Chris: Coming up on this week's episode of TechSNAP, a zero day exploit is affecting WIndows boxes all over the web, and you won't believe how it's getting there. A weaponized powerpoint presentation. I'm not even kidding. The details are fascinating. Plus, we'll tell you why old ATMs are much bigger of a target that you might expect, but it's not because they're running Windows XP. And then it's a great big batch of your questions, our answers, and much much more. On this week's episode of TechSNAP.
C: Hi everyone, and welcome to TechSNAP! This is episode 185 of Jupiter Broadcasting's weekly Systems Network and Administration Podcast. We streamed this episode live on October 23rd, 2014. This episode is brought to you by our three fine sponsors, Digital Ocean, Ting, and ix systems. I'll tell you more about those great sponsors as this here show goes on. Our live stream, why that's powered by the incredible ScaleEngine, over at scaleengine.com. You've gotta go check them out. My name is Chris, and joining us every single week, is our host, the admin, the tech, and the teacher, mister Allan Jude -- Hey there, Allan.
Allan: Hey Chris, everybody, thanks for watching.
C: Hey Allan, a hundred and eighty five episodes, in a row...
A: in a row...
C: And that's kind of...
A: Kind of ridiculous.
C: Kind of amazing. There was one or two close calls,
A: Not really.
C: but all in all... No, no, now we've got it down. Both of us are about to leave, we're gonna go out of town, TechSNAP show continues on, you'd never even know. You'd never even know! Pros. That's what we.. I guess I just feel like bragging at the top of the show today. I don't know what my problem is. I'm just excited.
A: Yeah, turned out that MeetBSD structured their stuff so that the dev summit is two days after, so I'll get home on wednesday, and be fine for thursday.
C: Right. And I'm leaving first thing in the morning after today, after I get off the air today, uh, I'm going home, and I have to watch the kids so that way my wife can get her nails done, because obviously, that's important before you go on a trip.
C: I don't, I don't really, I don't know, Allan... But then we're going. We're leavin'. It's going to be fun. So maybe some of you watching today will meet us out at Ohio LinuxFest, and then next week, you'll meet Allan at MeetBSD, and the TechSNAP show will continue on in the meantime.
C: So a lot has happened this week, and one of the stories that I've noticed a few times, over and over again, seems to be different iterations of 'XYZ happens, and ATM is now spitting out cash', with no record or anything like that, and it seems to be catching on more and more. And we have an article here from Brian Krebs where he kind of digs into this. Can you set it up?
A: So, yeah. He's talked, you know, he's covered this before, and we saw the ones, was it, I think it was F-Secure or somebody was actually showing, we showed a video from it the other week, too, uhm, and so on. But in this time, he managed to get an interview with somebody that works in one of these ATM companies, and, uh, get their perspective on it. So first he describes the growing trend of ATM Jackpotting. RIght, so before, kind of six months or so, the most common attack against an ATM was skimming, right? And Krebs was always interested in seeing, he found these little devices that they use that's ingenious, right? And they got smaller and smaller, like, he talked about one we featured like a month or two ago, and it was like razor thin, and it just kind of slid in there, you wouldn't even notice it. So those scan your card, read the magnetic strip on your card as you put it in the machine, and usually have an overlay over the buttons somehow, so they can tell what your PIN code is. And once they have the stripe from your card and your PIN code, they can program that on a buying card, and go to an ATM and empty your account.
A: And you know, that was working for them. The problem with that is that it only works if the cards you steal are attached to accounts that have money in them.
C: [Laughs] Okay, that makes sense.
A: A lot of people don't have that much money.
C: Yeah, that's true. (I know how they feel.)
A: The new trend is install malware on the computer that's inside the ATM, and that allows the attackers to just make the ATM spit out all of the money.
C: There you go.
A: It doesn't require some compromised account that has a large balance to offset it, and the fraud is harder to detect because the money doesn't go missing from somebody's bank account who's going to complain about it, or the banks don't see the transaction. Right, if the bank all of a sudden sees that this one ATM, you know, or money is disappearing from a lot of accounts or something, all going to the same ATM, then they'll look into it. But if the ATM is spitting out money and not recording it, the bank doesn't know until all of a sudden, the ATM is empty when it shouldn't be.
C: Right. "Wha, what happend here? Can you go out there? Hey Chris, go out there and check this ATM. We're getting an error report back that it's low on funds. Can you go out there and check that?" And then I get out there, and I'm the shmo that has to say "hey, this thing is empty."
A: Yeah. And you know, most times, they're smart enough to leave some money in it so it doesn't trigger that alarm, and so on. So then, he's got a quote here. "Last month, media outlets in Malaysia reported than an organized crime gang had stolen the equivalent of about a million US Dollars with the help of the malware they installed on 18 different ATMs across the country. Several stories about the Malaysian attack mentioned that the ATMs involved were all made by the ATM company NCR", which is a really big ATM company.
A: And so Krebs managed to get an interview with, where-did-his-name-go-here, Owen Wild, who is NCR's global marketing director for security compliance solutions.
C: Okay. All right, I'll take it.
A: Which is kind of an awesome title, I suppose.
C: [Chuckles] [in dramatic voice]Owen Wild, global marketing director for security compliance solutions.
A: Yeah, it's like, those two things, it's like 'Marketing director' and 'security compliance solutions' doesn't seem... But anyway.
A: And he said that more than half of the ATM's install base, half the ATMs that are out there that come from this company, are a model that they stopped making 7 years ago.
C: Oh jeez.
A: And so, you know, does that mean that all those are running Windows XP or whatever? And so Brian Krebs asked him about that. And he says most of these attacks involve physically assaulting the ATM, removing the top or the front casing to get access to the PC that's inside, and then infecting it via a CD-ROM or a USB stick or something.
A: And then the quote from the marketing guy is "What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models."
A: Right, so they're not attacking the ones that are built into the wall at the bank, they're attacking the little ones that are completely free standing, maybe nailed down, but that's it, that are, you know, in little stores, or in dark alleys and so on. Not the ones that are built into the wall that are hard to attack, because A, if it's in a busy spot, people are going to notice somebody going up there and like cutting a big hole on the front of the ATM.
C: Yeah! Well, yeah, you're more likely to get caught.
A: And then...
C: (If...) A lot of these ones are probably, like the ones you mentioned before, maybe the ones that are at the Kwik-e-mart store around the corner or something like that.
A: Right, but even one in a store, there's probably a sales person in the store who would notice somebody screwing with it. So these are the ones that are just, you know, out in the middle of nowhere or something. And so they're specifically targeting ones where they can have access to it for a while with no one knowing what's up.
A: So then Brian Krebs is like, you know, we've also heard a lot about Windows XP being a big part of the problem here.
A: and he asked the guy, and this guy's response about XP was "Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions." So this makes me automatically assume that NCR isn't providing the Windows license to the customers or something. Like, NCR isn't going to pay the big, was it like 2 million dollars to Microsoft to get extended support for this.
C: Uh, It's huge, yeah.
A: Because they've discontinued that model 7 years ago.
A: And so, you know, each individual store or whatever that owns one of these ATMs would have to buy the license from Microsoft, and that's not gonna happen.
C: No. Not if, if that cost goes not to the manufacturer but the end user, which I guess it probably would, wouldn't it. It does in PCs.
A: Where it becomes an issue for the ATM operators is in maintaining their Payment Card Industry Data Security Standard, or PCI-DSS. Right, compliance requires that the ATM operator be running an operating system that recieves ongoing security updates.
A: So your machine won't mee the PCI compliance if it's running XP, and if you haven't paid for the updates. So while many ATM operators clearly have compliance issues because they're not running XP with the updates, at this point we're not seeing the operating system really come into play. Because honestly, if they're walking up to the machine, breaking into the ATM, and have physical access to the machine, it doesn't really matter which version of Windows you're running, they can install malware.
A: It might be slightly easier to make a rootkit for Windows XP with a known vulnerability,
C: Yeah, there's probably more resources to do it.
A: But really, if you're making malware that's going to run on the machine and you have physical access to it, it's just as easy to install that malware on Windows 7 as Windows XP. It's not like they're trying to come in through the network or something, right? They've actually isolated these on the network properly, right, so nobody's remotely haking these ATMs. They're walking up to it, punching a hole in the plastic, and getting at the USB ports or something.
C: Yeah, I suppose so. I mean, I guess after all other things have failed, then you get to XP, and it's easy, but you have to go through physically entering the machine. It could be a linux machine at that point.
A: Yeah, exactly. The operating system isn't really the cause of the problem in these cases. It's the fact that they're using standard off-the-shelf PCs and not hardening them.
A: Now, the company goes on to say that for years now, they've recommended that the customers go into those PCs and disable booting from CD-ROMs and USBs and stuff. But it seems like, well, obviously, they haven't shipped a new unit of this type in seven years, so it's not like they thought to change that before they, when they were still shipping them or whatever, right? They've only been saying that since when this attack became a thing.
A: It seems like, how many people that own an ATM are really going to tear it apart, go in there, and change the BIOS settings on the computer inside, right? Say that the company publishing guidelines telling you how to secure it, and when nobody's going to do that, and then they're like "Sorry, you didn't follow our guidelines" isn't really a solution. But then again, its like, well, when you buy an ATM, do you get a support contract with it or something, where they're actually going to do something to fix it? Or do you just get "you own an ATM now. Ummm. Have fun!"
C: No, I think in almost all cases there's a support contract, right?
A: RIght, and if there is, well, don't you guys have to send me a tech to change the BIOS for me then?
C: You would think so.
A: But, if the BIOS is that easy to change, then what's stopping the attacker from doing that? Just going back into the BIOS and turning it back on.
A: Do you put a password on the BIOS? Well, depending on how much access you have to the machine, pull the battery for five seconds and put it back, and the BIOS is reset, and the password's gone.
A: So, that doesn't really help anything either.
C: No, and like you mentioned, I think it was last week, in some of these, they're able to buy certain models right off of Ebay, and experiment with them for hours. They could find all kinds of different ways to get access to them.
A: Right, and because even if you did, like you mentioned the other week, the group policy stuff, that can help, but in the one case, they were booting off the CD.
A: So they're actually running a live OS off the CD drive in the ATM, so they're bypassing whatever the ATM was.
C: (So, what's the fix?)
A: Well, and then, they also, the next quote kind of addresses your question. "Most of these attacks come down to two different ways of jackpotting the ATM." -- Jackpotting meaning making it spit out money for free, right. It looks like a casino slot machine when it's like "Here! Have all my money!"
C: Ding ding ding ding ding! Yeah. [laughs]
A: [continuing the quote] "The first is what we call "black box" attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure-" basically, it, you know, the ATM is two parts. There's the computer than runs the screen and makes the decisions, and then there's the actual "ATM" part which is the part that counts out and dispenses the bills.
C: The machinery, yeah.
A: Well, by connecting a little electronic device to the ATM part, you could just simulate the signals from the computer, saying, "Hey, spit out all the money." and so, in the one type of blackboxing, they wouldn't actually bother with malware, they would just hook up a device that would cause the motors to start running and spitting out bills. Those were really popular back in, started in like 2012, and then kind of went quiet for a while, but became active again in 2013. And then we obviously have the malware based ones, where they actually install malware, and do it that way. So I think part of the real solution is to basically make the machines more vandal proof.
A: Right, we've seen the, the original security cameras were very easy to just break, or scratch up the lens or whatever.
A: And then they were useless. And so they started making vandal-proof ATMs, or, um, security cameras, that would resist people trying to scratch them or break them or whatver, right? It's like, if a cord is hanging out of your security camera, that someone can just yank out of it, then it's not a very good security camera.
C: Yeah, and, what about, I mean, I realize it would cause problems for serviceability, but what about custom built systems that maybe don't have exposed USB ports?
A: Right. It's really not that hard to not have USB ports on these machines, I don't think.
C: Yeah, and anything you do, anything you do would help. Like make them ARM based systems. I don't know, maybe that'd help a little. Maybe make them...
A: Maybe, not so much. I think, just physically, you know, harder...
C: Anything that makes it a little bit harder. Any little...
A: Encase the computer part in some metal instead of some plastic.
C: Yeah, yeah. Put 'em all Raspberry Pis, destroy the USB ports, XBMC for the interface would be the best looking ATM you've ever used.
A: [shakes head] But, doing ARM is just obfuscation, and it doesn't make it any more secure.
C: No, I know, I know. Well, it's just because I think about all of these little, like, downloads off the web that are all for x86, Windows XP boxes. But it really is just a small thing, because it's really more about getting physical access.
A: Exactly. It doesn't matter what operating system you have. If the attacker has physical access, they can get around almost any security.
C: Right. True for really all, for all types of systems, not just ATMs. True for servers, true for a lot of things.
A: Exactly. That's why, you know, I used to do servers with those little locks on the drive cages.
C: Mhmm, mhmm.
A: Although that wasn't, you know, those aren't exactly secure, either. But the idea was that it will keep someone who shouldn't from pulling a drive out of there or something.
C: My Hulk strength, Allan. I could just go in there, I have super strength, apparently, because I just rip those things out like Hulk.
C: Yeah. Well, all right ...
A: But, you know, that's why data centers have security. So that people can't just walk in and walk out with data.
C: Mhmm. It's an important part. Well, why don't I mention our first sponsor, speaking of data centers, and that is Digital Ocean. Head over to digitalocean.com right now, and grab our promo code. That way you can get a 10 dollar credit. It's snapoctober. One word. snapoctober. Systems Network Administration Podcast october, snapoctober. So what is Digital Ocean? Oh, what a great question. They might just be the solution to a problem you've had. Digital Ocean is a simple cloud hosting provider that is dedicated to offering the most intuitive and easy way to spin up a cloud server. You can get going in no time. Most folks, 55 seconds, probably, to get their first server spun up. And pricing plans start at only 5 dollars a month. So in 55 seconds, you can get 500 MBs of RAM, a 20 GB SSD, one CPU, and a terabyte of transfer. And Digital Ocean has awesome data centers. I think I've mentioned it on this show. I know you guys like your data center porn. The Digital Ocean instagram account has some great Digital Ocean data center pictures in there. It was, I'm just saying, I like those pictures. If I could double like, I would be double liking those pictures. 'Cause they've got data centers in New York, San Francisco, Singapore, Amsterdam, London, they support multiple features in all of those data centers, like private networking which doesn't count towards your bandwidth total, so if you wanna have a front end nginx box that's connecting back to a bunch of back end Apache or whatever it's proxying connections, you can do that. You want to have a front end web server with a database back end, you can do that. You want to have a front end server, you can do it. I'm just saying, private networking doesn't go against your transfer, that's awesome, right? And Digital Ocean's dashboard, that's really the secret sauce. They've managed to take all of this technology, they made the early investment in SSDs, they've got the best data centers with tier 1 bandwidth, then they bring it all together with their simple and intuitive control panel, which power users can replicate on a larger scale with Digital Ocean's straightforward API. There's lots of neat apps that are already out there to take advantage of that to manage your Digital Ocean droplets. You have a puppet system to manage your boxes? Digital Ocean will run with that. That API is super handy. And right now, if you go over to DIgital Ocean's community section, at the top of their page, and look at the tutorial section, you'll see that they have a "Write a Tutorial" button. DIgital Ocean is paying up to 200 dollars for technical tutorials. They're looking for potential authors to come over there, and start out. They've got editors that will work with you, and you can get up to 200 dollars for writing a tutorial for Digital Ocean. 'Cause they're trying to get their documentation really to be the best. I think it is now. That is the best in the business now, and it's because they're willing to pay for it. I think that really shows. digitalocean.com, go try out a droplet. Grab the 5 dollar rig. And with our 10 dollar promo, you can try it out 2 months for absolutely free. That's snapoctober. Fire up a Digital Ocean droplet, try it out for 2 months. Go try something like GitLab, Wordpress, Bittorrent Sync, Pulse, Owncloud, all kinds of stuff. digitalocean.com, snapoctober when you check out, and a big thank you to Digital Ocean for sponsoring the TechSNAP program.
C: Okay Allan, I've heard the term "the Sandworm team" thrown around a little bit.
A: Well, when I first heard it, it was just "Sandworm" without the team part, and,
C: Everybody thought it was a worm.
A: But it's not a worm, so why is it called Sandworm? It's Sandworm team.
C: So what is it?
A: and I guess it was the connotation is more like the gravelings or whatever. The team is like that.
C: Yeah, yeah.
A: So while it's not a worm, it's still a big deal. It's my little thing, but... So Microsoft announced the discovery of a zero day vulnerability affecting all supported versions of Windows, including Windows server 2008 and 2012, reports were also coming in that this specific vulnerability has been exploited and used to attack the North Atlantic Treaty Organization, or NATO, and several European industries and sectors including the Ukranian government. This particular vulnerability is alleged to have been in use since august of 2013, making it more than a year old, and apparently, mostly used through weaponized Powerpoint documents.
C: [laughs] Weaponized Powerpoint?
A: Yes, I've only ever seen powerpoint used as weapons to put people to sleep, but ...
C: Right. It could be an Excel file with a flash object. You never know.
A: So this vulnerability exploits a flaw in the Microsoft OLE functionality, which is the one that lets you embed a flash object into an Excel document, but instead in this case, or in this one case they're talking about here, they embedded an INF file, which could then download and launch malware. So this allowed a powerpoint or other office documents to have an embedded file, and to embed an external untrusted resource. This caused remote code execution, allowing the attacker to run whatever code they embed into the powerpoint file or whatever.
C: (The powerpoint file? Oh my gosh.)
A: Whatever, instead of, To avoid making the powerpoint file bigger, or to have this file attached where it might be detected by a virus scanner, it did, it had the inf file but then it'd go get the virus from the internet and install it.
A: And so in that case, it would, whatever user powerpoint is running as, the virus runs as.
C: Right, yeah.
A: And many users still have administrative rights, especially if it's a separate desktop. Maybe in an Active Directory type of environment, maybe they don't have that much access, but, they have enough access to access all the documents, which is often times what the attacker's after so it doesn't really matter.
C: They just want the data, yeah. They want the data that person has access to.
A: Yeah, and if the malware has full control of that user, that might be good enough, or, they can just spread around until they find an admin user and take over that machine, and get access to everything from there. And then, so iSight partners, the company that found the flaw, said "we are actively monitoring multiple intrusion teams, with different missions, targets, and attack capabilities." and then they say at least five distinct intrusion teams, and they're saying that they're all coming out of Russia. They say, "For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya". And that's another reason why they're thinking these are kind of more state style Russian attackers, because what they're going after isn't money, right. It's actually going after...
C: The Ukranian government, western European government organizations, energy sector firms, ...
A: Or the rebels in Chechnya.
A: And you know, there's more intelligence gathering, right. They want documents and information rather than money or control or whatever. Then separately, Trend Micro found the same flaw being used against SCADA systems. They say "These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution", and those machines are being targetted with a spear phishing attack. And apparently, the way they word it in Trend Micro, they're saying the CIMPLICITY software opens the email. I'm not sure if that's how it actually worked, or if they just mean that if you open it in CIMPLICITY, I'm not sure. But either way, then you'd download the Black Energy malware kit, which then takes over the machine, and then, you know, whatever industrial control systems are being managed by the SCADA system are now under the control of the hacker.
C: ... managed by this Windows box. This Windows box.
A: Some box running software from GE.
C: Right. [Laughs]
A: And they can't even spell simplicity properly. They spelled it with a C.
A: So then I have links to the researcher's post over at isightparterns.com, a technical analysis by HP security research, more coverage from ZDNet, and the official bulletin from Microsoft.
C: The headlines I've been seeing, "Russian hackers target NATO and Ukraine", is, is the same, it's all been related. It's all related to this Windows zero day.
A: Yes. But basically, iSight says that they found at least five separate teams working on different parts of the thing. Right, one of them is going after mobile phones, one of them seems to be going after SCADA systems, and another one maybe after desktops and documents, and, you know, so on.
C: Hm. When I heare these stories, I don't mean to sound like a broken record, but I ... I wish we had a more solid way to prove who it was. Because it sounds political when the country gets identified. It always to me sounds political.
A: Yes, although in this case, the evidence does actually point to it a little bit more than usual. Often times, "Oh, it's just china, blah blah blah blah..." But, you know, this one, the specific targets, it's like there's not many people that are interested in what the rebels in Chechnya are doing, except for the Russians.
A: Well, obviously, I guess, other Intelligence agencies want to know what everybody's doing too, but.
C: That's kind of my thinking. It seems like all intelligence agencies want to know all the things at all the time, so it could be any one of them.
A: Exactly. Now, sometimes, again, you know, they find stuff in the code that kind of suggest one thing or another, but they don't usually, a lot of these reports don't actually come out and say what evidence they used to decide that it was Russia.
C: Yeah, I do like that, like the chatroom is observing, kellercw in the chatroom is noticing the awesome Sandworm logo.
C: That's pretty good. Now, also, Microsoft, didn't Microsoft release a statement saying they weren't sure yet if they were going to issue an out of band patch?
A: I'm not sure. The HP article actually tears apart the fix, and finds that the fix makes the attack harder, but someone might still be able to re-exploit this by making a better attack.
C: Yeah, it's like a workaround fix. It's one of those microsoft fix-it fixes. It's not like a fix fix.
A: So basically, it adds another user prompt or something, and does some other stuff, but...
C: It's not good enough. It's not good enough.
A: Basically, the thing we're embedding over OLE is an executable, do these extra things. It' like, well, one of the attackers were already just using an inf file to avoid being an executable.
C: Yeah, right, right.
C: And it affects all supported versions of Microsoft Windows right now.
A: Well, I think technically, it only affects office..? I guess OLE is sytem-wide.
C: Yeah. OLE. OLE has been the source of so many problems over the years.
A: It's like, why do we really need to be able to embed random files into our office documents.
C: Do you ever, if you've ever gotten a document, do you ever want that?
A: well, people still want to use it or whatever.
C: Maybe images, maybe, but there's better ways to do images.
A: I see people try to embed like a giant video they made in Windows Movie Maker into a powerpoint, and was just like 'oh my god, what are you doing.'
C: It is no good. It is no good. It breaks frequently for end users, it doesn't produce consistent results. Microsoft should just kill it in Windows 10. Say the reason why we're calling it Windows 10 is because we killed OLE, and to make that big of a change, we had to call it version 10. Then you've got your excuse right there.
C: All right, Allan,
A: Also, ActiveX. If that's not already dead, it should be dead.
C: Right. Microsoft, listen. Satya, if you're watching, I'm sure you do. If you could just make those tweaks, the TechSNAP show would really appreciate it. Okay Allan, well before we go on, let's thank Ting.
C: Ting is mobile that makes sense. My mobile service provider now for, I'm gonna be coming on two years soon, not yet, not yet. But you know what I love about Ting? I only pay for what I use. It's a flat six dollars a month for the line, and then it's just my usage on top of that. Ting takes my minutes, my messages, and my megabytes, they add them all up, and that's just what I pay. So I pay for the six dollars, easy, and then my usage. Well guess what. I'm usually sitting in this studio or at home, and I'm on wifi all the time, so I use like Viber to make my calls, or Hangouts, and my minutes are super super low. So thanks to that, I have three phone lines, and I'm still paying like 40 something a month, for three smartphones. An iPhone 5, an HTC One, and a Nexus 5, all smartphones, all with data, all with hotspot, tethering, caller ID, picture messaging, all the features you'd expect, for like 40 something a month. Plus, I own my phones outright, I'm not stuck in some sort of contract, where there's an early termination fee, that feels awesome. And if I ever get stuck, I can call Ting and speak to an actual human, at 1855-tingftw if you call them between 8 am and 8 pm. They've also just recently updated their dashboard so it rocks even harder than before. They've got a great new line of devices as well, and also worth a look, when you visit techsnap.ting.com, would you go there? techsnap.ting.com, that'll give you a 25 dollar discount off your first device. It lets them know, too, that you appreciate them supporting the TechSNAP show. And if you've got a Ting compatible device already, like you're a pro, you're pro level, and you're bringing like a Moto G, or your own Ting device, they'll give you 25 dollars of service. So go to techsnap.ting.com, check 'em out. Try out that savings calcuator, see how much you'd save by putting in your actual usage into the savings calculator. It's kind of ridiculous. And then go to the blog, as well. And they've got a great post up right now, I think this'd probably work for any network, I don't think this is anything Ting specific, but I'm not sure -- I haven't read it yet, but I love it. How to block unwanted callers. And they tell you how to do it natively, using native applications in the app, how to do it in android and iOS, and they also talk about a couple of android apps, or one android app, Mr. Number, that you can use. This is a great post, that I think would apply to anybody who wants to know how to block unwanted callers in android and iOS. So go to techsnap.ting.com, try out that savings calculator, see how much you'd actually save by switching to Ting, then you'll see why I did it. techsnap.ting.com, techsnap.ting.com, finally, mobile that makes sense with no contract, no early termination fee, and only paying for what you use. Plus, they have an early termination relief program, so if you're in a contract, they'll pay up to 75 dollars per line you have to get cancelled. techsnap.ting.com.
C: You know, Allan, I'm bringing, I've been debating which phone I'd bring on my trip, do you go through this at all? Do you ever have this problem?
A: I only really have the one phone.
A: I have the Firefox phone, but it doesn't have a sim card in it, so it's not very much use.
C: My android L phone started crashing on me a little bit in the last few days, so I'm not bringing my android L phone, I don't think, but otherwise, I'm loving the android L.
C: Speaking of android, our first story, oh I'm sorry, our third story. I can count. I promise. I can count. Our third story today is actually about android and delivering malicious apps to android, isn't it.
C: Tell me about it.
A: So this one is some researcher who's presented their findings at Blackhat Europe which was last week in Amsterdam, and basically what they found is a way to hide their malware in another application that looks legitimate.
A: So, basically, what they, one of the researchers wrote this tool, it basically allows you to encrypt an apk file, which is kind of just a zip file with all the android stuff in it.
C: Like a package file, yeah.
A: Yeah. Encrypt it kind of like, almost with stenography into a jpeg or a png file.
C: No way. Really?
A: Take an existing picture, and you basically encrypt the apk file, and then hide it in a jpeg, so that whem even if someone's reverse engineering your app, you know, kind of manually checking your app to make sure it's not malicious, all they see is a jpeg or a png that actually is a picture and looks fine.
C: This is crazy.
A: But then, when your dummy app that has this picture as one of its resources, like, your company logo or something, that you would see in every app, it can then decrypt the apk out of the image, and run it. and run the malware.
C: I love their demo example here. This is really great.
