Show Notes: techsnap.systems/419

The post Nebulous Networking | TechSNAP 419 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/413

The post The Coffee Shop Problem | TechSNAP 413 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/309

The post The Future is Open | LINUX Unplugged 309 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/403

The post Keeping Systems Simple | TechSNAP 403 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/397

The post Quality Tools | TechSNAP 397 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/389

The post The Future of HTTP | TechSNAP 389 first appeared on Jupiter Broadcasting.

A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Attackers compromise banks and steal millions

• Attackers compromised the credentials of Bangladesh Bank (the Country’s central bank), and used those credentials to make SWIFT wire transfers
• “Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
• Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, the largest bank heist in history
• The fifth, was stopped only because of a typo
• “a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
• “The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
• “The transactions that were stopped totaled $850-$870 million, one of the officials said”
• So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
• “Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
• “More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
• Additional Coverage
• “Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
• “The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
• Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
• “Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
• “Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
• “The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eight floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
• “The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, “managed” switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
• My kingdom for a vlan…
• Last week, a second bank was hit
• Additional Coverage
• “The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
• Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
• “News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
• “In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
• That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank, and so did not need to use such techniques, or that they just went undetected, because of the lax security at the first bank
• SWIFT network issues security advisory about malware targetting banks
• “In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco TALOS finds vulnerability in 7zip

• “Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
• For example, a number of virus and malware scanners using the 7-Zip library to scan inside various archive formats
• This means an attacker could send you a file, which would automatically be scanned by your virus scanner, which would trigger the exploit
• The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications
• “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
• “Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
• “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
• “Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
• “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
• 2016-03-03 – Vendor Notification
• 2016-05-10 – Public Disclosure

Two large middle eastern banks hit by hackers

• “A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
• “Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
• “Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
• Additional Coverage: IBTimes
• “Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
• “In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
• “Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
• A second breach occurred at InvestBank, in the UAE
• Additional Coverage
• “A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
• “The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
• “The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
• “Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
• “The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
• “The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
• “In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
• InvestBank claims this is not a new hack, but just the old data being fully released
• It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly

Feedback:

• Remote access possibilities

• Episode 266 – OwnCloud Cloud Proxy

• Pagekite – The fast, reliable localhost tunneling solution

• Storing client sensitive data

• Dynamic DNS via scp, and remote support for my mother’s computer

• Researchers get United Airlines bug bounty of 1 million air miles. Find out that that has a “street value” of $20,000, and it will be considered income by the IRS, so they donate it to Charity instead.

Round Up:

• Federal Judge Says Internet Archive’s Wayback Machine A Perfectly Legitimate Source Of Evidence
• Backblaze releases their 2016Q1 hard drive reliability stats
• Senators introduce bill to block expansion of FBI hacking authority
• Backwards compatibility layer used to bypass EMET, defeating advanced protections in Windows
• Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability
• How do you deal with a petabyte of disks with sensitive data you need to destroy? Basically a wood chipper.
• Internet Speed Test by Netflix
• The “Ping of Death” is back, this time in the Linux Kernel
• Sites Turn to Audio Fingerprinting to Track Users
• Remember back to the last US Presidential Election, and some guy claimed he hacked Mitt Romney’s lawyers and stole his tax records? It was fake, but, you can still go to jail for that
• Microsoft Disables Wi-Fi Sense on Windows 10
• The printer works fine, except on Tuesdays…
• High CPU use by taskhost.exe when Windows 8.1 user name contains “user”
• A kickstarter campaign full of nonsense and false buzzwords. Watch what people promise you
• How the internet works, a story in pictures

The post My Kingdom for a VLAN | TechSNAP 267 first appeared on Jupiter Broadcasting.

Cisco has a wormable vulnerability in its Firewall appliances, crimeware that allows unlimited ATM withdrawals & the big problem with the Java installer.

Plus great questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Cisco ASA IPSec vulnerability given highest possible CVSS score

• Cisco has released a patch for a critical vulnerability its ASA (Adaptive Security Appliance) firewalls
• “The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server. It is advertised as “the industry’s most deployed stateful firewall.” When deployed as a VPN, the device is accessible from the Internet and provides access to a company’s internal networks.”
• “A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.“
• “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
• So the router can be owned by a single UDP packet. It could then be controlled by the attack and used to send more of those UDP packets, making this a “wormable” exploit
• Affected devices include:
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance
• Users of ASA software versions 7.x, 8.0 – 8.6, will be forced to upgrade to ASA version 9.1
• The researchers had dubbed the exploit “Execute My Packet”
• “The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data.”
• Attempts to exploit the attack can be detected with packet inspection:
• “Looking for the value of the length field of a Fragment Payload (type 132) IKEv2 or IKEv1 packet allows detecting an exploitation attempt. Any length field with a value < 8 must be considered as an attempt to exploit the vulnerability. The detection also has to deal with the fact that the multiple payloads can be chained inside an IKEv2 packet, and that the Fragment Payload may not be the only/first payload of the packet.”
• Researcher Post
• Additional Coverage: SANS
• SANS says “We are seeing a LARGE INCREASE in port 500/UDP traffic (see and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)”

Metel crimeware allows unlimited ATM withdrawls

• An APT (Advanced Persistent Threat) crimeware package has been found in the wild, being used to drain ATMs and bank accounts
• This type of attack was previously the exclusive territory of Nation States
• “It contains more than 30 separate modules that can be tailored to the computer it’s infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they’re made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.”
• “Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees to execute malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to further burrow into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.”
• “Metel illustrates the growing sophistication of hackers targeting banks. It wasn’t long ago that reconnaissance, social engineering, state-of-the-art software engineering, lateral movements through a network, and long-term persistence were largely the exclusive hallmarks of so-called advanced persistent threat actors that painstakingly hack high-profile targets, usually on behalf of government spy agencies. Hackers targeting financial institutions, by contrast, took a more opportunistic approach that infected the easiest targets and didn’t bother with more challenging ones. Now, sophisticated techniques are increasingly a part of financially motivated hacking crimes as well.”
• Other groups have been found doing similar things:
• “The so-called GCMAN group, which gets its name because its malware is built using the GCC compiler. Like Metel, its members gain an initial foothold into financial institutions using spearphishing e-mails and from there use widely available tools such as Putty, VNC, and Meterpreter to broaden their access. In one case, GCMAN members had access to one targeted network for 18 months before siphoning any funds. When the group finally sprang into action, it used automated scripts to slowly transfer funds—about $200 per minute—into the account of a so-called “mule,” who was designated to withdraw the money.”
• “The Carbanak 2.0 malware, which in one recent case used its access to a financial institution to change ownership details of a large company. The records were modified to list a money mule as one of the shareholders. After attacking a variety of banks last year, the gang took a five-month sabbatical that caused Kaspersky researchers to think it had disbanded. In December, Kaspersky confirmed the group was active and had overhauled its malware to target new classes of victims”
• “Kaspersky researchers said all three gangs appear to be active and are known to have collectively infected 29 organizations in Russia. The researchers said they suspect the number of institutions hit by the groups is much higher.”
• Researcher Post
• Indicators and Signatures

Java installer vulnerable to binary planting

• “On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later.”
• Oracle Advisory
• “On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.”
• “The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer’s default download folder.”
• This allows an attacker to plant their own malicious binaries there, and then when the “trusted” Java installer is run with enhanced privileges, the malicious .dll gains those enhanced permissions
• “To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user’s system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.”
• It is not clear how Oracle’s new java downloader is improved, but it is likely not as good as it should be
• Many other downloaders are also likely vulnerable, but the applications do not have the same install base as java
• For less sophisticated users, the process of “clearing download history” would seem to imply that the files are removed as well, which is not the case

Feedback:

• R Pi 2 as proxy server?

• PFSense Central Management

• ZFS on the desktop

Round Up:

• Super Bowl fans use a record 10TB of data on Levi’s Stadium WiFi network, up 63% from 2015
• Paper: How Complex Systems Fail
• Hacker leaks thousands of FBI, DHS employees’ details
• Norse are not the only ones that can do Visualizations
• Google Will Reject All Flash Based Adverts In a Push For HTML5
• Krebs: Credit Card skimmers at the self checkout at Safeway
• U.S. can’t ban encryption because it’s a global phenomenon, Harvard study finds
• Krebs: New e-commerce fraud, order expensive merchandise just to steal the rewards points
• Linux kernel bug delivers corrupt TCP/IP data to Mesos, Kubernetes, Docker containers
• New tool from Harvard, AMBER, a wordpress and drupal plugin that automatically archives pages you link to, and uses that copy if the original goes away, or falls back to the Archive.org wayback machine
• “Revenue per employee, 2015: Yahoo: $419,830 Twitter: $462,009 MSFT: $789,145 Google: $1,160,648 Facebook: $1,412,655 Apple: $2,032,304”
• “Profit per employee, 2015: Twitter: -$129,334 Yahoo: $54,182 MSFT: $102,822 Google: $250,367 Facebook: $290,600 Apple: $464,296”

The post Cisco's Perfect 10 | TechSNAP 253 first appeared on Jupiter Broadcasting.

The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.

Plus a great batch of questions, a rockin’ round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

OpenZFS Dev Summit

• Earlier this week the OpenZFS Developers Summit was held, as well as the 10th Anniversary party for the open sourcing of ZFS
• The first day consisted of networking and presentations
• Videos:
  • Opening Keynote and OpenZFS Success Stories
  • OpenZFS Internals
  • Masked ZFS Send, and ZFS Send Compression
  • Live Migration of NFS shares with Zmotion
  • The birth of ZFS, with Jeff Bonwick
  • Declustered RAID
  • Eager Zero, improving performance on AWS and VMWare
  • Compressed ARC
  • Discontiguous Caching with ABD
  • Dedup Ceiling, Persistent L2ARC, and ZFS native TRIM/UNMAP
  • Sandboxing ZFS on Linux
  • Metadata Allocation Classes, and Ztour
  • Writeback Caching
  • Story Time / Q and A with Matt and Jeff
• The second day was a hackathon at Github’s offices. People worked on a number of different projects, and Nexenta provided prizes to the projects voted to be the best prototypes
• Hackathon Presentations
• During the hackathon, I worked on a new feature of ZFS to make it easier to tell what command line features the current version of ZFS supports, so my replication script can determine if a new feature is supported or not

Researchers warn about flaws in NTP

• NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc)
• “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
• Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stopping checking the time altogether
• “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
• “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
• Post by researchers
• PDF: Full research paper
• The researchers outline 4 different attacks against NTP:
  • Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
  • Attack 2 (Denial of Service by Priming the Pump)
  • Attack 3 (Timeshifting by Reboot)
  • Attack 4 (Timeshifting by Fragmentation)
• It is recommended you upgrade your version of NTP to ntp-4.2.8p4
• “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
• The paper goes on to describe the amount of error that needs to be induced to cause a problem:
  • TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
  • HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”, for sanity’s sakes, this header has an expiration date set some time in the future, usually a year. If you forward the clock past then, you can trick a browsers into accepting an insecure connection.
  • DNSSEC: months.
  • DNS Caches: days.
  • Routing (if security is even enabled): days
  • Bitcoin: hours
  • API Authenticate: minutes
  • Kerberos: minutes
• Alternatives:
  • Ntimed
  • OpenNTPd
    • Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from that, ignore that time server as it might be malicious
  • tlsdate
  • NTPSec (a fork of regular NTP being improved)
• Additional Coverage: ArsTechnica

Adobe and Oracle release critical patches

• Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
• All users should upgrade to Flash 19.0.0.226
• If you are worried, consider switching Flash to Click-to-Play mode
• Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
• “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
• All users are strongly encouraged to upgrade to Java 8 Update 65
• Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
• “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
• “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”

Feedback:

• Bandwidth vs the speed of light

• Unison and an encrypted remote-mounted filesystem

• ZFS pool configuration

• Chinese woman made platform shoes for penetration testing

Round up:

• Android 6.0 re-implements mandatory storage encryption for new devices
• A tale of software maintenance, or lack there of
• Apple’s claim of unbreakable iMessage encryption ‘basically lies’
• To follow up last weeks news that Zerodium/VUPEN will pay $1 – $3 million for an iOS 9 jailbreak, if they can keep it private, PANGU released their Jailbreak for 9.0 – 9.0.2 to the public
• Apple tells US Court that “accessing data stored on a locked iPhone would be “impossible” with devices using its latest operating system (iOS8 at the time)”
• Yahoo mail app for mobile is getting rid of passwords, and using push notifications for authentication
• Remote code exec hijack hole found in Huawei 4G USB modems
• Don’t be fooled by fake online reviews, part 2
• Teen Who Hacked CIA Director’s Email Tells How He Did It
• Cisco TALOS offers expert assistance to any hosting provider to finds they are hosting malicious content or actors
• Tim Berners-Lee warns Facebook against creating a walled garden, “don’t you dare make a phone that can only go to facebook.com.”
• Google switches to BoringSSL, but they don’t recommend that you do
• Battery Tests Find No iPhone 6s Chipgate Problems – Consumer Reports
• XVWA (Xtreme Vulnerable Web Application) is a PHP/MySQL application purposely built with one of each different type of classic vulnerability, to help security enthusiasts learn about application security

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.

A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

• wget is a command line downloading client from the GNU project, often found on linux and unix servers, and even available for windows
• It was originally designed for mirroring websites, it has a ‘recursive’ mode where it will download an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
• It is this mode that is the subject of the vulnerability
• Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
• A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to indicate the same file twice, first as a symbolic link, then the second time as a directory. This is not possible on a real FTP server, since the file system can not have 2 objects with the same name
• This vulnerability allows the operator of the malicious FTP site you are downloading from, to cause wget to create arbitrary files, directories and symlinks on your system
• The creation of new symlinks allows files to be overwritten
• An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
• So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
• “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
• Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most times it is merely used an an HTTP client to download a file from a url
• Redhat Bug Tracker
• Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
• HD Moore Tweets
• HD Moore Blog Post
• Metasploit Module

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

• Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
• It turns out to be vulnerable, a specially crafted request results in the execution of arbitrary SQL commands
• “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
• All users running Drupal core 7.x versions prior to 7.32 need to upgrade
• Drupal Security Advisory
• One line patch — It seems the code assumed $data would always be a simple array, and if it was an associative array (had named keys instead of integers) it would have unintended affects
• Additional Coverage: Threat Post
• It was announced today that a wide spread automated attack has been detected against unpatched Drupal instances
• Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
• “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
• Drupal Public Sevice Announcement
• Additional Coverage: Thread Post
• It is entirely possible that attackers could have dumped the contents of databases in Drupal, it is probably best to reset all passwords

NAT-PMP flaw puts 1.2 million home routers at risk

• NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 RFC6886 to replace part of uPNP with a more simple implementation
• It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
• This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
• However, it seems some implementation are configured incorrectly, and accept requests from both the internal (expected) and external (very bad!) interface
• The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet), however, because it is UDP, the source address can be spoofed
• Researcher Post
• Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
• 2.5% are vulnerable to ‘interception of internal NAT traffic’, specifically, an attacker can create a mapping to forward attempts to connect to the router itself, to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
• 86% are vulnerable to ‘interception of external traffic’, allows the attacker to create a mapping on the external interface, for example, since more routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website. Allowing them to keep the true address of their site secret, by directing traffic to your router, which would then reflect it to their address.
• 88% are vulnerable to ‘Access to Internal NAT Client Services’, because NAT-PMP is over UDP, it is often times possible to send a spoofed packet, with a fake from address. This allows an attacker to basically create port-forwarding rules from outside, gaining access to machines behind the router, that are normally not exposed to the Internet.
• 88% are vulnerable to a Denial of Service attack, by creating a mapping to the NAT-PMP service, the device will forward all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
• 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
• Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
• Because of the nature of project SONAR and the wide spread of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the metasploit module, and attempt to create a database

Feedback:

• Why I switched from Puppet to Saltstack

• Salt vs ansible vs puppet

• Possible to Spoof a Source IP Across the Internet

• Solution for SMTP from home lab

• Network throughput/bandwidth Issues.

• Woes with tar

Round Up:

• FBI cut hotel Internet access, sent agents to “fix” it without warrants
• Interview with the developers of the Gopher protocol
• Brazil Is Keeping Its Promise to Avoid the U.S. Internet
• Botnet uses gmail drafts as a “dead drop” for command and control
• Lawyer doesn’t know what Java is, thinks Bill Gates is trying to get out of a question.
• Don’t run the gnu ‘strings’ command on untrusted files
• SQL Injection attack against speed cameras in France
• Paul Vixie: “Abuse of CPE Devices and Recommended Fixes”
• Whitehouse unclassfied network breached by attackers
• Twitter possibly vulnerable to command injection via new ‘card’ URLs
• Researchers publish report investigating the bitcoin theft from CryptoRush.in
• Security is hard
• Computer hardware identification chart

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

Experian gets caught selling your records to identity thieves, hacking a router with a single UDP Packet, the cloud storage service that deletes your files…

And a huge batch of your questions, our answers!

Thanks to:

Experian credit reporting service sold data to identity theft service

• An identity theft service that sold Social Security and driver\’s license numbers — as well as bank account and credit card data on millions of Americans.
• Purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.
• In November 2011, KrebsOnSecurity ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans.
• Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others.
• A KrebsOnSecurity reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
• Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement.
• Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.”
• In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.
• Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.
• While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
• Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin’s story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service.
• Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme.

Tenda W302R router can be exploited by sending a single UDP packet

• The Tenda routers use a modified version of the GoAhead web server, popular for embedded platforms
• The custom version Tenda uses contains a modification, when the web server starts it creates a UDP socket and bind it to port 7329
• If a packet is received that starts with the string “w302r_mfg”
• The next byte of the packet indicates what to do with the rest of the packet:
• ‘e’ – Responds with a pre-defined string, basically a ping test
• ’1′ – Intended to allow you to run iwpriv commands
• ‘x’ – Allows you to run any command, as root
• This means you can exploit this router and gain remote root privileges with nothing more than the netcat command
• “the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting”
• The device also ship with a default WPA key, which you might want to try first
• Another Researcher found that this exploit exists in many other versions of the Tenda router firmware

Cloud storage service allows strangers to delete your data

• Box.com is a cloud storage service like Dropbox and others
• A reporter had an account that he used from time to time to share images with his Editors
• His wife also used the account, and at one point had invited an employee from a large PR firm to upload a file
• That PR firm later signed up for a corporate account with box.com
• Box.com has a feature, called account roll-in, which allows companies to slurp up all of their employees accounts and grant those users the additional capacity and features of the corporate account
• This feature can also slurp in accounts that have “deep collaborative relationships” with the company
• So in this case, the reporters account was sucked into the corporate account of the PR firm, even though the relationship was only a single file
• Later on, the Administrators of the PR firm saw the account they did not recognize, and deleted it
• Box.com destroyed the account rather than just unrelating it to the PR firm
• Eventually, Box.com managed to find the Reporters files and return them to him
• This just goes to show the risk involved with trusting your files to a cloud storage provider

Feedback:

• ZPool problems

• Monitor host which is not reachable by my nagios server

• Purposeful duplication

• Allan thinks like an old man!

• Removing a drive from a ZFS volume

• Book Recommendations

— Allan’s new router unboxing —

• [25] An open plea for help from a weary sysadmin : techsnap

[asa]B005FYNSZA[/asa]

Amazon.com: SanDisk Cruzer Fit 16 GB USB Flash Drive SDCZ33-016G-B35: Electronics

Round Up:

• NSA hacked into public email of Mexican President and may have tapped the phone of the German Chancellor
• Disclosure attack on Asus Routers gives away your admin password
• Bing seen showing malware infested Ads
• Nordstrom’s Department Store Chain finds keyloggers on cash registers in Florida
• Underwater TCP/IP to connect offshore platforms etc
• Intel Broadwell chip production pushed back to 2014Q1 due to low yield
• US District court rules that if you claim you are a “hacker” you lose your 4th amendment rights
• Only a small fraction of internet facing Netgear ReadyNAS systems have been patched against serious command injection flaw, fix has been out for 3 months
• Contractors involved in ACA portal have history of security failures
• Officers in charge of Nuclear missile facility caught napping with anti-terrorist blastdoor left open
• Laptop rental company admits to putting spyware on machines
• Physical Access Attacks and Fun Bypass Tricks – How to bypass security on a windows computer

The post One Ping Only | TechSNAP 133 first appeared on Jupiter Broadcasting.

It’s been called the largest DDoS attack in history, we’ll bust past the hype and explain how a DNS Reflection attack works.

Plus a privacy surprise in Blackberry 10, the return of an old segment, a big back of your questions, and so much more!

Thanks to:

GoDaddy.com Use our code hostdeal4 to score economy hosting for $1 a month, for one year. 35% off your ENTIRE order just use our code go35off4 until the end of the month!

Support the Show: