Best Practices – Jupiter Broadcasting
https://www.jupiterbroadcasting.com – Open Source Entertainment, on Demand.
Feed last updated Wed, 11 Jul 2018 15:27:15 +0000

Security Amateur Hour | LINUX Unplugged 257
https://original.jupiterbroadcasting.net/125991/security-amateur-hour-lup-257/
Wed, 11 Jul 2018 07:27:15 +0000

Show Notes/Links: linuxunplugged.com/257

The post Security Amateur Hour | LINUX Unplugged 257 first appeared on Jupiter Broadcasting.

Operation FreeNAS Rescue | TechSNAP 355
https://original.jupiterbroadcasting.net/122267/operation-freenas-rescue-techsnap-355/
Thu, 08 Feb 2018 14:54:24 +0000


Show Notes:

In just 24 hours, 5,000 Android devices are conscripted into mining botnet

A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines digital coins on behalf of the unknown attackers, researchers said.

Google Cloud Platform Blog: 12 best practices for user account, authorization and password management

Account management, authorization and password management can be tricky. For many developers, account management is a dark corner that doesn’t get enough attention. For product managers and customers, the resulting experience often falls short of expectations.

Operation FreeNAS Rescue

  • eSATA vs. a new hardware rig.
  • Staged upgrade: move the FreeNAS boot drive on the internal USB header over to the new rig.
  • Slide in the new disks, and power it up!
  • After it booted and we verified it saw the drives, it was time to create our pool.

Feedback / Follow Up

Google’s partnership with WordPress aims to jump-start the platform’s support of the latest web technologies — particularly those involving performance & mobile experience. And they’re hiring WordPress experts.

The post Operation FreeNAS Rescue | TechSNAP 355 first appeared on Jupiter Broadcasting.

]]>
The Dev Jungle | CR 57
https://original.jupiterbroadcasting.net/40042/the-dev-jungle-cr-57/
Mon, 08 Jul 2013 11:18:22 +0000

Busting myths around outsourcing and insourcing development work, and sticking with good old tech for bad reasons...


The guys bust some myths around outsourcing, and insourcing development work. Striking a balance when trying to codify better practices in the workplace, sticking with good old tech for bad reasons…

Plus a big batch of your feedback!

Thanks to:

Use our code coder249 to get a .COM for $2.49.

Feedback

  • Nehemiah’s Email: Leader of the Dev Ops Revolution
  • Cary asks if Mike’s ever been in a situation where coders reject progress — uses Python3 as an example.
  • Kevin’s email
  • Mike and NDAs
  • Donald is concerned about getting a job in the software industry out of uni.

Importing Outsourcing:

"There's a tremendous shortage of skilled workers," said Craig Giffi, a vice chairman of the consulting firm Deloitte. A recent survey it did found that 83% of manufacturers reported a moderate or severe shortage of skilled production workers to hire.

"We are creating unfilled jobs," said Microsoft chief counsel Brad Smith, speaking at a forum on immigration policy at the Brookings Institution in Washington, D.C. "We have a shortage."

Smith said Microsoft currently has 6,000 openings, 3,400 of which are for software engineers, developers, programmers, and the like. He said Microsoft can't fill many of the positions because it is unable to find enough applicants with the high-tech skills it needs in key areas like cloud computing and mobility.

"It's a problem that's approaching dimensions of a genuine crisis," said Brad Smith, Microsoft executive vice president and general counsel.

Perfect Passwords | TechSNAP 11
https://original.jupiterbroadcasting.net/9666/perfect-passwords-techsnap-11/
Thu, 23 Jun 2011 23:38:50 +0000

We cover why you always want a little salt with your passwords, and what makes a secure password. Plus Dropbox's shockingly bad security issue this week!


We’ve got the details of an FBI raid that knocked several popular sites off-line.

The WordPress plugin repository was compromised, and backdoors were added to a few popular plugins, and we’ll share the details.

Plus Dropbox’s shockingly bad security issue this week, and we’ll cover why you always want a little salt with your passwords!

All that and more, on this week’s TechSNAP!


Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!


Topic: FBI raids data center and takes 3 entire racks

  • At 1am on Tuesday the FBI raided the Virginia, USA data center of Swiss web hosting company DigitalOne.
  • DigitalOne's website was still offline late Wednesday.
  • DigitalOne does not have any staff on-site and relies on remote hands from the data center operator, CoreSite. DigitalOne was not aware of what the problem was until hours later, when the data center contacted them and passed along the name of the agent in charge and a phone number for DigitalOne to contact the FBI.
  • When requested, DigitalOne had given the FBI information on the IP address they inquired about and told them the exact location of the server. However, the FBI seized 3 entire racks of servers rather than only the server they were after.
  • There are rumours that this raid was related to an investigation into LulzSec.
  • A number of services like Pinboard and Instapaper were affected.

Topic: WordPress.org gets hacked, plug-ins compromised

  • WordPress.org is not sure exactly what happened
  • Plug-in repository compromised
  • Malicious code was found in commits to popular plugins like W3 Total Cache, AddThis and WPTouch
  • WordPress took the prophylactic step of forcing all users to reset their passwords to prevent any further compromised code from being pushed out.

Topic: Adobe patches two 0-day exploits in 9 days

  • Adobe issued a second 'out of band' security update for Flash Player in only 9 days due to another exploit
  • Reportedly, one of the 0-day exploits was being used to steal users' Gmail passwords
  • The vulnerability was listed as critical, as it might allow an attacker to take complete control of a system
  • The nightmare scenario is a trusted page being compromised and Flash malware inserted into it
  • Make sure you update to the latest version of Adobe Flash

Topic: Dropbox goes passwordless, for 4 hours

  • A flaw at Dropbox allowed users to log in with any password and access the account
  • This means anyone who knew your email address could have accessed your account and files. They could also have authorized additional devices, so they could continue to access your files even after the flaw was fixed.
  • Dropbox claims less than 1% of users logged in during that time (seems low)
  • Official Notice from Dropbox
  • If Dropbox used proper encryption with one key per user, files could not be accessed without the correct password. However, this security measure would take away a lot of the 'easiness' of Dropbox that people are so fond of.

Topic: Bitcoin currency exchange compromised

  • The major bitcoin currency exchange MtGox had its database compromised and was taken offline when a large number of fraudulent trades were made, swinging the market.
  • The compromised account sold all of its coins, forcing the market price down, then bought them all back and tried to cash out
  • Accounts that had not been used recently had not had their passwords upgraded from the original unsalted MD5 hash to the standard FreeBSD crypt() MD5 salted hash.
  • MtGox managed to get hold of someone at Google, and Google forced all users with Gmail accounts at MtGox to reset their passwords
  • Once MtGox is back up, they plan to switch to SHA-512 salted hashes.
  • MtGox claims that the computer of a 3rd-party auditor who had read-only access to the database was compromised, the insecurely hashed passwords were then cracked, and those accounts were used by the attackers.

Q: (Keith) Can you explain salted hashing and two factor authentication in more detail?
A: Some websites, especially older forums and bespoke software, store your password as a plain MD5 or SHA1 hash. These can easily be broken with a rainbow table, and can also be brute-forced rather quickly using GPUs. To protect passwords against rainbow tables, modern password hashing algorithms use a 'salt'. A salt is just some random characters added to the password before it is hashed. In the FreeBSD crypt() MD5, the default is 8 base64 characters. This means that a rainbow table would have to cover those extra 8 characters as well to be able to crack the password. Also, the salt is different for each account, so a separate rainbow table would be required for each user, and two users with the same password won't have the same hash. What many people don't realize when they try to implement their own password hashing using regular MD5 is that the FreeBSD crypt() MD5 does 100 rounds of hashing, not just one. This was sufficiently slow when it was designed, but is much less so now. That is why other algorithms, like SHA-512 and Blowfish, have become more popular. On top of having larger salts (16 and 22 characters respectively), they use an adjustable number of rounds of the hashing algorithm. This allows the administrator to decide on a performance/security trade-off that best fits their needs.
Lecture notes by Allan on how Password Hashing Works
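As an added illustration of the salted, iterated scheme described above (example code, not from the show or from FreeBSD's crypt()), the Python below contrasts a plain MD5 with a per-account random salt and an adjustable round count. It uses PBKDF2-HMAC-SHA512 from the standard library in place of the crypt() algorithms, the `$scheme$rounds$salt$digest` record format is a constructed stand-in for the modular crypt format, and the rehash check covers the MtGox case of accounts whose hashes were never upgraded.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2-sha512"  # label for this example's constructed storage format

def unsalted_md5(password: str) -> str:
    """Legacy scheme from the show notes: one plain MD5, no salt, no rounds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, rounds: int = 210_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt is drawn per call
    (i.e. per account) unless supplied; the round count is stored alongside
    so it can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "${}${}${}${}".format(SCHEME, rounds,
                                 base64.b64encode(salt).decode("ascii"),
                                 base64.b64encode(digest).decode("ascii"))

def parse_stored(stored: str):
    """Split '$scheme$rounds$salt$digest'; None if the record is malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:
        return None

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    rounds, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, current_rounds: int) -> bool:
    """True when a record uses an old scheme or fewer rounds than current
    policy, so it should be rehashed at the user's next successful login."""
    parsed = parse_stored(stored)
    return parsed is None or parsed[0] < current_rounds
```

Two accounts with the same password get different records because each draws its own salt, while an unsalted MD5 record would be identical for both and crackable once for everyone.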

To answer the other part of your question, multi-factor authentication means using more than one way to confirm the user is who they claim to be. Two-factor authentication just means using 2 of the 3 factors to confirm the user's identity, rather than just one. The three types are:

  • Something you know (username/password, secret question, PIN)
  • Something you have (ID card, security token, RFID, cell phone)
  • Something you are (fingerprint, retina scan, signature, voice sample)

So, the typical ATM card system is two-factor authentication: something you have (bank card) and something you know (PIN). However, the PIN is not a very strong authenticator. As we've seen in recent weeks, even a security token can be compromised, and some forms of attack, like the ZeuS trojan, just wait until you authenticate to perform their attack.


Bitcoin Blaster:

AMD Announces new Fusion System Architecture – How will this affect bitcoin mining?
Symantec finds virus that steals your bitcoins

Lulz Roundup:

LulzSec’s Primary tool? Havij v1.14 Advanced SQL Injection
FAKE: LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census
LulzSec Ring Leader Arrested
LulzSec-Exposed (counter hacking group) claims authorities are closing in
LulzSec teams up with Anonymous for Operation AntiSec

Lightning Round:

Mozilla End-of-Lifes Firefox 4 – No more security updates
Google builds plugin to detect unsafe DOM operations like XSS
