Show Notes:

GoDaddy outage was caused by router snafu, not DDoS attack

• GoDaddy’s services started to drop off of the internet
• The outage lasted approximately 6 hours, from 10:00 PDT (17:00 UTC) and being fully restored about 16:00 PDT (23:00 UTC)
• A twitter account, claiming to represent part of Anonymous, took responsibility, claiming to have launched a massive DDoS attack against GoDaddy
• Some news outlets and blogs misunderstand what a DDoS attack is, and report that Anonymous has hacked GoDaddy
• “We have determined the service outage was due to a series of internal network events that corrupted router data tables.” – Interim Godaddy CEO Scott Wagner
• The issue was compounded because the downtime affected not only GoDaddy hosting customers, but also customers that only used GoDaddy for DNS
• GoDaddy hosts 5 million web sites and manages a total of 52 million domain names
• For example, the DNS for jupiterbroadcasting.com is hosted at GoDaddy, while the actual site resides at ScaleEngine, but because the DNS was down, viewers were unable to lookup the IP address of jupiterbroadcasting.com in order to connect to ScaleEngine
• DNS caching will have helped reduce the effect of this downtime somewhat, especially for more popular sites, and for users coming from larger ISPs, the DNS records for JB have a TTL of 1 day, so users would only have issues reaching the site if the records had not yet been cached, or once the cache expired. At the time of this writing, the records for JB still had 28461 seconds left in my local Google Public DNS cache, but we not cached at my local OpenDNS
• This event ruined GoDaddy’s previous 99.999% uptime record for DNS (99.999%, or 5 nines as it is called in the industry, allows for only 6 minutes of cumulative downtime in an entire year, compared to 4 nines, which allows about 53 minutes of downtime per year, or 99.9% which is nearly 9 hours)
• GoDaddy uses Anycast for the DNS servers, this means that while it looks like each domain is only assigned to 2 DNS servers, each of those two IP addresses actually exists in multiple data centers around the world. Traffic is routed to the closest server, and if that servers route fails, after a few minutes the BGP routers at your ISP or an intervening transit provider route the traffic to the next closest server
• However, due to what I assume was some human error after the failure of one or more network components, the routes that GoDaddy broadcasted to their upstream providers were in some way incorrect, and caused traffic to no longer reach the GoDaddy servers
• Anycast is commonly used for DNS but is not very often used for TCP based services due to the fact that the routes can change at any time, and suddenly the same IP address points to a different server, and your connection is dropped. There are some cases where people have successfully used Anycast for short lived TCP connections
• Additional Coverage
• Go Daddy Site Outage Investigation Completed – GoDaddy.com

---

Blue Toad comes forward as the source of the leaked Apple UDIDs

• Security researcher David Schuetz was analyzing the the data posted online, and found an unusually large number of devices that mentioned Blue Toad, 19 out of the 1 million records analyzed
• Schuetz then contacted Blue Toad to report what he had found
• Schuetz also said he couldn’t say conclusively if Anonymous’ claims about the FBI were false or true
• Blue Toad makes apps for publishing companies, long known for collecting extensive data about their readers for market research and marketing purposes
• Paul DeHart, CEO of Blue Toad said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit
• The company’s forensic analysis claims to show the data had been stolen “in the past two weeks”
• This is contrary to the original claim that the data was stolen from an FBI computer months ago

---

Feedback:

• Techsnap drinking game
• Windows Server 2012 review
• Shoeboxed.com security sufficient for personal documents, eg. tax returns?
• 10 Char Password Enough?
• Bad to use scripts to set stuff up?
• Siemens Admits Issues
• Are you a PHP programmer with time to spare for an open source security project? I am considering building an open source web service to handle sensitive information disclosure, and I am looking for some help building the site and API. email allan@jupiterbroadcasting.com

Round-Up:

• BEAST creators develop new SSL attack
• Thoughts on the way Amazon Glacier Pricing works
• Malicious Apache Module Injects Iframes
• Github Goes Down
• Over 11,000 Guild Wars 2 passwords hacked
• Romney 1040 Tax Returns – Part 2 – Pastebin.com
• Shane’s Software on the side: Quick Update to the Jupiter Broadcasting Android App
• BMW cars build since 2006 vulnerable to attack with blank programmable keys
• Microsoft Digital Crimes Unit gets permissions to disrupt botnet of computers sold from China with pirated copies of windows

The post The Human Factor | TechSNAP 75 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/23581/not-so-private-keys-techsnap-72/ Thu, 23 Aug 2012 16:33:58 +0000 https://original.jupiterbroadcasting.net/?p=23581 How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

The post Not so Private Keys | TechSNAP 72 first appeared on Jupiter Broadcasting.

]]>

How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Show Notes:

Man in the Browser attack used against Airport employees to gain credentials for VPN

• In what appears to be a highly targeted attack, some airport employees had their machines infected with Man-in-the-Browser malware
• This allowed the attackers to use form-grabbing and screen capturing to steal the airport employee’s login credentials for the airport VPN
• The attack also compromised the single channel mode of the airports two-factor authentication system, where an image was displayed and used by the user to transform their password into a temporary one-time code. Because this one-time code is based on the password, an attacker who is able to capture a number of these (the image and the response) can calculate what the original static password was
• A more secure two-channel mode, sends a one-time code via SMS or a Mobile Application, but apparently was not used by many airport employees
• It is unclear what type of VPN this was, or why the VPN involves logging in via a browser (layer 7), rather than the more typical layer 2 or 3 type VPN
• It is not known what the attackers were after, but with access to the internal airport network, they may have been able to gain information on employees, the hiring process (to get their own people employed at the airport), or the ability to flag specific luggage, cargo or persons such that it is not subjected to normal security screenings
• Additional Coverage

