Archive for the ‘rootkit’ Category
Coming up on this week’s TechSNAP…
Buckle up and prepare for our Ultimate ZFS overview!
Plus, the next generation of Stuxnet is in the wild, but this time is laying low, collecting data.
All that and more, on this week’s TechSNAP!
Direct Download Links:
Subscribe via RSS and iTunes:
Jupiter Broadcasting Gear
- Coupon Code: SuperDuperShip – Free Shipping on Super Saver, International, and Canadian Airmail orders. No minimums
- Coupon Code: SuperSave$10 – $10 off orders with a subtotal of $50+
- Coupon Code: Scary35% – 35% off orders with a subtotal of $100+
- Called Duqu, the malware appears to be based on the same concepts as Stuxnet, and likely was written by some of the same people, or someone with access to the Stuxnet source code.
- The malware is designed to be stealthy and silent, rather than exploiting the system to some gain, like most malware
- The rootkit loads it self as a validly signed driver. It appears to have been signed by the certificate of a company in Taiwan identified as C-Media Electronics Incorporation. It is possible that their systems were compromised and their private key is being used without their knowledge. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14
- The malware is not a worm, as it does it spread, and has no destructive payload
- It appears to only gather intelligence and act as a espionage agent, collecting data to be used a future attack.
- Analysts claim it appears to be seeking information on an unidentified industrial control system
- Duqu appears to have been in operation, undetected for more than a year
- Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors
- Duqu analysis paper
- Users who do a search while logged in, will do the search over SSL, meaning their search query and the results will be protected from snooping by their ISP, Government, Law Enforcement and WiFi hackers.
- This is an important step as google works to personalize your search results more and more.
- An interesting side effect of this is that browsers do not pass referrer headers when you transition from an SSL site. So the sites you visit from the search results page will no longer see what your search query was. Clicks on Adwords and other sponsored links will still pass your search query.
- The primary impediment to SSL for everything is performance, encrypting all traffic on the web would require a great deal more hardware. This is why Google defaults to a weaker encryption for things like search results, than what online merchants typically use.
- Another impediment to SSL is the certificate system, typical setups require a unique IP for each SSL certificate (because the name based virtual hosting typically done by web servers relies on an HTTP header, that is not sent until after the encryption session is started). However modern browsers and web servers support ‘SNI’ (Server Name Indication) to allow that information to be passed as part of the initial encryption setup. There are also solutions such as wildcard certificates (ie, *.google.com) and Unified Communications Certificates (UCC, typically used for MS Exchange servers and the like).
- Google will also provide website owners with the top 1000 search queries that lead visitors to their site via Google Webmaster Tools.
- HTTPS Everywhere | Electronic Frontier Foundation
- TechSnap Question – YouTube
- Typically a solution like this relies on a hard line connection between the two wireless APs so that they do not have to communicate via wireless as well.
- www.dd-wrt.com | Unleash Your Router
- DD-WRT Router Database
- Turn Your $60 Router into a User-Friendly Super-Router with Tomato
- Tomato (firmware)
- This week we will be taking a look at ZFS as a storage solution
- ZFS was originally developed by Sun Microsystems to be able to store a zetta byte of data (A zetta byte is equal to 1 billion tera bytes)
- ZFS is both the Volume Manager and the File System. This gives it some unique benefits, including the ability to increase the size of the file system on the fly and improves performance for the ‘scrub’ (integrity check all data) and resilver (recover from a failed disk) operations, as only data blocks that are actually in use need to be rewritten, whereas a hardware RAID controller must resilver the entire disk because it is unaware of the file system.
- ZFS is a ‘Copy-On-Write’ file system, this means that data is not immediately overwritten when it is changed
- Multiple mount points – You can create various mount points from the same storage pool, allowing you to have different settings for different types of files.
- Passive Integrity Checking (Fletcher Checksum or SHA–2) – As data is read, it is compared against the checksum (or hash, depending on settings). If the data is found to be corrupted, ZFS attempts to recover it (from a mirrored device, RAID Z, or copies). This feature allows ZFS to detect silent corruption that normally goes unnoticed.
- RAID Z – RAID Z works very similar to RAID 5, except without the requirement for a hardware RAID controller. RAID Z2 provides two parity drives, like RAID 6. Recently, RAID Z3 was also introduced, using 3 drives for parity, providing exceptional fault tolerance.
- Compression – Allow you to compress the data stored in this mount point (defaults to lzjb for speed, or you can choose a specific level of gzip). This can be great for storing highly compressible information such as log files
- Deduplication – Since ZFS already knows the hash of your files as it writes them, it can detect that a file with the identical content already exists in your storage pool, and it will simply link the new file to the old one, and because ZFS is copy-on-write, if either file changes, it does not effect the other. ZFS also supports an optional ‘verify’ setting, where even if the checksum/hash matches, it will do a byte-by-byte verification to ensure the files are the same, to avoid a cache collision resulting in data corruption, even though the chances of this happening are around 10^–77. Deduplication uses a lot of ram, so it is recommended that you only use it on datasets where there is a high probability of duplication (It requires 320 bytes per block, meaning 1TB of data in 8kb blocks requires 32GB of ram. ZFS allows blocks up to 128kb). Deduplication will only use up to 25% of ARC memory, after that performance is degraded.
- Purposeful Duplication (Copies) – Allows you to ask ZFS to maintain more than 1 copy of each file in a mount point. This is in addition to any redundancy provided by mirrors/RAID Z etc. Where possible the additional copies are stored on different physical devices. This allows you to get the benefit of a system like RAID Z but only for a specific set of data, while using regular striping for the rest, to maximize your storage capacity. (The ‘Copies’ system was not designed to protect against entire drives failing, just the loss of specific sectors, also this setting only effects newly created files, so you should set it when you create the mount point)
- Snapshots – A read only copy of the file system from a specific point in time, great for backups etc.
- Clones – A writable snapshot. Allows you to create a second copy of the file system that shares all of the same disk space, and any changes to either the original or the clone get saved separately.
- Dynamic Striping – As you add more disks to your ZFS pool, the strips are automatically adjusted to take advantage of the write performance of all available disks.
- Space Reservation – Since all mount points share the same pool of free space, you can set reservations to make sure specific mount points always have access to free space, even if another mount point is trying to use all of the space.
- In summary, ZFS can be a great solution for your home file server, as it allows you the flexibility to add additional storage at any time, deduplicate files, provided limited redundancy without needing RAID and can even provide some Drobo like functionality.
- If you keep at least one SATA port available in your file server, you can replace smaller devices by attaching the newer drive, and using the ‘zpool replace’ command, to copy all of the data to the new device, then remove the smaller one. You can eventually replace every device in the system this way, and the storage pool sizes up automatically.
- RAID Z pools cannot currently have devices added to them, although this feature is in the works. If you create a RAID Z (or Z2/Z3) pool, you can still increase it’s storage capacity by replacing each disk one at a time, and waiting for it to resilver (unlike in non-redundant setups, you do not have to connect the new device before removing the old one). Again, because ZFS is both the Volume Manager and the File System, the resilvering process is faster, because only data that is actually in use needs to be written to the new device.
- Jobs offered ‘nine-digit price’ to buy Dropbox
- NCI, Australia’s largest Supercomputer, confirmed hacked.
- Sesame Street’s YouTube channel hacked, replaced with porn
- Analysis of 250,000 hacker conversations PDF
- Google Music to support peer-to-peer file sharing, says record exec
- MIT researches develop system to record real time video through walls
Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.
Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!
All that and more, on this week’s TechSNAP!
Direct Download Links:
Subscribe via RSS and iTunes:
- SCADA (Supervisory Control and Data Acquisition) are Industrial control systems
- The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
- These exploits could cause serious disruption if the systems are not properly protected from external access
- SCADA systems are used to control numerous important industrial systems including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
- In January 2000, the remote compromised of a SCADA system was responsible for pumping sewage into a nearby park and contaminated an open surface-water drainage ditch.
- News Article
- On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
- Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
- The scareware told them they were infected with malware and demanded payment to remove it
- Any users who downloaded uTorrent between 12.20 and 14.10 BST likely received the malware instead of uTorrent.
- In this case, the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of 1000s of systems via the auto-update feature built in to most modern applications.
- This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.
- The virus can infect most any computer with an Award BIOS (very popular, used in most all Motherboards that I own).
- The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each bootup.
- The MBR virus then rootkits winlogon.exe to take over control of the system
- The rootkit then prevents modification of the MBR, making it harder to remove the virus
- Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
- The rootkit also downloads a trojan and allows the system to be remotely controlled.
- This attack is related to the attack we discussed in a previous episode of TechSNAP where a researcher was able to infect the battery in a MacBook with a virus. If the virus was similar to this one, it would add an additional layer of complexity, if the BIOS could be reinfected from the battery.
- Details from Symantec
- The popular TWiT.tv page was compromised and a snippet of malicious code was added, an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
- Google’s safe browsing started blocking the site. Firefox and Google Chrome users will be presented with a warning before visiting the site.
- At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
- The device was rebooted to correct the issue and we proceeded to work with the device manufacturers TAC (Technical Assistance Center) to determine the cause of the issue and proper resolution to avert any future problems.
- At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
- To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
- At approximately 7:00 PM facility local time, we began the process of replacing the faulting device with a new one. The old device was removed and the new device was put in its place.
- Once powered on the replacement device alerted us to a number of errors within the switch fabric modules that were causing inter-line card communication to not work properly.
- We again contacted the device manufactures TAC, and at approximately 8:30 PM, we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
- Once this was completed the device was restarted but produced the same errors.
- The issue was then escalated to tier 2 support at the device manufactures TAC.
- We concluded that the issue was likely a problem somewhere within the replacement device’s chassis, and proceeded to replace the chassis with the one from the old device.
- Upon doing so, we began getting a different set of errors, this time with the management modules communication to the line cards.
- At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufactures TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
- At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line card, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical sub-system could be completed by the manufacturer.
- At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
- At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
- Total time offline: 19 hours 8 minutes.
- A few questions about home servers
Q: crshbndct I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
A: Chris and I both love pfSense, it is a FreeBSD based router appliance. You can basically turn any computer with 2 network cards into a Router/Firewall, with DHCP, DNS/DDNS, VPN (IPSec, PPTP, OpenVNP), VLANs, Captive Portal, Traffic Shaping and Graphing. It has a web interface similar but more expansive than what most people are already used to from a normal off the shelf home router.
Next Week: RAID types, what they are and some use cases for each.
- Awesome LastPass Alternative : techsnap
- Hotfile Sues Warner Bros. For Copyright Fraud and Abuse
- White House clears the way for net neutrality protection
- Secret Obama flight plans disclosed on blog
- Chinese government producing more defensive propaganda about cyber security
- Increasing demand for Custom Data center servers ala Google and Facebook
- Google has disable youtube comments for users from the RoK (South Korea) after a new law was passed that requires users to give their real name and national ID card number when posting anything online to a site that has more than 100,000 unique visits per day
- Ron Paul schedules House hearing to push gold standard, mentions bitcoin
- MultiBit – Desktop Client
- Bitcoin Wallet – Android
- MtGox Mobile – Android
- Bitcoin Prices – Android
- BTCmon – iOS
- iBitcoin – iOS US Store link.
Bitcoin Value: 34,196,260 USD