Show Notes: linuxactionnews.com/209

The post Linux Action News 209 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/428

The post RAID Reality Check | TechSNAP 428 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/424

The post AMD Inside | TechSNAP 424 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/413

The post The Coffee Shop Problem | TechSNAP 413 first appeared on Jupiter Broadcasting.

Show Notes: linuxactionnews.com/123

The post Linux Action News 123 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/407

The post Old School Outages | TechSNAP 407 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/309

The post The Future is Open | LINUX Unplugged 309 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/385

The post 3 Things to Know About Kubernetes | TechSNAP 385 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/384

The post Interplanetary Peers | TechSNAP 384 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/381

The post Here Comes Cloud DNS | TechSNAP 381 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | Video Feed | iTunes Feed

Become a supporter on Patreon:

Links:

• Gero Lifespan on the App Store
• Scientists use AI to predict biological age based on smartphone and wearables data — Moscow Institute of Physics and Technology
• Kodi No More! | Kodi | Open Source Home Theater Software
• Stream Movies, TV Shows, Music, and Play Games | NVIDIA SHIELD TV
• Home: LinuxMCE home automation
• Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service

The post Pen is Mightier | User Error 47 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Announcing the first SHA1 collision

• Not just Google on this, they worked with CWI

• SHA1 is a Cryptographic hash function

• SHA-1 was developed as part of the U.S. Government’s Capstone project. The original specification of the algorithm was published in 1993

• two PDFs that have identical SHA-1 hashes but different content

• Lifetimes of cryptographic hash functions – by Valerie Aurora

• Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds – Attack is hard, discovery is easy, so fix it right
  rather than right now

• Suggestion: Don’t panic. Things aren’t suddenly going to become vulnerable. Take your time, review your systems looking for SHA-1 usage and evaluate the risk, but best to get it of it all if you have not already.

CloudBleed

• Affects millions of websites, literally.

• Google Project Zero

• Could someone from cloudflare security urgently contact me. – 0011 UTC – 18 Feb 2018 UTC 0011

• bug report on chromium.org – 17:15 UTC – 19 Feb 2017

• Corpus distillation? What is that?

• Incident report on memory leak caused by Cloudflare parser bug 23 Feb 2017

• My work here is done 9:24 PM – 23 Feb 2017

• HIPPA implications

• List of Sites possibly affected by Cloudflare’s #Cloudbleed HTTPS Traffic Leak

Feedback

• Transmission Permission Follow-up (see original question in episode 305

• Dan’s pfSense box

Round Up:

• Hello False Flags! The Art of Deception in Targeted Attack Attribution – see also False Flag and Perfidy

• Researchers exfiltrate data by blinking the LEDs on the hard drives

• ZFS based replication and failover script from bolthole.com – note: ksh required

• FCC reverses net neutrality ISP transparency rules

• security analysis on the most popular Android password manager applications

• AWS service status about s3 outage couldn’t be updated b/c of s3

• Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

The post Cloudy with a Chance of Leaks | TechSNAP 308 first appeared on Jupiter Broadcasting.

We go inside the epic takedown of SpamHaus, then we break down why CloudFlare’s Flexible SSL is the opposite of security.

Followed by a great batch of questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Krebs covers the arrest of one of the attackers in the SpamHaus attack, but digs even deeper

• “A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare”
• In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers.
• When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network, taking it down as well.
• “The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”
• Both of these were wrong, the attack was no larger than others seen every day on the internet
• The only clever part of the DDoS was attacking the, supposed to be unpublished and unreachable, IP address of the route server at the London Internet Exchange (LINX)
• A response from the CTO of nLayer/GTT (major backbone providers)
• TechSNAP Episode 104 – We tear down the hype around this attack
• The Krebs article also digs much deeper into the story, covering StopHaus, the group that ordered the attack, uncovering who is behind it
• “this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good”
• The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).
• Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”
• Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”
• “Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.”

Why CloudFlare’s Flexible SSL is the opposite of security

• “Flexible SSL makes it easy to create a secure connection and have it mean nothing. Do you need a trusted certificate for your latest phishing scheme? Just host it regularly on your insecure server and set it up on Cloudflare: that padlock might just seal the deal to the distracted user”
• The issue is that, to buy real SSL certificates, costs money for each domain
• But setting up 100s of sites and using Flexibile SSL costs much less
• “I’m not giving the reader a brilliant criminal idea, I’m sure this is rather obvious to any serious cybercriminal that creates those realistic website copies and the appealing emails that lead people to them – they have been trying to emulate the security features of real websites, but setting up trusted SSL has been a challenge. Now SSL is within their reach, even without the minimum knowledge on how to configure SSL servers.”
• “It subverts the idea of a secure channel, because it is not secure by any reasonable definition, given the data is transmitted in the clear at some point through the public internet; the idea of authentication, given you no longer are interacting with the websites’ actual servers; and the idea of trust, since thousands of bogus certificates emitted this way will not ensure users’ security, leading me to distrust the trust model of the entire Web. That’s pretty severe right there.”
• “I’m all for the proliferation of SSL, and security is indeed too difficult for the average webmaster to figure out. This means, unfortunately, that some websites that ask for your private data send it in the clear. Certainly SSL for everybody is much better?
  I’d argue that not really. Not only does it empower anyone to create malicious websites (see above) but it empowers people who don’t know security to do it badly. And by making Flexible SSL available, the easiest and default option is just that.“
• Do you trust Cloudflare entirely? — Enabling Universal SSL gives your users a sense of security: that the data they are sending is protected from the preying eyes of attackers. Remember though, in this setup, Cloudflare has access to the entire data stream in cleartext, thus your transmission is only as secure as Cloudflare’s infrastructure: one zero-day exploit is all it takes to read traffic of potentially millions of websites with a single attack (this means it could take more than one attack, but certainly not proportional to the number of websites affected, in the sense that a single Cloudflare endpoint mediates traffic to multiple websites).
• Full SSL allows you to use an untrusted certificate between your server and CloudFlare, then CloudFlare uses a real certificate between them and your users, but they can still snoop on everything
• Sure, Cloudflare may be in a better position than you are to combat a zero day, but what about combating the government?
• So, while CloudFlare touts itself as providing SSL for everyone, we are left questioning if that is actually a good thing. Should people that don’t understand how SSL works really be hosting sites using SSL, leaving them and their users trusting that things are secure when they likely aren’t, and trusting CloudFlare doesn’t seem like the best idea

Feedback:

• Distributed File Store for MOTF

• sysadmin process

• Best virtualization for cross building?

• Cross-platform encryption

Round Up:

• Our 6 TB Hard Drive Face-Off
• Researchers Make BitTorrent Anonymous and Impossible to Shut Down | TorrentFreak
• Global Internet Authority ICANN Has Been Hacked
• Google’s End-To-End Email Encryption Tool Gets Closer To Launch
• Software glitch in 3rd party software used by some Amazon sellers results in 1000s of products being priced at 0.01 GBP – Brendan Doherty, the chief executive of Northern Ireland and New York-based Repricer Express, said its investigation was continuing but the problem had been corrected after an hour. However, it took “a further few hours” to get incorrect prices to revert to the originals, he added.
• 9 Data breaches that cost someone their job
• ShellShock exploit being used in the wild against unpatched QNAP NAS devices

The post Cloudy With a Chance of SSL | TechSNAP 195 first appeared on Jupiter Broadcasting.

2014 has been the year of the celebrity bugs, we take a look at the new trend of giving security vulnerabilities names & logos & ask who it truly benefits.

Plus practical way to protect yourself from ATM Skimmers, how they work & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

• Are you a BSD User? The first question we ask in every interview is “How did you get started with BSD?” Send your video clip or writeup before December 17th for our Christmas Episode

• Spam Nation: The Inside Story of Organized Cybercrim

• Brian Krebs’s “Spam Nation”

• Best of JB Submission Form

Wiretapping ATMs

• “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.”
• “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
• “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
• So, they attach to the REAL card reader, and siphon off a copy of the data as the card is read
• That makes this form of skimming pretty much undetectable (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
• The Krebs article also talks about new “insert transmitter skimmers”, that use a small battery and transmit the skimmed data a short distance, meaning the attacker does not have to return to the scene of the crime to collect the stolen data, decreasing their risk of getting caught
• “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
• “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”

Bug naming and shaming

• This article discusses the advantages and disadvantages to having named and branded bugs like Heartbleed, as well as some behind the scenes info on that exploit, and the people behind the naming of various other vulnerabilities since then
• “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
• Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with Open SSL, Red Hat, CloudFlare, Facebook, and Akamia
• Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informing the National Cyber Security Centre Finland the next day”
• They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into super stardom. They had a logo and website designed, and prepared for the public disclosure of the bug
• The original public disclosure was supposed to be made on April 9th. However, after details started to leak, and the OpenSSL team decided that if more than 1 group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
• “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
• “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
• “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
• “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
• In the end, it seems Heartbleed was a success, most systems were patched quite quickly, although many systems did not follow the full procedure, and that has had some fallout that we have covered
• In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, It helps to bring these actors out of the shadows and into the light.“
• Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
• ShellShock was the anti-case. It didn’t have a logo, or an official website. ShellShock timeline
• It was actually originally dubbed BashDoor by its creator, but when it was leaked to the press by someone else, they provided the name ShellShock
• Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion, where people thought they had already patched, but didn’t have the “latest” patch
• Then, there were a number of follow-on vulnerabilities in bash, that didn’t have names, but were lumped in with ShellShock, which lead to even more confusion
• Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
• Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
• Who gains more for naming bugs, the end users who might become more aware of the issue and be able to protect themselves, or the PR powered firms that exploit it for their own good?

Feedback:

• Why is md5 not secure?

• Md5crypt Password scrambler is no longer considered safe by author — PHKs Bikeshed

• VMware’s page-sharing woes

• Brute Force, How Do They Know They Got It?

• Thank you – seriously

• BSDCan 2015 Call for Papers — Due by Jan 19th

Round Up:

• NSA spies on carriers to break call encryption, report suggests
• Government sites remain hacked 2 weeks later — The problem with not disclosing security breaches
• U.S. Intelligence Agency Aims to Develop Superconducting Computer
• The Cost of HTTPS everywhere
• Google Can Now Tell You’re Not a Robot With Just One Click
• Samsung announces 3.2TB PCI-E SSD, Intel/Micron announce 3D NAND, hard drives stuck at 7200rpm (or lower)
• “Its signed, must be legit” — Lessons in Interface Design
• ExplainShell.com — Explain what that code is actually doing, a quick way to learn to read shell scripts
• Prosecutors charge “hacker” with 44 felonies in typical scare tactics (10 year max on each, resulting in a total sentence that would be multiple lifetimes), final charges: a single misdemeanor with a $10,000 fine
• Crash CentOS6 init by touching a bunch of files
• Judge rules that IP addresses should not be exempt from a public records request because of “security”
• Nuclear weapons use fluctuating radiation fields to generate their own one-time passwords to restrict their use
• Your new 500GB external hard drive, guaranteed to be quieter than any other external hard drive

The post Celebrity Bugs | TechSNAP 191 first appeared on Jupiter Broadcasting.

Is it time to replace openSSL? We’ll follow up on the Heartbleed story, discuss how attackers got read access to Google’s production servers and then it’s a great batch of your questions and our answers.

All that and much much more…

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Heartbleed followup

• The developer who introduced the heartbeat feature, that lead to the heartbleed flaw, claims it was an honest mistake and denies the involvement of any intelligence agencies or other mischief
• An investigation and some insider info has allowed the construction of a more much accurate timeline of the events leading up to heartbleed and the breakdown of responsible disclosure
• 2014-03-21 (or earlier): Neel Mehta of Google Security discovers Heartbleed vulnerability
• 2014-03-21: Bodo Moeller and Adam Langley of Google commit a patch for the flaw (based on timestamp of the patch sent to OpenSSL and Redhat)
• 2014-03-31 (or earlier): CloudFlare is notified about the flaw under a non-disclosure agreement
• 2014-04-01: Google notifies OpenSSL of the flaw. OpenSSL was going to release a patch that week, but changed the planned release to April 9th to allow more coordination
• 2014-04-02: Researchers at Codenomicon find the same bug
• 2014-04-03: Codenomicon notifies NCSC-FI
• 2014-04-04: Akamai finds out about the bug from an undisclosed source and patches their servers
• 2014-04-04: Rumors begin about a flaw in OpenSSL, but no details are available
• 2014-04-05: Codenomicon purchases the heartbleed.com domain, OpenSSL team commits the Google patch to their private git repo
• 2014-04-06: NCSC-FI (CERT-FI) requests that CERT/CC (Computer Emergency Response Team Coordination Center) allocate a CVE for the bug, no details given. Mark Cox of OpenSSL notifies Redhat about the issue and asks them to coordinate with the other operating systems since Mark is on holiday. RedHat security engineer sends the email to the private distributions list with no details, distros that agree to the embargo (no notification until April 9th) are given the details. These distros include SuSE (Monday, April 7 at 01:15), Debian (01:16), FreeBSD (01:49) and AltLinux (03:00). Other operating systems, Ubuntu (asked at 04:30), Gentoo (07:14) and Chromium (09:15), request details during the night, but by time the RedHat engineer gets up in the morning, the flaw has become public
• 2014-04-07 (or earlier): Facebook is notified and patches their servers
• 2014-04-07: NCSC-FI notifies OpenSSL that Codenomicon has discovered a flaw. OpenSSL team decides that \”the coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.\”
• 2014-04-09: Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation
• In summary, those who knew about the issue before it was public: Google (March 21 or prior), CloudFlare (March 31 or prior), OpenSSL (April 1), Codenomicon (April 2), National Cyber Security Centre Finland (April 3), Akamai (April 4 or earlier) and Facebook (no date given)
• Those who had a few hours of advanced warning: SuSE, Debian, FreeBSD and AltLinux
• There is also a timeline from the perspective of the OpenSSL team
• Researchers at Lawrence Berkeley National Laboratory find No evidence that heartbleed was exploited before it became public
• Meanwhile, researchers at the University of Michigan setup a honeypot and monitored who tried to heartbleed it. Of the 41 groups that attacked the honeypot, the majority of those groups — 59 percent — were in China.
• What is worse than heartbleed? Bugs in heartbleed detection scripts
• Akamai claimed to be protected from heartbleed by their own patches
• They were proven wrong
• Akamai updated their blog post explaining the fault
• Akamai was forced to rekey all of their customers’ SSL certificates

• The Akamai post raises an interesting questions about EV-SSL certificates, and how much longer they might take to re-key

• Is the IETF to blame for allowing the heartbeat feature to be added to the standard in the first place?

• See BSD Now episode 033 for news on the OpenBSD fork of OpenSSL
• Why I quit writing Internet standards
• Statement by the CRA about 900 SIN numbers leaking due to heartbleed
• RCMP arrests 19 year old from London, Ontario for using heartbleed against the CRA
• CloudFlare launched a challenge to see if anyone could capture their private key
• two or more people were successful, and the certificate has since been revoked
• ACM Queue – PHK: Putting OpenSSL out of its misery
• PHK shares his experience making a living while working on open source in “Raking in the dough on Free and Open Source Software”
• Open source is a thankless job, we do it anyway
• Does the OpenSSL flaw alter the “open source is safer” equation?
• Coverity report finds open source software to be higher quality Coverity\’s analysis found an average defect density of .59 for open source C/C++ projects that leverage the Scan service, compared to an average defect density of .72 for proprietary C/C++ code
• 863 CIOs surveyed, 18% said their orgs are unaffected by Heartbleed because they use anti-virus

How we got read access to Google’s production servers

• A group of researchers decided to target Google
• Looking at the trends in the industry, flaws are most often found in:
• Old and deprecated software
• Unknown and hardly accessible software
• Proprietary software that only a few people have access to
• Alpha/Beta releases and otherwise new technologies
• So they did their homework
• They used the Google search engine, to search for software and companies that Google had acquired, antique systems, and products with very few users
• They found the Google Toolbar button gallery
• The product allows users to customize the toolbar by uploading XML that controls the style etc
• They quickly managed to perform an XXE attack
• They were then able to read files on Google’s production servers, including /etc/passwd, and some custom init scripts that Google uses to manage their cluster of servers
• They likely could have escalated the attack, and possibly accessed Google’s internal servers
• The team reporting the issue to Google, and was awarded a $10,000 bug bounty

Feedback:

• LastPass

• Automated bare-metal backups for a physical server?

• SLAs and Daylight Savings

• pfsense and logs

• Heartbleed

• Memory allocation in OpenSSL

Round Up:

• PSA: Fraudulent Crypto Kickstarter Campaign
• weev (AT&T iPad data incident) conviction vacated, the information was not protected by a password or other security mechanism, so accessing it was not “misuse”
• HAM Radio operators accidently tripping arc fault circuit interrupters, American Radio Relay League labs working with manufacturer on fix
• When Azure breaks: Lessons for every cloud programmer
• Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA
• Canadian Government publishes guidelines for staying safe online
• Comcast PAC gave money to every senator examining Time Warner Cable merger | Ars Technica
• 7 Habits of highly successful UNIX admins
• Over $100K in Bitcoin Was Stolen in a Ridiculously Low-Tech Heist

The post Time to Kill openSSL | TechSNAP 158 first appeared on Jupiter Broadcasting.

A CloudFlare outage takes down three quarter of a million sites, we’ll tell you what went wrong.

Some old school malware gets the job done, Allan’s cool toys from Japan, a big batch of your questions our answers, and much more on this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our code hostdeal4 to score economy hosting for $1 a month, for one year. 35% off your ENTIRE order just use our code go35off4 until the end of the month!
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Support the Show: