Your daily source of Pwnage, Policy and Politics.

Episode 466 – DNS Hijack, iRony, Hidden Lion Wifi Tool & Rolling DNS Blackouts

InfoSec Daily Podcast Episode 466 for September 6, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, Them and Big Pappy.

Announcements:

OWASP NY/NJ
When: September 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS

Nashville Infosec
When: September 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

Wim Remes ISC2 Official Petition
When: Deadline September 19, 2011
What: CISSPs can send their name, the e-mail address registered with (ISC)2, and their certification number to wim@remes-it.be.
http://blog.remes-it.be/petition.html

#BruCon
When: September 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to attend Louisville Infosec the day before, email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: November 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: November 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://nakedsecurity.sophos.com/2011/09/04/dns-hack-hits-popular-websites-telegraph-register-ups-etc/

Popular websites including The Register, The Daily Telegraph, UPS, and others have fallen victim to a DNS hack that has resulted in visitors being redirected to third-party webpages.

Part of the message reads:
TurkGuvengligi
"Gel Babana"
HACKED
"h4ck1n9 is not a cr1m3"
"4 Sept. We TurkGuvenligi declare this day as World Hackers Day – Have fun ;) h4ck y0u"
The phrase "Gel Babana" is Turkish for "Come to Papa", and "Guvenligi" is Turkish for "Security".

Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.

It's important to note that the websites themselves have *not* been hacked, although to web visitors there is little difference in what they experience – a webpage under the control of hackers.

Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.

DNS records work like a telephone book, converting human-readable website names like nakedsecurity.sophos.com into the numeric IP addresses that computers on the internet use. What seems to have happened is that someone changed the lookup, so when you entered telegraph.co.uk or theregister.co.uk into your browser you were instead taken to a website that wasn't under the control of those sites' owners.

Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours ahead. If you're in the habit of visiting and logging into the affected sites, you might be wise to clear your cookies so the hackers aren't able to steal any information from you.
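As an added example (not from the Sophos story or the podcast), here is a minimal DNS A-record client in Python together with a cross-resolver comparison: asking several resolvers for the same name and checking their answers against the addresses the zone owner expects is how an operator spots a changed record, or one still serving the old answer while the fix propagates. The resolver names and the 192.0.2.x / 198.51.100.x addresses are placeholders.

```python
import socket
import struct

# Constructed example, not part of the Sophos story: a minimal DNS A-record
# client plus a cross-resolver comparison, so an operator can spot a hijacked
# or still-stale zone by seeing resolvers answer with unexpected addresses.

def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = [bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer occupies two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_a_records(msg):
    """Return [(ttl, ip), ...] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return records

def lookup(name, resolver, timeout=2.0):
    """Ask one resolver over UDP/53 (needs network; an empty list means no A answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recv(512))

def divergent_resolvers(expected_ips, answers):
    """answers: {resolver: [(ttl, ip), ...]}; returns resolvers whose A set != expected."""
    return sorted(r for r, recs in answers.items()
                  if {ip for _, ip in recs} != set(expected_ips))
```

Run `lookup(name, resolver)` against each resolver you care about and feed the results to `divergent_resolvers`; a resolver still returning the attacker's address after the zone has been corrected is simply caching the old record until its TTL expires.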

In many ways we have to be grateful that the message displayed appears to be graffiti, rather than an attempt to phish information from users or install malware.

The question now is how did the hackers manage to change the DNS records for these sites?

Source: http://www.theregister.co.uk/2011/09/02/icloud_runs_on_microsoft_azure_and_amazon/

Apple has selected Microsoft's Azure and Amazon's AWS to jointly host its iCloud service, The Reg has learned.

We understand that Apple has barred Microsoft and Amazon from discussing what would otherwise be a high-profile deal, especially for Microsoft's fledgling Azure cloud service.
But Reg sources close to Microsoft this week confirmed rumours circulating in June that Apple's iCloud is running on Azure and Amazon. Customers' data is being striped between the pair. iCloud was released as a beta in August and is expected by the end of this year.

Apple and Amazon did not respond to our requests to comment, while Microsoft told us: "At this time, we don't have any comment around whether Apple is a Windows Azure customer."

According to our sources, Microsoft insiders see the iCloud deal as a validation of Azure. So far, Microsoft has pushed Azure using the marketing 101 playbook. Redmond has flagged up the start-ups and websites it has attracted in an attempt to prove to other devs that Azure is "cool". It is also promoting those corporate customers who've floated onboard to prove its cloud is being taken seriously by business users.

iCloud puts Azure into a different league, given the brand love for Apple and the Apple management's fanatical attitude to perfection. It is a "huge consumer brand, a great opportunity to get Azure under a very visible workload," our sources told us.

Apple is understood to have elected to outsource the plumbing of iCloud because its core competence lies in "building great consumer experiences". It didn't make sense for Apple to become a cloud provider.

By selecting two suppliers, both very different in their services and their level of maturity, Apple is reducing its risk of becoming hostage to a single supplier.
Microsoft and Amazon will now need to ensure they keep up with the other on reliability, new features, security, and price.

Apple has had a recent unpleasant experience in providing online services: in a famous memo, Steve Jobs admitted his company had "more to learn about internet services" following the outages and failures of his precursor to iCloud for email, contacts, calendar, photos and other files – MobileMe.

Also, there's the cost and delay involved in building the infrastructure that iCloud requires as well as assembling and building the core services. Buildings, power, servers, storage, the recruitment of personnel and having the facility certified would cost a minimum of $100m. A more realistic cost for full-scale roll-out could be closer to $1bn.

Microsoft has already built several mega data centres to run Azure, in addition to its search engine Bing, in anticipation of big customers. The company has at least 24 data centres running Azure worldwide.

To give you an idea of the scale, the first phase of one of these in Chicago is 700,000 square feet; it uses a modular design based on containers. Chicago has a capacity of 112 containers, with each holding 224,000 servers – Microsoft uses Dell.

That said, Apple could be biding its time in using Microsoft and Amazon.

Apple is building a $500m data centre in North Carolina. If reports of the hardware going in there are correct, the centre's data capacity should run into tens of petabytes and be more than suited to running iCloud – for now, at least.

iCloud is believed to be running on the full Azure service – the Windows Azure compute and controller part and SQL Azure storage which hosts tables, queues and flat files. It's not clear how many of Microsoft's Dell servers are hosting iCloud.

The iCloud data is being striped between the Amazon and Microsoft clouds. That means Apple, Microsoft, Amazon, or all three have to implement, in software, a way of identifying which user's information is stored in which location and then route requests to the correct server.

If the data is duplicated, then software would handle load-balancing, or randomly send users' requests to one cloud or the other, or change access policies depending on things like network speed and server availability.

The striping process segments logically sequential data such as single files so segments can be written to different physical devices. The process can help speed up access to data because you don't rely on read/write access speeds of a single disk in a machine.

The challenge in running two clouds under an overall service, if there is one, will be in smoothly managing a unified system where the controllers could well be running on different operating systems or be written in different languages.

This is a very real possibility; while AWS and Azure emulate virtual servers, most AWS users run on Linux while all Azure users have to run on Windows. Even if a cross-platform language like Java is used to bridge the gap, then tuning the software for both will mean additional cost and complexity.

One way to avoid managing different code bases and ensuring the best levels of performance could be for iCloud to also run on Windows on AWS. This would be a potentially even bigger victory for Microsoft as it would mean iCloud isn't just running on Azure from Microsoft but is also running on Windows while on Amazon.

Source: https://www.macworld.com/article/162117/2011/09/monitor_wi_fi_with_lions_hidden_tool.html#lsrc.twt_macworld

Hints reader nathanator11 discovered that Lion includes a handy app that provides all sorts of diagnostic information surrounding your wireless network. Much of the information the software generates gets pretty technical, but even Wi-Fi novices may find some of the details that the utility aggregates useful.

Wi-Fi Diagnostics is tucked away in the /System/Library/CoreServices folder. To get there, I pressed Shift-Command-G in the Finder (the equivalent of going to the Go menu and choosing Go to Folder), and then typed in the /System/Library/CoreServices path and pressed Return. Once in the folder, I found Wi-Fi Diagnostics and double-clicked it. Alternatively, you could launch the Terminal and type open "/System/Library/CoreServices/Wi-Fi Diagnostics.app", and then press Return.

However you find and launch it, Wi-Fi Diagnostics gives you four options: Monitor Performance (which shows you signal strength, noise level, transmit power, and data rate); Record Events (which can keep a log of network happenings); Capture Raw Frames (which records everything coming and going on your Mac's wireless connection); and Turn on Debug Logs.

If you’re at all interested in what’s going on with your Mac's Wi-Fi connection or your wireless network, Wi-Fi Diagnostics is freely included with your copy of Lion, and you can’t break anything by poking around the app—so enjoy!

Source: http://rscott.org/dns/GoDaddy_Selective_DNS_Blackouts.htm

Since the beginning of the Internet, DNS (the protocol that converts domain names into IP addresses) has always been a sacred service. It is low cost, and mission critical. Blocking any DNS packets was always used as a last resort, only after all other options were exhausted, for fear of the consequences of what might happen. When you block DNS, you effectively block the web, E-mail, FTP, IM… just about everything.

Now that GoDaddy is a near monopoly (larger than the next 8 closest registrar competitors combined), and just got bought out on July 1, 2011, they have decided they can defy the sacred. Customers be damned.

Less than a month after the new owners came on board, GoDaddy implemented a "Selective DNS Blackout" policy for all domains using their DNS hosting (roughly 32 million domains). With this policy, they are choosing to allow their DNS servers to be underprovisioned (meaning that their servers are unable to gracefully handle their normal load). To prevent slow DNS, which would generate complaints quickly, they decided to block 100% of packets from hand-picked DNS servers based on volume and visibility. This reduces load somewhat, while making it difficult for customers to pinpoint GoDaddy as the problem.

A GoDaddy employee (who prefers to remain anonymous) confirmed that they have a policy in place to block DNS queries, but their Advanced Technical Support Team refused to provide any details on the policy. The GoDaddy PR department declined to comment, but did not deny that the policy exists (they went silent after saying they would be happy to look into it). Perhaps the PR department realized that it will be a very controversial policy.

One example of a service affected by the "Selective DNS Blackout" policy is a niche search engine in development that helps people locate local businesses. The DNS service they use was blocked by GoDaddy without warning on July 30, 2011. GoDaddy later stated that the DNS traffic was a problem due to the traffic load (despite that traffic load being less than 15% higher than a year prior). Another example is a project that collects Internet statistics, with information on websites going back several years, that now cannot include new data for domains with DNS hosted by GoDaddy (and cannot, unless the policy is revoked).

The GoDaddy website, and other websites they own (bobparsons.com, godaddycash.com, jomax.net, spamfilter.com, supportwebsite.com, etc.), use their own DNS servers that do not have such load problems. As for why GoDaddy is doing this, we can only make educated guesses, as GoDaddy's PR department declined to comment. It doesn't appear to be the obvious reason, cost. Adding servers to handle the small 15% increase in load over a year ago would cost roughly the same as adding 1 employee — a drop in the bucket for a company that already has over 3,000 employees, that gained more than $30M in revenue from those domains, and just got a cash infusion.

What seems more likely is that the new owners of GoDaddy are trying to improve on the "Premium DNS" service, which appears to have been a failure. The Premium DNS service started around January, 2011. However, it appears not to be meeting their sales goals (99% of domains using GoDaddy DNS hosting are still using the free service).

According to data by alexa.com, the weekday traffic to the godaddy.com website has declined since this policy was put into effect, to its worst ranking in over 6 months. According to webhosting.info, the number of new domains registered with GoDaddy has plummeted since the policy was put into effect (from 248,036 per week on July 25, 2011 to 55,007 per week on August 8, 2011). It is not known whether DNS queries by Alexa or webhosting.info are now being blocked by GoDaddy; however, these are the types of applications that will be affected.

We now know that GoDaddy is willing to block DNS queries. Will it continue, or will others follow? What will happen to the Internet if all DNS hosting companies follow the same path? Only time will tell.