Fail2Ban – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed built Thu, 07 Nov 2019 06:27:52 +0000.

OSI Burrito Guy | BSD Now 323
https://original.jupiterbroadcasting.net/136732/osi-burrito-guy-bsd-now-323/
Thu, 07 Nov 2019 04:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/323

The post OSI Burrito Guy | BSD Now 323 first appeared on Jupiter Broadcasting.

Patch and Notify | TechSNAP 197
https://original.jupiterbroadcasting.net/75657/patch-and-notify-techsnap-197/
Thu, 15 Jan 2015 22:21:43 +0000

The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.


Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected.”
  • “Reached via phone this morning, OneStopParking.com’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with the Lizard Squad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar policy: disclose all bugs after 90 days
  • This is the result of too many vendors taking far too long to resolve bugs after they are notified
  • Researchers have found that they need to straddle the line between responsible disclosure and full disclosure, as it is irresponsible not to notify the public when it does not appear that the vendor is taking the vulnerability seriously
  • Microsoft also patched a critical Telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe Flash release addressing multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” This is because Microsoft bundles its own copy of Flash with Internet Explorer, and that copy is updated separately from the plugin other browsers use
  • In fact, if you run Chrome and Firefox on Windows alongside IE, you have three copies of Flash to keep current: the one bundled with IE, the one bundled with Chrome, and the plugin Firefox loads

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: is precise, simple, consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on Facebook or Twitter
  • Some examples:
  • What is the name of the first beach you visited?
  • What is the last name of the teacher who gave you your first failing grade?
  • What is the first name of the person you first kissed?
  • What was the name of your first stuffed animal or doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
  • Sample question scoring

SSH1tty leakage | TechSNAP 171
https://original.jupiterbroadcasting.net/62577/ssh1tty-leakage-techsnap-171/
Thu, 17 Jul 2014 17:16:40 +0000

The post SSH1tty leakage | TechSNAP 171 first appeared on Jupiter Broadcasting.


We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in Middle attack.

Plus a fantastic batch of your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword

  • Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
  • Their findings are troubling, showing problems with all of the popular services
  • “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
  • The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
  • The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
  • The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (it requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly locking the user out of other sites.
  • An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (url/username/password) they do not own with another user, needing only the card’s unique id#; since ids come from a globally unique incrementing counter they can be predicted. The same flaw allows an attacker to modify another user’s web cards once they are shared
  • “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
  • “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
  • Research Paper
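The My1login sharing flaw above is an authorization bug made worse by guessable identifiers. What follows is an added example (not code from the paper, the show, or any of the products) that puts both halves side by side in a small in-memory store: a share function that only checks the card exists, the same function with an ownership check, an edit path that only the owner may use, and card ids drawn from a counter versus from the OS random source. The CardStore class, user names and URLs are constructed for the example.

```python
import secrets


class ShareError(Exception):
    """Raised when a share or an edit is refused."""


class CardStore:
    """In-memory stand-in for a password manager's server-side table of 'web cards'
    (url/username/password). Constructed for this example; not any vendor's code."""

    def __init__(self, sequential_ids: bool):
        self.sequential_ids = sequential_ids
        self.cards = {}    # card_id -> {"owner", "url", "username", "password"}
        self.shares = {}   # card_id -> set of recipient user names
        self._counter = 0

    def new_id(self) -> str:
        if self.sequential_ids:
            # The weak design: one global counter, so every id is predictable from any other.
            self._counter += 1
            return str(self._counter)
        # 128 bits from the OS CSPRNG: no order, no neighbours, nothing to enumerate.
        return secrets.token_urlsafe(16)

    def add(self, owner: str, url: str, username: str, password: str) -> str:
        card_id = self.new_id()
        self.cards[card_id] = {"owner": owner, "url": url,
                               "username": username, "password": password}
        return card_id


def share_unchecked(store: CardStore, actor: str, card_id: str, recipient: str) -> dict:
    """Vulnerable share: confirms the card exists but never that `actor` owns it,
    so anyone who can name an id can hand that card (and its password) to anyone."""
    if card_id not in store.cards:
        raise ShareError("no such card")
    store.shares.setdefault(card_id, set()).add(recipient)
    return store.cards[card_id]


def share_owned(store: CardStore, actor: str, card_id: str, recipient: str) -> dict:
    """Fixed share: the acting user must own the card. A missing id and a card owned
    by someone else give the same error, so the response does not reveal which ids exist."""
    card = store.cards.get(card_id)
    if card is None or card["owner"] != actor:
        raise ShareError("no such card")
    store.shares.setdefault(card_id, set()).add(recipient)
    return card


def update_card(store: CardStore, actor: str, card_id: str, **fields) -> dict:
    """Fixed edit path: a recipient of a share may read the card, only the owner may
    change it (the second finding: modifying another user's card once shared)."""
    card = store.cards.get(card_id)
    if card is None or card["owner"] != actor:
        raise ShareError("no such card")
    card.update({k: v for k, v in fields.items() if k in ("url", "username", "password")})
    return card


def guess_neighbor_id(my_id: str):
    """What an attacker does with a sequential id: predict the one issued just before
    theirs. Random ids carry no structure, so there is nothing to predict from."""
    try:
        n = int(my_id)
    except ValueError:
        return None
    return str(n - 1) if n > 1 else None


if __name__ == "__main__":
    for sequential in (True, False):
        store = CardStore(sequential_ids=sequential)
        alice = store.add("alice", "https://mail.example", "alice", "hunter2")  # constructed
        mallory = store.add("mallory", "https://junk.example", "m", "pw")       # constructed
        target = guess_neighbor_id(mallory)
        print(f"sequential={sequential}: mallory holds {mallory!r}, guesses {target!r}")
        if target:
            leaked = share_unchecked(store, "mallory", target, "mallory")
            print("  unchecked share leaks:", leaked["password"])
            try:
                share_owned(store, "mallory", target, "mallory")
            except ShareError as e:
                print("  ownership-checked share refuses:", e)
```

The ownership check is the fix that matters; the random id is defence in depth, because an attacker who has somehow learned another user's card id still has to own it to share or edit it.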

How Russian Hackers stole the Nasdaq (2010)

  • In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq
  • The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
  • The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
  • “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
  • Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
  • The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
  • The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
  • Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
  • “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
  • What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
  • An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened
  • By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it
  • Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding

Tutorial: SSH MITM Downgrade Attack

  • This is a tutorial on how to perform an SSH man-in-the-middle downgrade attack
  • The attack works by tricking the user connecting to the SSH server you are intercepting into falling back to the old version 1 of the SSH protocol
  • An SSH1 host key is separate from the SSH2 host key, so the client has no saved SSH1 key for that host and the user is prompted to accept a new, different fingerprint rather than being warned about a changed one
  • Many users will blindly accept this prompt
  • If the user can be tricked into dropping to SSH1, it may be possible to steal the username and password they log in with
  • Luckily, most modern SSH servers do not allow SSH1
  • However, some clients, including PuTTY, still allow both SSH1 and SSH2, preferring SSH2 but falling back to SSH1 if that is all the (real or intercepting) server offers
  • Users are encouraged to allow only SSH2 on their servers (Protocol 2 in sshd_config) and in their clients (Protocol 2 in ssh_config, or “2 only” in PuTTY)
  • Many embedded devices still allow SSH1, including many older Cisco security appliances
  • These devices are perfect targets for this type of downgrade attack
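Whether the downgrade above can work is decided by two strings: the version banner the server advertises (RFC 4253 uses SSH-1.99 for a server that speaks both versions, SSH-2.0 for version 2 only, and SSH-1.x for version 1 only) and the version list the client is willing to accept. The block below is an added example, not part of the show’s tutorial or of any SSH implementation, that classifies banners so you can audit which of your hosts still offer version 1, and simulates the client’s choice to show why a “prefer 2, allow 1” client (PuTTY’s default) is pushed onto SSH1 by an interceptor while a “2 only” client refuses the connection. The sample banners and the `probe()` helper are constructed for this example.

```python
import re
import socket

# Identification string per RFC 4253 section 4.2: SSH-protoversion-softwareversion [comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def server_versions(banner: str) -> set:
    """Protocol major versions a server's banner offers. "1.99" is the RFC 4253
    convention for a server that speaks both 1 and 2; any other 1.x is v1 only."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return set()
    proto = m.group("proto")
    if proto == "1.99":
        return {1, 2}
    if proto == "2.0":
        return {2}
    if proto.startswith("1."):
        return {1}
    return set()


def offers_v1(banner: str) -> bool:
    """Server-side audit: anything that still offers v1 belongs on the Protocol 2 to-do list."""
    return 1 in server_versions(banner)


def negotiate(server_banner: str, client_prefs=(2, 1)):
    """Version the client ends up using: the first entry in its preference order that
    the server also offers, or None (connection refused) when there is no overlap.
    (2, 1) models "prefer 2, allow 1"; (2,) models a client locked to protocol 2."""
    offered = server_versions(server_banner)
    for v in client_prefs:
        if v in offered:
            return v
    return None


# Constructed: the banner an interceptor shows the client in place of the real one.
MITM_BANNER = "SSH-1.5-OpenSSH_3.9p1"


def downgrade_succeeds(client_prefs=(2, 1)) -> bool:
    """True when a man in the middle presenting MITM_BANNER gets the client onto SSH1."""
    return negotiate(MITM_BANNER, client_prefs) == 1


def probe(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line a live server sends. Assumed helper for checking
    your own hosts; nothing else in this block touches the network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace").strip()


# Constructed sample banners
SAMPLE_BANNERS = {
    "old appliance":  "SSH-1.99-Cisco-1.25",
    "modern OpenSSH": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "legacy v1 host": "SSH-1.5-OpenSSH_3.9p1",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:15} {banner:42} offers v1: {offers_v1(banner)}")
    for prefs in ((2, 1), (2,)):
        outcome = "succeeds" if downgrade_succeeds(prefs) else "fails"
        print(f"client prefs {prefs}: downgrade {outcome}")
```

Against a real host, `offers_v1(probe("host"))` tells you whether that server still advertises version 1; the negotiation half shows that the client setting is what actually closes the attack, since the interceptor controls what banner the client sees regardless of what the real server speaks.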

NSA SSLeaze | TechSNAP 127
https://original.jupiterbroadcasting.net/43067/nsa-ssleaze-techsnap-127/
Thu, 12 Sep 2013 16:59:20 +0000

The post NSA SSLeaze | TechSNAP 127 first appeared on Jupiter Broadcasting.


A mobile provider is hacked, customer records are breached, and the authorities suspect it was an inside job, we’ll share the details.

Then we’ll discuss the NSA induced crisis of trust we now collectively share, plus your questions, our answers, and much much more!

On this week’s TechSNAP!

Thanks to: GoDaddy, Ting


— Show Notes: —

Vodafone Germany breached, possibly by insiders

  • The internal servers of Vodafone Germany were compromised, and data for over 2 million customers was stolen
  • The breach only disclosed information on German customers, who will be notified by mail
  • The way the attackers managed to compromise the servers suggests they had help from an insider
  • Vodafone turned their evidence over to German police, “An individual has been identified by the police and their assets have been seized.”
  • Compromised data: customer names, addresses, gender, birth date, bank account numbers and bank sort codes
  • Other data including phone numbers, credit card numbers and passwords are currently thought to be safe. “No personal call information or browsing data was accessed by the attacker”
  • The attack was originally discovered on September 5th, however Police asked the company to withhold the notification while they executed their investigation and made arrests and seizures
  • “German news agency DPA reported that the suspect had worked for a contractor of the company and was not a Vodafone employee”
  • Additional Coverage
  • Vodafone is advising customers to be on the lookout for targeted Phishing scams that might use the personal information gained from this attack to make successful attacks against the victims and their banking and credit card accounts
  • EU data breach notification law


Secure Your Linux Box | LAS | s24e03
https://original.jupiterbroadcasting.net/26666/secure-your-linux-box-las-s24e03/
Sun, 28 Oct 2012 13:26:09 +0000

The post Secure Your Linux Box | LAS | s24e03 first appeared on Jupiter Broadcasting.


Tips, tricks, and software to secure your Linux desktop, laptop, or server. Most people think antivirus software when we say desktop security. This week, we’ll show you that there is a lot more to securing your Linux box than installing ClamAV!

Plus: Valve opens the floodgates, and we run down the community resources cropping up for future Steam beta testers, plus the cool new Linux hardware and games on the way!

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to: GoDaddy.com



Show Notes:

Secure Your Linux Box:


Brought to you by: System76

Matt’s Protecting Your Ubuntu Desktop Article


Chris’ Stash:

  • Unfilter is looking for foreign correspondents!


Stuffed War Stories | TechSNAP 33
https://original.jupiterbroadcasting.net/14267/stuffed-war-stories-techsnap-33/
Thu, 24 Nov 2011 22:57:28 +0000

The post Stuffed War Stories | TechSNAP 33 first appeared on Jupiter Broadcasting.


Microsoft’s flawed code signing infrastructure puts your machine at risk, find out how.

A batch of great audience submitted questions, and we share a few IT war stories!

All that and more, on this week’s TechSNAP!

Thanks to: GoDaddy.com


Show Notes:

AT&T customer data targeted in attack

  • The attackers used automated scripts to attempt to determine if phone numbers were linked to AT&T online accounts
  • Attempts were made against approximately 1 million of AT&T’s 100 million customers
  • The attackers appeared to already have a database of usernames and passwords, and were attempting to use brute force to link those credentials to phone numbers in order to gain access to the accounts
  • AT&T appears to lack any type of intrusion detection, or any automated defence that blocks a source after many failed login attempts. The attempts were most likely spread across many IP addresses rather than launched from a single one, but the aggregate failure rate should still have tripped an alarm well before 1 million accounts had been tried
  • AT&T does not believe attackers were able to gain access to any accounts, but they are still investigating

South Korea blocks young gamers after midnight

  • The so-called Cinderella law blocks users under the age of 16 from accessing online games after midnight
  • The articles are unclear about exactly how this is accomplished, but it appears it is enforced by the online gaming sites themselves, and teens using accounts created with their parents identities are not blocked
  • In South Korea, most websites require you to enter your national ID card number. Comments on sites cannot be left anonymously (previously covered on TechSNAP 23 )
  • Is this a sign of the level of censorship we can look forward to in the future?

RSA 512-bit SSL certificates abused in the wild

  • SSL certificates signed by a few authorities (which have since had their trust revoked) have had their private keys factored
  • Once you possess the private key for an SSL certificate, you can use it to impersonate that site, and to exercise any other capability the certificate carries
  • It was originally thought that the private keys were merely stolen by malware, but factoring a 512-bit RSA modulus has become somewhat trivial, taking only days or weeks on a reasonable cluster of modern machines. With malware authors having access to large botnets, or to cloud computing platforms like Amazon EC2, these certificates can no longer be considered safe
  • A number of other vulnerable certificates were identified, many coming from DigiNotar, the certificate authority that was compromised by attackers and has since had its trust revoked and gone out of business.
  • Almost all SSL certificate authorities now require at least a 2048-bit RSA key for new certificates
  • A normal HTTPS certificate carries a Key Usage extension that limits the key to digital signatures and key encipherment, and an Extended Key Usage extension that limits it to proving its identity as a TLS server or client
  • The problem with the certificates issued by the Digisign Server ID CA is that they lacked these key usage definitions and constraints, so they could be used for any purpose, including signing software. They also lacked a properly defined CRL (Certificate Revocation List) distribution point, so there was nothing for a relying party to check a revocation against
  • The factored certificates were used to code-sign malware, removing or lessening the warnings Windows shows when the code is executed
  • The compromised certificates have been used as far back as March 2010, and Microsoft did not act until recently, revoking trust in the CA. Microsoft will still accept 512-bit certificates that lack proper usage definitions or constraints
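To turn the findings above into a check you can run against a certificate you have been handed, here is an added example (not from the show, Microsoft, or any CA) using the Python `cryptography` library. `audit_certificate()` flags an RSA key under 2048 bits, a missing Key Usage or Extended Key Usage extension (either of which leaves the key usable for code signing by a lax verifier), an EKU that explicitly permits code signing, and a missing CRL distribution point. `make_cert()` builds self-signed test certificates in both the weak and the constrained shape so the check can be exercised offline; the subject name and CRL URL are constructed, and the 512-bit key is generated only to reproduce the weak shape.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

MIN_RSA_BITS = 2048


def audit_certificate(cert: x509.Certificate) -> list:
    """Findings a relying party should raise for a server certificate: small RSA key,
    missing usage constraints, code-signing capability, no revocation pointer."""
    findings = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"rsa-key-too-small:{pub.key_size}")
    exts = cert.extensions
    try:
        ku = exts.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        if ku.key_cert_sign:
            findings.append("key-usage-allows-cert-signing")
    except x509.ExtensionNotFound:
        findings.append("no-key-usage")            # key may be used for anything
    try:
        eku = exts.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        if ExtendedKeyUsageOID.CODE_SIGNING in eku:
            findings.append("eku-allows-code-signing")
    except x509.ExtensionNotFound:
        findings.append("no-extended-key-usage")   # no purpose restriction at all
    try:
        exts.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        findings.append("no-crl-distribution-point")  # nothing to check revocation against
    return findings


def audit_pem_file(path: str) -> list:
    """Same check for a PEM certificate on disk."""
    with open(path, "rb") as f:
        return audit_certificate(x509.load_pem_x509_certificate(f.read()))


def make_cert(key_size: int, constrained: bool) -> x509.Certificate:
    """Self-signed test certificate. constrained=False reproduces the problem shape:
    no Key Usage, no Extended Key Usage, no CRL distribution point."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])  # constructed
    start = datetime.datetime(2011, 11, 1)
    b = (x509.CertificateBuilder()
         .subject_name(name).issuer_name(name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(start)
         .not_valid_after(start + datetime.timedelta(days=365)))
    if constrained:
        b = b.add_extension(x509.KeyUsage(
            digital_signature=True, key_encipherment=True, content_commitment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        b = b.add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],  # constructed
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print("weak 512-bit, unconstrained:", audit_certificate(make_cert(512, False)))
    print("2048-bit, constrained:     ", audit_certificate(make_cert(2048, True)))
```

A clean result from `audit_certificate()` only says the certificate is shaped correctly; chain validation, name matching and an actual revocation check are still the TLS stack's job.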

Feedback:

Q: Do you guys trust Internet aggregator services?
A: It depends on the level of security they employ. Most of these sites are not very forthcoming with details on how they secure your data, or even how they work. A better solution would be something like OAuth to allow you to grant only certain permissions to each specific site, and allow you to easily revoke a site’s access to your accounts.

Q: SSH on Port 2222?
A: Using a different port does reduce the number of attacks from automated bots, but it will not stop anyone targeting you specifically. The solution is always to use a protection system such as DenyHosts, SSHGuard or Fail2Ban. Also, if it makes sense in your setup, disable password authentication entirely, and only use SSH keys. Note: you should still use DenyHosts to prevent an aggressive botnet from bogging down your SSH server so legitimate users cannot log in. This used to happen to one of my servers that had 250 IP addresses; the bots would attack each IP at the same time, creating 1000 SSH connections at once.
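Both the AT&T story above (attempts spread across many sources, which no per-IP rule would catch) and the DenyHosts/SSHGuard/Fail2Ban answer come down to the same log-watching logic. The block below is an added example, not Fail2Ban’s code or anything from the show, that runs two rules over constructed OpenSSH auth-log lines: a Fail2Ban-style per-source ban (maxretry failures within findtime seconds) and an aggregate rule that counts failures per minute across all sources, which is the signal the per-IP rule never sees when each bot tries only once. The hostnames, addresses and log lines are constructed, and the log year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches an OpenSSH "Failed password" line as sshd writes it to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
LOG_YEAR = 2011  # assumed: syslog timestamps carry no year


def parse_failures(lines):
    """Return (time, user, ip) for every failed-password line, sorted by time."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def per_ip_bans(events, maxretry=5, findtime=600):
    """Fail2Ban-style rule: ban a source that fails maxretry times within findtime
    seconds. Returns {ip: time of ban}."""
    recent = defaultdict(deque)
    banned = {}
    window = timedelta(seconds=findtime)
    for ts, _user, ip in events:
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def distributed_alerts(events, threshold=20):
    """Aggregate rule: count failures per minute across ALL sources and alert when
    the total reaches threshold, however many addresses the attempts came from."""
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[ts.replace(second=0)].append((user, ip))
    alerts = []
    for minute in sorted(buckets):
        hits = buckets[minute]
        if len(hits) >= threshold:
            alerts.append({"minute": minute, "failures": len(hits),
                           "sources": len({ip for _, ip in hits}),
                           "accounts": len({u for u, _ in hits})})
    return alerts


# Constructed sample log: one noisy source hammering root, one unrelated success,
# then a botnet of 30 addresses each trying one account once inside a single minute.
SAMPLE_LOG = [
    "Nov 24 10:00:05 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Nov 24 10:00:35 gw sshd[4102]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Nov 24 10:01:05 gw sshd[4103]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Nov 24 10:01:35 gw sshd[4104]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Nov 24 10:02:05 gw sshd[4105]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Nov 24 10:02:35 gw sshd[4106]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2",
    "Nov 24 10:02:40 gw sshd[4107]: Failed password for root from 203.0.113.5 port 40006 ssh2",
]
for i in range(30):
    SAMPLE_LOG.append(
        f"Nov 24 10:05:{i:02d} gw sshd[{4200 + i}]: Failed password for invalid user "
        f"user{i:02d} from 192.0.2.{i + 1} port 50{i:03d} ssh2"
    )

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", per_ip_bans(evs))          # only 203.0.113.5
    print("aggregate alerts:", distributed_alerts(evs))  # the 10:05 minute, 30 sources
```

The per-IP rule is what Fail2Ban and DenyHosts give you out of the box and it stops the noisy host in the sample; the botnet minute never trips it because every address fails exactly once, which is why an account-wide or system-wide failure rate needs to be watched as well.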

Q: Why not just one boot loader to rule them all?

Q: How do I get started in Tech Support?

War Story

Administering a Windows Server with your eyes closed

When ScaleEngine first started, we were in a much smaller local data center. One of the disadvantages of this data center was that they did not provide KVM carts; in order to work on a server, you had to remove it from the rack and take it over to a little desk in the corner with a monitor and keyboard, but no network connection. At our new data center, we have KVM carts we can take over to our rack to work on servers without disconnecting them. If we need to disassemble the server, they provide a nice large quiet work area with ample power, ethernet drops and free coffee.

I had just built two new Windows 2008 R2 servers for one of our clients, and had installed them in the rack. Got them up and running, and they were serving their websites fine. However, I was not able to connect via Remote Desktop. How had I forgotten to enable remote desktop…

I really did not feel like waiting for the server to shut down (Windows servers take an extremely long time to shut down, partly because they overwrite the entire swap file for security reasons), then removing the server from the rack again, waiting for it to boot up, changing the settings, shutting down, etc.

So, I grabbed our spare USB keyboard and connected it to the server in the rack. Balancing the keyboard on my left hand, while typing with only my right, with no monitor. I waited 30 seconds for Windows to detect the keyboard, and then entered Control+Alt+Delete to open the login prompt. I heard the drive start ticking as it loaded the desktop, so I gave it a few minutes. Once I was logged in, Windows+R to open the run prompt, and started cmd.exe. Then I issued the following commands, which I had arduously looked up on my old cell phone’s very limited browser.

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
netsh firewall add portopening TCP 3389 RDesktop enable any

I issued each command twice, in case I might have made a typo, even though I was typing as carefully and slowly as I could, doing it with one hand on an unsteady keyboard. Then to test it, I used PocketPuTTY on my cell phone to SSH into one of my servers, and used netcat to see if port 3389 was open. It was. So I repeated the same procedure on the second Windows server and again verified it via my cell phone before packing up and leaving the data center.

And that is how I administered a pair of Windows servers with my eyes closed.
