HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google Will Survive SESTA. Your Startup Might Not.

• Requires unreliastic levels of censorship by platforms; not even the big players will be able to comply 100%

• Proponents consider startups to be outliers, which “will be successfully prosecuted, civilly and criminally under this law”.

• Proponents are overstating the effectiveness of filtering

• Proposed standards actually discourage platforms from filtering

Companies Look to an Old Technology to Protect Against New Threats

• Tape is an old techology. It is also highly reliable and stable

• Tape sales are increasing

• Yep, backup to NAS is great, but do you have different versions of your data?

CBS’s Showtime caught mining crypto-coins in viewers’ web browsers

• This isn’t about CBS. It’s about the potential for abuse by website owners

• Code unlikely to be official sanctioned / added by CBS; mure more likely it was a malicious third party or insider.

• The email address associated with the mining account is personal, not corporate

• Ethical issues for content providers to figure out

Feedback

• Funny sounds throughout the show

• Cox checking for credit score

Round Up:

• One week after

• SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors

• APFS AND HFS+ BENCHMARKS

• What’s New in PostgreSQL 10?

• a 160-terabits-per-second cable

The post Laying Internet Pipe | TechSNAP 339 first appeared on Jupiter Broadcasting.

The US Government is offering free penetration tests, with a catch, we break down the VTech Breakin & the only sure way to protect your credit online.

Plus great questions, a big round up with breaking news & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

• TechSNAP SWAG for the Holidays

— Show Notes: —

Department of Homeland Security giving “critical infrastructure” firms free penetration tests

• “The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).”
• It seems like big banks and oil companies could afford to pay for such services, but, at least the penetration tests are happening
• “KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.”
• “DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.”
• “The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.”
• “The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.”
• “The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws. DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).”
• Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans)
• More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent)
• RVA phishing emails resulted in a click rate of 25 percent.
• 46% of RVAs resulted in an EASILY GUESSABLE CREDENTIALS finding
• “I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation come from the energy and financial services industries — with the latter typically at regional or smaller institutions such as credit unions”
• Asking the penetration testing industry what it thought about the DHS offering a free service, Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product said: “DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies”
• “Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability”
• “Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations”
• But what about previously unknown vulnerabilities found by DHS examiners? “This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.
• Alan Paller, director of research at the SANS Institute sees a potential problem
• “The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”
• I can definitely see this being used as an excuse to spend LESS on network security

Break at VTech (toy manufacturer) exposes pictures and chatlogs of millions of children and parents

• “The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids”
• “What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard”
• “This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online, which allows users to check if their emails and passwords have been compromised in any publicly known hack”
• “The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment”
• VTech told Motherboard: “We were not aware of this unauthorized access until you alerted us”
• “On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database”
• “On Friday, I asked the hacker what the plan was for the data, and they simply answered, “nothing.” The hacker claims to have shared the data only with Motherboard, though it could have easily been sold online.”
• “When pressed, VTech did not provide any details on the attack. But the hacker, who requested anonymity, told Motherboard that they gained access to the company’s database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website’s forms, tricking it into returning other data”
• Related: Motherboard: The histroy of SQL injection, the hack that will never go away
• “The passwords were not stored in plaintext, but “hashed” or protected with an algorithm known as MD5, which is considered trivial to break”
• It is not clear if they mean plain MD5 or md5crypt (the former being REALLY bad)
• “Moreover, secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account”
• Also, “VTech doesn’t use SSL web encryption anywhere, and transmits data such as passwords completely unprotected”, so breaching the database might not even be strictly necessary to gain access to the information
• Additional Coverage: Motherboard followup
• Additional Coverage: ZDNet
• Additional Coverage: TheRegister
• Related: Researcher claims to have hacked “Hello Barbie” toys

Why putting a preemptive freeze on your credit profile is better than credit monitoring

• “Krebs has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.”
• “Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.”
• “But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.”
• “These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”
• “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”
• Related: Krebs: FAQ on Credit File Freezes
• Additional Coverage: Krebs: OPM Credit Monitoring vs Freeze
• One of the things that stops working once you put a security freeze on your credit file, is credit monitoring
• A Krebs reader wrote in: “I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”
• “This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”
• “Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file after you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.”
• Lifting a freeze to enable credit monitoring is like….
  • installing flash to watch a flash video about the evils of flash
  • leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors
  • taking your gun off safety to check and see if it’s loaded
• Additional Coverage: Credit monitoring used to secretly track ex-wife’s financial moves
• “Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.”

