Friday, January 25, 2013

Secret backdoors found in firewall, VPN gear from Barracuda Networks

The undocumented accounts may have been around for a decade

A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.

The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab.

"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with a "very weak" password to log in and gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda.

"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities—all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," the advisory explained.

Barracuda issued several of its own security advisories on Wednesday. "Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses," one advisory with a risk rating of "medium" stated. "The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit."

A timestamp and version string in the code that enables the backdoor bear a date from 2003, suggesting it may have existed in the Barracuda appliances for a decade. Advisories from SEC Consult and Barracuda also reference a serious authentication bypass bug. In an age of sophisticated advanced persistent threats, administrators who oversee any of this gear should update as soon as possible.


Don't upload your important passwords to GitHub

The same goes for private SSH keys and other sensitive credentials.

It's akin to warning someone not to brush her teeth with a brick or to dry her hair with a blow torch, but based on numerous links circulating on Twitter Thursday morning, it bears saying: don't post sensitive account credentials to GitHub, or any other code repository.

On Thursday morning, the microblogging site was awash with messages linking to passwords and private cryptographic keys that are publicly accessible. Several GitHub code searches turned up dozens of accounts that appeared to be exposing credentials that should never be made public. (Just minutes before Ars published this post, the searches stopped working, most likely as a result of GitHub admins who were trying to save users from their own carelessness. Many of the same GitHub accounts could still be located using Google, however.) Assuming they're still being used to log in to valid accounts, their exposure compromises the entire security that users attempted to establish when they generated the keys in the first place.

Ars won't be calling out individual accounts, although one GitHub offender appeared to reveal a password for an account on the repository that stores the source code for Google's open-source browser. An eagle-eyed security researcher reported finding "an ssh password to a production server of a major, MAJOR website in China." Another tweet showed what appeared to be a sensitive GitHub authentication token used by a prominent front-end developer for Bitly. In the wrong hands, a valid token could help miscreants redirect millions of people to malicious sites.

And it's not just GitHub users who appear to be loose-lipped, at least judging from similar links pointing at other code-hosting sites.

The practice of stashing sensitive log-in credentials in publicly accessible code repositories isn't exactly new, so it's unclear why it's only now receiving so much attention. It has touched off a major debate about whether GitHub bears any responsibility, with some arguing the fault lies solely with users and others saying GitHub has a duty to prevent misuse of its site.

Whatever view prevails, the tweets should come as a stern rebuke and a graphic demonstration that the practice is an extreme faux pas. Transgressors should reset or regenerate any compromised passwords or keys and purge the old ones right away. As in now.
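As an added example (not code from the article, from GitHub, or from any of the accounts mentioned), here is a small pre-commit scanner in Python that refuses a commit when staged files contain the kinds of material the post warns about: private key blocks, password assignments, and 40-character hex tokens on lines that mention a token. The 40-hex token shape is an assumption about the GitHub OAuth tokens of the time, the regexes are heuristics, and the sample file contents are constructed.

```python
"""Pre-commit secret scanner: refuse a commit that stages credentials.

Added example, not code from the article. Assumptions: GitHub OAuth
tokens of this era are 40 lowercase hex characters; the regexes below
are heuristics and will produce both misses and false positives.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# PEM private key header (OpenSSH, RSA, DSA, EC and unlabelled variants).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")
# "password = 'value'" style assignments in config or source files.
PASSWORD_RE = re.compile(r"""(?i)(pass(?:word|wd)?|secret)\s*[:=]\s*['"]?([^'"\s]{6,})""")
# A 40-hex string only counts when the line says it is a token (avoids git SHAs).
HEX_TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")
TOKEN_CONTEXT_RE = re.compile(r"(?i)(token|api[_-]?key|oauth|auth)")
ENTROPY_THRESHOLD = 3.0  # bits per symbol; all-zero or repeated tokens fall below


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """Skip obvious templates such as ${PASSWORD}, <password> or xxxxxxxx."""
    lowered = value.lower()
    if any(ch in value for ch in "<>${}"):
        return True
    if len(set(lowered)) == 1:
        return True
    return lowered in {"changeme", "password", "example", "redacted"}


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return (path, line_number, kind) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private-key"))
            continue
        m = PASSWORD_RE.search(line)
        if m and not is_placeholder(m.group(2)):
            findings.append((path, lineno, "password"))
            continue
        if TOKEN_CONTEXT_RE.search(line):
            for tok in HEX_TOKEN_RE.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "token"))
                    break
    return findings


def scan_staged() -> list:
    """Scan every file staged for commit (call this from .git/hooks/pre-commit)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    findings = []
    for path in out.split():
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample file, not a real credential or key.
SAMPLE = """\
# settings.py
DB_HOST = "db.example.internal"
DB_PASSWORD = "Tr0ub4dor&3"
GITHUB_TOKEN = "9f2b7c4e1a8d3f6b0c5e2a7d4f1b8e3c6a9d0f2b"
template = "password = ${PASSWORD}"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxyz(constructed, truncated)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    staged = len(sys.argv) > 1 and sys.argv[1] == "--staged"
    hits = scan_staged() if staged else scan_text(SAMPLE, "sample")
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: possible {kind}")
    sys.exit(1 if hits else 0)  # non-zero exit aborts the commit
```

Run with `--staged` from a pre-commit hook; without arguments it scans the constructed sample and reports the password, token and private key lines.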


Cisco to sell Linksys to Belkin, will exit home networking market

After 10 years of owning Linksys, Cisco will get rid of home router business.

Belkin has struck a deal to buy Linksys from Cisco, bringing Cisco's 10-year dalliance with the consumer networking market closer to an end.

Cisco's Linksys division sells routers and wireless access points to consumers, which is in line with Cisco's overall focus on networking gear but diverges from the company's core focus on selling to big businesses rather than home users. Cisco has been gradually stepping out of the consumer business—for example, by killing off the Flip camera line and Umi home videoconferencing.

Cisco recently engaged Barclays to help sell off the home networking division. Belkin's purchase of Linksys is expected to close in March 2013, but the companies did not reveal the purchase price. Cisco bought Linksys in 2003 for $500 million.

Existing customers don't have to worry about whether their Linksys products will continue to be supported, Belkin said in its announcement. "Belkin intends to maintain the Linksys brand and will offer support for Linksys products as part of this transaction," Belkin said. "All valid warranties will be honored by Belkin for current and future Linksys products. After the transaction closes, Belkin will account for approximately 30 percent of the US retail home and small business networking market."

Belkin's existing business includes wireless and wired networking products as well as an assortment of device cases, mobile accessories, cables, and audio and video products.

Cisco's stewardship of Linksys annoyed some users (including me) last year when certain routers were automatically linked to a cloud-based management service that was less functional than the traditional, local router management interface. (Cisco backpedaled after an uproar.)

Belkin said it will expand Linksys's market presence, hinting that Linksys products will somehow be linked to or sold alongside Belkin's WeMo home automation platform. Besides home users, Belkin wants to use Linksys to target service providers and small businesses.

While no purchase price was announced today, Bloomberg reported last month that Linksys is "likely to fetch much less than the $500 million Cisco paid for it in 2003 because it is a mature consumer business with low margins."

Although Cisco is selling Linksys to Belkin, it will maintain some ties to the business as part of a cross-marketing deal. "Belkin and Cisco intend to develop a strategic relationship on a variety of initiatives including retail distribution, strategic marketing and products for the service provider market," Belkin's announcement said. "Having access to Cisco’s specialized software solutions across all of Belkin’s product lines will bring a more seamless user experience for customers."


Three charged in Gozi Trojan bank raids

NASA computers among 1 million machines infected by malware used to steal from bank accounts.

United States prosecutors accused three people of creating and distributing virulent malware that has infected more than a million computers around the world, including those operated by the U.S. National Aeronautics and Space Administration.

Nikita Kuzmin, 25, of Russia, Deniss Calovski, 27, of Latvia and Mihaj Ionut Paunescu, 28, of Romania, were behind a long-running scam involving the creation and distribution of the so-called Gozi Trojan, which helped cybercriminals siphon millions of dollars from bank accounts in the U.S., Europe and other countries, according to an indictment unsealed on Wednesday.

Alleged mastermind Kuzmin was arrested in the U.S. back in November 2010 and pleaded guilty to a number of computer hacking and fraud charges in 2011. Calovski is alleged to have helped in programming Gozi. He was arrested in Latvia in November 2012. Paunescu is alleged to have provided the hosting service that enabled Kuzmin and other cybercriminals to distribute Gozi and other malware. He was arrested in Romania in December 2012.

U.S. prosecutors are seeking the extradition of Paunescu and Calovski.


Tuesday, January 15, 2013

You know flash is king when disk giant Seagate grows its SSD line

Plus: Might elbow its way into PCIe server flash card market.

Seagate is going to expand its solid state drive (SSD) line this year using co-developed Samsung controller technology and introducing its first multi-level cell drive.

Seagate and Samsung have a flash chip supply and controller partnership. Stifel Nicolaus analyst Aaron Rakers has talked to Seagate execs and gleaned that:

Seagate ... will have a refreshed line-up of SATA and SAS solid state drives, based on the co-development work with Samsung on controller technology, in 2013. Additionally, our conversations suggested that the company also plans to launch its first MLC-based PCIe SSDs in 2013.

Seagate currently ships its fast single level cell (SLC) Pulsar XT and Pulsar.2 MLC SSDs. Its recent flash activity includes investing in controller company DensBits, whose technology makes slow, shorter-life TLC (3-bits per cell) flash work for longer.

Just over a year ago, Seagate bought Samsung's disk drive business as part of its reaction to Western Digital buying Hitachi GST and leap-frogging Seagate into the disk drive market revenue leadership. Both Seagate and Western Digital appear to realise that the performance data access market is moving away from fast spinning hard drives into a high-end pure-flash market and a mid-range/low-end hybrid solid state hard drive (SSHD) market. Flash is where the strongest growth prospects are - for both Seagate and WD. Of course, just last year, Seagate was singing a different tune.

A move by Seagate into the PCIe server flash card space would be logical. We note Samsung has invested in PCIe server flash card market leader Fusion-io, which will make its relationship with Seagate interesting. The PCIe flash card product space is pretty crowded and the entry of Seagate would not be welcomed by other suppliers.


How to build a perfect private cloud with Windows Server 2012

Microsoft's handy kit.

So you want to build a Microsoft-based private cloud. While using the latest software is not always the best move (never use version 1.0 of anything) Microsoft's 2012 stack of products is mature, stable and capable of meeting all your cloudy needs.

Let's take a look at what's required for a private cloud in Microsoft's world.

It's all about the apps
In a Microsoft world, what you want to virtualise determines how you design the infrastructure that underpins it. If you need real-time, continuous high availability or fault tolerance, you need to determine if this exists at an application level, or if you will have to try to provide it at an infrastructure level.

Application-level fault tolerance – such as SQL replication, which can now include replication to Microsoft's Azure cloud – is usually preferred. It typically means far greater flexibility in your configuration options, including full hybrid-cloud and WAN deployments.

Microsoft's massive investment in making true software as a service delivery possible – IIS8, SQL server, Hyper-V 3.0 and System Center Virtual Machine Manager being one great combination – make services an easily deployable, environmentally aware option.

Think about storage
Before we even consider lighting up virtual machines, we need to think about where they will live. Knowing what degree of high availability or fault tolerance we need allows us to make educated decisions about the storage that will underpin them.

For a truly fault-tolerant infrastructure, Server 2012 ships with Cluster Shared Volumes (CSV). While thin provisioning of virtual machines on CSVs is supported, deduplication is not.

If you are using Server 2012 as the storage underpinning your private cloud this can be a critical consideration, especially in virtual desktop infrastructure scenarios.

Microsoft is aware that this is a compromise some systems administrators will not like, so offloaded data transfer (ODX) support has been baked into the operating system. If you decide you need a third-party filer to bridge the feature gap, ODX can save huge amounts of both network bandwidth and CPU time by instructing filers to carry out various operations internally.

iSCSI, Fibre Channel support and Multipath I/O (MPIO) are all also part of the operating system; indeed you can now add virtual Fibre Channel adaptors to virtual machines.

Not only does this increase the flexibility of Server 2012 as the host hypervisor running your cloud, the availability of – and support for – these features in guest environments allows for additional redundancy configurations from within the virtual machines.

For those using thin provisioning – which I suspect is most of us – the disk defragmenter is UNMAP-aware, making it directly compatible with thin-provisioned VHDX files.

This is important because fragmentation of virtual disks is the only downside to thin provisioning; with a little attention, Server 2012 can be set up to minimise the issue. The full thin provisioning benefits now also apply to both virtual IDE and virtual SCSI-attached disks.

For workloads that are not so mission critical, there's Hyper-V Replica. This takes a snapshot of a virtual machine and replicates it to another host.

It then shuffles change blocks along, ensuring that the backup copy of your virtual machine takes five to 15 minutes to catch up with the prime instance, even if you are replicating over the WAN. Replica also supports versioning.

Server 2012 is increasingly virtualisation aware, with services roles such as Active Directory Domain Controller being capable of detecting if they have been rolled back to a previous version via Replica or are clones of a previous domain controller template.

This dramatically increases the utility of technologies such as Replica while decreasing the need for truly fault-tolerant virtual machines to occupy precious CSV space.

Those virtual machines for which Replica is a good fit are also likely to be a good fit for storing on systems without CSVs. This allows you to take full advantage of both thin provisioning and deduplication, while still maintaining important core functionality such as virtual machine migration via Hyper-V 3.0's shared-nothing migration.

That's right: unless you have a burning need for zero-downtime fault tolerance, you can do without shared storage to make Microsoft's 2012 stack do infrastructure-as-a-service-like cloudy things.

Server 2012 can also store virtual machines on SMB 3.0 shares, further reducing cost and complexity for various deployments. Reliability is not an issue here: SMB 3.0 has gained a number of features, including MPIO for resiliency and remote direct memory access for speed.

Underpinning the whole shebang is Storage Spaces, Microsoft's second go at storage virtualisation. While it sheds some of the features of its beloved Home Server predecessor Drive Extender, Storage Spaces is far more reliable and entirely enterprise ready. It allows you to abstract how the storage is connected to the host from how it is delivered to applications and services such as Hyper-V.

Knit your own solution
Once you have your availability and storage requirements sorted, the last piece of the puzzle is System Center 2012 SP1. This plugs into the various features of Server 2012 to do such things as push the hypervisor onto bare metal, join the newly installed system to the domain and get all the initial settings configured for use with the rest of the cloud.

Cluster-Aware Updates combine with System Center's various features to ensure that outages of the host – be they scheduled for updates or unscheduled because of a power failure – are handled smoothly and with minimal disruption to running virtual machines.

System Center orchestrates not only the flow of virtual machines across your infrastructure, but is aware of the contents of those virtual machines, enabling you to break your virtual machines down into tiers according to the features and services they need.

There's more – much more – to explore in Microsoft's 2012 stack. It all depends on your requirements. If you are comfortable living in a PowerShell-only environment, you can build a private cloud with Microsoft's free Hyper-V Server. To use the oft-abused car analogy, consider this the systems administration equivalent of building your own fleet of cars from parts.

If you want basic virtualisation management tools, Server 2012's Remote Server Administration Tools can provide able service. This is like maintaining a fleet of cars that came handily pre-assembled from the factory.

If the previous two options are the equivalent of maintaining a fleet of cars, System Center 2012 is like automating the management and monitoring of every train in the country. It is the difference between hypervisor-plus-management and a true private (or even hybrid) cloud.


Lenovo said to release Intel and ARM Android convertibles

Hmm... which will prove more popular?

Lenovo will reportedly release Android-based convertibles in the first half of this year, and they'll be powered by your choice of either Intel or ARM processors.

Convertibles – clamshell laptops that can be converted to tablets – were one of the most talked about items at last week's CES 2013. Intel, for its part, sees them as the future of mobile computing.

But the devices that Intel was most effusive about during its CES 2013 press event were running Microsoft's Windows 8. According to a Monday report by DigiTimes citing those ever-helpful "industry sources", Lenovo – the world's second-largest PC maker – will add convertibles running Android to its stable of mobile PCs.

Or tablets – whichever incarnation of the convertible form factor you choose to emphasize.

According to DigiTimes' sources, Lenovo had planned to release Android-based convertibles in the third quarter of last year, but delayed the roll-out due to the market noise caused by the iPad 4 and iPad mini, Windows 8 and Windows RT tablets, "as well as a proliferation of low-priced Android tablets."

Intel has been talking about Android-on-Intel for quite some time, and soon-to-be-ex-CEO Paul Otellini said way back in October 2010 that Chipzilla would "win" in the tablet market.

Hasn't happened – and it's still too early to add "yet" to that observation.

If and when Lenovo releases Android convertibles based on both ARM and Intel chips – which will join its Core i5/i7 IdeaPad Yoga 11S convertible that was announced at CES and is scheduled to ship this June – we'll keep an eye on how the market responds to that choice.


DefenseCode turns up Linksys zero-day

World awaits patch.

With more than 70 million home networking devices in service, a zero-day for Linksys has a very wide reach. According to DefenseCode, an information security consultancy, that's just what turned up in a recent product evaluation for a client.

The company has not released full details of the root access vulnerability yet, but has posted a demonstration video to YouTube.

In the video, DefenseCode researchers open the router’s shell (without authentication) and list the contents of files and directories.

According to Help-Net Security, it took DefenseCode just 12 days to develop the exploit. The company says it contacted Cisco, Linksys's owner, “months ago”.

The vulnerability affects all versions of Linksys firmware up to and including the current version, 4.30.14. DefenseCode intends to release a full description of the vulnerability within two weeks.

It's an unwelcome development for Cisco, which in December began casting around for potential buyers for the consumer kit brand.

Update: Cisco has made the following statement to The Register: "Linksys takes the security of our products and customers’ home networks very seriously. Although we can confirm contact with DefenseCode, we have no new vulnerability information to share with customers – for our WRT54GL or other home routers. We will continue to review new information that comes to light and will provide customer updates as appropriate."


'Red October' malware spies on governments worldwide

It might have taken five years to discover, but a government-snooping spying campaign dubbed Red October has been exposed by Kaspersky Lab.

Kaspersky Lab has discovered yet another worldwide spying campaign that targets governmental bodies, political groups and research institutions.

On par with the memorable Flame malware, Kaspersky and a number of Computer Emergency Response Teams (CERTs) discovered the malware -- known as Rocra or Red October -- which mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.

Kaspersky says that Red October has been gathering data and intelligence from "mobile devices, computer systems and network equipment" and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.

The malware is sent via a spear-phishing email which, according to the firm, targets carefully selected victims within an organization. The infected files contain at least three different exploits for Microsoft Excel and Word; once opened, they drop a trojan on to the machine, which then scans the local network to detect whether any other devices are vulnerable to the same security flaw.

By dropping modules that can complete a number of "tasks," usually as .dll libraries, an infected machine obeys commands sent by the command center and then immediately discards the evidence. Separated into "persistent" and "one-time" tasks, the malware is able to spy and steal in a number of ways, including:

  • Waiting for a Microsoft Office or PDF document and executing a malicious payload embedded in that document;
  • Creating one-way covert channels of communication;
  • Recording keystrokes and making screenshots;
  • Retrieving e-mail messages and attachments;
  • Collecting general software and hardware environment information;
  • Extracting browsing history from Chrome, Firefox, Internet Explorer and Opera, and saving passwords;
  • Extracting Windows account hashes;
  • Extracting Outlook account information;
  • Performing network scans and dumping configuration data from Cisco devices if available.

Some .exe tasks remain on the system while waiting for the correct environment, for example, waiting for a phone to connect. Microsoft's Windows Phone, the iPhone and Nokia models are all said to be vulnerable.

Designed to steal encrypted files and even those that have been deleted from a victim's computer, the malware -- named as a hat-tip to the novel "The Hunt for Red October" -- has several key features which suggest it may be state-sponsored, although there is no official word on this yet.

Among the features, there is a "resurrection module" within the malware which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, which can then reincarnate the infection after removal.

In addition, Red October does not simply focus on standard machines, but is also able to infect and steal data from mobile devices, hijacking information from external storage drives, accessing FTP servers and thieving information from email databases.

In order to control the network of infection, Kaspersky says that over 60 domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.

Kaspersky believes that the cyberattackers have been active for a minimum of five years, based on domain name registration dates and PE timestamps, and the firm "strongly believes" that the origins of the malware are Russian.

This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Lab notes:

The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.

Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues -- creating an espionage network full of intelligence that the attackers can refer to when needed. After at least five years of activity, the Russian security firm believes that at least 5 terabytes of confidential information could have been stolen.

"During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly," Kaspersky said.

The majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and Italy have all reported cases. The exploits appear to have Chinese origins, whereas the malware modules may have a Russian background.

Red October was first brought to Kaspersky's attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week.


Homeland Security still advises disabling Java, even after update

DHS says an unpatched vulnerability may still put Web browsers using the plugin at risk of remote attack.

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.

Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said in an updated alert published on the CERT Web site. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."

Security company Immunity reported that Oracle's update addressed only one vulnerability and that another still existed.

"The patch did stop the exploit, fixing one of its components," Immunity said in a blog post today. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."