Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Inside the Malware

• Security researcher Sherri Davidoff profiles the Blackhole exploit kit
• Walking us step by step through what the malware does once your computer is infected
• It starts with a simple phishing email, in this example just a plain email that says “Hi, as promised your photos.” with a link
• The unsuspecting user follows the link, and nothing much seems to happen and they continue about their day
• In actuality, their computer has not been infected with the Blackhole exploit kit
• A few days later, while visiting the website of their bank, the user is prompted by the page to verify their identity. Over a short period of time, the attack, using a man-in-the-browser attack, was able to gain:
  • The victim’s name
  • Phone number
  • Answers to security questions
  • RSA token
• The attacker then used this information to wire themselves $49,500 out of the victim’s bank account
• However, because this was a large corporate account, the bank requires a second person to authorize such a transfer
• The attacker used the MITB attack to ask the victim for the name of that second person, which the user entered
• The attacker then asked for the email address of the second person, however the user got suspicious, called the bank and the account was quickly frozen
• Once the blackhole exploit kit is installed on a computer, it loads updates and then continues to phone home once every 20 minutes, using a simple HTTP POST request
• The researcher also managed to capture a Man-In-The-Browser attack on video, when attempting to login to the BankofAmerica site, the infected computer injects a page after the user submits the login form, but before the information is actually sent to the bank
• The injected page claims that the bank does “not recognize” your computer and asks you for a number of details, including your debit card number, social security number, date of birth and mother’s maiden name
• These details are not sent to the bank, but rather to the attacker, who can use them later to drain your account
• In more sophisticated attacks using this technique, the attacker is actually communicating with your system live, in order to take advantage of the information as you enter it, such as passing on to the victim the secret questions they are prompted for when trying to send a wire transfer
• This also allows the attackers, in the situation where they are actively monitoring your computer when you are attempting to access your account, to take advantage of temporary information such as the output of your RSA security token

---

Dedicated server provider Hetzner finds backdoor

• Administrators at Hetzner discovered a backdoor on their nagios monitoring server
• After further investigation, they discovered that their web interface for managing dedicated servers (called the Hetzner Robot) had also been infected
• This means some personal details of customers, including name, email address, phone number, hashed password, last 3 digits of credit card number, credit card type and expiration date
• The actual card number is never stored by Hetzner, it is passed directly to the payment processor who returns a unique token that is used to reference that card in the future
• However, customers using direct debit (debit note) from their bank account, may have been compromised. While the information is stored encrypted in the Hetzner database, the key may have been compromised
• Passwords were SHA256 hashed with a salt, but it does not sound like they used sha256crypt
• “The malicious code used in the “backdoor” exclusively infects the RAM. First
  analysis suggests that the malicious code directly infiltrates running Apache
  and sshd processes. Here, the infection neither modifies the binaries of the
  service which has been compromised, nor does it restart the service which has
  been affected.”
• Hetzner has hired an external security company to do a more indepth investigation
• English FAQ

---

Feedback:

• MAC Filtering?

• FreeNAS as Storage for VMs… HOW?

• Using rsnapshot for backup?

• Apple’s Hidden Details

• Another Take on Passwords when Mobile

• Sharing a Real Life Bad Security Experience

BSDCan 2013 Videos:

• All Videos
• Allan Jude – Managing FreeBSD at Scale
• Paul Chvostek – Switching from Linux to FreeBSD
• Peter Hansteen – The Hail Mary Cloud And The Lessons Learned
• Pawel Jakub Dawidek – FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
• Kirk McKusick – An Overview of Security in the FreeBSD Kernel
• Shawn Webb – Runtime Process Infection Part 2

---

Round Up:

• Lenovo opens heavily automated assembly plant in North Carolina
• 0 day exploit for Plesk puts more than 360,000 linux servers at risk, unknown if windows servers are affected. Exposes /usr/bin
• China says it is the USA’s fault that their weapons designs were stolen, “Even following the general principle of secret-keeping, it should not have been linked to the Internet,”
• Vint Cerf worries that we won’t be able to access historical data due to the cost of maintaining backwards compatibility
• NSA collecting phone records of millions of Verizon customers daily
• Google researcher releases a working exploit for the Windows Kernel bug he disclosed earlier
• Car thiefs may have a new device that unlocks many makes and models of vehicles
• Attackers use massive DDoS to mask exploit attack against EVE Online backend servers

The post Phishin' Hole | TechSNAP 113 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/36971/packet-tells-a-lot-techsnap-109/ Thu, 09 May 2013 17:34:22 +0000 https://original.jupiterbroadcasting.net/?p=36971 The nasty Apache Malware we’ve been telling you about has spread to Nginx and others, we’ll update you on the latest.

The post Packet Tells A Lot | TechSNAP 109 first appeared on Jupiter Broadcasting.

]]>



The nasty Apache Malware we’ve been telling you about has spread to Nginx and others, we’ll update you on the latest.

Plus hackers get access to control systems at Google, a big batch of your questions, and much much more.

On this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

BSDCan Live, May 17th and 18th

Cdorked Malware spreads to nginx and lighttpd as well

• ESET has found more than 400 servers infected with Cdorked in the top 100,000 ranked sites on Alexa
• Thanks to information shared with ESET by system administrators of some of the infected sites, ESET has the modified binaries of nginx and lighttpd as well as apache.
• Originally I thought the story may have been incorrect, that it was just infected apache behind nginx, but there are actually modified nginx binaries as well
• It is still unclear how the servers are being compromised to install the infected binaries, but the small footprint suggests that it is not a ‘class break’, and that the servers may be specifically targeted
• ESET has managed to analyze the configuration of the backdoor and find even more ways that Cdorked attempts to evade detection
• The configuration contains a very long blacklist of ips, who are not directed to the exploit kit, this list may be harvested from administrative logins of the compromised servers
• The servers do not attempt to infect anyone with their language localization set to: Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian
• ESET says 100,000 of its users have browsed to a page with a Cdorked redirection which was then blocked by their software
• Cdorked only seems to target Internet Explorer 7+ and Firefox on windows XP, Vista, 7 and 8, specifically ignoring Chrome, Opera and all devices running Linux or BSD
• Cdorked seems to have a special redirection for iPhone and iPad devices, instead of delivering windows malware, the mobile devices are redirected to a page with links to pornographic pay sites
• The malware currently being delivered by the infected sites is identified as Win32/Glupteba.G
• SHA1 hashes of known-bad binaries:
• a53a30f8cdf116de1b41224763c243dae16417e4 bad-apache
• a51b1835abee79959e1f8e9293a9dcd8d8e18977 bad-nginx
• dd7846b3ec2e88083cae353c02c559e79124a745 bad-lighthttpd
• ee679661829405d4a57dbea7f39efeb526681a7f bad-apache-x64-with-symbols
• 5b87807b4a1796cfb1843df03b3dca7b17995d20 bad-apache-i386
• 03592b8147e2c84233da47f6e957acd192b3796a bad-apache

---

Cylance compromises Industrial control system as Google HQ in Australia

• Cylance is running a world-wide project to identify vulnerable Industrial Control Systems
• While reviewing the logs of their scans, they stumbled across a particularly interest result
• The Tridium Niagara Building Management Systems (BMS) for Google Wharf 7, exposed on the internet
• They were able to interrogate the device and find out it was running a slightly outdated version of Tridium Niagara, on an embedded QNX machine
• They were also able to extract the config.bog file, which contains the username and ‘encoded’ (just encoded, not hashed) password for every user on the system
• With the administrative password, Cylance could have rooted the device and had persistent access
• The researchers reported the issue to Google, who quickly pulled the ICS system offline
• “At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations”
• Tridium claims on its website that “there are over 245,000 instances of the Niagara Framework deployed worldwide.”
• Cylance scans showed 25,000 similarly vulnerable systems facing the Internet
• “If Google can fall victim to an ICS attack, anyone can.”
• Additional Coverage – ThreatPost

---

Dissecting RSA’s packet capture of the VOHO Watering hole attack

• This story covers some of the interesting information to can get from even just a few packets off of someone elses network
• By analyzing the packet capture RSA releases, a lot of information about RSAs network can be gleaned
• First, the source MAC address in the captured frame starts with 00:50:56, a block assigned to VMWare, this is as you might expect, the researcher at VMWare was testing the exploit in a virtual machine
• Now, the destination MAC address (the router on the local network) is assigned to 2Wire, suggesting a small home-grade router
• The source IP address is 192.168.0.106, what you would expect for a device behind a home router
• The destination IP address is the Command & Control server, 58.64.155.59, in Hong Kong
• Looking at the IP TTL (128), this suggests the source machine (in the VMWare) is Windows, as FreeBSD and Linux use 64 as the default TTL
• Looking at the source port and the fact that it is very low rather than high, suggests that the source OS is Windows XP, rather than a newer version of windows
• Original RSA Story “Lions at the watering hole”

---

Feedback:

• Java & Android = Oh My?

• How do you DO Your Wireless?

• Shane’s algorithm based on Grammatical Evolution to generate different hashing algorithms for different websites.

• Our thoughts on the How Secure is Your Password Series

• Why Intel’s “How Strong is Your Password?” site can’t be trusted

• Intel’s Page: How Strong is Your Password?

---

Round Up:

• New tool iSniffGPS released on github allows you to determine where an iPhone owner lives
• FOIA request by MuckRock gets the NSA internal google hacks book released. Untangling the Web – 651 page PDF – Wired Coverage
• Reports: Facebook Is Buying Social Mapping/Traffic App Waze For Up To $1B
• The Onion presents: Tips on how to prevent your major media site being hacked
• Hackers gain access to all .edu domains
• Bruce Schneier – Why Collecting More Data Doesn’t Increase Safety

---

The post Packet Tells A Lot | TechSNAP 109 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/33641/gif-me-root-techsnap-101/ Thu, 14 Mar 2013 12:07:36 +0000 https://original.jupiterbroadcasting.net/?p=33641 We’ll explain the MiniDuke malware and the extremely clever way to slipped it’s way into victims systems, and the Google two-factor bypass flaw.

The post GIF me root | TechSNAP 101 first appeared on Jupiter Broadcasting.

]]>



We’ll explain the MiniDuke malware and the extremely clever way to slipped it’s way into victims systems.

Researchers discovered a way to bypass google two-factor authentication, we’ll explain the details, and we look back at 25 years of software vulnerabilities.

Plug a big batch of your questions, our answers, and so much more on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our code hostdeal4 to score economy hosting for $1 a month, for one year. 35% off your ENTIRE order just use our code go35off4 until the end of the month!
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

[asa]B0095ZMMCK[/asa]

Grab it at Audible.com

Miniduke malware used against European goverments

• A new attack against many european governments has been detected using a new malware called Miniduke
• The malware exploits a sandbox-bypass in Adobe Reader
• The malware targeted a very small (59) but specific number of people from 23 different countries mostly in Europe
• The spear phishing attacks were perpetrated using well crafted PDF files purporting to be NATO membership plans, Ukrainian foreign policy documents or a seminar on human rights
• The malware allowed the attackers to copy and move files from the infected machines to their own servers, as well as kill other processes (like security software) and install additional malware
• The attack was unique because of the unusual nature of the backdoor that was used and how specific and narrow the targets were
• The backdoor contained components written in assembly, a relative rarity in viruses and vulnerabilities
• The malware also used twitter as a command and control system, following specific users and looking for tweets containing encrypted commands prefixed with uri!
• The malware also used .gif files as an update and distribution method, the gif files had regular images (like the RSS icon) but also contained malware binaries embedded in the image using steganography
• The backdoor also gathered system specific information and used it to encrypt communications back and forth with the attacker’s servers (likely to avoid IDS and other forms to detection)
• This system specific information was also used as part of the attack, many parts of the malware that were subsequently loaded on the machines, contained code to make them only work on that specific machine, making the job of the security analysts much more difficult, as they could not run the malware on controlled virtual machines or their own machines in order to analyze it
• The researchers say the style and methods of the attack are reminiscent of attackers from the 90s
• The attack pattern and programming style are reminiscent of hacking group that was thought to have been long disbanded
• The group, called 29A (666 in hex) published their first malware magazine in December of 1996 and were active until February 2008, when the last standing member announced the group’s dismissal
• Digital Underground Podcast – Intricacies of Miniduke
• Full PDF with details

---

Researchers discovered a way to bypass google two-factor authentication

• For the last 7 months, researchers from DuoSecurity and any attackers with knowledge of the vulnerability have been able to bypass Google’s two-factor authentication system, even for Google services such as Gmail
• An attacker who managed to steal or guess a user’s application-specific password could then exploit the Android auto-login feature to take over full control of a user’s entire Google profile, without having to enter the result of the secondary authentication mechanism
• Once they have access to the profile, they could then reset the master password and disable two-factor authentication entirely, allowing them to completely steal the account
• Application specific passwords are a feature created by Google to allow you to use your Google account to authenticate to applications and services that do not support two-step login
• This allows you to use your existing authentication to google to access other apps that do not support web based login (like IMAP/SMTP, Chat and Calendar apps)
• “if a user has linked their Android device to their Google account, the Chrome browser will use local-device authentication to override Google’s two-factor authentication”
• This is a classic case of trading the stronger security that two-factor authentication and strong passwords provide, for the higher convenience factor
• The scary part is that this mechanism allowed an attacker to access the Google ‘Account Settings’ portal, where you can change your backup email address, the phone number linked to your google account, and other other settings that are extremely sensitive and important to the security of your account
• Researchers clarify that the only way for this vulnerability to affect users in a desktop environment, is when their mobile authentication is compromised and used to seize their entire account
• Google patched the vulnerability before it was announced last week
• Researchers Post

---

Google introduces new compression algorithm

• A key feature of Zopfli, is that the compression is deflate compatible, meaning the compressed data can be decompressed using the libraries already built into nearly all existing web browsers
• Zopfli has a compression gain of 3–8% over zlib, but takes 2–3 orders of magnitude longer to compress, making it only really useful for compression of static data, rather than compressing dynamic data for HTTP streams
• For example, to compress a 100mb sample of the english wikipedia, gzip takes 5.6 seconds, 7-zip takes 128 seconds, and zopfli takes 454 seconds
• All three compressed files can be decompressed in under 1 second
• Google’s goal is to save bandwidth and battery life by reducing the size of text and images transmitted to mobile devices
• The research started as an offshoot of the WebP project (advanced lossy and lossless image compression)
• Google has open sourced the code as a C library under the business friendly Apache 2.0 license
• PDF Paper on the compression savings
• Additional Coverage

---

VRT profiles 25 years of software vulnerabilities

• VRT, the Sourcefire Vulnerability Research Team, dug through the CVE (Common Vulnerabilities and Exposures) database and NIST NVD (National Vulnerability Database)
• 2012 was the first year since 2007 where the number of new vulnerability was greater than the previous year
• However the number of vulnerabilities with a score over 7 (out of a possible 10) was still down each year since 2007
• However 2012 had a record high number of vulnerabilities with scores of 10/10
• The top types of vulnerabilities over the last 25 years have been buffer errors (buffer overflow etc), Cross Site Scripting, Access control, SQL Injection, Code Injection and Input Validation
• Top Vendors with high severity vulnerabilities: Mozilla, Apple, Cisco, Sun, Adobe, IBM, Mozilla, HP, Google, and Oracle
• Mobile Vulnerability Share: iPhone: 81%, Android: 9%, Windows: 6%, Blackberry: 4%
• Full PDF

---

Feedback:

• The Risk of Exposing a Security System to the Web?

• What are your thoughts on DMZs? // Slexy 2.0

• Home Server Troubles

• My question mainly has to do with PHP and MySQL

• Sharing the root

+What is the value of a hacked PC?
+ Steal your username/passwords (banking, games, web servers, skype)
+ Steal your CD keys (windows, office, games, etc)
+ Use your computer as a web server (host spam, malware, etc)
+ Join a botnet (click fraud, send spam, launch ddos)
+ Reputation hijacking (using your facebook account to ‘like’ businesses etc that pay the malware author)

Conference Round Up:

• How to ask good questions at RSA
• RSA – Researchers find ‘beta’ of Stuxnet, making it 2 years older than previously thought – Also found more evidence linking the developers of Stuxnet to the developers of Flame – Paper
• Cyber Dialogue – Hacking Back, Signaling and State-Society Relations
• RSA – Analysis of SEC filings under new cyber attack disclosure rules
• RSA – [VIDEO] Key Source International makes Secure Logon Devices
• RSA: [VIDEO] Self encrypting USB hard drive for all operating systems
• RSA: [VIDEO] PwnPad – A steathly penetration testing platform
• RSA: [VIDEO] BehavioSec – Behaviorial Biometrics for Authentication

The post GIF me root | TechSNAP 101 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/32652/how-i-met-your-ssh-techsnap-99/ Thu, 28 Feb 2013 16:50:04 +0000 https://original.jupiterbroadcasting.net/?p=32652 cPanel’s helpdesk was recently compromised, exposing root credentials for many of their customers, plus the troubles at Zendesk that caused quite a headache.

The post How I Met Your SSH | TechSNAP 99 first appeared on Jupiter Broadcasting.

]]>



cPanel’s helpdesk was recently compromised, exposing root credentials for many of their customers, plus the troubles at Zendesk that caused quite a headache for twitter and other popular sites.

And we debate if we’re living in a post-cryptography world, plus a big batch of your questions, and much more on, on this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our code hostdeal4 to practically steal economy hosting for $1 a month, for one year.

Something else in mind? Use go35off4 to save 35% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox





TechSNAP 100 Limited Edition Shirt:

Limited time left on our limited run TechSNAP 100 T-shirt!

Zendesk servers compromised, affects Twitter, Tumblr and Pinterest users

• Zendesk is a SaaS (Software as a Service) that provides a ticket system, knowledge base and help desk for a monthly fee
• It is quite popular, and used by large online services such as Twitter, Tumblr, Pinterest, Vodafone, 20th Century Fox, Denver Broncos, eLance, Fiverr, Gawker, Groupon, New Zealand Post, Rackspace Cloud, Scribd, Sears Canada, Sony Music, Xerox, and Yousendit
• Zendesk’s blog post says they believe only 3 of their customers were affected (not named, but other sources and the end users who received emails about the issue suggest it was Twitter, Tumblr and Pinterest)
• Apparently the attackers got access to a database with all of the email addresses of users who contacted those Zendesk customers for support, in addition to the email subject lines, apparently the body of the emails was not disclosed
• A help desk is likely to contain sensitive information, especially when used for billing inquiries and password resets, but could also contain API keys, vulnerability disclosures, internal comments, and other information that should not get out
• Self-hosting vulnerable software could leave you just as exposed, so the question comes down to, do you trust a 3rd party to do a better job of protection your customers than you will?
• Additional Coverage

---

sshd rootkit in the wild

• The sshd rootkit actually targets libkeyutils rather than the sshd binary itself, because previous sshd binary rootkits, have been defeated by updates to the sshd binary
• It is not yet clear what the original attack vector is, that allows the attackers to compromise the libkeyutils in the first place
• Seems to targets Red Hat and other RPM Based Distros, not clear if other distros are vulnerable
• The rootkit does a number of things, including allowing an attacker with a specific password to gain root access, open a listener, and steal all of the credentials that have been used to login to the infected sshd
• cPanel support server compromised, seemingly via sshd rootkit
• the cPanel support system often requests users enter the root credentials for their servers, so support staff can login and assess/fix problems. These credentials must be stored in a format that can be returned to plain text (rather than being hashed), because the support staff need the original password to login. Encrypting the password (normally not what you want) might work here, but the keys to decrypt would need to be accessible to either all support staff (a key management nightmare) or to the system itself (so it can decrypt the passwords for the users)
• Many cPanel customers report that their servers were compromised after they provided their credentials to cPanel support staff, this correlation may be how cPanel determined that they had been compromised, and spawned the investigation

---

Adi Shamir (the S in the RSA algorithm) says we need to prepare for a post-cryptography world

• Speaking at the RSA Conference in San Francisco this week as part of a panel Adi Shamir (of the Weizmann Institute of Science in Israel) spoke about the failure of traditional security mechanisms, including restricting access, virus scanners and IDS (Intrusion Detection Systems) to thwart APT (Advanced Persistent Threat) attacks.
• “It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system, We need to think about security in a post-cryptography world.”
• The panel also included:
• Ron Rivest of MIT (the R in the RSA algorithm)
• Whitfield Diffie of ICANN (of the Diffie-Hellman-Merkle key exchange algorithm)
• Dan Boneh of Stanford University
• Ari Juels of RSA Labs
• Rivest also talked about the problems with the current PKI systems, especially Certificate Authorities (the Comodo and DigiNotar compromises), as well as the more recent problems with TurkTrust, the Turkish CA who gave out signing certificates to a government contractor that used them to create valid but fake google certificates
• Rivest suggests a new system with more tolerance for failures and where users have more control over whom they trust, especially in light of the growing trend where governments pressure CAs to fail, behave strangely or issue certificates they shouldn’t

---

Feedback:

• Resources for Learning More about FreeBSD?

• What’s so bad about a double NAT?

• What are intermediate SSL Certs?

• Fed Requirements Sometimes Force Equipment Online

• Internships, Learning, Training up while working 40+ Hours a week? CAN IT BE DONE?

• Last week we had a question of uPNP and pfSense – The pfSense blog has the official answer – pfSense uses an updated version of miniupnp, and has always done so, the vulnerable ones are more than 2 years old. Additionally, even if a new vulnerability in upnp is found, In order for your system to be vulnerable, you’d have had to manually add a firewall rule allowing access to upnp from the Internet.

Round Up:

• Sergey Brin says using a smart phone makes him feel like a girl
• HTML5 Bug in all major browsers except Firefox allows a remote site to fill your hard drive
• Microsoft suffers from same hacking attack as Apple, Facebook, small number of computers infected
• Time Warner CFO says no one wants gigabit internet a home
• How paid apps will work on Firefox OS phones – The start of a ‘buy it once, use it everywhere’ store?
• Symantec Finds Older Version of Stuxnet Dating Back to 2005
• Chrome 25 fixes 9 criticial vulnerabilities
• Comcast Punishes BitTorrent Pirates With Browser Hijack
• Security Explorations finds 2 more vulnerabilities in Java, even after u15
• Court orders UK ISPs to block more piracy sites
• Adobe pushes yet another Flash update, fixes 2 critical vulnerabilities being used in the wild
• Bitcoin reaches an all-time trading high of over $33
  • Current trading a CAVirtEx is $34.30/BTC

The post How I Met Your SSH | TechSNAP 99 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/21117/token-security-techsnap-64/ Thu, 28 Jun 2012 15:37:03 +0000 https://original.jupiterbroadcasting.net/?p=21117 How attackers can defeat an RSA token in as little as 15 minutes. And a botched software update that shutdown a bank for days.

The post Token Security | TechSNAP 64 first appeared on Jupiter Broadcasting.

]]>



How attackers can defeat an RSA token in as little as 15 minutes, FBI has taken down an online fraud ring, we’ve got the details. And a botched software update that shutdown a bank for days.

Plus some great audience questions and our answers.

All that and more on this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Researchers can defeat RSA SecurID 800 tokens in under 15 minutes

• Researchers were able to use a ‘Padding Oracle Attack’ to compromise the plain text of an imported encrypted key in under 15 minutes
• A ‘Padding Oracle Attack’, is a side channel attack that allows an attacker to see if a message was decrypted successfully or not
• By purposely corrupting the encrypted message and/or its padding in different ways, and watching the error message (or even just the amount of time the device takes to attempt the decryption) the attacker is able to gain more and more information about the encrypted message, until they are able to recover the entire message
• The researchers developed a more efficient version of the ‘million messages attack’, that only requires to be carried out with only a few 10s of thousands of messages, and found that some devices can be attacked with as few as 3800 messages
• Researcher Blog Post
• Research Paper
• Don’t Believe Everything You Read…Your RSA SecurID Token is Not Cracked
• RSA contends that the researchers did not ‘crack’ the RSA SecurID Token, but rather that they exploited a flaw in PKCS#1v1.5
• However the researchers show (Table 1 on Page 9 and Table 3 on Page 12) that because the RSA SecurID tokens use a very simple padding check (not checking the length of the encrypted message), they disclose more information about the encrypted message during each attempt, this results in the RSA SecurID tokens taking the least amount of time to compromise
• The researchers were not able to afford an HSM, but postulate that their attack could compromise even the more secure ones in mere hours

---

PayPal starts Bug Bounty Program

• Paypal joins the ranks of Google, Mozilla, Facebook, Barracuda and others with bug bountry programs
• This resolves a potential legal ambiguity where researchers that were attempting to forge or modify data being sent to the paypal site, might be accused of unauthorized access rather than legitimate research
• Colin Percivals BSDCan 2012 Presentation – Crowdsourcing Security

---

FBI run sting operation nets 26 arrests of attempted ‘carders’

• The operation intercepted over 400,000 compromised credit cards
• The FBI estimates it prevented $200 million in losses (likely exaggerated)
• The FBI notified 47 companies, government entities, and educational institutions of the breach of their networks
• Example charges:
• zer0 used hacking tools to steal information from the internal databases of a bank, a hotel, and various online retailers, and then sold the information to others, including an individual he believed to be a fellow carder, but who in fact was an undercover FBI agent
• JoshTheGod (apparently a member of UGNazi) met in Manhattan with an undercover FBI agent to accept delivery of counterfeit cards encoded with stolen information. He was then arrested after attempting to withdraw funds from an ATM using one of the cards
• kool+kake sold stolen CVVs and advertised to fellow carders that he got fresh CVV’s on a daily basis from hacking into databases around the world
  • According to the PCI-DSS (Security standard for processing credit cards, CVVs are NOT allowed to be stored in database, they are specifically designed to make databases of stolen credit cards useless, since the attacker will NOT have the CVV value (which is a 3 or 4 digit numeric hash of the credit card data and the banks secret key)

---

Botched software update as Royal Bank of Scotland freezes customer accounts for days

• On Monday the 18th, a glitch was introduced into the banking system at RBS, that prevented new deposits from being credited to customers’ accounts
• 2012–06–22 – No solution in sight after four days
• 2012–06–25 – Confidence in the bank starts to slide sharply
• 2012–06–25 – Details start to emerge about the cause of the problem, the batch processing software (run by an outsourced team in India)
• 2012–06–26 – Glitch is identified as a problem with an update to the CA–7 batch processing software
• 2012–06–28 – Confirmation that half the team that runs the CA–7 batch processing software were outsourced to india
• Mishandling of batch schedule data while backing out of an update to CA–7 batch processing software last week caused the disruption that led to 16.9 million customers at RBS, Natwest and Ulsterbank being frozen out of their accounts for days, and ongoing issues in some cases.
• “When they did the back-out, a major error was made. An inexperienced person cleared the whole queue … they erased all the scheduling”

---

Feedback:

• Q: Alex Asks about: Mirroring Changes Across Hosts
• Q: Lawal asks: How do VPNs Work Exactly?

Round-Up:

• Millions of Website Passwords Stored in Plain Text in Plesk Panel
• Tech Security Savvy Varies with Age (and Experience Counts), Survey Finds
• EU Commissioner Reveals He Will Simply Ignore Any Rejection Of ACTA By European Parliament Next Week
• Australian ISP causes concern while testing Web Filter

The post Token Security | TechSNAP 64 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/17013/first-day-fail-techsnap-45/ Thu, 16 Feb 2012 18:03:18 +0000 https://original.jupiterbroadcasting.net/?p=17013 A first day on tech job war story, that’s as rough as they get! Plus details on recent doubt researchers have cast around fundamental technology behind SSL.

The post First Day Fail | TechSNAP 45 first appeared on Jupiter Broadcasting.

]]>



A first day on tech job war story, that’s as rough as they get! Plus details on recent doubt researchers have cast around the fundamental security technology behind SSL.

Plus: Microsoft was caught storing customer passwords in clear text, we’ve got the story, and some questions!

All that and more, on this week’s TechSNAP!

Thanks to:

GOG.com – the digital game distributor with a difference.

Get 10% off if you buy 2 or more games like Wing Commander 3 and Syndicate

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before February 29, 2012 to secure your own .co domain name for the same price as a .com.

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
Deluxe Hosting for the Price of Economy (12+ mo plans)
Code:  hostfeb8
Dates: Feb 1-29

   

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

 

Subscribe via RSS and iTunes:
    Subscribe...           --RSS-- TechSNAP HD TechSNAP Large     TechSNAP Mobile      TechSNAP MP3     TechSNAP OGG     --iTunes--     TechSNAP iTunes HD     TechSNAP iTunes Mobile     TechSNAP iTunes Large     TechSNAP iTunes MP3  

Show Notes:

---

Only 99.8% of the worlds PKI uses secure randomness

• PKI (Public Key Infrastructure) is a type of encryption system known as asymmetric cryptography
• This means there is one key used to encrypt data, and then a different key is used to decrypt the data
• In the RSA algorithm, a public/private key pair are generated by selecting two large prime numbers and multiplying them together. This value serves as the modulus (n) for both the public and private keys
• Then a public exponent (e) is selected, typically 65537 because it was found to provide more efficient encryption
• The private exponent (d) is then calculated as: (d*e)mod φ(n) = 1 Euler’s totient function
• An encrypted message (c), is calculated by turning the plaintext message (m) in to an integer, using a padding algorithm: c = m^e (mod n)
• To decrypt the message: m = c^d (mod n)
• This all seems relatively simple, one just has to remember the scale of the numbers being computed, in a 2048bit RSA key like the one used by your bank or amazon.com, each of the prime numbers has over 300 digits, and then you multiply them together.
• Researchers have found that some RSA keys in use on the internet had the same modulus (meaning they were using the same secret prime numbers). This means that the two parties that happen to end up using the same key, could compromise each other
• The researchers also found some public keys where it was possible to compromise the private key
• Overall, many of the compromisable keys appear to belong to expired certificates and old PGP keypairs, and the danger to modern properly generated RSA keys is much lower
• Rebuttal by Dan Kaminsky
• New York Times Coverage
• Research Paper

---

Cryptome hit by blackhole exploit kit

• Cryptome is a popular and long standing document repository for whistle blowers and others interested in secret information
• From the site: “Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance – open, secret and classified documents – but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here – or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored.”
• On February 8, an attacker managed to upload some PHP code to serve an some malicious javascript that inserted an iframe and loads an attack site that exploits a vulnerability in Internet Explorer. The PHP code specifically avoids serving the exploit when the requesting IP comes from google or a number of other web scanners designed to detect malware, to avoid getting the infected sites blacklisted
• By February 14, 16:30 UTC, all files had been restored from backup
• Symantec has offered to help investigate the attack
• The malware is very common and accounts for a large portion of all infected websites found on the internet
• The exact vector that was used to infect the site is not yet known
• Details Analysis
• Additional Coverage
• Official Announcement with extensive details

---

War Story:

This week we have another in the series of war story sent in by Irish_Darkshadow (the other other Alan)

---

I joined IBM in February 1999 as a tech support agent for US Thinkpad (laptop) support. The training regime in those days was 7 weeks long with the final 5 weeks each being dedicated to hands on experience with a different product family / line. The call center had two support sections – Aptiva (IBM desktops for home users) and Thinkpad (IBM laptops for business & home users). The most technical staff from Aptiva were usually moved onto Thinkpad support before too long as that was the flagship brand.

