augmented with 3d printed parts
• MIT researchers unveil 36 core ‘tile’ processor that uses a routed network to move data between cores
• Red Hat Assistant General Counsel posts analysis of Supreme Court’s patent ruling
• Intuit defeats patent troll that bested NewEgg, may finally put an end to the SSL+RC4 trials

The post Big Brother's Malware | TechSNAP 169 first appeared on Jupiter Broadcasting.

In an ironic twist of fate, the Onion suffers an embarrassing compromising, that appears to match a new pattern of attack. We’ve got the details.

Plus picking the right open source load balancer, Google’s aggressive new disclosure policies, and big batch of your questions, and much much more!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Support the Show:

   

Support the Show: