LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘BIOS’ Category

Ultimate RAID | TechSNAP 24


When your data is important, understanding RAID can make the difference between a major loss, or saving the day. We’ll break down the different types of RAID, and the setups we’ve found to work best!

All that and more, in this week’s TechSNAP.

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:


EFF to build early warning system for rogue SSL certificates


Adobe released out-of-band Flash fix for critical vulnerability


New SSL attack targets older versions of SSL and TLS

  • SSL 3.0 and TLS 1.0 are vulnerable to an attack that can disclose private data
  • The researchers' proof of concept can be used against popular sites such as PayPal
  • The exploit requires the attacker to be in a ‘man-in-the-middle’ position, and uses a ‘chosen-plaintext attack’ against the AES encryption algorithm (in CBC mode) often used by SSL/TLS.
  • The attack works by having malicious JavaScript inject known plaintext into the encrypted data stream, giving the attackers a chosen plaintext to target their cryptanalysis against.
  • Not all SSL implementations default to AES. OpenSSL prefers the Camellia cipher first; however, a man-in-the-middle attack could influence the list of allowable ciphers, causing AES to be chosen as the cipher suite.
  • The researchers have been working with browser vendors since May to develop a solution; however, every proposed patch has been found to break compatibility with some major SSL appliance, resulting in a number of major sites not being reachable over SSL. Thus far browser vendors have not resolved the issue.
  • The attack is relatively slow and requires a MITM position, so it is not likely to result in the breakdown of all e-commerce; however, it could be used quite effectively against public Wi-Fi hotspots.
  • Interesting notes from my own research, Cipher Suite Preference Order:
  • PayPal
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
    • RC4-SHA
    • RC4-MD5
  • Google (Docs, Gmail)
    • RC4-SHA
    • RC4-MD5
    • AES256-SHA
    • DES-CBC3-SHA
    • AES128-SHA
  • Facebook
    • RC4-MD5
    • RC4-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
  • Hotmail
    • AES128-SHA
    • AES256-SHA
    • RC4-SHA
    • DES-CBC3-SHA
    • RC4-MD5
  • StarTrekOnline.com
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
    • DES-CBC-SHA
    • RC4-SHA
    • RC4-MD5
  • ScaleEngine.com (OpenSSL HIGH:!MD5)
    • DHE-RSA-CAMELLIA256-SHA, CAMELLIA256-SHA
    • DHE-RSA-CAMELLIA128-SHA, CAMELLIA128-SHA
    • DHE-RSA-AES256-SHA, AES256-SHA
    • DHE-RSA-AES128-SHA, AES128-SHA
    • EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
  • None of these sites support SSLv2
  • Additional Article
  • Statistics show that as many as 35% of SSL-enabled sites are still vulnerable to a 2009 attack. Some sites purposely delay deploying SSL updates due to concerns about compatibility with outdated browsers, especially since SSL is used primarily for e-commerce.
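To make the preference lists above useful, here is an added example (not code from the show) that replays the cipher-suite negotiation against each site's published order and flags which outcome lands on a CBC-mode suite under SSL 3.0 or TLS 1.0, the combination the attack described above needs. The six preference lists are copied from the notes; BROWSER_OFFER is a constructed client offer, and the block/stream classification is derived from the OpenSSL suite names (it only knows the pre-TLS 1.2 names that appear on this page). Whether the server's order or the client's order wins depends on the server enabling server-side cipher preference (SSL_OP_CIPHER_SERVER_PREFERENCE in OpenSSL), so the audit can be run both ways. Note that RC4, the stream cipher these sites were preferring in 2011, has since been found weak enough that it is prohibited in TLS; the durable fix is TLS 1.1 or later, where the CBC issue does not apply.

```python
"""Cipher-suite preference audit for the TLS 1.0 CBC chosen-plaintext issue.

Added example for these show notes, not the show's own code. Site preference
lists are copied from the notes; BROWSER_OFFER is constructed.
"""

# Server-side preference orders as listed in the notes (first = most preferred).
SITE_PREFERENCES = {
    "PayPal": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"],
    "Google": ["RC4-SHA", "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "AES128-SHA"],
    "Facebook": ["RC4-MD5", "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    "Hotmail": ["AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA", "RC4-MD5"],
    "StarTrekOnline.com": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
                           "DES-CBC-SHA", "RC4-SHA", "RC4-MD5"],
    "ScaleEngine.com": ["DHE-RSA-CAMELLIA256-SHA", "CAMELLIA256-SHA",
                        "DHE-RSA-CAMELLIA128-SHA", "CAMELLIA128-SHA",
                        "DHE-RSA-AES256-SHA", "AES256-SHA",
                        "DHE-RSA-AES128-SHA", "AES128-SHA",
                        "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"],
}

# Constructed: what a 2011-era browser might offer, in the client's own order.
BROWSER_OFFER = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]


def cipher_mode(suite: str) -> str:
    """Classify a legacy OpenSSL suite name: RC4 is a stream cipher, while the
    AES, Camellia and DES/3DES suites on this page are all CBC-mode block ciphers."""
    name = suite.upper()
    if "RC4" in name:
        return "stream"
    if any(alg in name for alg in ("AES", "CAMELLIA", "DES")):
        return "cbc"
    raise ValueError(f"unrecognised suite name: {suite}")


def negotiate(server_prefs, client_offer, server_preference=True):
    """Return the suite the handshake settles on: the first entry of whichever
    side's order is honoured that the other side also supports, else None."""
    if server_preference:
        ordered, pool = server_prefs, client_offer
    else:
        ordered, pool = client_offer, server_prefs
    for suite in ordered:
        if suite in pool:
            return suite
    return None


def exposed_to_cbc_attack(suite: str, protocol: str) -> bool:
    """The chosen-plaintext attack in the notes needs a CBC suite on SSL 3.0 or TLS 1.0."""
    return protocol in ("SSLv3", "TLSv1.0") and cipher_mode(suite) == "cbc"


def audit(client_offer, protocol="TLSv1.0", server_preference=True):
    """Map each site to (negotiated suite, exposed?) for the given client offer."""
    report = {}
    for site, prefs in SITE_PREFERENCES.items():
        chosen = negotiate(prefs, client_offer, server_preference)
        exposed = chosen is not None and exposed_to_cbc_attack(chosen, protocol)
        report[site] = (chosen, exposed)
    return report


if __name__ == "__main__":
    for mode in (True, False):
        print("server preference" if mode else "client preference")
        for site, (suite, exposed) in audit(BROWSER_OFFER, server_preference=mode).items():
            status = "CBC on TLS 1.0: exposed" if exposed else "ok"
            print(f"  {site:20} {suite or '-':25} {status}")
```

Run both ways, the report shows why "the server prefers RC4" was only half an answer: with client preference in effect, Google and Facebook negotiate AES128-SHA from this offer just like PayPal does, and with TLS 1.1 selected nothing is flagged regardless of suite.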

Intel integrates RealVNC at the BIOS level, allowing full remote access via the existing Intel vPro management engine

  • Intel has worked with RealVNC to embed a VNC Remote Frame Buffer server directly into the BIOS and vPro management chipset
  • Features include the ability to remotely change BIOS settings, mount virtual images for reinstalling or repairing the OS, full remote KVM functionality and remote reboot capability
  • The VNC access is secured using the existing on board encryption and certificate system built into the Intel vPro Management Engine Chipset.
  • vPro must be enabled, assigned an IP address and certificate (or strong password) in order to be used, so this will not expose unconfigured computers to the risk of being unintentionally remotely controlled.

Feedback:

Home Server Segment – Storage. There are many different types of RAID, a set of technologies that allow multiple independent physical disks to act as a single logical disk. The different types of RAID provide different advantages and disadvantages and have various uses.

  • RAID 0 – Striping
  • RAID 0 uses any number of disks and spreads the data across them, usually in blocks of 64 or 128 KB. The total size of the logical disk will be N * smallest disk
  • This means that while reading and writing data, more physical heads are doing the work: when reading or writing a large amount of data, all of the disks can work in tandem, resulting in higher throughput
  • The disadvantage to RAID 0 is that there is no redundancy: if any one disk in the set fails, all data in the entire RAID array is no longer usable.
  • Common use cases for RAID 0 are things such as video editing that require extremely high throughput rates
  • RAID 1 – Mirroring
  • RAID 1 is the most basic type of RAID; it requires an even number of disks. Each pair of disks contains identical information. The total size of the logical disk is N/2 * smallest disk.
  • When one of the two disks fails, the other contains exactly the same data, and the system can continue to operate. The failed disk can then be replaced, and the remaining disk has its data cloned to the new disk (this process is called resilvering), restoring the system to full operational status.
  • RAID 1 can improve read performance because two heads can be seeking at the same time; however, it cannot improve write performance, as both disks must write all changes made to the data
  • The disadvantage to RAID 1 is that you lose half of the storage capacity of the drives you put into the array
  • RAID 1 is typically used for systems that require high fault tolerance, and the ability to continue to operate even during a disk failure
  • RAID 2 is not currently used; the original specification called for disks that would rotate and seek in unison, offering the possibility of higher transfer rates.
  • RAID 3 is similar to RAID 0; however, instead of using large blocks, data is split between the drives at the byte level. This is very rare in practice because of the limited number of IOPS that most disks can handle, and the fact that RAID 3 suffers a great loss of speed if more than one operation is run concurrently
  • RAID 4 works similarly to RAID 5 below, except that it uses a dedicated parity disk
  • RAID 5
  • RAID 5 combines striping (RAID 0) with parity. This means that as each group of blocks is written, a parity block is calculated and written to one of the disks. This way, if any one of the disks were to fail, the missing block can be recalculated from the remaining blocks and the parity block. The total size of the logical disk is (N – 1) * smallest disk.
  • During operation, if a disk fails, the RAID array will be in what is known as ‘degraded’ mode, where the controller must do the calculations to determine what the missing data would be. This results in significantly lower performance. However, the array can be restored to healthy status by replacing the failed disk and allowing it to ‘resilver’ (the process of calculating each block of data that should exist on that drive, and writing it to the disk).
  • RAID 5 provides the advantages of RAID 0 (speed, use of most of your disk capacity), while still providing some fault tolerance.
  • The parity data is stored spread across all of the disks, rather than always on one specific disk, for more even performance, because the parity calculation is
  • RAID 5 is typically used in servers where a large amount of storage and performance is required, but some degree of fault tolerance is also warranted. RAID 5 is rarely available on built-in RAID controllers due to the complexity of the parity calculations.
  • RAID 6
  • RAID 6 works like RAID 5 except with two copies of the parity information. The size of the logical disk is (N – 2) * the smallest disk
  • RAID 6 provides additional fault tolerance; specifically, it allows the array to continue to operate if more than one disk fails at once, or if a second disk fails before the first can be resilvered. In a RAID 5 array, if a second disk dies before the first failed disk is completely restored, the entire array is lost.
  • RAID 6 is typically used in servers that require more storage and more fault tolerance than RAID 1 can provide, and where RAID 5 is just not enough fault tolerance. RAID 6 usually requires a rather expensive hardware controller.
  • Some complex controllers can allow you to do ‘nested RAID levels’.
  • RAID 0+1
  • A mirrored array of two striped arrays, allowing both speed and fault tolerance
  • RAID 50
  • RAID 60
  • A striped array of two RAID 6 arrays, providing additional performance on top of the fault tolerance and larger capacity of RAID 6. This setup is also common in setups where the RAID 6 arrays are on separate controllers.
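As an added example for the RAID segment (this is not code from the show), the following Python puts the capacity rules above into one function and simulates a small RAID 5 set: data is striped in fixed-size blocks, a parity block computed by XOR is written to a disk position that rotates with every stripe, a failed disk is read back in ‘degraded’ mode by XORing the surviving blocks in each stripe, and ‘resilvering’ rebuilds the replacement disk block by block. It also shows the RAID 5 failure mode the notes warn about: a second failure before resilvering completes makes the data unrecoverable. Disk counts, the 4-byte block size and the written data are constructed for illustration, and the left-rotating parity layout is one simple choice, not the layout of any particular controller.

```python
"""RAID capacity rules and a RAID 5 parity/reconstruction simulation.

Added example for the home-server segment; not the show's own code.
Block size, disk count and data are constructed; the parity rotation is one
simple left-rotating layout chosen for illustration.
"""


def usable_capacity(level: int, disk_sizes) -> int:
    """Usable size of the logical disk, following the 'N * smallest disk' rules."""
    n, smallest = len(disk_sizes), min(disk_sizes)
    if level == 0:
        return n * smallest
    if level == 1:
        if n % 2:
            raise ValueError("RAID 1 needs an even number of disks")
        return (n // 2) * smallest
    if level == 5:
        if n < 3:
            raise ValueError("RAID 5 needs at least 3 disks")
        return (n - 1) * smallest
    if level == 6:
        if n < 4:
            raise ValueError("RAID 6 needs at least 4 disks")
        return (n - 2) * smallest
    raise ValueError(f"no capacity rule for RAID {level}")


def xor_blocks(blocks) -> bytes:
    """XOR equal-sized blocks together; this is the RAID 5 parity block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    def __init__(self, n_disks: int, block_size: int):
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least 3 disks")
        self.n, self.bs = n_disks, block_size
        self.disks = [[] for _ in range(n_disks)]  # disk -> one block per stripe
        self.failed = set()

    def _parity_disk(self, stripe: int) -> int:
        return (self.n - 1 - stripe) % self.n  # parity position rotates per stripe

    def write(self, data: bytes) -> None:
        if self.failed:
            raise RuntimeError("resilver before writing to a degraded array")
        per_stripe = self.n - 1  # data blocks per stripe; the remaining disk holds parity
        blocks = [data[i:i + self.bs].ljust(self.bs, b"\0")
                  for i in range(0, len(data), self.bs)]
        for s in range(0, len(blocks), per_stripe):
            chunk = blocks[s:s + per_stripe]
            chunk += [bytes(self.bs)] * (per_stripe - len(chunk))  # pad the last stripe
            stripe = len(self.disks[0])
            pdisk, parity = self._parity_disk(stripe), xor_blocks(chunk)
            data_iter = iter(chunk)
            for d in range(self.n):
                self.disks[d].append(parity if d == pdisk else next(data_iter))

    def _block(self, disk: int, stripe: int) -> bytes:
        if disk not in self.failed:
            return self.disks[disk][stripe]
        if self.failed - {disk}:
            raise RuntimeError("second disk failed before resilvering: array lost")
        # Degraded read: the missing block is the XOR of every other block in the stripe.
        return xor_blocks([self.disks[d][stripe] for d in range(self.n) if d != disk])

    def read(self, nbytes: int) -> bytes:
        out = bytearray()
        for stripe in range(len(self.disks[0])):
            pdisk = self._parity_disk(stripe)
            for d in range(self.n):
                if d != pdisk:
                    out += self._block(d, stripe)
        return bytes(out[:nbytes])

    def fail(self, disk: int) -> None:
        """Simulate a dead disk: its contents are gone."""
        self.disks[disk] = [None] * len(self.disks[disk])
        self.failed.add(disk)

    def resilver(self, disk: int) -> None:
        """Rebuild a replaced disk from the survivors, one stripe at a time."""
        if self.failed - {disk}:
            raise RuntimeError("cannot resilver while another disk is failed")
        self.disks[disk] = [xor_blocks([self.disks[d][s] for d in range(self.n) if d != disk])
                            for s in range(len(self.disks[0]))]
        self.failed.discard(disk)


if __name__ == "__main__":
    arr = Raid5(n_disks=4, block_size=4)
    arr.write(b"The quick brown fox jumps over the lazy dog")
    arr.fail(1)
    print("degraded read:", arr.read(43))
    arr.resilver(1)
    print("usable capacity of 4 x 1000 GB in RAID 5:", usable_capacity(5, [1000] * 4), "GB")
```

The same XOR that produces the parity block also recovers any single missing block in the stripe, which is why the degraded read and the resilver share one helper; RAID 6's second parity block is not a plain XOR and is not modelled here.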

Roundup

Bitcoin-Blaster:

Written by chris

September 22nd, 2011 at 9:58 pm

Ultimate Home Router | TechSNAP 23


Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.

Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Italian hacker publishes 10+ 0 day SCADA exploits with proof of concept code

  • SCADA (Supervisory Control and Data Acquisition) systems are industrial control systems
  • The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
  • These exploits could cause serious disruption if the systems are not properly protected from external access
  • SCADA systems are used to control numerous important industrial systems including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
  • In January 2000, the remote compromise of a SCADA system was responsible for pumping sewage into a nearby park and contaminating an open surface-water drainage ditch.
  • News Article

Official uTorrent website compromised, users download spyware

  • On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
  • Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
  • The scareware told them they were infected with malware and demanded payment to remove it
  • Any users who downloaded uTorrent between 12:20 and 14:10 BST likely received the malware instead of uTorrent.
  • In this case, the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of thousands of systems via the auto-update feature built into most modern applications.
  • This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.

Funny Virus Pic – Google+


BIOS rootkit found in the wild

  • The virus can infect almost any computer with an Award BIOS (very popular, used in almost all motherboards that I own).
  • The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each bootup.
  • The MBR virus then rootkits winlogon.exe to take over control of the system
  • The rootkit then prevents modification of the MBR, making it harder to remove the virus
  • Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
  • The rootkit also downloads a trojan and allows the system to be remotely controlled.
  • This attack is related to the attack we discussed in a previous episode of TechSNAP where a researcher was able to infect the battery in a MacBook with a virus. If the virus was similar to this one, it would add an additional layer of complexity, if the BIOS could be reinfected from the battery.
  • Details from Symantec
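Because the BIOS component rewrites the MBR at every boot, repairing the MBR is not enough; what a defender needs is a way to notice that it keeps changing. The following is an added example (not from the show or from Symantec's write-up) that parses a 512-byte MBR, records a SHA-256 baseline of the 446-byte boot-code region, and reports drift while also checking the partition table and boot signature. The MBR bytes are constructed: the boot code is filler and the CHS fields are left zero, so only the parsing and the baseline comparison are being demonstrated. On Linux the real sector can be read with dd (one 512-byte block from the boot disk) and fed to check_mbr; a boot-code hash that changes after every reboot, while the partition table stays identical, is the pattern described in these notes and points at something re-infecting from below the OS.

```python
"""MBR boot-code baseline check.

Added example for these show notes; not code from the show or Symantec.
All MBR bytes below are constructed (filler boot code, zero CHS fields).
"""
import hashlib

SECTOR = 512
BOOTCODE_LEN = 446       # bytes 0..445 hold the boot code
PART_TABLE = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOTCODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    raw = bytearray(SECTOR)
    raw[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE + 16 * i
        raw[off] = 0x80 if bootable else 0x00   # status byte: 0x80 = active/bootable
        raw[off + 4] = ptype                    # partition type byte
        raw[off + 8:off + 12] = lba_start.to_bytes(4, "little")
        raw[off + 12:off + 16] = sectors.to_bytes(4, "little")
    raw[510:512] = SIGNATURE
    return bytes(raw)


def parse_mbr(raw: bytes) -> dict:
    """Extract the partition entries, the boot signature and a boot-code fingerprint."""
    if len(raw) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        e = raw[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        if e[4] == 0:  # type 0 means an unused slot
            continue
        parts.append({
            "index": i,
            "bootable": e[0] == 0x80,
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return {
        "signature_ok": raw[510:512] == SIGNATURE,
        "partitions": parts,
        "bootcode_sha256": hashlib.sha256(raw[:BOOTCODE_LEN]).hexdigest(),
    }


def check_mbr(raw: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(raw)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


# Constructed sample: one active partition of type 0x07, filler boot code.
PARTITIONS = [(True, 0x07, 2048, 1_000_000)]
GOOD_MBR = build_mbr(b"constructed known-good boot code".ljust(BOOTCODE_LEN, b"\x00"), PARTITIONS)
BASELINE = parse_mbr(GOOD_MBR)["bootcode_sha256"]
# Same partition table, different boot code: the shape of an MBR rewrite.
TAMPERED_MBR = build_mbr(b"constructed rewritten boot code".ljust(BOOTCODE_LEN, b"\x00"), PARTITIONS)

if __name__ == "__main__":
    print("known-good:", check_mbr(GOOD_MBR, BASELINE) or "clean")
    print("rewritten: ", check_mbr(TAMPERED_MBR, BASELINE))
```

Record the baseline on a machine you trust and store it off the host; a check that runs from the possibly rootkitted OS can be lied to, so reading the sector from a boot CD or another system is the more reliable way to confirm a drift.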

TWiT.tv compromised, malicious iframe injected, loads Java malware

  • The popular TWiT.tv page was compromised and a snippet of malicious code was added, an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
  • Google’s safe browsing started blocking the site. Firefox and Google Chrome users will be presented with a warning before visiting the site.

War Story:

  • At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
  • The device was rebooted to correct the issue and we proceeded to work with the device manufacturer's TAC (Technical Assistance Center) to determine the cause of the issue and proper resolution to avert any future problems.
  • At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
  • To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
  • At approximately 7:00 PM facility local time, we began the process of replacing the faulting device with a new one. The old device was removed and the new device was put in its place.
  • Once powered on, the replacement device alerted us to a number of errors within the switch fabric modules that were causing inter-line card communication to not work properly.
  • We again contacted the device manufacturer's TAC, and at approximately 8:30 PM, we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
  • Once this was completed the device was restarted but produced the same errors.
  • The issue was then escalated to tier 2 support at the device manufacturer's TAC.
  • We concluded that the issue was likely a problem somewhere within the replacement device's chassis, and proceeded to replace the chassis with the one from the old device.
  • Upon doing so, we began getting a different set of errors, this time with the management modules' communication to the line cards.
  • At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufacturer's TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
  • At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line card, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical sub-system could be completed by the manufacturer.
  • At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
  • At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
  • Total time offline: 19 hours 8 minutes.

Feedback:

  • A few questions about home servers
    Q: crshbndct: I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
    A: Chris and I both love pfSense, a FreeBSD-based router appliance. You can basically turn any computer with 2 network cards into a router/firewall, with DHCP, DNS/DDNS, VPN (IPsec, PPTP, OpenVPN), VLANs, captive portal, traffic shaping and graphing. It has a web interface similar to, but more expansive than, what most people are already used to from a normal off-the-shelf home router.

Next Week: RAID types, what they are and some use cases for each.

Round-Up:

Bitcoin-Blaster:


Bitcoin Value: 34,196,260 USD

Written by chris

September 15th, 2011 at 9:16 pm