breach – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 28 Apr 2016 13:55:49 +0000

On Target | TechSNAP 264 https://original.jupiterbroadcasting.net/99151/on-target-techsnap-264/ Thu, 28 Apr 2016 05:53:17 +0000

The post On Target | TechSNAP 264 first appeared on Jupiter Broadcasting.


This week, Chris & Allan are both out of town at different shenanigans, but they recorded a sneaky episode for you in which they recap the Target breach, from when the news broke to the lessons learned and everything in between!

Can You Hack Me Now? | TechSNAP 259 https://original.jupiterbroadcasting.net/98086/can-you-hack-me-now-techsnap-259/ Thu, 24 Mar 2016 17:50:27 +0000

The post Can You Hack Me Now? | TechSNAP 259 first appeared on Jupiter Broadcasting.


Verizon Enterprise gets breached & the irony is strong with this one, details on the NPM fiasco & why the SAMSAM is holding up the doctor.

Plus some great questions, a packed round up & much, much more!

Show Notes:

The NPM Fiasco

  • NPM is a package manager for Node.js
  • The Node.js ecosystem is “special”
  • It provides packages that are mostly code snippets, usually individual functions
  • Many packages depend on a number of other packages to work correctly
  • For example, the package ‘isArray’, which is a one-line function to tell if an object is an array, is depended upon by 72 other packages
  • There was a package called ‘kik’, created by Azer Koçulu
  • Kik.com, a mobile messaging app, wanted to create their own new package, called kik, for some new open source project
  • Unpleasant discussions occurred
  • Eventually kik.com had the NPM managers transfer ownership of the kik package name to the kik.com account
  • Azer was offended by this, and deleted all of his packages from NPM (around 250 different packages)
  • This fallout had unintended consequences
  • One of the modules, left-pad, was a simple 11 line function to left-pad a string or number with spaces or zeros.
  • Left-pad had been downloaded 2,486,696 times in the last month
  • It was a dependency for a huge number of projects, including Node.js itself and Babel
  • NPM then restored the module to unbreak the other applications
  • module’s author’s Medium.com post
  • kik.com’s Medium.com post
  • Official NPM blog post
  • Blog Post: Have we forgotten how to program?
  • Left-pad as a service
  • “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.”
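The exposure described in the quote above depends on how each package.json declares its version range. The following is an added example, not part of the original show notes and not npm's own code: it checks whether a direct dependency on a freed package name would accept a patch bump published by a new owner. The range matcher covers only a subset of npm's syntax, and the manifest and version numbers are constructed sample data.

```javascript
'use strict';

// Parse a full "MAJOR.MINOR.PATCH" string into numbers, or null if it is not one.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-way comparison of two parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`? Handles a subset of npm range syntax:
// exact pins, ^, ~, >=, "*", "latest" and x-ranges. Returns null for anything
// it cannot parse, so the caller can flag the entry for manual review.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return null;
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'latest' || /^[xX]$/.test(r)) return true;

  // x-ranges and partial versions: "1", "1.x", "1.2", "1.2.x"
  const x = /^(\d+)(?:\.(\d+|[xX*]))?(?:\.[xX*])?$/.exec(r);
  if (x) {
    if (Number(x[1]) !== v[0]) return false;
    return x[2] === undefined || !/^\d+$/.test(x[2]) || Number(x[2]) === v[1];
  }

  const m = /^(\^|~|>=|=)?\s*(\S+)$/.exec(r);
  const base = m ? parseVersion(m[2]) : null;
  if (!base) return null;
  const op = m[1] || '=';
  if (op === '=') return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  if (op === '>=') return true;
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // Caret: the leftmost non-zero component may not change.
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Next patch release after `version`: the kind of bump the quote describes.
function nextPatch(version) {
  const v = parseVersion(version);
  return v ? `${v[0]}.${v[1]}.${v[2] + 1}` : null;
}

// For each direct dependency whose name was freed for re-registration, report
// whether the declared range would select a patch bump from a new owner.
function auditManifest(manifest, freedNames, lastPublished) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      if (!freedNames.includes(name)) continue;
      const bump = nextPatch(lastPublished[name] || '');
      const accepts = bump === null ? null : satisfies(bump, range);
      const status = accepts === null ? 'review' : accepts ? 'exposed' : 'pinned';
      findings.push({ name, section, range, bump, status });
    }
  }
  return findings;
}

// Constructed sample data. Package names come from the quote; every version
// number and range below is made up for the example.
const SAMPLE_MANIFEST = {
  dependencies: {
    'left-pad': '^1.0.2',
    map: '0.1.4',
    express: '^4.13.0',
    alert: '~0.3.1',
  },
  devDependencies: { iframe: '*', subscription: '>=1.0.0 <2.0.0' },
};
const FREED_NAMES = ['left-pad', 'map', 'alert', 'iframe', 'subscription'];
const LAST_PUBLISHED = {
  'left-pad': '1.0.2', map: '0.1.4', alert: '0.3.1', iframe: '0.2.0', subscription: '1.4.0',
};

for (const f of auditManifest(SAMPLE_MANIFEST, FREED_NAMES, LAST_PUBLISHED)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.range} (candidate bump ${f.bump})`);
}
```

This covers only the direct dependencies declared in one manifest; transitive dependencies carry their own ranges and need the same check.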

Verizon Enterprise Customer Data Breached

  • “Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned”
  • “Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise”
  • “The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site”
  • “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
  • So it seems to just be contact details from a database on the website, not more intimate details like login credentials for their networks, or other details that Verizon would possess as they administer and investigate the networks of their customers
  • It appears the data is in MongoDB format, which suggests that might be the format it was stored in on the Verizon side
  • “The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).”
  • “According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.”
  • This attack may have been more targeted in nature, although it is possible it was just opportunistic, because Verizon failed to secure its database
  • Customers of Verizon whose data was breached are likely targets for various types of spear phishing, including emails pretending to be from Verizon, who provides network security and post-breach investigation services to these customers

Cisco Talos reveals SAMSAM ransomware

  • Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.
  • This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
  • A particular focus appears to have been placed on the healthcare industry.
  • Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
  • Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
  • SamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts that key with RSA-2048 bit encryption. This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms.
  • One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
  • There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers.
  • This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware.
  • The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication.
  • As we have monitored this activity, we have started to see changes in the amount and types of payment options available to victims. Initially, we saw a payment option of 1 bitcoin for each PC that has been infected.
  • Later we saw the price for a single system has been raised to 1.5 bitcoin. It is likely the malware author is trying to see how much people will pay for their files.
  • They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems.

Feedback:

 
HEADS UP Stand ready to patch all of your Windows, Linux, BSD, OS X, iOS, Android, and other servers. And all of your routers, print servers, set-top boxes, smart TVs, IoT devices. And basically anything with a CPU. The “BADLOCK” bug will be revealed on April 12th, 2016, a critical vulnerability in the SMB protocol, so it affects Windows and all other implementations of the protocol (Samba, whatever Apple uses, whatever Android uses, etc.)


ZFS does not prevent Stupidity | TechSNAP 222 https://original.jupiterbroadcasting.net/85007/zfs-does-not-prevent-stupidity-techsnap-222/ Thu, 09 Jul 2015 16:46:33 +0000

The post ZFS does not prevent Stupidity | TechSNAP 222 first appeared on Jupiter Broadcasting.


From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more!


— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

  • Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
  • The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
  • Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
  • Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
  • A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
  • Adobe released a patch on July 7th 2015
  • Researchers have also found that the Adobe Flash zero-day has already been used in the wild.
  • “In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
  • The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
  • In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
  • Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
  • Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
  • Additional Coverage: Security Week
  • Additional Coverage: CSO Online
  • Additional Coverage: Net Security
  • Additional Coverage: Daily Dot
  • Additional Coverage: Threat Post — Update: Hacking Team to continue operations
  • Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

  • After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted 3 letter Twitter handle, everyone raced to set up Two Factor Authentication for their Apple ID
  • The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
  • The hacker was able to reset the password for the Apple ID account by socially engineering the operation at Apple by using stolen information from public data, and from a hacked Amazon account
  • In the aftermath, Apple promised to increase training of its support operators and improve security
  • As part of this, when you enable two factor authentication, Apple issues you a recovery key. A short text string that you should print and store in a safe place
  • Without it, you cannot recover your account if you lose the password
  • This system is far more secure, but it has its drawbacks
  • Journalist loses recovery key, and Apple ID
  • If you, like Owen from the link above, lose your recovery ID, and your account is compromised or you lose your password, you have no way to get it back
  • Apple has drawn a hard line in the sand: for the sake of security, they can’t recover an account without that recovery key. You specifically asked to be protected from impersonation etc.
  • In the wake of scandals such as “the fappening”, this strong stance on security makes sense
  • However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
  • But, can you blame them?
  • “Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
  • “Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
  • Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not widespread. All that hype for nothing

  • “During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
  • Impact: “An attacker could cause certain checks on untrusted certificates, such as the CA (certificate authority) flag, to be bypassed, which would enable them to use a valid leaf certificate to act as a CA and issue an invalid certificate.”
  • If you installed the OpenSSL update from June 11th, which blocks DH parameters shorter than 768 bits, your system is affected
  • This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
    • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
    • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
  • Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
  • This further suggests that OpenSSL needs to separate new features from bug and security fix releases
  • Why are any new features being added to OpenSSL 1.0.1?
  • Shouldn’t all new development happen only in the bleeding edge version?
  • Why has a sane release model not been adopted yet?

Homeland Insecurity | TechSNAP 220 https://original.jupiterbroadcasting.net/84302/homeland-insecurity-techsnap-220/ Thu, 25 Jun 2015 17:45:34 +0000

The post Homeland Insecurity | TechSNAP 220 first appeared on Jupiter Broadcasting.


Google’s datacenter secrets are finally being revealed & we’ll share the best bits. Why The US Government is in no position to teach anyone about Cyber Security, how you can still get hacked offline, A batch of great questions, a huge round up & much, much more!


— Show Notes: —

After years of wondering, we can finally find out about Google’s Data Center Secrets

  • “Google has long been a pioneer in distributed computing and data processing, from Google File System to MapReduce to Bigtable and to Borg. From the beginning, we’ve known that great computing infrastructure like this requires great datacenter networking technology.”
  • “For the past decade, we have been building our own network hardware and software to connect all of the servers in our datacenters together, powering our distributed computing and storage systems. Now, we have opened up this powerful and transformative infrastructure for use by external developers through Google Cloud Platform.”
  • ““We could not buy, for any price, a data-center network that would meet the requirements of our distributed systems,” Vahdat said. Managing 1,000 individual network boxes made Google’s operations more complex, and replacing a whole data center’s network was too disruptive. So the company started building its own networks using generic hardware, centrally controlled by software. It used a so-called Clos topology, a mesh architecture with multiple paths between devices, and equipment built with merchant silicon, the kinds of chips that generic white-box vendors use. The software stack that controls it is Google’s own but works through the open-source OpenFlow protocol.“
  • “At the 2015 Open Network Summit, we are revealing for the first time the details of five generations of our in-house network technology.”
  • “Our current generation — Jupiter fabrics — can deliver more than 1 Petabit/sec of total bisection bandwidth. To put this in perspective, such capacity would be enough for 100,000 servers to exchange information at 10Gb/s each, enough to read the entire scanned contents of the Library of Congress in less than 1/10th of a second.”
  • “We use a centralized software control stack to manage thousands of switches within the data center, making them effectively act as one large fabric, arranged in a Clos topology”
  • “We build our own software and hardware using silicon from vendors, relying less on standard Internet protocols and more on custom protocols tailored to the data center”
  • “Putting all of this together, our datacenter networks deliver unprecedented speed at the scale of entire buildings. They are built for modularity, constantly upgraded to meet the insatiable bandwidth demands of the latest generation of our servers. They are managed for availability, meeting the uptime requirements of some of the most demanding Internet services and customers. Most importantly, our datacenter networks are shared infrastructure. This means that the same networks that power all of Google’s internal infrastructure and services also power Google Cloud Platform. We are most excited about opening this capability up to developers across the world so that the next great Internet service or platform can leverage world-class network infrastructure without having to invent it.”
  • ““The amount of bandwidth that we have to deliver to our servers is outpacing even Moore’s Law,” Vahdat said. Over the past six years, it’s grown by a factor of 50. In addition to keeping up with computing power, the networks will need ever higher performance to take advantage of fast storage technologies using flash and non-volatile memory, he said.”
  • “For full details you’ll have to wait for a paper we’ll publish at SIGCOMM 2015 in August”
  • Official Google Cloud Platform Blog Post

The US Government is in no position to teach anyone about Cyber Security

  • “Why should anyone trust what the US government says on cybersecurity when they can’t secure the systems they have full control over?”
  • “IRS employees can use ‘password’ as a password? No wonder they get hacked”
  • As I have long said, you have to assume the worst until you can prove otherwise: “The effects of the massive hack of the Office of Personnel Management (OPM) continue to ripple through Washington DC, as it seems every day we get more information about how the theft of millions of government workers’ most private information is somehow worse than it seemed the day before. (New rule: if you read about a hack of a government or corporate database that sounds pretty bad, you can guarantee it be followed shortly thereafter by another story detailing how the same hack was actually much, much “worse than previously admitted.”)”
  • “It’d be one thing if this incompetence was exclusively an OPM problem, but despite the government trying to scare private citizens with warnings of a “cyber-Armageddon” or “cyber-Pearl Harbor” for years, they failed to take even the most basic steps to prevent massive data loss on their own systems. As OTI’s Robyn Greene writes, 80-90% of cyber-attacks could be prevented or mitigated with basic steps like “encrypting data, updating software and setting strong passwords.””
  • Of course, using Multi-Factor Authentication would help a lot too
  • “The agency that has been singled out for some of the worst criticism in recent years is the Department of Homeland Security, the agency that is supposedly in charge of securing all other government systems. The New York Times reported this weekend that the IRS’s systems still allow users to set their passwords to “password,” along with other hilariously terrible mistakes. “
  • “Instead of addressing their own problems and writing a bill that would force the government to upgrade all its legacy systems, implement stronger encryption across federal agencies and implement basic cybersecurity best practices immediately, members of both parties have been pushing dangerous “info-sharing” legislation that will end with much more of citizens’ private data in the hands of the government. And the FBI wants tech companies to install “backdoors” that would give the government access to all encrypted communications – thereby leaving everyone more vulnerable to hackers, not less. Two “solutions” that won’t fix any of the glaring problems staring them in the face, and which may make things a lot worse for ordinary people.”
  • There are plenty of examples of large networks that are fairly well secured, so it isn’t impossible to secure a large network. However, the number of insecure government and corporate networks suggests that more needs to be done.
  • The solution isn’t something sold by a vendor, it is the same stuff security experts have been preaching for decades:
    • Need to know — Only those who actually need data should have access to it. Let’s not just store everything in a giant shared network drive with everyone having read/write access to it
    • Patching — Software has flaws. These flaws get fixed and then become public (sometimes the other way around, the dreaded Zero-Day flaw). If you do not patch your software quickly, you increase the chance of the flaw being used against you
    • Strong Authentication — Password complexity requirements can be annoying, because they are often too vague. Requiring a number, a lower case letter, an upper case letter, and a symbol isn’t necessarily as secure as a passphrase which is longer. Worse, many systems do not securely store the passwords, making them less secure
    • Multi-Factor Authentication — Requiring more than one factor ensures that if an attacker does shoulder surf, key log, phish, or otherwise gain access to someone’s password, they cannot access the secure data
    • Encryption — This one is hard, as many solutions turn out to not be good enough. “The harddrive on my laptop is encrypted”, this is fine, except if the attacker gets access while your machine is powered on and logged in. Sensitive data should be offlined when it is not in use, rather than being readily accessible in its decrypted form
    • Logging — Knowing who accessed what, and when is useful after-the-fact. Having an intelligence system that looks for anomalies in this data can help you detect a breach sooner, and maybe stop it before the baddies make off with your data
    • Auditing — Use a security appliance like the FUDO to only allow access to secure systems when such access is recorded. This way the actions of all contractors and administrators are recorded on video, and there is no way to access the protected systems except through the FUDO.
  • As we discussed before in TechSNAP 214, there are other techniques that can be used to help safeguard systems, including whitelisting software, and only allowing approved applications on sensitive systems. The key is deciding which protections to use where, while generating the least amount of ‘user resistance’

Google Project Zero researcher discloses 15 new vulnerabilities


America the Hacked | Unfilter 148 https://original.jupiterbroadcasting.net/83857/america-the-hacked-unfilter-148/ Wed, 17 Jun 2015 20:21:30 +0000

The post America the Hacked | Unfilter 148 first appeared on Jupiter Broadcasting.


A massive breach of the Federal Government’s employment record has exposed millions of confidential details & the scope of the breach keeps expanding as the story develops.

Plus a look at what really scares us about the Trans-Pacific Partnership, we’ll bust the attempted takedown of Edward Snowden over the weekend, the claims Russia and China cracked his encrypted documents, an update on ISIS in America & more!

LostPass | Tech Talk Today 183 https://original.jupiterbroadcasting.net/83752/lostpass-tech-talk-today-183/ Tue, 16 Jun 2015 11:05:56 +0000

The post LostPass | Tech Talk Today 183 first appeared on Jupiter Broadcasting.


LastPass discloses it’s been compromised, we discuss the scope of the hack & what our best and worst options are moving forward.

Plus a recap of the most interesting things from E3 so far & more!

Hacking Henchmen for Hire | TechSNAP 218 https://original.jupiterbroadcasting.net/83577/hacking-henchmen-for-hire-techsnap-218/ Thu, 11 Jun 2015 10:19:19 +0000

The post Hacking Henchmen for Hire | TechSNAP 218 first appeared on Jupiter Broadcasting.


This week, how hard lessons learned in 1982 could apply to 2015’s security breaches, hacking for hire goes big & a savage sentient car that needs better programming.

Plus some fantastic questions, a rocking round-up & much more!


— Show Notes: —

Cyber Security and the Tylenol Murders

  • “When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.”
  • “This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law. But the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.”
  • If only we could learn from this example in the case of Internet Security, or even just security in general
  • “To folks who understand computer security and networks, it’s plain that the key problem are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.”
  • “So if we were to approach this as a safety problem, the way forward is clear: We need better incentives for companies who store our data to keep it secure. In fact, there is broad agreement that we can easily raise the bar against cyberthieves and spies. Known vulnerabilities frequently go unpatched. For instance, The New York Times reported that the J.P. Morgan hack occurred due to an un-updated server. Information is too often stored in the clear rather than in encrypted form and many devices like smart phones or tablets, that increasingly store our entire lives, don’t even allow for key security upgrades.”
  • “Not only is Congress failing to address the need for increased computer and network security, key parts of the government are working to undermine our safety. The FBI continues to demonize strong cryptography, trying instead to sell the public on “technologically stupid” strategy that will make us all less safe. Equally outrageous, the recent Logjam vulnerabilities show that the NSA has been spending billions of our tax dollars to exploit weaknesses in our computer security—weaknesses caused by the government’s own ill-advised regulation of cryptography in the 1990s—rather than helping us strengthen our systems.”
  • So how can we actually solve the problem?
  • “We need to ensure that companies to whom we entrust our data have clear, enforceable obligations to keep it safe from bad guys. This includes those who handle it directly and those who build the tools we use to store or otherwise handle it ourselves. In the case of Johnson & Johnson, products liability law makes the company responsible for the harm that comes to us due to the behavior of others if safer designs are available, and the attack was foreseeable. Similarly, hotels and restaurants that open their doors to the public have obligations under the law of premises liability to take reasonable steps to keep us safe, even if the danger comes from others. People who hold your physical stuff for you—the law calls them bailees—also have a responsibility to take reasonable steps to protect it against external forces.”
  • “Looking at the Congressional debate, it’s as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to “share” its customer lists with the government and with the folks over at Bayer aspirin. We wouldn’t have stood for such a wrongheaded response in 1982, and we shouldn’t do so now.”
  • Additional Coverage: USNews — A cybersecurity bill with White House support may weaken both network security and privacy
  • Additional Coverage: PBS — How the Tylenol Murders changed how we consume medication

IRS reports thieves stole tax data on over 100,000 people

  • “Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.”
  • They used the “Get Transcript” feature to steal the data
  • The criminals already had most of the sensitive data about the users, including their SSN, Date of Birth, and Address
  • This data was used to attempt to file fraudulent tax returns
  • The IRS is careful to note that this was not a breach: the data was not stolen in a hack. Rather, criminals used the sensitive data they had already collected to impersonate each of the 100,000 affected people and access their IRS accounts “legitimately”
  • “The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013”
  • The thieves tried to access over 200,000 accounts, but were only successful in about half of the cases. The IRS will notify everyone whose account was targeted, and will provide credit monitoring in the cases where the attempt succeeded. Users whose accounts were targeted but not compromised should also consider carefully monitoring their credit reports, since the thieves likely already have most of their sensitive data in order to have made the attempts in the first place
  • This attack may actually be a symptom of another breach, where this data was stolen in bulk from somewhere else, and then used against the IRS
  • It will be interesting to see if there are any commonalities between all of the 200,000 victims
  • It also suggests that the IRS’ online system doesn’t have a very good IDS (Intrusion Detection System): if a small set of IP addresses is attempting to access 200,000 accounts, this should set off alarms, especially if half of the attempts are failures, but even if they are not.
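
The kind of alarm described in the last point can be sketched as a per-source count of distinct accounts touched inside a sliding window. This is an added example, not code from the show or the IRS; the log format, the window, the threshold and the documentation-range IP addresses are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; real thresholds depend on the service's normal traffic.
WINDOW = timedelta(minutes=10)
MAX_ACCOUNTS_PER_IP = 5


def parse_line(line):
    """Parse one 'timestamp ip account outcome' record (hypothetical log format)."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome


def detect_account_sweeps(lines, window=WINDOW, max_accounts=MAX_ACCOUNTS_PER_IP):
    """Flag source IPs that touch more than max_accounts distinct accounts
    within any sliding window.

    The trigger is the number of distinct accounts, not the number of failed
    logins, so a source that succeeds every time is still flagged. The failure
    rate is reported alongside as extra context for the analyst.
    Returns {ip: {"accounts": peak_distinct_accounts, "failure_rate": float}}.
    """
    recent = defaultdict(deque)  # ip -> events still inside the window
    alerts = {}
    for ts, ip, account, outcome in sorted(parse_line(l) for l in lines):
        events = recent[ip]
        events.append((ts, account, outcome))
        # Drop events that have aged out of the window for this source.
        while ts - events[0][0] > window:
            events.popleft()
        accounts = {acct for _, acct, _ in events}
        if len(accounts) <= max_accounts:
            continue
        # Keep the worst (peak) window seen for each source.
        if len(accounts) > alerts.get(ip, {"accounts": 0})["accounts"]:
            failures = sum(1 for _, _, o in events if o == "FAIL")
            alerts[ip] = {
                "accounts": len(accounts),
                "failure_rate": failures / len(events),
            }
    return alerts


def build_sample_log():
    """Constructed sample data: two sweeping sources and two ordinary ones."""
    base = datetime(2015, 5, 26, 9, 0, 0)
    lines = []
    for i in range(8):
        t = (base + timedelta(minutes=i)).isoformat()
        # Source A: a new account every minute, half of the attempts fail.
        outcome = "OK" if i % 2 == 0 else "FAIL"
        lines.append(f"{t} 203.0.113.7 acct{1000 + i} {outcome}")
        # Source B: same pattern, but every attempt succeeds.
        lines.append(f"{t} 198.51.100.20 acct{2000 + i} OK")
    # An ordinary user who mistypes once, then reaches their own account.
    for minute, outcome in ((1, "FAIL"), (2, "OK"), (30, "OK")):
        t = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{t} 192.0.2.10 acct42 {outcome}")
    # A household sharing one address: two accounts, well under the threshold.
    for minute, account in ((3, "acct77"), (4, "acct78")):
        t = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{t} 192.0.2.44 {account} OK")
    return lines


if __name__ == "__main__":
    for ip, info in sorted(detect_account_sweeps(build_sample_log()).items()):
        print(f"ALERT {ip}: {info['accounts']} accounts in {WINDOW}, "
              f"failure rate {info['failure_rate']:.0%}")
```

A sweep spread thinly over time or across many source addresses stays under a per-IP, short-window threshold, so the same count is worth keeping over longer windows as well.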

CaaS: Crime as a Service — The cybercrime service economy

  • “In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like a California noir and something more like sci-fi: To spy on the clients’ adversaries, prosecutors say, they hired a pair of hackers.”
  • “Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account “krowten.a.lortnoc”—”control a network” in reverse, according to the indictment.”
  • “The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives”
  • Some call it Espionage as a Service (EaaS), but it is really just Crime as a Service.
  • “While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. “The threat landscape is very complex,” he says. “A hacker group will sell to whoever wants to pay.””
  • “At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking’s done.”
  • How much do you trust a site selling an illegal service?
  • “In a report released in March, Europol, the European Union’s law enforcement arm, predicts online networking sites and anonymous cash-transfer mechanisms like cryptocurrencies will continue to contribute to the growth of “crime as a service” and to criminals who “work on a freelance basis . . . facilitated by social networking online with its ability to provide a relatively secure environment to easily and anonymously communicate.””
  • “The environment isn’t always secure. Earlier this month, one security sleuth unmasked the apparent owner of Hackers List as Charles Tendell, a Denver-based security expert. Soon after, Stanford legal scholar Jonathan Mayer crawled the site’s data, revealing the identities of thousands of the site’s visitors and their requests for hacks.”
  • “Mayer found only 21 satisfied requests, including “i need hack account facebook of my girlfriend,” completed for $90 in January, “need access to a g mail account,” finished for $350 in February, and “I need [a database hacked] because I need it for doxing,” done for $350 in April. A majority of requests on the service involve compromising Facebook (expressly referenced in 23% of projects) and Google (14%), and are sparked by a business dispute, jilted romance, or the desire to artificially improve grades, with targets including the University of California, UConn, and the City College of New York.”
  • Dell Research: Chart
  • It will be interesting to see what happens in this area, I expect the more serious hacking forums to go further underground, and the more obvious ones to be infiltrated by researchers and law enforcement. I also expect to see lots of scams.
  • Additional Coverage: WebPolicy.org

Radicalized and Viral | Unfilter 147 https://original.jupiterbroadcasting.net/83552/radicalized-and-viral-unfilter-147/ Wed, 10 Jun 2015 22:10:12 +0000 https://original.jupiterbroadcasting.net/?p=83552 Over the weekend the media blew the doors off the Cyber propaganda, cranking up the fear machine over ISIS radicalization via one tweet at a time. We’ll give you our analysis on the larger motive behind this media blitz. Plus the new plan to fight ISIS that’s just like the old plan, the details on […]

The post Radicalized and Viral | Unfilter 147 first appeared on Jupiter Broadcasting.


Over the weekend the media blew the doors off the Cyber propaganda, cranking up the fear machine over ISIS radicalization via one tweet at a time. We’ll give you our analysis on the larger motive behind this media blitz.

Plus the new plan to fight ISIS that’s just like the old plan, the details on that big gov data breach & a high-note that might inspire your next big idea!

Solar Freaking Tents! | Tech Talk Today 179 https://original.jupiterbroadcasting.net/83307/solar-freaking-tents-tech-talk-today-179/ Fri, 05 Jun 2015 10:42:20 +0000 https://original.jupiterbroadcasting.net/?p=83307 Preparing for a camping trip in the woods has never been more stressful, we debate how much tech to take. Plus the US suspects China breached about 4 million government records, Steam Machines get a ship date & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube […]

The post Solar Freaking Tents! | Tech Talk Today 179 first appeared on Jupiter Broadcasting.


Preparing for a camping trip in the woods has never been more stressful, we debate how much tech to take. Plus the US suspects China breached about 4 million government records, Steam Machines get a ship date & more!

Your TechSNAP Story | TechSNAP 200 https://original.jupiterbroadcasting.net/76892/your-techsnap-story-techsnap-200/ Thu, 05 Feb 2015 19:49:10 +0000 https://original.jupiterbroadcasting.net/?p=76892 A new major security breach at a large health insurance firm could expose 10s of millions, a phone phishing scam anyone could fall for & we celebrate our 200th episode with your TechSNAP stories. Then it’s a storage spectacular Q&A & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Your TechSNAP Story | TechSNAP 200 first appeared on Jupiter Broadcasting.


A new major security breach at a large health insurance firm could expose 10s of millions, a phone phishing scam anyone could fall for & we celebrate our 200th episode with your TechSNAP stories.

Then it’s a storage spectacular Q&A & much, much more!


— Show Notes: —

Security breach at health insurance firm Anthem, could expose 10s of millions

  • “Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. “
  • “Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.””
  • “The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.”
  • It is reported that Anthem has hired Mandiant to investigate the attack
  • Exposed data:
    • Full name
    • Date of birth
    • Member ID
    • Social Security number
    • Address
    • Phone numbers
    • Email addresses
    • Employment information
  • “According to Anthem’s statement, the impacted (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.”
  • “Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
  • More detailed information is not available yet, but I am sure we’ll be following this story in the weeks to come
  • Additional Coverage – ThreatPost
  • Additional Coverage

Hacked hotel phones used in bank phishing scam

  • “A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the south. Such attacks are not new, but this one is a timely reminder that phishers increasingly are using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.”
  • “The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date”
  • It seems Holiday Inn’s telephone switching system may have been hacked, and used to record and exfiltrate the stolen information
  • It is likely the hotel also lost out on business from customers actually trying to reach the hotel, and instead getting fake voice prompts for various banks
  • “According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.”
  • ““Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”
  • “A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.”
  • “Numbercop says the text message lures were sent using email-to-SMS gateways, but that the company also has seen similar campaigns sent from regular in-network numbers (prepaid mobile phones e.g.), which can be harder to catch. In addition, Volzke said, phishers often will target AT&T and Verizon users for use in furthering these schemes.”
  • Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps. “Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”
  • “Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.”
  • Example call recording from Numbercop

Your TechSNAP Story


Dude Where’s My Card? | TechSNAP 198 https://original.jupiterbroadcasting.net/76052/dude-wheres-my-card-techsnap-198/ Thu, 22 Jan 2015 21:16:58 +0000 https://original.jupiterbroadcasting.net/?p=76052 Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how. Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.


Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!


— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

  • The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ blackhole)
  • The exploit kit currently uses three different Flash exploits:
    • CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
    • CVE-2015-0310 – which was patched today
    • and a 3rd new exploit, which is still being investigated
  • Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
  • However, a 0 day where the exploit kit authors are the first to receive the details, means that even at this point, researchers and Adobe are not yet sure what the flaw is that is being exploited
  • Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
  • Additional Coverage – Krebs On Security
  • Additional Coverage – PCWorld
  • Additional Coverage – Malware Bytes
  • Additional Coverage – ZDNet

How was your credit card stolen

  • Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
  • Different ways to get your card stolen, and your chance of proving it:
    • Hacked main street merchant, restaurant (low, depends on card use)
    • Processor breach (nil)
    • Hacked point-of-sale service company/vendor (low)
    • Hacked E-commerce Merchant (nil to low)
    • ATM or Gas Pump Skimmer (high)
    • Crooked employee (nil to low)
    • Lost/Stolen card (high)
    • Malware on Consumer PC (very low)
    • Physical record theft (nil to low)
  • “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
  • Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
  • With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
  • Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards, may have some standing to go after the other vendor that was the source of the leak
  • Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

  • Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
  • In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
  • Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
  • The report also found that 8% of files uploaded to cloud storage providers like Google Drive, Dropbox, Box.com etc, were in violation of the enterprises’ own Data Loss Prevention (DLP) policies.
  • The downloading numbers were worse: 25% of all company files in cloud providers were shared with 1 or more people from outside the company. 12% of outsiders had access to more than 100 files.
  • Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
  • When cloud apps are used that lack the enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
  • Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
  • If an employee just makes a Dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidentally shares all files instead of only specific project files, then fails to remove that person later on, data can leak.
  • When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
  • Infographic
  • Report

Patch and Notify | TechSNAP 197 https://original.jupiterbroadcasting.net/75657/patch-and-notify-techsnap-197/ Thu, 15 Jan 2015 22:21:43 +0000 https://original.jupiterbroadcasting.net/?p=75657 Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question… Plus a great batch of your feedback, a rocking round up & much, much more! Thanks to: Get Paid to Write […]

The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.


Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!


— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
  • “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with the Lizard Squad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
  • This is the result of too many vendors taking far too long to resolve bugs after they are notified
  • Researchers have found that they need to straddle the line between responsible disclosure and full disclosure, as it is irresponsible not to notify the public when it doesn’t appear that the vendor is taking the vulnerability seriously.
  • Microsoft also patched a critical telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe Flash update to address multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles Flash
  • In fact, if you use Chrome and Firefox on Windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: is precise, simple, consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on Facebook or Twitter
  • Some examples:
    • What is the name of the first beach you visited?
    • What is the last name of the teacher who gave you your first failing grade?
    • What is the first name of the person you first kissed?
    • What was the name of your first stuffed animal or doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your Facebook but theirs that might be the leak; you can’t control what information other people expose)
  • Sample question scoring

Don’t Fire IT | TechSNAP 193 https://original.jupiterbroadcasting.net/74187/dont-fire-it-techsnap-193/ Thu, 18 Dec 2014 18:51:04 +0000 https://original.jupiterbroadcasting.net/?p=74187 More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain. Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video […]

The post Don’t Fire IT | TechSNAP 193 first appeared on Jupiter Broadcasting.


More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!


— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

  • “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
  • The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
  • “The hospital says it immediately notified law enforcement agencies.”
  • “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
  • “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
  • The age of the data suggests that the compromise may have involved backups and/or cold storage
  • It is not clear if the hospital stores the older data itself, or if it relies on a 3rd party provider that may have been compromised
  • “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim


You Are The Product | Tech Talk Today 91 https://original.jupiterbroadcasting.net/71372/you-are-the-product-tech-talk-today-91/ Thu, 13 Nov 2014 10:28:04 +0000 https://original.jupiterbroadcasting.net/?p=71372 Data Breaches often result in the companies attacked playing the victim & shrugging off responsible network management. Samsung reveals new VR gear, a 3D camera with 16 HD cameras & a bunch of other goodies that promise to bring the virtual world to you. Direct Download: MP3 Audio | OGG Audio | Video | HD […]

The post You Are The Product | Tech Talk Today 91 first appeared on Jupiter Broadcasting.

]]>

Data Breaches often result in the companies attacked playing the victim & shrugging off responsible network management.

Samsung reveals new VR gear, a 3D camera with 16 HD cameras & a bunch of other goodies that promise to bring the virtual world to you.

Show Notes:

Samsung unveils Project Beyond, a 3D-capturing camera for Gear VR

Samsung has just unveiled a sneak preview of a new camera called Project Beyond, which is a 3D-capturing 360-degree camera designed to capture videos and stream them on the Gear VR. Pranav Mistry, Samsung’s VP of Research, says that Beyond is a “new kind of camera that gives a new kind of immersive experience.” The camera (which apparently houses 16 full HD cameras) shows a 360-degree panoramic view and captures everything in 3D, collecting a gigapixel of 3D data every second. It promises high-speed connectivity, adaptive stitching, ultra wide-angle optics and stereoscopic depth. And, this isn’t just a concept. It’s actually a fully working device.

Samsung launching Gear VR ‘Innovator Edition’ in early December for $199 | The Verge

You’ll be able to get your hands on Samsung’s Gear VR in early December. Today the company announced that it will launch the Gear VR Innovator Edition — essentially what amounts to developer preview hardware (that’s available to everyone) — next month.

Gear VR: $199 for the headset alone, or $249 with one of Samsung’s Bluetooth gamepads. Add that to the cost of a Note 4 — $700 or more, unsubsidized — and it’s not one of the cheaper VR headsets on the market.

91% of US adults say consumers have lost control over how their personal info is collected and used by companies | Pew Research

Some 43% of adults have heard “a lot” about “the government collecting information about telephone calls, emails, and other online communications as part of efforts to monitor terrorist activity,” and another 44% have heard “a little.” Just 5% of adults in our panel said they have heard “nothing at all” about these programs.

Widespread concern about surveillance by government and businesses


Perhaps most striking is Americans’ lack of confidence that they have control over their personal information. That pervasive concern applies to everyday communications channels and to the collectors of their information—both in the government and in corporations. For example:

SnatchedChat | Tech Talk Today 74 https://original.jupiterbroadcasting.net/69072/snatchedchat-tech-talk-today-74/ Mon, 13 Oct 2014 10:00:13 +0000 https://original.jupiterbroadcasting.net/?p=69072 13 gigabytes of stolen images from Snapchat but Snapchat themselves are not to blame. The Linux Foundation is working on open source drones. Apple Pay is facing headwinds & our Kickstarter of the week sparks quite the debate! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post SnatchedChat | Tech Talk Today 74 first appeared on Jupiter Broadcasting.

]]>

13 gigabytes of stolen images from Snapchat but Snapchat themselves are not to blame. The Linux Foundation is working on open source drones. Apple Pay is facing headwinds & our Kickstarter of the week sparks quite the debate!

Show Notes:

Snapchat images stolen from third-party Web app using hacked API [Updated] | Ars Technica

An alleged cache of about 13 gigabytes of stolen images from Snapchat—some of them apparently of nude, underage users of the “ephemeral” messaging platform—was posted online Thursday night, many of them to the image-sharing site 4chan’s /b/ discussion board. However, the threads linking to the images have largely been shut down by 4Chan over concerns of trafficking in what could be considered child pornography. Over 100,000 user images and videos were in the cache, according to 4chan discussions.


According to 4Chan posters, the files were moved by the operator of the site SnapSaved.com—a site that was operating as a web-based SnapChat viewer—from the original server to a non-indexed site, where they were discovered. The original poster on the leak has said he will not be sharing the contents in both a comment on 4Chan and in a “release” posted on Pastebin.


The leak was apparently caused by SnapSaved.com (which has apparently been offline for several months; the link is to the developers’ Facebook page). SnapSaved was a Web-based client built for Snapchat that allowed users to access “snaps” from a Web browser. However, the service, which according to DNS records ran on a server at the hosting company HostGator, apparently kept all images received or sent by its users without their knowledge.


Snapchat does not publish its API for third-party developers, but it has been reverse-engineered.

Linux Foundation Launches Open Source Dronecode Project

The Linux Foundation, the nonprofit organization dedicated to accelerating the growth of Linux and collaborative development, today announced the founding of the Dronecode Project. The Project will bring together existing open source drone projects and assets under a nonprofit structure governed by The Linux Foundation. The result will be a common, shared open source platform for Unmanned Aerial Vehicles (UAVs). Founding members include 3D Robotics, Baidu, Box, DroneDeploy, Intel, jDrones, Laser Navigation, Qualcomm, SkyWard, Squadrone System, Walkera and Yuneec. Dronecode includes the APM UAV software platform and associated code, which until now has been hosted by 3D Robotics, a world leader in advanced UAV autopilot and autonomous vehicle control. The company was co-founded by Chris Anderson, formerly editor-in-chief of Wired.

Many Retailers Hesitant About Offering Support for Apple Pay

Though Apple is launching Apple Pay with a number of high-profile retail partners including Macy’s, Disney, Whole Foods, Sephora, Walgreens, and Staples, among others, there’s a long list of retailers who have decided not to offer Apple Pay in their stores.


Walmart and Best Buy, for example, have been two high-profile companies that have vocally opted out, and The Daily Dot has compiled a list of several other retail outlets that have no current plans to support Apple Pay. Clothing store H&M said that it has no plans to accept Apple Pay at this time, as did high-end retailer Coach.


A Bed, Bath & Beyond spokesperson said the company was “unable to participate,” while a spokesperson for retailer Belk also said “we don’t have the capability to accept Apple Pay right now,” suggesting the store has not adopted payment systems with NFC capabilities.


Sears, Kmart, and Publix have also said they won’t be accepting Apple Pay, as has gas company BP, though BP stations may be able to accept Apple Pay in 2016.


Some fast food restaurants aren’t on board yet either, including Pizza Hut and Chipotle, while others, like KFC, are “looking into the prospect of accepting Apple Pay” but have no timetable for support.


The list of merchants not on board with Apple Pay is considerable, but contactless payments are growing in popularity and with the help of Apple Pay, the adoption of NFC systems may accelerate even faster. According to Apple, more than 220,000 retail stores across the United States will be able to accept Apple Pay.


Apple Pay is expected to roll out in October as an update to iOS 8. iOS 8.1, with hidden Apple Pay settings, has already been seeded to developers for testing.

Wells Fargo employee emails CEO asking for a raise — copies 200,000 other employees

Tyrel Oates, a 30-year-old Portland, Oregon-based employee of Wells Fargo, shot to Internet fame after emailing the company’s CEO John Stumpf (and cc’ing 200,000 other employees) to ask for a $10,000 raise… for everyone at the company.

The Charlotte Observer reports:

Oates proposed that Wells Fargo give each of its roughly 263,500 employees a $10,000 raise. That, he wrote, would “show the rest of the United States, if not the world, that, yes, big corporations can have a heart other than philanthropic endeavors.”

In an interview Tuesday, Oates…said he has no regrets and that he has received many thank-yous from co-workers who told him they shared his views.

And, at least as of Tuesday afternoon, he said he’s still employed by the company, where he processes requests from Wells Fargo customers seeking to stop debt-collection calls.

“I’m not worried about losing my job over this,” Oates said.

Kickstarter of the Week: Boxie: A speaker with a built-in LED light-show by Michael K.

An elegant, synchronized light-show built into a great sounding speaker. Place Boxie on your desk or in a bookshelf and see the music.

AT&T’s Identity Giveaway! | Tech Talk Today 71 https://original.jupiterbroadcasting.net/68342/atts-identity-giveaway-tech-talk-today-71/ Tue, 07 Oct 2014 09:58:41 +0000 https://original.jupiterbroadcasting.net/?p=68342 An AT&T insider steals customer info, Samsung’s sales could be slipping by as much as 60% and Yahoo gets bit by Shellshock. Plus our Kickstarter of the week & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | […]

The post AT&T's Identity Giveaway! | Tech Talk Today 71 first appeared on Jupiter Broadcasting.

]]>

An AT&T insider steals customer info, Samsung’s sales could be slipping by as much as 60% and Yahoo gets bit by Shellshock.

Plus our Kickstarter of the week & much more!

Show Notes:

AT&T Hit By Insider Breach | Threatpost | The first stop for security news

AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver’s license numbers.


In a letter sent to the Vermont attorney general, AT&T officials said that the breach occurred in August and that the employee in question also was able to access account information for AT&T customers.


“We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number. Additionally, while accessing your account, the employee would have been able to view your Customer Proprietary Network Information (CPNI), without proper authorization,” said Michael A. Chiarmonte, director of finance billing operations at AT&T, in a letter to the Vermont AG.


The CPNI he referred to in the letter includes data that’s related to the services that consumers buy from the company. Chiarmonte said in the letter that the employee responsible for the breach no longer works for AT&T. It’s not clear from AT&T’s disclosure how many consumers have been affected by the breach or which other states may have citizens who are affected.


As a result of the breach, AT&T is offering affected customers a year of free credit monitoring, as has become customary in these incidents.

Samsung Warns Weak Q3 Earnings – Business Insider

Samsung warned Monday night that its third-quarter earnings will be weaker than expected.


The company said it would report an operating profit of $3.8 billion for the quarter ending in September — a decline of nearly 60 percent from the same time a year earlier. Sales fell to $44 billion, off 20 percent from a year ago. […]


The South Korean electronics giant said that while smartphone shipments increased, its operating margins fell because of higher marketing costs, fewer shipments of high-end phones and a lower average selling price for the devices.


The company said it is responding with a new smartphone lineup that will include new mid-range and low-end devices, which would make Samsung’s products more competitive in markets such as China.

Hackers Compromised Yahoo’s Servers Using Shellshock

The exploits were first discovered by security researcher, Jonathan Hall. Hall pointed to two Yahoo Games servers that had been exploited. After Yahoo was contacted by Security Week it issued the following statement:


A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.

Plex Launches On Xbox One

The Plex app for Xbox One is a new approach to Plex overall, with a landscape interface that Plex co-founder and Chief Product Officer Scott Olechowski says is admittedly due partly to design requirements set out by the Xbox team, but that also will make its way back to the wider suite of Plex software on other platforms, too.


“[Xbox] certainly kind of encouraged this landscape type scrolling, but the more we used this the more we realized how well it works,” he said. “You’ll see this approach taken in other places. The more we used it, the more we realized it’s more natural. We kind of fell in love with aspects of it, [and] over time we want to have a more consistent experience.”

The Xbox One, the first official video game console to launch in China in 14 years, has started its console life in the middle kingdom with a bang! According to Chinese news sources, the Xbox One sold over 100,000 units within the first week of sales.

KICKSTARTER OF THE WEEK: Granola Strolla – Portable Solar USB charger by Granola Strolla Inc. — Kickstarter

GranolaStrolla is a portable, affordable and easy to use solar charged battery pack able to charge USB devices as fast as a wall charger

Grand Theft Depot | Tech Talk Today 54 https://original.jupiterbroadcasting.net/66282/grand-theft-depot-tech-talk-today-54/ Mon, 08 Sep 2014 09:43:57 +0000 https://original.jupiterbroadcasting.net/?p=66282 Did Home Depot get struck by the same malware that attacked Target? How the FBI found the Silkroad server, and Reddit just got a big cash infusion… But is it enough? Plus a nostalgic look back at the WORM drive & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video […]

The post Grand Theft Depot | Tech Talk Today 54 first appeared on Jupiter Broadcasting.

]]>

Did Home Depot get struck by the same malware that attacked Target? How the FBI found the Silkroad server, and Reddit just got a big cash infusion… But is it enough?

Plus a nostalgic look back at the WORM drive & much more!

Show Notes:

Reddit Raising Big Funding Round With Help From Y Combinator Contacts

Reddit, the social news site with a big Web footprint, is raising a big funding round — with help from some of the people who helped launch the site nine years ago, including co-founder Alexis Ohanian and other people associated closely with startup incubator Y Combinator.

Sources said the site has reached a preliminary agreement to sell less than 10 percent of the company for more than $50 million. That could give the company a valuation of upwards of $500 million.

Home Depot Hit By Same Malware as Target — Krebs on Security

The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the same malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation.


A source close to the investigation told this author that an analysis revealed at least some of Home Depot’s store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.


BlackPOS also was found on point-of-sale systems at Target last year. What’s more, cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator[dot]cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack.

Other clues in the new BlackPOS malware variant further suggest a link between the cybercrooks behind the apparent breach at Home Depot and the hackers who hit Target. The new BlackPOS variant includes several interesting text strings. Among those are five links to Web sites featuring content about America’s role in foreign conflicts, particularly in Libya and Ukraine.

One of the images linked to in the guts of the BlackPOS code.

Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.

Dread Pirate Sunk By Leaky CAPTCHA — Krebs on Security

“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”

Doubts cast over FBI ‘leaky CAPTCHA’ Silk Road rapture • The Register

“The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me — but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many Bitcoin (with little legal implication if you managed to steal them).”

Moreover, an externally hosted image would still be routed over Tor and any packet sniffer would be unable to detect the Silk Road’s IP address.

Cubrilovic claimed it was more likely the FBI found and exploited a security vulnerability or discovered an information leak in the Silk Road login page and application.

CenturyLink Said to Seek to Acquire Rackspace Hosting – Bloomberg

CenturyLink has discussed the idea with San Antonio-based Rackspace, which last month said it is still conducting an internal review of its strategic options, according to the people, who asked not to be identified talking about private information. One person said a deal may not be reached for the company, which had a stock-market valuation of $5.33 billion at the end of last week.


Odds of the deal going through are less than 50 percent unless Rackspace is willing to take payment in stock or enter a joint venture, Jaegers said. CenturyLink wants to avoid a debt downgrade that may come with financing a large deal, she said.

What is WORM (write once, read many)?

In computer storage media, WORM (write once, read many) is a data storage technology that allows information to be written to a disc a single time and prevents the drive from erasing the data. The discs are intentionally not rewritable, because they are especially intended to store data that the user does not want to erase accidentally. Because of this feature, WORM devices have long been used for the archival purposes of organizations such as government agencies or large enterprises. A type of optical media, WORM devices were developed in the late 1970s and have been adapted to a number of different media. The discs have varied in size from 5.25 to 14 inches wide, in varying formats ranging from 140MB to more than 3 GB per side of the (usually) double-sided medium. Data is written to a WORM disc with a low-powered laser that makes permanent marks on the surface.

Home Depot Credit Repo | TechSNAP 178 https://original.jupiterbroadcasting.net/65977/home-depot-credit-repo-techsnap-178/ Thu, 04 Sep 2014 18:57:14 +0000 https://original.jupiterbroadcasting.net/?p=65977 Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and whats behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken. Plus a great batch of […]

The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.

]]>

Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and what’s behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken.

Plus a great batch of your questions, our answers & much more!

— Show Notes: —

Krebs: Banks report breach at Home Depot. Update: Almost all Home Depot stores hit

  • Sources from multiple banks have reported to Brian Krebs that the common retailer in a series of stolen credit cards appears to be Home Depot
  • Home Depot spokesperson Paula Drake says: “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
  • “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period”
  • “The breach appears to extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico”
  • Zip-code analysis shows 99.4% overlap between stolen cards and Home Depot store locations
  • This is important, as the fraud detection system at many banks is based on proximity
  • If a card is used far away from where the card holder normally shops, that can trigger the card being frozen by the bank
  • By knowing the zip code of the store the cards were stolen from, a criminal who buys the stolen card information to make counterfeit cards can use cards from the same region they intend to attack, increasing their chance of successfully buying gift cards or high-value items that they can later turn into cash
  • The credit card numbers are for sale on the same site that sold the Target, Sally Beauty, and P.F. Chang’s cards
  • “How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.”
  • Some retailers, including Urban Outfitters, say they do not plan to notify customers, vendors or the authorities if their systems are compromised

Fake cell towers found operating in the US

  • Seventeen mysterious cellphone towers have been found in America which look (to your phone) like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose. Source: Popular Science
  • Mobile handsets are supposed to warn the user when the tower does not support encryption. All legitimate towers support encryption, so the most likely explanation for a tower without it is that it is a rogue tower trying to trick your phone into not encrypting calls and data, so they can be eavesdropped upon
  • The rogue towers were discovered by users of the CryptoPhone 500, a Samsung SIII running a modified Android that reports suspicious activity, like towers without encryption, or data communications over the baseband chip without corresponding activity from the OS (suggesting the tower might be trying to install spyware on your phone)
  • “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one near the South Point Casino in Las Vegas.”
  • “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
  • Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
  • The Oakland Police Department, the nearby Fremont Police Department, and the Alameda County District Attorney jointly applied for a grant from the Department of Homeland Security to “obtain a state-of-the-art cell phone tracking system,” the records show.
  • Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
  • According to Harris’ annual report, which was filed with the Securities and Exchange Commission last week, the company profited over $534 million in its latest fiscal year, the most since 2011.
  • Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
  • Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
  • According to the newly released documents, the entire upgrade will cost $460,000—including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD). Neither the OPD nor the mayor’s office immediately responded to requests for comment.
  • One of the primary ways that stingrays operate is by taking advantage of a design feature in any phone available today. When 3G or 4G networks are unavailable, the handset will drop down to the older 2G network. While normally that works as a nice last-resort backup to provide service, 2G networks are notoriously insecure.
  • Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
  • Cities scramble to upgrade “stingray” tracking as end of 2G network looms

The Nude Celebrity Photo Leak Was Made Possible By Law Enforcement Software That Anyone Can Get

  • Elcomsoft Phone Password Breaker requires the iCloud username and password, but once you have it you can impersonate the phone of the valid user, and have access to all of their iCloud information, not just photos
  • “If a hacker can obtain a user’s iCloud username and password, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
  • “It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol that Apple uses for communicating between iCloud and iOS devices. This has been done before —Wired specifically refers to two other computer forensic firms called Oxygen and Cellebrite that have done the same thing — but EPPB seems to be a hacker’s weapon of choice. As long as it is so readily accessible, it’s sure to remain that way”
  • All of this still requires the attacker to know the celebrity’s username and password
  • This is where iBrute came in
  • A simple tool that takes advantage of the fact that when Apple built the ‘Find My iPhone’ service, they failed to implement login rate limiting
  • An attacker can sit and brute force the passwords at high speed, with no limitations
  • The API should block an IP address after too many failed attempts. This has now been fixed
  • Another way to deal with this type of attack is to lock out an account after too many failed attempts, to ensure a distributed botnet cannot do something like try just 3 passwords each from 1000s of different IP addresses
  • When it becomes obvious that an account is under attack, it can be locked so that no one can gain access to it until the true owner of the account can be verified and steps can be taken to ensure the security of the account (change the username?)
  • The issue with this approach is that Apple Support has proven to be a weak link in regards to security in the past. See TechSNAP Episode 70.
  • Obviously, the iPhone to iCloud protocol should not depend on obscurity to provide security either. We have seen a number of different attacks against the iPhone based on reverse engineering the “secret” Apple protocols
  • Security is often a trade-off against ease-of-use, and Apple keeps coming down on the wrong side of the scale
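
The two defences discussed above, per-IP blocking and per-account lockout, compared on the same traffic. This is an added example, not code from the show notes or from Apple's service; the class, thresholds, account name and addresses are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Counts failed logins per source IP and per account in a sliding window."""
    def __init__(self, ip_limit=10, account_limit=20, window=900, clock=time.monotonic):
        self.ip_limit, self.account_limit = ip_limit, account_limit  # assumed thresholds
        self.window, self.clock = window, clock
        self.ip_failures = defaultdict(deque)
        self.account_failures = defaultdict(deque)
        self.locked = set()  # accounts held until the owner is verified

    def _recent(self, table, key):
        q = table.get(key)
        if not q:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:  # drop failures older than the window
            q.popleft()
        return len(q)

    def check(self, ip, account):  # call before verifying the password
        if account in self.locked:
            return "account_locked"
        if self._recent(self.ip_failures, ip) >= self.ip_limit:
            return "ip_blocked"
        return "ok"

    def record_failure(self, ip, account):
        now = self.clock()
        self.ip_failures[ip].append(now)
        self.account_failures[account].append(now)
        if self._recent(self.account_failures, account) >= self.account_limit:
            self.locked.add(account)

    def unlock_after_verification(self, account):
        self.locked.discard(account)
        self.account_failures.pop(account, None)

def guesses_reaching_password_check(throttle, attempts):
    """Replay (ip, account) pairs, all with wrong passwords; count those not refused."""
    reached = 0
    for ip, account in attempts:
        if throttle.check(ip, account) == "ok":
            reached += 1
            throttle.record_failure(ip, account)
    return reached

def distributed(n_ips, per_ip, account="victim@example.com"):
    # n_ips distinct constructed addresses, per_ip guesses from each
    return [(f"10.0.{i // 250}.{i % 250 + 1}", account)
            for i in range(n_ips) for _ in range(per_ip)]

if __name__ == "__main__":
    one_ip = [("203.0.113.7", "victim@example.com")] * 3000
    ip_only = dict(ip_limit=10, account_limit=10**9)  # lockout effectively off
    print(guesses_reaching_password_check(LoginThrottle(**ip_only), one_ip))
    print(guesses_reaching_password_check(LoginThrottle(**ip_only), distributed(1000, 3)))
    print(guesses_reaching_password_check(LoginThrottle(), distributed(1000, 3)))
```

With per-IP blocking alone, the single-source run is cut off at the IP limit while the distributed run is never refused; adding the per-account counter stops the distributed run at the account limit and holds the account until it is explicitly unlocked.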

Project Zero Goes To War | TechSNAP 177 https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/ Thu, 28 Aug 2014 19:01:59 +0000

Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, and we get real about virtualization.

And then it’s a great batch of your questions, our answers & much more!


— Show Notes: —

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP can be good indicators of future vulnerabilities
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (outdated WordPress is a good hacking target)
  • It also compares the sites to sites that have been compromised. If a site is very like another, and that other was compromised, there is an increased probability that the first site will also be compromised
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
  • Research PDF from USENIX
  • There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known
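
A check a site owner can run against their own pages for the ‘generator’ marker named above. This is an added example, not the CMU researchers’ classifier; the function names, verdict labels and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two generator values the show notes name as the most common marker.
FLAGGED = {("wordpress", "3.2.1"), ("wordpress", "3.3.1")}


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            content = attr.get("content", "").strip()
            if content:
                self.values.append(content)


def audit_generator(html):
    """Return one (product, version, verdict) tuple per generator tag found."""
    finder = GeneratorFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for value in finder.values:
        m = re.match(r"(.+?)\s+v?(\d+(?:\.\d+)*)$", value)
        product, version = (m.group(1), m.group(2)) if m else (value, None)
        if (product.lower(), version) in FLAGGED:
            verdict = "flagged"            # matches a value named in the notes
        elif version:
            verdict = "version-disclosed"  # still tells a visitor what to look up
        else:
            verdict = "product-disclosed"
        findings.append((product, version, verdict))
    return findings


# Constructed sample pages.
PAGES = {
    "blog": '<html><head><meta name="generator" content="WordPress 3.2.1" /></head></html>',
    "shop": "<HTML><HEAD><META CONTENT='WordPress 4.0' NAME='Generator'></HEAD></HTML>",
    "docs": '<html><head><meta name="description" content="no generator here"></head></html>',
}

if __name__ == "__main__":
    for name, html in PAGES.items():
        print(name, audit_generator(html))
```

Removing the tag only hides the marker; the outdated install it advertises still has to be updated.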

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago Google’s Project Zero reported a bug in glibc, however there was much skepticism about the exploitability of the bug, so it was not fixed
  • However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32bit OSs
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora to more easily develop the exploit
  • The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running system("/bin/bash") started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked list hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected”
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor.”
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

Microsoft Patents Exposed | Tech Talk Today 9 https://original.jupiterbroadcasting.net/60007/microsoft-patents-exposed-tech-talk-today-9/ Mon, 16 Jun 2014 09:29:53 +0000

Finally Microsoft’s patent war chest against Android has been revealed, and we dig in.

Plus Apple, Cisco, and AT&T join Microsoft in a pushback against US government overreach, Steam summer sale rumors, and more!


Show Notes:

— Headlines —

Apple, Cisco, AT&T join Microsoft in fight against global search warrant

Apple, Cisco and AT&T all filed amicus curiae briefs on Friday supporting Microsoft in its appeal of a decision requiring it to hand over data about an Irish customer to U.S. law enforcement officials. Verizon filed an amicus brief on Microsoft’s behalf on Tuesday.

In this case, U.S. magistrate judge James Francis IV decided that pursuant to the Stored Communications Act, Microsoft must provide law enforcement officials with the contents of an Irish customer’s email, which is stored on servers located in Dublin, Ireland. Microsoft and its peers argue the warrant defies both the Stored Communications Act and numerous international law constructs, including treaties the United States has in place with other countries — Ireland among them — regarding how to handle requests for data about each other’s citizens.

Chinese gov’t reveals Microsoft’s secret list of Android-killer patents

Microsoft has held to the line that it has loads of patents that are infringed by Google’s Android operating system. “Licensing is the solution,” wrote the company’s head IP honcho in 2011, explaining Microsoft’s decision to sue Barnes & Noble’s Android-powered Nook reader.

For the most part, they’ve remained secret. That’s led to a kind of parlor game where industry observers have speculated about what patents Microsoft might be holding over Android.

A list of hundreds of patents that Microsoft believes entitle it to royalties over Android phones, and perhaps smartphones in general, has been published on a Chinese language website.

The patents Microsoft plans to wield against Android describe a range of technologies.

They include lots of technologies developed at Microsoft, as well as patents that Microsoft acquired by participating in the Rockstar Consortium, which spent $4.5 billion on patents that were auctioned off after the Nortel bankruptcy.

The Chinese agency published two lists on a Chinese-language webpage

The longer list is divided into three sections: 73 patents that are said to be “standard-essential patents,” or SEPs, implemented in smartphones generally, followed by 127 patents that Microsoft says are implemented in Android. The final section includes another section of “non-SEP” assets, which includes 68 patent applications and 42 issued patents.

The lists include many newer and previously unrevealed patents, like 8,255,379 “Customer Local Search,” 5,813,013 “Representing Recurring Events,” and 6,999,047 “Locating and tracking a user in a wireless network through environmentally profiled data.”

Steam Summer Sale – Start Date Leaked!

According to a leaked listing posted on “Neogaf”, this year’s Steam Summer Sale will begin on June 19th and end on June 30th, leaving most Steam users no more than a week.

None of these dates or listings have been confirmed; however, they do appear to coincide with recent posts on Steam’s Developer Network and also fit in with Valve’s International DOTA 2 Championship schedule. In addition, other game sale sites such as “GreenManGaming” and “GOG (Good Old Games)” have started to have massive clear-out sales and bundles.

— Security Update —

Massive security flaws allowed for Stratfor hack, leaked report reveals

In December 2011, a group of skilled hackers broke into the network of Strategic Forecasting, Inc. (Stratfor), compromising the personal data of some 860,000 customers, including a former U.S. vice president, CIA director, and secretary of state, among others.
The hackers, known collectively as AntiSec, exfiltrated approximately 60,000 credit card numbers and associated data, resulting in a reported $700,000 in fraudulent charges. Roughly 5 million internal emails were obtained by the hackers and later released by the whistleblower organization WikiLeaks as the “Global Intelligence Files.”

Based on confidential internal documents obtained by the Daily Dot and Motherboard, Stratfor employed substandard cybersecurity prior to the infiltration that left thousands of customers vulnerable to potential identity theft.

According to the documents, Stratfor engaged Verizon Business/Cybertrust to “conduct a forensic investigation” into the breach on Dec. 30, 2011.
In a 66-page report filed Feb. 15, 2012, Verizon concludes in painful detail that Stratfor had insufficient control over remote access to vital systems, and that those systems were not protected by a firewall and lacked proper file integrity-monitoring.

For starters, at the time of the attack, no password management policy existed within Stratfor. Passwords were at times shared between employees, and nothing prevented the same passwords from being used on multiple devices.

“Users commonly use the same password to access email as the password to remotely access a system containing sensitive information,” the report states.

According to Verizon, no anti-virus software had been deployed on any of the examined systems, which left Stratfor “wide open to not only the more sophisticated and customized hacker attempts, but also to other viruses.”

Another “significant factor” in the breach was the design of Stratfor’s e-commerce environment, which facilitated the electronic transfer of payments by its customers. According to the report, this system was accessible, needlessly, from anywhere within the company’s network, “as well as the Internet directly.”

UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat

Somewhere in China, a man typed his user name, “ghost,” and password, “hijack,” and proceeded to rifle the computers of a utility in the Northeastern U.S.

He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city’s heat, or make a pipeline explode.

That didn’t appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the U.S. charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.

UglyGorilla is one of many hackers the FBI has watched. Agents have recorded raids by other operatives in China and in Russia and Iran, all apparently looking for security weaknesses that could be employed to disrupt the delivery of water and electricity and impede other functions critical to the economy, according to former intelligence officials with knowledge of the investigation.

UglyGorilla’s surveillance sortie was one of dozens conducted on natural gas pipelines and electric utilities by People’s Liberation Army Unit 61398 over at least 14 months in 2012 and 2013, according to documents obtained by Bloomberg News and people involved in the investigations but who asked not to be named because they weren’t authorized to speak publicly.