---

Adobe releases Flash 11.4, critical update to fix 6 security vulnerabilities

• This update resolves a number of memory corruption vulnerabilities that could lead to code execution
• CVE–2012–4163 Score: 10.0
• CVE–2012–4164 Score: 10.0
• CVE–2012–4165 Score: 10.0
• CVE–2012–4166 Score: 10.0
• This update also resolves an integer overflow vulnerability that could lead to code execution CVE–2012–4167 Score: 10.0
• And this update also resolves a cross-domain information leak vulnerability that could expose information from a the site you are visiting to other sites CVE–2012–4168 Score: 4.3
• With the end of Flash support for Android, A fake flash player laden with malware and adware has been found in the wild. It rooms your phone and floods it with advertisements, including a popup every 15 minutes

---

Hard coded SSL Keys in RuggedCom Switches

• RuggedCom and their Rugged OS has caused headlines again with a massive security flaw
• The rugged devices are used in many very sensitive installations, including military bases, train switches, power distribution systems, and traffic signals
• The systems are designed to be rugged, insofar as standing up to harsh climate conditions, however it appears that many of these devices have been connected to the internet to allow for remote management, and the security of these systems has again been compromised
• In this case, the RuggedCom devices use a hardcoded SSL private key, meaning that the secret used to decrypt the data sent from the user to the device, can be known by anyone who has ever had access to such a device, or has otherwise gotten access to the key (I am sure it has been posted online somewhere by now)
• SSL uses PKI and asymmetric encryption, meaning there is one key to encrypt data (the public key, published as part of the SSL Certificate), and a private key, used to decrypt information encrypted with the public key
• It seems that all RuggedCom devices uses the SAME SSL key. This is such a large security fiasco as to defy classification. In order for this to have happened, every single person involved with the RuggedCom OS must have entirely lacked any understanding of how SSL works
• The researcher who discovered the vulnerability (Justin W. Clarke, also discovered the previous vulnerability) was able to get the SSL key from various RuggedCom devices he bought on eBay, and discovered that the key on each device was the same
• In addition to being able to decrypt the communications between users and the device, in order to get the login credentials or other sensitive information, an attacker with access to the SSL private key could also send modified responses from the device, making it appear to be normal, or even alter the responses from the device such that they compromise the computer of the administrator who is accessing the RuggedCom device, with something like one of the Flash exploits mentioned earlier in the show
• ICS-CERT is recommending that all RuggedCom devices be isolated from the internet, and only accessed over VPNs to reduce the risk of an attack being able to decrypt the SSL session
• Why any of these devices were connected directly to the public Internet in the first place boggles the mind
• Additional Coverage
• Additional Coverage
• Coverage on Previous Flaw
• TechSNAP 55 – Obscurity is not Security

---

New financial malware demostrates interesting new feature, blocks users from accessing their bank account after it is compromised with friendly error message

• Normally, a man-in-the-browser or keylogger style malware that targets your banking credentials would steal them, and send them to the fraudster, who would use them to gain access to your bank account
• In a later iteration, the MitB attacks would prompt you for the answers to your secret questions
• This level of MitB attacks was confounded by 2 factor authentication, because once the user entered the short-lived PIN, it was no longer useful, so the key-logged information did not allow the fraudster to gain access to the account
• This newest version of the attack now stops your browser from actually communicating with the bank at all
• When you go to the banks site in your browser, and enter your username, password and the one-time PIN, the form details are taken by the malware, and the fraudster then uses them from his computer, and drains your bank account, meanwhile you are given a friendly error message, informing you that the banks website is down for a short maintenance and will be back later
• The reason for this, is the banks fraud-screening system
• The banks automated defense systems monitor where you log in to your online banking from, and if you login from two very distant locations within such a short amount of time that it is not possible for you to have traveled that far, it flags your account as possibly compromised
• By preventing the legitimate user from accessing their account, it prevents this alarm being tripped, giving the fraudster more time to drain the account before being detected

---

Feedback:

• Chef vs Puppet?
• David Suggests we Check out Salt Stack!

---

• Sean has some FreeBSD question

FreeBSD has a ‘linux compatibility layer’, a kernel module called the Linuxulator, that basically translate system called from Linux to BSD. If you install the basic libraries from CentOS into /usr/local/compat under BSD (there are packages that do this for you), you can run compiled linux binaries on FreeBSD. The target of this system is commercial linux applications, like game servers, scientific software and all kinds of not-open-source stuff.

If you create a jail (a second copy of the OS installed in a chroot, which uses the host OS’s kernel), and your freebsd kernel has the linux module loaded, then you could install CentOS in the jail chroot instead of FreeBSD, and have CentOS boot (with its boot scripts etc). It would be CentOS, except with a FreeBSD kernel (although CentOS will think it is using a linux kernel). All of the system binaries, and the package binaries would run through the translation layer (there is no real performance penalty for this, some apps even run faster under FreeBSD)

If you google for it, there are some how-tos on running linux in a FreeBSD jail, for some commercial software like Adobe Flash Media Server, that only want to run on CentOS (doesn’t even like to run on other Linux distros, let alone BSD), it can provide an easy out.

Apparently PC-BSD’s new ‘Warden’ jail management GUI includes the option to deploy a linux jail automatically, but I have not tried it yet

---

• How to setup proper virtual networking?

What I wish the new hires “knew”

Round-Up:

• VMware virtual machines targeted by “Crisis” espionage malware
• Amazon’s Glacier Offers Archival Storage in the Cloud
• Australia Passes ‘Lite’ Data Retention Laws
• New financial Man-In-The-Browser malware still not reliably detected by AV due to self-mutation
• Own someone’s email, and you own them

The post Not so Private Keys | TechSNAP 72 first appeared on Jupiter Broadcasting.

]]>