Show Notes: techsnap.systems/411

The post Mobile Security Mistakes | TechSNAP 411 first appeared on Jupiter Broadcasting.

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

• The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
• It turns out to not have been as big a deal as we were lead to believe
• The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
• The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
• It affects all versions of Samba clear back to 3.0
• “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
• “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
• See the Samba Release Planning page for more details about support lifetime for each branch
• Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
• The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
• Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
• It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
• “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
• Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
• standard Samba server – modify user permissions on files or directories.
• There were also a number of related CVEs that are also fixed:
  • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
  • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
  • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
  • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
  • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
  • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
  • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
• Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
• “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
• “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
• Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

• Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
• They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
• The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
• Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
• There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
• Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
• Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
• What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
• Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
• Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
• On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
• Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
• Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
• Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
• Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
• Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
• Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
• Additional Coverage: Forbes
• Additional Coverage: WordFence
• Additional Coverage: Slashdot
• In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

• “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
• “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
  How I can recover from a rm -rf / now in a timely manner?”
• There is not usually any easy way to recover from something like this
• That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
• It is usually best to not have your backups mounted directly, for exactly this reason
• Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
• While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
• Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
• When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
• Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
• There are plenty of other examples of this same problem though
• Steam accidently deletes ALL of your files
• Bryan Cantrill tells a similiar story from the old SunOS days
• Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
• Additional Coverage: ServerFault
• When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

• NAS or SAN?
• Full SSD ZFS array

Round Up:

• “FreeBSD Mastery: Advanced ZFS” has been released as ebook for $9.99, print version in a few weeks
• Book features a fancy “Wrap Around” cover, the secret art not revealed yet
• How to not get pwned on Windows: Don’t run any virtual machines, open any web pages, Office docs, hyperlinks
• OpenWhisperSystems has integrated its Signal Protocol public key encryption systems into WhatsApp, now fully end-to-end encrypted with identity verification
• FBI bought previously undisclosed zeroday to crack the iPhone 5c
• After Apple claims to have fixed iOS 1970 bug in February, researchers demo a new remote version, bricks your device 20 minutes after connecting to their rouge WiFi, if your battery doesn’t catch fire first…
• 0-day exploits more than double as attackers prevail in security arms race
• Proving apps don’t take data security seriously, new website uses Tinder’s official API to let you spy on other users
• Google’s monthly Android update fixes Linux kernel flaw from 2014 that was being used to root Android devices
• Nest pulls the plug on the Resolv Hub, leaving owners who were promised a lifetime service subscription with a $299 paperweight
• The entire Turkish citizenship database appears to have been hacked and leaked online
• Python, Go, and PHP (before 5.6), failed to check for self-signed, expired, or worse revoked SSL certificates, also older versions may still accept RC4 and weak DH (logjam)
• Cellebrite, the company originally rumoured to have helped the FBI crack the iPhone, set to release a road side ‘textalyzer’, to determine if you were using your cell phone at the time of an accident
• Google’s new “BeyondCorp” security model, all networks are untrusted, users earn trust with good behaviour, devices earn trust with known good state
• All the resources in the world are not use if you don’t know how to use them

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain.

A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Oracle doesn’t think you should try to reverse engineer their products

• “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for vulnerabilities because “it’s our job to do that, we are pretty good at it”
• The blog post has since been taken down
• Archive.org copy of Oracle Blog post
• Google Cache of Oracle Blog post
• “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.“
• This is where I take the most extreme exception
• First, I don’t imagine that it is most average Oracle customers who are reverse engineering Oracle software looking for bugs
• Often, security research companies will look for bugs in major bits of software (be in Flash, Windows, Firefox, Chrome, Java, etc) with the goal of publishing their research once the bugs they find are fixes, in order to build a reputation, to get security consulting customers
• This system depends on A) Vendors actually accepting and acting upon bug reports, and B) Vendors crediting the people who discover the flaws in the security advisory / patch notes
• When a researcher is helping you better your software, for free, the least you can do is given them credit where it is due
• If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist, and isn’t an attack surface
• ““I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,” Davidson said in the post.“
• So atleast they are going to fix it, eventually …
• ““However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”“
• But credit? Nope. Ohh, and we might decide to try to engage in litigation against you
• Of course, if you actually read the EULA, Oracle’s software is not warranted for any use what-so-ever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
• ““Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,” Davidson said in the post.“
• Of course, Oracle’s Legal department backpedaled, hard:
• A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
• “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
• Twitter reacted quickly
• An new trend has emerged around the hashtag #OracleFanFic

Why not insider trade on EVERY company?

