Show Notes: linuxactionnews.com/130

The post Linux Action News 130 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Malware hosted in your browser

• Last show, we talked about malware, blocking it via URLs, and malware which spoofs the domain names, thereby bypassing many URL-based filters.
• This show, we have an instance of malware which completely defeats all of the above, in a very simple and clever way.
• A common way to steal credentials is hosting a webpage which looks a lot like the real thing. Google, Facebook, Paypal, etc are all targets of this. It is simple to do. Just throw up a web page, and start directing people to it.
• Lots of ways to defeat this with conventional tools
• This method bypasses all those tools
• Tom Scott tweeted about malware he received via email.
• when you click on the link, you get what appears to be a Google Login page.
• The URI is of the form: data:text/html,https…… lots of spaces <script src=date:text/html;…. etc
• However, it is hosted entirely within your browser
• Matt Hughes reportrd that Andriod actually tries to autofill his Google account credentials on that data URI
• This has been around at least a year, and was written about by linkcabin
  spoofs the login page by hosting it in your browser.
• Suprisingly common and is often using to phish Google or Paypal

Bug Bounty – GitHub Enterprise SQL Injection

• This story involves responsible research and disclosure by Orange Tsai
• GitHub Enterprise is the on-premises version of GitHub.com that you can deploy a whole GitHub service in your private network for businesses
• You can get 45-days free trial and download the VM from enterprise.github.com.
• Code is downloaded, configured, and observations begin.
• GitHub uses a custom library to obfuscate their source code. If you search for ruby_concealer.so on Google, you will find a snippet in a gist.
• The first two days are getting the VM running etc.
• Day 3-5 are learning Rails by code reviewing.
• On 6, an SQL Injection is found

Feedback:

• Hiring senior sysadmins who listen to TechSNAP and BSDNow

War Story:

• Broken out-going mail from cellphone

Round Up:

• BSDCan Call for Papers
• PGCON Call for Papers
• FTC Sues D-Link Over Insecure Routers, Cameras
• TV anchor says live on-air ‘Alexa, order me a dollhouse’ – guess what happens next

The post Internet of Voice Triggers | TechSNAP 302 first appeared on Jupiter Broadcasting.

The US Government is offering free penetration tests, with a catch, we break down the VTech Breakin & the only sure way to protect your credit online.

Plus great questions, a big round up with breaking news & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

• TechSNAP SWAG for the Holidays

— Show Notes: —

Department of Homeland Security giving “critical infrastructure” firms free penetration tests

• “The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).”
• It seems like big banks and oil companies could afford to pay for such services, but, at least the penetration tests are happening
• “KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.”
• “DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.”
• “The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.”
• “The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.”
• “The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws. DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).”
• Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans)
• More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent)
• RVA phishing emails resulted in a click rate of 25 percent.
• 46% of RVAs resulted in an EASILY GUESSABLE CREDENTIALS finding
• “I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation come from the energy and financial services industries — with the latter typically at regional or smaller institutions such as credit unions”
• Asking the penetration testing industry what it thought about the DHS offering a free service, Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product said: “DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies”
• “Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability”
• “Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations”
• But what about previously unknown vulnerabilities found by DHS examiners? “This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.
• Alan Paller, director of research at the SANS Institute sees a potential problem
• “The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”
• I can definitely see this being used as an excuse to spend LESS on network security

Break at VTech (toy manufacturer) exposes pictures and chatlogs of millions of children and parents

• “The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids”
• “What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard”
• “This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online, which allows users to check if their emails and passwords have been compromised in any publicly known hack”
• “The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment”
• VTech told Motherboard: “We were not aware of this unauthorized access until you alerted us”
• “On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database”
• “On Friday, I asked the hacker what the plan was for the data, and they simply answered, “nothing.” The hacker claims to have shared the data only with Motherboard, though it could have easily been sold online.”
• “When pressed, VTech did not provide any details on the attack. But the hacker, who requested anonymity, told Motherboard that they gained access to the company’s database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website’s forms, tricking it into returning other data”
• Related: Motherboard: The histroy of SQL injection, the hack that will never go away
• “The passwords were not stored in plaintext, but “hashed” or protected with an algorithm known as MD5, which is considered trivial to break”
• It is not clear if they mean plain MD5 or md5crypt (the former being REALLY bad)
• “Moreover, secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account”
• Also, “VTech doesn’t use SSL web encryption anywhere, and transmits data such as passwords completely unprotected”, so breaching the database might not even be strictly necessary to gain access to the information
• Additional Coverage: Motherboard followup
• Additional Coverage: ZDNet
• Additional Coverage: TheRegister
• Related: Researcher claims to have hacked “Hello Barbie” toys

Why putting a preemptive freeze on your credit profile is better than credit monitoring

• “Krebs has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.”
• “Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.”
• “But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.”
• “These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”
• “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”
• Related: Krebs: FAQ on Credit File Freezes
• Additional Coverage: Krebs: OPM Credit Monitoring vs Freeze
• One of the things that stops working once you put a security freeze on your credit file, is credit monitoring
• A Krebs reader wrote in: “I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”
• “This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”
• “Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file after you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.”
• Lifting a freeze to enable credit monitoring is like….
  • installing flash to watch a flash video about the evils of flash
  • leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors
  • taking your gun off safety to check and see if it’s loaded
• Additional Coverage: Credit monitoring used to secretly track ex-wife’s financial moves
• “Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.”

Feedback:

• Proxmox and ZFS

• Autofs and cifs

• ZFS/BSD/QNAP

• Which BSD? // Slexy 2.0

Round Up:

• Large Systems Administrators Conference: It Was Never Going to Work, So Let’s Have Some Tea
  
• OpenSSL Security Advisory — 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh released. Reminder: 1.0.0t and 0.9.8zh are EoL December 31, 2015
• Sneaky Microsoft renamed its data slurper before sticking it back in Windows 10
• HGST releases new 10TB spinning disks
• Popular Google Chrome extensions are constantly tracking you per default
• “PortFail” exposes VPN users’ real IP addresses
• FTTH last-mile through your water pipes – in photos
• Security Advisory: Remote exploitation of an information disclosure vulnerability in Oral B’s Triumph Toothbrush 9900 with SmartGuide management system allows attackers to obtain sensitive information
• Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint
• The wrong way to use passwords
• Drug Pump Maker Denies Security Patch to Researcher Who Found Vulnerabilities
• Fans trying to buy Adele tickets are presented with other customers data, apparently because the system was ‘overloaded’
• Lenovo patches serious vulnberabilities in its PC system update tool
• More than 900 different devices found to have the same SSH host keys
• Detecting malware through DNS queries: a Kali Pi / Snort project
• Pulling off arbitrary code execution in Super Mario World
• 3 Attacks on Cisco TACACS+: Bypassing the Cisco’s auth
• A device that knows your next amex card number before you do. Renewed/replaced Amex card numbers are predictable if you know your previous number
• the Soviet Union’s KGB developed software to predict sneak attacks from the U.S., which almost triggered a war In 1983
• I’ve build my own crypto system…

The post SpyFi Barbie | TechSNAP 243 first appeared on Jupiter Broadcasting.