voicemail – Jupiter Broadcasting

Snakes in a Bank | TechSNAP 96

chris — Thu, 07 Feb 2013 16:55:14 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Using phone tones and a little Python to get access to someone’s bank account, and Oracle steps up with an early patch for Java but it doesn’t fix everything.

Then we answer a big batch of your questions, and much more on this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go47off1 to save 47% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Oracle responds, February Critical Patch Update released early

The February CPU was originally scheduled for February 19th, but was released February 1st
The patch fixes 50 different issues, more than half of which have a CVSS risk score of 10 out of 10
This CPU covers issues #29, 50, 52 and 53 reported by Security Explorations, however a fix for issue #51 is still outstanding. Each of these issues is a sandbox security bypass
In addition to the new ‘disable java in all browsers’ setting in the java control panel that was introduced in the last CPU, this update also changes the default security setting to high, requiring users to approve all unsigned applets, rather than letting them run silently
“The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.”
The next Java CPU is not scheduled until June 18th 2013

Researchers develop attack against micro-financing banks in Africa

Banks is Africa uses Audio-One-Time-Passwords (AOTP), since most users do not have smart phones, and SMS is not widely deployed
The way the system works, is that after a user logs in to their bank and makes a transaction, the bank calls their mobile phone to verify the transaction. The user holds their mobile phone up to the speakers on their computer, and the browser plays some audio, which is then received by the bank via the open phone line, and compared
The researchers wrote a python script to simulate logging in to the bank 10,000 times, and recorded the audio for each of these attempts
There are a number of issues with the implementation of this system
- Users login to their bank with their mobile phone number and a 4 digit pin, this is obviously not very secure, and is also open to brute force attacks, since both credentials are numeric, and the phone numbers are fairly predictable
- The researchers found that the AOTPs are not cryptographically random
- The AOTPs are only 1000ms long
- Based on analysis, the AOTPs only contain 55 bits of information
- The system assumes it is connecting to the users’ mobile phone, when it may actually be redirected
Based on predictable AOTPs, the researchers were able to save a AOTP as the voicemail greeting on a target users’ number, so when the bank made the verification call, it got the expected tones
Brute force attacks against voicemail passwords are fairly trivial, as most are only 3 or 4 digit pins, and users often leave them at defaults such as the last 3–4 digits of the phone number, a birth date or 1234
Some carriers also offer a web interface for retrieving your voicemail making web based attacks possible as well
Presentation Slides

Twitter servers compromised

The twitter security team detected an unusual pattern of attempts to access their infrastructure
In the process of investigating, they found a live ongoing attack
They believe the attackers may have had access to: usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users
If twitter believes you were affected, you will have already received a password reset email
Twitter reminds you to choose a password that is at least 10 characters long, a mix of case and symbols, and to never use the same password on multiple sites
The blog post needlessly mentions the recent Java exploits, and how browsers are disabling the plugin, creating a false equivalency or relationship between what happened to the Twitter servers and the ongoing saga of Java
At the end of the blog post, they again remind users to disable Java, even though java played no part in this attack

Packet of death disables Intel 82574L network cards

While debugging a problem that would cause their on-premise VoIP devices to suddenly fail, a sysadmin discovered a bug in the Intel EEPROM
A very interesting story of the steps required to reliably reproduce the problem, in order to attempt to isolate it
If a specific bit has a value of 32 (ASCII 2) the nic will die, and can only be revived by a full power cycle
However, to complicate things, if a value of 34 (ASCII 4) happens to fall at this specific offset, the NIC is ‘inoculated’, and won’t crash if it subsequently receives a 32 or 33
It took a great deal of testing to reproduce the problem, because if a nic got inoculated, it wouldn’t fail again until it was power cycled
Packets for TCPReplay to test your nic

Feedback:

Another question or 2 regarding my home server…
What’s the advantage of a VM over a Physical Box?
Protecting your self on shared hosting?
W3 Total Cache update
The TechSNAP 100 shirt campaign launches on Tuesday Feb 12th!
Working Remotely
How a sysadmin looks when there is an emergency

Round Up:

The post Snakes in a Bank | TechSNAP 96 first appeared on Jupiter Broadcasting.

Phreaking 3G | TechSNAP 14

chris — Thu, 14 Jul 2011 21:38:23 +0000

Coming up on This Week’s TechSNAP!

We’ll cover a story that really drives home how serious cell phone hijacking has gotten, and what new technology just made it a lot easier for the bad guys.

Plus find out why TrendJacking is more than a stupid buzz term, and we load up on a whole batch of audience questions!

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

Thanks to the TechSNAP Redditors!

Vodaphone SureSignal appliance rooted by THC

Vodaphone sells a 3G Signal Boosting appliance for home users to boost mobile reception in their homes. The device sells for 160GBP ($260 USD)
The FemtoCell or SureSignal appliance connects to the VodaPhone network via your home internet connections, and relays mobile phone signals
The Hackers Choice (THC, developers of the well known hacking tool Hydra) managed to reserve engineer the device and brute force the root password. THC has been actively working on exploiting various devices of this nature since 2009
Once compromised, the device can be turned in to a full blown 3G/UMTC/WCDMA call interception device.
The FemtoCell uses the internet connection to retrieve the private key of the handset that is attempting to use the cell, in order to create an encrypted connection.
In it’s intended mode of operation, the FemtoCell can only be used by the person who purchased it
The FemtoCell has a limited range of about 50 meters (165 feet)
With a rooted device, an attacker can get the secret key of any Vodaphone Subscriber
With a users secret key, you can decrypt their phone calls (if they are within range), but also masquerade as their phone, and make calls at the victims expense.
This attack also grants you access to the victims voicemail
The root password on the Vodaphone device was ‘newsys’
Some question whether Vodaphone should be held liable for not protecting their customers
Quote from THC “Who is liable if the brakes on my car malfunction? The drive or the manufacture? Or the guys who tell us how insecure they are?”
THC Wiki page on the Vodaphone device, includes Diagrams

Fake Facebook App promises invites to Google+ to steal your info

When you visit the unofficial page for Google+ on Facebook, you are invited to allow the 3rd party app to access your facebook account (common requirement to use any facebook app)
Specifically, this app requests access to post on your wall, allowing it to spam all of your friends, inviting them to join as well. It also requests access to all of your personal data
You are then requested to ‘Like’ the app, and then invite all of your friends (Again, this is common with many Facebook apps, especially games, where inviting your friends can offer in-game rewards)
Your friends then accept the invite, assuming it is legitimate because it came from you
Now this application has managed to spread wildly and has complete access to your facebook profile, allowing it to scrape all of your personal information, as well as use your account to promote further fake and malicious applications.
You need to watch what applications you are allowing access to your profile, and specifically which rights they are requesting. Does that game really need ‘access to your data at any time’, rather than only when you are using it? Do you trust it with access to post to your wall?
This trend has been dubbed TrendJacking

Feedback

Q: (Peter) While investigating different data centers to house our application, one of them mentioned that we should use physical servers to host our database, rather than hosting the database in virtualization like vmware. This this true?

A: There are a number of reasons that a physical server is better for a database. The first is pure I/O. In virtualization, there is always some level of overhead in accessing the physical storage medium, compared to doing it natively. There is also an overhead even with hardware virtualization for CPU cycles, Disk Access, Network Access, etc. In it generally considered best practise to keep your database on physical hardware. That doesn’t mean you can’t virtualize it, but if you are worried about performance, I wouldn’t.

Q: (nikkor_f64) In the recent ‘usage based billing’ legal battles in Canada, the smaller ISPs are proposing to use 95th Percentile Billing, what is that?
A: 95th Percentile billing is the way most carrier grade Internet connections have been billed for as long as I have been in the business. The concept is quite simple, rather then charging the subscriber for the amount of bandwidth that they use, such as pricing per gigabyte, the billing is based on peak usage. Typically, the rate of data up and down the link is measured every 5 minutes (routers count every bit as it goes though, but looking at that counter every 5 minutes, and subtracting the value from 5 minutes ago, you can determine the average speed for the last 5 minutes). Then, as the name suggests, you take the 95th percentile of those values. This is done by sorting the list of measurements, then deleting the top 5%, the highest measurement left, is the 95th percentile, and you pay for that much bandwidth. Some might argue, but that is more than I actually used, my average was far less than that. The key to why this system works, is that it charges the subscriber for the peak amount of bandwidth they used, save for a small grace. This allows the ISP to properly budget for the capacity they need to serve that customer. Normally, your contract will be something like: a 5 megabit/second commitment, with 100megabit burstable. This means you have a full 100/100 megabit connection, and you will pay for 5 megabits/second minimum at a fixed price. You will also be quoted a price for ‘overage’. If your 95th percentile is over 5 megabits, you pay the overage rate per megabit that you are over. You get a lower per megabit rate on your commitment level, but that is a minimum, you have to buy at least that much each month, even if you don’t use it, but the more you buy, the cheaper it is. So, this means that during peak periods, you can use the full 100 megabits, without having to pay extra, as long as your 95th percentile stays below 5 megabits. (5% of a month is about 36 hours, meaning you get the busiest 1 hour of each day, for free)

Q: (Justin) What would be the weaknesses of using GPG to encrypt my files before storing them in the cloud.
A: There are a few issues:
1. Key Security – You need to keep the keys safe, if they fall in to the wrong hands, then your data is no longer secure.
2. Key Management – You also have to have access to the key, where ever you are, in order to access your data. Unlike data that is protected with a simple passphrase, in order to access your data, you need the key. So if you are on your mobile, and you need access to your data, how do you get access to your key? If you store a copy of your key on the mobile, is it secure? Also, if your key is lost or destroyed, then there is no way to access your data, so you have to safely back it up.
3. Key Lifecycle – How often should you change your key? How many different keys should you use? If you use multiple keys, less data is compromised in the event that one of your keys is exposed, but it also complicates Key Security and Key Management.
4. Speed – Asymmetric encryption, such as GPG is far slower than symmetric encryption algorithms like AES. This is especially true with the newer Intel i7 processors having a specific AES instruction set that increases performance by about 8 times. This is way sometimes, you will see a system, where the data is encrypted with AES, and then the key for the AES is then encrypted with GPG. Giving you a hybrid, the strength of GPG with the speed of AES.
5. Incremental Changes –

Round-Up:

Bitcoin Blaster:

Download & Comment:

The post Phreaking 3G | TechSNAP 14 first appeared on Jupiter Broadcasting.