• This bloomberg view article starts with a typical description of how insider trading works, and how people get away with it
• It then starts to dig into how a group of Ukrainian malactors did it against a huge number of companies, and illegally profited over $100 million.
• The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public
• Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee, or a stake in the action
• They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies
• “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and “created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.””
• “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies,”
• “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. “The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants,”
• “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers “gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.” They gained access to Business Wire after “the login credentials of approximately fifteen Business Wire employees had been ‘bruted.’”
• The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
• Additional Coverage – Bloomberg
• Additional Coverage – Threat Post
• Justice Department Press Release
• New Jersey Federal Criminal Complaint
• Brooklyn Federal Criminal Complaint
• SEC Press Release
• SEC Civil Complaint

Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR

• “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines”
• Make sure your flash version is 18.0.0.232 or newer
• The fixes flaws include:
• 16 use-after-frees
• 8 memory corruptions
• 5 type confusions
• 5 buffer overflow and heap buffer overflow bugs
• 1 integer overflow flaw
• “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
• In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks”
• “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said
• “Note: Beginning August 11, 2015, Adobe will update the version of the “Extended Support Release” from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post “
• Official Adobe Advisory
• The advisory issues thanks to a number of researchers and companies that found the vulnerabilities including:
  • Google Project Zero
  • FortiGuard Labs
  • Alibaba Security Research Team
  • Chromium Vulnerability Rewards Program
  • 360 Vulcan Team
• Additional Coverage

Feedback:

• multiboot linux and running openssh-server on all

• Allan made a comment in response to a question “FreeNAS with Quad GbEthernet

• Get some Fiber in your Freenas.. Fiber Channel

• Server Envy

Round Up:

• The first publicly released Android Security Advisory – Fixing StageFright and other video processing vulnerabilities on Nexus devices
• Sharp announces new line of DC powered appliances, starting with an Air Conditioner. Avoiding the conversion from DC to AC to DC for Solar and other alternative power sources
• Cisco warns customers of attacks replacing IOS bootstrap images on routers
• Why it is important to choose your audience. When you leak documents, and no one takes you seriously
• Facebook’s Internet Defense Prize ($100,000) was awarded to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique
• The team behind the Anthem breach may also be who hit United Airlines
• Steam fixes vulnerability in site that allowed anyone to reset the password of another account, hijacking it
• 3 Chechen women use “CatFishing” scheme to take ISIS combatants for $3300
• Don’t be fooled by phony online reviews – Krebs details the story of someone who got scammed, badly
• Finally, a way to explain IaaS, PaaS, and SaaS

The post Oracle's EULAgy #oraclefanfic | TechSNAP 227 first appeared on Jupiter Broadcasting.

A fresh version of LibreOffice hits the web, another Flash attack in the wild, this one uses “malvertising”. What the heck is malvertising? We discuss.

Plus what the state of Android looks like in 2015, another OS X bug & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• New Features | LibreOffice – Free Office Suite – Fun Project – Fantastic People
• Another Flash attack spotted, this time against Yahoo! users
• OS X Bug Exploited To Infect Macs Without Need For Password – Slashdot
• This is what Android fragmentation looks like in 2015
• This is what Android looks like in 2015 | The Verge

The post Lousy Lollipop Adoption | TTT 202 first appeared on Jupiter Broadcasting.

The Backronym vulnerability hits MySQL right in the SSL protection, we’ll share the details. The hacker Group that hit Apple & Microsoft intensifies their attacks & a survey shows many core Linux tools are at risk.

Plus some great questions, a rockin’ roundup & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Backronym – ssl stripping mysql connections

• Researchers have identified a serious vulnerability in some versions of MySQL that allows an attacker to strip SSL/TLS connections of their security wrapping transparently.
• Researchers at Duo Security realized that even when they set the correct option to initiate an SSL connection with the MySQL server, they could not make the client enforce a secure connection.
• This means that an attacker with a man-in-the-middle position could force an unencrypted connection and passively sniff all of the unencrypted queries from the client to the MySQL database.
• The vulnerability lies within the behaviour of the ‘–ssl’ client option, which on affected versions it is being treated as “advisory”. Therefore while the option would attempt an SSL/TLS connection to be initiated towards a server, it would not actually require it. This allows a MITM attack to transparently “strip” the SSL/TLS protection.
• The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options.
• The vulnerability affects MySQL 5.7.2 and earlier versions, along with MySQL Connector versions 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.
• The vulnerability is nicknamed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL) by the Duo researchers, who also put up a site that riffs on the recent trend of researchers putting up sites for major vulnerabilities.
• What does BACKRONYM stand for? Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL!
• They say: “We spent countless hours analyzing the BACKRONYM vulnerability to come up with a human-readable description that would convey the underlying root-cause to infosec professionals.”
• What do I need to do to fix BACKRONYM?
• Step 1: PANIC! I mean look at that logo – your database is basically exploding!
• Step 2: Tell all your friends about BACKRONYM. Use your thought leadership talents to write blog post about BACKRONYM to reap sweet Internet karma. Leverage your efforts in responding to BACKRONYM to build political capital with the executives in your organization. Make sure your parents know it’s not safe to shop online until BACKRONYM is eradicated.
• Step 3: Actually remediate the vulnerability in any of your affected MySQL client-side libraries (also MariaDB and Percona). Unfortunately, there’s no patch backported for MySQL <= 5.7.2. So if you’re on MySQL 5.6 like 99.99% of the Internet is, you’re basically out of luck and have to upgrade to the MySQL 5.7 “preview release” or figure out how to pull in libmysqlclient >= 6.1.3. Backporting security fixes is hard, apparently.
• Additional Coverage: New PHP release to fix backronym flaw
• The BACKRONYM Vulnerability

Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks

• The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.
• After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity.
• Symantec has named the group behind the attacks “Butterfly”.
• Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.
• The first signs of Butterfly’s activities emerged in early 2013 when several major technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. This was done by compromising a website used by mobile developers (that we covered before on the show) using a Java zero-day exploit to infect them with malware.
• The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.
• Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly.
• Butterfly has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.
• Butterfly has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
• Hacktool.Bannerjack is meanwhile used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
• The group uses Hacktool.Eventlog to parse event logs, dumping out ones of interest, and delete entries. It also kills processes and performs a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that allows attackers to route traffic through an intermediary node, onto their destination node.
• Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Butterfly is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Butterfly is unaffiliated to any nation state.
• Links:
• Butterfly: Profiting from high-level corporate attacks | Symantec Connect Community
• Hacktool.Securetunnel | Symantec
• Wild Neutron – Economic espionage threat actor returns with new tricks – Securelist

Core Linux tools top list of most at-risk software

• The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what projects need support now, instead of waiting for them to break.
• The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux’s package list and on openhub.net, then scores them based on the amount of risk each presents.
• A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects to be core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
• High scores in the survey, said the CII in its page on the project, don’t mean a given program should be ditched, or that it’s to be presumed vulnerable. Rather, it means “the project may not be getting the attention that it deserves and that it merits further investigation.”
• Apache’s https Web server, a large and “vitally important” project with many vulnerabilities tracked over the years, ranked as an 8 in part because “there’s already large development & review team in place.”
• Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
• One of tricky issues that bubbles up is the complications posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that “the general Apache Portable Runtime (APR) appears to be actively maintained. However, it’s not as clear that the LDAP library in it is as actively managed.” Likewise, anything that uses the Kerberos authentication system — recently implicated in a security issue — typically has “Kerberos” in the notes.
• linuxfoundation/cii-census · GitHub

Feedback:

• 6gig SAS

• fail2ban

• Colo or No-Go

Round Up:

• International cybercrime marketplace taken down
• Larry Wall on Perl 6 and teaching kids to code
• Uninstalled Google Photos? Thought your pics safe from slurping? WRONG, bozo
• Toshiba owned OCZ launches new line of SSDs at $0.40/GB. Uses new flash memory and controller directly from Toshiba. Do you trust something new? From
• ID Theft Service Proprietor Gets 13 Years
• When security and politics collide: Lifespan in the SES (Senior Executive Service)
• Intel confirms tick-tock-shattering Kaby Lake processor as Moore’s Law falters

The post Butterflies & Backronyms | TechSNAP 224 first appeared on Jupiter Broadcasting.

Google wants to get into the wireless business & while we are more than a little intrigued by the idea, we also have some major questions. We kick around the very real possibility that Google Wireless could become a thing.

Plus a few zero day exploits for OS X, the bad news for RT users & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Report: Google to launch wireless service this year | Ars Technica

Reports about a rumored Google wireless service are cropping up again. The Information (subscription required) is reporting that Google plans to resell Sprint and T-Mobile services as a Mobile Virtual Network Operator (MVNO).

• Google to Sell Wireless Service in Deals With Sprint, T-Mobile – WSJ

Google drops three OS X 0days on Apple | Ars Technica

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What’s more, the first vulnerability, the one involving the “networkd ‘effective_audit_token’ XPC,” may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn’t make this explicit and Apple doesn’t publicly discuss security matters with reporters.

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs.

Surface RT Devices Won’t Get Windows 10

In its announcement of Windows 10, Microsoft indicated not all devices would get the updated operating system. Now, Microsoft says its Surface devices running Windows RT won’t be receiving full updates, though it does plan to roll some new functionality into them. “Given that Windows RT and RT 8.1 were designed for power economizing devices sporting 32-bit ARM architecture, and never had the same functionality — to many users’ frustration — as full-blown Windows 8 and 8.1, it comes as little surprise that the RT versions of the operating system should be left out of the latest update loop. In fact, a week before Microsoft’s big Windows 10 reveal on January 21, the company released firmware updates for all three models of its Intel-powered Surface Pro series, but neither of the ARM-based Surface tablets — the Surface 2 or Surface RT — received any new updates this month.” The Surface Pro line of tablets, which run a normal version of Windows, will be getting an update to Windows 10.

Plasma 5.2 – The Quintessential Breakdown | Ken Vermette

KDE is one of the oldest open-source desktop projects which can be found today, and over the years it has established a rich history of highs and lows. During some points it has been the undisputed ruler of the desktop world, while other times it had fallen behind or faced hard trials.

The post Google's Candy Van | Tech Talk Today 121 first appeared on Jupiter Broadcasting.

Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

• The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ blackhole)
• The exploit kit currently uses three different flash exploits:
• CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
• CVE-2015-0310 – Which was patched today
• and a 3rd new exploit, which is still being investigated
• Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
• However, a 0 day where the exploit kit authors are the first to receive the details, means that even at this point, researchers and Adobe are not yet sure what the flaw is that is being exploited
• Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
• Additional Coverage – Krebs On Security
• Additional Coverage – PCWorld
• Additional Coverage – Malware Bytes
• Additional Coverage – ZDNet

How was your credit card stolen

• Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
• Different ways to get your card stolen, and your chance of proving it:
• Hacked main street merchant, restaurant (low, depends on card use)
• Processor breach (nil)
• Hacked point-of-sale service company/vendor (low)
• Hacked E-commerce Merchant (nil to low)
• ATM or Gas Pump Skimmer (high)
• Crooked employee (nil to low)
• Lost/Stolen card (high)
• Malware on Consumer PC (very low)
• Physical record theft (nil to low)
• “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
• Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
• With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
• Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards, may have some standing to go after the other vendor that was the source of the leak
• Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

• Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
• In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
• Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
• The report also found that 8% of files uploaded to cloud storage provides like Google Drive, Dropbox, Box.com etc, were in violoation of the enterprises’ own Data Loss Prevention (DLP) policies.
• The downloading numbers were worst, 25% of all company files in cloud providers were shared with 1 or more people from outside the company. 12% of outsiders had access to more than 100 files.
• Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
• When the cloud apps are used that lack enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
• Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
• If an employee just makes a dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidently shares all files instead of only specific project files, then fails to remove that person later on, data can leak.
• When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
• Infographic
• Report

Feedback:

• ZFS me timbers

• Allan’s Modified Lenovo

• Sharing a large movie collection over the internet

• RAID alternatives for a bug

Round Up:

• Yes, Every Freeware Download Site is Serving Crapware (Here’s the Proof)
• CERT-UK offers a new best practices guide to combat social engineering
• FBI seeks to legally hack you if you are using TOR or a VPN
• Java patches 19 security holes (13 with 10/10 exploitability score). Make sure you are running at least 7u75 or 8u31
• NSA says it has proof DPRK was behind Sony hack, because they had already hacked the DPRK
• Government health care website quietly sharing personal data
• Steam shell script bug causes it to rm -rf /
• NSA Preps America for Future Battle
• Diary of an NSA Intern
• Password reuse causes spike in Hotel Rewards fraud
• The Sorry State of In-Flight Wi-Fi
• Technical mistake, not terrorist DDoS downed french media websites
• Blackhat, the movie, gets the technobabble mostly right
• All you need is a clipboard, or a stethoscope

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.

A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

Then it’s a great big batch of your questions, our answers, and much much more!

On this week’s TechSNAP.

Thanks to:

— Show Notes: —

Crooks Hijack Retirement Funds Via Social Security Administration Portal

• Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program
• The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal
• The SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site.
• As of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity.
• There is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.” – via Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General.
• Banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail.
• Many customers will overlook such notices.
• If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time take care of that.
• Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam.
• In Canada, registering on the Canada Revenue Agency’s website, requires information from your previous years tax returns, and an activation code is snail mailed to you

Microsoft warns of a 0day in all versions of Internet Explorer, working on a patch for IE 6 – 11

• The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type
• Actively being exploited against IE8 and 9
• Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
• The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
• The company is offering the following workarounds and mitigations:
• Apply the Microsoft Fix it solution, \”CVE-2013-3893 MSHTML Shim Workaround,\” that prevents exploitation of this issue. Note: This ‘fixit’ solution only works for 32bit versions of IE
• Set Internet and local intranet security zone settings to \”High\” to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
• CVE-2013-3893
• Additional Coverage

Cyber Police Arrest 12 Over Santander Bank Heist Plot

• The Metropolitan Police’s Central e-Crime Unit (PCeU) has arrested 12 men as part of an investigation into an “audacious” plot to take control of a Santander Banking computer.
• The PCeU is committed to tackling cyber-crime and the damage it can cause to individuals, organisations and the wider economy.”
• According to the police, the group sent a man in dressed as a maintenance engineer, who managed to attach a IP-KVM (keyboard video mouse) device to a machine in the bank, allowing the attackers to remotely carry out actions on the computer
• The men, aged between 23 and 50, were arrested yesterday, whilst searches were carried out addresses in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slou

Feedback

• Worried about listentobitcoin.com Malware

• FreeNAS NFS Mount FAIL

10.1.10.254:/mnt/fart /mnt/nfs nfs auto,noatime,nolock,defaults,user=1001 0 0

• Fingerprint reader and Software vs Hardware RAID

• I have several questions for the double show. I hope you\’ll discus them all.

• DNS + Rasberry Pi Questions

• Contacts Sync

Round Up:

iOS 7 Swamps the Internet

• Traffic Spotlight: iOS 7 Pre-Launch
• iOS7 release traffic

• iOS 7 downloads causing network outages at several school campuses, activation server failures

• Hackers crowdfund bounty to hack iPhone 5S fingerprint scanner

• Netflix exec: Canada’s broadband caps “almost a human rights violation”
• Abandoned NHS IT system costing British tax payers over 10 billion GBP
• Today we announce OpenZFS: the truly open source successor to the ZFS project.
• pfSense 2.1-RELEASE now available!
• SSD failure rate only 1.5% per year, compared to 5% for HDDs
• USB Condoms now for sale, protect your devices from evil charging ports
• Honey docs – Service creates fake documents on your computer, and notifies you if anyone ever tries to access them
• Schneier on Security: New NSA Leak Shows MITM Attacks Against Major Internet Services

The post Gentlemen, Start Your NGINX | TechSNAP 128 first appeared on Jupiter Broadcasting.

A security breach become a lesson for us all. We’ll make some lemonade from a bad situation, and arm you with what you need to protect your self.

Plus Demonoid users get phished, a batch of your questions, and much much more.

On this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Support the Show:

   

Support the Show: