The US State Department shuts down its email in what can only be described as a major overreaction, WebRTC sees a major breakthrough that will bring major competition to Skype.

Plus the big results from Mobile Pwn2Own 2014 & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

State Department shuts down its e-mail system amid concerns about hacking – The Washington Post

The State Department scrambled over the weekend to secure its unclassified e-mails, shutting down the entire e-mail system after finding evidence suggesting a hacker may have been been poking around.

A senior State Department official said technicians recently detected “activity of concern” in portions of the system handling unclassified e-mail. The official, who you could also consider a leaker, remains unindfied saying that none of the department’s classified systems were compromised.

VP8 and H.264 to both become mandatory for WebRTC | Andreas Gal

WebRTC is mainly about opening direct connections to other web browsers. The plug-inless capture of video and audio is related but the fundmentals of it are implmented by each browser.

Unfortunately, the full potential of the WebRTC ecosystem has been held back by a long-running disagreement about which video codec should be mandatory to implement. The mandatory to implement audio codecs were chosen over two years ago with relatively little contention: the legacy codec G.711 and Opus, an advanced codec co-designed by Mozilla engineers. The IETF RTCWEB Working Group has been deadlocked for years over whether to pick VP8 or H.264 for the video side.

At the last IETF meeting in Hawaii the RTCWEB working group reached strong consensus to follow in our footsteps and make support for both H.264 and VP8 mandatory for browsers. This compromises was put forward by Mozilla, Cisco and Google. The details are a little bit complicated, but here’s the executive summary:

• Browsers will be required to support both H.264 and VP8 for WebRTC.
• Non-browser WebRTC endpoints will be required to support both H.264 and VP8. However, if either codec becomes definitely royalty free (with no outstanding credible non-RF patent claims) then endpoints will only have to do that codec.
• “WebRTC-compatible” endpoints will be allowed to do either codec, both, or neither.

See the complete proposal by Mozilla Principal Engineer Adam Roach here. There are still a few procedural issues to resolve, but given the level of support in the room, things are looking good.

Mobile Pwn2Own 2014: Windows Phone’s sandbox resists attack

The Mobile Pwn2Own 2014 hacking competition, held at the PacSec Applied Security Conference in Tokyo, Japan, was concluded on Thursday, and not one of the targeted phones has survived completely unscathed.

Of the targets available for selection, Amazon Fire Phone, Apple iPhone 5S, Samsung Galaxy S5, and Google/LG Nexus were completely “pwned,” the Nokia Lumia 1520 running Windows Phone partially, and BlackBerry Z30, Apple’s iPad Mini and the Nexus 7 weren’t targeted at all.

A successful exploitation of a bug in the latter carried with it a $150,000 prize, the others less: $100,000 for messaging services, $75,000 for short distance and $50,000 for the browser, apps or OS.

What we know is that the Apple iPhone 5S was owned via the Safari browser by exploiting two bugs, the Amazon Fire Phone was breached via three bugs in its browser, Samsung Galaxy S5 was successfully targeted via NFC by two different teams (one by triggering a deserialization issue in certain code, and the other by targeting a logical error), and the Nexus 5 was forced to pair with another phone via Bluetooth.

The two contestants that did their attacks on the second day were less successful: Jüri Aedla used Wi-Fi to target a Nexus 5, but was unable to elevate his privileges further than their original level. And Nico Joly tried to exploit Lumia’s browser, but didn’t manage to gain full control of the system as the sandbox held. He did, however, manage to extract the cookie database.

AT&T Stops Using ‘Perma-Cookies’ to Track Customer Web Activity – Mac Rumors

In late October, researchers discovered that AT&T and Verizon had been engaging in some unsavory customer tracking methods, using unique identifying numbers or “perma-cookies” to track the websites that customers visited on their cellular devices to deliver target advertisements.

Following significant negative attention from the media, AT&T today told the Associated Press that it is no longer injecting the hidden web tracking codes into the data sent from its customers’ devices.

The change by AT&T essentially removes a hidden string of letters and numbers that are passed along to websites that a consumer visits. It can be used to track subscribers across the Internet, a lucrative data-mining opportunity for advertisers that could still reveal users’ identities based on their browsing habits.

AT&T’s customer tracking practices, called “Relevant Advertising,” were the result of a pilot program the company had been experimenting with, which has apparently come to an end.

While AT&T has opted to stop using the invasive tracking method, Verizon is continuing to utilize perma-cookies to track the web activity of its customers. Unlike AT&T’s experimental program, Verizon has been using Relevant Advertising techniques for approximately two years.

• Simple test page for Cellular ISP tracking beacons – by Kenn White

The post WebRTC vs Skype | Tech Talk Today 92 first appeared on Jupiter Broadcasting.

The Mask, an advanced persistent threat is revealed, a slew of various home router models are actively being exploited, we’ll share the important details.

Plus some routing basics explained, and much much more.

On this week’s TechSNAP

Thanks to:

— Show Notes: —

Kaspersky discovered “The Mask” APT

• We got some hints about Careto (also know as “The Mask” or “The Masked APT”) a few weeks ago, and speculation suggested that the unusual native language of the attackers was Korean
• In an even bigger surprise, it turns out the attackers are Spanish speaking
• the Spanish-speaking attackers targeted government institutions, energy, oil & gas companies and other high-profile victims via a cross-platform malware toolkit
• Full Research PDF
• The APT has been going on since 2007 or earlier
• “More than 380 unique victims in 31 countries have been observed to date”
• “What makes “The Mask” special is the complexity of the toolset used by the
  attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32 and 64 bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)”
• “The Mask also uses a customized attack against older versions of Kaspersky Lab products to hide in the system, putting them above Duqu in terms of sophistication and making it one of the most advanced threats at the moment. This and several other factors make us believe this could be a nation state sponsored campaign”
• “When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations”
• “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government level encryption tools”
• “Overall, we have found exploits for Java, Flash SWF (CVE-2012-0773), as well as malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. The names of the subdirectories give some information about the kind of attack they launch, for instance we can find /jupd where JavaUpdate.jar downloads and executes javaupdt.exe”
• “CVE-2012-0773 has an interesting history. It was originally discovered by French
  company VUPEN and used to win the “pwn2own” contest in 2012. This was the first
  known exploit to escape the Chrome sandbox. VUPEN refused to share the exploit
  with the contest organizers, claiming that it plans to sell it to its customers”
• “A Google engineer offered Bekrar (of VUPEN) $60,000 on top of the $60,000 he had already won for the Pwn2Own contest if he would hand over the sandbox exploit and the details so Google could fix the vulnerability. Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million, but he later told WIRED he wouldn’t hand it over for even $1 million.”
• This suggests that the threat actor may be a government
• However, Chaouki Bekrar denies the VUPEN exploit was used
• “Several attacks against browsers supporting Java have been observed.
  Unfortunately, we weren’t able to retrieve all the components from these attacks, as
  they were no longer available on the server at the time of checking”
• Also exploits CVE-2011-3544 against Java
• Additional Coverage

Linksys Router Malware

• Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.
• Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher.
• A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.
• Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.
• The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet.
• Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack.
• After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script.
• Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets.
• The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers\’ DNS settings.
• The phony domain name resolvers listed in the router settings redirected victims\’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims\’ login credentials.
• The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers.
• Two days after this article was published, Linksys representatives issued the following statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware.
+ Additional Coverage Internet Storm Center
+ These are not the only routers that have problems
+ Home Routers pose the biggest threat to consumer security
+ An old backdoor from 2005 was found in brand new Cisco home “Gigabit Security Routers”
+ As the covered last year, 40-50 million routers have uPnP flaw
+ Yesterday, researchers found a stack overflow bug in Linksys WRT120N routers
+ The new protocol that proposes to make “security” easier on the next generation of home routers may cause more harm than good
+ Asus Routers are also vulnerable including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R

Feedback:

• Do you do disk or filesystem level encryption? If so, how do you manage the keys?

• confused about default routes

• Migrating ZFS

  • ZFS Replication

• Smart Wire Modems

• \”I just don\’t want to see the internet just walled off in different areas of the world\”

Round Up:

• Email attack on Vendor was source of Target breach
• Target\’s cybersecurity team raised concerns months before hack
• Schneier on Security: My Talk on the NSA
• Are 400gbps DDoS attacks the new normal?
• Verizon seeks payment for carrying Netflix traffic, WSJ reports
• RAID reliability calculator
• More than 2000 Tesco.com accounts leaked
• The History of Data Storage
• Important Kickstarter Security Notice
• FreeBSD PEFS file system security audit
• Tour of the Verizon Terremark Data Center
• Intel introduces new 15 core Xeon CPU, Xeon E7-8893 v2 (LGA2011), 3.4 GHz (3.7 GHz turbo), 37.5 MB cache, 1536 GB max ram, 8 way system would have 240 logical CPUs
• US Health care sector vulnerable to Hackers

The post 7 Year Malware | TechSNAP 150 first appeared on Jupiter Broadcasting.

We cover the amazing story of how the FBI infiltrated and exposed LulzSec.

And in a retro war story, Microsoft miss more than just a leap day and we answer some of your feedback questions.

All that and on, on this week’s TechSNAP!

Thanks to:

Subscribe via RSS and iTunes:
    Subscribe...           --RSS-- TechSNAP HD TechSNAP Large     TechSNAP Mobile      TechSNAP MP3     TechSNAP OGG     --iTunes--     TechSNAP iTunes HD     TechSNAP iTunes Mobile     TechSNAP iTunes Large     TechSNAP iTunes MP3  

Support the Show:

Show Notes: