Puppet – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. (Feed last built Wed, 16 Aug 2017 07:35:33 +0000)

Leaky Pumps | TechSNAP 332
https://original.jupiterbroadcasting.net/117451/leaky-pumps-techsnap-332/
Tue, 15 Aug 2017 23:35:33 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Gas Pump Skimmer Sends Card Data Via Text

  • Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

  • Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

  • But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

  • see also Gas Theft Gangs Fuel Pump Skimming Scams

Erasing hard drives – dd might be enough – Dan talks about how he erased the drives
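A worked version of the dd approach, added here as an example rather than anything from the episode: it runs against a throwaway file standing in for a drive, wipes it with dd and then reads it back to confirm the overwrite actually landed. It assumes a POSIX system with dd on PATH; the stand-in size and the block size are arbitrary choices for the demo.

```python
"""Wipe a drive with dd and read it back to prove the overwrite happened.

Added example, not from the episode. It operates on a regular file standing
in for a drive so it is safe to run; pointing `target` at /dev/sdX is the
real use. Assumes GNU or BusyBox `dd` on PATH and a POSIX OS.
"""
import os
import subprocess
import tempfile


def device_size(target: str) -> int:
    """Size in bytes of a file or block device (st_size is 0 for devices,
    so seek to the end instead)."""
    fd = os.open(target, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def dd_wipe(target: str, bs: int = 1 << 20) -> int:
    """Overwrite every byte of `target` with zeros via dd; return bytes written.

    Whole blocks go out at `bs`, the remainder at bs=1 so the tail is not
    missed. conv=notrunc keeps a regular file at its size; conv=fsync makes
    dd flush to the device before exiting instead of leaving the zeros in the
    page cache.
    """
    size = device_size(target)
    full, rem = divmod(size, bs)
    common = ["dd", "if=/dev/zero", f"of={target}", "conv=notrunc,fsync"]
    if full:
        subprocess.run(common + [f"bs={bs}", f"count={full}"],
                       check=True, stderr=subprocess.DEVNULL)
    if rem:
        subprocess.run(common + ["bs=1", f"count={rem}", f"seek={full * bs}"],
                       check=True, stderr=subprocess.DEVNULL)
    return size


def first_nonzero(target: str, chunk: int = 1 << 20) -> int:
    """Read `target` back; return the offset of the first non-zero byte, or -1."""
    zeros = bytes(chunk)
    with open(target, "rb") as f:
        offset = 0
        while True:
            buf = f.read(chunk)
            if not buf:
                return -1
            if buf != zeros[:len(buf)]:
                return offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)


def demo(size: int = 300 * 1024 + 17) -> dict:
    """Constructed stand-in drive: random contents, wiped, then verified."""
    fd, path = tempfile.mkstemp(prefix="fake-disk-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(size))
        dirty_at = first_nonzero(path)        # some offset >= 0: random data
        written = dd_wipe(path, bs=64 * 1024)
        clean_at = first_nonzero(path)        # -1 once the wipe really landed
        return {"size": size, "written": written,
                "dirty_before": dirty_at, "first_nonzero_after": clean_at}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The read-back is the cheap part and is worth doing every time. dd can only reach sectors the drive still exposes: reallocated sectors and the over-provisioned area of an SSD are never written, so for SSDs, and for anything leaving your custody, ATA Secure Erase / NVMe sanitize or physical destruction is the safer answer.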


Feedback


Round Up:

The post Leaky Pumps | TechSNAP 332 first appeared on Jupiter Broadcasting.

Botnet of Things | TechSNAP 286
https://original.jupiterbroadcasting.net/103516/botnet-of-things-techsnap-286/
Thu, 29 Sep 2016 19:18:38 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Krebs hit with record breaking DDoS attack

  • “On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai/Prolexic, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.”
  • “The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”
  • “Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gbps attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.”
  • Almost all of the previous large scale DDoS attacks were the result of ‘reflection’ and ‘amplification’ attacks
  • That is, exploiting DNS, NTP, and other UDP protocols: the attacker sends a small request with the source address spoofed to the victim’s, and the reflector sends its larger reply to the victim.
  • Basically, have your bots send spoofed requests of a few dozen bytes, and the reflector sends a reply many times that size to the victim (DNS and NTP reflectors can return tens to hundreds of times the request size). This attack harms both the victim and the reflector.
  • Thanks to the hard work of many sysadmins, most DNS and NTP servers are much more locked down now, and reflection attacks are less common, although there are still some protocols vulnerable to amplification that are not as easy to fix
  • “In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices. According to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.”
  • “There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
  • “I’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.”
  • “Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.”
  • “I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.”

The shot heard round the world

  • In this followup post, Krebs discusses “The Democratization of Censorship”
  • You no longer need to be a nation state to censor someone, you just need a big enough botnet
  • “Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.”
  • “Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.”
  • This poses a huge problem. The bad guys now know the magic number, around 620 Gbps, at which point even the most expensive DDoS protection service will boot you off and shut down your site.
  • “Nevertheless, Akamai rather abruptly informed me I had until 6 p.m. that very same day — roughly two hours later — to make arrangements for migrating off their network. My main concern at the time was making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.”
  • “Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.”
  • This raises another question, what happens when the bad guys perform an attack large enough to disrupt Google?
  • This was the topic of the closing keynote at EuroBSDCon last weekend, sadly no video recordings are available.
  • “Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.”
  • “In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.”
  • “Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.”
  • “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”
  • “Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.”
  • “What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.”
  • “No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.”
  • “Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.”
  • While we’d like to think that the hacked devices will be secured, the reality is that they probably won’t be. Even if there was a firmware update, how often do people firmware update their IP Cameras? Their DVRs?
  • The cable companies might be able to help by pushing firmware updates, and they have some incentive to do so, as the attacks use up their bandwidth
  • In the end, even if ISPs notified their customers that they were part of the attack, how is a regular person supposed to determine which of the IoT devices was used as part of the attack?
  • If you don’t know how to use a protocol analyzer, and the attack is not ongoing right now, how do you tell if it was your DVR, your SmartTV, your Thermostat, or your refrigerator that was attacking Krebs?
  • And if we thought that 620 Gbps was enough to make almost any site kneel to an attacker, OVH.net reports a botnet of 150,000 CCTV/camera/DVR units, each with 1–30 Mbps of upload capacity, attacking their network with a peak of 1.1 Tbps (1,100 Gbps) of traffic, and they estimate the capacity of the botnet at over 1.5 Tbps
  • “I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”
  • “The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.”
  • The possible solutions presented at EuroBSDCon were even scarier. Breaking the Internet up along national borders, and only allowing traffic to pass between countries on regulated major services like Facebook and Google.
  • Additional Coverage: Forbes
  • Additional Coverage: Ars Technica
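Answering the question above from the router’s own records, as an added example that is not from the article or the show: given one line per outbound flow (a constructed format; most consumer routers do not log this, which is rather the point, but OpenWrt or pfSense with conntrack or NetFlow export can), the LAN host opening hundreds of single-packet connections to one destination is the one to pull the plug on. The hosts, addresses, log format and thresholds are all made up for the example.

```python
"""Find which LAN device took part in a flood from per-flow logs.

Added example, not from the article or the show. Assumes the router exports
one line per outbound flow in the constructed format below. Addresses come
from the RFC 5737 documentation ranges; nothing here is real traffic.
"""
import re
from collections import Counter, defaultdict

FLOW = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) pkts=(?P<pkts>\d+)$")


def sample_flows():
    """Constructed log: a laptop browsing, a TV streaming, and a DVR opening
    hundreds of one-packet connections to a single host (a SYN/GET flood)."""
    lines = []
    for i in range(30):       # laptop: ordinary sessions, many packets each
        lines.append(f"1474416{i:03d} 192.168.1.20:{51000 + i} -> "
                     f"93.184.216.{i % 4 + 1}:443 tcp pkts={80 + i}")
    for i in range(5):        # TV: one CDN host, long-lived streams
        lines.append(f"1474416{i:03d} 192.168.1.31:{40000 + i} -> "
                     f"192.0.2.50:443 tcp pkts=500")
    for i in range(500):      # DVR: 500 single-packet flows to one target
        lines.append(f"1474416{i % 1000:03d} 192.168.1.53:{10000 + i} -> "
                     f"198.51.100.7:80 tcp pkts=1")
    lines.append("garbage line the parser must skip")
    return lines


def parse(lines):
    """Yield a dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = FLOW.match(line)
        if m:
            flow = m.groupdict()
            flow["pkts"] = int(flow["pkts"])
            yield flow


def profile(flows):
    """Per LAN source: flow count, single-packet flows, flows per destination."""
    per_src = defaultdict(lambda: {"flows": 0, "one_pkt": 0, "dsts": Counter()})
    for f in flows:
        p = per_src[f["src"]]
        p["flows"] += 1
        p["one_pkt"] += f["pkts"] == 1
        p["dsts"][f["dst"]] += 1
    return per_src


def suspects(lines, min_flows=100, min_single_pkt_share=0.9):
    """Sources that hammer one destination with mostly single-packet flows.

    A browser opens a handful of connections to a site and moves data over
    them; a flood bot opens hundreds and sends one packet on each. The
    thresholds are assumptions for this sample; tune them to the household.
    """
    found = []
    for src, p in profile(parse(lines)).items():
        top_dst, n = p["dsts"].most_common(1)[0]
        share = p["one_pkt"] / p["flows"]
        if n >= min_flows and share >= min_single_pkt_share:
            found.append({"src": src, "target": top_dst, "flows_to_target": n,
                          "single_packet_share": round(share, 2)})
    return sorted(found, key=lambda r: r["src"])


if __name__ == "__main__":
    for hit in suspects(sample_flows()):
        print(hit)
```

The output is a LAN address; the router’s DHCP lease table and the MAC’s OUI turn that into “the DVR in the living room”. Without per-flow logs the fallback is the router’s per-client traffic counters, if it has them, or unplugging devices one at a time while watching the WAN activity light.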

Firefox preparing to block Certificate Authority for violating rules

  • “The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.”
  • “The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.”
  • “Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Monday’s report stated. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”
  • So, existing certificates will continue to work, to avoid impact on those who paid for certificates, but Mozilla will not trust any newly issued certificates
  • “WoSign’s practices came under scrutiny after an IT administrator for the University of Central Florida used the service to obtain a certificate for med.ucf.edu. He soon discovered that he mistakenly got one for www.ucf.edu. To verify that the error wasn’t isolated, the admin then used his control over the github subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued Github certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that aren’t clear, Mozilla’s final report makes no explicit mention of the certificates involving the Github or UCF domains, which were documented here in August.”
  • Some other issues highlighted in the Mozilla report:
    • “WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)”
    • “If the experience with their website ownership validation mechanism is anything to go by, it seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)”
    • “The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)”
    • “For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)”
    • “WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)”
  • Mozilla Report
  • Mozilla Wiki: WoSign issues
  • WoSign incident report

Feedback:


Round Up:


The post Botnet of Things | TechSNAP 286 first appeared on Jupiter Broadcasting.

Ripping me a new Protocol | TechSNAP 221
https://original.jupiterbroadcasting.net/84667/ripping-me-a-new-protocol-techsnap-221/
Thu, 02 Jul 2015 19:05:26 +0000


Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —

Amazon releases s2n, a new TLS implementation

  • s2n (signal2noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
  • It has been fully audited, and will be re-audited once per year, paid for by Amazon
  • It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
  • The API appears to be very easy to use, and prevents many common errors
  • The client side of the library is not ready for use yet
  • Features:
    • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
    • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
    • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
    • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
    • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
  • One of the main features is that, instead of having to specify which cipher suites you prefer and in what order, as we have discussed doing for OpenSSL (in Apache, nginx, etc.), you can either use ‘default’, which will change with the times, or a specific dated snapshot that corresponds to what was best practice at that time
  • Github Page
  • Additional Coverage – ThreatPost
  • It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.
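An added example of the “systematic boundary-enforcing checks” item, written here in Python rather than taken from s2n: every read goes through a cursor that checks the remaining length first, so a TLS record or ClientHello whose length fields claim more bytes than are actually present fails loudly instead of reading past the buffer. The ClientHello builder and the sample messages are constructed for the demo; the content-type values and the record-length limit are RFC 5246’s.

```python
"""Bounds-checked TLS record parsing, in the spirit of the s2n feature list.

Added example, not s2n's code. A read cursor refuses to read past the end
of its buffer; a TLS record and a ClientHello are parsed through it. Sample
messages are constructed below (zeroed random, no extensions).
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
MAX_CIPHERTEXT = (1 << 14) + 2048   # RFC 5246 §6.2.3: TLSCiphertext.length limit


class Cursor:
    """Every read is length-checked before slicing; a short buffer raises
    instead of silently yielding fewer bytes (or, in C, reading out of bounds)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def read(self, n: int) -> bytes:
        if n < 0 or n > self.remaining():
            raise ValueError(f"need {n} bytes at offset {self.pos}, "
                             f"only {self.remaining()} left")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self) -> int:
        return self.read(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.read(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.read(3), "big")


def parse_record(buf: bytes) -> dict:
    """Record layer: type(1) version(2) length(2) fragment(length)."""
    c = Cursor(buf)
    ctype = c.u8()
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    version = (c.u8(), c.u8())
    length = c.u16()
    if length > MAX_CIPHERTEXT:
        raise ValueError(f"record length {length} exceeds limit")
    return {"type": CONTENT_TYPES[ctype], "version": version,
            "fragment": c.read(length),        # raises if the buffer is short
            "trailing": c.remaining()}


def parse_client_hello(fragment: bytes) -> dict:
    """Handshake header, then the ClientHello body. Each inner length field
    is only honoured as far as the enclosing buffer actually holds."""
    c = Cursor(fragment)
    hs_type, hs_len = c.u8(), c.u24()
    if hs_type != 1:
        raise ValueError(f"not a ClientHello (handshake type {hs_type})")
    h = Cursor(c.read(hs_len))
    version = (h.u8(), h.u8())
    rand = h.read(32)
    session_id = h.read(h.u8())
    cs_len = h.u16()
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", h.read(2))[0] for _ in range(cs_len // 2)]
    compression = list(h.read(h.u8()))
    return {"version": version, "random": rand, "session_id": session_id,
            "cipher_suites": suites, "compression": compression,
            "extension_bytes": h.remaining()}


def build_client_hello(suites=(0xC02F, 0xC030), session_id=b"") -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with no extensions."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                    # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_or_error(buf: bytes):
    """(ClientHello dict, None) on success; (None, reason) whenever a length
    field disagrees with the bytes actually present."""
    try:
        rec = parse_record(buf)
        return parse_client_hello(rec["fragment"]), None
    except ValueError as e:
        return None, str(e)
```

The two failure cases worth trying are a record cut short a few bytes before its declared end, and an intact record whose session_id length byte is raised from 0 to 32: the first dies at the record layer, the second at the inner cursor, and neither ever touches memory outside the buffer.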

How the NSA’s XKEYSCORE works

  • “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
  • “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
  • “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
  • “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
  • You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
  • “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
  • The security of the system is also not as good as you might imagine:
  • “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
  • “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
  • “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
  • The system is not well designed, and could likely have been done better with existing open source tools, or commercial software designed to classify web traffic
  • “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
  • Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days), your actual traffic is deleted to make room for newer traffic, but the metadata (those tags) are kept for 30-45 days
  • “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
  • “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
  • “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
  • “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
  • All of this information is based on the Snowden leaks, and is from many years ago
  • “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
  • Part 2 of Article
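A toy version of the appID/fingerprint tagging the article describes, added here as an example (it is not XKEYSCORE code and not GENESIS syntax): rules are regular expressions with boolean dependencies, named with the path-style identifiers quoted above; every matching fingerprint is kept and the deepest matching appID becomes the session’s tag. The rule set, the priority tie-break between appIDs of equal depth, and the three HTTP sessions are all constructed for the example.

```python
"""AppID / fingerprint tagging as the article describes it, in miniature.

Added example, not XKEYSCORE code. Rules are Python regexes with boolean
dependencies; names follow the path-style identifiers the article quotes.
The rules, the priority tie-break and the sessions are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str              # path-like id, e.g. "mail/webmail/gmail"
    kind: str              # "appid": one per session; "fingerprint": any number
    pattern: re.Pattern
    requires: tuple = ()   # names of other rules that must also fire (AND)
    priority: int = 0      # assumed tie-break between appIDs of equal depth


RULES = [
    Rule("http/get", "appid", re.compile(r"^GET \S+ HTTP/1\.[01]", re.M)),
    Rule("mail/webmail", "appid",
         re.compile(r"^Host: (mail|webmail)\.", re.M), priority=1),
    Rule("mail/webmail/gmail", "appid",
         re.compile(r"^Host: mail\.google\.com", re.M), requires=("mail/webmail",)),
    Rule("update_service/windows", "appid",
         re.compile(r"^Host: [\w.-]*windowsupdate\.com", re.M), priority=1),
    Rule("browser/cellphone/iphone", "fingerprint",
         re.compile(r"^User-Agent: .*\biPhone\b", re.M)),
    Rule("mail/arabic", "fingerprint",                 # language setting, webmail only
         re.compile(r"^Accept-Language: ar\b", re.M), requires=("mail/webmail",)),
]

# Constructed HTTP sessions, one string each; none of this is captured traffic.
SESSIONS = {
    "gmail-from-iphone": (
        "GET /mail/u/0/ HTTP/1.1\r\nHost: mail.google.com\r\n"
        "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X)\r\n"
        "Accept-Language: ar,en;q=0.5\r\n\r\n"),
    "windows-update": (
        "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\n"
        "Host: ctldl.windowsupdate.com\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\n\r\n"),
    "plain-web": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def fired_rules(session: str) -> set:
    """Evaluate rules until nothing new fires, so `requires` chains resolve
    regardless of rule order."""
    fired = set()
    changed = True
    while changed:
        changed = False
        for r in RULES:
            if r.name in fired:
                continue
            if all(dep in fired for dep in r.requires) and r.pattern.search(session):
                fired.add(r.name)
                changed = True
    return fired


def classify(session: str) -> dict:
    """One appID (deepest path wins, then priority) plus every fingerprint."""
    fired = fired_rules(session)
    appids = [r for r in RULES if r.kind == "appid" and r.name in fired]
    best = max(appids, key=lambda r: (r.name.count("/") + 1, r.priority), default=None)
    fingerprints = sorted(r.name for r in RULES
                          if r.kind == "fingerprint" and r.name in fired)
    return {"appid": best.name if best else None, "fingerprints": fingerprints}


if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(label, classify(session))
```

The point the article makes about retention follows directly from this shape: once a session carries “mail/webmail/gmail” plus “browser/cellphone/iphone” and “mail/arabic”, those few strings are all that needs to survive after the payload itself is aged out.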

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

  • RIPv1 is a routing protocol released in 1988 (RFC 1058) that was deprecated in 1996
  • It runs over UDP (port 520) with no authentication, so an attacker can send a request to a home router with RIP enabled from a spoofed source address, and that router will send its response to the victim, flooding their internet connection
  • “Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sources, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.
  • “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
  • Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.
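What the reflector exchange looks like on the wire, as an added example rather than anything from the advisory: it builds the 24-byte RFC 1058 “send me your whole table” request, a constructed 25-route reply, parses both and computes the ratio, so the 504-byte reply size and the amplification factor fall out of the packet format. The same mechanics are what the TechSNAP 286 DDoS segment above calls reflection and amplification. Nothing is sent; the route addresses are made up.

```python
"""RIPv1 as a reflector: the request and reply as UDP payloads.

Added example, not from the advisory. Builds the RFC 1058 whole-table
request and a constructed response, parses both and computes the
amplification ratio. Only payloads are built; nothing touches a socket.
"""
import socket
import struct

RIP_PORT = 520
REQUEST, RESPONSE = 1, 2
AF_IP = 2                                  # address family identifier for IP
INFINITY = 16                              # RIP metric meaning "unreachable"
MAX_ENTRIES = 25                           # RFC 1058: at most 25 entries per message
HEADER = struct.Struct("!BBH")             # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s8sI")          # family, zero, address, zero(8), metric


def build_whole_table_request() -> bytes:
    """RFC 1058 §3.4.1: one entry with family 0 and metric 16 asks the
    router for its entire routing table. 24 bytes on the wire."""
    return HEADER.pack(REQUEST, 1, 0) + ENTRY.pack(0, 0, bytes(4), bytes(8), INFINITY)


def build_response(routes) -> bytes:
    """Constructed reflector reply carrying (network, metric) pairs."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("a RIPv1 message holds at most 25 entries")
    entries = b"".join(ENTRY.pack(AF_IP, 0, socket.inet_aton(net), bytes(8), metric)
                       for net, metric in routes)
    return HEADER.pack(RESPONSE, 1, 0) + entries


def parse(payload: bytes) -> dict:
    """Header fields plus route entries; reject anything whose length is not
    a header followed by whole 20-byte entries."""
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError(f"malformed RIP message of {len(payload)} bytes")
    command, version, _ = HEADER.unpack_from(payload)
    if version != 1:
        raise ValueError(f"not RIPv1 (version {version})")
    entries = []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        family, _, addr, _, metric = ENTRY.unpack_from(payload, off)
        entries.append({"family": family, "address": socket.inet_ntoa(addr),
                        "metric": metric})
    names = {REQUEST: "request", RESPONSE: "response"}
    return {"command": names.get(command, command), "version": version,
            "entries": entries}


def amplification(request: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the attacker spends."""
    return len(response) / len(request)


def demo() -> dict:
    """A router holding 25 routes answers the 24-byte request with 504 bytes."""
    routes = [(f"10.{i}.0.0", 1 + i % 15) for i in range(MAX_ENTRIES)]
    req = build_whole_table_request()
    resp = build_response(routes)
    return {"request_bytes": len(req), "response_bytes": len(resp),
            "entries": len(parse(resp)["entries"]),
            "factor": amplification(req, resp)}


if __name__ == "__main__":
    print(demo())
```

A full RIPv1 message is 4 + 25 × 20 = 504 bytes, which is why the advisory saw that size: each 24-byte spoofed request buys 21 bytes of reply per byte sent, and a router with more than 25 routes answers with several such messages. On the advisory’s figures, a 12.9 Gbps flood of 504-byte payloads is on the order of three million replies per second. On the receiving end, UDP from source port 520 arriving at a host that never speaks RIP is the signature to alert on; on the router, disabling RIP, or at least filtering UDP/520 on the WAN side, closes the reflector.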

Home Routers used to host Malware

  • Home routers were found to be hosting the Dyre malware
  • Symantec Research Paper of Dyre
  • Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher-end routers geared towards power users and small businesses
  • “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
  • “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”

Feedback:


Round Up:


The post Ripping me a new Protocol | TechSNAP 221 first appeared on Jupiter Broadcasting.

Alice Goldfuss | WTR 10
https://original.jupiterbroadcasting.net/75917/alice-goldfuss-wtr-10/
Wed, 21 Jan 2015 00:37:57 +0000

The post Alice Goldfuss | WTR 10 first appeared on Jupiter Broadcasting.

Alice is a site reliability engineer with New Relic & describes herself as “the disgruntled Spock of our age.”

Thanks to:

Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:


Show Notes:

Hackers Go Postal | TechSNAP 188 https://original.jupiterbroadcasting.net/71477/hackers-go-postal-techsnap-188/ Thu, 13 Nov 2014 18:35:07 +0000 https://original.jupiterbroadcasting.net/?p=71477 Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches. Plus some great feedback, a rocking round-up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | […]

The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches.

Plus some great feedback, a rocking round-up & much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Masque Attack — authentic iOS apps can be replaced by malware with ease

  • Last week we talked about new malware for OS X that infected iOS devices with malicious apps
  • Part of the problem seemed to stem from the fact that if a corporation got a certificate from Apple to sign internally developed apps for use by employees, those apps were innately trusted by all iOS devices, even ones that did not belong to the corporation that signed the application
  • While we suspected this might be a fairly major vulnerability in the architecture of iOS, it turns out that was only the tip of the iceberg
  • “In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier”
  • This means that the malicious app, signed by a random corporate certificate issued by Apple (supposedly only for internal use), can replace any application on your phone, except those directly from Apple
  • “An attacker can leverage this vulnerability both through wireless networks and USB”
  • If you install ‘new flappy bird’, or connect your iOS device to an infected computer, a malicious charging port in some public space, or an untrusted wifi network, the Twitter app on your device could be replaced with one that steals the credentials for your account and tweets spam, or worse
  • “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly”
  • FireEye shared this information with Apple in July, but after the news about the WireLurker malware, which uses a very limited form of this attack (the attackers may not have realized the full extent of what they had discovered), FireEye felt it necessary to go public with the information so customers can take steps to protect themselves
  • “As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.”
  • “The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team”

USPS computer networks compromised, telecommuting VPN temporarily shutdown

  • Attackers compromised the internal network of the United States Postal Service
  • It is not clear how or where the compromise happened, although some information suggests a call center was compromised, possibly via the VPN
  • Possibly compromised information includes: Employee names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information
  • “The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information. At this time, we do not believe that potentially affected customers need to take any action as a result of this incident”
  • Additional Information
  • “VPN was identified as vulnerable to this type of intrusion and will remain unavailable as we work to make modifications to this type of remote access to our networks. When VPN is available again users will notice changes in functionality. We will have additional information about VPN in the near future”
  • I wonder if this might have been related to Heartbleed. We have had stories in the recent past about SSL based VPNs that were compromised before they could be upgraded with the heartbleed fix, and then this access was used later on because passwords were not changed
  • “Should I change my ACE ID and password, Postal EIN or other postal passwords as a result of this incident?”
  • “At this time there is no requirement to change your ACE password or other passwords unless prompted to do so by email prompts from IT as part of the normal password change process. You will be notified if other password changes are required.”
  • Having IT email you to ask you to change your password just seems like a really bad idea. This is a great opening for a phishing campaign. If a password change is required, it should be prompted for from a more trustworthy source than email
  • After a breach, out of an abundance of caution, all passwords should be changed.

Microsoft releases patch for OLE vulnerability

  • As part of this month's Patch Tuesday, Microsoft has released an official patch for both OLE vulnerabilities (specially crafted website, and malicious Office document) used in the “Sandworm Team” attacks against NATO and other government agencies that we discussed on episode 185
  • This new patch, MS14-064 replaces the patch from October’s Patch Tuesday MS14-060
  • Microsoft – November Patch Update Summary
  • Microsoft Advisory – MS14-064
  • Microsoft Advisory – MS14-070 – Local user remote code execution via vulnerability in Windows TCP/IP stack
  • Also included was a cumulative patch for Internet Explorer; however, this patch breaks compatibility with EMET (Enhanced Mitigation Experience Toolkit) 5.0, and customers are instructed to upgrade to EMET 5.1 before upgrading IE
  • “If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation”
  • “Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections”
  • “MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution”
  • The previous patch for the OLE vulnerability merely marked files that come from the internet as untrusted. However, there are a number of ways around this, some of which may already be in use by attackers
  • McAfee Labs – Bypassing Microsoft's Patch for Sandworm Zero Day
  • In addition, the Microsoft ‘workaround’ for the flaw, marking the file as untrusted, only applies when you try to ‘execute’ a file. If you right-click a file and open it for ‘editing’, or open it from within an application, the untrusted flag is never checked
  • McAfee also found samples in the wild that ran the untrusted file as administrator, which only pops up the standard ‘run this program as admin?’ prompt (and only if UAC is not disabled), and does not show the ‘this file is not trusted’ prompt

Feedback:


Round Up:


wget a Shell | TechSNAP 186 https://original.jupiterbroadcasting.net/70357/wget-a-shell-techsnap-186/ Thu, 30 Oct 2014 18:15:39 +0000 https://original.jupiterbroadcasting.net/?p=70357 A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable. Plus a great batch of your feedback, a rocking round up & much much more! Thanks to: Get Paid to Write for DigitalOcean […]

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

  • wget is a command-line download client from the GNU project, often found on Linux and Unix servers, and also available for Windows
  • It was originally designed for mirroring websites; it has a ‘recursive’ mode that downloads an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
  • It is this mode that is the subject of the vulnerability
  • Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
  • A malicious FTP site can craft its ‘LIST’ response (the directory listing command in the FTP protocol) to report the same name twice, first as a symbolic link and then as a directory. This is not possible on a real FTP server, since a file system cannot have two objects with the same name
  • This vulnerability allows the operator of the malicious FTP site you are downloading from to cause wget to create arbitrary files, directories and symlinks on your system
  • The creation of new symlinks allows existing files to be overwritten
  • An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
  • So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
  • “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
  • Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most of the time it is merely used as an HTTP client to download a file from a URL
  • Redhat Bug Tracker
  • Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
  • HD Moore Tweets
  • HD Moore Blog Post
  • Metasploit Module
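
The listing trick described above, worked through in Python as an added example (this is not wget's code and the names are mine): a parser for UNIX-style LIST output, the constructed listings it runs on, and the two checks a recursive FTP mirror should make before touching the local file system. The first check rejects any listing that names the same entry twice, which no real file system can produce; the second refuses symlinks whose target resolves outside the mirror root unless symlinks are fetched as plain files, which is what wget's `retr-symlinks=on` mitigation does. The mirror root `/srv/mirror` is an assumed value.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed UNIX-style FTP LIST responses (not captured from any real server).
# A genuine file system cannot contain two entries with one name, so the second
# listing, which reports "docs" first as a symlink and then as a directory, can
# only come from a malicious or broken server.
LEGIT_LISTING = """\
drwxr-xr-x   2 ftp      ftp          4096 Oct 28  2014 docs
-rw-r--r--   1 ftp      ftp          1234 Oct 28  2014 README
lrwxrwxrwx   1 ftp      ftp             4 Oct 28  2014 current -> docs
"""

DUPLICATE_LISTING = """\
lrwxrwxrwx   1 ftp      ftp            10 Oct 28  2014 docs -> /home/user
drwxr-xr-x   2 ftp      ftp          4096 Oct 28  2014 docs
-rw-r--r--   1 ftp      ftp            50 Oct 28  2014 README
"""

ESCAPING_LISTING = """\
lrwxrwxrwx   1 ftp      ftp            12 Oct 28  2014 notes -> ../../../etc
-rw-r--r--   1 ftp      ftp            50 Oct 28  2014 README
"""

# mode, link count, owner, group, size, three date/time tokens, then the name
# (and "-> target" for a symlink). Names may contain spaces, hence the greedy tail.
LIST_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<rest>.+)$"
)


@dataclass
class Entry:
    name: str
    kind: str                  # "file", "dir" or "symlink"
    target: Optional[str] = None


def parse_list(listing: str) -> List[Entry]:
    """Parse LIST output into entries; unparseable lines are an error, not ignored."""
    entries = []
    for line in listing.splitlines():
        m = LIST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable LIST line: {line!r}")
        kind = {"d": "dir", "l": "symlink"}.get(m.group("mode")[0], "file")
        rest, target = m.group("rest"), None
        if kind == "symlink" and " -> " in rest:
            rest, target = rest.split(" -> ", 1)
        entries.append(Entry(rest, kind, target))
    return entries


def check_listing(entries: List[Entry], mirror_root: str = "/srv/mirror",
                  retr_symlinks: bool = False) -> Tuple[bool, str]:
    """Decide whether a listing is safe to mirror.

    Rejects any listing that names an entry twice (the symlink/directory trick)
    and, unless symlinks are retrieved as plain files (wget's retr-symlinks=on),
    any symlink whose target would resolve outside the mirror root.
    """
    names = [e.name for e in entries]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:
        return False, f"duplicate entry name(s) {sorted(dupes)} (symlink/dir confusion)"
    if not retr_symlinks:
        for e in entries:
            if e.kind != "symlink":
                continue
            # Resolve the link target relative to the mirror root, as the local
            # file system would, and require it to stay inside that root.
            link_target = os.path.normpath(os.path.join(mirror_root, e.target or ""))
            if os.path.commonpath([mirror_root, link_target]) != mirror_root:
                return False, f"symlink {e.name!r} -> {e.target!r} escapes mirror root"
    return True, "ok"
```

The duplicate-name check is the one that matters for the bug on the page: once the listing is rejected, the directory entry that would later have been written through the symlink is never created. The escape check is defence in depth for a server that only lies about symlink targets.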

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

  • Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
  • It turns out to be vulnerable: a specially crafted request results in the execution of arbitrary SQL commands
  • “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
  • All users running Drupal core 7.x versions prior to 7.32 need to upgrade
  • Drupal Security Advisory
  • One line patch: it seems the code assumed $data would always be a simple (integer-indexed) array; if it was an associative array (named keys instead of integers) the result was unintended behaviour
  • Additional Coverage: Threat Post
  • It was announced today that a widespread automated attack has been detected against unpatched Drupal instances
  • Because of the nature of the vulnerability, a valid user account is not required to exploit it, and no traces are left behind when a site is compromised
  • “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
  • Drupal Public Service Announcement
  • Additional Coverage: Threat Post
  • It is entirely possible that attackers dumped the contents of Drupal databases, so it is probably best to reset all passwords
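
The placeholder-expansion mistake behind the one-line patch, modelled in Python as an added example (this is not Drupal's PHP, and `_expand`, the two wrapper functions and the sample inputs are mine): when an array is bound to a single placeholder, the database layer has to expand it into one placeholder per element. Suffixing each placeholder with the element's array key means whatever key the caller supplied is copied verbatim into the SQL text; the fix is to number the values instead, so the suffix is always an integer position whatever keys arrived.

```python
from typing import Any, Dict, Tuple

QUERY = "SELECT name FROM users WHERE name IN (:name)"

# Constructed inputs. SAFE_ARGS is what application code normally passes;
# HOSTILE_ARGS is shaped like a request where the caller controlled the array keys.
SAFE_ARGS: Dict[str, Any] = {":name": ["alice", "bob"]}
HOSTILE_ARGS: Dict[str, Any] = {":name": {"0": "alice", "x y": "bob"}}


def _expand(query: str, args: Dict[str, Any], use_keys: bool) -> Tuple[str, Dict[str, Any]]:
    """Expand each array-valued placeholder into one placeholder per element.

    use_keys=True mimics the pre-7.32 logic, which suffixed the placeholder with
    the element's array key; use_keys=False mimics the fix, which numbers the
    values and ignores the keys entirely.
    """
    args = dict(args)
    for placeholder, value in list(args.items()):
        if not isinstance(value, (list, dict)):
            continue
        if use_keys:
            items = value.items() if isinstance(value, dict) else enumerate(value)
        else:
            items = enumerate(value.values() if isinstance(value, dict) else value)
        names = []
        for key, item in items:
            # With use_keys=True an attacker-chosen key becomes part of the SQL text.
            name = f"{placeholder}_{key}"
            args[name] = item
            names.append(name)
        del args[placeholder]
        query = query.replace(placeholder, ", ".join(names))
    return query, args


def expand_arguments_vulnerable(query: str, args: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    return _expand(query, args, use_keys=True)


def expand_arguments_fixed(query: str, args: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    return _expand(query, args, use_keys=False)
```

With the hostile input the vulnerable path produces `IN (:name_0, :name_x y)`: the space ends the placeholder token and the rest of the key is sent to the database as raw SQL, which is exactly why a request needs no account to trigger it. The fixed path produces `IN (:name_0, :name_1)` for both inputs.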

NAT-PMP flaw puts 1.2 million home routers at risk

  • NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 as RFC 6886 to replace part of UPnP with a simpler implementation
  • It allows hosts on the internal network to request ‘please open TCP (or UDP) port XXXX on the internet interface and forward that traffic to me’, and to ask ‘what is our internet-facing IP?’
  • This allows hosts to accept incoming connections (game servers, Skype calls, etc.) without having to manually create a ‘port forwarding’ rule
  • However, it seems some implementations are configured incorrectly, and accept requests on both the internal (expected) and external (very bad!) interface
  • The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet); however, because it is UDP, the source address can be spoofed
  • Researcher Post
  • Of the 1.2 million internet-exposed devices Project Sonar found to be in some way vulnerable:
  • 2.5% are vulnerable to ‘interception of internal NAT traffic’: specifically, an attacker can create a mapping that forwards attempts to connect to the router itself to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
  • 86% are vulnerable to ‘interception of external traffic’, which allows the attacker to create a mapping on the external interface. For example, since most routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website, keeping the true address of their site secret by directing traffic to your router, which then forwards it to their address.
  • 88% are vulnerable to ‘Access to Internal NAT Client Services’: because NAT-PMP runs over UDP, it is often possible to send a spoofed packet with a fake source address. This allows an attacker to create port-forwarding rules from outside, gaining access to machines behind the router that are normally not exposed to the Internet.
  • 88% are vulnerable to a Denial of Service attack: by creating a mapping for the NAT-PMP service itself, the device can be made to forward all real NAT-PMP requests off to some other host, effectively breaking the NAT-PMP feature on the device
  • 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
  • Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
  • Because of the nature of Project Sonar and the widespread nature of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the Metasploit module and build a database from the results
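
The protocol exchange and the gateway-side policy that the vulnerable devices lacked, as an added example (not the researchers' code or any router's firmware; the `Gateway` class, the "lan"/"wan" interface labels and the sample addresses are mine). The packet layouts follow RFC 6886: a mapping request carries version, opcode (1 for UDP, 2 for TCP), internal port, suggested external port and lifetime; the response echoes the opcode with the high bit set, a result code and the mapping actually granted. The gateway only honours requests that arrived on the LAN interface from a LAN address and always forwards to the requester itself, which closes the spoofed-mapping, reflection and information-disclosure cases on the page in one check.

```python
import ipaddress
import struct
from typing import Dict, Tuple

# NAT-PMP constants from RFC 6886 (version byte is 0; responses set bit 7 of the opcode).
NATPMP_VERSION = 0
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_SUCCESS, RESULT_NOT_AUTHORIZED = 0, 2

MAP_REQUEST = "!BBHHHI"    # vers, opcode, reserved, internal port, suggested external port, lifetime
MAP_RESPONSE = "!BBHIHHI"  # vers, opcode|128, result, seconds since epoch, internal, external, lifetime
ADDR_RESPONSE = "!BBHI4s"  # vers, 128, result, seconds since epoch, external IPv4 address


def build_map_request(opcode: int, internal_port: int, external_port: int, lifetime: int) -> bytes:
    """Client side: 'forward external port X to my internal port Y for N seconds'."""
    return struct.pack(MAP_REQUEST, NATPMP_VERSION, opcode, 0, internal_port, external_port, lifetime)


def parse_map_request(data: bytes) -> Dict[str, int]:
    if len(data) != struct.calcsize(MAP_REQUEST):
        raise ValueError("bad NAT-PMP mapping request length")
    vers, opcode, _reserved, iport, eport, lifetime = struct.unpack(MAP_REQUEST, data)
    if vers != NATPMP_VERSION or opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("unsupported version or opcode")
    return {"opcode": opcode, "internal_port": iport, "external_port": eport, "lifetime": lifetime}


def parse_map_response(data: bytes) -> Dict[str, int]:
    vers, opcode, result, epoch, iport, eport, lifetime = struct.unpack(MAP_RESPONSE, data)
    return {"opcode": opcode & 0x7F, "result": result, "epoch": epoch,
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}


class Gateway:
    """Gateway-side handler (hypothetical) with the interface/source policy applied."""

    def __init__(self, lan_network: str, external_ip: str):
        self.lan = ipaddress.ip_network(lan_network)
        self.external_ip = ipaddress.ip_address(external_ip)
        self.epoch = 0  # seconds since the mapping table was last reset
        # (protocol opcode, external port) -> (internal host, internal port)
        self.mappings: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def handle(self, data: bytes, src_ip: str, received_on: str) -> bytes:
        """received_on is the interface the datagram arrived on: "lan" or "wan"."""
        src = ipaddress.ip_address(src_ip)
        # RFC 6886 forbids accepting requests received on the external interface.
        # Dropping them silently (empty reply) also means a WAN scanner learns
        # nothing; a LAN source address seen on the WAN side is treated as spoofed.
        if received_on != "lan" or src not in self.lan:
            return b""
        if data == bytes([NATPMP_VERSION, OP_EXTERNAL_ADDR]):
            return struct.pack(ADDR_RESPONSE, NATPMP_VERSION, 0x80, RESULT_SUCCESS,
                               self.epoch, self.external_ip.packed)
        req = parse_map_request(data)
        key = (req["opcode"], req["external_port"])
        owner = self.mappings.get(key)
        if owner and owner[0] != str(src):
            # External port already forwarded to another LAN host: refuse. (RFC 6886
            # would instead allocate a different free port; refusing keeps this short.)
            return struct.pack(MAP_RESPONSE, NATPMP_VERSION, req["opcode"] | 0x80,
                               RESULT_NOT_AUTHORIZED, self.epoch, req["internal_port"], 0, 0)
        if req["lifetime"] == 0:
            self.mappings.pop(key, None)  # lifetime 0 deletes the mapping
        else:
            # The forwarding target is always the requester itself, never a third host.
            self.mappings[key] = (str(src), req["internal_port"])
        return struct.pack(MAP_RESPONSE, NATPMP_VERSION, req["opcode"] | 0x80, RESULT_SUCCESS,
                           self.epoch, req["internal_port"], req["external_port"], req["lifetime"])
```

A quick way to read the test cases below: the same mapping request bytes are accepted from a LAN host on the LAN side, dropped when they arrive on the WAN side (with either a WAN or a forged LAN source), and dropped when a non-LAN source somehow shows up on the LAN side; the external-address query is answered only from the LAN.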

Feedback:


Round Up:


Targeting the HVAC | TechSNAP 148 https://original.jupiterbroadcasting.net/51107/targeting-the-hvac-techsnap-148/ Thu, 06 Feb 2014 19:22:54 +0000 https://original.jupiterbroadcasting.net/?p=51107 We finally have the answer to how the Target network was physically breached, and it just might make you facepalm.

The post Targeting the HVAC | TechSNAP 148 first appeared on Jupiter Broadcasting.

We finally have the answer to how the Target network was physically breached, and it just might make you face-palm.

Plus some urgent Adobe news, the NSA ORCHESTRA program, and a big batch of your questions and our answers.

All that and a heck of a lot more, on this week’s TechSNAP!

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Security Protocols and Evidence

  • Researchers at Cambridge propose a new way of thinking about security protocols: designing into them the facilities required to generate proper evidence for use in court for dispute resolution
  • The goal of the research is to highlight the types of design considerations that should be put into cryptocurrency systems like bitcoin and other payment systems like electronic banking and mobile payment apps
  • The research uses EMV (Chip&Pin) as an example and shows how it does not currently provide the evidence required for proper dispute resolution
  • The paper outlines 5 design considerations:
  • Principle 1: Retention and disclosure.
  • Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody
  • Principle 2: Test and debug evidential functionality.
  • When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses
  • Principle 3: Open description of TCB (trusted computing base)
  • Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations
  • Principle 4: Failure-evidentness.
  • Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism
  • Principle 5: Governance of forensic procedures
  • The forensic procedures for investigating disputed payments must be repeatable and be reviewed regularly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures
  • The paper then goes on to describe ways these principles could be applied to the existing EMV system to improve its security and dispute resolution facilities

Target Hackers Broke in Via HVAC Company

  • Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.
  • Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
  • Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • The HVAC company president confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation
  • It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
  • According to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
  • Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
  • Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
  • While some reports on the Target breach said the stolen card data was offloaded via FTP to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.
  • These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
  • These compromised hosts serve as cut-outs; after the stolen data is copied from them by the attacker, the logs can be erased to break the trail of evidence

Adobe announces emergency patch for Flash Player, flaw being exploited in the wild

  • Adobe has issued an emergency security advisory for all versions of Flash Player
  • Adobe released 12.0.0.44 for Windows and Mac, and 11.2.202.336 for Linux and FreeBSD
  • Bundled versions for Chrome (12.0.0.41) and Internet Explorer (12.0.0.38) were also updated to 12.0.0.44
  • “These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).”
  • Researchers Alexander Polyakov and Anton Ivanov of Kaspersky Lab discovered an exploit for the vulnerability being used in the wild and reported it to Adobe
  • Adobe has released no further details about the ongoing attack
  • Researcher’s Post
  • “During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later”
  • “The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment”
  • “Most interesting, the authors appears to be native in yet another language which has been observed very rarely in APT attacks.“
  • The language in question appears to be Korean
  • Kaspersky Labs have released more technical details about the exploit
  • Additional Coverage

Feedback:


Round Up:

Master Linux with Puppet | LAS | s26e03 https://original.jupiterbroadcasting.net/34111/master-linux-with-puppet-las-s26e03/ Sun, 24 Mar 2013 13:11:41 +0000 https://original.jupiterbroadcasting.net/?p=34111 Puppet is an open source configuration management tool. We discuss this free tool that can help you manage 1 to thousands of Linux boxes.

The post Master Linux with Puppet | LAS | s26e03 first appeared on Jupiter Broadcasting.

Puppet is an open source configuration management tool that our friend Allan uses every single day. He joins us to discuss this free tool that can help you manage 1 to thousands of Linux boxes.

Then a look at Linux Mint Debian Edition, Fedora’s Wayland strategy, some Kickstarter games that look great…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code hostdeal3 to score economy hosting for $1 a month, for one year.

35% off your ENTIRE order just use our code go35off3 until the end of the month!


Visit las.ting.com to save $25 off your device or service credits.


Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Manage Multiple Linux Boxes, with Puppet:


System76

Brought to you by: System76


– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:

Git yours hands all over our STUFF:


— NEWS —

News:

— FEEDBACK —

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

100% Uptime | TechSNAP 100 https://original.jupiterbroadcasting.net/33126/100-uptime-techsnap-100/ Thu, 07 Mar 2013 17:20:39 +0000 https://original.jupiterbroadcasting.net/?p=33126 We’ve warned against it for nearly 100 episodes, this week we’ll share the fallout from NBC.com getting hacked, and more.

The post 100% Uptime | TechSNAP 100 first appeared on Jupiter Broadcasting.

We’ve warned against it for nearly 100 episodes; this week we’ll share the fallout from NBC.com getting hacked, and Bit9’s whitelist technology being used against them and their customers.

Plus the bad news for Java users, a batch of your questions, and some big surprises.

Thanks to:

Use our code hostdeal4 to score economy hosting for $1 a month, for one year.

35% off your ENTIRE order just use our code go35off4 until the end of the month!


Visit techsnap.ting.com to save $25 off your device or service credits.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

NBC website compromised, malicious code injected

  • The official website of US broadcasting and media giant NBC was found to contain a malicious iframe pointing visitors to the RedKit Exploit Kit
  • The exploit kit used one of the vulnerabilities patched in Java 7u11 (released January 13th, although the issue was not fully fixed until Java 7u13 on February 1st), as well as a .PDF exploit, to drop the Citadel banking Trojan, a variant of the Zeus botnet only ever sold in the Russian underground to prevent infiltration by authorities and security companies
  • This attack could have been much worse if it had used one of the newer vulnerabilities that were not patched until u15 (February 19th) or u17 (March 4th)
  • Many users are likely still using somewhat outdated versions of Java due to the rapid release cadence and the inefficacy of the Java updater, and the addition of the .PDF exploit ensured a wider pool of vulnerable visitors
  • The attackers likely had ongoing access for a time, as the URL target of the iframe changed rapidly to avoid blocking of the delivery sites
  • One of the domains used in the iframe was an internationalized domain name, which translated from Russian to my-new-sploit.com
  • The version of the Citadel trojan used in the exploit was only recognized by 3 of the 46 virus scanners on virustotal.com on the date of the attack
  • The infection was also detected on other NBC sites such as latenightwithjimmyfallon.com and jeylenosgarage.com, so it was likely an exploit against the CMS
  • These trusted sites are especially valuable as attack vectors for malware authors, because of their huge traffic volumes and the fact that users expect the large trusted sites to be free of malware or other risk
  • Facebook’s malware scanner detected something was wrong (since iframes of .jar and .pdf files are usually only seen in attacks), and blocked users from posting links to NBC.com (we have discussed Facebook's malware scan, which is part of the spider that fetches preview images)
  • The malware was first detected by researchers at 16:43 CET on the 21st; it is unclear how long the injection was on the site before it was discovered
  • The malware was removed from the site by 21:28 CET
  • Researchers Post
  • Additional Coverage

    Bit9’s cloud security app compromised, 32 pieces of malware whitelisted

    • Bit9 is a security company whose main product is an application control software, which basically monitors all of the applications and processes running on a server or end-user device, and reports any unusual activity (applications not on the cloud maintained whitelist)
    • Customers of Bit9 include the US government, banks, oil and energy companies, defence contractors and 30 companies from the Fortune 100 list
    • Attackers managed to compromise one or more virtual machines at the company and gained access to a code signing certificate, subsequently using it to sign 32 pieces of malware, effectively whitelisting them
    • It turns out, due to an “operational oversight” a “handful” of computers at Bit9 did not run Bit9’s own software, so the intrusion was not detected or prevented
    • As such, Bit9 claims that the compromise was not due to a problem with their software
    • Bit9’s investigation suggests that only three of their customers were affected by the illegitimately signed malware
    • Bit9 revoked the certificate that was used to sign the malware (and probably all previously whitelisted binaries, Bit9 claims it was no longer actively using the stolen certificate, but that it was still valid), got a new certificate and resigned the whitelisted apps, and patched their software to blacklist anything signed with the revoked certificate
    • It is interesting to note that the most often touted features of the Bit9 system is that it stops new and unknown malware, because it only allows approved applications to run, the opposite of traditional anti-virus applications, which rely on a blacklist of known malware. In this case, it might have been that the compromised caused Bit9 to allow known malware that would have been stopped by traditional anti-virus to run on the target systems
    • Bit9 is not saying which of its customers were targeted, but based on other information and the list of industries Bit9 said were not targeted, it appears to have been a defence contractor
    • Official Update Announcement
    • Bit9 says the attackers originally compromised their systems in July of 2012 via an SQL injection flaw in software that was running on an internet accessible web server
    • From the web server, the attackers were able to compromise two legitimate user accounts, and eventually use those to access a virtual machine that contains the private keys for the code-signing certificate
    • The virtual machine that was compromised was shut down a few days later, with the compromise still undetected
    • In January that virtual machine was started again, and the compromise was eventually detected
    • Bit9 says evidence suggests that they were not the ultimate target of the attack, but rather just a stepping stone to eventually compromise one of their customers
    • Bit9’s audit showed that the source code for their software was not accessed or modified
    • The attackers later executed a watering hole attack (similar to the mobile developer forum attack that compromised Twitter, Facebook, Apple and Microsoft) against the 3 target Bit9 customers
    • The attack used a Java vulnerability to execute the HiKit and Unixhome backdoors, two of the binaries that had been signed with the stolen Bit9 certificate. Rather than being blocked by Bit9 as intended, because they had been signed with Bit9’s certificate they were whitelisted and allowed to run in the highly secured networks of the defense contractors
    • Krebs on Security Coverage – Part 1 Part 2
    • Security Ledger coverage

    Oracle issues another emergency Java patch after McRAT exploits new 0-day in the wild

    • The fix covers CVE-2013-1493 and CVE-2013-0809
    • The latter vulnerability is in the colour management system of Java 2D and allows an attacker to use a specially crafted image file to carry out a memory corruption attack. The attack targets the JVM’s internal data structures and overwrites the areas of memory that control whether the security manager is enabled or not
    • The exploit has been seen in the wild, successfully exploited to drop the McRAT trojan
    • The security company that discovered the exploit reported that the McRAT trojan was communicating with the same Command and Control server that was used in an earlier attack against security company Bit9
    • FireEye blog post
    • Additional Coverage
    • The issue was originally reported on February 1st, but Oracle claimed that was too late to be included in the February 19th patch. Oracle planned to sit on the update until the next scheduled update in April, but once the flaw was being exploited in the wild they were forced to release this update
    • Java Security bulletin
    • Security Explorations has reported 7 more java vulnerabilities since February 25th
    • Oracle has rejected issue #54, claiming it is not a vulnerability, but the Polish firm and US-CERT disagree; Security Explorations has sent additional details and a proof of concept to help Oracle understand the vulnerability
    • Oracle has issued tracking numbers for issues #56–60 but clarifies that the issues are not ‘confirmed’ yet
    • This seems to signal an increasing reluctance from Oracle to acknowledge and fix the bugs that researchers report, until it is too late and they are being actively exploited

    Feedback

    Round Up:

    The post 100% Uptime | TechSNAP 100 first appeared on Jupiter Broadcasting.

    SSH FUD Busting | TechSNAP 90 https://original.jupiterbroadcasting.net/29371/ssh-fud-busting-techsnap-90/ Thu, 27 Dec 2012 17:11:42 +0000 https://original.jupiterbroadcasting.net/?p=29371

    The post SSH FUD Busting | TechSNAP 90 first appeared on Jupiter Broadcasting.


    We bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

    Plus a rockin round-up and a batch of your questions, and our answers!

    All that and more on this week’s TechSNAP!

    Thanks to:

    Use our code tech295 to get a .COM for $2.95.

    Something else in mind? use go20off5 to save 20% on your entire order!

    $4.99 SSL certificates, just use our code 499ssl2. Expires 12-31-12!

    Pick your code and save:
    techsnap7: $7.49 .com
    techsnap10: 10% off
    techsnap11: $1.99 hosting for the first 3 months
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans
    techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 


Show Notes:


    W3 Total Cache (a popular wordpress plugin) may expose sensitive data

    • W3 Total Cache is a very popular and powerful caching plugin
    • The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
    • It can provide significant speed gains over stock wordpress
    • Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
    • Database Cache – By caching the results of database queries, if the same read query needs to be executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
    • Object Cache – A higher level cache than the database cache, Objects may be constructed from the results of many queries and plugins, caching the complete object may result in significant page load time improvements
    • Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
    • JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
    • CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files, in addition to media such as images and thumbnails. By loading this content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of the browser’s parallel downloading features
    • All of these caches offer a number of options, allowing you to choose between caching to disk, advanced caching to disk, opcode caches such as APC or dedicated caches such as memcache
    • All of these features make W3TC very popular and well respected
    • However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
    • The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
    • This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
    • If an attacker were to get the password hash for an administrative account, if they brute forced that hash, they could then take over that wordpress installation
    • Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
    • You should configure your web server to deny access to the /wp-content/w3tc/dbcache, /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for Apache)
    • If you use an opcode cache or memcache, your site is not affected by this configuration error
    • Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
    • The creators of W3TC are working on an update to address the issue
    • Allan’s slides on improving your Blog with ScaleEngine

    Inventor of SSH warns that improper key management makes SSH less secure than it should be

    • This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
    • SSH is not vulnerable or compromised
    • The story started with an interview of Tatu Ylonen, the inventor of SSH
    • “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out."
    • The problem is actually caused by users, and by bad management practices
    • Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
    • Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account, often these lists are not pruned because keys are hard to identify
    • While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
    • Federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but often SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
    • A stolen SSH key is what led to the compromise of the FreeBSD package building cluster last month
    • It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
    • Tools such as puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
    • One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command, before optionally checking the authorized_keys file
    • This feature can be used to look up keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing canonical keys in a central location
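A way to answer the "who can actually log in here?" question raised above, as an added example that is not from the show or from OpenSSH: it parses authorized_keys files from several accounts, fingerprints each key the way ssh-keygen does, and reports unlabelled, root, shared and unrestricted keys. The sample files and key blobs are constructed; a real audit would read /root/.ssh/authorized_keys and each user's file.

```python
"""Audit OpenSSH authorized_keys files: who can log in, and with which key?
Constructed example (not from the show notes or from OpenSSH). Keys are
fingerprinted the way `ssh-keygen -lf` prints them (SHA256, unpadded base64)
and reported against the questions an auditor asks: keys with no identifying
comment, keys on root, keys reused across accounts, keys with no `from=`."""
import base64
import hashlib
from typing import Callable, Dict, List, NamedTuple, Optional

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


class KeyEntry(NamedTuple):
    account: str
    key_type: str
    fingerprint: str
    comment: str
    options: List[str]


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, in OpenSSH's notation."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split(text: str, sep_is: Callable[[str], bool]) -> List[str]:
    """Split at separator characters, except inside double quotes; serves both
    the whitespace-separated fields and the comma-separated option list."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if sep_is(ch) and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_line(account: str, line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split(line, str.isspace)
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    # Only an options list may precede the key type, and a blob must follow it
    if idx is None or idx > 1 or idx + 1 >= len(fields):
        raise ValueError("unrecognised authorized_keys line: %r" % line)
    options = _split(fields[0], ",".__eq__) if idx == 1 else []
    return KeyEntry(account, fields[idx], fingerprint(fields[idx + 1]),
                    " ".join(fields[idx + 2:]), options)


def audit(files: Dict[str, str]) -> List[KeyEntry]:
    """files maps an account name to the text of its authorized_keys."""
    entries: List[KeyEntry] = []
    for account, text in files.items():
        parsed = (parse_line(account, ln) for ln in text.splitlines())
        entries.extend(e for e in parsed if e is not None)
    return entries


def findings(entries: List[KeyEntry]) -> Dict[str, list]:
    """The questions an auditor asks of the parsed keys."""
    accounts_by_fp: Dict[str, set] = {}
    for e in entries:
        accounts_by_fp.setdefault(e.fingerprint, set()).add(e.account)
    return {
        "unlabelled": [(e.account, e.fingerprint) for e in entries
                       if not e.comment],
        "root_access": [e.fingerprint for e in entries if e.account == "root"],
        "shared_across_accounts": sorted(
            fp for fp, accts in accounts_by_fp.items() if len(accts) > 1),
        "unrestricted": [(e.account, e.fingerprint) for e in entries
                         if not any(o.startswith("from=") for o in e.options)],
    }


def fake_blob(label: str) -> str:
    """Constructed stand-in for a public key blob; only its bytes get hashed."""
    return base64.b64encode(b"constructed-key:" + label.encode()).decode()


# Constructed sample: two accounts on one host, one key present on both.
SAMPLE_FILES = {
    "root": "\n".join([
        "# constructed sample authorized_keys",
        'from="10.0.0.0/8" ssh-ed25519 %s alice@laptop' % fake_blob("alice"),
        "ssh-rsa %s" % fake_blob("legacy"),  # no comment, no restriction
    ]),
    "deploy": "\n".join([
        'command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 %s ci-runner'
        % fake_blob("ci"),
        "ssh-rsa %s ops-shared" % fake_blob("legacy"),  # same key as on root
    ]),
}
```

Running findings(audit(SAMPLE_FILES)) lists the unlabelled key on root, the key that appears on both root and deploy, and the three keys that any source address may use.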

    Feedback:

    Round-Up:


    Audible Book Pick: The Master Switch: The Rise and Fall of Information Empires Audio Book


    Double 0-Java | TechSNAP 73 https://original.jupiterbroadcasting.net/23941/double-0-java-techsnap-73/ Thu, 30 Aug 2012 16:52:17 +0000 https://original.jupiterbroadcasting.net/?p=23941

    The post Double 0-Java | TechSNAP 73 first appeared on Jupiter Broadcasting.


    This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.

    Then it’s a big batch of your questions, and our answers.

    All that and much more, in this week’s TechSNAP.


 


Show Notes:

Java 0-day exploit in the wild


Google publishes important information about hosting user generated content

  • Google loads all user generated content from an isolated domain, googleusercontent.com
  • Google uses subdomains to separate different bits of UGC
  • One of the reasons for this is attacks such as GIFAR, in which an attacker takes a valid .gif file and concatenates a Java exploit .jar onto it (a .jar is just a zip file containing the compiled code)
  • The attacker can then embed on their own site an HTML applet tag with a src pointing to a Google domain (such as Picasa)
  • By shifting the content from official Google domains to googleusercontent.com, the browser’s ‘same origin’ policy should prevent malicious UGC from accessing the user’s google.com authentication cookie
  • Google goes on to detail their solutions for content that requires authentication (private documents, Google Apps for enterprise), where not being able to access the Google authentication cookie would pose a problem
  • Google uses a number of solutions (temporary cookies on googleusercontent.com, authorization tokens passed in the URL, URLs bound to a specific user) to trade off usability against the risk of accidental disclosure (if access to a private image is controlled by a URL parameter, what if the user copies the link to the picture and uses it elsewhere?)

Feedback:

  • Tool for provisioning new servers
    FreeBSD’s install can be scripted in a few different ways; the easiest is likely to start with the 225-line shell script that is the current FreeBSD installer
    /usr/src/usr.sbin/bsdinstall/scripts/auto
    You can set a few environment variables, and remove the dialogs, and you’ll have a fully automated install tuned just the way you like, then just PXE boot that, or make your own CD
    There are also some nice tutorials out there:
    Scripting a FreeBSD 9.x Install
    HOWTO: Modern FreeBSD Install RELOADED
    I generally do not script the installs of my BSD boxes, it takes only 5–10 minutes to do the install, and since each machine tends to have a different disk layout, it wouldn’t save much time
    Also, many of my servers are in foreign data centers, and they do the FreeBSD install for me, then just provide me with my SSH credentials. (Although a great many now provide IPMI/KVMoIP and allow me to install the OS myself)

  • Thoughts on OpenID
    OpenID moves the trust from a number of separate sites, to a single site, your ‘identity provider’
    This is likely more secure, since OpenID is based on strong practices, but also presents a more tempting target
    The advantage is that you can be your own OpenID provider, and then you only have to trust yourself

  • Tricks to conserve Bandwidth?

  • Daniel writes in with a note that he uses Puppet to manage over 2000 nodes from a pair of redundant Puppetmasters running via Apache/mod_passenger without issue.

  • Shlomi writes in with a question about moving an LVM to ZFS.
    Your best bet is to do something like I did when I moved from a number of separate UFS drives to a ZFS array (note, there is some performance penalty for doing it this way, more on that later)
    Use these instructions to remove one of the disks from your LVM volume (the biggest one you have enough free space to remove).
    Now create your ZFS pool, and add this now empty disk
    Start filling the ZFS pool until you have enough free space in the LVM to remove another disk, then add that disk to the ZFS pool
    Repeat as necessary
    ZFS will do write-biasing to try to ensure the drives reach ‘full’ at the same rate, so the emptier drives will receive a higher portion of the new writes. If you can create the pool from scratch, you will get better write performance, since all disks will be used to their maximum bandwidth
    ZFS had a planned feature called ‘block pointer rewriting’ that would allow for re-balancing the disk space across devices and for defragmenting files (fragmentation gets excessive due to copy-on-write)
    Personally, I am going to build a fresh array with 4x3TB disks in RAID Z1, and then recycle my 1.5TB disks for other purposes

  • I want to hear more about Scale Engine and what it does and some of the services. How about a segment on just Scale
    We provide a few main services:

    • Origin Web Cluster – Accelerated PHP/MySQL platform (Hosts JB’s site, and forums)
    • Edge Side Cache – an extremely fast memory backed geographically distributed MRU cache. Stores frequently accessed content in memory close to the users for fastest delivery. Great for images, css and javascript, but can also cache entire pages (Hosts JBs images, css and js)
    • Content Distribution Network – Disk backed geographically distributed MFU cache, stores static content close to the user for faster delivery. Works great for static content, especially larger content like audio and video podcasts. (Hosts JB episode downloads)
    • Video Streaming Network – Hosting Live, On-Demand, Pay-Per-View and Fake-Live video streaming. Provides multi-bitrate streaming to ‘any screen’ via RTMP (Flash), HLS (iOS, Safari, Android, Roku, VLC), or RTSP (Android, Blackberry, Quicktime, VLC). ScaleEngine’s SEVU API allows extensive content control for Geo-Blocking and Pay-Per-View/Subscription based viewing (Hosts JB live stream)

Have some fun:

What I wish the new hires “knew”

Round-Up:


Not so Private Keys | TechSNAP 72 https://original.jupiterbroadcasting.net/23581/not-so-private-keys-techsnap-72/ Thu, 23 Aug 2012 16:33:58 +0000 https://original.jupiterbroadcasting.net/?p=23581

The post Not so Private Keys | TechSNAP 72 first appeared on Jupiter Broadcasting.


How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!


 


Show Notes:

Man in the Browser attack used against Airport employees to gain credentials for VPN

  • In what appears to be a highly targeted attack, some airport employees had their machines infected with Man-in-the-Browser malware
  • This allowed the attackers to use form-grabbing and screen capturing to steal the airport employees’ login credentials for the airport VPN
  • The attack also compromised the single-channel mode of the airport’s two-factor authentication system, where an image is displayed and used by the user to transform their password into a temporary one-time code. Because this one-time code is based on the password, an attacker who is able to capture a number of these (the image and the response) can calculate what the original static password was
  • A more secure two-channel mode, sends a one-time code via SMS or a Mobile Application, but apparently was not used by many airport employees
  • It is unclear what type of VPN this was, or why the VPN involves logging in via a browser (layer 7), rather than the more typical layer 2 or 3 type VPN
  • It is not known what the attackers were after, but with access to the internal airport network, they may have been able to gain information on employees, the hiring process (to get their own people employed at the airport), or the ability to flag specific luggage, cargo or persons such that it is not subjected to normal security screenings
  • Additional Coverage

Adobe releases Flash 11.4, critical update to fix 6 security vulnerabilities


Hard coded SSL Keys in RuggedCom Switches

  • RuggedCom and their Rugged OS has caused headlines again with a massive security flaw
  • The rugged devices are used in many very sensitive installations, including military bases, train switches, power distribution systems, and traffic signals
  • The systems are designed to be rugged, insofar as standing up to harsh climate conditions, however it appears that many of these devices have been connected to the internet to allow for remote management, and the security of these systems has again been compromised
  • In this case, the RuggedCom devices use a hardcoded SSL private key, meaning that the secret used to decrypt the data sent from the user to the device, can be known by anyone who has ever had access to such a device, or has otherwise gotten access to the key (I am sure it has been posted online somewhere by now)
  • SSL uses PKI and asymmetric encryption, meaning there is one key to encrypt data (the public key, published as part of the SSL Certificate), and a private key, used to decrypt information encrypted with the public key
  • It seems that all RuggedCom devices use the SAME SSL key. This is such a large security fiasco as to defy classification. In order for this to have happened, every single person involved with the RuggedCom OS must have entirely lacked any understanding of how SSL works
  • The researcher who discovered the vulnerability (Justin W. Clarke, also discovered the previous vulnerability) was able to get the SSL key from various RuggedCom devices he bought on eBay, and discovered that the key on each device was the same
  • In addition to being able to decrypt the communications between users and the device, in order to get the login credentials or other sensitive information, an attacker with access to the SSL private key could also send modified responses from the device, making it appear to be normal, or even alter the responses from the device such that they compromise the computer of the administrator who is accessing the RuggedCom device, with something like one of the Flash exploits mentioned earlier in the show
  • ICS-CERT is recommending that all RuggedCom devices be isolated from the internet, and only accessed over VPNs to reduce the risk of an attack being able to decrypt the SSL session
  • Why any of these devices were connected directly to the public Internet in the first place boggles the mind
  • Additional Coverage
  • Additional Coverage
  • Coverage on Previous Flaw
  • TechSNAP 55 – Obscurity is not Security

New financial malware demonstrates an interesting new feature: it blocks users from accessing their bank account after it is compromised, with a friendly error message

  • Normally, a man-in-the-browser or keylogger style malware that targets your banking credentials would steal them, and send them to the fraudster, who would use them to gain access to your bank account
  • In a later iteration, the MitB attacks would prompt you for the answers to your secret questions
  • This level of MitB attacks was confounded by 2 factor authentication, because once the user entered the short-lived PIN, it was no longer useful, so the key-logged information did not allow the fraudster to gain access to the account
  • This newest version of the attack now stops your browser from actually communicating with the bank at all
  • When you go to the bank’s site in your browser and enter your username, password and the one-time PIN, the form details are taken by the malware, and the fraudster then uses them from his computer and drains your bank account; meanwhile you are given a friendly error message informing you that the bank’s website is down for a short maintenance and will be back later
  • The reason for this is the bank’s fraud-screening system
  • The bank’s automated defense systems monitor where you log in to your online banking from, and if you log in from two very distant locations within such a short amount of time that it is not possible for you to have travelled that far, it flags your account as possibly compromised
  • By preventing the legitimate user from accessing their account, it prevents this alarm being tripped, giving the fraudster more time to drain the account before being detected
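The impossible-travel check described above, as an added example (not the bank's or the show's code): consecutive logins on an account are compared by distance and elapsed time, and the second sample shows why suppressing the victim's own login keeps the alarm quiet. The login records, coordinates and the 900 km/h threshold are constructed assumptions.

```python
"""Impossible-travel check of the kind the show describes banks running.
Constructed example (not from the show notes): consecutive logins on an
account are compared by great-circle distance and elapsed time; an implied
speed no traveller could reach flags the account. The second sample shows
why the malware above hides the bank from the victim: with the legitimate
login suppressed there is no nearby-in-time second location to compare."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, NamedTuple

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; the threshold is an assumption


class Login(NamedTuple):
    account: str
    when: datetime
    lat: float
    lon: float
    src_ip: str


class Alert(NamedTuple):
    account: str
    km: float
    hours: float
    kmh: float
    earlier_ip: str
    later_ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins: List[Login],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Alert]:
    """Flag consecutive logins on one account that imply travel above max_kmh."""
    by_account = {}
    for login in sorted(logins, key=lambda x: x.when):
        by_account.setdefault(login.account, []).append(login)
    alerts = []
    for account, seq in by_account.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Two distant logins at the same instant are impossible outright
            kmh = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if kmh > max_kmh:
                alerts.append(Alert(account, round(km, 1), round(hours, 2),
                                    round(kmh, 1), prev.src_ip, cur.src_ip))
    return alerts


def _utc(day: int, hour: int, minute: int) -> datetime:
    return datetime(2012, 8, day, hour, minute, tzinfo=timezone.utc)


TORONTO, MONTREAL, KYIV = (43.65, -79.38), (45.50, -73.57), (50.45, 30.52)

# Constructed login log (TEST-NET addresses). The victim logs in from home;
# 80 minutes later the fraudster replays the captured credentials from afar.
SAMPLE_LOGINS = [
    Login("victim", _utc(22, 19, 30), *TORONTO, "203.0.113.11"),
    Login("victim", _utc(23, 8, 0), *TORONTO, "203.0.113.10"),
    Login("victim", _utc(23, 9, 20), *KYIV, "198.51.100.77"),
    Login("bob", _utc(23, 8, 0), *TORONTO, "203.0.113.20"),
    Login("bob", _utc(23, 13, 0), *MONTREAL, "203.0.113.21"),  # 500 km in 5 h
]

# Same fraud, but the victim's own 08:00 session never reached the bank.
SUPPRESSED_LOGINS = [x for x in SAMPLE_LOGINS if x.src_ip != "203.0.113.10"]
```

impossible_travel(SAMPLE_LOGINS) yields one alert for the victim (several thousand km/h); impossible_travel(SUPPRESSED_LOGINS) yields none, because the previous evening's login is far enough back in time to look like ordinary travel.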

Feedback:


FreeBSD has a ‘linux compatibility layer’, a kernel module called the Linuxulator, that basically translates system calls from Linux to BSD. If you install the basic libraries from CentOS into /usr/local/compat under BSD (there are packages that do this for you), you can run compiled Linux binaries on FreeBSD. The target of this system is commercial Linux applications, like game servers, scientific software and all kinds of not-open-source stuff.

If you create a jail (a second copy of the OS installed in a chroot, which uses the host OS’s kernel), and your FreeBSD kernel has the linux module loaded, then you could install CentOS in the jail chroot instead of FreeBSD, and have CentOS boot (with its boot scripts etc). It would be CentOS, except with a FreeBSD kernel (although CentOS will think it is using a Linux kernel). All of the system binaries and the package binaries would run through the translation layer (there is no real performance penalty for this; some apps even run faster under FreeBSD)

If you google for it, there are some how-tos on running Linux in a FreeBSD jail. For some commercial software like Adobe Flash Media Server, which only wants to run on CentOS (it doesn’t even like to run on other Linux distros, let alone BSD), it can provide an easy out.

Apparently PC-BSD’s new ‘Warden’ jail management GUI includes the option to deploy a linux jail automatically, but I have not tried it yet


What I wish the new hires “knew”

Round-Up:


Server Puppeteering | TechSNAP 71 https://original.jupiterbroadcasting.net/23236/server-puppeteering-techsnap-71/ Thu, 16 Aug 2012 15:46:51 +0000 https://original.jupiterbroadcasting.net/?p=23236

The post Server Puppeteering | TechSNAP 71 first appeared on Jupiter Broadcasting.


Rumor has it the PlayStation Network has been hacked again, but we’ve got the real story. Blizzard suffered a nasty database breach, and it might be much worse than they are letting on.

Plus: Automating your server deployments and configurations has never been easier, find out what Allan uses to get the job done!

All that and a lot more, in this week’s TechSNAP!


 


Show Notes:

Attacker claims to have broken in to Sony PSN again, Sony denies claim

  • Attackers have pasted 3000 password hashes and email addresses from an alleged list of 10 million
  • The official Playstation twitter account has denied the claim
  • Most of the password hashes appear to be the phpBB modified version of the Openwall phpass hashing system, although some appear to be raw SHA1 hashes
  • This specific hashing algorithm suggests that the passwords are not from PSN, but from a forum database
  • However, since the Sony network might use a single sign-on system, it may be possible that these passwords are the same as the ones on the PSN network
  • Others have suggested it is just data from the previous attack last year

Blizzard admits Battlenet was compromised

  • This week the security team at Blizzard discovered unauthorized access to their internal servers
  • Information that is known to have been accessed includes:
    • Email Address
    • Answer to security question
    • Cryptographic verifiers for account passwords
    • Information relating to Mobile and Dial-In Authenticators
  • Blizzard does not believe at this time that any payment information (credit card numbers, billing addresses, real names) were taken
  • Battle.net uses the Secure Remote Password protocol (SRP), which is designed to allow remote users to authenticate in such a way that a network eavesdropper would not be able to retrieve the user’s password, or perform an offline dictionary attack against it
  • The need for such a protocol has long been obviated by SSL/TLS, which provides stronger protection against eavesdroppers, and also prevents attacks that involve altering the messages or spoofing the identity of the endpoint
  • This might have made sense when Battle.net was originally introduced, when SSL was too costly in terms of performance
  • Using a standard cryptographic password hashing algorithm, even just md5crypt, would likely have been more secure (obviously bcrypt would have been better) in the case of a compromised database. Maybe they will transition to something better now
  • One blogger who took the time to read the official SRP whitepaper written by the protocol author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime.

    “Blizzard is incorrect in claiming that SRP ‘is designed to make it extremely difficult to extract the actual password’ after the verifier database is stolen,”

  • Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled “SRP Won’t Protect Blizzard’s Stolen Passwords,”
  • However: a Battle.net 2.0 emulator suggests that at least some of Blizzard’s hashed passwords were generated with an SRP implementation that uses a 1024-bit modulus, rather than the 256-bit modulus described in the whitepaper. The tweak makes password cracking take about 64 times longer than it would using the lower-bit setting.
  • Why hacked Blizzard passwords aren’t as hard to crack as company says
  • Additional Coverage: PCMag
  • Additional Coverage: Gamespot
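
To make the SRP discussion above concrete, here is an added example; it is not code from the episode, from Blizzard, or from Spilman’s post. It computes an SRP verifier exactly as RFC 5054 defines it (x = SHA1(salt | SHA1(username ":" password)), v = g^x mod N, using the RFC’s 1024-bit group) and shows the property the episode is getting at: the verifier is a deterministic function of the salt and the password, so anyone holding the stolen (salt, v) record can recompute it for a candidate password, with no server secret involved. The only thing standing between the record and the password is the cost of one recomputation, which here is one SHA-1 plus one modular exponentiation (an operation whose cost grows with the modulus size, hence the 1024-bit versus 256-bit note above). For comparison the block hashes the same password with a deliberately slow standard password hash; PBKDF2-HMAC-SHA256 is used only because it ships in Python’s standard library, as a stand-in for the bcrypt the episode recommends. The username “alice”, the password and the salt are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# 1024-bit SRP group from RFC 5054, Appendix A; the generator is 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """Verifier as RFC 5054 defines it: x = SHA1(salt | SHA1(username ':' password)),
    v = g^x mod N.  The server stores (salt, v) in place of a password hash."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(g, x, N)


def verifier_matches(salt: bytes, v: int, username: str, candidate: str) -> bool:
    """Recompute the verifier for a candidate password and compare.  Nothing here
    depends on a server-side secret, which is why a stolen verifier table can be
    checked offline and only the per-check cost limits how fast that goes."""
    return srp_verifier(salt, username, candidate) == v


# Slow standard password hash for comparison.  PBKDF2-HMAC-SHA256 is used only
# because it is in the standard library; the episode's recommendation is bcrypt.
PBKDF2_ROUNDS = 200_000


def slow_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def slow_hash_matches(salt: bytes, stored: bytes, candidate: str) -> bool:
    return hmac.compare_digest(slow_hash(salt, candidate), stored)


def seconds_per_check(check, repeats: int) -> float:
    """Average wall-clock cost of one candidate check."""
    start = time.perf_counter()
    for _ in range(repeats):
        check()
    return (time.perf_counter() - start) / repeats


def main() -> None:
    # Constructed sample record; the user name and password are not from the episode.
    salt = os.urandom(16)
    user, password = "alice", "correct horse battery staple"
    v = srp_verifier(salt, user, password)
    h = slow_hash(salt, password)

    print("SRP verifier confirms the right password:", verifier_matches(salt, v, user, password))
    print("SRP verifier rejects a wrong one:        ", not verifier_matches(salt, v, user, "hunter2"))
    srp_cost = seconds_per_check(lambda: verifier_matches(salt, v, user, "hunter2"), 200)
    pbkdf2_cost = seconds_per_check(lambda: slow_hash_matches(salt, h, "hunter2"), 5)
    print(f"per-check cost, SRP verifier (1024-bit N): {srp_cost * 1e6:9.1f} us")
    print(f"per-check cost, PBKDF2 {PBKDF2_ROUNDS} rounds:  {pbkdf2_cost * 1e6:9.1f} us")


if __name__ == "__main__":
    main()
```

The two timings are the whole argument: the SRP verifier costs a few hundred microseconds per candidate on a laptop CPU, while a slow hash costs whatever work factor the operator chose, and that factor can be raised as hardware gets faster. SRP still does its real job on the wire (the password never crosses the network), but once the verifier table is stolen it behaves like a salted fast hash.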

Feedback:

  • Raymii created a Security Question Answers Generator Page!
    • Violates rule #3 of security questions: the answers are not ‘memorable’
    • Randomly generated answers are technically not stable or definitive either
    • Relies on you remembering or storing the answer, in case you fail to remember or store your password… (the secret answers should not be stored at all, or should be stored as securely as the original password itself, since they can be used in place of the password, or to reset it)
    • Cool site, decent random password generator à la XKCD
  • White Spiral from the chatroom wrote in with a number of suggestions for security questions
    • Your questions are not very applicable to average users (none of my ex-girlfriends had bad breath)
    • Questions related to sex pose numerous problems, including offending customers, or causing an unpleasant work environment for support employees who must ask these questions over the phone
    • User generated questions require more database resources, but likely solve the problems of applicability
    • Most users are likely worse at coming up with their own questions than the site will be
  • Jim emails in and suggests: why not use pictures of people you know! The first question might be their name and the second question may be the location.
    • You can’t use this type of security question over the phone
    • There may be privacy issues with storing pictures of 3rd parties on behalf of the customer (what if the database gets hacked, and now pictures of me uploaded by someone else are leaked)
    • I may not be able to remember the location the picture was taken in a few years
  • Peter suggests committing a lot of crimes, and confessing one to each company that requires a security answer

  • Q: I did bad-do I have to give up my internet license?

  • Q: Configuration management automation?

Question for a future episode:

Sr. SysAdmins and Techs, what would you like your Jr. co-workers to know or learn more about before joining the work force?

Round-Up:

The post Server Puppeteering | TechSNAP 71 first appeared on Jupiter Broadcasting.

Faster GPU Cracking | TechSNAP 65 https://original.jupiterbroadcasting.net/21306/faster-gpu-cracking-techsnap-65/ Thu, 05 Jul 2012 16:45:55 +0000 https://original.jupiterbroadcasting.net/?p=21306 Everyone's beloved password cracker has a major update, you won’t believe what it can do now! Plus we share some infrastructure wisdom.

The post Faster GPU Cracking | TechSNAP 65 first appeared on Jupiter Broadcasting.


Everyone’s beloved password cracker has had a major update, and you won’t believe what it can do now!

The Aerospace industry has a new Advanced Persistent Threat, and a major Microsoft XML flaw already being exploited.

Plus we share some infrastructure wisdom in today’s feedback segment.

All that and more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

New version of John the Ripper targets slow hashes with GPUs

  • The new version focuses on adding GPU support, both CUDA (for nVidia) and OpenCL (for AMD and other cards)
  • Other interesting new additions:
  • Non-hash cracking support for:
    • Mac OS X keychains
    • KeePass 1.x files
    • ODF and MS Office 2007/2010 files
    • Mozilla Firefox/Thunderbird/etc master password files
    • RAR -p and -hp encryption modes
    • WPA-PSK
    • VNC Challenge/response auth
    • SIP challenge/response auth
    • HMAC-SHA1/224/256/384/512
  • New hashes supported:
    • sha256crypt (CPU or CUDA)
    • sha512crypt (CPU/CUDA/OpenCL)
    • DragonFly BSD SHA256/512
    • Drupal 7 custom PHP SHA-256 hashes
    • Raw-SHA1-LinkedIn
  • Interestingly, bcrypt (OpenBSD’s implementation of Blowfish as a password hashing algorithm), even on an AMD 7970, is slower on a GPU than on a CPU due to the nature of the algorithm
  • Full Release Announcement

Unpatched Microsoft XML exploit added to Blackhole toolkit

  • An exploit for the unpatched vulnerability is now included in recent versions of the Blackhole exploit kit, which is sold to cyber criminals and installed on infected and compromised websites across the internet
  • Numerous attack vectors have been used to exploit this flaw in the Microsoft XML engine, including MS Office documents, Flash, and Internet Explorer itself
  • The flaw is present in versions 3, 4 and 6 of MS XML Core Services, and is exploitable on all supported versions of Windows (XP/Vista/7, 2003/2008/R2 Server)
  • Microsoft published the advisory about the flaw on June 12th, after it was already being actively exploited in the wild
  • At this time, there is still no fix for ‘Microsoft XML Core Services’; Microsoft offers a ‘Fix-It’ that is supposed to mitigate the flaw, but warns that it may cause application compatibility issues
  • The Microsoft EMET Toolkit may prevent the exploitation of this vulnerability, but as discussed previously, it is incompatible with AMD video drivers
  • CVE-2012-1889
  • Official Microsoft Announcement

New version of trojan used in highly targeted attack

  • The Sykipot trojan is not new, however the latest version is being used more successfully than before
  • Phishing emails and targeted web advertisements are being used to drive users to sites where they are infected by drive-by-downloading of the trojan using the MS XML exploit
  • This requires zero user interaction in order to become infected
  • Previous versions of Sykipot have relied on file format exploits (MS Office files, PDFs)
  • The latest attack seems to be targeting attendees to the IEEE’s Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders)
  • Researchers have found a Sykipot variant that was programmed to steal credentials from systems using ActivIdentity’s ‘ActivClient’, the smart card application used by the U.S. Department of Defense’s Common Access Card (CAC)
  • This could result in the compromise of such smart cards, allowing the attacker to gain access to highly sensitive materials

A third of top UK Universities use weak SSL configurations

  • TechWeek Europe used the SSL Labs tool to test the SSL implementations used at the top universities in the UK
  • Many of the schools received grades of C or D instead of the expected A
  • Such weakness in the implementation of SSL could allow an attacker to inject data into encrypted packets, in order to exploit the user’s machine while they are visiting a trusted site, or to hijack the session or compromise other private data
  • Many of the schools responded quickly with configuration changes to upgrade their scores, while others were hesitant to make configuration changes for fear of affecting accessibility for users
  • SSL Best Practices Guide
  • ScaleEngine.com’s Results
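
The grades in that story come down to a handful of server-side settings, and the same settings can be checked before the server ever goes live. The following is an added example, not the SSL Labs tool and not code from the article or the best-practices guide: a small audit of a Python ssl.SSLContext for the configuration points behind a low grade (no protocol floor, TLS-level compression left on, the client rather than the server choosing the cipher, and weak cipher names in the offered list). The “lax” context is constructed purely to give the audit something to flag, and the cipher string and the list of weak-cipher markers in the hardened version are my own choices rather than values taken from the guide.

```python
import ssl

# Fragments of OpenSSL cipher names that have no place in a modern server
# configuration.  Any offered cipher whose name contains one is a finding.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def audit_server_context(ctx: ssl.SSLContext) -> list:
    """Return a list of (code, message) findings for a server-side SSLContext.
    An empty list means none of the checked settings is weak."""
    findings = []
    # A floor below TLS 1.2 leaves the older, CBC-only protocol versions negotiable.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("protocol", f"minimum protocol is {ctx.minimum_version.name}; "
                                     "allow TLS 1.2 and newer only"))
    # TLS-level compression leaks information about the plaintext; keep it off.
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append(("compression", "TLS compression enabled; set OP_NO_COMPRESSION"))
    # Without server preference the client picks the suite, so the weakest one
    # the server still lists can end up being used.
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append(("preference", "client chooses the cipher; set OP_CIPHER_SERVER_PREFERENCE"))
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append(("ciphers", "weak ciphers offered: " + ", ".join(weak)))
    return findings


def lax_context() -> ssl.SSLContext:
    """Constructed weak configuration: whatever OpenSSL supports, no floor,
    compression allowed, client-chosen ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    cleared = int(ssl.OP_NO_COMPRESSION) | int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    ctx.options = int(ctx.options) & ~cleared
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The same context with the settings the audit looks for corrected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # Forward-secret AEAD suites only; the '!' entries remove the weak families
    # even if a future cipher-string default were to reintroduce them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def main() -> None:
    for label, ctx in (("lax", lax_context()), ("hardened", hardened_context())):
        findings = audit_server_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for code, message in findings:
            print(f"  [{code}] {message}")


if __name__ == "__main__":
    main()
```

The audit only inspects the context; it never opens a socket, so it can run in a deployment pipeline as a gate before the certificate is even loaded. It is deliberately narrower than SSL Labs (no certificate-chain or key-size checks), which is the part an external scan still adds.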

Feedback:

Round Up:
