Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Shop Amazon – Year End Deals

W3 Total Cache (a popular wordpress plugin) may expose sensitive data

• W3 Total Cache is a very popular and powerful caching plugin
• The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
• It can provide significant speed gains over stock wordpress
• Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
• Database Cache – By caching the results of database queries, if the same read query needs to be is executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
• Object Cache – A higher level cache than the database cache, Objects may be constructed from the results of many queries and plugins, caching the complete object may result in significant page load time improvements
• Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
• JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
• CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files in addition to media such as images and thumbnails. My loading these content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browser’s parallel downloading features
• All of these caches offer a number of numbers, allowing you to choose between caching to disk, advanced caching to disk, Opcode caches such as APC or dedicated caches such as memcache
• All of these features make W3TC very popular and well respected
• However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
• The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
• This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
• If an attacker were to get the password hash for an administrative account, if they brute forced that hash, they could then take over that wordpress installation
• Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
• You should configure your web server to deny access to the /wp-content/w3tc/dbcache , /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for apache)
• If you use an Opcode cache, or Memcache, you site is not affected by this configuration error
• Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
• The creators of W3TC are working on an update to address the issue
• Allan’s slides on improving your Blog with ScaleEngine

---

Inventor of SSH warns that improper key management makes SSH less secure than it should be

• This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
• SSH is not vulnerable or compromised
• The story started with an interview of Tatu Ylonen, the inventor of SSH
• “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out."
• The problem is actually caused by users, and bad management practises
• Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
• Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account, often these lists are not pruned because keys are hard to identify
• While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
• federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but often times SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
• A stolen SSH key is what lead to the compromise of the FreeBSD Packaging Building Cluster last month
• It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
• Tools such as puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
• One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command, before optionally checking the authorized_keys file
• This feature can be used to check for keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing cannonical keys in a central location

---

Feedback:

• Raspberry Pi Used To Replace A 30-Foot GSM Base Station And Create A Working Mobile Network

• Compare bare-metal HVs?

• Open Source Virtual Desktop Broker?

• Management Tools – KVM

• VPS Suggestions?

• [Hall of Shame] Claro (Latam ISP) is installing routers with passphrase based on their BSSID and is also shown on WLAN name.

Round-Up:

• Steam suffers ‘no connection’ outage on Christmas morning
• Netflix is down: AWS outage takes down service on some devices — Online Video News
• Aaron Toponce : Linux. GNU. Freedom.
• Plain Text Offenders
• Daily Dot | YouTube strips Universal and Sony of 2 billion fake views
• Brazil blocks port 25
• Congress tweaks US video-privacy law so Netflix can get on Facebook
• I probably should not have admin access to this… : pwned
• How the Internet is becoming a closed shop

Amazon Book:
[asa]B003F3PKTK[/asa]

Audible Book Pick: The Master Switch: The Rise and Fall of Information Empires Audio Book