LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘spyware’ Category

Skype Exposes Pirates | TechSNAP 29

without comments

post thumbnail

Coming up on this week’s TechSNAP…

Researches have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent being tracked!

Plus we cover the Ultimate way to host your own email, and what happened when Chinese hackers took control of US Satellites!

All that and more, on this week’s episode of TechSNAP!


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:




Show Notes:

Audible.com:


Suspected Chinese Military Hackers take control of US Satellites

  • On four separate occasions during 2007 and 2008 US satellites were hijacked by way of their ground control stations.
  • The effected satellites were Landsat–7 (Terrain Mapping and Satellite Photography, example 1 example 2) and Terra AM–1 (Climate and Environmental Monitoring, 2010 Hurricane Karl)
  • While the US does not directly accuse the Chinese government in writing, these types of actions are consistent with known war plans that involve disabling communications, command and control, and GPS satellites as a precursor to war.
  • In one incident with NASA’s Terra AM–1, “the responsible party achieved all steps required to command the satellite,” however the attackers never actually took control of the satellite.
  • It was not until the 2008 investigation that the previous compromises in 2007 were detected
  • This raises an important question, are the US military and other NATO members, too reliant of satellite communications and GPS?
  • In a recent NATO exercise called ‘Joint Warrior’, it was planned to jam GPS satellite signals, however the jamming was suspended after pressure on the governments over civilian safety concerns. Story


Researchers develop a procedure to link Skype users to their Bittorrent downloads

  • The tools developed by the researchers at New York University allow any to determine a strong correlation between bittorrent downloads and a specific skype user.
  • Importantly, unlike RIAA/MPAA law suites, the researchers consider the possibility of false positives because of multiple users behind NAT.
  • The researchers resolve this issue by probing both the skype and bittorrent clients after a correlation is suspected. By generating a response from both clients at nearly the same time and comparing the IP ID (similar to a sequence number) of the packets, if the ID numbers are close together, than it is extremely likely that the response was generated by the same physical machine. If the IDs are very different, then it is likely that the Skype and BitTorrent users are on different machines, and there is no correlation between them.
  • This same technique could be made to work with other VoIP and P2P applications, and could be used to gather enough evidence to conclusively prove a bittorrent user’s identity.
  • This situation can be mitigated by using the feature of some OS’s that randomizes the IP ID to prevent such tracking. (net.inet.ip.random_id in FreeBSD, separate ‘scrub random-id’ feature in the BSD PF firewall)
  • The discovery could also be prevented by fixing the skype client such that it will not reply with its IP address if the privacy settings do not allow calls from that user. The current system employed by the researches does not actually place a call to the user, just tricks skype into thinking that a call will be placed, and skype then leaks the sensitive information by returning its IP address or initiating a connection to the attacker.
  • Read the full research paper


NASDAQ web application Directors Desk hacked

  • Directors Desk is a web application designed to allow executives to share documents and other sensitive information
  • When NASDAQ was hacked in February, they did not believe that any customer data was stolen
  • The attackers implanted spyware into the Directors Desk application and were able to spy on the sensitive documents of publicly traded companies as they were passed back and forth through the system
  • This is another example of the Advanced Persistent Threat (APT) as we saw with the RSA and South Korea Telecom hacks, where the attackers went after a service provider (in his case NASDAQ) to compromise the ultimate targets, the publicly traded companies and their sensitive documents.
  • It is not known what if any protection or encryption systems were part of Directors Desk, but it seems that the application was obviously lacking some important security measures, including an Intrusion Detection System that would have detected the modifications to the application.


SEC says companies may need to disclose cyber attacks in regulatory filings

  • The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation.
  • Some of the potential items companies may need to disclose include:
  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
  • To the extent the registrant outsources functions that have material cyber security risks, description of those functions and how the registrant addresses those risks
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
  • Risks related to cyber incidents that may remain undetected for an extended period
  • “For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.
  • From the SEC guidance: The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision”
  • CF Disclosure Guidance: Topic No. 2 – Cybersecurity


Feedback:

It is definitely advantageous to own the domain that your email address is on. On top of looking more professional than a hotmail, or even gmail address, it also allows you to choose your host and have full control over everything. There are some caveats though, of course you must remember to renew your domain name, else your email stops working (just ask Chris about that one), you also have to be careful about picking where to host your domain, having your site or email hosted by a less reputable service can result in your domain being included on blacklists and stopping delivery of your mail to some users. The biggest problem with hosting your own email, from your home, is that you must keep the server up 24/7, and it must have a reasonable static IP address. If you are going to host from your home, I recommend you get a ‘backup mx’ service, a backup mail server that will collect mail sent to you while you are offline, and then forward it to your server when it is back up. Even if you are using a dedicated server or VPS, this is important, because email is usually the most critical service on your server. The other major issue with hosting your email from home, is that most ISPs block port 25 inbound and outbound, to prevent infected computers from sending spam. This means that you will not be able to send or receive email to other servers. Usually your ISP will require you to have a more expensive business class connection with a dedicated static IP address in order to allow traffic on port 25. Also, a great many spam filtering systems, such as spamassassin, use blacklists that contain the IP ranges of all consumer/home Internet providers, designed to stop spam from virus infected machines, because email should not be send from individual client machines, but through the ISP or Domain email server.


Round Up:

Encryption Best Practices | TechSNAP 10

without comments

post thumbnail

Coming up on this episode of TechSNAP:

We follow up on last week’s bitcoin coverage with scandal that has a $500k price tag.

Then – We launch into your questions, and cover encryption best practices to keep your data safe!

Plus – We take our first live war story call, all that and more on this week’s TechSNAP!


