StratFor – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand.

Microsoft Patents Exposed | Tech Talk Today 9
https://original.jupiterbroadcasting.net/60007/microsoft-patents-exposed-tech-talk-today-9/
Mon, 16 Jun 2014 09:29:53 +0000

The post Microsoft Patents Exposed | Tech Talk Today 9 first appeared on Jupiter Broadcasting.


Finally Microsoft’s patent war chest against Android has been revealed, and we dig in.

Plus Apple, Cisco, and AT&T join Microsoft in a pushback against US government overreach, Steam summer sale rumors, and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:


Show Notes:

— Headlines —

Apple, Cisco, AT&T join Microsoft in fight against global search warrant

Apple, Cisco and AT&T all filed amicus curiae briefs on Friday supporting Microsoft in its appeal of a decision requiring it to hand over data about an Irish customer to U.S. law enforcement officials. Verizon filed an amicus brief on Microsoft’s behalf on Tuesday.

In this case, U.S. magistrate judge James Francis IV decided that pursuant to the Stored Communications Act, Microsoft must provide law enforcement officials with the contents of an Irish customer’s email, which is stored on servers located in Dublin, Ireland. Microsoft and its peers argue the warrant defies both the Stored Communications Act and numerous international law constructs, including treaties the United States has in place with other countries — Ireland among them — regarding how to handle requests for data about each other’s citizens.

Chinese gov’t reveals Microsoft’s secret list of Android-killer patents

Microsoft has held to the line that it has loads of patents that are infringed by Google’s Android operating system. “Licensing is the solution,” wrote the company’s head IP honcho in 2011, explaining Microsoft’s decision to sue Barnes & Noble’s Android-powered Nook reader.

For the most part, they’ve remained secret. That’s led to a kind of parlor game where industry observers have speculated about what patents Microsoft might be holding over Android.

A list of hundreds of patents that Microsoft believes entitle it to royalties over Android phones, and perhaps smartphones in general, has been published on a Chinese language website.

The patents Microsoft plans to wield against Android describe a range of technologies.

They include lots of technologies developed at Microsoft, as well as patents that Microsoft acquired by participating in the Rockstar Consortium, which spent $4.5 billion on patents that were auctioned off after the Nortel bankruptcy.

The Chinese agency published two lists on a Chinese-language webpage.

The longer list is divided into three sections: 73 patents that are said to be “standard-essential patents,” or SEPs, implemented in smartphones generally, followed by 127 patents that Microsoft says are implemented in Android. The final section covers “non-SEP” assets, comprising 68 patent applications and 42 issued patents.

The lists include many newer and previously unrevealed patents, such as 8,255,379 “Customer Local Search,” 5,813,013 “Representing Recurring Events,” and 6,999,047 “Locating and tracking a user in a wireless network through environmentally profiled data.”

Steam Summer Sale – Start Date Leaked!

According to a leaked listing posted on NeoGAF, this year’s Steam Summer Sale will begin on June 19th and end on June 30th, a window of under two weeks.

None of these dates or listings have been confirmed. However, they do appear to coincide with recent posts on the Steam Developer Network and fit in with Valve’s International DOTA 2 Championship schedule. Other game sale sites such as GreenManGaming and GOG (Good Old Games) have also started massive clear-out sales and bundles.

— Security Update —

Massive security flaws allowed for Stratfor hack, leaked report reveals

In December 2011, a group of skilled hackers broke into the network of Strategic Forecasting, Inc. (Stratfor), compromising the personal data of some 860,000 customers, including a former U.S. vice president, CIA director, and secretary of state, among others.
The hackers, known collectively as AntiSec, exfiltrated approximately 60,000 credit card numbers and associated data, resulting in a reported $700,000 in fraudulent charges. Roughly 5 million internal emails were obtained by the hackers and later released by the whistleblower organization WikiLeaks as the “Global Intelligence Files.”

Based on confidential internal documents obtained by the Daily Dot and Motherboard, Stratfor employed substandard cybersecurity prior to the infiltration that left thousands of customers vulnerable to potential identity theft.

According to the documents, Stratfor engaged Verizon Business/Cybertrust to “conduct a forensic investigation” into the breach on Dec. 30, 2011.
In a 66-page report filed Feb. 15, 2012, Verizon concludes in painful detail that Stratfor had insufficient control over remote access to vital systems, and that those systems were not protected by a firewall and lacked proper file integrity-monitoring.

For starters, at the time of the attack, no password management policy existed within Stratfor. Passwords were at times shared between employees, and nothing prevented the same passwords from being used on multiple devices.

“Users commonly use the same password to access email as the password to remotely access a system containing sensitive information,” the report states.

According to Verizon, no anti-virus software had been deployed on any of the examined systems, which left Stratfor “wide open to not only the more sophisticated and customized hacker attempts, but also to other viruses.”

Another “significant factor” in the breach was the design of Stratfor’s e-commerce environment, which facilitated the electronic transfer of payments by its customers. According to the report, this system was accessible, needlessly, from anywhere within the company’s network, “as well as the Internet directly.”

UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat

Somewhere in China, a man typed his user name, “ghost,” and password, “hijack,” and proceeded to rifle the computers of a utility in the Northeastern U.S.

He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city’s heat, or make a pipeline explode.

That didn’t appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the U.S. charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.

UglyGorilla is one of many hackers the FBI has watched. Agents have recorded raids by other operatives in China and in Russia and Iran, all apparently looking for security weaknesses that could be employed to disrupt the delivery of water and electricity and impede other functions critical to the economy, according to former intelligence officials with knowledge of the investigation.

UglyGorilla’s surveillance sortie was one of dozens conducted on natural gas pipelines and electric utilities by People’s Liberation Army Unit 61398 over at least 14 months in 2012 and 2013, according to documents obtained by Bloomberg News and people involved in the investigations but who asked not to be named because they weren’t authorized to speak publicly.

Support Tech Talk Today creating DAILY PODCASTS

Hosts:

Chris:


NASA Hacked 5,400 Times? | TechSNAP 47
https://original.jupiterbroadcasting.net/17571/nasa-hacked-5400-times-techsnap-47/
Thu, 01 Mar 2012 20:20:13 +0000

The post NASA Hacked 5,400 Times? | TechSNAP 47 first appeared on Jupiter Broadcasting.


NASA loses the keys to the International Space Station, Microsoft can’t figure out what day it is, and I laugh myself to tears over the lack of security at Stratfor

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before the end of March to secure your own .co domain name for the same price as a .com.

Private Registration use code: march8

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

NASA laptop stolen, contained control algorithms for the International Space Station

  • In 2010 and 2011 NASA reported 5,408 computer security incidents, ranging from the installation of malware on a computer, through the theft of devices, to cyber attacks suspected to originate from foreign intelligence agencies
  • 47 incidents were identified as Advanced Persistent Threat (APT) attacks, and of these, 13 succeeded in compromising the agency’s computer systems
  • In one such incident, attackers using IP addresses based in China gained full access to a number of key JPL systems, giving them the ability to:
      • Modify, copy or delete sensitive files
      • Add, modify or delete user accounts for mission-critical systems
      • Upload hacking tools (keyloggers, rootkits) to steal user credentials and thereby compromise other NASA systems
      • Modify or corrupt the system logs to conceal their actions
  • Some of the breaches have resulted in the unauthorized release of Personally Identifiable Information, the disclosure of sensitive export-controlled data, and of 3rd-party intellectual property
  • Inspector General Testimony before Congress re: IT Security
  • Discovery News Coverage

Windows Azure suffers worldwide outage

  • The Microsoft Azure Cloud service was down for most of the day on February 29th
  • The Service Management system was down for over 9 hours
  • Azure Data Sync was down from 2012–02–29 08:00 through 2012–03–01 03:00 UTC
  • Microsoft says that the outage appears to have been caused by a leap year bug
  • “28 February, 2012 at 5:45 PM PST Windows Azure operations became aware of an issue impacting the compute service in a number of regions,”
  • “While final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year.”
  • Microsoft Azure Service Dashboard
  • The outage also affected the UK Government’s ‘G-Cloud’ CloudStore
  • TechWeek Europe Coverage
  • Slashdot Coverage – Outage Root Cause
  • PCWorld – Previous Microsoft problems with Leap Years
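The notes above only carry Microsoft’s one-line summary, a time calculation that was wrong for the leap year. The Python below is an added example, not Microsoft’s code and not from the episode, of the most common shape that class of bug takes: a “one year from now” expiry computed by bumping the year number, which yields the non-existent date 29 February 2013 when run on 29 February 2012. The certificate-validity framing is an assumption used to make the failure concrete.

```python
"""Added example: the classic leap-year date bug and its fix.

This is not Microsoft's code; the show notes only say the outage appeared to
come from a time calculation that was wrong for the leap year. The
'certificate valid-to' framing here is an assumption used to make the failure
concrete: many systems compute 'one year from now' by bumping the year number.
"""
from datetime import date


def naive_valid_to(issued: date) -> date:
    """Buggy: 'one year from now' by replacing the year number.

    Works 365 days of the year and raises ValueError on 29 February, because
    the following year has no 29 February.
    """
    return issued.replace(year=issued.year + 1)


def safe_valid_to(issued: date) -> date:
    """Correct: when the same calendar day does not exist next year, fall
    back to 28 February (the last valid day), so the computed expiry is
    always a real date."""
    try:
        return issued.replace(year=issued.year + 1)
    except ValueError:
        return issued.replace(year=issued.year + 1, day=28)


def valid_to_iso(issued_iso: str, compute=safe_valid_to) -> str:
    """Run one of the two calculations for an ISO date and report the result
    the way a service would see it: either an expiry date, or an error that
    stops the code path dead (the outage mode)."""
    issued = date.fromisoformat(issued_iso)
    try:
        return compute(issued).isoformat()
    except ValueError as exc:
        return "ERROR: " + str(exc)


def still_valid(issued_iso: str, now_iso: str, compute=safe_valid_to) -> bool:
    """Consumer side: is something issued on `issued_iso` valid at `now_iso`?"""
    issued = date.fromisoformat(issued_iso)
    now = date.fromisoformat(now_iso)
    return issued <= now < compute(issued)


if __name__ == "__main__":
    # A fleet that runs the naive version on 29 Feb fails everywhere at once,
    # the same way the notes describe Azure's compute service failing by region.
    for day in ("2012-02-28", "2012-02-29", "2012-03-01"):
        print(day, "naive:", valid_to_iso(day, naive_valid_to),
              "safe:", valid_to_iso(day, safe_valid_to))
```

The point to take away is the test that would have caught it: any date arithmetic that adds whole years or months needs a unit test pinned to 29 February, 31 January and similar boundary days, because the bug is invisible for the 1,460 days between leap days.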

Wikileaks releases the data stolen in the StratFor compromise


Feedback:

Q: Robert Bishop Writes: Can I Secure my network with multiple NAT routers to isolate a system?

War Story:

This is a war story with a difference, as it didn’t involve some crazy user doing some bat shit crazy thing with their computer. It was simply a call to one of the tech support agents where the user wanted to know the following:

“What is the exact chemical composition of the battery in the Thinkpad 760 XD?”
“What are the recommended disposal procedures for said battery?”
“Can you tell me what would happen to the battery if it ruptured in a vacuum environment?”
“If the battery were to overheat, how volatile would the liquid effluent be?”

I doubt the user could have even gotten the questions out and taken a breath before the agent put them on hold and ran for help. The agent walked over to the second level support area rather than call as per procedure. After a good five minutes of talking, nobody could really answer the questions and worse, we couldn’t figure out what part of the company might actually have those answers.

As with all good tech support strategies we decided a two pronged approach – the agent would get back on with the user and stall for time while the rest of us would frantically hunt down any possible source of information that could help. We told the agent to ask why the user needed such detailed information and if it was a weak answer to push for a callback to buy even more time.

Some twenty minutes later the agent came back over to us with some interesting details on what was going on. It was all a misunderstanding. The user was supposed to call some private support number at IBM and not the public number. Our enterprising young agent did pull a fast one and offer to transfer the user to the number directly. The user provided the number and the agent promptly connected the call, then hit mute and stayed on the line. An American accent answered, the user responded and provided an account code upon request.

The tech on the private number acknowledged that the user was calling from NASA – Blackhawk Technologies Subsidiary. Apparently the shuttle program had 4 of those laptops on each mission – 1 primary and 3 redundant backups just in case. Suddenly the tricky questions all made sense. And eavesdropping to kill curiosity can never be a bad thing, right?

Round Up:


NGINX vs Apache | TechSNAP 39
https://original.jupiterbroadcasting.net/15401/nginx-vs-apache-techsnap-39/
Thu, 05 Jan 2012 20:56:32 +0000

The post NGINX vs Apache | TechSNAP 39 first appeared on Jupiter Broadcasting.


How NGINX stacks up to Apache, and which server is right for the job!

PLUS: The EFF has raised a red flag over the new version of AOL’s instant messenger; we’ll share the details on how it’s logging your conversations and pre-loading your links.

All that and more, in this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:


Show Notes:

StratFor database full of incredibly weak passwords

  • A total of over 860,000 password hashes were released in successive leaks
  • Researchers at TheTechHerald were able to crack over 80,000 of the passwords in under 5 hours
  • To increase their success rate, TheTechHerald used existing word lists of common passwords, including those from the Facebook, MySpace, Singles.org, Hotmail, and Gawker database exposures
  • Horribly insecure passwords such as 123456, 11111111, qwerty, Robert, James, 19871987, etc. were found in great number
  • StratFor and its customers should have been using far more secure passwords; this should have been enforced by basic password policies that reject passwords shorter than 9 characters and passwords with insufficient entropy (not enough unique characters, no non-alphabetic characters, etc.)
  • While StratFor failed to force its customers to use strong passwords (in fact, it allowed single-character passwords), and failed to hash those passwords properly, the leak still shows a surprising lack of password management skills on the part of the users
  • Due to the weak hashing (a single round of plain MD5, with no salt), even passwords up to 10 characters were cracked in great numbers
  • Many of the users of the StratFor system were from organizations and institutions that are considered high security, and from which you would expect better password behaviour
  • Full research methodology and breakdown
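To make the two points above concrete, the following is an added example, not TheTechHerald’s tooling and containing no data from the leak: a constructed user table hashed the way the notes say StratFor hashed it (one round of unsalted MD5), a toy wordlist standing in for the public password dumps, and the basic policy check that would have rejected most of the recovered passwords. The usernames, passwords and wordlist are all made up here.

```python
"""Added example (not TheTechHerald's tooling, and no data from the leak):
why single-round unsalted MD5 plus weak passwords is cracked in minutes, and
the basic policy check that would have rejected most of those passwords.

Everything below is constructed: a handful of users with passwords of the
kinds named in the show notes, hashed exactly the way the notes say StratFor
did it, and a toy wordlist standing in for the public password dumps.
"""
import hashlib
import string
from itertools import product

# Stand-in for the Facebook/MySpace/Gawker-style wordlists the researchers used.
WORDLIST = ["123456", "11111111", "qwerty", "password", "robert", "james",
            "19871987", "letmein", "stratfor", "abc123"]

# Constructed user table. The cracker is only ever handed the hashes.
_SIMULATED_USERS = {
    "alice": "123456",
    "bob": "Robert",
    "carol": "19871987",
    "dave": "Tr0ub4dor&3x",   # 12 chars, mixed classes: survives this attack
    "erin": "qwerty",
    "frank": "a",             # single-character password, which the site allowed
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def leaked_table() -> dict:
    """What an attacker gets from the dump: user -> unsalted md5(password)."""
    return {user: md5_hex(pw) for user, pw in _SIMULATED_USERS.items()}


def mangle(word: str):
    """Cheap rewrite rules a cracker applies to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2011"):
        yield word + suffix


def crack_unsalted_md5(hashes: dict, wordlist) -> tuple:
    """With no salt, one hash computation tests a candidate against EVERY user
    at once: index the dump by hash, then walk the candidates. Returns
    (user -> recovered password, number of hashes computed)."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found, computed = {}, 0
    # Phase 1: wordlist plus mangling rules.
    for word in wordlist:
        for cand in mangle(word):
            computed += 1
            for user in by_hash.get(md5_hex(cand), ()):
                found[user] = cand
    # Phase 2: exhaust every 1- and 2-character alphanumeric password, which a
    # policy that allowed single-character passwords makes worthwhile.
    alphabet = string.ascii_letters + string.digits
    for length in (1, 2):
        for combo in product(alphabet, repeat=length):
            computed += 1
            cand = "".join(combo)
            for user in by_hash.get(md5_hex(cand), ()):
                found[user] = cand
    return found, computed


def violates_policy(pw: str, min_len: int = 9, min_unique: int = 5) -> list:
    """The basic policy the notes call for: length, enough distinct
    characters, and at least one non-alphabetic character. Returns the list
    of reasons a password is rejected (empty means it passes)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if len(set(pw)) < min_unique:
        reasons.append("too few unique characters")
    if pw.isalpha():
        reasons.append("letters only")
    return reasons


if __name__ == "__main__":
    found, computed = crack_unsalted_md5(leaked_table(), WORDLIST)
    print("cracked %d of %d users with %d hash computations"
          % (len(found), len(_SIMULATED_USERS), computed))
    for user, pw in sorted(found.items()):
        print("  %-6s %-10s policy would reject: %s" % (user, pw, violates_policy(pw)))
```

The number to notice is the hash count: five of six constructed users fall to fewer than 4,000 MD5 computations in total, because without a salt every computation is checked against the whole table at once. Scale the wordlist up to the public dumps the researchers used and the 80,000-in-five-hours figure stops being surprising.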

EFF warns users about privacy issues with the new AIM chat client

  • The EFF is warning users not to upgrade to the latest version of the AOL Instant Messenger client due to some disturbing changes
  • The new client logs all conversations by default; worse, the logs are stored on AOL’s servers. The goal of this feature is to have your chat history follow you from device to device, but it has serious security and privacy implications, as well as legal implications if such logs are subpoenaed by law enforcement. With instruments such as ‘National Security Letters’, the government can gain access to those logs, and AOL may be prevented from warning you that your private IM chats are no longer private
  • The AIM client also scans all chat sessions for links and pre-loads them. While this seems like a handy feature, it is definitely a security issue, and also a privacy issue, as AOL now has a list of URLs you are likely to have visited. The EFF also pointed out to AOL that the links may contain private authentication information, or be one-time-use links such as activation or unsubscribe links, which if prefetched could have unintended consequences, to the befuddlement of the users
  • Once you have logged in once with the new version, your account is opted in to the logging option without your knowledge or consent, and there is currently no way to disable logging
  • IM is one of the most popular methods of spreading browser-borne infections, because of users’ propensity for clicking links shared by their friends. These viruses then repeat the link to everyone on your contact list, spreading further and damaging your credibility
  • AOL has agreed to examine the EFFs recommendations

Lilupophilupop SQL Injection attack spreading rapidly

  • The lilupophilupop SQL injection attack, originally identified by researchers at SANS ISC in early December when it had infected a few thousand websites, has now spread to over a million sites
  • The attack targets sites based on Microsoft’s IIS/ASP architecture with MS SQL
  • The goal of the attack is to hijack traffic, redirecting visitors to the victim website to pages for fake AV and other scareware
  • Such an attack could further compromise the visitors machine if it were to take advantage of the known Java and Flash exploits that surface on a regular basis

Nginx overtakes Microsoft as No. 2 Web server

  • NGINX, the BSD-licensed high-performance web server, has taken the number two spot from Microsoft for the most active websites
  • While IIS is used on 84 million sites, to NGINX’s 56 million, when you consider only active sites both come in at 22 million domains, with NGINX edging out IIS by less than a hundred thousand
  • NGINX was also the only major web server experiencing growth during the January survey
  • The Netcraft survey queried 582 million sites for January, and considered 175 million of those to be active
  • Netcraft Survey – January 2012

Feedback:

Q: Apache vs. nginx?
A: NGINX and Apache both have their strengths and weaknesses, and therefore each has their place depending what your requirements and goals are.

NGINX is fast and light, designed to serve static content as quickly as possible. Out of the box, it lacks the ability to do any type of interpretation or CGI. NGINX is however a great load balancer, with the ability to handle requirements such as ‘sticky’ backends, last-resort backends, and weighted (unfair) load balancing. NGINX is event driven, so it uses a small number of single-threaded workers, which allows it to easily meet the C10K requirement (10,000 concurrent clients) using only about 10 MB of RAM.

Apache is far more powerful and versatile. Apache has a number of different ‘MPMs’ (Multi-Processing Modules). The most common is prefork, where Apache starts a number of worker processes that then wait for incoming client connections. When the number of idle workers gets too low, Apache starts more, in an attempt to ensure that there is always a worker ready to handle the next request rather than making that user wait while a worker starts up. The issue with this approach is that each worker must load all of the capabilities of the web server, for example PHP and WebDAV. This means that even a worker which is only going to serve a simple image requires the memory and resources of a worker that is processing a much more complex request. There is a limit to how many workers can be running at once, due to limited resources on the machine such as RAM. If the Apache MPM is not tuned with a proper MaxClients setting to limit the number of workers that are started, the server can quickly enter ‘swap death’, constantly paging memory in and out of swap to try to service the requests, which slows the rate at which requests can be served and further increases the number of pending requests. Also, an Apache worker is not free to start work on the next request until the client has received the response and closed the connection. This means that ‘keep alive’ connections, which are a great performance improvement, can also reduce the available capacity of the server, as many workers are tied up simply waiting to see if there will be an additional request.

NGINX is however not incapable of dealing with things like PHP. NGINX is designed as a reverse proxy, allowing it to pass off requests that it cannot handle itself to the appropriate server that can. For most cases there are two major options. The first is FastCGI, which works much like the Apache mechanism described above: a number of PHP, Perl or other processes are preforked and wait to answer requests; the major difference is that these workers never receive simple requests for things such as images, since NGINX handles those internally. The other option is to proxy the requests to another server, such as an Apache server, which then handles the more complex requests. An advantage of this solution is that NGINX receives the response from Apache (usually over localhost or an internal LAN) very quickly, freeing that Apache worker for the next request, while NGINX handles returning the response to the client at little to no cost due to its event-driven nature.

Some notable shortcomings of NGINX: for performance and security reasons, NGINX does not support .htaccess files, so all configuration must be done in the server config file. Extensive rewrite rules are possible, but are written in a very different format from standard Apache mod_rewrite rules. At the time of this episode there were no web hosting control panels that supported NGINX.

While both servers are very useful, if you need versatility or a generalized solution, value ease of use, or have to support many customers, Apache is likely the better solution. If you have a very busy site and need to get the most out of your hardware, NGINX is quite likely the right solution for you. Even just placing NGINX in front of your Apache server can greatly increase performance.

Q: Common Questions!

We would love to answer common sysadmin questions, in fact, that is what I am doing right now :p. Just send them in to techsnap@jupiterbroadcasting.com and we’ll try to keep throwing knowledge at you. Developer questions are a bit more complicated, neither Chris nor I are developers, although we can answer a lot of DevOps questions. Send it in anyway, and we’ll see if we can come up with an answer for you.

Server-too-busy pages, such as the fail whale, are static, and so require little to no resources to return to the user. If you are using a server like NGINX, you can serve thousands of fail whale pages per second from a laptop without issue. Most sites big enough to need an ‘overloaded’ page have a dedicated set of web servers or load balancers in front of the actual application servers that run the site, and it is these front-end servers that return the overloaded page when they cannot find a backend server that is available to serve the user’s request.

For your second question, you’ll need to be more specific. Email us back with a use case, and I’ll try to walk you through some potential solutions.

Roundup:


Unsafe Wifi | TechSNAP 38
https://original.jupiterbroadcasting.net/15256/unsafe-wifi-techsnap-38/
Thu, 29 Dec 2011 19:09:08 +0000

The post Unsafe Wifi | TechSNAP 38 first appeared on Jupiter Broadcasting.


A major implementation flaw in protected Wifi has been found, we’ll share the amazing details.

Also: A federally contracted think tank suffered a major breach this week, with needy charities being caught in the fall out!

Plus our end of year sign off, and so much more, in this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Breaking

New York Times subscriber list may have been compromised

  • This story was first reported minutes before the recording of this episode of TechSNAP, so further information and verification were not possible
  • An email was sent to users asking them to reconsider cancelling their home delivery subscription
  • The email seems to have been targeted at anyone with a NYTimes.com account, not just current home delivery subscribers
  • Some people who received the message say that the NYTimes was the only 3rd party that had their email address
  • The email appears to have a correct DKIM signature, meaning it was signed with the private key of the email.newyorktimes.com domain
  • The email was sent via Epsilon Interactive, a mass emailing company that has previously been compromised
  • NYTimes First Responses: Blog.NYTimes.com Twitter
  • Email Headers
  • It is unclear if the email was the result of the compromise of Epsilon’s servers (and the NYTimes private key), or was accidentally sent to all subscribers instead of the intended subset
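The observation above, that the message carried a correct DKIM signature for email.newyorktimes.com, is worth unpacking: a valid signature proves only that whoever held that domain’s private key signed the message, which is exactly why the leaked-key versus mis-sent-mailing question is still open. The Python below is an added example, not part of the episode or of the NYTimes investigation, that reads a DKIM-Signature header the way a verifier does before it fetches the key. The header is constructed; only the signing domain comes from the notes, and the selector `demo` and the bh=/b= values are placeholders.

```python
"""Added example (not part of the episode or of the NYTimes investigation):
what a 'correct DKIM signature' does and does not tell you, by reading the
DKIM-Signature header the way a verifier does before it fetches the key.

The header below is constructed for the demo. Only the signing domain
(email.newyorktimes.com) comes from the show notes; the selector 'demo' and
the bh=/b= blobs are placeholders, not real values.
"""
import re

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")   # RFC 6376 section 3.5

# Constructed header value, folded across lines as a mail client displays it.
SAMPLE_HEADER = """v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=email.newyorktimes.com; s=demo; h=from:to:subject:date;
 bh=Y29uc3RydWN0ZWQgYm9keSBoYXNoIHBsYWNlaG9sZGVy=;
 b=Y29uc3RydWN0ZWQgc2lnbmF0dXJlIHBsYWNlaG9sZGVy"""


def parse_dkim_signature(value: str) -> dict:
    """Split the tag=value list. Folding whitespace inside a value is not
    significant, so it is stripped; duplicate or missing required tags make the
    signature invalid before any cryptography happens."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: %s" % ",".join(missing))
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM version %r" % tags["v"])
    return tags


def is_well_formed(value: str) -> bool:
    try:
        parse_dkim_signature(value)
        return True
    except ValueError:
        return False


def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record the verifier fetches for the public key.
    Whoever holds the matching private key can produce 'correct' signatures,
    which is why the notes ask whether that key leaked."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def signed_headers(tags: dict) -> list:
    """Headers covered by the signature; anything not listed here can be
    altered in transit without breaking the signature."""
    return [h.strip().lower() for h in tags["h"].split(":") if h.strip()]


def from_is_aligned(tags: dict, from_domain: str) -> bool:
    """A valid signature proves the holder of the d= key signed the message.
    It only vouches for the visible sender if the From: domain is the signing
    domain or shares a parent/child relationship with it (an approximation of
    the relaxed alignment rule DMARC later standardised)."""
    d, f = tags["d"].lower(), from_domain.lower()
    return f == d or f.endswith("." + d) or d.endswith("." + f)


if __name__ == "__main__":
    t = parse_dkim_signature(SAMPLE_HEADER)
    print("key record to fetch:", key_record_name(t))
    print("signed headers:     ", signed_headers(t))
    print("From: newyorktimes.com aligned?", from_is_aligned(t, "newyorktimes.com"))
```

Actual verification would fetch the TXT record named by `key_record_name`, canonicalise the listed headers and body per the `c=` tag, and check the RSA signature in `b=`; that needs DNS and a key, so it is left out here. The header-level checks alone already tell an investigator which key to ask about and whether the signing domain even vouches for the From: address.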

WiFi Protected Setup (WPS) flaw exposes millions of devices to trivial attack

  • WPS was created to allow users to more easily setup secure wireless networks
  • WPS uses either an 8-digit PIN, or a ‘push to connect’ button on both the AP and the client device
  • This security vulnerability specifically targets the 8-digit PIN
  • An 8-digit PIN nominally gives a key space of 10^8 (100 million) PINs
  • However, the last digit of the PIN is actually a checksum, used to detect typographic errors, so only 10^7 of those PINs are valid
  • The attack exploits a flaw in WPS where the attacker can tell, from the AP’s response to a failed attempt, whether the first 4 digits of the PIN matched
  • This lets the attacker find the first half and the second half separately; combined with the last digit being a checksum, it narrows the search to at most 10^4 + 10^3 (11,000) attempts
  • Even this key space should be enough to keep attackers out, but it was discovered that many devices do not implement any type of failed-login lockout, making brute-force attacks much easier and faster
  • It was also observed that rapid brute-force attempts seemed to have a Denial of Service effect on the targeted AP, exhausting its processor time responding to the authentication requests
  • Affected vendors include: Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXEL
  • As of yet, there have been no new firmware offerings to resolve this issue
  • DD-WRT does not support WPS, so it is not vulnerable
  • To work around the problem, disable WPS on your AP, or if it is supported, set a long lockout time for failed attempts
  • Technical Details
  • Vulnerability Announcement
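The 11,000 figure above follows from two facts: the checksum digit is computable, and the AP answers about each half of the PIN separately. The Python below is an added example, not the researchers’ tool, that implements the WPS checksum and runs the two-phase search against a simulated access point. The `SimulatedAP` class only models the response behaviour the notes describe (early rejection of a wrong first half, optional lockout); it is not a real device or the real EAP exchange.

```python
"""Added example (not the researchers' tool): why an 8-digit WPS PIN collapses
to at most 11,000 guesses.

The access point below is a simulation of the behaviour the show notes
describe: it reveals whether the first half of the PIN was correct before the
second half is checked, and (unless told otherwise) never locks out. It is not
a real device or the real EAP message exchange.
"""


def wps_checksum(first7: str) -> int:
    """Checksum digit the WPS spec appends to the 7 chosen digits: positions
    1, 3, 5 and 7 are weighted by 3, the rest by 1, and the checksum makes the
    total a multiple of 10."""
    acc = 0
    for i, ch in enumerate(first7):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


class SimulatedAP:
    """Models the flaw: a wrong first half is rejected early (after M4), a
    wrong second half only later (after M6), so each half is confirmed on its
    own. `lockout_after` models the failed-attempt lockout most routers lacked."""

    def __init__(self, pin: str, lockout_after: int = None):
        assert is_valid_pin(pin), "AP PIN must carry a valid checksum"
        self._pin = pin
        self.lockout_after = lockout_after
        self.attempts = 0
        self.failures = 0
        self.locked = False

    def try_pin(self, guess: str) -> str:
        """Returns 'locked', 'fail_first_half', 'fail_second_half' or 'ok'."""
        if self.locked:
            return "locked"
        self.attempts += 1
        if guess[:4] != self._pin[:4]:
            result = "fail_first_half"
        elif guess[4:] != self._pin[4:]:
            result = "fail_second_half"
        else:
            return "ok"
        self.failures += 1
        if self.lockout_after and self.failures >= self.lockout_after:
            self.locked = True
        return result


def brute_force(ap: SimulatedAP):
    """Recover the PIN in two phases. Returns the PIN, or None if locked out."""
    # Phase 1: the first 4 digits, at most 10^4 guesses. The second half sent
    # here is arbitrary; only the first-half verdict matters.
    first = None
    for n in range(10_000):
        guess = "%04d" % n
        result = ap.try_pin(guess + "0000")
        if result == "locked":
            return None
        if result == "ok":
            return guess + "0000"
        if result == "fail_second_half":
            first = guess
            break
    # Phase 2: 3 free digits plus the checksum we can compute ourselves, so at
    # most 10^3 guesses instead of 10^4.
    for n in range(1_000):
        tail = "%03d" % n
        pin = first + tail + str(wps_checksum(first + tail))
        result = ap.try_pin(pin)
        if result == "locked":
            return None
        if result == "ok":
            return pin
    return None


if __name__ == "__main__":
    ap = SimulatedAP("12345670")          # a valid PIN: checksum digit is 0
    print("recovered:", brute_force(ap), "after", ap.attempts, "attempts")
    ap = SimulatedAP("12345670", lockout_after=3)
    print("with lockout:", brute_force(ap), "after", ap.attempts, "attempts")
```

The second run shows why the suggested workaround works: with even a short lockout the search dies after a handful of attempts, and a real attacker is left waiting out the lockout window for each batch, which turns minutes into days. Disabling WPS removes the PIN path entirely.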

GSM Phones vulnerable to hijacking

  • Security researcher Karsten Nohl, known for his research into exploiting GSM to tap/eavesdrop on mobile phone calls, is set to present new research that he says allows an attacker to impersonate your phone, making calls and sending text messages to expensive premium services operated by the attacker
  • Such attacks are commonly executed against corporate land-line PBX systems: breaking into the system, placing expensive per-minute calls, collecting large sums of money, and then disappearing before the victim gets their next phone bill and notices the problem
  • In the days of dialup, computer viruses that caused your computer to make similar expensive phone calls in the middle of the night were also fairly common
  • The vulnerability only affects the older 2G GSM network; however, almost all phones still support GSM as a fallback when newer 3G networks are not available
  • “We can do it to hundreds of thousands of phones in a short time frame,” Nohl told Reuters
  • Security Research Labs (the company Nohl works for) runs a website where they rank the various mobile providers based on their ease of Impersonation, Interception and Tracking
  • “None of the networks protects users very well,” Nohl said.
  • SRLabs plans to release data collection software, allowing users to participate in data collection to grow and improve the database
  • SRLabs’ research is focused on Europe and did not review any North American telcos

Anonymous claims responsibility for compromise of StratFor website, releases customer information via pastebin

  • The website of US security think tank Strategic Forecasting Inc (Stratfor) was compromised by attackers under the banner of the Anonymous movement
  • Other members of Anonymous stated that the attack was not an official operation, and that because Stratfor is a media source, it is protected by freedom of the press, a highly valued principle in the Anonymous movement
  • The pastebin posts are only flagged as #antisec and #lulzxmas, and may have been falsely attributed to Anonymous by the media
  • Stratfor has suspended the operation of its website and email
  • The attackers have obtained the credit card details, passwords, and addresses of 4000 of Stratfor’s private clients
  • The attackers claimed to have stolen 200GB of data, including emails and research
  • The goal of the #lulzxmas campaign was apparently to make 1 million dollars in donations to charities using stolen credit cards
  • Other Twitter posts claim the total number of stolen credit cards was in excess of 90,000. Of these, two lists containing 3956 and 13,191 items respectively have been published
  • The data is said to include the CVV values for the credit cards. PCI-DSS forbids storing the CVV after authorization specifically for this reason: when a database is compromised, the CVV is NOT disclosed, so online stores that require the CVV can still prevent fraud with the stolen numbers
  • It also appears that the users’ passwords were stored in plain text. The data released via pastebin had the passwords MD5 hashed, but even if that is how they were stored in the database, plain MD5 is insufficient protection for stored passwords
  • Most of these funds will likely be charged back, actually costing the charities money
  • Stratfor describes itself as a provider of strategic intelligence for business, economic, security and geopolitical affairs
  • Stratfor said that they were working with law enforcement to attempt to apprehend the attackers
  • “Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me,” wrote Mr. Friedman (Chief Executive of Stratfor) in an email to clients
  • “Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications,”
  • Purported Client List
  • Client Details
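The point made above, and again in the TechSNAP 39 notes on the cracked StratFor hashes, is that MD5 on its own is insufficient for stored passwords. The Python below is an added example, not StratFor’s code and with constructed users and passwords, of the storage format that changes the economics of a leaked table: a per-user random salt, so a candidate password has to be hashed again for every user rather than once for the whole dump, and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), so each of those attempts costs tens of thousands of hash operations instead of one. The iteration count is lowered in the demo run purely for speed.

```python
"""Added example (not StratFor's code; users and passwords are constructed):
what it means that MD5 hashing is insufficient, and the storage format that
changes the economics of a leaked table.

Two properties matter: a per-user random salt, so a candidate password has to
be hashed again for every user instead of once for the whole dump, and a
deliberately slow key-derivation function, so each of those attempts costs
tens of thousands of hash operations instead of one.
"""
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 100_000   # production setting; the demo uses fewer for speed


def hash_password(password: str, salt: bytes = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, stored in a self-describing
    string so the parameters can be raised later without breaking old rows."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing side channel does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        raise ValueError("unrecognised stored hash format")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm %r" % algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_store(users: dict, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """What the database holds: user -> salted, stretched hash."""
    return {u: hash_password(p, iterations=iterations) for u, p in users.items()}


def dictionary_attack(store: dict, wordlist) -> tuple:
    """The attacker's view of a leaked salted table: no lookup table is
    possible, so every (user, candidate) pair costs a full PBKDF2 run.
    Returns (user -> recovered password, number of PBKDF2 evaluations)."""
    found, evaluations = {}, 0
    for user, stored in store.items():
        for cand in wordlist:
            evaluations += 1
            if verify_password(cand, stored):
                found[user] = cand
                break
    return found, evaluations


if __name__ == "__main__":
    # Constructed users; iterations lowered so the demo runs in well under a second.
    store = build_store({"alice": "123456", "bob": "Tr0ub4dor&3x"}, iterations=2_000)
    print(store["alice"])
    found, evals = dictionary_attack(store, ["qwerty", "123456", "password"])
    print("found:", found, "after", evals, "PBKDF2 evaluations")
```

Salting and stretching do not rescue a password like 123456: it still falls on the second guess. What changes is the cost of everything else, since each of the 860,000 users in a leak of this size would need the whole wordlist run again at 100,000 SHA-256 operations per candidate, instead of a single MD5 per candidate shared across the entire table. A password policy is still needed for the first problem; proper storage handles the second.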

Round Up:
