Inside the Malware

• Security researcher Sherri Davidoff profiles the Blackhole exploit kit
• Walking us step by step through what the malware does once your computer is infected
• It starts with a simple phishing email, in this example just a plain email that says “Hi, as promised your photos.” with a link
• The unsuspecting user follows the link, and nothing much seems to happen and they continue about their day
• In actuality, their computer has not been infected with the Blackhole exploit kit
• A few days later, while visiting the website of their bank, the user is prompted by the page to verify their identity. Over a short period of time, the attack, using a man-in-the-browser attack, was able to gain:
  • The victim’s name
  • Phone number
  • Answers to security questions
  • RSA token
• The attacker then used this information to wire themselves $49,500 out of the victim’s bank account
• However, because this was a large corporate account, the bank requires a second person to authorize such a transfer
• The attacker used the MITB attack to ask the victim for the name of that second person, which the user entered
• The attacker then asked for the email address of the second person, however the user got suspicious, called the bank and the account was quickly frozen
• Once the blackhole exploit kit is installed on a computer, it loads updates and then continues to phone home once every 20 minutes, using a simple HTTP POST request
• The researcher also managed to capture a Man-In-The-Browser attack on video, when attempting to login to the BankofAmerica site, the infected computer injects a page after the user submits the login form, but before the information is actually sent to the bank
• The injected page claims that the bank does “not recognize” your computer and asks you for a number of details, including your debit card number, social security number, date of birth and mother’s maiden name
• These details are not sent to the bank, but rather to the attacker, who can use them later to drain your account
• In more sophisticated attacks using this technique, the attacker is actually communicating with your system live, in order to take advantage of the information as you enter it, such as passing on to the victim the secret questions they are prompted for when trying to send a wire transfer
• This also allows the attackers, in the situation where they are actively monitoring your computer when you are attempting to access your account, to take advantage of temporary information such as the output of your RSA security token

Dedicated server provider Hetzner finds backdoor

• Administrators at Hetzner discovered a backdoor on their nagios monitoring server
• After further investigation, they discovered that their web interface for managing dedicated servers (called the Hetzner Robot) had also been infected
• This means some personal details of customers, including name, email address, phone number, hashed password, last 3 digits of credit card number, credit card type and expiration date
• The actual card number is never stored by Hetzner, it is passed directly to the payment processor who returns a unique token that is used to reference that card in the future
• However, customers using direct debit (debit note) from their bank account, may have been compromised. While the information is stored encrypted in the Hetzner database, the key may have been compromised
• Passwords were SHA256 hashed with a salt, but it does not sound like they used sha256crypt
• “The malicious code used in the “backdoor” exclusively infects the RAM. First
  analysis suggests that the malicious code directly infiltrates running Apache
  and sshd processes. Here, the infection neither modifies the binaries of the
  service which has been compromised, nor does it restart the service which has
  been affected.”
• Hetzner has hired an external security company to do a more indepth investigation
• English FAQ

Feedback:

• MAC Filtering?

• FreeNAS as Storage for VMs… HOW?

• Using rsnapshot for backup?

• Apple’s Hidden Details

• Another Take on Passwords when Mobile

• Sharing a Real Life Bad Security Experience

BSDCan 2013 Videos:

• All Videos
• Allan Jude – Managing FreeBSD at Scale
• Paul Chvostek – Switching from Linux to FreeBSD
• Peter Hansteen – The Hail Mary Cloud And The Lessons Learned
• Pawel Jakub Dawidek – FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
• Kirk McKusick – An Overview of Security in the FreeBSD Kernel
• Shawn Webb – Runtime Process Infection Part 2

Round Up:

• Lenovo opens heavily automated assembly plant in North Carolina
• 0 day exploit for Plesk puts more than 360,000 linux servers at risk, unknown if windows servers are affected. Exposes /usr/bin
• China says it is the USA’s fault that their weapons designs were stolen, “Even following the general principle of secret-keeping, it should not have been linked to the Internet,”
• Vint Cerf worries that we won’t be able to access historical data due to the cost of maintaining backwards compatibility
• NSA collecting phone records of millions of Verizon customers daily
• Google researcher releases a working exploit for the Windows Kernel bug he disclosed earlier
• Car thiefs may have a new device that unlocks many makes and models of vehicles
• Attackers use massive DDoS to mask exploit attack against EVE Online backend servers

The post Phishin' Hole | TechSNAP 113 first appeared on Jupiter Broadcasting.

Why a password isn’t good enough anymore

• An article by Mat Honan, the Wired writer who had his entire online existence destroyed earlier this year
• An attacker wanted to steal the twitter handle @mat, and so started by trying to do a password reset on twitter.
• This directed the attacker to Mat’s gmail account
• When trying to initiate a password reset set on the gmail account, he was directed to Mat’s Apple account
• The attacker called Apple and using information about Mat from Twitter, Facebook, Google etc, he managed to reset the password for Mat’s Apple account
• Using the Apple account, the attacker was able to disable and remotely wipe Mat’s Apple devices (iPhone, iPad and Macbook)
• Once the attacker was in control of the Apple account, he was able to reset the password for the Gmail account
• Then to reset the password for the Twitter account
• Watch TechSNAP 70 for the full story
• In this followup article we get an even closer look at what happened, and an in-depth analysis of other recent happenings
• A lot of the problems discussed in the article are not weaknesses in passwords specifically, but in the people and systems that use them
• Authentication Bypass – When an attacker finds a way to access an account or service without needing the password at all. We have seen this with Dropbox, Oracle and others in past episodes of TechSNAP, or the recent case with Skype, where it failed to properly authenticate you before allowing you to reset account, we’ll cover that later in this episode.
• Brute Force – Accounts for services like POP3, FTP, SSH, and SIP are under constant attack, all day, every day. Attackers attempt to compromise the accounts in order to gain access for various reasons, from using the initial password as a stepping stone to gain access to more sensitive accounts, to using your machine to scan for yet more weak passwords, or as a source of spam. Attackers are constantly attempting common username and password combinations against every public facing server on the internet, using apps such as DenyHosts, Fail2Ban or SSHGuard to protect these servers is a must.
• Database Compromise – Services such as Sony PSN, Gawker, LinkedIn, Yahoo, eHarmony, LastFM and others had their databases compromised, and their lists of passwords dumped online. Often these passwords were hashed (MD5, SHA1, SHA256), but not always. Even a hashed password is little protection, it doesn’t immediately disclose your password, but with tools like Rainbow Tables and GPU accelerated cracking, these hashes were quickly cracked and the plain text passwords posted online. Hopefully more services will start using properly secure Cryptographic Hashes (sha512crypt, bcrypt) that take tens of thousands of times more computational power for each attempt to crack a password. Some algorithms like bcrypt are also, thus far, immune to GPU acceleration, actually taking longer on a GPU than a CPU.
• Disclosure – People often share their passwords, I don’t know how many facebook accounts have been ‘hacked’ by friends or ex’s because you willingly gave them your password, or you gave them the password to something else, and they used one of the other techniques described here to gain access to something you didn’t mean for them to have access to.
• Eavesdropping – Someone could be listening on the wire (or in the air in the case of wireless or mobile data connections) and see your password as it goes between your computer and the remote service. Most services now login over SSL to prevent this, but older services such as FTP (still very popular for web hosting, where your password may be shared with the web hosting control panel that has access to reset your email password) are not encrypted.
• Exposure – This is when you accidently give away your password, it happens on IRC at least once a week, someone attempts to enter the command to identify, but prefixes it with a space or something and ends up displaying their password to the entire chat room. Users will also sometimes accidentally enter their password in the username field, or their credit card number in the field that is for the ‘name as it appears on the card’, which causes it not to be treated with the same level of security.
• Guessing and Inference – When people base their password on birthdays or pet’s names, they become easy to guess. If you compile a largish list of keywords about a person, including bands and songs they like, their family and friends names, important dates, sports teams etc, and run it through an app like John The Ripper, which will make variations of those passwords, including l33t speak transformations, adding numbers and symbols, are are likely to get a fairly high success rate. In addition to guessing, there is inference, if you know that Bob’s password for gmail is: bobisgreat@gmail then you can probably guess that his password for facebook is: bobisgreat@facebook. If there is a pattern or ‘system’ to your passwords, once someone compromises ONE of those passwords, they have a much greater chance of compromising them all.
• Key Logging – When an attacker, using hardware or software, is able to record the keys you type in your keyboard, thus capturing your password as you input it. Apps like LastPass may seem to help with this, but they usually use an OS API to simulate typing the keys to remain compatible with all applications. Clipboard scanners can also often catch passwords.
• Man-in-the-Middle – An attack that intercepts your traffic and pretends to be the service you are trying to connect to, allowing it to capture your password, even if it was encrypted. SSL/TLS was designed to prevent Man-in-the-Middle attacks by verifying the identity of the remote server, however with Certificate Authority being compromised and issuing false certificates and tools such as SSLStrip to trick you into not using SSL, it is still possible for your communications to be intercepted.
• Phishing – Emails meant to look like they are from an official source, whether is be eBay, PayPal or your bank, prompt you to login on a page that looks like the legitimate one, but is not. Once you enter your details, the attackers have all they need to know to compromise your real account. Combine this with the weak DKIM keys from a few weeks ago, a compromised Certificate Authority and a man-in-the-middle DNS attack, and you have no way of knowing that when you entered https://www.paypal.com in to your browser, you actually ended up on an attackers site instead.
• Reply Attack – When an attacker is able to capture you authenticating in some secure manner, but is able to resend that same information and authenticate as you later, without ever knowing your password
• Reuse – Using the same password on multiple sites means that when one of them is compromised, they all are. I keep telling you, use lastpass.
  • Secret Questions – So, when you setup that new account and it prompts you for some secret questions/answers, consider carefully what you put down. You’re going to need to be able to remember it later to regain access to the account (or some accounts ask them when they suspect you are logging in from a different computer), but if they are simple ones that someone could look up via google or facebook (remember, the attacker could be someone you know, so your privacy settings on facebook might not be enough), then it isn’t good enough.
  • Social Engineering – In the case of the Mat Honan compromise, the weakest link turned out to be AppleCare Support, they very much wanted to be helpful and allow him to recover his accounts, the only problem was, the caller was not Mat Honan, but the attacker, to managed to guess and trick his way through the security questions and gain control of the Apple and Amazon accounts.
  • See some old Blog post by Allan for more reading at [GeekRoundTable] ](https://www.geekrt.com/read/88/Myths-of-Password-Security/) and AppFail
• These issues are endemic across the entire internet, and it is important that you be aware of them and take steps to protect yourself as best you can
• A comparison of two major password dumps has shown that half of all passwords were used on both sites, the problem of password reuse is growing rather than shrinking
• Having a long and strong password is important, but you have to consider the other ways someone could compromise your account, the weakest link is the most likely avenue of attack
• If you have the option, you should enable two-factor authentication, adding one more step makes the attackers job that much harder, but remember, this doesn’t mean you are immune, RSA and Blizzard authenticators have been compromised in the past when their seed values were stolen from the central databases.

Skype IDs hijackable by anyone who knows your email address

• An attacker found a way to bypass the authentication in skype’s password reset system, and take over any target account for which the email address was known
• The Instructions
• Register for a new account, using the email address of the victim
• Login to Skype using that new account
• Initiate a password reset for the victim’s account
• Skype will email the victim a password reset token, but the token will also pop up in the skype client for all accounts that use that email address, allowing the attacker to get the token
• Use the token to reset the password of the victim account
• Login to the victim’s account and remove their email address and add your own (one that no one knows) and you now own that account
• Skype disabled the password reset system a few hours later, then fixed the issue and re-enabled the password reset system. Tokens are no longer displayed in logged-in skype clients. This makes sense, and I question why it was ever the other way around, because if you are logged in, you are unlikely to have forgotten your password (unless it was saved I guess).
• Skype’s Reaction
• NextWeb Coverage
• NextWeb Followup

Feedback:

• Which server OS should I use?
• Home Server Hardware Swap
• SHODAN search
• Keeping FreeBSD Up to Date?
• Why did Allan decide to use hardware RAID with ZFS?
• Why would MD5 security be important to verifying a download?
• Multi-Master MySQL backups

Round Up:

• Origin Accounts Hacked – Maybe Change Your Password
• StackExchange podcast talks more about hurrican sandy and the effort to keep the Peer1 datacenter online
• Google declares Flash is now ‘fully sandboxed’ in Chrome for Windows, Mac, Linux and Chrome OS
• Google reveals seven years of evolving data-center strategy
• NSA Outs Top-Secret Report That Missed the Future of Supercomputing
• Hardcoded passwords leave Telstra routers wide open
• CyanogenMod’s domain hijacked by community member, now using .org
• Adobe’s Connectusers.com site was compromised via SQL injection, 150k user accounts and plain MD5 hashes leaked
• Blizzard sued over the cost of Battlenet Authenticators
• Researchers scan public malware infection forums (such as BleepingComputer) and find HJT and DDS logs from computers running SCADA software
• Critical Vulnerabilities in Call of Duty: Modern Warfare 3 and the Cryengine3 could compromise the systems of both gamers, the game servers, and the game companies
• NASA to have all laptops encrypted before the end of the year, and laptops containing sensitive information no longer allowed to leave it’s facilities

The post Patch Your Password | TechSNAP 84 first appeared on Jupiter Broadcasting.