Show Notes: techsnap.systems/424

The post AMD Inside | TechSNAP 424 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

• Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

• The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

How I Socially Engineer Myself Into High Security Facilities

• A few months ago, a client had hired me to test two of their facilities. A manufacturing plant, plus data center and office building nearby.

• I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites.

• This is not an advanced investigation. I’m not a private investigator and I don’t have the resources of the NSA. But I can do a lot of damage with simple methods.

• X could have saved the company a lot of heartache by simply verifying that I was who I claimed to be.

• I’ve been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.

Crippling crypto weakness opens millions of smartcards to cloning

• Yubico not aware of any security breaches due to this issue

Millions of smartcards in use by banks and large corporations for more than a decade have been found to be vulnerable to a crippling cryptographic attack. That vulnerability allows hackers to bypass a wide range of protections, including data encryption and two-factor authentication.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

Feedback

• Workaround for the WPA2 exploit – from Jonathan

• SNAPs for… Windows?

• Server Layout for Linux System with LXC – There is an interesting project kind of related to this idea called CloudABI – CloudABI for FreeBSD

• IT Land before time COMPUTERS THAT NEVER WERE Software Emulator for the Cardboard Illustrative Aid to Computationn

Round Up:

• Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit

• Mercedes handles the competition because it knows how to handle data, too

• IT TAKES JUST $1,000 TO TRACK SOMEONE’S LOCATION WITH MOBILE ADS

• Encryption chip flaw afflicts huge number of computers

• Canada’s ‘super secret spy agency’ is releasing a malware-fighting tool to the public

• Writing a Bootloader Part 1

The post Cloudy with a chance of ABI | TechSNAP 342 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Update Every Device — This KRACK Hack Kills Your Wi-Fi Privacy

• use a VPN & https, which would reduce the attack surface, but it’s not ‘perfect’.

• Update from Forbes

• Lots of stuff updated. Lots of stuff not. This is where it pays to know what you have in use and monitor your suppliers for notices.

Mobile carriers selling personal data

• Mobile carriers sell users’ personal information to third parties

Western Digital Stuns Storage Industry with MAMR Breakthrough for Next-Gen HDDs

• Western Digital Hard Drives Will Provide Over 40TB of Storage by 2025

• new tech is MAMR – microwave-assisted magnetic recording instead of HAMR (Heat-assisted magnetic recording) with a laser

• [Why MAMR over HAMR?]](https://www.extremetech.com/computing/257352-western-digital-reveals-mamr-technology-allow-40tb-hard-drives)

Feedback

• Hey Wes, what do you do in your day job

• Hey Wes what do you know about elliptic curves?

Round Up:

• Hackers modify overdraft on credit cards

• Subaru key fobs

• Crypto anchors

• DragonFly 5.0 with HAMMER2 officially released

The post HAMR Time | TechSNAP 341 first appeared on Jupiter Broadcasting.

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• RedHat, 5 Billion Goal
• Krack Attack
• High DPI in Linux
• Vox Tel Sys

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Doin' Lines of WiFi | Ask Noah 30 first appeared on Jupiter Broadcasting.

On this weeks episode we cover a UEFI firmware bug that is affecting computers including ThinkPads, tell you how your windows box can be totally pwned even if it’s fully encrypted & talk about the shortcomings of the MD5 checksum. Plus the feedback, the roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

ThinkPwn, Lenovo and possible other vendors vulnerable to UEFI bug

• “This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.”
• an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode
• “Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets.”
• “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code”
• Lenovo Advisory
• The vulnerable code has also been found in HP Pavilion Laptops, some Gigabyte Motherboards (Z68, Z77, Z87, Z97), Fujitsu, and Dell.
• Exploring and exploiting Lenovo firmware secrets
• ThinkPWN, proof of concept exploit

From zero to SYSTEM on a fully encrypted Windows machine

• “Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment.
  When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system.”
• “In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature.”
• “These two vulnerabilities, discovered with the help of my colleague Tom Gilis were reported to Microsoft however only one vulnerability is patched at the time of writing CVE-2016-0049 / MS16-014.
• “The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here.”
• Acknowledgement by Microsoft
• Since the time of this post, the patch has been released. It turns out, it is MS16-072
• You might remember MS16-072 from TechSNAP #272 as the Windows Update that broke Group Policies!
• “Step 1 – Hibernation – Your friendly neighbourhood password dumper”
• “Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating the HIBERFIL.SYS.”
• “Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. Once we force the laptop into hibernation mode we reboot it and move to the next step”
• “Step 2 – Bypassing the login or lock screen”
• “If the computer is a member of an AD Domain, and the user has logged in on this machine before, so their password is cached locally, all an attacker needed to do is create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing”
• “Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials)”
• So, since the attacker set the new password on the Domain Controller (not really, but the computer things they did), they know this password, and when they attempt to login with it, and windows cannot reach the domain controller, it uses this locally cached password, and allows them to login
• “Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software.”
• “Step 3 – Privilege escalation to SYSTEM”
• “We know that the trust between the client and Domain Controller (DC) is not always properly validated, we have a working Active Directory set-up and we have a working rogue DC. The question is are there any other Windows functionality that is failing to properly validate the trust?”
• “How about Group Policies? It works on all supported Windows versions. There is no need for any additional (vulnerable) software. No specific configuration requirements”
• “There are 2 types of Group Policy Objects (GPO), Computer Configuration and User Configuration Policies.”
• “Computer Configuration Policies are applied before logon, the machine account is used to authenticated to the DC in order to retrieve the policies and finally all policies are executed with SYSTEM privileges. Since we don’t know the machine account password using Computer Configuration Policies is not an option.”
• “User Configuration Policies are applied after a user is logged in, user’s account is used to authenticated to the DC to retrieved the User Configuration Policies and the policies are either executed as the current logged-on user or as SYSTEM.”
• “Now this last type of Policy is interesting because we know the password of the user as we reset it to our likings.”
• “Let’s create a Scheduled Task GPO that will execute NetCat as SYSTEM and finally will connect to the listening NetCat service as a the current user.”
• On Windows 7, Immediately game over, you own the system
• “Windows 7 fails to validate if the DC from where the Group Policies are being applied is indeed a trusted DC. It is assumed that the user credentials are sufficient to acknowledge the trust relationship. In this attack all encrypted traffic remains intact and doesn’t require any modification whatsoever.”
• On Windows 10, it didn’t work right out of the box
• It turns out, the Rouge DC needs to have a user object matching the SID of the user that is logging in. Luckily, with Mimikatz, you can edit the SID of the user on the Rouge DC to make it match
• Additional Coverage: Part 2
• Slides
• So, Microsoft has patched both of these vulnerabilities, and we are all safe again, right?
• “Bypassing patch MS16-014: Yes, you’ve read it right! There is still a way to bypass the Windows Login screen and bypass Authentication More details will be released soon!”
• The author has not released the details yet, as they are waiting on Microsoft to release another patch

The MD5 collision is here

• “A while ago a lot of people visited my site (~ 90,000 ) with a post about how easy it is to make two images with same MD5 by using a chosen prefix collision. I used Marc Steven’s HashClash on AWS and estimated the the cost of around $0.65 per collision.”
• “Given the level of interest I expected to see cool MD5 collisions popping up all over the place. Possibly it was enough for most people to know it can be done quite easily and cheaply but also I may have missed out enough details in my original post”
• A 2014 blog post showed how to create two php scripts with the same MD5
• An early 2015 blog post showed two JPGs with the same MD5
• So, this version of the tools was able to make two different .jpg images, that had the same MD5 checksum, but different contents, while still being perfectly valid JPG images
• The post included instructions and an Amazon AWS images to do the number crunching
• That a later follow up post on how to do the same thing with executable files
• Same Binaries Blog Post
• This example shows a C binary that prints an Angel if a condition is true, and a Devil if it is false
• It contains a bunch of filler that can be changed to make the hashes the same in a second version of the file, where the condition is false. The end result is a pair of binaries, with the same MD5 hash, but different output
• Using this same technique, Casey Smith (@subtee) managed to make an Angel.exe that is a copy if mimikatz, a windows password dumping utility, and a devil.exe that just says ‘nothing to see here’
• Demo of the attack
• This means all I need to do is run this tool against my malware, and say, regedit.exe that is on the whitelist in Windows, and now I have a malware binary that will be trusted

Feedback:

• Pete asks about Owncloud

• John tries to troll Noah

• Matt is having ZFS problems

Round Up:

• New Edge Switch
• Reverse engineering the default WPA2 password on UPC UBEE routers
• ViewSonic ThinClient
• Post intrusion, most attackers use the same everyday admin tools that you do
• TP Link Forgets to Renew Domain
• What Air conditioning Tech can teach us about innovation and laziness
• 10 Million Android Phones Rooted
• Your SmartWatch can steal your ATM pin
• Microsoft’s attempt to recruit interns is a barrel of cringe
• Password sharing ruled a crime under the terrible CFAA (Computer Fraud and Abuse Act)
• Avast Acquired AVG for $1.3 billion, now has 400 million endpoints
• Wendy’s POS malware disclosure page, pwned with XSS
• Passthoughts, a new type of password?
• The definition of a sophishticated attack
• Frontier and AT&T to Block Google Fiber
• This cyber security guide from “The Guardian”, is full of AWEFUL advice, don’t do it
• Man builds $53,000 computer that plays Tetris, to visualize the internals

The post Windows Exploit Edition | TechSNAP 274 first appeared on Jupiter Broadcasting.

We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:

— Show Notes: —

Exploring the misconceptions of Linux Security

• “There is a perception out there that Linux systems don\’t need additional security”
• As Linux grows more and more mainstream, attacks become more prominent
• We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
• Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
• The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
• However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
• Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
• Firewalls generally do not help attacks against web applications, because they operate at layer 3 & 4 and can no detect an attempted exploit
• Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application and attempt to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knows exactly what legitimate traffic will look like
• Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
• Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
• Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
• “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven\’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don\’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

• Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
• Microsoft has released an emergency Fix-It Solution until a proper patch can be released
• This attack is especially bad since it doesn’t not require the victim to open the malicious email, looking at the message in Outlook’s preview mode will trigger the exploit
• According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
• The attack uses a malicious RTF (Rich-Text file), Outlook renders RTF files with MS Word by default
• The Fix-It solution disables automatically opening emails with RTF content with MS Word
• This attack can also be worked around by configuring your email client to view all emails in plain-text only
• Instructions for Office 2003, 2007 and 2010
• Instructions for Outlook 2013
• “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
• The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
• The exploit also checks how recently windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
• Additional Coverage – ThreatPost

Feedback:

• Multiple ISPs

• Securing my fortress

• Can you please explain some basic terms

• Is better/safer to use keys than passwords?

• Proper use of SSH keys

• SSH: Best Practices | HowtoForge – Linux Howtos and Tutorials

• IPv6

Round Up:

• Tarsnap now accepts Bitcoin
• Fake GPG keys for crypto developers found in the wild
• Apps with millions of Google Play downloads covertly mine cryptocurrency
• More holes in SCADA systems, 7600 power, chemical and petrochemical plants at risk
• Gordon Lyon reboots the Full Disclosure mailing list
• Deanonymizing tor with denial of service attacks
• Sony Pictures Plans Movie About Brian Krebs
• Robbing ATMs using SMS messages
• Hackers transform EA Web page into Apple ID phishing scheme
• Cabling done right More cable porn
• WPA2 vulnerabilities found in deauthentication phase, may allow an attacker to temporarily gain access to the network
• Trendjacking – New phishing campaign against governement targets using MH-370
• California DMV breach leaks credit cards

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.