CDN – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed last built Sun, 26 May 2019 02:11:55 +0000.

Prefork Pitfalls | TechSNAP 404
https://original.jupiterbroadcasting.net/131511/prefork-pitfalls-techsnap-404/
Sat, 25 May 2019 18:11:55 +0000

Show Notes: techsnap.systems/404

The post Prefork Pitfalls | TechSNAP 404 first appeared on Jupiter Broadcasting.

Ripping me a new Protocol | TechSNAP 221
https://original.jupiterbroadcasting.net/84667/ripping-me-a-new-protocol-techsnap-221/
Thu, 02 Jul 2015 19:05:26 +0000

Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Amazon releases s2n, a new TLS implementation

  • s2n (signal to noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
  • It has been fully audited, and will be re-audited once per year, paid for by Amazon
  • It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
  • The API appears to be very easy to use, and prevents many common errors
  • The client side of the library is not ready for use yet
  • Features:
    • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
    • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
    • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
    • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
    • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
  • One of the main features is that, instead of having to specify which set of crypto algorithms you want to prefer, in what order, as we have discussed doing before for OpenSSL (in apache/nginx, etc), you can either use ‘default’, which will change with the times, or a specific snapshot date, which corresponds to what was best practice at that time
  • Github Page
  • Additional Coverage – ThreatPost
  • It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.
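As an added illustration, written for these notes and not taken from s2n's source: the boundary-enforcing read discipline and the erase-on-read behaviour quoted above, applied to the TLS record layer of RFC 5246 (one byte of content type, two of version, two of length, then the fragment). The reader refuses to hand back more bytes than the caller actually supplied, so a record whose length field lies cannot cause an over-read, and the fragment is zeroed once the application has taken its copy. The names RecordReader, TlsRecord and take_and_wipe, and the three sample records, are this example's own.

```python
import struct
from dataclasses import dataclass

MAX_CIPHERTEXT_LEN = 2**14 + 2048   # TLSCiphertext.length limit, RFC 5246 section 6.2.3


class RecordError(ValueError):
    """Raised when a record claims more than the buffer holds, or is otherwise malformed."""


@dataclass
class TlsRecord:
    content_type: int
    version: int
    fragment: memoryview     # slice of the caller's bytearray, not a copy


class RecordReader:
    """Cursor over a bytearray; every read checks the remaining length first,
    in the spirit of the boundary-enforcing wrappers s2n describes."""

    def __init__(self, buf: bytearray):
        self.buf = buf
        self.pos = 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> memoryview:
        if n < 0 or n > self.remaining():
            raise RecordError(f"need {n} bytes, only {self.remaining()} available")
        view = memoryview(self.buf)[self.pos:self.pos + n]
        self.pos += n
        return view

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]


def parse_record(buf: bytearray) -> TlsRecord:
    """Parse one TLS record; fail closed if the length field lies."""
    r = RecordReader(buf)
    content_type = r.u8()
    version = r.u16()
    length = r.u16()
    if length > MAX_CIPHERTEXT_LEN:
        raise RecordError(f"record length {length} exceeds the protocol maximum")
    fragment = r.take(length)        # this is the read an unchecked parser gets wrong
    return TlsRecord(content_type, version, fragment)


def take_and_wipe(fragment: memoryview) -> bytes:
    """Copy the plaintext out and zero the source, as s2n does once data is read."""
    out = bytes(fragment)
    fragment[:] = bytes(len(fragment))   # writes through to the underlying bytearray
    return out


def rejects(buf: bytearray) -> bool:
    try:
        parse_record(buf)
    except RecordError:
        return True
    return False


# Constructed sample records (not captured traffic).
GOOD = bytearray.fromhex("170303" "0003" "aabbcc")    # application_data, TLS 1.2, 3-byte fragment
OVERCLAIM = bytearray.fromhex("170303" "4000" "aa")   # header claims 16384 bytes, carries 1
TRUNCATED = bytearray.fromhex("1703")                 # header itself cut short


def demo() -> dict:
    buf = bytearray(GOOD)            # work on a copy so the wipe is visible below
    rec = parse_record(buf)
    plaintext = take_and_wipe(rec.fragment)
    return {
        "content_type": rec.content_type,
        "version": rec.version,
        "plaintext": plaintext,
        "source_after_wipe": bytes(buf[5:]),
        "overclaim_rejected": rejects(OVERCLAIM),
        "truncated_rejected": rejects(TRUNCATED),
    }


if __name__ == "__main__":
    print(demo())
```

The length check against MAX_CIPHERTEXT_LEN is separate from the availability check on purpose: the first rejects records the protocol forbids, the second is what stops an over-read when the peer lies about the size of a record that is otherwise legal.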

How the NSA’s XKEYSCORE works

  • “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
  • “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
  • “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
  • “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
  • You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
  • “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
  • The security of the system is also not as good as you might imagine:
  • “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
  • “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
  • “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
  • The system is not well designed, and could likely have been done better with existing open source tools, or commercial software designed to classify web traffic
  • “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
  • Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days), your actual traffic is deleted to make room for newer traffic, but the metadata (those tags) are kept for 30-45 days
  • “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
  • “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
  • “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
  • “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
  • All of this information is based on the Snowden leaks, and is from many years ago
  • “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
  • Part 2 of Article

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

  • RIPv1 is a routing protocol released in 1988 that was deprecated in 1996
  • It uses UDP and so an attacker can send a message to a home router with RIP enabled from a spoofed IP address, and that router will send the response to the victim, flooding their internet connection
  • ““Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sourc­es, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.”
  • “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
  • Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.
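An added example, written for these notes and not Akamai's tooling, of where the 504-byte responses and the amplification come from. RFC 1058 frames RIPv1 as a 4-byte header followed by 20-byte route entries, at most 25 per packet; a whole-table request is one 24-byte packet, and a full response is 4 + 25 × 20 = 504 bytes, so a spoofed 24-byte request delivers 21 payload bytes to the victim for every byte the attacker sends, before IP and UDP headers. The reflector's response is constructed inline; nothing is sent on the network.

```python
import socket
import struct

RIP_PORT = 520                       # UDP; RIPv1 has no authentication at all
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_VERSION_1 = 1
AFI_INET = 2
METRIC_INFINITY = 16
MAX_ENTRIES = 25                     # RFC 1058: at most 25 entries per packet
HDR = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s8sI")    # AFI, zero, IPv4 address, 8 zero bytes, metric


def build_full_table_request() -> bytes:
    """The 24-byte probe: one entry with AFI 0 and metric 16 asks for the whole table."""
    return (HDR.pack(RIP_REQUEST, RIP_VERSION_1, 0)
            + ENTRY.pack(0, 0, bytes(4), bytes(8), METRIC_INFINITY))


def build_response(routes) -> bytes:
    """A reflector's reply (constructed here): up to 25 (network, metric) entries."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("RIPv1 responses carry at most 25 entries per packet")
    body = b"".join(ENTRY.pack(AFI_INET, 0, socket.inet_aton(net), bytes(8), metric)
                    for net, metric in routes)
    return HDR.pack(RIP_RESPONSE, RIP_VERSION_1, 0) + body


def parse(packet: bytes) -> dict:
    """Decode a RIPv1 packet, rejecting lengths that are not header + whole entries."""
    if len(packet) < HDR.size or (len(packet) - HDR.size) % ENTRY.size:
        raise ValueError(f"malformed RIPv1 packet of {len(packet)} bytes")
    command, version, _ = HDR.unpack_from(packet, 0)
    if version != RIP_VERSION_1:
        raise ValueError(f"not RIPv1 (version {version})")
    entries = [(afi, socket.inet_ntoa(addr), metric)
               for afi, _, addr, _, metric in ENTRY.iter_unpack(packet[HDR.size:])]
    return {"command": command, "entries": entries}


def amplification(request: bytes, response: bytes) -> float:
    """Payload bytes delivered to the spoofed victim per payload byte the attacker sends."""
    return len(response) / len(request)


def demo() -> dict:
    request = build_full_table_request()
    # A reflector with a full table: 25 routes (a constructed sample, not a scan result).
    routes = [(f"10.{i}.0.0", 1 + i % 15) for i in range(MAX_ENTRIES)]
    response = build_response(routes)
    parsed = parse(response)
    return {"request_len": len(request), "response_len": len(response),
            "entries": len(parsed["entries"]), "first_route": parsed["entries"][0],
            "amplification": amplification(request, response)}


if __name__ == "__main__":
    print(demo())
```

The same arithmetic is why the fix is to stop answering rather than to rate-limit: a device that answers RIPv1 requests from arbitrary sources on UDP/520 is a reflector by design, and the only question is how full its table is.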

Home Routers used to host Malware

  • Home routers were found to be hosting the Dyre malware
  • Symantec Research Paper of Dyre
  • Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher end routers geared towards power users and small businesses
  • “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
  • “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”

Not Sharing The Secret | TechSNAP 156
https://original.jupiterbroadcasting.net/54462/not-sharing-the-secret-techsnap-156/
Thu, 03 Apr 2014 16:18:21 +0000

Researchers develop a new way to protect your passwords after they’ve been stolen, the little credit card scam making big money…

Then it’s a great batch of your questions, a rockin round up, and much much more!

On this week’s TechSNAP.

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Researchers at NYU develop PolyPassHash, a hard-to-crack password store

  • PolyPassHash is designed to make it significantly harder to crack users’ passwords in the event the password database is leaked
  • The system uses SSSS (Shamir’s Secret Sharing Scheme), which is a system for dividing a secret key (in this case used to encrypt the password database) into many pieces, and requiring only a specific number of those pieces to be combined to return the key
  • In the wikipedia example, the secret key is divided into 6 parts and the algorithm defined such that 3 of the parts must be combined in order to return the secret
  • The SSSS algorithm is extensible: it allows the number of pieces that the secret is divided into to grow, as long as the threshold (the number of pieces required to decrypt) is kept fixed
  • The SSSS algorithm is also flexible, allowing for some people (say the system administrator) to have more than 1 share
  • In the Python reference implementation the threshold is set to 10
  • This means that 10 pieces of the secret are required in order to decrypt the password file
  • Each regular user’s password is 1 share of the secret, so when that user provides the correct password, 1 share is available
  • In the reference implementation, there are 3 administrator users, each of whose password is 5 shares of the secret, meaning the correct passwords for any 2 of the administrators will be able to decrypt the password database
  • Currently PolyPassHash uses just the SHA256 of the users’ password and a random salt, rather than using sha256crypt() which does more than 1 SHA256 round on the password, and uses different mixes of the password and salt
  • The drawback with PolyPassHash is that after a reboot, it is not possible for anyone to login until a sufficient number of users have entered the correct password to return the required number (the threshold) of shares to decrypt the password hashes
  • There is a proposed solution to this, involving shortening the SSSS key such that some of the hash (the last few bytes) are not encrypted, and using that to authenticate the first few users until sufficient users have successfully logged in to decrypt the password database
  • This compromises the security of the passwords because part of the plain hash is leaked, and it also means that an incorrect password could allow a user to login after a reboot before the threshold has been met
  • PolyPassHash also has support for thresholdless accounts (accounts that do not have any shares), in order to protect larger systems (like Facebook or Gmail) where an attack may have compromised enough accounts to have sufficient shares to decrypt the entire database. In this case, only administrator (or maybe power user) accounts would have shares
  • PolyPassHash also has support for other authentication systems, including things like biometrics, ssh keys, and smart cards, but also external systems like OAuth or OpenID (thresholdless accounts)
  • In the case of SSH keys, instead of a password, the share of the SSSS is encrypted with the public key, and the user uses their SSH private key to decrypt the share
  • New users cannot be added until the threshold has been reached, since the secret is required to generate a new share of the secret
  • Research Paper
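An added model of the scheme described above, written for these notes rather than taken from the NYU reference implementation. The secret protecting the store is the constant term of a random polynomial over the prime field GF(p); each account's stored entry is a salt, the share index (or indices) it holds, and the share XORed with SHA-256(salt || password || index), the per-index hash input being this example's choice. A correct password unshields a share; once `threshold` distinct shares have been unshielded the polynomial is recovered by interpolation and every other password can be checked, and not before. Threshold 10, admins with 5 shares and users with 1 follow the notes; the account names and passwords are constructed.

```python
import hashlib
import os
import secrets

P = 2**255 - 19   # prime field for the Shamir polynomial


def _eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term f(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x):
    """Lagrange: value at x of the unique polynomial through `points` (distinct x)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _hash_share(salt, password, index):
    """Per-share shielding value (the hash input layout is this example's choice)."""
    h = hashlib.sha256(salt + password.encode() + index.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big")


class PolyPassStore:
    def __init__(self, threshold=10):
        self.threshold = threshold
        coeffs = [secrets.randbelow(P) for _ in range(threshold)]   # degree threshold-1
        self.secret = coeffs[0]                                        # f(0)
        # `threshold` points determine f; the coefficients themselves are dropped.
        self._known = {x: _eval(coeffs, x) for x in range(1, threshold + 1)}
        self.entries = {}           # name -> (salt, [(share index, shielded share), ...])
        self._next_index = 1
        self.unlocked = True

    def _f(self, x):
        return _interpolate(list(self._known.items())[: self.threshold], x)

    def add_user(self, name, password, shares=1):
        if not self.unlocked:
            raise RuntimeError("cannot mint shares while the store is locked")
        salt = os.urandom(16)
        shielded = []
        for _ in range(shares):
            idx, self._next_index = self._next_index, self._next_index + 1
            shielded.append((idx, self._f(idx) ^ _hash_share(salt, password, idx)))
        self.entries[name] = (salt, shielded)

    def lock(self):
        """Reboot: only the shielded entries survive; f and the secret are gone."""
        self.secret, self._known, self.unlocked = None, {}, False

    def login(self, name, password):
        salt, shielded = self.entries[name]
        cands = [(idx, s ^ _hash_share(salt, password, idx)) for idx, s in shielded]
        if self.unlocked:
            return all(self._f(idx) == share for idx, share in cands)
        # Locked: shares are only accumulated. A wrong password yields a wrong
        # share that cannot be told apart from a right one yet (and would poison
        # recovery), which is the post-reboot drawback described in the notes.
        for idx, share in cands:
            self._known[idx] = share
        if len(self._known) >= self.threshold:
            self.secret = self._f(0)
            self.unlocked = True
        return self.unlocked


def demo():
    store = PolyPassStore(threshold=10)
    for admin in ("root", "ops", "oncall"):
        store.add_user(admin, f"{admin}-pw", shares=5)
    for i in range(6):
        store.add_user(f"user{i}", f"user{i}-pw")
    original_secret = store.secret
    store.lock()
    store.login("root", "root-pw")                  # 5 shares
    for i in range(4):
        store.login(f"user{i}", f"user{i}-pw")      # +4 = 9 shares, one short
    after_nine = store.unlocked
    store.login("ops", "ops-pw")                    # +5 = 14, threshold met
    return {
        "locked_after_nine_shares": not after_nine,
        "unlocked_after_second_admin": store.unlocked,
        "secret_recovered": store.secret == original_secret,
        "good_password": store.login("user5", "user5-pw"),
        "bad_password": store.login("user5", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Note what an attacker holding only the file sees: salts and values of the form f(index) XOR SHA-256(...). Without `threshold` correct passwords there is no f to check a guess against, which is the whole point; the flip side is the locked-after-reboot state, where login() can only collect shares and cannot say whether any one of them was right.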

Who is behind sub-$15 credit card scam

  • A service called ‘BLS Web Learn’ has been identified as being behind a scam that charged numerous credit and debit cards small fees of less than $15
  • The scam centers around small charges that appear on your credit card bill, usually for small random amounts such as $9.84, $10.37, or $12.96
  • The line item includes a toll free number (as most charges do), and you are encouraged by your bank to call this number and try to identify the charge and resolve any issues with the seller directly, rather than filing a chargeback
  • In this case, since the card holder never ordered anything or authorized the charge, the service refunds the small amount
  • They make their money off all of the people who don’t notice the small charge
  • Unlike many scams, because they maintain the assertion that they are a legitimate business, and refund the charge when a cardholder complains, they do not rack up a large number of chargebacks, and their account with the credit card processor is not red flagged or shut down
  • Krebs has investigated a similar case before, which appeared to be based in Malta
  • The name of the ‘online learning’ company, and the credit card processor are different, but the scam seems very much the same
  • The payment processor, BlueSnap, lists its offices in Massachusetts, California, Israel, Malta and London. Interestingly, the payment network used by the previous scam, Credorax, also lists offices in Massachusetts, Israel, London and Malta

The Gift of Giving | BSD Now 17
https://original.jupiterbroadcasting.net/48552/the-gift-of-giving-bsd-now-17/
Tue, 24 Dec 2013 22:46:33 +0000

Merry Christmas everyone! We’re taking the holiday off and just have an interview for you today. We sat down with Scott Long to discuss using FreeBSD at Netflix and lots of other things. Next week we will return with the normal round of news and tutorials.

Thanks to: iXsystems


– Show Notes: –

Interview – Scott Long – scottl@freebsd.org

FreeBSD at Netflix, OpenConnect, network performance, various topics


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

WebRTC Game Changer | LAS s29e01
https://original.jupiterbroadcasting.net/44182/webrtc-game-changer-las-s29e01/
Sun, 06 Oct 2013 14:17:59 +0000

WebRTC is going to bring a whole new category of applications to Linux, and the web. We’ll demo some of our favorite and surprisingly powerful uses of WebRTC that go way beyond basic video chat.

Plus Steambox specs get real, Mir gets dropped from Ubuntu 13.10…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to: GoDaddy, Ting


— Show Notes: —

Fun with WebRTC



  • RTCPeerConnection
  • Audio Only Chat with WebRTC: anonymous, browser-based voice chat.
  • Screen Sharing with WebRTC: “Welcome to extremely easy screensharing directly in the browser – no downloads or plugins”
  • RTCDataChannel
  • Send files directly: secured, anonymous, instant, without a cloud.
  • peerCDN: “peerCDN utilizes WebRTC DataChannel to establish peer-to-peer connections between a site’s visitors. Chrome and Firefox already support WebRTC, which together account for 58% of global browser usage (according to StatCounter). IE and Safari will likely add support soon. Graceful fallback for unsupported browsers.”

You Need a Server, but You’ve Got Options

  • The peers still have to agree on what codecs to use
  • Which security keys to use
  • The network route to take (behind a NAT, direct, etc)
  • That agreement is carried by a signalling server, which can be: WebSockets, Google Cloud Messaging, XHR
  • The signalling protocol can be lots of things, like: JSON, SIP, XMPP
  • That sets up the p2p link between the WebRTC sessions.
  • STUN: WebRTC uses a STUN server so WebRTC clients can figure out their public IP and port from behind a NAT.
  • TURN: WebRTC uses a TURN server to provide a relay fallback if p2p fails. It uses server bandwidth for the relay, but makes the call work in almost every environment.
  • ICE: WebRTC uses ICE to gather the direct candidates (local and STUN-discovered addresses) and at the same time allocate a TURN relay, then runs connectivity checks to decide which path can actually be used.
  • Prefers the direct p2p path (STUN-discovered) over the TURN relay.
  • You can use Google’s “test” servers: stun.l.google.com:19302
  • Deploy your own: rfc5766-turn-server
  • restund – Open Source STUN/TURN Server
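An added example, not code from the show or from any STUN server, of the exchange that gives a WebRTC client its public address: the 20-byte Binding Request from RFC 5389 and the Binding Success Response carrying XOR-MAPPED-ADDRESS, which the client un-XORs with the magic cookie 0x2112A442 (the XOR exists so that NATs which rewrite IP addresses they spot in payloads leave the answer alone). The response is constructed inline rather than fetched from stun.l.google.com, so the script runs offline; ICE connectivity checks and TURN allocation are not modelled, and the sample addresses are from documentation ranges.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020
FAMILY_IPV4 = 0x01
HEADER = struct.Struct("!HHI12s")    # type, length, magic cookie, transaction id


def build_binding_request(txid=None):
    """The request a client sends to UDP/3478; the transaction id ties the reply to it."""
    txid = txid or os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def build_binding_response(txid, ip, port):
    """What a STUN server sends back: the source address it saw the request
    arrive from, XOR-obscured with the magic cookie (constructed here, not
    received from a server)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(packet, expected_txid):
    """Return (ip, port) the server saw; reject replies that are not ours."""
    mtype, mlen, cookie, txid = HEADER.unpack_from(packet, 0)
    if cookie != MAGIC_COOKIE or txid != expected_txid:
        raise ValueError("not a reply to our request")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type {mtype:#06x}")
    if len(packet) != HEADER.size + mlen:
        raise ValueError("length field does not match packet")
    off = HEADER.size
    while off + 4 <= len(packet):
        atype, alen = struct.unpack_from("!HH", packet, off)
        value = packet[off + 4: off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != FAMILY_IPV4:
                raise ValueError("IPv6 XOR-MAPPED-ADDRESS is not handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa((xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, port
        if atype == ATTR_MAPPED_ADDRESS:         # older servers send the plain form
            _, family, port, addr = struct.unpack("!BBH4s", value)
            return socket.inet_ntoa(addr), port
    raise ValueError("no mapped address in response")


def demo():
    request, txid = build_binding_request()
    # The NAT's public side as the server would see it (constructed sample).
    response = build_binding_response(txid, "203.0.113.7", 54321)
    return {"request_len": len(request), "response_len": len(response),
            "reflexive": parse_binding_response(response, txid)}


if __name__ == "__main__":
    print(demo())
```

The reflexive address is only a candidate: ICE still has to confirm that packets sent to 203.0.113.7:54321 reach the peer through that NAT, and if they do not, the TURN relay is what the call ends up using.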

More on WebRTC

APIs and RTCWEB Protocols of the HTML5 Real-Time Web, Second Edition


– Picks –

Weekly Spotlight Pick:

Yorba is proud to announce the release of Geary 0.4, the newest version of our lightweight email client.

We at Yorba are pleased to bring you Shotwell 0.15.

Watch List:

Should Linux users be anti-cloud? Why do so many of us feel guilty for using the “cloud”?



WHOIS Hiding | TechSNAP 129
https://original.jupiterbroadcasting.net/43687/whois-hiding-techsnap-129/
Thu, 26 Sep 2013 08:35:11 +0000

Big changes could be coming to the WHOIS database in the name of privacy, but security experts have major concerns.

Plus our suggestions for rolling your own server, a huge batch of questions, and much much more!

On this week’s TechSNAP.

Thanks to: GoDaddy, Ting


— Show Notes: —

WHOIS Privacy Plan Draws Fire

  • Internet regulators are pushing a controversial plan to restrict public access to WHOIS Web site registration records. Proponents of the proposal say it would improve the accuracy of WHOIS data and better protect the privacy of people who register domain names.
  • According to an interim report (PDF) by the ICANN working group, the WHOIS data would be accessible only to “authenticated requestors that are held accountable for appropriate use” of the information.
  • The working group’s current plan envisions creating what it calls an “aggregated registration directory service” (ARDS) to serve as a clearinghouse that contains a non-authoritative copy of all of the collected data elements.
  • The registrars and registries that operate the hundreds of different generic top-level domains (gTLDs, e.g. dot-biz, dot-name) would be responsible for maintaining the authoritative sources of WHOIS data for domains in their gTLDs.
  • Those who wish to query WHOIS domain registration data from the system would have to apply for access credentials to the ARDS, which would be responsible for handling data accuracy complaints, auditing access to the system to minimize abuse, and managing the licensing arrangement for access to the WHOIS data.
  • The interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.
  • “Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers — including prior authorization, disclosure obligations, payment of fees, etc. — in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.
  • Krebs says: the working group’s interim report leaves open in my mind the question of how exactly the ARDS would achieve more accurate and complete WHOIS records. Current accreditation agreements that registrars/registries must sign with ICANN already require the registrars/registries to validate WHOIS data and to correct inaccurate records, but these contracts have long been shown to be ineffective at producing much more accurate records.

WeChat security found to be lax, your password is at risk

  • The WeChat Android client has an undocumented debugging interface that can be accessed by other apps on your Android device
  • This interface allows an attacker to intercept all data flowing through the WeChat application, including your username and hashed password
  • The password is only hashed with plain MD5 (no salt, single round), making it trivial to brute force or look up in a rainbow table
  • “In WeChat versions up to 4.3.5 we identified several vulnerabilities which allow an attacker who can intercept the traffic to quickly decrypt the message body, thus being able to access the messages sent and received by the user. More recent versions seem to be immune to these attacks, but we still have to perform a more in-depth analysis of the encryption scheme implemented in the latest WeChat releases.”
  • The local SQLite database used by WeChat is encrypted, but the key is derived from the WeChat uid and the local DeviceID, meaning an attacker with access to this debug interface has both parameters and can derive the key
  • “We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply.”

DRAM prices still being driven up by plant fire

  • As TechSNAP reported previously, there was a chemical explosion and fire at the SK Hynix plant in Wuxi China on September 4th
  • SK Hynix is attempting to rush repairs to the damaged fab, and has reopened the remaining fab at the Wuxi site on September 7th. The two fabs are isolated to prevent a problem at one from crippling the other
  • SK Hynix is also shifting some production to other plants in Korea
  • However the expected shortage has still driven DRAM prices up 27 percent
  • The Wuxi plant makes approximately 10% of the worlds supply of DRAM
  • SK Hynix expects the plant to be back at full capacity sometime in October
  • Full repairs will take between three months and six months and reduce total output by two months’ worth of production
  • Even once the repaired plant is online, SK Hynix plans to ramp production up beyond the previous levels, as well as maintain the increased production in Korea
  • SK Hynix will also bring production back in stages as portions of the damaged plant are cleaned and repaired, to match what analysts expect will be a spike in demand for PC-oriented chips as the Oct. 18 ship date of Windows 8.1 approaches

Feedback:

Build your own Google Reader replacement, or check out one of the hosted options. We’ll run down the list of the candidates we think have the best potential to replace Google Reader on Linux.

Gentlemen, Start Your NGINX | TechSNAP 128
https://original.jupiterbroadcasting.net/43352/gentlemen-start-your-nginx-techsnap-128/
Thu, 19 Sep 2013 16:15:59 +0000

A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

Then it’s a great big batch of your questions, our answers, and much much more!

On this week’s TechSNAP.

Thanks to: GoDaddy, Ting


— Show Notes: —

Crooks Hijack Retirement Funds Via Social Security Administration Portal

  • Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number, through a financial institution, or through Treasury’s Direct Express program
  • The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal
  • The SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site.
  • As of August 23, 2013, the SSA had received 18,417 allegations of possibly fraudulent my Social Security account activity.
  • “There is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.” – Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General
  • Banks usually will alert customers if the beneficiary account for SSA payments is changed, but those notices are typically sent via snail mail
  • Many customers will overlook such notices
  • If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time to take care of that
  • Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam
  • In Canada, registering on the Canada Revenue Agency’s website requires information from your previous year’s tax returns, and an activation code is snail-mailed to you

Microsoft warns of a 0day in all versions of Internet Explorer, working on a patch for IE 6 – 11

  • The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type
  • Actively being exploited against IE8 and 9
  • Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
  • The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
  • The company is offering the following workarounds and mitigations:
  • Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” which prevents exploitation of this issue. Note: this Fix it solution only works for 32-bit versions of IE
  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and local intranet security zones
  • CVE-2013-3893
  • Additional Coverage

Cyber Police Arrest 12 Over Santander Bank Heist Plot

  • The Metropolitan Police’s Central e-Crime Unit (PCeU) has arrested 12 men as part of an investigation into an “audacious” plot to take control of a Santander bank computer
  • “The PCeU is committed to tackling cyber-crime and the damage it can cause to individuals, organisations and the wider economy.”
  • According to the police, the group sent in a man dressed as a maintenance engineer, who managed to attach an IP-KVM (keyboard, video, mouse) device to a machine in the bank, allowing the attackers to remotely carry out actions on the computer
  • The men, aged between 23 and 50, were arrested yesterday, whilst searches were carried out at addresses in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slou

Feedback

10.1.10.254:/mnt/fart /mnt/nfs nfs auto,noatime,nolock,defaults,user=1001 0 0

Round Up:

iOS 7 Swamps the Internet

SSH FUD Busting | TechSNAP 90 https://original.jupiterbroadcasting.net/29371/ssh-fud-busting-techsnap-90/ Thu, 27 Dec 2012 17:11:42 +0000 https://original.jupiterbroadcasting.net/?p=29371 We’ll bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

The post SSH FUD Busting | TechSNAP 90 first appeared on Jupiter Broadcasting.

We bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

Plus a rockin’ round-up and a batch of your questions, and our answers!

All that and more on this week’s TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? use go20off5 to save 20% on your entire order!

$4.99 SSL certificates, just use our code 499ssl2. Expires 12-31-12!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Show Notes:

W3 Total Cache (a popular WordPress plugin) may expose sensitive data

  • W3 Total Cache is a very popular and powerful caching plugin
  • The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
  • It can provide significant speed gains over stock WordPress
  • Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
  • Database Cache – By caching the results of database queries, if the same read query needs to be executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
  • Object Cache – A higher level cache than the database cache; objects may be constructed from the results of many queries and plugins, and caching the complete object may result in significant page load time improvements
  • Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
  • JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
  • CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files, in addition to media such as images and thumbnails. By loading this content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browsers’ parallel downloading features
  • All of these caches offer a number of backends, allowing you to choose between caching to disk, advanced caching to disk, opcode caches such as APC, or dedicated caches such as memcache
  • All of these features make W3TC very popular and well respected
  • However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
  • The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
  • This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
  • If an attacker were to get the password hash for an administrative account and brute force that hash, they could then take over that WordPress installation
  • Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are predictable: each is the md5 hash of the string w3tc${host}${site_id}_sql_${query}
  • You should configure your web server to deny access to the /wp-content/w3tc/dbcache, /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for Apache)
  • If you use an opcode cache or memcache, your site is not affected by this configuration error
  • Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
  • The creators of W3TC are working on an update to address the issue
  • Allan’s slides on improving your Blog with ScaleEngine
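The deny rule recommended above, as an added example that is neither the show’s nor W3TC’s own code: it writes an Apache .htaccess into the three private directories (with an nginx equivalent, since nginx ignores .htaccess) and checks the result against a constructed temporary document root.

```python
"""Block direct HTTP access to W3 Total Cache's private cache directories.

Added example; not from the show notes and not W3TC's own code. It writes an
Apache .htaccess into each private directory that denies every request, in both
the Apache 2.4 (mod_authz_core) and 2.2 syntax so one file works on either.
The page and minify caches are left alone: they must stay web-accessible.
"""
import tempfile
from pathlib import Path

# The directories the show notes say hold data that must never be served.
PRIVATE_DIRS = (
    "wp-content/w3tc/dbcache",
    "wp-content/w3tc/objectcache",
    "wp-content/w3tc/log",
)

HTACCESS = """\
# Deny all direct HTTP access to this W3TC cache directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

# nginx does not read .htaccess; this location block does the same job there.
NGINX_SNIPPET = """\
location ~ ^/wp-content/w3tc/(dbcache|objectcache|log)/ {
    deny all;
}
"""


def harden_w3tc(docroot: str) -> list:
    """Write the deny-all .htaccess into each private directory under docroot.

    Directories that do not exist yet are created so the rule is already in
    place when the plugin first populates them. Returns the files written.
    """
    written = []
    for rel in PRIVATE_DIRS:
        directory = Path(docroot) / rel
        directory.mkdir(parents=True, exist_ok=True)
        target = directory / ".htaccess"
        target.write_text(HTACCESS)
        written.append(str(target))
    return written


def verify_w3tc(docroot: str) -> dict:
    """Per private directory: is a deny-all .htaccess (both syntaxes) present?"""
    status = {}
    for rel in PRIVATE_DIRS:
        target = Path(docroot) / rel / ".htaccess"
        text = target.read_text() if target.is_file() else ""
        status[rel] = "Require all denied" in text and "Deny from all" in text
    return status


def demo() -> dict:
    """Run against a throwaway document root (constructed, not a real site)."""
    with tempfile.TemporaryDirectory() as docroot:
        # Simulate a site whose dbcache directory already exists, unprotected.
        (Path(docroot) / "wp-content" / "w3tc" / "dbcache").mkdir(parents=True)
        assert not any(verify_w3tc(docroot).values())
        harden_w3tc(docroot)
        return verify_w3tc(docroot)


if __name__ == "__main__":
    for rel, protected in demo().items():
        print(f"{rel}: {'protected' if protected else 'EXPOSED'}")
```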

Inventor of SSH warns that improper key management makes SSH less secure than it should be

  • This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
  • SSH is not vulnerable or compromised
  • The story started with an interview of Tatu Ylonen, the inventor of SSH
  • “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out.”
  • The problem is actually caused by users and bad management practices
  • Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
  • Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account; often these lists are not pruned because keys are hard to identify
  • While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
  • Federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but oftentimes SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
  • A stolen SSH key is what led to the compromise of the FreeBSD package building cluster last month
  • It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
  • Tools such as Puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
  • One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command before optionally checking the authorized_keys file
  • This feature can be used to look up keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing canonical keys in a central location
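As an added example (not from the show, from OpenSSH or from any product), a small audit script for the authorized_keys problem described above: it fingerprints each key, flags entries that cannot be tied to a known identity, that grant root access, or that carry no from=/command= restriction, and spots one key reused across accounts. The sample files, identities and key blobs are constructed.

```python
"""Audit authorized_keys files for keys that cannot be tied to a person.

Added example: not from the show, from OpenSSH, or from any auditing product. It
flags what the show notes describe: keys with no identifying comment, comments
matching no known identity, keys in root's file, and keys with no restrictions.
"""
import base64
import binascii
import hashlib
from dataclasses import dataclass, field

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class KeyEntry:
    account: str
    key_type: str
    fingerprint: str
    options: str
    comment: str
    findings: list = field(default_factory=list)


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """(options, key type, key, comment) for a key line; None for blanks/comments."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # The options field is optional, so find the key type first; what precedes it is options.
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit(account: str, text: str, known_identities: set) -> list:
    """One KeyEntry per key line of an account's authorized_keys, findings filled in."""
    entries = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, key_b64, comment = parsed
        try:
            fp = fingerprint(key_b64)
        except (binascii.Error, ValueError):
            fp = "INVALID"  # malformed blob: still reported so it gets removed
        entry = KeyEntry(account, key_type, fp, options, comment)
        if not comment:
            entry.findings.append("no comment: key cannot be linked to a person")
        elif comment not in known_identities:
            entry.findings.append(f"comment {comment!r} matches no known identity")
        if account == "root":
            entry.findings.append("grants root access")
        if "from=" not in options and "command=" not in options:
            entry.findings.append("unrestricted: no from= or command= option")
        entries.append(entry)
    return entries


def shared_keys(entries: list) -> dict:
    """fingerprint -> accounts, for keys that appear in more than one account."""
    seen = {}
    for e in entries:
        seen.setdefault(e.fingerprint, set()).add(e.account)
    return {fp: accts for fp, accts in seen.items() if len(accts) > 1}


def sample_blob(key_type: str, seed: int) -> str:
    """Constructed, syntactically valid key blob; NOT a real public key."""
    body = b"\x00\x00\x00" + bytes([len(key_type)]) + key_type.encode()
    return base64.b64encode(body + b"\x00\x00\x00\x20" + bytes([seed]) * 32).decode()


# Constructed sample authorized_keys files for two accounts on one host.
ALICE_KEY = sample_blob("ssh-ed25519", 1)
SAMPLE_FILES = {
    "root": f"# root's keys on build01\nssh-ed25519 {ALICE_KEY} alice@example.org\n"
            f"ssh-rsa {sample_blob('ssh-rsa', 2)}\n",
    "deploy": f"ssh-ed25519 {ALICE_KEY} alice@example.org\n"
              f'from="10.0.0.0/8",command="/usr/local/bin/deploy" ssh-ed25519 '
              f"{sample_blob('ssh-ed25519', 3)} deploy-bot\n"
              f"ssh-rsa {sample_blob('ssh-rsa', 4)} old-contractor\n",
}
KNOWN_IDENTITIES = {"alice@example.org", "deploy-bot"}


def run_sample() -> list:
    """Audit every constructed sample file and return all entries found."""
    results = []
    for account, text in SAMPLE_FILES.items():
        results.extend(audit(account, text, KNOWN_IDENTITIES))
    return results


if __name__ == "__main__":
    for e in run_sample():
        print(e.account, e.key_type, e.fingerprint, e.comment or "(no comment)", e.findings)
    print("shared keys:", shared_keys(run_sample()))
```

The OpenSSH feature the last bullet refers to is the AuthorizedKeysCommand directive in sshd_config (OpenSSH 6.2 and later); the same audit can be run over whatever that command returns for each account.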

Feedback:

Round-Up:

Audible Book Pick: The Master Switch: The Rise and Fall of Information Empires Audio Book

No Pay? No Patch! | TechSNAP 58 https://original.jupiterbroadcasting.net/19691/no-pay-no-patch-techsnap-58/ Thu, 17 May 2012 16:58:19 +0000 https://original.jupiterbroadcasting.net/?p=19691 Adobe tells customers to upgrade to get the latest security fixes, Kickstarter has an embarrassing security lapse.

The post No Pay? No Patch! | TechSNAP 58 first appeared on Jupiter Broadcasting.

PLUS: self-destructing SSDs, and mirroring vs. a CDN: what’s the difference, and when is each used? We answer that, and so much more, in this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

New customers 25% off your entire order, code: 25MAY7
Expires: May 31, 2012

     

Show Notes:

Credit Card Processor Breach led to prepaid card fraud

  • Global Payments, a very large credit card processing firm, was breached some time before March of this year, and as many as 1.5 million cards were leaked. Some industry analysts place the number closer to 7 million
  • It was originally believed that the breach occurred sometime in January or February of 2012, but now it appears as if it might have been as far back as June of 2011
  • Global Payments claims that they self-discovered and self-reported the compromise; however, some banks had detected the fraud earlier and alerted Visa that the commonality between all of the compromised accounts was purchases at merchants that use Global Payments
  • Some of the cards that were compromised were apparently debit cards, rather than credit cards
  • Some of these debit cards appear to have been sold to criminals, who then used them to defraud stores
  • The offenders would buy low denomination prepaid cards (usually $10 or $20), then go away and reprogram the magnetic stripes on the cards with the data from stolen debit cards
  • The offenders would then return to the stores and purchase high denomination prepaid cards
  • The high value prepaid cards would then be used to purchase expensive electronics and other goods with high resale values
  • One of the reasons that such scams are not more common is that stored value instruments, such as prepaid cards, gift cards and money orders, cannot be purchased with a credit card, due to the fact that credit card transactions can be reversed. Debit card transactions are usually considered irreversible and more secure
  • Global Payments claimed that only Track 2 data from the cards was compromised, and that Track 1 data, which contains the account holder’s name and other information, was not compromised
  • This successful attack shows how even just Track 2 data can be exploited

Adobe discloses security flaw in Photoshop CS5, solution? Buy CS6

  • A vulnerability has been discovered in the way Photoshop CS5.1 (version 12.1) parses .TIFF files
  • The vulnerability appears to affect every version of Photoshop prior to CS6
  • The vulnerability can be used to execute attacker-supplied code as the user who is running Photoshop
  • The vulnerability was reported to Adobe in September of 2011
  • After 180 days without a patch, researchers publicly disclosed the vulnerability
  • Adobe’s vulnerability announcement recommends users upgrade to CS6 (a paid upgrade)
  • Adobe claims a patch for CS 5.1 is forthcoming, but does not provide any timeline or details
  • Additional Advisory Link
  • Proof of Concept Exploit Code
  • CVE-2012-2027
  • CVE-2012-2028

Kickstarter Security Lapse leaks details of 70,000 unpublished projects

  • The revelation was made by the Wall Street Journal that roughly 70,000 yet-to-be-launched project ideas had been left exposed for more than two weeks.
  • “The information that could be seen didn’t include credit-card numbers or other sensitive personal details, but it could make users more wary of Kickstarter’s data practices and lower their expectations of privacy on the site.”
  • On Friday one of our engineers uncovered a bug involving Kickstarter’s private API
  • This bug allowed some data from unlaunched projects to be made accessible via the API
  • It was immediately fixed upon discovering the error. No account or financial data of any kind was made accessible.
  • The bug was introduced when we launched the API in conjunction with our new homepage on April 24 and was live until it was discovered and fixed on Friday.
  • Based on our research (Kickstarter’s internal team), the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us.
  • Official Announcement

Feedback:

Jungle Boogie asks… What’s the diff between a mirror & CDN?

Round Up:

Obscurity is not Security | TechSNAP 55 https://original.jupiterbroadcasting.net/19027/obscurity-is-not-security-techsnap-55/ Thu, 26 Apr 2012 18:59:25 +0000 https://original.jupiterbroadcasting.net/?p=19027 Cryptic Studios suffered a database breach, but we’ve got more questions, and more vulnerabilities have been found in critical infrastructure hardware.

The post Obscurity is not Security | TechSNAP 55 first appeared on Jupiter Broadcasting.

Cryptic Studios suffered a database breach, but we’ve got more questions than answers; more vulnerabilities have been found in critical infrastructure hardware; and a WiFi hack so easy it’s fun!

Plus why you might have had trouble downloading Jupiter Broadcasting shows, and so much more!

All that and more on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer: $5.99 .coms, up to 5 domains! Just use our code 599com7

Want to save money on your entire order? Use our code spring7 and save 15%!

     

Show Notes:

Rugged OS contains backdoor maintenance account with insufficient security

  • RuggedCom’s Rugged OS devices are used for controlling SCADA systems, including enabling management of non-networked SCADA devices via an IP-to-Serial interface
  • Rugged OS devices are used to manage traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites
  • The issue is that all Rugged OS devices contain an account with the username ‘factory’ that cannot be disabled
  • This account is obviously meant to allow the manufacturer to service the device; however, it is insufficiently secured
  • Instead of using strong cryptography, SSL/SSH keys or something similar, the factory account uses a password derived from the MAC address of the device (so the password is unique per device)
  • However, this password is simply the MAC address run through a short Perl script that reverses the octets and takes the modulus of a static constant
  • This means that all of the factory user passwords are at most 9 digits in length and always contain only numeric values
  • The RuggedCom devices appear to use plain Telnet, rather than SSH, so all communications to and from the device are in the clear, meaning the password to the device could be sniffed by anyone with access to the network segment
  • The MAC address of the device is presented automatically as part of the login banner, making the compromise of these devices trivial
  • Researchers notified the manufacturer more than a year ago, but rarely got a response
  • The researchers forced the issue via US-CERT in February of this year, and in the beginning of April CERT set a disclosure date due to a lack of response
  • This vulnerability was discovered by analyzing the firmware of a used Rugged OS device bought on eBay by the researchers
  • RuggedCom was acquired by the Canadian subsidiary of Siemens last month
  • Full Disclosure Mailing List Post

Cryptic Studios Customer Database Stolen, in Dec 2010

  • The database that was compromised contained user login names, game handles, and ‘encrypted’ passwords
  • The official notice is sparse on details and does not explain what type of ‘encryption’ was used for the passwords
  • “Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database”
  • The fact that more than a year passed between the database compromise and the start of a string of account compromises suggests that the passwords may have been properly hashed
  • The delay suggests that the attackers had to brute force the password database and that this took significant time; however, the time factor is relative: if the attacker only used a single machine to crack the passwords, or was unaware of rainbow tables, plain MD5 sums could easily take this long
  • Salted MD5 hashes, or better yet salted SHA256, would take significantly longer to crack and would be immune to rainbow tables
  • Salted passwords mean that even if two users have the same password, you have to brute force each hash separately (if you use plain MD5 sums, then all users with the same password can be cracked in one attempt)
  • It is also very likely that the attacker saved up the passwords they were able to crack in order to compromise all of the accounts at once, to avoid Cryptic taking the step they have now taken and forcing a password reset on all affected accounts
  • The risk in waiting is that users will change their passwords over time, and the cracked passwords will then be rendered useless
  • Even cryptographic hashes can be cracked eventually, which is why it is important to change your passwords periodically

Arcadyan Wifi Routers have accidental backdoor in WPS

  • The flaw, which was likely originally in place as a debugging tool, allows any user to authenticate to your network using the WPS pin 12345670
  • This attack is worse than the previous WPS attack that reduced the keyspace, because it does not require someone to press the WPS button on the device
  • Worse, this override pin still works even if the WPS feature is disabled in the settings on the router
  • Arcadyan makes routers specifically for ISPs, and there are more than 100,000 of these $275 routers deployed in Germany alone, all of which are vulnerable
  • Both the stock shipped 1.08 and the latest downloadable version 1.16 of the firmware are vulnerable
  • The only available workaround is to disable wireless entirely
  • Since the routers are often white-labeled with the name of your ISP, the way to tell whether you have an Arcadyan device is its MAC address, which will start with one of the following:
  • 00-12-BF
  • 00-1A-2A
  • 00-1D-19
  • 00-23-08
  • 00-26-4D
  • 1C-C6-3C
  • 74-31-70
  • 7C-4F-B5
  • 88-25-2C

Feedback:

Q: The entire Internet writes…

Why can’t I download JB shows? My world is ending!

A: Blip.tv (our video CDN) has made changes that are stupid. We are moving off blip.tv and will keep you updated. If you want to grab something that is still hosted on blip.tv and are having issues downloading the files, here are some example workarounds:

Round-Up:

Leaky Authentication | TechSNAP 12 https://original.jupiterbroadcasting.net/9866/leaky-authentication-techsnap-12/ Thu, 30 Jun 2011 23:18:17 +0000 https://original.jupiterbroadcasting.net/?p=9866 In today’s episode Chris will find out how many times his information has been leaked online, and we’ll tell you how you can check for yourself.

The post Leaky Authentication | TechSNAP 12 first appeared on Jupiter Broadcasting.

How many times have your credentials been leaked online? Think you’re safe? Chris thought he was. In today’s episode he’ll find out how many times his information has been leaked online, and we tell you how you can check for yourself.

Plus we’ll cover how to build your own layered spam defense, and why you probably want to leave that USB thumb drive on the ground!

Sneak peek: Next week we’re going to be talking about the future of Cyber Warfare in our special episode #13. Please send us any stories, suggestions or questions you have so we can include them for next week.


Show Notes:

Thanks to the TechSNAP Redditors!
     


Topic: Groupon India leaks SQL database, plain text passwords

  • Groupon’s Indian subsidiary Sosasta.com accidentally published an SQL dump of its users table, including email addresses and passwords. The file was indexed and cached by Google, so even once it was taken down, it was still visible.
  • This raises the question as to why the passwords were ever stored in plain text, instead of as salted hashes
  • Does the North American version of Groupon also store user passwords in plain text?
  • The leaked data was found by a security researcher using a Google search query for “filetype:sql” “password” and “gmail”
  • Once Sosasta was notified of the issue, they started sending out emails to their customers recommending that they change their password. This is definitely the wrong approach: the passwords were leaked in plain text. All accounts should have had their passwords forcibly reset and a password reset email sent to the customer. Otherwise, customers may have their account compromised before they can change their password, and customers who no longer use the service will have their personal information exposed.

shouldichangemypassword.com – Check your address

Submitted by: refuse2speak

Topic: EA Forums hacked, Sega Database Compromised

  • A “highly sophisticated cyber attack” was used to compromise the database of the forums for BioWare’s Neverwinter Nights.
  • Stolen data included username, password, email, and birth date
  • How many users were affected was not specified
  • EA says no credit card information was in the stolen database
  • Sega was also compromised; 1.29 million customers had their data exposed via the European unit’s “Sega Pass” website.
  • Again, username, password, email and birth date were exposed, but it appears that no financial information was leaked.

TechSNAP reminds you: use a different password for every service. We know it’s hard, but cleaning up behind an identity thief is worse.

Submitted by: Raventiger

Topic: US Government Study shows alarming attack vector

  • 60% of government or contractor employees who found a USB stick or CD on the ground outside their office plugged the device into their computer.
  • 90% of the employees installed the software if it had an official-looking logo on it.
  • This is reminiscent of the Stuxnet worm, which targeted isolated computers that were not on the Internet. It is believed that they were infected via a hardware device containing the payload.

Topic: Research reveals that PIN numbers are predictable

  • 15% of iPhones could be unlocked in fewer than 10 tries using the most common PIN codes
  • The most common first character in a PIN number is 1
  • The most common second character is 2
  • The values 1980 through 2000 make up a huge portion of the top 100 PIN codes, meaning if you know or can guess a user’s date of birth, you can increase your chance of cracking their code
  • Other popular codes include repeating digits or patterns, such as 2222 or 1212, or lines drawn on the input screen, such as 2580, 0852 or 1241
  • Another popular value is 5683, which didn’t seem to fit any pattern until you realize that it spells ‘love’ with standard phone letter substitution.
  • This means that if you know the user’s birthday and relationship status, you can increase your chance of cracking their PIN code just by applying a little statistical analysis. If you can shoulder surf them and further reduce the pool of possible codes, you can almost guarantee success.
  • Users tend to reuse passwords; if you guess their phone password, there is a good chance that it is also their ATM PIN. Either way, the exact same techniques can be applied to ATM, voicemail and other PIN codes.
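As an added example (mine, not from the show or from the study it cites), a four-digit PIN policy check that rejects the patterns listed above at the moment a user picks a PIN. The year range 1940 to the current year and the date-of-birth rule are my generalization of the show’s 1980–2000 observation, and the sample PINs and birth date are constructed.

```python
"""Reject the predictable four-digit PIN choices described in the show notes.

Added example (not from the show or from the study it cites): a policy check a
service could run when a user picks a PIN. The year range (1940 to the current
year) and the date-of-birth rule generalize the show's 1980-2000 observation.
"""
import datetime

# Row/column of each digit on a standard phone keypad.
KEYPAD_POS = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
              "4": (1, 0), "5": (1, 1), "6": (1, 2),
              "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}
KNOWN_WEAK = {"5683"}  # spells "love"; extend from your own leaked-PIN statistics
DOB_FORMATS = ("%m%d", "%d%m", "%Y", "%y%m", "%m%y")  # assumption: common layouts


def is_keypad_walk(pin: str) -> bool:
    """True if each digit sits on a key touching the previous one (2580, 0852, 1241)."""
    for a, b in zip(pin, pin[1:]):
        (ra, ca), (rb, cb) = KEYPAD_POS[a], KEYPAD_POS[b]
        if (ra, ca) == (rb, cb) or max(abs(ra - rb), abs(ca - cb)) > 1:
            return False
    return True


def weak_pin_reason(pin: str, birth_date: datetime.date = None):
    """Return why the PIN is rejected, or None if it passes every rule."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return "PIN must be exactly four digits"
    if pin in KNOWN_WEAK:
        return "on the known-weak list"
    if len(set(pin)) == 1:
        return "repeated digit"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "ascending or descending sequence"
    if 1940 <= int(pin) <= datetime.date.today().year:
        return "looks like a year"
    if is_keypad_walk(pin):
        return "walk across adjacent keypad keys"
    if birth_date is not None and pin in {birth_date.strftime(f) for f in DOB_FORMATS}:
        return "derived from date of birth"
    return None


def sample_screen() -> dict:
    """Screen a constructed list of PINs for a user with a constructed birth date."""
    dob = datetime.date(1990, 3, 12)
    pins = ["2222", "1212", "1234", "1980", "5683", "2580", "1241", "0312", "8305"]
    return {pin: weak_pin_reason(pin, dob) for pin in pins}


if __name__ == "__main__":
    for pin, reason in sample_screen().items():
        print(pin, reason or "accepted")
```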

Feedback:

Q: (Bob) How did Chris and Allan meet?
A: Chris and Allan first met in April 2009 when Jupiter Broadcasting moved their IRC chat to GeekShed.net. In January 2010 Allan won a closed beta invite to Star Trek Online during a STOked trivia contest on IRC. During the ramp up to open beta, JupiterColony.com was receiving so much traffic that it was suspended by the web host, and was moved to ScaleEngine.com. Later on, Allan guest hosted a few episodes of the Linux Action Show while Bryan was away, and they went so well that Chris and Allan decided to start their own show.

Q: (Leon) How do you handle spam filtering on your servers?
A: For my web hosting customers, we use 4 main mail servers (running Exim with mail-time SpamAssassin). The four mail servers ensure that incoming mail is always received, even if one or more of our servers is down at any time. These servers automatically run the incoming mail through the SpamAssassin scoring system, and if the spam score exceeds a specific threshold, then the mail is automatically rejected at SMTP time (so no bounce message is generated; an error is returned to the original sending server, which prevents misdirected bounces from spammers using forged from addresses). If the spam score is borderline, we do ‘grey listing’, temporarily rejecting the spam so it will be retried in a little while; this gives the DNS blacklists we use time to catch up, and most spammers never bother with retries. If the spam score is low enough then the mail is accepted. Once mail has arrived at one of our edge servers, it is then queued and sent on to our mailbox server, where it is sorted and delivered to the actual mailboxes of our users. SpamAssassin is run on the mail again, and user-specific settings determine what happens to the mail. Spam can be flagged (subject prefix, messages added as attachments to protect Outlook from preview attacks) or directed to a spam folder.

Send us your questions and feedback!


Roundup:
Netflix shares insight on its cloud infrastructure
Netflix transitions to high availability storage systems
Researchers say Massive Botnet is Indestructible
DropBox CEO: Lone hacker downloaded data from ‘fewer than a hundred’ accounts
Spamming Becoming Financially Infeasible

Bitcoin BLASTER:
LinuxCoin – Bitcoin Live Linux CD – LOVES IT!
Article: Buying lunch with bitcoin – Submitted by Angela
Chris’ early bitcoin farm
Chris’ cheap and low power miner hardware.
Article: Bitcoin Comes Out Swinging off the Ropes
MtGox Apologizes

     
