Show Notes: techsnap.systems/411

The post Mobile Security Mistakes | TechSNAP 411 first appeared on Jupiter Broadcasting.

Episode Links:

linuxactionnews.com/73

The post Linux Action News 73 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

DNSFS. Store your files in others DNS resolver cache s

A while ago I did a blog post about how long DNS resolvers hold results in cache for, using RIPE Atlas probes testing against their default resolvers (in a lot of cases, the DNS cache on their modem/router).

• BPF – the forgotten bytecode
• dnsfs: Store your data in others DNS revolvers cache

Unauthenticated LAN remote code execution in AsusWRT

However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.

AI is moving towards acceptance in cyber security, says Check Point

Artificial intelligence (AI) is making headway in the security industry as a means to better analyse mountains of information, but will not be widely adopted in the short term because of a lack of actionable data and human expertise, according to security services supplier Check Point.

Alphabet is launching a new CyberSecurity unit.

Alphabet, the parent company of Google, announced today that they will be launching Chronicle, a new business unit that will focus on Cyber Security, using their servers and infrastructure. The new organization hopes to focus on machine learning and artificial intelligence to assist in the fight against cybercrime moving forward.

Google Project Zero claims new BitTorrent flaw could enable cyber crooks get into users’ PCs

Google Project Zero security researchers have found what they claim is a “critical flaw” in the Transmission BitTorrent client that could enable cyber crooks to take control of users’ computers.

• CVE-2018-5702: Mitigate dns rebinding attacks against daemon by taviso ·

• Blizzard Fixes DNS Rebinding Flaw that Put All the Company’s Users at Risk

• What is DNS rebinding, in layman’s terms?

Kubernetes

Kubernetes, at its basic level, is a system for managing containerized applications across a cluster of nodes. In many ways, Kubernetes was designed to address the disconnect between the way that modern, clustered infrastructure is designed, and some of the assumptions that most applications and services have about their environments.

Fun fact: The seven spokes in the Kubernetes logo refer to the project’s original name, “Project Seven of Nine.”

• What is Kubernetes
• Scaling Kubernetes to 2,500 Nodes

We’ve been running Kubernetes for deep learning research for over two years. While our largest-scale workloads manage bare cloud VMs directly, Kubernetes provides a fast iteration cycle, reasonable scalability, and a lack of boilerplate which makes it ideal for most of our experiments. We now operate several Kubernetes clusters (some in the cloud and some on physical hardware), the largest of which we’ve pushed to over 2,500 nodes. This cluster runs in Azure on a combination of D15v2 and NC24 VMs.

Feedback

• Talk more about Windows

• Starting with Ansible Quick

• Gary points everyone to: Some best practises of how to use ansible
• Ansible Console
  • GitHub – dominis/ansible-shell: Interactive ansible shell
• Ad-hoc Commands

If infrastructures are to be treated as a code than projects that manage them must be treated as software projects. As your infrastructure code gets bigger and bigger you have more problems to deal with it. Code layout, variable precedence, small hacks here and there. Therefore, organization of your code is very important, and in this repository you can find some of the best practices (in our opinion) to manage your infrastructure code.

About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan

The post Too Many Containers | TechSNAP 353 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Announcing the first SHA1 collision

• Not just Google on this, they worked with CWI

• SHA1 is a Cryptographic hash function

• SHA-1 was developed as part of the U.S. Government’s Capstone project. The original specification of the algorithm was published in 1993

• two PDFs that have identical SHA-1 hashes but different content

• Lifetimes of cryptographic hash functions – by Valerie Aurora

• Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds – Attack is hard, discovery is easy, so fix it right
  rather than right now

• Suggestion: Don’t panic. Things aren’t suddenly going to become vulnerable. Take your time, review your systems looking for SHA-1 usage and evaluate the risk, but best to get it of it all if you have not already.

CloudBleed

• Affects millions of websites, literally.

• Google Project Zero

• Could someone from cloudflare security urgently contact me. – 0011 UTC – 18 Feb 2018 UTC 0011

• bug report on chromium.org – 17:15 UTC – 19 Feb 2017

• Corpus distillation? What is that?

• Incident report on memory leak caused by Cloudflare parser bug 23 Feb 2017

• My work here is done 9:24 PM – 23 Feb 2017

• HIPPA implications

• List of Sites possibly affected by Cloudflare’s #Cloudbleed HTTPS Traffic Leak

Feedback

• Transmission Permission Follow-up (see original question in episode 305

• Dan’s pfSense box

Round Up:

• Hello False Flags! The Art of Deception in Targeted Attack Attribution – see also False Flag and Perfidy

• Researchers exfiltrate data by blinking the LEDs on the hard drives

• ZFS based replication and failover script from bolthole.com – note: ksh required

• FCC reverses net neutrality ISP transparency rules

• security analysis on the most popular Android password manager applications

• AWS service status about s3 outage couldn’t be updated b/c of s3

• Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

The post Cloudy with a Chance of Leaks | TechSNAP 308 first appeared on Jupiter Broadcasting.

Pre-crime is here, with technology that lets you predicting a hack before it happens. We’ll tell you how. Google’s project zero goes to war, we get real about virtualization.

And then its a great batch of your questions, our answers & much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Predicting which sites will get hacked, before it happens

• Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
• Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
• “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
• “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
• The tool looks at the server software, outdated versions of Apache and PHP can be good indicators of future vulnerabilities
• It also looks at how the website is laid out, how often it is updated, what applications it runs (outdated wordpress is a good hacking target)
• It also compares the sites to sites that have been compromised. If a site is very like another, and that other was compromised, there is an increased probability that the first site will also be compromised
• The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
• The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
• Research PDF from USENIX
• There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

• Well over a month ago Google’s Project Zero reported a bug in glibc, however there was much skepticism about the exploitability of the bug, so it was not fixed
• However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32bit OSs
• The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
• The blog post also details an interesting (accidental) mitigation found in Ubuntu, they caused the researchers to target Fedora to more easily develop the exploit
• The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running: system(“/bin/bash”) started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had setup to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
• The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
• “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
• “The exploit would have been complicated significantly if the malloc main linked listed hardening was also applied to the secondary linked list for large chunks”
• The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

• The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
• Advisory
• “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
• “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected“
• “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
• “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
• “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor. “
• “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
• US-CERT Advisory
• Krebs reports that Dairy Queen may also be a victim of this attack
• “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

Feedback:

• HVAC remote access protection fear.

• Deconstruct malware?

• Virtualisation

• Metric for success of an attack campaign

Round Up:

• Chromecast software vulnerability paves way for another root exploit
• Netflix releases two of their internal threat monitoring tools, used to detect origanization of attacks against their networks
• FBI, Secret Service investigate reports of cyber attacks on U.S. banks
• Seagate ships worlds first 8TB hard drive, with “Enhanced Rotational Vibration (RV) tolerance for reliable performance in multi-drive environments”, allowing more drives to stuffed in a single chassis
• Feds warn first responders of dangerous hacking tool: Google Search
• UK Ministry of Justice fined 180,000 GBP for not encrypting data. Data was being backed up to an external hard drive that was then lost, potentially exposing data on almost 3000 prisoners. The external drive supported some type of ‘encryption’, but it was not enabled
• 300 oil companies hacked in Norway
• Google, Facebook, and others did not read the Apple Documentation. In iOS, clicking a tel:// link in Safari prompts the user to confirm they want to place the call. However in native apps, it is left up to the app to check for permission, to allow apps to initiate calls at the users request, without the user having to confirm it a 2nd time. Apple’s docs state that the app should confirm that the user wants to place the call, but they do not. Using javascript or server-side redirects, a malicious attacker can have your phone place calls without your permission when you click a link in a Facebook, Gmail or G+ message on iOS.
• CouchSurfing email system compromised, many users sent AirBnB prank message
• Browsers will be removing 1024 bit CA certificates from the trust chain in the latest NSS, which will ship in FireFox 32, due for release September 2nd. Even though these certificates have not expired, they will no longer be trusted because of their low security
• Comcast training material leaked, shows how employees are directed to upsell customers during support calls
• Krebs: new razor think ATM insert skimmer goes inside the card slot, nearly impossible to spot. Most skimmers now use hidden cameras to capture your PIN number, rather than a pinpad overlay. Krebs recommends covering the keypad with your free hand while entering your pin number

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.