Security by Mediocrity | TechSNAP 125

Security by Mediocrity | TechSNAP 125

DNS Hijacking takes down the New York Times, Twitter, and more. We’ll explain what happened.

Plus researchers bypass Dropbox’s authentication, a big batch of your questions our answers, and much much more!

On this week’s TechSNAP.

Thanks to:

Use our code techsnap249 to get a .COM for $2.49.


Visit use code tech for an extended trial and a year of maintenance.


Visit to save $25 off your device or service credits.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

DNS hijacking takes down New York Times and Twitter

  • A number of high profile domain names were taken offline on Tuesday
  • Attackers claiming to be part of SEA (Syrian Electronic Army) hacked the domain registrar Melbourne IT and changed whois records and DNS records for a number of major domains
  • The affected domains included:
  • Some were affected more than others. was down for quite some time, resulting in all images on twitter failing to load
  • New York Times article about the outage
  • The New York Times reports “The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m”
  • This brings into question the viability of DNSSEC, since the public key is published via the domain registrar

Researchers publish paper detailing how to defeat security at Dropbox

  • Researchers Dhiru Kholia (Openwall / University of British Columbia), and Przemysław W ̨egrzyn (CodePainters) released their paper at USENIX 2013
  • Research Paper
  • The research is not entirely focused on Dropbox, but on cloud services in general: \”These techniques are generic enough and we believe would aid in future software development, testing and security research,\”
  • The work may also have some positive side effects: \”Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,\”
  • \”Additionally, we show how to bypass Dropbox\’s two-factor authentication and gain access to users\’ data.\”
  • The attack involves discovering the host_id value (this used to be in an unencrypted SQLite database, and was discussed in the very first episode of TechSNAP). The value is now stored in an encrypted SQLite database, however the various bits of data that make up the encryption key are all stored in plain text on the device (there is no way around this)
  • Dropbox also uses a second variable, the host_int (which seems to be a unique id assigned by dropbox, it never changes)
  • The second variable can be requested from dropbox, using the first, by posting to
  • Until the latest version that has added some obfuscation (researchers are working on cracking this now), it was possible using the host_id and host_int to post to and be logged in to the users dropbox account, without needing their username, password any bypassing 2-factor authentication
  • This login method is only meant to be used by the user, when they click the menu option to launch from the tray icon of the desktop dropbox client

Snowden used sysadmin privledges to assume other NSA employees’ user profiles

  • NSA leaker Edward Snowden (who did not work for the NSA, but for a contractor, Booz Allen Hamilton), used his access as a sysadmin to “become” other users (in the eyes of the NSAnet system)
  • This allowed him to access files that only the top tier of users are supposed to have access to
  • His access as a sysadmin also allowed him to work around a key limitation imposed on NSA computers, the right to write data to an external storage device (like a USB stick)
  • Snowden downloaded a reported 20,000 documents onto thumb drives before leaving Hawaii for Hong Kong on May 20
  • “The damage, on a scale of 1 to 10, is a 12,” said a former intelligence official.
  • The scariest quote went like this: “Every day, they are learning how brilliant [Snowden] was,” said a former U.S. official with knowledge of the case. “This is why you don’t hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.”
  • FUDO Security Appliance
  • BSDCan Talk about FUDO


Round Up:

Question? Comments? Contact us here!