cPanel’s helpdesk was recently compromised, exposing root credentials for many of their customers, plus the troubles at Zendesk that caused quite a headache for Twitter and other popular sites.
And we debate if we’re living in a post-cryptography world, plus a big batch of your questions, and much more on this week’s TechSNAP.
Use our code hostdeal4 to practically steal economy hosting for $1 a month, for one year.
Something else in mind? Use go35off4 to save 35% on your entire order!
- Zendesk is a SaaS (Software as a Service) that provides a ticket system, knowledge base and help desk for a monthly fee
- It is quite popular, and used by large online services such as Twitter, Tumblr, Pinterest, Vodafone, 20th Century Fox, Denver Broncos, eLance, Fiverr, Gawker, Groupon, New Zealand Post, Rackspace Cloud, Scribd, Sears Canada, Sony Music, Xerox, and Yousendit
- Zendesk’s blog post says they believe only 3 of their customers were affected (not named, but other sources and the end users who received emails about the issue suggest it was Twitter, Tumblr and Pinterest)
- Apparently the attackers got access to a database with all of the email addresses of users who contacted those Zendesk customers for support, along with the email subject lines; the bodies of the emails apparently were not disclosed
- A help desk is likely to contain sensitive information, especially when used for billing inquiries and password resets, but could also contain API keys, vulnerability disclosures, internal comments, and other information that should not get out
- Self-hosting vulnerable software could leave you just as exposed, so the question comes down to: do you trust a 3rd party to do a better job of protecting your customers than you will?
- The sshd rootkit actually targets libkeyutils, a shared library that sshd loads, rather than the sshd binary itself, because earlier rootkits that replaced the sshd binary were defeated by package updates that overwrote it
- It is not yet clear what the original attack vector is that lets the attackers replace libkeyutils in the first place
- It seems to target Red Hat and other RPM-based distros; it is not clear whether other distros are affected
- The rootkit does a number of things, including allowing an attacker with a specific password to gain root access, opening a listener, and stealing all of the credentials that have been used to log in to the infected sshd
- cPanel support server compromised, seemingly via the sshd rootkit
- The cPanel support system often asks users to enter the root credentials for their servers so support staff can log in and assess or fix problems. These credentials must be stored in a form that can be turned back into plaintext (rather than hashed), because the support staff need the original password to log in. Encrypting the password (normally not what you want) might work here, but the keys to decrypt would need to be accessible either to all support staff (a key management nightmare) or to the system itself (so it can decrypt the passwords for the staff). In the latter case, anyone who compromises the support system can decrypt everything it holds, which is exactly what a rootkit on that server amounts to
- Many cPanel customers report that their servers were compromised after they provided their credentials to cPanel support staff. This correlation may be how cPanel determined that it had been compromised, and what spawned the investigation
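A quick integrity check for the libkeyutils object that sshd loads, as an added example (this is not from the show, from cPanel, or from any of the rootkit write-ups): it asks the RPM database whether a package owns each libkeyutils file on the box, and whether that package still passes rpm -V. The library directories, the sshd path lookup and the assumption that rpm(8) and ldd(1) are installed are all assumptions of this script.

```shell
#!/bin/sh
# Added example: check the libkeyutils shared object(s) on an RPM-based host.
# Assumes rpm(8) and ldd(1) are available; LIB_DIRS below is an assumption.

LIB_DIRS="${LIB_DIRS:-/lib /lib64 /usr/lib /usr/lib64}"

# Read ldd(1) output on stdin and print the resolved path of the libkeyutils
# line (third field of "libkeyutils.so.1 => /path (0x...)").
keyutils_from_ldd() {
    awk '/libkeyutils/ { print $3 }'
}

# Print the libkeyutils object the installed sshd actually resolves at load time.
sshd_keyutils_path() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 1
    ldd "$sshd_bin" 2>/dev/null | keyutils_from_ldd
}

# Print every libkeyutils* file found directly in the library directories.
find_keyutils_libs() {
    for d in $LIB_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -name 'libkeyutils*' 2>/dev/null
    done
}

# Classify one line of "rpm -qf" output: "unowned" when rpm reports that no
# package owns the file, "owned" otherwise (the line is then a package name).
classify_rpm_qf() {
    case "$1" in
        *"is not owned by any package"*) echo unowned ;;
        *) echo owned ;;
    esac
}

# Check each candidate library: flag files no package owns, and packages that
# fail "rpm -V" (exits non-zero when size, digest, link target, mode, ... differ).
# Returns 0 when nothing looks wrong, 1 when something does, 2 when rpm is missing.
check_keyutils() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this check only applies to RPM-based systems" >&2
        return 2
    fi
    rc=0
    for f in $( { find_keyutils_libs; sshd_keyutils_path; } | sort -u ); do
        owner=$(rpm -qf "$f" 2>&1)
        if [ "$(classify_rpm_qf "$owner")" = unowned ]; then
            echo "SUSPICIOUS: $f is not owned by any package"
            rc=1
            continue
        fi
        if ! rpm -V "$owner" >/dev/null 2>&1; then
            echo "SUSPICIOUS: $f belongs to $owner, which fails rpm -V"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when executed directly with --run, so the functions can
# also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    check_keyutils
fi
```

Run it as `sh check_keyutils.sh --run` on the host you are worried about. A library that rpm does not own, or a keyutils package whose files no longer verify, is exactly the trace a replaced shared object leaves; a clean result is not proof of a clean machine, since the RPM database itself could be tampered with on a rooted host, so compare against a known-good copy of the package where you can.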
- Speaking on a panel at the RSA Conference in San Francisco this week, Adi Shamir (the S in RSA, of the Weizmann Institute of Science in Israel) spoke about the failure of traditional security mechanisms, including access restriction, virus scanners and IDS (Intrusion Detection Systems), to thwart APT (Advanced Persistent Threat) attacks.
- “It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system. We need to think about security in a post-cryptography world.”
- The panel also included:
- Ron Rivest of MIT (the R in the RSA algorithm)
- Whitfield Diffie of ICANN (of the Diffie-Hellman-Merkle key exchange algorithm)
- Dan Boneh of Stanford University
- Ari Juels of RSA Labs
- Rivest also talked about the problems with the current PKI system, especially Certificate Authorities (the Comodo and DigiNotar compromises), as well as the more recent problems with TurkTrust, the Turkish CA that mistakenly issued intermediate (certificate-signing) certificates, one of which was then used to create valid-looking but fraudulent Google certificates
- Rivest suggests a new system with more tolerance for failures, where users have more control over whom they trust, especially in light of the growing trend of governments pressuring CAs to fail, behave strangely or issue certificates they shouldn’t
Last week we had a question about UPnP and pfSense. The pfSense blog has the official answer: pfSense uses a current version of miniupnpd, and always has; the vulnerable versions are more than 2 years old. Additionally, even if a new vulnerability in UPnP is found, for your system to be exposed you would have had to manually add a firewall rule allowing access to UPnP from the Internet.
- Sergey Brin says using a smartphone makes him feel like a girl
- HTML5 Bug in all major browsers except Firefox allows a remote site to fill your hard drive
- Microsoft suffers from same hacking attack as Apple, Facebook, small number of computers infected
- Time Warner CFO says no one wants gigabit internet at home
- How paid apps will work on Firefox OS phones – The start of a ‘buy it once, use it everywhere’ store?
- Symantec Finds Older Version of Stuxnet Dating Back to 2005
- Chrome 25 fixes 9 critical vulnerabilities
- Comcast Punishes BitTorrent Pirates With Browser Hijack
- Security Explorations finds 2 more vulnerabilities in Java, even after Update 15
- Court orders UK ISPs to block more piracy sites
- Adobe pushes yet another Flash update, fixes 2 critical vulnerabilities being used in the wild
- Bitcoin reaches an all-time trading high of over $33
- Current trading price at CAVirtEx is $34.30/BTC