Major emphasis during the training for Thinkpad support was placed on never resorting to a reload to solve an issue. We had solid problem solving technique driven into us constantly for the 7 weeks. The only caveat was that if the support call exceeded 1 hour then we should ask a team leader for permission to escalate the case to 2nd level support. I got the distinct impression that to do so was an admission of defeat and the only exception with passing your case over to 2nd level was if there was some procedure or fix that required advanced skills or registry changes.

My first shft was coming in at 16:30 until 01:30 from Monday to Friday which was typical for supporting US based users. For my first few hours on the floor I simply call shadowed an existing agent to get a feel for the type of calls and how they were handled. Immediately prior to joining IBM I had been running my own computer shop but my partner swindled funds from the company and I shut it down and made my money doing freelance work until I got the “I’m pregnant” revelation from my girlfriend and decided a steady paycheck was a smarter option. This gave me a major ego when it came to these mere tech support calls compared to my level of experience and that bit me in the ass on my first time out of the gate.

I finished up my call shadowing and went to my own desk, set up my applications for creating the tickets. My workstation was a P166 running OS/2 Warp 4.0…awesome eh? So once I was settled in I hit the Avail button on my phone and awaiting my first US user encounter. It only took a minute or so for a call to come in then I dished out the scripted greeting “Thank you for calling the IBM PC Help Center. My name is Alan with Thinkpad support. How may I help you?”. Then you let the user give the opening details, capture anything that might be relevant….ask for computer type and serial number to assess warranty status and from there it’s just problem determination.

The user had just picked up a 3Com PCMCIA network card and the thinkpad wouldn’t detect it properly. It was a Win95 preload and the user seemed savvy enough to have installed the drivers properly but nonetheless, I made him go through the entire process again with me listening in. Nothing seemed to be at fault. I got the user to go into Device Manager (making sure the other agents around me could hear what an absolute BOSS I was being in handling this call). Once there I asked if he could see an entry for the card and he did, as suspected it had an exclamation mark beside it. In my head I started to jump forward to possible causes like memory address space conflicts, IRQ conflicts, corrupted drivers or even operating system updates that might be needed to support such a high tech card (yep, I said it…1999…it WAS high tech damn it!). I reckoned that the IRQ conflict was the most likely starting point and asked the user to check the IRQ view in Device Manager and tell me what he saw. As he described the device tree to me I got that sinking feeling. The one were you know that the next thing you are going to do is going to make you look like a complete and total tit in front of the colleagues that you have just been showboating for. The user had explained to me that every single hardware entry in the IRQ list showed the status of “In Use By Unknown Device”. There is only 1 explanation for that – corrupted registry. I had two choices….#1 was to do a user.da0 and system.da0 restore from DOS mode and #2 was admit defeat and reload the machine. #1 was not something that IBM wanted agents doing so I bit the bullet and called 2nd level support to explain. It turned out that the 2nd level support guy was floor walking near my seat and had heard EVERYTHING. He swaggered over with an evil smirk and told me to reload the system. My first call turned into the one solution that we were absolutely NOT supposed to resort to. To cap it all off the 2nd level guy finished with “I’ll be keepin’ an eye on you Elliott. A close eye.” and at that point the only phrase going through my head was “bollocks drink feck arse girls diddy wank!”. And so began my tech support career.

---

Round-Up:

• Microsoft Antivirus Flags Google.com as Malicious
• Cloudcracker – Cloud WPA Cracking
• NASDAQ website suffers DDoS attack
• Internet crackdown in Iran continues, but Tor users are all back online
• Experts say Iran has neutralized Stuxnet virus
• Chinese hackers had unfettered access to nortel networks for a decade
• Microsoft Store hacked in India, passwords stored in plain text
• Bitcoin Exchange TradeHill Suspends Trading

The post First Day Fail | TechSNAP 45 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/15661/sql-injections-techsnap-40/ Thu, 12 Jan 2012 18:53:27 +0000 https://original.jupiterbroadcasting.net/?p=15661 We’ll explain how SQL Injections work, plus cover tools you can use to passively discover details about everyone connected to your network.

The post SQL Injections | TechSNAP 40 first appeared on Jupiter Broadcasting.

]]>



We’ll explain how SQL Injections work, plus cover tools you can use to passively discover details about everyone connected to your network.

And Adobe blames some researches for THEIR security mistakes, we’ll explain.

All that and more, on this week’s episode of TechSNAP!

   

Direct Download Links:

   

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

 

   
Subscribe via RSS and iTunes:
    Subscribe...           --RSS-- TechSNAP HD TechSNAP Large     TechSNAP Mobile      TechSNAP MP3     TechSNAP OGG     --iTunes--     TechSNAP iTunes HD     TechSNAP iTunes Mobile     TechSNAP iTunes Large     TechSNAP iTunes MP3  

Show Notes:

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Zero day Adobe Reader vulnerability uses to target defense contractors

• An extremely targeted attack was carried out against major players in the defense industry using a previously unknown zero-day vulnerability in Adobe Reader
• Only 20 or so machines were targeted, spread across a number of different companies
• Specially crafted .PDF files that exploited the vulnerability to execute code on the victim’s machine were sent to a very specific list of email addresses, rather than the typical spam of phishing style attack. This was likely meant to prevent the zero day vulnerability from being discovered so it could continue to be used
• The payload of the exploit was the Sykipot Trojan
• From analysis of the exploit , it appears to be based on previous research and a proof of concept released by Felipe Andreas Manzano in 2009
• Adobe made a point of reminding security researchers that their publicly disclosed proof of concepts are often used as free R&D by cyber criminals. TechSNAP would like to remind Adobe that the point of publicly disclosing the research is free R&D to help/force Adobe to patch the vulnerabilities
• The vulnerability was apparently reported to Adobe by Lockheed Martin after they discovered they had been compromised
• Adobe announced the vulnerability on December 6th, and released the patch on January 10th
• Previous TechSNAP Coverage
• CVE Announcement

---

New version of the P0f network finger printing tool

• The tool passively analyzes incoming network transmissions and determines the operating system and other information about the remote machine with a fairly high degree of accuracy
• The feature of note with the newly rewritten version is that it can detect many types of forgery, alerting you when the remote machine is who what it claims to be
• The tool also features the ability to analyze some application layer protocols such as HTTP
• One of the features I the ability to detect user agent forging (spam bots pretending to be running firefox or MSIE)
• It is also able to detect some other aspects of the connection, such as NAT, load balancing, PPPoE (common for DSL), VPNs, Transparent and other irregular Proxies, and even tor
• This tool could be very useful for fraud screening purposes, ecommerce sites can detect when the user is attempting to mask their identity and flag the orders for additional investigation
• This tool could also be used as part of a firewall or man-in-the-middle attack, to detect technologies such as VPNs and block them, in an effort to have users connect without the additional security so they can be spied upon

---

Verizon Business Consulting analyzes second wave attacks against RSA customers

• Typical attacks using email spear-phishing to attempt to place trojans and keyloggers on machines of SecurID users
• The objective is to log the username, password and the temporary PIN generated by the SecurID Token
• Once a small number of these PINs are obtained, the attackers may be able to successfully clone the SecureID Token to generate valid PINs at will, allowing them to compromise the targets easily
• The unconfirmed list of companies who have been targeted includes: Lockheed Martin, Northrop Grumman, The International Monetary Fund, and L–3 Communications
• RSA continues to claim that the security of the SecurID tokens has not been compromised, but after being subjected to much pressure by customers, has agreed to replace the tokens of any customers who request it

---

Feedback:

Q: (EBeyer) You talk about it a lot on the show, and it is one of the most common security vulnerabilities on the web, but what is SQL Injection?

A: An SQL Injection attack is caused by careless coding during the construction of an application that uses an SQL database. Through some fault or other, the attacker is able to “inject” code in to the SQL statement.

The most classic example of this comes from this very poor example of a login script:

SELECT * FROM users WHERE username = ‘$username’ AND password = ‘$password’

During normal operations, which would work as expected. However, if someone were to attempt to login with a username of say, “allan’ –” the executed SQL query would be:

SELECT * FROM users WHERE username = ‘allan’ –‘ AND password = ‘$password’

Where – is the SQL comment indicator, causing the rest of the query to be ignored. This would allow someone to login as any user without knowing the users password

A further example, they could use the username “‘; DROP TABLE users; –”

Causing the resultant SQL query to be:

SELECT * FROM users WHERE username = ‘’; DROP TABLE users; –’ AND password = ‘$password’

Which would find 0 users, then delete the entire users database table.

That is why it is important to ‘sanitize inputs’. What this means is that you must remove or escape characters with special meanings, so that they are not interpreted. Each programming language provides ways to do this, but amateurs and sloppy coders often forget or miss cases where input from the user is executed without being sanitized.
PHP for example, provides a number of methods of sanitizing the input , including the mysql_escape_string() function which attempts to escape any meta characters, but does not consider the character set. It has been deprecated and should be replaced by mysql_real_escape_string() which requires an active connection to the MySQL database (required anyway if you are going to run a query), and takes the character set, database settings and server configuration in to consideration. You can also use Prepared Statements , where the SQL query is defined with the variables, and then those variables are replaced at execution time, where they are escaped properly.

---

Round-Up:

• Leaked Memo Says Apple Provides Backdoor To Governments – Sources claim it is a fake released by hackers trying to spread a political message
• US body probes RIM, Nokia, Apple backdoor claims
• Did Symantec source code hack reveal Indian phone surveillance?
• India Mobile Handset Backdoor Memo Probably a Fake

• Stopped they must be; on this all depends.

  we will be blacking out reddit on January 18th from 8am–8pm EST (1300–0100 UTC).

• The PROTECT IP Act Is Very Real and Very Bad — Call Now to Block It
• Speak out against ACTA — Free Software Foundation
• Six security flaws fixed in OpenSSL
• Followup: StratFor website back online
• Followup: Microsoft releases patch for BEAST SSL Attack – Previous Coverage on TechSNAP 24
• Followup: The SEC has published guidelines as it asks corporations to be more forthcoming about cyber security incidents in financial filings

The post SQL Injections | TechSNAP 40 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/13468/great-disk-famine-techsnap-30/ Thu, 03 Nov 2011 17:15:36 +0000 https://original.jupiterbroadcasting.net/?p=13468 Hard Drives are in very short supply, find out why. Plus Anonymous says it’s going after a Mexican Drug Cartel, we’ll share you the amazing details

The post Great Disk Famine | TechSNAP 30 first appeared on Jupiter Broadcasting.

]]>



Anonymous says it’s going after a Mexican Drug Cartel, we’ll share you the amazing details!

Plus: Our tips for controlling remote downloads, and why all I’m going to want for Christmas is hard drives!

All that and more, on this week’s TechSNAP!

Thanks to:


GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!


Pick your code and save:

techsnap7: $7.49 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

 

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:
Subscribe... --RSS-- TechSNAP HD TechSNAP Large TechSNAP Mobile TechSNAP MP3 TechSNAP OGG --iTunes-- TechSNAP iTunes HD TechSNAP iTunes Mobile TechSNAP iTunes Large TechSNAP iTunes MP3
[ad#shownotes]

Show Notes:

Anonymous says it will go after Mexican Drug Cartel

• Anonymous claims one of its members was kidnapped at a street protest
• Anonymous claims it will start releasing details about journalists, taxi drivers, police officers and government officials who are on the Cartel’s payroll, if the kidnap victim is not released by November 5th (Guy Fawkes Day)
• No information about the person who was allegedly kidnapped has been released
• Anonymous hopes that releasing this information, the government will be able to pursue the allegedly corrupt officials. However, depending on the type of information, it is unlikely that the evidence provided would be enough to convict someone.
• There are serious concerns that the release or even the threat of the release of such information could result in a violent backlash from the Cartel.
• It would seem that anyone who’s name appears on the lists released by anonymous would be in serious danger. A case of mistaken identity or speculation could result in the death of an innocent person.
• Anonymous has claimed it would attack a number of entities, including the NYSE and Facebook, a large number of these attacks have never taken place, or were unsuccessful and never mentioned again.

---

Series of spear phishing attacks against chemical and defense companies

• At least 50 different companies were targeted by attackers attempting to steal research and development documents and other sensitive information.
• The attacks started in July, and continued through September, it is also believed that the same attackers were targeting NGOs and the auto industry earlier this year.
• The attacks where spear phishing attacks, a specialized form of the common email attack. Unlike a typical phishing scam, where an attacker poses as your bank and attempts to get you to enter your login credentials and other personal information in to a fake site designed to mimic the look of your banks site, a spear phishing attack specifically targets individuals, using information that is known about them and where they work. Spear Phishing attacks also commonly involve impersonating someone you might expect to receive such an email from.
• The emails sent in this case often took the form of meeting invitations with infected attachments. In other cases when the messages were broadcast to many victims, they took the form of security bulletins, usually riding on actual vulnerability announcements for common software such as Adobe Reader and Flash Player. It also seems the attackers attached the infected files in 7Zip format, to evade many spam filters and virus scanners that block or scan .zip files. The attackers also took to encrypting the zip files with a password, and providing that password in the email, again to avoid virus scanners on the inbound mail servers.
• This attackers used PoisonIvy, a common backdoor trojan written by one or more persons who speak Mandarin. The Trojan also contained the address of a Command and Control (C&C) server used to feed it additional instructions.
• Once the attackers made their way in to the network through one or more infected machines, they leveraged that access to eventually gain permissions to copy sensitive documents and upload them to an external server where they could then be recovered.
• One of the command and control servers was a VPS operated in the United States, owned by a Chinese individual from Hebei province. Investigators have not been able to determine if this individual was part of the attacks, if anyone else had access to the VPS, or if he was acting on behalf of another group. It is possible the server was compromised, or that it could have been made to look like that was the case.
• Symantec says that there were a number of different groups attacking these companies during this time span, some using a custom developed backdoor called ‘Sogu’ and using specially crafted .doc and .pdf files. There is no word on if these additional attacks were also successful.
• Full Report

---

Feedback:

• Remote Downloads?
• Q: I have a question regarding downloads, in particular, remote downloads.
• A: There are a number of options, ranging in capability and ease of use.
• rTorrent – A command line torrent client, works great over SSH (especially when combined with Screen). This is what Allan uses to seed the Linux Action Show torrents.
• uTorrent – uTorrent (microTorrent) is available for windows, mac and linux. It offers an optional web UI (the web UI is the only option for linux) for remotely controlling the torrents, and can also automatically start downloading torrents when they are placed in a specified directory. uTorrent also incorporates an RSS reader.
• wget – is a standard command line downloading tool included in most GNU Linux distros. Also available for windows
• curl – A library and utility for dealing with http, it is a common feature of most web hosting servers, and easily integrates with PHP. You could write a short PHP script that would download files to the report server when prompted (possibly by an email or access from your mobile phone)

Round UP:

• Windows Kernel Zero Day Vulnerability Found in Duqu Installer
• Stop Online Piracy Act Introduced in the House
• Data points to China as source of March RSA breach, wider attacks
• Authorities Seize Duqu’s C&C Servers in India
• AWS Load Balancer Sends 2 Million Netflix API Reqs To Wrong Customer
• Mac OS X Trojan steals processing power to produce Bitcoins

The post Great Disk Famine | TechSNAP 30 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/11308/planning-for-failures-techsnap-19/ Thu, 18 Aug 2011 22:05:43 +0000 https://original.jupiterbroadcasting.net/?p=11308 Find out how to plan your servers and network for failure, start building a website for cheap and much more in this packed audience Q&A episode!

The post Planning for Failures | TechSNAP 19 first appeared on Jupiter Broadcasting.

]]>



The RSA leak exposes the dirty under-belly of the commercial security industry, it’s a story that sounds like it’s straight out of Hollywood.

Then – We’ve packed this episode full of Audience questions, and our answers. Find out how to plan for failure, start building a website….

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:
Subscribe... --RSS-- TechSNAP HD TechSNAP Large TechSNAP Mobile TechSNAP MP3 TechSNAP OGG --iTunes-- TechSNAP iTunes HD TechSNAP iTunes Mobile TechSNAP iTunes Large TechSNAP iTunes MP3

[ad#shownotes]

Show Notes:

News

EXCLUSIVE: Leaked “RSA dump” appears authentic

• A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.
• The dump claims the operation targets include private US defence firms.
• The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China.
• The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.
• HBGary codenamed the operation “Soysauce”.
• the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.
• Pastebin Dump

Feedback

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and give one possible answer each week, for the next few weeks. The first possible solution, is to use something like BSD’s CARP (Common Address Redundancy Pool). With it you assign each server an IP address like normal, then on each, you create a virtual CARP interface, where you assign a shared IP between the servers in your CARP group. The servers will advertise their control of the shared IP address, whichever server does so first, will become the master for that IP. The way you configure multiple hosts to fail over in a specific order, is by setting and ‘advertisement skew’, of 100ms multiplied by the servers position in the pool. So the 3rd server will wait 200ms before advertising, and will only gain control over the IP address if the 1st and 2nd server are no longer advertising. This system basically moves the IP address of the service you are trying to keep up, to whatever machine in the pool is actually up. This CARP system requires that the servers have identical services and static copies of the content. Obviously, you don’t want to failover your webserver to your mail server, if your mail server is not running an HTTP server. CARP works best for ‘stateless’ protocols, one of the most common uses of CARP is for redundant routers. If you are using FreeBSD or a derivative such as pfSense, you can use CARP on the IP your DHCP server gives our as the default gateway, so that if one of your routers is down, the other automatically takes over. pfSense even includes a protocol to sync the NAT tables between the two routers so that open connections are not dropped. This type of setup can be important if the business running behind the router cannot afford downtime for such trivial things as OS upgrades on the routers, with CARP, you can take down one router at a time, upgrade it, and put it back in service, without effecting the end users and servers behind the routers. Another option in carp is called ‘preempt’, this causes CARP to take it’s interface offline is ANY interface on the machine goes offline, not just the one the CARP IP is on. This can be important if your routers are connected to different ISPs, if one of the links goes down, the router will take it self offline, causing traffic to be routed via the backup Internet connection.

---

Q: (Mattias) I have been using the NoScript addon for Firefox and have become aware of just how many sites use Google Analytics. Is it a good way for website admins track visitors, or just a way for google to track everyone?

A: Google Analytics is based on a product called Urchin that Google acquired. Google Analytics is basically just a cloud hosted version of this product. You can still buy a copy of Urchin, but they don’t mention host much it costs. Google Analytics just provides much richer detail than you get from just regular log file analyzers. One of the keys to the success of Google Analytics for e-Commerce is the integration with Adwords and other CPC/CPA sites. Google Analytics allows the store to pass good information about the purchases that are made, and Google correlates these with the keywords the user searched for, and how much was paid for the advertisement. This allow stores to optimize their bids to get the best return for their advertising.

While there are some privacy concerns about what google does with the collected data, they cannot infer all that much from it. Your personal data is never passed from the site you are visiting to Google, and only a small number of sites pass data about what you purchased back to Google, and they do this for the sales/conversion reporting, rather than for Google’s benefit. Usually, the data based back could just be an internal product id, and not provide google with any useful data about your purchase.

Find out who tracks you: Ghostery

---

Q: (Leon) Hi guys,

Thanks for answering my question last time.
I’ve set up a testbox here on my desk with FreeBSD to tinker with spamassassin/amavis. It’s been a long time since I did anything with FreeBSD but Allan/TechSNAP made me curious for it again.

My question: what’s the best way to keep your FreeBSD (ports) up to date? Just checking it manually/reading the security mailing lists or is there some kind of tool that Alan uses for automatically updating his servers?

Thanks again and thanks for the great show(s). The recent comment of Chris convinced me to support Jupiter with a monthly subscription.

Regards,
Leon

A: The built in tool for keeping your ports tree up to date is called portsnap. This tool will use the BSDiff algorithm to only download the changes to the ports tree since your last update, and supports a simple cron method, where it randomly sleeps before starting, so that everyone cron’ing portsnap won’t hit the server at the same time. Once your ports tree is updated, there are a number of tools that you can use to go about upgrading your various packages. The tool I use is called ‘portupgrade’, but there are also others such as ‘portmanager’ and ‘portmaster’. There are also services such as VuXML (Vulnerability and eXposure Markup Language) that provide information about vulnerable ports, and can be used to check against your installed packages, and packages you are about to install.

---

Q: (Dan) I was going to send this email to Chris, but since you guys are doing a Q&A session on Techsnap, I figured I might as well send it here. Do you have any recommendations on sources for building websites? I’ve got a career move pending on a creation of a website, and a deadline of next week. I haven’t done basic HTML for about 6 years, and this site will need a forum and a way to pay for a service. I’m not worried about the hosting, I will be hosting it on my home server until the site is approved and ready to hit the ‘tubes. Any suggestions or information you have would be greatly appreciated!

PS. Been watching for two years, he’s Honclbrif in the IRC Chat room!

A: There are a number of great Open Source CMS (Content Management System) platforms out there. Some of the most popular are WordPress, Drupal and Joomla, all of which have huge support communities, and 1000s upon 1000s of free design templates. They also feature rich plugin architectures that allow you to add functionality such as video embedding or e-commerce. WordPress is designed for a more ‘blog’ like website, and might not fit well depending on the type of site you are building. Drupal is very extensible, but their framework can be a bit frustrating at times. You might want to look at which platform has the plugins that best fit your needs, and then go from there.

---

Bitcoin Blaster:

• Mt.Gox -to Acquire Bitomat.pl, Compensate Loss Of Bitcoins
• GPGPU Bitcoin Mining Trojan
• Bitcoin Conference 2011 – NYC: Aug 19-21

The post Planning for Failures | TechSNAP 19 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/9026/hijacking-the-news-techsnap-8/ Thu, 02 Jun 2011 21:32:26 +0000 https://original.jupiterbroadcasting.net/?p=9026 Find out about the hack that leaked the "truth" about Tupac, and the details of 100s of GMail accounts that have been snooped on!

The post Hijacking the News | TechSNAP 8 first appeared on Jupiter Broadcasting.

