Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Inside the Malware

• Security researcher Sherri Davidoff profiles the Blackhole exploit kit
• Walking us step by step through what the malware does once your computer is infected
• It starts with a simple phishing email, in this example just a plain email that says “Hi, as promised your photos.” with a link
• The unsuspecting user follows the link, and nothing much seems to happen and they continue about their day
• In actuality, their computer has not been infected with the Blackhole exploit kit
• A few days later, while visiting the website of their bank, the user is prompted by the page to verify their identity. Over a short period of time, the attack, using a man-in-the-browser attack, was able to gain:
  • The victim’s name
  • Phone number
  • Answers to security questions
  • RSA token
• The attacker then used this information to wire themselves $49,500 out of the victim’s bank account
• However, because this was a large corporate account, the bank requires a second person to authorize such a transfer
• The attacker used the MITB attack to ask the victim for the name of that second person, which the user entered
• The attacker then asked for the email address of the second person, however the user got suspicious, called the bank and the account was quickly frozen
• Once the blackhole exploit kit is installed on a computer, it loads updates and then continues to phone home once every 20 minutes, using a simple HTTP POST request
• The researcher also managed to capture a Man-In-The-Browser attack on video, when attempting to login to the BankofAmerica site, the infected computer injects a page after the user submits the login form, but before the information is actually sent to the bank
• The injected page claims that the bank does “not recognize” your computer and asks you for a number of details, including your debit card number, social security number, date of birth and mother’s maiden name
• These details are not sent to the bank, but rather to the attacker, who can use them later to drain your account
• In more sophisticated attacks using this technique, the attacker is actually communicating with your system live, in order to take advantage of the information as you enter it, such as passing on to the victim the secret questions they are prompted for when trying to send a wire transfer
• This also allows the attackers, in the situation where they are actively monitoring your computer when you are attempting to access your account, to take advantage of temporary information such as the output of your RSA security token

---

Dedicated server provider Hetzner finds backdoor

• Administrators at Hetzner discovered a backdoor on their nagios monitoring server
• After further investigation, they discovered that their web interface for managing dedicated servers (called the Hetzner Robot) had also been infected
• This means some personal details of customers, including name, email address, phone number, hashed password, last 3 digits of credit card number, credit card type and expiration date
• The actual card number is never stored by Hetzner, it is passed directly to the payment processor who returns a unique token that is used to reference that card in the future
• However, customers using direct debit (debit note) from their bank account, may have been compromised. While the information is stored encrypted in the Hetzner database, the key may have been compromised
• Passwords were SHA256 hashed with a salt, but it does not sound like they used sha256crypt
• “The malicious code used in the “backdoor” exclusively infects the RAM. First
  analysis suggests that the malicious code directly infiltrates running Apache
  and sshd processes. Here, the infection neither modifies the binaries of the
  service which has been compromised, nor does it restart the service which has
  been affected.”
• Hetzner has hired an external security company to do a more indepth investigation
• English FAQ

---

Feedback:

• MAC Filtering?

• FreeNAS as Storage for VMs… HOW?

• Using rsnapshot for backup?

• Apple’s Hidden Details

• Another Take on Passwords when Mobile

• Sharing a Real Life Bad Security Experience

BSDCan 2013 Videos:

• All Videos
• Allan Jude – Managing FreeBSD at Scale
• Paul Chvostek – Switching from Linux to FreeBSD
• Peter Hansteen – The Hail Mary Cloud And The Lessons Learned
• Pawel Jakub Dawidek – FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
• Kirk McKusick – An Overview of Security in the FreeBSD Kernel
• Shawn Webb – Runtime Process Infection Part 2

---

Round Up:

• Lenovo opens heavily automated assembly plant in North Carolina
• 0 day exploit for Plesk puts more than 360,000 linux servers at risk, unknown if windows servers are affected. Exposes /usr/bin
• China says it is the USA’s fault that their weapons designs were stolen, “Even following the general principle of secret-keeping, it should not have been linked to the Internet,”
• Vint Cerf worries that we won’t be able to access historical data due to the cost of maintaining backwards compatibility
• NSA collecting phone records of millions of Verizon customers daily
• Google researcher releases a working exploit for the Windows Kernel bug he disclosed earlier
• Car thiefs may have a new device that unlocks many makes and models of vehicles
• Attackers use massive DDoS to mask exploit attack against EVE Online backend servers

The post Phishin' Hole | TechSNAP 113 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/23581/not-so-private-keys-techsnap-72/ Thu, 23 Aug 2012 16:33:58 +0000 https://original.jupiterbroadcasting.net/?p=23581 How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

The post Not so Private Keys | TechSNAP 72 first appeared on Jupiter Broadcasting.

]]>



How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Show Notes:

Man in the Browser attack used against Airport employees to gain credentials for VPN

• In what appears to be a highly targeted attack, some airport employees had their machines infected with Man-in-the-Browser malware
• This allowed the attackers to use form-grabbing and screen capturing to steal the airport employee’s login credentials for the airport VPN
• The attack also compromised the single channel mode of the airports two-factor authentication system, where an image was displayed and used by the user to transform their password into a temporary one-time code. Because this one-time code is based on the password, an attacker who is able to capture a number of these (the image and the response) can calculate what the original static password was
• A more secure two-channel mode, sends a one-time code via SMS or a Mobile Application, but apparently was not used by many airport employees
• It is unclear what type of VPN this was, or why the VPN involves logging in via a browser (layer 7), rather than the more typical layer 2 or 3 type VPN
• It is not known what the attackers were after, but with access to the internal airport network, they may have been able to gain information on employees, the hiring process (to get their own people employed at the airport), or the ability to flag specific luggage, cargo or persons such that it is not subjected to normal security screenings
• Additional Coverage

---

Adobe releases Flash 11.4, critical update to fix 6 security vulnerabilities

• This update resolves a number of memory corruption vulnerabilities that could lead to code execution
• CVE–2012–4163 Score: 10.0
• CVE–2012–4164 Score: 10.0
• CVE–2012–4165 Score: 10.0
• CVE–2012–4166 Score: 10.0
• This update also resolves an integer overflow vulnerability that could lead to code execution CVE–2012–4167 Score: 10.0
• And this update also resolves a cross-domain information leak vulnerability that could expose information from a the site you are visiting to other sites CVE–2012–4168 Score: 4.3
• With the end of Flash support for Android, A fake flash player laden with malware and adware has been found in the wild. It rooms your phone and floods it with advertisements, including a popup every 15 minutes

---

Hard coded SSL Keys in RuggedCom Switches

• RuggedCom and their Rugged OS has caused headlines again with a massive security flaw
• The rugged devices are used in many very sensitive installations, including military bases, train switches, power distribution systems, and traffic signals
• The systems are designed to be rugged, insofar as standing up to harsh climate conditions, however it appears that many of these devices have been connected to the internet to allow for remote management, and the security of these systems has again been compromised
• In this case, the RuggedCom devices use a hardcoded SSL private key, meaning that the secret used to decrypt the data sent from the user to the device, can be known by anyone who has ever had access to such a device, or has otherwise gotten access to the key (I am sure it has been posted online somewhere by now)
• SSL uses PKI and asymmetric encryption, meaning there is one key to encrypt data (the public key, published as part of the SSL Certificate), and a private key, used to decrypt information encrypted with the public key
• It seems that all RuggedCom devices uses the SAME SSL key. This is such a large security fiasco as to defy classification. In order for this to have happened, every single person involved with the RuggedCom OS must have entirely lacked any understanding of how SSL works
• The researcher who discovered the vulnerability (Justin W. Clarke, also discovered the previous vulnerability) was able to get the SSL key from various RuggedCom devices he bought on eBay, and discovered that the key on each device was the same
• In addition to being able to decrypt the communications between users and the device, in order to get the login credentials or other sensitive information, an attacker with access to the SSL private key could also send modified responses from the device, making it appear to be normal, or even alter the responses from the device such that they compromise the computer of the administrator who is accessing the RuggedCom device, with something like one of the Flash exploits mentioned earlier in the show
• ICS-CERT is recommending that all RuggedCom devices be isolated from the internet, and only accessed over VPNs to reduce the risk of an attack being able to decrypt the SSL session
• Why any of these devices were connected directly to the public Internet in the first place boggles the mind
• Additional Coverage
• Additional Coverage
• Coverage on Previous Flaw
• TechSNAP 55 – Obscurity is not Security

---

New financial malware demostrates interesting new feature, blocks users from accessing their bank account after it is compromised with friendly error message

• Normally, a man-in-the-browser or keylogger style malware that targets your banking credentials would steal them, and send them to the fraudster, who would use them to gain access to your bank account
• In a later iteration, the MitB attacks would prompt you for the answers to your secret questions
• This level of MitB attacks was confounded by 2 factor authentication, because once the user entered the short-lived PIN, it was no longer useful, so the key-logged information did not allow the fraudster to gain access to the account
• This newest version of the attack now stops your browser from actually communicating with the bank at all
• When you go to the banks site in your browser, and enter your username, password and the one-time PIN, the form details are taken by the malware, and the fraudster then uses them from his computer, and drains your bank account, meanwhile you are given a friendly error message, informing you that the banks website is down for a short maintenance and will be back later
• The reason for this, is the banks fraud-screening system
• The banks automated defense systems monitor where you log in to your online banking from, and if you login from two very distant locations within such a short amount of time that it is not possible for you to have traveled that far, it flags your account as possibly compromised
• By preventing the legitimate user from accessing their account, it prevents this alarm being tripped, giving the fraudster more time to drain the account before being detected

---

Feedback:

• Chef vs Puppet?
• David Suggests we Check out Salt Stack!

---

• Sean has some FreeBSD question

FreeBSD has a ‘linux compatibility layer’, a kernel module called the Linuxulator, that basically translate system called from Linux to BSD. If you install the basic libraries from CentOS into /usr/local/compat under BSD (there are packages that do this for you), you can run compiled linux binaries on FreeBSD. The target of this system is commercial linux applications, like game servers, scientific software and all kinds of not-open-source stuff.

If you create a jail (a second copy of the OS installed in a chroot, which uses the host OS’s kernel), and your freebsd kernel has the linux module loaded, then you could install CentOS in the jail chroot instead of FreeBSD, and have CentOS boot (with its boot scripts etc). It would be CentOS, except with a FreeBSD kernel (although CentOS will think it is using a linux kernel). All of the system binaries, and the package binaries would run through the translation layer (there is no real performance penalty for this, some apps even run faster under FreeBSD)

If you google for it, there are some how-tos on running linux in a FreeBSD jail, for some commercial software like Adobe Flash Media Server, that only want to run on CentOS (doesn’t even like to run on other Linux distros, let alone BSD), it can provide an easy out.

Apparently PC-BSD’s new ‘Warden’ jail management GUI includes the option to deploy a linux jail automatically, but I have not tried it yet

---

• How to setup proper virtual networking?

What I wish the new hires “knew”

Round-Up:

• VMware virtual machines targeted by “Crisis” espionage malware
• Amazon’s Glacier Offers Archival Storage in the Cloud
• Australia Passes ‘Lite’ Data Retention Laws
• New financial Man-In-The-Browser malware still not reliably detected by AV due to self-mutation
• Own someone’s email, and you own them

The post Not so Private Keys | TechSNAP 72 first appeared on Jupiter Broadcasting.

]]>