LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘SQL’ Category

Phreaking 3G | TechSNAP 14


Coming up on This Week’s TechSNAP!

We’ll cover a story that really drives home how serious cell phone hijacking has gotten, and what new technology just made it a lot easier for the bad guys.

Plus find out why TrendJacking is more than a stupid buzz term, and we load up on a whole batch of audience questions!

All that and more, on this week’s TechSNAP!


Show Notes:

Thanks to the TechSNAP Redditors!

Vodafone SureSignal appliance rooted by THC

  • Vodafone sells a 3G signal-boosting appliance for home users to boost mobile reception in their homes. The device sells for 160 GBP ($260 USD).
  • The FemtoCell, or SureSignal appliance, connects to the Vodafone network via your home internet connection and relays mobile phone signals.
  • The Hacker’s Choice (THC, developers of the well-known hacking tool Hydra) managed to reverse engineer the device and brute force the root password. THC has been actively working on exploiting various devices of this nature since 2009.
  • Once compromised, the device can be turned into a full-blown 3G/UMTS/WCDMA call interception device.
  • The FemtoCell uses the internet connection to retrieve the private key of the handset that is attempting to use the cell, in order to create an encrypted connection.
  • In its intended mode of operation, the FemtoCell can only be used by the person who purchased it.
  • The FemtoCell has a limited range of about 50 meters (165 feet).
  • With a rooted device, an attacker can get the secret key of any Vodafone subscriber.
  • With a user’s secret key, you can decrypt their phone calls (if they are within range), and also masquerade as their phone and make calls at the victim’s expense.
  • This attack also grants you access to the victim’s voicemail.
  • The root password on the Vodafone device was ‘newsys’.
  • Some question whether Vodafone should be held liable for not protecting their customers.
  • Quote from THC: “Who is liable if the brakes on my car malfunction? The driver or the manufacturer? Or the guys who tell us how insecure they are?”
    THC Wiki page on the Vodafone device, includes diagrams

Fake Facebook App promises invites to Google+ to steal your info

  • When you visit the unofficial page for Google+ on Facebook, you are invited to allow the third-party app to access your Facebook account (a common requirement to use any Facebook app).
  • Specifically, this app requests access to post on your wall, allowing it to spam all of your friends, inviting them to join as well. It also requests access to all of your personal data.
  • You are then requested to ‘Like’ the app, and then invite all of your friends (again, this is common with many Facebook apps, especially games, where inviting your friends can offer in-game rewards).
  • Your friends then accept the invite, assuming it is legitimate because it came from you.
  • Now this application has managed to spread wildly and has complete access to your Facebook profile, allowing it to scrape all of your personal information, as well as use your account to promote further fake and malicious applications.
  • You need to watch which applications you allow to access your profile, and specifically which rights they are requesting. Does that game really need ‘access to your data at any time’, rather than only when you are using it? Do you trust it with access to post to your wall?
  • This trend has been dubbed TrendJacking

Feedback


Q: (Peter) While investigating different data centers to house our application, one of them mentioned that we should use physical servers to host our database, rather than hosting the database in virtualization like VMware. Is this true?

A: There are a number of reasons that a physical server is better for a database. The first is pure I/O. In virtualization, there is always some level of overhead in accessing the physical storage medium, compared to doing it natively. There is also an overhead, even with hardware virtualization, for CPU cycles, disk access, network access, etc. It is generally considered best practice to keep your database on physical hardware. That doesn’t mean you can’t virtualize it, but if you are worried about performance, I wouldn’t.


Q: (nikkor_f64) In the recent ‘usage based billing’ legal battles in Canada, the smaller ISPs are proposing to use 95th Percentile Billing, what is that?
A: 95th percentile billing is the way most carrier-grade Internet connections have been billed for as long as I have been in the business. The concept is quite simple: rather than charging the subscriber for the amount of bandwidth that they use, such as pricing per gigabyte, the billing is based on peak usage. Typically, the rate of data up and down the link is measured every 5 minutes (routers count every bit as it goes through, so by looking at that counter every 5 minutes and subtracting the value from 5 minutes ago, you can determine the average speed for the last 5 minutes). Then, as the name suggests, you take the 95th percentile of those values. This is done by sorting the list of measurements, then deleting the top 5%; the highest measurement left is the 95th percentile, and you pay for that much bandwidth.

Some might argue, “but that is more than I actually used, my average was far less than that.” The key to why this system works is that it charges the subscriber for the peak amount of bandwidth they used, save for a small grace. This allows the ISP to properly budget for the capacity they need to serve that customer.

Normally, your contract will be something like: a 5 megabit/second commitment, with 100 megabit burstable. This means you have a full 100/100 megabit connection, and you will pay for 5 megabits/second minimum at a fixed price. You will also be quoted a price for ‘overage’. If your 95th percentile is over 5 megabits, you pay the overage rate per megabit that you are over. You get a lower per-megabit rate on your commitment level, but that is a minimum: you have to buy at least that much each month, even if you don’t use it, but the more you buy, the cheaper it is. So, this means that during peak periods, you can use the full 100 megabits without having to pay extra, as long as your 95th percentile stays below 5 megabits. (5% of a month is about 36 hours, meaning you get the busiest 1 hour of each day for free.)
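The calculation described in this answer, as an added example that is not from the show or its notes. The 64-bit counter size, the single measured direction, the traffic figures and the prices are all assumptions chosen for illustration; only the 5-minute interval, the top-5% cut and the 5 Mbit/s commitment come from the answer.

```python
# Added example: 95th percentile billing from 5-minute counter readings.
INTERVAL_S = 300        # polling interval described in the answer
COUNTER_MAX = 2 ** 64   # assumption: 64-bit octet counter on the router

def rates_mbps(counter_octets):
    """Average Mbit/s per interval from successive octet-counter readings."""
    rates = []
    for prev, cur in zip(counter_octets, counter_octets[1:]):
        delta = (cur - prev) % COUNTER_MAX  # survives a single counter wrap
        rates.append(delta * 8 / INTERVAL_S / 1_000_000)
    return rates

def percentile_95(samples):
    """Sort, delete the top 5% of samples, return the highest one left."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    drop = len(ordered) * 5 // 100
    return ordered[len(ordered) - drop - 1]

def monthly_bill(samples, commit_mbps, commit_price, overage_per_mbps):
    """Return (billable Mbit/s, charge); the commitment is a floor."""
    p95 = percentile_95(samples)
    billable = max(p95, commit_mbps)
    return billable, commit_price + (billable - commit_mbps) * overage_per_mbps

def constructed_month(burst_samples_per_day, base=3.0, burst=90.0, days=30):
    """Constructed traffic: a daily burst at `burst` Mbit/s, otherwise `base`."""
    per_day = 24 * 3600 // INTERVAL_S  # 288 samples per day
    day = [burst] * burst_samples_per_day
    day += [base] * (per_day - burst_samples_per_day)
    return day * days

if __name__ == "__main__":
    # Assumed contract: 5 Mbit/s commitment for 500, overage 120 per Mbit/s.
    for label, n in (("1 h/day burst", 12), ("2 h/day burst", 24)):
        print(label, monthly_bill(constructed_month(n), 5, 500, 120))
```

With one hour of bursting per day, all 360 burst samples fall inside the discarded 432, so the bill stays at the commitment; at two hours per day the burst rate becomes the 95th percentile.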


Q: (Justin) What would be the weaknesses of using GPG to encrypt my files before storing them in the cloud?
A: There are a few issues:
1. Key Security – You need to keep the keys safe; if they fall into the wrong hands, then your data is no longer secure.
2. Key Management – You also have to have access to the key, wherever you are, in order to access your data. Unlike data that is protected with a simple passphrase, in order to access your data, you need the key. So if you are on your mobile, and you need access to your data, how do you get access to your key? If you store a copy of your key on the mobile, is it secure? Also, if your key is lost or destroyed, then there is no way to access your data, so you have to safely back it up.
3. Key Lifecycle – How often should you change your key? How many different keys should you use? If you use multiple keys, less data is compromised in the event that one of your keys is exposed, but it also complicates Key Security and Key Management.
4. Speed – Asymmetric encryption, such as GPG, is far slower than symmetric encryption algorithms like AES. This is especially true with the newer Intel i7 processors having a specific AES instruction set that increases performance by about 8 times. This is why you will sometimes see a system where the data is encrypted with AES, and the key for the AES is then encrypted with GPG, giving you a hybrid: the strength of GPG with the speed of AES.
5. Incremental Changes –



Leaky Authentication | TechSNAP 12


How many times have your credentials been leaked online? Think you’re safe? Chris thought he was. In today’s episode he’ll find out how many times his information has been leaked online, and we tell you how to check for yourself.

Plus we’ll cover how to build your own layered spam defense, and why you probably want to leave that USB thumb drive on the ground!

Sneak peek: Next week we’re going to be talking about the future of Cyber Warfare in our special episode #13. Please send us any stories, suggestions or questions you have so we can include them for next week.



Show Notes:

Thanks to the TechSNAP Redditors!

 


Topic: Groupon India leaks SQL database, plain text passwords

  • Groupon’s Indian subsidiary Sosasta.com accidentally published an SQL dump of its users table, including email addresses and passwords. The file was indexed and cached by Google, so even once it was taken down, it was still visible.
  • This raises the question as to why the passwords were ever stored in plain text, instead of as salted hashes.
  • Does the North American version of Groupon also store user passwords in plain text?
  • Leaked data was found by a security researcher using a Google search query for “filetype:sql” “password” and “gmail”.
  • Once Sosasta was notified of the issue, they started sending out emails to their customers recommending that they change their password. This is definitely the wrong approach: the passwords were leaked, in plain text. All accounts should have had their passwords forcibly reset and a password reset email sent to the customer. Otherwise, customers may have their account compromised before they can change their password, and customers who no longer use the service will have their personal information exposed.
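The two remedies named above, salted hashes instead of plain text and a forced reset of every account, as an added example that is not from the show notes or from any Groupon or Sosasta code. The table layout, field names, PBKDF2 work factor and sample rows are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def hash_password(password):
    """Return 'salt$hash' (hex), with a fresh random salt for every user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_password(password, stored):
    """Constant-time check; a disabled (None) or plaintext record never matches."""
    try:
        salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except (AttributeError, ValueError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk, expected)

def force_reset_all(users):
    """Disable every stored password and issue single-use reset tokens.
    Only a hash of each token is stored; the token itself goes in the e-mail."""
    outbox = {}
    for email, row in users.items():
        token = secrets.token_urlsafe(32)
        row["password"] = None  # old password can no longer log in
        row["reset_sha256"] = hashlib.sha256(token.encode()).hexdigest()
        outbox[email] = token
    return outbox

def complete_reset(row, token, new_password):
    """Store the new password as a salted hash if the e-mailed token matches."""
    offered = hashlib.sha256(token.encode()).hexdigest()
    stored = row.get("reset_sha256")
    if not stored or not hmac.compare_digest(offered, stored):
        return False
    row["password"] = hash_password(new_password)
    row["reset_sha256"] = None  # token is single use
    return True

if __name__ == "__main__":
    # Constructed sample rows in the leaked, plaintext state.
    users = {"a@example.com": {"password": "hunter2"}}
    mail = force_reset_all(users)
    print(complete_reset(users["a@example.com"], mail["a@example.com"], "new pass"))
```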

shouldichangemypassword.com – Check your address

Submitted by: refuse2speak


Topic: EA Forums hacked, Sega Database Compromised

  • A “highly sophisticated cyber attack” was used to compromise the database of the forums for Bioware’s Neverwinter Nights.
  • Stolen data included username, password, email, and birth date.
  • How many users were affected was not specified.
  • EA says no credit card information was in the stolen database.
  • Sega was also compromised: 1.29 million customers had their data exposed via the European unit’s “Sega Pass” website.
  • Again, username, password, email and birth date were exposed, but it appears that no financial information was leaked.

TechSNAP reminds you: use a different password for every service. We know it’s hard, but cleaning up behind an identity thief is worse.

Submitted by: Raventiger


Topic: US Government Study shows alarming attack vector

  • 60% of government or contractor employees who found a USB stick or CD on the ground outside their office plugged the device into their computer.
  • 90% of the employees installed the software if it had an official-looking logo on it.
  • This is reminiscent of the Stuxnet worm, which targeted isolated computers that were not on the Internet. It is believed that they were infected via a hardware device containing the payload.

Topic: Research reveals that PIN numbers are predictable

  • 15% of iPhones could be unlocked in fewer than 10 tries using the most common PIN codes.
  • The most common first character in a PIN number is 1.
  • The most common second character is 2.
  • The values 1980 through 2000 make up a huge portion of the top 100 PIN codes, meaning if you know or can guess a user’s date of birth, you can increase your chance of cracking their code.
  • Other popular codes include repeating digits or patterns, such as 2222 or 1212, or lines drawn on the input screen, such as 2580, 0852 or 1241.
  • Another popular value is 5683, which didn’t seem to fit any pattern until you realize that it spells ‘love’ with standard phone letter substitution.
  • This means that if you know the user’s birthday and relationship status, you can increase your chance of cracking their PIN code just by applying a little statistical analysis. If you can shoulder surf them, and further reduce the pool of possible codes, you can almost guarantee success.
  • Users tend to reuse passwords; if you guess their phone password, there is a good chance that is also their ATM PIN. Either way, the exact same techniques can be applied to ATM, voicemail and other PIN codes.
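A PIN enrolment check built from the patterns listed above, as an added example that is not from the research or the show notes. The function names and the word list are assumptions (only ‘love’ comes from the notes); the line patterns and the 1980 to 2000 range are the ones the notes give.

```python
import re

# Phone keypad letters, used to turn a word into the digits that spell it.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

LINE_PATTERNS = {"2580", "0852", "1241"}  # on-screen lines listed in the notes
COMMON_WORDS = ["love"]                   # assumption: extend with your own list

def word_to_pin(word):
    """Digits that spell `word` with standard phone letter substitution."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())

WORD_PINS = {word_to_pin(w): w for w in COMMON_WORDS if len(w) == 4}

def weak_pin_reasons(pin, birth_year=None):
    """Return the reasons a 4-digit PIN should be refused at enrolment."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        return ["not a 4-digit PIN"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("one digit repeated")
    elif pin[:2] == pin[2:]:
        reasons.append("two-digit pattern repeated")
    if 1980 <= int(pin) <= 2000:
        reasons.append("looks like a birth year")
    if birth_year is not None and pin == f"{birth_year:04d}":
        reasons.append("matches the account holder's birth year")
    if pin in LINE_PATTERNS:
        reasons.append("line drawn on the keypad")
    if pin in WORD_PINS:
        reasons.append(f"spells '{WORD_PINS[pin]}' on a phone keypad")
    return reasons

if __name__ == "__main__":
    for candidate in ("2222", "1212", "1987", "2580", "5683", "7391"):
        print(candidate, weak_pin_reasons(candidate) or "accepted")
```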

Feedback:

Q: (Bob) How did Chris and Allan meet?
A: Chris and Allan first met in April 2009 when Jupiter Broadcasting moved their IRC chat to GeekShed.net. In January 2010 Allan won a closed beta invite to Star Trek Online during a STOked trivia contest on IRC. During the ramp up to open beta, JupiterColony.com was receiving so much traffic that it was suspended by the web host, and was moved to ScaleEngine.com. Later on, Allan guest hosted a few episodes of the Linux Action Show while Bryan was away, and they went so well that Chris and Allan decided to start their own show.

Q: (Leon) How do you handle spam filtering on your servers?
A: For my web hosting customers, we use 4 main mail servers (running Exim with mail time SpamAssassin). The four mail servers ensure that incoming mail is always received, even if one or more of our servers is down at any time. These servers automatically run the incoming mail through the SpamAssassin scoring system, and if the spam score exceeds a specific threshold, then the mail is automatically rejected at SMTP time (so no bounce message is generated; an error is returned to the original sending server, which prevents misdirected bounces from spammers using forged from addresses). If the spam score is borderline, we do ‘grey listing’, temporarily rejecting the spam so it will be retried in a little while; this gives the DNS blacklists we use time to catch up, and most spammers never bother with retries. If the spam score is low enough, then the mail is accepted. Once mail has arrived at one of our edge servers, it is then queued and sent on to our mailbox server, where it is sorted and delivered to the actual mailboxes of our users. SpamAssassin is run on the mail again, and user-specific settings determine what happens to the mail. Spam can be flagged (subject prefix, messages added as attachments to protect Outlook from preview attacks) or directed to a spam folder.
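The SMTP-time decision at the edge servers, sketched as an added example; it is not the hosts' Exim or SpamAssassin configuration. The two score thresholds, the retry delay, the class name and the sample addresses are assumptions, since the answer gives no numbers.

```python
REJECT_AT = 10.0      # assumed: score at or above this is refused outright
GREYLIST_AT = 5.0     # assumed: borderline scores start here
RETRY_DELAY_S = 300   # assumed: how long a borderline sender must wait

class SmtpTimeFilter:
    """Three-way decision made while the sending server is still connected."""

    def __init__(self):
        # (client_ip, mail_from, rcpt_to) -> time of the first deferral
        self.first_seen = {}

    def decide(self, score, client_ip, mail_from, rcpt_to, now):
        """Return (SMTP reply code, text) for one delivery attempt.

        `score` is the spam score computed for this attempt, so a retry is
        rescored and benefits from blacklists that have caught up meanwhile.
        """
        if score >= REJECT_AT:
            # Permanent error inside the SMTP session: the sending server
            # deals with the failure, so no bounce is generated here.
            return 550, "rejected as spam"
        if score >= GREYLIST_AT:
            key = (client_ip, mail_from.lower(), rcpt_to.lower())
            first = self.first_seen.setdefault(key, now)
            if now - first < RETRY_DELAY_S:
                # Temporary error: a real mail server queues and retries.
                return 451, "greylisted, try again later"
        return 250, "accepted"

if __name__ == "__main__":
    f = SmtpTimeFilter()
    # Constructed attempts: (score, seconds since start)
    for score, t in ((6.0, 0), (6.0, 60), (6.0, 400), (11.0, 500)):
        print(t, f.decide(score, "192.0.2.20", "b@example.org", "u@example.com", t))
```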

Send us your questions and feedback!


Roundup:
Netflix shares insight on its cloud infrastructure
Netflix transitions to high availability storage systems
Researchers say Massive Botnet is Indestructible
DropBox CEO: Lone hacker downloaded data from ‘fewer than a hundred’ accounts
Spamming Becoming Financially Infeasible

Bitcoin BLASTER:
LinuxCoin – Bitcoin Live Linux CD – LOVES IT!
Article: Buying lunch with bitcoin – Submitted by Angela
Chris’ early bitcoin farm
Chris’ cheap and low power miner hardware.
Article: Bitcoin Comes Out Swinging off the Ropes
MtGox Apologizes

 

Written by chris

July 1st, 2011 at 1:18 am