backdoors – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 29 Jun 2017 06:06:05 +0000

Russian Nothing Burger | Unfilter 242
https://original.jupiterbroadcasting.net/116211/russian-nothing-burger-unfilter-242/
Wed, 28 Jun 2017 22:06:05 +0000

RSS Feeds:

Video Feed | MP3 Feed | HD Torrent | iTunes

Become an Unfilter supporter on Patreon:

Patreon

— Show Notes —

Links:

President Trump’s Lies, the Definitive List – The New York Times
Obama’s secret struggle to retaliate against Putin’s election interference – Washington Post
CNN deletes, retracts story linking Trump and Russia
Report: […]

The post Russian Nothing Burger | Unfilter 242 first appeared on Jupiter Broadcasting.
Justin Time for Twitch.tv | Tech Talk Today 39
https://original.jupiterbroadcasting.net/63947/justin-time-for-twitch-tv-tech-talk-today-39/
Wed, 06 Aug 2014 09:34:50 +0000

Live streaming site Justin.tv shuts down, and we reflect on the early days of our broadcasting on the service.

Plus the crypto-malware spreading to NAS boxes, Sprint pulls out of the T-Mobile deal and why Tech Talk Today might soon have a party mode.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Goodbye from Justin.tv

Justin.tv was created by Justin Kan, Emmett Shear, Michael Seibel and Kyle Vogt in March 2007.

Twitch today announced that the Justin.tv website, mobile apps, and APIs are no longer in service. A very simple explanation is given for the shutdown: since rebranding the company to Twitch Interactive in February 2014, all resources are now focused on Twitch.tv.

The news today will almost certainly further fuel the rumors that Google is acquiring, or has already acquired, Twitch. Purchases are often followed by consolidation, as well as cutting off any excess limbs.

SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices – CSO | The Resource for Data Security Executives

The new attack on Synology kit comes within a year of Synology NAS devices being struck by fraudulent Bitcoin mining operators, with several owners on Sunday reporting that they had found a message from the “SynoLocker Automated Decryption Service” — when accessing the main page of the Web-server for their NAS device — stating that “all important files on this NAS have been encrypted using strong cryptography”.

As one victim on Synology’s English user forum commented, the SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files.

Report: Sprint abandons bid for T-Mobile because US would block merger | Ars Technica

Sprint owner SoftBank has been talking about buying T-Mobile US for months, but is reportedly abandoning the plan because US regulators would likely object.

AT&T tried to buy T-Mobile in 2011 but gave up in the face of opposition from the Justice Department and Federal Communications Commission. While AT&T had to pay a $4-billion breakup fee, which helped T-Mobile build out its LTE network, Sprint apparently wouldn’t suffer that fate because no deal was ever finalized.

Exclusive: Sprint to Name Brightstar’s Marcelo Claure as CEO | Re/code

Sprint plans to name Marcelo Claure, one of its board members and head of wireless distributor Brightstar, as its new CEO, Re/code has learned from a number of sources.

Japan’s Softbank, which owns a controlling stake in Sprint, also acquired a majority stake in Brightstar last year.

Apple is Making Progress | Jonathan Zdziarski’s Domain

  • Apple’s fixes are clearly still a work in progress, and not all of my security concerns have been addressed yet

  • Given that a number of my threat models involved government spying, it feels good to know that Apple has taken my research seriously enough to address these concerns. Keep in mind, the threat model we’re dealing with also includes foreign governments, many of which have long histories of spying on our country’s diplomats.

  • Apple would be wise to add additional protections to ensure that sensitive data is protected in cases involving data at rest and physical security. This, too, is achievable with a small amount of effort, and will ensure that Apple is the only entity capable of extracting sensitive, encrypted data from the device. To do this, Apple’s file_relay service, which they claim is for “diagnostics purposes” would need to be closed off, or at least fixed so that it doesn’t bypass the user’s backup password and the encryption it is tied to. Additionally, the house_arrest service would need to be patched so that it doesn’t allow sandbox access while the device is locked, or some other creative approach.

WOULD YOU FUND IT: LIGHTFREQ: The First Genius Light Bulb With HD Audio by LightFreq Inc — Kickstarter

LightFreq, the genius multi-functioning HD audio light bulb that offers an audio system, wake-up mode, phone alerts, intercom and more!

The post Justin Time for Twitch.tv | Tech Talk Today 39 first appeared on Jupiter Broadcasting.

The Cloud Fails | TechSNAP 2
https://original.jupiterbroadcasting.net/7411/the-cloud-fails-techsnap-2/
Mon, 25 Apr 2011 04:00:55 +0000

Reality rained on Amazon’s Cloud recently as aspects of their EC2 hosting service suffered major outages. We look at the many issues facing cloud computing.

Plus we dig into the iPhone location tracking story, and brainstorm a few possible solutions to a potentially necessary evil.

Then we’ll look at how HBGary wrote backdoors for the government, exactly how the recent RSA security hack actually happened, and why it’s still a major issue!

iTunes & RSS Feeds:


Show Notes:

Topic: iPhone GPS History and new IP geolocation techniques

Involuntary Geolocation To Within One Kilometer
How Apple tracks your location without consent, and why it matters
Major Issues with the Latest iPhone Tracking “Discovery”

  • Why does this data need to be stored for more than an hour?
  • Who else can read this data?
  • Why does this data follow you between devices?
  • Can this data be used against you in court?

Topic: Hashed Passwords and why they are important

A new data retention law proposed in France would force all websites to keep the name, address, telephone number and plain-text password of their users. This would include e-commerce sites, webmail providers and online video hosts, and it would effectively outlaw the practice of hashing passwords. Using cryptographic hashes is standard practice for a reason: a site that stores only hashes cannot leak passwords it never kept.

Allan on hashing and passwords:
https://geekrt.com/read/91/What-is-a-Hash/
https://geekrt.com/read/88/Myths-of-Password-Security/
https://appfail.com/read/184/Password-Security-Misconceptions/
https://appfail.com/read/55/WebCT-fails-at-password-hashing/

Background:
All modern secure websites use ‘hashing’ to store passwords: an irreversible one-way function, often loosely called ‘encryption’ although it is not (there is no key, and nothing to decrypt). The website never knows what your password is; when you log in it runs the same algorithm over the password you typed and, if the result matches the hash in the database, you entered the correct password. Hashing algorithms are deterministic, meaning the same input always produces the same output. This is both a critical part of the system and a potential weakness: if two users have the same password they will have the same hash, and an attacker can hash a list of common passwords once (a rainbow table) and look every stolen hash up against it. To combat this, secure password hashing schemes use a salt: a random value generated per user and mixed into the password before hashing, so that identical passwords produce different hashes and a precomputed table is useless. The salt is not a secret; it is stored alongside the hash, because the same salt is needed to recompute the hash when checking a login attempt.

  • Data retention is evil. The government does not have the right to force other people to collect data on you.
  • The onus is on ISPs, and in this case individual websites, to pay for warehousing all of this data in case the French government or law enforcement asks for it.
  • Secure password hashing is imperative. The main reason some of the major compromises of the past few years, such as Gawker and The Pirate Bay, were not far worse is that the passwords in the stolen databases were hashed.
  • If, for example, the database for a web forum is stolen and no protection was used, all of the passwords are in plain text and ripe for the picking. If plain unsalted hashes are used (MD5, SHA-1, SHA-256/512), brute force or a rainbow table can recover the plain-text passwords; how long that takes depends on the strength of the passwords chosen. If purpose-built salted password hashing schemes are used (the crypt(3) family: MD5-crypt, SHA-256/512-crypt and the Blowfish-based bcrypt), rainbow tables no longer apply and only per-hash brute force remains. The schemes beyond MD5-crypt also have an adjustable cost (a round count), allowing a trade-off between login performance and security and letting the work factor be raised as computers get faster and brute force gets cheaper.

https://www.bbc.co.uk/news/technology-12983734
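The points above (deterministic hashes, per-user salts, an adjustable cost, and why a precomputed table cracks unsalted hashes but not salted ones) as an added, runnable example. This is illustration written for these show notes, not code from any site or library discussed; the stored-string layout `pbkdf2_sha256$<iterations>$<salt>$<digest>` and the function names are my own choices, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for the crypt(3) schemes named in the notes.

```python
import base64
import hashlib
import hmac
import os

# Added example for these show notes, not code from any site discussed here.
# The storage string layout 'pbkdf2_sha256$<iterations>$<salt>$<digest>' and
# the function names are my own choices for illustration.


def bare_hash(password: str) -> str:
    """Unsalted SHA-256, a 'regular hash' in the notes: deterministic, so two
    users with the same password get the same hash and one precomputed table
    cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000, salt=None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The salt is 16 random bytes per user and is stored in the clear next to the
    digest. The iteration count is the adjustable cost the notes mention and is
    stored too, so old, cheaper hashes can be recognised and upgraded later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_stored(stored: str):
    """Split a stored string into (iterations, salt, digest)."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % algo)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time so
    the comparison itself does not leak how many leading bytes matched."""
    iterations, salt, expected = parse_stored(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """True if the hash was made with a lower cost than current policy. Rehash
    on the next successful login; that is how the work factor scales up."""
    return parse_stored(stored)[0] < min_iterations


def crack_with_table(hashes, wordlist):
    """A rainbow table in miniature: hash the word list once, then look up every
    stolen unsalted hash. Against salted hashes the table would have to be
    rebuilt for each salt, which is why salts defeat precomputation."""
    table = {bare_hash(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    alice, bob = hash_password("hunter2", 1000), hash_password("hunter2", 1000)
    print("unsalted hashes equal:", bare_hash("hunter2") == bare_hash("hunter2"))
    print("salted hashes equal:  ", alice == bob)
    print("verify alice:         ", verify_password("hunter2", alice))
    print("cracked via table:    ", crack_with_table([bare_hash("hunter2")], ["password", "hunter2"]))
```

The two salted hashes for the same password differ, so a table built from a word list matches neither, while the single unsalted hash falls to it immediately; raising the default iteration count later only requires `needs_rehash` to be true at login time, with no change to the stored data format.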


Topic: Today Reality rained on Amazon’s Cloud

You need to consider using more than one provider if you want to achieve high availability in the cloud. This is where portability matters: being able to move in and out of different cloud providers easily. Many cloud systems try to lock you in with non-standard interfaces that are highly specialised to their own service.

  • Brought down a huge list of sites, including Reddit, Foursquare, Quora, HootSuite and about.me
  • Latency on EBS volumes, which are the data store backing EC2 instances
  • Internet connectivity issues on EC2 instances (unreachable at times)
  • Affected multiple ‘availability zones’ across the US-EAST-1 region (degraded high availability)
  • Increased error rates on API calls
  • Extreme delays launching and stopping EC2 instances (billing implications: you are billed for each hour or partial hour that an instance is running)
  • Cause: “A networking event early this morning triggered a large amount of re-mirroring of EBS volumes in US-EAST-1. This re-mirroring created a shortage of capacity in one of the US-EAST-1 Availability Zones”
  • Issues have been ongoing for more than 12 hours
  • Amazon has no direct support for users, outside some extremely large customers who pay extra for professional services
  • Does Amazon have an SLA?
  • Affecting other services such as the Relational Database Service
  • Last issue was March 17th, when a router suffered a partial failure and neighbouring routers did not detect the issue and fail over

https://status.aws.amazon.com/rss/EC2.rss
Amazon servers take down Reddit, Foursquare, and more
Amazon’s Cloud Crashed Overnight, And Brought Several Other Companies Down Too
Amazon Outage Shows Limits of Failover ‘Zones’


Topic: How HBGary wrote backdoors for the government

HBGary’s engineering team, working with defence contractor General Dynamics (5th largest defence contractor in the world, which used to make the F-16), was tasked with creating malware and/or rootkits that could surreptitiously infect a computer via USB, FireWire, PCMCIA or Wi-Fi. The end goal was that an operative could infect a computer from nearby, or with only brief physical access to the machine. Like in a spy movie: just walk up to the laptop, plug in the USB stick, wait a few seconds, remove it, walk away, instantly owned. This was ‘Task B’. Later, ‘Task C’ involved exploiting the preview pane in MS Outlook with a specially crafted email.

HBGary claimed to have unreported 0-day exploits for:

  • VMware ESX/ESXi
  • Java
  • Flash
  • Windows 2k3
  • Solaris 10


Topic: RSA Servers hacked, SecurID suffers reduced security

RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.

  • Malware payload sent to groups of employees at RSA
  • At least one employee retrieved the email from their spam folder and opened it
  • The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)
  • Used the Poison Ivy remote administration tool
  • Collected the data on an RSA staging server using stolen credentials and privilege escalation
  • The attacker then transferred the data (password-protected RAR files) via FTP to an external compromised dedicated server at a hosting provider. The files were then removed from both the staging server and the compromised external server

Open Letter to RSA Customers
RSA Breached: SecurID Affected
RSA: SecurID Attack Was Phishing Via an Excel Spreadsheet
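Two of the steps in the chain above leave artefacts a defender can look for: the Excel file carrying a Flash object, and the bulk upload of archives to an outside host. The script below is an added example for these notes, not RSA’s own detection logic or any published rule. It scans bytes for a plausible SWF header inside a legacy Office (OLE) container, and scans FTP-proxy style log records for archive uploads to non-internal hosts. The log format, the internal address prefixes and every sample record are constructed for the example.

```python
import re
import struct

# Added example for these show notes, not RSA's detection logic or anyone's
# published rule. Log format, address prefixes and sample data are constructed.

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")           # uncompressed, zlib and LZMA Flash
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound file


def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header inside data.

    A SWF header is the 3-byte signature, a 1-byte version and a little-endian
    uint32 length of the uncompressed file. Insisting on a sane version and
    length avoids flagging the letters 'FWS' wherever they occur by chance.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0 or off + 8 > len(data):
                break
            version = data[off + 3]
            (length,) = struct.unpack_from("<I", data, off + 4)
            if 1 <= version <= 40 and 8 < length < 100 * 1024 * 1024:
                hits.append((off, magic.decode("ascii"), version, length))
            start = off + 1
    return hits


def is_suspicious_office_file(data: bytes) -> bool:
    """Legacy Office container carrying any Flash object: quarantine for analysis."""
    return data.startswith(OLE_MAGIC) and bool(find_embedded_swf(data))


# Constructed FTP-proxy style records: time, user, verb, remote host, file, bytes.
FTP_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<verb>STOR|RETR) (?P<host>\S+) (?P<file>\S+) (?P<bytes>\d+)$"
)
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")


def flag_archive_uploads(lines, internal_prefixes=("10.", "192.168.")):
    """Flag uploads (STOR) of archive files to hosts outside the internal ranges.
    The prefix match is a crude stand-in for a real internal-network lookup.
    Returns (ts, user, host, file, bytes) tuples, largest transfer first."""
    flagged = []
    for line in lines:
        m = FTP_LOG_RE.match(line)
        if m is None or m["verb"] != "STOR":
            continue
        if m["host"].startswith(internal_prefixes):
            continue
        if m["file"].lower().endswith(ARCHIVE_SUFFIXES):
            flagged.append((m["ts"], m["user"], m["host"], m["file"], int(m["bytes"])))
    return sorted(flagged, key=lambda rec: rec[4], reverse=True)


def sample_office_file() -> bytes:
    """Constructed: an OLE header, one 512-byte sector of padding, then a
    zlib-compressed (CWS) SWF header claiming a 4096-byte file."""
    swf_header = b"CWS" + bytes([10]) + struct.pack("<I", 4096)
    return OLE_MAGIC + b"\x00" * 504 + swf_header + b"\x00" * 64


SAMPLE_FTP_LOG = [
    "2011-03-01T02:14:07Z svc_build STOR 10.20.30.40 nightly.zip 1048576",
    "2011-03-01T03:41:55Z jsmith RETR 10.20.30.41 report.xls 20480",
    "2011-03-02T01:03:12Z jsmith STOR 203.0.113.77 data-03.rar 73400320",
    "2011-03-02T01:09:40Z jsmith STOR 203.0.113.77 data-04.rar 81788928",
]


if __name__ == "__main__":
    print("office file suspicious:", is_suspicious_office_file(sample_office_file()))
    for rec in flag_archive_uploads(SAMPLE_FTP_LOG):
        print("archive upload:", rec)
```

The SWF check deliberately requires the version byte and length field to be plausible rather than matching the three signature letters alone, otherwise any text containing “FWS” would fire; the upload check ignores downloads and internal-to-internal transfers so that only the exfiltration pattern (archives leaving the network) remains.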


Followup:

Facebook followup: https://hardware.slashdot.org/story/11/04/19/2322248/Facebooks-Server-Room-Penthouse-Cooling-Caught-On-Video

Dropbox followup:
https://tirania.org/blog/archive/2011/Apr-19.html
It turns out that Dropbox claims in one place that encryption makes it impossible for employees to see into user files (making it sound as if files are encrypted separately under each user’s key), but in another says only that employees are ‘prohibited’ from doing so. The reason is that Dropbox uses a single key that it controls for all encryption, which protects against a stolen disk but not against Dropbox itself or anyone who compromises it.


Download:

The post The Cloud Fails | TechSNAP 2 first appeared on Jupiter Broadcasting.
