Bacula – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Low Security Pillow Storage | TechSNAP 343
https://original.jupiterbroadcasting.net/119566/low-security-pillow-storage-techsnap-343/
Tue, 31 Oct 2017 22:00:02 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

OpenSSH CLI escape sequences

  • Notes from when Dan was experimenting with this: the sequences only work if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. ~ must be the first character after ENTER.
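A model of that rule, added here as an example (it is not code from the episode or from OpenSSH itself): the escape character is honoured only as the first character of a line, so a backspace or any other keystroke typed before it turns it into an ordinary character. The action table summarises the ESCAPE CHARACTERS section of ssh(1); the class and function names are this example's own.

```python
"""Model of the OpenSSH client's rule for recognising the ~ escape character.

Added example, not code from the episode or from OpenSSH. It mirrors the
behaviour described in the show notes: the escape character counts only as
the first character of a line (right after Enter); anything typed before it,
including a backspace, makes it an ordinary character that is sent through.
The action table summarises the ESCAPE CHARACTERS section of ssh(1).
"""

ESCAPE_CHAR = "~"

# Escape sequences listed in ssh(1), keyed by the character typed after ~.
ESCAPE_ACTIONS = {
    ".": "disconnect",
    "\x1a": "background ssh (Ctrl-Z)",
    "#": "list forwarded connections",
    "&": "background ssh at logout, waiting for forwarded sessions to end",
    "?": "display the list of escape characters",
    "B": "send a BREAK to the remote system",
    "C": "open the command line (port forwarding)",
    "R": "request rekeying of the connection",
    "V": "decrease verbosity (LogLevel)",
    "v": "increase verbosity (LogLevel)",
}


class EscapeScanner:
    """Splits typed input into bytes forwarded to the server and local actions."""

    def __init__(self, escape_char=ESCAPE_CHAR):
        self.escape_char = escape_char
        self.at_line_start = True     # true before the first keystroke and after Enter
        self.escape_pending = False   # the previous keystroke was an honoured ~

    def feed(self, typed):
        """Return (text forwarded to the server, list of local actions triggered)."""
        forwarded, actions = [], []
        for ch in typed:
            if self.escape_pending:
                self.escape_pending = False
                if ch in ESCAPE_ACTIONS:
                    actions.append(ESCAPE_ACTIONS[ch])
                    continue                  # consumed locally; still at line start
                if ch != self.escape_char:
                    forwarded.append(self.escape_char)   # unknown sequence: ~ passes through
                # ~~ sends one literal ~; in both cases ch is now an ordinary character
            elif self.at_line_start and ch == self.escape_char:
                self.escape_pending = True    # only honoured directly after Enter
                continue
            forwarded.append(ch)
            self.at_line_start = ch in "\r\n"
        return "".join(forwarded), actions


def scan(typed):
    """Scan one run of keystrokes on a fresh connection (line start assumed)."""
    return EscapeScanner().feed(typed)
```

The third case in the usage below is Dan's observation: `ls`, backspace (0x7f), then `~?` sends all of it to the remote side and triggers nothing locally, because the backspace is an ordinary character that clears the line-start state.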

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

  • According to Kaspersky, the fault rests on the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software.

  • The analyst’s computer was infected with malware while Kaspersky’s product was disabled

  • When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times

  • A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

  • Spent $3,000 to buy 7.4 bitcoins. Saved them to a Trezor hardware wallet. Wrote down the 24-word recovery seed. Set a PIN.

  • Paper went missing

  • Could not remember PIN

  • Tried many times.

  • Tried an exploit…


Feedback


Round Up:

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.

Extended Usefulness | TechSNAP 335
https://original.jupiterbroadcasting.net/118036/extended-usefulness-techsnap-335/
Tue, 05 Sep 2017 21:01:28 +0000


Show Notes:

Extended File Attributes – What?

  • Extended File Attributes Rock! – article from 2011

  • Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times). (from Wikipedia)

  • Different namespaces (or attribute spaces, if you will). On Linux they are user, trusted, security and system; user.* attributes can be set on your own files without root, while the others need privileges or belong to the kernel and security modules (e.g. security.selinux, system.posix_acl_access).

  • Use them for your own purposes, e.g. backup tags, reminders.

  • If you rely upon them, make sure your archive & restore tools support them, and that the support is switched on (GNU tar, for example, needs --xattrs and rsync needs -X). Test, test, test.

  • Most modern Linux and BSD file systems have had this capability for years. So does Mac OS X. Apart from minor interface differences, the feature works identically on all three systems.

  • We mention this mostly to prompt ideas, perhaps you’ve been trying to solve a problem and suddenly this information will show you the solution you’ve been waiting for.
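An added example for the "test, test, test" point (not code from the episode or from any backup tool): Python's tarfile module neither reads nor writes xattrs on its own, so the code below stores them in pax extended headers under the SCHILY.xattr. keyword prefix that GNU tar --xattrs and star use, reads the archive back and compares. The attribute names and values are constructed. The archive step is fed the same dictionary rather than what is read back from disk, so the header round trip can be shown even on a filesystem that refuses xattrs; the second return value reports whether the filesystem kept them, which is the part you cannot take for granted.

```python
"""Carrying extended attributes through a tar archive and checking they survived.

Added example; not code from the episode or from any backup tool. Python's
tarfile stores and returns arbitrary pax extended header records, so xattrs
can ride along under the SCHILY.xattr. prefix used by GNU tar (--xattrs) and
star. The round trip at the end is the check the show notes ask for.
"""
import errno
import io
import os
import tarfile
import tempfile

PAX_XATTR_PREFIX = "SCHILY.xattr."


def read_xattrs(path):
    """{name: bytes} for every xattr on path; {} where the OS or filesystem has none."""
    if not hasattr(os, "listxattr"):           # Python builds without xattr support
        return {}
    try:
        return {name: os.getxattr(path, name) for name in os.listxattr(path)}
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.ENODATA):
            return {}
        raise


def write_xattrs(path, attrs):
    """Set each attr; True only if they can all be read back as written."""
    if not hasattr(os, "setxattr"):
        return False
    try:
        for name, value in attrs.items():
            os.setxattr(path, name, value)
    except OSError:                            # ENOTSUP on e.g. tmpfs/FAT, EPERM outside user.*
        return False
    return all(read_xattrs(path).get(name) == value for name, value in attrs.items())


def xattrs_to_pax(attrs):
    # tarfile wants text header values; GNU tar stores raw bytes, so only
    # UTF-8-clean values travel this way (binary values need GNU tar itself).
    return {PAX_XATTR_PREFIX + name: value.decode("utf-8") for name, value in attrs.items()}


def pax_to_xattrs(pax_headers):
    return {key[len(PAX_XATTR_PREFIX):]: value.encode("utf-8")
            for key, value in pax_headers.items() if key.startswith(PAX_XATTR_PREFIX)}


def archive_with_xattrs(path, arcname, attrs):
    """Bytes of a PAX-format tar holding path, with attrs in its extended header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tar.gettarinfo(path, arcname=arcname)
        info.pax_headers = xattrs_to_pax(attrs)   # tarfile emits these as pax records
        with open(path, "rb") as fh:
            tar.addfile(info, fh)
    return buf.getvalue()


def xattrs_in_archive(tar_bytes):
    """{member name: {xattr name: bytes}} recovered from the archive's pax headers."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {member.name: pax_to_xattrs(member.pax_headers) for member in tar.getmembers()}


def roundtrip(attrs):
    """Tag a constructed sample file, archive it, read the archive back.
    Returns (xattrs recovered from the archive, whether the filesystem kept them too)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.txt")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample file\n")
        on_disk = write_xattrs(path, attrs)
        recovered = xattrs_in_archive(archive_with_xattrs(path, "notes.txt", attrs))
    return recovered["notes.txt"], on_disk


if __name__ == "__main__":
    tags = {"user.backup.tag": b"weekly", "user.reminder": b"rotate before 2018-01"}
    from_archive, on_disk = roundtrip(tags)
    print("archive kept the xattrs:", from_archive == tags)
    print("filesystem kept the xattrs:", on_disk)
```

Run the same round trip against the real tool you back up with (tar, rsync, your backup agent) and diff the `getfattr -d` output of the original and the restored copy; a tool that silently drops user.* tags will pass every other restore test you have.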

On internet privacy, be very afraid

  • In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.

  • In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.

  • Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today.

  • …. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does.

Inside the Massive 711 Million Record Onliner Spambot Dump

  • The mechanics of this spambot

  • The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe. This blog post explains everything I know about it.

  • I’ll take a stab at it and say that there’s not many legitimate drivers using the New South Wales toll road system with Russian email addresses!

  • A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach.

  • Yet another file contains over 3k records with email, password, SMTP server and port (both 25 and 587 are common SMTP ports):

  • This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports.


Feedback


Round Up:

Zsh Configuration From the Ground Up


The post Extended Usefulness | TechSNAP 335 first appeared on Jupiter Broadcasting.

Belmont IRL | Ask Noah 14
https://original.jupiterbroadcasting.net/116111/belmont-irl-ask-noah-14/
Mon, 26 Jun 2017 19:19:03 +0000
Feed excerpt: — The Cliff Notes — Have a Backup Plan Retro Thinkpad – it’s Alive! KeepassX 2.2 Release with Yubikey Support Linux Surprises Linus Veronica on Twitter IRL Podcast — Noobs Corner — Check out the […]


— Show Notes: —

— The Cliff Notes —

— Noobs Corner —

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

The post Belmont IRL | Ask Noah 14 first appeared on Jupiter Broadcasting.

Some Fishy Chips | TechSNAP 317
https://original.jupiterbroadcasting.net/114371/some-fishy-chips-techsnap-317/
Wed, 03 May 2017 01:51:09 +0000


Show Notes:

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2008

  • Bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6.

  • Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)

  • Are you affected? Read this!

Tarsnap


Feedback


Round Up:


The post Some Fishy Chips | TechSNAP 317 first appeared on Jupiter Broadcasting.

Tales of FileSystems | TechSNAP 315
https://original.jupiterbroadcasting.net/113981/tales-of-filesystems-techsnap-315/
Tue, 18 Apr 2017 20:55:39 +0000
Feed excerpt: Apple’s New File System: Who Cares? Apple’s Hierarchical File System Apple File System ZFS, jails, FreeBSD FreeBSD Jails Origins of FreeBSD Jail and why imperfect […]


Show Notes:

Apple’s New File System: Who Cares?

ZFS, jails, FreeBSD

  • FreeBSD Jails

  • Origins of FreeBSD Jail and why imperfect virtualization is good

  • Jails are like little virtual machines (jails) running on a bigger machine (the jail host)

  • From the jail host (often just referred to as the host), you can see into the jails, see everything that’s running, monitor, etc.

  • Stuff in the jail cannot see outside the jail and has no interaction with the host.

  • You can configure the host so that the jail can access stuff on the host (e.g. a tape drive) but that requires explicit action by the sysadmin.

  • Simplified concept of a FreeBSD Jail: create a directory, install FreeBSD in there, chroot, done.


Feedback


Round Up:

Other links:


The post Tales of FileSystems | TechSNAP 315 first appeared on Jupiter Broadcasting.

Check Yo Checksum | TechSNAP 311
https://original.jupiterbroadcasting.net/107681/check-yo-checksum-techsnap-311/
Wed, 22 Mar 2017 00:54:22 +0000
Feed excerpt: Bacula Deep Dive – as requested by Matt Yakel Bacula: Cross-Platform Client-Server Backups – from 2004, FYI only Sony SDT 10000 Tape Drive Bacula – […]


Show Notes:

Bacula Deep Dive – as requested by Matt Yakel


Feedback


Round Up:


The post Check Yo Checksum | TechSNAP 311 first appeared on Jupiter Broadcasting.

Don’t Panic & P your S | TechSNAP 310
https://original.jupiterbroadcasting.net/107531/dont-panic-p-your-s-techsnap-310/
Tue, 14 Mar 2017 21:23:24 +0000


Show Notes:

Malware found preinstalled on 38 Android phones used by 2 companies

  • Malicious apps were surreptitiously added somewhere along the supply chain.

  • Check Point didn’t disclose the names of the companies that owned the infected phones. One of the affected parties was a “large telecommunications company” and the other was a “multinational technology company.”

  • It’s interesting how this came out on March 10 and the WikiLeaks notice about compromised cellphones came out a few days earlier. Coincidence?

“Vault 7” by WikiLeaks

  • A total of 8,761 documents have been published as part of ‘Year Zero’, the first in a series of leaks the whistleblower organization has dubbed ‘Vault 7.’ WikiLeaks said that ‘Year Zero’ revealed details of the CIA’s “global covert hacking program,” including “weaponized exploits” used against company products including “Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

  • Among the more notable disclosures which, if confirmed, “would rock the technology world”, the CIA had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”

  • NOTE: From what I’ve read, this compromise involves first compromising the phone in question and as such is not an attack on the apps themselves.

  • Krebs’ coverage

  • Krebs says: “The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.”

  • Krebs also says: “Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.”

  • See also Espionage vs. Surveillance

  • Best advice: patch your shit, secure physical access, it is not as bad as WikiLeaks is making it out to be.


Feedback


Round Up:

Silent Data Corruption Is Real


The post Don’t Panic & P your S | TechSNAP 310 first appeared on Jupiter Broadcasting.

Gambling with Code | TechSNAP 305
https://original.jupiterbroadcasting.net/106721/gambling-with-code-techsnap-305/
Tue, 07 Feb 2017 23:31:28 +0000


Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

  • In this case, it was the accountants who noticed something was wrong.

  • What? No centralised real-time monitoring?

  • In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

  • Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

  • He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

  • On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

  • By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

  • Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the suspect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

  • By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

  • Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

  • But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

  • Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

  • On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

  • The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

  • The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

  • So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.
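The prediction idea from the PRNG paragraphs above, as an added example (not code from the WIRED piece or from any slot machine vendor): a textbook linear congruential generator with the Numerical Recipes constants stands in for the machine's PRNG, and a constructed "machine" reveals only the top 16 bits of its state per spin. Knowing the algorithm and constants, the attacker brute-forces the 16 hidden bits against a few observed spins, recovers the full state, and from then on knows every output. The brute force is the "time and computing power" the article mentions, and the code refuses to predict when the observations do not pin down a single state.

```python
"""Recovering a truncated LCG's state from its outputs and predicting the next ones.

Added example for the PRNG discussion above; not code from the WIRED article or
from any gaming vendor. The generator is a textbook linear congruential
generator (Numerical Recipes constants, modulus 2^32) and the 'machine' that
exposes only the top 16 bits of its state is constructed for the example.
"""

A, C, M = 1664525, 1013904223, 2 ** 32   # Numerical Recipes LCG constants
HIDDEN_BITS = 16                          # state bits the machine never reveals


def lcg_next(state):
    return (A * state + C) % M


class ToyReel:
    """Constructed 'slot machine': each spin advances the LCG and reveals state >> 16."""

    def __init__(self, seed):
        self.state = seed % M

    def spin(self):
        self.state = lcg_next(self.state)
        return self.state >> HIDDEN_BITS


def recover_state(observed):
    """Return the full state after the last observed spin, or None when the
    observations do not single out one candidate (too few spins, or the
    generator is not the one assumed)."""
    first, rest = observed[0], observed[1:]
    matches = []
    for low in range(1 << HIDDEN_BITS):         # every value the hidden bits could take
        state = (first << HIDDEN_BITS) | low
        for out in rest:                         # must reproduce each later output
            state = lcg_next(state)
            if state >> HIDDEN_BITS != out:
                break
        else:
            matches.append(state)
    return matches[0] if len(matches) == 1 else None


def predict_next(observed, count):
    """The next count outputs after the observed run, or None if not recoverable."""
    state = recover_state(observed)
    if state is None:
        return None
    predictions = []
    for _ in range(count):
        state = lcg_next(state)
        predictions.append(state >> HIDDEN_BITS)
    return predictions


if __name__ == "__main__":
    machine = ToyReel(seed=0xC0FFEE)             # constructed seed, never seen by the attacker
    seen = [machine.spin() for _ in range(4)]
    print("observed: ", seen)
    print("predicted:", predict_next(seen, 3))
    print("actual:   ", [machine.spin() for _ in range(3)])
```

With one observed spin every candidate for the hidden bits is consistent and `recover_state` returns None; by the fourth spin the 65536 candidates collapse to one. A real attacker's extra work is everything the example assumes away: identifying the generator and its constants from a purchased machine, and coping with outputs that are a coarse function of the state rather than its top bits, which is where the recorded gameplay and the remote computing the article describes come in.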

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

  • This came to our attention from Shawn
  • For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewall, and generally stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The long-standing issue is updates. When vulnerabilities are found, the code needs to be patched. With these devices that can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks, this isn’t so much of an issue, if the updates are made available to us.
  • We patch our own systems already, patching the firmware on a device… we can do that too.
  • The vast majority of router users are unaware that they require an update. They sit there waiting, and sometimes they are found. When they are found to have a vulnerability, they can become part of a bot-net, a huge collection of devices ready to do the bidding of those with ill-intent. These bot-nets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
  • This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

  • This also came from Shawn

  • Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

  • On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

  • Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

  • That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

  • So some solace there for users because not all is lost. But the document concludes with the following:

  • So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

  • The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

    • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

    • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

    • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

    • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

    • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

    • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

    • Our backups to S3 apparently don’t work either: the bucket is empty

  • Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

  • See also GitLab.com Database Incident

  • see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

  • example of why making sure your backup solution is solid as hell is extremely important

  • The guy is completely honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

  • For context, Myth-Weavers is a website that handles things like the creation, managing and sharing of D&D (and other tabletop RPG) character sheets online ( https://www.myth-weavers.com/sheetindex.php ); they lost about 6 months of data.

  • Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

  • The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

  • Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

  • Not exactly mission-critical data, but still very important data for the audience they cater to. Handcrafted, imagination-related kind of stuff.

  • This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

  • Dataloss at GitLab

  • Thoughts On Gitlab Data Incident

  • Blameless PostMortems and a Just Culture
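A check of the kind the bullets above call for, added here as an example (not GitLab's or Myth-Weavers' tooling): it looks for the failure modes in the incident list, dumps only a few bytes long from a pg_dump that failed silently, dumps that were cut off, dumps older than the schedule, and a destination with nothing in it, and sends one alert listing them all. The header and trailer lines it checks are the ones pg_dump writes in plain format; directory names, thresholds and the sample files are constructed for the example.

```python
"""A backup check that fails loudly, in the spirit of the postmortems above.

Added example; not GitLab's or Myth-Weavers' tooling. The checks map onto
the incident list: a pg_dump that produced a few bytes, a dump that was cut
off, a dump that is older than the schedule, and a destination with nothing
in it ('the bucket is empty'). The header/trailer strings are what pg_dump
writes in plain format; paths, thresholds and sample files are constructed.
"""
import os
import tempfile
import time

PG_DUMP_HEADER = b"-- PostgreSQL database dump"
PG_DUMP_TRAILER = b"-- PostgreSQL database dump complete"


def check_dump(path, now, max_age_hours=24, min_bytes=1024):
    """Problems with one plain-format pg_dump file; an empty list means it looks good."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_size < min_bytes:
        problems.append(f"{path}: only {st.st_size} bytes, pg_dump probably failed")
    age_hours = (now - st.st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"{path}: {age_hours:.0f}h old, older than {max_age_hours}h")
    with open(path, "rb") as fh:
        head = fh.read(4096)
        fh.seek(max(st.st_size - 4096, 0))
        tail = fh.read()
    if PG_DUMP_HEADER not in head:
        problems.append(f"{path}: no pg_dump header, not a dump at all")
    if PG_DUMP_TRAILER not in tail:
        problems.append(f"{path}: no 'dump complete' trailer, dump was cut off")
    return problems


def check_backup_set(directory, now, min_count=1, **limits):
    """Check every .sql file in directory; too few files is itself a failure."""
    dumps = sorted(name for name in os.listdir(directory) if name.endswith(".sql"))
    problems = []
    if len(dumps) < min_count:
        problems.append(f"{directory}: {len(dumps)} dumps found, expected at least {min_count}")
    for name in dumps:
        problems.extend(check_dump(os.path.join(directory, name), now, **limits))
    return problems


def notify(problems, send):
    """Deliver one message listing every problem. Run this on its own schedule,
    not from the backup job: a job that never ran cannot report itself."""
    if problems:
        send("BACKUP CHECK FAILED\n" + "\n".join(problems))
    return bool(problems)


def build_sample_set(directory, now):
    """Constructed sample dumps: one good, one empty, one cut off, one stale."""
    body = PG_DUMP_HEADER + b"\n" + b"INSERT INTO issues VALUES (1);\n" * 200 + PG_DUMP_TRAILER + b"\n"
    samples = {
        "db-good.sql": (body, now - 3600),
        "db-tiny.sql": (b"", now - 3600),                    # pg_dump exited early
        "db-cut.sql": (body[: len(body) // 2], now - 3600),  # interrupted mid-dump
        "db-stale.sql": (body, now - 3 * 86400),             # nothing newer was produced
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def demo():
    """Run the check over the constructed set and return what each check reported."""
    now = time.time()
    sent = []
    with tempfile.TemporaryDirectory() as directory:
        build_sample_set(directory, now)
        problems = check_backup_set(directory, now)
        good_only = check_dump(os.path.join(directory, "db-good.sql"), now)
        too_few = check_backup_set(directory, now, min_count=10)
        empty = check_backup_set(tempfile.mkdtemp(dir=directory), now)
    alerted = notify(problems, sent.append)
    return {"problems": problems, "good_only": good_only, "too_few": too_few,
            "empty": empty, "alerted": alerted, "messages": sent}


if __name__ == "__main__":
    for line in demo()["problems"]:
        print(line)
```

Two things this does not do, on purpose: it does not trust the backup job's own exit status (the pg_dump version mismatch in the write-up failed silently, and a few-byte file was the only symptom), and it does not replace a restore test. A dump that passes these checks still has to be loaded into a scratch database on a schedule before you know it is a backup.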


Feedback:


Round Up:


The post Gambling with Code | TechSNAP 305 first appeared on Jupiter Broadcasting.

Three C’s to Tweet By | TechSNAP 304
https://original.jupiterbroadcasting.net/106551/three-cs-to-tweet-by-techsnap-304/
Wed, 01 Feb 2017 01:23:17 +0000


Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

  • Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported by multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes
  • In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation of what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox chose to keep those files around for years, and eventually restored them due to a blunder. In its File Retention Policy, Dropbox says it will keep files around a maximum of 60 days after users delete them.
  • If you have sensitive data, do not rely on delete, rely on encryption.
  • If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
  • The encryption and decryption should occur on your system, not theirs.
  • Imagine you deleted those risky files just before an international trip, you get asked to power up your laptop, and bang, there are those deleted files back…!

Twitter Activist Security – Guidelines for safer resistance

  • We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
  • This guideline is specifically for Twitter, but many of the suggestions can be applied to other social media as well, though I am not sure how well they will travel. Choose carefully
  • Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
    I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
  • Security Principles To Live By: the basic principles of operational security are actually very simple; they’re what we call the three Cs: Cover, Concealment, Compartmentation

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

  • Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
  • “Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
  • “Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
  • Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
  • Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
  • Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
  • “You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
  • McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
  • “We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
  • Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
    “It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
  • Krebs wrote about this and has a post that is all about skimmers and shimmers
  • Not new tech, been around since at least 2015

Sony’s Hard Lessons | TechSNAP 196 https://original.jupiterbroadcasting.net/75192/sonys-hard-lessons-techsnap-196/ Thu, 08 Jan 2015 19:43:57 +0000


We reflect on the lessons learned from the Sony Hack & discuss some of the tools used to own their network.

Plus an overview of what makes up a filesystem, a rundown of the Bacula backup system & much more!


— Show Notes: —

Schneier: Lessons from the Sony Hack

  • Bruce Schneier, a noted security researcher, discusses the things we can all learn from the Sony hack
  • An attack like this can happen to anyone, but that doesn’t mean Sony didn’t make it easy for the attackers
  • One of the first things to think about when looking at a hack is: Was this an opportunistic attack, or a targeted attack?
  • “You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.”
  • “High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.”
  • “But even scarier are the high-skill, high-focus attacks­ — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies”
  • That is not to say that all high-skill high-focus attacks are committed by governments, the attacker just needs to be highly motivated
  • “This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.”
  • “The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do”
  • “Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.”
  • “We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.”
  • “For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”
  • Additional Coverage
  • Investigators believe a newly identified SMB (Server Message Block, mostly used in Windows file sharing and networking) worm was involved in the Sony hack
  • “The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said”
  • The worm had 5 major components: Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning
  • US-CERT Advisory

Norse identifies 6 individuals they believe behind Sony hack, including Ex-employees


Twitter date bug confuses many client applications.

  • Many Twitter clients, including the popular client TweetDeck, showed tweets during the last week of the year as being from a year ago
  • Many users then found that, even with the official app, they were not able to login anymore
  • Turns out the problem was that Twitter’s servers had been sending the incorrect date for all HTTP responses from the API
  • The wrong date format specifier was used: strftime(3) defines two different ways to express the year
  • The most common one, %Y, is replaced by the year with century as a decimal number
  • It seems that a programmer at Twitter chose the first one in the man page that mentioned the year:
  • %G – is replaced by a year as a decimal number with century. This year is the one that contains the greater part of the week (Monday as the first day of the week).
  • So this went undetected because it would return the correct year, except during the last week of the year, if that week happens to fall more within the new year than within the current year
  • So December 30th 2014 was reported as December 30th 2015, a year in the future
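An added example (not code from the show or from Twitter) that reproduces the mix-up in Python. %G is the ISO 8601 week-based year, computed here from date.isocalendar() rather than the platform strftime so it behaves the same everywhere; the example also goes a little beyond the December case in the notes, since the same bug pushes the first days of some Januaries into the previous year. The dates and the year_skew check are constructed for illustration.

```python
from datetime import date, datetime, timedelta
from typing import List

# %Y is the calendar year. %G is the ISO 8601 week-based year: the year that
# owns the Monday-first week containing the date. They differ only on a few
# days at either end of the year, which is why the bug stayed hidden.

def calendar_year(d: date) -> int:
    return d.year

def iso_week_year(d: date) -> int:
    # Same value strftime("%G") yields; isocalendar() is portable across platforms.
    return d.isocalendar()[0]

YEAR_FIELD = {"Y": calendar_year, "G": iso_week_year}

def http_date(dt: datetime, year_spec: str = "Y") -> str:
    """Render an HTTP Date header. 'Y' is correct; 'G' reproduces the mistake.
    Only the year field is affected, so the weekday name stays right."""
    year = YEAR_FIELD[year_spec](dt.date())
    return dt.strftime(f"%a, %d %b {year:04d} %H:%M:%S GMT")

def parse_http_date(header: str) -> datetime:
    return datetime.strptime(header, "%a, %d %b %Y %H:%M:%S GMT")

def year_skew(header: str, now: datetime) -> int:
    """Client-side sanity check: how many years the server's Date header is
    off from the client's clock. Relative timestamps ("a year ago") and
    cookie/token expiry both go wrong when this is non-zero."""
    return parse_http_date(header).year - now.year

def mismatched_days(year: int) -> List[date]:
    """Every day of `year` on which %G != %Y, i.e. when the bug is visible."""
    out, d = [], date(year, 1, 1)
    while d.year == year:
        if iso_week_year(d) != year:
            out.append(d)
        d += timedelta(days=1)
    return out

# Constructed: a timestamp from the week of the outage.
OUTAGE = datetime(2014, 12, 30, 12, 0, 0)

if __name__ == "__main__":
    print(http_date(OUTAGE, "Y"))   # Tue, 30 Dec 2014 12:00:00 GMT
    print(http_date(OUTAGE, "G"))   # Tue, 30 Dec 2015 12:00:00 GMT
    print(year_skew(http_date(OUTAGE, "G"), OUTAGE))   # 1
    print(mismatched_days(2014))    # 29, 30, 31 December
    print(mismatched_days(2016))    # 1, 2, 3 January
```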

FreeNAS – up and running!


Tales from the TrueCrypt | TechSNAP 164 https://original.jupiterbroadcasting.net/58542/tales-from-the-truecrypt-techsnap-164/ Thu, 29 May 2014 20:29:34 +0000


The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery.

Plus the good news for OpenSSL, the top 10 Windows configuration mistakes, and a big batch of your questions, our answers, and much much more!


— Show Notes: —

TrueCrypt shuts down unexpectedly

  • TrueCrypt is a cross-platform image or whole disk encryption system
  • The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
  • The page states that, now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
  • The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
  • The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
  • This was originally thought to be a hack of the site, or a hoax
  • The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
  • While the code is available, the license is restrictive
  • The developers of TrueCrypt are anonymous
  • GIST tracking various bits of information and speculating about possible causes
  • ThreatPost coverage
  • One of the suspicious things about the announcement is the recommendation to use BitLocker; the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
  • There is some speculation that this could be a ‘warrant canary’, the authors’ way of telling the public that they were forced to do something to TrueCrypt, or to divulge something about TrueCrypt
  • However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
  • The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
  • The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
  • Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

  • The CII has announced its Advisory board and the list of projects it is going to support
  • Advisory Board members include:
    • Longtime Linux kernel developer and open source advocate Alan Cox
    • Matt Green of the Open Crypto Audit Project
    • Dan Meredith of Radio Free Asia’s Open Technology Fund
    • Eben Moglen of the Software Freedom Law Center
    • Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
    • Eric Sears of the MacArthur Foundation
    • Ted T’so of Google and the Linux kernel community
  • Projects identified as core infrastructure:
    • Network Time Protocol
    • OpenSSH
    • OpenSSL
    • Open Crypto Audit Project, to conduct a security audit of OpenSSL
  • The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
  • The OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
  • OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 windows server security misconfigurations

  • NCC Group does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
  • The following is the result of an analysis of their last 50 such surveys:
    • Missing Microsoft Patches: 82%
    • Insufficient Auditing: 50%
    • Third-Party Software Updates: 48%
    • Weak Password Policy: 38%
    • UAC Disabled for Administrator Account: 34%
    • Disabled Host-Based Firewall: 34%
    • Clear Text Passwords and Other Sensitive Information: 24%
    • Account Lockout Disabled: 20%
    • Out-of-Date Virus Definitions: 18%
    • No Antivirus Installed: 12%
  • Conclusions: Everyone makes the same mistakes, over and over
  • Most of these problems are trivial to fix
  • Part of the problem is a culture of ‘patch averseness’. Partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
  • Part of this is the fact that they only issue updates once a month, and only once they have been tested
  • In the study, most of the machines that were missing patches were missing patches more than a year old, so it isn’t just conservatism but a complete lack of proper patch management

Ultimate Backups | TechSNAP 26 https://original.jupiterbroadcasting.net/12623/ultimate-backups-techsnap-26/ Thu, 06 Oct 2011 19:52:13 +0000


We’ll tell you about AT&T leaving Android open to a hack so easy, my two year old son could pull it off. Plus Firefox goes to battle with McAfee, and is Bank of America under attack?

Then – We delve into backups, from the fundamentals to the very best tools!

All that and more, in this week’s TechSNAP!


Show Notes:

Security hole in AT&T Samsung Galaxy S II

  • Bug allows someone to bypass the security lockout screen, accessing the phone without the password
  • The flaw does not exist on the Sprint version of the Samsung Galaxy S, or the Epic Touch 4G
  • Press the lock button to wake the phone and you will be prompted with the unlock screen. Allow the phone to go back to sleep, immediately tap the lock button again, and you will have access to the phone
  • This feature is likely designed for the situation where you are waiting for some interaction on the phone and it falls asleep: if you press a button to wake it within a few seconds, it doesn’t prompt you to unlock the phone again. This is a useful feature; however, it should be predicated on the fact that you just recently unlocked the phone (don’t make me unlock the phone twice within 90 seconds, or something similar)
  • The flaw only affects phones that have been unlocked once since boot
  • Since the flaw only affects the AT&T version of the phone, it would seem to be based on software added to the phone by AT&T, which appears to cache your response to the unlock screen and use it to bypass the screen when you re-wake the phone immediately after it goes to sleep.
  • Another example of the vendors messing with the core Google product.
  • Users with Microsoft Exchange security policies don’t seem to be affected
  • Users can adjust the settings on their phone by going to Settings -> Location and Security -> Screen unlock settings -> Timeout and setting the value to Immediately, disabling the ‘feature’ that presents the vulnerability.
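A model of the grace-period logic described above, added here as an illustration (assumed behaviour, not the AT&T or Samsung code): the vulnerable variant reuses the cached unlock on any quick re-wake, the hardened variant additionally requires that the PIN was entered recently, and a grace of 0 corresponds to the ‘Immediately’ timeout setting. All timings are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockScreen:
    """Wake/sleep grace logic. Times are seconds on a monotonic clock."""
    require_recent_unlock: bool          # False models the vulnerable build
    grace_seconds: float = 5.0           # assumed re-wake window; 0 = 'Immediately'
    recent_unlock_seconds: float = 90.0  # bound on "just recently unlocked"
    unlocked_once: bool = False          # the flaw needs one unlock since boot
    last_unlock: Optional[float] = None
    slept_at: Optional[float] = None

    def unlock_with_pin(self, t: float) -> None:
        self.unlocked_once = True
        self.last_unlock = t

    def sleep(self, t: float) -> None:
        self.slept_at = t

    def wake(self, t: float) -> bool:
        """True if this wake skips the unlock screen, False if the PIN is asked for."""
        if not self.unlocked_once or self.slept_at is None:
            return False                      # never unlocked since boot: always prompt
        if t - self.slept_at > self.grace_seconds:
            return False                      # asleep too long: prompt
        if not self.require_recent_unlock:
            return True                       # vulnerable: cached answer reused forever
        return t - self.last_unlock <= self.recent_unlock_seconds


def double_tap_sequence(phone: LockScreen) -> bool:
    """The sequence from the notes: wake (prompt shown), let the screen doze,
    tap again. The owner last entered the PIN long before. Returns True when
    the second wake lands on the home screen without a PIN (the flaw)."""
    phone.unlock_with_pin(0.0)
    phone.sleep(600.0)
    phone.wake(5000.0)            # long asleep, so the unlock screen is shown
    phone.sleep(5030.0)           # screen times out again, still locked
    return phone.wake(5031.0)     # immediate re-tap


def owner_quick_rewake(phone: LockScreen) -> bool:
    """Legitimate case: owner unlocks, screen dozes, owner taps again at once."""
    phone.unlock_with_pin(6000.0)
    phone.sleep(6020.0)
    return phone.wake(6022.0)


if __name__ == "__main__":
    print(double_tap_sequence(LockScreen(require_recent_unlock=False)))   # True  (bypass)
    print(double_tap_sequence(LockScreen(require_recent_unlock=True)))    # False (PIN asked)
    print(double_tap_sequence(LockScreen(False, grace_seconds=0)))        # False (Immediately)
    print(owner_quick_rewake(LockScreen(require_recent_unlock=True)))     # True  (still convenient)
```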

Firefox advises users to disable McAfee Plugin

  • Firefox says the McAfee ScanScript plugin causes stability and security problems
  • The problem only seems to affect the new Firefox 7; it is likely caused by a compatibility problem with versions of ScanScript designed for older versions of Firefox
  • Firefox has started generating popup warnings to users using versions of McAfee older than 14.4.0 due to an incredibly high volume of crash reports
  • McAfee says it is working with Firefox to solve the issue for the next version of the software
  • McAfee is very popular in corporate environments and is often enforced with an Active Directory Group Policy that makes it nearly impossible for the end user to disable the virus scanner

Bank of America – Unexplained Outages – Is it an attack?

  • The Bank of America website has been degraded, slow, returning errors or down for more than 6 days
  • Bank of America (BofA) said its Web and mobile services have not been hit by hacking or denial-of-service attacks, however they would not disclose what has been causing the online problems.
  • Quote: “I just want to be really clear. Every indication [is that] recent performance issues have not been the result of hacking, malware or denial of service,” said BofA spokeswoman Tara Burke. “We’ve had some intermittent or sporadic slowness. We don’t break out the root cause.”
  • The problems began Friday morning, a day after BofA announced it would charge a $5 monthly fee for account holders using their debit cards
  • Additional Coverage

Feedback:

Continuing our Home Server Segment – This week we are covering backups.
Before we cover some of the solutions, we should look at some of the concepts and obstacles to creating proper backups. There are a number of different ways to back things up, but the most popular involves using multiple ‘levels’ of backup.

  • Full backup
    • This is a backup of every file (or a specific subset, or everything except specific exclusions) on a system.
    • This is the base of higher level backups, and is also known as a level 0 backup
    • Full backups are the biggest and take the longest
  • Differential backup
    • A differential backup is one that includes every file that has changed since the last full backup was started (this is important).
    • It is very important that higher level backups always be based on the START time of the lower level backup, rather than the last modified or finish time. If a file changed after it was backed up but before that backup completed, we want to be sure to include it in the next backup
    • Differential backups require only the most recent full backup to restore
  • Incremental backup
    • An incremental backup consists of every file that has changed since the start of the last backup of any level
    • Incremental backups are the smallest and fastest
    • Incremental backups can take the longest to restore, and can require access to each of the previous differential backups since the last full backup, plus that most recent full backup
    • Incremental backups offer a trade-off: they take less time and less storage, but they slow the recovery process.
    • Incremental backups, due to their smaller size, make it easier to keep ‘point in time’ backups of files, rather than just the most recent.
  • Some backup systems do away with the name designations, and allow even more granularity
    • A level 0 backup is a full backup
    • A level 1 is everything that has changed since the level 0
    • A level n is everything that has changed since the last level n–1 or higher
    • Systems such as the unix ‘dump’ utility allow up to level 9 backups
  • Some backup systems, such as Bacula, support ‘synthetic full backups’
    • A synthetic backup is when you use a full backup, plus more recent differential and incremental backups, to create a new, more recent full backup.
    • This can be especially advantageous in remote and off-site backup systems, where transferring the full data set over the network can be very slow and costly.
  • rsync
    • Not actually a backup tool; it just creates and synchronizes a copy of the files
    • Copies only the changes to the files, so is faster
  • snapshots
    • A point-in-time copy of the files in a filesystem (supported by LVM, UFS, ZFS, etc.)
    • A good place to take a backup from; resolves issues with open files
  • bacula
    • Designed to back up a large number of machines
    • Quite a bit of setup (Director, Storage Daemon, SQL Database, File Daemons (Clients))
    • Cross platform
    • Powerful deduplication system, and ‘base backups’
    • Support for Windows Volume Shadow Copy (snapshots of open files)
  • flexbackup
    • Simple perl script that creates archives (tar, cpio, etc.) with optional compression (gzip, bzip2, etc.).
    • Uses the ‘find’ command to create multi-level backups based on modified date
  • BackupPC
    • rsync based
    • Supports FTP, SCP, RCP, & SMB for Windows
    • Is very smart about how it handles portable devices that miss backups.
    • Its magic is its de-dupe hard-link mojo that saves tons of space
    • Bit of a nerd project to get going, but is bullet proof once it’s in
  • TarSnap – BSD Encrypted Cloud Backup
  • Mondo Rescue – GPL disaster recovery solution
  • CrashPlan – Online Backup Software, Disaster Recovery
  • Allan’s AppFail.com article about backups
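An added example, not code from any of the tools above, that turns the full/differential/incremental definitions into a file-selection and restore-chain calculation in Python. It follows the rule that a higher level is measured from the START of the run it is based on, and a `base_on="finish"` switch shows which file a finish-time implementation silently misses. Run times and file mtimes are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

FULL, DIFFERENTIAL, INCREMENTAL = 0, 1, 2   # the three named levels above


@dataclass(frozen=True)
class BackupRun:
    level: int
    started: datetime
    finished: datetime


def base_run(history: List[BackupRun], level: int,
             before: Optional[datetime] = None) -> Optional[BackupRun]:
    """The earlier run a backup of `level` is measured against: a differential
    looks back to the newest full, an incremental to the newest run of any
    level. None for a full, or when no usable base exists."""
    if level == FULL:
        return None
    runs = [r for r in history if before is None or r.started < before]
    if level == DIFFERENTIAL:
        runs = [r for r in runs if r.level == FULL]
    return max(runs, key=lambda r: r.started, default=None)


def select_files(files: Dict[str, datetime], history: List[BackupRun],
                 level: int, base_on: str = "start") -> List[str]:
    """Names of the files a new `level` backup must contain, given their mtimes.
    base_on="finish" reproduces the mistake the notes warn against."""
    base = base_run(history, level)
    if base is None:
        return sorted(files)            # nothing to be relative to: take everything
    cutoff = base.started if base_on == "start" else base.finished
    # >= rather than >: a file written at the instant the base run began may
    # have been read before the write landed, so include it.
    return sorted(name for name, mtime in files.items() if mtime >= cutoff)


def restore_chain(history: List[BackupRun]) -> List[BackupRun]:
    """Runs needed, oldest first, to restore the state as of the newest run."""
    if not history:
        return []
    chain = [max(history, key=lambda r: r.started)]
    while chain[-1].level != FULL:
        prev = base_run(history, chain[-1].level, before=chain[-1].started)
        if prev is None:
            break                       # no full to anchor the chain: restore is incomplete
        chain.append(prev)
    return list(reversed(chain))


# Constructed sample: a weekly full on Sunday (01:00-03:00) during which
# notes.txt was modified, a differential on Tuesday, an incremental on
# Wednesday, and the files' mtimes as seen mid-week.
SUN_FULL = BackupRun(FULL, datetime(2011, 10, 2, 1, 0), datetime(2011, 10, 2, 3, 0))
TUE_DIFF = BackupRun(DIFFERENTIAL, datetime(2011, 10, 4, 1, 0), datetime(2011, 10, 4, 1, 10))
WED_INC = BackupRun(INCREMENTAL, datetime(2011, 10, 5, 1, 0), datetime(2011, 10, 5, 1, 5))
SAMPLE_FILES = {
    "/etc/passwd":        datetime(2011, 10, 1, 12, 0),   # untouched since before the full
    "/home/a/notes.txt":  datetime(2011, 10, 2, 2, 30),   # changed while the full was running
    "/var/log/app.log":   datetime(2011, 10, 3, 10, 0),   # Monday
    "/home/a/report.odt": datetime(2011, 10, 4, 15, 0),   # Tuesday, after the differential
}

if __name__ == "__main__":
    print(select_files(SAMPLE_FILES, [SUN_FULL], DIFFERENTIAL))            # notes, report, app.log
    print(select_files(SAMPLE_FILES, [SUN_FULL], DIFFERENTIAL, "finish"))  # notes.txt missed
    print(select_files(SAMPLE_FILES, [SUN_FULL, TUE_DIFF], INCREMENTAL))   # report only
    print([r.level for r in restore_chain([SUN_FULL, TUE_DIFF, WED_INC])])  # [0, 1, 2]
```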

Round Up:

Jupiter Broadcasting stats

  1. Firefox 42.66%
  2. Chrome 29.73%
  3. Internet Explorer 14.43%

Backups & Server Hardware | TechSNAP 6 https://original.jupiterbroadcasting.net/8557/backups-server-hardware-techsnap-6/ Mon, 23 May 2011 00:20:31 +0000


Every six hours the NSA collects as much data as exists in the entire Library of Congress, and we have a few practical notes on how a system like that could even function.

We follow up on Dropbox, and it looks like the FTC is getting involved with their recent snafus.

Plus we answer a big batch of your emails, and our backup tips for home, small business, and the enterprise!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com



Show Notes:

Topic: NSA collects data on a massive scale

NSA Gathers 4x the Amount of Info than the Library of Congress, Daily

  • NSA gathers data at an incredible rate, equivalent to the entire content of the US Library of Congress every 6 hours.
  • The Library of Congress contains nearly 150,000,000 catalogued entries.
  • The Library of Congress ‘American Memory’ site contains tens of petabytes of public domain images and audio/video recordings.
  • The NSA has the ability to apply for patents under a gag order; if and only if another entity tries to patent the same process do the NSA patents become public. NSA patents never expire.
  • https://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F6947978 – the NSA patented the technique of geo-location by pinging a series of routers, which we discussed a few weeks ago during the iPhone GPS story.


Topic: new US Internet censorship bill, the ‘PROTECT IP’ Act

Revised ‘Net censorship bill requires search engines to block sites, too
https://arstechnica.com/tech-policy/news/2011/04/google-private-web-censorship-lawsuits-would-create-trolls.ars

  • Law is in part about attacking foreign sites that US law enforcement currently cannot target
  • Proposes to require search engines to remove results for sites at the request of not only the government, but also of rights holders. Have we not seen enough false positives and trolling via the DMCA?
  • Rights holders would not have to seek government assistance to have sites censored, but could seek court orders directly against payment processors and advertising networks (but not ISPs or search engines)
  • Actively encourages search engines and other sites to take action without any sort of court order
  • Act will protect ad networks and payment processors from being sued by the customers they spurn if they “voluntarily cease doing business with infringing websites, outside of any court ordered action”. The definition of infringing is left up to the rights holder.

Book recommendation: The Master Switch (Audio Book / Audible Sign up)


Topic: Lying about security for a competitive edge

https://www.wired.com/threatlevel/2011/05/dropbox-ftc/
https://www.wired.com/images_blogs/threatlevel/2011/05/dropbox-ftc-complaint-final.pdf

  • A complaint has been filed with the Federal Trade Commission claiming that Dropbox engaged in Deceptive Trade Practices by claiming to securely store your data when they in fact do not store it according to industry best practices.
  • It is the belief of the complainant that the security claims made by dropbox gave them a competitive advantage over other services, specifically, users might have chosen a more secure service if they were aware of the problems with dropbox
  • At issue is a specific claim from the Dropbox website that has since been retracted when it was discovered that it was false: “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”
  • Because Dropbox uses only a single AES-256 key, rather than a separate one for each user, employees and others at Dropbox may access your files at any time without your password. The Dropbox page has been updated to reflect the fact that Dropbox will turn over your files if requested by law enforcement or possibly other parties.

Topic: Q&A

Q: (akito) What do data centers use for fire suppression now that Halon is frowned upon?
A: Some data centers still use Halon, however most have switched to using ‘clean agents’ such as FM-200 that are designed to remove the ‘heat’ from a fire. Unlike other agents, FM-200 does not leave an oily residue or otherwise degrade your equipment. Some systems use CO2 to displace the oxygen in the space and suppress the fire that way. Also 3M has developed a non-conductive fluid that can be used in place of Halon without damaging equipment.
https://solutions.3m.com/wps/portal/3M/en_US/Novec/Home/Product_Information/Fire_Protection/
https://www.youtube.com/watch?v=1iz4o3W6IJM

War Story: No means none, not even a little bit

(Allan) Interesting story from when I worked at Ontario Power Generation. There was a problem with one of the CRAC (Computer Room Air Conditioner) units in the on-site data center, and a refrigeration technician was dispatched. Before we let him into the server room we specifically told him that he must come to us before he started any kind of soldering or welding, as it would set off the fire suppression system, which thankfully no longer flooded the room with Halon, but still triggered an emergency shutdown of all electrical systems in the entire IT wing of the North Admin building. Basically, when a fire is detected by the system, the klaxon sounds and you have 30 seconds to silence the alarm before it is escalated, at which time the power is cut and Halon (if it had not been disabled) would be deployed. I was down the hall from the server room in one of the test labs, working on the Windows NT4 to Win2000 migration. Out of nowhere, the fire alarm went off. At first I was startled, then it clicked: the repairman had forgotten to warn us that he was going to begin soldering. I took off at a dead run towards the alarm panel. As I got closer I heard the alarm tone change; I only had 10 seconds left before the power to every server would be cut and the UPS system would be bypassed. We’d have spent hours cleaning up the mess and explaining what went wrong. Thankfully, I reached the panel in time and jammed the big red silence button, saving the day.

Q: (DreamsVoid) I would like to back up my Linux and Windows computers to my Linux server using rsync. How should I set this up?
A: rsync has many advantages, specifically the way it can compute the delta between files and significantly reduce the amount of data that has to be transferred during a backup. However, rsync is not a good backup solution because it only creates a copy of the file, not a true backup. In a true backup system, you retain multiple versions of each file from different dates. Say for example a file is corrupted, if you do not notice this right away, during the next rsync, the ‘backup’ copy of the file will be replaced with the corrupted one, and you will have no recourse. If all of your computers are on a LAN, you don’t have any real worries about the amount of bandwidth you are using transferring the files, and a proper backup solution is best.

rsync for windows: https://itefix.no/cwrsync/
BackupPC – open source backup to disk: https://backuppc.sourceforge.net/
Bacula – high end open source network backup system: https://www.bacula.org

Q: (Nean) What are the differences between a server and a normal desktop computer?
A: Generally they are not all that different, but some servers have additional features and capabilities that are not necessary in a regular desktop. Typically, higher end servers have redundant power supplies, both because they need to draw more power than a single power supply can provide and to be able to continue operating in the event that one of the power supplies dies. Servers, and some high end desktops, also have redundant disks, taking advantage of various RAID configurations to allow the server to continue operating even if one or more disks stop functioning. Servers typically have dedicated RAID controllers that support more exotic forms of RAID than the typical on-board controller found in high end desktops. Servers also tend to have remote management cards that allow an administrator to access the BIOS and even manipulate the keyboard/mouse remotely, instead of having to be local to the machine.
