LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘bsd’ Category

Ultimate File Server | TechSNAP 25



Coming up on this week’s TechSNAP…

Have you ever been curious how hackers pull off massive security breaches? This week we’ve got the details on a breach that exposed private data of 35 millions customers.

Plus spreads custom malware tailored just for your system, and the details are amazing!

On top of all that, we’ll share our insights on setting up the ultimate network file server!


Show Notes:

South Korea’s SK Telecom hacked, detailed forensics released

  • Between July 18th and 25th, SK Telecom’s systems were compromised, and all of their customer records (35 million customers) were exposed. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
  • The attack was classified as an Advanced Persistent Threat: the attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom and a server at a Taiwanese publishing company that had been compromised by the attackers at an earlier date.
  • The attack was very sophisticated, specifically targeted, and also seems to indicate a degree of knowledge about the target. The well organized attackers managed to compromise the software update server of another company (ESTsoft) whose software (ALTools) was used by SK Telecom, then piggybacked a trojan into the secure systems that way. Only computers from SK Telecom received the malicious update.
  • The attackers sent the compromised data through a number of way points before receiving it, masking the trail and the identities of the attackers. A similar pattern was seen with the RSA APT attack: the attackers uploaded the stolen data to a compromised web server, and once they had removed the data from there, destroyed the server and broke the trail back to themselves.
  • Proper code signing, or GPG signing of the updates, could have prevented this
  • Original BBC Article about the attack

Mac OS X Lion may expose your hashed password

  • The Directory Services command (dscl) allows users to search for data about other users on the machine. This is the intended function.
  • The problem is that the search results for the current user also include sensitive information, such as the user’s password hash. You are authorized to view this information, because you are the current user.
  • However, any application running as that user could also gain that information, and send it back to an attacker.
  • Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have gotten more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
  • My bitcoin mining rig could easily be converted to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
  • The tool can also allow the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current user’s password, and then take over the account that way.
  • These attacks would require some kind of exploit that allowed the attacker to perform the required actions; however, we have seen a number of Flash, Java and general browser exploits that could allow this.
  • The current recommended workaround is to chmod the dscl command such that it can only be used by root
  • Additional Article

compromised, visitors subject to drive by infection

  • The front page was compromised and had malicious code injected into it.
  • The code (usually an iframe) caused a Java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is known as a ‘drive by infection’, because the user does not have to take any action to become infected.
  • Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
  • Because of the nature of the iframe attack and the redirect chain, the attackers could have easily varied the payload, or selected different payloads based on the platform the user was visiting the site on.
  • There are reports of Russian hackers offering to sell admin access to for $3000
  • Detailed Analysis with malicious source code, video of the infection process
  • Article about previous compromise
  • When the previous compromise was reported, it was also reported that was subject to an XSS (Cross Site Scripting) attack, where content from another site could be injected into the MySQL site, subverting the browser’s usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.


Continuing our Home Server Segment – This week we are covering file servers.
Some possible solutions:

  • Roll Your Own (UNIX)
    • Linux or FreeBSD based
    • Install Samba for an SMB server (allows Windows and other OS machines to see your shared files)
    • Set up FTP (unencrypted unless you use FTPS (FTP over SSL); high speed; doesn’t play well with NAT; not recommended)
    • Configure SSH (provides SCP and SFTP; encrypted; slightly higher CPU usage; recommended for Internet access)
    • Install rsync (originally designed to keep mirrors of source code and websites up to date; allows you to transfer only the differences between files, rather than the entire file; it is recommended you run rsync over SSH rather than via its native protocol)
    • Configure NFS (the default UNIX file sharing system)
    • Build your own iSCSI targets (allows you to mount a remote disk as if it were local; popular in virtualization as it removes a layer of abstraction; required for virtual machines that can be transferred from one host to another)
  • Roll Your Own (Windows)
    • Windows provides built-in support for SMB
    • Install FileZilla Server for FTP/FTPS (alternative: CyberDuck)
    • There are some NFS alternatives for Windows, but they are not free
    • There is an rsync client for Windows, or you could use Cygwin; the same goes for SSH. Similar tools: robocopy and SyncToy
  • FreeNAS
    • FreeBSD based. Provides SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
    • Supports ZFS
    • Chris’ previous coverage of FreeNAS:
      • FreeNAS vs. HP MediaSmart WHS
      • FreeNAS vs. Drobo

Round Up:

Bitcoin Blaster:

Ultimate RAID | TechSNAP 24



When your data is important, understanding RAID can make the difference between a major loss, or saving the day. We’ll break down the different types of RAID, and the setups we’ve found to work best!

All that and more, in this week’s TechSNAP.


Show Notes:

EFF to build early warning system for rogue SSL certificates

Adobe released out-of-band Flash fix for critical vulnerability

New SSL attack targets older versions of SSL and TLS

  • SSL 3.0 and TLS 1.0 are vulnerable to an attack that can disclose private data
  • The researchers’ proof of concept can be used against popular sites such as PayPal
  • The exploit requires the attacker to be in a ‘man-in-the-middle’ position, and uses a ‘chosen plain-text attack’ against the AES encryption algorithm often used by SSL/TLS.
  • The attack works by having malicious JavaScript inject known plain text into the encrypted data stream, offering the attackers a chosen plain text to target their cryptanalysis against.
  • Not all SSL implementations default to AES; OpenSSL prefers the Camellia cipher first. However, a man-in-the-middle attacker could influence the list of allowable ciphers, causing AES to be chosen as the cipher suite.
  • The researchers have been working with browser vendors since May to develop a solution; however, every proposed patch has been found to break compatibility with some major SSL appliance, resulting in a number of major sites not being reachable over SSL. Thus far browser vendors have not resolved the issue.
  • The attack is relatively slow, and requires a MitM position, so it is not likely to result in the breakdown of all e-commerce; however, it could be used quite effectively against public wifi spots.
  • Interesting notes from my own research, Cipher Suite Preference Order:
  • PayPal
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
    • RC4-SHA
    • RC4-MD5
  • Google (Docs, Gmail)
    • RC4-SHA
    • RC4-MD5
    • AES256-SHA
    • DES-CBC3-SHA
    • AES128-SHA
  • Facebook
    • RC4-MD5
    • RC4-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
  • Hotmail
    • AES128-SHA
    • AES256-SHA
    • RC4-SHA
    • DES-CBC3-SHA
    • RC4-MD5
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
    • RC4-SHA
    • RC4-MD5
  • (OpenSSL HIGH:!MD5)
    • DHE-RSA-AES256-SHA, AES256-SHA
    • DHE-RSA-AES128-SHA, AES128-SHA
  • None of these sites support SSLv2
  • Additional Article
  • Statistics show that as many as 35% of SSL enabled sites are still vulnerable to a 2009 attack. Some sites purposely delay deploying SSL updates due to concerns about compatibility with outdated browsers, especially since SSL is used primarily for e-commerce.
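The notes above make two points worth checking against a concrete server: the suite actually chosen depends on the server’s preference order, and an attacker who can shape the client’s offered list can steer the choice toward AES. The following is an added example (not code from the show or the sites named); it simulates the two common selection policies using the preference orders recorded above, with constructed client offers, and reports whether the chosen suite is an AES suite.

```python
"""Cipher suite selection simulator (added example, not from the show notes).

A server either honours its own preference order or takes the first
mutually supported suite in the client's order. The server preference
lists below are the ones recorded in the show notes; the client offers
are constructed for this example.
"""

# Server preference orders as recorded in the show notes.
PAYPAL = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]
GOOGLE = ["RC4-SHA", "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "AES128-SHA"]
FACEBOOK = ["RC4-MD5", "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
HOTMAIL = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA", "RC4-MD5"]

SERVERS = {"PayPal": PAYPAL, "Google": GOOGLE,
           "Facebook": FACEBOOK, "Hotmail": HOTMAIL}

# Constructed client offer: a typical browser of the era, in its own order.
FULL_OFFER = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]
# Constructed offer containing only AES suites, the situation the notes
# describe a man-in-the-middle trying to bring about.
AES_ONLY_OFFER = ["AES128-SHA", "AES256-SHA"]


def negotiate(client_offer, server_prefs, server_preference=True):
    """Return the suite that would be chosen, or None if there is no overlap."""
    if server_preference:
        ordered, acceptable = server_prefs, set(client_offer)
    else:
        ordered, acceptable = client_offer, set(server_prefs)
    for suite in ordered:
        if suite in acceptable:
            return suite
    return None


def uses_aes(suite):
    """True for the AES suites the notes single out (None means no overlap)."""
    return suite is not None and "AES" in suite


def exposure_report(servers, offers, server_preference=True):
    """Map server name -> {offer name: (chosen suite, is AES suite)}.

    A defender can run this over their own server's preference list to see
    which suite each kind of client ends up with.
    """
    report = {}
    for name, prefs in servers.items():
        report[name] = {}
        for offer_name, offer in offers.items():
            chosen = negotiate(offer, prefs, server_preference)
            report[name][offer_name] = (chosen, uses_aes(chosen))
    return report


if __name__ == "__main__":
    offers = {"full": FULL_OFFER, "aes-only": AES_ONLY_OFFER}
    for server, rows in exposure_report(SERVERS, offers).items():
        for offer_name, (chosen, aes) in rows.items():
            print("%-9s %-9s -> %-13s AES=%s" % (server, offer_name, chosen, aes))
```

With server preference enforced, PayPal and Hotmail land on AES even for a full offer, while Google and Facebook pick RC4 unless the offer is reduced to AES suites only; switching `server_preference` off shows how much the client’s ordering alone decides.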

Intel integrates RealVNC at the BIOS level, allowing full remote access via the existing Intel vPro management engine

  • Intel has worked with RealVNC to embed a VNC Remote Frame Buffer server directly into the BIOS and vPro management chipset
  • Features include allowing you to remotely change BIOS settings, mount virtual images for reinstalling or repairing the OS, full remote KVM features and remote reboot capability
  • The VNC access is secured using the existing on-board encryption and certificate system built into the Intel vPro Management Engine chipset.
  • vPro must be enabled and assigned an IP address and certificate (or strong password) in order to be used, so this will not expose unconfigured computers to the risk of being unintentionally remotely controlled.


Home Server Segment – Storage. There are many different types of RAID, a set of technologies that allow multiple independent physical disks to act as a single logical disk. The different types of RAID provide different advantages and disadvantages and have various uses.

  • RAID 0 – Striping
    • RAID 0 uses any number of disks and spreads the data between the disks, usually in blocks of 64 or 128kb. The total size of the logical disk will be N * smallest disk
    • This means that while reading and writing data, you have more physical heads doing the work, meaning that when reading or writing a large amount of data, all of the disks can work in tandem, resulting in higher throughput
    • The disadvantage to RAID 0 is that there is no redundancy: if any one disk in the set fails, all data in the entire RAID array is no longer usable.
    • Common use cases for RAID 0 are things such as video editing that require extremely high throughput rates
  • RAID 1 – Mirroring
    • RAID 1 is the most basic type of RAID; it requires an even number of disks. Each pair of disks contains identical information. The total size of the logical disk is N/2 * smallest disk.
    • When one of the two disks fails, the other contains exactly the same data, and the system can continue to operate. The failed disk can then be replaced, and the remaining disk has its data cloned to the new disk (this process is called resilvering), restoring the system to full operational status.
    • RAID 1 can improve read performance because two heads can be seeking at the same time; however, it cannot improve write performance, as both disks must write all changes made to the data
    • The disadvantage to RAID 1 is that you lose half of the storage capacity of the drives you put into the array
    • RAID 1 is typically used for systems that require high fault tolerance, and the ability to continue to operate even during a disk failure
  • RAID 2 is not currently used; the original specification called for disks that would rotate and seek in unison and offer the possibility of higher transfer rates.
  • RAID 3 is similar to RAID 0, however instead of using large blocks, data is split between the drives at the byte level. This is very rare in practice because of the limited number of IOPS that most disks can handle, and the fact that RAID 3 suffers from a great loss of speed if more than 1 operation is run concurrently
  • RAID 4 works similarly to RAID 5 below, except that it uses a dedicated parity disk
  • RAID 5
    • RAID 5 combines striping (RAID 0) with parity. This means that as each group of blocks is written, a parity block is calculated and written to one of the disks. This way, if any one of the disks were to fail, using the remaining blocks and the parity block, it would be possible to calculate what the missing block should be. The total size of the logical disk is (N – 1) * smallest disk.
    • During operations, if a disk fails, the RAID array will be in what is known as ‘degraded’ mode, where the controller must do the calculations to determine what the missing data would be. This results in significantly lower performance. However, the array can be restored to healthy status by replacing the failed disk and allowing it to ‘resilver’ (the process of calculating each block of data that should exist on that drive, and writing it to the disk).
    • RAID 5 provides the advantages of RAID 0 (speed, use of most of your disk capacity), while still providing some fault tolerance.
    • The parity data is stored spread across all of the disks, rather than always on one specific disk, for more even performance, because the parity calculation is
    • RAID 5 is typically used in servers where a large amount of storage and performance is required, but some degree of fault tolerance is also warranted. RAID 5 is rarely available on built-in RAID controllers due to the complexity of the parity calculations.
  • RAID 6
    • RAID 6 works like RAID 5 except with two copies of the parity information. The size of the logical disk is (N – 2) * the smallest disk
    • RAID 6 provides additional fault tolerance: specifically, it allows the array to continue to operate if more than 1 disk fails at once, or if a second disk fails before the first can be resilvered. In a RAID 5 array, if a second disk dies before the first failed disk is completely restored, the entire array is lost.
    • RAID 6 is typically used in servers that require more storage and more fault tolerance than RAID 1 can provide, and where RAID 5 is just not enough fault tolerance. RAID 6 usually requires a rather expensive hardware controller.
  • Some complex controllers can allow you to do ‘nested RAID levels’.
    • RAID 0+1
      • A mirrored array of two striped arrays, allowing both speed and fault tolerance
    • RAID 50
    • RAID 60
      • A striped array of two RAID 6 arrays, providing additional performance on top of the fault tolerance and larger capacity of RAID 6. This setup is also common in setups where the RAID 6 arrays are on separate controllers.
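To make the capacity formulas and the ‘degraded mode’ / resilver description above concrete, here is an added example (not code from the show): it computes usable capacity for RAID 0, 1, 5 and 6 from the formulas in the notes, lays out a RAID 5 stripe with rotating XOR parity, and rebuilds any single failed disk from the survivors. RAID 6’s second parity needs finite-field arithmetic, so only its capacity formula is included; the stripe contents are constructed sample data.

```python
"""RAID capacity and RAID 5 XOR-parity reconstruction (added example).

Capacity formulas follow the show notes: N disks, each counted at the
size of the smallest member. The stripe layout and rebuild logic model
single parity (RAID 5); RAID 6's second parity needs finite-field math,
so only its capacity formula is included here.
"""


def raid_capacity(level, disk_sizes):
    """Usable size of the logical disk for the RAID levels in the notes."""
    n = len(disk_sizes)
    smallest = min(disk_sizes)
    if level == 0:
        return n * smallest                     # striping, no redundancy
    if level == 1:
        if n % 2:
            raise ValueError("RAID 1 needs an even number of disks")
        return n // 2 * smallest                # every disk is mirrored
    if level == 5:
        if n < 3:
            raise ValueError("RAID 5 needs at least 3 disks")
        return (n - 1) * smallest               # one disk's worth of parity
    if level == 6:
        if n < 4:
            raise ValueError("RAID 6 needs at least 4 disks")
        return (n - 2) * smallest               # two disks' worth of parity
    raise ValueError("unsupported RAID level %r" % level)


def xor_blocks(blocks):
    """XOR equal-length blocks together; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks, stripe_index):
    """Lay out one stripe over N = len(data_blocks) + 1 disks.

    The parity block moves to a different disk on each stripe, which is
    why RAID 5 (unlike RAID 4) has no single dedicated parity disk.
    """
    n = len(data_blocks) + 1
    parity_disk = (n - 1 - stripe_index) % n
    parity = xor_blocks(data_blocks)
    remaining = iter(data_blocks)
    return [parity if disk == parity_disk else next(remaining)
            for disk in range(n)]


def rebuild_block(stripe, failed_disk):
    """Recompute the block on a failed disk from the N-1 survivors.

    This is the degraded-mode read (and the resilver step) from the notes:
    XOR of all other blocks in the stripe, parity included, yields the
    missing block whether it held data or parity.
    """
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_disk]
    return xor_blocks(survivors)


def survives_failures(failed_disks):
    """RAID 5 tolerates exactly one lost disk per stripe; two means data loss."""
    return len(set(failed_disks)) <= 1


def demo():
    """Constructed sample: three 4-byte data blocks on a 4-disk RAID 5 set.

    Returns True if every single-disk failure in every stripe is recoverable.
    """
    data = [b"ABCD", b"EFGH", b"IJKL"]
    results = []
    for stripe_index in range(4):
        stripe = write_stripe(data, stripe_index)
        for failed in range(4):
            results.append(rebuild_block(stripe, failed) == stripe[failed])
    return all(results)


if __name__ == "__main__":
    print("RAID 5 over 3x1000GB + 1x2000GB:",
          raid_capacity(5, [1000, 1000, 1000, 2000]), "GB")
    print("every single-disk failure recoverable:", demo())
    print("two failed disks survivable:", survives_failures([0, 2]))
```

Note that the oversized disk in the capacity call is counted at the smallest member’s size, exactly as the notes’ formulas imply, and that `survives_failures` returning False for two disks is the RAID 5 limitation that RAID 6 exists to cover.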



Written by chris

September 22nd, 2011 at 9:58 pm

Rooted Trust | TechSNAP 22



Remember the Man in the Middle attack on Google from last week? Turns out it was far worse than thought; we now have more details on the DigiNotar compromise, and a number of other important sites have had their DNS hijacked.

Plus we cover the advantages of running your own DNS server at home, and how Allan and Chris got their start in the world of IT!

All that and more, in this week’s TechSNAP!


Show Notes:

DigiNotar Hack Details

  • A company spokesman said that “several dozen” certificates had been acquired by the attackers.
  • The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531.
  • The first known-bad certificate, for, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
  • But the attack didn’t come to light until August 27
  • Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre.
  • He also suggested that he wasn’t operating under the auspices of Iranian authorities, but that he may have given them the certificates.
  • Comodohacker also posted additional proof that he had the private key for the invalid certificate, by using it to sign a copy of calc.exe, a feature a regular website SSL certificate should not have.
  • The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens–in a country with a population of 17 million–that use DigiD , a government website for accessing services, such as paying taxes.
  • According to news reports, the country’s lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet.
  • The Netherlands has also indefinitely extended the country’s tax deadline until DigiD can again be declared secure.
  • Mozilla has made this public statement: “This is not a temporary suspension, it is a complete removal from our trusted root program.” Such harsh action was taken because DigiNotar did NOT notify everyone when the breach was discovered.
  • F-Secure Weblog says they were hacked by someone who was connected to “ComodoGate” — the hacking of another Certificate Authority earlier this year, by an Iranian attacker.

Removing the DigiNotar Root CA certificate : Ubuntu

Microsoft out-of-cycle patch to fix DigiNotar bogus certificates

Hacker claims to have compromised Other SSL Cert Authorities

  • Soon after the Comodo forged certificates hack, an Iranian using the handle Comodohacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack.

  • The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates.

  • ComodoHacker also claims to have compromised StartSSL, however issuance of invalid certificates was prevented by a policy change that required the CEO to manually offline approve each issued certificate. The HSM (Hardware Signing Module) being offline seems like the only way to be entirely sure that invalid certificates are not issued. A proper policy, more than just rubber stamping any certificate that doesn’t say on it should be required.

  • GlobalSign on Tuesday announced that it would temporarily cease issuing any new certificates.
    “GlobalSign takes this claim very seriously and is currently investigating,” according to a statement released by the company

  • Is the fifth-largest CA

  • GlobalSign Suspends Issuance of SSL Certificates

  • BBC Article

DNS hack hits popular websites: Telegraph, Register, UPS, etc

  • Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.
  • Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.
  • Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours even after the fix.
  • The attack was against the domain registrars Ascio and NetNames, both owned by the same parent company.
  • Apparently the attacker managed to use an SQL injection attack to gain access to the domain accounts, and change the name servers.
  • BBC Article


Home DNS Software:

A different kind of question for TechSNAP! : techsnap



DistroCast 11.0 – FSCKING EMACS!!!


- Feedback… TONS OF IT.
— OGG Feed

WE NOW HAVE AN OGG FEED. I expect pictures of Dave Yates and Klaatu touching themselves. ;)

— Peoples needs dates for shows, yo!
— Monolithic vs. Mach kernels and speed/security
— You haz Top Gear! ^_^
— Software patents
- Review of Mepis 8.0
- After the credits, stay tuned for THE BEST MOFO OUTTAKES AYE-VAR!
— Outtakes
— Bonus Mepis discussion
— Mediocre impressions
— FSCKING EMACS!!!!!!!!!!!
— I will repeat … SOAB …
— FSCKING EMACS!!!!!!!!!!!
— *laughter*
— FSCKING EMACS!!!!!!!!!!!
— *laughter*
— Continue your fsck’ing sir
— FSCKING EMACS!!!!!!!!!!!
— You’re on NOTICE
— Torvaldian emacs

MP3 Feed | OGG Feed

Written by Jeremy

January 31st, 2010 at 10:35 pm