Show Notes: selfhosted.show/68

The post Unwyze Choices | Self-Hosted 68 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/342

The post Shrimps have SSHells | LINUX Unplugged 342 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/343

The post Say My Functional Name | Coder Radio first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Using VPN for all WAN traffic

• “I have a server with 2 1GB NICs, an un-managed switch, and a single gateway. Ideally, I would like WAN traffic routed through a PIA VPN
  using openVPN, and LAN traffic to be routed locally without a VPN.”

• Unmanaged switch isn’t ideal, but it’s far from bad.

• Assuming the server will act as firewall / gateway

• NIC #1 to router/modem, NIC #2 to switch with a static IP (say 10.1.1.1)

• run a DHCP server on there, handing out 10.1.1.1 as the default gateway, DNS as you see fit

• everything from LAN will go out via NIC #2 of server

• server connects to VPN provider via OpenVPN. There are options on to set the default gateway. This is the gateway which the server will use. All traffic leaving your network will go out to that destination.

• Not having used PIA, but I’ll guess you want your OpenVPN connection to accept their configuration settings (dns, etc) and use that on your server while it is running OpenVPN.

A Protocol For Distributed Multiparty Chat Encryption

• review by nccgroup.

• The protocol has the following security properties for group messaging:

• Confidentiality: the conversation is not readable to an outsider

• Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
• Deniable authentication: Nobody can prove your participation in a chat
• Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
• Room consistency: Group chat participants are confident that they are in the same room
• Transcript consistency: Group chat participants are confident that they are seeing the same sequence of messages

I’m giving up on HPKP

• what is HTTP PKP?

• https://securityheaders.io – belongs to author

• Be Afraid Of HTTP Public Key Pinning (HPKP)

• Certificate Authority Authorisation – Later this year all CAs will be required to check a new DNS record called CAA before issuing a certificate – you can set a DNS record that specifies which CA you authorise to issue certs for your domain

• Certificate Transparency – Once CT is a requirement no CA will be able to issue a certificate in secret without the owner of the domain knowing about it because it will be present in publicly visible CT logs. See crt.sh

• OCSP leaks information

• What is OCSP (Online Certificate Status Protocol)?

Feedback

• Database migrations in Episode 332

• Extra skimming prevention tip

• Let’s Encrypt uses ~/.well-known/ directory – referenced in How It Works, but not named and explicity named in the Integration Guide

Round Up:

• Write a hash table in C

• BGP leak causes Internet outages in Japan and beyond

• The Right Way to Manage Secrets with AWS

• How to Incrementally Move an Ecommerce Site to HTTPS

• Google Removes 300 Apps Used to Launch DDoS Attacks From Play Store

• Hardening Framework Components

• 10% of the Internet Is Encrypted with Lava Lamps

The post HPKP: Hard to Say, Hard to Use | TechSNAP 334 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

How I tricked Symantec with a Fake Private Key

• If true, not very good.

• The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a certificate authority shall revoke the key within 24 hours (Section 4.9.1.1 in the current Baseline Requirements 1.4.8).

• I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo.

• Comodo didn’t fall for it. They answered me that there is something wrong with this key. Symantec however answered me that they revoked all certificates – including the one with the fake private key

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

• Fair warning: blog post is from 2015, but with Let’s Encrypt all around us, I think this is relevant now.

• “Tony Finch has created a gem of a utility called nsnotifyd. It’s a teeny-tiny DNS “server” which sits around and listens for DNS NOTIFY messages which are sent by authority servers when they instruct their slaves that the zone has been updated and they should re-transfer (AXFR / IXFR) them. As soon as nsnotifyd receives a NOTIFY, it executes a shell script you provide.

• offical repo

• nsnotifyd on GitHub

• man 1 nsnotifyd

• man 1 nsnotify

• man 4 metazone

New details emerge on Fruitfly, highly-invasive Mac malware

• Mysterious Mac Malware Has Infected Victims for Years

• The recently discovered Fruitfly malware is a stealthy, but highly-invasive, malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, keyboard and mouse.

• Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.

• Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.

