SCADA – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 22 Feb 2016 02:45:19 +0000 en-US hourly 1

Lights out Management | TechSNAP 250 https://original.jupiterbroadcasting.net/92871/lights-out-management-techsnap-250/ Thu, 21 Jan 2016 10:00:10 +0000 https://original.jupiterbroadcasting.net/?p=92871 The bizarre saga of Juniper may finally be coming to a conclusion, details about SLOTH, the latest SSL vulnerability that also affects IPSec and SSH & the attack on the Ukrainian power grid made possible by malware. Plus your questions with a special theme, a rockin roundup & much more! Thanks to: Get Paid to […]

The post Lights out Management | TechSNAP 250 first appeared on Jupiter Broadcasting.



The bizarre saga of Juniper may finally be coming to a conclusion, details about SLOTH, the latest SSL vulnerability that also affects IPSec and SSH & the attack on the Ukrainian power grid made possible by malware.

Plus your questions with a special theme, a rockin roundup & much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems


— Show Notes: —

Still more questions about Dual_EC in Juniper devices

  • “Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system”
  • “The networking giant said it was not only removing Dual_EC, but also the ANSI X9.31 algorithm from ScreenOS starting with an upcoming release sometime in the first half of this year”
  • Questions still remain as to why it was used in the first place
  • Also, questions remain about some strange coding decisions that led to the ANSI X9.31 algorithm being subtly broken
  • It is still unclear how the backdoors were added to the code, or by whom
  • At last week’s Real World Crypto conference a team of crypto experts presented a number of revelations, including the news that Juniper’s use of Dual_EC dates to 2009, perhaps 2008, at least a year after Dan Shumow and Niels Ferguson’s landmark presentation at the CRYPTO conference that first cast suspicion on Dual_EC being backdoored by the NSA. Shumow’s and Ferguson’s work showed that not only was Dual_EC slow compared to other pseudo random number generators, but it also contained a bias
  • “Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, told Threatpost that he and his colleagues on this investigation looked at dozens of versions of NetScreen and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output”
  • “And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”
  • “It’s very bizarre. I’ve never seen anything like that before where gone from something that was working and written in a standard manner to something as strange as this,” he said. It’s that bug that enabled another attacker to replace the Dual_EC constant—thought to belong to the NSA—with their own constant
  • “The scenario harkens back to the documents leaked by NSA whistleblower Edward Snowden, in particular the NSA’s Project BULLRUN, which explains the NSA’s subversion of Dual_EC and eventually the revelation that RSA Security was allegedly paid $10 million by the NSA to use the algorithm in its products”
  • The SSH backdoor on the other hand, is clearly malicious
  • A network diagram

SLOTH, the latest SSL/TLS vulnerability, which also affects IPSec and SSH

  • “If you thought MD5 was banished from HTTPS encryption, you’d be wrong. It turns out the fatally weak cryptographic hash function, along with its only slightly stronger SHA1 cousin, are still widely used in the transport layer security protocol that underpins HTTPS. Now, researchers have devised a series of attacks that exploit the weaknesses to break or degrade key protections provided not only by HTTPS but also other encryption protocols, including Internet Protocol Security and secure shell.”
  • “The attacks have been dubbed SLOTH—short for security losses from obsolete and truncated transcript hashes. The name is also a not-so-subtle rebuke of the collective laziness of the community that maintains crucial security regimens forming a cornerstone of Internet security. And if the criticism seems harsh, consider this: MD5-based signatures weren’t introduced in TLS until version 1.2, which was released in 2008. That was the same year researchers exploited cryptographic weaknesses in MD5 that allowed them to spoof valid HTTPS certificates for any domain they wanted. Although SHA1 is considerably more resistant to so-called cryptographic collision attacks, it too is considered to be at least theoretically broken. (MD5 signatures were subsequently banned in TLS certificates but not other key aspects of the protocol.)”
  • “Notably, we have found a number of unsafe uses of MD5 in various Internet protocols, yielding exploitable chosen-prefix and generic collision attacks,” the researchers wrote in a technical paper scheduled to be discussed Wednesday at the Real World Cryptography Conference 2016 in Stanford, California. “We also found several unsafe uses of SHA1 that will become dangerous when more efficient collision-finding algorithms for SHA1 are discovered.”
  • “The most practical SLOTH attack breaks what’s known as TLS-based client authentication. Although it’s not widely used, some banks, corporate websites, and other security-conscious organizations rely on it to ensure an end user is authorized to connect to their website or virtual private network. It works largely the same way as TLS server authentication, except that it’s the end user who provides the certificate rather than the server.”
  • OpenVPN uses this to authenticate clients
  • “When both the end user and the server support RSA-MD5 signatures for client authentication, SLOTH makes it possible for an adversary to impersonate the end user, as long as the end user first visits and authenticates itself to a site controlled by the attacker. The so-called credential forwarding attack is carried out by sending carefully crafted messages to both the end user and the legitimate server. To impersonate the end user, an attacker must complete some 2^39 (about 5.75 billion) hash computations, an undertaking that requires about an hour using a powerful computer workstation with 48 cores.”
  • “The impersonation attack is made possible by the susceptibility of MD5 to collision attacks, in which the two different message inputs generate precisely the same cryptographic hash. Because MD5 is a 128-bit function, cryptographers once expected to find a collision after completing 2^64 computations (a phenomenon known as the birthday paradox reduces the number of bits of security of a given function by one half). Weaknesses in MD5, however, reduce the requirement to just 2^15 (or 32,768) for a collision or 2^39 for more powerful chosen-prefix collisions, in which an attacker can choose different message inputs and add values that result in them having the same hash value. Such an attack would be infeasible if MD5 hadn’t been added to TLS in 2008.”
  • “SLOTH can also be used to cryptographically impersonate servers, but the requirements are steep. An attacker would first have to make an astronomically large number of connections to a server and then store the results to disk. If the attacker made 2^X connections, it would then require making 2^(128-X) computations. If the number of connections, for example, was 2^64, the attack would require 2^64 computations. The precomputation requirements are high enough to be outside the capability of most attackers, but they remain feasible for government-sponsored adversaries or those with similarly deep pockets.”
  • “The researchers behind SLOTH have been privately working with developers of vulnerable software to come up with a fix. A partial list of protocols that were identified as vulnerable included TLS versions 1.1, 1.2, and 1.3; IKE versions 1 and 2; and SSH version 2. Vulnerable software included various versions of OpenSSL, NSS, Oracle Java, BouncyCastle Java, and PolarSSL/mbedTLS”
  • The researchers cited this Internet scan indicating 32 percent of TLS servers supported RSA-MD5 signatures.

Attack on Ukrainian power grid, made possible by malware

  • “The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.”
  • “The cyber attack was comprised of multiple elements which included denial of view to system dispatchers and attempts to deny customer calls that would have reported the power out. We assess with high confidence that there were coordinated attacks against multiple regional distribution power companies. Some of these companies have been reported by media to include specifically named utilities such as Prykarpattyaoblenergo and Kyivoblenergo. The exact timeline for which utilities were affected and their ordering is still unclear and is currently being analyzed. What we do know is that Kyivoblenergo provided public updates to customers, shown below, indicating there was an unauthorized intrusion (from 15:30 — 16:30L) that disconnected 7 substations (110 kV) and 23 (35 kV) substations leading to an outage for 80,000 customers.”
  • It appears that malware on workstations at the power companies allowed the attackers to gain a foothold in the network and start moving around laterally
  • They also used this foothold to deny the operators of the power distribution system a correct view of what was happening.
  • Combined with a denial of service attack against the phone system, the operators were left unaware that a large number of substations had been shut down
  • The attacks also used the malware to interfere with efforts to regain control of the computers and SCADA systems that control the power grid
  • From what has been reported, here is the information to date that we are confident took place. The exact timing of the events is still being pieced together.
  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to “blind” the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
  • These actions would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
  • Action can also make forensics more difficult
  • Flooded the call centers to deny customers calling to report power out
  • Because of the way the SCADA systems work, it is almost a certainty that the attacks purposefully opened the breakers to turn off the power, as opposed to it just being a side effect of the malware
  • Luckily, the Ukrainian power grid does not rely heavily on SCADA, using it mostly as a convenience. Other more automated power grids would not have been able to restore power as quickly
  • “We are very interested in helping power utilities learn as much as they can from this real world incident. We would also note the competent action by Ukrainian utility personnel in responding to the attack and restoring their power system. As a community the power industry is dedicated to keeping the lights on. What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards they may face. We need to learn and prepare ourselves to detect, respond, and restore from such events in the future.”
  • Squirrels attacking the power grid

Feedback:


Round Up:



Bait and Phish | TechSNAP 181 https://original.jupiterbroadcasting.net/67657/bait-and-phish-techsnap-181/ Thu, 25 Sep 2014 11:21:20 +0000 https://original.jupiterbroadcasting.net/?p=67657 We’ll tell you about a major German hack that lasted 12 years, and struck over 300 businesses. Plus researchers discover a nasty Android bug that impacts over 70% of users. Then it’s a great big batch of your networking questions, our answers & much much more! Thanks to: Direct Download: HD Video | Mobile Video […]

The post Bait and Phish | TechSNAP 181 first appeared on Jupiter Broadcasting.



We’ll tell you about a major German hack that lasted 12 years, and struck over 300 businesses. Plus researchers discover a nasty Android bug that impacts over 70% of users.

Then it’s a great big batch of your networking questions, our answers & much much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems


— Show Notes: —

Operation Harkonnen, a 12 year long intrusion to over 300 businesses

  • “From 2002 a German cybercrime network performed numerous targeted penetrations of over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrated them to the organizations who ordered the attack”
  • “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
  • “Britain’s relatively tolerant requirements for purchasing SSL security certificates were exploited by the network to create pseudo-legitimate Internet service names and to use them to camouflage their fraudulent activity”
  • Specifically, it is quite easy to establish a new company in England
  • It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
  • “The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.”
  • Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

  • Android versions before 4.4 (75% of all current Android phones) are vulnerable
  • The flaw is CVE-2014-6041 and was disclosed on September 1, 2014 by Rafay Baloch on his blog.
  • By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
  • What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
  • The attacker could scrape your e-mail data and see what your browser sees.
  • Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
  • As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
  • Android Browser used to be the default browser on Android, but this changed in Android 4.2, when Google switched to Chrome.
  • The core parts of Android Browser were still used to power embedded WebView controls within applications; this changed in Android 4.4, when it switched to a Chromium-based browser engine.
  • Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
  • Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.


Feedback:


Round Up:



Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.



We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:

  • GoDaddy
  • Ting
  • iXsystems


— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 & 4 and cannot detect an attempted exploit
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application, attempting to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knowing exactly what legitimate traffic will look like
  • Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.
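One way to spot the unrestricted brute-force attempts Jacoby describes, as an added example that is not from the episode or from Kaspersky: a small Python detector that parses sshd “Failed password” lines and flags any source IP with five or more failures inside a ten-minute sliding window. The log lines are constructed for illustration, and the function names and thresholds are my own choices rather than anything the page specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not real log data).
# One source makes five failures in six seconds, then one more half an hour later;
# another source has a single failure after a successful key login.
SAMPLE_AUTH_LOG = """\
Mar 27 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 27 10:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar 27 10:00:04 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 51041 ssh2
Mar 27 10:00:06 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.9 port 51052 ssh2
Mar 27 10:00:07 web1 sshd[2109]: Failed password for root from 203.0.113.9 port 51060 ssh2
Mar 27 10:00:09 web1 sshd[2111]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
Mar 27 10:05:00 web1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 40020 ssh2
Mar 27 10:30:00 web1 sshd[2200]: Failed password for root from 203.0.113.9 port 51200 ssh2
"""

# Matches the sshd failure format; "invalid user" is present when the
# username does not exist on the host, which is itself a brute-force signal.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, user, ip) for each failed password attempt.

    Syslog lines carry no year, so the caller supplies it (assumed here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (count, users)} for every source IP that produced at least
    `threshold` failures inside some sliding window of length `window`.

    `count` is the largest number of failures seen in any one window and
    `users` the sorted usernames tried in that window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                prev = hits.get(ip)
                if prev is None or count > prev[0]:
                    hits[ip] = (count, users)
    return hits


if __name__ == "__main__":
    for ip, (count, users) in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures in window, users tried: {', '.join(users)}")
```

The sliding window matters more than a raw count: a legitimate user who mistypes a password a few times a day never accumulates five failures in ten minutes, while a password-list attack does so in seconds. The same structure works for any other service that logs failed authentication with a source address; only the regular expression changes.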

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email: looking at the message in Outlook’s preview mode will trigger the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich Text Format) file; Outlook renders RTF files with MS Word by default
  • The Fix-It solution disables automatically opening emails with RTF content with MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014”
  • Additional Coverage – ThreatPost

Feedback:


Round Up:



WordPress LAN Recon | TechSNAP 89 https://original.jupiterbroadcasting.net/29171/wordpress-lan-recon-techsnap-89/ Thu, 20 Dec 2012 17:50:14 +0000 https://original.jupiterbroadcasting.net/?p=29171 A malicious Apache module that uses some clever tricks so that you'll never find it, a WordPress flaw that exposes your LAN, and a big Samsung exploit.

The post WordPress LAN Recon | TechSNAP 89 first appeared on Jupiter Broadcasting.



A malicious Apache module that uses some clever tricks so that you’ll never find it, a WordPress flaw that exposes your LAN, and the big Samsung exploit you might not have heard about!

Plus a big batch of your questions, and so much more on this week’s TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? use go20off5 to save 20% on your entire order!

$4.99 SSL certificates, just use our code 499ssl2. Expires 12-31-12!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains



Show Notes:

Updated version of rogue Apache module injects iframes, but hides from administrators

  • The module, known as Linux/Chapro.A and alternately as Darkleech, is loaded into an Apache server and injects iframes into the pages that are served
  • The iframes load content from malicious sites, usually with the intent of infecting the visitor with the Zeus trojan (Win32/Zbot) or other malware such as the new Sweet Orange exploit kit
  • What makes this module exceedingly clever is that it uses a number of techniques to prevent itself from being discovered and to mask the source of the infection
  • For starters, the module checks all open SSH sessions on the host server and will not serve the malware to any website visitors from those IP addresses
  • The malware also looks at the user agent string and purposely does not serve the malware to bots and crawlers (attempting to avoid detection by the likes of Google’s Safe Browsing system) or to machines that are not likely to be vulnerable (it purposely does not inject the iframe for browsers on OS X, Linux, BSD or mobile devices)
  • The malware also does not attempt to infect the same user twice: via communications with a C&C server, the module decides whether or not to attempt to infect a user. This means that returning to the site when you are already infected, when your IP address has been seen before, or when you are marked by a cookie, will result in you not being served the malware
  • This remote C&C server also determines the content that is injected, allowing the controllers to change the iframe to point to a different exploit without having to change the Apache module
  • These factors make it much harder for server administrators to determine that it is in fact their server that is injecting the iframe, not something on the users’ side, and also make it harder for users and researchers to determine which site infected them, as they may not see the malicious content on a return visit
  • As we know, the Zeus trojan targets users of European and Russian banks and attempts to steal users’ credentials
  • Some banks have started adding warnings to their login screen, notifying users that the bank will never ask them for specific pieces of information, like their card PIN or CVC/CVV value; however, machines infected with the trojan do not see the warning, as it is removed by the malware
  • The Apache module has also been seen to deliver the Sweet Orange exploit kit
  • The developers of the new Sweet Orange exploit kit claim an infection rate of 10–25%
  • The developers have 45 dedicated IP addresses and 267 unique domains to allow them to avoid blacklists
  • Researchers also found an alarmingly low detection rate when some of the domains and IPs were run through scanners
  • It has yet to be seen if this newcomer can compete with the industry-dominating Blackhole Exploit Kit

Researcher exploits old design flaw in WordPress to turn it into an Island Hopping Machine

  • WordPress and many other blogging platforms use a feature called ‘pingback’ to alert other blogs when they are being mentioned
  • In WordPress this causes the blog being mentioned to add a link to the new blog post as a comment, making the connection bidirectional
  • The way this works is that upon receiving a pingback request the WordPress site will contact the URL included in the pingback, attempt to find links to itself, and if found, add the requested comment
  • The issue here is that the pingback request may not actually originate from the site mentioned in the pingback
  • In a WordPress bug opened in 2007, the reporter describes a scenario where many WordPress sites could be asked to pull large files from a victim site, causing a bandwidth amplification attack on both the requesters and the responder. Additionally, an extremely large number of WordPress sites could be used for a regular distributed denial of service attack against a target site
  • The severity of this flaw was considered low, and while some patches to prevent large files from being returned were written for older versions of WordPress, the feared attacks never surfaced and nothing more was ever done about it
  • However, new research by Bogdan Calin (the researcher who developed the ‘hijack your router via an email message to your iOS device’ attack) has found a more novel use for this flaw
  • In addition to causing WordPress to execute his existing attacks against routers on the local networks of the WordPress sites he is attacking, he has also managed to map the various error messages WordPress returns in order to explore and map the local network
  • WordPress returns different error messages based on whether the host of the requested pingback URL resolves or not, and whether the port connected to is open or not (connection refused, timeout, or connected)
  • This allows anyone with access to xmlrpc.php (which is typically publicly exposed) to determine whether specific hostnames (especially unqualified ones) such as svn, subversion, dev, fileserver, exchange, bugzilla, etc. exist, as well as to do port scans (request a pingback to https://192.168.0.100:22/ and see which error message you get)
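A defensive check for the pingback fetch described above, as an added example that is neither WordPress code nor part of Calin’s research: before the site contacts the URL named in a pingback, it validates the target and refuses non-HTTP schemes, unqualified or .local hostnames, ports other than the web ports, and literal or resolved addresses in private, loopback, link-local or otherwise non-global ranges. The function name, the FAKE_DNS table and the example addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline; a real deployment
# would pass a resolver backed by socket.getaddrinfo instead.
FAKE_DNS = {
    "blog.example.com": ["1.2.3.4"],        # constructed public address
    "intranet.example.com": ["10.1.2.3"],   # public name, internal address
}


def _is_public_ip(addr):
    """True only for globally routable, non-multicast addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_pingback_target(url, resolve=None):
    """Return (ok, reason) for a pingback source URL the site is asked to fetch.

    `resolve` is an optional callable mapping a hostname to a list of IP
    strings. Without it only literal IP addresses are checked, so the caller
    must resolve the name and re-check every address before connecting."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # Literal IP: decide on the address itself (no DNS involved).
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        if not _is_public_ip(host):
            return False, f"non-public address {host}"
        return True, "public IP literal"

    # Hostname: unqualified names (svn, fileserver, ...) only make sense on a LAN.
    if "." not in host or host.endswith(".local"):
        return False, f"unqualified or local hostname {host!r}"
    if resolve is not None:
        addrs = resolve(host) or []
        if not addrs:
            return False, f"{host!r} does not resolve"
        bad = [a for a in addrs if not _is_public_ip(a)]
        if bad:
            return False, f"{host!r} resolves to non-public {bad[0]}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://192.168.0.100:22/", "http://svn/",
                      "http://blog.example.com/post/1", "http://intranet.example.com/"):
        print(candidate, check_pingback_target(candidate, resolve=FAKE_DNS.get))
```

Checking only the literal hostname is not enough, which is why the function accepts a resolver: a public-looking name can resolve to an internal address, so a real deployment resolves the name, checks every returned address, and then connects to the checked address rather than resolving a second time. Returning one generic error to the caller regardless of the reason also removes the resolve/refused/timeout distinctions the research relied on.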

Some Samsung devices include full read/write access to all memory, allowing easy rooting and exploitation of the devices

  • /dev/exynos-mem has world read/write permissions and seems to be very similar to /dev/mem
  • The device node seems to be used by the camera and HDMI interfaces on the devices
  • The exploit allows for dumping all device RAM, kernel code injection, and possibly malicious app installation
  • Additional Coverage
  • A new app called ExynosAbuse APK chmod’s the device node at boot to prevent world read/write access; however, this may disable your camera and HDMI interfaces
  • Samsung Exynos kernel exploit offers easy root and malware possibilities | Android Community
  • Vulnerable devices include:
    • Samsung Galaxy S II, S III and S III LTE
    • Samsung Galaxy Camera
    • Samsung Galaxy Note, Note II, and Note II LTE
    • Samsung Galaxy Note 10.1
    • Samsung Galaxy Tab 7.0 Plus
    • Samsung Galaxy Tab 7.7
    • Hardkernel ODROID-A and Hardkernel ODROID-X
    • Lenovo K860
    • Meizu MX 2-Core, Meizu MX 4-Core and Meizu MX2
    • Newman N2
    • ORIGEN 4 Dual and ORIGEN 4 Quad

Feedback:

HALL OF SHAME:

Round Up:


Cyber Bank Heist | TechSNAP 41 https://original.jupiterbroadcasting.net/16006/cyber-bank-heist-techsnap-41/ Thu, 19 Jan 2012 19:34:30 +0000 https://original.jupiterbroadcasting.net/?p=16006 Hackers rob nearly $6 million dollars over the Internet, the Zappos security breach, the fall of the koobface botnet, and what happened to Megaupload.

The post Cyber Bank Heist | TechSNAP 41 first appeared on Jupiter Broadcasting.



Find out how hackers robbed a bank for nearly $6 million dollars over the Internet, the Zappos security breach, the fall of the koobface botnet, and what happened to Megaupload.

Plus we look back at the web’s SOPA protest this week, and see where things stand.

All that, and much more, on this week’s episode of TechSNAP!

    Thanks to:
    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Pick your code and save:
    DOTCO9: .co domain for $17.99
    techsnap7: $7.99 .com
    techsnap10: 10% off
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans


    Direct Download Links:


    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube


    Subscribe via RSS and iTunes:

    Show Notes:

    Cyber Bank Heist Nets 5.3 Million Dollars

    • During the first three days of the new year, while the bank was closed for the holiday, thieves accessed a compromised computer at the South African Postbank and used it to transfer large sums of money into accounts they had opened over the past few months
    • They then used the compromised computer, and the credentials of a teller and a call center employee, to raise the withdrawal limits on their accounts
    • By 9am on January 1st, numerous money mules started making trips to ATMs in Gauteng, KwaZulu-Natal and the Free State, unhindered by withdrawal limits
    • Withdrawals stopped around 6am on January 3rd, before the bank reopened and the compromise was detected
    • In total, approximately 42 million South African rand were stolen (approximately 5.3 million USD, although some news stories reported the figure as 6.7 million USD). This appears to be around 1% of the entire holdings of the government-operated bank
    • The National Intelligence Agency (NIA) is investigating, as Postbank is a government institution
    • Sources report that the bank’s fraud detection system failed to detect the extremely large withdrawals, and the fraud was not discovered until employees returned to the bank after the New Year’s holiday
    • Observers question why such low-level employees (teller, call center agent) had the access required to raise the withdrawal limits
    • Investigators have not yet determined if the computers and passwords were compromised by the employees unwittingly, or if they were involved in the heist
    • Local Coverage
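The two failures the notes call out (limit changes by staff who should not have had that privilege, and very large withdrawals that tripped no alarm) are the kind of thing a simple rule set over the audit trail catches. The following is an added example, not Postbank's system: the log format, roles, closure dates and thresholds are constructed for illustration.

```python
"""Detection rules over a constructed audit trail: limit changes by roles that should
not have the privilege, limit changes while the bank is closed, and single or
cumulative ATM withdrawals that are out of range."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log. Fields: timestamp actor role action account amount_in_ZAR
SAMPLE_LOG = """\
2012-01-01T02:10:00 tlr042 teller RAISE_LIMIT acct-7781 500000
2012-01-01T02:12:00 cc118 callcenter RAISE_LIMIT acct-7782 500000
2012-01-01T09:05:00 atm-gp-01 atm WITHDRAW acct-7781 150000
2012-01-01T09:20:00 atm-gp-02 atm WITHDRAW acct-7781 150000
2012-01-01T09:35:00 atm-kzn-07 atm WITHDRAW acct-7781 150000
2012-01-01T10:00:00 atm-fs-03 atm WITHDRAW acct-7782 9000
2012-01-04T10:15:00 mgr007 branch_manager RAISE_LIMIT acct-1001 20000
2012-01-04T11:00:00 atm-gp-01 atm WITHDRAW acct-1001 3000
"""

# Policy values are assumptions chosen for the example, not Postbank's real limits.
LIMIT_CHANGE_ROLES = {"branch_manager"}   # tellers and call-centre agents may not raise limits
CLOSED_FROM = datetime(2012, 1, 1)        # holiday closure: no staff action should alter limits
CLOSED_UNTIL = datetime(2012, 1, 4)
SINGLE_WITHDRAWAL_MAX = 50_000            # one ATM withdrawal above this is abnormal
VELOCITY_WINDOW = timedelta(hours=2)      # cumulative per-account withdrawals in this window...
VELOCITY_MAX = 300_000                    # ...above this amount are abnormal


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    role: str
    action: str
    account: str
    amount: int


def parse_log(text: str) -> list:
    """Parse the whitespace-separated constructed log into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, role, action, account, amount = line.split()
        events.append(Event(datetime.fromisoformat(ts), actor, role, action, account, int(amount)))
    return sorted(events, key=lambda e: e.ts)


def detect(events) -> list:
    """Run the four rules over the events and return one alert dict per hit."""
    alerts = []
    recent = defaultdict(list)   # account -> withdrawals inside the velocity window
    for ev in events:
        if ev.action == "RAISE_LIMIT":
            if ev.role not in LIMIT_CHANGE_ROLES:
                alerts.append({"rule": "UNAUTHORIZED_LIMIT_CHANGE", "event": ev})
            if CLOSED_FROM <= ev.ts < CLOSED_UNTIL:
                alerts.append({"rule": "LIMIT_CHANGE_WHILE_CLOSED", "event": ev})
        elif ev.action == "WITHDRAW":
            if ev.amount > SINGLE_WITHDRAWAL_MAX:
                alerts.append({"rule": "LARGE_WITHDRAWAL", "event": ev})
            # Sliding window: keep only this account's withdrawals from the last two hours.
            window = [w for w in recent[ev.account] if ev.ts - w.ts <= VELOCITY_WINDOW]
            window.append(ev)
            recent[ev.account] = window
            total = sum(w.amount for w in window)
            if total > VELOCITY_MAX:
                alerts.append({"rule": "WITHDRAWAL_VELOCITY", "event": ev, "window_total": total})
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per rule, e.g. for a dashboard or a test."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        ev = alert["event"]
        print(f"{ev.ts.isoformat()} {alert['rule']:26} {ev.actor:10} {ev.account} {ev.amount}")
```

On the sample log the two out-of-hours limit changes by a teller and a call-centre agent fire twice each, the three 150,000 withdrawals fire individually, and the third one also trips the two-hour velocity rule.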

    Koobface operators go underground as researchers disclose their identities

    • The Koobface malware mostly targeted Facebook users, prompting them to download a newer version of Flash in order to watch a non-existent video. Rather than the expected Flash update, the users would be infected with malware
    • The malware operators made large sums of money by using the botnet of infected computers to perpetrate click fraud against pay-per-click advertising networks. “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud”
    • Facebook and some researchers they had been working with released their findings, including the identities, social media accounts and other information that had been gathered on those behind the malware
    • Within days of that disclosure, the attackers had shut down their C&C servers and rapidly began destroying the evidence against them. They also appear to have gone into hiding (likely to avoid prosecution or extradition)
    • With the shutdown of the C&C servers, and the disappearance of the operators, new infections of Koobface have dropped to near zero
    • Researchers question if exposing the operators was the right thing to do
    • Canadian researchers released a paper on Koobface in 2010. Rather than releasing the identities of the attackers, Infowar Monitor handed the information over to Canadian law enforcement
    • Additional Coverage

    Shoe Retailer Zappos Hacked, 24 million customers compromised

    • Zappos, an online shoe retailer owned by Amazon, was compromised last week
    • Attackers gained access to the customer database after compromising a Zappos server in Kentucky and using it to island-hop into the internal network
    • The Zappos customer database contained names, email addresses, scrambled passwords, billing and shipping addresses, phone numbers and the last four digits of credit card numbers
    • It is unclear what is meant by ‘scrambled’ passwords; hopefully this means secure hashing
    • Zappos states rather clearly, and repeatedly, that their secure payment processing servers were not compromised, and that credit card and transaction data remain secure
    • Hopefully this means that Zappos takes their PCI-DSS compliance seriously, and the payment servers are isolated from the internal network that was invaded via the compromised server
    • Even without the full credit card data, the information from this compromise could be used quite successfully in spear phishing attacks
    • Zappos has reset and expired all customers’ passwords, forcing customers to choose new passwords
    • Zappos has disabled its phone systems in anticipation of an extremely high volume of support inquiries
    • Zappos Announcement

    Researcher reveals that Stuxnet did not use a vulnerability in SCADA

    • Researcher Ralph Langner presented his findings at the S4 Conference on SCADA Systems
    • In his presentation, he revealed that the Stuxnet worm, while possessing many 0-day exploits to gain access to the protected computer systems, used a design flaw in the SCADA system, rather than an exploit, to perform the attack
    • Langner postulates that the design of the Stuxnet worm was not to destroy the centrifuges, but to undetectably disrupt the process, making production impossible
    • The Stuxnet worm takes advantage of the fact that the input process image of the PLC is read/write rather than read-only: the worm simply plays back the results of a known good test to the controller, while actually feeding the centrifuge bad instructions, resulting in unexplained, undesirable results
    • Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security for failing to take the security issues more seriously
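The design flaw Langner describes is easiest to see in a toy scan cycle: with a writable input process image, code resident on the controller can replace the sampled reading with a recorded in-range value, so the control logic and the operator never see the real rotor speed. This is an added example, not Langner's analysis or any Siemens code; the plant model, setpoints, the read-only image switch and the independent monitor are assumptions made for illustration.

```python
"""Toy PLC scan cycle: a writable input image lets replayed readings mask the process,
a read-only image blocks the replay, and an independent monitor flags the mismatch."""
from dataclasses import dataclass, field
from types import MappingProxyType

NOMINAL = 1000.0        # normal rotor speed (constructed units)
OVERSPEED = 1400.0      # control logic trips above this
REPLAY_VALUE = 1000.0   # 'known good' reading that the resident malicious logic plays back
ATTACK_COMMAND = 1600.0 # drive command the attacker issues to push the rotor out of range
MONITOR_TOLERANCE = 50.0


@dataclass
class Centrifuge:
    """Constructed plant: speed follows the drive command with a first-order lag."""
    speed: float = NOMINAL

    def step(self, command: float) -> None:
        self.speed += 0.5 * (command - self.speed)


@dataclass
class PLC:
    """input_image is what the logic reads. With writable_image=True anything running on
    the controller can overwrite it between sampling and the logic scan (the flaw above)."""
    writable_image: bool
    input_image: dict = field(default_factory=dict)
    setpoint: float = NOMINAL
    tripped: bool = False

    def sample_inputs(self, plant: Centrifuge) -> None:
        image = {"speed": plant.speed}
        # Assumed hardening: a read-only view of the sampled values.
        self.input_image = image if self.writable_image else MappingProxyType(image)

    def logic(self) -> None:
        if self.input_image["speed"] > OVERSPEED:
            self.tripped = True          # latched overspeed trip
        self.setpoint = 0.0 if self.tripped else NOMINAL


def replay_inputs(plc: PLC, value: float) -> bool:
    """Resident malicious logic overwriting the sampled reading; True if the write took."""
    try:
        plc.input_image["speed"] = value
        return True
    except TypeError:                    # read-only process image rejects the write
        return False


def simulate(cycles: int, writable_image: bool, attacker: bool) -> dict:
    plant = Centrifuge()
    plc = PLC(writable_image=writable_image)
    masked, mismatches, trip_cycle = False, 0, None
    for cycle in range(1, cycles + 1):
        plc.sample_inputs(plant)
        if attacker:
            masked = replay_inputs(plc, REPLAY_VALUE) or masked
        # Independent monitor (defender's addition, assumed): compare the image the PLC
        # reports against a measurement that does not pass through the controller.
        if abs(plc.input_image["speed"] - plant.speed) > MONITOR_TOLERANCE:
            mismatches += 1
        plc.logic()
        if plc.tripped and trip_cycle is None:
            trip_cycle = cycle
        # Assumption: the trip output drives a hardwired safety relay, so it removes
        # drive power regardless of what the attacker commands.
        if plc.tripped:
            command = 0.0
        elif attacker:
            command = ATTACK_COMMAND
        else:
            command = plc.setpoint
        plant.step(command)
    return {"masked": masked, "mismatches": mismatches,
            "trip_cycle": trip_cycle, "final_speed": plant.speed}


if __name__ == "__main__":
    for writable in (True, False):
        print("writable image" if writable else "read-only image", simulate(20, writable, True))
```

With the writable image the trip never fires and only the out-of-band monitor notices; with the read-only image the replay fails and the controller's own logic trips on the third scan.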

    Round Up:


    Future SSL | TechSNAP 37 https://original.jupiterbroadcasting.net/15136/future-ssl-techsnap-37/ Thu, 22 Dec 2011 20:09:38 +0000 https://original.jupiterbroadcasting.net/?p=15136 Find out what major infrastructure software uses the admin password of “100”, plus future improvements to SSL, how the CIA keeps their IT guys trustworthy.

    The post Future SSL | TechSNAP 37 first appeared on Jupiter Broadcasting.


    Find out what major infrastructure software uses the admin password of “100”, plus future improvements to SSL, how the CIA keeps their IT guys trustworthy, and…

    An epic tech war story!!

    All that and more, on this week’s TechSNAP.

    Thanks to:

    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Free Private Registration

    GoDaddy Offer Code: techsnap17
    Link: https://www.godaddy.com/domainaddon/private-registration.aspx?isc=techsnap17

    $1.99 hosting for the first 3 months

    GoDaddy Offer Code: techsnap11

    20% off .xxx domains

    Code: techsnapx

    Direct Download Links:

    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

    Subscribe via RSS and iTunes:

    Show Notes:

    Siemens lied about critical flaws in SCADA software

    • The SIMATIC systems have a major flaw in the authentication system that allows an attacker to entirely bypass authentication, accessing the control software without a username or password
    • If a user changes the password to something with a special character in it, the system may automatically reset the password to ‘100’
    • The Siemens system was the target of the Stuxnet attack, the most sophisticated virus/worm ever seen, yet the Siemens system is rather trivial to break into
    • The values of the session cookies used by the Siemens system can be predicted after some analysis, allowing the attacker to authenticate themselves without any credentials
    • The researcher (Bill Rios, who works for Google) discovered this issue in May, and reported it to Siemens. Siemens had acknowledged the problem when it was reported.
    • Later, Siemens PR department told a Reuters reporter that “there are no open issues regarding authentication bypass bugs at Siemens,”
    • The SIMATIC system has 3 interfaces, Web, VNC and Telnet (why? Telnet is insecure). All three interfaces use separate credentials, all defaulting to ‘100’. If a user changes the web password, they may not realize that the VNC password is still the default
    • The SCADA system at a water and sewage treatment plant in Texas was compromised by an attacker who found the system to be using a 3 character password (possibly the ‘100’ described above)
    • Additional In-Depth Coverage

    Shorter warranties of desktop hard drives

    • Western Digital and Seagate have announced that drives sold in the new year may have significantly shorter warranties
    • Most desktop hard drives will see their warranties cut. Higher end and Near Line drives may see reductions
    • Western Digital drives (Green/Blue editions and others), except the Black editions, will drop from 3 years to 2. Black Edition, VelociRaptor and Enterprise products will continue to have 5 year warranties.
    • Seagate desktop and laptop drives (Barracuda, Barracuda Green, Momentus 2.5”) will see their industry-leading 5 year warranties cut to only 1 year
    • Seagate’s specialty Video and Surveillance drives (SV35 Series, Pipeline HD/HD Mini) will feature 2 year warranties
    • Seagate’s higher end drives (Barracuda XT, and the hybrid Momentus XT) as well as near line drives (Constellation 2/ES/ES2) will come with 3 year warranties
    • Seagate enterprise drives, such as the Cheetah series, will retain their 5 year warranty
    • Seagate recently purchased Samsung’s hard drive business, so warranties on the remaining product lines that carry the Samsung name will also be reduced
    • Original Coverage

    New SSL CA Requirements Published

    • In an effort to solve issues that have plagued the SSL certificate system this year, a new set of requirements has been put together
    • The goal is to establish a new set of criteria that vendors will use when deciding which CAs to trust. This list, distributed as part of web browsers, operating systems and other SSL clients, is inherently important to the PKI
    • The CA/Browser forum is made up of major CAs such as Comodo, CyberTrust, Entrust, GeoTrust, GlobalSign, GoDaddy, Network Solutions, RSA Security, StartCom, Symantec, Thawte and Verizon. (Interestingly, VeriSign does not appear on the list). The Relying-Parties include Apple, Google, Microsoft, Mozilla, RIM, KDE, and Opera
    • The policy strictly spells out the duties of the CA, such as verifying that the user requesting the certificate actually has control over and the right to use the Domains and IP Addresses listed on the certificate (Earlier this year, certificates for domains such as google.com and mail.yahoo.com were incorrectly issued to an attacker)
    • CAs must also make efforts to ensure the information on the certificate is correct, and not misleading (with the advent of internationalized domain names, it was possible to get a certificate for a domain that looked like paypal.com, but was actually spelled with a unicode character that looks very much like the letter a)
    • All CAs must provide a 24×7 publicly accessible repository of status information about all certificates (whether the certificate has been revoked, etc.)
    • Certificates will no longer be allowed to be issued for internal IP addresses (such as 192.168.0.0/24 or 10.0.0.0/8). New certificates with internal IPs cannot be issued after November 2015, and all existing certificates will be revoked October 2016
    • The common name field is deprecated in favour of the subjectAltNames field.
    • Certificates can no longer have an expiration date of more than 60 months. Beyond April 2015, any certificate with an expiration date greater than 39 months requires special documentation
    • Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
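Several of the requirements listed above can be checked mechanically against a certificate's parsed fields. The following is an added example, not the CA/Browser Forum's or any CA's tooling: the certificate records are constructed dicts (a real certificate would first be parsed with a library), and the exact cutoff dates are assumptions read from the bullets above.

```python
"""Policy checks over parsed certificate fields: names carried in subjectAltName rather
than only the CN, no internal IP addresses, validity capped at 60 months (39 months
after April 2015) and internationalized labels flagged for a look-alike review."""
import ipaddress
from datetime import date

MAX_MONTHS = 60
MAX_MONTHS_AFTER_APRIL_2015 = 39
SHORTER_VALIDITY_FROM = date(2015, 4, 1)   # assumption: "beyond April 2015" read as from 1 April
INTERNAL_IP_BAN_FROM = date(2015, 11, 1)   # no new internal-IP certificates after November 2015

# Constructed certificate records (not real certificates).
CERT_INTERNAL = {
    "common_name": "mail.corp.example",
    "subject_alt_names": ["mail.corp.example", "10.0.0.5"],
    "not_before": date(2012, 1, 1),
    "not_after": date(2018, 1, 1),         # 72 months
}
CERT_OK = {
    "common_name": "www.example.test",
    "subject_alt_names": ["www.example.test", "example.test"],
    "not_before": date(2012, 1, 1),
    "not_after": date(2014, 12, 31),       # 35 months
}
CERT_IDN = {
    "common_name": "xn--pypal-4ve.example",  # constructed punycode label
    "subject_alt_names": ["xn--pypal-4ve.example"],
    "not_before": date(2015, 6, 1),
    "not_after": date(2019, 6, 1),         # 48 months
}


def months_between(start: date, end: date) -> int:
    """Whole months from start to end; a partial trailing month does not count."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def is_internal_ip(name: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; False for hostnames."""
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        return False


def is_idn_label(name: str) -> bool:
    """Non-ASCII characters or punycode (xn--) labels need a look-alike review."""
    return any(ord(ch) > 127 for ch in name) or any(
        label.startswith("xn--") for label in name.split("."))


def check_certificate(cert: dict, today: date) -> list:
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    sans = list(cert.get("subject_alt_names", []))
    cn = cert.get("common_name")
    if not sans:
        findings.append(("NO_SAN", "no subjectAltName; the CN field alone is deprecated"))
    elif cn and cn not in sans:
        findings.append(("CN_NOT_IN_SAN", f"CN {cn!r} is not repeated in subjectAltName"))
    for name in sans:
        if is_internal_ip(name):
            status = "must not be issued" if today >= INTERNAL_IP_BAN_FROM else "to be phased out"
            findings.append(("INTERNAL_IP", f"{name}: internal address, {status}"))
        elif is_idn_label(name):
            findings.append(("IDN_LABEL", f"{name}: internationalized name, check for look-alikes"))
    months = months_between(cert["not_before"], cert["not_after"])
    if months > MAX_MONTHS:
        findings.append(("VALIDITY_GT_60", f"validity of {months} months exceeds {MAX_MONTHS}"))
    elif today >= SHORTER_VALIDITY_FROM and months > MAX_MONTHS_AFTER_APRIL_2015:
        findings.append(("VALIDITY_GT_39", f"validity of {months} months needs special documentation"))
    return findings


if __name__ == "__main__":
    for label, cert, today in (("internal", CERT_INTERNAL, date(2016, 1, 1)),
                               ("ok", CERT_OK, date(2012, 1, 15)),
                               ("idn", CERT_IDN, date(2015, 6, 1))):
        print(label, check_certificate(cert, today))
```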

    How Does the CIA Keep Its IT Staff Honest?

    • “Once you’re in, there are frequent reinvestigations, but it’s just part of process here,” says Tarasiuk, who also gets polygraphed regularly
    • There’s so much top secret information contained within the CIA’s systems that IT plays a key infosecurity role in making sure that CIA employees are not doing anything nefarious.
    • “They are very concerned about foreign intelligence services that are interested in penetrating the CIA. Because of that we pay particular attention to the kinds of things we put on our network.”
    • The CIA’s networks aren’t directly connected to the internet. “We have a very closed network that’s connected to an intelligence community enterprise,” Tarasiuk says, “so I don’t necessarily have the worries about the hackers from the internet trying to break through.”

    Feedback

    Q: (Markus) I have a small company network. (About 5 clients: 1 Windows, 4 Linux). Your war story about Bacula was very interesting. I’m interested in building a dedicated Bacula server for my backups. Do you know an entry level barebones system that supports the latest FreeBSD and can handle 3 drives (ZFS)? Can I just grab an Intel Atom barebones and it is going to work?

    A: An Atom based system would likely work well for that; you don’t really need all that much performance to do backups, so even the slower RAM, lack of cache/queue depth, and typically weaker SATA controller really won’t be an issue for a backup server. I don’t have any advice on a specific model or anything; the SuperMicro barebones Atom servers are nice, but they are typically space-saver type deals that won’t fit more than 1 disk, and may be overpriced for what you want. Chris’ Bitcoin Atom Parts List

    Atom board with 8GB of RAM Support


    War Story

    This week’s War Story comes in from long time JB viewer Irish_Darkshadow (The other, other Alan)

    Setting:
    IBM has essentially two “faces”, one is the commercial side that deals with all of the clients and the other is a completely internal organisation called the IGA (IBM Global Account) that provides IT infrastructure and support to all parts of IBM engaged with commercial business.

    There are sites located in key geographies which then provide that support for their regions and at a rudimentary level, those sites act as failover for each other.

    Each of those sites has a team that deals with Incident / Problem / Change Management functions in addition to Crit Sit (critical situations handling) and communications around those disciplines. Sometimes events take place that require multiple sites to cooperate in order to handle certain situations.

    The events described below took place between August 14th and 15th of 2003.

    War Story:

    The EMEA (Europe / Middle East / Africa) CSC (Customer Support Centre) site was based in Dublin, Ireland at the time. The site management arranged to have a night out on the town for the entire location as a sort of “end of summer” event. I was working for the crit sit team at that point and happened to be designated as the “on call” guy that night. Being an Irishman with a healthy liking for the odd alcoholic beverage I was a bit miffed at having to attend such an event and not being able to imbibe.

    While at the event I then set about blagging as many vouchers for free drinks as possible to give to my team and I hassled every management person I could see to get the job done. At one point I went up to the bar to get a round for my team and realised that I was standing beside the on call Duty Manager. If something kicked off at work, I would be the first person called and if I needed management support to get things done, this Duty Manager would have been my first call thereafter. My next realisation was that the Duty Manager was knocking back cocktails to beat the band. I questioned this and got one of those “meh, what’s the worst that could happen” responses. My first mistake that night was that I took her response as an implicit “all clear” to have some drinks myself. Several rounds later at around 2am, I decided to have my girlfriend drive me home as she was on soft drinks that night. I arrived home, very drunk at around 2:35 and was dead to the world about 10 seconds after my head hit the pillow. And that’s where things take a turn for the worst.

    I awake at 3:20 to the wonderful melody of the on call mobile phone. Upon eventually figuring out how to answer the phone and then hold it the right way up, I was greeted by an overly enthusiastic support agent. Apparently “some guy” from the US had called in to the EMEA CSC site to request that our Dublin Executive join some conference call in the middle of the night (at least for Dublin). Through the fog of alcohol induced indecision, I somehow managed to realise that this meant contacting the cocktail loving Duty Manager to get approval to wake up the Executive (ya gotta love big blue bureaucracy). I gave my permission to the support agent to make that call for me while I located a cold shower and a source of caffeine. During the following minutes I realised that the cocktail loving duty manager would probably not answer her phone and that I would likely be getting another call. In preparation I went down to the kitchen….impressively staying upright despite my blood alcohol level. Tea was the only option available to me and some toast to soak up some of the sweet, sweet booze in my belly. The phone rang again and it was time to get an update…..as expected, the agent was unable to contact the Duty Manager and so I gave permission for him to call the Executive directly giving instructions for her to call me. Just before hanging up I walked into my living room, turned on the TV and there on the news channel I saw “US power outage – 16 million east coast homes without power”. I had a sudden sinking feeling when I realised that the little graphic they showed covered an area which included some major IBM locations: Research Triangle Park (RTP in North Carolina), IBM Headquarters in Armonk, New York and also MOB North in Toronto. The shit was truly about to hit the fan and if I wasn’t under the influence of alcohol at that point, I likely would have been more worried. Instead, I managed to explain to the agent on the phone what I believed the situation was and how to proceed. I knew that I would have to get to the office and the local taxi service told me that they had no cars available for at least 90 mins. I made the long climb back upstairs….nudged the already miffed girlfriend and requested a lift to work 😀 . After much moaning, she decided she would just start work early anyways and off we went.

    Upon arrival at the EMEA CSC site I started organising calls to sort out a plan for handling the initial problems. With those US and Canada sites being offline we would have to activate contingency plans in other geographies to cover them. Within the hour we had established that only the Toronto site had not failed over onto backup power. The site was primarily a call taking center and that meant I needed to arrange for staff on our site to come in early, cancel all native language support in favour of English only support and then assess workload incoming versus emergency capacity. Oh alcohol, how you did tease me with these conundrums in the middle of the night!

    I called Toronto personally to speak with my counterpart there in order to get an update on why they were unable to get over to backup power. Each site typically has a diesel generator in their disaster recovery plans for just such an eventuality. The Toronto site manager was able to explain to me that the diesel generator simply had not kicked in and they were investigating. I requested 15 minute update calls from that point onwards. The first call exposed that the primary reason for their backup generator failing was that nobody had thought to put any frickin’ diesel in the damn thing! I requested that they arrange for an emergency supply to be procured and get back to me on the next call with an outlook. The next call never happened 15 minutes later but the following one did (30 mins after I asked for a diesel supply). The Toronto site manager then explained that a supply was en route and would be there in less than an hour. It was about 05:30 for me at that point and I was sobering up fast. I agreed to put off the next update call for an hour while I prepared on our side.

    I had to assume that the diesel would be a failure and that meant I needed to arrange for staff to be called, woken up and summoned to work. This included calling in people off vacation and basically staffing for an apocalyptic onslaught of incoming work to handle the overflow from Toronto. Preparations were going well on that front despite the inconvenience to our staff who were being rudely awoken with the wonderful news.

    When it came time to speak with Toronto again, nobody answered. Fifteen minutes later….still no answer. This went on for about 45 minutes before I got the site manager on the line. The conversation went something like this:

    Me: Ok, where the hell have you been for the last 45 minutes?!?!

    Toronto: I’m at the compound with the diesel truck.

    Me: That doesn’t exactly answer my question. Are you guys up and running now?

    Toronto: No, the truck guy says that it will take up to an hour to fill the generator and it cannot be switched on until that is done.

    Me: Ok, that’s good news. So in an hour or so you guys will be powered up and my staff only need to cover that time for you. Excellent, I’ll inform the Execs.

    Toronto: Eh, I wouldn’t do that just yet.

    Me: Why not?

    Toronto: There’s another problem.

    Me: You have my undivided attention.

    Toronto: We can’t actually get to the backup generator to fill it with diesel.

    Me: I think that warrants further explanation.

    Toronto: The gate to the compound that surrounds the generator…well…..it’s electrically powered!

    And there you have it folks: in IT support, when you see high level disaster recovery plans being put in place, maybe somebody with some common sense should take a look over them and ensure that a crucial diesel backup generator actually has fuel in it and that it can be accessed in the event of a power outage! (And never, ever get drunk when you’re the on call guy.)


    Round Up:


    How Malware Makes Money | TechSNAP 31 https://original.jupiterbroadcasting.net/13756/how-malware-makes-money-techsnap-31/ Thu, 10 Nov 2011 18:18:24 +0000 https://original.jupiterbroadcasting.net/?p=13756 The FBI shuts down a cyber crime syndicate, and we’ll tell you just how much profit they were bringing in. Plus we’ll cover how to securely erase your hard drive!

    The post How Malware Makes Money | TechSNAP 31 first appeared on Jupiter Broadcasting.


    The FBI shuts down a cyber crime syndicate, and we’ll tell you just how much profit they were bringing in.

    Plus we’ll cover how to securely erase your hard drive, Xbox Live’s minor password leak, and how researchers remotely opened prison cell doors, in my own state!

    All that and more, on this week’s episode of TechSNAP!

    Thanks to:
    GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!


    Direct Download Links:

    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

    Subscribe via RSS and iTunes:


    Show Notes:

    FBI takes out malware operation that illicitly made 14 million dollars

    • The malware was said to have infected as many as 4 million computers in 100 countries
    • At least 500,000 infected machines in the USA alone
    • Operation Ghost Click resulted in indictments against six Estonian and one Russian national. The Estonians were taken in to custody by local authorities and the US is seeking to extradite them.
    • The malware, called DNSChanger, changed the user’s DNS servers to rogue servers run by the botnet operators, which allowed the attackers to perform man-in-the-middle attacks against any site they wished.
    • The attackers redirected all traffic related to Apple and iTunes to a site that sold fake Apple software and pirated music.
    • The attackers also stole traffic from legitimate advertising networks and replaced it with their own network, charging advertisers for their ill gotten traffic.
    • The malware also blocked Windows Update and most known virus scanners and help sites.

    Pastebin of XBox Live IDs and passwords published

    • The pastebin contained 90 game tags, passwords and possibly email addresses
    • Microsoft says that they do not believe their network was compromised, and that this list is the result of a small scale phishing attack
    • The size of the credential dump seems to support that conclusion
    • Regardless, it is recommended that you change your XBox Live password, and the password on any other service that shared the same password, especially the email address used for your XBox Live.

    Researchers Uncover ‘Massive Security Flaws’ In Amazon Cloud

    • The vulnerability (since fixed) allowed an attacker to completely take over administrative rights on another AWS account, including starting new EC2 and S3 instances, and deleting instances and storage
    • An attacker could have run up a huge bill very quickly, and it would appear legitimate.
    • Using EC2 to crack passwords becomes even more effective when someone else is paying for your instances
    • The vulnerability was exploited using an XML signature wrapping attack, allowing them to modify the signed message while still having it verify as unmodified.
    • Amazon said “customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities”
    • Previous Article about Amazon AWS Security
    • The previous article mostly covers vulnerabilities created by users of AWS, including people publicly publishing AMIs with their SSH keys still in them.

    Prison SCADA systems vulnerable to compromise

    • Researchers have been able to compromise the SCADA systems and open/close cell doors, overload door mechanisms so they cannot be opened/closed, and disable the internal communications systems.
    • The researchers worked in one of their basements, spent less than $2,500 and had no previous experience in dealing with these technologies.
    • Washington Times Article confirms that the research was delivered to state and prison authorities, and that Homeland Security has verified the research
    • Researchers were called in after an incident where all of the cell doors on death row at one prison opened spontaneously
    • While the SCADA systems are not supposed to be connected to the Internet, it was found that many of them were.
    • Some were used by prison staff to browse the Internet, leaving them open to malware and other such attacks.
    • While others had been connected to the Internet so they could be remotely managed by consultants and software vendors
    • Even without the Internet, researchers found that the system could be compromised by an infected USB drive, connected to the SCADA system either via social engineering or bribery of prison employees.

    Feedback:

    Simon asks about destroying your data before recycling/selling your used hard drives

    • There are a number of tools that will overwrite the contents of your hard drive a number of times in various patterns. The goal here is to ensure that any data that was on the drive can not be recovered. There is never a guarantee that the data will not be recoverable.
    • Allan Recommends: DBAN – Darik’s Boot And Nuke
    • It is still a very good idea to overwrite the data on your disks before you recycle/sell them. The methods are slightly different now; specifically, some methods such as the ‘Gutmann Wipe’, which was designed for a specific type of disk encoding that is no longer used in modern hard drives, are no longer effective.
    • DBAN supports a number of methods:
    • PRNG Stream (recommended) – literally overwrites the entire drive with a stream of data from the Pseudo Random Number Generator. It is recommended that you use 4 passes for medium security, and 8 or more passes for high security.
    • DoD 5220.22-M – The US Department of Defense 7 pass standard. The default in DBAN is the DoD Short, which consists of passes 1, 2 and 7 from the full DoD wipe.
    • RCMP TSSIT OPS-II – The Canadian government’s “Technical Security Standard for Information Technology”: Media Sanitization procedure. (8 passes)
    • Quick Erase (Not recommended) – Overwrites the entire drive with 0s, only 1 pass. This is designed for when you are going to reuse the drive internally, and is not considered secure at all
    • DBAN also verifies that the data was overwritten properly, by reading back the data from the drive and verifying that the correct pattern is found.
    • I am not certain about the answer to your question concerning SD cards and other flash storage not in the form of a hard disk. A file erasure utility may be the only option if the device does not actually accept ATA/SCSI commands (careful, some USB devices pretend to accept the commands but just ignore ones they do not understand)
    • Simon’s method of using the shred utility (designed to overwrite an individual file) on the block device is not recommended. A proper utility like DBAN uses ATA/SCSI commands to tell the disk to securely erase itself, which involves disabling write caching, and erasing unaddressable storage such as sectors that have been relocated due to bad sectors.
    • Special consideration should be given to SSDs, as they usually contain more storage than advertised, and as the flash media wears out, it is replaced from this additional storage. You want to be sure your overwrite utility overwrites the no-longer-used sectors as they will still contain your data. This is why a utility that uses the proper ATA/SCSI commands is so important.
    • A utility like DBAN is also required if the disk contained business or customer data. Under legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), HIPAA and Sarbanes-Oxley (USA), the information must be properly destroyed.

    Round UP:

    ZFS Server Build Progress:

    • Finalized Parts List
    • Parts Summary:
    • Supermicro CSE–829TQ-R920UB Chassis
      • 8 hot-swappable SAS bays
      • dual redundant 920 watt high-efficiency PSUs
    • Supermicro X8DTU–6F+ motherboard
      • Dual Socket LGA 1366
      • 18x 240pin DDR3 1333 slots (max 288GB ram)
      • Intel 5520 Tylersburg Chipset, ICH10R
      • LSI 6Gb/s SAS Hardware RAID controller
      • Intel ICH10R SATA 3Gb/s SATA Controller
      • IPMI 2.0 with Virtual Media and KVM over LAN
      • Dual Intel 82576 Gigabit Ethernet Controller
    • Dual Intel Xeon E5620 Processors (4×2.4GHz, HT, 12MB Cache, 80W)
    • 48GB DDR3 1333MHz ECC Registered RAM
    • 2x Seagate Barracuda XT 2TB SATA 6Gb/s 7200rpm Drives (for OS)
    • 9x Seagate Constellation ES 2TB SAS 6Gb/s 7200rpm Drives (8x for RAID-Z2, 1x cold spare)
    • Adaptec RAID 6805 Controller (8 internal drives, supports up to 256 drives, 512MB DDR2 667 cache)
    • Adaptec AFM 600 Flash Module (alternative to a BBU; provides 4GB NAND flash powered by a supercapacitor to provide zero-maintenance battery backup)

    The post How Malware Makes Money | TechSNAP 31 first appeared on Jupiter Broadcasting.

    Ultimate Home Router | TechSNAP 23 https://original.jupiterbroadcasting.net/12136/ultimate-home-router-techsnap-23/ Thu, 15 Sep 2011 19:16:01 +0000 https://original.jupiterbroadcasting.net/?p=12136 We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons - and for FREE!

    The post Ultimate Home Router | TechSNAP 23 first appeared on Jupiter Broadcasting.

    Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.

    Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!

    All that and more, on this week’s TechSNAP!

    Direct Download Links:

    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

    Subscribe via RSS and iTunes:

    Show Notes:

    Italian hacker publishes 10+ zero-day SCADA exploits with proof-of-concept code

    • SCADA (Supervisory Control and Data Acquisition) systems are industrial control systems
    • The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
    • These exploits could cause serious disruption if the systems are not properly protected from external access
    • SCADA systems are used to control numerous important industrial systems, including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
    • In January 2000, the remote compromise of a SCADA system was responsible for pumping sewage into a nearby park and contaminating an open surface-water drainage ditch.
    • News Article

    Official uTorrent website compromised, users download spyware

    • On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
    • Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
    • The scareware told them they were infected with malware and demanded payment to remove it
    • Any users who downloaded uTorrent between 12:20 and 14:10 BST likely received the malware instead of uTorrent.
    • In this case, the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of thousands of systems via the auto-update feature built into most modern applications.
    • This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.

    Funny Virus Pic – Google+


    BIOS rootkit found in the wild

    • The virus can infect almost any computer with an Award BIOS (very popular, used in almost all motherboards that I own).
    • The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each boot.
    • The MBR virus then rootkits winlogon.exe to take control of the system
    • The rootkit then prevents modification of the MBR, making it harder to remove the virus
    • Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
    • The rootkit also downloads a trojan and allows the system to be remotely controlled.
    • This attack is related to one we discussed in a previous episode of TechSNAP, where a researcher was able to infect the battery in a MacBook with a virus. A virus similar to this one would add an additional layer of complexity if the BIOS could be reinfected from the battery.
    • Details from Symantec
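As an added example (not from the episode or from Symantec’s write-up), a baseline comparison of the MBR sector: this rootkit rewrites the boot code at every boot but leaves the partition table alone, so hashing the 440-byte boot-code area separately from the partition entries distinguishes a bootkit-style rewrite from an ordinary repartition. The sample sectors are constructed inside the code.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440    # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446   # four 16-byte partition entries follow
SIGNATURE_OFF = 510    # 0x55 0xAA boot signature ends the sector

def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:   # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": num_sectors})
    sig = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    return {"valid_signature": sig == 0xAA55,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def compare_mbr(baseline, current):
    """Findings that separate a bootkit rewrite from a legitimate repartition."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        if b["partitions"] == c["partitions"]:
            findings.append("boot code replaced but partition table intact: bootkit-style rewrite")
        else:
            findings.append("boot code and partition table both changed")
    return findings

def build_sample_mbr(boot_code):
    """Constructed sample: one bootable Linux partition plus the given boot code."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    # status, CHS start, type 0x83, CHS end, LBA start, sector count
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 1048576)
    struct.pack_into("<H", sector, SIGNATURE_OFF, 0xAA55)
    return bytes(sector)
```

On a live system the sector is the first 512 bytes of the disk device (read as root), captured once as a baseline and compared again on each boot.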

    TWiT.tv compromised, malicious iframe injected, loads Java malware

    • The popular TWiT.tv page was compromised and a snippet of malicious code was added: an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
    • Google’s Safe Browsing started blocking the site, so Firefox and Google Chrome users were presented with a warning before visiting it.

    War Story:

    • At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
    • The device was rebooted to correct the issue and we proceeded to work with the device manufacturer’s TAC (Technical Assistance Center) to determine the cause of the issue and the proper resolution to avert any future problems.
    • At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
    • To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
    • At approximately 7:00 PM facility local time, we began the process of replacing the faulty device with a new one. The old device was removed and the new device was put in its place.
    • Once powered on, the replacement device alerted us to a number of errors within the switch fabric modules that were causing inter-line-card communication to not work properly.
    • We again contacted the device manufacturer’s TAC, and at approximately 8:30 PM, we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
    • Once this was completed, the device was restarted but produced the same errors.
    • The issue was then escalated to tier 2 support at the device manufacturer’s TAC.
    • We concluded that the issue was likely a problem somewhere within the replacement device’s chassis, and proceeded to replace the chassis with the one from the old device.
    • Upon doing so, we began getting a different set of errors, this time with the management modules’ communication with the line cards.
    • At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufacturer’s TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
    • At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis, which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line cards, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical subsystem could be completed by the manufacturer.
    • At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
    • At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
    • Total time offline: 19 hours 8 minutes.

    Feedback:

    • A few questions about home servers
      Q: crshbndct: I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
      A: Chris and I both love pfSense, a FreeBSD-based router appliance. You can basically turn any computer with 2 network cards into a router/firewall, with DHCP, DNS/DDNS, VPN (IPSec, PPTP, OpenVPN), VLANs, Captive Portal, Traffic Shaping and Graphing. It has a web interface similar to, but more expansive than, what most people are already used to from a normal off-the-shelf home router.

    Next Week: RAID types, what they are and some use cases for each.

    Round-Up:

    Bitcoin-Blaster:

    Bitcoin Value: 34,196,260 USD
