fail – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed last updated Mon, 22 Feb 2016 02:44:59 +0000.

Go Directly to Fail | TechSNAP 151
https://original.jupiterbroadcasting.net/52407/go-directly-to-fail-techsnap-151/
Thu, 27 Feb 2014 17:23:58 +0000

The post Go Directly to Fail | TechSNAP 151 first appeared on Jupiter Broadcasting.


We’ll break down Apple’s major SSL flaw, and what it says about Apple’s general security posture, then the Zeus trojan evolves…

Plus an awesome batch of your questions, our answers.

On this week’s episode of TechSNAP.

Thanks to: GoDaddy, Ting, iXsystems


— Show Notes: —

Apple fixes certificate validation flaw in iOS and OS X

  • The flaw in the certificate verification step allowed an attacker to sign a certificate with any private key, or no key at all, and the certificate would still be accepted by the device
  • This means an attacker could trivially perform a man-in-the-middle (MitM) attack, and intercept all traffic between you and a secure destination
  • This would allow an attacker to get your email passwords, logins for services like Facebook and Twitter, and compromise your online banking account
  • A MitM attack is what TLS/SSL are designed to prevent
  • A MitM is trivial to perform if you can trick a user into connecting to a WiFi access point you control, say at a coffee shop or other public space
  • The flaw is also present in Mac OS X and fixed in 10.9.2 (Released Feb 25th, 4 days after the iOS update)
  • The issue is caused by a duplicated ‘goto fail’ statement. The first is the body of an if without curly braces, so only that one line is conditional; the second, although indented as if it belonged to the if, is unconditional, so the jump to the fail label happens in every case and the remaining verification steps are skipped while err still holds the success value from the step before
  • It is unclear how long Apple has known about the flaw, but the CVE for the bug was reserved on January 8th
  • diff between Mac OS X 10.8.5 and 10.9 showing the addition of the errant goto
  • OS X 10.9.2 also fixes an issue with cURL, where the TLS/SSL verification code did not check the hostname against the certificate when the URL was an IP address
  • Hacker News thread
  • More analysis
  • Why were there gotos in Apple software in the first place?
  • Apple Announcement
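As an added illustration, constructed for these notes and not taken from Apple's code, here is a C stand-in that mirrors the control flow described above, with the duplicated line beside the corrected version. The key_exchange_t struct, hash_update() and raw_verify() are toy assumptions standing in for the real hash and signature routines.

```c
#include <stdint.h>
/* Constructed stand-in for the SecureTransport key-exchange check: each
 * step returns 0 on success and non-zero on failure, as in the real code.
 * The toy "signature" is each digest byte XOR 0x5A. */
typedef struct {
    uint8_t server_random[4];
    uint8_t signed_params[4];
    uint8_t signature[4];
} key_exchange_t;
static int hash_update(uint8_t digest[4], const uint8_t in[4]) {
    for (int i = 0; i < 4; i++) digest[i] ^= in[i];
    return 0;                   /* hashing itself never fails here */
}
static int raw_verify(const uint8_t digest[4], const uint8_t sig[4]) {
    for (int i = 0; i < 4; i++)
        if ((uint8_t)(digest[i] ^ 0x5A) != sig[i]) return -1;
    return 0;
}
/* Same shape as the flawed function: the second 'goto fail' is outside
 * the if, so raw_verify() is never reached and err is returned as the 0
 * left by the successful hash_update() before it. */
int verify_vulnerable(const key_exchange_t *kx) {
    uint8_t digest[4] = {0};
    int err;
    if ((err = hash_update(digest, kx->server_random)) != 0)
        goto fail;
        goto fail;              /* the duplicated line */
    if ((err = hash_update(digest, kx->signed_params)) != 0)
        goto fail;
    err = raw_verify(digest, kx->signature);
fail:
    return err;
}

/* The fix: the duplicate is gone, and braces keep a stray line inside
 * the conditional rather than silently after it. */
int verify_fixed(const key_exchange_t *kx) {
    uint8_t digest[4] = {0};
    int err;
    if ((err = hash_update(digest, kx->server_random)) != 0) { goto fail; }
    if ((err = hash_update(digest, kx->signed_params)) != 0) { goto fail; }
    err = raw_verify(digest, kx->signature);
fail:
    return err;
}

/* Constructed samples: a genuine exchange and a forged one with no valid signature. */
const key_exchange_t GENUINE = {{1,2,3,4}, {5,6,7,8}, {0x5E,0x5E,0x5E,0x56}};
const key_exchange_t FORGED  = {{1,2,3,4}, {5,6,7,8}, {0,0,0,0}};
```

The vulnerable version returns 0 (accept) for the forged exchange because the signature check is never executed; the fixed version rejects it.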

University of Maryland ID card system breached

  • 309,079 of the students, faculty, and staff of the University of Maryland College Park and Shady Grove campuses have had their personal information exposed in an attack against the ID card system
  • The breach occurred about 04:00 February 18th
  • An attacker was able to get access to the ID card database that holds information on all card holders dating back to 1998
  • The data includes full name, SSN, birth date and University ID number
  • Brian Voss, CIO of U Md., said what most concerns him is the sophistication of the attack: “The hacker or hackers must have had a ‘very significant understanding’ of how the school’s data are designed and protected”
  • Voss claims that this was not a case of a ‘door left open’, that the attackers had to ‘pick through multiple locks’
  • It will be interesting to see if details of the attack are published
  • Related: The total cost of unmasked data

New Zeus trojan variant targets SalesForce.com

  • “The Adallom Labs team recently discovered an unusual variant of the Zeus trojan that targets Salesforce users. We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.”
  • We have covered the Zeus trojan before; it is sophisticated malware used to steal online banking credentials and perform transactions, even in the face of two-factor authentication schemes, by performing ‘man-in-the-browser’ attacks
  • This attack does not exploit a vulnerability in SalesForce; it simply takes over the user’s device used to access the site, in order to steal data from the site once the user has logged in
  • This attack seems to be a totally new kind of attack, not described by any existing Common Attack Pattern Enumeration and Classification (CAPEC) pattern.
  • When the Adallom security system detected an employee accessing a large number of records in a short period of time, it triggered an ‘insider threat’ alert. This alert is fairly common and is usually related to a sales agent downloading their entire Rolodex, sometimes in preparation for leaving the company
  • When corporate security interviewed the employee in question, they claimed no knowledge of the bulk download
  • The employee’s laptop was scanned and found to be clean
  • Further investigation led to the employee’s home PC, which was running outdated Windows XP, an unpatched version of Internet Explorer, and an expired virus scanner
  • The machine was infected with various bits of malware, but specifically, a modified version of the Zeus Trojan (win32/ZBot)
  • The interesting part is that the Trojan targets *.my.salesforce.com instead of banking sites
  • The attack also leveraged devices not controlled by corporate security
  • This highlights the risks involved with BYOD and allowing employees to use their home computers to access corporate applications, especially SaaS applications

Feedback:


Round Up:


Doing it Wrong | FauxShow 141
https://original.jupiterbroadcasting.net/37701/doing-it-wrong-fauxshow-141/
Thu, 23 May 2013 19:07:56 +0000

The post Doing it Wrong | FauxShow 141 first appeared on Jupiter Broadcasting.


Angela and Chris go over some projects that didn’t quite turn out the way their creators had hoped. Plus how just changing your perspective, can dramatically change what you see in a picture.



Show Notes:

Food Doing it wrong: https://www.buzzfeed.com/rachelysanders/people-worse-at-cooking-than-you-food-fails

Punography: https://www.dumpaday.com/wp-content/uploads/2013/03/funny-puns.jpg

Worst Analogies ever: https://www.c4vct.com/kym/humor/analog.htm

Pinterest Fails: https://www.buzzfeed.com/ariellecalderon/reasons-you-should-never-reenact-pinterest-photos

WTF Pics: https://www.buzzfeed.com/awesomer/photos-you-really-need-to-look-at-to-understand

close calls: https://www.buzzfeed.com/kmallikarjuna/21-incredibly-close-calls?sub=1974727_879340/

Penis Sizes: https://www.targetmap.com/viewer.aspx?reportId=3073

Find FauxShow!

  • LIVE: https://jblive.tv – 8pm Pacific – 11pm Eastern – 3am UTC
  • Facebook: https://www.facebook.com/thefauxshow
  • Twitter: https://www.twitter.com/angerz
  • G+: https://www.gplus.to/fauxshow
  • Subscribe to Jupiter Signal: https://www.bit.ly/jupitersignal
  • Jupiter Radio: https://jblive.info
  • Affiliates Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/jupiterbroadcasting/
  • Affiliates Chrome Extension: https://chrome.google.com/webstore/detail/bjekemhblnilimncanbehhjijdpjgimj
  • Donations: https://original.jupiterbroadcasting.net/donate
  • Shows & Shownotes: https://original.jupiterbroadcasting.net/show/fauxshow/

Dedupe Gone Wrong | TechSNAP 107
https://original.jupiterbroadcasting.net/36296/dedupe-gone-wrong-techsnap-107/
Thu, 25 Apr 2013 16:19:55 +0000

ZFS deduplication requires a certain amount of setup, and an understanding of some important requirements. We'll cover those and share tips to get it right.

The post Dedupe Gone Wrong | TechSNAP 107 first appeared on Jupiter Broadcasting.


Oracle patches 128 vulnerabilities, you won’t believe how many of them are critical.

Plus how twitter can solve their hacking problem, ZFS questions galore, and much much more!

On this week’s TechSNAP.

Thanks to:

Use our code tech295 to score .COM for $2.95!

35% off your ENTIRE first order just use our code go35off4 until the end of the month!




Show Notes:
