Noah’s back from Defcon! He shares his experience at this infamous conference, his Linux in the wild sightings & his surprising takeaway.

Plus Btrfs’ RAID 5/6 code has been found “unsafe”, the FossHub compromise, an Internet of Things failure that struck close to home & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Noah Visits Defcon

• Badges are more than the sum of their parts – Imgur

• Ham Radio Exams at DEF CON 24 brought to you by dc408

Hackers Fool Tesla S’s Autopilot to Hide and Spoof Obstacles

In a series of tests they plan to detail in a talk later this week at the Defcon hacker conference, they found that they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors, in some cases causing the car’s computers to perceive an object where none existed, and in others to miss a real object in the Tesla’s path.

Hacking Hotel Keys and Point of Sale Systems at DEFCON

Hecker is scheduled to talk about his research at the DEFCON security conference in a talk where he will also reveal flaws in the magnetic stripe approach used in point-of-sale (POS) systems. In an interview ahead of the talk, Hecker detailed some of his key findings and the widespread risks.

— PICKS —

Runs Linux

This Sewer Camera that my plumber used, Runs Linux

Desktop App Pick

Lifeograph

Private offline journal, encrypted note taking.

Features

• Search and play audio/video from YouTube
• Search tracks of albums by album title
• Search and import YouTube playlists
• Create and save local playlists
• Download audio/video
• Convert to mp3 & other formats (requires ffmpeg or avconv)
• View video comments
• Works with Python 3.x
• Works with Windows, Linux and Mac OS X
• Requires mplayer or mpv
• This project is based on mps, a terminal based program to search, stream and download music. This implementation uses YouTube as a source of content and can play and download video as well as audio. The pafy library handles interfacing with YouTube.

Spotlight

Stellarium 0.15.0 has been released

New big features

• We introduce a major internal change with the StelProperty system.

• This allows simpler access to internal variables and therefore more ways of operation.

• Most notably this version introduces an alternative control option via RemoteControl, a new webserver interface plugin.

• We also introduce another milestone towards providing better astronomical accuracy for historical applications:

• experimental support of getting planetary positions from JPL DE430 and DE431 ephemerides. This feature is however not fully tested yet.

The major changes:

• Added StelProperty system
• Added new plugin for exhibitions and planetariums – Remote Control
• Added new skycultures: Macedonian, Ojibwe, Dakota/Lakota/Nakota,
  Kamilaroi/Euahlayi
• Updated code of plugins
• Added Bookmarks tool and updated AstroCalc tool
• Added new functions for Scripting Engine and new scripts
• Added Miller Cylindrical Projection
• Added updates and improvements in DSO and star catalogues (include initial
  support of The Washington Double Star Catalog)
• azimuth lines (also targeting geographic locations) in ArchaeoLines plugin
• Many fixes and improvements…

— NEWS —

• Ting data price drop
• Ting drops data prices to $10 GB beyond the first gig

PSA – Do not download Classic SHELL! read comments (MBR overwrite!!) mbr.rootkit

Classic Shell itself wasn’t compromised. FossHub was and some download links were replaced by another program, not signed, that do only one thing: overwrite the MBR. It’s not an infected version of Classic Shell, Audacity or whatever, it’s only a small program that targets your MBR. If at the end of the installation process nothing happens beside a short cmd window then you have downloaded the malware.

• Hacker Compromises Fosshub to Distribute MBR-Hijacking Malware

“In short, a network service with no authentication was exposed to the internet,” the hacker told Softpedia in an email. “We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email.”

• FossHub serves up MBR-compromising versions of Audacity and Classic Shell

Corrupt .exe’s downloads of both Audacity and Classic Shell have been removed from FossHub.com after being found laden with a Master Boot Record-overwriting Trojan.

Never Trust a Found USB Drive, Black Hat Demo Shows Why

“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” Bursztein said.

• What are malicious USB keys and how to create a realistic one?

Btrfs RAID 5/6 Code Found To Be Very Unsafe & Will Likely Require A Rewrite

“more or less fatally flawed, and a full scrap and rewrite to an entirely different raid56 mode on-disk format may be necessary to fix it. And what’s even clearer is that people /really/ shouldn’t be using raid56 mode for anything but testing with throw-away data, at this point. Anything else is simply irresponsible.”

@ahl I assume you actually tested it before shipping it though

— Allan Jude (@allanjude) August 6, 2016

• Re: [BUG] Btrfs scrub sometime recalculate wrong parity in raid5

Couldn't turn on my bedroom lights last night because there is no way to dismiss this dialog. Thank you @tweethue! pic.twitter.com/2EJUgujzLF

— Thomas Roth (@StackSmashing) July 30, 2016

• JB1 Studio Hit too

• Huemote App

• Amazon.com: CHAUVET SlimPAR 56: Musical Instruments

• Amazon.com: ADJ Products AC3PDMX25 25 ft 3 pin DMX Cable for lighting products: Musical Instruments
• Amazon.com: DMXking ultraDMX Micro USB DMX adapter/dongle: Musical Instruments

MeetBSD California 2016

• Any tips where I can park Lady Jupiter near the Clark Kerr Campus
• Meet up?

Mail Bag

• https://slexy.org/view/s2NuBRmc2H

• https://slexy.org/view/s2usaSqiSk

• https://slexy.org/view/s2vRzbEICz

• Audio Only for Live Show?

Call Box

• Chris’ call out for the community to help him with his background

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

The post Fear and Linux in Las Vegas | LAS 429 first appeared on Jupiter Broadcasting.

Meet BOOTTRASH the Malware that executes before your OS does, the hard questions you need to ask when buying a security appliance, Project Zero finds flaws in Fireeye hardware.

Plus some great audience questions, a big round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

BOOTRASH malware executes before your OS does

• “Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.”
• The malware only works against MBR formatted disks, if it detects GPT it just exists
• It backs up the original VBR (Volume Boot Record, the boot code at the start of the partition, which is calls from the boot code installed in the MBR) to a different location on the disk
• It finds some free space between partitions or at the end of the disk, and uses that to create its own tiny virtual file system, to store the actual malware files
• Additional files and resources are encoded into a registry hive, so they do not leave any files on the regular file system. Only the invisible virtual file system (not listed in the partition table, hiding in unused space), and some random strings on encoded binary in the registry
• “As previously discussed, during a normal boot process the MBR loads the VBR, which loads the operating system code. However, during the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software.”
• “The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode. This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.”
• So it dynamically replaces bits of kernel code with its own code, making it a very hard to detect rootkit, since it is actually injected before the kernel is loaded (hence the name, bootkit)
• Researcher Blog

“A decisionmaker’s guide to buying security appliances and gateways”

• “With the prevalence of targeted “APT-style” attacks and the business risks of data breaches reaching the board level, the market for “security appliances” is as hot as it has ever been. Many organisations feel the need to beef up their security – and vendors of security appliances offer a plethora of content-inspection / email-security / anti-APT appliances, along with glossy marketing brochures full of impressive-sounding claims.”
• This article provides a bit of a guide to help you shop for an appliance that might actually be worth the number of zeros on the price tag
• “Most security appliances are Linux-based, and use a rather large number of open-source libraries to parse the untrusted data stream which they are inspecting. These libraries, along with the proprietary code by the vendor, form the “attack surface” of the appliance, e.g. the code that is exposed to an outside attacker looking to attack the appliance. All security appliances require a privileged position on the network – a position where all or most incoming and outgoing traffic can be seen. This means that vulnerabilities within security appliances give an attacker a particularly privileged position – and implies that the security of the appliance itself is rather important.”
• Five questions to ask the vendor of a security appliance
  • What third-party libraries interact directly with the incoming data, and what are the processes to react to security issues published in these libraries?
  • Are all these third-party libraries sandboxed in a sandbox that is recognized as industry-standard? The sandbox Google uses in Chrome and Adobe uses in Acrobat Reader is open-source and has undergone a lot of scrutiny, so have the isolation features of KVM and qemu. Are any third-party libraries running outside of a sandbox or an internal virtualization environment? If so, why, and what is the timeline to address this?
  • How much of the proprietary code which directly interacts with the incoming data runs outside of a sandbox? To what extent has this code been security-reviewed?
  • Is the vendor willing to provide a hard disk image for a basic assessment by a third-party security consultancy? Misconfigured permissions that allow privilege escalation happen all-too often, so basic permissions lockdown should have happened on the appliance.
  • In the case of a breach in your company, what is the process through which your forensics team can acquire memory images and hard disk images from the appliance?
• Not to mention, in the case of a breach at the vendor, what information could the attacker get about your appliance, your network, or your security? How are the trusted keys protected on the vendor’s network?
  • Bonus Question: Does the vendor publish hashes of the packages they install on the appliance so in case of a forensic investigation it is easy to verify that the attacker has not replaced some?
• “A vendor that takes their product quality (and hence your data security) seriously will be able to answer these questions, and will be able to confidently state that all third-party parsers and a large fraction of their proprietary code runs sandboxed or virtualized, and that the configuration of the machine has been reasonably locked down – and will be willing to provide evidence for this (for example a disk image or virtual appliance along with permission to inspect).”
• All of these are very good questions, and I happen to know one vendor who answered these questions in their recent BSDNow interview.

Project Zero finds flaws in FireEye security appliance

• “FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks”
• The device is connected to a SPAN, MONITOR, or MIRROR port. A feature of high end switches that allows all traffic from a port or set of ports to be copied to another port
• “The FireEye device then watches all network traffic passively, monitoring common protocols like HTTP, FTP, SMTP, etc, for any transferred files. If a file transfer is detected (for example, an email attachment or a HTTP download) the FireEye extracts the file and scans it for malware.”
• If the device detects malware, it alerts the security team
• The device can also be configured in a IPS (Intrusion Prevention System) mode, where it would block such traffic
• “For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough”
• If you compromise one of these devices, you are basically sitting on a wiretap of the entire network. These devices are sometimes even installed behind devices that decrypt encrypted traffic, giving you even more access
• “A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.”
• “FireEye have issued a patch for this vulnerability, and customers who have not updated should do so immediately to protect their infrastructure.” Devices with security content release 427.334 and higher have this issue resolved
• Q. How long did FireEye take to resolve this issue after it was reported?
• A. FireEye responded very quickly, pushed out temporary mitigations to customers within hours of our report and resolved the issue completely within 2 days.
  • Q. Have FireEye supported your security research?
• A. Yes, FireEye have been very cooperative. They worked with us closely, provided test equipment, support, and have responded very quickly to any issues we reported.
• “Project Zero have been evaluating a FireEye NX 7500 appliance, and created a lab to generate sample traffic. The test environment consisted of a workstation with four network interfaces. Two interfaces were connected to a hub, which were used for simulating network traffic. The FireEye passive monitoring interface (called pether3) was connected to a third port on the hub (acting like a mirror port) so that it could observe traffic being exchanged between the two interfaces on the test machine. This simulates an intranet user receiving email or downloading files from the internet.”
• “The main analyses performed by the FireEye appliance are monitoring for known malicious traffic (blacklisted netblocks, malware domains, snort rules, etc), static analysis of transferred files (antivirus, yara rules, and analysis scripts), and finally tracing the execution of transferred files in instrumented virtual machines. Once an execution trace has been generated, pattern matching against known-bad behaviour is performed.”
• “The MIP (Malware Input Processor) subsystem is responsible for the static analysis of files, invoking helper programs and plugins to decode various file types. For example, the swf helper invokes flasm to disassemble flash files, the dmg helper invokes p7zip to extract the contents of Mac OS Disk Images and the png helper invokes pngcheck to check for malformed images. The jar helper is used to analyze captured Java Archives, which checks for signatures using jarsigner, then attempts to decompile the contents using an open source Java decompiler called JODE.”
• The problem is that the JODE decompiler, actually executes small bits of the java code, to try to deobfuscate it
• “With some trial and error, we were eventually able to construct a class that JODE would execute, and used it to invoke java.lang.Runtime.getRuntime().exec(), which allows us to execute arbitrary shell commands. This worked during our testing, and we were able to execute commands just by transferring JAR files across the passive monitoring interfaces.”
• So, just by emailing someone behind this device a .jar file, it would end up getting executed on the security device, running arbitrary shell commands
• “As FireEye is shipped with ncat installed by default, creating a connect-back shell is as simple as specifying the command we want and the address of our control server.”
• “We now have code execution as user mip, the Malware Input Processor. The mip user is already quite privileged, capable of accessing sensitive network data. However, , there is a very simple privilege escalation to root”
• “FireEye have requested additional time to prepare a fix for the privilege escalation component of this attack”
• “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
• “If you would like to read more from our series on attacks against security products, we have also published research into ESET, Kaspersky, Sophos, Avast and more, with further research scheduled for release soon.”

Feedback:

• RAID Repair Gone Wrong

• adblocking with pfsense – how?

• Pfblocker – PFSenseDocs
  • Pfsense Blocking ads with squid or lusca

• How feasible would it be to set up passwordless systems?

• Greetings from Ecuador!

Round Up:

• Further investigation shows Satoshi PGP keys may have been backdated
• More bitcoin followup from Wired
• Google will actively distrust Symantec’s “Class 3 Public Primary CA”. The root CA, issued in 1996, is being retired because it uses SHA-1, which no longer meets the requirements of the CA/Browser forum. Symantec will continue to use the root CA for “other things”, so Google is actively distrusting it, to prevent it being used.
• MacKeeper database exposed. Not hacked, just totally open to the entire Internet. Passwords hashed with plain md5, no salt.
• Shodan search shows over 650 terabytes of data exposed via completely unsecured MongoDB instances
• Cyber Crime 3.0: Stealing whole houses
• Why Governments lie about encryption backdoors
• 21-year old man arrested in the UK in connection with VTech hack
• Bypass authentication in Grub2, by pressing backspace 28 times
• (0Day) Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability. After the researchers worked with Microsoft since September, Microsoft closes the issue as “won’t fix”
  
• OPSEC of Honeypots, if your honeypot is obvious, it doesn’t do much good
• Joomla exploit via user-agent string, injecting code allows full remote command execution
• SMTP Injection via recipient email addresses
• Steam introduces a Trade Escrow system to stop scamming and hijacked accounts. Trend jackers jump on this and trick users into installing malware
• How not to do two factor authentication

The post Insecurity Appliance | TechSNAP 245 first appeared on Jupiter Broadcasting.

Bitcoin’s creator has been found again, we’ll cover what the media thinks they’ve figured out & what we really know.

Then, ‘In Patches We Trust: Why Security Updates have to get better’, a great batch of questions, a huge round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

WIRED thinks they found Bitcoin’s Creator Satoshi Nakamoto

• Since that pseudonymous figure first released bitcoin’s code on January 9th, 2009, Nakamoto’s ingenious digital currency has grown from a nerd novelty to a kind of economic miracle. As it’s been adopted for everything from international money transfers to online narcotrafficking, the total value of all bitcoins has grown to nearly $5 billion.
• Nakamoto himself, whoever he is, appears to control a stash of bitcoins easily worth a nine-figure fortune (it rose to more than a billion at the cryptocurrency’s peak exchange rate in 2014).
• In the last weeks, WIRED has obtained the strongest evidence yet of Satoshi Nakamoto’s true identity. The signs point to Craig Steven Wright.
• Gizmodo thinks it was actually two people
• A monthlong Gizmodo investigation has uncovered compelling and perplexing new evidence in the search for Satoshi Nakamoto, the pseudonymous creator of Bitcoin.

• According to a cache of documents provided to Gizmodo which were corroborated in interviews, Craig Steven Wright, an Australian businessman based in Sydney, and Dave Kleiman, an American computer forensics expert who died in 2013, were involved in the development of the digital currency.

• Wired’s “Evidence”

• An August 2008 post on Wright’s blog, months before the November 2008 introduction of the bitcoin whitepaper on a cryptography mailing list. It mentions his intention to release a “cryptocurrency paper,” and references “triple entry accounting,” the title of a 2005 paper by financial cryptographer Ian Grigg that outlines several bitcoin-like ideas.

• A post on the same blog from November, 2008 includes a request that readers who want to get in touch encrypt their messages to him using a PGP public key apparently linked to Satoshi Nakamoto. This key, when checked against the database of the MIT server where it was stored, is associated with the email address satoshin@vistomail.com, an email address very similar to the satoshi@vistomail.com address Nakamoto used to send the whitepaper introducing bitcoin to a cryptography mailing list.
• An archived copy of a now-deleted blog post from Wright dated January 10, 2009, which reads: “The Beta of Bitcoin is live tomorrow. This is decentralized… We try until it works.” (The post was dated January 10, 2009, a day after Bitcoin’s official launch on January 9th of that year. But if Wright, living in Eastern Australia, posted it after midnight his time on the night of the 9th, that would have still been before bitcoin’s launch at 3pm EST on the 9th.) That post was later replaced with the rather cryptic text “Bitcoin — AKA bloody nosey you be…It does always surprise me how at times the best place to hide [is] right in the open.” Sometime after October of this year, it was deleted entirely.
• In addition to those three blog posts, they received a cache of leaked emails, transcripts, and accounting forms that corroborate the link.

• Another clue as to Wright’s bitcoin fortune wasn’t leaked to WIRED but instead remains hosted on the website of the corporate advisory firm McGrathNicol: a liquidation report on one of several companies Wright founded known as Hotwire, an attempt to create a bitcoin-based bank. It shows that the startup was backed in June 2013 by $23 million in bitcoins owned by Wright. That sum would be worth more than $60 million today.

• Reported bitcoin ‘founder’ Craig Wright’s home raided by Australian police

• On Wednesday afternoon, police gained entry to a home belonging to Craig Wright, who had hours earlier been identified in investigations by Gizmodo and Wired,

• People who say they knew Wright have expressed strong doubts about his alleged role, with some saying privately they believe the publications have been the victims of an elaborate hoax.
• More than 10 police personnel arrived at the house in the Sydney suburb of Gordon at about 1.30pm. Two police staff wearing white gloves could be seen from the street searching the cupboards and surfaces of the garage. At least three more were seen from the front door.
• The Australian Federal police said in a statement that the raids were not related to the bitcoin claims. “The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney. This matter is unrelated to recent media reporting regarding the digital currency bitcoin.”
• The documents published by Gizmodo appear to show records of an interview with the Australian Tax Office surrounding his tax affairs in which his bitcoin holdings are discussed at length.
• During the interview, the person the transcript names as Wright says: “I did my best to try and hide the fact that I’ve been running bitcoin since 2009 but I think it’s getting – most – most – by the end of this half the world is going to bloody know.”
• Guardian Australia has been unable to independently verify the authenticity of the transcripts published by Gizmodo, or whether the transcript is an accurate reflection of the audio if the interview took place. It is also not clear whether the phrase “running” refers merely to the process of mining bitcoin using a computer.
• The purported admission in the transcript does not state that Wright is a founder of the currency, but other emails that Gizmodo claim are from Wright suggest further involvement he may have had in the development of bitcoin.
• The emails published by Gizmodo cannot been verified. Comment has been sought from Sinodinos on whether he was contacted by Wright – or his lawyer – in relation to bitcoin and its regulatory and taxation status in Australia.
• A third email published by Gizmodo from 2008 attributes to Wright a comment where he said: “I have been working on a new form of electronic money. Bit cash, bit coin …”
• WikiLeaks on Twitter: “We assess that Craig S Wright is unlikely to be the principal coder behind Bitcoin.” https://t.co/nRnftKPjm9”
• Additional Coverage: Freedom Hacker

In Patches We Trust: Why Security Updates have to get better

• “How long do you put off restarting your computer, phone, or tablet for the sake of a security update or software patch? All too often, it’s far too long”
• Why do we delay?
• I am in the middle of something
• The update might break something
• I can’t waste a bunch of time dealing with fixing it if it doesn’t work
• I hate it when they move buttons around on me
• Installing the update makes the device unusable for 20+ minutes
• “Patches are good for you. According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented by applying a security patch”
• “The problem is that far too many have experienced a case when a patch has gone disastrously wrong. That’s not just a problem for the device owner short term, but it’s a lasting trust issue with software giants and device makers.”
• We have all seen examples of bad patches
• “Apple’s iOS 8.0.1 update was meant to fix initial problems with Apple’s new eight generation mobile operating system, but killed cell service on affected phones — leaving millions stranded until a fix was issued a day later. Google had to patch the so-called Stagefright flaw, which affected every Android device, for a second time after the first fix failed to do the job. Meanwhile, Microsoft has seen more patch recalls in the past two years than in the past decade.”
• “Microsoft, for example, issued 135 security bulletins this year alone with thousands of separate vulnerabilities patched. All it takes is one or two patches to fail or break something — which has happened — to account for a 1 percent failure rate.”
• Users get “update fatigue”, If every time they go to use the computer, there is a new update for one or more of: Java, Flash, Chrome, Skype, Windows, etc.
• Worse, many drivers and other programs now add their own utilities, “update managers” and so on. Lenovo and Dell have both recently had to patch their “update managers” because they actually make your system more vulnerable
• Having a slew of different programs constantly nagging the user about updating just causes the user to stop updating everything, or to put the updates off for longer and longer
• “At the heart of any software update is a trust relationship between the user and the company. When things go wrong, it can affect thousands or millions of users. Just ignoring the issue and pulling patches can undermine a user’s trust, which can damage the future patching process.”
• “Customers don’t always expect vendors to be 100 percent perfect 100 percent of the time, or at least they shouldn’t,” said Childs. “However, if vendors are upfront and honest about the situation and provide actionable guidance, it goes a long way to reestablishing the trust that has been lost over the years.”

New APT group identified, known as Sofacy, or Fancy Bear

• “Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.”
• “Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.”
• “In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.
  While the JHUHUGIT (and more recently, “JKEYSKW”) implant used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZYTrojan.”
• This shows how APT attackers constantly evolve, and reserve their best exploits for use against high profile targets, using lesser quality exploits on lesser targets, to avoid the better exploits being discovered and mitigated
• “The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors.”
• “Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor. This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.”
• “This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll””
• The attackers have multiple levels of malware, and can cycle through them until something works, then use that to drop a payload that matches the quality of the target they are attacking
• “In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well. The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015.”
• “This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.”
• “Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day. At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.”
• Lateral movement is a more generic term for Island Hopping, moving around inside the network once you get through the outer defenses
• “Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”
• “As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.”

Feedback:

• Backup solution….. Help!

• Replicate to Freenas at in-laws

• ddos

• ZFS on the Desktop

Round Up:

• A journal for MD/RAID5 Fixes old Linux RAID issue?
• Adobe releases Flash patch for 79 different CVEs, 56 of which are use-after-frees. Adobe says none of the patched vulnerabilities are being exploited publicly. Adobe also patched a dozen memory corruption vulnerabilities, two heap buffer overflows, stack, integer and buffer overflow vulnerabilities, in additional to security bypass flaws and a type confusion vulnerability
• When Undercover Credit Card Buys Go Bad — Krebs on Security
• Microsoft moving Windows Server 2016 to per-core licensing (compared to current per-socket)
• Steam tightens trading security amid 77,000 monthly account hijackings
• On the CCA (in)security of MTProto, How Telegram’s crypto is not as good as standard crypto
• Adobe, Microsoft Each Plug 70+ Security Holes — Krebs on Security
• oclHashcat can now crack 8 different TrueCrypt ciphers for the price of 3
• Microsoft Patch Tuesday includes revoking *.xboxlive.com certificate after it was accidently leaked
• Interview about the ‘Crypto Wars’ with Matt Blaze, the man to killed the Clipper Chip by finding its flaws
• FBI admits it uses stingrays, zero-day exploits
• Cloud is outsourcing but it’s not outsourcing (as was)
• After UAE bank fails to pay ransom, attack dumps 10s of thousands of customers transaction histories online
• Cisco warns of one ‘Critical’, and a number of ‘High’ severity flaw in its routers and other devices
• More Than 80% of Mobile Apps Have Encryption Flaws, Study Finds
• An HTTP Status Code to Report Legal Obstacles
• Millions of embedded devices including routers, smart TVs, and cell phones, still have not patched uPNP bug from 2012, including 326 apps on the Google Apps Store, including some very popular apps
• 7 signs you’re doing devops wrong
• DN42, a massive dynamic VPN, specifically for testing and learning about routing protocols
• Funny KGB story

The post Finding Nakamoto | TechSNAP 244 first appeared on Jupiter Broadcasting.