Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Virgin Mobile USA customers may be at risk

• Virgin Mobile customers in the USA access their customer portal using their mobile phone number and a 6 digit pin
• In addition to the obvious lack of security of using such a limited keyspace, it seems that the Virgin portal does not implement any type of lockout or intrusion detection
• Specifically, they do not block an IP after 100s of failed attempts, meaning an attacker can quickly run through the entire 1 million possible passwords and gain access to any account
• Kevin Burke, the researcher who discovered the flaw, said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concerns were dismissed
• Later, a fix was applied to the portal, blocking users after 4 failed attempts, however it relied on a browser cookie to keep track of the number. In additional to how easily this mitigation is evaded, most attack scripts don’t keep cookies anyway
• Virgin’s portal now correctly blocks an IP address after 20 failed attempts
• Virgin uses a 404 error instead of 503 or another more proper error code
• Additional Coverage

Security Explorations finds another Java 0-day, for Java SE 5, 6 and 7

• Security Explorations, the Polish research firm that found the previous Java exploits, has now topped 50 different vulnerabilities reported to Oracle, and the 50th one is the worst to date
• The flaw affects fully patched Windows 7 machine, using all major browsers
• Oracle has produced a comprehensive status report regarding upcoming Java Critical Patch Update. The company claims to have fixes for all, except two issues (29 and 50) integrated and undergoing testing for release in the October 2012 Java SE CPU. Oracle is still evaluating fixes for Issue 50 and will provide further update on whether a fix for it will be also included in the October 2012 Java SE CPU
• Additional Coverage

IEEE passwords exposed via FTP site

• A researcher found a log file on a publically accessible IEEE FTP site
• The file contained logs from 01/Aug/2012:20:46:28 +0000​ to 18/Sep/2012:08:47:17 +0000
• The log contained around 375 million lines, 400,000 of which contained plain text passwords, 17k of which were password reset requests
• A total of 99,979 unique usernames were found
• 7 of the top 10 passwords were all numeric, variations of 123 – 1234567890
• Other popular passwords included ieee2012, IEEE2012, password, library and ADMIN123
• 38% of users use gmail, 7.6% use yahoo
• It does not appear that the IEEE actually stores usernames and passwords in plaintext in its authentication database, but it is unclear why or how the passwords were included in the access logs
• The IEEE acknowledged the breach
• And issues a notice to its members, encouraging them to use strong passwords when they are forced to reset thier password
• Additional Coverage

Your Android phone could be remotely erased by a malicious website

• Security Researcher Ravi Borgaonkar revealed the exploit at ekoparty 2012
• An apparent bug in the Samsung TouchWiz UI makes it possible for a malicious website or remote attacker to reset your Android device
• The vulnerability can be exploited via NFC, QR code, SMS, or a web link
• Remote wipe attack not limited to Samsung phones, Android dialer may be to blame
• The vulnerability may actually be in the Android dialer, which would mean all devices are vulnerable
• As a temporary fix you can get the TelStop app, which publishes a URL handler for tel: URLs and prevents the exploit from being used via websites
• Additional Coverage:
• Major Samsung Galaxy TouchWiz exploit hard resets a device by just visiting a website
• Critical vulnerability in Samsung Galaxy S3, possibly other smartphones. – Spiceworks
• Samsung has released new firmware that resolves the issue
  • Samsung applies quick patch to dailer vulnerability

Feedback:

• spleeeem submitted something handy for a common theme on our show, secure passwords: Password Storage Cheat Sheet

• Best Way to Migrate a lot of Sites from Apache to NGINX

• How to benchmark nginx?

• Why can’t you just send the “finished” hash?

• Mail Server with Blocked Port 25?

• I wonder if I could get your thoughts on https://www.sendfilessecurely.com

• Followup: rikai found an SSH SVR record wrapper script

Book: Nginx HTTP Server

It provides a step-by-step tutorial to replace your existing web server with Nginx. With commented configuration sections and in-depth module descriptions

Have some fun:

• What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

• Adobe Announces Rapid Release Cycle for Flash Player
• Compromised phpMyAdmin download reinforces importance of verifying checksums . SourceForge is investigating how the copy of the file on a Korean mirror was compromised and downloaded by over 400 users
• Android 4.0.4 NFC vulnerability exposed at Pwn2Own contest
• How to build a passive ethernet tap, to spy on traffic as it crosses the wire
• Microsoft may have known about IE 0-day flaw for months, credit goes to “TippingPoint Zero Day Initiative” on July 24th, not to researcher who disclosed the flaw in September
• Bruce Schneier doesn’t want his algorithm, or any other, to win the SHA–3 competition
• Guild Wars 2’s Mike O’Brien on Account Security

HALL of SHAME: Secret Microsoft policy limited Hotmail passwords to 16 characters