del.icio.us
blinklist
digg
Facebook
Furl
ma.gnolia
Newsvine
Pownce
reddit
StumbleUpon
Technorati
Twitter
Researchers find exploits for popular game engines, putting both clients and servers at risk, we’ll share the details.
Plus TerraCom epic privacy breach, a recap from BSDcan 2013, your questions our answers, and much much more!
On this week’s TechSNAP!
Thanks to:
|
Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month! |
 |
Direct Download:HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds:HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed |
Support the Show:
|
Show Notes:
Get TechSNAP on your Android:
Browser Affiliate Extension:
- Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox
- Researchers from ReVuln have found various flaws in a number of different video game engines including the Unreal3 Engine, the Quake4 (IDTech4) Engine and CryEngine3
- These vulnerabilities work against a large array of games because the same or slightly modified engines are used in many different titles
- The exploits vary, some allow the attacker to compromise the game server with remote code execution (see video, latter portion shows the attacker remotely starting windows calc.exe on the game server)
- The exploits also allow the servers to be used in denial of service attacks, or to make the servers attack each other, or the master server (from which clients get a list of game servers to connect to)
- Some exploits also attack the client
- Research PDF
- Investigative Journalists from the Scripps Howard News Service were investigate TerraCom and YourTel America, specifically their participation in the US government’s ‘lifeline’ service, which provides telephone service to low-income families
- While doing a google search, the journalists found records stored on a server belonging to Call Centers India Inc., which was working under contract with VCare Inc, which had been hired by TerraCom to verify the eligibility of applicants
- A second google search revealed that more than 44,000 applications had been indexed by google, these applications include sensitive personal information and supporting documentation such as:
- Social Security numbers
- Birth dates
- Home addresses
- Scanned copies of passports and driver’s license
- Financial accounts
- Tax records
- An identity thief would only dream of finding such a treasure trove
- The information appears to have just been dumped into web-accessible directories on a public facing web server, which google eventually found
- The journalists used wget to bulk-download the data
- The journalists then contacted TerraCom to report the exposed data, and were promptly accused of ‘hacking’, and threatened charges under the ‘Computer Fraud and Abuse Act’
- The data was pulled offline within hours
- In a statement on TerraComs website the company claims to have been the victim of a security breach, even though this seem more like a case of negligence
- In a statement, a legal representative for Scripps said “in the process of gathering newsworthy information, the bureau accessed – via a basic Internet search – personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity. The search required no special skill and in no way ‘hacked’ or illegally accessed any server or database operated by TerraCom or any other company”
- As computers get more powerful, the possibility of someone managing to crack a specific cryptographic key grows and it becomes time to increase the strength of those cryptographic systems by using longer keys
- As such, Google plans to replace all of their 1024 bit SSL keys with stronger 2048 bit keys, starting August 1st and finishing before the end of the year
- Most SSL Certificate Authorities has not issued new certificates with keys less than 2048 bits since the CA/Browser forum published “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates v1.0” which requires that any certificate issued after 2013–12–31 use a 2048 bit key
- In addition, The US National Institute of Standards and Technology (NIST) issued “NIST Special Publication 800–57, Recommendation for Key Management”. In which they advise that 1024-bit RSA keys are no longer be viable (after 2010) and advises moving to 2048-bit RSA keys. NIST believes that 2048-bit keys should be viable until 2030.
- Google has a number of recommendations to people who implement SSL, to ensure that these changes do not disrupt services or devices, mostly they recommend against using ugly hacks, or assuming anything about the way Google does SSL
- How is Bhyve coming along ?
- There was a talk at BSDCan 2013 about this, in addition to a session at the DevSummit (I was in a different session though)
- Slides from BSDCan 2013
- Semi-Official bhyve website
- Slides from the FreeBSD Developers Summit @ BSDCan 2013 re: behyve
- Dev Summit Slides re: virtualization in general
- Netflix @ BSDCan 2013 – slides
- Google engineer publicizes Windows zero-day bug, claims Microsoft is ‘difficult to work with’
- Charges filed in cyber bank heist, attackers compromised bank computers and increased account balances on prepaid cards, then cashed out $45 million from ATMs in 24 countries
- Hackers Who Breached Google in 2010 Accessed Company’s Surveillance Database
- Exploit for local Linux kernel bug in circulation, introduced in a patch in 2010, backported to older Linux kernels by Redhat. Exploit seems to have existed since 2010
- IE8 bug used in targetted attack against Korean military sites
- Investigating a DDoS for hire service
- Hire DDoS attack service ‘legal’ and connected to FBI
- Order your Internet Password Minder Protector Minder today