Show Notes: techsnap.systems/413

The post The Coffee Shop Problem | TechSNAP 413 first appeared on Jupiter Broadcasting.

Show Notes/Links: linuxunplugged.com/294

The post Tainted Love | LINUX Unplugged 294 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/329

The post OpenJDK or Death | Coder Radio 329 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Links

• Virtual Private Surveillance | TechSNAP 248
• Internet of Threats | TechSNAP 249
• Pay to Boot | TechSNAP 260
• Insecure Socket Layer | TechSNAP 265
• Curl Sleeper Agent | TechSNAP 266
• Signature Bloatware Updates | TechSNAP 270
• Internet Power Struggle | TechSNAP 277

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

We’ll break down Apple’s major SSL flaw, and what it says about Apple’s general security posture, then the Zeus trojan evolves…

Plus an awesome batch of your questions, our answers.

On this week’s episode of, TechSNAP.

Thanks to:

— Show Notes: —

Apple fixes certificate validation flaw in iOS and OS X

• The flaw in the certificate verification step allowed an attacker to sign a certificate with any private key, or no key at all, and the certificate would still be accepted by the device
• This means an attacker could trivially perform a man-in-the-middle (MitM) attack, and intercept all traffic between you and a secure destination
• This would allow an attack to get your email passwords, logins for services like facebook and twitter, and compromise your online banking account
• A MitM attack is what TLS/SSL are designed to prevent
• A MitM is trivial to perform if you can trick a user into connecting to a WiFi access point you control, say at a coffee shop or other public space
• The flaw is also present in Mac OS X and fixed in 10.9.2 (Released Feb 25th, 4 days after the iOS update)
• The issue is caused by a duplicate ‘goto’ statement. The first is inside the if structure (with implied curly braces), but the 2nd is unconditional, causing the goto fail to happen in every case
• It is unclear how long Apple has known about the flaw, but the CVE for the bug was reserved on January 8th
• diff between Mac OS X 10.8.5 and 10.9 showing the addition of the errant goto
• OS X 10.9.2 also fixes an issue with cURL, where the TLS/SSL verification code did not check the hostname again the certificate if the URL was an IP address
• Hacker News thread
• More analysis
• Why were there gotos in apple software in the first place?
• Apple Announcement

University of Maryland ID card system breached

• 309,079 of the students, faculty, and staff of the University of Maryland College Park and Shady Grove campuses have had their personal information exposed in an attack against the ID card system
• The breach occurred about 04:00 February 18th
• An attacker was able to get access to the ID card database that holds information on all card holders dating back to 1998
• The data includes full name, SSN, birth date and University ID number
• Brian Voss, CIO of U Md., said “what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected”
• Voss claims that this was not a case of a ‘door left open’, that the attackers had to ‘pick through multiple locks’
• It will be interesting to see if details of the attack are published
• Related: The total cost of unmasked data

New Zeus trojan variant targets SalesForce.com

• “The Adallom Labs team recently discovered an unusual variant of the Zeus trojan that targets Salesforce users. We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.”
• We have covered the Zeus trojan before, it is a sophisticated malware used to steal online banking credentials and perform transactions, even in the face of two-factor authentication schemes by performing ‘man-in-the-browser’ attacks
• This attack does not exploit a vulnerability of SalesForce, it is just taking over the user’s device used to access the site, in order to steal data from the site once logged in
• This attack seems to be a totally new kind of attack, not described by any existing Common Attack Pattern Enumeration and Classification (CAPEC) pattern.
• When the Adallom security system detected an employee accessing a large number of records in a short period of time, it triggered an ‘insider thread’ alert. This alert is fairly common and is usually related to a sales agent downloading their entire rolodex, sometimes in preparation for leaving the company
• When corporate security integrated the employee in question, they claimed no knowledge of the bulk download
• The employees laptop was scanned and found to be clean
• Further investigation lead to the employees home PC, which was running outdated windows XP, an unpatched version of Internet Explorer, and an expired virus scanner
• The machine was infected with various bits of malware, but specifically, a modified version of the Zeus Trojan (win32/ZBot)
• The interesting part is that the Trojan targets *.my.salesforce.com instead of banking sites
• The attack also leveraged devices not controlled by corporate security
• This highlights the risks involved with BYOD and allowing employees to use their home computers to access corporate applications, especially SaaS applications

Feedback:

• sshshark

• Fibre internet in Australia

• Advice for low data rate network?

• GCHQ Revelations

• Webmin Alternative

• Flight of the Intruder

• Flight of the Intruder Audiobook – Full Cast
• Influx Audiobook | Daniel Suarez

Round Up:

• Apple Drops Snow Leopard Security Updates, Doesn\’t Tell Anyone
• GCHQ hijacked webcams of Yahoo chat and stored images of over 1.8 million users in 6 months, program ran for 2 years and collected a large quantity of sexually explicit images
• MakerBot Starts Taking Pre-Orders For Their Itty-Bitty 3D Printer
• Netflix shuts down gift card sales temporarily after rash of fraud from Brazil
• Microsoft introduces Microsoft Lync, allows companies to spy on their employees the same way the NSA does. Find out who is dating who, and who is looking for a new job
• OpenBSD revs bcrypt password hash to solve issue with passwords over 255 characters
• Phishing scam sends fake credit card fraud alerts, targeting real companies to trick customers
• Zero day flaw in IE9 and 10 exploited in watering hole attacks targeting Veterans and Military contractors. CVE-2014-0322
• Operation Greedy Wonk, Flash and AIR exploit, CVE-2014-0502
• Inside the Flash zero day CVE-2014-0502
• Breaking the Bitcrypt ransomware
• Why is broadband not getting any fasters? ISPs don’t want to spend any money. Verizon and TWC not set to lay any new lines any time soon
• The problem with 3rd party email, sometimes it goes away. Facebook is shutting down its email service. Will forward to your registered email address, for now
• DDoSing Cell Phone Networks
• Schneier highlights a recent profile of Brian Krebs

The post Go Directly to Fail | TechSNAP 151 first appeared on Jupiter Broadcasting.