Show Notes:

Linux at CES 2013:

Brought to you by: System76

• Exclusive interview: Valve’s Gabe Newell on Steam Box, biometrics, and the future of gaming

• Canonical received massive attention and award at CES 2013

• A $17,000 Linux-Powered, Auto-Aiming Hunting Rifle

• Mark Shuttleworth about Ubuntu for phones: “We have a new build of this, like as of tonight, that’s even snappier” (CES 2013)

• Ubuntu At CES | jonobacon@home

• Pebble Says It’s Finally Ready to Ship

• Pebble. The smartwatch with Linux at its heart!

• Lego Mindstorms EV3 hands-on: an incredible toy right out of the box (video)

• OLPC XO–4 convertible laptop is faster than ever and coming soon (hands-on)

• Samsung: Windows RT tablets cancelled in the U.S.

Runs Linux:

• Shane’s Raspberry Pi Cluster, Runs Linux

Android Pick:

• Chrome Beta
• Beta for Chrome on Android now available
• Android Picks so far thanks to Madjo in the IRC Chat room!

Desktop App Pick:

• nmon for Linux

• Picks so far

• Madjo

Search our past picks:

• Linux Action Show Lookup
• Thanks to sakuramboo!

Git yours hands all over our STUFF:

• Jupiter Broadcasting Affiliate Extensions
• Callisto-app – Google Project Hosting
• Quick Update to the Jupiter Broadcasting Android App

News:

• Blizzard Entertainment Planning A Linux Game For 2013

• Samba: Less Important Because Windows is Less Important

• Time to move on… – WebcamStudio

• Ubuntu 12.04.2 LTS Release With Hardware-Enablment Gets Delayed

• Plasma Active, Sailfish, and Ubuntu Phone Developers Discussing Common APIs

• aseigo: QML component API’s to come together?

• Report: ZTE to bring Firefox OS to Europe

Feedback:

• I want to get a local library to switch to Linux

• You can develop for Android on Android.

• ARM Driver Troubles

• Are we supposed to like Android just because we love Linux?

• HDD + SSD = Save power?

• knockd + Android = Remote Admin Bliss

• undistract-me

Chris’ Stash:

• Resolutions & Martian Meteorite | SciByte76

What’s Matt Doin?

• Is The New Ubuntu Phone An Android-Killer? Probably Not.
• Writing about Linux, sometimes, even asking tough questions
• Offering newbie centric advice, in my articles

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter:

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook:

• Jupiter Broadcasting on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Linux Wins CES | LAS | s25e03 first appeared on Jupiter Broadcasting.

Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Why a password isn’t good enough anymore

• An article by Mat Honan, the Wired writer who had his entire online existence destroyed earlier this year
• An attacker wanted to steal the twitter handle @mat, and so started by trying to do a password reset on twitter.
• This directed the attacker to Mat’s gmail account
• When trying to initiate a password reset set on the gmail account, he was directed to Mat’s Apple account
• The attacker called Apple and using information about Mat from Twitter, Facebook, Google etc, he managed to reset the password for Mat’s Apple account
• Using the Apple account, the attacker was able to disable and remotely wipe Mat’s Apple devices (iPhone, iPad and Macbook)
• Once the attacker was in control of the Apple account, he was able to reset the password for the Gmail account
• Then to reset the password for the Twitter account
• Watch TechSNAP 70 for the full story
• In this followup article we get an even closer look at what happened, and an in-depth analysis of other recent happenings
• A lot of the problems discussed in the article are not weaknesses in passwords specifically, but in the people and systems that use them
• Authentication Bypass – When an attacker finds a way to access an account or service without needing the password at all. We have seen this with Dropbox, Oracle and others in past episodes of TechSNAP, or the recent case with Skype, where it failed to properly authenticate you before allowing you to reset account, we’ll cover that later in this episode.
• Brute Force – Accounts for services like POP3, FTP, SSH, and SIP are under constant attack, all day, every day. Attackers attempt to compromise the accounts in order to gain access for various reasons, from using the initial password as a stepping stone to gain access to more sensitive accounts, to using your machine to scan for yet more weak passwords, or as a source of spam. Attackers are constantly attempting common username and password combinations against every public facing server on the internet, using apps such as DenyHosts, Fail2Ban or SSHGuard to protect these servers is a must.
• Database Compromise – Services such as Sony PSN, Gawker, LinkedIn, Yahoo, eHarmony, LastFM and others had their databases compromised, and their lists of passwords dumped online. Often these passwords were hashed (MD5, SHA1, SHA256), but not always. Even a hashed password is little protection, it doesn’t immediately disclose your password, but with tools like Rainbow Tables and GPU accelerated cracking, these hashes were quickly cracked and the plain text passwords posted online. Hopefully more services will start using properly secure Cryptographic Hashes (sha512crypt, bcrypt) that take tens of thousands of times more computational power for each attempt to crack a password. Some algorithms like bcrypt are also, thus far, immune to GPU acceleration, actually taking longer on a GPU than a CPU.
• Disclosure – People often share their passwords, I don’t know how many facebook accounts have been ‘hacked’ by friends or ex’s because you willingly gave them your password, or you gave them the password to something else, and they used one of the other techniques described here to gain access to something you didn’t mean for them to have access to.
• Eavesdropping – Someone could be listening on the wire (or in the air in the case of wireless or mobile data connections) and see your password as it goes between your computer and the remote service. Most services now login over SSL to prevent this, but older services such as FTP (still very popular for web hosting, where your password may be shared with the web hosting control panel that has access to reset your email password) are not encrypted.
• Exposure – This is when you accidently give away your password, it happens on IRC at least once a week, someone attempts to enter the command to identify, but prefixes it with a space or something and ends up displaying their password to the entire chat room. Users will also sometimes accidentally enter their password in the username field, or their credit card number in the field that is for the ‘name as it appears on the card’, which causes it not to be treated with the same level of security.
• Guessing and Inference – When people base their password on birthdays or pet’s names, they become easy to guess. If you compile a largish list of keywords about a person, including bands and songs they like, their family and friends names, important dates, sports teams etc, and run it through an app like John The Ripper, which will make variations of those passwords, including l33t speak transformations, adding numbers and symbols, are are likely to get a fairly high success rate. In addition to guessing, there is inference, if you know that Bob’s password for gmail is: bobisgreat@gmail then you can probably guess that his password for facebook is: bobisgreat@facebook. If there is a pattern or ‘system’ to your passwords, once someone compromises ONE of those passwords, they have a much greater chance of compromising them all.
• Key Logging – When an attacker, using hardware or software, is able to record the keys you type in your keyboard, thus capturing your password as you input it. Apps like LastPass may seem to help with this, but they usually use an OS API to simulate typing the keys to remain compatible with all applications. Clipboard scanners can also often catch passwords.
• Man-in-the-Middle – An attack that intercepts your traffic and pretends to be the service you are trying to connect to, allowing it to capture your password, even if it was encrypted. SSL/TLS was designed to prevent Man-in-the-Middle attacks by verifying the identity of the remote server, however with Certificate Authority being compromised and issuing false certificates and tools such as SSLStrip to trick you into not using SSL, it is still possible for your communications to be intercepted.
• Phishing – Emails meant to look like they are from an official source, whether is be eBay, PayPal or your bank, prompt you to login on a page that looks like the legitimate one, but is not. Once you enter your details, the attackers have all they need to know to compromise your real account. Combine this with the weak DKIM keys from a few weeks ago, a compromised Certificate Authority and a man-in-the-middle DNS attack, and you have no way of knowing that when you entered https://www.paypal.com in to your browser, you actually ended up on an attackers site instead.
• Reply Attack – When an attacker is able to capture you authenticating in some secure manner, but is able to resend that same information and authenticate as you later, without ever knowing your password
• Reuse – Using the same password on multiple sites means that when one of them is compromised, they all are. I keep telling you, use lastpass.
  • Secret Questions – So, when you setup that new account and it prompts you for some secret questions/answers, consider carefully what you put down. You’re going to need to be able to remember it later to regain access to the account (or some accounts ask them when they suspect you are logging in from a different computer), but if they are simple ones that someone could look up via google or facebook (remember, the attacker could be someone you know, so your privacy settings on facebook might not be enough), then it isn’t good enough.
  • Social Engineering – In the case of the Mat Honan compromise, the weakest link turned out to be AppleCare Support, they very much wanted to be helpful and allow him to recover his accounts, the only problem was, the caller was not Mat Honan, but the attacker, to managed to guess and trick his way through the security questions and gain control of the Apple and Amazon accounts.
  • See some old Blog post by Allan for more reading at [GeekRoundTable] ](https://www.geekrt.com/read/88/Myths-of-Password-Security/) and AppFail
• These issues are endemic across the entire internet, and it is important that you be aware of them and take steps to protect yourself as best you can
• A comparison of two major password dumps has shown that half of all passwords were used on both sites, the problem of password reuse is growing rather than shrinking
• Having a long and strong password is important, but you have to consider the other ways someone could compromise your account, the weakest link is the most likely avenue of attack
• If you have the option, you should enable two-factor authentication, adding one more step makes the attackers job that much harder, but remember, this doesn’t mean you are immune, RSA and Blizzard authenticators have been compromised in the past when their seed values were stolen from the central databases.

---

Skype IDs hijackable by anyone who knows your email address

• An attacker found a way to bypass the authentication in skype’s password reset system, and take over any target account for which the email address was known
• The Instructions
• Register for a new account, using the email address of the victim
• Login to Skype using that new account
• Initiate a password reset for the victim’s account
• Skype will email the victim a password reset token, but the token will also pop up in the skype client for all accounts that use that email address, allowing the attacker to get the token
• Use the token to reset the password of the victim account
• Login to the victim’s account and remove their email address and add your own (one that no one knows) and you now own that account
• Skype disabled the password reset system a few hours later, then fixed the issue and re-enabled the password reset system. Tokens are no longer displayed in logged-in skype clients. This makes sense, and I question why it was ever the other way around, because if you are logged in, you are unlikely to have forgotten your password (unless it was saved I guess).
• Skype’s Reaction
• NextWeb Coverage
• NextWeb Followup

---

Feedback:

• Which server OS should I use?
• Home Server Hardware Swap
• SHODAN search
• Keeping FreeBSD Up to Date?
• Why did Allan decide to use hardware RAID with ZFS?
• Why would MD5 security be important to verifying a download?
• Multi-Master MySQL backups

Round Up:

• Origin Accounts Hacked – Maybe Change Your Password
• StackExchange podcast talks more about hurrican sandy and the effort to keep the Peer1 datacenter online
• Google declares Flash is now ‘fully sandboxed’ in Chrome for Windows, Mac, Linux and Chrome OS
• Google reveals seven years of evolving data-center strategy
• NSA Outs Top-Secret Report That Missed the Future of Supercomputing
• Hardcoded passwords leave Telstra routers wide open
• CyanogenMod’s domain hijacked by community member, now using .org
• Adobe’s Connectusers.com site was compromised via SQL injection, 150k user accounts and plain MD5 hashes leaked
• Blizzard sued over the cost of Battlenet Authenticators
• Researchers scan public malware infection forums (such as BleepingComputer) and find HJT and DDS logs from computers running SCADA software
• Critical Vulnerabilities in Call of Duty: Modern Warfare 3 and the Cryengine3 could compromise the systems of both gamers, the game servers, and the game companies
• NASA to have all laptops encrypted before the end of the year, and laptops containing sensitive information no longer allowed to leave it’s facilities

The post Patch Your Password | TechSNAP 84 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/23236/server-puppeteering-techsnap-71/ Thu, 16 Aug 2012 15:46:51 +0000 https://original.jupiterbroadcasting.net/?p=23236 Automating your server deployments and configurations has never been easier, find out what Allan uses to get the job done! Plus Blizzards database beach details

The post Server Puppeteering | TechSNAP 71 first appeared on Jupiter Broadcasting.

]]>



Rumor has it the playstation network has been hacked again, but we’ve got the real story. Blizzard suffered a nasty database breach, and it might be much worse then they are letting on.

Plus: Automating your server deployments and configurations has never been easier, find out what Allan uses to get the job done!

All that and a lot more, in this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Show Notes:

Attacker claims to have broken in to Sony PSN again, Sony denies claim

• Attackers have pasted 3000 password hashes and email addresses from an alleged list of 10 million
• The official Playstation twitter account has denied the claim
• Most of the password hashes appear to be the phpBB modified version of the openwall phpass hashing system, although some appear to be raw SHA1 hashes
• This specific hashing algorithm suggests that the passwords are not from PSN, but from a forum database
• However, since the Sony network might use a single-signon system, it may be possible that these passwords are the same as ones on the PSN network
• Others have suggested it is just data from the previous attack last year

Blizzard admits Battlenet was compromised

• This week the security team at Blizzard discovered unauthorized access to their internal servers
• Information that is known to have been accessed includes:
  • Email Address
  • Answer to security question
  • Cryptographic verifiers for account passwords
  • Information relating to Mobile and Dial-In Authenticators
• Blizzard does not believe at this time that any payment information (credit card numbers, billing addresses, real names) were taken
• Battlenet uses the Secure Remote Password protocol (SRP), which is designed to allow remote users to authenticate in such a way that an network eavesdropper would not be able to retrieve the user’s password, or perform an offline dictionary attack against it
• The need for such a protocol has long been obviated by SSL/TLS, which provider stronger protection against eavesdroppers, and also prevents attacks that involve altering the messages or spoofing the identity of the endpoint
• This might have made sense when battlenet was originally introduced, SSL was too costly in terms of performance
• Using a standard password cryptographic hashing algorithm, even just md5crypt would likely have been more secure (obviously bcrypt would have been better) as far as a compromised database. Maybe they will transition to something better now

• One blogger who took the time to read the official SRP whitepaper written by the protocol author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime.

  “Blizzard is incorrect in claiming that SRP ‘is designed to make it extremely difficult to extract the actual password’ after the verifier database is stolen,”

• Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled “SRP Won’t Protect Blizzard’s Stolen Passwords,”
• However: a Battle.net 2.0 emulator suggests that at least some of the hashed Blizzard’s passwords were generated with an SRP implementation that uses a 1024-bit modulus, rather than the 256-bit modulus described in the whitepaper. The tweak makes password cracking take about 64 times longer than it would using the lower-bit setting.
• Why hacked Blizzard passwords aren’t as hard to crack as company says
• Additional Coverage: PCMag
• Additional Coverage: Gamespot

Feedback:

• Raymii created a Security Question Answers Generator Page!
  • Violates rule #3 of a security question, the answers are not ‘memorable’
  • Randomly generated answers are technically not stable or definitive either
  • Relies on you remembering or storing the answer, in case you fail to remember or store your password… (the secret answers should not be stored, or stored as security as the original password itself, since they can be used in place of, or to reset the password)
  • Cool site, decent random password generator ala XKCD
• White Spiral from the chatroom wrote in with a number of suggestions for security questions
  • Your questions are not very applicable to average users (none of my ex-girlfriends had bad breath)
  • Questions related to sex pose numerous problems, including offending customers, or causing an unpleasant work environment for support employees who must ask these questions over the phone
  • User generated questions require more database resources, but likely solve the problems of applicability
  • Most users are likely worse at coming up with their own questions than the site will be
• Jim emails in and suggests: why not use pictures of people you know! The first question might be their name and the second question may be the location.
  • You can’t use this type of security question over the phone
  • There may be privacy issues with storing pictures of 3rd parties on behalf of the customer (what if the database gets hacked, and now pictures of me uploaded by someone else are leaked)
  • I may not be able to remember the location the picture was taken in a few years

• Peter suggests committing a lot of crimes , and confessing one to each company that requires a security answer

• Q: I did bad-do I have to give up my internet license?

• Q: Configuration management automation?
  • BSDMagazine’s January issue has a how-to for deploying Puppet on FreeBSD, the steps would be very similar on any linux distro

Question for a future episode:

Sr. SysAdmins and Techs, what would you like your Jr. co-workers to know or learning more about before joining the work force?

Round-Up:

• BBC Olympics Coverage – Visitor & Data throughput statistics
• Wikileaks gets $37K in donations via Bitcoin
• Saudi Arabia’s National Oil Company Kills Network After Cyber Attack

The post Server Puppeteering | TechSNAP 71 first appeared on Jupiter Broadcasting.