ZIL – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Mon, 22 Feb 2016 02:48:35 +0000

Your TechSNAP Story | TechSNAP 200
https://original.jupiterbroadcasting.net/76892/your-techsnap-story-techsnap-200/
Thu, 05 Feb 2015 19:49:10 +0000

The post Your TechSNAP Story | TechSNAP 200 first appeared on Jupiter Broadcasting.


A new major security breach at a large health insurance firm could expose 10s of millions, a phone phishing scam anyone could fall for & we celebrate our 200th episode with your TechSNAP stories.

Then it’s a storage spectacular Q&A & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Security breach at health insurance firm Anthem, could expose 10s of millions

  • “Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines.”
  • “Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.””
  • “The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.”
  • It is reported that Anthem has hired Mandiant to investigate the attack
  • Exposed data:
      • Full name
      • Date of birth
      • Member ID
      • Social Security number
      • Address
      • Phone numbers
      • Email addresses
      • Employment information
  • “According to Anthem’s statement, the impacted (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.”
  • “Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
  • More detailed information is not available yet, but I am sure we’ll be following this story in the weeks to come
  • Additional Coverage – ThreatPost
  • Additional Coverage

Hacked hotel phones used in bank phishing scam

  • “A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the south. Such attacks are not new, but this one is a timely reminder that phishers increasingly are using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.”
  • “The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date”
  • It seems Holiday Inn’s telephone switching system may have been hacked, and used to record and exfiltrate the stolen information
  • It is likely the hotel also lost out on business from customers actually trying to reach the hotel, and instead getting fake voice prompts for various banks
  • “According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.”
  • ““Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.””
  • “A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.”
  • “Numbercop says the text message lures were sent using email-to-SMS gateways, but that the company also has seen similar campaigns sent from regular in-network numbers (prepaid mobile phones e.g.), which can be harder to catch. In addition, Volzke said, phishers often will target AT&T and Verizon users for use in furthering these schemes.”
  • Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps. “Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”
  • “Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.”
  • Example call recording from Numbercop

Your TechSNAP Story


Feedback:


Round-Up:


SSH1tty leakage | TechSNAP 171
https://original.jupiterbroadcasting.net/62577/ssh1tty-leakage-techsnap-171/
Thu, 17 Jul 2014 17:16:40 +0000

The post SSH1tty leakage | TechSNAP 171 first appeared on Jupiter Broadcasting.


We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH man-in-the-middle attack.

Plus a fantastic batch of your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword

  • Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
  • Their findings are troubling, showing problems with all of the popular services
  • “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
  • The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
  • The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
  • The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (which requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly allowing them to lock the user out of other sites.
  • An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (URL/username/password) they do not own with another user, only needing to know the unique id#, which is a globally unique incrementing counter and so can be predicted. It also allows an attacker to modify another user’s web cards once they are shared
  • “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
  • “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
  • Research Paper

How Russian Hackers stole the Nasdaq (2010)

  • In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq.
  • The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
  • The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
  • “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
  • Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
  • The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
  • The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
  • Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
  • “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
  • What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
  • An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened.
  • By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it.
  • Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding.

Tutorial: SSH MITM Downgrade Attack

  • This is a tutorial on how to perform an SSH Man-In-The-Middle downgrade attack
  • This attack involves tricking the user connecting to the SSH server you are intercepting into using the old version 1 of the SSH protocol
  • SSH1 uses a separate SSH Fingerprint from SSH2, so the user will be prompted to accept the different key
  • Many users will blindly accept this warning
  • If the user can be tricked into dropping to SSH1, it may be possible to steal the username and password they use to log in
  • Luckily, most modern SSH servers do not allow SSH1
  • However, some clients, including PuTTY, allow both SSH1 and SSH2, with a preference for the latter
  • Users are encouraged to change the setting on their server and in their client to only allow SSH2
  • Many embedded devices still allow SSH1, including many older Cisco Security Appliances
  • These devices are perfect targets for this type of downgrade attack

Feedback


Round-Up:


TrekSNAP | TechSNAP 134
https://original.jupiterbroadcasting.net/45602/treksnap-techsnap-134/
Thu, 31 Oct 2013 17:09:43 +0000

The post TrekSNAP | TechSNAP 134 first appeared on Jupiter Broadcasting.


That Adobe breach we told you about? It’s about 10x worse than originally reported, we’ll share the details.

Plus PHP.net gets compromised, how to future-proof your storage, and much much more!

On this week’s TechSNAP!

Thanks to: GoDaddy, Ting


Adobe breach worse than originally thought, number of impacted customers now at least 38 million

  • Adobe is continuing its flurry of password resets, which now extend to more than 38 million customers
  • Adobe has also revised its original list of applications for which the source code was leaked to include the entire Photoshop family of programs
  • “This past weekend, AnonNews.org posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe” – This number apparently includes inactive and test accounts, the 38 million number mentioned earlier are those considered ‘Active’
  • A company spokesperson said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident
  • As part of its resolution of the breach, Adobe is offering customers a year’s worth of free credit monitoring… from Experian (see last week’s story about how Experian was caught selling personal data to identity thieves)
  • Additional Coverage

PHP.net compromised, serves malware and is blocked by Google Safe Browsing

  • On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated javascript being dynamically injected into userprefs.js.
  • To summarise, the situation right now is that:
      • JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
      • Neither the source tarball downloads nor the Git repository were modified or compromised.
      • Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
      • SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
      • Over the next few days: php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
  • As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net.
  • All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
  • As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately.

Researchers at Vicarious software claim to be able to defeat 90% of Captchas

  • “Vicarious is developing machine learning software based on the computational principles of the human brain. Our first technology is a visual perception system that interprets the contents of photographs and videos in a manner similar to humans.“
  • They claim that, using this technology, they can defeat 90% of the common anti-bot technology used to defend websites from automated usage
  • While no paper or code has been shared, they provide a demonstration video that appears fairly compelling
  • If their claim is true, this could be a huge setback for the internet
  • Captchas are often used to prevent automated signups for services, to defend login systems from brute force attempts, and to moderate spam in online discussion and comment forums
  • CAPTCHA creator Luis von Ahn of Carnegie Mellon University says “This is the 50th time somebody claims this. I don’t really get how they think this is news :)”
  • The writer from ScienceMag jumped on a Skype call with the company and sent them 4 sample captchas: a reCAPTCHA and a PayPal captcha were both solved, however another containing Cyrillic characters was not (the company says they have not trained their system on non-Latin characters yet), and one containing a checkerboard pattern was also not solved immediately.
  • If this research got into the wrong hands, it could be used to defeat protection systems across the internet, flooding websites with spam, evading brute force protection systems and otherwise wreaking havoc

Feedback:


Round Up:


Barricade Your Barracuda | TechSNAP 94
https://original.jupiterbroadcasting.net/30721/barricade-your-barracuda-techsnap-94/
Thu, 24 Jan 2013 17:22:45 +0000

The post Barricade Your Barracuda | TechSNAP 94 first appeared on Jupiter Broadcasting.


If you have a Barracuda device, it’s time to put it behind a real firewall. We’ll blow your minds with the horrible state of security on many popular Barracuda products.

Plus why a long password does not necessarily mean a more secure password, a big batch of your questions, and a great roundup!

All that and a lot more, on this week’s TechSNAP!
