7zip – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Low Security Pillow Storage | TechSNAP 343
https://original.jupiterbroadcasting.net/119566/low-security-pillow-storage-techsnap-343/
Tue, 31 Oct 2017 22:00:02 +0000

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.


Show Notes:

OpenSSH CLI escape sequences

  • Notes from when Dan was experimenting with this: The escape sequences only work if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. The ~ must be the first character after ENTER.

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

  • According to Kaspersky, the fault rests on the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software.

  • The analyst’s computer was infected with malware while Kaspersky’s product was disabled

  • When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times

  • A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

  • Spent $3,000 to buy 7.4 bitcoins. Saved them to Trezor hardware wallet. Wrote down a 24-word recovery key. Saved a PIN.

  • Paper went missing

  • Could not remember PIN

  • Tried many times.

  • Tried an exploit…..


My Kingdom for a VLAN | TechSNAP 267
https://original.jupiterbroadcasting.net/99871/my-kingdom-for-a-vlan-techsnap-267/
Thu, 19 May 2016 17:38:11 +0000

The post My Kingdom for a VLAN | TechSNAP 267 first appeared on Jupiter Broadcasting.


A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!


Show Notes:

Attackers compromise banks and steal millions

  • Attackers compromised the credentials of Bangladesh Bank (the country’s central bank), and used those credentials to make SWIFT wire transfers
  • “Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
  • Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, the largest bank heist in history
  • The fifth was stopped only because of a typo
  • “a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
  • “The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
  • “The transactions that were stopped totaled $850-$870 million, one of the officials said”
  • So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
  • “Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
  • “More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
  • Additional Coverage
  • “Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
  • “The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
  • Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
  • “Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
  • “Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
  • “The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eighth floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
  • “The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, “managed” switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
  • My kingdom for a vlan…
  • Last week, a second bank was hit
  • Additional Coverage
  • “The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
  • Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
  • “News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
  • “In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
  • That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank, and so did not need to use such techniques, or that they just went undetected, because of the lax security at the first bank
  • SWIFT network issues security advisory about malware targeting banks
  • “In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco TALOS finds vulnerability in 7zip

  • “Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
  • For example, a number of virus and malware scanners use the 7-Zip library to scan inside various archive formats.
  • This means an attacker could send you a file, which would automatically be scanned by your virus scanner, which would trigger the exploit.
  • The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications.
  • “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
  • “Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
  • “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
  • “Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
  • “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
  • 2016-03-03 – Vendor Notification
  • 2016-05-10 – Public Disclosure
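
Both Talos findings above come down to a length or index read from the archive being used without a check. The following is an added example, not 7-Zip's source and not part of the original show notes: it shows the two missing checks in hardened form, with hypothetical struct names, a hypothetical layout and an arbitrary buffer size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u /* stands in for the fixed-size "buf"; value is arbitrary */

/* Hypothetical stand-ins for the structures the advisory describes. */
struct partition_map { uint32_t start_sector; };
struct volume {
    const struct partition_map *maps; /* the partition map "object vector" */
    size_t num_maps;
};
struct block_entry { uint32_t offset; uint32_t size; };

/* UDF case: the on-disk PartitionRef must index an existing map object. */
const struct partition_map *get_partition(const struct volume *vol,
                                          uint16_t partition_ref)
{
    if (partition_ref >= vol->num_maps)
        return NULL; /* reject instead of reading past the vector */
    return &vol->maps[partition_ref];
}

/* HFS+ case: copy one block from the resource fork into a fixed buffer.
 * Returns the number of bytes copied, or -1 when the table entry does not
 * fit the buffer or does not lie inside the data actually present. */
long read_block(const uint8_t *fork, size_t fork_len, struct block_entry e,
                uint8_t *buf, size_t buf_len)
{
    if (e.size > buf_len)
        return -1; /* block would overflow buf */
    if (e.offset > fork_len || e.size > fork_len - e.offset)
        return -1; /* block lies outside the input; subtraction cannot wrap */
    memcpy(buf, fork + e.offset, e.size);
    return (long)e.size;
}

/* Constructed sample input: two partition maps and a 32-byte "fork". */
static const struct partition_map sample_maps[2] = { {100}, {200} };
static const uint8_t sample_fork[32] = { 'd', 'a', 't', 'a' };

int main(void)
{
    struct volume vol = { sample_maps, 2 };
    uint8_t buf[BUF_SIZE];
    struct block_entry good = { 0, 4 };
    struct block_entry oversized = { 0, 4000 }; /* larger than buf */
    struct block_entry outside = { 30, 8 };     /* runs past end of input */

    printf("ref 1 valid: %d\n", get_partition(&vol, 1) != NULL);
    printf("ref 2 valid: %d\n", get_partition(&vol, 2) != NULL);
    printf("good block: %ld\n",
           read_block(sample_fork, sizeof sample_fork, good, buf, sizeof buf));
    printf("oversized block: %ld\n",
           read_block(sample_fork, sizeof sample_fork, oversized, buf, sizeof buf));
    printf("outside block: %ld\n",
           read_block(sample_fork, sizeof sample_fork, outside, buf, sizeof buf));
    return 0;
}
```
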

Two large Middle Eastern banks hit by hackers

  • “A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
  • “Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
  • “Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
  • Additional Coverage: IBTimes
  • “Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
  • “In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
  • “Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
  • A second breach occurred at InvestBank, in the UAE
  • Additional Coverage
  • “A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
  • “The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
  • “The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
  • “Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
  • “The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
  • “The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
  • “In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
  • InvestBank claims this is not a new hack, but just the old data being fully released
  • It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly

SSH Authentication with YubiKey | LAS 373
https://original.jupiterbroadcasting.net/85062/ssh-authentication-with-yubikey-las-373/
Sun, 12 Jul 2015 17:33:29 +0000

The post SSH Authentication with YubiKey | LAS 373 first appeared on Jupiter Broadcasting.


Take your Linux logins up to the next level with YubiKey. YubiKeys support one-time passcode, smart card & more – enabling one security key to an unlimited number of applications. Today we’ll show you how to make it work with SSH under Linux.

Plus our thoughts on the NSA using Red Hat, the big changes coming to openSUSE, our picks & more!


— Show Notes: —

Setting up a Yubikey with Linux



Getting started with Yubikey

Introducing the YubiKey Nano – YouTube

Install Yubikey Support in Linux

sudo apt-get install opensc

sudo apt-add-repository ppa:yubico/stable

sudo apt-get install yubico-piv-tool

yubico-piv-tool -s 9a -a generate -o public.pem

yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
  -S "/CN=SSH key/" -i public.pem -o cert.pem

yubico-piv-tool -a import-certificate -s 9a -i cert.pem

ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so

ssh -I $OPENSC_LIBS/opensc-pkcs11.so user@remote.example.com

Change PIN and PUK

yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere

yubico-piv-tool -a change-puk -P 12345678 -N TheNewPukHere

Edit SSH Client to look for Yubikey

vi /etc/ssh/ssh_config

Append the PKCS11Provider line for your distribution.

For Ubuntu

PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Get Key

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

For Ubuntu 32bit

PKCS11Provider /usr/lib/i386-linux-gnu/opensc-pkcs11.so

For Arch

PKCS11Provider /usr/lib/opensc-pkcs11.so

For Fedora

PKCS11Provider /usr/lib64/opensc-pkcs11.so

— PICKS —

Runs Linux


Portuguese robotics research is poised to become a reference in the field with creations like Vizzy, a personal training robot created in the scope of one of the Entrepreneurial Research Initiatives of the Carnegie Mellon Portugal Program. Vizzy will be a personal assistant robot, designed to teach exercise routines and provide physical therapy support, while also ensuring proper exercise form and monitoring physiological responses. This will be accomplished with its motion detectors that, much like the technology currently present in gaming consoles, are able to read the user’s body positioning. But Vizzy will also be able to detect other responses, such as body temperature and breathing pattern, to gauge the user’s physical reaction to the routine and adjust it accordingly. So, much like human personal trainers, Vizzy will encourage users to keep exercising, even when they say they are tired.

Vizzy is under development within the “AHA – Augmented Human Assistance” project, led by Profs. Alexandre Bernardino (IST) and Daniel P. Siewiorek (CMU). AHA is one of the six selected proposals of the CMU Portugal Program Entrepreneurial Research Initiative in 2014.

Desktop App Pick

PeaZip is a sleek open source file and archive manager that supports a wide array of compression and encryption standards. It provides many helpful security features such as two-factor authentication, secure deletion, checksum and hash verification and WinZip’s, PKZip’s and 7’s AES256 encryption, to name a few. PeaZip is a simple, sleek feature packed archive manager I recommend for any desktop.

Weekly Spotlight

  • Hydrogen Rhythm Sequencer

  • Pattern-based sequencer, with unlimited number of patterns and ability to chain patterns into a song.

  • Up to 192 ticks per pattern with individual level per event and variable pattern length.
  • Unlimited instrument tracks with volume, mute, solo, pan capabilities.
  • Multi layer support for instruments (up to 16 samples for each instrument).
  • Sample Editor, with basic cut and loop functions. (NEW)
  • Time-stretch and pitch functions via rubberband cli. Requires the rubberband-cli package. (NEW)
  • Play-lists with scripting function. (NEW)
  • Advanced tap-tempo. (NEW)
  • Director Window with a visual metronome and song position tags. (NEW)
  • Time-line with variable tempo. (NEW)
  • Single and stacked pattern mode. (NEW)
  • Export/Import single patterns into song projects. (NEW)
  • Midi learning via Shift+MouseClick on many GUI controllers combined with a midi settings editor. (NEW)
  • Ability to import/export song files.
  • Unique human velocity, human time, pitch and swing functions.
  • Multiple patterns playing at once.

— NEWS —

RedHat used by NSA Spies

Rebasing openSUSE

  • openSUSE Stuck in the middle: https://youtu.be/BH99TSrfvq0?t=6m33s

  • OBS is getting SLE Sources, and MX fixed: https://youtu.be/BH99TSrfvq0?t=11m6s

Canonical partners with Lenovo to launch Ubuntu-powered ThinkPad L450 laptops in India

As for the specs of the ThinkPad L450 series, users have the choice of Intel Core i3 and i5 processors, paired with AMD Radeon R5 M240 2GB VRAM Intel HD 5500 GPU, 4GB of RAM, and 500GB hard drives. The laptops sport a 14-inch display with HD (1,280 x 720) screen resolution.

VirtualBox 5.0 final available

Two months after the Beta 3 release, Oracle has announced that Oracle VM VirtualBox 5.0 is available today. The guest OS performance has been improved by leveraging built-in virtualization support.
