POS – Jupiter Broadcasting (https://www.jupiterbroadcasting.com): Open Source Entertainment, on Demand.

The Internet is Dying | TechSNAP 279
https://original.jupiterbroadcasting.net/101941/the-internet-is-dying-techsnap-279/
Thu, 11 Aug 2016 06:07:42 +0000

The post The Internet is Dying | TechSNAP 279 first appeared on Jupiter Broadcasting.

Why the Internet needs its own version of cancer researchers, bypassing chip and pin protections & the 2016 Pwnie Awards from Black Hat!

Plus your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

Fixing this Internet before it breaks again

  • “What we call the Internet, was not our first attempt at making a global data network that spanned the globe. It was just the first one that worked.”
  • “There is no guarantee that the internet will succeed. And if we aren’t careful we can really screw it up. It has happened before and we can do it again.”
  • “Kaminsky, who was delivering the keynote to over 6,000 Black Hat USA 2016 attendees, said problems that need to be addressed within the security community are political, technical and how the security community collaborates.”
  • “The internet doesn’t have the equivalent of ‘the guy’ that’s working on cancer. We need institutions and systems. We need to have something like NIH (National Institutes of Health) for cyber. It needs to have good and stable funding,” Kaminsky said. Research, problem solving and solutions are too often conducted in fiefdoms that seldom share the collective solutions needed to help fix the big security issues of the day. “I’m worried. I’m worried about our ability to innovate and our ability to create and I’m worried that we are not building the sort of infrastructure to make the internet a safe place.”
  • “By taking a NIH type of approach, Kaminsky argued, the internet would foster a large number of deeply committed security experts to work independently and away from commercial interests that push the security sector to come up with quick fixes to solve big security problems. “We need to make changes and we need to have studies about the way we program and the method that people use to build secure things.””
  • “So what I’m looking to answer is – forget the layers of abstraction and the politics – how do we get 100 nerds working on a project for 10 years without interrupting them or harassing them and telling them to do different things. How do you make that happen? How you don’t make that happen is how we are doing that in InfoSec today – and that’s with the spare time of a small number of highly paid consultants. We can do better than that”
  • “Kaminsky doesn’t see the NIH approach as a panacea to all that ails the security world. In fact, in his talk he described a delicate balancing act where the security community derives the benefits of broader administration without being hamstrung by potential politics. Control, greed and companies driven by profits, he argues, killed the internet of the 1990s. He argues AOL tried to create a walled garden and control everything and make billions. But that internet failed”
  • “There are two models of an internet. There is the walled garden and freedom. The walled garden is, ‘okay here is your environment and go ahead and try to use it.’ The other model is that people can put stuff up and other people can use and abuse it. People don’t need to ask for permission they don’t need to beg. Maybe it works and maybe it doesn’t.”
  • Are Apple, Facebook, Google, and Microsoft taking us towards their own versions of AOL’s walled garden of the Internet?
  • How often does your family’s internet browsing actually leave Facebook?
  • He warns, the same way AOL’s walled garden threatened a free internet of the 1990s, government control over encryption could have the same stifling effects on innovation and cyber liberties. “Let’s stop the encryption debate. This is actually useless. It’s driving all the energy away from what we need to fix.”
  • Topping Kaminsky’s fixit list was devising better ways for the security community to collectively move the security ball forward and not view security solutions as individual races to win. “Let’s take our obscure knowledge and real expertise and make it available to the rest of the security community,” he said. By sharing knowledge and solutions, it allows us to find flaws quicker and fix them even faster.
  • It is not about the splashiest vuln with the coolest name, or having the fastest fix, it is about being in it for the long term, and actually fixing things.

Researchers bypass chip and pin protections by attacking the PoS terminals

  • “The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security.”
  • “Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see some wear, according to researchers.”
  • Except in the US
  • The chip card transition in the US has been a disaster
  • “Nir Valtman and Patrick Watson, researchers with NCR Corporation, staged a series of malicious transactions in a talk here at Black Hat on Wednesday, demonstrating how they could capture Track 2 data and bypass chip and pin protections.”
  • “Instead of attacking the operating system of the POI and POS devices, the researchers bypassed much of the built-in security. This includes integrated cryptographic security schemes. Breaking crypto, after all, is very hard. That’s because cryptography is just math, and math (for the most part) works. But the crypto is just part of the overall security system, the other pieces of which are vulnerable to attack. This was made even easier since much of the information the team sought in their attacks was not encrypted on the payment device.”
  • “In their first demonstration, the duo used a Raspberry Pi to capture Track 2 data packets in real time. Via a passive man-in-the-middle compromise, Wireshark picked up two interactions from data entered into a pinpad running flawed production software that’s currently in the wild. The two declined to specify the company’s name, but claimed they had spoken with the vendor and asked them to implement TLS connections, but said they couldn’t as they ran old hardware.”
  • “The garbled data can be transformed into readable bits, service code expiration data, discretionary data, and so on, data that can tip a hacker off whether the card is a chip card.”
  • The pair showed how easy it’d be to use a malicious form to trick a consumer into re-entering their PIN or a CVV on a card machine. “Consumers trust pinpads, they usually think they entered it wrong.”
  • “According to the two researchers, attackers could compromise a pinpad – by injecting a form, Malform.FRM in this instance, when no one’s in the store and quickly change it back to a customized “Welcome!” message. Both Valtman and Watson advocate that pin pads leverage strong crypto algorithms and allow only signed whitelist updates. Point of sale pin pads are usually PCI certified but the two pointed out PCI doesn’t require encryption over a local area network, which is how an attacker could carry out a MiTM attack.”
  • So they used the API of the payment terminal to trick the user into actually typing in the CVV, so they could capture it.
  • They also socially engineered the user into thinking they mistyped their PIN, having them enter it a second time. One of the two entries is not expected by the legitimate software, and is instead captured by the attacker’s software.
  • “Consumers should never re-enter their PIN, as it’s a telltale giveaway that a pin pad may have been compromised, Valtman claimed, before adding that he usually frequents stores that allow him to pay with his Apple Watch, as he finds the technology more secure than EMV”
  • “It’s cool, but not a secure standard,” Nir said.
  • “As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.”
  • Slides
  • Additional Coverage

The 2016 Pwnie Awards!


Windows Exploit Edition | TechSNAP 274
https://original.jupiterbroadcasting.net/101026/windows-exploit-edition-techsnap-274/
Thu, 07 Jul 2016 19:21:02 +0000

The post Windows Exploit Edition | TechSNAP 274 first appeared on Jupiter Broadcasting.


On this week’s episode we cover a UEFI firmware bug that is affecting computers including ThinkPads, tell you how your Windows box can be totally pwned even if it’s fully encrypted & talk about the shortcomings of the MD5 checksum. Plus the feedback, the roundup & more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

ThinkPwn, Lenovo and possible other vendors vulnerable to UEFI bug

  • “This code exploits a 0day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all of the ThinkPad series laptops; the oldest one that I have checked is the X220 and the newest one is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things.”
  • An attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode”.
  • “Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets.”
  • “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.”
  • Lenovo Advisory
  • The vulnerable code has also been found in HP Pavilion Laptops, some Gigabyte Motherboards (Z68, Z77, Z87, Z97), Fujitsu, and Dell.
  • Exploring and exploiting Lenovo firmware secrets
  • ThinkPWN, proof of concept exploit

From zero to SYSTEM on a fully encrypted Windows machine

  • “Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment.
    When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system.”
  • “In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affect all Windows versions (from Vista to 10) and abusing a standard “security” feature.”
  • “These two vulnerabilities, discovered with the help of my colleague Tom Gilis, were reported to Microsoft; however only one vulnerability is patched at the time of writing: CVE-2016-0049 / MS16-014.”
  • “The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here.”
  • Acknowledgement by Microsoft
  • Since the time of this post, the patch has been released. It turns out, it is MS16-072
  • You might remember MS16-072 from TechSNAP #272 as the Windows Update that broke Group Policies!
  • “Step 1 – Hibernation – Your friendly neighbourhood password dumper”
  • “Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation comes to the rescue, but we need to be able to force the system into hibernation, creating the HIBERFIL.SYS.”
  • “Luckily, the default configuration of a laptop running Windows dictates going into hibernation if the battery hits a critical low. This feature, set by default at 5%, ensures you don’t lose any unsaved documents when your battery dies. Once we force the laptop into hibernation mode we reboot it and move to the next step.”
  • “Step 2 – Bypassing the login or lock screen”
  • “If the computer is a member of an AD Domain, and the user has logged in on this machine before, so their password is cached locally, all an attacker needed to do is create a rogue Kerberos server with the target user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing.”
  • “Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials)”
  • So, since the attacker set the new password on the Domain Controller (not really, but the computer thinks they did), they know this password, and when they attempt to log in with it and Windows cannot reach the domain controller, it uses this locally cached password and allows them to log in.
  • “Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not a local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software.”
  • “Step 3 – Privilege escalation to SYSTEM”
  • “We know that the trust between the client and Domain Controller (DC) is not always properly validated, we have a working Active Directory set-up and we have a working rogue DC. The question is: is there any other Windows functionality that fails to properly validate the trust?”
  • “How about Group Policies? It works on all supported Windows versions. There is no need for any additional (vulnerable) software. No specific configuration requirements”
  • “There are 2 types of Group Policy Objects (GPO), Computer Configuration and User Configuration Policies.”
  • “Computer Configuration Policies are applied before logon, the machine account is used to authenticate to the DC in order to retrieve the policies and finally all policies are executed with SYSTEM privileges. Since we don’t know the machine account password, using Computer Configuration Policies is not an option.”
  • “User Configuration Policies are applied after a user is logged in, the user’s account is used to authenticate to the DC to retrieve the User Configuration Policies and the policies are either executed as the current logged-on user or as SYSTEM.”
  • “Now this last type of Policy is interesting because we know the password of the user as we reset it to our likings.”
  • “Let’s create a Scheduled Task GPO that will execute NetCat as SYSTEM and finally will connect to the listening NetCat service as the current user.”
  • On Windows 7, it is immediately game over: you own the system.
  • “Windows 7 fails to validate if the DC from where the Group Policies are being applied is indeed a trusted DC. It is assumed that the user credentials are sufficient to acknowledge the trust relationship. In this attack all encrypted traffic remains intact and doesn’t require any modification whatsoever.”
  • On Windows 10, it didn’t work right out of the box
  • It turns out the rogue DC needs to have a user object matching the SID of the user that is logging in. Luckily, with Mimikatz, you can edit the SID of the user on the rogue DC to make it match.
  • Additional Coverage: Part 2
  • Slides
  • So, Microsoft has patched both of these vulnerabilities, and we are all safe again, right?
  • “Bypassing patch MS16-014: Yes, you’ve read it right! There is still a way to bypass the Windows Login screen and bypass Authentication 😉 More details will be released soon!”
  • The author has not released the details yet, as they are waiting on Microsoft to release another patch

The MD5 collision is here

  • “A while ago a lot of people visited my site (~ 90,000) with a post about how easy it is to make two images with the same MD5 by using a chosen prefix collision. I used Marc Stevens’ HashClash on AWS and estimated the cost at around $0.65 per collision.”
  • “Given the level of interest I expected to see cool MD5 collisions popping up all over the place. Possibly it was enough for most people to know it can be done quite easily and cheaply but also I may have missed out enough details in my original post”
  • A 2014 blog post showed how to create two php scripts with the same MD5
  • An early 2015 blog post showed two JPGs with the same MD5
  • So, this version of the tools was able to make two different .jpg images, that had the same MD5 checksum, but different contents, while still being perfectly valid JPG images
  • The post included instructions and an Amazon AWS image to do the number crunching.
  • There was a later follow-up post on how to do the same thing with executable files.
  • Same Binaries Blog Post
  • This example shows a C binary that prints an Angel if a condition is true, and a Devil if it is false
  • It contains a bunch of filler that can be changed to make the hashes the same in a second version of the file, where the condition is false. The end result is a pair of binaries, with the same MD5 hash, but different output
  • Using this same technique, Casey Smith (@subtee) managed to make an Angel.exe that is a copy of mimikatz, a Windows password dumping utility, and a Devil.exe that just says ‘nothing to see here’.
  • Demo of the attack
  • This means all I need to do is run this tool against my malware and, say, regedit.exe, which is on the whitelist in Windows, and now I have a malware binary that will be trusted.

Project Zero Goes To War | TechSNAP 177
https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/
Thu, 28 Aug 2014 19:01:59 +0000

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.


Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, and we get real about virtualization.

And then it’s a great batch of your questions, our answers & much more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP can be good indicators of future vulnerabilities.
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (an outdated WordPress is a good hacking target).
  • It also compares the sites to sites that have been compromised. If a site is very like another, and that other was compromised, there is an increased probability that the first site will also be compromised
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: the presence of the ‘generator’ meta tag with a value of ‘WordPress 3.2.1’ or ‘WordPress 3.3.1’
  • Research PDF from USENIX
  • There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago Google’s Project Zero reported a bug in glibc, however there was much skepticism about the exploitability of the bug, so it was not fixed
  • However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32bit OSs
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora instead to more easily develop the exploit.
  • The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running system("/bin/bash") started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked list hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected“
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor. “
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

GoodGoogle BadUSB | TechSNAP 173
https://original.jupiterbroadcasting.net/63557/goodgoogle-badusb-techsnap-173/
Thu, 31 Jul 2014 16:53:08 +0000

The post GoodGoogle BadUSB | TechSNAP 173 first appeared on Jupiter Broadcasting.


China goes on a hacking spree, and compromising a Point of Sale system is as simple as an eBay purchase.

Plus what’s bad about GoodGoogle, your questions, our answers, and much much more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

What can you find on a used POS terminal off eBay?

  • Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200.
  • The Aloha POS system is sold by NCR, which came under its wing with its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
  • Oh found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
  • Oh’s research illustrates the security issues facing the hospitality industry, outdated POS systems which it sometimes cannot afford to update.
  • Companies don’t appear to be paying enough attention to security issues with their POS terminals, and older systems are often still in use, which may not be as secure.
  • The problem is also impacting the food industry, where there is little budget to upgrade POS systems.
  • P.F. Chang’s was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant’s acquisition by NCR.
  • P.F. Chang’s disclosed a credit and debit card breach last month.
  • P.F. Chang’s said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.
  • HP Security Research Blog

Hackers breach three Israeli Defense firms behind Iron Dome

  • Brian Krebs breaks the news that the three defense contractors responsible for the design and building of the Iron Dome missile defense system have had their computer systems breached
  • Iron Dome intercepts inbound rockets and mortars and has been credited with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict
  • The attackers stole huge quantities of sensitive documents pertaining to the missile shield technology
  • The breach occurred between Oct. 10, 2011 and August 13, 2012, but was not disclosed
  • The three victims were: Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems
  • The breach was investigated by Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI)
  • CyberESI managed to gain access to the secret communications infrastructure set up by the attackers, and from that learned that a very large volume of data had been exfiltrated from the victim networks
  • The stolen material included a 900-page document that provides detailed schematics and specifications for the Arrow III missile, plus documents about Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other related technical documents
  • “Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.”
  • Iron Dome is partially funded by the US Government, and was designed in cooperation with some US defense contractors
  • “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”
  • Many of the documents that were stolen have their distribution restricted by the International Traffic in Arms Regulations (ITAR), a U.S. State Department control that regulates the defense industry, raising questions about the lack of timely disclosure
  • “According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.”
  • “Once inside the IAI’s network, Comment Crew members spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout the company’s network and expanding their access to sensitive files. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network.”
  • “Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”
  • “While some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years learning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this approach can or should scale for smaller firms.”

Chinese hackers breach National Research Council of Canada computers while they are working on new security system to prevent attacks

  • The Canadian federal government revealed on Tuesday that the NRC’s computer networks were the target of a cyber attack, and had been shut down to contain the compromise
  • The NRC is working with both the private sector and university research teams to create a physics-based computer encryption system
  • “NRC is developing photonics-based, quantum-enhanced cyber security solutions … collaborating to develop technologies that address increased demands for high-performance security for communications, data storage and data processing.” says the NRC’s website.
  • “NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure.” “This could take approximately one year; however, every step is being taken to minimize disruption.”
  • The intrusion came from “a highly sophisticated Chinese state-sponsored actor,” said the Treasury Board. “We have no evidence that data compromises have occurred on the broader Government of Canada network.”
  • The article states “… comes as the agency is working on an advanced computer encryption system that is supposed to prevent such attacks.”
  • Encryption does not prevent your computer systems from being breached by attackers, especially if the attackers gain a foothold via phishing and other social-engineering attacks
  • The encryption system is a defense against eavesdropping, and can possibly protect sensitive documents in cold storage, but it does not prevent systems from being compromised

Service offers to defeat your competitors online advertising

  • Krebs brings us more news, this time about an online service that exhausts the daily advertising budget of your competitors, making your own advertisements less expensive and more visible
  • A common scam involving Google’s AdSense service is “click fraud”. A fraudster sets up a website to display ads, then drives fake traffic to the site, and fake clicks on the ads
  • The fraudster then gets paid by Google a portion of what the advertiser paid to show the ad
  • However, Krebs found someone doing the opposite, defrauding the AdWords side of the business
  • “GoodGoogle” is the name of one of these fraudster services. It promises to click the ads of your competitors, driving up their costs and exhausting their advertising budget early in the day (or early in each hour, depending on the Google settings)
  • This means your own ads will be less expensive (your lower bid normally wouldn’t win, but if all of the higher bidders have expended their budget for the day, you are now the high bidder), and you cost your competitors more money
  • “The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’ ads indefinitely. Fees are paid up-front and in virtual currencies and the seller offers support and a warranty for his work for the first three weeks.”
  • “Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, speculated that GoodGoogle’s service consists of two main components: A private botnet of hacked computers that do the clicking on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results”
  • This could also be an interesting case of double-dipping: if the fraudster ran fake sites with content specific to the keywords his customers wanted to attack, he could make money via click fraud on the AdSense side while charging for his services on the AdWords side
  • “Amazingly, the individual responsible for this service not only invokes Google’s trademark in his nickname and advertises his wares via instructional videos on Google’s YouTube service, but he also lists several Gmail accounts as points of contact. My guess is it will not be difficult for Google to shutter this operation, and possibly to identify this individual in real life.”

Feedback:


Round-Up:


The post GoodGoogle BadUSB | TechSNAP 173 first appeared on Jupiter Broadcasting.

Targeting the HVAC | TechSNAP 148 https://original.jupiterbroadcasting.net/51107/targeting-the-hvac-techsnap-148/ Thu, 06 Feb 2014 19:22:54 +0000 https://original.jupiterbroadcasting.net/?p=51107 We finally have the answer to how the Target network was physically breached, and it just might make you facepalm.


We finally have the answer to how the Target network was physically breached, and it just might make you face-palm.

Plus some urgent Adobe news, the NSA ORCHESTRA program, and a big batch of your questions and our answers.

All that and a heck of a lot more, on this week’s TechSNAP!

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Security Protocols and Evidence

  • Researchers at Cambridge propose a new way of thinking about security protocols: designing into them the facilities required to generate proper evidence that can be used in court for dispute resolution
  • The goal of the research is to highlight the types of design considerations that should be put into cryptocurrency systems like bitcoin and other payment systems like electronic banking and mobile payment apps
  • The research uses EMV (Chip&Pin) as an example and shows how it does not currently provide the evidence required for proper dispute resolution
  • The paper outlines 5 design considerations:
  • Principle 1: Retention and disclosure.
  • Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody
  • Principle 2: Test and debug evidential functionality.
  • When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses
  • Principle 3: Open description of TCB (trusted computing base).
  • Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations
  • Principle 4: Failure-evidentness.
  • Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism
  • Principle 5: Governance of forensic procedures.
  • The forensic procedures for investigating disputed payments must be repeatable and be reviewed regularly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures
  • The paper then goes on to describe ways these principles could be applied to the existing EMV system to improve its security and dispute resolution facilities

Target Hackers Broke in Via HVAC Company

  • Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.
  • Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
  • Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • The HVAC company president confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation
  • It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
  • According to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
  • Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
  • Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
  • While some reports on the Target breach said the stolen card data was offloaded via FTP to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.
  • These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
  • These compromised hosts serve as cut-outs: after the stolen data is copied from them by the attacker, the logs can be erased to break the trail of evidence

Adobe announces emergency patch for Flash Player, flaw being exploited in the wild

  • Adobe has issued an emergency security advisory for all versions of Flash Player
  • Adobe released 12.0.0.44 for Windows and Mac, and 11.2.202.336 for Linux and FreeBSD
  • Bundled versions for Chrome (12.0.0.41) and Internet Explorer (12.0.0.38) were also updated to 12.0.0.44
  • “These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).”
  • Researchers Alexander Polyakov and Anton Ivanov of Kaspersky Lab discovered an exploit for the vulnerability being used in the wild and reported it to Adobe
  • Adobe has released no further details about the ongoing attack
  • Researcher’s Post
  • “During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later”
  • “The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment”
  • “Most interesting, the authors appear to be native in yet another language which has been observed very rarely in APT attacks.”
  • The language in question appears to be Korean
  • Kaspersky Lab has released more technical details about the exploit
  • Additional Coverage

Feedback:


Round Up:

The post Targeting the HVAC | TechSNAP 148 first appeared on Jupiter Broadcasting.

Google’s Automated Outage | TechSNAP 147 https://original.jupiterbroadcasting.net/50702/googles-automated-outage-techsnap-147/ Thu, 30 Jan 2014 17:44:34 +0000 https://original.jupiterbroadcasting.net/?p=50702 Microsoft has been breached, Google suffers a major outage, and finally some solid technical details on Target’s massive credit card hack.


Microsoft has been breached, Google suffers a major outage, and finally some solid technical details on Target’s massive credit card hack.

Plus a great batch of your questions, a rockin roundup, and much much more.

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Microsoft breach leads to hackers stealing Law Enforcement documents

  • According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts, and in some cases, the attacks were successful.
  • “It appears that documents associated with law enforcement inquiries were stolen,” Adrienne Hall, General Manager at Microsoft’s Trustworthy Computing Group, wrote in a blog post.
  • “If we find that customer information related to those requests has been compromised, we will take appropriate action,” Hall continued. “Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.”
  • The attackers targeted both the email and the social media accounts of Microsoft’s employees; the company did not reveal how many documents might have been exposed, nor the nature of the attackers.
  • What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers.
  • According to Microsoft, the Syrian Electronic Army may be behind the attacks.
  • “Our current information suggests the phishing attacks are related,” Hall told SecurityWeek in an emailed statement.
  • In March 2013, Microsoft released its first transparency report, noting that it had received over 70,000 law enforcement requests in 2012.
  • Additional Coverage:
  • Spear phishing against Microsoft, exposed law enforcement inquiries
  • Microsoft Believes Law Enforcement Documents Compromised in Hack
  • Microsoft says new phishing attacks targeted law enforcement documents | Ars Technica
  • Microsoft: documents were stolen during recent employee email hack | The Verge
  • Syrian Electronic Army stole law enforcement docs from Microsoft

Target Update

  • An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely used IT management software suite
  • As we previously noted, the attackers used malware on the POS boxes to send credit card data read from memory to a central control server on Target’s internal network.
  • The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the screenshot in the original article).
  • That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”
  • BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine
  • “The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network,” according to a Dell SecureWorks paper being circulated to certain Dell customers.
  • According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite.
  • According to a trusted Krebs source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.
  • Initial entry into the network is suspected to have been facilitated by a SQL injection attack, according to Malcovery.
  • Update: BMC says it is working with McAfee to investigate
  • Krebs: WSJ says that the vendor credentials used in the attack may have come from a vendor other than BMC
  • Additional Coverage – Ars Technica

Google breaks itself, and then fixes itself, while Engineers are busy on Reddit

  • At 10:55 a.m. PST this morning, an internal system that generates configurations—essentially, information that tells other systems how to behave—encountered a software bug and generated an incorrect configuration.
  • The incorrect configuration was sent to live services over the next 15 minutes, caused users’ requests for their data to be ignored, and those services, in turn, generated errors.
  • Users began seeing these errors on affected services at 11:02 a.m., and at that time our internal monitoring alerted Google’s Site Reliability Team. Engineers were still debugging 12 minutes later when the same system, having automatically cleared the original error, generated a new correct configuration at 11:14 a.m. and began sending it; errors subsided rapidly starting at this time.
  • By 11:30 a.m. the correct configuration was live everywhere and almost all users’ service was restored.
  • Reddit AMA
  • Additional Coverage – Reuters
  • Additional Coverage – TechCrunch
  • Additional Coverage – FoxNews

Feedback:

Round-Up:

The post Google's Automated Outage | TechSNAP 147 first appeared on Jupiter Broadcasting.

Breaking DKIM | TechSNAP 81 https://original.jupiterbroadcasting.net/26536/breaking-dkm-techsnap-81/ Thu, 25 Oct 2012 19:41:52 +0000 https://original.jupiterbroadcasting.net/?p=26536 How an aviation blogger unlocked the secrets of the TSA’s barcode, and a serious bug in the Linux Kernel.


How an aviation blogger unlocked the secrets of the TSA’s barcode, if you’re a Barnes and Noble shopper we’ve got a story you need to hear, and a serious bug in the Linux Kernel.

Plus a batch of your questions, and our answers.

All that and so much more, in this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Barnes and Noble POS Terminals compromised, debit card PINs stolen

  • Barnes and Noble discovered on Sept 14th that a number of the PIN pads for its point-of-sale system had been compromised
  • Barnes and Noble did not go public with the information until this week, at the request of investigators
  • Tampered PIN pads were found in 63 stores all over the country, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island
  • The retailer reported that only about 1% of their PIN pads had been tampered with, but when the compromise was discovered on Sept 14th they disconnected all PIN pads at their 700 stores
  • It appears that a coordinated criminal enterprise infected PIN pads with malware that would record credit/debit card numbers and PINs
  • B&N recommends that you change your debit card PIN and watch your debit and credit accounts for unauthorized transactions
  • Online purchases were not affected
  • Official Announcement from Barnes and Noble

Aviation Blogger finds that he can determine what security screening he will get from his boarding pass

  • Frequent flyer John Butler wrote a blog post this week after he was able to determine what level of security screening he would be subjected to at the airport by reading the unencrypted barcode on his boarding pass
  • This raises the possibility that terrorist or smuggling groups could buy multiple tickets, then check each one and use the ones that subject them to the less intense screening process
  • The barcodes also appear to lack any form of MAC (Message Authentication Code) to protect them from unauthorized modification
  • It is unclear if a modified barcode would work, or if it is checked against a central database
  • It is illegal under US law to tamper with or alter a boarding pass
  • The vulnerability appears to be confirmed by reading the specifications for the system published by the IATA (International Air Transport Association)
  • Every airport I’ve been through (YYZ, YHM, YYC, CDG, WAW, AMS) has had no way to avoid the screening process; it appears that only the TSA allows you to pass through security without the basic screening. I have been randomly selected for additional screening (chemical residue test) twice

Serious bug in Linux kernel results in EXT4 data corruption

  • A bug was accidentally introduced in Linux kernel version 3.6.2, and then backported into 3.4 and 3.5
  • The bug has to do with the way the superblock and journal are updated, and can result in extensive data corruption, especially if a filesystem is unmounted shortly after it was mounted
  • A patch was posted, but was found not to fully solve the problem, so a second patch was posted later
  • Kernel 3.4.x is reaching end of life, and may not get an official patch

Dreamhost decides to change its SSH keys without notifying customers

  • DreamHost, a large shared web hosting provider, generated new SSH keys for all of its servers on Wednesday
  • DreamHost claims it is the “result of a security maintenance which we are performing to prevent exploitation of weak or outdated keys”
  • It seems like an excessive step, unless one or more of the SSH host private keys were compromised, in which case that is huge security news
  • If the keys were compromised, this means that someone could impersonate the DreamHost server and log the login attempts, capturing valid username and password combinations
  • DreamHost made a number of mistakes:
  • Not giving users a heads-up before the change: no email was sent, just a blog post that users were directed to when they contacted support about the error message
  • The blog post encourages users to just delete the old SSH key from their known_hosts file and accept the new one, without verifying its authenticity
  • DreamHost did not publish a list of the fingerprints of the new keys, so customers have no way to verify the authenticity of the new keys they are presented with when they connect
  • The purpose of SSH host key fingerprints is to verify the identity of the remote host. They work in much the same way as SSL certificates, except that there is no central certificate authority; it is up to the user to verify the identity of the key the first time. The main goal is to notify the user if the key suddenly changes, which suggests that you are not in fact connecting to the intended server but to some other server that may be trying to capture your credentials or perform a man-in-the-middle attack on you
  • An attacker able to perform a man-in-the-middle attack during a period when users are willing to simply ignore the security warning (or even take the additional steps OpenSSH requires before it will accept a changed key) could be very successful
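The check DreamHost should have enabled its customers to make, as an added example (not DreamHost's or OpenSSH's code): compute the same SHA256 fingerprint that `ssh-keygen -lf` prints for a host-key line and compare it to a fingerprint the provider published out of band. The host name, key bytes and function names are made up for this example.

```python
"""Verify an SSH host key against a published fingerprint before accepting it.

Added example for the DreamHost story above; it is not DreamHost's or
OpenSSH's code. It computes the "SHA256:<base64>" fingerprint OpenSSH shows
(SHA-256 over the raw key blob, base64 without padding) for a host-key line
in ssh-keyscan / known_hosts format and compares it with the fingerprint the
provider should have published. Host name and key bytes are placeholders.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_hostkey_line(host: str, keytype: str, raw_key: bytes) -> str:
    """Assemble a '<host> <keytype> <base64 blob>' line like ssh-keyscan prints.

    Only the simple ed25519-style blob (type name + one key field) is built
    here; that is enough to exercise the verification path below.
    """
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw_key)
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


def parse_hostkey_line(line: str):
    """Split a plain (unhashed) known_hosts / ssh-keyscan line into (host, keytype, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: <host> <keytype> <base64 key> [comment]")
    host, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64)
    # The blob carries its own type name first; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match the key blob")
    return host, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, published: dict) -> bool:
    """True only if the presented key hashes to the fingerprint published for (host, keytype).

    A host with no published fingerprint counts as unverified: the key is not
    accepted on faith, which is what the DreamHost post asked users to do.
    """
    host, keytype, blob = parse_hostkey_line(line)
    expected = published.get((host, keytype))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), expected)


# Constructed placeholder: 32 zero bytes standing in for an ed25519 public key.
PLACEHOLDER_LINE = build_hostkey_line("shell.example.com", "ssh-ed25519", bytes(32))
# What the provider should have published out of band (derived here from the placeholder).
PUBLISHED = {
    ("shell.example.com", "ssh-ed25519"):
        sha256_fingerprint(parse_hostkey_line(PLACEHOLDER_LINE)[2]),
}

if __name__ == "__main__":
    print(PLACEHOLDER_LINE)
    print("published:", PUBLISHED[("shell.example.com", "ssh-ed25519")])
    print("accepted:", host_key_matches(PLACEHOLDER_LINE, PUBLISHED))
```

In practice the line would come from `ssh-keyscan -t ed25519 <host>` and the expected fingerprint from the provider's documentation, checked before running `ssh-keygen -R` and reconnecting.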

Mathematician finds that Google and others were using weak keys for DKIM

  • Mathematician Zachary Harris got an email from a Google headhunter for a job as a Site Reliability Engineer
  • Seeing as he is not an expert in that field, he assumed that the email was a phishing scam
  • He examined the headers, and determined that it was signed with the proper DKIM keys, appearing to actually be from Google
  • DKIM (DomainKeys Identified Mail) is a scheme in which all outbound email is cryptographically signed with a private key; the signature can then be verified against a public key published in DNS, so that only email actually sent by the domain carries a valid signature. It is a common anti-spam and anti-phishing mechanism
  • He noticed that Google was only using 512-bit keys for DKIM
  • Harris explored other sites and found the same problem with the keys used by Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Match.com, PayPal, SBCGlobal, Twitter, US Bank and Yahoo
  • He found keys of 384, 512 and 768 bits, despite the fact that the DKIM standard calls for a minimum of 1024-bit keys
  • A 384-bit key can be factored on a laptop in 24 hours, while a 512-bit key can be factored in about 72 hours using Amazon EC2 for around $75
  • In 1998, factoring a 512-bit key was an academic breakthrough requiring a great concerted effort. Today anyone can do it themselves in 72 hours on AWS
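The check Harris ran, as an added example (not code from the show, Google or any of the companies listed): parse a DKIM TXT record and read the RSA modulus size out of the DER-encoded public key, flagging anything under 1024 bits. The record it tests against is built from a placeholder modulus of the right size, not real key material, and the function names are this example's own.

```python
"""Measure the RSA key size published in a DKIM DNS TXT record.

Added example for the DKIM story above; not code from the show, Google or
any of the companies Harris examined. Standard library only: it splits the
TXT record into tag=value pairs (v=DKIM1; k=rsa; p=<base64 DER public key>),
walks the DER SubjectPublicKeyInfo to the RSA modulus and reports its bit
length. build_dkim_txt() wraps a placeholder modulus so the check can run
offline; the modulus is NOT a real key, just an integer of the right size.
"""
import base64

# DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1
_RSA_OID = bytes.fromhex("06092a864886f70d010101")
MIN_BITS = 1024  # the minimum the notes say the DKIM standard calls for


def parse_dkim_txt(txt: str) -> dict:
    """Split a DKIM record into its tags. Only the first '=' separates a pair,
    because the base64 in p= may itself end with '=' padding. (A record longer
    than 255 bytes arrives as several DNS strings; join them before calling.)"""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())  # base64 may be wrapped
    return tags


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus bit length of a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = _der_read(spki, 0)               # AlgorithmIdentifier
    if tag != 0x30 or not alg_id.startswith(_RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)               # BIT STRING with RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr[1:], 0)            # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_pub, 0)             # RSAPublicKey: INTEGER n first
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 pad is harmless


def dkim_key_bits(txt: str) -> int:
    tags = parse_dkim_txt(txt)
    if tags.get("k", "rsa") != "rsa":          # k= defaults to rsa in DKIM
        raise ValueError("only k=rsa records are handled here")
    if not tags.get("p"):
        raise ValueError("empty p=: key revoked or record malformed")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def is_weak_dkim_key(txt: str) -> bool:
    return dkim_key_bits(txt) < MIN_BITS


# --- minimal DER writer, used only to fabricate placeholder records offline ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def build_dkim_txt(modulus: int, exponent: int = 65537) -> str:
    """Wrap a placeholder modulus in SPKI DER and a DKIM TXT record."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _RSA_OID + b"\x05\x00")        # rsaEncryption, NULL params
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for bits in (384, 512, 1024):
        record = build_dkim_txt((1 << (bits - 1)) | 1)   # placeholder, not a real key
        print(bits, "bits ->", "WEAK" if is_weak_dkim_key(record) else "ok")
```

For a live check, feed `dkim_key_bits()` the joined TXT strings of `<selector>._domainkey.<domain>` as returned by your resolver.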

Feedback:

While having lunch at EuroBSDCon, a FreeBSD developer recognized me from the Linux Action Show. He just so happened to be one of the main USB developers, and proceeded to correct (yell at) me. He recently expended a great deal of effort to improve support for webcams and other USB devices under FreeBSD 9.1 (and therefore PC-BSD as well). As further evidence of this, once we were done talking, someone walked up and handed him a USB ethernet adapter that was not supported, a hardware donation to drive development.

Roundup

The post Breaking DKIM | TechSNAP 81 first appeared on Jupiter Broadcasting.

Wire-Shark | TechSNAP 78 https://original.jupiterbroadcasting.net/25546/wire-shark-techsnap-78/ Thu, 04 Oct 2012 16:53:15 +0000 https://original.jupiterbroadcasting.net/?p=25546 We’ve got the details on a critical flaw in the chip and pin credit card system. Doing proper backups with rsync, and how sharks take down the Internet.


We’ve got the details on a critical flaw in the chip and pin credit card system. The future of secure hashing, doing proper backups with rsync, and how squirrels and sharks take down the Internet.

Plus a big batch of your questions, and our answers.

All that and more, on this week’s TechSNAP

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: