LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘AWS’ Category

How Malware Makes Money | TechSNAP 31



The FBI shuts down a cyber crime syndicate, and we’ll tell you just how much profit they were bringing in.

Plus we’ll cover how to securely erase your hard drive, Xbox Live’s minor password leak, and how researchers remotely opened prison cell doors, in my own state!

All that and more, on this week’s episode of TechSNAP!

Thanks to:
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!


Pick your code and save:

  • techsnap7: $7.49 .com
  • techsnap10: 10% off
  • techsnap20: 20% off 1, 2, 3 year hosting plans
  • techsnap40: $10 off $40
  • techsnap25: 25% off new Virtual DataCenter plans


    Direct Download Links:

    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

    Subscribe via RSS and iTunes:

    Show Notes:

    FBI takes out malware operation that illicitly made 14 million dollars

    • The malware was said to have infected as many as 4 million computers in 100 countries
    • At least 500,000 infected machines in the USA alone
    • Operation Ghost Click resulted in indictments against six Estonian nationals and one Russian national. The Estonians were taken into custody by local authorities, and the US is seeking to extradite them.
    • The malware, called DNSChanger, replaced the user’s DNS servers with rogue resolvers run by the botnet operators. Whoever controls name resolution can point any hostname at a server of their choosing, which let the attackers perform man-in-the-middle attacks against any site they wished.
    • The attackers redirected all traffic related to Apple and iTunes to a site that sold fake Apple software and pirated music.
    • The attackers also hijacked traffic from legitimate advertising networks and replaced the ads with their own, charging advertisers for the ill-gotten traffic.
    • The malware also blocked Windows Update and most known virus scanners and help sites.

    Pastebin of XBox Live IDs and passwords published

    • The pastebin contained 90 gamertags, passwords and possibly email addresses
    • Microsoft says it does not believe its network was compromised, and that the list is the result of a small-scale phishing attack
    • The size of the credential dump supports that conclusion: a breach of the service itself would yield far more than 90 accounts
    • Regardless, it is recommended that you change your Xbox Live password, and the password on any other service that shared it, especially the email account tied to your Xbox Live account.

    Researchers Uncover ‘Massive Security Flaws’ In Amazon Cloud

    • The vulnerability (since fixed) allowed an attacker to take over full administrative control of another customer’s AWS account through its SOAP API, including starting new EC2 instances, reading and deleting S3 storage, and terminating running instances
    • An attacker could have run up a huge bill very quickly, and to Amazon it would have looked like legitimate use of the victim’s account.
    • Using EC2 to crack passwords becomes even more effective when someone else is paying for your instances
    • The vulnerability was exploited using an XML signature wrapping attack: the signed element of a SOAP request is moved elsewhere in the document and an attacker-chosen element is put in its place. Because the signature verifier locates the signed element by its ID reference while the application logic reads the request body by position, the signature still verifies as unmodified and the application executes the attacker’s request.
    • Amazon said “customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities”
    • Previous Article about Amazon AWS Security
    • The previous article mostly covers vulnerabilities created by users of AWS themselves, such as publicly publishing AMIs with their SSH keys still inside them.
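The wrapping attack described above, shown end to end as an added illustration for these notes (not code from the research or from AWS). Assumptions: HMAC-SHA256 with a shared secret stands in for the XML-DSig RSA signature, ElementTree serialisation stands in for canonicalisation, and the Envelope/Header/Body layout and the KEY value are invented. The flaw it reproduces is the one in the notes: the verifier finds the signed element by its Id reference, the application reads the Body by position, and nothing ties the two together. The strict verifier closes that gap.

```python
"""XML signature wrapping against a SOAP-style request, plus a verifier that is not fooled."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"example-shared-secret"  # assumption: stand-in for the requester's signing key

# Constructed sample request: the kind of call a legitimate customer would sign.
REQUEST = ('<Envelope><Header/>'
           '<Body Id="body"><Action>DescribeInstances</Action></Body></Envelope>')


def canon(elem):
    """Serialise an element without its tail text, so it hashes the same wherever it sits."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="unicode").encode()


def sign(request_xml, key=KEY):
    """Sign the Body and record a Reference to it by Id, XML-DSig style."""
    root = ET.fromstring(request_xml)
    body = root.find("Body")
    sig = ET.SubElement(root.find("Header"), "Signature")
    ET.SubElement(sig, "Reference", URI="#" + body.get("Id"))
    ET.SubElement(sig, "SignatureValue").text = hmac.new(
        key, canon(body), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")


def wrap(signed_xml, new_action):
    """The attack: keep the signed Body (Id intact) but move it into a wrapper element
    the application never looks at, and put an unsigned Body carrying the attacker's
    action where the application expects the request to be."""
    root = ET.fromstring(signed_xml)
    original = root.find("Body")
    root.remove(original)
    ET.SubElement(root.find("Header"), "Wrapper").append(original)
    evil = ET.SubElement(root, "Body")
    ET.SubElement(evil, "Action").text = new_action
    return ET.tostring(root, encoding="unicode")


def _referenced_id(root):
    return root.find("Header/Signature/Reference").get("URI").lstrip("#")


def _mac_ok(root, elem, key):
    expected = hmac.new(key, canon(elem), hashlib.sha256).hexdigest()
    return hmac.compare_digest(root.find("Header/Signature/SignatureValue").text, expected)


def naive_process(signed_xml, key=KEY):
    """Vulnerable: verify whichever element carries the referenced Id, then act on the
    first Body child. After wrapping, those are two different elements."""
    root = ET.fromstring(signed_xml)
    signed_elem = next(e for e in root.iter() if e.get("Id") == _referenced_id(root))
    if not _mac_ok(root, signed_elem, key):
        return None
    return root.find("Body/Action").text


def strict_process(signed_xml, key=KEY):
    """Hardened: resolve the Body the application will act on first, insist that it is
    the element the signature references, that the Id is unique and that there is
    exactly one Body, and only then check the signature over that same element."""
    root = ET.fromstring(signed_xml)
    rid = _referenced_id(root)
    body = root.find("Body")
    if body is None or body.get("Id") != rid:
        return None
    if sum(1 for e in root.iter() if e.get("Id") == rid) != 1 or len(root.findall("Body")) != 1:
        return None
    if not _mac_ok(root, body, key):
        return None
    return body.find("Action").text


if __name__ == "__main__":
    forged = wrap(sign(REQUEST), "TerminateInstances")
    print("naive verifier runs:", naive_process(forged))    # TerminateInstances
    print("strict verifier runs:", strict_process(forged))  # None
```

The fix is not a stronger signature algorithm; it is making the verifier and the application agree on which element was signed, rejecting duplicate Ids and duplicate Body elements along the way. Real XML-DSig libraries have been bitten by exactly this gap between "what was verified" and "what was used".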

    Prison SCADA systems vulnerable to compromise

    • Researchers have been able to compromise the SCADA systems and open or close cell doors, overload door mechanisms so they can no longer be opened or closed, and disable the internal communications systems.
    • The researchers worked in one of their basements, spent less than $2,500, and had no previous experience with these technologies.
    • A Washington Times article confirms that the research was delivered to state and prison authorities, and that Homeland Security has verified the research
    • The researchers were called in after an incident in which all of the cell doors on death row at one prison opened spontaneously
    • While the SCADA systems are not supposed to be connected to the Internet, many of them were found to be.
    • Some were used by prison staff to browse the Internet, exposing them to malware and similar attacks.
    • Others had been connected to the Internet so they could be remotely managed by consultants and software vendors
    • Even without Internet access, the researchers found that the system could be compromised by an infected USB drive, connected to the SCADA system either through social engineering or bribery of prison employees.

    Feedback:

    Simon asks about destroying your data before recycling/selling your used hard drives

    • There are a number of tools that will overwrite the contents of your hard drive several times in various patterns. The goal is to ensure that any data that was on the drive cannot be recovered; there is never an absolute guarantee that it will not be.
    • Allan Recommends: DBAN – Darik’s Boot And Nuke
    • It is still a very good idea to overwrite the data on your disks before you recycle or sell them. The methods have changed a little, though: some, such as the ‘Gutmann wipe’, were designed around disk encodings (MFM/RLL) that modern hard drives no longer use, so their extra passes no longer serve any purpose.
    • DBAN supports a number of methods:
    • PRNG Stream (recommended) – overwrites the entire drive with a stream of data from the pseudo-random number generator. 4 passes are recommended for medium security and 8 or more for high security.
    • DoD 5220.22-M – The US Department of Defense 7-pass standard. The default in DBAN is the DoD Short, which consists of passes 1, 2 and 7 of the full DoD wipe.
    • RCMP TSSIT OPS-II – The Canadian government’s “Technical Security Standard for Information Technology”: Media Sanitization procedure (8 passes)
    • Quick Erase (not recommended) – overwrites the entire drive with zeros in a single pass. This is intended for drives you are going to reuse internally and is not considered secure.
    • DBAN also verifies that the data was overwritten properly, by reading it back from the drive and checking that the expected pattern is found.
    • I am not certain about the answer to your question concerning SD cards and other flash storage not in the form of a hard disk. A file erasure utility may be the only option if the device does not actually accept ATA/SCSI commands (careful: some USB devices pretend to accept the commands but just ignore ones they do not understand)
    • Simon’s method of using the shred utility (designed to overwrite an individual file) on the block device is not recommended. Anything that writes through the block device, shred and DBAN alike, only reaches the sectors the drive currently exposes: sectors that have been remapped because of bad blocks, and hidden areas such as an HPA or DCO, are not touched. Reaching those requires the drive’s own secure-erase command (ATA Secure Erase, issued with a tool such as hdparm), which the drive firmware carries out itself, so host-side write caching is not a concern. DBAN is an overwrite tool and does not issue that command, so pair it with a secure erase where the drive supports one.
    • Special consideration should be given to SSDs: they usually contain more flash than advertised, and as cells wear out, blocks are retired and replaced from this reserve. Those retired blocks still hold your data, and no host-side overwrite can address them, which is why a utility that issues the drive’s own ATA/SCSI secure-erase command is so important for SSDs.
    • Proper destruction is also a legal matter if the disk held business or customer data: under legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), HIPAA and Sarbanes-Oxley (USA), the information must be properly destroyed, so use a tool that verifies its work.
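The PRNG-stream-with-verification approach described above, as an added illustration written for these notes rather than DBAN’s own code. Each pass seeds a generator, writes its stream across the whole device, then regenerates the same stream to check the read-back, so only the 32-byte seed has to be kept during the pass. The generator (SHA-256 in counter mode), the chunk size and the `demo` sample file are assumptions. Point it at a file to try it; point it at an unmounted block device only if you mean to destroy it, and remember the limit the notes spell out: it cannot reach remapped sectors, an HPA/DCO, or an SSD’s spare flash.

```python
"""Multi-pass PRNG overwrite of a file or block device, verifying every pass."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per write/read (assumption)


def prng_stream(seed, length):
    """Yield `length` bytes in CHUNK-sized pieces, deterministically from `seed`
    (example generator: SHA-256 in counter mode; DBAN uses its own PRNG)."""
    counter, produced = 0, 0
    while produced < length:
        want = min(CHUNK, length - produced)
        buf = bytearray()
        while len(buf) < want:
            buf += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
        yield bytes(buf[:want])
        produced += want


def _write_all(fd, block):
    view = memoryview(block)
    while len(view):
        view = view[os.write(fd, view):]


def _read_exact(fd, n):
    buf = bytearray()
    while len(buf) < n:
        part = os.read(fd, n - len(buf))
        if not part:
            break
        buf += part
    return bytes(buf)


def wipe(path, passes=4, seed_source=os.urandom):
    """Overwrite `path` end to end `passes` times, verifying each pass by regenerating
    its stream. Only the LBAs the device exposes are touched: remapped bad sectors, a
    hidden HPA/DCO and an SSD's over-provisioned flash need ATA Secure Erase instead.
    On a real drive, drop the page cache (or use O_DIRECT with aligned buffers) so the
    verify reads come from the media rather than from memory."""
    verified, total = 0, 0
    for _ in range(passes):
        seed = seed_source(32)
        fd = os.open(path, os.O_RDWR)
        try:
            total = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
            os.lseek(fd, 0, os.SEEK_SET)
            for block in prng_stream(seed, total):
                _write_all(fd, block)
            os.fsync(fd)
            os.lseek(fd, 0, os.SEEK_SET)
            for expected in prng_stream(seed, total):
                if _read_exact(fd, len(expected)) != expected:
                    raise IOError("verify failed in pass %d" % (verified + 1))
        finally:
            os.close(fd)
        verified += 1
    return {"bytes": total, "passes_verified": verified}


def demo(size=1 << 20, passes=2):
    """Constructed sample: a temp file full of a marker string, wiped and re-checked."""
    fd, path = tempfile.mkstemp()
    try:
        _write_all(fd, b"SECRET-DATA-" * (size // 12))
        os.close(fd)
        result = wipe(path, passes)
        with open(path, "rb") as f:
            result["marker_remains"] = b"SECRET" in f.read()
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())  # {'bytes': 1048572, 'passes_verified': 2, 'marker_remains': False}
```

Verification by regeneration is what makes the PRNG method practical: the check costs one more read of the device, not a copy of everything that was written.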

    Round UP:

    ZFS Server Build Progress:

    • Finalized Parts List
    • Parts Summary:
    • Supermicro CSE-829TQ-R920UB chassis
      • 8 hot-swappable SAS bays
      • dual redundant 920 W high-efficiency PSUs
    • Supermicro X8DTU-6F+ motherboard
      • Dual Socket LGA 1366
      • 18x 240-pin DDR3 1333 slots (max 288GB RAM)
      • Intel 5520 Tylersburg chipset, ICH10R
      • LSI 6Gb/s SAS hardware RAID controller
      • Intel ICH10R 3Gb/s SATA controller
      • IPMI 2.0 with Virtual Media and KVM over LAN
      • Dual Intel 82576 Gigabit Ethernet controllers
    • Dual Intel Xeon E5620 processors (4×2.4GHz, HT, 12MB cache, 80W)
    • 48GB DDR3 1333MHz ECC Registered RAM
    • 2x Seagate Barracuda XT 2TB SATA 6Gb/s 7200rpm drives (for OS)
    • 9x Seagate Constellation ES 2TB SAS 6Gb/s 7200rpm drives (8x for RAID-Z2, 1x cold spare)
    • Adaptec RAID 6805 controller (8 internal drives, supports up to 256 drives, 512MB DDR2 667 cache)
    • Adaptec AFM 600 Flash Module (alternative to a BBU: 4GB of NAND flash backed by a supercapacitor, giving zero-maintenance protection of the write cache)

    Written by chris

    November 10th, 2011 at 8:18 pm

    Great Disk Famine | TechSNAP 30



    Anonymous says it’s going after a Mexican Drug Cartel, and we’ll share the amazing details with you!

    Plus: Our tips for controlling remote downloads, and why all I’m going to want for Christmas is hard drives!

    All that and more, on this week’s TechSNAP!



    Show Notes:

    Anonymous says it will go after Mexican Drug Cartel

    • Anonymous claims one of its members was kidnapped at a street protest
    • Anonymous says it will start releasing details about journalists, taxi drivers, police officers and government officials who are on the Cartel’s payroll if the kidnap victim is not released by November 5th (Guy Fawkes Day)
    • No information about the person who was allegedly kidnapped has been released
    • Anonymous hopes that by releasing this information, the government will be able to pursue the allegedly corrupt officials. However, depending on the type of information, it is unlikely that the evidence provided would be enough to convict anyone.
    • There are serious concerns that the release, or even the threat of release, of such information could provoke a violent backlash from the Cartel.
    • Anyone whose name appears on a list released by Anonymous would seem to be in serious danger; a case of mistaken identity or speculation could get an innocent person killed.
    • Anonymous has claimed it would attack a number of entities, including the NYSE and Facebook; many of these attacks never took place, or were unsuccessful and never mentioned again.

    Series of spear phishing attacks against chemical and defense companies

    • At least 50 companies were targeted by attackers attempting to steal research and development documents and other sensitive information.
    • The attacks started in July and continued through September; the same attackers are believed to have targeted NGOs and the auto industry earlier this year.
    • The attacks were spear phishing attacks, a targeted form of the common email scam. In a typical phishing scam the attacker poses as your bank and tries to get you to enter your login credentials and other personal information into a fake site designed to mimic your bank’s; a spear phishing attack targets specific individuals, using what is known about them and where they work, and commonly impersonates someone the victim would expect to receive such an email from.
    • The emails in this case often took the form of meeting invitations with infected attachments. When messages were broadcast to many victims they took the form of security bulletins, usually riding on real vulnerability announcements for common software such as Adobe Reader and Flash Player. The attackers sent the infected files in 7-Zip format to get past spam filters and virus scanners that only block or scan .zip files, and also password-protected the archives, supplying the password in the email body, so that scanners on the inbound mail servers could not open them.
    • The attackers used PoisonIvy, a common backdoor trojan written by one or more Mandarin speakers. The trojan carried the address of a command and control (C&C) server from which it fetched further instructions.
    • Once the attackers were inside the network through one or more infected machines, they leveraged that access to eventually gain the permissions needed to copy sensitive documents and upload them to an external server, from which they could be retrieved.
    • One of the command and control servers was a VPS in the United States, owned by a Chinese individual from Hebei province. Investigators have not determined whether this individual was part of the attacks, whether anyone else had access to the VPS, or whether he was acting on behalf of another group. The server may have been compromised, or made to look as though it had been.
    • Symantec says a number of different groups were attacking these companies during this period, some using a custom backdoor called ‘Sogu’ delivered through specially crafted .doc and .pdf files. There is no word on whether these additional attacks also succeeded.
    • Full Report
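A mail-gateway check for the two attachment tricks described above (a 7-Zip container that a zip-only filter never opens, and a password-protected zip whose data a scanner cannot read even with the password sitting in the mail body), as an added example for these notes and not code from the Symantec report or any mail product. The samples are built in memory and labelled as constructed; the policy (which extensions are blocked, what gets quarantined) is an assumption. The useful detail it demonstrates is that traditional zip encryption leaves the entry names in the clear, so a header-level parse still sees an .exe inside a password-protected archive.

```python
"""Triage of archive attachments by container type and encryption flag."""
import io
import struct
import zipfile

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZIP_EOCD_SIG = b"PK\x05\x06"
ZIP_CDIR_SIG = b"PK\x01\x02"
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta")  # assumed policy


def zip_entries(data):
    """Walk the central directory (the authoritative index) and report every entry's
    name and whether general-purpose bit 0, 'encrypted', is set. ZipCrypto encrypts
    only the entry data, so names stay visible to a filter."""
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, off = [], cd_off
    for _ in range(total):
        if data[off:off + 4] != ZIP_CDIR_SIG:
            raise ValueError("corrupt central directory")
        fields = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, off)
        flags, nlen, elen, clen = fields[3], fields[10], fields[11], fields[12]
        name = data[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & 0x1)})
        off += 46 + nlen + elen + clen
    return entries


def triage(data):
    """Gateway decision for one attachment's bytes."""
    if data.startswith(SEVENZ_MAGIC):
        return {"container": "7z", "action": "quarantine",
                "reason": "7z archive: this filter cannot inspect its contents"}
    if data.startswith(b"PK"):
        entries = zip_entries(data)
        risky = [e["name"] for e in entries if e["name"].lower().endswith(RISKY_EXT)]
        encrypted = [e["name"] for e in entries if e["encrypted"]]
        if risky:  # names are in the clear even when the data is password-protected
            return {"container": "zip", "action": "block",
                    "reason": "executable inside archive: " + ", ".join(risky)}
        if encrypted:  # AV cannot open the data; a password in the mail body does not help it
            return {"container": "zip", "action": "quarantine",
                    "reason": "password-protected entries: " + ", ".join(encrypted)}
        return {"container": "zip", "action": "scan", "reason": "contents readable; hand to AV"}
    return {"container": "other", "action": "scan", "reason": "hand to AV"}


def make_zip(member, payload, password_protected=False):
    """Constructed sample: a one-entry zip. With password_protected=True the 'encrypted'
    flag is set in both the local and the central-directory header, as a real ZipCrypto
    archive carries it (the payload is left as is, which suffices for a header check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if password_protected:
        cd_off = struct.unpack_from("<I", data, data.rfind(ZIP_EOCD_SIG) + 16)[0]
        for flag_off in (6, cd_off + 8):  # flags sit at +6 in the local header, +8 in the central one
            struct.pack_into("<H", data, flag_off,
                             struct.unpack_from("<H", data, flag_off)[0] | 0x1)
    return bytes(data)


# Constructed stub: only the signature bytes matter to a magic-number check.
SEVENZ_SAMPLE = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24

if __name__ == "__main__":
    for label, blob in [("plain", make_zip("agenda.docx", b"constructed")),
                        ("protected", make_zip("agenda.docx", b"constructed", True)),
                        ("exe", make_zip("invite.exe", b"MZ constructed")),
                        ("7z", SEVENZ_SAMPLE)]:
        print(label, triage(blob))
```

The policy decision is the point: an archive the scanner cannot look inside is not "clean", it is unscanned, and a gateway that lets it through because no signature matched is doing exactly what the attackers counted on.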

    Feedback:

    • Remote Downloads?
    • Q: I have a question regarding downloads, in particular, remote downloads.
    • A: There are a number of options, varying in capability and ease of use.
    • rTorrent – A command-line torrent client that works well over SSH (especially combined with screen). This is what Allan uses to seed the Linux Action Show torrents.
    • uTorrent – uTorrent (microTorrent) is available for Windows, Mac and Linux. It offers an optional web UI (the only interface on Linux) for controlling torrents remotely, can automatically start downloading torrents placed in a watched directory, and includes an RSS reader.
    • wget – A standard command-line download tool included in most GNU/Linux distros; also available for Windows.
    • curl – A library and utility for dealing with HTTP; it is present on most web hosting servers and integrates easily with PHP. You could write a short PHP script that downloads files to the remote server when prompted (for example by an email, or by a request from your mobile phone).

    Round UP:

    Written by chris

    November 3rd, 2011 at 7:15 pm