A: Thus, the malicious app remains hidden from reverse engineering, anti virus programs, and the goolge bouncer, so this wrapper app can go up into google Play store or something, and seem legitimate. In their testing, android did show a permission request when the wrapper file tried to install the malicious apk, but the researchers say that they can prevent that using the dex class loader to be able to reference the app without running it normally and so, android wouldn't pop up a popup saying "hey, do you want to allow this app to run?"
A: The really interesting one is the researchers kind of got the idea from a malware they'd seen in the past. This one was Android/gamex.a!tr. And what this one did is, in its resources, there was a file called logos.png, but it wasn't a png. It was just a zip file. And so, that might be detected fairly obviously. But they somehow made it very clever. If you open the zip file, it'd open, and there were files in it, you could extract them, and they were legitimate, regular files, and everything was fine. However, if you did an xor, which is not really encryption, it's just kind of shifting all the bits, with a certain key, on that zip file, it would be a different zip file, that contained the malware payload. So they kind of hide the zip in plain sight, as a zip that looks like it contains some files, but if you do an xor of it with a certain key, it's now a different zip file that contains the malware. That's pretty ingenious.
A: And so, that's where they got the idea from originally. And then it turns out that the way zip files work, the header that says "this is a zip file and contains blah", doesn't have to be at the very very start of the file. The header for a png file does, right. And most files are that way. The header that says this is a png file, this is a jpeg or whatever, goes at the very front of the file. So they found that if you just use like the Linux cat utility, cat "some png file" "some zip file", then if you do 'file' on it, then it says "this is a png". If you open it in a web browser or whatever, this is a png, right, it shows the picture.
C: "Looks like a png to me, Boss!"
A: Yeah, but if you open it in a zip utility like unzip, it will see the files that are in the zip, and let you extract them. However, the android zip thing is a little pickier, right. It doesn't except quite such a, you know, programs are, especially in open source, like, be liberal with what you expect from other people, but make sure you're following the spec very closely when you're making something. But the android version basically won't accept zip files like that because they're technically probably not valid. It just happens that most implementations will open a zip file that's just cat'ed on to the end of a png file. So what they ended up doing was basically make their apk which is a zip file, then encrypt it, and embed it in this png file.
A: And then the interesting thing is, since then, they've added to the file, called AngeCrypt, which allows you to take any preexisting png, jpeg, flv, which is a flash video, or pdf file, and embed the apk into it. It's a little python scrypt that I've linked to. You can grab the code and play with it. And now, I've also included the slides from the Blackhat, and the paper they wrote for their talk.
C: Yeah, this is great stuff. And it looks like it's current as of android 4.4.2 at least.
A: Yeah. It's quite interesting that they managed to do that.
C: Yeah. "Anakin Skywalker encrypted with AES in CBC mode".
C: Key is "Anger=DarkSide". [laughs]
A: So they took a picture of vader, encrypted it with AES, with that key, and a certain initialization vector, and the output is an image of Anakin Skywalker.
A: So they actually kind of took advantage of messing with the input to get a certain output.
C: Pretty respectable work here.
C: I've got to imagine that's gotta be a thrill to see a presentation like that.
C: And they say they did notify the google security team as well. So Google has been notified, and I think a patch has been pushed upstream to AOSP, but who, again, every time we talk about one of these android things, when it hits your device...
A: Yeah. We'll talk about this a little later in the show, but just because somebody wrote a patch and made it available to everyone doesn't mean that it actually got used.
C: [chuckles] That's the problem.
A: That'll be an interesting one a little bit later in the show in the roundup.
C: Very good, Allan, very good. Well, any other thoughts on that story?
A: No, but the whole paper's there if you're more interested in this,
C: Yes, great slideshow.
A: quite interesting.
C: Very good slideshow which explains, if you had any trouble following along, there are good visuals in the slideshow which explains a lot of it.
A: Exactly. And then there's the pdf from the actual paper which has all the technical details if you want to learn more about how it actually works.
C: Indeed, indeed. Richard is in fact, your sister's brother. All right, Allan, why don't we move on to ix systems?
C: ixsystems.com/techsnap. Go there, won't you? ixsystems.com/techsnap. Why ix systems? The same reason probably why Allan and I purchase our hardware from ix systems. We trust them. We trust them implicitly to know that they can meet our needs, that they're going to build the best box possible, they're going to burn-in test that box for me, and I'm going to get a white glove experience, end to end. From customer service, pre purchase, all of that. ix systems has it covered. And I know that some of the people that are helping engineer their products and solutions are some of the most experienced in the industry. In fact, some of them are creating the very technologies that we rely on, so talk about having experts. And you know, that's why here at Jupiter Broadcasting, when we decided to have serious storage, we went with a FreeNAS mini. Don't be fooled by the term 'mini'. There's nothing mini about the FreeNAS mini except for the size of the box. It's incredibly powerful, and they've got a brand new one with these server grade intel atom processors. Yeah. I can't believe I'm saying it either, but such a thing actually exists now, and they rock.
A: And especially with a lot of people's, always, the complaint people had about taking some PC they have and turning that into a FreeNAS instead of buying a NAS at Bestbuy or whatever, was that "well, my old PC is going to use more power than this little embedded box". It's like, well, now, ix sells this little box that only uses 17 watts for the processor.
A: Because' it's Atom based.
C: You've heard about the reliability and rock solid performance of FreeBSD and ZFS. So why not get a storage solution built by the people behind FreeNAS, right? You're starting to see the logic here. When you go with ix systems, it's a different experience from any other hardware vendor you've ever bought from. These are people who don't just kind of know how to implement the technology, right? It goes so far beyond that. They have connections with the hardware industry, and partners with the hardware industry, that goes so much deeper than your average company. They have the people that are creating the software. They have the deep connections to the community. In fact, that's why Allan's going to MeetBSD, and where's that at, Allan? Where are they holding that at?
A: They're actually hosting that at Western Digital's headquarters in San Jose, California. which is just down the street from where ix has their headquarters.
C: When ix wants to party, they party with one of their hardware buddies. They got that situation dialed in, they really do.
A: Yes. Intel and Western Digital are big sponsors of the company.
C: Mhmm, mhmm. All right, so check out ixsystems.com/techsnap and go see why so many folks have chosen ix systems for their solution. You can also grab that free white paper, "The Ultimate Guide to Buying a New Server for Open Source: 11 key traits you should demand from your provider". That will help you grease the wheels if you're trying to make a decision about switching, there's some really good points in there, it's a really, really great white paper. ixsystems.com/techsnap, and a big thank you to ix systems for sponsoring the techsnap program.
C: You know, they're also sponsors of another Jupiter Broadcasting show, those crazy guys over at BSD Now. The ones who just hit their 60th episode.
C: "Don't Buy a Router." [laughs] That's sick. Oh, Allan. There you go, episode 60 of BSD Now.
A: Acutally, if you're interested, that's an interview with Olivier Cochard - I forget his last name. Anyway, he's the guy who actually founded FreeNAS and then gave it to ix systems, because he's actually a network guy, not a storage guy, and didn't know anything about storage. He just wanted to store some files, so he wrote FreeNAS, and you know, ix are like, storage experts, so he's like, "yeah, you guys take that. I'm going to go and start the BSD Router project, and design an appliance to replace a Cisco. So it's actually not a competitor to Pfsense. Pfsense is replace that little linksys or netgear or whatever you have at your house, whereas the BSD Router project is is to replace that big 200,000 dollar Cisco you have at work.
C: Mm. Go and find out more about that, episode 60 of BSD Now. I'll give a quick plug to unfilter 119, Weapons of Mass Encryption. We played a few unbelievable clips by the FBI director, who's going to be petitioning congress to force Google and Apple to modify android and iOS to make it easier for them to decrypt the files that they've now announced they'll be encrypting in ios 8 and android L. So there's some fascinating audio that we played in unfilter 119 Weapons of Mass Encryption. So if you're interested about that, check that out. Two great episodes, BSD Now 60 and unfilter 119.
C: But Allan, you know what, the news is all done, so that means it's time for the TechSNAP Feedback!
C: Thanks for sending your emails to email@example.com or popping that contact link at the top of the Jupiter Broadcasting website, or even better, starting a thread in our subreddit over at techsnap.reddit.com.
C: And our first bit of feedback is actually a followup from the folks at DuckDuckGo. They wrote in last week to tell us about DuckDuckHack, duckduckhack.com, and they said they've gotten some great responses and I wanted to mention it again. So are you familiar with DuckDuckHack? That's DuckDuckGo's open source instant answer platform. And any developer can create an instant answer which is then showcased in Duck Duck Go's search results. And I, last week, showed you a couple of them, and I found a couple of more really cool ones, to kind of show you the idea of anyone out there that has a subject they're passionate about and an expert on can go over to duckduckhack.com, submit a pull request, and then go help make search terms on DuckDuckGo more relevent, becaue the answers you submit will show up in the DuckDuckGo search results. So check out, how cool is this, Allan. So you know I'm going to Columbus, Ohio, right? If I go... There's a command in DuckDuckGo where you can just type "bars", space the location, so I did "bar columbus oh", and I got a bunch of great bars in Columbus, Ohio, with their Yelp ratings all listed out for me right here on DuckDuckGo.