snapshot – Jupiter Broadcasting https://www.jupiterbroadcasting.com (feed snapshot taken Tue, 05 Jul 2022 20:13:26 +0000)

Too Nixy for My Shirt | LINUX Unplugged 465 https://original.jupiterbroadcasting.net/149112/too-nixy-for-my-shirt-linux-unplugged-465/ Sun, 03 Jul 2022 19:15:00 +0000 https://original.jupiterbroadcasting.net/?p=149112

Show Notes: linuxunplugged.com/465

The post Too Nixy for My Shirt | LINUX Unplugged 465 first appeared on Jupiter Broadcasting.

The Oppenheimer Problem | Coder Radio 438 https://original.jupiterbroadcasting.net/146627/the-oppenheimer-problem-coder-radio-438/ Wed, 03 Nov 2021 13:00:00 +0000 https://original.jupiterbroadcasting.net/?p=146627 Show Notes: coder.show/438

The post The Oppenheimer Problem | Coder Radio 438 first appeared on Jupiter Broadcasting.

Floating Point Problems | TechSNAP 396 https://original.jupiterbroadcasting.net/129186/floating-point-problems-techsnap-396/ Thu, 31 Jan 2019 08:00:09 +0000 https://original.jupiterbroadcasting.net/?p=129186 Show Notes: techsnap.systems/396

The post Floating Point Problems | TechSNAP 396 first appeared on Jupiter Broadcasting.

PIS Poor DNS | TechSNAP 268 https://original.jupiterbroadcasting.net/100021/pis-poor-dns-techsnap-268/ Thu, 26 May 2016 17:32:03 +0000 https://original.jupiterbroadcasting.net/?p=100021

The post PIS Poor DNS | TechSNAP 268 first appeared on Jupiter Broadcasting.

Is the “Dark Cloud” hype, or a real technology? Using DNS tunneling for remote command and control & the big problem with 1-Day exploits.

Plus your great question, our answers, a breaking news roundup & more!

Show Notes:

APT Groups still successfully exploiting Microsoft Office flaw patched 6 months ago

  • “A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.”
  • “CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.”
  • “The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.”
  • One of the groups using the exploit targeted the Japanese military industrial complex
  • “In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.”
  • “The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.”
  • The report details a number of different teams, with different targets
  • Some or all of the teams may be related
  • “The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.”
  • Kaspersky Lab Report
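The attack chain above starts with a DOCX carrying an embedded EPS object, so a cheap triage step is to open the document container and look for EPS content before it ever reaches Office. The script below is an added example (not from the Kaspersky report or the show): it treats the .docx as the ZIP it is, reads the parts under word/media/ and word/embeddings/, and flags any whose leading bytes are the EPS text header or the DOS EPS binary magic. The sample document it builds is constructed for the demonstration and is not a malicious file.

```python
"""Triage a .docx for embedded EPS objects, the delivery vector for CVE-2015-2545.

Added example; not from the Kaspersky report or the show. A .docx is a ZIP
container: images sit under word/media/ and OLE payloads under word/embeddings/.
An EPS starts with the text "%!PS-Adobe" or, for the DOS binary wrapper, with
the magic bytes C5 D0 D3 C6. Content is checked, not just the extension, because
an attacker can name the part anything.
"""
import io
import zipfile
from typing import List

EPS_TEXT_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"


def is_eps(data: bytes) -> bool:
    """True if the part looks like an EPS file by its leading bytes."""
    head = data[:64]
    return head.startswith(DOS_EPS_MAGIC) or head.lstrip().startswith(EPS_TEXT_MAGIC)


def find_eps_parts(docx_bytes: bytes) -> List[str]:
    """Return the ZIP member names inside a .docx that carry EPS content."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Only look where Word keeps embedded objects; skip document.xml etc.
            if not (name.startswith("word/media/") or name.startswith("word/embeddings/")):
                continue
            if is_eps(zf.read(name)):
                hits.append(name)
    return sorted(hits)


def build_sample_docx(with_eps: bool) -> bytes:
    """Constructed test document (not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_eps:
            # Named .png on purpose: the extension alone is not a reliable signal
            zf.writestr("word/media/image2.png",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
            zf.writestr("word/embeddings/oleObject1.bin", DOS_EPS_MAGIC + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("eps embedded:", flag, "->", find_eps_parts(build_sample_docx(flag)))
```

A hit is a reason to detonate or block the document at the mail gateway, not proof of exploitation: legitimate documents do embed EPS artwork, which is exactly why the import filter exists.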

Krebs investigates the “Dark Cloud”

  • “Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes.”
  • “In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.”
  • How do you keep your site online while hosting it on hacked machines you do not control?
  • How do you keep the data secure? Who is going to pay for stolen credit cards when they can just hack one of the compromised machines hosting your site?
  • “I first became aware of this botnet, which I’ve been referring to as the “Dark Cloud” for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a Youtube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called “Uncle Sam,” whose home page pictures a pointing Uncle Sam saying “I want YOU to swipe.””
  • “I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.”
  • So, most of these hacked machines are likely just “repeaters”, accepting connections from end users and then relaying those connections back to the secret central server
  • This also works fairly well as a DDoS mitigation mechanism
  • “the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine’s strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a “reverse proxy,” which lets the attackers control the system remotely”
  • “It’s unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operated through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggests the whole thing may have been orchestrated by the same gang.”
  • A more in-depth report on the botnet is expected next week
  • “If you liked this story, check out this piece about another carding forum called Joker’s Stash, which also uses a unique communications system to keep itself online and reachable to all comers.”
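The behaviour Dunker observed, each shop's address changing roughly every three minutes across thousands of home machines, is visible from the resolver side as answer churn. The script below is an added example (not from the Krebs post or RiskAnalytics) that scores names in passive-DNS style records by how many distinct IPs and /24s they resolve to and how short the TTLs are. The log it runs over is constructed; the addresses are not real victims.

```python
"""Score DNS names for fast-flux behaviour from resolver/passive-DNS answers.

Added example, not from the Krebs post. The botnet described above changed each
shop's address about every three minutes across consumer IPs worldwide, so a
fluxing name shows many distinct IPs in many distinct /24s with low TTLs, while
a legitimately load-balanced name reuses a small, stable set of addresses.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Answer:
    ts: int      # unix time the A record was observed
    qname: str
    ip: str
    ttl: int


def slash24(ip: str) -> str:
    return ".".join(ip.split(".")[:3])


def flux_scores(answers: Iterable[Answer], min_ips: int = 5, max_ttl: int = 300) -> Dict[str, dict]:
    """Per-name churn statistics plus a fast_flux verdict."""
    by_name: Dict[str, List[Answer]] = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    scores = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.ts)
        ips = {r.ip for r in recs}
        nets = {slash24(r.ip) for r in recs}
        span_h = max(recs[-1].ts - recs[0].ts, 1) / 3600
        changes = sum(1 for a, b in zip(recs, recs[1:]) if a.ip != b.ip)
        max_ttl_seen = max(r.ttl for r in recs)
        scores[name] = {
            "ips": len(ips),
            "nets": len(nets),
            "changes_per_hour": round(changes / span_h, 1),
            "max_ttl": max_ttl_seen,
            # All three must hold: many IPs, spread across networks, short TTLs
            "fast_flux": len(ips) >= min_ips and len(nets) >= min_ips and max_ttl_seen <= max_ttl,
        }
    return scores


def sample_answers() -> List[Answer]:
    """Constructed log: a fluxing shop and a normal two-address web host."""
    recs = []
    for i in range(20):
        # new IP in a new /24 every 180 s, TTL 60 (constructed RFC 1918 addresses)
        recs.append(Answer(1_464_000_000 + 180 * i, "uncle-sam-shop.test", f"10.{i}.7.{20 + i}", 60))
        # same two front ends alternating, TTL 3600
        recs.append(Answer(1_464_000_000 + 180 * i, "www.legit.test", f"192.0.2.{10 + i % 2}", 3600))
    return recs


if __name__ == "__main__":
    for name, s in flux_scores(sample_answers()).items():
        print(name, s)
```

Note that both names change address at the same rate in the sample; the legitimate one is cleared because it cycles between two front ends in one network with a long TTL. Rate of change alone is a poor signal, which is why the verdict requires all three conditions.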

Wekby APT gang using DNS tunneling for C&C

  • “Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.”
  • “Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.”
  • “The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.”
  • “The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample.”
  • “The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.”
  • “The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.”
  • “The use of DNS as a C2 protocol has historically not been widely adopted by malware authors.”
  • “The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
  • “The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.”
  • The malware also looks for specific flags in the DNS response, to prevent it being spoofed by a DNS server not run by the authors. Palo Alto Networks has reverse engineered the malware and found the special flags
  • The following commands (with their descriptions) are supported by the malware:
    • sifo – Collect victim system information
    • drive – List drives on victim machine
    • list – List file information for provided directory
    • upload – Upload a file to the victim machine
    • open – Spawn a command shell
  • “The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.”
  • Palo Alto Networks Report
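The beacon format above (10-byte random alphanumeric header, base32 payload with padding stripped, carried as a subdomain in a TXT query; TXT reply with the first byte ignored and the rest base32) is enough to reconstruct both ends of the exchange and to write a resolver-log detector for it. The code below is an added example reconstructed from that description; it is not pisloader's code, and the way the encoded stream is split into 63-byte DNS labels and the assumption that the C2 domain is two labels long are mine.

```python
"""pisloader-style DNS TXT beacon: encoder, decoder and a resolver-log detector.

Added example, reconstructed from the format described above; it is not the
malware's code. Query: a 10-byte random alphanumeric header followed by the
payload base32-encoded with padding stripped, carried as subdomain labels of
the C2 domain (the exact label split is an assumption). Response: a TXT record
whose first byte is ignored and whose remainder is base32.
"""
import base64
import math
import secrets
import string
from collections import Counter
from typing import Optional

ALNUM = string.ascii_letters + string.digits
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def b32_nopad(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=")


def b32_decode(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))  # restore stripped padding


def encode_query(payload: bytes, c2_domain: str, header: Optional[str] = None) -> str:
    """Implant side: build the QNAME for the TXT query."""
    header = header or "".join(secrets.choice(ALNUM) for _ in range(10))
    stream = header + b32_nopad(payload)
    labels = [stream[i:i + 63] for i in range(0, len(stream), 63)]  # DNS label limit
    return ".".join(labels + [c2_domain])


def decode_query(qname: str, c2_domain: str) -> bytes:
    """C2 side: drop the domain, rejoin labels, skip the 10-byte header, decode."""
    sub = qname[: -len(c2_domain) - 1]
    return b32_decode(sub.replace(".", "")[10:])


def decode_response(txt: bytes) -> bytes:
    """Implant side: ignore the first byte of the TXT rdata, base32-decode the rest."""
    return b32_decode(txt[1:].decode())


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(qname: str, qtype: str, min_len: int = 30, min_b32_frac: float = 0.9) -> bool:
    """Flag TXT queries whose subdomain is long and almost entirely base32 alphabet.

    Assumes a two-label registered domain (example.com); adjust for public suffixes.
    """
    sub = "".join(qname.split(".")[:-2]).upper()
    if qtype != "TXT" or len(sub) < min_len:
        return False
    frac = sum(ch in B32_ALPHABET for ch in sub) / len(sub)
    return frac >= min_b32_frac and shannon_entropy(sub) > 3.0


if __name__ == "__main__":
    q = encode_query(b"sifo|WIN-HOST|Administrator|192.0.2.5", "c2.example")
    print(q, looks_like_tunnel(q, "TXT"), decode_query(q, "c2.example"))
    print(decode_response(b"\x00" + b32_nopad(b"open").encode()))
```

The detector keys on the three things the description gives away: TXT as the query type, a long subdomain, and a character set that is almost entirely the base32 alphabet. Expect some false positives from legitimate long TXT lookups (DKIM and anti-spam services), so treat a hit as a reason to look at query volume per client and per domain rather than as a verdict by itself.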

The French Disconnection | TechSNAP 211 https://original.jupiterbroadcasting.net/81082/the-french-disconnection-techsnap-211/ Fri, 24 Apr 2015 01:11:19 +0000 https://original.jupiterbroadcasting.net/?p=81082

The post The French Disconnection | TechSNAP 211 first appeared on Jupiter Broadcasting.

What’s really the key to detecting a breach before it’s become much too late? We’ll share some key insights, plus a technical breakdown of China’s Great Cannon & the new French surveillance law that should be a warning to us all.

Plus a great round up, fantastic questions, our answers & much, much more!

— Show Notes: —

Security analytics: The key for breach detection

  • “Although security spending is at an all-time high, security breaches at major organizations are also at an all-time high, according to Gartner, Inc. The impact of advanced attacks has reached boardroom-level attention, and this heightened attention to security has freed up funds for many organizations to better their odds against such attacks.”
  • “Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level,” said Eric Ahlm, research director at Gartner. “Security analytics platforms endeavor to bring situational awareness to security events by gathering and analyzing a broader set of data, such that the events that pose the greatest harm to an organization are found and prioritized with greater accuracy.”
  • The approach currently in favour is security information and event management (SIEM)
  • “While most SIEM products have the ability to collect, store and analyze security data, the meaning that can be pulled from a data store (such as the security data found in a SIEM) depends on how the data is reviewed. How well a SIEM product can perform automated analytics — compared with user queries and rules — has become an area of differentiation among SIEM providers.”
  • “User behavior analytics (UBA) is another example of security analytics that is already gaining buyer attention. UBA allows user activity to be analyzed, much in the same way a fraud detection system would monitor a user’s credit cards for theft. UBA systems are effective at detecting meaningful security events, such as a compromised user account and rogue insiders. Although many UBA systems can analyze more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.”
  • “As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Today, information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.”
  • “Analytics systems, on average, tend to do better analyzing lean, or metadata-like, data stores that allow them to quickly, in almost real-time speed, produce interesting findings. The challenge to this approach is that major security events, such as breaches, don’t happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event. When these three things are looked at as a single incident that just happens to span, say, three months, the overall priority of this incident made up of lesser events is now much higher, which is why “look backs” are a key concept for analytics systems.”
  • “Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time,” said Mr. Ahlm. “Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualization of that data will greatly affect adoption of the technology.”
  • It will be interesting to see where the industry goes with these new concepts
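The “look back” idea in the Gartner piece (an early indicator, a minor event hours or days later, a data leakage event months after that, each unremarkable alone but one high-priority incident together) is concrete enough to implement. The script below is an added example, not Gartner's or any vendor's code: it slides a look-back window over each entity's events and keeps the strongest chain it finds. The stage names, weights, thresholds and the event timeline are all constructed for the demonstration.

```python
"""Look-back correlation: fold sparse events for one entity into one incident.

Added example, not Gartner's or any vendor's code. Three events on the same
host (an early indicator, a minor event weeks later, a data-leakage event
months after that) each rate low alone; seen inside one look-back window they
form a single high-priority incident. Stage names and weights are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

STAGE_WEIGHT = {"early_indicator": 1, "minor_event": 2, "data_leakage": 4}
DAY = 86_400


@dataclass
class Event:
    ts: int        # unix seconds
    entity: str    # host, user or account the event is about
    stage: str
    detail: str


def priority(score: int) -> str:
    return "high" if score >= 7 else "medium" if score >= 3 else "low"


def lookback_incidents(events: Iterable[Event], window_days: int = 90) -> Dict[str, dict]:
    """For each entity, slide a window ending at every event and keep the strongest chain."""
    window = window_days * DAY
    by_entity: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_entity[e.entity].append(e)
    incidents = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for end in evs:
            chain = [x for x in evs if end.ts - window <= x.ts <= end.ts]
            # Distinct stages count once: ten identical minor events are not an exfil chain
            score = sum(STAGE_WEIGHT[s] for s in {x.stage for x in chain})
            if best is None or score > best["score"]:
                best = {"score": score, "priority": priority(score),
                        "span_days": (chain[-1].ts - chain[0].ts) // DAY,
                        "events": [(x.stage, x.detail) for x in chain]}
        incidents[entity] = best
    return incidents


def sample_events() -> List[Event]:
    """Constructed timeline; t0 is an arbitrary epoch."""
    t0 = 1_420_000_000
    return [
        Event(t0, "host-a", "early_indicator", "macro document opened"),
        Event(t0 + 2 * DAY, "host-a", "minor_event", "new scheduled task"),
        Event(t0 + 75 * DAY, "host-a", "data_leakage", "2 GB upload to unknown host"),
        Event(t0 + 10 * DAY, "host-b", "data_leakage", "large upload to cloud storage"),
        Event(t0, "host-c", "early_indicator", "macro document opened"),
        Event(t0 + 200 * DAY, "host-c", "data_leakage", "large upload"),  # outside the window
    ]


if __name__ == "__main__":
    for entity, inc in lookback_incidents(sample_events()).items():
        print(entity, inc["priority"], inc["score"], inc["span_days"], inc["events"])
```

The cost of the approach is exactly what the article warns about: the window has to be held in a store that can be queried months later, so the lean, metadata-only stores that make near-real-time analytics fast are not enough on their own.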

China’s Great Cannon

  • “This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.”
  • “On March 16, GreatFire.org observed that servers they had rented to make blocked websites accessible in China were being targeted by a Distributed Denial of Service (DDoS) attack. On March 26, two GitHub pages run by GreatFire.org also came under the same type of attack. Both attacks appear targeted at services designed to circumvent Chinese censorship. A report released by GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised.”
  • “Several previous technical reports have suggested that the Great Firewall of China orchestrated these attacks by injecting malicious Javascript into Baidu connections. This post describes our analysis of the attack, which we were able to observe until April 8, 2015.”
  • “We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”
  • The report is broken down into a number of sections
  • Section 2 locates and characterizes the Great Cannon as a separate system;
  • Section 3 analyzes DDoS logs and characterizes the distribution of affected systems;
  • Section 4 presents our attribution of the Great Cannon to the Government of China;
  • Section 5 addresses the policy context and implications;
  • Section 6 addresses the possibility of using the Great Cannon for targeted exploitation of individual users.
  • I wonder what the next target of the Great Cannon of China will be

New French Surveillance Law

  • “The new French Intelligence Bill has provoked concern among many of the country’s lawmakers, as well as international NGOs.”
  • “According to French Human Rights Defender Jacques Toubon, the legislation contravenes the rulings of the European Court of Human Rights”
  • “Despite boasting the support of France’s two major political parties, the Union for a Popular Movement (UMP) and the Socialist Party (PS), the Intelligence Bill has come in for some strong criticism in France, and it is now also beginning to raise eyebrows abroad.”
  • “Many international NGOs, have condemned the vague and general nature of the bill. Designed to legalise certain surveillance practices, the bill would also broaden the powers of the security services, giving them the authority to ask private operators to follow and report on the activity of internet users. The debate over using terrorism as an excuse for internet surveillance is already raging in France, since Paris decided to “block” access to certain sites in the wake of the 7 January attacks.”
  • “But the new bill goes even further. If adopted, it will allow investigators and government agents to intercept private emails and telephone conversations in the name of security, if they are directly linked to an investigation. Agents would be allowed to use new technologies wherever they deem necessary, including microphones, trackers and spy cameras. They would also be able to intercept conversations typed on a keyboard in real time. All these interceptions would be authorised by the Prime Minister, without the prior approval of a judge, and would be authorised after the fact by a new administrative authority, the National Commission for the Control of Intelligence Techniques (CNCTR).”
  • “Seven companies, including web hosting and technology companies OVH, IDS, and Gandi have said in a letter to the French prime minister Manuel Valls that they will be pushed into de facto “exile” if the French government goes ahead with the “real-time capture of data” by its intelligence agencies.”
  • Letter to French Prime Minister (in French)
  • This has caused a very large backlash from the IT community
  • Especially some of the large Internet and Server providers like Gandi, OVH, IDS, Ikoula and Lomaco who have threatened to leave France if the law passes
  • OVH and Gandi threaten to move their operations, customers, tax revenue, and most importantly, 1000s of high tech jobs
  • Hopefully this sends a clear warning to the US and other countries who are considering or proposing similar legislation, or whose intelligence agencies have run amok
  • “The companies argued that being required by the law to install “black boxes” on their networks will “destroy a major segment of the economy,” and if passed it will force them to “move our infrastructure, investments, and employees where our customers will want to work with us.” Citing a figure of 30-40 percent of foreign users, the companies say their customers come to them “because there is no Patriot Act in France,” France’s surveillance bill (“projet de loi relatif au renseignement”) allows the government’s law enforcement and intelligence agencies to immediately access live phone and cellular data for anyone suspected of being linked to terrorism. These phone records can be held for five years.”
  • Tech firms threaten mass exodus from France over new mass surveillance law
  • Additional Coverage
  • Hacker News

Churning Over Btrfs | LINUX Unplugged 88 https://original.jupiterbroadcasting.net/80442/churning-over-btrfs-lup-88/ Tue, 14 Apr 2015 19:03:35 +0000 https://original.jupiterbroadcasting.net/?p=80442

The post Churning Over Btrfs | LINUX Unplugged 88 first appeared on Jupiter Broadcasting.

Our discussion of Linux filesystems goes in depth this week as our LUG sorts out the best filesystem for your Linux desktop, server, laptop & mobile. Plus a few corrections from last week & lots of follow up.

We also look at the release of Linux 4.0, some of the more humorous press coverage it’s received & the “big feature” Linus could care less about.

Show Notes:

Catch Up:

“4.0 doesn’t have all that much special. Much has been made of the new kernel patching infrastructure, but realistically, that not only wasn’t the reason for the version number change, we’ve had much bigger changes in other versions. So this is very much a “solid code progress” release”

Dell XPS 13

LinuxFest Northwest 2015

Bellingham, WA • April 25th & 26th

Holy cookies I did it..

I created a Jupiter Broadcasting Meetup group. I was inspired by the idea of how nice it would be to have a rough idea of how many folks will be making it out to LFNW. Just to help with planning.

The Death of Chris’ #1 Rig

Death of my #1 Rig Captured

Why I think btrfs remains the future for those who want it

Chris on the latest episode of Unplugged took the time to vent his latest frustration with btrfs. The issue in question is a bug that causes arch not to boot on 3.19.1-3, 3.18.9 and 3.14.35. I and quite a few others have experienced this on our Arch btrfs setups and I enjoyed fixing this issue for the same reason I enjoyed fixing libxcursor and radeon bugs that caused my system not to boot.

Easy rollback after update (btrfs and grub).

Hope anyone can find this useful when dealing with bleeding edge breakage 🙂

OS Backups…

How PC-BSD Does it…


  • Stable kernel version 3.19.1+ can cause a deadlock at mount time
    • workaround: boot with older kernel, or run btrfs-zero-log to clear the log (beware of the consequences)
    • fix: scheduled for 3.19.4, or apply 9c4f61f01d269815bb7c37.
    • also affected: 3.14.35+, 3.18.9+
  • Versions from 3.15 up to 3.16.1 suffer from a deadlock that was observed during heavy rsync workloads with compression on, it’s recommended to use 3.16.2 and newer

The server edition of Fedora 22 is using the XFS file-system by default rather than EXT4.

Using the XFS file-system as the default within an LVM has been part of the Fedora Server technical spec for a while; with Fedora 22 it has finally happened. The default layout for Fedora Server 22 installations is XFS atop LVM, with /boot outside the LVM setup.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Hackers Go Postal | TechSNAP 188 https://original.jupiterbroadcasting.net/71477/hackers-go-postal-techsnap-188/ Thu, 13 Nov 2014 18:35:07 +0000 https://original.jupiterbroadcasting.net/?p=71477

The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches.

Plus some great feedback, a rocking round-up & much more!

— Show Notes: —

Masque Attack — authentic iOS apps can be replaced by malware with ease

  • Last week we talked about new malware for OS X that infected iOS devices with malicious apps
  • Part of the problem seemed to stem from the fact that if a corporation got a certificate from Apple to sign internally developed apps for use by employees, these apps were innately trusted by all iOS devices, even those not belonging to the corporation that signed the application
  • While we suspected this might be a fairly major vulnerability in the architecture of iOS, it turns out that was only the tip of the iceberg
  • “In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier”
  • This means that the malicious app, signed by a random corporate certificate issued by Apple (supposedly only for internal use), can replace any application on your phone, except those directly from Apple
  • “An attacker can leverage this vulnerability both through wireless networks and USB”
  • If you install ‘New Flappy Bird’, or connect your iOS device to an infected computer, a malicious charging port in a public space, or an untrusted wifi network, the Twitter app on your device could be replaced with one that steals the credentials for your account and tweets spam, or worse
  • “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly”
  • FireEye shared this information with Apple in July, but after the news about the WireLurker malware, which uses a very limited form of this attack (the attackers may not have realized the full extent of what they had discovered), FireEye felt it necessary to go public with the information so customers can take steps to protect themselves
  • “As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.”
  • “The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team”
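The condition FireEye describes is mechanical: an app installed through enterprise or ad-hoc provisioning replaces an App Store app when the two share a CFBundleIdentifier, because iOS did not require the signing certificates to match. That makes it checkable before an IPA is pushed to a fleet. The script below is an added example, not FireEye's code: it reads Info.plist and embedded.mobileprovision out of an IPA, decides whether the profile is enterprise (ProvisionsAllDevices) or ad-hoc (ProvisionedDevices), and reports a collision against a supplied list of App Store apps and their team identifiers. The IPA and profile it builds are constructed stand-ins; a real embedded.mobileprovision is a CMS-signed DER blob around the same XML plist, which the slicing in extract_profile_plist also handles.

```python
"""Flag an IPA that could carry out a Masque Attack on a device's App Store apps.

Added example, not FireEye's code. Check: sideloaded (enterprise or ad-hoc
provisioning) AND a CFBundleIdentifier that matches an installed App Store app
from a different team. The sample IPA and profile are constructed; real
profiles are CMS-signed DER wrapping the same XML plist.
"""
import io
import plistlib
import re
import zipfile
from typing import Dict, Optional


def extract_profile_plist(mobileprovision: bytes) -> dict:
    """Pull the XML plist out of a (CMS-wrapped) embedded.mobileprovision."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Read bundle id and provisioning facts from Payload/<App>.app/."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        info_name = next(n for n in names if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        app_dir = info_name.rsplit("/", 1)[0]
        info = plistlib.loads(zf.read(info_name))
        profile: Optional[dict] = None
        prov_name = f"{app_dir}/embedded.mobileprovision"
        if prov_name in names:  # App Store installs carry no embedded profile
            profile = extract_profile_plist(zf.read(prov_name))
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "display_name": info.get("CFBundleDisplayName", ""),
        "enterprise": bool(profile and profile.get("ProvisionsAllDevices")),
        "ad_hoc": bool(profile and profile.get("ProvisionedDevices")),
        "team_id": (profile or {}).get("TeamIdentifier", [None])[0],
    }


def masque_risk(ipa_bytes: bytes, installed_store_apps: Dict[str, str]) -> dict:
    """installed_store_apps maps bundle id -> team id of App Store apps on the device."""
    facts = inspect_ipa(ipa_bytes)
    target_team = installed_store_apps.get(facts["bundle_id"])
    sideloaded = facts["enterprise"] or facts["ad_hoc"]
    collides = target_team is not None and target_team != facts["team_id"]
    facts["replaces"] = facts["bundle_id"] if sideloaded and collides else None
    return facts


def build_sample_ipa(bundle_id: str, team_id: str, enterprise: bool) -> bytes:
    """Constructed IPA: Info.plist plus a fake DER framing around the profile plist."""
    info = {"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": "New Flappy Bird"}
    profile = {"TeamIdentifier": [team_id], "ProvisionsAllDevices": enterprise,
               "Entitlements": {"application-identifier": f"{team_id}.*"}}
    wrapped = b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00" * 8  # stand-in, not real CMS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/NewFlappyBird.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/NewFlappyBird.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    store = {"com.bank.mobile": "BANKTEAM01"}  # constructed inventory
    print(masque_risk(build_sample_ipa("com.bank.mobile", "ATTACKER01", True), store))
```

The check is only as good as the inventory of installed App Store apps and their team identifiers that you feed it; in an MDM-managed fleet that list comes from the device inventory, which is also where you would enforce that enterprise-signed apps never share a bundle identifier with anything from the App Store.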

USPS computer networks compromised, telecommuting VPN temporarily shutdown

  • Attackers compromised the internal network of the United States Postal Service
  • It is not clear how or where the compromise happened, although some information suggests a call center was compromised, possibly via the VPN
  • Possibly compromised information includes: Employee names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information
  • “The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information. At this time, we do not believe that potentially affected customers need to take any action as a result of this incident”
  • Additional Information
  • “VPN was identified as vulnerable to this type of intrusion and will remain unavailable as we work to make modifications to this type of remote access to our networks. When VPN is available again users will notice changes in functionality. We will have additional information about VPN in the near future”
  • I wonder if this might have been related to Heartbleed. We have had stories in the recent past about SSL based VPNs that were compromised before they could be upgraded with the heartbleed fix, and then this access was used later on because passwords were not changed
  • “Should I change my ACE ID and password, Postal EIN or other postal passwords as a result of this incident?”
  • “At this time there is no requirement to change your ACE password or other passwords unless prompted to do so by email prompts from IT as part of the normal password change process. You will be notified if other password changes are required.”
  • Having IT email you to ask you to change your password just seems like a really bad idea. This is a great opening for a phishing campaign. If a password change is required, it should be prompted for from a more trustworthy source than email
  • After a breach, out of an abundance of caution, all passwords should be changed.

Microsoft releases patch for OLE vulnerability

  • As part of this month's Patch Tuesday, Microsoft has released an official patch for both OLE vulnerabilities (the specially crafted website and the malicious Office document vectors) used in the “Sandworm Team” attacks against NATO and other government agencies that we discussed in episode 185
  • This new patch, MS14-064, replaces October's Patch Tuesday fix, MS14-060
  • Microsoft – November Patch Update Summary
  • Microsoft Advisory – MS14-064
  • Microsoft Advisory – MS14-070 – Local elevation of privilege via a vulnerability in the Windows TCP/IP stack
  • Also included was a cumulative patch for Internet Explorer; however, this patch breaks compatibility with EMET (Enhanced Mitigation Experience Toolkit) 5.0, and customers are instructed to upgrade to EMET 5.1 before installing the IE update
  • “If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation”
  • “Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections”
  • “MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution”
  • The previous patch for the OLE vulnerability merely marked files that come from the internet as untrusted. However, there are a number of ways around this, some of which may already be in use by attackers
  • McAfee Labs – Bypassing Microsoft's Patch for Sandworm Zero Day
  • In addition, Microsoft's ‘workaround’ for the flaw, marking the file as untrusted, only applies when you try to ‘execute’ the file. If you right-click a file and open it for ‘editing’, or open it from within an application, the untrusted flag is never checked
  • McAfee also found samples in the wild that ran the untrusted file as administrator, which only shows the standard ‘run this program as admin?’ UAC prompt (and only if UAC is enabled), not the ‘this file is not trusted’ prompt

Feedback:


Round Up:


The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

Restores are Everything | TechSNAP 168 (Thu, 26 Jun 2014 14:45:11 +0000) https://original.jupiterbroadcasting.net/60922/restores-are-everything-techsnap-168/

A company known for backup shuts down after their AWS account gets hacked, the hedge fund that's under attack, how far you can get with a little cab data…

Your questions, our answers, and much, much more!


— Show Notes: —

Company shuts down after their AWS account compromised, all customer data deleted

  • Code Spaces, a source code hosting and backup service has ceased doing business
  • On June 17th the company came under a DDoS attack, which is apparently business as normal for them
  • Later, they found messages in their Amazon Web Services portal, urging them to contact a hotmail address
  • When contacted, the attacker demanded a large ransom
  • When Code Spaces attempted to change their passwords in the AWS control panel, additional administrator accounts added by the attacker were used to delete all EC2 virtual machines, S3 stores and EBS volumes in the account before all access could be revoked
  • The most embarrassing part of the situation is the text on the original Code Spaces website:
    “Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan—and one that is well-practiced and proven to work time and time again,” “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
  • It is not clear what the Code Spaces backup strategy was, but it seems to have involved the same Amazon account
  • In general, the idea of an “offsite” backup is to separate it from a failure of the primary. If you keep the backups for your database beside the database server and your office burns down, what good are the backups?
  • What if Amazon suffered a catastrophic data loss? Or what if your account is compromised?
  • The backups should at least have been in a different Amazon account that was very strictly controlled, or better yet, stored with some other service, so that one set of stolen credentials cannot reach both the primary data and its copies
  • It is still unclear how the account was compromised, but it seems likely that Code Spaces was not making use of Amazon's Multi-Factor Authentication service, which offers either a mobile phone app or two different types of hardware authenticator (key fob and credit-card style)

Poorly anonymized NYC Taxi data, de-anonymized

  • Under an Open Data initiative, the New York City Taxi & Limousine Commission released the anonymized GPS logs of all taxi trips in 2013 (173 million trips)
  • Chris Whong got a hold of this data and did some interesting stuff with it
  • When he was done with it, he posted the data for everyone
  • Developer Vijay Pandurangan took a look at the data and noticed that the medallion and hack numbers appeared to simply be MD5 hashes
  • In particular, the driver with ID# CFCD208495D565EF66E7DFF9F98764DA appeared to have an impossibly large number of trips
  • Turns out, that is the MD5 hash of “0”, cases where the data was unavailable
  • Realizing that the data was only anonymized using unsalted MD5, and knowing the structure of a hack (driver's license) number (5-7 characters, with specific positions being digits or letters), he was able to brute-force all 24 million combinations in only 2 minutes on a single CPU
  • Once this was done, he had the original un-anonymized data
  • Using other websites, it is possible to link the medallion and hack numbers to the owners names
  • Original Post
  • Additional Coverage – Ars Technica
  • To prevent this there are a number of approaches. The fastest but weakest is a ‘secret key’: instead of md5(hack#), compute md5(SUPERLONGSECRETKEY + hack#), or better, an HMAC with that key. As long as the attacker doesn't know the key, and it is long enough to make guessing it impractical, the data remains pseudonymous. Since the identifier space is tiny, the key is the only thing standing between the dataset and a lookup table, so it must be protected as carefully as the raw data
  • Another option is to take the hash of the encrypted form of the value. However, this ultimately relies on a secret key as well. If the data never needs to be de-anonymized, a very strong key can be used and then destroyed, making recovery impossible.
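To make the brute force concrete, here is an added example (my code, not Pandurangan's and not anything from the show) that reverses MD5-pseudonymized identifiers over a small constructed keyspace and then shows the keyed alternative. The identifier pattern (digit, letter, digit, digit) and the secret key are assumptions for the demonstration; the TLC data used several patterns and a larger space, which only changes how long the table takes to build.

```python
import hashlib
import hmac
import itertools
import string

# Assumed identifier pattern for the demo: digit, letter, digit, digit
# (e.g. "5X55"). The real medallion and hack numbers use several patterns.
PATTERN = (string.digits, string.ascii_uppercase, string.digits, string.digits)

# Assumed secret for the keyed variant; in practice a long random key kept
# well away from the published dataset.
SECRET_KEY = b"assumed-32-byte-random-key-for-demo-only"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def keyspace():
    """Every identifier matching PATTERN: 10 * 26 * 10 * 10 = 26,000 strings."""
    for parts in itertools.product(*PATTERN):
        yield "".join(parts)


def build_lookup():
    """Precompute md5 -> identifier for the whole keyspace.

    This is the entire attack: an unkeyed hash over a small, structured
    input space is just a slow encoding. A larger space only costs more CPU.
    """
    return {md5_hex(ident): ident for ident in keyspace()}


def deanonymize(pseudonyms, lookup):
    """Map each MD5 pseudonym back to its identifier, or None if unknown."""
    return {p: lookup.get(p.lower()) for p in pseudonyms}


def keyed_pseudonym(ident, key=SECRET_KEY):
    """Keyed replacement: HMAC-SHA256 over the identifier.

    Without the key an attacker cannot rebuild the lookup table, so the
    dataset stays pseudonymous; destroying the key afterwards makes the
    mapping unrecoverable even for the publisher.
    """
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()


def demo():
    # Constructed "released" records, not real TLC data.
    released = [md5_hex("5X55"), md5_hex("7Q01"), md5_hex("0")]
    lookup = build_lookup()
    recovered = deanonymize(released, lookup)
    # md5("0") is the CFCD2084... value from the notes: the placeholder for
    # missing IDs, which PATTERN does not cover, so it stays unresolved.
    unknown = [p for p, ident in recovered.items() if ident is None]
    return {
        "recovered": recovered,
        "unknown": unknown,
        "zero_hash": md5_hex("0"),
        # The keyed pseudonym is outside any table built without the key,
        # and changes completely if the key changes.
        "keyed_in_table": keyed_pseudonym("5X55") in lookup,
        "key_dependent": keyed_pseudonym("5X55") != keyed_pseudonym("5X55", b"other"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the md5(KEY + value) form from the bullet above has the same reversal resistance as the HMAC here as long as the key is secret, but HMAC is the standard keyed construction and avoids the length-extension quirks of a bare prefix, so there is no reason to roll your own.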

Hackers attack hedge fund for monetary gain

  • BAE systems, a British defense contractor that also specializes in cyber security, was called in to investigate after computers at a hedge fund were hacked
  • The attackers somehow infiltrated the HFT (high-frequency trading) system and injected delays of several hundred microseconds into the order entry path
  • This caused the hedge fund to miss out on profits it could have made on those trades
  • It is suspected that the attackers capitalized on this to capture those profits themselves
  • “Hedge funds “really have inadequate cybersecurity as a whole” and the attacks threaten to undermine the systems used globally for high-speed trading, said Tom Kellerman, chief cyber security officer for Trend Micro Inc. ”

Feedback:


Round Up:


The post Restores are Everything | TechSNAP 168 first appeared on Jupiter Broadcasting.

ownCloud 5 Review | LAS | s26e04 (Sat, 30 Mar 2013 17:41:48 +0000) https://original.jupiterbroadcasting.net/34426/owncloud-5-review-las-s26e04/

Can OwnCloud solve your Dropbox problem? The free web based software that promises to reduce or even replace Google, Dropbox, and much more in your life. But has the project bitten off more than it can chew? Tune in to find out!

And: Our overview of OwnCloud’s desktop syncing system, and the innovative way OwnCloud is deployed to Linux distributions.

Plus: The FUD storm heading towards Linux gamers, a quick look at Gnome 3.8, Microsoft gets slapped down, a surprise gadget unboxing….

AND SO MUCH MORE!

All this week on, The Linux Action Show!


— Show Notes: —

OwnCloud 5 Review:


The post ownCloud 5 Review | LAS | s26e04 first appeared on Jupiter Broadcasting.

Let’s Talk Proxmox | LAS | s24e08 (Sun, 02 Dec 2012 14:42:27 +0000) https://original.jupiterbroadcasting.net/28241/lets-talk-proxmox-las-s24e08/

Learn all about Proxmox, a free software based enterprise grade virtualization solution. Proxmox combines KVM with openVZ powered by Debian, and it’s free to use.

PLUS: We’ll cover a couple of the big upsets of the week, and some great Q&A in the feedback segment.

Then – Chris’ first thoughts on his new Bonobo Extreme System76 laptop!

AND SO MUCH MORE!

All this week on, The Linux Action Show!


Show Notes:

Proxmox Review:


Find out what’s better than KVM or OpenVZ: Proxmox, which combines both technologies in one hypervisor.

By mixing the two virtualization types (full virtualization with KVM for arbitrary guests, and OS-level containers with OpenVZ for Linux guests that can share the host kernel), you can install more than twice as many VMs per host as with full virtualization alone. Some admins report three or four times the density per host.


The post Let’s Talk Proxmox | LAS | s24e08 first appeared on Jupiter Broadcasting.

Ultimate ZFS Overview | TechSNAP 28 (Thu, 20 Oct 2011 18:57:12 +0000) https://original.jupiterbroadcasting.net/13052/ultimate-zfs-overview-techsnap-28/

Coming up on this week’s TechSNAP…

Buckle up and prepare for our Ultimate ZFS overview!

Plus, the next generation of Stuxnet is in the wild, but this time is laying low, collecting data.

All that and more, on this week’s TechSNAP!


Show Notes:


Next generation of Stuxnet seen in the wild?

  • Called Duqu, the malware appears to be based on the same concepts as Stuxnet, and likely was written by some of the same people, or someone with access to the Stuxnet source code.
  • The malware is designed to be stealthy and silent, rather than exploiting the system to some gain, like most malware
  • The rootkit loads itself as a validly signed driver. It appears to have been signed with the certificate of a company in Taiwan identified as C-Media Electronics Incorporation. It is possible that their systems were compromised and their private key is being used without their knowledge. The certificate was due to expire on August 2, 2012, but was revoked on Oct. 14
  • The malware is not a worm, as it does not spread on its own, and it has no destructive payload
  • It appears only to gather intelligence and act as an espionage agent, collecting data to be used in a future attack.
  • Analysts claim it appears to be seeking information on an unidentified industrial control system
  • Duqu appears to have been in operation, undetected for more than a year
  • Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors
  • Duqu analysis paper

Google switching to SSL for logged in users’ searches

  • Users who do a search while logged in will have the search performed over SSL, meaning their search query and the results are protected from snooping by their ISP, government, law enforcement and WiFi eavesdroppers.
  • This is an important step as google works to personalize your search results more and more.
  • An interesting side effect of this is that browsers do not pass referrer headers when you transition from an SSL site. So the sites you visit from the search results page will no longer see what your search query was. Clicks on Adwords and other sponsored links will still pass your search query.
  • The primary impediment to SSL for everything is performance, encrypting all traffic on the web would require a great deal more hardware. This is why Google defaults to a weaker encryption for things like search results, than what online merchants typically use.
  • Another impediment to SSL is the certificate system, typical setups require a unique IP for each SSL certificate (because the name based virtual hosting typically done by web servers relies on an HTTP header, that is not sent until after the encryption session is started). However modern browsers and web servers support ‘SNI’ (Server Name Indication) to allow that information to be passed as part of the initial encryption setup. There are also solutions such as wildcard certificates (ie, *.google.com) and Unified Communications Certificates (UCC, typically used for MS Exchange servers and the like).
  • Google will also provide website owners with the top 1000 search queries that lead visitors to their site via Google Webmaster Tools.
  • HTTPS Everywhere | Electronic Frontier Foundation

Feedback:

ZFS Segment

  • This week we will be taking a look at ZFS as a storage solution
  • ZFS was originally developed by Sun Microsystems and designed to scale to zettabytes of data (a zettabyte is 10^21 bytes, roughly a billion terabytes)
  • ZFS is both the Volume Manager and the File System. This gives it some unique benefits, including the ability to increase the size of the file system on the fly and improves performance for the ‘scrub’ (integrity check all data) and resilver (recover from a failed disk) operations, as only data blocks that are actually in use need to be rewritten, whereas a hardware RAID controller must resilver the entire disk because it is unaware of the file system.
  • ZFS is a ‘Copy-On-Write’ file system: changed data is written to a new location and the old block is only freed once nothing (such as a snapshot) still references it, so data is never overwritten in place. This is what makes snapshots and clones cheap.
  • Features
    • Multiple mount points – You can create various mount points from the same storage pool, allowing you to have different settings for different types of files.
    • Passive Integrity Checking (Fletcher checksum or SHA-256) – As data is read, it is compared against the stored checksum (or hash, depending on settings). If the data is found to be corrupted, ZFS attempts to recover it (from a mirrored device, RAID Z, or copies). This feature allows ZFS to detect silent corruption that normally goes unnoticed.
    • RAID Z – RAID Z works very similar to RAID 5, except without the requirement for a hardware RAID controller. RAID Z2 provides two parity drives, like RAID 6. Recently, RAID Z3 was also introduced, using 3 drives for parity, providing exceptional fault tolerance.
    • Compression – Allow you to compress the data stored in this mount point (defaults to lzjb for speed, or you can choose a specific level of gzip). This can be great for storing highly compressible information such as log files
    • Deduplication – Since ZFS already computes a checksum of each block as it writes it, it can detect that a block with identical content already exists in the storage pool and simply reference the existing block instead of writing a new copy; because ZFS is copy-on-write, a later change to either file does not affect the other. ZFS also supports an optional ‘verify’ setting: even if the checksum/hash matches, it does a byte-by-byte comparison before treating the blocks as identical, so a hash collision cannot silently corrupt data (with SHA-256 the chance of an accidental collision is around 10^-77). Deduplication uses a lot of RAM, so it is recommended that you only enable it on datasets with a high probability of duplicate data: the dedup table needs roughly 320 bytes per block, so 1TB of data in 8KB blocks (about 134 million blocks) needs over 40GB; ZFS allows blocks up to 128KB, which lowers the cost but also the hit rate. The dedup table will only use up to 25% of ARC memory; beyond that, performance degrades.
    • Purposeful Duplication (Copies) – Allows you to ask ZFS to maintain more than 1 copy of each file in a mount point. This is in addition to any redundancy provided by mirrors/RAID Z etc. Where possible the additional copies are stored on different physical devices. This allows you to get the benefit of a system like RAID Z but only for a specific set of data, while using regular striping for the rest, to maximize your storage capacity. (The ‘copies’ setting was not designed to protect against entire drives failing, just the loss of specific sectors; also, this setting only affects newly written files, so you should set it when you create the mount point)
    • Snapshots – A read only copy of the file system from a specific point in time, great for backups etc.
    • Clones – A writable snapshot. Allows you to create a second copy of the file system that shares all of the same disk space, and any changes to either the original or the clone get saved separately.
    • Dynamic Striping – As you add more disks to your ZFS pool, the stripes are automatically adjusted to take advantage of the write performance of all available disks.
    • Space Reservation – Since all mount points share the same pool of free space, you can set reservations to make sure specific mount points always have access to free space, even if another mount point is trying to use all of the space.
  • In summary, ZFS can be a great solution for your home file server, as it gives you the flexibility to add additional storage at any time, deduplicate files, provide limited redundancy without needing RAID, and even offer some Drobo-like functionality.
  • If you keep at least one SATA port available in your file server, you can replace smaller devices by attaching the newer drive and using the ‘zpool replace’ command to copy all of the data to the new device, then remove the smaller one. You can eventually replace every device in the system this way, and the storage pool grows automatically.
  • RAID Z pools cannot currently have devices added to them, although this feature is in the works. If you create a RAID Z (or Z2/Z3) pool, you can still increase its storage capacity by replacing each disk one at a time and waiting for it to resilver (unlike in non-redundant setups, you do not have to connect the new device before removing the old one). Again, because ZFS is both the volume manager and the file system, the resilvering process is faster, because only data that is actually in use needs to be written to the new device.

Round Up:

The post Ultimate ZFS Overview | TechSNAP 28 first appeared on Jupiter Broadcasting.

Ultimate Backups | TechSNAP 26 (Thu, 06 Oct 2011 19:52:13 +0000) https://original.jupiterbroadcasting.net/12623/ultimate-backups-techsnap-26/

We’ll tell you about AT&T leaving Android open to a hack so easy, my two year old son could pull it off. Plus FireFox goes to battle with McAfee and is Bank of America Under attack?

Then – We delve into backups, from the fundamentals to the very best tools!

All that and more, in this week’s TechSNAP!


Show Notes:

Security hole in AT&T Samsung Galaxy S II

  • Bug allows someone to bypass the security lockout screen, accessing the phone without the password
  • The flaw does not exist on the Sprint version of the Samsung Galaxy S II (the Epic 4G Touch)
  • Press the lock button to wake the phone and you will be prompted with the unlock screen. Allow the phone to go back to sleep, immediately tap the lock button again, and you will have access to the phone without entering the password
  • This feature is likely designed for the situation where you are waiting for some interaction on the phone and it falls asleep; if you press a button to wake it within a few seconds, it doesn’t prompt you to unlock the phone again. This is a useful feature, however, it should be predicated on the fact that you recently unlocked the phone (don’t make me unlock the phone twice within 90 seconds, or something similar), not merely on the screen having been on
  • The flaw only affects phones that have been unlocked at least once since boot
  • Since the flaw only affects the AT&T version of the phone, it would seem it is based on software added to the phone by AT&T, which appears to cache your response to the unlock screen and use it to bypass the screen when you re-wake the phone immediately after it goes to sleep.
  • Another example of the vendors messing with the core google product.
  • Users with Microsoft Exchange security policies don’t seem to be affected
  • Users can adjust the settings on their phone via Settings -> Location and Security -> Screen unlock settings -> Timeout and set the value to Immediately, disabling the ‘feature’ that presents the vulnerability.

Firefox advises users to disable McAfee Plugin

  • Mozilla says the McAfee ScriptScan plugin causes stability and security problems in Firefox
  • The problem only seems to affect the new Firefox 7; it is likely caused by a compatibility problem with versions of ScriptScan designed for older versions of Firefox
  • Firefox has started showing popup warnings to users running versions of McAfee ScriptScan older than 14.4.0 due to an incredibly high volume of crash reports
  • McAfee says it is working with Mozilla to solve the issue for the next version of the software
  • McAfee is very popular in corporate environments and is often enforced with an Active Directory Group Policy that makes it nearly impossible for the end user to disable the virus scanner

Bank of America – Unexplained Outages – Is it an attack?

  • The Bank of America website has been degraded, slow, returning errors or down for more than 6 days
  • Bank of America (BofA) said its Web and mobile services have not been hit by hacking or denial-of-service attacks, however they would not disclose what has been causing the online problems.
  • Quote: “I just want to be really clear. Every indication [is that] recent performance issues have not been the result of hacking, malware or denial of service,” said BofA spokeswoman Tara Burke. “We’ve had some intermittent or sporadic slowness. We don’t break out the root cause.”
  • The problems began Friday morning, a day after BofA announced it would charge a $5 monthly fee for account holders using their debit cards
  • Additional Coverage

Feedback:

Continuing our Home Server Segment – This week we are covering backups.
Before we cover some of the solutions, we should look at some of the concepts and obstacles to creating proper backups. There are a number of different ways to back things up, but the most popular involves using multiple ‘levels’ of backup.

  • Full backup

  • This is a backup of every file (or a specific subset, or everything except specific exclusions) on a system.

  • This is the base of higher level backups, and is also known as a level 0 backup

  • Full backups are the largest and the slowest to run

  • Differential Backup

  • A differential backup is one that includes every file that has changed since the last full backup was started (the start time, not the finish time, is the important part).

  • It is very important that higher level backups always be based on the START time of the lower level backup, rather than the last modified or finish time. If a file changed during the last backup, after it was copied but before that backup completed, the copy on the backup is already stale, and basing the next backup on the finish time would silently skip it. Using the start time may copy a few files twice, which is harmless; missing one is not.

  • Differential backups require only the most recent full backup to restore

  • Incremental Backup

  • An incremental backup consists of every file that has changed since the start of the last backup of any level

  • Incremental backups are the smallest and fastest

  • Incremental backups can take the longest to restore, as they require every incremental backup taken since the last full backup, plus that full backup

  • Incremental backups offer a trade-off: they take less time and less storage, but they slow the recovery process.

  • Incremental backups, due to their smaller size, make it easier to have ‘point of time’ backups of files, rather than just the most recent.

  • Some backup systems do away with the name designations, and allow even more granularity

  • A level 0 backup is a full backup

  • A level 1 is everything that has changed since the level 0

  • A level n backup is everything that has changed since the most recent backup of a lower level (level n–1 or lower)

  • Systems such as the Unix ‘dump’ utility allow levels up to 9

  • Some backup systems, such as Bacula, support ‘synthetic full backups’

  • A synthetic backup is when you use a full backup, plus more recent differential and incremental backups to create a new, more recent full backup.

  • This can be especially advantageous in remote and off site backup systems, where transferring the full data set over the network can be very slow and costly.

  • rsync

  • Not actually a backup tool, it just creates and synchronizes a copy of the files

  • Copies only the changes to the files, so is faster

  • snapshots

  • A point in time copy of the files in a filesystem (supported by LVM, UFS, ZFS, etc)

  • A good place to take a backup from, resolves issues with open files

  • bacula

  • Designed to backup a large number of machines

  • Quite a bit of setup (Director, Storage Daemon, SQL database for the catalog, File Daemons (clients))

  • Cross platform

  • Powerful deduplication system, and ‘base backups’

  • Support for Windows Volume Shadow Copy (snapshots of open files)

  • flexbackup

  • simple perl script that creates archives (tar, cpio, etc) with optional compression (gzip, bzip2, etc).

  • Uses the ‘find’ command to create multi-level backups based on modified date

  • BackupPC

  • rsync based

  • Supports rsync, tar over ssh/rsh, FTP, and SMB for Windows clients

  • Is very smart about how it handles laptops and other portable devices that miss backups.

  • Its magic is its de-dupe hard-link mojo that saves tons of space

  • Bit of a nerd project to get going, but is bullet proof once it's in

  • TarSnap – BSD Encrypted Cloud Backup

  • Mondo Rescue – GPL disaster recovery solution

  • CrashPlan – Online Backup Software, Disaster Recovery

  • Allan’s AppFail.com article about backups
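The level scheme described above, as an added example (my code, not the show's and not taken from dump, Bacula or any other tool named here): a small Python model that decides what a level-n run must copy based on the start time of the most recent lower-level run, and works out the chain of backups a restore needs. The file names and integer timestamps are constructed for the demonstration; the scenario deliberately modifies a file while the full backup is running to show why the start time, not the finish time, is the right base.

```python
from dataclasses import dataclass

# Constructed model: integer "timestamps" stand in for real clock values.


@dataclass
class BackupRun:
    level: int
    started: int
    finished: int
    copied: frozenset  # paths this run included


def latest_lower(history, level, before=None):
    """Most recent run with a lower level: the run a level-n backup is based on."""
    runs = [r for r in history
            if r.level < level and (before is None or r.started < before)]
    return max(runs, key=lambda r: r.started) if runs else None


def select_files(files, history, level):
    """Paths a new level-n run must copy. files maps path -> mtime.

    Level 0 copies everything. Level n copies what changed since the START
    of the most recent lower-level run (dump semantics). With no lower-level
    run on record the backup degrades to a full, which is the safe choice.
    """
    base = None if level == 0 else latest_lower(history, level)
    if base is None:
        return frozenset(files)
    return frozenset(p for p, m in files.items() if m >= base.started)


def restore_chain(history):
    """Runs to replay, oldest first, to rebuild the latest backed-up state."""
    current = max(history, key=lambda r: r.started)
    chain = [current]
    while current.level > 0:
        current = latest_lower(history, current.level, before=current.started)
        chain.append(current)
    return list(reversed(chain))


def run_scenario():
    files = {"a": 0, "b": 0, "c": 0}   # path -> mtime
    history = []

    # Level 0 runs from t=10 to t=20. "b" is modified at t=15, after it was
    # already copied, so the level 0 copy of "b" is stale.
    history.append(BackupRun(0, 10, 20, select_files(files, history, 0)))
    files["b"] = 15

    # Level 1 at t=30 is based on the START (10) of the level 0, so it picks
    # up "b". Basing it on the finish time (20) would silently miss it.
    lvl1 = select_files(files, history, 1)
    missed_if_finish_based = frozenset(
        p for p, m in files.items() if m >= history[0].finished)
    history.append(BackupRun(1, 30, 31, lvl1))

    files["c"] = 35
    lvl2 = select_files(files, history, 2)      # since level 1 started: {"c"}
    history.append(BackupRun(2, 40, 41, lvl2))
    chain_at_40 = [r.level for r in restore_chain(history)]   # [0, 1, 2]

    files["a"] = 45
    lvl1b = select_files(files, history, 1)     # since level 0 started: a, b, c
    history.append(BackupRun(1, 50, 51, lvl1b))
    chain_final = [r.level for r in restore_chain(history)]   # [0, 1]

    return {
        "lvl1": lvl1,
        "missed_if_finish_based": missed_if_finish_based,
        "lvl2": lvl2,
        "lvl1b": lvl1b,
        "chain_at_40": chain_at_40,
        "chain_final": chain_final,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The second level 1 run at t=50 behaves like a differential (everything since the full), so the restore chain collapses back to two runs; the level 2 at t=40 behaves like an incremental and needs the full, the level 1 and itself. A real tool also has to record the start time of each run somewhere durable (dump keeps it in /etc/dumpdates), otherwise the next run has no base to select against.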

Round Up:

Jupiter Broadcasting stats

  1. Firefox 42.66%
  2. Chrome 29.73%
  3. Internet Explorer 14.43%

The post Ultimate Backups | TechSNAP 26 first appeared on Jupiter Broadcasting.
