Plus your questions, our answers & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Fixing this Internet before it breaks again

• “What we call the Internet, was not our first attempt at making a global data network that spanned the globe. It was just the first one that worked.”
• “There is no guarantee that the internet will succeed. And if we aren’t careful we can really screw it up. It has happened before and we can do it again.”
• “Kaminsky, who was delivering the keynote to over 6,000 Black Hat USA 2016 attendees, said problems that need to be addressed within the security community are political, technical and how the security community collaborates.”
• “The internet doesn’t have the equivalent of ‘the guy’ that’s working on cancer. We need institutions and systems. We need to have something like NIH (National Institutes of Health) for cyber. It needs to have good and stable funding,” Kaminsky said. Research, problem solving and solutions are too often conducted in fiefdoms that seldom share the collective solutions needed to help fix the big security issues of the day. “I’m worried. I’m worried about our ability to innovate and our ability to create and I’m worried that we are not building the sort of infrastructure to make the internet a safe place.”
• “By taking a NIH type of approach, Kaminsky argued, the internet would foster a large number of deeply committed security experts to work independently and away from commercial interest that push the security sector to come up with quick fixes to solve big security problems. “We need to make changes and we need to have studies about the way we program and the method that people use to build secure things”
• “So what I’m looking to answer is – forget the layers of abstraction and the politics – how do we get 100 nerds working on a project for 10 years without interrupting them or harassing them and telling them to do different things. How do you make that happen? How you don’t make that happen is how we are doing that in InfoSec today – and that’s with the spare time of a small number of highly paid consultants. We can do better than that”
• “Kaminsky doesn’t see the NIH approach as a panacea to all that ails the security world. In fact, in his talk he described a delicate balancing act where the security community derives the benefits of broader administration without being hamstrung by potential politics. Control, greed and companies driven by profits, he argue, killed the internet of the 1990s. He argues AOL tried to create a walled garden and control everything and make billions. But that internet failed”
• “There are two models of an internet. There is the walled garden and freedom. The walled garden is, ‘okay here is your environment and go ahead and try to use it.’ The other model is that people can put stuff up and other people can use and abuse it. People don’t need to ask for permission they don’t need to beg. Maybe it works and maybe it doesn’t.”
• Are Apple, Facebook, Google, and Microsoft, taking us towards their own versions of AOLs walled garden of the Internet?
• How often does your family’s internet browsing actually leave Facebook?
• He warns, the same way AOL’s walled garden threatened a free internet of the 1990s, government control over encryption could have the same stifling effects on innovation and cyber liberties. “Let’s stop the encryption debate. This is actually useless. It’s driving all the energy away from what are we need to fix,”
• Topping Kaminsky’s fixit list was devising better ways for the security community to collectively move the security ball forward and not view security solutions as individual races to win. “Let’s take our obscure knowledge and real expertise and making it available the rest of the security community,” he said. By sharing knowledge and solutions it allows us to find flaws quicker and fix them even faster.”
• It is not about the splashiest vuln with the coolest name, or having the fastest fix, it is about being in it for the long term, and actually fixing things.

Researchers bypass chip and pin protections by attacking the PoS terminals

• “The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security.”
• “Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see some wear, according to researchers.”
• Except in the US
• The chip card transition in the US has been a disaster
• “Nir Valtman and Patrick Watson, researchers with NCR Corporation, staged a series of malicious transactions in a talk here at Black Hat on Wednesday, demonstrating how they could capture Track 2 data and bypass chip and pin protections.”
• “Instead of attacking the operating system of the POI and POS devices, the researchers bypassed much of the built-in security. This includes integrated cryptographic security schemes. Breaking crypto, after all, is very hard. That’s because cryptography is just math, and math (for the most part) works. But the crypto is just part of the overall security system, the other pieces of which are vulnerable to attack. This was made even easier since much of the information the team sought in their attacks was not encrypted on the payment device.”
• “In their first demonstration, the duo used a Raspberry Pi to capture Track 2 data packets in real time. Via a passive man-in-the-middle compromise, Wireshark picked up two interactions from data entered into a pinpad running flawed production software that’s currently in the wild. The two declined to specify the company’s name, but claimed they had spoken with the vendor and asked them to implement TLS connections, but said they couldn’t as they ran old hardware.”
• “The garbled data can be transformed into readable bits, service code expiration data, discretionary data, and so on, data that can tip a hacker off whether the card is a chip card.”
• The pair showed how easy it’d be to use a malicious form to trick a consumer into re-entering their PIN or a CVV on a card machine. “Consumers trust pinpads, they usually think they entered it wrong,”
• “According to the two researchers, attackers could compromise a pinpad – by injecting a form, Malform.FRM in this instance, when no one’s in the store and quickly change it back to a customized “Welcome!” message. Both Valtman and Watson advocate that pin pads leverage strong crypto algorithms and allow only signed whitelist updates. Point of sale pin pads are usually PCI certified but the two pointed out PCI doesn’t require encryption over a local area network, which is how an attacker could carry out a MiTM attack.”
• So they used the API of the payment terminal to trick the user into actually typing in the CVV, so they could capture it.
• They also socially engineer the user into thinking they mistyped their PIN, and having them enter it a second time. One of which is not expected by the software, and is instead captured by the attackers software
• “Consumers should never re-enter their PIN, as it’s a telltale giveaway that a pin pad may have been compromised, Valtman claimed, before adding that he usually frequents stores that allow him to pay with his Apple Watch, as he finds the technology more secure than EMV”
• “It’s cool, but not a secure standard,” Nir said.
• “As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.”
• Slides
• Additional Coverage

The 2016 Pwnie Awards!

• The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the security community.
• The awards are given out once an year. The tenth annual ceremony will take place on Aug 3rd, 2016 in Las Vegas at the BlackHat USA security conference.
• Best Server-Side Bug: Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow
• Best Client-side bug: glibc getaddrinfo stack-based buffer overflow
• Best Privilege Escalation Bug: Widevine QSEE TrustZone
• Best Cryptographic Attack: SSLv2 Crypto Attack DROWN
• Best Backdoor: Juniper ScreenOS
• Best junk or stunt hack: remotely killing a jeep on the highway
• Best Branding: Mousejack
• Epic Achievement: Never giving up, and never letting us down: Travis Ormandy
• Most Innovative Research: Dedup Est Machina Memory Deduplication as an Advanced Exploitation Vector
• Lamest Vendor Response: Western Digital: MyPassword Drive
• Most over hyped bug: Badlock
• Best Song: Cyberlier
• Most Epic FAIL: no one…!
• Lifetime Achievement Award: Mudge — L0phtcrack, DARPA’s cyber security program
• Epic 0wnage: The Juniper Backdoor
• Honourable Mentions: ImageTragick, Stagefright, SETFKey (1999), BlueCoat getting an Intermediate CA, Insecurity of self-encrypting drives, 60 Minutes hacked phone, BACKRONYM

Feedback:

• IRC Bots

• GitHub – rikai/Showbot: A fork of the Showbot irc bot suited for non-5by5 stuff.

• Virtulizing PFSense

• ZFS/NFS/KVM Question

• Multicast Youtube Home NAT Router

Round Up:

• ‘Webcam hackers caught me wanking, demanded $10k ransom’
• We all know that virus scanners are some of the worst security offenders, so Kaspersky has launched a new bug bounty program, administered by HackerOne, with rewards of up to $50,000
• Cisco: Potent ransomware is targeting the enterprise at a scary rate
• Google brings HSTS to Google.com, talks about the challenges and the process
• Canada Wants To Keep Federal Data Within National Borders
• The Antivirus Industry’s dirty little secret
• This is what Apple should tell you when you lose your iPhone
• Walmart proves Open Source is Big business
• Inside Facebook’s new “Area 404” hardware lab

The post The Internet is Dying | TechSNAP 279 first appeared on Jupiter Broadcasting.

We’re in the middle of an epic battle for power in cyberspace & Bruce Schneier breaks it down. PHP gets broken, PornHub gets hacked & the disgruntled employee who wiped the router configs on his way out the door.

Plus great emails, a packed round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Power in the Age of the Feudal Internet

• “We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question – and one vitally important to the future of the Internet.”
• “In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.”
• “On the corporate side, power is consolidating around both vendor-managed user devices and large personal-data aggregators. It’s a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.”
• “I have previously called this model of computing feudal. Users pledge allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.”
• “Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes.”
• “Government power is also increasing on the Internet. Long gone are the days of an Internet without borders, and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control – a change the US opposes, because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.”
• “What happened? How, in those early Internet years, did we get the future so wrong?”
• “The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively. So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents.”
• “There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances – firearms, fingerprint identification, lockpicks, the radio – give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.”
• “It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power – whether marginal, dissident, or criminal – as Robin Hood. And you can think of ponderous institutional power – both government and corporate – as the Sheriff of Nottingham.”
• “So who wins? Which type of power dominates in the coming decades? Right now, it looks like institutional power.”
• “This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance – and there’s no reason to believe it won’t – there will always be a security gap in which technically savvy Robin Hoods can operate.”
• “My main concern is for the rest of us: everyone in the middle. These are people who don’t have the technical ability to evade either the large governments and corporations that are controlling our Internet use, or the criminal and hacker groups who prey on us. These are the people who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords – or any powers – fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents. The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that the data use restriction debate now involves guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.”
• “The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.”
• “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”
• “This won’t be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they’re not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.”
• “Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it — how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it — is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.”
• “I can’t tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.”

How we broke PHP, hacked PornHub, and earned $20,000

• As we covered a few months ago, PornHub has opened up their new bug bounty program via Hackerone.com
• Now, a group of researchers have collected a $20,000 bounty, and are sharing the details of how they did it
• “We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone. We were also awarded with $2,000 by the Internet Bug Bounty committee”
• “We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function.”
• “After analyzing the platform we quickly detected the usage of unserialize on the website. Multiple paths (everywhere where you could upload hot pictures and so on) were affected”
• “In all cases a parameter named “cookie” got unserialized from POST data and afterwards reflected via Set-Cookie headers”
• So, whatever data you sent to the website while uploading, was serialized and set as a cookie, which would be unserialized and read back in by each subsequent request. This is how websites maintain state across multiple requests.
• When the researchers modified the POST request to include an a serialized PHP Exception, the PornHub website reacted to the exception
• “This might strike as a harmless information disclosure at first sight, but generally it is known that using user input on unserialize is a bad idea”
• “The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past”
• “Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
• The implemented a fuzzer, and started running it. Eventually they found a bug in PHP 7, but when they tried it against PornHub, it didn’t work. This suggested that PornHub used PHP 5.6. Running the fuzzer against PHP 5.6 generated more than 1 TB of logs, but no vulnerabilities.
• “Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior again.”
• “A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug — a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”
• “Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.”
• The article then goes on to explain how they exploited the use-after-free vulnerability in great detail
• Once they had the ability to execute the code they provided, they needed a way to view the output
• “Being able to execute arbitrary PHP code is an important step, but being able to view its output is equally important, unless one wants to deal with side channels to receive responses. So the remaining tricky part was to somehow display the result on Pornhub’s website.”
• “Usually php-cgi forwards the generated content back to the web server so that it’s displayed on the website, but wrecking the control flow that badly creates an abnormal termination of PHP so that its result will never reach the HTTP server. To get around this problem we simply told PHP to use direct unbuffered responses that are usually used for HTTP streaming”
• “Together with our ROP stack which was provided over POST data our payload did the following things:”
  • Created our fake object which was later on passed as a parameter to “setcookie”.
• This caused a call to the provided add_ref function i.e. it allowed us to gain program counter control.
• Our ROP chain then prepared all registers/parameters as discussed.
• Next, we were able to execute arbitrary PHP code by making a call to zend_eval_string.
• Finally, we caused a clean process termination while also fetching the output from the response body.
• “Once running the above code we were in and got a nice view of Pornhub’s ‘/etc/passwd’ file. Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls. However, just using PHP was more convenient at this point. Finally, we dumped a few details about the underlying system and immediately wrote and submitted a report to Pornhub over Hackerone.”
• “We gained remote code execution and would’ve been able to do the following things:”
  • Dump the complete database of pornhub.com including all sensitive user information.
  • Track and observe user behavior on the platform.
• Leak the complete available source code of all sites hosted on the server.
• Escalate further into the network or root the system.
• “It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief. Please finally put a nail into unserialize’s coffin so that the following mantra becomes obsolete.”
• “You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.”