Feedback:

• Proxmox and ZFS

• Autofs and cifs

• ZFS/BSD/QNAP

• Which BSD? // Slexy 2.0

Round Up:

• Large Systems Administrators Conference: It Was Never Going to Work, So Let’s Have Some Tea
  
• OpenSSL Security Advisory — 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh released. Reminder: 1.0.0t and 0.9.8zh are EoL December 31, 2015
• Sneaky Microsoft renamed its data slurper before sticking it back in Windows 10
• HGST releases new 10TB spinning disks
• Popular Google Chrome extensions are constantly tracking you per default
• “PortFail” exposes VPN users’ real IP addresses
• FTTH last-mile through your water pipes – in photos
• Security Advisory: Remote exploitation of an information disclosure vulnerability in Oral B’s Triumph Toothbrush 9900 with SmartGuide management system allows attackers to obtain sensitive information
• Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint
• The wrong way to use passwords
• Drug Pump Maker Denies Security Patch to Researcher Who Found Vulnerabilities
• Fans trying to buy Adele tickets are presented with other customers data, apparently because the system was ‘overloaded’
• Lenovo patches serious vulnberabilities in its PC system update tool
• More than 900 different devices found to have the same SSH host keys
• Detecting malware through DNS queries: a Kali Pi / Snort project
• Pulling off arbitrary code execution in Super Mario World
• 3 Attacks on Cisco TACACS+: Bypassing the Cisco’s auth
• A device that knows your next amex card number before you do. Renewed/replaced Amex card numbers are predictable if you know your previous number
• the Soviet Union’s KGB developed software to predict sneak attacks from the U.S., which almost triggered a war In 1983
• I’ve build my own crypto system…

The post SpyFi Barbie | TechSNAP 243 first appeared on Jupiter Broadcasting.

Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

• The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ blackhole)
• The exploit kit currently uses three different flash exploits:
• CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
• CVE-2015-0310 – Which was patched today
• and a 3rd new exploit, which is still being investigated
• Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
• However, a 0 day where the exploit kit authors are the first to receive the details, means that even at this point, researchers and Adobe are not yet sure what the flaw is that is being exploited
• Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
• Additional Coverage – Krebs On Security
• Additional Coverage – PCWorld
• Additional Coverage – Malware Bytes
• Additional Coverage – ZDNet

How was your credit card stolen

• Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
• Different ways to get your card stolen, and your chance of proving it:
• Hacked main street merchant, restaurant (low, depends on card use)
• Processor breach (nil)
• Hacked point-of-sale service company/vendor (low)
• Hacked E-commerce Merchant (nil to low)
• ATM or Gas Pump Skimmer (high)
• Crooked employee (nil to low)
• Lost/Stolen card (high)
• Malware on Consumer PC (very low)
• Physical record theft (nil to low)
• “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
• Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
• With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
• Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards, may have some standing to go after the other vendor that was the source of the leak
• Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

• Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
• In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
• Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
• The report also found that 8% of files uploaded to cloud storage provides like Google Drive, Dropbox, Box.com etc, were in violoation of the enterprises’ own Data Loss Prevention (DLP) policies.
• The downloading numbers were worst, 25% of all company files in cloud providers were shared with 1 or more people from outside the company. 12% of outsiders had access to more than 100 files.
• Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
• When the cloud apps are used that lack enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
• Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
• If an employee just makes a dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidently shares all files instead of only specific project files, then fails to remove that person later on, data can leak.
• When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
• Infographic
• Report

Feedback:

• ZFS me timbers

• Allan’s Modified Lenovo

• Sharing a large movie collection over the internet

• RAID alternatives for a bug

Round Up:

• Yes, Every Freeware Download Site is Serving Crapware (Here’s the Proof)
• CERT-UK offers a new best practices guide to combat social engineering
• FBI seeks to legally hack you if you are using TOR or a VPN
• Java patches 19 security holes (13 with 10/10 exploitability score). Make sure you are running at least 7u75 or 8u31
• NSA says it has proof DPRK was behind Sony hack, because they had already hacked the DPRK
• Government health care website quietly sharing personal data
• Steam shell script bug causes it to rm -rf /
• NSA Preps America for Future Battle
• Diary of an NSA Intern
• Password reuse causes spike in Hotel Rewards fraud
• The Sorry State of In-Flight Wi-Fi
• Technical mistake, not terrorist DDoS downed french media websites
• Blackhat, the movie, gets the technobabble mostly right
• All you need is a clipboard, or a stethoscope

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.

Data Breaches often result in the companies attacked playing the victim & shrugging off responsible network management.

Samsung reveals new VR gear, a 3D camera with 16 HD cameras & a bunch of other goodies that promise to bring the virtual world to you.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Samsung unveils Project Beyond, a 3D-capturing camera for Gear VR

Samsung has just unveiled a sneak preview of a new camera called Project Beyond, which is a 3D-capturing 360-degree camera designed to capture videos and stream them on the Gear VR. Pranav Mistry, Samsung’s VP of Research, says that Beyond is a “new kind of camera that gives a new kind of immersive experience.” The camera (which apparently houses 16 full HD cameras) shows a 360-degree panoramic view and captures everything in 3D, collecting a gigapixel of 3D data every second. It promises high-speed connectivity, adaptive stitching, ultra wide-angle optics and stereoscopic depth. And, this isn’t just a concept. It’s actually a fully working device.

Samsung launching Gear VR ‘Innovator Edition’ in early December for $199 | The Verge

You’ll be able to get your hands on Samsung’s Gear VR in early December. Today the company announced that it will launch the Gear VR Innovator Edition — essentially what amounts to developer preview hardware (that’s available to everyone) — next month.

Gear VR: $199 for the headset alone, or $249 with one of Samsung’s Bluetooth gamepads. Add that to the cost of a Note 4 — $700 or more, unsubsidized — and it’s not one of the cheaper VR headsets on the market.

91% of US adults say consumers have lost control over how their personal info is collected and used by companies | Pew Research

Some 43% of adults have heard “a lot” about “the government collecting information about telephone calls, emails, and other online communications as part of efforts to monitor terrorist activity,” and another 44% have heard “a little.” Just 5% of adults in our panel said they have heard “nothing at all” about these programs.

• Public Perceptions of Privacy and Security in the Post-Snowden Era | Pew Research Center’s Internet & American Life Project

Widespread concern about surveillance by government and businesses

Perhaps most striking is Americans’ lack of confidence that they have control over their personal information. That pervasive concern applies to everyday communications channels and to the collectors of their information—both in the government and in corporations. For example:

• 91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
• 88% of adults “agree” or “strongly agree” that it would be very difficult to remove inaccurate information about them online.
• 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
• 70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge.

The post You Are The Product | Tech Talk Today 91 first appeared on Jupiter Broadcasting.

Researchers develop a new way to protect your passwords after they’ve been stolen, the little credit card scam making big money…

Then it’s a great batch of your questions, a rockin round up, and much much more!

On this week’s TechSNAP.

Thanks to:

— Show Notes: —

Researchers are NYU develop PolyPassHash, hard to crack password store

• PolyPassHash is designed to make it significantly harder to crack users’ passwords in the event the password database is leaked
• The system uses SSSS (Shamir’s Secret Sharing Scheme ) which is a system for dividing a secret key (in this case used to encrypt the password database) into many pieces, and requiring only a specific number of those pieces to be combined to return the key
• In the wikipedia example, the secret key is divided into 6 parts and the algorithm defined such that 3 of the parts must be combined in order to return the secret
• The SSSS algorithm is extensible, it allows the number of pieces that the secret is divided into to grow as long as the threshold (the number of pieces required to decrypt) is key fixed
• The SSSS algorithm is also flexible, allowing for some people (say the system administrator) to have more than 1 share
• In the Python reference implementation the threshold is set to 10
• This means that 10 pieces of the secret are required in order to decrypt the password file
• Each regular user’s password is 1 share of the secret, so when that user provides the correct password, 1 share is available
• In the reference implementation, there are 3 administrator users, each of who’s password is 5 shares of the secret, meaning the correct passwords for any 2 of the administrators will be able to decrypt the password database
• Currently PolyPassHash uses just the SHA256 of the users’ password and a random salt, rather than using sha256crypt() which does more than 1 SHA256 round on the password, and uses different mixes of the password and salt
• The drawback with PolyPassHash is that after a reboot, it is not possible for anyone to login until a sufficient number of users have entered the correct password to return the required number (the threshold) of shares to decrypt the password hashes
• There is a proposed solution to this, involving shortening the SSSS key such that some of the hash (the last few bytes) are not encrypted, and using that to authenticate the first few users until sufficient users have successfully logged in to decrypt the password database
• This compromises the security of the passwords because part of the plain hash is leaked, and it also means that an incorrect password could allow a user to login after a reboot before the threshold has been met
• PolyPassHash also has support for thresholdless accounts (accounts that do not have any shares), in order to protect larger systems (like Facebook or Gmail) where an attack may have compromised enough accounts to have sufficient shares to decrypt the entire database. In this case, only administrator (or maybe power user) accounts would have shares
• PolyPassHash also has support for other authentication systems, including things like biometrics, ssh keys, and smart cards, but also external systems like OAuth or OpenID (thresholdless accounts)
• In the case of SSH keys, instead of a password, the share of the SSSS is encrypted with the public key, and the user uses their SSH private key to decrypt the share
• New users cannot be added until the threshold has been reached, since the secret is required to generate a new share of the secret
• Research Paper

Who is behind sub-$15 credit card scam

• A service called ‘BLS Web Learn’ has been identified as being behind a scam that charged numerous credit and debit cards small fees of less than $15
• The scam centers around small charges that appear on your credit card bill, usually for small random amounts such as $9.84, $10.37, or $12.96
• The line item includes a toll free number (as most charges do), and you are encouraged by your bank to call this number and try to identify the charge and resolve any issues with the seller directly, rather than filing a chargeback
• In this case, since the card holder never ordered anything or authorized the charge, the service refunds the small amount
• They make their money off all of the people who don’t notice the small charge
• Unlike many scams, because they maintain the assertion that they are a legitimate business, and refund the charge when a cardholder complains, they do not rack up a large number of chargebacks, and their account with the credit card processor is not red flagged or shut down
• Krebs have investigated a similar case before, which appeared to be based in Malta
• The name of the ‘online learning’ company, and the credit card processor are different, but the scam seems very much the same
• The payment processor, BlueSnap, lists its offices in Massachusetts, California, Israel, Malta and London. Interestingly, the payment network used by the previous scam, Credorax, also lists offices in Massachusetts, Israel, London and Malta

Feedback:

• Who should play Allan Jude in Allan Jude: The Movie

• XP Fail

• Picture of the XP mess

• Checksum your SaaS

• Ubuntu Manpage: debsums – check the MD5 sums of installed Debian packages

• Mulitple Domain Names pointing to same IP address

• The debate continues re: ZFS and ECC

  • ECC is not required, but using non-ECC increases the risk of data loss. Using ECC RAM is the cheapest way to increase the uptime and reliability of the system

• Metal_Geek Needs help: I need help recovering data from a LUKS encrypted partition.

Round-Up:

• How Dropbox Knows When You’re Sharing Copyrighted Stuff
• TarSnap response to similar situation
• New wireless technology MU-MIMO promises to speed up congested WiFi networks
• How WhatsApp Grew to Nearly 500 Million Users, 11,000 cores, and 70 Million Messages a Second
• Dating site spams people, if you actually click through you might get the database password
• EU passes net neutrality law, votes to end throttling, site blocking
• Sophos researcher talks about Secure Credit Card Transactions
• Hack of Boxee.tv exposes password data, messages for 158,000 users
• Being an expert sucks
• Exclusive – NSA infiltrated RSA security more deeply than thought: Study
• FTC settles case about company who claimed to secure data with SSL but did not verify certificates
• Visual explaination of how SQL joins work

The post Not Sharing The Secret | TechSNAP 156 first appeared on Jupiter Broadcasting.

New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for…

Plus: We’ll answer your questions, chat about rolling your own email server, and much much more!

On this week’s TechSNAP

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 35% off your ENTIRE first order just use our code 35off3 until the end of the month!
Ang Reports on her Android challange Catch episode 144 find out how things stand after her week on Android

Support the Show:

   

Support the Show: