Spamhaus – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Cloudy With a Chance of SSL | TechSNAP 195
https://original.jupiterbroadcasting.net/74772/cloudy-with-a-chance-of-ssl-techsnap-195/
Thu, 01 Jan 2015 11:50:39 +0000


We go inside the epic takedown of SpamHaus, then we break down why CloudFlare’s Flexible SSL is the opposite of security.

Followed by a great batch of questions, our answers & much much more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

Krebs covers the arrest of one of the attackers in the SpamHaus attack, but digs even deeper

  • “A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare”
  • In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers.
  • When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network, taking it down as well.
  • The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”
  • Both of these were wrong; the attack was no larger than others seen every day on the internet
  • The only clever part of the DDoS was attacking the supposedly unpublished and unreachable IP address of the route server at the London Internet Exchange (LINX)
  • A response from the CTO of nLayer/GTT (major backbone providers)
  • TechSNAP Episode 104 – We tear down the hype around this attack
  • The Krebs article also digs much deeper into the story, covering StopHaus, the group that ordered the attack, uncovering who is behind it
  • “this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good”
  • The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).
  • Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”
  • Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to a spamming software tool called “Quick Send v.1.0.”
  • “Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.”

Why CloudFlare’s Flexible SSL is the opposite of security

  • “Flexible SSL makes it easy to create a secure connection and have it mean nothing. Do you need a trusted certificate for your latest phishing scheme? Just host it regularly on your insecure server and set it up on Cloudflare: that padlock might just seal the deal to the distracted user”
  • The issue is that buying real SSL certificates costs money for each domain
  • But setting up hundreds of sites using Flexible SSL costs much less
  • “I’m not giving the reader a brilliant criminal idea, I’m sure this is rather obvious to any serious cybercriminal that creates those realistic website copies and the appealing emails that lead people to them – they have been trying to emulate the security features of real websites, but setting up trusted SSL has been a challenge. Now SSL is within their reach, even without the minimum knowledge on how to configure SSL servers.”
  • “It subverts the idea of a secure channel, because it is not secure by any reasonable definition, given the data is transmitted in the clear at some point through the public internet; the idea of authentication, given you no longer are interacting with the websites’ actual servers; and the idea of trust, since thousands of bogus certificates emitted this way will not ensure users’ security, leading me to distrust the trust model of the entire Web. That’s pretty severe right there.”
  • “I’m all for the proliferation of SSL, and security is indeed too difficult for the average webmaster to figure out. This means, unfortunately, that some websites that ask for your private data send it in the clear. Certainly SSL for everybody is much better?
    I’d argue that not really. Not only does it empower anyone to create malicious websites (see above) but it empowers people who don’t know security to do it badly. And by making Flexible SSL available, the easiest and default option is just that.”
  • Do you trust Cloudflare entirely? — Enabling Universal SSL gives your users a sense of security: that the data they are sending is protected from the preying eyes of attackers. Remember though, in this setup, Cloudflare has access to the entire data stream in cleartext, thus your transmission is only as secure as Cloudflare’s infrastructure: one zero-day exploit is all it takes to read traffic of potentially millions of websites with a single attack (this means it could take more than one attack, but certainly not proportional to the number of websites affected, in the sense that a single Cloudflare endpoint mediates traffic to multiple websites).
  • Full SSL allows you to use an untrusted certificate between your server and CloudFlare, then CloudFlare uses a real certificate between them and your users, but they can still snoop on everything
  • Sure, Cloudflare may be in a better position than you are to combat a zero day, but what about combating the government?
  • So, while CloudFlare touts itself as providing SSL for everyone, we are left questioning whether that is actually a good thing. Should people who don’t understand how SSL works really be hosting sites using SSL, leaving them and their users trusting that things are secure when they likely aren’t? And trusting CloudFlare doesn’t seem like the best idea either
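The mismatch the notes describe (a padlock for the visitor, cleartext on the CDN-to-origin leg) is something the origin can at least detect. The following is an added example, not code from the episode or from CloudFlare; it assumes the CDN forwards the visitor’s scheme in X-Forwarded-Proto or the CF-Visitor JSON header, and that the WSGI environ’s wsgi.url_scheme reflects what the origin itself received.

```python
"""Origin-side detection of a cleartext edge->origin hop (the Flexible SSL pattern).

Assumptions (not from the episode): the CDN sets X-Forwarded-Proto and/or
CF-Visitor to the scheme the visitor used, while wsgi.url_scheme is what the
origin really received. Visitor https + origin http = Flexible-style hop.
"""
import json


def classify_hop(environ):
    """Classify one request as seen by the origin server (WSGI environ)."""
    origin_scheme = environ.get("wsgi.url_scheme", "http")
    visitor_scheme = environ.get("HTTP_X_FORWARDED_PROTO")
    if visitor_scheme is None and "HTTP_CF_VISITOR" in environ:
        # CF-Visitor carries JSON such as {"scheme":"https"}; treat garbage as unknown
        try:
            visitor_scheme = json.loads(environ["HTTP_CF_VISITOR"]).get("scheme")
        except (ValueError, AttributeError):
            visitor_scheme = None
    if origin_scheme == "https":
        # The edge spoke TLS to us. Whether it verified our certificate (Full vs
        # Full strict) is decided on the CDN side and is invisible from here.
        return "tls-to-origin"
    if visitor_scheme == "https":
        # Padlock in the browser, plaintext on the edge->origin leg.
        return "flexible-plaintext-hop"
    return "plain-http"


class PlaintextHopAlert:
    """WSGI middleware that reports every request whose last hop was cleartext.

    on_alert(path, edge_ip) is called once per offending request; the wrapped
    application is still invoked, so this is detection, not enforcement.
    """

    def __init__(self, app, on_alert):
        self.app = app
        self.on_alert = on_alert

    def __call__(self, environ, start_response):
        if classify_hop(environ) == "flexible-plaintext-hop":
            self.on_alert(environ.get("PATH_INFO", "/"),
                          environ.get("REMOTE_ADDR", "?"))
        return self.app(environ, start_response)


def run_demo():
    """Feed three constructed requests through the middleware; return the alerts."""
    alerts = []

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    wrapped = PlaintextHopAlert(app, lambda path, ip: alerts.append((path, ip)))
    sample = [  # constructed WSGI environs, not captured traffic
        {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https",
         "PATH_INFO": "/login", "REMOTE_ADDR": "198.51.100.7"},
        {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "https",
         "PATH_INFO": "/", "REMOTE_ADDR": "198.51.100.8"},
        {"wsgi.url_scheme": "http", "HTTP_CF_VISITOR": '{"scheme":"https"}',
         "PATH_INFO": "/account", "REMOTE_ADDR": "198.51.100.9"},
    ]
    for env in sample:
        list(wrapped(env, lambda status, headers: None))
    return alerts


if __name__ == "__main__":
    for path, ip in run_demo():
        print(f"cleartext edge->origin hop for {path} via {ip}")
```

The forwarded header is only meaningful when the origin accepts connections solely from the CDN’s address ranges; any other client can set X-Forwarded-Proto itself.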

Amplifying the Hype | TechSNAP 104
https://original.jupiterbroadcasting.net/34646/amplifying-the-hype-techsnap-104/
Thu, 04 Apr 2013 16:52:44 +0000

It’s been called the largest DDoS attack in history, we’ll bust past the hype and explain how a DNS Reflection attack works.

Plus a privacy surprise in Blackberry 10, the return of an old segment, a big batch of your questions, and so much more!

Thanks to:

Use our code hostdeal4 to score economy hosting for $1 a month, for one year.

35% off your ENTIRE order just use our code go35off4 until the end of the month!


Show Notes:

DNS Reflection Attack creates internet scare

  • There has been much talk recently about the Cyberbunker DDoS attack against Spamhaus, and the ‘internet breaking’ size of the attack
  • In truth, the attack did not break the internet, and was not that unusually large (described by one of the providers as only 10–15% larger than the regular large attacks they see)
  • The attack made use of a ‘DNS Reflection Attack’, which sends UDP packets with a forged source address, requesting the answer to a large DNS query from machines around the globe that run ‘open DNS resolvers’: recursive DNS servers that do not restrict queries to those originating inside their own network
  • The forged source address in the header results in the DNS servers sending the response to the unsuspecting victim rather than to the original requester
  • There are millions of these misconfigured DNS servers around the globe
  • A possible resolution to this issue would be for ISPs to block traffic leaving their network with a source address that is not actually from inside their network (and is therefore most likely forged)
  • That might not have helped in this case, since the attacker, Cyberbunker, has its own AS and is responsible for that type of configuration on its own network
  • The real details have started to emerge, and while it was reported that the attack was so large that it disrupted the London Internet Exchange, that is not entirely true
  • Response from someone who works for one of CloudFlare’s upstream providers
  • What actually happened was that Cyberbunker managed to attack parts of LINX (London Internet Exchange) via IP addresses that are not normally announced to the internet, but had leaked due to misconfiguration by some members of LINX
  • Looking at the Spamhaus DDoS from a BGP Perspective
  • Cyberbunker (the attackers) did a BGP hijack via NL-IX (the Netherlands Internet Exchange) for the IP address of 0.ns.spamhaus.org, announcing a more specific route and diverting traffic destined for that IP to a rogue server at Cyberbunker
  • In the past Cyberbunker has executed similar BGP hijacks, including against a normally unroutable IP range of the US Department of Defense
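As an added example (not from the episode or from the linked articles), here are the two defensive checks these notes imply, run over constructed flow records: spotting a host that is receiving DNS replies from many resolvers without having sent matching queries (the reflection victim), and the ISP-side egress filter that catches packets leaving with a source address outside the network’s own prefixes. The Flow dataclass and the sample prefixes are assumptions standing in for real NetFlow/IPFIX records.

```python
"""Detecting the DNS reflection pattern on flow records, plus the egress
(forged source address) check an ISP could apply. Constructed data; Flow is
a minimal stand-in for a NetFlow/IPFIX record."""
import ipaddress
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def find_reflection_victims(flows, min_sources=10, min_ratio=10.0):
    """Map victim_ip -> (distinct resolvers, reply bytes received, amplification).

    A reflection victim receives DNS replies (sport 53) from many resolvers
    while having sent few or no queries (dport 53) itself, so the ratio of
    reply bytes to query bytes is far above what a real client produces.
    """
    reply_bytes = defaultdict(int)
    reply_sources = defaultdict(set)
    query_bytes = defaultdict(int)
    for f in flows:
        if f.sport == 53:          # reply arriving at f.dst
            reply_bytes[f.dst] += f.nbytes
            reply_sources[f.dst].add(f.src)
        elif f.dport == 53:        # query leaving f.src
            query_bytes[f.src] += f.nbytes
    victims = {}
    for host, received in reply_bytes.items():
        sent = query_bytes.get(host, 0)
        ratio = received / sent if sent else math.inf
        if len(reply_sources[host]) >= min_sources and ratio >= min_ratio:
            victims[host] = (len(reply_sources[host]), received, ratio)
    return victims


def spoofed_egress(flows, own_prefixes):
    """Source addresses in outbound flows that lie outside our own prefixes.

    This is the ISP-side filter the notes suggest: a packet leaving the
    network with a foreign source address is almost certainly forged.
    """
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    spoofed = set()
    for f in flows:
        if not any(ipaddress.ip_address(f.src) in n for n in nets):
            spoofed.add(f.src)
    return sorted(spoofed, key=ipaddress.ip_address)


# Constructed sample: 50 open resolvers in 192.0.2.0/24 each push one 3000-byte
# reply at 203.0.113.10, which never asked; 203.0.113.20 is a normal client.
INGRESS = [Flow(f"192.0.2.{i}", 53, "203.0.113.10", 40000 + i, 3000)
           for i in range(1, 51)]
INGRESS += [Flow("203.0.113.20", 51000, "192.0.2.1", 53, 60),
            Flow("192.0.2.1", 53, "203.0.113.20", 51000, 200)]

# Constructed egress from an ISP owning 198.51.100.0/24: one customer emits
# queries carrying the victim's address as the forged source.
EGRESS = [Flow("198.51.100.5", 52000, "192.0.2.9", 53, 60),
          Flow("203.0.113.10", 53000, "192.0.2.9", 53, 60),
          Flow("203.0.113.10", 53001, "192.0.2.10", 53, 60)]


if __name__ == "__main__":
    for ip, (n, b, r) in find_reflection_victims(INGRESS).items():
        print(f"{ip}: {n} resolvers, {b} reply bytes, amplification {r}")
    print("forged sources leaving the network:",
          spoofed_egress(EGRESS, ["198.51.100.0/24"]))
```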

How the world of tax havens actually works

  • The ICIJ (International Consortium of Investigative Journalists) has come into possession of 30 years’ worth of files, emails and other data from 10 of the most popular offshore tax havens in the world
  • The files cover more than 120,000 offshore entities (such as shell corporations, trusts, private foundations, and IBCs) that involve people from more than 170 different countries
  • The leak totals over 260 gigabytes of data, making it 160 times larger than the Wikileaks US Cables dump
  • The data details the structure of a number of different schemes and includes details that the holders of these offshore accounts would much rather keep secret
  • The documents create the links between people and their offshore money that governments have been unable or unwilling to create themselves
  • It is not yet clear if governments will use the data to prosecute tax cheats
  • CBC Coverage
  • The CBC has also created an interactive tool that allows you to step through the process of hiding your money offshore, including:
    • Choose which tax haven to send your money to. What are the tax rates like? Do they have a tax information sharing agreement with your home country?
    • Then you must create your ‘secret identity’ that will hide the true ownership of the funds. Offshore Trust, Private Foundation, LLC, IBC, Shelf Corp or Individual Account?
    • Next, choose the bank you will place your deposit with. Where are they based? How secretive are they? Will your home government be able to influence them?
    • Now it is time to actually move your money. If you’ve already paid tax on it, you could just wire it, but then the tax man may wonder if you’re earning any income with it…. Suitcase of cash (illegal but usually pretty easy to get away with)? Phony lawsuit? Money swap?
    • Then you have to decide how to invest the money; the entire point of getting it offshore was to avoid paying tax on the income it generates
    • Now the hard part, spending the money. Move offshore? Back-to-back loan? Insurance scam? Offshore credit card? Fixed gambling?
  • The reasons for moving funds offshore are numerous, beyond just avoiding taxes; this data shows efforts by many to hide wealth from the courts, to avoid losing it in legal and civil lawsuits or costly divorces
  • This data exposes the collective efforts of some of the greediest people in the world to hide their wealth from taxes and the law

DDoS attacks against Mt.Gox may be an attempt to game the exchange

  • The BBC reports that an ongoing denial of service attack against Mt.Gox, the most popular Bitcoin exchange, may actually be an effort to influence the trading price of bitcoin
  • Mt.Gox suggests that the pattern of the attacks makes it seem like the attackers sell their bitcoins at the peak price, then use the attack to disrupt trading (which causes the price to fall) and create fear, uncertainty and doubt about bitcoin, which causes the skittish to sell, further dropping the price
  • The attackers then swoop in and buy up more bitcoins with the proceeds from those sales, getting back more bitcoins than they started with
  • The DDoS then stops, the price climbs, and the cycle is repeated
  • During the attack, bitcoins dropped to as low as $110 USD from $145
  • This seems to underscore the need for a more robust and diverse trading and exchange system

Email Constipation | TechSNAP 46
https://original.jupiterbroadcasting.net/17312/email-constipation-techsnap-46/
Thu, 23 Feb 2012 19:17:56 +0000

We answer the question: What to do when your email server gets blocked, and why it keeps happening.

PLUS: GSM phones are vulnerable to a simple tracking attack; all you need is some open source software and some spare hardware, and we’ll share the details! And we introduce the TechSNAP “Hall of Shame”.

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before February 29, 2012 to secure your own .co domain name for the same price as a .com.

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
Deluxe Hosting for the Price of Economy (12+ mo plans)
Code: hostfeb8
Dates: Feb 1-29

Show Notes:

GSM networks allow attackers to determine your location without your knowledge

  • Researchers at the University of Minnesota have found a way that an attacker using open source software could locate your cell phone to within 1 square kilometer
  • The GSM protocol attempts to mask the identity of individual devices by using temporary IDs; however, it is possible to map a phone number to these temporary IDs
  • The attack works by placing repeated PSTN phone calls to the mobile number, but disconnecting before the first ring on the handset (~4 seconds)
  • This causes the cell towers in the area where the network believes the user to be to broadcast ‘paging’ requests addressed to the target handset’s temporary or immutable ID
  • By listening on the radio frequency for this broadcast, the attacker can determine whether the target is in range of one of the cell towers near them. A few repeated calls allow the attacker to isolate which temporary ID corresponds to the mobile device they are placing the aborted calls to
  • In a large area served by many towers, an attacker can determine whether the target is within approximately 100 square kilometers
  • This attack could be used by oppressive governments to determine whether a person is present at a protest or other gathering without relying on support from the telco, to determine whether a victim is away from home before attempting a robbery, or even to locate a high-profile individual for stalking or assassination
  • Research Paper

Feedback:

Q: (Traci) My webhost has been added to an RBL and now emails sent from my domain and from my website cannot be received by some people. Can you explain what an RBL is and why it is blocking my email? (Dreamhost servers blocked by Trend Micro RBL: https://www.dreamhoststatus.com/2012/02/14/mailservers-on-trend-micro-rbl-working-on-removal-from-list/)

A: An RBL, or Real Time Blacklist, is a list of IP addresses or domain names that the maintainer of the list feels should be blocked from sending email. There are many different RBLs, with different criteria for inclusion in and removal from their lists. Most RBLs operate over DNS because it is lightweight and has extremely low latency.

So, when an ISP, say Comcast, receives new email directed to one of its customers, it will check details of that email against a number of RBLs that Comcast subscribes to. It checks the sending IP, any links included in the email, etc. If one or more of these RBLs returns a positive result, the email may be flagged as spam or rejected entirely.

Different RBLs cover different problems: Spamhaus.org has lists that cover spam, trojaned PCs and open proxies, dynamic IP ranges, spam domains (sites that spam links to), and compromised servers. Spamcop.net bases its RBL on emails it intercepts at honeypot addresses, and on sampling the email of users who pay $30/year to have their mail filtered via spamcop.net.

One of the most common ways for a webhost to get added to an RBL is when one or more customers run insecure CGI or PHP scripts that send email. When that happens, an attacker can cause your site to send email, or install a script that sends email. Sending large amounts of spam from the web host’s servers will cause it to be listed in the RBLs until the webhost resolves the issue. Many RBLs are automated: they add an IP when it is detected as a source of spam, and remove it once it has stopped sending spam for 24 hours.

The other common cause of listing in an RBL is hosting sites that are the target of the spam messages (rather than the source). When a web application such as WordPress is compromised, the attacker may be able to install their own site in a subdirectory, using your hosting to host the link they send out in their spam messages. The target of the spam could be a page directing the user to buy something, a phishing site designed to look like PayPal or a bank, or even malware, hosting the executable or JavaScript that the unsuspecting user will run. This last example is similar to the exploit we saw with Cryptome last week: if other websites on the internet were infected and made to load a JavaScript file from a domain hosted at your host, then anti-virus vendors such as Trend Micro may add your webhost to their block list.

In the past, there have been a number of legal battles against RBLs where senders have tried to prosecute the RBL for blocking their communications; however, in the end, it is up to the individual ISPs to decide which RBLs to use and how to interpret the results returned by the RBL.

Email Blacklist Check – See if your server is blacklisted
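The DNS mechanics behind an RBL lookup, as an added example that is not from the episode or from any RBL operator: the sender’s address is reversed and queried under the list’s zone, and an A record in 127.0.0.0/8 means “listed”. It assumes the Spamhaus ZEN return codes as documented by Spamhaus (verify against their current list before relying on them); the resolver is pluggable so the logic can be exercised without network access.

```python
"""DNS-based RBL lookup, the way a receiving mail server performs it.

Assumed (not from the episode): the ZEN return-code table below, taken from
Spamhaus's published documentation. Other RBLs use their own codes.
"""
import ipaddress
import socket

# Spamhaus ZEN combined zone: A record returned when the address is listed.
ZEN_CODES = {
    "127.0.0.2": "SBL (known spam source)",
    "127.0.0.3": "SBL CSS (low-reputation / snowshoe sender)",
    "127.0.0.9": "SBL DROP (hijacked or criminal netblock)",
    "127.0.0.10": "PBL (ISP-maintained end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}
ZEN_CODES.update({f"127.0.0.{n}": "XBL (exploited or trojaned host)"
                  for n in (4, 5, 6, 7)})


def rbl_query_name(ip, zone):
    """Build the DNSBL name: reversed IPv4 octets (or IPv6 nibbles), then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dns_resolver(name):
    """Real lookup: list of A records, or [] when the name does not exist (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_sender(ip, zones, resolve=dns_resolver):
    """Return {zone: [reasons]} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(rbl_query_name(ip, zone))
        if answers:
            codes = ZEN_CODES if zone.endswith("spamhaus.org") else {}
            hits[zone] = [codes.get(a, f"listed, code {a}") for a in answers]
    return hits


def mail_policy(hits):
    """Map hits to the action the answer above describes: reject, flag, or accept."""
    reasons = [r for rs in hits.values() for r in rs]
    if any(r.startswith(("SBL", "XBL")) for r in reasons):
        return "reject"
    if reasons:
        return "flag"    # PBL-only or an unknown code: accept but mark as suspect
    return "accept"


def lookup(ip, zones=("zen.spamhaus.org",), resolve=dns_resolver):
    """Convenience wrapper: (policy, hits) for one sending address."""
    hits = check_sender(ip, zones, resolve)
    return mail_policy(hits), hits


if __name__ == "__main__":
    # 127.0.0.2 is the conventional test entry that DNSBLs return as listed.
    print(lookup("127.0.0.2"))
```

The 127.0.0.x answers are signal codes, not routable addresses: any answer at all means “listed”, and the table only decides how hard to act on it.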


War Story:

Another in our continuing series of War Stories submitted by the other other Alan (Irish_Darkshadow)

This incident took place in mid-April 1999 about two months into my technical support career with the US Thinkpad desk. Despite my rocky start I had managed to establish a reputation for myself as an agent who liked to tackle the more difficult calls. In addition, I had also managed to avoid having a single customer “escalate” on me. That is where a user demands a superior or someone who knows more about their issue to take over the call. That all changed with a single call.

I arrived to work that day for my 16:30 to 01:30 shift and settled in to take my first call. It was a relatively easy one where the user had picked up their laptop from a servicer and was having boot problems. It turned out to be a simple case of the servicer having left a driver disk in the floppy drive. Top to bottom the call took about 13 minutes including typing up the documentation for it in our ticketing system. I sat in Avail on my phone for the next few minutes before my next call arrived.

Once I managed to get the initial greeting script out I was slammed with a guy screaming down the line about wanting to speak to a manager. I was resigned at this point to losing my “no escalation” record but I still needed to follow procedure and determine what grievance had the user so irate before putting a team lead or manager on the line with him. It took me a few mins to calm him down enough and to vent sufficiently for me to start gathering some information. It turned out that he had returned his laptop to IBM on three separate occasions in the first nine weeks he had owned it for various compatibility issues with 3rd party devices he had purchased. I could see his point of view perfectly in wanting an escalation and I placed him on hold to go look for someone in authority to help the guy out.

My team leader (TL) at the time was easily located and once I had explained the situation he decided to delegate the matter to his assistant team leader (ATL). I took her to my desk where she started speaking with the user and I strolled back to my TL to get some ribbing for my first customer escalation. Normally when a TL or ATL takes over a call it results in the user being placated in some manner or else the customer gets transferred to Customer Relations to be dealt with appropriately. Either way, once an agent handed off a call like that they simply waited for a resolution before taking the next call. No such luck this time. The ATL walked up to where I was standing and started to explain the situation to the TL and how the user had returned the machine three times with no faults found but he still could not get his 3rd party devices to work. Nothing too new there but then she dropped the bombshell that she had promised the user that I would troubleshoot the hardware issues for him immediately! This was unheard of, the customer had four devices that I had no familiarity with and this ATL had just thrown me under the frickin’ bus. I looked at the TL for some sanity to be brought to the situation but he had to acknowledge that the ATL had committed a course of action to the customer and I was going to have to pay for her generosity. Back to my desk I went whilst cursing the ATL, her lineage and any future offspring…..but in a harmless way 😀

Once I was back on the call with the user I started to gather some details on exactly what I was dealing with. The user had a Thinkpad 560 which is termed a “single spindle” machine in that it only had a hard drive within the chassis and no floppy or optical devices. The external floppy drive was attachable via an IBM proprietary connector and the machine was a Pentium 120 with 32mb RAM, a 2.1 Gb HDD and an IrDA 1.0 header.

Now that I had some idea of the core hardware I ventured into the realm of 3rd party peripherals that the user was struggling with. He had a backpack cdrom (parallel port optical drive), a PCMCIA modem, a PCMCIA network card and an HP printer that he wanted to connect to via Infrared. I knew I was screwed at that point but figured I couldn’t really make the problem worse since none of the hardware was operational anyway.

I began working with the backpack cdrom which was attached to the printer port. Windows 95 v2.1 was not detecting any new hardware once the drive was switched on. I tried the usual places like device manager for clues but all I could determine was that the parallel port appeared to be operational. I put the cdrom to the side and started working on the two PCMCIA cards. Despite the user having the proprietary CardMagic software installed that acted as a crutch to Windows 95 plug & play (*pray) neither card was detected and a pattern was beginning to emerge. The IR printer suffered from the same lack of detection and so I asked the user if he had any other device that we could attach to the laptop just to see if Windows was detecting anything at all. He connected up the external floppy drive and instantly it was detected and accessible in Windows Explorer. SHIT!!! My instincts were telling me that the OS was corrupted in some way and a reload was imminent and I hated having to do that to any user.

I sent an IM to the Team Leader to let him know that I was going to have to do a reload and he told me to stay on the call with the customer until the reload was complete and then resume working on the 3rd party hardware. As I was preparing the user for the reload I had a sudden realisation of how bad the situation really was. A single spindle machine comes with a specific reload solution where a user starts up Windows for the first time and they get prompted to insert floppy disks onto which the reload disk images will be “burned”. At first the customer didn’t recall any such prompt and I began to get a sinking feeling that I would need to have this laptop shipped to IBM for the 4th time just for a reload and then once it was returned to him, I would need to pick up with troubleshooting the 3rd party hardware. The user had a Eureka moment and told me that he believed that he had a shoe box with the floppy disks that had been in his office closet since the day he made them. He managed to locate the shoe box and the 37 floppy disks inside. 26 of those were the base OS and 11 were for the application layer.

I reckoned that the reload was going to take about two hours to complete which presented me with another challenge due to the team leader telling me to stay on the phone through to completion. One of the rules was that there should not be any dead silences during a tech support call so I was going to have to find a way to get this guy talking for the two hours in between me asking him about what was on the screen and how many disks he had left to go through. This was gonna be fun!

For the two hours of the reload, as the customer went through his 37 disks, I managed to lure him into topics like his job and prior computer experience and pretty much anything else I could come up with to keep things flowing. I was trying to hit on a topic that would allow for lots of conversation with minimal input from my side. It turned out that he was a Judge in NYC who handled criminal cases. The only common ground there is that I could explain to him that I loved My Cousin Vinny which I figured would not go down very well. Eventually he mentioned that his son was at soccer practice and he needed to arrange someone else to pick him up while we reloaded the laptop. That was my angle, I started talking to the guy about every possible soccer item that came to mind and the rest of the reload flew by without incident. I got him to go into the BIOS and I set up the parallel port and PCMCIA slots before dealing with Windows.

Once the operating system was back on there and up and running I got him to attach the backpack cdrom and I heard the detection sound over the phone. That meant I had at least found one issue and corrected it. Device manager showed the cdrom with an exclamation mark and it looked to me like this thing needed to be installed from a DOS perspective before it would work in Windows. He had a driver disk for the cdrom which I was able to get running in DOS mode so that it added the driver to the config.sys file and called it from the autoexec.bat file. A quick reboot later and the cdrom was usable from within Windows 95. Problem #2 solved. Time for the PCMCIA fun and games.

I decided to go with setting up the modem first as it would be easiest to test. Upon insertion the card was instantly detected and I was able to talk him through configuring it in the CardMagic application. He hooked it up to his fax line and was able to connect to his ISP at a staggering, no, blistering 28.8kbps! Either way, problem #3 solved.

The network card was up next and once more upon insertion it was detected and was able to find a driver on the backpack cdrom drive. There was no network near the user that I could test with but I was able to talk him through some ping tests and winipcfg.exe tests that implied the TCP/IP stack was operational and the bindings to the card were good. So we agreed to call that problem #4 solved. I felt that I was in the home stretch now and when I looked at the clock I realised that the call was coming up on three and a half hours already. Now it was time to get the printer operational.

The printer was able to print a self test page from the buttons on it and so it appeared to be working from a hardware perspective. I got the user to test it using the parallel port by removing the backpack cdrom and that was also successful. The problem came when trying to get the IR link to the printer to work. No matter what configuration I tried I just could not get a connection between the IrDA header on the laptop and that on the HP printer. The customer refused to believe that it was the printer and was adamant that the IrDA header on the Thinkpad was at fault. I was completely stuck for a way to prove otherwise. At some point during that desperation to come up with a troubleshooting idea after nearly four hours of work I hit upon an idea that made sense…at least to me. I asked the user to confirm what COM port the IrDA was configured as and then I had him connect to that COM port via the Hyperterminal application. My next request was a weird one, I asked him to get a remote from a TV or a VCR for me. He rummaged around for a while and then found one for some small TV he had in his office that was barely used. I asked him to point it at the IrDA header on the laptop and keep pressing random buttons on it while watching the hyperterminal window. He said that gibberish symbols came up in the window whenever he pressed a button on the remote. EUREKA! I had solved problem #5 by proving that the issue was with the IR port on the printer and not the one on the laptop. He agreed with my conclusion and he asked me if I would set up the printer on the parallel port so that he could just hook up a cable if he needed to. As we were going through the steps of hooking up the backpack to install the driver he told me that he got a blue and then a black screen. The text said “registry not found”. Apparently he had decided to pull out the PCMCIA cards while the LPT printer driver was installing and it had thrashed Windows.

My first attempt at a solution was a reboot into safe mode but that failed with the same error and I was only able to get the system to reboot into DOS mode. From there I backed up the existing registry files and restored the user.da0 and system.da0 clean registry files. When he booted back into Windows, we were back where things started….no hardware was detected once attached. EPIC USER FAIL!!!
With just over four hours on the timer, the whole procedure had to be done all over again. I asked the user if I could put him on hold and he agreed. Firstly I dealt with my bladder and then I went to the TL and told him what was happening and the sadistic bastard told me to go back with the user and see it through to completion. Fucker.

I got back onto the call and we started going through the whole process all over again from the ground up with one caveat – don’t do anything with the computer unless I authorised it. During the two hour reload portion of the call I got him to give me his AOL email address and I sent him a copy of a tool from the Microsoft site called E.R.U. (emergency recovery utility). This time around, once we had managed to get all of the hardware and software to where it needed to be and had done enough tests to convince us both that everything was operational, I ran the ERU application and made him store that recovery set in his shoe box of floppy disks. We exchanged pleasantries and parted ways. I checked the timer and 8 hrs 38 minutes had passed.

On an average day I would deal with twenty to twenty five calls in a single shift. On this day I managed a grand total of two calls with 1 pee break and no food as I hadn’t taken any of my breaks. However, I was able to leave the office two hours earlier than expected. That didn’t really help with my complete burnout after that long of a call but at least I had a new record for the longest tech support call in the history of the call center and that record still stands today as far as I know.

Try to get an 8hr plus support call in a current day call center. Aside from the focus on 7 minutes per call I doubt you will find the will and dedication to send a customer away satisfied with the experience.

And I never even got a medal but if I ever get into nefarious matters in NYC, I will be calling in a favour from a certain Judge I know there.