Ex-Citibank employee wipes router configs and downs entire network

• “Lennon Ray Brown, 38, had been working at Citibank’s Irving, Texas, corporate office since 2012, first as a contractor and later as a staff employee, when he was called in by a manager and reprimanded for poor performance.”
• “At that point, the US Department of Justice said, the rogue employee uploaded a series of commands to Citibank’s Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. Court documents show that while there was not a complete outage, the re-routing led to “congestion” on the network and at the branch offices.”
• “Brown admits that on December 23, 2013, he issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. The resulting outage hit both network and phone access to 110 branches nationwide – about 90 per cent of all Citibank branch offices.”
• Brown said the following in a text message to a coworker shortly after the incident:
  • “They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
  • “Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
• Brown admitted the intentional damage charge in February
• Justice Department Announcement
• Brown has been sentenced to 21 months in jail, and a $77,000 fine

Feedback:

• VBulletin Ubuntu Forums Hack

• Kids and Grown Up Networks

• Secure Webmail?

• ZFS snapshot to LUKs External on Linux

Round Up:

• Hijacking Youtube to transmit your Data
• NIST advises against SMS-Based Two-Factor Authentication — PDF
• LastPass: design flaw in communication between privileged and unprivileged components l
• LastPass Security Updates
• GOP delegates suckered into connecting to insecure Wi-Fi hotspots
• Katcr.co: Original KickassTorrents Community Is Back, Without Torrent s
• Tinder safe dating spam uses safety to scam users out of money
• Keys to Chimera crypto ransomware allegedly leaked by rival crime gang
• Pop star asks fans to send their passwords so he can tweet as them. May actually be a violation of the CFAA
• You can’t turn off Cortana in the Windows 10 Anniversary Update
• Vine accidently posts docker image with its source code publicly
• Yahoo ordered to show how it recovered deleted emails
• The sound of dialup, pictured, and explained
• Florida judge: Bitcoins aren’t currency, so state money laws don’t apply

The post Internet Power Struggle | TechSNAP 277 first appeared on Jupiter Broadcasting.

Ransomware unlocked, NASA rescues Kepler, the FBI still wants Apple’s help & Telegram wants to be your Jarvis.

Plus our “Kickstarter” of the week might be the craziest IoT device yet!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• Experts crack Petya ransomware, enable hard drive decryption for free | PCWorld
• NASA’s Racing Against Time To Fix $600 Million Spacecraft – YouTube
• NASA has recovered the Kepler Space Telescope from ’emergency mode’ | The Verge
• Operating systems | News | TechRadar
• FBI says hack tool only works on iPhone 5c | CIO
• Facebook Messenger makes sharing Dropbox files easier
• Telegram’s Bot API gets inline keyboards, support for 19 file types before Facebook’s F8 event | VentureBeat | Dev | by Ken Yeung
• Kuvée: The Smart Wine Bottle that Keeps Wine Fresh | Indiegogo
• Hacker News

The post Internet of Wine | TTT 239 first appeared on Jupiter Broadcasting.