stuxnet – Jupiter Broadcasting

Spy Tapes | TechSNAP 340

chris — Thu, 12 Oct 2017 16:33:13 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

The Ethics of Running a Data Breach Search Service

HIBP – have i been pwned?

Is the NSA Doing More Harm Than Good in Not Disclosing Exploits?

Post a boarding pass on Facebook, get your account stolen

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets

See also Israel hacked Kaspersky, then tipped the NSA that its tools had been breached

Feedback

Round Up:

The post Spy Tapes | TechSNAP 340 first appeared on Jupiter Broadcasting.

OPM Data too Valuable to Sell | TechSNAP 219

chris — Thu, 18 Jun 2015 17:58:20 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Kaspersky labs has been hacked, we’ll tell you why it looks like a nation state was the attacker, why OPM data is too valuable sell & the real situation with LastPass.

Plus some great questions, our answers & a rocking round up.

All that and much, much more on this week’s TechSNAP!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Kaspersky Lab hacked

“Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, “We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploded several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.“”
“The firm dubbed this attack Duqu 2.0. It’s named after a specific series of malware called Duqu, which was considered to be related to the Stuxnet attack that targeted states like Iran, India, France, and the Ukraine in 2011.”
“The post went on to say that it was not wise to use an advanced never-before-used technology to spy on a firm. For one, Kaspersky sells access to a great deal of its technologies, so this group could have just paid for it. Also, in its attempt to infiltrate Kaspersky, it clued the company into the next generation spying technologies hackers are developing.”
“”They’ve now lost a very expensive technologically-advanced framework they’d been developing for years,” the post explained.”
“In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.”
“From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.”
Blog: Kaspersky statement on Duqu 2.0 attack
Research: The mystery of Duqu 2.0
Research: The Duqu 2.0 persistence module

U.S. Office of Personnel Management (OPM) hacked

“OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.”
The Office of Personnel Management (OPM) confirmed that both current and past employees had been affected.
The breach could potentially affect every federal agency
OPM said it became aware of the breach in April during an “aggressive effort” to update its cyber security systems.
As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”
“In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”
“That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.”
Krebs Coverage
The Krebs article has a great timeline
US Law Makers demand encryption after OPM hack
DHS says: Encryption would not have helped OPM
OPM’s archaic IT infrastructure to blame for breach
Krebs finds that [version of OPM data on the darkweb] is actually from a different hack of ](https://krebsonsecurity.com/2015/06/opms-database-for-sale-nope-it-came-from-another-us-gov/)

Feedback:

BSDCan Videos:

The videos from BSDCan have started to appear. Not all of them are online yet, but a good sample to get you started.

https://www.youtube.com/playlist?list=PLWW0CjV-TafY0NqFDvD4k31CtnX-CGn8f

Round Up:

The post OPM Data too Valuable to Sell | TechSNAP 219 first appeared on Jupiter Broadcasting.

How I Met Your SSH | TechSNAP 99

chris — Thu, 28 Feb 2013 16:50:04 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

cPanel’s helpdesk was recently compromised, exposing root credentials for many of their customers, plus the troubles at Zendesk that caused quite a headache for twitter and other popular sites.

And we debate if we’re living in a post-cryptography world, plus a big batch of your questions, and much more on, on this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our code hostdeal4 to practically steal economy hosting for $1 a month, for one year.

Something else in mind? Use go35off4 to save 35% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

TechSNAP 100 Limited Edition Shirt:

Limited time left on our limited run TechSNAP 100 T-shirt!

Zendesk servers compromised, affects Twitter, Tumblr and Pinterest users

Zendesk is a SaaS (Software as a Service) that provides a ticket system, knowledge base and help desk for a monthly fee
It is quite popular, and used by large online services such as Twitter, Tumblr, Pinterest, Vodafone, 20th Century Fox, Denver Broncos, eLance, Fiverr, Gawker, Groupon, New Zealand Post, Rackspace Cloud, Scribd, Sears Canada, Sony Music, Xerox, and Yousendit
Zendesk’s blog post says they believe only 3 of their customers were affected (not named, but other sources and the end users who received emails about the issue suggest it was Twitter, Tumblr and Pinterest)
Apparently the attackers got access to a database with all of the email addresses of users who contacted those Zendesk customers for support, in addition to the email subject lines, apparently the body of the emails was not disclosed
A help desk is likely to contain sensitive information, especially when used for billing inquiries and password resets, but could also contain API keys, vulnerability disclosures, internal comments, and other information that should not get out
Self-hosting vulnerable software could leave you just as exposed, so the question comes down to, do you trust a 3rd party to do a better job of protection your customers than you will?
Additional Coverage

