Data – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Last updated: Mon, 18 Mar 2019 15:52:45 +0000

Ethics in AI | TechSNAP 399
https://original.jupiterbroadcasting.net/129831/ethics-in-ai-techsnap-399/
Fri, 15 Mar 2019 19:52:30 +0000

Show Notes: techsnap.systems/399

The post Ethics in AI | TechSNAP 399 first appeared on Jupiter Broadcasting.

Data Conspiracy RISC | User Error 59
https://original.jupiterbroadcasting.net/129416/data-conspiracy-risc-user-error-59/
Fri, 15 Feb 2019 07:01:50 +0000

Show Notes: error.show/59

The post Data Conspiracy RISC | User Error 59 first appeared on Jupiter Broadcasting.

Tails of Privacy | Ask Noah 13
https://original.jupiterbroadcasting.net/115891/tails-of-privacy-ask-noah-13/
Mon, 19 Jun 2017 21:43:24 +0000

RSS Feeds:

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —

— The Cliff Notes —

  • Tails 3.0 Security Distro
  • Tails 3.0 is out
  • Tails Version 3.0 Features
  • Steam is Now on Flatpak
  • Telegram Approached by US Intelligence

— Noobs Corner —

Check out the Ask Noah Dashboard

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

The post Tails of Privacy | Ask Noah 13 first appeared on Jupiter Broadcasting.

Check Yo Checksum | TechSNAP 311
https://original.jupiterbroadcasting.net/107681/check-yo-checksum-techsnap-311/
Wed, 22 Mar 2017 00:54:22 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Bacula Deep Dive – as requested by Matt Yakel

  • Bacula: Cross-Platform Client-Server Backups – from 2004, FYI only
  • Sony SDT 10000 Tape Drive
  • Bacula – […]


Feedback


Round Up:


The post Check Yo Checksum | TechSNAP 311 first appeared on Jupiter Broadcasting.

Best of 2016 | TechSNAP 298
https://original.jupiterbroadcasting.net/105646/best-of-2016-techsnap-298/
Thu, 22 Dec 2016 10:37:02 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Links

  • Virtual Private Surveillance | TechSNAP 248
  • Internet of Threats | TechSNAP 249
  • Pay to Boot | TechSNAP 260
  • Insecure Socket Layer | TechSNAP 265

[…]

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

The Bourne Avalanche | TechSNAP 297
https://original.jupiterbroadcasting.net/105481/the-bourne-avalanche-techsnap-297/
Thu, 15 Dec 2016 20:17:34 +0000
RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Malvertising campaign targets routers with: DNSChanger EK

  • “Proofpoint researchers have reported frequently this year on the decline in exploit kit (EK) activity. EKs, though, are still vital components of malvertising operations, exposing large numbers of users to malware via malicious ads. Since the end of October, we have seen an improved version of the “DNSChanger EK” [1] used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising.”
  • “The router attacks appear to happen in waves that are likely associated with ongoing malvertising campaigns lasting several days. Attack pattern and infection chain similarities led us to conclude that the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015”
  • “The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user’s local IP address.”
  • “Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.”
  • “For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.”
  • “The next step is for the attackers to send an image file to the user’s browser, which contains an AES key embedded inside the photo using steganography.”
  • “The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.”
  • “There are now 166 fingerprints, some working for several router models, versus 55 fingerprints in 2015. For example, some like the exploit targeting “Comtrend ADSL Router CT-5367/5624″ were a few weeks old (September 13, 2016) when the attack began around October 28.”
  • “When possible (in 36 cases) the exploit kit modifies the network rules to make the administration ports available from external addresses, exposing the router to additional attacks like those perpetrated by the Mirai botnets”
  • “The malvertising chain is now accepting Android devices as well.”
  • “The attack chain ensnares victim networks through legitimate web sites hosting malicious advertisements unknowingly distributed via legitimate ad agencies. The complete attack chain is shown in Figure 1.”
  • So, after you see the malicious ad, it decides if you are an interesting victim or not. If not, the ad slot is resold for money
  • If you are interesting, you get a different ad, which contains a URL to the exploit kit
  • This results in a redirect, that sends you to a different PNG, that has an AES key hidden in it, used to decrypt the payload, so that it is not spotted by virus scanners or the advertising agencies
  • It then examines your router, and decides if it is exploitable
  • If it is, another AES-encrypted payload is sent, which tries default username/password combinations to compromise your router from the LAN side using CSRF
  • It then changes your DNS servers in the settings of your router, and if it is able to, allows administrative access on the WAN interface.
  • “Once the attack has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn’t feature ads. While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.”
  • “Updating router firmware is the recommended course of action”
  • Additional Coverage: Bleeping Computer
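The defender-side counterpart of the campaign above is checking which DNS servers the router is actually handing out, since the end result of a successful run is a changed resolver setting. The following is an added example in Python, not from the show notes or from Proofpoint: it parses a constructed resolv.conf and a constructed dhclient lease and flags any resolver that is not on an operator-maintained allowlist. The allowlist addresses and both sample files are assumptions for the example; 192.168.1.1 stands in for the router and the public addresses are RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Resolvers a client on this LAN is expected to be handed. Assumed values for the
# example: the router's own address plus the ISP resolver the router should forward to
# (198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("198.51.100.53"),
}

# Constructed sample of what a client sees after its router's DNS setting was changed:
# the router still answers, but it now also hands out an unexpected public resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Constructed dhclient lease for the same client; the DHCP offer is what the router
# actually pushed, independent of anything later edited on the client.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,203.0.113.77;
}
"""


def resolvers_from_resolv_conf(text):
    """Return the nameserver entries of a resolv.conf, ignoring comments."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            found.append(ipaddress.ip_address(parts[1]))
    return found


def resolvers_from_dhclient_lease(text):
    """Return the DNS servers from a dhclient lease file; the last lease block wins."""
    found = []
    for match in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        found = [ipaddress.ip_address(a.strip()) for a in match.group(1).split(",")]
    return found


def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolvers missing from the allowlist, in first-seen order, without duplicates."""
    flagged = []
    for resolver in resolvers:
        if resolver not in expected and resolver not in flagged:
            flagged.append(resolver)
    return flagged


def audit(resolv_conf=SAMPLE_RESOLV_CONF, lease=SAMPLE_DHCLIENT_LEASE):
    """Check both sources and report unexpected resolvers as strings."""
    seen = resolvers_from_resolv_conf(resolv_conf) + resolvers_from_dhclient_lease(lease)
    return [str(r) for r in unexpected_resolvers(seen)]


if __name__ == "__main__":
    print("unexpected resolvers:", audit() or "none")
```

Reading the DHCP lease as well as resolv.conf matters because a client running its own stub resolver may never copy the router's offer into resolv.conf; the lease is the record of what the router told the client. The same allowlist check can be run against the router's own WAN DNS setting where the router exposes it.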

Avalanche crime ring leader eludes justice

  • “The accused ringleader of a cyber fraud gang that allegedly rented out access to a criminal cloud hosting service known as “Avalanche” is now a fugitive from justice following a bizarre series of events in which he shot at Ukrainian police, was arrested on cybercrime charges and then released from custody.”
  • “On Nov. 30, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime.”
  • “According to Ukrainian news outlets, the alleged leader of the gang — 33-year-old Russian Gennady Kapkanov — did not go quietly. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape off of his 4th floor apartment balcony.”
  • “Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge in the city of Poltava, Ukraine later ordered Kapkanov released, saying the prosecution had failed to file the proper charges (including charges of shooting at police officers), charges which could have allowed authorities to hold him much longer. Ukrainian media reports that police have since lost track of Kapkanov.”
  • “Ukraine’s Prosecutor General Yuri Lutsenko is now calling for the ouster of the prosecutor in charge of the case. Meanwhile, the Ukrainian authorities are now asking the public for help in re-arresting Kapkanov.”
  • It seems that the cybercrime charges were not considered “serious” enough to include pretrial confinement. However, had the prosecutor also charged Kapkanov with shooting at the police etc, they could have held him.
  • It will be interesting to see what else comes of this case

Krebs Mini Roundup:

  • Operation: Tarpit — Targeting customers of online attack-for-hire services
    • “Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.”
    • “As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.”
    • “According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.”
    • “The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.”
    • “I applaud last week’s actions here in the United States and abroad, as I believe many booter service customers patronize them out of some rationalization that doing so isn’t a serious crime. The typical booter service customer is a teenage male who is into online gaming and is seeking a way to knock a rival team or server offline — sometimes to settle a score or even to win a game. One of the co-proprietors of vDos, for example, was famous for DDoSsing the game server offline if his own team was about to lose — thereby preserving the team’s freakishly high ‘win’ ratios.”
    • “But this is a stereotype that glosses over a serious, costly and metastasizing problem that needs urgent attention. More critically, early law enforcement intervention for youths involved in launching or patronizing these services may be key to turning otherwise bright kids away from the dark side and toward more constructive uses of their time and talents before they wind up in jail. I’m afraid that absent some sort of “road to Damascus” moment or law enforcement intervention, a great many individuals who initially only pay for such attacks end up getting sucked into an alluring criminal vortex of digital extortion, easy money and online hooliganism.”
  • 1 billion more Yahoo accounts hacked
  • My yahoo account was hacked, now what?
  • Q: I’m not sure if I have a Yahoo account. How do I find out?
  • A: This is a surprisingly complex question. Thanks to the myriad mergers and business relationships that Yahoo has forged over the years, you may have a Yahoo account and not realize it. That’s because many accounts that are managed through Yahoo don’t actually end in “yahoo.com” (or yahoo. insert country code here). For example, British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers.net customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address.
  • Q: So if using hashing methods like MD5 is such a lame security idea, why is Yahoo still doing this?
  • A: Yahoo says this breach dates back to 2013. To its credit, Yahoo began moving away from using MD5s for new accounts in 2013 in favor of Bcrypt, a far more secure password hashing mechanism. But yeah, even by 2013 anyone with half a clue in securing passwords already long ago knew that storing passwords in MD5 format was no longer acceptable and an altogether braindead idea. It’s one of many reasons I’ve encouraged my friends and family to ditch Yahoo email for years.
  • Q: Yahoo said in some cases encrypted or unencrypted security questions and answers were stolen. Why is this a big deal?
  • A: Because for years security questions have served as convenient backdoors used by criminals to defraud regular, nice people whose only real crime is that they tend to answer questions honestly. But with the proliferation of data that many people post online about themselves on social media sites — combined with the volume of public records that are indexed by various paid and free services — it’s never been easier for a stranger to answer your secret question, “What was the name of your elementary school?” Don’t feel bad if you naively answered your secret questions honestly. Even criminals get their accounts hacked via easily-guessed secret questions, as evidenced by this story about the San Francisco transit extortionist who last month had his own account hacked via weak secret questions.

All the talks from: Systems We Love


Feedback:


Round Up:


The post The Bourne Avalanche | TechSNAP 297 first appeared on Jupiter Broadcasting.

Root in 70 Seconds | TechSNAP 293
https://original.jupiterbroadcasting.net/104776/root-in-70-seconds-techsnap-293/
Thu, 17 Nov 2016 23:45:18 +0000
RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Cryptsetup bug: Get a root shell by holding down Enter

  • “A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The disclosure of this vulnerability was presented as part of our talk “Abusing LUKS to Hack the System” in the DeepSec 2016 security conference, Vienna.”
  • “This vulnerability allows one to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc., where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard and/or a mouse.”
  • Note that in cloud environments it is also possible to remotely exploit this vulnerability without having “physical access.”
  • Suddenly that Digital Ocean HTML5 console makes you want to set up two-factor authentication.
  • “If you use Debian or Ubuntu (probably many derived distributions are also vulnerable, but we have not tested), and you have encrypted the system partition, then your system is vulnerable.”
  • “Update: We have found that systems that use Dracut instead of initramfs are also vulnerable (tested on Fedora 24 x86_64).”
  • “During the installation of Ubuntu, one of the first steps is to prepare the target partition (make partitions if needed, and/or format them). At this stage, the user is asked to “Encrypt the new (LXK)ubuntu installation for security”. Nowadays, there is very little performance penalty working with an encrypted disk and it is an effective solution to protect data when the computer is not running. It is advisable to enable this feature.”
  • “An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. Just to mention some exploitation strategies:”
    • Elevation of privilege: Since the boot partition is typically not encrypted:
      • It can be used to store an executable file with the SetUID bit enabled, which can later be used to escalate privileges by a local user.
      • If the boot is not secured, then it would be possible to replace the kernel and the initrd image.
    • Information disclosure: It is possible to access all the disks. Although the system partition is encrypted, it can be copied to an external device, where it can later be brute forced. Obviously, it is possible to access non-encrypted information in other devices.
    • Denial of service: The attacker can delete the information on all the disks.
  • “The fault is caused by an incorrect handling of the password check in the script file /scripts/local-top/cryptroot. When the user exceeds the maximum number of password tries (by default 3), then boot sequence continues normally.”
  • “The calling script, /scripts/local, handles the error as if it were caused by a slow device that needs more time to warm up. The booting script then tries to recover/mount the “failing” device, in the function local_device_setup(), multiple times (up to 30 times on an x86 system, and 150 on a powerpc machine). Every time the top level script tries to mount the encrypted partition (line 99 in /script/local), the user is allowed to try 3 more LUKS passwords. This gives a total of 93 password trials (on x86).”
  • “But the real problem happens when the maximum number of trials for transient hardware faults is reached (30 times for non ppc systems), line 114 at function local_device_setup(). In this case, the top level script is not aware of the root cause of the fault and drops a shell (busybox) to the user, line 124. The panic() function (see below) tries to insert additional drivers and runs a shell.”
  • The Exploit: “The attacker just has to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx.”
  • “In general, the GNU/Linux ecosystem (kernel, system apps, distros, …) has been designed by developers for developers. Therefore, in the case of a fault, the recovery action is very “developer friendly”, which is very convenient while developing or in controlled environments. But when Linux is used in more hostile environments, these helpful (but naive) recovery services shall not be the default option.”
  • “UEFI and GRUB contain two complete and very powerful shell facilities. The initrd system has a powerful busybox with complete access to the network.”
  • “Maybe all this “just in case” functionality shall be removed, or seriously reconsidered, for the sake of security.”
  • Additional Coverage: TheHackerNews

Compromising a Linux desktop using… 6502 processor opcodes on the NES?!

  • “A vulnerability and a separate logic error exist in the gstreamer 0.10.x player for NSF music files. Combined, they allow for very reliable exploitation and the bypass of 64-bit ASLR, DEP, etc. The reliability is provided by the presence of a turing complete “scripting” inside a music player. NSF files are music files from the Nintendo Entertainment System.”
  • “Here is a screenshot of the exploit triggering. Somewhat alarmingly, it does so without the user opening the exploit file — they only have to navigate to the folder containing the file.”
  • Just the preview of the file, generated by your file manager, is enough to exploit your system, and in this case, pop calculator.
  • “You can download the file: exploit_ubuntu_12.04.5_xcalc.nsf. In the image above, the file has been renamed to “time_bomb.mp3”. As the filename suggests, this exploit works against Ubuntu 12.04.5. This is an old but still supported distribution. Specifically, for reproducibility, it works against exactly Ubuntu 12.04.5, without further updates. If you take all the updates, you’ll get a new glibc, which changes some code offsets and the exploit will crash. The crash is of course deterministic and it would be possible to code the exploit to cater for arbitrary glibc binaries; this is left as an exercise for the reader.”
  • “The vulnerability is in libgstnsf.so, an audio decoder present in the gstreamer-0.10 distribution. Ubuntu 12.04 uses gstreamer-0.10 for all its audio handling needs. Ubuntu 14.04 is apparently affected because the default install includes gstreamer-0.10, but most media handling applications use gstreamer-1.0 which is also installed. The exact circumstances under which Ubuntu 14.04 uses the vulnerable gstreamer-0.10 are not clear. The Ubuntu 16.04 default install has only gstreamer-1.0, which is not affected by this vulnerability.”
  • “Here’s the patch for Ubuntu 12.04: sudo rm /usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so”
  • “While at first glance, this “patch” would appear to remove functionality, it does not. Your wonderful NSF files will still play. WTF? Would you believe that Ubuntu 12 and 14 ship not one but two different code bases for playing NSF files? That’s a lot of code for a very fringe format. The second NSF player is based on libgme and does not appear to have the vulnerabilities of the first.”
  • “This exploit abuses a vulnerability in the gstreamer-0.10 plug-in for playing NSF music files. These music files are not like most other music files that your desktop can play. Typical music files are based on compressed samples and are decoded with a bunch of math. NSF music files, on the other hand, are played by actually emulating the NES CPU and sound hardware in real time. Is that cool or what? The gstreamer plug-in creates a virtual 6502 CPU hardware environment and then plays the music by running a bit of 6502 code for a little while and then looking at the resulting values in the virtualized sound hardware registers and then rendering some sound samples based on that.”
  • “In order to actually exploit this vulnerability, or a vulnerability like it, there are various plausible and different avenues:”
    • Send exploit via e-mail attachment. If the victim downloads and opens the file, they are compromised. Note — for this to work, you likely need to rename exploit.nsf to exploit.mp3. Most Linux desktops don’t know what to do with an NSF file, but they’ll happily stuff any sequence of bytes in an MP3 file through a media player. Most gstreamer based media players will ignore a file’s suffix and use file format auto detection to load the file with the most appropriate decoder.
    • Partial drive-by download. By abusing Google Chrome’s somewhat risky file download UX, it’s possible to dump files to the victim’s Downloads folder when a booby trapped web page is visited. When the Downloads folder is later viewed in a file manager such as nautilus, an attempt is made to auto thumbnail files with known suffixes (so again, call the NSF exploit something.mp3). The exploit works against the thumbnailer.
    • Full drive-by download. Again, abusing Google Chrome download UX, there’s a path to a possible full drive-by download. This will be explored in a separate blog post.
    • USB drive based attack. Again, opening a USB drive opens up the thumbnailing attack described above.
  • The Vulnerabilities:
  • “1: Lack of checking ROM size when mapping into 6502 memory and bank switching (Absent a CVE, you can uniquely identify this as CESA-2016-0001.) There is a near total lack of bounds checking on proposed ROM mappings. This applies to the initial ROM load, as well as subsequent ROM bank switching.”
  • “2: Ability to load or bank switch ROM to writable memory locations (Probably not an actual vulnerability per se; no identifier assigned.) Other NES music players I’ve looked at do not permit the loading or bank switching of ROM data at addresses below 0x8000. But this particular player does, either via a ROM load address in the file header that is below 0x8000, or via writes to the bank registers 0x5ff6 or 0x5ff7 (other emulators do not even have bank registers as low as 0x5ff6 or 0x5ff7)”
  • “Writing e.g. 0x00 to 0x5ff6 will result in the first 4096 bytes of ROM being mapped read and write at 6502 virtual address 0x6000. In our 200 byte file example, this means that a subsequent write of 0x41 to virtual address 0x6048 will result in 0x41 being written out of bounds relative to the host emulator heap. As can be appreciated, we now have a lot of read and write control over the host emulator heap and the more experienced exploit writers will realize that successful exploitation is already all but assured.”
  • The article then walks through each step of the exploit to actually pop calculator
  • “There’s a critical reason that decent, reliable exploitation was possible with this bug: the presence of some form of “scripting” language. In this case, that script happens to be 6502 opcodes. Having an exploit running in script enables important exploitation aspects, such as making decisions based on exploitation environment, and in particular, using code to observe the effects of a corruption (such as a memory leak) and make sensible follow-up decisions.”
  • “One of the reasons that browsers and browser plug-ins (Flash, Java) are popular exploitation targets is precisely because they are fundamentally scripting environments.”
  • “Another great example of this phenomenon is Windows font parsing and rendering. This has traditionally occurred in the kernel(!!) and rendering modern fonts involves…. yes, running a little language to make rendering decisions. Well, many times, attackers have used that same language to cause Windows kernel corruptions and proceed to full ring 0 compromise by using a script-inside-font to make decisions about reliably proceeding with the exploit.”
  • Maybe our file browsers should not be tasting these untrusted files and exposing us to these vulnerabilities
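To make the two NSF bugs concrete, here is an added Python model of the bank-switching logic the write-up describes; it is not the gstreamer or libgstnsf code. Bank registers 0x5ff6 to 0x5fff select which 4 KiB bank of the ROM image appears in the 4 KiB window at $6000, $7000, … $F000 (the standard NSF layout uses only 0x5ff8 to 0x5fff for $8000 and above; the two extra registers are what this player adds). The unchecked variant reproduces both flaws, no ROM-size check and ROM mappable into the writable windows below $8000, so that the 200-byte-file sequence from the write-up lands one byte past the host ROM buffer. The checked variant pads the image to whole banks, rejects banks beyond the image and windows below $8000, and refuses writes into ROM windows. The sample file, the guard-byte model of the host heap and the helper names are assumptions of the example; the 128-byte NSF header is the format's real header size.

```python
# Constructed 200-byte NSF file: the 128-byte header (magic "NESM\x1a", rest zeroed)
# followed by 72 bytes of 6502 code/data. Not a playable tune; only the sizes matter.
NSF_HEADER_SIZE = 0x80
SAMPLE_NSF = b"NESM\x1a" + bytes(NSF_HEADER_SIZE - 5) + bytes(range(72))

BANK_SIZE = 0x1000                              # NSF bank switching works in 4 KiB windows
BANK_REG_LOW, BANK_REG_HIGH = 0x5FF6, 0x5FFF    # 0x5FF6 -> $6000 window ... 0x5FFF -> $F000
FIRST_ROM_WINDOW = 0x8000                       # standard players only map ROM at $8000 and above
HEAP_GUARD = 16                                 # stands in for whatever follows the ROM on the heap


class NsfPlayerMemory:
    """Toy model of an NSF player's 6502 address space with switchable ROM windows."""

    def __init__(self, nsf_file: bytes, checked: bool):
        rom = bytes(nsf_file[NSF_HEADER_SIZE:])
        if checked:
            # A careful loader pads the image to whole banks, so a bank is either
            # fully present or rejected, instead of trusting the file's sizes.
            rom += bytes(-len(rom) % BANK_SIZE)
        self.rom = rom
        self.checked = checked
        # Host-side buffer: the ROM bytes plus guard bytes modelling neighbouring heap.
        self.host = bytearray(rom) + bytearray(HEAP_GUARD)
        self.ram = bytearray(0x10000)   # 64 KiB of plain 6502 RAM
        self.windows = {}               # window base address -> host offset of the mapped bank
        self.oob_writes = 0             # writes that landed past the end of the ROM buffer

    def _switch_bank(self, reg: int, bank: int) -> None:
        window = 0x6000 + (reg - BANK_REG_LOW) * BANK_SIZE
        offset = bank * BANK_SIZE
        if self.checked:
            if window < FIRST_ROM_WINDOW:
                raise ValueError(f"refusing to map ROM into writable window {window:#06x}")
            if offset + BANK_SIZE > len(self.rom):
                raise ValueError(f"bank {bank:#04x} lies beyond the {len(self.rom)}-byte ROM")
        self.windows[window] = offset   # unchecked: any bank into any window

    def write(self, addr: int, value: int) -> None:
        if BANK_REG_LOW <= addr <= BANK_REG_HIGH:
            self._switch_bank(addr, value)
            return
        window = addr & 0xF000
        if window not in self.windows:
            self.ram[addr] = value
            return
        if self.checked:
            raise PermissionError(f"write to ROM-mapped address {addr:#06x} refused")
        offset = self.windows[window] + (addr - window)
        if offset >= len(self.rom):
            self.oob_writes += 1        # the host heap corruption the exploit builds on
        if offset < len(self.host):
            self.host[offset] = value

    def read(self, addr: int) -> int:
        window = addr & 0xF000
        if window in self.windows:
            offset = self.windows[window] + (addr - window)
            return self.host[offset] if offset < len(self.host) else 0
        return self.ram[addr]


def replay_unchecked(nsf: bytes = SAMPLE_NSF):
    """The write-up's sequence against the unchecked model: (oob_writes, byte after ROM)."""
    mem = NsfPlayerMemory(nsf, checked=False)
    mem.write(0x5FF6, 0x00)   # map ROM bank 0 read/write at $6000
    mem.write(0x6048, 0x41)   # host offset 0x48 == 72 == len(rom): one byte past the buffer
    return mem.oob_writes, mem.host[len(mem.rom)]


def replay_checked(nsf: bytes = SAMPLE_NSF):
    """Same sequence against the checked model: the mapping itself is refused."""
    mem = NsfPlayerMemory(nsf, checked=True)
    try:
        mem.write(0x5FF6, 0x00)
    except ValueError:
        return "mapping refused"
    return "mapped"


def checked_rom_is_read_only(nsf: bytes = SAMPLE_NSF):
    """A legitimate mapping at $8000 is accepted, but writes into it are refused."""
    mem = NsfPlayerMemory(nsf, checked=True)
    mem.write(0x5FF8, 0x00)   # 0x5FF8 selects the $8000 window
    try:
        mem.write(0x8010, 0x41)
    except PermissionError:
        return mem.read(0x8010) == 0x10   # ROM byte 16 is untouched
    return False


if __name__ == "__main__":
    print("unchecked:", replay_unchecked())
    print("checked:", replay_checked(), "| ROM read-only:", checked_rom_is_read_only())
```

The two checks in `_switch_bank` and the write refusal are the whole fix at the modelling level: the first restores the size check the real decoder lacked, the second keeps ROM out of the writable region, and the third stops a file's 6502 code from turning a mapping into a heap write even if a mapping slipped through.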

PoisonTap

  • An updated version of an exploit we covered previously
  • Plugging a PoisonTap device into most computers allows the attacker to siphon cookies, expose the internal router and install a web backdoor on locked computers
  • “When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it”:
    • emulates an Ethernet device over USB (or Thunderbolt)
    • hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
    • siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
    • exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
    • installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
    • allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
    • does not require the machine to be unlocked
    • backdoors and remote access persist even after device is removed and attacker sashays away
  • “PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.”
  • “PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.”
  • How the Web-Based backdoor works:
  • “While PoisonTap was producing thousands of iframes, forcing the browser to load each one, these iframes are not just blank pages at all, but rather HTML+Javascript backdoors that are cached indefinitely”
  • “Because PoisonTap force-caches these backdoors on each domain, the backdoor is tied to that domain, enabling the attacker to use the domain’s cookies and launch same-origin requests in the future, even if the user is currently not logged in”
  • “For example, when the https://nfl.com/PoisonTap iframe is loaded, PoisonTap accepts the diverted Internet traffic, responds to the HTTP request via the Node web server”
  • “Additional HTTP headers are added to cache the page indefinitely”
  • “The actual response of the page is a combination of HTML and Javascript that produces a persistent WebSocket out to the attacker’s web server (over the Internet, not on the PoisonTap device)”
  • “The WebSocket remains open allowing the attacker to, at any point in the future, connect back to the backdoored machine and perform requests across any origin that has the backdoor implemented (the Alexa top 1,000,000 sites – see below)”
  • “If the backdoor is opened on one site (e.g., nfl.com), but the user wishes to attack a different domain (e.g., pinterest.com), the attacker can load an iframe on nfl.com to the pinterest.com backdoor (https://pinterest.com/PoisonTap)”
  • “Again, any “X-Frame-Options”, Cross-Origin Resource Sharing, and Same-Origin Policy security on the domain is entirely bypassed as the request will hit the cache that PoisonTap left rather than the true domain”
  • Securing Against PoisonTap:
  • “Server-Side Security: If you are running a web server, securing against PoisonTap is simple:”
    • Use HTTPS exclusively, at the very least for authentication and authenticated content
    • Ensure the Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
    • When loading remote Javascript resources, use the Subresource Integrity script tag attribute
    • Use HSTS to prevent HTTPS downgrade attacks
  • Desktop Security:
    • Adding cement to your USB and Thunderbolt ports can be effective
    • Closing your browser every time you walk away from your machine can work, but is entirely impractical
    • Disabling USB/Thunderbolt ports is also effective, though also impractical
    • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up
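As an added illustration of the three server-side points (Secure cookies, Subresource Integrity, HSTS), here is example code written for these notes; it is not PoisonTap code and not from any project the notes describe. It audits a constructed HTTP response for cookies that lack the Secure flag and for a missing or short Strict-Transport-Security header, and computes the Subresource Integrity value a script tag would carry. The header and cookie values are constructed samples, and the one-year HSTS floor is a common recommendation rather than a number from the notes.

```python
"""Audit an HTTP response for the server-side weaknesses PoisonTap relies on.

Constructed example, not PoisonTap code. It checks a response for:
  * Set-Cookie values lacking the Secure flag (they would be sent over plain HTTP,
    which is exactly where a rogue USB network device sees them),
  * a missing or short Strict-Transport-Security header (no HSTS, so a plain-HTTP
    request to the host is still possible),
and computes a Subresource Integrity value so a <script> tag can pin the exact
bytes it expects instead of trusting whatever sits in the HTTP cache.
"""
import base64
import hashlib
from typing import Dict, List

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, a common recommendation


def cookie_findings(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per cookie that is missing Secure or HttpOnly."""
    findings = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure; it will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly; readable by injected script")
    return findings


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Flag a missing or weak Strict-Transport-Security header (keys lowercased)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header; plain-HTTP requests to this host are possible"]
    max_age = 0
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass
    if max_age < ONE_YEAR:
        return [f"HSTS max-age={max_age} is short; use at least one year"]
    return []


def audit_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Combine the checks; header names are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return cookie_findings(set_cookies) + hsts_findings(lowered)


def sri_attribute(script_body: bytes) -> str:
    """Compute the integrity= value for a script body (sha384, base64)."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_response(hdrs, cookies) or "no findings")
    # Constructed script body; in practice hash the exact file you serve.
    print('<script src="app.js" integrity="%s" crossorigin="anonymous"></script>'
          % sri_attribute(b"console.log('hello');\n"))
```

Run as-is, the weak response yields three findings and the hardened one yields none. The printed integrity attribute goes on the tag that loads the script; a browser then refuses any copy of that file, cached or otherwise, whose bytes do not match the hash.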

The post Root in 70 Seconds | TechSNAP 293 first appeared on Jupiter Broadcasting.

Ai Theater | CR 211 https://original.jupiterbroadcasting.net/100716/ai-theater-cr-211/ Mon, 27 Jun 2016 15:11:28 +0000 https://original.jupiterbroadcasting.net/?p=100716 What is Machine Learning? How are companies & developers using it? We discuss that, the major approaches in the market & Apple’s use of Differential Privacy. Plus Mike’s new Linux desktop, some feedback & a lot more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | Video | […]


What is Machine Learning? How are companies & developers using it? We discuss that, the major approaches in the market & Apple’s use of Differential Privacy.

Plus Mike’s new Linux desktop, some feedback & a lot more!


— Show Notes: —

Hoopla

Docker Engine 1.12 Comes with Built-in Orchestration Capabilities

The app boom is not over

Deep Learning

Differential Privacy

LockedIn | TTT 248 https://original.jupiterbroadcasting.net/100456/lockedin-ttt-248/ Mon, 13 Jun 2016 17:00:54 +0000 https://original.jupiterbroadcasting.net/?p=100456 Microsoft to acquire LinkedIn & we bet we know why! Apple has a big day & we cover some of the highlights. The best TV set top box in our estimation, some Plex love & a Kickstarter of the week for the connected family. Direct Download: MP3 Audio | OGG Audio | Video | HD […]


Microsoft to acquire LinkedIn & we bet we know why! Apple has a big day & we cover some of the highlights. The best TV set top box in our estimation, some Plex love & a Kickstarter of the week for the connected family.


Show Notes:

Links

Kickstarter of the Week: Octopus, the first icon-based watch & scheduler for kids! by Joy — Kickstarter

Allan’s Favorite Things | TechSNAP 246 https://original.jupiterbroadcasting.net/91911/allans-favorite-things-techsnap-246/ Thu, 24 Dec 2015 09:40:04 +0000 https://original.jupiterbroadcasting.net/?p=91911 It’s a collection of Allan’s favorite moments from TechSNAP past. Plus the week’s new stories in the roundup & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed […]


It’s a collection of Allan’s favorite moments from TechSNAP past.

Plus the week’s new stories in the roundup & much more!


— Show Notes: —

Episode 24: Ultimate RAID

  • Before he became a ZFS addict, Allan explains all of the various RAID levels and what you would use them for
  • If you are not using ZFS, you probably want to watch this
  • This episode also contains the details of the BEAST attack on SSL, back in the beginning of what would turn out to be an unending onslaught on SSL and its implementations (OpenSSL and friends)

Episode 34: Allan’s ZFS Server Build

  • Allan shows off his first ZFS server build
  • 16 TB SAS array (12 TB usable), separate 2×2 TB SATA mirrored UFS for the OS, because he didn’t trust root-on-ZFS yet
  • Paid for a RAID controller, which didn’t work well (was replaced with the onboard LSI HBA built into the motherboard)
  • Had a bunch of problems, with both Newegg, Adaptec, shipping, and configuration
  • If only I had known about iXsystems back then

Episode 78: Wire-Shark

  • With Chip-and-Pin finally arriving in the US, let us remember back to TechSNAP from September of 2012, when researchers at the University of Cambridge Computer Lab found a way to defraud the system
  • While the system itself is fairly secure, it relies on correct implementation, and many ATMs and PoS devices do not implement it correctly
  • In this case a nonce (supposed to be a unique, unpredictable value) was just a counter or timestamp

Episode 128: Gentlemen, Start Your NGINX

  • Krebs covers crooks registering for your Social Security account, so they could redirect the direct deposits to their own account

Episode 100: 100% Uptime

  • Special in its own right, as our 100th episode
  • bit9 story
  • It was also the first time we mentioned Krebs (whom I kept calling Kerbs for the first few weeks, until I was corrected enough times). At first I wasn’t even sure I liked Krebs; now I am quite the fan.

Episode 236: National Security Breaking Agency

  • Keylogging before computers
  • Great story from the Cold War

Toll Free Exploitation | TTT 226 https://original.jupiterbroadcasting.net/91411/toll-free-exploitation-ttt-226/ Fri, 11 Dec 2015 12:21:22 +0000 https://original.jupiterbroadcasting.net/?p=91411 The open web is being locked down by the very companies that try to slice it up and sell it to you byte by byte. We discuss the major moves big telcos are taking to entrench the incumbents online. Microsoft drops some more open source code & Tokyo’s rolling out the “drone squad”. Plus a […]


The open web is being locked down by the very companies that try to slice it up and sell it to you byte by byte. We discuss the major moves big telcos are taking to entrench the incumbents online.

Microsoft drops some more open source code & Tokyo’s rolling out the “drone squad”. Plus a very risqué Kickstarter of the week!


Show Notes:

— Episode Links —

Kickstarter of the week: Penis candles for the world by Amanda Murphy —Kickstarter

Open Production | LINUX Unplugged 115 https://original.jupiterbroadcasting.net/89426/open-production-lup-115/ Tue, 20 Oct 2015 18:29:12 +0000 https://original.jupiterbroadcasting.net/?p=89426 OpenStreetMap might just be one of the most important open source projects in the world. We look at some of the amazing tools built around this open & free infrastructure. Then our tips for producing great content & podcasts under Linux, plus a live unboxing & demo of the new Steam Controller. Thanks to: Get […]


OpenStreetMap might just be one of the most important open source projects in the world. We look at some of the amazing tools built around this open & free infrastructure. Then our tips for producing great content & podcasts under Linux, plus a live unboxing & demo of the new Steam Controller.


Show Notes:

Pre-Show:

The Warty Warthog, better known to most as Ubuntu 4.10, was a rough and ready stab at bringing Linux to the masses.

Mark described his new Linux distribution as one bringing together: “…the extraordinary breadth of Debian with a fast and easy install, regular releases (every six months), a tight selection of excellent packages installed by default and a commitment to security updates with 18 months of security and technical support for every release.”

Feedback:

The reason I’m doing the IndieGoGo is I have stage 4 esophageal cancer. Haven’t worked since January of 2014 and may not go back to work for a long time. I am on social security disability and have a very limited budget.


Help with the Kubuntu Podcast

Hello,

I’m one of the hosts of the Kubuntu Podcast, and a big fan of your shows.

Currently we publish our shows only on Youtube (https://www.youtube.com/channel/UC-ChyPPcJSMUw2au2UyIKwQ) and Google+ (https://plus.google.com/u/0/112102796730023795852), and sometimes as audio using Google Drive.

Since we’re big fans of Jupiter Broadcasting, we look to you guys as mentors on how to organize our podcast. However, there are many things that we don’t know or are unsure how to do better.

Currently we use Google Hangouts to record our Podcast, and we’re looking into OBS.

Could you give us some feedback and tell us how you organize your podcast? Maybe have a video call and discuss this in more detail.

Thank you.


Why OpenStreetMap is the Most Important thing in Geo

The OpenStreetMap community is maturing and the industry surrounding it is expanding. We have only seen the tip of the proverbial iceberg when it comes to the potential of OpenStreetMap and what it can do. I look forward to being a part of what’s next.

Wheelmap.org is an online map to search, find and mark wheelchair-accessible places. Get involved by marking public places like bars, restaurants, cinemas or supermarkets!

MAPS.ME – Offline OpenStreetMap maps for iOS/Android/Mac/Linux/Windows

Inspired by OSMTracker for Windows Mobile, allows you to track your journeys, mark waypoints with tags, voice record, and photos.

GPS traces can then be exported in GPX format for later use with OpenStreetMap tools like JOSM, or uploaded directly to OpenStreetMap.

Tracks can be displayed over an OpenStreetMap background or with no background if you don’t have a data plan.

MAPS.ME is beautifully designed, and the maps do load very quickly. It would be a good resource to have in your pocket.

We’re excited to announce Mapzen Search, our new search engine for places that takes our philosophy of open communities creating data and code to its heart. Mapzen Search will launch in the next week, and in the meantime, we wanted to share some background on why the time is right for a new, open search engine for places.


Gamepad – ArchWiki

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Key Flaw With GPL | TechSNAP 234 https://original.jupiterbroadcasting.net/88501/key-flaw-with-gpl-techsnap-234/ Thu, 01 Oct 2015 09:31:07 +0000 https://original.jupiterbroadcasting.net/?p=88501 D-Link publishes its private code signing keys, exploiting Windows Symbolic Links & why encryption is not sufficient protection. Plus some great questions, our answers, a rockin roundup & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | […]


D-Link publishes its private code signing keys, exploiting Windows Symbolic Links & why encryption is not sufficient protection.

Plus some great questions, our answers, a rockin roundup & much, much more!


— Show Notes: —

D-Link accidentally publishes its private code signing keys

  • As part of its GPL license compliance, D-Link makes its firmware source code available for many of its devices
  • “He had purchased the DCS-5020L-surveillance camera from D-Link and wanted to download the firmware. D-Link firmware source code of many open source under a GPL license available.”
  • “When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link”
  • “In fact, in some batch files were the commands and pass phrases that were needed.”
  • The certificates have already been revoked
  • Fox-IT confirms: “The code signing certificate is indeed in the firmware packages, firmware version 1.00b03 released February 27 of this year, was released this certificate was therefore issued for expired, a big mistake.”
  • We’ll have to cover this in more detail once more information is available, in English

“Investigating the Computer Security Practices and Needs of Journalists”

  • A survey found that 50% of journalists do not use any security tools
  • Those that do, may not realize that the tools they are using are ineffective, or that the way they are using them hurts their security
  • “Observation: The computer security community builds a lot of tools that might be useful for journalists, but we don’t deeply understand the journalistic process!”
  • “I report on unauthorized immigrants a great deal and have concerns about how to communicate with them without putting them at risk. That said, asking them to use encrypted methods of communication I think would create a greater sense of threat about talking to me and make it more difficult to report. Many are also not extremely computer-savvy. This is something I struggle with a great deal”
  • “Objective: Conduct in-depth interviews with full-time journalists at recognized media organizations operating across a range of media, including print, digital, broadcast and wire services”
  • Figure out the typical workflow for a journalist, model security tools that work with them, instead of forcing them to a workflow dictated by the tools
  • Findings:
    • “Audio recording and digital note-taking were primary forms of interview documentation.”
    • “Many participants use third-party cloud services, but few voiced concern about possible security risks”
    • Long-term sources are common
    • Sources like Snowden, a big one-time data dump, are rare
  • Security Concerns:
    • Negative effects on source
    • Loss of credibility if source information was exposed
    • Government identification of sources
    • Disciplinary actions (e.g., losing job)
    • Loss of competitive advantage
    • Potential financial consequences
  • The project found that in most cases of a journalist using security tools, it was because the source requested it, or because the journalist had had specific security training
  • “A lot of services out there say they’re secure, but having to know which ones are actually audited and approved by security professionals — it takes a lot of work to find that out.”
  • “There were different kinds of litigation software that I was familiar with as a lawyer, where, let’s say, you have a massive case, where you have a document dump that has 15,000 documents. […] There are programs that help you consolidate and put them into a secure database. So it’s searchable [and provides a secure place where you can see everything related to a story at once]. I don’t know of anything like that for journalism.”
  • It will be interesting to see what comes out of this research

Exploiting Windows Symbolic Links

  • “For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context.”
  • “Symbolic links in themselves are not vulnerabilities, instead they’re useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use.”
  • A time-of-check time-of-use vulnerability works like this:
    • You set up a symlink to a file you are allowed to access
    • You try to access a resource through it
    • The software checks that you are allowed to access the resource, and you are
    • You quickly re-target the symlink to something else
    • You try to access the resource again, and the software allows you, since it has already checked that you are allowed
    • You now have access to a resource you should not have
  • “This blog post contains details of a few changes Microsoft has made to Windows 10, and now back ported (in MS15-090) as far back as Windows Vista which changes who can use certain types of symbolic links. There’s not been many mitigations of this type which get back ported to so many older versions of Windows. Therefore I feel this is a good example of a vendor developing mitigations in response to increased attacks using certain techniques which wouldn’t have traditionally been considered before for mitigations.”
  • Almost everything in the Windows file system is a symbolic link. Even C: is actually a symbolic link to \Device\HarddiskVolume4 (since NT 3.1)
  • Microsoft has released three new mitigations:
  • “Registry Key Symbolic Link Mitigation (CVE-2015-2429) — The simplest mitigation implementation is for registry keys. Effectively a sandboxed process is not allowed to ever create a registry key symbolic link. This is implemented by calling RtlIsSandboxToken function when creating a new key (you need to specify a special flag when creating a key symbolic link). It’s also called when setting the SymbolicLinkValue value which contains the link target. This second check is necessary to prevent modifying existing symbolic links, although it would be unlikely to be something found on a real system.”
  • “Object Manager Symbolic Link Mitigation (CVE-2015-2428) — If an application tries to create an object manager symbolic link from a sandbox process it will still seem to work, however if you look at where the check is called you’ll find it doing something interesting. When the symbolic link is created the RtlIsSandboxToken function is called but the kernel doesn’t immediately return an error. Instead it uses it to set a flag inside the symbolic link kernel object which indicates to the object manager a sandboxed process has created this link. This flag is then used in the ObpParseSymbolicLink function which is called when the object manager is resolving the target of a symbolic link. The RtlIsSandboxToken is called again, if the current caller is not in a sandbox but the creator was in a sandbox then the kernel will return an error and not resolve the symbolic link, effectively making the link useless for a sandboxed to unsandboxed elevation.”
  • “NTFS Mount Point Mitigation (CVE-2015-2430) — The final mitigation is for NTFS mount points. In early technical previews of Windows 10 (I first spotted the change in 10130) the check was in the NTFS driver itself and explicitly blocked the creation of mount points from a sandboxed process. Again for presumably application compatibility reasons this restriction has been relaxed in the final release and the back ported mitigations. Instead of completely blocking creation the kernel function IopXxxControlFile has been modified so whenever it sees the FSCTL_SET_REPARSE_POINT file system control code being passed to a driver with a mount point reparse tag it tries to verify if the sandboxed caller has write access to the target directory. If access is not granted, or the directory doesn’t exist then setting the mount point fails. This ensures that in the majority of situations the sandboxed application couldn’t elevate privileges, as it could already write to the directory already. There’s obviously a theoretical issue in that the target could later be deleted and replaced by something important for a higher privileged process but that’s not very likely to occur in a practical, reliable exploit.”
  • “These targeted mitigations give a clear indication that bug hunting and disclosing the details of how to exploit certain types of vulnerabilities can lead into mitigation development, even if they’re not traditional memory corruption bugs. While I didn’t have a hand in the actual development of the mitigation, it’s likely my research was partially responsible for Microsoft acting to develop them. It’s very interesting that 3 different approaches ended up being taken, reflecting the potential application compatibility issues which might arise.”
  • “Excluding any bypasses which might come to light these should make entire classes of resource planting bugs unexploitable from a compromised sandboxed process and would make things like time-of-check time-of-use harder to exploit. Also it shows the level of effort that implementing mitigations without breaking backwards compatibility requires. The fact that these only target sandboxes and not system level escalation is particularly telling in this regard.”
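The six-step check-then-use race described earlier in this section, as an added example that is not from the quoted blog post or from Microsoft: a Python script that reproduces the vulnerable pattern with POSIX file calls (os.lstat on a path, then a second open of the same path) beside the hardened form (os.open with O_NOFOLLOW, then os.fstat on the descriptor actually held). The `between_check_and_use` hook, the temporary files and their contents are constructed so the swap lands deterministically inside the window; on a real system an attacker would instead be racing a more privileged process. The Windows kernel checks quoted above work differently; this example shows only the generic defence of validating the object you opened rather than the name you looked up.

```python
"""Check-then-use on a path versus check-on-the-opened-handle.

Constructed example: it transposes the symlink race described in the notes to
POSIX file APIs. The vulnerable function checks a *path* and then opens the same
path again, so a symlink swapped in between the two lookups is followed. The
hardened function opens first (refusing to follow a link at all), then checks
the descriptor it actually holds, so a later swap of the directory entry
changes nothing.
"""
import os
import stat
import tempfile


def _no_op():
    """Default race-window hook: do nothing."""


def read_if_regular_unsafe(path, between_check_and_use=_no_op):
    """Vulnerable: check the path, then open the path (two separate lookups)."""
    st = os.lstat(path)                   # check: the name must be a regular file
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing non-regular file")
    between_check_and_use()               # hook standing in for the race window
    with open(path, "rb") as f:           # use: a second lookup that follows links
        return f.read()


def read_if_regular_safe(path, between_check_and_use=_no_op):
    """Hardened: open without following links, then check the open descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    try:
        between_check_and_use()           # retargeting the name now changes nothing
        st = os.fstat(fd)                 # check the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing non-regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both variants against a constructed swap; return what each read."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # what the caller must not reach
        target = os.path.join(d, "target.txt")   # what the caller is allowed to read
        with open(secret, "wb") as f:
            f.write(b"sensitive data")

        def reset_target():
            with open(target, "wb") as f:
                f.write(b"public data")

        def retarget():
            # Atomically replace the checked name with a symlink to the secret.
            link = os.path.join(d, "link.tmp")
            os.symlink(secret, link)
            os.replace(link, target)

        results = {}
        reset_target()
        results["unsafe"] = read_if_regular_unsafe(target, retarget)
        os.remove(target)                 # drop the symlink before recreating the file
        reset_target()
        results["safe"] = read_if_regular_safe(target, retarget)
        try:
            read_if_regular_safe(target)  # the name is a symlink by now
            results["safe_on_link"] = "opened"
        except OSError:
            results["safe_on_link"] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe variant passes its check on the regular file and then reads the secret through the swapped-in link; the safe variant reads the public file it already has open, and refuses outright when handed a link. The same principle carries to other resources: authorise the handle, descriptor or object you hold, not the name that led you to it.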

Encryption as Protection? Maybe Not

  • We often see as part of the coverage of a data breach how the data was not “encrypted”
  • As it turns out, having data encrypted on the disk doesn’t necessarily help if the data is still “live” on the system
  • If your laptop hard drive is encrypted, but you leave it unlocked at the coffee shop and visit the restroom, anyone can access the files on your computer. Having them encrypted did nothing for you
  • The way hard drive encryption works, it only protects you if you lock or shutdown the computer, and require a strong passphrase to decrypt the disk to mount it again
  • The same applies to a file server or database at a company. Encryption is only useful if access to the data is still strictly controlled
  • “A recent espionage prosecution in West Palm Beach, Florida demonstrates that encryption may not be the panacea that organizations think it is. So rather than relying on encryption alone, companies need to adopt and maintain strategies that continue to provide layered security.”
  • “After every data breach, we hear the same mantra, “If only the data were encrypted!” As if encryption of data is the answer to data breaches.”
  • The case in this article centers on Christopher Glenn, a 35-year-old former defense contractor living in his mother’s retirement community
  • He worked for the US Government in Honduras
  • “He was convicted of stealing and retaining classified documents he obtained which related to U.S. policy in the Middle East”
  • “In preparation for his theft, Glenn, a “computer specialist” with a U.S. defense contractor, read up on data security in general and encryption in particular. He apparently read articles about TrueCrypt, a popular freeware encryption product used for On-The-Fly Encryption (OTFE), noting in particular an October 2011 article entitled, “FBI Hackers Fail to Crack TrueCrypt”. Glenn figured that he could create an encrypted partition (called 2012 Middle East) on his drive. He created a 30-character passphrase, thinking that the data would be secured. Indeed, he estimated that it would take the FBI “billions of years” to crack the crypto through brute force.”
  • “He was wrong. And he was sentenced to 10 years in jail.”
  • “According to case reports, the FBI’s counter-intelligence agents were able to decrypt the encrypted files on Glenn’s computer, which became evidence in his case. Given that this is 2015, they did so in substantially less than the “billions of years” that Glenn anticipated.”
  • There is no information on how exactly the FBI decrypted the data, but it was likely an attack against the passphrase, or the machine Glenn had used to encrypt the data
  • “Companies need to evaluate not only WHETHER they encrypt data, but when and how they encrypt data. For example, RAM scrapers capture credit card numbers and other personal information, which is encrypted, before the data is encrypted.”
  • “All of this must be part of a comprehensive data security program which includes access control, data management, ingress and egress reporting, data loss prevention processes, intrusion detection and prevention, managed and monitored firewalls and other services, threat intelligence, and comprehensive incident response. There are no shortcuts here. Oh yes, and encryption, the right encryption.”
  • Encryption of “data at rest” in servers

No Crying In Coding | WTR 39 https://original.jupiterbroadcasting.net/87421/no-crying-in-coding-wtr-39/ Wed, 09 Sep 2015 03:40:09 +0000 https://original.jupiterbroadcasting.net/?p=87421 Carolyn went from working in data science to mobile developer at Lookout Mobile. She discusses writing “magic hands” to automate her old job & what it’s like to self teach. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | […]


Carolyn went from working in data science to mobile developer at Lookout Mobile. She discusses writing “magic hands” to automate her old job & what it’s like to self teach.


Show Notes:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So, Angela, today we talk to Carolyn and she is a recent mobile developer at Lookout. She comes from a data scientist background and we have some really interesting chat about her transition and just all the things that she’s gotten into; what’s been hard, what’s been awesome, and it’s a really good time.
ANGELA: Yeah. And before we get into the interview I just want to mention that you can support Women’s Tech Radio by going to Patreon.com/today. It is a subscription based support of our network. It supports all the shows, but specifically this show, Women’s Tech Radio. So go to Patreon.com/today.
PAIGE: And we got started by asking Carolyn what she’s up to in technology these days.
CAROLYN: Yeah, so I have sort of an interesting story of, or at least I think it’s interesting, of how I got into tech. I was a business major, not sure what I wanted to do with my life. Ended up in operations at a big company, but I always really, really loved data and I just loved spreadsheets and I met someone that let me, sort of taught me SQL and taught me how to be faster with what I was doing with SQL and I found out I really loved SQL. So I sort of just started building from there. I ended up at Lookout which is a mobile security anti malware company and just sort of opened my eyes to a lot of technology. I started as a data analyst. Started managing the data warehouse and then earlier this year just moved over to Android development. So I’m learning a lot. So I’m new to engineering, but I have been speaking engineer, that’s what I say, for a very long time. So right now I’m working on a side project which we’ll be releasing at the end of this year and currently learning RxJava, which is pretty new. It’s really cool, but there’s definitely not really a lot out there about it. So I spend my days currently just really doing a lot of learning.
PAIGE: All right. So I will admit, I am not familiar with RxJava. How is it different than normal Java?
CAROLYN: It deals with like streaming data and so it’s really good for when you’re trying to chain things together without, you know, the data might not be available yet.
PAIGE: Oh, okay. So it’s Java non-blocking?
CAROLYN: Yeah.
PAIGE: Cool. You can probably continue explaining that for the audience.
ANGELA: And me.
PAIGE: Oh yeah.
CAROLYN: Well I’m still wrapping, I was just, like, so I, earlier this year did an online Android boot camp while I was still doing my data job and managing the data team and just sort of doing 20 things at once. And now, once I started to feel like I really got a foothold in Java, we decided to use RxJava and now I’m relearning a lot of things. So it’s still, I’m still feeling like I’m in a foreign country where I don’t speak the language. So I’m definitely, it’s made me actually have this huge respect for Netflix, because they are the ones that wrote the Android library for it and they’re just doing so much cool stuff over there. And they have a lot of good tutorials about it. So I definitely recommend, there’s a podcast about it and the head at Netflix is talking about RxJava. It’s really interesting. So I can add that to the show links for you guys too.
PAIGE: Netflix is really interesting because they, essentially their stack, they’re really stack agnostic where they look at their teams and they say do what you need to do to get your job done. And find the best way to do it. So I know that they have angular, amber, you know, they have imbedded team. The have the RxJava team and they all just kind of talk together because they really piece these pieces out. It’s really fascinating how they’re kind of making that work with being probably one of the biggest data companies in the world right now.
CAROLYN: Yeah. Well they’re definitely finding, you know, if there’s not a tool out there that meets their needs, they’ll build it. I have a friend who’s a doctor and I was explaining this concept to her and she was like this is so weird. She was like, why would they build it and open source it? You know. For me, personally, one of the things I actually stumbled upon in the tech community, which I didn’t really realize, is just the amount of support that people are willing, and companies are willing to give each other. I mean, there’s obviously companies that are competing and hate each other, but at the same time, I’m sure if you got their engineers together they would talk shop and share things they’re doing and it’s really cool. When I decided to be an engineer, late last year, I had so many people that were giving me free materials and helping me and the tech community, like every night of the week you can go to a meetup and have dinner and meet people and have people help you. Which was sort of a happy accident to find out about the tech community in general.
PAIGE: Yeah. I totally love that. And I love that it comes out of some of our roots of open source and being able to reach out and touch each other’s projects and just help out. I was listening to a podcast recently, ironically, and they were talking about how they’d open sourced their website, kind of. It’s a paid service. The guy was like, I’m shocked because every week we get somebody who just pops in and was like hey I forked your website and made this change, because I found this problem and here it is back. And this guy that fixes things is a paid customer of theirs, but he’s still jumping in to fix things for the company. It’s just like-
CAROLYN: Yeah.
PAIGE: Really awesome.
CAROLYN: Yeah. Actually, the boot camp that I did, um, is Code Path, which is a link in the show notes. And what they do is they go out to companies and do consulting and then they also have a boot camp if you are an engineer that you can, if you’re already two or three years in you can go. So I wasn’t like a candidate to be part of their boot camp. And even part of the consulting, my company said they’d pay for it, but they said you really need to learn Java before you do this boot camp. So they gave me all the materials for free. And they just said I could learn it on my own, which was pretty awesome. And had calls with me and sort of got me started on my path, just totally pro bono, which is really awesome.
ANGELA: That is really awesome.
CAROLYN: Yeah.
PAIGE: Very cool. Okay. So as a developer, I have to ask, how is it that it was SQL that grabbed your attention, because most developers I know just absolutely hate working in SQL, like we will avoid it like the plague. I actually kind of got my start in SQL as well, so I do like it, but most people I talk to they’re like I love all this web stuff, please don’t make me write SQL.
CAROLYN: Yeah, so what’s funny is the engineers on my team, when I see the SQL queries they are writing I’m like, I’m so happy because that’s a place I can teach them and be like whoa this is not good. So what happened was, I was working for Williams Sonoma, which is, they also own Pottery Barn and they run it as this big monolithic company where they don’t really care if people are efficient and they would be perfectly happy with people just entering data all day instead of making efficient processes or systems. It was my first job out of college so I didn’t really know that life didn’t really have to be like that. So I was spending a lot of time manually going in and doing things and I just so happened to meet someone in my company named Mark Grassgob [ph] who really opened the door for me. He’s like just learn SQL and you can do this job that took you all day, you can do it in like 20 minutes. So it was more just a fact of me being like this is pretty powerful. These people are really living in the dark ages. So we literally wrote a script that would do our jobs for you. We called it magic hands. And then we’d go to coffee and no one that I worked for really — they just wanted us to get the work done. They didn’t know that we could eliminate everyone’s jobs and we’re like — we called it magic hands. It was so funny. We’d unleash magic hands on three computers and then realize oh the system couldn’t take that much input so we’d bring it down to two. And then it would enter in a price of a million dollars for a couch instead of $1,000 or something and so we’d get a call from like, you know, tech team in India overnight when some process blew up, so we definitely had to fine tune magic hands. Then I moved over to the technical team after that, because they sort of saw she can actually be on this team and do this without having really a background.
And then once I moved into data, it’s like SQL is king no matter what anyone says about big data and all these big data tools. It really, the backbone of everything is really SQL. So learning how to do efficient queries will make your job so much happier. If you write SQL wrong you’re going to give people wrong answers. So on the data side, you know, SQL just, to me, just made so much sense. But I guess it was sort of the first real programming I ever got my hands on. I love it.
PAIGE: I actually have had a couple friends recently who have asked me, because I kind of learned SQL the hard way by just throwing my head against Access, which is probably the worst interface ever.
CAROLYN: Yeah.
PAIGE: But do you have any good recommendations for books or online resources for SQL, because it’s kind of like this weird black hole where I can learn almost everything else online and I can’t seem to find anything good for SQL.
CAROLYN: The thing about SQL is that you will not be good at it. You will not really get your hands around it until you actually use it. So it’s one of those things where you need access to a dataset and you need questions to answer and then you’ll get it. So there are resources out there. I actually, when I was hiring data analyst as a manager I just created my own dataset and posted it for people and then had them answer some questions to show me they knew SQL or not. It’s really a learning by doing kind of thing. Which I guess most things are. But if you don’t have an interesting dataset to work with and you’re not trying to solve interesting problems, you’re just never going to pick it up. But I haven’t really found, there are available datasets out there and as bad as Access is and it gives you the graphical interface, don’t use that, you need to actually physically write it out. If you use Access, if you get access to a dataset dump it into Access and then use the, just handwriting the SQL, you know, you’ll get it.
PAIGE: Yeah, totally.
ANGELA: So in the form that you filled out before the show you said that you’re still trying to figure out why you never thought to be an engineer before.
CAROLYN: Yeah.
ANGELA: I think there’s a lot of people that don’t know that the way their personality and skills would make them perfect for a position. What would you recommend people do to figure out what best to be or do or try?
CAROLYN: I’ve been thinking about this a lot, actually. When I was younger, I grew up in San Diego and it was very much a beach culture, like very dude broey. It wasn’t cool to be smart when I was a kid. That’s how I felt. I was networking the internet in my parents’ house, like running the wireless, created their wireless, and I was one of the first people on Napster stealing music and creating CDs. I had this little computer in my room and my friends would come over and they’d be in their bikinis like beep, beep, let’s go to the beach. Did you make us CDs? I’m just like, you know, like stealing music off the internet. But to me, it was like, I mean this is like 1998 so I was really probably one of 10,000 people doing this.
PAIGE: We might have shared that stolen music together.
ANGELA: Yeah, I was just going to say, yeah 1998, that was golden year too for Napster and WinAmp.
CAROLYN: Yeah, totally.
PAIGE: It really kicks the llama’s ass.
ANGELA: Yeah.
CAROLYN: But for some reason it never crossed my mind that I was really good at this. I was way more interested in it than any of my friends. But instead I just was like, I’m just going to go to the beach and we’re going to try to get beer and do all these things. And I’m trying to figure out why it never crossed my mind to do that. But I also think it was a different time and technology wasn’t, people weren’t talking about technology. People weren’t interested in talking about apps. You know, like 1 in 20 people had a cell phone back then.
ANGELA: Right.
CAROLYN: So I think maybe it was just kind of like that time. When I went to college I was a business major and I thought I would just do business. I wasn’t really sure what I wanted to do. I think I had all the tools and I knew that I loved computers and I loved building things, but I never really had someone set me down. I never really had that career thought. I just sort of followed the path that I thought was laid out. And it really wasn’t until like mid last year that I thought I could really be an engineer and do it. It was really — what sort of tipped me was all these boot camps coming out and people just going and doing it. I had this deep — this thought of what would I do if I could do anything and I wasn’t scared to do it? To me, engineering was it. Lookout was incredibly supportive and let me move teams, which was really great and sort of a rare find in a company that would support someone to do this. So I got really lucky. But, you know, I think now with Women Who Code and a lot of organizations asking these questions of why women aren’t engineers, I think it’s because no one ever asked me and I never asked myself. And now that it’s sort of becoming the norm, you know, I’m hoping that more women will sort of naturally follow the path to be an engineer, because I think if there would have been more of that growing up that I probably would have found that path earlier.
PAIGE: That’s actually a part of why we started the podcast is because, you know, you say oh it was a different time then. And it was actually my conversation with a 16 year old that spawned me to start this, because I had this conversation and the 16 year old is good at math, enjoyed science, liked tech stuff, you know, didn’t do the assembling computers thing because nobody really does that anymore. But I was like, well have you considered being a programmer? And she was like, no that’s for boys, right? And I was like, whoa.
ANGELA: Yeah.
PAIGE: And this was last year.
CAROLYN: Yeah.
PAIGE: But I do think it’s changing. I think organizations like Women Who Code, Girl Develop It, ChickTech, all these different things are kind of getting in there and saying hey guys, or hey ladies you can do this too. And there’s no reason, like — like I like to say, girls type just as well as boys.
ANGELA: So I haven’t been to a boot camp, but it seems like that might be, aside from trying to join Women Who Code or another place like that that would support you, but the boot camp might help you. Is it like a conference where you can go and listen or watch different parts of development?
CAROLYN: I did a lot of research on boot camps at the end of last year and there’s some good and — there’s a lot of good, but there’s also a lot of bad. You can’t expect to just go somewhere for three months and then come out and be a fully fledged engineer and be ready to work, you know. So this boot camp is just a once a week for two hours for eight weeks kind of thing. Or I think it’s twice a week for two hours for eight weeks. But they are teaching mobile development to people who are already engineers. They just gave me — they record their lectures and they have all their assignments online and they just gave me access to their materials so I could write — I could work on apps on my own. I’d say it definitely took me a lot longer to get through it and I ended up just doing the parts of the boot camp that really applied to what I’d be working on at Lookout so I could just get up to speed faster, but, you know, their boot camp, there would be like a week of work would take me three weeks or something just to get done. Definitely was like, it took me a while to get through it. But it really is, I couldn’t say enough good things about Code Path. They do some really cool stuff. And they’re really smart guys. Actually, all men, but they do have a lot of women that go to their boot camps, so.
PAIGE: There’s definitely a really wide range of what we’re calling a boot camp right now. We have Codepath which is this kind of part-time thing. And there will be other online part-time things. And then there’s even in-person part-time things where you can go in the evenings and it’s a full five days a week. The boot camp that I worked out of is full five days a week. It’s a 16 week program if you do it at night or a 12 week program if you do it in the day. And it is full stack development. You go from the front end all the way through the back end. And I think that’s probably the most common is that it’s essentially two to three months. Some of them go out as far as six months of get in there, get your hands in code, have a portfolio at the end kind of a thing. But I agree with you, Carolyn, that you can’t go into a boot camp expecting to come out the other end like a full fledged developer unless you work your butt off. And there are companies hiring beginners. I think that the market is getting a little bit saturated, because there are so many boot camps.
CAROLYN: Yeah.
PAIGE: I’m in Portland, it’s a fairly small city, and I think right now we have five boot camps.
ANGELA: Wow.
PAIGE: And one of them is turning out two classes of 60 people each every 10 weeks.
ANGELA: Wow.
PAIGE: So it’s getting a bit saturated, but the market is still there.
CAROLYN: Yeah, and so I have friends in San Francisco that are recruiters and when I was switching over they were like whoa, whoa, whoa, don’t do boot camp. Don’t do it. We can’t hire people out of boot camps. There’s like 1 out of 20 that are hireable, you know. And so I was like, okay. And I had some talks with them and they were like, you have to — if you’re going to do a boot camp you also have to have another strategy of how you’re still going to become an engineer, you know. You do the boot camp but where are you going to — who is going to take you on as a junior developer? You need to have all those things sort of lined up.
ANGELA: Right.
CAROLYN: Or else you’re just going to do the boot camp and then go do something else.
PAIGE: Yeah. And I think that there are some things coming into the market that are trying to fill that. There’s a couple places like Thoughtbot has apprenticeship programs. A couple of the other bigger dev shops have that where you can kind of transition from beginner into intermediate. And then there’s some online stuff like Thinkful or Upcase where you can kind of build those skills after boot camp. And, of course, I’m always a fan; I think the biggest thing in our industry and most industries is mentorship. Like finding a mentor. Finding those people and going out and shaking hands.
ANGELA: Which you’d likely find at Women Who Code or Meetups or-
PAIGE: Totally.
ANGELA: The social aspect of it.
PAIGE: Meatspace as we like to call it.
CAROLYN: Yeah.
PAIGE: For nerd speak.
ANGELA: Whenever I hear meetspace I picture M-E-A-T.
PAIGE: That’s what it means.
ANGELA: Oh. Not M-E-E-T?
PAIGE: No. It’s M-E-A-T.
ANGELA: Oh.
PAIGE: Meatspace.
ANGELA: Why?
PAIGE: Because we’re nerds and it’s not digital, so it’s fleshy, so it’s meat.
ANGELA: Oh my gosh. Okay. Interesting. Okay.
PAIGE: Sorry.
ANGELA: Wow, that’s a great, I’m glad, okay. Continue with the interview.
PAIGE: Yeah. So you talked a little bit. You’ve moved over to the Android team. What’s fun and what’s hard about Android? I haven’t really dug in on Android development. I’ve done some iOS.
CAROLYN: What’s really fun about Android is, you know, day one you can open up your Android Studio and download the SDK and create a page. It has like a button, you know, and you can click the button and it can like play a song. You can do that in two days. You can publish it to the app store. You could put it on your phone. There’s definitely this — you can hit an API and pull data back. You know, you could do that in a couple days, learn all that from scratch. So there’s a very easy sort of, like, you know, there’s a link on Learning to Code in the notes where it’s a graph of — at first you, like, peak. It’s like a honeymoon at first. And everything seems really easy, but as you sort of start to unfold things, Android is really complicated and there’s 9,000 versions of Android that people are running out there and different sized devices and tablets and people are going to be using your app only on Wifi, and there’s so many things to think about. As you want to do more, you get royally confused very quickly. So it’s cool to just sort of get up and running and get started, but there’s a lot to learn. There’s things you have to think about like battery usage and memory and all these things that you don’t really deal with if you’re a web developer. So it’s definitely a lot to get started. I work on a team where there’s a lot of senior engineers and a lot of people that really know what’s going on, so it’s like, it’s fun but it’s also — you know, you take some hits to your ego a little bit, because I feel like I used to know everything about the data warehouse and stepping into something where you don’t know what’s going on and you really have to feel your way through it, it can be a shot to your ego and how you feel about yourself. I always say, like, sometimes I feel like Tom Hanks, like when I get code reviews, like in a League of Their Own where he’s like, “There’s no crying in baseball.”
PAIGE: Uh-huh.
CAROLYN: Like, I literally have to tell myself, there’s no crying in coding when I get a lot of comments on a code review or I just totally, like — it’s a lot of falling down. A lot.
PAIGE: I’m so glad I’m not the only person that says, there’s no crying in coding.
CAROLYN: Yes, I say that to myself all the time.
PAIGE: Me too.
CAROLYN: It makes me feel better, because at least I’m out there. I’m out there and I’m like, they’re always like, oh no you’re doing really, really good, you just have this — where you just want — I want to be — I don’t want to say, I want to be perfect, but I want to be contributing and I don’t — I want to be getting things done and moving forward and writing really good code and you’re not going to do that when you move into engineering for like a year or two, you know. So just setting those expectations. You just have to lower your expectations for yourself a little bit.
PAIGE: Yeah. I think — this is a talk that I have with a lot of — I meet a lot of junior developers through Women Who Code and explaining to them, like listen I’ve been doing coding for a lot of years as a professional now, and there’s rarely a week that goes by where I don’t go, wow I feel like I know nothing.
CAROLYN: Yeah.
PAIGE: I’m totally Jon Snow. It’s not fun.
CAROLYN: But then when I share that feeling with other developers they’re like, welcome to being an engineer.
PAIGE: Yep, exactly.
CAROLYN: That’s what everyone says to me. They’re like oh you were frustrated all day and the last 10 minutes of your day everything made sense and you got it to run, like that’s your life.
PAIGE: Uh-huh.
CAROLYN: And I kind of love that. Like, personally. I actually really love that. I love working all day on a problem. To me, the day goes by in 30 minutes to me, even if I want to cry sometimes. It’s fun and I feel like I’m using more of my brain than I ever did before.
PAIGE: Yeah, it’s like 30 minutes of success after an entire day of the crying game.
CAROLYN: Yeah.
PAIGE: It’s totally, it’s where you’re at. And I think that knowing that going in, I like to say that programmers need to be eternally optimistic because it will work this time, I swear.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember you can find a full transcription of this show over in the show notes at JupiterBroadcasting.com. You can also subscribe to the RSS feeds.
PAIGE: And while you’re there you could also reach out to us on the contact form. Let us know what you think about the show or any guests you might like to hear. Don’t forget, we’re also on iTunes and if you have a moment leave a review so we know how we’re doing and how we can improve the show. If you’d like to reach out to Angela and me directly, you can use WTR@JupiterBroadcasting.com for an email or check us out on Twitter, @HeyWTR. Thanks for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post No Crying In Coding | WTR 39 first appeared on Jupiter Broadcasting.

Trojan Family Ties | TechSNAP 230 https://original.jupiterbroadcasting.net/87251/trojan-family-ties-techsnap-230/ Thu, 03 Sep 2015 06:36:10 +0000 https://original.jupiterbroadcasting.net/?p=87251 Rooting your Android device might be more dangerous than you realize, why the insurance industry will take over InfoSec & the NSA prepares for Quantum encryption. Plus some great questions, a fantastic roundup & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG […]

The post Trojan Family Ties | TechSNAP 230 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Taking Root – Malware on Mobile Devices

  • Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
  • Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
  • Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.
  • They analyzed the statistics collected from May to August 2015 and identified “Trojan families” that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.
  • A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.
  • After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications.

  • There are popular “families” of Android malware.

  • Leech Family

  • This malware family is the most advanced of those described.
  • Some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google.
  • The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.

  • Ztorg family

  • On the whole, Trojans belonging to this family have the same functionality as those previously described.
  • The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis.
  • The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched.
  • Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.

  • It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks.
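The persistence step described above, a rooted dropper writing a standalone APK into /system/app, leaves a trace that is cheap to look for during triage: a package on the system partition that the firmware image never shipped. The script below is an added example, not code from the article or from any vendor; it parses a `pm list packages -f` dump (the sample dump, the firmware baseline and every package name in it are constructed) and reports system-partition packages that the baseline does not list.

```python
"""
Triage check for the /system/app persistence technique described above.
A captured `pm list packages -f` listing is compared against a firmware
baseline so that unexpected system-partition packages stand out.
Added example; the sample dump, baseline and package names are constructed.
"""
import re
from collections import namedtuple

Package = namedtuple("Package", "name path partition")

# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

# Directories that only the firmware image, or a process holding root, can write to.
SYSTEM_DIRS = ("/system/app/", "/system/priv-app/", "/vendor/app/")


def parse_package_list(text):
    """Parse a `pm list packages -f` dump into Package records."""
    packages = []
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # blank lines and anything that is not a package line
        path = match.group("path")
        partition = "system" if path.startswith(SYSTEM_DIRS) else "data"
        packages.append(Package(match.group("name"), path, partition))
    return packages


def unexpected_system_packages(packages, baseline):
    """Return system-partition packages that the firmware baseline does not list."""
    return [p for p in packages if p.partition == "system" and p.name not in baseline]


# Constructed firmware baseline: what the OEM image is known to ship in /system.
FIRMWARE_BASELINE = {
    "com.android.bluetooth",
    "com.android.settings",
    "com.android.systemui",
}

# Constructed device dump: three legitimate system apps, one user-installed app
# under /data, and one package that appeared in /system/app after rooting.
SAMPLE_DUMP = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/svcmgr/svcmgr.apk=com.example.svcmgr
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
"""


def triage(dump=SAMPLE_DUMP, baseline=FIRMWARE_BASELINE):
    """Return the names of system-partition packages missing from the baseline."""
    found = unexpected_system_packages(parse_package_list(dump), baseline)
    return [p.name for p in found]


if __name__ == "__main__":
    for name in triage():
        print("unexpected system package:", name)
```

The baseline has to come from a clean copy of the same firmware build; a package list taken from the device under investigation is not a baseline, because the dropper's standalone copy would already be in it.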


Will the insurance industry take over InfoSec?

  • “Insurance is a maturity indicator“
  • When insurance comes, full scale, to the InfoSec industry, maybe that means we have finally gotten to the point where we understand the risks enough to start putting money on it
  • While I can definitely see the argument that insurance companies are in a position to force their clients into certain minimum security practices, either to qualify for insurance, or for a reduced rate
  • At the same time, I foresee a bunch of useless certifications, extra bureaucracy, and more things like PCI-DSS audits that miss the point entirely
  • “People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected. If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.”
  • The article points out the three basic requirements for insurance companies to be interested:
  • Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
  • Adequate money in the form of a population able to pay premiums.
  • Sufficient actuarial data on which to base the pricing and payout models.
  • I don’t know that that last measure can be met yet. Unlike with car insurance, it is much harder to predict what a company’s chances of getting breached are.
  • Considering factors like how high profile they are (fancier cars get stolen more), what infrastructure they use (newer cars are safer), or how often they patch (this can be hard to measure and, like how often you service your car, it might not be a useful predictor) doesn’t really give you enough information in order to price the insurance
  • In the end, pretty much every company has a 100% chance of being breached; it comes down to how quickly it will be detected, and how much damage will be done
  • At this point, I don’t think the insurance industry is qualified, and we’ll either see them making so many payouts that they are losing money, or writing loopholes into insurance with vague sentiments like “industry standard security practices”, to weasel out of paying up
  • Predictions from the article:
  • Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
    • As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
    • In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
    • Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
    • For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
  • “When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.”
  • “Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.”
  • Insurance won’t fix everything (or anything?)
  • “We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.”

The NSA books crypto recommendations

  • The NSA, in its role as the organization that sets cryptography standards used by the entire government, has updated its recommendations on what algorithms and key sizes to use
  • Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS).
  • A look at the site from a few months ago highlights some of the differences
    • AES-128 was dropped. Formerly used for ‘SECRET’, with AES-256 for ‘TOP SECRET’; AES-256 is now recommended for both
    • ECDH and ECDSA P-256 were also dropped for ‘less’ secret information in favour of P-384
    • SHA256 was also dropped. Surprisingly, SHA-384 remained the recommendation over SHA-512
    • Additionally, new requirements that were not specified before were added
    • Diffie-Hellman Key Exchange requires at least 3072-bit keys
    • RSA for Key Establishment and Digital Signatures also now requires 3072 bit keys
  • IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms.
  • We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.
  • Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms.
  • With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.
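As an added example (not code from the show notes or from the NSA page), the Python script below turns the list above into a check you can run over a server's enabled cipher suites and key sizes. It assumes IANA-style suite names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as input; the security-strength figures are the ones in the NIST SP 800-57 Part 1 tables, and the sample suites and key sizes at the bottom are constructed.

```python
import re
from typing import List, Tuple

# Added example, not from the show notes or the NSA page: audit TLS cipher
# suites and key sizes against the updated recommendations listed above.
# Thresholds follow that list; the security-strength table is the one in
# NIST SP 800-57 Part 1.

MIN_SYMMETRIC_BITS = 256   # AES-256 for SECRET and TOP SECRET alike (AES-128 dropped)
MIN_HASH_BITS = 384        # SHA-384 (SHA-256 dropped)
MIN_EC_BITS = 384          # P-384 (P-256 dropped)
MIN_MODULUS_BITS = 3072    # RSA and finite-field Diffie-Hellman


def security_bits(alg: str, size: int) -> int:
    """Approximate security strength (bits) per NIST SP 800-57 Part 1.

    alg: 'RSA'/'DH' (modulus bits), 'EC' (curve order bits), 'AES' (key bits),
    'SHA' (digest bits; collision resistance is half the digest length).
    """
    if alg in ("RSA", "DH"):
        table = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))
    elif alg == "EC":
        table = ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80))
    elif alg == "AES":
        return size
    elif alg == "SHA":
        return size // 2
    else:
        raise ValueError(f"unknown algorithm {alg!r}")
    for threshold, bits in table:
        if size >= threshold:
            return bits
    return 0


# IANA-style suite names, TLS 1.2 ("..._WITH_AES_128_GCM_SHA256") and
# TLS 1.3 ("TLS_AES_256_GCM_SHA384"). A bare trailing "_SHA" means SHA-1.
SUITE_RE = re.compile(
    r"^TLS_(?:.*_WITH_)?"
    r"(?:AES_(?P<klen>\d+)_(?:GCM|CBC|CCM(?:_8)?)|(?P<chacha>CHACHA20_POLY1305))"
    r"(?:_SHA(?P<hlen>\d*))?$"
)


def audit_suite(name: str) -> List[str]:
    """Findings for one cipher-suite name; an empty list means it passes."""
    m = SUITE_RE.match(name)
    if not m:
        return [f"{name}: not AES/ChaCha20 (legacy cipher such as 3DES or RC4), drop it"]
    findings = []
    klen = 256 if m.group("chacha") else int(m.group("klen"))  # ChaCha20 keys are 256-bit
    if klen < MIN_SYMMETRIC_BITS:
        findings.append(f"{name}: {klen}-bit cipher key, want >= {MIN_SYMMETRIC_BITS}")
    hlen = m.group("hlen")
    if hlen is not None:                      # CCM suites carry no hash suffix
        digest = int(hlen) if hlen else 160   # "" means SHA-1
        if digest < MIN_HASH_BITS:
            label = f"SHA-{hlen}" if hlen else "SHA-1"
            findings.append(f"{name}: {label}, want >= SHA-{MIN_HASH_BITS}")
    return findings


def audit_key(alg: str, size: int) -> List[str]:
    """Findings for an RSA/DH modulus size or an EC curve size."""
    minimum = MIN_EC_BITS if alg == "EC" else MIN_MODULUS_BITS
    if size >= minimum:
        return []
    return [f"{alg}-{size} (~{security_bits(alg, size)}-bit security): "
            f"want >= {alg}-{minimum} (~{security_bits(alg, minimum)}-bit)"]


def audit(suites: List[str], keys: List[Tuple[str, int]]) -> List[str]:
    """Run both checks and return every finding."""
    findings = []
    for suite in suites:
        findings += audit_suite(suite)
    for alg, size in keys:
        findings += audit_key(alg, size)
    return findings


# Constructed inputs, standing in for the output of a server scan or
# `openssl ciphers` plus the certificate and DH-group sizes in use.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
SAMPLE_KEYS = [("RSA", 2048), ("EC", 256), ("EC", 384), ("DH", 3072)]

if __name__ == "__main__":
    for line in audit(SAMPLE_SUITES, SAMPLE_KEYS):
        print(line)
```

One thing the table makes visible: RSA and Diffie-Hellman at 3072 bits land at roughly 128 bits of security, while P-384 and AES-256 sit at 192 and 256, so the asymmetric modulus is the weakest link in the updated set. The 2048-bit RSA that the NSA says large unclassified PKIs may stay on for now is the 112-bit row of the same table.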

Feedback


Round Up:


The post Trojan Family Ties | TechSNAP 230 first appeared on Jupiter Broadcasting.

Get Tracked with Windows 10 | TTT 198 https://original.jupiterbroadcasting.net/85697/get-tracked-with-windows-10-ttt-198/ Wed, 29 Jul 2015 10:19:01 +0000 https://original.jupiterbroadcasting.net/?p=85697

The post Get Tracked with Windows 10 | TTT 198 first appeared on Jupiter Broadcasting.

Windows 10 is released to the public, but the devil is in the details. Microsoft’s new small print – how your personal data is (ab)used, we share the details.

Plus how the mainstream is reacting to the new release, the sliding market share of the iPad & the teleportation breakthrough scientists are reporting.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Homeland Insecurity | TechSNAP 220 https://original.jupiterbroadcasting.net/84302/homeland-insecurity-techsnap-220/ Thu, 25 Jun 2015 17:45:34 +0000 https://original.jupiterbroadcasting.net/?p=84302

The post Homeland Insecurity | TechSNAP 220 first appeared on Jupiter Broadcasting.

Google’s datacenter secrets are finally being revealed & we’ll share the best bits. Why The US Government is in no position to teach anyone about Cyber Security, how you can still get hacked offline, A batch of great questions, a huge round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon

— Show Notes: —

After years of wondering, we can finally find out about Google’s Data Center Secrets

  • “Google has long been a pioneer in distributed computing and data processing, from Google File System to MapReduce to Bigtable and to Borg. From the beginning, we’ve known that great computing infrastructure like this requires great datacenter networking technology.”
  • “For the past decade, we have been building our own network hardware and software to connect all of the servers in our datacenters together, powering our distributed computing and storage systems. Now, we have opened up this powerful and transformative infrastructure for use by external developers through Google Cloud Platform.”
  • ““We could not buy, for any price, a data-center network that would meet the requirements of our distributed systems,” Vahdat said. Managing 1,000 individual network boxes made Google’s operations more complex, and replacing a whole data center’s network was too disruptive. So the company started building its own networks using generic hardware, centrally controlled by software. It used a so-called Clos topology, a mesh architecture with multiple paths between devices, and equipment built with merchant silicon, the kinds of chips that generic white-box vendors use. The software stack that controls it is Google’s own but works through the open-source OpenFlow protocol.“
  • “At the 2015 Open Network Summit, we are revealing for the first time the details of five generations of our in-house network technology.”
  • “Our current generation — Jupiter fabrics — can deliver more than 1 Petabit/sec of total bisection bandwidth. To put this in perspective, such capacity would be enough for 100,000 servers to exchange information at 10Gb/s each, enough to read the entire scanned contents of the Library of Congress in less than 1/10th of a second.”
  • “We use a centralized software control stack to manage thousands of switches within the data center, making them effectively act as one large fabric, arranged in a Clos topology
  • “We build our own software and hardware using silicon from vendors, relying less on standard Internet protocols and more on custom protocols tailored to the data center”
  • “Putting all of this together, our datacenter networks deliver unprecedented speed at the scale of entire buildings. They are built for modularity, constantly upgraded to meet the insatiable bandwidth demands of the latest generation of our servers. They are managed for availability, meeting the uptime requirements of some of the most demanding Internet services and customers. Most importantly, our datacenter networks are shared infrastructure. This means that the same networks that power all of Google’s internal infrastructure and services also power Google Cloud Platform. We are most excited about opening this capability up to developers across the world so that the next great Internet service or platform can leverage world-class network infrastructure without having to invent it.”
  • ““The amount of bandwidth that we have to deliver to our servers is outpacing even Moore’s Law,” Vahdat said. Over the past six years, it’s grown by a factor of 50. In addition to keeping up with computing power, the networks will need ever higher performance to take advantage of fast storage technologies using flash and non-volatile memory, he said.”
  • “For full details you’ll have to wait for a paper we’ll publish at SIGCOMM 2015 in August”
  • Official Google Cloud Platform Blog Post

The US Government is in no position to teach anyone about Cyber Security

  • “Why should anyone trust what the US government says on cybersecurity when they can’t secure the systems they have full control over?”
  • “IRS employees can use ‘password’ as a password? No wonder they get hacked”
  • As I have long said, you have to assume the worst until you can prove otherwise: “The effects of the massive hack of the Office of Personnel Management (OPM) continue to ripple through Washington DC, as it seems every day we get more information about how the theft of millions of government workers’ most private information is somehow worse than it seemed the day before. (New rule: if you read about a hack of a government or corporate database that sounds pretty bad, you can guarantee it will be followed shortly thereafter by another story detailing how the same hack was actually much, much “worse than previously admitted.”)”
  • “It’d be one thing if this incompetence was exclusively an OPM problem, but despite the government trying to scare private citizens with warnings of a “cyber-Armageddon” or “cyber-Pearl Harbor” for years, they failed to take even the most basic steps to prevent massive data loss on their own systems. As OTI’s Robyn Greene writes, 80-90% of cyber-attacks could be prevented or mitigated with basic steps like “encrypting data, updating software and setting strong passwords.””
  • Of course, using Multi-Factor Authentication would help a lot too
  • “The agency that has been singled out for some of the worst criticism in recent years is the Department of Homeland Security, the agency that is supposedly in charge of securing all other government systems. The New York Times reported this weekend that the IRS’s systems still allow users to set their passwords to “password,” along with other hilariously terrible mistakes. “
  • “Instead of addressing their own problems and writing a bill that would force the government to upgrade all its legacy systems, implement stronger encryption across federal agencies and implement basic cybersecurity best practices immediately, members of both parties have been pushing dangerous “info-sharing” legislation that will end with much more of citizens’ private data in the hands of the government. And the FBI wants tech companies to install “backdoors” that would give the government access to all encrypted communications – thereby leaving everyone more vulnerable to hackers, not less. Two “solutions” that won’t fix any of the glaring problems staring them in the face, and which may make things a lot worse for ordinary people.”
  • There are plenty of examples of large networks that are fairly well secured, so it isn’t impossible to secure a large network. However, the number of insecure government and corporate networks suggests that more needs to be done.
  • The solution isn’t something sold by a vendor, it is the same stuff security experts have been preaching for decades:
    • Need to know — Only those who actually need data should have access to it. Let’s not just store everything on a giant shared network drive with everyone having read/write access to it
    • Patching — Software has flaws. These flaws get fixed and then become public (sometimes the other way around: the dreaded zero-day flaw). If you do not patch your software quickly, you increase the chance of the flaw being used against you
    • Strong Authentication — Password complexity requirements can be annoying, because they are often too vague. Requiring a number, a lower-case letter, an upper-case letter and a symbol isn’t necessarily as secure as a longer passphrase. Worse, many systems do not store passwords securely (unsalted, or with a fast hash), so a breach of the password database exposes them
    • Multi-Factor Authentication — Requiring more than one factor, so that if an attacker does shoulder surf, key log, phish, or otherwise obtain someone’s password, they still cannot access the secure data
    • Encryption — This one is hard, as many solutions turn out not to be good enough. “The hard drive on my laptop is encrypted” is fine, except that it does nothing if the attacker gets access while your machine is powered on and logged in. Sensitive data should be taken offline when it is not in use, rather than sitting readily accessible in its decrypted form
    • Logging — Knowing who accessed what, and when, is useful after the fact. Having a system that looks for anomalies in this data can help you detect a breach sooner, and maybe stop it before the baddies make off with your data
    • Auditing — A security appliance like the FUDO only allows access to secure systems when that access is recorded. This way the actions of all contractors and administrators are recorded on video, and there is no way to reach the protected systems except through the FUDO.
  • As we discussed before in TechSNAP 214, there are other techniques that can be used to help safeguard systems, including whitelisting software, and only allowing approved applications on sensitive systems. The key is deciding which protections to use where, while generating the least amount of ‘user resistance’
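An added example, not part of the show notes, illustrating the Strong Authentication point above: it estimates how much a complexity rule really buys compared with a random passphrase, accepts passwords on length and a blocklist rather than character classes, and stores them with a salted scrypt hash instead of a bare fast hash. The wordlist size, the blocklist, the 15-character minimum and the scrypt parameters are assumptions for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import List

# Added example, not from the show notes: password strength estimates and
# salted, memory-hard password storage. Wordlist size, blocklist, minimum
# length and scrypt parameters are assumptions chosen for illustration.

WORDLIST_SIZE = 7776          # a diceware-style list has 6^5 words
MIN_LENGTH = 15               # assumed policy: length, not character classes
BLOCKLIST = {"password", "p@ssw0rd1!", "welcome1", "summer2015"}  # constructed stand-in for a breach list
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB per guess; tune for your hardware


def charset_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly
    from the union of the character classes the password happens to use.
    Real passwords built to satisfy complexity rules fall well below this."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33                            # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Exact entropy of n words chosen uniformly at random from a wordlist."""
    return n_words * math.log2(wordlist_size)


def check_password(password: str) -> List[str]:
    """Reasons a password is rejected; an empty list means accept.
    No composition rules: a long all-lowercase passphrase passes."""
    reasons = []
    if password.lower() in BLOCKLIST:
        reasons.append("appears in breach/blocklist")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def hash_password(password: str, salt: bytes = None) -> dict:
    """Salted scrypt hash; the salt and KDF parameters are stored alongside
    the digest so they can be raised later without breaking verification."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest, **SCRYPT_PARAMS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=record["dklen"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    complex_pw = "P@ssw0rd1!"                 # satisfies every class rule, on every cracking list
    phrase = "correct horse battery staple"   # four random words, no digits, no symbols
    print(f"{complex_pw}: <= {charset_entropy_bits(complex_pw):.1f} bits, rejected: {check_password(complex_pw)}")
    print(f"4-word passphrase: {passphrase_entropy_bits(4):.1f} bits, rejected: {check_password(phrase)}")
    print(f"6-word passphrase: {passphrase_entropy_bits(6):.1f} bits")
    record = hash_password(phrase)
    print("verify ok:", verify_password(phrase, record), "wrong:", verify_password(phrase + "!", record))
```

The charset figure is only a ceiling; the passphrase figure is the real entropy when the words are picked at random, which is why a six-word phrase beats a ten-character "complex" password even on the generous estimate. Argon2id would be the preferred KDF today, but it is not in the standard library, so scrypt is used here.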
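An added example, again not from the show notes, for the Logging point above: a small anomaly check over access-log lines that flags a user who reads far more records in a day than their own baseline, and any reads that fall in an off-hours window. The log format, user names, record IDs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Tuple

# Added example, not from the show notes: look for anomalies in an access
# log. The line format, users, record IDs and thresholds are assumptions.

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, user, action, record)


def parse_log(lines: Iterable[str]) -> List[Event]:
    """Parse log lines; malformed lines are skipped here (in production, count them)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("user"), m.group("action"), m.group("record")))
    return events


def daily_read_counts(events: List[Event]) -> Dict[str, Dict]:
    """user -> day -> number of records read that day."""
    counts: Dict[str, Dict] = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in events:
        if action == "read":
            counts[user][ts.date()] += 1
    return counts


def volume_anomalies(counts: Dict[str, Dict], factor: int = 5, floor: int = 20) -> List[Tuple]:
    """Days where a user read more than `factor` times their median on other
    days, and more than `floor`, so a quiet account's first busy day does not fire.
    Returns (user, day, count, baseline)."""
    findings = []
    for user, per_day in counts.items():
        for day, n in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if n > max(floor, factor * baseline):
                findings.append((user, day, n, baseline))
    return findings


def offhours_anomalies(events: List[Event], start_hour: int = 0, end_hour: int = 5) -> List[Tuple]:
    """Per (user, day) count of reads inside the off-hours window."""
    counts: Dict[Tuple, int] = defaultdict(int)
    for ts, user, action, _ in events:
        if action == "read" and start_hour <= ts.hour < end_hour:
            counts[(user, ts.date())] += 1
    return [(user, day, n) for (user, day), n in sorted(counts.items())]


def constructed_log() -> List[str]:
    """Constructed data: five quiet days for two users, then one user bulk-reads
    400 records at 02:xx on day six while the other stays normal."""
    lines = []
    for day in range(1, 6):
        for i in range(8):
            lines.append(f"2015-06-{day:02d}T09:{i:02d}:00Z user=jdoe action=read record=SF86-{day:02d}{i:03d}")
        for i in range(10):
            lines.append(f"2015-06-{day:02d}T10:{i:02d}:00Z user=asmith action=read record=SF86-{day:02d}{i:03d}")
    for i in range(400):
        lines.append(f"2015-06-06T02:{i % 60:02d}:{i // 60:02d}Z user=jdoe action=read record=SF86-06{i:03d}")
    for i in range(10):
        lines.append(f"2015-06-06T10:{i:02d}:00Z user=asmith action=read record=SF86-06{i:03d}")
    lines.append("this line is malformed and should be skipped")
    return lines


if __name__ == "__main__":
    evts = parse_log(constructed_log())
    for user, day, n, baseline in volume_anomalies(daily_read_counts(evts)):
        print(f"VOLUME  {user} {day}: {n} reads vs median {baseline} on other days")
    for user, day, n in offhours_anomalies(evts):
        print(f"OFFHOURS {user} {day}: {n} reads between 00:00 and 05:00")
```

Both signals fire on the same user and day, which is the point: a per-user baseline catches the bulk pull even when the absolute number would look ordinary for a busier account, and the off-hours count is a cheap second opinion that needs no history at all.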

Google Project Zero researcher discloses 15 new vulnerabilities


Feedback:


Round Up:


Privileged Programmers | CR 158 https://original.jupiterbroadcasting.net/83707/privileged-programmers-cr-158/ Mon, 15 Jun 2015 14:24:57 +0000 https://original.jupiterbroadcasting.net/?p=83707

The post Privileged Programmers | CR 158 first appeared on Jupiter Broadcasting.

Mike and Chris share their totally different perspective on the recent Yelp developer’s public exodus & discuss the big new industry trend developers need to take advantage of.

Then after 158 episodes, Mike’s mission in life is realized during our feedback segment.

Thanks to: Linux Academy, DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon

Show Notes:

Hoopla

Feedback

Inspired – Not Directed By | Unfilter 142 https://original.jupiterbroadcasting.net/81637/inspired-not-directed-by-unfilter-142/ Wed, 06 May 2015 20:45:34 +0000 https://original.jupiterbroadcasting.net/?p=81637

The post Inspired - Not Directed By | Unfilter 142 first appeared on Jupiter Broadcasting.

Home grown terrorists strike in Texas, and “ISIS” is claiming responsibility. We break this story down and poke at the obvious & rather subtle flaws.

Plus a Stingray breakthrough, the NSA’s Big Data problem, a look at the unlikeliest for 2016 & much more!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon

Show Notes:

News:

NSA is so overwhelmed with data, it’s no longer effective, says whistleblower | ZDNet

William Binney

A former National Security Agency official turned whistleblower has spent almost a decade and a half in civilian life. And he says he’s still “pissed” by what he’s seen leak in the past two years.

In a lunch meeting hosted by Contrast Security founder Jeff Williams on Wednesday, William Binney, a former NSA official who spent more than three decades at the agency, said the US government’s mass surveillance programs have become so engorged with data that they are no longer effective, losing vital intelligence in the fray.

That, he said, can — and has — led to terrorist attacks succeeding.

ISIS claim responsibility for shooting at Texas Muhammad cartoon contest | Fox News

The claim was made in an audio message on the group’s Al Bayan radio station, based in the Syria city of Raqqa, which ISIS has proclaimed to be the capital of its self-proclaimed caliphate. It is the first time ISIS has taken credit for an attack on U.S. soil, though it was not immediately clear whether the group’s claim was an opportunistic co-opting of a so-called “lone wolf” attack as its own.

How Western media would cover Baltimore if it happened elsewhere

If what is happening in Baltimore happened in a foreign country, here is how Western media would cover it:

International leaders expressed concern over the rising tide of racism and state violence in America, especially concerning the treatment of ethnic minorities in the country and the corruption in state security forces around the country when handling cases of police brutality. The latest crisis is taking place in Baltimore, Maryland, a once-bustling city on the country’s Eastern Seaboard, where an unarmed man named Freddie Gray died from a severed spine while in police custody.

Black Americans, a minority ethnic group, are killed by state security forces at a rate higher than the white majority population. Young, black American males are 21 times more likely to be shot by police than white American males.

The United Kingdom expressed concern over the troubling turn of events in America in the last several months. The country’s foreign ministry released a statement: “We call on the American regime to rein in the state security agents who have been brutalizing members of America’s ethnic minority groups. The equal application of the rule of law, as well as the respect for human rights of all citizens, black or white, is essential for a healthy democracy.” Britain has always maintained a keen interest in America, a former colony.

Google “Watch” Me | Tech Talk Today 157 https://original.jupiterbroadcasting.net/80397/google-watch-me-tech-talk-today-157/ Tue, 14 Apr 2015 10:30:50 +0000 https://original.jupiterbroadcasting.net/?p=80397

The post Google "Watch" Me | Tech Talk Today 157 first appeared on Jupiter Broadcasting.

Google Wireless rumors are getting hot, with interesting details leaking out. Apple Watch outsells Android Wear in a day & the long-term reason Android Wear might be the better bet.

Plus some good Bitcoin news & much more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Google’s wireless service could charge you for only the exact amount of data you use

According to details uncovered by Android Police thanks to a leaked app that will be used to support the service, Google’s wireless network — referred to as Nova in many previous rumors, but also now known as Project Fi — could charge you only for the exact amount of data you use. That is to say, there won’t be any unlimited data (as much as we would all hope from an internet-strong company like Google), but instead a “pay-as-you-go” approach.

Apple Watch sales beat Android Wear yearly shipments in a day

In 2014, all manufacturers using Google’s smartwatch operating system — including Motorola, LG, and Samsung — sold 720,000 units.

In contrast, Apple sold an estimated 957,000 Apple Watches on the first day the devices were available for preorder.

Apple bans selfie sticks, monopods from WWDC 2015

In an update to the rules for Worldwide Developers Conference, Apple is banning 2015 attendees from using selfie sticks or any other kind of photo monopod within the bounds of either Moscone West or Yerba Buena Gardens.

New Bitcoin Foundation Director Bruce Fenton Pledges Fiscal Reform

Elected by a 5-to-1 vote, Fenton succeeds interim executive director Patrick Murck and outgoing executive director Jon Matonis, the latter of whom resigned on 30th October amid financial turmoil and ahead of staff cuts at the industry’s top trade organization.

In interview, Fenton stressed that his greatest asset to the Bitcoin Foundation would be his ability to serve as a “bridge” between the organisation’s individual and corporate members. He cited his full-time position as CEO of Atlantic Financial and involvement in bitcoin as a technology enthusiast as factors.

For art’s sake! Photoing neighbors with zoom lens not a privacy invasion | Ars Technica

The appeals court called it a “technological home invasion” but said the defendant used the pictures for art’s sake. Because of that, the First Department of the New York Appellate Division ruled Thursday in favor of artist Arne Svenson, who snapped the pics from his lower Manhattan residence as part of an art exhibit called “The Neighbors.” The ruling says:

Hillary’s Hard Drive : techtalktoday