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!


Topic: Bitcoin wallet stolen (25,000 coins worth ~$500,000 USD)

  • Bitcoin wallets work by using public/private key pairs
  • Each wallet, by default, has 100 keys, and you allocate them as needed, and then new ones are generated so that you always have 100 ready for use
  • If someone manages to steal your wallet.dat file, they have the private keys for your addresses that contain the coins, and they can cryptographically sign a transaction using that private key, and therefore transfer the coins
  • User who had their coins stolen admits that they found spyware/malware on their computer. Possibly also a trojan
  • The attack also accessed the users account at a mining pool, and changed the destination address for payouts (some pools off the option to lock this address so that i can never be changed)
  • Bitcoin transactions are irreversible and there is no central authority to settle disputes or forcibly undo a transaction (This is both a feature and a flaw, it is a trade off to allows BTC transactions to avoid many forms of interference)

How to protect your wallet file:

  • Use separate wallet files, and don’t keep all of your money in one place.
  • Backup your wallet file regularly. The wallet file contains the private keys that actually control the coins, without them, you cannot transfer the coins. If you totally lose your wallet file without a backup, those coins are lost to everyone forever.
  • Your backups of your wallet file must be recent, because of the ‘100 key buffer’, that your wallet file has, if your backup is more than 100 transactions old, it will not contain the keys used for the newer transactions, and you will not be able to control those coins. Make sure you backup your wallet file on a regular basis. You can also adjust the configuration of your client to created a larger key buffer.
  • Your wallet file is the same as your GPG key ring, protect it as best you can. It should be stored in an encrypted volume (like a TrueCrypt mount or a GBDE file system) . It might also be advisable to run the bitcoin client as a dedicated user with much more locked down permissions on your machine.
  • As we learned from this incident, and the banking trojan news last week, it is imperative that you ensure that no one is logging your keystrokes, sniffing your traffic, or remotely controlling your machine (a remote control trojan such as the ZeuS banking worm, would be able to access your truecrypt partition when you mount it to use your bitcoin wallet)

mybitcoin.com – The bitcoin bank Chris is “trying”.

BITCOIN BLASTER:

- Our current Mining efforts -

Allan:
It all started with the dual GPUs in my gaming machine and the spare cycles on some of my servers, but CPUs and older nVidia cards were just not worth the power and effort with the higher difficulty.

So, a two friends and I have built a dedicated mining rig (2×5870, 1×6950) that is doing over 1100 Mh/s with a bit of overclocking. Sadly, the difficulty jump came only a few hours after we got the machine online, and it cut the profitability down. We are looking at another more expensive machine, but this will mean a longer wait for ROI.

Chris:
I’m pushing about 500 – 600 Mh/s during the day, nearing 810 MH/s at night. I plan to add two more moderately powerful ATI cards in the next week.

I bought my first physical good, a video card to mine some more. Using a “service” to convert bitcoins to Amazon gift-cards: http://www.bitcoinredemption.com/


FEEDBACK:

Q: (Michal) Is there a way for me to tell if my machine has been compromised while I was asleep?
A: Yes, using an application such as Tripware, or the Verification system in some backup software (Bacula, etc), allows you to detect which files have been changed since the last time the tool was run (ie, you run it daily). This way, when an important system file is changed, you are notified, if you did not cause this change (OS or package update/install), then it is possible someone has successfully compromised your system and modified important system files.


Q: (Dale) Is continuing to use Dropbox safe if i use TrueCrypt to encrypt my files before uploading them?
A: While it is theoretically safe to store your encrypted files in dropbox, because of the way dropbox works (copy on write deduplication), you would have to reupload the entire TrueCrypt volume every time you changed a file (because of the nature of the encryption, the changes to the encrypted volume will also be bigger). Unless you only store some very small files, or are using separate TrueCrypt volumes for each file you are storing, this will quickly get unwieldy and slow.


Q: (Michal) How can I store my users’ files such that they are encrypted with the users’ password, but can still be recovered if the password is lost/forgotten
A: The short answer is that you cannot. Strong cryptography does not have any recovery method. If you want the files to be truly secure, then they need to be able to be accessed by only a single key, and if that key is lost, the files are lost. The only real option is to encrypt the files to two different keys, one of the user, and one of the ‘Recovery Agent’, the person responsible for decrypting the files if the user loses their key. This lowers the security of the encrypted files, because the Recovery Agent can decrypt the files without the users’ permission.


Q: (Justin) How secure is it to enable to ‘text a password reset token to your mobile phone’ in gmail?
A: Mostly that depends on how secure your phone is. Does it display part of the text message when it comes in? How quickly does your phone lock it self when it is inactive. Can your unlock code be reset? How many other people have your unlock code? How easily can the unlock code be defeated? It is really up to you to decide how secure you feel your phone is. I for one, just don’t lose my passwords :p


Q: (brotherlu) What is the difference between a NAS and a SAN. Also in which environments would you use each.
A: a NAS (Network Attached Storage) is a dedicated storage device that you connect to your network. a SAN (Storage Area Network) is a dedicated network for storage devices. Usually SANs are much higher performance and sometimes use technologies other than ethernet. Really, it depends how much performance you need, SANs are much more expensive.


Grab bag bonus links:
Senate Bill Requires Permission to Collect & Share Location Data
LulzSec’s busy week:
Senate website, CIA.gov hacked. LulzSec claims responsibility.
LulzSec opens hack request line
LulzSec takes Eve Online and Minecraft offline
Ex-Googler Calls Out Google Infrastructure as Obsolete
Sophisticated Cyberattack Is Reported by the I.M.F.


Download: