cryptography – Jupiter Broadcasting

Notes from when Dan was experimenting with this: Only work if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. Must be the first character after ENTER.

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

According to Kaspersky, the fault rests of the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software
The analyst’s computer was infected with malware while Kaspersky’s product was disabled
When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times
A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

Spent $3,000 to buy 7.4 bitcoins. Saved them to Trezor hardware wallet. Wrote down a 24-word recovery key. Saved a PIN.
Paper went missing
Could not remember PIN
Tried many times.
Tried an exploit…..

Feedback

Round Up:

grafana – Datasources as configuration
curl statistics made simple: davecheney/httpstat (written in GO) refers to reorx/httpstat (written in Python) which is in FreeBSD Ports as net/py-httpstat – Dan tweeted his test case
Gentoo system ransomware’d
Backblaze Hard Drive Stats for Q3 2017
A flaw in Google’s bug database exposed private security vulnerability reports – original blog post
Staging Best Practices
Protocol standards not publicly available
Oracle ZFS man calls for Big Red to let filesystem upstream into Linux – sounds like Oracle wants to get ZFS into Linux
Things You Can Do on the Dark Web That Aren’t Illegal

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.

Cloudy with a chance of ABI | TechSNAP 342

chris — Tue, 24 Oct 2017 21:10:20 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.
The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

How I Socially Engineer Myself Into High Security Facilities

A few months ago, a client had hired me to test two of their facilities. A manufacturing plant, plus data center and office building nearby.
I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites.
This is not an advanced investigation. I’m not a private investigator and I don’t have the resources of the NSA. But I can do a lot of damage with simple methods.
X could have saved the company a lot of heartache by simply verifying that I was who I claimed to be.
I’ve been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.

Crippling crypto weakness opens millions of smartcards to cloning

Yubico not aware of any security breaches due to this issue

Millions of smartcards in use by banks and large corporations for more than a decade have been found to be vulnerable to a crippling cryptographic attack. That vulnerability allows hackers to bypass a wide range of protections, including data encryption and two-factor authentication.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

Feedback

Workaround for the WPA2 exploit – from Jonathan
SNAPs for… Windows?
Server Layout for Linux System with LXC – There is an interesting project kind of related to this idea called CloudABI – CloudABI for FreeBSD
IT Land before time COMPUTERS THAT NEVER WERE Software Emulator for the Cardboard Illustrative Aid to Computationn

Round Up:

The post Cloudy with a chance of ABI | TechSNAP 342 first appeared on Jupiter Broadcasting.

HAMR Time | TechSNAP 341

chris — Tue, 17 Oct 2017 20:32:42 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Update Every Device — This KRACK Hack Kills Your Wi-Fi Privacy

use a VPN & https, which would reduce the attack surface, but it’s not ‘perfect’.
Update from Forbes
Lots of stuff updated. Lots of stuff not. This is where it pays to know what you have in use and monitor your suppliers for notices.

Mobile carriers selling personal data

Mobile carriers sell users’ personal information to third parties

Western Digital Stuns Storage Industry with MAMR Breakthrough for Next-Gen HDDs

Western Digital Hard Drives Will Provide Over 40TB of Storage by 2025
new tech is MAMR – microwave-assisted magnetic recording instead of HAMR (Heat-assisted magnetic recording) with a laser
[Why MAMR over HAMR?]](https://www.extremetech.com/computing/257352-western-digital-reveals-mamr-technology-allow-40tb-hard-drives)

Feedback

Round Up:

The post HAMR Time | TechSNAP 341 first appeared on Jupiter Broadcasting.

Laying Internet Pipe | TechSNAP 339

chris — Thu, 05 Oct 2017 14:43:57 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google Will Survive SESTA. Your Startup Might Not.

Requires unreliastic levels of censorship by platforms; not even the big players will be able to comply 100%
Proponents consider startups to be outliers, which “will be successfully prosecuted, civilly and criminally under this law”.
Proponents are overstating the effectiveness of filtering
Proposed standards actually discourage platforms from filtering

Companies Look to an Old Technology to Protect Against New Threats

Tape is an old techology. It is also highly reliable and stable
Tape sales are increasing
Yep, backup to NAS is great, but do you have different versions of your data?

CBS’s Showtime caught mining crypto-coins in viewers’ web browsers

This isn’t about CBS. It’s about the potential for abuse by website owners
Code unlikely to be official sanctioned / added by CBS; mure more likely it was a malicious third party or insider.
The email address associated with the mining account is personal, not corporate
Ethical issues for content providers to figure out

Feedback

Round Up:

The post Laying Internet Pipe | TechSNAP 339 first appeared on Jupiter Broadcasting.

Patch Your S3it | TechSNAP 338

chris — Tue, 26 Sep 2017 23:40:04 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Distrustful U.S. allies force spy agency to back down in encryption fight

Some ISO delegates said much of their skepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard.
In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world.

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.
“The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today.
The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Equifax sends customers to wrong website, not theirs, for help

The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.
After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.
On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.

FinFisher government spy tool found hiding as WhatsApp and Skype

This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISP level – packaging real downloads with spyware.
When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.
When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.

Feedback

Stored passwords & Amazon Fire Stick

+Hey Dan. What is a good and inexpensive tape backup drive for LTO tapes? What works for you best? Thx!

Round Up:

Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

Facebook re-licenses React under MIT license after developer backlash

The post Patch Your S3it | TechSNAP 338 first appeared on Jupiter Broadcasting.