UDID – Jupiter Broadcasting

The Human Factor | TechSNAP 75
https://original.jupiterbroadcasting.net/24596/the-human-factor-techsnap-75/
Thu, 13 Sep 2012 15:46:38 +0000

It was a tough week for the cloud, we’ll run down the list and summarize what happened to the services we all depend on so much!

Plus a big batch of your questions, our answers, and a rocking round-up!

All that and a lot more, on this week’s TechSNAP.

Show Notes:

GoDaddy outage was caused by router snafu, not DDoS attack

  • GoDaddy’s services started to drop off of the internet
  • The outage lasted approximately 6 hours, from 10:00 PDT (17:00 UTC) until service was fully restored at about 16:00 PDT (23:00 UTC)
  • A twitter account, claiming to represent part of Anonymous, took responsibility, claiming to have launched a massive DDoS attack against GoDaddy
  • Some news outlets and blogs misunderstood what a DDoS attack is, and reported that Anonymous had hacked GoDaddy
  • “We have determined the service outage was due to a series of internal network events that corrupted router data tables.” – Interim GoDaddy CEO Scott Wagner
  • The issue was compounded because the downtime affected not only GoDaddy hosting customers, but also customers that only used GoDaddy for DNS
  • GoDaddy hosts 5 million web sites and manages a total of 52 million domain names
  • For example, the DNS for jupiterbroadcasting.com is hosted at GoDaddy, while the actual site resides at ScaleEngine, but because the DNS was down, viewers were unable to lookup the IP address of jupiterbroadcasting.com in order to connect to ScaleEngine
  • DNS caching will have helped reduce the effect of this downtime somewhat, especially for more popular sites and for users coming from larger ISPs. The DNS records for JB have a TTL of 1 day, so users would only have issues reaching the site if the records had not yet been cached, or once the cache expired. At the time of this writing, the records for JB still had 28461 seconds left in my local Google Public DNS cache, but were not cached at my local OpenDNS
  • This event ruined GoDaddy’s previous 99.999% uptime record for DNS (99.999%, or 5 nines as it is called in the industry, allows for only 6 minutes of cumulative downtime in an entire year, compared to 4 nines, which allows about 53 minutes of downtime per year, or 99.9% which is nearly 9 hours)
  • GoDaddy uses Anycast for its DNS servers. This means that while it looks like each domain is only assigned to 2 DNS servers, each of those two IP addresses actually exists in multiple data centers around the world. Traffic is routed to the closest server, and if that server’s route fails, after a few minutes the BGP routers at your ISP or an intervening transit provider route the traffic to the next closest server
  • However, due to what I assume was some human error after the failure of one or more network components, the routes that GoDaddy broadcasted to their upstream providers were in some way incorrect, and caused traffic to no longer reach the GoDaddy servers
  • Anycast is commonly used for DNS but is not very often used for TCP based services due to the fact that the routes can change at any time, and suddenly the same IP address points to a different server, and your connection is dropped. There are some cases where people have successfully used Anycast for short lived TCP connections
  • Additional Coverage
  • Go Daddy Site Outage Investigation Completed – GoDaddy.com

Blue Toad comes forward as the source of the leaked Apple UDIDs

  • Security researcher David Schuetz was analyzing the data posted online, and found an unusually large number of devices that mentioned Blue Toad, 19 out of the 1 million records analyzed
  • Schuetz then contacted Blue Toad to report what he had found
  • Schuetz also said he couldn’t say conclusively if Anonymous’ claims about the FBI were false or true
  • Blue Toad makes apps for publishing companies, long known for collecting extensive data about their readers for market research and marketing purposes
  • Paul DeHart, CEO of Blue Toad said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit
  • The company’s forensic analysis claims to show the data had been stolen “in the past two weeks”
  • This is contrary to the original claim that the data was stolen from an FBI computer months ago

Donated Privacy | TechSNAP 74
https://original.jupiterbroadcasting.net/24176/donated-privacy-techsnap-74/
Thu, 06 Sep 2012 15:53:20 +0000

Anti-sec posts 1 million Apple UDIDs they claim to have stolen from the FBI, but what was the FBI doing with them in the first place?

More infrastructure switches vulnerabilities, and a great batch of audience questions and our answers!

All that and a lot more on this week’s TechSNAP!

Show Notes:

Java flaws not entirely fixed by emergency patch

  • The Polish security firm that initially discovered the 29 Java vulnerabilities back in April, two of which were the target of the emergency out-of-band patch issued by Oracle last week, has discovered that the flaws are still exploitable
  • Oracle’s patch removed the getField and getMethod methods from the implementation of sun.awt.SunToolkit. This disabled all of the Proof of Concept exploits from the security researchers, as well as the exploits actively being used in the wild
  • Oracle basically removed the exploitation vector, without fixing the underlying vulnerabilities
  • The Polish firm discovered another exploitation vector that, when combined with the unpatched vulnerabilities, allowed them to update their Proof of Concept code and continue to possess a large number of working exploits against Java
  • Adam Gowdiak, CEO of Security Explorations (the Polish firm that discovered the vulnerabilities), also commented that Java 6 seemed much more secure: in all the time they spent researching it, they only ever managed to escape the sandbox once, using an Apple QuickTime exploit
  • Researchers find critical vulnerability in Java 7 patch hours after release

More infrastructure switches vulnerable

  • Some GarrettCom switches come with a hard coded password for a default account that cannot be changed or disabled
  • A researcher at Cylance discovered the hidden account in April and warned the vendor and ICS-CERT
  • The issue is present in GarrettCom Magnum MNS-6K Management Software version 4.1.14 and 14.1.14 SECURE. The vendor released an update that addresses the issue in May, but the issue was not disclosed until this week
  • The attack is mitigated somewhat by the fact that the attacker would need access to an account on the switch, in order to exploit the vulnerability and escalate the privileges of the regular user account
  • “A ‘factory’ account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom’s MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as ‘guest’ or ‘operator’ can escalate privileges to the ‘factory’ account”
  • GarrettCom switches are marketed as “Hardened” and used in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites. Beyond simple L2 and L3 networking, these devices are also used for serial-to-IP conversion in SCADA systems
  • Original Advisory
  • ICS-CERT Advisory

Hackers claim to have stolen Mitt Romney’s tax returns from financial firm

  • A group claims to have broken into the offices of Price Waterhouse Cooper in Tennessee, accessed the network file servers and copied the Romneys’ tax returns for the years before 2010
  • Later years were apparently not digitized yet and so were not able to be copied
  • It doesn’t seem correct to refer to the individuals as hackers because the data was physically stolen from unsecured file servers, rather than accessed remotely
  • The attackers seem to have thought ahead, going so far as to include secret statements in the copies of the documents sent to PWC and using those to authenticate themselves as the real attackers
  • The attackers claim to have sent encrypted copies of the documents to the media, as well as both political parties
  • The attackers provide two bitcoin addresses. If the first receives 1 million USD worth of bitcoins before September 28th, then the encryption keys will be destroyed. If this does not happen, or if 1 million USD is sent to the second bitcoin address, the keys will be released publicly
  • In Canada the Personal Information Protection and Electronic Documents Act (PIPEDA) mandates specific security measures be taken to safeguard such personal information, it seems that the security practices at PWC were extremely lax
  • The US Secret Service is investigating
  • Pastebin Post #1
  • Pastebin Post #2
  • Additional Coverage

Anti-sec releases 1 million iOS unique device IDs, apparently stolen from FBI laptop

  • Anti-sec claims the original file they stole contains more than 12 million records
  • The file apparently includes detailed data, including the UDIDs, push notification tokens, device names, usernames, phone numbers, addresses and device types
  • Antisec claims to have remotely accessed Supervisor Special Agent Christopher K. Stangl’s Dell Vostro notebook in March 2012 using the AtomicReferenceArray Java vulnerability
  • "During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’"
  • NCFTA is the National Cyber Forensics and Training Alliance, a private group set up by a former FBI agent to facilitate information sharing between private companies and the FBI. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI
  • SSA Stangl is a member of the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team
  • The FBI denies the claim: “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data”
  • A website has been set up to attempt to identify which apps or companies are sharing data with the FBI
  • Original Pastebin
  • Additional Coverage

Have some fun:

What I wish the new hires “knew”