sshd rootkit in the wild

The sshd rootkit actually targets libkeyutils rather than the sshd binary itself, because previous sshd binary rootkits, have been defeated by updates to the sshd binary
It is not yet clear what the original attack vector is, that allows the attackers to compromise the libkeyutils in the first place
Seems to targets Red Hat and other RPM Based Distros, not clear if other distros are vulnerable
The rootkit does a number of things, including allowing an attacker with a specific password to gain root access, open a listener, and steal all of the credentials that have been used to login to the infected sshd
cPanel support server compromised, seemingly via sshd rootkit
the cPanel support system often requests users enter the root credentials for their servers, so support staff can login and assess/fix problems. These credentials must be stored in a format that can be returned to plain text (rather than being hashed), because the support staff need the original password to login. Encrypting the password (normally not what you want) might work here, but the keys to decrypt would need to be accessible to either all support staff (a key management nightmare) or to the system itself (so it can decrypt the passwords for the users)
Many cPanel customers report that their servers were compromised after they provided their credentials to cPanel support staff, this correlation may be how cPanel determined that they had been compromised, and spawned the investigation

Adi Shamir (the S in the RSA algorithm) says we need to prepare for a post-cryptography world

Speaking at the RSA Conference in San Francisco this week as part of a panel Adi Shamir (of the Weizmann Institute of Science in Israel) spoke about the failure of traditional security mechanisms, including restricting access, virus scanners and IDS (Intrusion Detection Systems) to thwart APT (Advanced Persistent Threat) attacks.
“It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system, We need to think about security in a post-cryptography world.”
The panel also included:
Ron Rivest of MIT (the R in the RSA algorithm)
Whitfield Diffie of ICANN (of the Diffie-Hellman-Merkle key exchange algorithm)
Dan Boneh of Stanford University
Ari Juels of RSA Labs
Rivest also talked about the problems with the current PKI systems, especially Certificate Authorities (the Comodo and DigiNotar compromises), as well as the more recent problems with TurkTrust, the Turkish CA who gave out signing certificates to a government contractor that used them to create valid but fake google certificates
Rivest suggests a new system with more tolerance for failures and where users have more control over whom they trust, especially in light of the growing trend where governments pressure CAs to fail, behave strangely or issue certificates they shouldn’t

Feedback:

Resources for Learning More about FreeBSD?
What’s so bad about a double NAT?
What are intermediate SSL Certs?
Fed Requirements Sometimes Force Equipment Online
Internships, Learning, Training up while working 40+ Hours a week? CAN IT BE DONE?
Last week we had a question of uPNP and pfSense – The pfSense blog has the official answer – pfSense uses an updated version of miniupnp, and has always done so, the vulnerable ones are more than 2 years old. Additionally, even if a new vulnerability in upnp is found, In order for your system to be vulnerable, you’d have had to manually add a firewall rule allowing access to upnp from the Internet.

Round Up:

The post How I Met Your SSH | TechSNAP 99 first appeared on Jupiter Broadcasting.

Red October Hunts You | TechSNAP 93

chris — Thu, 17 Jan 2013 20:46:48 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

If you thought Stuxnet was a big deal, wait till you meet Red October. The incredible story of some of the most sophisticated malware yet surfaces, and we’ve got the details.

Plus: A Nasty 0-Day exploit for Linksys routers, a HUGE batch of your questions, and much much more – On this week’s episode of TechSNAP!

Thanks to:

GoDaddy.com

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go20off5 to save 20% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

0-Day exploit for Linksys routers found

Researchers at DefenseCode have discovered a remote root access exploit for default installations on Linksys routers
When the researchers contacted Cisco and shared the vulnerability as well as Proof of Concept code, Cisco originally claimed that the vulnerability had already been fixed in the latest firmware release, however this turned out the be incorrect
The current Linksys firmware (4.30.14) and all previous versions are vulnerable to this remote root exploit
DefenseCode published a youtube video showing them using the exploit against a Linksys WRT54GL router, and getting busybox shell
It is not clear what if other models of Linksys routers are also vulnerable
Sales figures say Linksys has shipped over 70 million routers
Cisco expects to have a firmware update available before the full research is published in less than two weeks

Java saga continues, patches that don’t fix everything and new exploits

Researchers at Immunity Products looked at the Java 7u11 patch and found that it only fixed one of two vulnerabilities
They say that this means that the next 0-day exploit could cause all the same problems over again
Security Explorations, the firm with a reputation for discovering Java vulnerabilities reports that Oracle has still not addressed issues they reported in April and September of 2012
The September vulnerability , as with the one fixed in Java 7u11 allows an attacker to bypass the java security sandbox and remotely execute code
Metaploit’s HD Moore says Java could take years to fix
the next scheduled Java security release is Feb. 19

Red October – Cyber Espionage campaign dating back to 2007

In October 2012 Kaspersky labs was contacted by a partner (who wishes to remain anonymous, likely a government or defense contractor), and was asked to investigate some malware samples
This week, they started publishing the results of the attack they found, called Rocra (short for ‘Red October’)
Researchers did not find any evidence of links between Rocra and other major malware platforms such as: Stuxnet, Duqu, Flame, Tilded and Gauss
The exploits appear to have been created by Chinese hackers
Some of the Rocra malware modules appear to have been created by Russian-speaking operatives
In addition to exploits for MS Excel and MS Word, the Red October attacks also used exploits for Java 6 and 7 as part of the attack
The malware would check for an internet connection by attempting to connect to legitimate addresses at microsoft (windows update, support.microsoft.com), likely to avoid detection of unusual network traffic. If a connection was not found, some information would still be collected and stored locally, possibly to be copied via file sharing to a machine that did have internet access
The attack was used to gain access to secured systems and lift files, especially files with these extensions:
- txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
  cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
  aciddsk, acidpvr, acidppr, acidssa
- Of particular interest are the files with the acid extensions, likely created by “Acid Cryptofiler", which is known to be used by NATO and others in the European Union
The attack was also an ‘advanced persistent threat’, doing things such as:
Extract saved passwords for Web sites, FTP servers, mail and IM accounts from various applications
Send Windows account password hashes to the C&C server for offline cracking
Copy configurations from exposed network devices (Switches and routers with default passwords)
Enumerate visible windows shares and report to the C&C server (probably for future document exfiltration)
Scan connected USB drives for interesting files, the attack even included its own file system parser to copy deleted files
Copy data from connected Nokia and Apple iPhones copy address books, call history, calendar, SMS messages, and browsing history
Infecting Windows Mobile phones with a special mobile version of the Rocra virus
Watch for specially crafted Microsoft Office or PDF documents and execute their malicious payload without user interaction, allowing the attackers to exploit future vulnerabilities to keep control over exploited machines even as old exploits were patched
Standard key logging and screenshots, send back to C&C servers
Execute additional encrypted payload modules according to a pre-defined schedule
Copy all e-mail messages and attachments from Microsoft Outlook and from any mail servers found on the network that were accessible with the previously obtained credentials
Targets Infographic
Detailed Analysis:
- Red October – Introduction Blog Post
- Red October – Diplomatic Cyber Espionage Investigation
- Red October – Stage One – Exploits and Components
- Red October – Stage Two – Modules and Recon
- Red October – Stage Two – Passwords, Email and Physical
- Red October – Stage Two – Persistence and Spreading
- Red October – Stage Two – Mobile and Exfiltration
Digital Undergrounds podcast – Interview with Red October researchers

Feedback:

Round-Up:

The post Red October Hunts You | TechSNAP 93 first appeared on Jupiter Broadcasting.

Peek Inside | TechSNAP 63

chris — Thu, 21 Jun 2012 16:00:02 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We take a peek inside a few never before seen data centers, and find out what makes the unique, then a major flaw affecting Intel chips, and some big answers to the Flame malware mystery!

Plus some great Q&A and a few follow up stories you won’t want to miss!

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code: 199tech
Expires: June 30, 2012

$3.99 .US domain!
Code: 399us4

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Washington Post and New York Times suggest Flame malware created by US and Israel

American officials say that Flame was not part of Operation Olympic Games (which was begun under President G.W. Bush)
Officials have declined to say whether the United States was responsible for the Flame attack
Obama repeatedly expressed concerns that any American acknowledgment that it was using cyber weapons could enable other countries, terrorists or hackers to justify their own attacks
New York Times Coverage
Noted Security Expert Bruce Schneier calls cyber warfare destabilizing and dangerous
Compared the 2007 Israeli attack on the Syrian nuclear facility, Stuxnet did not result in any loss of life, or risk to friendly personnel
However, Stuxnet has damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response
The offensive use of cyber weapons opens a pandora’s box and weakens the U.S.’s long term position, in exchange for a short term gain
Have Stuxnet and Flame already destroyed the U.S.’s credibility as a leader for a free and open Internet?
Richard Clarke (Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, and Author of ‘Cyber War’), contends that there is a firm distinction between cyber-espionage and offensive cyber-attacks
Clarke argues that while cyber-espionage should be considered a routine, acceptable practice of any country as part of government intelligence operations, cyber-attacks are much more grave, and should be considered on par with physical attacks
Clarke and others argue for international cyber weapon arms control treaties
Richard Clark: How China Steals Our Secrets

US-CERT discloses security flaw in 64 bit Intel chips

The issue surrounds the AMD64 processor instruction SYSRET
The instruction is implemented differently by AMD (who developed the AMD64 instruction set) than by Intel
Some implementations, notably: Microsoft, FreeBSD/NetBSD and Xen, used the AMD specifications
This resulted in a mismatch in the expected behavior, that could result in a privilege escalation
Microsoft’s Statement: An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights
FreeBSD’s Statement: Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system
Xen’s Statement: 64-bit PV guest to host privilege escalation vulnerability. This issue only impacts servers running on Intel processors and could permit a 64-bit PV guest to compromise the XenServer host
Intel’s Statement: This is a software implementation issue. Intel processors are functioning as per specifications and this behavior is correctly documented in the IntelR64 Software Developers Manual, Volume 2B Pages 4–598–599
AMD’s Statement: AMD processors’ SYSRET behavior is such that a non-canonical address in RCX does not generate a #GP while in CPL0. We have verified this with our architecture team, with our design team, and have performed tests that verified this on silicon. Therefore, this privilege escalation exposure is not applicable to any AMD processor
Additional Source

Team at Fujitsu cracks proposed new pairing-based cryptography standard

The team at Fujitsu, working in partnership with the Japanese National Institute of Information and Communications Technology (NICT) and Kyushu University, have successfully cracked 923-bit pairing based cryptography, in 148.2 days
Based on previous results it was estimated to take several hundred thousand years to break a 923-bit key
This does not mean that the security of pairing-based cryptography is entirely broken, just that a larger key size is required to maintain security
This type of research is why only open cryptography standards should be trusted, and why it takes so long to select new standards
The competition for the SHA–3 algorithm opened in 2007 and is not expected to be completed until later this year. More than 50 algorithms were entered into the competition, only 5 remain
Among the rejected algorithms is MD6, which proported to scale to very large numbers of CPU cores for long messages, due to speed problems and unsufficient proof if its resistance to differential cryptanalysis. MD6 is still a work in progress and may still be used sometime in the future
Additional Source
NICT paper on cracking 676 bit pairing cryptography

A tour of GoDaddy’s Data Center

Photo Tour
Go Daddy is the registrar for over 52 million domain names
DNS infrastructure responds to 10 billion DNS queries per day
SSL infrastructure handles more than 1 billion OCSP responses every day
Currently hosts more than 5 million web sites on 35,000 servers
Blocks 2.5 million brute force attacks every hour.
More than 23 petabytes of data housed on its storage systems
Processes more than 350 million emails every day

OVH deploys world’s largest data center in Canada

The new data center makes use of OVH’s ‘Cube Data Center’ design, where servers are servers are kept in the outer corridors of the cube, and the center of the cube is open
Cold air is inlet from the outside of the cube, and the hot exhaust air is vented outside in the center of the cube
OVH also makes extensive use of water cooling for their servers, which they found can save as much as 30% on their energy bills
OVH Beauharnois, Quebec Data Center Video
The Quebec data center is located adjacent to the electrical sub station for the 1900 megawatt Beauharnois Hydroelectric Power Station, which will provide renewable energy for the data center
The data center also takes feeds from two additional power grids
Additional Coverage

Feedback:

Q: Eric asks about AD PW Storage
Check the GPO Setting “Store passwords using reversible encryption”. – You DON’T want reversible encryption, unless application requirements outweigh the need to protect password information.
Does Windows really still use unsalted MD4 for password storage?
Q: Frank wants to know what more he could be doing to stay secure.
Q: Robert wants to do some testing!

Round-Up:

The post Peek Inside | TechSNAP 63 first appeared on Jupiter Broadcasting.

Cyber Bank Heist | TechSNAP 41

chris — Thu, 19 Jan 2012 19:34:30 +0000

Find out how hackers robbed a bank for nearly $6 million dollars over the Internet, the Zappos security breach, the fall of the koobface botnet, and what happened to Megaupload.

Plus we look back at the web’s SOPA protest this week, and see where things stand.

All that, and much more, on this week’s episode of TechSNAP!

Thanks to:
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
DOTCO9: .co domain for $17.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Direct Download Links:

Subscribe via RSS and iTunes:

Show Notes:

Cyber Bank Heist Nets 5.3 Million Dollars

During the first three days of the new year, while the bank was closed for the holiday, thieves accessed a compromised computer at the South African Postbank and used it to transfer large sums of money in to accounts they had opened over the past few months
They then used the compromised computer, and the credentials of a teller and a call center employee, to raise the withdrawal limits on their accounts
By 9am January first, numerous money mules started making trips to ATMs in Gauteng, KwaZulu-Natal and the Free State, unhindered by withdrawal limits
Withdrawals stopped around 6am January 3rd before the bank reopened and the compromise was detected
In total, approximately 42 Million South African Rand were stolen (approximately 5.3 million USD, although some news stories reported the figure as 6.7 million USD). This appears to be around 1% of the entire holdings of the government operated bank
The National Intelligence Agency (NIA) is investigating as Postbank is a government institution
Sources report that the bank’s fraud detection system failed to detect the extremely large withdrawals, and the fraud was not discovered until employees returned to the bank from the new years holiday
Observers question way such low level employees (Teller, Call Center Agent) had the required access to raise the withdrawal limits
Investigators have not yet determined if the computers and passwords were compromised by the employees unwittingly, or if they were involved in the heist
Local Coverage

Koobface operators go underground as researchers disclose their identities

The koobface malware mostly targetted facebook users, prompting users to download a newer version of flash in order to watch a non-existent video. Rather than the expected flash update, the users would be infected with malware
The malware operators made large sums of money by using the botnet of infected computers to perpetrate click fraud against pay-per-click advertising networks. “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud”
Facebook and some researchers they had been working with released their findings, including the identities, social media accounts and other information that had gathered on those behind the malware
Within days of that disclosure, the attackers had shut down their C&C servers and rapidly began destroying the evidence against them. They also appear to have gone in to hiding (likely to avoid prosecution or extradition)
With the shutdown of the C&C servers, and the disappearance of the operators, new infections of Koobface have dropped to near zero
Researchers question if exposing the operators was the right thing to do
Canadian Researchers released paper on Koobface in 2010 . Rather than releasing the identities of the attackers, Infowar Monitor handed the information over to Canadian Law Enforcement
Additional Coverage

Shoe Retailer Zappos Hacked, 24 million customers compromised

Zappos, and online shoe retailer owned by Amazon, was compromised last week
Attackers gained access to the customer database after compromising a Zappos server in Kentucky, and using it to Island Hop into the internal network
The Zappos customer database contained the names, email addresses, scrambled passwords, billing and shipping addresses, phone numbers and the last four digits of credit cards numbers
It is unclear what is meant by ‘scrambled’ password, hopefully secure hashing
Zappos states rather clearly, and repeatedly, that their secure payment processing servers were not compromised, and that credit card and transaction data remains secure
Hopefully this means that Zappos takes their PCI-DSS compliance seriously, and the payment servers are isolated from the internet network that was invaded via the compromised server
Even without the full credit card data the information from this compromised could be used quite successfully in spear phishing attacks
Zappos has reset and expired all customers passwords, forcing customers to choose new passwords
Zappos has disabled its phone systems in anticipation of an extremely high volume of support inquiries
Zappos Announcement

Researcher reveals that stuxnet did not use a vulnerability in SCADA

Researcher Ralph Langner presented his findings at the S4 Conference on SCADA Systems
In his presentation, he revealed that the stuxnet worm, while possessing many 0-day exploits to gain access to the protected computer systems, used a design flaw in the SCADA system, rather than an exploit to perform the attack
Langner postulates that the design of the Stuxnet worm was not to destroy the centrifuges, but to undetectably disrupt the process, making production impossible
The Stuxnet worm takes advantage of the fact that the input process image of the PLC is read/write rather than read only, so the Stuxnet work simply plays back the results of a known good test to the controller, while actually feeding the centrifuge bad instructions, resulting in unexplained undesired results
Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security for failing to take the security issues more seriously

Round Up:

The post Cyber Bank Heist | TechSNAP 41 first appeared on Jupiter Broadcasting.

Ultimate ZFS Overview | TechSNAP 28

chris — Thu, 20 Oct 2011 18:57:12 +0000

Coming up on this week’s TechSNAP…

Buckle up and prepare for our Ultimate ZFS overview!

Plus, the next generation of Stuxnet is in the wild, but this time is laying low, collecting data.

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

Jupiter Broadcasting Gear

https://www.printfection.com/jbgear

Coupon Code: SuperDuperShip – Free Shipping on Super Saver, International, and Canadian Airmail orders. No minimums
Coupon Code: SuperSave$10 – $10 off orders with a subtotal of $50+
Coupon Code: Scary35% – 35% off orders with a subtotal of $100+

Next generation of Stuxnet seen in the wild?

Called Duqu, the malware appears to be based on the same concepts as Stuxnet, and likely was written by some of the same people, or someone with access to the Stuxnet source code.
The malware is designed to be stealthy and silent, rather than exploiting the system to some gain, like most malware
The rootkit loads it self as a validly signed driver. It appears to have been signed by the certificate of a company in Taiwan identified as C-Media Electronics Incorporation. It is possible that their systems were compromised and their private key is being used without their knowledge. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14
The malware is not a worm, as it does it spread, and has no destructive payload
It appears to only gather intelligence and act as a espionage agent, collecting data to be used a future attack.
Analysts claim it appears to be seeking information on an unidentified industrial control system
Duqu appears to have been in operation, undetected for more than a year
Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors
Duqu analysis paper

Google switching to SSL for logged in users’ searches

Users who do a search while logged in, will do the search over SSL, meaning their search query and the results will be protected from snooping by their ISP, Government, Law Enforcement and WiFi hackers.
This is an important step as google works to personalize your search results more and more.
An interesting side effect of this is that browsers do not pass referrer headers when you transition from an SSL site. So the sites you visit from the search results page will no longer see what your search query was. Clicks on Adwords and other sponsored links will still pass your search query.
The primary impediment to SSL for everything is performance, encrypting all traffic on the web would require a great deal more hardware. This is why Google defaults to a weaker encryption for things like search results, than what online merchants typically use.
Another impediment to SSL is the certificate system, typical setups require a unique IP for each SSL certificate (because the name based virtual hosting typically done by web servers relies on an HTTP header, that is not sent until after the encryption session is started). However modern browsers and web servers support ‘SNI’ (Server Name Indication) to allow that information to be passed as part of the initial encryption setup. There are also solutions such as wildcard certificates (ie, *.google.com) and Unified Communications Certificates (UCC, typically used for MS Exchange servers and the like).
Google will also provide website owners with the top 1000 search queries that lead visitors to their site via Google Webmaster Tools.
HTTPS Everywhere | Electronic Frontier Foundation

Feedback:

TechSnap Question – YouTube
Typically a solution like this relies on a hard line connection between the two wireless APs so that they do not have to communicate via wireless as well.
www.dd-wrt.com | Unleash Your Router
DD-WRT Router Database
Turn Your $60 Router into a User-Friendly Super-Router with Tomato
Tomato (firmware)

ZFS Segment

This week we will be taking a look at ZFS as a storage solution
ZFS was originally developed by Sun Microsystems to be able to store a zetta byte of data (A zetta byte is equal to 1 billion tera bytes)
ZFS is both the Volume Manager and the File System. This gives it some unique benefits, including the ability to increase the size of the file system on the fly and improves performance for the ‘scrub’ (integrity check all data) and resilver (recover from a failed disk) operations, as only data blocks that are actually in use need to be rewritten, whereas a hardware RAID controller must resilver the entire disk because it is unaware of the file system.
ZFS is a ‘Copy-On-Write’ file system, this means that data is not immediately overwritten when it is changed
Features
- Multiple mount points – You can create various mount points from the same storage pool, allowing you to have different settings for different types of files.
- Passive Integrity Checking (Fletcher Checksum or SHA–2) – As data is read, it is compared against the checksum (or hash, depending on settings). If the data is found to be corrupted, ZFS attempts to recover it (from a mirrored device, RAID Z, or copies). This feature allows ZFS to detect silent corruption that normally goes unnoticed.
- RAID Z – RAID Z works very similar to RAID 5, except without the requirement for a hardware RAID controller. RAID Z2 provides two parity drives, like RAID 6. Recently, RAID Z3 was also introduced, using 3 drives for parity, providing exceptional fault tolerance.
- Compression – Allow you to compress the data stored in this mount point (defaults to lzjb for speed, or you can choose a specific level of gzip). This can be great for storing highly compressible information such as log files
- Deduplication – Since ZFS already knows the hash of your files as it writes them, it can detect that a file with the identical content already exists in your storage pool, and it will simply link the new file to the old one, and because ZFS is copy-on-write, if either file changes, it does not effect the other. ZFS also supports an optional ‘verify’ setting, where even if the checksum/hash matches, it will do a byte-by-byte verification to ensure the files are the same, to avoid a cache collision resulting in data corruption, even though the chances of this happening are around 10^–77. Deduplication uses a lot of ram, so it is recommended that you only use it on datasets where there is a high probability of duplication (It requires 320 bytes per block, meaning 1TB of data in 8kb blocks requires 32GB of ram. ZFS allows blocks up to 128kb). Deduplication will only use up to 25% of ARC memory, after that performance is degraded.
- Purposeful Duplication (Copies) – Allows you to ask ZFS to maintain more than 1 copy of each file in a mount point. This is in addition to any redundancy provided by mirrors/RAID Z etc. Where possible the additional copies are stored on different physical devices. This allows you to get the benefit of a system like RAID Z but only for a specific set of data, while using regular striping for the rest, to maximize your storage capacity. (The ‘Copies’ system was not designed to protect against entire drives failing, just the loss of specific sectors, also this setting only effects newly created files, so you should set it when you create the mount point)
- Snapshots – A read only copy of the file system from a specific point in time, great for backups etc.
- Clones – A writable snapshot. Allows you to create a second copy of the file system that shares all of the same disk space, and any changes to either the original or the clone get saved separately.
- Dynamic Striping – As you add more disks to your ZFS pool, the strips are automatically adjusted to take advantage of the write performance of all available disks.
- Space Reservation – Since all mount points share the same pool of free space, you can set reservations to make sure specific mount points always have access to free space, even if another mount point is trying to use all of the space.
In summary, ZFS can be a great solution for your home file server, as it allows you the flexibility to add additional storage at any time, deduplicate files, provided limited redundancy without needing RAID and can even provide some Drobo like functionality.
If you keep at least one SATA port available in your file server, you can replace smaller devices by attaching the newer drive, and using the ‘zpool replace’ command, to copy all of the data to the new device, then remove the smaller one. You can eventually replace every device in the system this way, and the storage pool sizes up automatically.
RAID Z pools cannot currently have devices added to them, although this feature is in the works. If you create a RAID Z (or Z2/Z3) pool, you can still increase it’s storage capacity by replacing each disk one at a time, and waiting for it to resilver (unlike in non-redundant setups, you do not have to connect the new device before removing the old one). Again, because ZFS is both the Volume Manager and the File System, the resilvering process is faster, because only data that is actually in use needs to be written to the new device.

Round Up:

The post Ultimate ZFS Overview | TechSNAP 28 first appeared on Jupiter Broadcasting.

Ultimate Home Router | TechSNAP 23

chris — Thu, 15 Sep 2011 19:16:01 +0000

Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.

Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

Italian hacker publishes 10+ 0 day SCADA exploits with proof of concept code

SCADA (Supervisory Control and Data Acquisition) are Industrial control systems
The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
These exploits could cause serious disruption if the systems are not properly protected from external access
SCADA systems are used to control numerous important industrial systems including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
In January 2000, the remote compromised of a SCADA system was responsible for pumping sewage into a nearby park and contaminated an open surface-water drainage ditch.
News Article

Official uTorrent website compromised, users download spyware

On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
The scareware told them they were infected with malware and demanded payment to remove it
Any users who downloaded uTorrent between 12.20 and 14.10 BST likely received the malware instead of uTorrent.
In this case, the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of 1000s of systems via the auto-update feature built in to most modern applications.
This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.

Funny Virus Pic – Google+

BIOS rootkit found in the wild

The virus can infect most any computer with an Award BIOS (very popular, used in most all Motherboards that I own).
The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each bootup.
The MBR virus then rootkits winlogon.exe to take over control of the system
The rootkit then prevents modification of the MBR, making it harder to remove the virus
Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
The rootkit also downloads a trojan and allows the system to be remotely controlled.
This attack is related to the attack we discussed in a previous episode of TechSNAP where a researcher was able to infect the battery in a MacBook with a virus. If the virus was similar to this one, it would add an additional layer of complexity, if the BIOS could be reinfected from the battery.
Details from Symantec

TWiT.tv compromised, malicious iframe injected, loads Java malware

The popular TWiT.tv page was compromised and a snippet of malicious code was added, an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
Google’s safe browsing started blocking the site. Firefox and Google Chrome users will be presented with a warning before visiting the site.

War Story:

At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
The device was rebooted to correct the issue and we proceeded to work with the device manufacturers TAC (Technical Assistance Center) to determine the cause of the issue and proper resolution to avert any future problems.
At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
At approximately 7:00 PM facility local time, we began the process of replacing the faulting device with a new one. The old device was removed and the new device was put in its place.
Once powered on the replacement device alerted us to a number of errors within the switch fabric modules that were causing inter-line card communication to not work properly.
We again contacted the device manufactures TAC, and at approximately 8:30 PM, we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
Once this was completed the device was restarted but produced the same errors.
The issue was then escalated to tier 2 support at the device manufactures TAC.
We concluded that the issue was likely a problem somewhere within the replacement device’s chassis, and proceeded to replace the chassis with the one from the old device.
Upon doing so, we began getting a different set of errors, this time with the management modules communication to the line cards.
At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufactures TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line card, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical sub-system could be completed by the manufacturer.
At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
Total time offline: 19 hours 8 minutes.

Feedback:

A few questions about home servers
Q: crshbndct I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
A: Chris and I both love pfSense, it is a FreeBSD based router appliance. You can basically turn any computer with 2 network cards into a Router/Firewall, with DHCP, DNS/DDNS, VPN (IPSec, PPTP, OpenVNP), VLANs, Captive Portal, Traffic Shaping and Graphing. It has a web interface similar but more expansive than what most people are already used to from a normal off the shelf home router.

Next Week: RAID types, what they are and some use cases for each.

Round-Up:

Bitcoin-Blaster:

Bitcoin Value: 34,196,260 USD

The post Ultimate Home Router | TechSNAP 23 first appeared on Jupiter Broadcasting.