Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox





TechSNAP 100 Limited Edition Shirt:

Limited time left on our limited run TechSNAP 100 T-shirt!

Zendesk servers compromised, affects Twitter, Tumblr and Pinterest users

• Zendesk is a SaaS (Software as a Service) that provides a ticket system, knowledge base and help desk for a monthly fee
• It is quite popular, and used by large online services such as Twitter, Tumblr, Pinterest, Vodafone, 20th Century Fox, Denver Broncos, eLance, Fiverr, Gawker, Groupon, New Zealand Post, Rackspace Cloud, Scribd, Sears Canada, Sony Music, Xerox, and Yousendit
• Zendesk’s blog post says they believe only 3 of their customers were affected (not named, but other sources and the end users who received emails about the issue suggest it was Twitter, Tumblr and Pinterest)
• Apparently the attackers got access to a database with all of the email addresses of users who contacted those Zendesk customers for support, in addition to the email subject lines, apparently the body of the emails was not disclosed
• A help desk is likely to contain sensitive information, especially when used for billing inquiries and password resets, but could also contain API keys, vulnerability disclosures, internal comments, and other information that should not get out
• Self-hosting vulnerable software could leave you just as exposed, so the question comes down to, do you trust a 3rd party to do a better job of protection your customers than you will?
• Additional Coverage

---

sshd rootkit in the wild

• The sshd rootkit actually targets libkeyutils rather than the sshd binary itself, because previous sshd binary rootkits, have been defeated by updates to the sshd binary
• It is not yet clear what the original attack vector is, that allows the attackers to compromise the libkeyutils in the first place
• Seems to targets Red Hat and other RPM Based Distros, not clear if other distros are vulnerable
• The rootkit does a number of things, including allowing an attacker with a specific password to gain root access, open a listener, and steal all of the credentials that have been used to login to the infected sshd
• cPanel support server compromised, seemingly via sshd rootkit
• the cPanel support system often requests users enter the root credentials for their servers, so support staff can login and assess/fix problems. These credentials must be stored in a format that can be returned to plain text (rather than being hashed), because the support staff need the original password to login. Encrypting the password (normally not what you want) might work here, but the keys to decrypt would need to be accessible to either all support staff (a key management nightmare) or to the system itself (so it can decrypt the passwords for the users)
• Many cPanel customers report that their servers were compromised after they provided their credentials to cPanel support staff, this correlation may be how cPanel determined that they had been compromised, and spawned the investigation

---

Adi Shamir (the S in the RSA algorithm) says we need to prepare for a post-cryptography world

• Speaking at the RSA Conference in San Francisco this week as part of a panel Adi Shamir (of the Weizmann Institute of Science in Israel) spoke about the failure of traditional security mechanisms, including restricting access, virus scanners and IDS (Intrusion Detection Systems) to thwart APT (Advanced Persistent Threat) attacks.
• “It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system, We need to think about security in a post-cryptography world.”
• The panel also included:
• Ron Rivest of MIT (the R in the RSA algorithm)
• Whitfield Diffie of ICANN (of the Diffie-Hellman-Merkle key exchange algorithm)
• Dan Boneh of Stanford University
• Ari Juels of RSA Labs
• Rivest also talked about the problems with the current PKI systems, especially Certificate Authorities (the Comodo and DigiNotar compromises), as well as the more recent problems with TurkTrust, the Turkish CA who gave out signing certificates to a government contractor that used them to create valid but fake google certificates
• Rivest suggests a new system with more tolerance for failures and where users have more control over whom they trust, especially in light of the growing trend where governments pressure CAs to fail, behave strangely or issue certificates they shouldn’t

---

Feedback:

• Resources for Learning More about FreeBSD?

• What’s so bad about a double NAT?

• What are intermediate SSL Certs?

• Fed Requirements Sometimes Force Equipment Online

• Internships, Learning, Training up while working 40+ Hours a week? CAN IT BE DONE?

• Last week we had a question of uPNP and pfSense – The pfSense blog has the official answer – pfSense uses an updated version of miniupnp, and has always done so, the vulnerable ones are more than 2 years old. Additionally, even if a new vulnerability in upnp is found, In order for your system to be vulnerable, you’d have had to manually add a firewall rule allowing access to upnp from the Internet.

Round Up:

• Sergey Brin says using a smart phone makes him feel like a girl
• HTML5 Bug in all major browsers except Firefox allows a remote site to fill your hard drive
• Microsoft suffers from same hacking attack as Apple, Facebook, small number of computers infected
• Time Warner CFO says no one wants gigabit internet a home
• How paid apps will work on Firefox OS phones – The start of a ‘buy it once, use it everywhere’ store?
• Symantec Finds Older Version of Stuxnet Dating Back to 2005
• Chrome 25 fixes 9 criticial vulnerabilities
• Comcast Punishes BitTorrent Pirates With Browser Hijack
• Security Explorations finds 2 more vulnerabilities in Java, even after u15
• Court orders UK ISPs to block more piracy sites
• Adobe pushes yet another Flash update, fixes 2 critical vulnerabilities being used in the wild
• Bitcoin reaches an all-time trading high of over $33
  • Current trading a CAVirtEx is $34.30/BTC

The post How I Met Your SSH | TechSNAP 99 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/22601/most-vpns-insecure-techsnap-69/ Thu, 02 Aug 2012 16:53:35 +0000 https://original.jupiterbroadcasting.net/?p=22601 We’ll cover how the most common type of VPN has been cracked wide open. Plus what to look for when renting a server, and managing a dedicated box.

The post Most VPNs Insecure | TechSNAP 69 first appeared on Jupiter Broadcasting.

]]>



We’ll cover how the most common type of VPN has been cracked wide open. Plus what to look for when renting a server, and what’s involved in managing a dedicated box.

Plus a batch of your questions!

All that and more on this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Show Notes:

Check out Michael Dominick’s Code Journal App

Moxie Marlinspike release new analysis and tool for cracking MS-CHAP-V2

• MS-CHAP-V2 (Microsoft Challenge Handshake Authentication Protocol version 2) is responsible for authenticating the remote user and defining the encryption for the entire VPN session
• The new tool allows the cracking of those encrypted VPN and WiFi sessions, and can also allow the attacker to gain access to those networks using your credentials disclosed by a decrypted session
• MS-CHAP-V2 was introduced in Windows NT 4.0 SP4, and via updates for Windows 95 and 98
• Due to the way MS-CHAP-V2 works, and the fact that it uses NTHash and DES, it is far less secure than it was designed to be
• For example, the riseup.net VPN service gives users a 21 character password out of a 96 character keyspace, resulting in a possible key size of approximately 138 bit
• However the MD4 hash limits the key space to only 128 bits
• Furthermore, because DES only uses a 7 byte key, the keyspace is only 2^56 + 2^56 + 2^56 = 2^57.59
• However because the MD4 output only provides 16 bytes, when split into 3 blocks of 7, this leaves the last 5 bytes of the 3rd DES key as 0s, reducing the key space to only 2^56 + 2^56 + 2^16, and because each of the three DES blocks are separate, they can be cracked concurrently, basically reducing the key space to a single DES of 56 bits (just comparing against three different cipher texts for each attempt)
• The chapcrack tool will analyze a packet capture of a VPN or WiFi handshake, and generate a token that includes the DES ciphertext and MD4 hash of the user’s password
• This token is then fed into Merlinspike’s cloudcrack.com service and the DES encryption is cracked using the Pico Computing FPGA (each FPGA is 40 cores at 450mhz, and the system runs 48 FPGAs). In a worse case scenario, a DES key would take approximately 23 hours to crack (meaning half of all keys would be cracked in under 12 hours). The EFF’s Deepcrack machine built in 1998, cost $250,000 and took an average of 4.5 days to crack a single DES key
• Marlinspike recommends that all users and providers immediately stop using PPTP and consider all traffic via PPTP unencrypted and unprotected (including the password you use to login to the VPN service)
• Enterprise networks using WPA2 with MS-CHAP-V2 should immediately switch to something else (although IPSEC-PSK should also be avoided due to its vulnerability to dictionary attacks)
• Marlinspike recommends using a VPN based on certificates (such as OpenVPN or IPSEC in Certificate mode)
• GitHub Repository
• ThreatPost coverage
• Previous Analysis:
  • Bruce Schneier: Cryptanalysis of Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)
  • Jochen Eisinger: Exploiting known security holes in Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)

Elections Ontario confused compression with encryption after losing info on 2.4 million voters

• The information included:
• full name
• gender
• birth date
• address
• any elector information updates provided during the last writ period
• The information may also have included whether or not the person voted in the October 2011 General Election
• USB sticks were used to carry data back and forth between the main office and the satellite office
• Staff members using the USB sticks did not understand what encryption was
• Some were apparently under the impression that putting the files in a .zip was the same as encrypting them
• After the data breach, new USB sticks were purchased that had an encryption capability, but it was never configured or used (were the staff under the impression that the encryption just magically worked?)
• Original Data Breach Report

Microsoft Azure cloud suffer European outage

• At 11:00 UTC on 2012–07–26 the Microsoft Azure cloud for the western Europe sub-region experienced an unexplained outage for more than 2.5 hours
• Microsoft updated the Azure dashboard with the news of the outage, and then again 2 hours later saying they were still investigating, then finally at 13:33 UTC they posted that the issue has been resolved
• No explanation for the outage has been given, saying only “We apologize for any inconvenience this outage may have caused our customers. The duration of the service interruption was approximately 2.5 hours and was resolved at 6:33 AM PDT. Customers who have questions regarding this incident are encouraged to contact Customer Service and Support.”
• The previous widespread outage was on February 29th, when the Azure cloud suffered from a Leap Day Bug
• The Azure cloud western Europe sub-region is powered by a data center in Amsterdam, while the Northern Europe sub-region is hosted in Dublin

Feedback:

• Traci asks: How do you pick a dedicated server provider?
  • How diverse is their network/transit?
  • Do they operate their own AS (Autonomous System)? Or are they just a reseller?
  • Location?
  • Do they post pricing for buying additional bandwidth (if they don’t, this is usually a bad sign)
  • Do they only sell ‘unmetered’ packages? (this is also bad, usually means they are overselling)
  • Do they offer an SLA? Hardware SLA covers how quickly they promise to replace failed components such as PSU and HDD. Power and Network SLA cover remedies for outages
  • Do they use quality server hardware, or repurposed desktops? (less expensive hardware can be attractive, but should be avoided for more critical tasks). Allan prefers, and finds that most providers use SuperMicro hardware. Dell/HP/Fujitsu are also popular but more expensive
  • Do they offer Out-of-Band Management (such as IPMI)?
  • Do they offer FreeBSD? (if they have IPMI or KVM w/ Virtual Media, I can install FreeBSD myself)

• What’s involved in administering a dedicated server?

• Q; I would like to know more about TarSnap. I hear it talked about and I hear it is good.

• Time Warner Hijacking my DNS?

• Raspberry PI Router Success

• Bitcoin update

• Do we trust hushmail?

• Enigmail :: Add-ons for Thunderbird

Round-Up:

• Cybersecurity Act fails to pass in the Senate
• Ubisoft assassinates Uplay flaw, denies DRM rootkit
• Dropbox confirms it got hacked, will offer two-factor authentication
  • Security update & new features – The Dropbox Blog
• Startup claims 80% of facebook ad clicks it paid for were from bots
• HP offering $20 per month credit to their Open-Stack based cloud

The post Most VPNs Insecure | TechSNAP 69 first appeared on Jupiter Broadcasting.