]]>



Google has confirmed that 100s of Gmail accounts were being snooped on, and the targets of this attack are not happy!

The cookie catastrophe in the UK continues, we’ll share the brutal details!

And Find out about the hack that leaked the truth about Tupac.

Plus some great audience submitted questions, and our answers!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com


---

Direct Download Links: HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:
Subscribe... --RSS-- TechSNAP HD TechSNAP Large TechSNAP Mobile TechSNAP MP3 TechSNAP OGG --iTunes-- TechSNAP iTunes HD TechSNAP iTunes Mobile TechSNAP iTunes Large TechSNAP iTunes MP3

[ad#shownotes]

Show Notes:

Topic: 100s of GMail accounts hacked from China

• Users were all victims of a phishing scam
• Attackers used stolen passwords and setup forwarding and delegation to be able to spy on all current and future mail for that account, even if the password was changed
• Google stresses “It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself.”
• Targets seemed to be politically motivated, going after government officials and journalists

---

Topic: PBS website hacked

• LulzSec, one of the hacker groups from the Sony attacks we discussed last night, managed to gain access to several areas of the PBS website.
• They published the user login information they were able to siphon from the database
• They were able to posted fake news stories and could have causes serious harm (however their story was that rapped Tupac Shakur was still alive and living in New Zealand)
• If they had published specially crafted news stories, they could have infected the computers of visitors to the site, or have caused havoc on the stock market by falsely reporting news about various companies.
• LulzSec says the attack was in protest about a PBS Frontline episode that was critical of WikiLeaks

---

Topic: I told you so

https://yro.slashdot.org/story/11/05/27/2249210/BBC-Site-Uses-Cookies-To-Inform-Visitors-of-Anti-Cookie-Law

• In order to comply with a new UK law governing website cookies, when you visit some BBC websites such as radiotimes.com you will be presented with a message telling you about the new law. This message uses a cookie to remember that it has been displayed to you, and will not appear next time you visit the site, to avoid annoying you.
• This means they are using a cookie, to tell you about how they are not going to use cookies without your consent.
• In the future, without the use of something like the google/mozilla ‘do not track’ system, users who decline to accept a cookie will be prompted with such warnings every time, because there will be no way to store their acceptance of the agreement to accept cookies, without using a cookie.
• This is why this issue should have been left to the users and the browsers manufactures, who already have the issue well in hand with security settings, private browsing modes, and the do-not-track system.
• This law will become effectively unenforceable

---

Topic: Defense Contractor Lockheed Martin compromised by duplicate RSA SecureID Tokens

• Attacks broke in to the secure networks of Lockheed Martin and other government contractors by creating duplicates of RSA SecureID Tokens
• It is not clear what data may have been taken. It is unlikely that this information will ever be released by Lockheed Martin because it is likely highly sensitive.
• RSA SecureID is a two-factor authentication system. It is designed to thwart key-loggers and similar attacks by combining the usual username/password combination with a dynamic token they changes every few seconds.
• Senior defense officials claim that while contractors networks contain sensitive data, all classified data is on a separate, closed networks managed by the U.S. government
• The pentagon also uses RSA SecureID tokens, but declined to say how many
• Apparently the hackers learned how to duplicate the SecureID tokens using formation stolen during the Advanced Persistant Threat attacks of RSA that we discussed in episode 002 of TechSNAP
• The RSA attack was followed by targeted malware and phishing attacks on customers who used the RSA SecureID system in an effort to collection the information necessary to duplicate the SecureID Tokens
• This raises questions about the RSA SecureID system, can it be fixed or does the entire system need to be redesigned. It seems that it is far too easy to duplicate the SecureID tokens.

---

Q: (Swadhin) What are the differences between the virtualization that we do on our home pc and the virtualization  that you people do on enterprise servers
A: Mostly the virtualization used in enterprises is the same as what you can do on your home PC. One of the main differences is that in an enterprise, they will have many different servers hosting the virtualized systems, but they will all use what is called ‘shared storage’. Usually something like iSCSI. This does not mean that all of the virtual disks reside on the same physical drive, just that they are accessible in a single place. The advantage to this system is that it becomes possible to ‘migrate’ a virtual machine from one physical host to another, without rebooting the virtual machine. The disk is not moved at all, so all that happens is the memory footprint is transferred between the first host and a second host. Then the virtual machine is paused, and any changes in the memory footprint are synchronized, and the virtual machine is unpaused on the new host. This allows for individual physical host machines to be shutdown for maintenance without taking down the virtual machines hosted there. It also allows for load balancing, if a few virtual machines on the same physical host are very busy, one or more of them can be moved to other less busy hosts to maintain the highest possible performance. Another feature of this system is to allow you to maximize the efficiency of your hardware. Some physical machines can be turned off when the load level is lower, and then if the currently running machines are approaching their maximum load levels, you can turn some more physical machines on, and have the load balanced to them. Then when the load levels fall again, you can turn some physical machines back off. This reduces your power usage, and makes sure you don’t have a bunch of servers just sitting around idle wasting electricity and running up your cooling bill.

---

Q: (Alexander) I am building a new home network for my roommates and I at college, we plan to build a virtualization server as described on the ‘build your own cloud’ episode of LAS. I have a few questions:

1. Should I buy a managed or an unmanaged switch

A: Likely you do not need a managed switch. Managed switches provide features like ‘VLANs’, a way to basically break the switch up in to logical groups of ports, and simulate having multiple separate switches (that can even span between physical switches). This functionality is good for keeping different parts of the network separate (like having a DMZ to put your servers in, and then separate internal LANs), but is likely unnecessary in your setup. You can save your self 100s of dollars by just getting an unmanaged switch.

1. Should I build a virtualization server and a storage server or one that functions as both?

A: The advantage to having the storage server setup, if you use something like iSCSI for the storage system, is the ability to move the virtual machines between physical hosts. This is really only helpful if you have more than 1 virtualization server, so again, you can probably save money by building only a single server.

1. How much power would you think a system like this would draw?

A: That depends, you would be able to see that in the specs for the server when you go to buy it, but overall not that much. Hard drives draw fairly little power, and a quad core processor is usually between 94 and 135 watts, unless you get a lower power version. Servers also tend to have higher efficiency power supplies, at least 80% efficient, so less of the power draw is exhausted as waste heat.

1. How would I run multiple web servers in my network and have them all accessible to the outside world with only one external IP address?

A: If you only have a single external IP, your options are fairly limited. Either you run each web server on a different port, which is cumbersome to the users, or you use a reverse proxy to do virtual hosting. All web servers are capable of doing Virtual Hosting, that is, serving a different page based on the ‘Host’ header that the user’s browser sends when they visit a website. The idea here would be to setup something like NGINX or LigHTTPd to listen on your single ip, and then route the connection to the right internal web server based on the hostname or path that is being requested. This solution also works for routing different parts of a website to different internal servers while maintaining a single ‘domain’, which can be important for cookies, javascript and flash ‘same domain’ policies.
Reverse Proxy: https://nginx.org/

---

User submitted War Story:
(StayFrosty) I was building a new Windows 2008R2 server for a small business client of mine. The machine was little more than a glorified desktop, but it had a support contract. After installing the OS I started installing the drivers, and noticed that there was a BIOS update. I figured since the machine was not in production yet, I might as well install that too. During the flashing process, one of the steps failed. I flipped the KVM over to use a different machine to research the problem, while doing so, I heard the fans in the server spin down and then back up. The machine had rebooted automatically to install some windows updates. When I flipped the KVM back, nothing but a black screen. Luckily, when I contacted the hardware provider, they told me about the BIOS recovery jumper and I was able to get the machine back online.

Download & Comment:

The post Hijacking the News | TechSNAP 8 first appeared on Jupiter Broadcasting.

]]>