DNSSEC – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 21 Nov 2019 09:50:22 +0000

Cracking Rainbows | BSD Now 325
https://original.jupiterbroadcasting.net/137192/cracking-rainbows-bsd-now-325/
Thu, 21 Nov 2019 04:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/325

The post Cracking Rainbows | BSD Now 325 first appeared on Jupiter Broadcasting.

The Future is Open | LINUX Unplugged 309
https://original.jupiterbroadcasting.net/132656/the-future-is-open-linux-unplugged-309/
Tue, 09 Jul 2019 19:37:09 +0000

Show Notes: linuxunplugged.com/309

The post The Future is Open | LINUX Unplugged 309 first appeared on Jupiter Broadcasting.

Raspberry Pi Does What? | LINUX Unplugged 121
https://original.jupiterbroadcasting.net/90956/raspberry-pi-does-what-lup-121/
Tue, 01 Dec 2015 19:49:43 +0000

The post Raspberry Pi Does What? | LINUX Unplugged 121 first appeared on Jupiter Broadcasting.


A new trick up Fedora’s sleeve might be worth trying on your own Linux install, the new mini-pc revolution is here & the Raspberry Pi Zero brings it for $5. Adobe announces the death of Flash… Kind of. But we’ll share how to finish the job & truly banish flash from your Linux rig.

Plus open source gaming just got an upgrade, GIMP has some fancy & more!

Thanks to: Ting, DigitalOcean, Linux Academy


Show Notes:

Pre-Show:

Follow Up / Catch Up

Warsow 2.0 Released With Better Graphics, CC-Licensed Game Assets

Warsow 2.0 adds a tutorial level to help new gamers, many graphical effects were revamped, weapon parameters were tweaked, new HUDs, and many other changes.

The Warsow 2.0 renderer is reported to be 30~50% faster for overall performance, reduced vRAM footprint for textures, KTX texture format support, support for the GLSL binary cache, multi-threading to speed-up map loading, and many other interesting changes.

GIMP 2.9.2 Released

With 2.9.2, you can already benefit from certain aspects of the new engine, such as:

  • 16/32bit per color channel processing
  • Basic OpenEXR support
  • On-canvas preview for many filters
  • Experimental hardware-accelerated rendering and processing via OpenCL
  • Higher-quality downscaling

Additionally, native support for PNG, TIFF, PSD, and FITS files in GIMP has been upgraded to read and write 16/32bit per color channel data.


F24 System Wide Change: Default Local DNS Resolver – devel-announce – Fedora List Archives

The plain DNS protocol is insecure and therefore vulnerable to various attacks (e.g. cache poisoning). A client can never be sure that there is no man-in-the-middle if it does not do the DNSSEC validation locally.

We want to have the Unbound server installed and running on localhost by default on Fedora systems.


The Mini PC Roundup

Raspberry Pi Zero: the $5 computer – Raspberry Pi

Today, I’m pleased to be able to announce the immediate availability of Raspberry Pi Zero, made in Wales and priced at just $5. Zero is a full-fledged member of the Raspberry Pi family, featuring:

  • A Broadcom BCM2835 application processor
    • 1GHz ARM11 core (40% faster than Raspberry Pi 1)
  • 512MB of LPDDR2 SDRAM
  • A micro-SD card slot
  • A mini-HDMI socket for 1080p60 video output
  • Micro-USB sockets for data and power
  • An unpopulated 40-pin GPIO header
    • Identical pinout to Model A+/B+/2B
  • An unpopulated composite video header
  • Our smallest ever form factor, at 65mm x 30mm x 5mm

Raspberry Pi Zero runs Raspbian and all your favourite applications, including Scratch, Minecraft and Sonic Pi. It is available today in the UK from our friends at The Pi Hut and Pimoroni, and in the US from Adafruit.

Kodi on the $5 Raspberry Pi Zero

Omega – Onion

Omega is an invention platform for the Internet of Things. It comes WiFi-enabled and supports most of the popular languages such as Python and Node.JS. Omega makes hardware prototyping as easy as creating and installing software apps.

Dimensions: 28mm x 42mm
OS: OpenWRT Linux
Processor: 400MHz
RAM: 64MB DDR2
Flash: 16MB
Wireless: 802.11 b/g/n
Ports: 18 GPIO
Language: Python, Node.JS, PHP, Ruby, Lua and more…

Wireless Raspberry Pi speaker | Linux User & Developer – the Linux and FOSS mag for a GNU generation

AirPlay uses Apple technology that was reverse-engineered in 2011, which means that third-party devices can now participate in the fun. AirPlay allows any Apple device to broadcast whatever is coming out of its speakers to an AirPlay receiver (which will be our Pi in this case). There is also a way to send audio from PulseAudio to AirPlay receivers.

GeekBox | by geekbuying the Pioneering Versatile Open Source TV Box

The RK3368 is an octa-core 64-bit ARM Cortex-A53 processor with a PowerVR G6110 graphics chip, built on a 28nm process, with support for OpenGL ES 3.1. The RK3368 has strong video capabilities: 4K×2K, H.265 and HDMI 2.0 output at 60Hz.


Adobe kills the ‘Flash’ name after twenty years

Adobe revealed that the Flash product will be called Adobe Animate CC from January’s update of the Creative Cloud suite. There’s no explicit mention of what the browser plug-in will be called, but presumably it will mirror the change of name.


The post Raspberry Pi Does What? | LINUX Unplugged 121 first appeared on Jupiter Broadcasting.

Zero-Days Of Our Lives | TechSNAP 240
https://original.jupiterbroadcasting.net/90321/zero-days-of-our-lives-techsnap-240/
Thu, 12 Nov 2015 10:22:06 +0000

The post Zero-Days Of Our Lives | TechSNAP 240 first appeared on Jupiter Broadcasting.


The first remote administration trojan that targets Android, Linux, Mac and Windows. Joomla and vBulletin have major flaws & tips for protecting your online privacy from some very motivated public figures.

Plus some great questions, a rockin’ roundup & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

First remote administration trojan that targets Android, Linux, Mac, and Windows: OmniRat

  • “On Friday, Avast discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.”
  • “OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.”
  • “On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.”
  • “Like DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack costs $210, OmniRat costs only $25 to $50 depending on which device you want to control.”
  • “A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.”
  • “The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]“. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number. Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.”
  • “The OmniRat APK requires users to accept and give OmniRat access many permissions, including edit text messages, read call logs and contacts, modify or delete the contents of the SD card. All of these permissions may seem evasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the trusted and most downloaded apps on the Google Play Store request many of the same permissions. The key difference is the source of the apps. I always recommend that users read app permissions carefully. However, when an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely the app is malicious.”
  • “The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server. Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”
  • Additional Coverage: Softpedia
  • “The Softpedia article about OmniRAT includes a video, but declined to post the tool’s homepage. You can easily find it via a Google search.”

Joomla, one of the most popular web platforms after WordPress, has a critical flaw affecting millions of sites

  • “Joomla is a very popular open-source Content Management System (CMS) used by no less than 2,800,000 websites (as of September 2015).”
  • An SQL injection attack was discovered that affects versions 3.2 through 3.4.4
  • “Unrestricted administrative access to a website’s database can cause disastrous effects, ranging from complete theft, loss or corruption of all the data, through obtaining complete remote control of the web server and abusing or repurposing it (for instance, as a host for malicious or criminal content), and ending in infiltration into the internal network of the organization, also-known-as lateral movement.”
  • “3 CVEs have been assigned to the vulnerability – CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858. It has been tested and found working on a number of large websites, representing different business verticals”
  • “We encourage site administrators to update their Joomla installations immediately, deploy a 3rd-party protection product, or at the very least take their site down until a proper solution is found. According to the Verizon 2015 Database Breach Investigation Report, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published” so not patching your system will almost guarantee it will be hacked.”
  • Timeline:
    • Oct 15, 2015 – Disclosure to the Joomla security team
    • Oct 19, 2015 – Vulnerability is acknowledged by Joomla
    • Oct 22, 2015 – Patch released by Joomla
    • Oct 30, 2015 – Disclosure published by PerimeterX
  • It turns out that proper sanitization of the ‘select’ (columns) and ‘limit’ (pagination) parameters was not being done, one of the most obvious and ubiquitous SQL injection vectors.
  • “Using this SQLI we could extract all users, reset password tokens, sessions, and other configuration data stored in the DB. This will ultimately allow an attacker to obtain admin credentials, and therefore control the system’s PHP code using the ‘edit theme’ interface, effectively compromising the entire server.”
  • So I can replace the hash of the admin user with one I know the password for (or just create my own new admin user), as well as extract the hashed passwords of all other users.
  • “This vulnerability is a classic example of how having a too-dynamic code can reflect very severely on security. I expect this disclosure will stir up a hornet’s nest regarding the system’s dynamic nature, and more vulnerabilities exploiting it will be discovered. When you are developing a complex system, keep in mind that although your design is convenient for other developers, it is convenient for vulnerability researchers, too.”
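As an added example (not Joomla’s code and not from the show), the sanitization gap described above and its fix, in Python with SQLite: column names and a LIMIT value cannot be bound as query parameters, so the hardened builder allowlists identifiers and validates the limit as a bounded integer. The schema, rows and request parameters are constructed for the demonstration.

```python
"""Allowlisting SQL identifiers that cannot be bound as parameters.

Added example, not Joomla's code. The flaw was unsanitised 'select' (column
list) and 'limit' (pagination) request parameters pasted into SQL text.
The in-memory SQLite schema, rows and request parameters are constructed.
"""
import sqlite3
from typing import Tuple

# Constructed allowlist: the only columns a caller may ask for.
ALLOWED_COLUMNS = frozenset({"id", "title", "created"})
MAX_LIMIT = 100


def build_query_unsafe(select: str, limit: str) -> str:
    """Mirrors the defect: request parameters interpolated straight into SQL."""
    return f"SELECT {select} FROM content LIMIT {limit}"


def build_query_safe(select: str, limit: str) -> Tuple[str, tuple]:
    """Validate both parameters before either touches the SQL text."""
    columns = [c.strip() for c in select.split(",")]
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
    if not limit.isdigit():  # rejects '', signs, spaces, and 'N OFFSET M' tricks
        raise ValueError(f"limit must be a positive integer: {limit!r}")
    n = int(limit)
    if not 1 <= n <= MAX_LIMIT:
        raise ValueError(f"limit out of range: {n}")
    # Identifiers now come from the allowlist, so they are safe to interpolate;
    # the numeric value is bound as a parameter rather than formatted in.
    return f"SELECT {', '.join(columns)} FROM content LIMIT ?", (n,)


def make_db() -> sqlite3.Connection:
    """Constructed schema: a content table plus a users table the query must never reach."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE content(id INTEGER, title TEXT, created TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO content VALUES (1, 'Hello', '2015-10-30'), (2, 'World', '2015-10-31');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-placeholder');
    """)
    return con


def run_unsafe(con: sqlite3.Connection, select: str, limit: str) -> list:
    return con.execute(build_query_unsafe(select, limit)).fetchall()


def run_safe(con: sqlite3.Connection, select: str, limit: str) -> list:
    sql, params = build_query_safe(select, limit)
    return con.execute(sql, params).fetchall()


# Constructed request parameters: one legitimate, one reaching into the users table.
LEGIT_SELECT = "id, title"
HOSTILE_SELECT = "id, (SELECT password FROM users WHERE username = 'admin')"

if __name__ == "__main__":
    con = make_db()
    print("unsafe:", run_unsafe(con, HOSTILE_SELECT, "1"))  # leaks the admin hash
    try:
        run_safe(con, HOSTILE_SELECT, "1")
    except ValueError as exc:
        print("safe  : rejected ->", exc)
    print("safe  :", run_safe(con, LEGIT_SELECT, "1"))
```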

Camgirl OPSEC: How the world’s newest porn stars protect their online privacy

  • Not the type of thing you would normally expect us to cover on TechSNAP, but it turns out, if you want to maintain your privacy online, it helps to take advice from the experts
  • Women already have more crap to deal with online, but camgirls often receive the worst of it
  • “But with modern technology comes modern problems: swatting, doxxing, and the fact that on most sites, there’s a large chat window right by the camgirl’s face, into which anyone with a credit card can say anything.”
  • If people can find out who you are, or where you live, they can do all sorts of nasty things.
  • Most “performers” use an alias, so for them, the first step is to protect their true identity
  • Related to this, they also wish to keep their location secret
  • Some examples of ways your location can be exposed:
    • Pandora, the music streaming service, uses location-based advertisements. In this case, they ask for your ZIP code; enter a fake one
    • Many other sites also use location-based advertisements; use a VPN to hide your real location
    • “Speaking of VPNs, use one. If you use Skype, there’s Skype Resolvers out there that can show your IP by simply entering a username”
    • “Amazon wishlists reveal your town, which is why people use PO boxes”
  • “People can simply call Amazon/the shipper and find out the address their purchase was sent to if they pry enough. I don’t know what the company policy is for this, but it’s happened”
  • “Camgirl #OpSec tip: I know craft beers are delicious, but they circumscribe your location to a very tight circle.”
  • Make sure photos that you post online do not have GPS or location metadata included
  • Even small talk such as the weather can give away your location once enough samples are collected
  • “Also make sure you don’t go to your PO box alone, because someone may be waiting for you there, especially if you publicly reveal your PO box address and/or say specifically when you’ll be going to it”
  • “Google Voice provides fake numbers, so you can use them for texting, or any apps/sites that require a number”
  • “Do not accept gift cards as payments towards your service from random people”, they may be able to track how/where it was spent
  • Use a separate browser for “work” and “personal” internet use, to ensure cookies and logins do not get contaminated
  • Especially things like Facebook and Google that track you all over the internet
  • Avoid creating ‘intersections’, where your two identities can be correlated. Make sure your username doesn’t give it away
  • Consider changing your alias on a regular basis. Balance building a reputation against OPSEC
  • Use strong passwords, and DO NOT reuse passwords for multiple sites, use 2FA whenever possible

The post Zero-Days Of Our Lives | TechSNAP 240 first appeared on Jupiter Broadcasting.

An Encryptioner’s Conscience | TechSNAP 217
https://original.jupiterbroadcasting.net/83272/an-encryptioners-conscience-techsnap-217/
Thu, 04 Jun 2015 17:35:50 +0000

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.


The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

The sad state of SMTP (email) encryption

  • This article talks about the problems with the way email transport encryption is done
  • When clients submit mail to a mail server, and when mail servers talk to each other to exchange those emails, they have the option of encrypting that communication to prevent snooping
  • This “opportunistic” encryption happens if the server you are connecting to (as a client, or as another server), advertises the STARTTLS option during the opening exchange
  • If that keyword is there, then your client can optionally send the STARTTLS command, and switch further communications to be encrypted
  • The first problem with this is that it happens over plain text, which has no protection against modification
  • Some Cisco firewalls, and most bad guys, will simply modify the message from the server before it reaches you to remove the STARTTLS keyword, so your client will assume the server just doesn’t speak TLS.
  • Do we maybe need something like HSTS for SMTP?
  • When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
  • But this is only the beginning of the problem
  • SSL/TLS are designed to provide 3 guarantees:
    • Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented SSL Certificate is issued by a trusted CA
    • Integrity: The message was not modified or tampered with by someone during transit. This is provided by the MAC (Message Authentication Code), a hash that is used to ensure the message has not been modified
    • Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption using a session key negotiated with the other side using asymmetric cryptography based on the SSL Certificate.
  • Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates.
  • Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
  • The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name here, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
  • But even if we did enforce this and rejected mail sent by servers with self-signed certificates, without DNSSEC someone could just spoof the MX records: instead of my email being sent over an encrypted channel to your server, which I have verified, I would be given an incorrect MX record telling me to deliver mail to mx1.evilguy.com, which has a perfectly valid SSL certificate for that domain
  • In the end, the better solution looks like it will be DNSSEC + DANE (publish the fingerprint of the correct SSL certificate as a DNS entry, alongside your MX record)
  • With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point
  • Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected. If it eventually makes it to its destination, people are much less likely to notice.
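As an added example (not code from the show or from any mail server), the client-side decision the notes describe, in Python with only the standard library: whether STARTTLS was advertised in the EHLO reply, whether a DNSSEC-validated TLSA record exists, and whether the certificate the server presents matches it. The certificate bytes, EHLO replies and TLSA record are constructed placeholders.

```python
"""STARTTLS stripping versus DANE-enforced TLS, from the SMTP client's side.

Added example, not code from the show or any mail server. Only the standard
library is used; the certificate bytes, EHLO replies and TLSA record below
are constructed placeholders, not real DER or protocol captures.
"""
import hashlib
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE: the data identifies the server's own certificate
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 0 1 <hex digest>'."""
    usage, selector, matching, hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Compute what the TLSA data field must equal for this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3) check: the presented leaf certificate must match the record.
    Usage 2 (DANE-TA) would need the whole chain and is not modelled here."""
    if record.usage != 3:
        return False
    return record.data == association_data(cert_der, spki_der, record.selector, record.matching)


def ehlo_advertises_starttls(ehlo_response: str) -> bool:
    """True if a '250-STARTTLS' or '250 STARTTLS' line is present in the EHLO reply."""
    return any(line[:3] == "250" and line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_response.splitlines())


def delivery_decision(ehlo_response: str, tlsa_records: Sequence[TLSARecord],
                      dnssec_secure: bool, cert_der: bytes, spki_der: bytes) -> str:
    """How mail would be delivered to this MX: 'plaintext', 'opportunistic-tls',
    'dane-tls' or 'refuse'. cert_der/spki_der are what the server presents after STARTTLS."""
    starttls = ehlo_advertises_starttls(ehlo_response)
    # TLSA records count only when DNSSEC validated the answer (AD bit set);
    # an unsigned answer could have been spoofed along with the MX record itself.
    usable = list(tlsa_records) if dnssec_secure else []
    if not usable:
        # Opportunistic mode: a stripped STARTTLS keyword looks exactly like a
        # server that never supported TLS, so delivery quietly degrades.
        return "opportunistic-tls" if starttls else "plaintext"
    # DANE published: TLS is mandatory (RFC 7672), so there is no plaintext fallback.
    if not starttls:
        return "refuse"
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
        return "dane-tls"
    return "refuse"


# Constructed sample data: not a real certificate, not a real server reply.
FAKE_CERT_DER = b"constructed-placeholder-for-the-server-certificate-DER"
FAKE_SPKI_DER = b"constructed-placeholder-for-the-SubjectPublicKeyInfo-DER"
GOOD_TLSA = "3 0 1 " + hashlib.sha256(FAKE_CERT_DER).hexdigest()
EHLO_OK = "250-mx.example.net Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mx.example.net Hello\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"  # STARTTLS removed in transit

if __name__ == "__main__":
    rec = parse_tlsa(GOOD_TLSA)
    cases = [("no DANE, intact reply", EHLO_OK, [], False),
             ("no DANE, STARTTLS stripped", EHLO_STRIPPED, [], False),
             ("DANE, STARTTLS stripped", EHLO_STRIPPED, [rec], True),
             ("DANE, intact reply", EHLO_OK, [rec], True),
             ("DANE but not DNSSEC-validated", EHLO_STRIPPED, [rec], False)]
    for label, ehlo, recs, secure in cases:
        print(f"{label:32s} -> {delivery_decision(ehlo, recs, secure, FAKE_CERT_DER, FAKE_SPKI_DER)}")
```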

Researchers find 60 flaws in 22 common consumer network devices

  • A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
  • They found serious flaws in 22 different SOHO network devices, including those from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
  • Most of the devices they surveyed were ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact, since almost every Internet user in Spain has one of these 22 devices
  • They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices:
    • Persistent Cross Site Scripting (XSS)
    • Unauthenticated Cross Site Scripting
    • Cross Site Request Forgery (CSRF)
    • Denial of Service (DoS)
    • Privilege Escalation
    • Information Disclosure
    • Backdoor
    • Bypass Authentication using SMB Symlinks
    • USB Device Bypass Authentication
    • Bypass Authentication
    • Universal Plug and Play related vulnerabilities
  • All of this makes me glad my router runs FreeBSD.
  • Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560MHz MIPS CPU and can run FreeBSD 11 or Linux distros such as DD-WRT
  • Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

  • “CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
  • It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
  • “According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
  • “There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
  • “As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
  • “On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)
  • So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
  • Such targeted attacks on teleworkers are a disturbing new trend
  • The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
  • “Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
  • Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian

First review of Intel’s new Broadwell desktop processors

  • The long awaited new line of desktop processors has landed
  • Problems with the new 14nm fabrication process resulted in the entire Broadwell line being delayed, significantly so in the case of the desktop chip
  • The two new models are the Core i7 5775c, and Core i5 5765c with a 65W TDP
  • These Broadwell chips are a lower TDP than the top-end Haswell cousins, actually being closer to the lower clocked i7-4790S than the top end i7-4770K
  • Overall, speeds are not quite as fast as the current generation Haswell flagship processors
  • These new processors use Intel’s Iris Pro 6200 Integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
  • Broadwell will soon be replaced by Skylake, later this year, so you might want to wait to make your next big purchase
  • Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
  • In the end, it is a bit unexpected for the desktop range to include only 2 processors, and in the middle TDP, with no offerings at the lower end (35W) or higher end (88W)
  • Some of the benchmarks suggest the eDRAM may help with video encoding

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.

Two-factor Exemption | TechSNAP 174
https://original.jupiterbroadcasting.net/64107/two-factor-exemption-techsnap-174/
Thu, 07 Aug 2014 20:01:30 +0000

The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.


Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.

Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash

  • The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
  • Original post at Hold Security
  • “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
  • The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
  • “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
  • Because of the varied sources of the data, the passwords are likely a combination of plain text, simple hashes (md5, sha1, sha256), esoteric hashes like md5(salt.password.salt) or md5(salt.md5(password)) etc, and proper cryptographic hashes
  • Original Coverage from 6 months ago
  • Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
  • Krebs has a Q&A on the subject, based on his past work with Alex Holden of Hold Security
  • There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
  • Sophos and others still have questions about the data from CyberVor
  • While still under construction, there is an individual version of the service that will allow you to find out if your electronic identity was found in the possession of the CyberVor gang; it will be provided free for the first 30 days
  • This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
  • The issue with this is that if a compromised site used proper cryptographic hashes, the only way to compare the passwords without knowing your original password in plain text is to brute-force the hash back to plain text. If Hold Security had your plain text password, they could compare it to the database much more quickly and accurately, but that would make them a bigger security threat than the exposure of the hashed passwords
  • Additional Coverage: Forbes

PayPal two-factor authentication contained a simple bypass used for linking an eBay account

  • While investigating the usefulness of the PayPal two-factor authentication system, a security researcher (Joshua Rogers) was astonished to find a simple bypass
  • PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
  • This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
  • By adding “cmd=_integrated-registration” to the request (a flow-selection parameter, not a credential), PayPal skips asking for any two-factor authentication, allowing an attacker who knows your username and password to access your account without the second factor
  • The exploit can be used without needing to have an affiliated eBay account
  • The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
  • After two months the issue has not been resolved, so the researcher released his findings
  • It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researcher’s eligibility for the bug bounty reward

SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom

  • New malware has surfaced that has been targeting Synology NAS appliances exposed to the Internet
  • Users are greeted by a screen telling them that the files on their NAS have been encrypted, directing them to use Tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
  • It was not immediately clear how the NAS devices were being compromised
  • Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
  • Users are encouraged to upgrade to the latest DSM 5.0 or:
  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later
  • If you suspect you have been affected by this, Synology recommends following these steps:
    1. Shutdown the Synology NAS to prevent any more files being encrypted
    2. Contact the Synology support team at security@synology.com or fill out the support form
  • Users whose files have already been encrypted may not be entirely out of luck: yesterday a new service launched that can decrypt files locked by CryptoLocker, similar malware that targeted Windows (whether it helps with SynoLocker is not yet known)
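An added example (my code, not Synology’s) for anyone with more than one of these boxes: turning the advisory’s build numbers above into a fleet check. It parses the “DSM x.y-build” strings, compares each against the minimum patched build for its branch, and lists the hosts that still need attention. The host names and the DSM 5.0 and 4.x version strings used as sample input are constructed; the patched builds are the ones quoted from the advisory.

```python
import re

# Minimum patched build for each affected DSM branch, from the advisory above.
# DSM 4.1 has no fixed build of its own: the advice is to install 4.2-3243+.
FIXED_BUILD = {(4, 0): 2259, (4, 2): 3243, (4, 3): 3827}

_VERSION = re.compile(r"^DSM\s+(\d+)\.(\d+)-(\d+)$")


def parse_dsm(version: str):
    """Split 'DSM 4.3-3810' into (major, minor, build)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised DSM version string: %r" % version)
    major, minor, build = (int(x) for x in m.groups())
    return major, minor, build


def dsm_needs_update(version: str) -> bool:
    """True if this DSM version predates the patched build for its branch."""
    major, minor, build = parse_dsm(version)
    branch = (major, minor)
    if branch >= (5, 0):
        return False          # advisory: issue not observed on DSM 5.0
    fixed = FIXED_BUILD.get(branch)
    if fixed is None:
        return True           # 4.1, 3.x or unknown branch: no in-place fix, upgrade
    return build < fixed


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts to patch, sorted."""
    return sorted(h for h, v in inventory.items() if dsm_needs_update(v))
```

Anything that does not parse raises rather than silently passing; an unknown version string on an Internet-facing NAS deserves a look, not a green tick.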

Feedback:


Round Up:


The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.

The Friendly Sandbox | BSD Now 39 https://original.jupiterbroadcasting.net/58472/the-friendly-sandbox-bsd-now-39/ Thu, 29 May 2014 13:26:06 +0000 https://original.jupiterbroadcasting.net/?p=58472 This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the […]

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.


This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to: iXsystems and Tarsnap


– Show Notes: –

Headlines

BSDCan 2014 talks and reports


Defend your network and privacy with a VPN and OpenBSD

  • After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
  • This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
  • There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
  • You can transparently tunnel all your outbound traffic over the VPN with this configuration; nothing is needed on any of the client systems. The same approach could be used with Tor (but it would be very slow)
  • It also includes a few general privacy tips, recommended browser extensions, etc
  • The intro to the article is especially great, so give the whole thing a read
  • He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you’re watching!

You should try FreeBSD

  • In this blog post, the author talks a bit about how some Linux people aren’t familiar with the BSDs and how we can take steps to change that
  • He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
  • Possibly the most useful part is how to address the question “my server already works, why bother switching?”
  • “Stackoverflow’s answers assume I have apt-get installed” ← lol
  • It includes mention of the great documentation, stability, ports, improved security and much more
  • A takeaway quote for would-be Linux switchers: “I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before”

OpenBSD and the little Mauritian contributor

  • This is a story about a guy from Mauritius named Logan, one of OpenBSD’s newest developers
  • Back in 2010, he started sending in patches for OpenBSD’s “mg” editor, among other small things, and eventually added file transfer resume support for SFTP
  • The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
  • It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
  • Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd


Tutorial

Encrypting DNS lookups


News Roundup

FreeBSD Journal, May 2014 issue

  • The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
  • This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
  • Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

  • Since the last LibreSSL post we covered, a couple of unofficial “portable” versions have died off
  • Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
  • This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
  • Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

  • The usual monthly release from BSDMag, covering a variety of subjects
  • This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
  • It’s a free PDF, go grab it

BSDTalk episode 241

  • A new episode of BSDTalk is out, this time with Bob Beck
  • He talks about the OpenBSD foundation’s recent activities, his own work in the project, some stories about the hardware in Theo’s basement and a lot more
  • The interview itself isn’t about LibreSSL at all, but they do touch on it a bit too
  • Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re looking for new tutorial ideas, so if there’s something specific you’d like to learn about, let us know
  • FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We’ll let you know how it goes in a future episode.
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The Sound of Security | TechSNAP 142 https://original.jupiterbroadcasting.net/48582/the-sound-of-security-techsnap-142/ Thu, 26 Dec 2013 13:27:18 +0000 https://original.jupiterbroadcasting.net/?p=48582 Researchers prove it’s possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical…. Then it’s a batch of your questions, our answers, and much much more!

The post The Sound of Security | TechSNAP 142 first appeared on Jupiter Broadcasting.


Researchers prove it’s possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical….

Then it’s a batch of your questions, our answers, and much much more!

Thanks to: GoDaddy, Ting and iXsystems


— Show Notes: —

RSA Key Extraction via Acoustic Cryptanalysis

  • Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components.
  • These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
  • In the paper they describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s then-current implementation of RSA.
  • The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
  • Experimentally they demonstrate that the attack can be carried out using either a plain mobile phone placed next to the computer, or a more sensitive, specially designed microphone placed up to 4 meters (13 feet) away.
  • They disclosed the attack to the GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and, in the authors’ words, “resisting our current key-extraction attack”, were released concurrently with the first public posting of these results
  • PDF Report
  • Adi Shamir – Wikipedia
  • Inventor of SSSS (Shamir\’s secret-sharing scheme)
  • CVE – CVE-2013-4576
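The notes above say the GnuPG developers shipped “suitable countermeasures” without naming them; my understanding (not stated on this page) is that the fix was ciphertext blinding for RSA decryption. The added example below is my own illustration of that technique, not GnuPG or libgcrypt code: the private-key exponentiation is performed on c·rᵉ for a fresh random r rather than on the attacker’s chosen c, so the operand the leaky operation handles is no longer under the attacker’s control, and the result is unblinded afterwards. The RSA parameters are the textbook toy values (p = 61, q = 53) and are far too small for real use.

```python
import secrets
from math import gcd

# Toy RSA key (constructed; far too small for real use): the textbook p=61, q=53.
p, q = 61, 53
n = p * q                 # 3233
e = 17
d = pow(e, -1, (p - 1) * (q - 1))   # 2753


def encrypt(m: int) -> int:
    return pow(m, e, n)


def decrypt_plain(c: int) -> int:
    # The private exponentiation runs directly on an attacker-chosen c, so the
    # operand of the leaky computation is fully under the attacker's control.
    return pow(c, d, n)


def blinding_factor() -> int:
    """Random r in [2, n-1] with gcd(r, n) == 1, so r is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def decrypt_blinded(c: int, r: int = None):
    """Ciphertext blinding: raise (c * r^e) to d instead of c, then divide out r.
    Returns (plaintext, operand) so the value actually exponentiated can be inspected."""
    if r is None:
        r = blinding_factor()
    operand = (c * pow(r, e, n)) % n    # what the private-key operation sees
    m_blind = pow(operand, d, n)        # equals r * m mod n
    m = (m_blind * pow(r, -1, n)) % n   # strip the blinding factor
    return m, operand
```

Two decryptions of the same ciphertext now exponentiate different operands yet return the same plaintext; that is the whole point, since the attack depends on feeding the decryption routine specific values and listening to how it handles them.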

NSA Says It Foiled the BIOS Plot

  • Dubbed the “BIOS plot”, the attack would have ruined, or “bricked,” computers across the country, causing untold damage to the national and even global economy.
  • Debora Plunkett, director of cyber defense for the National Security Agency, described for the first time a cataclysmic cyber threat the NSA claims to have stopped, on Sunday’s “60 Minutes.”
  • CBS suggests China is to blame; the NSA neither confirms nor denies that in the interview.
  • CBS reported the “virus” would have been delivered via a software update to every computer’s BIOS.
  • The NSA says it closed this vulnerability by working with computer manufacturers.
  • No further technical, or general, details were provided.
  • CBS Airs NSA Propaganda Infomercial Masquerading As ‘Hard Hitting’ 60 Minutes Journalism By Reporter With Massive Conflict Of Interest
  • In the end, this appears to be the NSA stealing the plot from our book recommendation a few weeks ago. Mark Russinovich’s Zero Day – which is very much the same plot (Copyright March 2011), except the attackers were wealthy backers of Al Qaeda instead of the Chinese
  • In the sequel Trojan Horse , China uses APT techniques to compromise computers at the UN Office for Disarmament Affairs, and alter a report about Iran’s Nuclear Weapons Program to disrupt international attempts to prevent Iran from getting Nuclear Weapons. Look for this story on the news next year…

Krebs: The Case For a Global, Compulsory Bug Bounty

  • Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products
  • This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
  • Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices.
  • The director of research for Austin, Texas-based NSS Labs examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed.
  • Even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies’ annual revenue
  • To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers.
  • The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.
  • The Case for a Compulsory Bug Bounty — Krebs on Security
  • How many Zero-Days hit you today?

Feedback:


Round Up:


MX with TTX | BSD Now 3 https://original.jupiterbroadcasting.net/43392/mx-with-ttx-bsd-now-3/ Fri, 20 Sep 2013 08:26:39 +0000 https://original.jupiterbroadcasting.net/?p=43392 A tutorial on pkgng, we talk with the developers of OpenSMTPD about running a mail server OpenBSD-style, answer YOUR questions and more.

The post MX with TTX | BSD Now 3 first appeared on Jupiter Broadcasting.


A tutorial on pkgng, we talk with the developers of OpenSMTPD about running a mail server OpenBSD-style, answer YOUR questions and, of course, discuss all the latest news.

All that and more on BSD Now! The place to B… SD.


– Show Notes: –

Headlines

pfSense 2.1-RELEASE is out

  • Now based on FreeBSD 8.3
  • Lots of IPv6 features added
  • Security updates, bug fixes, driver updates
  • PBI package support
  • Way too many updates to list, see the full list

New kernel based iSCSI stack comes to FreeBSD

  • Brief explanation of iSCSI
  • This work replaces the older userland iscsi target daemon and improves the in-kernel iscsi initiator
  • Target layer consists of:
  • ctld(8), a userspace daemon responsible for handling configuration, listening for incoming connections, etc, then handing off connections to the kernel after the iSCSI Login phase
  • iSCSI frontend to CAM Target Layer, which handles Full Feature phase.
  • The work is being sponsored by FreeBSD Foundation
  • Commit here

MTier creates openup utility for OpenBSD

  • MTier provides a number of things for the OpenBSD community
  • For example, regularly updated (for security) stable packages from their custom repo
  • openup is a utility to easily check for security updates in both base and packages
  • It uses the regular pkg tools, nothing custom-made
  • Can be run from cron, but only emails the admin instead of automatically updating

OpenSSH in FreeBSD -CURRENT supports DNSSEC

  • OpenSSH in base is now compiled with DNSSEC support
  • With this change the default setting for ‘VerifyHostKeyDNS’ is yes
  • OpenSSH will silently trust SSHFP records that the resolver reports as DNSSEC-validated; a matching record from an unsigned zone still results in the usual host key prompt
  • It is the secteam’s opinion that this is better than teaching users to blindly hit “yes” each time they encounter a new key
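An added example (my code, not from FreeBSD or OpenSSH) showing what is actually being compared when VerifyHostKeyDNS is in play: the SSHFP record is a hash of the decoded host key blob (the part after the key type in the public key line), and OpenSSH only skips the prompt when the record matches and the resolver flagged the answer as validated. The key bytes are deterministic filler rather than a real key, and host_key_decision is a simplified model of OpenSSH’s behaviour, not its code.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_pubkey(seed: int) -> str:
    """An ssh-ed25519 public-key line built from 32 bytes of deterministic
    filler (constructed input, not a real key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def sshfp_rdata(pubkey_line: str, fptype: int = 2):
    """SSHFP RDATA (algorithm, fptype, hex fingerprint) for a public-key line.
    The fingerprint is the hash of the decoded key blob, as 'ssh-keygen -r' emits."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return KEY_ALG[keytype], fptype, FP_TYPE[fptype](blob).hexdigest()


def host_key_decision(pubkey_line: str, records, ad_flag: bool, policy: str = "yes") -> str:
    """Simplified model of OpenSSH's VerifyHostKeyDNS handling.
    records: (alg, fptype, hex) tuples returned by the SSHFP lookup.
    ad_flag: whether the resolver marked the answer DNSSEC-validated (AD bit).
    Returns 'trust' (connect silently), 'ask' (prompt) or 'mismatch' (warn, prompt)."""
    alg = sshfp_rdata(pubkey_line)[0]
    matched = False
    for r_alg, r_fp, r_hex in records:
        if r_alg == alg and r_fp in FP_TYPE and r_hex.lower() == sshfp_rdata(pubkey_line, r_fp)[2]:
            matched = True
    if not matched:
        return "mismatch" if records else "ask"
    if policy == "yes" and ad_flag:
        return "trust"   # the FreeBSD default: a validated match is accepted silently
    return "ask"         # unsigned answer, or VerifyHostKeyDNS=ask: user still prompted
```

On a real host, `ssh-keygen -r hostname` prints the SSHFP records to publish and `dig +dnssec hostname SSHFP` shows whether the answer comes back with the AD flag; the AD bit is only meaningful if the resolver ssh is talking to is one you trust, since it is a single bit in a plain UDP reply.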

Interview – Gilles Chehade & Eric Faurot – gilles@openbsd.org / @poolpOrg & eric@openbsd.org

OpenSMTPD

  • Q: Could you tell us a little bit about yourselves and how you got involved with OpenBSD?
  • Q: What exactly is OpenSMTPD and why was it created?
  • Q: How big is your team of developers? Who’s doing what?
  • Q: How compatible is it with things like dovecot, spamassassin, etc?
  • Q: Are there any advantages over the other mail servers like Postfix or Exim?
  • Q: If someone wanted to switch from them, is it an easy replacement?
  • Q: The config syntax is very nice and easy to grasp. Was it inspired by PF’s at all?
  • Q: What made you decide to develop a portable version, a la OpenSSH?
  • Q: Tell us some cool, upcoming features in a future release
  • Q: Anything else you’d like to mention about the project?
  • Q: Where can people find more info and help with development if they want?

Tutorial

Using pkgng for binary package management

  • Live demo
  • pkgng is the replacement for the old pkg_add tools
  • Much more modern, supports an array of features that the old system didn’t
  • Works on DragonflyBSD as well

News Roundup

New progress with Newcons

  • Newcons is a replacement console driver for FreeBSD
  • Supports unicode, better graphics modes and bigger fonts
  • Progress is being made, but it’s not finished yet

relayd gets PFS support

  • relayd is a load balancer for OpenBSD which does protocol layers 3, 4, and 7
  • Currently being ported to FreeBSD. There is a WIP port
  • Works by negotiating ECDHE (Elliptic-curve Diffie-Hellman Ephemeral) between the remote site and relayd to enable TLS/SSL Perfect Forward Secrecy on that leg, even when the client does not support it

OpenZFS Launches

  • Slides from LinuxCon
  • Will feature ‘Office Hours’ (Ask an Expert)
  • Goal is to reduce the differences between various open source implementations of ZFS, both user facing and pure lines of code

FreeBSD 10-CURRENT becomes 10.0-ALPHA

  • Glen Barber tagged the -CURRENT branch as 10.0-ALPHA
  • In preparation for 10.0-RELEASE, ALPHA2 as of 9/18
  • Everyone was rushing to get their big commits in before 10-STABLE, which will be branched soon
  • 10 is gonna be HUGE

September issue of BSD Mag

  • BSD Mag is a monthly online magazine about the BSDs
  • This month’s issue has some content written by Kris
  • Topics include MidnightBSD live cds, server maintenance, turning a Mac Mini into a wireless access point with OpenBSD, server monitoring, FreeBSD programming, PEFS encryption and a brief introduction to ZFS

The FreeBSD IRC channel is official

  • For many years, the FreeBSD freenode channel has been “unofficial” with a double-hash prefix
  • Finally it has freenode’s blessing and looks like a normal channel!
  • The old one will forward to the new one, so your IRC clients don’t need updating

OpenSSH 6.3 released

  • After a big delay, Damien Miller announced the release of 6.3
  • Mostly a bugfix release, with a few new features
  • Of note, SFTP now supports resuming failed downloads via -a

Feedback/Questions

  • A couple of people wrote in to tell us that OpenBSD is not the only one with 64-bit time. We misspoke.
  • James writes in: https://slexy.org/view/s2wBbbSWGz
  • Elias writes in: https://slexy.org/view/s2LMDF3PYx
  • Gabor writes in: https://slexy.org/view/s2aCodo65X
  • Possibly the coolest feedback we’ve gotten thus far: Baptiste Daroussin, leader of the FreeBSD ports management team and author of poudriere and pkgng, has put up the BSD Now poudriere tutorial on the official documentation!
  • We always want more feedback, especially tutorial ideas and show topics you want to see

  • Big thanks to TJ for writing most of the show notes and the tutorials, as well as handling most of your feedback
  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Security by Mediocrity | TechSNAP 125 https://original.jupiterbroadcasting.net/42267/security-by-mediocrity-techsnap-125/ Thu, 29 Aug 2013 16:49:18 +0000 https://original.jupiterbroadcasting.net/?p=42267 Researchers bypass Dropbox’s authentication, DNS Hijacking takes down the New York Times, Twitter, and more. We’ll explain what happened.

The post Security by Mediocrity | TechSNAP 125 first appeared on Jupiter Broadcasting.


DNS Hijacking takes down the New York Times, Twitter, and more. We’ll explain what happened.

Plus researchers bypass Dropbox’s authentication, a big batch of your questions our answers, and much much more!

On this week’s TechSNAP.

Thanks to:

Use our code techsnap249 to get a .COM for $2.49.

Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.

Visit techsnap.ting.com to save $25 off your device or service credits.


— Show Notes: —

DNS hijacking takes down New York Times and Twitter

  • A number of high profile domain names were taken offline on Tuesday
  • Attackers claiming to be part of the SEA (Syrian Electronic Army) gained access to accounts at the domain registrar Melbourne IT (reportedly via a reseller’s phished credentials) and changed whois records and DNS records for a number of major domains
  • The affected domains included:
  • nytimes.com
  • huffingtonpost.com
  • huffingtonpost.co.uk
  • mapquest.com
  • patch.com
  • starbucks.com
  • techcrunch.com
  • tweetdeck.com
  • twimg.com
  • vine.co
  • t.co
  • Some were affected more than others. twimg.com was down for quite some time, resulting in all images on twitter failing to load
  • New York Times article about the outage
  • The New York Times reports “The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m”
  • This raises the question of what DNSSEC would have bought here: the DS record that anchors a zone’s keys is published in the parent zone through the domain registrar, so an attacker with registrar-level access can replace the NS delegation and the DS record together and have validating resolvers accept the attacker’s keys. DNSSEC protects the path from the zone to the resolver, not the registrar account

Researchers publish paper detailing how to defeat security at Dropbox

  • Researchers Dhiru Kholia (Openwall / University of British Columbia) and Przemysław Węgrzyn (CodePainters) released their paper at USENIX 2013
  • Research Paper
  • The research is not entirely focused on Dropbox, but on cloud services in general: “These techniques are generic enough and we believe would aid in future software development, testing and security research,”
  • The work may also have some positive side effects: “Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,”
  • “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
  • The attack involves discovering the host_id value (this used to be in an unencrypted SQLite database, and was discussed in the very first episode of TechSNAP). The value is now stored in an encrypted SQLite database, however the various bits of data that make up the encryption key are all stored in plain text on the device (there is no way around this)
  • Dropbox also uses a second variable, the host_int (which seems to be a unique id assigned by dropbox, it never changes)
  • The second variable can be requested from dropbox, using the first, by posting to https://client10.dropbox.com/register_host
  • Until the latest version, which added some obfuscation (researchers are working on cracking this now), it was possible to use the host_id and host_int to post to https://www.dropbox.com/tray_login and be logged in to the user’s Dropbox account without needing their username or password, and bypassing 2-factor authentication
  • This login method is only meant to be used by the user when they click the menu option to launch dropbox.com from the tray icon of the desktop Dropbox client
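Both this Dropbox item and the PayPal item in TechSNAP 174 above are the same design flaw seen twice: a second login path (a flow parameter in PayPal’s case, a device-bound secret and the tray_login endpoint in Dropbox’s) that reaches a session without ever passing through the second-factor check. The added example below is my own illustration of that pattern, not PayPal or Dropbox code: a vulnerable handler with both shortcuts, beside a hardened one where every first factor funnels into a single 2FA decision. The account store, the user, the fixed TOTP code and the device secret are all constructed for the example.

```python
import hmac

# Constructed account store with one hypothetical user. 'device_secret' plays
# the role of a long-lived desktop-client credential such as Dropbox's host_id;
# 'totp' is the current one-time code, fixed here for a deterministic example.
ACCOUNTS = {
    "alice": {
        "password": "correct horse",
        "totp": "492039",
        "two_factor": True,
        "device_secret": "dev-secret-alice",
    },
}


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    if acct is None or password is None:
        return False
    return hmac.compare_digest(acct["password"], password)


def _user_for_device_secret(secret):
    for name, acct in ACCOUNTS.items():
        if hmac.compare_digest(acct["device_secret"], secret):
            return name
    return None


# --- Vulnerable: two independent ways around the second factor --------------
def login_vulnerable(params):
    """Returns 'session', 'need_2fa' or 'denied' for a dict of request params."""
    user, pw = params.get("user"), params.get("password")
    # 1. A flow-selection flag in the request switches 2FA off
    #    (the PayPal cmd=_integrated-registration pattern).
    if params.get("cmd") == "_integrated-registration":
        return "session" if _password_ok(user, pw) else "denied"
    # 2. A device credential alone yields a web session
    #    (the Dropbox host_id / tray_login pattern).
    secret = params.get("device_secret")
    if secret is not None:
        return "session" if _user_for_device_secret(secret) else "denied"
    if not _password_ok(user, pw):
        return "denied"
    if ACCOUNTS[user]["two_factor"] and params.get("totp") != ACCOUNTS[user]["totp"]:
        return "need_2fa"
    return "session"


# --- Hardened: one policy decision after every first-factor path -------------
def _first_factor(params):
    """Identify the account from whichever first factor was presented."""
    user, pw = params.get("user"), params.get("password")
    if _password_ok(user, pw):
        return user
    secret = params.get("device_secret")
    if secret is not None:
        return _user_for_device_secret(secret)
    return None


def login_hardened(params):
    user = _first_factor(params)
    if user is None:
        return "denied"
    acct = ACCOUNTS[user]
    # The second factor is checked here for every path: 'cmd' is ignored and a
    # device secret is just another first factor, never a substitute for 2FA.
    if acct["two_factor"]:
        totp = params.get("totp")
        if totp is None or not hmac.compare_digest(acct["totp"], totp):
            return "need_2fa"
    return "session"
```

The structural lesson is that the 2FA check belongs at the point where a session is minted, after all first-factor paths converge, so that adding a new login flow later cannot quietly route around it.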

Snowden used sysadmin privileges to assume other NSA employees’ user profiles

  • NSA leaker Edward Snowden (who did not work for the NSA, but for a contractor, Booz Allen Hamilton), used his access as a sysadmin to “become” other users (in the eyes of the NSAnet system)
  • This allowed him to access files that only the top tier of users are supposed to have access to
  • His access as a sysadmin also allowed him to work around a key limitation imposed on NSA computers, the right to write data to an external storage device (like a USB stick)
  • Snowden downloaded a reported 20,000 documents onto thumb drives before leaving Hawaii for Hong Kong on May 20
  • “The damage, on a scale of 1 to 10, is a 12,” said a former intelligence official.
  • The scariest quote went like this: “Every day, they are learning how brilliant [Snowden] was,” said a former U.S. official with knowledge of the case. “This is why you don’t hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.”
  • FUDO Security Appliance
  • BSDCan Talk about FUDO

Feedback:


Round Up:
