scaling – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed last updated Fri, 25 Mar 2016 01:53:57 +0000.

Can You Hack Me Now? | TechSNAP 259
https://original.jupiterbroadcasting.net/98086/can-you-hack-me-now-techsnap-259/
Thu, 24 Mar 2016 17:50:27 +0000

The post Can You Hack Me Now? | TechSNAP 259 first appeared on Jupiter Broadcasting.

Verizon Enterprise gets breached & the irony is strong with this one, details on the NPM fiasco & why the SAMSAM is holding up the doctor.

Plus some great questions, a packed round up & much, much more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

The NPM Fiasco

  • NPM is a package manager, for node.js
  • The Node.js ecosystem is “special”
  • It provides packages that are mostly code snippets, usually individual functions
  • Many packages depend on a number of other packages to work correctly
  • For example, the package ‘isArray’, which is a one-line function to tell if an object is an array, is depended upon by 72 other packages
  • There was a package called ‘kik’, created by Azer Koçulu
  • Kik.com, a mobile messaging app, wanted to create their own new package, called kik, for some new open source project
  • Unpleasant discussions occurred
  • Eventually kik.com had the NPM managers transfer ownership of the kik package name to the kik.com account
  • Azer was offended by this, and deleted all of his packages from NPM (around 250 different packages)
  • This fallout had unintended consequences
  • One of the modules, left-pad, was a simple 11 line function to left-pad a string or number with spaces or zeros.
  • Left-pad had been downloaded 2,486,696 times in the last month
  • It was a dependency for a huge number of projects, including Node.js itself and Babel
  • NPM then restored the module to unbreak the other applications
  • module’s author’s Medium.com post
  • kik.com’s Medium.com post
  • Official NPM blog post
  • Blog Post: Have we forgotten how to program?
  • Left-pad as a service
  • “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.”

Verizon Enterprise Customer Data Breached

  • “Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned”
  • “Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise”
  • “The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site”
  • “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
  • So it seems to be just contact details from a database on the website, not more intimate details like login credentials for their networks, or other details that Verizon would possess as it administers and investigates the networks of those customers
  • It appears the data is in MongoDB format, which suggests that might be the format it was stored in on the Verizon side
  • “The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).”
  • “According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.”
  • This attack may have been more targeted in nature, although it is possible it was just opportunistic, because Verizon failed to secure its database
  • Customers of Verizon whose data was breached are likely targets for various types of spear phishing, including emails pretending to be from Verizon, which provides network security and post-breach investigation services to these customers

Cisco Talos reveals SAMSAM ransomware

  • Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.
  • This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
  • A particular focus appears to have been placed on the healthcare industry.
  • Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
  • Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
  • SamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts that key with RSA-2048 bit encryption. This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms.
  • One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
  • There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers.
  • This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware.
  • The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication.
  • As we have monitored this activity, we have started to see changes in the amount and types of payment options available to victims. Initially, we saw a payment option of 1 bitcoin for each PC that has been infected.
  • Later we saw the price for a single system has been raised to 1.5 bitcoin. It is likely the malware author is trying to see how much people will pay for their files.
  • They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems.

Feedback:

HEADS UP: Stand ready to patch all of your Windows, Linux, BSD, OS X, iOS, Android, and other servers. And all of your routers, print servers, set-top boxes, smart TVs, IoT devices. And basically anything with a CPU. The “BADLOCK” bug will be revealed on April 12th, 2016: a critical vulnerability in the SMB protocol, so it affects Windows and all other implementations of the protocol (Samba, whatever Apple uses, whatever Android uses, etc.)


Round up:

The Cluster & The Cloud | BSD Now 24
https://original.jupiterbroadcasting.net/51482/the-cluster-the-cloud-bsd-now-24/
Tue, 11 Feb 2014 21:47:41 +0000

A talk with Luke Marsden, CEO of HybridCluster, about how they use BSD at large. Plus our tutorial will show you how to securely share files with SFTP in a chroot.

The post The Cluster & The Cloud | BSD Now 24 first appeared on Jupiter Broadcasting.

This week on BSD Now… a wrap-up from NYCBSDCon! We’ll also be talking to Luke Marsden, CEO of HybridCluster, about how they use BSD at large. Following that, our tutorial will show you how to securely share files with SFTP in a chroot. The latest news and answers to your questions, of course it’s BSD Now – the place to B.. SD.

Thanks to: iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD 10 as a firewall

  • Back in 2012, the author of this site wrote an article stating you should avoid FreeBSD 9 for a firewall and use OpenBSD instead
  • Now, with the release of 10.0, he’s apparently changed his mind and switched back over
  • It mentions the SMP version of pf, general performance advantages and more modern features
  • The author is a regular listener of BSD Now, hi Joe!

Network Noise Reduction Using Free Tools

  • Really long blog post, based on a BSDCan presentation, about fighting spam with OpenBSD
  • Peter Hansteen, author of The Book of PF, goes through how he uses OpenBSD’s spamd and other security features to combat spam and malware
  • He goes through his experiences with content filtering and disappointment with a certain proprietary vendor
  • Not totally BSD-specific, lots of people can enjoy the article – lots of virus history as well

FreeBSD ASLR patches submitted

  • So far, FreeBSD hasn’t had Address Space Layout Randomization
  • ASLR is a nice security feature, see Wikipedia for more information
  • With a giant patch from Shawn Webb, it might be integrated into a future version (after a vicious review from the security team of course)
  • We might have Shawn on the show to talk about it, but he’s also giving a presentation at BSDCan about his work with ASLR

Old-style pkg_ tools retired

  • At last the old pkg_add tools are being retired in FreeBSD
  • pkgng is a huge improvement, and now portmgr@ thinks it’s time to cut the cord on the legacy toolset
  • Ports aren’t going away, and probably never will, but for binary package fans and new users that are used to things like apt, pkgng is the way to go
  • All pkg_ tools will be considered unsupported on September 1, 2014 – even on older branches

This episode was brought to you by iXsystems


Interview – Luke Marsden – luke@hybridcluster.com / @lmarsden

BSD at HybridCluster


Tutorial

Filesharing with chrooted SFTP


News Roundup

FreeBSD on OpenStack

  • OpenStack is a cloud computing project
  • It consists of “a series of interrelated projects that control pools of processing, storage, and networking resources throughout a datacenter, able to be managed or provisioned through a web-based dashboard, command-line tools, or a RESTful API.”
  • Until now, there wasn’t a good way to run a full BSD instance on OpenStack
  • With a project in the vein of Colin Percival’s AWS startup scripts, now that’s no longer the case!

FOSDEM BSD videos

  • This year\’s FOSDEM had seven BSD presentations
  • The videos are slowly being uploaded for your viewing pleasure
  • Not all of the BSD ones are up yet, but by the time you’re watching this they might be!
  • Check this directory for most of ’em
  • The BSD dev room was full, lots of interest in what’s going on from the other communities

The FreeBSD challenge finally returns!

  • Due to prodding from a certain guy of a certain podcast, the “FreeBSD Challenge” series has finally resumed
  • Our friend from the Linux foundation picks up with day 11 and day 12 on his switching from Linux journey
  • This time he outlines the upgrade process of going from 9 to 10, using freebsd-update
  • There\’s also some notes about different options for upgrading ports and some extra tips

PCBSD weekly digest

  • After the big 10.0 release, the PCBSD crew is focusing on bug fixes for a while
  • During their “fine tuning phase” users are encouraged to submit any and all bugs via the trac system
  • Warden got some fixes and the package manager got some updates as well
  • Huge size reduction in PBI format

Feedback/Questions

  • After today’s questions, our email backlog will be just about caught up. Now’s a great time to send us something – questions, stories, ideas, requests, anything you want
  • Derrick writes in: https://slexy.org/view/s21nbJKYmb
  • Sean writes in: https://slexy.org/view/s2yhziVsBP
  • Patrick writes in: https://slexy.org/view/s20PuccWbo
  • Peter writes in: https://slexy.org/view/s22PL0SbUO
  • Sean writes in: https://slexy.org/view/s20dkbjuOK

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Last week’s NTP tutorial got a small update if you’re running a LAN-only server, as well as a couple links on how to turn it into a stratum 1 server with a GPS device
  • The SSH tutorial also got some updates
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Lastly, the BSD Now t-shirt is close to being ready… stay tuned!

-CURRENT Events | BSD Now 9
https://original.jupiterbroadcasting.net/45667/current-events-bsd-now-9/
Thu, 31 Oct 2013 21:33:50 +0000

We've got an interview with Henning Brauer about OpenBSD's pf firewall, a tutorial on how to follow the -STABLE and -CURRENT branches of FreeBSD.

The post -CURRENT Events | BSD Now 9 first appeared on Jupiter Broadcasting.

We’ve got an interview with Henning Brauer about OpenBSD’s pf firewall, a tutorial on how to follow the -STABLE and -CURRENT branches of FreeBSD, a recap of what happened at vBSDCon this year and.. As always, lots of news to cover, so stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Managed services using FreeBSD

  • New York Internet, a huge ISP and service provider, details how they use FreeBSD
  • Mentions using BSD technologies: pf, pfsync, carp, haproxy, zfs, jails and more
  • Explains FreeBSD’s role in commercial workloads on a massive scale
  • Lots of cool graphs and info, check out the full write-up

OpenBSD boot support for keydisk-based crypto volumes

  • So far, only passphrase-based crypto volumes were bootable
  • Full disk encryption with key disks required a non-crypto partition to load the kernel
  • The bootloader now scans all BIOS-visible disks for RAID partitions and automatically associates key disk partitions with their crypto volume
  • No need to re-create existing volumes. Moving the root partition onto the crypto disk and running “installboot” is all that’s needed

More Dragonfly SMP speedups

  • Matthew Dillon has been committing lots of various SMP improvements
  • Using dports builds on a 48-processor machine as a test
  • The machine’s now building more than 1000 packages an hour
  • Super technical details in the show notes, check ’em out

Getting to know portmgr

  • Start of an ongoing series profiling members of the FreeBSD Ports Management Team
  • In the first interview, they talk to longest serving member of the team, Joe Marcus Clarke
  • In the second, Bernhard Frölich (who’s also the creator of redports.org)
  • Future segments will include the other members
  • Topics include their inspiration for using FreeBSD, first time using it, lots of other interesting stuff

BSD Now at the top of iTunes

  • BSD Now is on the front-and-center page of iTunes’ technology podcast section
  • We’re better than everyone else and Leo is fat

Interview – Henning Brauer – henning@openbsd.org / @henningbrauer

OpenBSD’s pf firewall, privilege separation, various topics


Tutorial

Tracking -STABLE and -CURRENT

  • The BSDs have development branches you can follow
  • This guide shows the differences between FreeBSD -RELEASE, -STABLE and -CURRENT
  • Will do OpenBSD and NetBSD versions in the future, their methods are all pretty different

News Roundup

OpenBSD gets XBox360 controller support

  • Adds support for Microsoft XBox 360 controller as a uhid
  • Will make things easier for emulators in OpenBSD
  • Are there people who regularly play games on BSD? Email us, might do a segment on it

PCBSD 10-STABLE ISOs available

  • Early cut of the new stable/10 branch, not recommended for everyone
  • A pkgng repository is available, but is missing a number of packages
  • AMD KMS, new text installer, UEFI loader support, much more

Switching from Linux to BSD

  • Yet another Linux user switching to BSD makes a thread about it
  • Asks the community what some differences and advantages are
  • Good response from the community, worth reading if you’re a Linux guy

Unattended OpenBSD installations

  • Unattended installations possible using DHCP and a “response” file
  • The system gets an IP via DHCP, then fetches a config file with key=value pairs
  • Can do automatic network setup, SSH, passwords, etc
  • Still a work in progress

Feedback/Questions

  • Kjell-Aleksander writes in: https://slexy.org/view/s21hxDpzjO
  • Alex writes in: https://slexy.org/view/s21ibNDb5y
  • Chad writes in: https://slexy.org/view/s20D6K2NUe
  • Joshua writes in: https://slexy.org/view/s20UZLFHAg
  • Craig writes in: https://slexy.org/view/s20S15bbZ4

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
