Archive for the ‘mozilla’ Category
Coming up on this week’s on TechSNAP…
Have you ever been curious how hackers pull off massive security breaches? This week we’ve got the details on a breach that exposed private data of 35 millions customers.
Plus MySQL.com spreads custom malware tailored just for your system, and the details are amazing!
On top of all that, we’ll share our insights are setting up the ultimate network file server!
Direct Download Links:
Subscribe via RSS and iTunes:
- Between July 18th and 25th, SK Telecom’s systems were compromised, and all of their customer records (35 million customers) were compromised. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
- The attack was classified as an Advanced Persistent Threat, the attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom, and a server at a Taiwanese publishing company that had been compromised by the attackers at an earlier date.
- The attack was very sophisticated, specifically targeted, and also seems to indicate a degree of knowledge about the the target. The well organized attackers managed to compromise the software updates server of another company (ESTsoft) who’s software (ALTools) was used by SK Telecom, then piggyback a trojan in to the secure systems that way. Only computers from SK Telecom received the malicious update.
- The attackers send the compromised data through a number of way points before receiving it, masking the trail and the identities of the attackers. A similar pattern was seen with the RSA APT attack, the attackers uploaded the stolen data to a compromised web server, and once they had removed the data from there, destroyed the server and broke the trail back to them selves.
- Proper code signing, or GPG signing could have prevented this
- Original BBC Article about the attack
- The Directory Services command allows users to search for data about other users on the machine. This is the intended function.
- The problem is that the search results for the current user also include sensitive information, such as the users’ password hash. You are authorized to view this information, because you are the current user.
- However, any application running as that user, could also gain that information, and send it back to an attacker.
- Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have gotten more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
- My bitcoin mining rig could easily be converting to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
- The tool can also allow the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current users password, and then take over the account that way.
- These attacks would require some kind of exploit that allowed the attack to perform the required actions, however we have seen a number of flash, java and general browsers exploits that could allow this.
- The current recommended work around is to chmod the dscl command such that it can only be used by root
- Additional Article
- The MySQL.com front page was compromised and had malicious code injected in to it.
- The code (usually an iframe) caused a java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is know as a ‘drive by infection’, because the user does not have to take any action to become infected.
- Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
- Because of the nature of the iframe attack, and the redirect chain the attackers could have easily varied the payload, or selected different payloads based on the platform the user was visiting the site on.
- There are reports of Russian hackers offering to sell admin access to mysql.com for $3000
- Detailed Analysis with malicious source code, video of the infection process
- Article about previous compromise
- When the previous compromise was reported, it was also reported that MySQL.com was subject to a XSS (Cross Site Scripting) attack, where content from another site could be injected in to the MySQL site, subverting the browsers usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.
Continuing our Home Server Segment – This week we are covering file servers.
Some possible solutions:
- Roll Your Own (UNIX)
- Linux or FreeBSD Based
- Install Samba for SMB Server (allow windows and other OS machines to see your shared files)
- Setup FTP (unencrypted unless you do FTPS (ftp over ssl), high speed, doesn’t play well with NAT, not recommended)
- Configure SSH (provides SCP and SFTP) (encrypted, slightly higher cpu usage, recommended for Internet access)
- Install rsync (originally designed to keep mirrors of source code and websites up to date, allows you to transfer only the differences between files, rather than the entire file) (although it is recommended you do rsync over SSH not via the native protocol)
- Configure NFS (default UNIX file sharing system)
- Build your own iSCSI targets (allows you to mount a remote disk as if it were local, popular in virtualization as it removes a layer of abstraction. required for virtual machines that can be transferred from one host to another.
- Roll Your Own (Windows)
- Windows provides built in support for SMB
- Install Filezilla Server for FTP/FTPs (Alternative: CyberDuck)
- There are some NFS alternatives for windows, but not are not free
- There is an rsync client for windows, or you could use cygwin, same goes for SSH. Similar tools like robocopy and synctoy
- FreeBSD Based. Provides: SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
- Supports ZFS
- Chris’ Previous Coverage of FreeNAS:
- FreeNAS, IN DEPTH
- FreeNAS Vs. HP MediaSmart WHS
- FreeNAS vs Drobo
- To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework
- The NSA Wants Its Own Smartphone
- New Mac OS X Trojan Imuler Hides Inside Malicious PDF
- IBM Seeks Patent On Retailer-Rigged Driving Routes
- Anonymous Goes After the Pepper Spray Cop’s Personal Info
Remember the Man in the Middle attack on google from last week? Turns out it was far worse than though, we now have more details on the DigiNotar compromise, and a number of other important sites have had their DNS hijacked.
Plus we cover the advantages of running your own DNS server at home, and how Allan and Chris got their start in the world of IT!
All that and more, in this week’s TechSNAP!
Direct Download Links:
Subscribe via RSS and iTunes:
- A company spokesman said that “several dozen” certificates had been acquired by the attackers.
- The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531.
- The first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
- But the attack didn’t come to light until August 27
- Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre.
- He also suggested that he wasn’t operating under the auspices of Iranian authorities, but that he may have given them the certificates.
- Comodohacker also posted additional proof that he had the private key for the invalid google.com certificate, by using it to sign a copy of calc.exe, a feature a regular website SSL certificate should not have.
- The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens–in a country with a population of 17 million–that use DigiD , a government website for accessing services, such as paying taxes.
- According to news reports, the country’s lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet.
- The Netherlands has also indefinitely extended the country’s tax deadline until DigiD can again be declared secure.
- Mozilla has made this public statement: “This is not a temporary suspension, it is a complete removal from our trusted root program.”. Such harsh action was taken because DigiNotar did NOT notify everyone when the breech was discovered.
- F-Secure Weblog says they were hacked by someone who was connected to “ComodoGate” — the hacking of another Certificate Authority earlier this year, by an Iranian attacker.
Soon after the Comodo forged certificates hack an Iranian using the handle Comodohacker posted a series of messages via Pastebin account providing evidence that he carried out the attack.
The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates.
ComodoHacker also claims to have compromised StartSSL, however issuance of invalid certificates was prevented by a policy change that required the CEO to manually offline approve each issued certificate. The HSM (Hardware Signing Module) being offline seems like the only way to be entirely sure that invalid certificates are not issued. A proper policy, more than just rubber stamping any certificate that doesn’t say google.com on it should be required.
GlobalSign on Tuesday announced that it would temporarily cease issuing any new certificates.
“GlobalSign takes this claim very seriously and is currently investigating,” according to a statement released by the company
Is the fifth-largest CA
- Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.
- Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.
- Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours even after the fix.
- The attack was against the domain registrars Ascio and NetNames, both owned by the same parent company.
- Apparently the attacker managed to use an SQL injection attack to gain access to the domain accounts, and change the name servers.
- BBC Article
Home DNS Software:
- Sex and Plugs and Geek Patrol
- EveryDNS/EditDNS Nameservers shutting down on Sep 9, 2011
- Facebook pays out $40K to hackers in three weeks
- Judge Decimates BitTorrent Lawsuit With Common Sense Ruling