Feedback

• Tell me more on XML vs JSON
• JSON – data format
• XML – language
• Stop Comparing JSON and XML
• Extensible Data Notation
• https://www.compoundtheory.com/clojure-edn-walkthrough/
• Transit is a format and set of libraries for conveying values between applications written in different programming languages.

• https://github.com/cognitect/transit-js

• Thanks for Dan’s recommendations
  +Lee Valley Divider boxes

• Duluth Fire Hose Pants

Round Up:

• Vulnerabilities discovered in Windows security protocols

• With Patch Tuesday imminent, make sure you have Automatic Update turned off + From Matthew Garrett‏ – YOU ARE EVERYTHING WRONG WITH SOCIETY
  

• Post mortums from NASA: flight test & Avionics cooling

• Interesting analysis by Bitdefender suggests Petya/Goldeneye/NotPetya gave Kaspersky AV users a pass

• Adobe to pull plug on Flash, ending an era

• Roomba’s Next Big Step Is Selling Maps of Your Home to the Highest Bidder

• How the coffee-machine took down a factory control room

The post Teeny Weeny DNS Server | TechSNAP 329 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

‘Devil’s Ivy’ Vulnerability

• Original work

• Bug is in gSOAP by Genivia

• gSOAP is a C and C++ software development toolkit for SOAP/XML web services and generic XML data bindings. The gSOAP tools generate efficient source code for XML serialization of any type of C/C++ data with zero-copy overhead.

• Plant is toxic to dogs & cats, and it is almost impossible to kill

Beyond public key encryption

• One of the saddest and most fascinating things about applied cryptography is how 6689264031_4c7516b3e1_zlittle cryptography we actually use. In fact, with a few minor exceptions, the vast majority of the cryptography we use was settled by the early-2000s.*

• Identity Based Cryptography – In the mid-1980s, a cryptographer named Adi Shamir proposed a radical new idea. The idea, put simply, was to get rid of public keys.

• Attribute Based Encryption – The beautiful thing about this idea is not fuzzy IBE. It’s that once you have a threshold gate and a concept of “attributes”, you can more interesting things. The main observation is that a threshold gate can be used to implement the boolean AND and OR gates

Dan’s Let’s Encrypt Tool

• use case is centralized Let’s Encrypt with dns-01 challenges

Feedback

• ARM & risc systems not readily sold. Intel and AMD have a very compelling AESNI and virt instructions, and PCIe

• Host your own mail server – see https://www.nethserver.org/

• PXE boot – see Zalman ZM-VE350

  • iPXE – open source boot firmware
  • netboot.xyz
  • PXE – ArchWiki
• HOWTO: setup a PXE Server with dnsmasq
• Cobbler – Linux install and update server

Round Up:

• Alexa is listening to what you say – and might share that with developers – see https://nakedsecurity.sophos.com/2017/07/17/alexa-is-listening-to-what-you-say-and-might-share-that-with-developers/

• Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

• BCBS sent out USB cards telling people to insert into their computer. Here is the prototype for the next big wave of security breaches.

• Google Glass 2.0 is a startling second act

• Google Glass is officially back with a clearer vision

The post LetsEncrypt is a SNAP | TechSNAP 328 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Ansible vulnerability

• “Ansible is an open-source automation engine that automates cloud provisioning, configuration management, and application deployment. Once installed on a control node, Ansible, which is an agentless architecture, connects to a managed node through the default OpenSSH connection type.”
• Similar tools are Puppet, Chef, SaltStack, cfEngine
• Summary: Command execution on Ansible controller from host
• Why is this important? First, if one of your ansible-controlled hosts is compromised, they can execute a command on your ansible controller.
• So what you might ask? Your ansible controller accesses all your systems….
• Computest notes: Not a full audit, might be other issues
• Affected versions: < 2.1.4, < 2.2.1
• A big threat to a configuration management system like Ansible, Puppet, SaltStack and others, is compromise of the central node. In Ansible terms this is called the Controller. If the Controller is compromised, an attacker has unfettered access to all hosts that are controlled by the Controller. As such, in any deployment, the central node receives extra attention in terms of security measures and isolation, and threats to this node are taken even more Seriously.
• Fortunately for team blue (team blue is the defense team), in the case of Ansible the attack surface of the Controller is pretty small. Since Ansible is agent-less and based on push, the
  Controller does not expose any services to hosts.
• A very interesting bit of attack surface though is in the Facts. When Ansible runs on a host, a JSON object with Facts is returned to the Controller. The Controller uses these facts for various housekeeping purposes. Some facts have special meaning, like the fact “ansible_python_interpreter” and “ansible_connection”. The former defines the command to be run when Ansible is looking for the python interpreter, and the second determines the host Ansible is running against. If an attacker is able to control the first fact he can execute an arbitrary command, and if he is able to control the second fact he is able to execute on an arbitrary (Ansible-controlled) host. This can be set to “local” to execute on the Controller itself.
• Because of this scenario, Ansible filters out certain facts when reading the facts that a host returns. However, we have found 6 ways to bypass this filter.
• Bypass #1: Adding a host – Ansible allows modules to add hosts or update the inventory. This can be very useful, for instance when the inventory needs to be retrieved from a IaaS platform like as the AWS module does. If we’re lucky, we can guess the inventory_hostname, in which case the host_vars are overwritten and they will be in effect at the next task. If host_name doesn’t match inventory_hostname, it might get executed in the play for the next hostgroup, also depending on the limits set on the commandline.
• Bypass #2: Conditionals – Ansible actions allow for conditionals. If we know the exact contents of a “when” clause, and we register it as a fact, a special case checks whether the
  “when” clause matches a variable. In that case it replaces it with its
  contents and evaluates them.
• Bypass #3: Template injection in stat module – The template module/action merges its results with those of the stat module.This allows us to bypass the stripping of magic variables from ansible_facts, because they’re at an unexpected location in the result tree.
• Bypass #4: Template injection by changing jinja syntax – Remote facts always get quoted. Set_fact unquotes them by evaluating them.
  UnsafeProxy was designed to defend against unquoting by transforming jinja
  syntax into jinja comments, effectively disabling injection.
• Bypass #5: Template injection in dict keys – Strings and lists are properly cleaned up, but dictionary keys are not.
• Bypass #6: Template injection using safe_eval – There’s a special case for evaluating strings that look like a list or dict. Strings that begin with “{” or “[” are evaluated by safe_eval [2]. This allows us to bypass the removal of jinja syntax: we use the whitelisted Python to re-create a bit of Jinja template that is interpreted.
• Computest is not aware of mitigations short of installing fixed versions of the
  software.
• Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
• The handling of Facts in Ansible suffers from too many special cases that allow for the bypassing of filtering. We found these issues in just hours of code review, which can be interpreted as a sign of very poor security. However, we don’t believe this is the case.
• The attack surface of the Controller is very small, as it consists mainly of the Facts. We believe that it is very well possible to solve the filtering and quoting of Facts in a sound way, and that when this has been done, the opportunity for attack in this threat model is very small.
• Furthermore, the Ansible security team has been understanding and professional in their communication around this issue, which is a good sign for the handling of future issues.

Who is Anna-Senpai, the Mirai Worm Author?

• Way too long to go into full detail, so I will only outline a few interesting bits
  +On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.
• After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.
  +Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.
• The story you’re reading now is the result of hundreds of hours of research. At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross. If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.
• As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.
• A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks. And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.
• Talks about the variants of the IoT botnet, mentions Minecraft webservers were a frequent target.
• Goes into a lot of detail of DDoS protection services, how Minecraft customers would come under attack, and how a competing DDoS protection company made threats directly preceding attacks
• Discusses how the attacks where are way to boost business by not attacking your own customers, but by attacker customers of other DDoS proection services.
• Boils down to the classic: nice business you have here, it’d be a shame if anything happened to it.

TechSNAP Career Challenge

• I was at the [Grace Hopper Celebration(https://ghc.anitaborg.org/) of Women in Computing is the world’s largest gathering of women technologists. It is huge. I met people from many different technology areas (medicine, robotics, software design, someone who built a chip for the iPhone).
• I was there on behalf of The FreeBSD Foundation to give a talk about how to contribute to open source.
• Many were students and often were not sure of what part of technology they wanted to pursue.
• I’ve seen many people go for years in their careers then suddenly discover a passion they previously didn’t know about and their life completely changes.
• This point was mentioned to me by a Google Employee who gave me this list of steps which I then incorporated into my talk, then I wrote a blog post about it.
• Seeing the eyes light up made me think we need to send this wider.
• Allan Jude suggested I include this into the show
• Here is what you do
• Here is what I challeng our listeners to do:
• Take this challenge
• Blog about it
• Then send us your blog URL and tell us what you got out of the challenge

Feedback:

• Bareos/bacula for which I suggest my jail snapshot script
• Malware in the browser

Round Up:

• Dan’s t-shirt challenge
• straight stick, curved slot – tweet by Amanda Rousseau
• Google Infrastructure Security Design Overview
• Criminal cases, public and police safety put at risk by IT failures, RCMP documents say – Politics
• The 32-Bit Dog Ate 16 Million Kids’ CS Homework
• Oren Jacob’s answer to Did Pixar accidentally delete Toy Story 2 during production? – Quora
• Heartbleed Report (2017-01)
• Already on probation, Symantec issues more illegit HTTPS certificates

The post DDos Mafia | TechSNAP 303 first appeared on Jupiter Broadcasting.

Dell pulls a Superfish with easily cloneable root certificates, Amazon has some passwords leak & Jeff wants to show you his self landing rocket.

Plus the fun news for Sci Fi and Netflix fans & of course, our Kickstarter of the week!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Dell does a Superfish, ships PCs with easily cloneable root certificates | Ars Technica
• Response to Concerns Regarding eDellroot Certificate
• iamwpj comments on Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
• Amazon force-resets some account passwords, citing password leak | ZDNet
• Google Received More Than 65 Million URL Takedown Requests In The Past Month
• Blue Origin Rocket Landing Gets Jeff Bezos to Tweet for First Time | Re/code
• Netflix remake Lost in Space in development
• Pillow Talk: Feel the presence of your loved one by Little Riot — Kickstarter

The post Dell's Bad Latitude | TTT 224 first appeared on Jupiter Broadcasting.

We round off the week’s tech news & follow up on the big Lenovo story & discuss HP’s push into Linux powered Networking.

Then Chris share’s the start of his lifestyle reboot & then a in depth discussion on getting into the IT job market.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Lenovo To Wipe Superfish Off PCs t

An anonymous reader send news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. “As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.” When asked whether his company vets the software they pre-install on their machines, he said, “Yes, we do. Obviously in this case we didn’t do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation.”

HP Targets Cisco and Facebook With New Line of Open-Source Networking Gear

Hewlett-Packard said on Thursday that it would sell a new line of networking switches that are manufactured by a Taiwanese company and depend on Linux-based, open-source software from another company.

Epic Games offers up $5 million in Unreal Dev Grants

Today Epic Games has announced a new initiative — one that could see your game netting between $5,000 and $50,000 in no-strings-attached funding from the engine provider.

HEALTH WATCH: sweatthesweetstuff — Eating healthy doesn’t have to be boring and that working out can be fun!

I want people to understand their bodies. To know that there is a connection between what we put in it and on it, and how that makes us feel. That eating right isn’t just about losing weight, it’s about how good we can feel! On the inside and out. It doesn’t stop at our dress size and energy levels (which are great) but it can help improve other things like your skin, hair & nails, achy joints, headaches, allergies, asthma, your menstrual cycle, IBS, indigestion, several diseases, even cancer. Your body is smart. It knows what to do. You just have to give it the right stuff.

The post Chris' Lifestyle Reboot | Tech Talk Today 137 first appeared on Jupiter Broadcasting.

Our tools to benchmark and monitor your network.

Plus: Formspring leaks your password, Microsoft finally kills off old certificates and how to steal a BMW in a few seconds!

All that and more, in this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Support the Show:

   

Show Notes: