Show Notes: linuxunplugged.com/393

The post Perfecting Our Plasma | LINUX Unplugged 393 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/59

The post Brunch with Brent: Brandon Bruce | Jupiter Extras 59 first appeared on Jupiter Broadcasting.

Episode Links:

linuxactionnews.com/100

The post Linux Action News 100 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• Open Source Version of WebOS
• WebOS OSE
• Private Internet Access goes Open Source
• PIA Tested in FBI Case
• First Fatal Crash with Uber Self Driving Car
• Microsoft joins group working to ‘cure’ open-source licensing issues
• Open Source Visitor Software
• Chef Getting Started Guide
• Keep Your Children Safe
• Dell Mini Computer
• 15″ Depth Case
• Behind The Ask Noah Show
• See How the Ask Noah Show Got Started (video)
• VoxTeleSys

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Getting Started with Chef | Ask Noah 55 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | Video Feed | iTunes Feed

Become a supporter on Patreon:

Links

• Well-capitalized Seattle start-up seeks Unix developers – Google Groups
• Remember when Amazon only sold books? – LA Times
• Amazon CEO Jeff Bezos sold more than $1 billion worth of stock this week – The Verge
• Pranksters create fake Apple store at subway station with 50 people waiting in line / Boing Boing
• Seriously, don’t drop your iPhone X
• NOW L-Tryptophan 500 mg,120 Veg Capsules: Health & Personal Care
• Best Naturals Inositol 1000mg 120 Tablets – also called vitamin B8: Health & Personal Care

The post Dongs and Noodles | User Error 34 first appeared on Jupiter Broadcasting.

The cultural challenges of living too far out of a “tech hotzone” hit home today. We discuss the recent revelations both of us have had.

And our reactions and lessons learned from LastPass selling, if Microsoft has nailed convergence & the practicality of the Surface Book.

Plus a quick chat about Chef & other automation platforms great for developers & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Hoopla

Slack

Trello

LogMeIn buys LastPass password manager for $110 million | Ars Technica

The maker of LastPass, a popular password manager, is being acquired by LogMeIn in a sale worth at least $110 million.

Microsoft Display Dock

Plug your Lumia 950 or 950 XL into a Display Dock and the external monitor starts up. The keyboard and mouse are ready to go, and with a 60 FPS refresh rate, catching up on email is flicker-free and super-smooth. With full HD output and a USB-C port that charges your phone while you work

Surface Book

Feedback

• Have you considered using Chef to automate updating and installing software on your Linux boxes?
• Intro to Chef – YouTube

The post Below the Surface | CR 174 first appeared on Jupiter Broadcasting.

Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches.

Plus some great feedback, a rocking round-up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Masque Attack — authentic iOS apps can be replaced by malware with ease

• Last week we talked about new malware for OS X that infected iOS devices with malicious apps
• Part of the problem seemed to stem from the fact that if a corporation got a certificate from Apple to sign internally developed apps for use by employees, these apps were innately trusted by all iOS devices, even those not part of the corporation who signed the application
• While we suspected this may be a fairly major vulnerability in the architecture of iOS, it turns out was was only the tip of the iceberg
• “In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier”
• This means that the malicious app, signed by a random corporate certificate issued by Apple (supposedly only for internal use), can replace any application on your phone, except those directly from Apple
• “An attacker can leverage this vulnerability both through wireless networks and USB”
• If you install ‘new flappy bird’, or, connect your iOS device to an infected computer, a malicious charging port in some public space, or untrusted wifi, the Twitter app on your device could be replaced with one that steals the credentials for your account and tweets spam, or worse
• “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly”
• FireEye shared this information with Apple in July, but after the news about the WireLurker malware, which uses a very limited form of this attack (the attackers may not have realized the full extend of what they had discovered), FireEye felt it necessary to go public with the information so customers can take steps to protect themselves
• “As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.”
• “The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team”

USPS computer networks compromised, telecommuting VPN temporarily shutdown

• Attackers compromised the internal network of the United States Postal Service
• It is not clear how or where the compromise happened, although some information suggestions a call center was compromised, possibly via the VPN
• Possibly compromised information includes: Employee names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information
• “The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information. At this time, we do not believe that potentially affected customers need to take any action as a result of this incident”
• Additional Information
• “VPN was identified as vulnerable to this type of intrusion and will remain unavailable as we work to make modifications to this type of remote access to our networks. When VPN is available again users will notice changes in functionality. We will have additional information about VPN in the near future”
• I wonder if this might have been related to Heartbleed. We have had stories in the recent past about SSL based VPNs that were compromised before they could be upgraded with the heartbleed fix, and then this access was used later on because passwords were not changed
• “Should I change my ACE ID and password, Postal EIN or other postal passwords as a result of this incident?”
• “At this time there is no requirement to change your ACE password or other passwords unless prompted to do so by email prompts from IT as part of the normal password change process. You will be notified if other password changes are required.”
• Having IT email you to ask you to change your password just seems like a really bad idea. This is a great opening for a phishing campaign. If a password change is required, it should be prompted for from a more trustworthy source than email
• After a breach, out of an abundance of caution, all passwords should be changed.

Microsoft releases patch for OLE vulnerability

• As part of this months Patch Tuesday, Microsoft has released an official patch for both OLE vulnerability (specially crafted website, and malicious office document) used in the “Sandworm Team” attacks against NATO and other government agencies that we discussed on episode 185
• This new patch, MS14-064 replaces the patch from October’s Patch Tuesday MS14-060
• Microsoft – November Patch Update Summary
• Microsoft Advisory – MS14-064
• Microsoft Advisory – MS14-070 – Local user remote code execution via vulnerability in Windows TCP/IP stack
• Also included was a cumulative patch for Internet Explorer, however this patch breaks compatibility with EMET (Enhanced Mitigation Experience Toolkit
  ) 5.0, and customers are instructed to upgrade to EMET 5.1 before upgrading IE
• “If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation”
• “Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections”
• “MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution”
• The previous patch for the OLE vulnerability merely marked files that come from the internet as untrusted. However there are a number of ways around this, some of which may already be in use by attackers
• McAfee Labs – Bypassing Microsofts Patch for Sandworm Zero Day
• In addition, the Microsoft ‘workaround’ for the flaw, by marking the file as untrusted, only applies when you try to ‘execute’ a file. If you right click and file and open it for ‘editing’, or open it from within an application, the untrusted flag is never checked
• McAfee also found samples in the wild that ran the untrusted file as administrator, which only pops up the standard ‘run this program as admin?’ prompt (only if UAC is not disabled), and does not show the ‘this file is not trusted’ prompt

• OpenZFS Developer Summit – OpenZFS

Feedback:

• Instant Answer tutorial

• SGID SFTP Uploads
  • This only works on some file systems
  • On FreeBSD, only set-uid on a directory works (sets owner on all newly created files), only if the file system is UFS, only if the file system is mounted with the MNT_SUIDDIR flag, and only if the Kernel is compiled with support for SUIDDIR (not enabled by default)
  • ZFS is working on a feature to force the owner/group on a dataset

• caryhartline comments on Apple Approved Malware

• FreeBSD ZFS – preferred method of auto snapshot
  • ZFSTools
• shared root password or sudo?
  • SUDO Master

Round Up:

• ISPs caught stripping StartTLS flag from servers, causing clients to not be aware that the remote server supports encryption
• FBI’s most wanted cybercriminal used his cat’s name as a password
• Pwn2Own event in Tokyo breaks security on slew of modern mobile devices
• Home Depot attackers also got 53 million customer email addresses. Other details about the attack, original compromise was via stolen 3rd party vendor credentials
• 4 NOAA (National Oceanic and Atmospheric Administration) websites hacked, services including satelite weather and ice data temporarily suspended
• ‘Replay’ attack used to pilfer money from stolen Home Depot credit cards via chip-and-pin system, even though the bank has never issued cards with chips – because banks do not check properly
• German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security
• Silk Road 2.0 and other ‘hidden services’ sites may have been decloaked via DDoS, sending huge amounts of traffic and looking for where it ended up
• Retailers ask to be regulated to protect customers, is the government too gridlocked to actually do it?
• BrowserStack a website testing service for developers, has a rather embarassing security breach
• Mozilla’s “Open Standard” interviews Brian Krebs

The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: