HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Links

• Virtual Private Surveillance | TechSNAP 248
• Internet of Threats | TechSNAP 249
• Pay to Boot | TechSNAP 260
• Insecure Socket Layer | TechSNAP 265
• Curl Sleeper Agent | TechSNAP 266
• Signature Bloatware Updates | TechSNAP 270
• Internet Power Struggle | TechSNAP 277

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Researcher accidently roots Microsoft Azure’s Redhat Update Infrastructure servers

• “I was tasked with creating a machine image of Red Hat Enterprise Linux that was compliant to the Security Technical Implementation guide defined by the Department of Defense.”
• “This machine image was to be used for both Amazon Web Services and Microsoft Azure. Both of which offer marketplace images which had a metered billing pricing model. Ideally, I wanted my custom image to be billed under the same mechanism, as such the virtual machines would be able to consume software updates from a local Red Hat Enterprise Linux repository owned and managed by the cloud provider.”
• “Both Amazon Web Services and Microsoft Azure utilise a deployment of Red Hat Update Infrastructure for supplying this functionality.”
• “There is only one Red Hat Update Appliance per Red Hat Update Infrastructure installation, however, both Amazon Web Services and Microsoft Azure create one per region.”
• “Both Amazon Web Services and Microsoft Azure use SSL certificates for authentication against the repositories. However, these are the same SSL certificates for every instance.”
• “On Amazon Web Services having the SSL certificates is not enough, you must have booted your instance from an AMI that had an associated billing code. It is this billing code that ensures you pay the extra premium for running Red Hat Enterprise Linux.”
• “On Azure it remains undefined how they manage to track billing. At the time of research, it was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available.”
• “On Azure to setup repository connectivity, they provide an RPM with the necessary configuration. The installation script it references comes from the following archive. If you expand this archive you will find the client configuration for each region.
• The post goes over how the hostnames for all of the Update Appliances were discovered
• “The build host is interesting rhui-monitor.cloudapp.net, at the time of research running a port scan revealed an application running on port 8080.”
• “Despite the application requiring username and password based authentication, It was possible to execute a run of their “backend log collector” on a specified content delivery server. When the collector service completed the application supplied URLs to archives which contain multiple logs and configuration files from the servers.”
• “Included within these archives was an SSL certificate that would grant full administrative access to the Red Hat Update Appliances”
• So now, the researcher could access each Update Appliance with full administrative access, create new packages, or newer versions of common packages, that include a backdoor. Every Redhat VM on the entire cloud provider would then install this “important security update”, giving the attack full access to every machine
• “Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.”
• Even if gpgcheck was enabled, it is likely that the GPG key would be exposed to the administrator of the update appliance
• “The issue was reported in accordance to the Microsoft Online Services Bug Bounty terms. Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net. Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets.”

Newly discovered router flaw being hammered by in-the-wild attacks

• “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.”
• “Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.”
• “SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.”
• “The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.”
• “The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.”
• Exploit Code
• “To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices”
• “The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:”
  • busybox iptables -A INPUT -p tcp –destination-port 7547 -j DROP
• busybox killall -9 telnetd
• “which should make the device “secure”… until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
• So while exploited routers will stop being vulnerable to other attackers, they will be harder for the ISP to fix properly
• ISPs could help protect their customers, and their own command-and-control of customers’ routers, by blocking inbound port 7547 from outside of their network

Hack Windows 10 by holding down Shift+F10

• “Every Windows 10 in-place Upgrade is a SEVERE Security risk”
• During the update process, when the computer boots into the updater, holding Shift+F10 will pop a command prompt, running as SYSTEM, the highest privilege level possible on windows.
• What makes this worse, is that this happens after the volume encryption keys have been loaded, so even bitkeeper encrypted disks are vulnerable to access by unauthorized people
• “This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.”
• “There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video.”
• “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software.”
• Additional Coverage: BleepingComputer
• “In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update, even if a user is not present, or has logged on for a long period of time.”
• “At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.”
• “Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.”
• “The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades”
• “Furthermore, Laiho says that Windows SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.”
• The Police could use this on seized laptops, just keep the machine offline until the next “feature update”, then pop a command prompt during the installation, and have unrestricted access to the encrypted disk.

Feedback:

• Chris’ MeetBSD Road Trip Videos

• MeetBSD Videos

• Two Factor authentication

• All eggs in one basket

• VMDKs on ZFS vs. ZFS on VMDKs

• ZFS Send/Receive Question

• Backblaze Hard Drive Failure Rates for Q3 of 2016

• HGST drives still the most reliable
• Seagate ST4000DM000 still the most plentiful, good reliability, great SMART data
• WD drives still hard to get in quantity
• BackBlaze continued its migration from 2TB to 8TB drives. Resulting in the first time they have ever had fewer drives than the previous quarter.
• Replacing 4400 2TB drives with 5100 8TB drives, turned 9 PB into 40 PB

Round Up:

• Ransomware creep accidentally hijacks San Francisco Muni, won’t give it back
• San Francisco Rail System Hacker Hacked
• UK’s new Snoopers’ Charter just passed an encryption backdoor law by the backdoor
• The GeoCities cagge at the Exodus data center, circa 1999
• FBI to gain expanded hacking powers as Senate effort to block fails
• Exploiting a game to create a software updater
• AWS launches Amazon Lightsail, a DigitalOcean killer offering $5 virtual private servers
• SSH using Certificates
• AWS launches Shield to protect web applications from DDoS attacks
• The Internet Archive (archive.org) is creating a complete backup of its 15 Petabytes of data in Canada, to shield it from the US government
• Plex Gets Its Own Kodi Add-On
• Schneier: The Key to IoT Security Incentives
• Slack client for Commodore 64
• ClickClickClick dot Click

The post Shift+F10 and Done | TechSNAP 295 first appeared on Jupiter Broadcasting.

This week, the FBI says APT6 has pawned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

FBI says APT6 has pwning the government for the last 5 years

• The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
• The official advisory is available on the Open Threat Exchange website
• The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
• In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
• Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.
• “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
• Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is ”likely a nation-state sponsored group based in China,” according to FireEye, which ”has been dormant for the past several years.”
• Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

• After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
• A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
• The investigation centres on a Monaco company called Unaoil.
• Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
• The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
• Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now know as MAN Diesal & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
• The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
• The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
• It is the Monaco company that almost perfected the art of corruption.
• It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
• How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
• Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
• On a semi-related note, another big story for you to go read:
• How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

• No, not that kind of Visa, the other one.
• Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
• This has very important security considerations, as the application process for getting a visa is when most security checks are done
• Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter –- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
• Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
• After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database –- the government’s so-called “backbone” for vetting travelers to and from the United States –- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
• As one of the world’s largest biometric databases –- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -– the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
• “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
• Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
• State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
• “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:

• SSH key protection

• Router Thoughts from Allan

• rmh from the chatroom asks…

Round Up:

• Microsoft Sues Justice Department Over Client Data Gag Orders
• Root cause analysis of a recent Flash zero day
• Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key
• After an outage, an Australian mobile provider credited customers with a single day of unlimited data usage. One customer managed to use 994 GB of mobile usage in a single day
• Sophisticated bribe scheme gets game company with access to antivirus whitelist to falsely list malware was trusted
• Microsoft releases optional Windows update to mitigate “mousejacking”, where an attacker can take over your wireless mount and keyboard from up to 100 meters away
• Github commits can now be GPG signed to prove their authenticity
• If you can’t break crypto, break the client. Recovery of plaintext from iMessage
• Renting a movie on your iOS device might free up some space for you
• The Italian Ministry of Economical Progress has revoked “HackingTeam”’s licence to export their Galileo remote control software outside of the EU, must ask special permission for each sale
• Laziness remains the greatest enemy of password security
• The “All Prior Art” project seems to machine generate every possible patent and release it under a creative commons license, so it can never be patented by anyone else. The ultimate reverse patent troll?
• How to identify a vehicle at risk of collisions

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.

The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.

Plus a great batch of questions, a rockin’ round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

OpenZFS Dev Summit

• Earlier this week the OpenZFS Developers Summit was held, as well as the 10th Anniversary party for the open sourcing of ZFS
• The first day consisted of networking and presentations
• Videos:
  • Opening Keynote and OpenZFS Success Stories
  • OpenZFS Internals
  • Masked ZFS Send, and ZFS Send Compression
  • Live Migration of NFS shares with Zmotion
  • The birth of ZFS, with Jeff Bonwick
  • Declustered RAID
  • Eager Zero, improving performance on AWS and VMWare
  • Compressed ARC
  • Discontiguous Caching with ABD
  • Dedup Ceiling, Persistent L2ARC, and ZFS native TRIM/UNMAP
  • Sandboxing ZFS on Linux
  • Metadata Allocation Classes, and Ztour
  • Writeback Caching
  • Story Time / Q and A with Matt and Jeff
• The second day was a hackathon at Github’s offices. People worked on a number of different projects, and Nexenta provided prizes to the projects voted to be the best prototypes
• Hackathon Presentations
• During the hackathon, I worked on a new feature of ZFS to make it easier to tell what command line features the current version of ZFS supports, so my replication script can determine if a new feature is supported or not

Researchers warn about flaws in NTP

• NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc)
• “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
• Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stopping checking the time altogether
• “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
• “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
• Post by researchers
• PDF: Full research paper
• The researchers outline 4 different attacks against NTP:
  • Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
  • Attack 2 (Denial of Service by Priming the Pump)
  • Attack 3 (Timeshifting by Reboot)
  • Attack 4 (Timeshifting by Fragmentation)
• It is recommended you upgrade your version of NTP to ntp-4.2.8p4
• “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
• The paper goes on to describe the amount of error that needs to be induced to cause a problem:
  • TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
  • HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”, for sanity’s sakes, this header has an expiration date set some time in the future, usually a year. If you forward the clock past then, you can trick a browsers into accepting an insecure connection.
  • DNSSEC: months.
  • DNS Caches: days.
  • Routing (if security is even enabled): days
  • Bitcoin: hours
  • API Authenticate: minutes
  • Kerberos: minutes
• Alternatives:
  • Ntimed
  • OpenNTPd
    • Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from that, ignore that time server as it might be malicious
  • tlsdate
  • NTPSec (a fork of regular NTP being improved)
• Additional Coverage: ArsTechnica

Adobe and Oracle release critical patches

• Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
• All users should upgrade to Flash 19.0.0.226
• If you are worried, consider switching Flash to Click-to-Play mode
• Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
• “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
• All users are strongly encouraged to upgrade to Java 8 Update 65
• Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
• “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
• “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”

Feedback:

• Bandwidth vs the speed of light

• Unison and an encrypted remote-mounted filesystem

• ZFS pool configuration

• Chinese woman made platform shoes for penetration testing

Round up:

• Android 6.0 re-implements mandatory storage encryption for new devices
• A tale of software maintenance, or lack there of
• Apple’s claim of unbreakable iMessage encryption ‘basically lies’
• To follow up last weeks news that Zerodium/VUPEN will pay $1 – $3 million for an iOS 9 jailbreak, if they can keep it private, PANGU released their Jailbreak for 9.0 – 9.0.2 to the public
• Apple tells US Court that “accessing data stored on a locked iPhone would be “impossible” with devices using its latest operating system (iOS8 at the time)”
• Yahoo mail app for mobile is getting rid of passwords, and using push notifications for authentication
• Remote code exec hijack hole found in Huawei 4G USB modems
• Don’t be fooled by fake online reviews, part 2
• Teen Who Hacked CIA Director’s Email Tells How He Did It
• Cisco TALOS offers expert assistance to any hosting provider to finds they are hosting malicious content or actors
• Tim Berners-Lee warns Facebook against creating a walled garden, “don’t you dare make a phone that can only go to facebook.com.”
• Google switches to BoringSSL, but they don’t recommend that you do
• Battery Tests Find No iPhone 6s Chipgate Problems – Consumer Reports
• XVWA (Xtreme Vulnerable Web Application) is a PHP/MySQL application purposely built with one of each different type of classic vulnerability, to help security enthusiasts learn about application security

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.

How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers.

Plus a great batch of your questions, a rocking round-up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

How might the NSA be breaking crypto?

• “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
• “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
• PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
• “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
• “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
• “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
• “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
• “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
• “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
• “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
• “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
• If the NSA has precomputed just one DH 1024 group, they would be able to compromise 37% of the HTTPS traffic to the top 1 million sites using an active downgrade attack. If they have precomputed the ten most popular DH 1024 groups, that number increases to 56%
• When applied to VPNs, the single most popular DH 1024 group would comprise 66% of all traffic. For SSH, the number is 25%. For both VPN and SSH, the top 10 does not increase the likelihood of compromise, this suggests that outside of a specific very popular 1024 bit group, most other sites do not reuse the same group as others.
• “we performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, near all provided Oakley Group 2 rather than a custom group”
• Recommendations from the paper:
  • Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
  • Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
  • Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
  • Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
• “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
• Additional information from the researchers site WeakDH.org
• Sysadmin’s guide to securing your servers

• https://www.onlinemeetingnow.com/register/?id=pmsy0fu2ck&inf_contact_key=c3de960e4fc660a9c3744ecc74a608bdde91a80fc9d58288c71bfd6d9c0209ad

Fresh Zero Day exploit against fully patched Adobe Flash

• Just last week, we were commenting on how quiet things have been on the Adobe Flash front
• Sorry for jinxing it for everyone
• This zero day exploit even affects Flash version 19.0.0.207 which was released on Tuesday
• Adobe expects to release a patch that fixes the Zero day some time next week
• “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
• “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
• “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
• In this wave of attacks, the emails were about the following topics:
  • “Suicide car bomb targets NATO troop convoy Kabul”
• “Syrian troops make gains as Putin defends air strikes”
• “Israel launches airstrikes on targets in Gaza”
• “Russia warns of response to reported US nuke buildup in Turkey, Europe”
• “US military reports 75 US-trained rebels return Syria”
• The most startling thing here is that you would not expect government employees to get such news via email, so they should know better than to fall for emails with these subjects or follow links with such headlines.
• “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
• It will be interesting to see if any of the exploit kits manage to pick up this Zero-day before the patch is released
• This attack is currently focused on the government, and the attackers likely want to keep their zero-day to themselves
• Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the exploit, and see this added to the regular exploit kits
• Additional Coverage: Krebs

Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats

• “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
• “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
• “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
• “”Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,” an NSA document, which was declassified several years ago, concluded. “It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.” The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.”
• “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
• “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
• “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
• “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
• “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
• “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
• “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
• I thought this was an interesting example of how espionage works and how hard it can be to detect

Feedback:

• 2gbps with direct connections?
  • ifconfig lagg0 create
  • ifconfig lagg0 laggproto roundrobin laggport igb0 laggport igb1
  • ifconfig lagg0 192.168.101.1/24

• VLAN Basics

• PHP-FPM Tweaking

• Remote PC power on
  • APC AP7900 is $600+, but can be cheap on ebay

Round Up:

• Security researcher claims $24k bounty from Microsoft for Hotmail hack
• Turning the FCC’s proposal around, a coalition of 260 security researchers want the FCC to REQUIRE that all router firmwares be open source
• University of Cambridge study finds 87% of Android devices are insecure
• Flaw in Kaspersky’s “Network Attack Blocker” could allow an adversary to trick your firewall into blocking traffic from any address, including Kaspersky and Windows update
• “USB Killer” flash drive can fry your computer’s innards in seconds
• OpenZFS adds new hashing algorithms: SHA512/256, Skein, and Edon-R … and RESUMABLE ZFS REPLICATION!!!!
• EMC agrees to buyout by Dell
• Web Authentication Arms Race — A tale of two security experts
• Windows 10 start menu to include ads for “suggest apps”
• Statically Linking a Windows Kernel Driver as an ELF — A FireEye challenge
• Kemoge: Another Mobile Malicious Adware Infecting Over 20 Countries
• Researcher sets up a DigitalOcean droplet with the shellshock vulnerability, and watches what happens
• Company offers up to $3 million for jailbreak of new “rootless” iOS9
• An XSS vector containing no letters

The post National Security Breaking Agency | TechSNAP 236 first appeared on Jupiter Broadcasting.

D-Link publishes its private code signing keys, exploiting Windows Symbolic Links & why encryption is not sufficient protection.

Plus some great questions, our answers, a rockin roundup & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

D-Link accidentally publishes its private code signing keys

• As part of its GPL license complain, D-Link makes its firmware source code available for many of its devices
• “He had purchased the DCS-5020L-surveillance camera from D-Link and wanted to download the firmware. D-Link firmware source code of many open source under a GPL license available.”
• “When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link”
• “In fact, in some batch files were the commands and pass phrases that were needed.”
• The certificates have already been revoked
• Fox-IT confirms: “The code signing certificate is indeed in the firmware packages, firmware version 1.00b03 released February 27 of this year, was released this certificate was therefore issued for expired, a big mistake.”
• We’ll have to cover this in more detail once more information is available, in English

“Investigating the Computer Security Practices and Needs of Journalists”

• A survey found that 50% of journalists do not use any security tools
• Those that do, may not realize that the tools they are using are ineffective, or that the way they are using them hurts their security
• “Observation: The computer security community builds a lot of tools that might be useful for journalists, but we don’t deeply understand the journalistic process!”
• “I report on unauthorized immigrants a great deal and have concerns about how to communicate with them without putting them at risk. That said, asking them to use encrypted methods of communication I think would create a greater sense of threat about talking to me and make it more difficult to report. Many are also not extremely computer-savvy. This is something I struggle with a great deal”
• “Objective: Conduct in-depth interviews with full-time journalists at recognized media organizations operating across a range of media, including print, digital, broadcast and wire services”
• Figure out the typical workflow for a journalist, model security tools that work with them, instead of forcing them to a workflow dictated by the tools
• Findings:
  • “Audio recording and digital note-taking were primary forms of interview documentation.”
  • “Many participants use third-party cloud services, but few voiced concern about possible security risks”
  • Long-term sources are common
• Sources like Snowden, a big one-time data dump, are rare
• Security Concerns:
• Negative effects on source
• Loss of credibility if source information was exposed
• Government identification of sources
• Disciplinary actions (e.g., losing job)
• Loss of competitive advantage
• Potential financial consequences
• The project found that in most cases of a journalist using security tools, it was because the source requested it, or because the journalist had had specific security training
• “A lot of services out there say they’re secure, but having to know which ones are actually audited and approved by security professionals — it takes a lot of work to find that out.”
• “There were different kinds of litigation software that I was familiar with as a lawyer, where, let’s say, you have a massive case, where you have a document dump that has 15,000 documents. […] There are programs that help you consolidate and put them into a secure database. So it’s searchable [and provides a secure place where you can see everything related to a story at once]. I don’t know of anything like that for journalism.”
• It will be interesting to see what comes out of this research

Exploiting Windows Symbolic Links

• “For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context.”
• “Symbolic links in themselves are not vulnerabilities, instead they’re useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use.”
• A time-of-check time-of-use vulnerability works like this:
  • You setup a symlink to a file you are allowed to access
  • You try to access a resource
  • The software checks that you are allowed to access the resource, you are
  • You quickly re-target the symlink to something else
  • You try to access the resource, and the software allows you, since it has already checked that you are allowed
  • You now have access to a resource you should not
• “This blog post contains details of a few changes Microsoft has made to Windows 10, and now back ported (in MS15-090) as far back as Windows Vista which changes who can use certain types of symbolic links. There’s not been many mitigations of this type which get back ported to so many older versions of Windows. Therefore I feel this is a good example of a vendor developing mitigations in response to increased attacks using certain techniques which wouldn’t have traditionally been considered before for mitigations.”
• Almost everything in the Windows file system is a symbolic link. Even C: is actually a symbolic link to \Device\HarddiskVolume4 (since NT 3.1)
• Microsoft has released three new mitigations:
• “Registry Key Symbolic Link Mitigation (CVE-2015-2429) — The simplest mitigation implementation is for registry keys. Effectively a sandboxed process is not allowed to ever create a registry key symbolic link. This is implemented by calling RtlIsSandboxToken function when creating a new key (you need to specific a special flag when creating a key symbolic link). It’s also called when setting the SymbolicLinkValue value which contains the link target. This second check is necessary to prevent modifying existing symbolic links, although it would be unlikely to be something found on a real system.”
• “Object Manager Symbolic Link Mitigation (CVE-2015-2428) — If an application tries to create an object manager symbolic link from a sandbox process it will still seem to work, however if you look at where the check is called you’ll find it doing something interesting. When the symbolic link is created the RtlIsSandboxToken function is called but the kernel doesn’t immediately return an error. Instead it uses it to set a flag inside the symbolic link kernel object which indicates to the object manager a sandboxed process has created this link. This flag is then used in the ObpParseSymbolicLink function which is called when the object manager is resolving the target of a symbolic link. The RtlIsSandboxToken is called again, if the current caller is not in a sandbox but the creator was in a sandbox then the kernel will return an error and not resolve the symbolic link, effective making the link useless for a sandboxed to unsandboxed elevation.”
• “NTFS Mount Point Mitigation (CVE-2015-2430) — The final mitigation is for NTFS mount points. In early technical previews of Windows 10 (I first spotted the change in 10130) the check was in the NTFS driver itself and explicitly blocked the creation of mount points from a sandboxed process. Again for presumably application compatibility reasons this restriction has been relaxed in the final release and the back ported mitigations. Instead of completely blocking creation the kernel function IopXxxControlFile has been modified so whenever it sees the FSCTL_SET_REPARSE_POINT file system control code being passed to a driver with a mount point reparse tag it tries to verify if the sandboxed caller has write access to the target directory. If access is not granted, or the directory doesn’t exist then setting the mount point fails. This ensures that in the the majority of situations the sandboxed application couldn’t elevate privileges, as it could already write to the directory already. There’s obviously a theoretical issue in that the target could later be deleted and replaced by something important for a higher privileged process but that’s not very likely to occur in a practical, reliable exploit.”
• “These targeted mitigations gives a clear indication that bug hunting and disclosing the details of how to exploit certain types of vulnerabilities can lead into mitigation development, even if they’re not traditional memory corruption bugs. While I didn’t have a hand in the actual development of the mitigation It’s likely my research was partially responsible for Microsoft acting to develop them. It’s very interesting that 3 different approaches ended up being taken, reflecting the potential application compatibility issues which might arise.”
• “Excluding any bypasses which might come to light these should make entire classes of resource planting bugs unexploitable from a compromised sandboxed process and would make things like time-of-check time-of-use harder to exploit. Also it shows the level of effort that implementing mitigations without breaking backwards compatibility requires. The fact that these only target sandboxes and not system level escalation is particularly telling in this regard.”

Encryption as Protection? Maybe Not

• We often see as part of the coverage of a data breach how the data was not “encrypted”
• As it turns out, having data encrypted on the disk, doesn’t necessarily help, if the data is still “live” on the system
• If your laptop hard drive is encrypted, but you leave it unlocked at the coffee shop and visit the restroom, anyone can access the files on your computer. Having them encrypted did nothing for you
• The way hard drive encryption works, it only protects you if you lock or shutdown the computer, and require a strong passphrase to decrypt the disk to mount it again
• The same applies to a file server or database at a company. Encryption is only useful if access to the data is still strictly controlled
• “A recent espionage prosecution in West Palm Beach, Florida demonstrates that encryption may not be the panacea that organizations think it is. So rather than relying on encryption alone, companies need to adopt and maintain strategies that continue to provide layered security.”
• “After every data breach, we hear the same mantra, “If only the data were encrypted!” As if encryption of data is the answer to data breaches.”
• The case centers in this article centers on Christopher Glenn, a 35-year-old former defense contractor living in his mother’s retirement community
• He worked for the US Government in Honduras
• “He was convicted of stealing and retaining classified documents he obtained which related to U.S. policy in the Middle East”
• “In preparation for his theft, Glenn, a “computer specialist” with a U.S. defense contractor, read up on data security in general and encryption in particular. He apparently read articles about TrueCrypt, a popular freeware encryption product used for On-The-Fly Encryption (OTFE), noting in particular an October 2011 article entitled, “FBI Hackers Fail to Crack TrueCrypt”. Glenn figured that he could create an encrypted partition (called 2012 Middle East) on his drive. He created a 30-character passphrase, thinking that the data would be secured. Indeed, he estimated that it would take the FBI “billions of years” to crack the crypto through brute force.”
• “He was wrong. And he was sentenced to 10 years in jail.”
• “According to case reports, the FBI’s counter-intelligence agents were able to decrypt the encrypted files on Glenn’s computer, which became evidence in his case. Given that this is 2015, they did so in substantially less than the “billions of years” that Glenn anticipated.”
• There is no information on how exactly the FBI decrypted the data, but it was likely an attack against the passphrase, or the machine Glenn had used to encrypt the data
• “Companies need to evaluate not only WHETHER they encrypt data, but when and how they encrypt data. For example, RAM scrapers capture credit card numbers and other personal information, which is encrypted, before the data is encrypted.”
• “All of this must be part of a comprehensive data security program which includes access control, data management, ingress and egress reporting, data loss prevention processes, intrusion detection and prevention, managed and monitored firewalls and other services, threat intelligence, and comprehensive incident response. There are no shortcuts here. Oh yes, and encryption, the right encryption.”
• Encryption of “data at rest” in servers

Feedback

• Will the ZFS port to Linux make BSD less attractive?

• ZFS and low memory machines

• Any drawbacks to hosting multiple domains on one nginx instance?

• LVM?

Round Up:

• LeCie and Seagate wireless external hard drives contain multiple vulnerabilities
• APT malactors using poorly secured satellite links to hide their identity, and the location of their C&C operations
• Apple mitigates but doesn’t fully fix critical iOS Airdrop vulnerability
• Intel says: “OpenSSL – When you come to a fork in the road, take the well-worn path”
• GM stealth patches 5 year old OnStar vulnerability
• Microsoft researcher breaks the security of CryptDB, responds to their dismissal of his research
• How to complain about being spied upon by the government
• 70 year old programmer trying to preserve ancient programming language, on github
• In the Internet of Things, uptime is important
• WSJ: We Need the Right to Repair Our Gadgets
• Woz: “Steve Jobs Played No Role In My Designs For the Apple I & II”
• Symantec/GeoTrust have revoked all SSL certificates issues under the .pw top level domain
• The US State Dept’s email server is named after Henry Stimson, who famously said “Gentlemen do not read each other’s mail”

The post Key Flaw With GPL | TechSNAP 234 first appeared on Jupiter Broadcasting.

Vulnerabilities in iOS & Android devices announced today, both are in the wild with no fix yet. We’ll share the details. Comcast wants to buy T-Mobile, Microsoft shakes it up, Kodi gets banned & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Episode Links:

• Researchers Find Major Keychain Vulnerability in iOS and OS X – Slashdot
• Samsung Cellphone Keyboard Software Vulnerable To Attack – Slashdot
• Comcast said to be leading suitor in T-Mobile buyout – CNET
• Microsoft Shakes Up Its Leadership And Internal Structure As Its Fiscal Year Comes To A Close | TechCrunch
• Let’s Encrypt Launch Schedule
• Amazon Bans Kodi/XBMC App Over Piracy Concerns | TorrentFreak

The post Comcast's Next Prey | Tech Talk Today 184 first appeared on Jupiter Broadcasting.

Spotify announces some major fund raising in the shadow of Apple Music’s announcement, SpaceX wants to beam Internet from space, thoughts on Apple open sourcing Swift, and…

A special bonus lost episode of Tech Talk Today is embedded at the end of today’s show!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• Spotify Raises $526 Million Amid Battle With Apple – Digits – WSJ
• Apple Music and Labels Investigated in 2 States – NYTimes.com
• SpaceX Wants Permission To Test Satellite Internet – Slashdot
• 49 Suspected Members of Cybercriminal Group Arrested In Europe – Slashdot
• 49 suspected members of cybercriminal group arrested in Europe
• Apple Is Open-Sourcing Swift, Its New Programming Language | TechCrunch
• Early Tech Obsession | WTR 30 | Jupiter Broadcasting

The post Exploited iOS Email | Tech Talk Today 181 first appeared on Jupiter Broadcasting.

A WordPress flaw in the wild is under attack & Microsoft releases more software for Linux. Plus a sneak peak at Google I/O & what new features might land in Android M.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Actively exploited WordPress bug puts millions of sites at risk | Ars Technica

The cross-site scripting (XSS) vulnerability resides in genericons, a package that’s part of a WordPress theme known as Twenty Fifteen that’s installed by default, according to a blog post published Wednesday by security firm Sucuri. The XSS vulnerability is “DOM based,” meaning it resides in the document object model that’s responsible for how text, images, headers, and links are represented in a browser. The Open Web Application Security Project has much more about DOM-based XSS vulnerabilities here.

Microsoft Releases PowerShell DSC For Linux – Slashdot

jones_supa writes: Microsoft is announcing that PowerShell Desired State Configuration (DSC) for Linux is available for download in form of RPM and DEB packages. DSC is a new management platform that provides a set of PowerShell extensions that you can use to declaratively specify how you want your software environment to be configured. You can now use the DSC platform to manage the configuration of both Windows and Linux workloads with the PowerShell interface. Microsoft says that bringing DSC to Linux is another step in the company’s “broader commitment to common management of heterogeneous assets in your datacenter or the public cloud.” Adds reader benjymouse: DSC is in the same space as Chef and Puppet (and others); but unlike those, Microsofts attempts to build a platform/infrastructure based on industry standards like OMI to allow DSC to configure and control both Windows, Linux and other OSes as well as network equipment like switches, etc.

Confirmed: Media Center is Dead – Thurrott.com

“Due to decreased usage, Windows Media Center will not be part of Windows 10,” Mr. Aul tweeted recently.

Digging into the Google I/O 2015 schedule: Android M, voice access, and more | Ars Technica

Google has posted the schedule for Google I/O 2015. While the company tries not to give away too many things with the early schedule, the release always ends up being full of new information. We dug into all the session descriptions, and here’s all the info we could squeeze out of it.

Android M—It looks like Android M, the next version of Android, will be at the show. One sandbox session is called “Android for Work Update” and says, “Android M is bringing the power of Android to all kinds of workplaces.” While full Android releases have alphabetical snack code names, “Android L” launched last year at Google I/O, and the release was a developer preview for what would eventually become Lollipop. So it sounds like Android [letter] is a new pattern that indicates a dev preview.

The post M is for Monopoly | Tech Talk Today 168 first appeared on Jupiter Broadcasting.

The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss!

Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Flash Updates

• On January 22nd Adobe released an emergency patch for Flash Player to resolve the zero day vulnerability that we discussed last week
• Adobe released Flash Player 16.0.0.287 on the 22nd
• It turns out that this fix did not completely close the vulnerability, and the exploit kit quickly worked around the fix and continued to exploit the vulnerability
• Adobe issued a security advisory (different than an bulletin) about the issue
• On January 27th, Adobe released Flash Player 16.0.0.296 in another bulletin
• The latest release, 16.0.0.296 fixes both CVE-2015-0311 and CVE-2015-0311
• The researcher who originally discovered the exploits in the wild, has also pointed out that the 2015-0311 flaw is being used outside of the exploit kit now as well
• FireEye also discovered the 2015-0311 vulnerability being exploited in a different way

Gas Stations vulnerable to exploitation via the internet

• “An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7
• “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
• While doing research, HD Moore found that more than 5000 gas gauge devices are connected to the internet with no authentication. The automated tank gauges generally only have a serial port.
• “Approximately 5,800 ATGs (Automated Tank Gauge) were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
• Some of the devices have TCP/IP interfaces, and those that do not can be connected to a serial server, a common device in the IT industry, then be connected to the internet. Most serial servers do offer the ability to require a password to access the port, however this feature is often not enabled, and is not very secure
• “Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” the researcher said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”
• Another example of taking devices that were not meant to be put on the internet, and then doing so, without taking into account the security implications. Even with a password and source IP filtering, these devices should not be directly connected to the Internet. That is what VPNs are for
• Additional Coverage – ITWorld

The internet of dangerous things

• Krebs talks about the trends in Distributed Denial of Service Attacks
• Krebs cites data from Arbor networks, and their subsidiary Prolexic, which Krebs uses to protect his site, which was under constant attack from various sources throughout December
• The point needs to be raised that a growing number of these attacks are sources from ‘Internet of Things’ type devices, small consumer devices with an embedded operating system that receives no updates after it ships
• The attacks against Sony and Microsoft over Christmas used exploited routers, but a growing number of other devices could be vulnerable, especially in light of things like the new Linux Ghost vulnerability
• We have seen viruses attacking NAS and other types of storage devices, and I am sure it will not be long before the first attack against set-top boxes like the Boxee and Roku.
• “As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.”
• “Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks.”
• It has been over a year since these amplification vulnerabilities were patches, but there are still many systems being exploited to perform these attacks
• “According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.”
• “According to Arbor, the top three motivations behind attacks remain nihilism vandalism, online gaming and ideological hacktivism— all of which the company said have been in the top three for the past few years.”
• While analyzing the data from the dump of the Lizard Stresser database, Krebs found that one of the most popular targets for attack were small personal minecraft servers
• Krebs: “Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.”

Feedback:

• Click to play usefulness?

• Recommendations to Build or to Buy SAN?

• How can I explain password security to others if I am not an expert myself?
  • What is a cryptographic hash

Round Up:

• Highly critical “Ghost” allowing code execution affects most Linux systems
• German data center with no air
• Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
• Making a disk array that will survive 4 years with 99.999% reliability, with no human interaction
• Canada Casts Global Surveillance Dragnet Over File Downloads
• Using gas to blow open an ATM
• Deploying tor relays | Mozilla IT
• NANOG reacts to LizardSquad taking credit for outage at Facebook, Instagram, Hipchat, Tinder, and Myspace
• iTunes Connect Issue Logging Developers Into Other Accounts
• Verizon ends expansion of its FiOS network, will focus on building out existing locations
• Internet Crime Complaint Center issues advisory about business email scam
• Oxford university puzzles over 175 year old dry pile battery that is still ringing a bell

The post Internet of Problems | TechSNAP 199 first appeared on Jupiter Broadcasting.

Researchers discover a deep flaw in the way cellular networks interconnect, you won’t believe the scope of information they can obtain. Many Git users are getting bit by a bad bug & controlling robot arms with your mind is now a reality.

Plus some feedback & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale — even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes — such as keeping calls connected as users speed down highways, switching from cell tower to cell tower — that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela’s Merkel’s phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.

• Hackers Can Read Your Texts Thanks to Huge Security Flaw

Critical Git Security Vulnerability Announced

Github has announced a security vulnerability and has encouraged users to update their Git clients as soon as possible. The blog post reads in part: “A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected. The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem….Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.”

Double amputee controls two robotic arms with his mind

The project’s researchers have been developing these Modular Prosthetic Limbs (MPL) over the past decade, but they say Baugh is the “first bilateral shoulder-level amputee” to wear two MPLs at the same time. Unlike Jan Scheuermann who controlled a robotic arm with a pair of neural implants, though, Baugh had to undergo a procedure called targeted muscle reinnervation, which reassigned the nerves that once controlled his arms and hands.

Once that was done, the team recorded the patterns his brain makes for each muscle he moves, and then they had him control virtual arms to prepare for the real things.

First Ubuntu Phone Will Launch In Europe This February

For its first Ubuntu Phone Bq is launching a repurposed version of the its popular Aquaris e4.5 handset preloaded with Ubuntu for Phones.

Unlike the version that developers can (and have) been downloading and flashing to their Nexus devices, the commercial version of Ubuntu on phones will ship with a number of differences in software, including new ‘Aggregator Scopes‘ and support for paid content.

• 4.5-inch screen (qHD resolution @ 540×960)
• 1.3 GHz Quad Core ARM Cortex A7 (MediaTek)
• Mali 400 GPU @ 500 MHz (MediaTek)
• 8GB eMMC Storage
• 1GB RAM
• 2150 mAh Battery
• Dual micro-SIM

Feedback:

• WaveTop – Data in VBI Ep #105 : techtalktoday

The post Augmented Arm Control | Tech Talk Today 109 first appeared on Jupiter Broadcasting.

A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

• wget is a command line downloading client from the GNU project, often found on linux and unix servers, and even available for windows
• It was originally designed for mirroring websites, it has a ‘recursive’ mode where it will download an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
• It is this mode that is the subject of the vulnerability
• Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
• A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to indicate the same file twice, first as a symbolic link, then the second time as a directory. This is not possible on a real FTP server, since the file system can not have 2 objects with the same name
• This vulnerability allows the operator of the malicious FTP site you are downloading from, to cause wget to create arbitrary files, directories and symlinks on your system
• The creation of new symlinks allows files to be overwritten
• An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
• So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
• “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
• Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most times it is merely used an an HTTP client to download a file from a url
• Redhat Bug Tracker
• Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
• HD Moore Tweets
• HD Moore Blog Post
• Metasploit Module

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

• Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
• It turns out to be vulnerable, a specially crafted request results in the execution of arbitrary SQL commands
• “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
• All users running Drupal core 7.x versions prior to 7.32 need to upgrade
• Drupal Security Advisory
• One line patch — It seems the code assumed $data would always be a simple array, and if it was an associative array (had named keys instead of integers) it would have unintended affects
• Additional Coverage: Threat Post
• It was announced today that a wide spread automated attack has been detected against unpatched Drupal instances
• Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
• “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
• Drupal Public Sevice Announcement
• Additional Coverage: Thread Post
• It is entirely possible that attackers could have dumped the contents of databases in Drupal, it is probably best to reset all passwords

NAT-PMP flaw puts 1.2 million home routers at risk

• NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 RFC6886 to replace part of uPNP with a more simple implementation
• It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
• This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
• However, it seems some implementation are configured incorrectly, and accept requests from both the internal (expected) and external (very bad!) interface
• The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet), however, because it is UDP, the source address can be spoofed
• Researcher Post
• Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
• 2.5% are vulnerable to ‘interception of internal NAT traffic’, specifically, an attacker can create a mapping to forward attempts to connect to the router itself, to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
• 86% are vulnerable to ‘interception of external traffic’, allows the attacker to create a mapping on the external interface, for example, since more routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website. Allowing them to keep the true address of their site secret, by directing traffic to your router, which would then reflect it to their address.
• 88% are vulnerable to ‘Access to Internal NAT Client Services’, because NAT-PMP is over UDP, it is often times possible to send a spoofed packet, with a fake from address. This allows an attacker to basically create port-forwarding rules from outside, gaining access to machines behind the router, that are normally not exposed to the Internet.
• 88% are vulnerable to a Denial of Service attack, by creating a mapping to the NAT-PMP service, the device will forward all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
• 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
• Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
• Because of the nature of project SONAR and the wide spread of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the metasploit module, and attempt to create a database

Feedback:

• Why I switched from Puppet to Saltstack

• Salt vs ansible vs puppet

• Possible to Spoof a Source IP Across the Internet

• Solution for SMTP from home lab

• Network throughput/bandwidth Issues.

• Woes with tar

Round Up:

• FBI cut hotel Internet access, sent agents to “fix” it without warrants
• Interview with the developers of the Gopher protocol
• Brazil Is Keeping Its Promise to Avoid the U.S. Internet
• Botnet uses gmail drafts as a “dead drop” for command and control
• Lawyer doesn’t know what Java is, thinks Bill Gates is trying to get out of a question.
• Don’t run the gnu ‘strings’ command on untrusted files
• SQL Injection attack against speed cameras in France
• Paul Vixie: “Abuse of CPE Devices and Recommended Fixes”
• Whitehouse unclassfied network breached by attackers
• Twitter possibly vulnerable to command injection via new ‘card’ URLs
• Researchers publish report investigating the bitcoin theft from CryptoRush.in
• Security is hard
• Computer hardware identification chart

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

A 0-Day vulnerability is in the wild that impacts all current versions of windows, Microsoft is sunsetting the Nokia brand, Samsung has a patch for your SSD, and our Kickstarter of the week!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Windows 0-Day Exploited In Ongoing Attacks

Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

User interaction is required to exploit this vulnerability,” Microsoft explained in the security advisory. “In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.”

The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and deciding whether they will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.

Microsoft Lumia will replace the Nokia brand | The Verge

Microsoft Lumia is the new brand name that takes the place of Nokia for the software maker. The name change follows a slow transition from Nokia.com over to Microsoft’s new mobile site, and Nokia France will be the first of many countries that adopt “Microsoft Lumia” for its Facebook, Twitter, and other social media accounts. Microsoft has confirmed to _The Verge _that other countries will follow the rebranding steps in the coming weeks.

Microsoft’s decision to drop the Nokia brand itself doesn’t mean that Nokia is going away fully. Nokia still exists as a separate company without its phones business, and the Finnish firm now focuses on mapping and network infrastructure. Microsoft’s choice to use Lumia as the Nokia replacement won’t come as a surprise to many. Nokia’s Windows Phone apps have been rebranded to Lumia recently, and holiday ads will be pushing Lumia instead of Nokia.

Apple Aware of iCloud Login Harvesting in China, Launches Browser Security Guide

Earlier this week, web censorship blog Great Fire suggested that hackers aligned with Chinese authorities were using man-in-the-middle attacks in order to harvest Apple ID information from Chinese users that visited Apple’s iCloud.com website.

In a newly released support document (via The Wall Street Journal), Apple has confirmed that it is aware of the “intermittent organized network attacks” on iCloud users, but says that its own servers have not been compromised.

Unfortunately, many of the victims falling prey to the fake iCloud sites are not using secure browsers that issue warnings when fake websites are visited. According to Great Fire, many Chinese users access the Internet through popular Chinese browser Qihoo, which does not let users know that a fake site is harvesting their information.

The attack works by redirecting Chinese users attempting to access iCloud.com to a fake website that resembles the iCloud website. Users that log into the fake site provide attackers with logins and passwords that can be used to access contacts, messages, photos, and documents stored within iCloud.

Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China’s Foreign Ministry (via CNBC) said that Beijing was “resolutely opposed” to hacking.

Samsung Acknowledges and Fixes Bug On 840 EVO SSDs

Samsung has issued a firmware fix for a bug on its popular 840 EVO triple-level cell SSD. The bug apparently slows read performance tremendously for any data more than a month old that has not been moved around on the NAND. Samsung said in a statement that the read problems occurred on its 2.5-in 840 EVO SSDs and 840 EVO mSATA drives because of an error in the flash management software algorithm. Some users on technical blog sites, such as Overclock.net, say the problem extends beyond the EVO line. They also questioned whether the firmware upgrade was a true fix or if it just covers up the bug by moving data around the SSD.

Samsung now producing 32GB DRAM modules, 128GB to follow | Computerworld

Samsung Electronics is now mass producing its most advanced 8Gbit, DDR4 memory and 32GB registered dual in-line memory modules

Using the new 8Gb DDR4 chip, Samsung began producing the 32GB module earlier this month. The new module’s data transfer rate per pin reaches up to 2.4Gbps, which represents about a 29% performance increase over the previous 1.866Mbps bandwidth DDR3 server module.

Beyond the 32GB RDIMM modules, the new 8Gb chips will allow production of server modules with a maximum capacity of 128GB by applying 3D through silicon via (TSV) technology, which will encourage further expansion of the high-density DRAM market, the company said.

Kickstarter of the Week: Hendo Hoverboards – World’s first REAL hoverboard by Hendo

Hendo is introducing the world’s first REAL hoverboard and hover developer kit. We are putting hover technology in YOUR hands.

The post NoMokia | Tech Talk Today 79 first appeared on Jupiter Broadcasting.

A major flaw in SSL 3.0 has been discovered by Google & the web springs into action. The Double Irish is getting shut down & Google has something very sweet for us all!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback

Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

ImperialViolet – POODLE attacks on SSLv3

Fundamentally, the design flaw in SSL/TLS that allows this is the same as with Lucky13 and Vaudenay’s two attacks: SSL got encryption and authentication the wrong way around — it authenticates before encrypting.

The POODLE Attack and the End of SSL 3.0 | Mozilla Security Blog

SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.

SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3.

“Double Irish” Tax Loophole Used By US Companies To Be Closed

The Irish Finance Minister announced on Tuesday that Ireland will no longer allow companies to register in Ireland unless the companies are also tax resident. This will effectively close off the corporate tax evasion scheme known as the “Double Irish” used by the likes of Google, Apple, and Facebook to route their earnings through their Irish holdings in order to garner an effective tax rate of, as in Google FY2013, 0.16%. Ireland’s new policy will take effect in 2015 for new companies. “For existing companies, there will be provision for a transition period until the end of 2020.”

GT Advanced COO sold $1.2M in shares before bankruptcy, Apple asks court to seal documents | 9to5Mac

There has been some indication that executives anticipated the bankruptcy with reports that the company’s CEO unloaded approximately $160,000 in stock days before the iPhone 6 launched without GT’s sapphire cover that was previously rumored to make an appearance on the device. Today, The Wall Street Journal reports that another GT Advanced executive, COO Daniel Squiller, sold $1.2 million of stock in May and “set up a plan under which he sold another $750,000 of shares over ensuing months before the company filed for bankruptcy.”

Details of Apple’s contracts with supplier GT Advanced have been trickling out since the company filed for Chapter 11 bankruptcy earlier this month. While asking courts for permission to “wind down” operations at its Arizona plant, the company called its agreement with Apple “oppressive and burdensome” and reportedly requested courts disclose more information about its relationship with Apple. The exact reason behind what lead to the bankruptcy filing is still unclear, but there has been speculation that it’s related to a final $139 million payment that was reportedly withheld by Apple.

Google Teases Android L Ahead of Rumored Nexus Launch

Among rumors that the newest Nexus devices will be announced as soon as tomorrow, Google Senior VP Sundar Pichai sent out this tweet earlier today:

Met some sweet new friends today.

The post Poodle Bytes your SSL | Tech Talk Today 76 first appeared on Jupiter Broadcasting.

A major Xen flaw forces the “cloud” to reboot, we share the details. ComputerCop malware pitched as saving the children turns out to be major spyware.

Plus a big Adobe Linux support rant, the Mac botnet that reads reddit & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Rackspace Joined Amazon in Patching, Rebooting Cloud Servers

About a quarter of Rackspace’s 200,000-plus customers were impacted when the cloud provider had to patch a flaw in the Xen hypervisor.
Rackspace, like cloud competitor Amazon Web Services, was forced to reboot some of its servers after patching them to fix a security flaw in some versions of the XenServer hypervisor.

The cloud provider had to patch an untold number of servers in its global data centers over the weekend and then reboot them, which caused disruption to about a quarter of Rackspace’s more than 200,000 customers, according to President and CEO Taylor Rhodes. The issue was further complicated by a tight deadline—the vulnerability was first discovered early last week, and a patch wasn’t worked out with Xen engineers until late Sept. 26.

AWS started sending out letters to its customers Sept. 24 informing them that there was an issue, but assured them that the problem was not related to the Bash bug that arose last week as a threat to systems running Unix and Linux. Officials instead let them know that the problem was with the Xen hypervisor, and that a patch was being worked on.

• Security bug in Xen may have exposed Amazon, other cloud services [Updated] | Ars Technica

The bug, introduced in versions of Xen after version 4.1, is in HVM code that emulates Intel’s x2APIC interrupt controller. While the emulator restricts the ability of a virtual machine to write to memory reserved specifically for its own emulated controller, a program running within a virtual machine could use the x2APIC interface to read information stored outside of that space. If someone were to provision an inadvertently buggy or intentionally malicious virtual machine on a server using HVM, Beulich found that VM could use the interface to look at the physical memory on the physical machine hosting the VM reserved for other virtual machines or for the virtualization server software itself. In other words, an “evil” virtual machine could essentially read over the shoulder of other virtual machines running on the same server, bypassing security.

• XSA-108 – Xen Security Advisories

EFF: Security software distributed by cops is actually spyware in disguise

Various schools, libraries and ordinary American families might have been using a “security” software called ComputerCOP for years. After all, they probably got their copy from cops, attorney’s offices or other branches of law enforcement, which tout it as a way to protect children online.

One of the main feature of ComputerCop is a keylogger called KeyAlert. Keyloggers record all keystrokes made on a computer keyboard, including credit card information and username and password combinations. KeyAlert’s logs are stored unencrypted on Windows computers, and on Macs they can be decrypted with the software’s default password. The software can also be configured so that trigger words email an alert to the computer’s owner.

KeyAlert must be installed separately from the rest of the ComputerCop software, but not all versions of ComputerCop have been distributed with it. There’s no way to configure KeyAlert for a particular user, so it’s possible to use it against anybody using the computer — not just kids.

“When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email,” the EFF report said.

According to the foundation, law enforcement agencies typically buy between 1,000 and 5,000 copies of ComputerCOP for a few dollars per piece — and yes, they use taxpayer dollars for the purchase. Within the past two years for instance, several Attorney’s Offices, including San Diego’s, bought 5,000 pieces for 25 grand.

• ComputerCOP: The Dubious ‘Internet Safety Software’ That Hundreds of Police Agencies Have Distributed to Families | Electronic Frontier Foundation

Adobe Pulls Linux PDF Reader Downloads From Website – OMG! Ubuntu!

As flagged by a Reddit user who visited the Adobe site to grab the app, Linux builds are no longer listed alongside other ‘supported’ operating systems.

Adobe is no stranger to giving penguins the brush off. The company stopped releasing official builds of Flash for Linux in 2012 (leaving it to Google to tend to), and excluded Tux-loving users from its cross-platform application runtime “Air” the year before.

All is not lost. While the links are no longer offered through the website the Debian installer remains accessible from the Adobe FTP server.

China pre-orders 2 million iPhone 6 handsets in just 6 hours

The iPhone 6 and 6 Plus were delayed in China as the result of trouble for Apple securing the necessary regulatory approvals from the country’s Ministry of Industry and Information Technology. In its absence, rival company Samsung rushed to release their new flagship handset in the country.

Despite China’s absence, however, Apple’s eagerly-anticpated handsets sold 10 million+ units in their opening weekend alone.

According to new reports coming out of China, both retailers and carriers have taken in a massive 2 million reservations just six hours after putting the iPhone 6 and 6 Plus on earlier-than-expected pre-order.

New Mac botnet malware uses Reddit to find out what servers to connect to

Mac users should beware of some new malware spreading, that tries to connect infected machines with a botnet for future exploitation. As detected by Dr Web, the malicious worm (dubbed Mac.BackDoor.iWorm) first checks whether any interfering applications are installed on the Mac.

If it is clear, it calls out to Reddit posts to find the IP addresses of possible servers to callback too. Although these posts have been deleted, it’s not hard for the people behind the exploit to repost them at a later time. Once connected to the botnet, the infected Mac can be literally instructed to perform almost any task the hackers want, such as redirect browsing traffic to potentially steal account credentials for instance.

Dr.Web estimates over 15,000 distinct IP addresses have been connected to the botnet already. Although 15,000 IPs does not directly translate into 15,000 separate infected users, it is indicative of a rather large base for a Mac worm.

The post ComputerCop Malware | Tech Talk Today 69 first appeared on Jupiter Broadcasting.

The Shellshock bug is taking the internet by storm, Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more!

Then it’s our look at what’s great in Gnome 3.14, Ubuntu 14.10 & another systemd alternative that’s doing it right.

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Shellshock with Matthew Miller – FedoraProject

Brought to you by: System76

Shellshock BASH Vulnerability Tester

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU’s bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in the last 24 hours (See patch history), you’re most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Shellshock: How does it actually work? | Fedora Magazine

And there’s quite a lot of other little cleanups in there too — security people at Fedora, at Red Hat, and around the world sure have been busy for the couple of days. Thanks to all of you for your hard work, and to Fedora’s awesome QA and Release Engineering teams, who sprung into action to make sure that these updates got to you quickly and safely.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole | Ars Technica

Here’s how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable. Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell.

Shellshock just ‘a blip’ says Richard Stallman as Bash bug attacks increase | Technology

GNU Project founder: ‘Any program can have a bug. But a proprietary program is likely to have intentional bugs’

The bash vulnerability and Docker containers | Colin Walters

In a previous post about Docker, I happened to randomly pick bash as a package shared between the host and containers. I had thought of it as a relatively innocent package, but the choice turned out to be prescient. The bash vulnerability announced today shows just how important even those apparently innocent packages can be.

shellshock – What does env x='() { :;}; command’ bash do and why is it insecure? – Unix & Linux Stack Exchange

bash stores exported function definitions as environment variables. Exported functions look like this:

$ foo() { bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() {  bar
}

That is, the environment variable foo has the literal contents:

() {  bar
}

When a new instance of bash launches, it looks for these specially crafted environment variables, and interprets them as function definitions. You can even write one yourself, and see that it still works:

$ export foo='() { echo "Inside function"; }'
$ bash -c 'foo'
Inside function

Unfortunately, the parsing of function definitions from strings (the environment variables) can have wider effects than intended. In unpatched versions, it also interprets arbitrary commands that occur after the termination of the function definition. This is due to insufficient constraints in the determination of acceptable function-like strings in the environment. For example:

$ export foo='() { echo "Inside function" ; }; echo "Executed echo"'
$ bash -c 'foo'
Executed echo
Inside function

Note that the echo outside the function definition has been unexpectedly executed during bash startup. The function definition is just a step to get the evaluation and exploit to happen, the function definition itself and the environment variable used are arbitrary. The shell looks at the environment variables, sees foo, which looks like it meets the constraints it knows about what a function definition looks like, and it evaluates the line, unintentionally also executing the echo (which could be any command, malicious or not).

This is considered insecure because variables are not typically allowed or expected, by themselves, to directly cause the invocation of arbitrary code contained in them. Perhaps your program sets environment variables from untrusted user input. It would be highly unexpected that those environment variables could be manipulated in such a way that the user could run arbitrary commands without your explicit intent to do so using that environment variable for such a reason declared in the code.

— PICKS —

Runs Linux

India’s Mission to Mars, runs Linux

India has made history today by being the first and only country in the world to send a space craft to Mars in first attempt. The country also made history as it achieved it in a budget lesser than the un-scientific Hollywood block buster Gravity; India spent only $71 million on the mission.

Desktop App Pick

• How to Protect your Server Against the Shellshock Bash Vulnerability | DigitalOcean

Shellshock BASH Vulnerability Tester

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.

• shellshocker · GitHub

Weekly Spotlight

RockStor: Store Smartly: Free Advanced File Storage

Installs on 64-bit commodity hardware or virtual machine
Built on top of Enterprise Linux operating system
Supports NA sharing protocols including Samba/CIFS, NFS and SFTP
Efficient storage management functionility with web-ui or CLI
Extend functionality with plugins

— NEWS —

GNOME 3.14 Released, See What`s New

After six months of development, GNOME 3.14 was released today and it includes quite a few interesting changes such as multi-touch gestures for both the system and applications, re-worked default theme, new animations as well as various enhancements for the code GNOME applications.

• Gnome 3.14 reviewed on Arch Linux

In a nutshell I like Gnome 3.14 a lot. It’s a really nice release. Though I am a hard core Plasma user, I see myself spending some time with Gnome, enjoying things like online integration, easy-to-set-up Evolution and many more features which I can’t find in KDE’s Plasma. That said, both are my favorite. They both excel in their focus areas. If you have not tried Gnome yet, do give it a try.

• Gesture support in Shell Apart from Touch support in Shell there is also…

Apart from Touch support in Shell there is also support for GNOME apps and in fact some GNOME apps they do use gestures!

• GTK+ 3.14 Brings Much Better Wayland Support, Multi-Touch, New Theme

The Wayland changes for GTK+ 3.14 include support for the recently released Wayland 1.6, touch input is now supported, working drag-and-drop support, and support for the GNOME classic mode.

• Download GNOME 3.14 ISO (based on Fedora 21)

• Touching on Touchscreen Support | Erich Eickmeyer

Touchscreens are no longer just for tablets and phones. Touchscreen laptop computers and desktops are becoming the norm, if not more common, in the computer market. Much of this has been spurred-on by Microsoft and Windows 8, whose “Modern” interface is about as touchscreen-friendly as you can get. In fact, it is what is driving the laptop market to include capacitive touchscreens.

The nosh package

It should also be suitable for filling the gap caused by the
systemd tool not being portable outwith the Linux kernel since it
is known to work on proper BSD and on Debian Linux, and therefore
should work on Debian kFreeBSD.

Ubuntu 14.10 Beta Downloads Now Available

There’s not even a new default desktop wallpaper.

• Why GNOME 3.14 Won’t Be Included in Ubuntu 14.10 – OMG! Ubuntu!

Feature Freeze is the point past which no new features, packages or APIs are introduced, with emphasis placed on polish and bug fixing to ensure as stable an experience as possible. Feature Freeze for Ubuntu 14.10 and its flavors came into effect on August 21 — a month prior to the release of GNOME 3.14 Stable.

It’s this tight timeframe that conspires against the Ubuntu GNOME team, making it impossible for them to include latest GNOME stack. If you were one of those who hoped to find GNOME 3.12 in Ubuntu 14.04 LTS, you’ll be familiar with the impact this has.

A series of maintained PPAs — Stable, Staging, and Next — provide backports of newer GNOME releases to Ubuntu, allowing you to optionally roll with (potentially untested) newer software should you want to.

Tech Talk Today | A Daily Tech News Show with a Linux Perspective

• Tech Talk Today Subreddit

— FEEDBACK —

• Jupiter Broadcasting Fall/Spring Jacket | Teespring

• Jupiter Broadcasting at Ohio LinuxFest – Google+

— CHRIS’ STASH —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

• Check out LINUX Unplugged
• Articles by Matt Hartley

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook

• Jupiter Broadcasting on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Weaponized Bash | Linux Action Show 332 first appeared on Jupiter Broadcasting.

We’ll tell you about a major German hack that lasted 12 years, and struck over 300 business. Plus researchers discover a nasty Android bug that impacts over 70% of users.

Then it’s a great big batch of your networking questions, our answers & much much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Operation Harkonnen, a 12 year long intrusion to over 300 businesses

• “From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrating them to the organizations who ordered the attack”
• “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
• “The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
• Specifically, it is quite easy to establish a new company in England
• It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
• “The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.“
• Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

• Android versions before 4.4 (75% of all current Android phones) are vulnerable
• CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog.
• By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
• What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
• The attacker could scrape your e-mail data and see what your browser sees.
• Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
• As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
• Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome.
• The core parts of Android Browser were still used to power embedded Web view controls within applications, this changed in Android 4.4, when it switched to a Chromium-based browser engine.
• Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
• Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

• Additional Coverage: ThreatPost
• Additional Coverage: Rapid7, includes metasploit module

Feedback:

• Where do you Apply Network Qos?

• Where are packets going?

• Double Trouble NAT

• Unsafe internet of things (IoT) devices

Round Up:

• Yet Another Reason Containers Don’t Contain: Kernel Keyrings
• Micron announces new 16nm SSD chips, only $0.45/GB, dynamically programmable as SLC or MLC
• What Exactly Is the Facebook Messenger App for iOS Tracking?
• Citadel banking trojan repurposed in attack against middle eastern oil companies
• Apple’s “warrant canary” disappears, suggesting new Patriot Act demands
• Details emerge about Home Depot hack, malware attempted to look like McAfee PoS protection system, looks like different attackers than Target
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed four different remotely exploitable vulnerabilities in IntegraXor, a popular SCADA server
  

The post Bait and Phish | TechSNAP 181 first appeared on Jupiter Broadcasting.

Sony is under attack again, but this time the hackers have taken it to the physical world. Another Android flaw is getting over hyped, Windows 9 gets a release date, the most popular open source cloud projects & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Sony PlayStation Network taken down by attack

Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board.

The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic.

Plane carrying Sony Online Entertainment President John Smedley was diverted on Sunday, Smedley said in a post on microblogging site Twitter.

A group called Lizard Squad sent a message through its Twitter account to American Airlines saying Smedley’s flight had explosives on board, according to a report by USA Today. The group also used Twitter to claim credit for the network attack, the newspaper said.

USA Today reported that the Dallas/Fort Worth flight to San Diego was diverted and landed safely in Phoenix.

A PlayStation spokeswoman in the United States said the diverted flight was being handled by the FBI and had no comment.

Android attack improves timing, allows data theft | Ars Technica

According to a team of researchers from the University of Michigan and the University of California at Riverside.

The attack, known as a user interface (UI) inference attack, makes use of the design of programming frameworks that share memory, allowing one application to gather information about the state of other applications. The information can be gathered without any special Android permissions or by grabbing screen pixels, according to a paper presented at the USENIX Security Conference on Friday.

The technique gives attackers the ability to infer the state of a targeted application, enabling more convincing attacks. If malware knows that the targeted user has just clicked on a “login” button, then it can throw up a dialog box asking for a username and password. If the malware can infer that a user is about to take a picture of a check or sensitive document, it can quickly take a second picture.

An attack application must be running in the background, where it can determine the foreground activity of a targeted app with 80 to 90 percent accuracy in most applications, the researchers said. The technique detects transitions in the UI state of the targeted app and then uses a signature to identify the new state.

In videos demonstrating the UI inference attack, the research group showed the malicious software stealing a username and password from the H&R Block application, copying an image of a check taken by the Chase Bank application, and stealing credit-card information from the NewEgg store.

“By design, Android allows apps to be preempted or hijacked,” Qian said in a statement. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”

Because the attack does not focus on any specific vulnerability in the operating system, hardening the software to attack will be difficult, according to the paper.

While the researchers focused on the Android operating system, the operating-system architecture that they exploit is present on most other major OSes, including MacOS X, iOS and Windows, the paper stated.

“We believe our attack on Android is likely to be generalizable to other platforms,” the paper stated.

• Cyber security experts find 92 percent successful Gmail hack- The Inquirer

Most smartphone users download zero apps per month

Mobile apps have skyrocketed in popularity and utility since Apple introduced the iPhone App Store in the summer of 2008. Apps now represent 52% of time spent with digital media in the US, according to comScore, up from 40% in early 2013. Apple boasted 75 billion all-time App Store downloads at its developers conference in June, and followed up by declaring July the best month ever for App Store revenue, with a record number of people downloading apps.

Yet most US smartphone owners download zero apps in a typical month, according to comScore’s new mobile app report.

Only about one-third of smartphone owners download any apps in an average month, with the bulk of those downloading one to three apps. The top 7% of smartphone owners account for “nearly half of all download activity in a given month,” comScore reports.

Microsoft set to unveil Windows 9 on September 30th | The Verge

Microsoft is planning to unveil its Windows 8 successor next month at a special press event. Sources familiar with Microsoft’s plans tell The Verge that the software maker is tentatively planning its press event for September 30th to detail upcoming changes to Windows as part of a release codenamed “Threshold.” This date may change, but the Threshold version of Windows is currently in development and Microsoft plans to release a preview version of what will likely be named Windows 9 to developers on September 30th or shortly afterwards. The date follows recent reports from ZDNet that suggested Microsoft is planning to release a preview version of Windows 9 in late September or early October.

Most popular open-source cloud projects of 2014 | ZDNet

At CloudOpen, a Linux Foundation tradeshow held in conjunction with LinuxCon, the Foundation announced that an online survey of open-source cloud professionals found OpenStack to be the most popular overall project.

That wasn’t surprising. Although OpenStack is only four years old, the Infrastructure-as-a-Service (IaaS) cloud project is very popular with support from such industry giants HP, Red Hat, and VMware. What was somewhat surprising was that number two was Docker, the just-over-a-year old container technology.

Behind those two, you’ll find KVM, the x86 virtualization technology that’s recently been ported to Power; CloudStack, one of the older open-source IaaS cloud projects; and Ceph, the open-source, software-defined storage stack.

The post Sony's the Bomb | Tech Talk Today 48 first appeared on Jupiter Broadcasting.

An Android flaw from 2010 allows any app to break out of the Android sandbox. But is it really a threat in practice? We’ll dig in.

The Podcast patent troll takes it on the nose, and some highlights from the Gnome development conference this week.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Android crypto blunder exposes users to highly privileged malware | Ars Technica

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.

The App simply needs to claim its Adobe flash, and it gets to break out of the sandbox.

The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Google’s Response to Ars

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

The Reality of the Situation

First, a patch been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

• New Android ‘Fake ID’ flaw empowers stealthy new class of super-malware

A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.

• Android ‘supermalware’ can impersonate any app- The Inquirer

The vulnerability in the Android code that allows “Fake ID” in was first noticed in the now dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 Kitkat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project including Amazon’s Fire OS.

• Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications, Puts All Android Users Since January 2010 At Risk – Bluebox Security

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

• Old Apache Code At Root of Android FakeID Mess – Slashdot

Podcasting patent troll: We tried to drop lawsuit against Adam Carolla | Ars Technica

In a statement released today, Personal Audio says that Carolla, who has raised more than $450,000 from fans to fight the case, is wasting their money on an unnecessary lawsuit. The company, which is a “patent troll” with no business other than lawsuits, has said Carolla just doesn’t care since his fans are paying his lawyers’ bills.

Adam Carolla’s assertions that we would destroy podcasting were ludicrous on their face,” said Personal Audio CEO Brad Liddle. “But it generated sympathy from fans and ratings for his show.

According to Personal Audio, they’ve lost interest in suing podcasters because the podcasters—even one of Adam Carolla’s size—just don’t make enough money for it to care.

“[Personal Audio] was under the impression that Carolla, the self-proclaimed largest podcaster in the world, as well as certain other podcasters, were making significant money from infringing Personal Audio’s patents,” stated the company. “After the parties completed discovery, however, it became clear this was not the case.”

Personal Audio also says it has a patent covering playlists.

Personal Audio has already dropped its lawsuits against two other podcasting defendants from the case (Togi Net and How Stuff Works) apparently without getting paid anything.

The patent company is charging ahead with its patent case against the big three television networks, CBS, NBC, and ABC. Personal Audio is trying to wring a royalty from those companies for releasing video “episodic content” over the Internet.

In response, Carolla sent Ars a statement saying he’ll continue to pursue counterclaims against Personal Audio, seeking to invalidate the patent “so that Personal Audio cannot sue other podcasters for infringement of US Patent 8,112,504.” Lotzi (Carolla’s company) has already “incurred hundreds of thousands of dollars in fees and expenses to defend itself” against the Personal Audio patents.

GUADEC 2014, Day Four: Hardware, New IDE for GNOME | Fedora Magazine

The fourth day of GUADEC was devoted to hardware and its interaction with desktop. The first talk was “Hardware Integration, The GNOME Way” by Bastien Nocera who has been a contributor to GNOME and Fedora for many years.

Performance Testing on Actual Hardware

Owen Taylor talked on continuous integration performance testing on actual hardware. According to Owen, continuous performance testing is very important. It helps find performance regressions more easily because the delta between the code tested last time and the code tested now is much smaller, thus there are much fewer commits to investigate.

He noted that desktop performance testing in VMs is not very useful which is why he has several physical machines that are connected to a controller which downloads new builds of GNOME Continuous and installs them on the connected machines. The testing can be controlled by GNOME Hardware Testing app Owen has created. And what is tested?

Here are currently used metrics:

• time from boot to desktop
• time redraw entire empty desktop
• time to show overview
• time to redraw overview with 5 windows
• time to show application picker
• time to draw frame from test application, time to start gedit.

Tests are scripted right in the shell (javascript) and events logged with timestamp. The results are uploaded to perf.gnome.org. In the future, he’d like to have results in the graph linked to particular commits (tests are triggered after very commit), have more metrics (covering also features in apps), assemble more machines and various kinds of them (laptops, ARM devices,…).

Builder: a new IDE for GNOME

The last talk of the day was “Builder, a new IDE for GNOME” by Christian Hergert. Christian started the talk by clearly stating what Builder is not intended to be: a generic IDE (use Eclipse, Anjuta, MonoDevelop,… instead). And it most likely won’t support plugins. Builder should be an IDE specializing on GNOME development.

Here are some characteristics of Builder:

• components are broken into services and services are contained in sub-processes,
• uses basic autotools management,
• source editor uses GtkSourceView,
• has code highlighting, auto-completation,
• cross-reference, change tracking,
• snippets,
• auto-formatting,
• distraction free mode.
• Vim/Emacs integration may be possible.
• The UI designer will use Glade and integrate GTK+ Inspector.
• Builder will also contain resource manager, simulator (something similar to Boxes, using OSTree), debugger, profiler, source control.

After naming all Builder’s characteristics Christian demoed a prototype.

For Later Reading Pick:

• AnandTech | The NVIDIA SHIELD Tablet Review

Feedback:

• More information on the “Trans Pacific Partnership” from an Avid Australian listener – Magentium

Hey Guys at Jupiter Broadcasting. Just wanted to put a bit more info to you that I saw on Tech Talk Today about the Copyright Act that’s being brought into Australia. Someone mentioned that “Netflix could come in” and make some serious mone. Netflix would be awesome if our Internet Infrastructure wasnt at a maximum of 12Mbps speeds (If you are lucky).

On a good day (and ive got some of the best net here) i get around 8mbps down. Netflix wouldn’t be viable because it wouldnt be available to even 30% of the country. We have Foxtel (like SKY / Cable) which is Premium Paid TV and costs a FORTUNE. It’s still not viable.

In regards to the Copyrighting, the Government also has it all wrong. The number one reason that I am always told by people I know as to why they pirate TV shows, movies and Games, is that the pricing of this stuff over here is unbelievable. For instance, the box set of Star Trek : The Next Generation will cost you over US$250 if you convert the costs, depending if its on special / discount or not.

Either way, you guys were spot on. Keep up the great work, Love the show, and a big shoutout from Australia! CRICKEY! ( we dont actually say that, so don’t get fooled by the stereotype). And no I don’t have a pet Kangeroo (not anymore).

The post Android's Leaky Sandbox | Tech Talk Today 35 first appeared on Jupiter Broadcasting.

An exploit that leaves Docker containers leaky, who really owns your email account and one hash algorithm to rule them all.

Then it’s a great batch of your questions and much, much more!

Thanks to:

— Show Notes: —

Docker Linux containers spring a security leak

• A security exploit has surfaced that can allow rogue programs to break out of Docker containers and access files on their host OS.
• The flaw has been solved in the latest version of the tech.
• The flaw \”Demonstrates that any given Docker image someone is asking you to run in your Docker setup can access ANY file on your host, e.g. dumping hosts /etc/shadow or other sensitive info, compromising security of the host and any other docker container is on\”
• \”The proof of concept exploit relies on a kernel capability that allows a process to open any file in the host based on its inode. On most systems, the inode of the / (root) filesystem is 2. With this information and the kernel capability it is possible to walk the host’s filesystem tree until you find the object you wish to open and then extract sensitive information like passwords,\” Docker explained in a blog post published after the flaw came out.
• \”In earlier Docker Engine releases (pre-Docker Engine 0.12) we dropped a specific list of kernel capabilities, ( a list which did not include this capability), and all other kernel capabilities were available to Docker containers. In Docker Engine 0.12 (and continuing in Docker Engine 1.0) we drop all kernel capabilities by default. Essentially, this changes our use of kernel capabilities from a blacklist to a whitelist.\”
• \”Please remember, however, that at this time we don\’t claim that Docker Engine out-of-the-box is suitable for containing untrusted programs with root privileges,\”
• Proof of Concept exploit prints /etc/shadow from the host from within Docker

Generalized Secure Hashing Algorithm

• Ted Unangst (one of the lead developers of LibreSSL, as well as OpenBSDs secure signing infrastructure and many other things) posted a thought experiment to his blog
• How would you design an uncrackable password hashing algorithm?
• Ted’s idea: create a very large number of unique hashing algorithms, or rather, a generalized hashing algorithm that takes a ‘tweaking’ parameters that changes how the hash is generated
• “Consider a hash function GSHA512, very similar to SHA512, but with slight variations on each of its constants. You could use GSHA512 #42, or GSHA512 #98765, or even GSHA512 #658743092112345678890 if there were enough variants available. 2^512 variants should be enough for anyone.”
• Now, instead of having to spend a few million on specialized SHA512 cracking hardware, an attacker (the NSA) would have to build 2^512 different specialized cracking chips
• The results?
• “Safe to say we’ve defeated custom silicon. Nobody has a fab that can trace out millions of distinct custom circuits per second.”
• “FPGA is finished too. Assuming you don’t melt it trying, you can’t reprogram an FPGA fast enough.”
• “GPUs are harder. Without having tried it, my gut tells me you won’t be able to copy out the GSHA code to the GPU fast enough to make it worthwhile.”
  • “An attacker with lots of CPUs can still crack our password, but CPUs are very expensive. What if somebody could fab their own very cheap, very limited CPUs? Like a 100000 core CPU with only just enough cache to implement GSHA? Now we may be in trouble. The transistor count for GSHA is quite low, but they need to be the special high speed general purpose kind of transistor circuit. The scrypt paper notes that a CPU could be cheaper than RAM if stripped of all its extra functionality, but in practice it’s hard to calculate all the tradeoffs.”
  • “This part isn’t very practical The idea is that a cracker would look less like a SHA512 cracker, capable only of performing one hash, and more like a typical CPU, capable of performing many hashes. Requiring the attacker to be adaptable in this way brings their costs in line with our costs. Maybe. Waves hands.”
• Of course, to defeat custom CPUs, one could just use GSHA512 as the core to something like scrypt, which tries to defeat customer hardware by requiring a lot of memory instead
• Example Implementation
• “Don’t use these functions for anything but password hashing. (Don’t use them at all is even sounder advice.)”

Who owns your email account?

• A user had their Yahoo email account terminated by Yahoo for violation of its terms of service
• The violation was apparently for flaming another user in the comments thread under Yahoo news articles
• Since the email address is part of the overall ‘Yahoo Account’, it was terminated
• Eric Goldman, law professor at Santa Clara University says: \”A cloud service can lock off your assets,\” he adds. \”They may still be your assets from a matter of legal ownership, but if you have no access to them, who cares?\” (Possession is 9/10th of the law?)
• Microsoft and Google have similar terms, although Google adds: \”If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service\”
• This is why it is probably best to always use your own domain, that you own it
• Even if you use gmail or some other service to actually host the mail, if your gmail account gets terminated, you can move your hosting elsewhere and most importantly, your email address does not change
• There is also the option to host your own email, with a hosting account, VPS or dedicated server
• In these cases, especially when you do not have multiple servers to provide backup MX, I recommend a service such as: DNSMadeEasy Backup Email Service

Feedback:

• Rolling out disk-level encryption on a domain (healthcare, gasp)

• mail archiving help

• Question: Unix machines (Linux or BSD) In an office setting

• DNS fuckery from my ISP

• Why not SSH as root?

• Canada’s Anti-Spam Legislation

Round Up:

• Hackers Claim to Leak 1.2 Million Origin Accounts and Passwords; Electronic Arts Finds No Evidence

• Hackers attempt to ransom 600,000 Domino’s Pizza customer records from France and Belgium. Demand 30,000 EUR, $40,000, USD or they will release the data. Data said to include full names, addresses, phone numbers, email addresses, passwords, delivery instructions, and favourite toppings. Dominos says no credit card or financial information was compromised, and they will not pay the ransom

• In 2007 (when half of all smart phones were made by Nokia), Nokia paid a random of millions of euros to an attacker who managed to steal the encryption/signing keys used for Symbian. If the keys had been leaked or used, Nokia would not have had a way to ensure that phones only accepted updated from Nokia, and not malware. The money was left in a bag in a parking lot at a nearby amusement park. The blackmailer took the bag. Police, however, lost track of the blackmailer and the money was gone. Finnish authorities have had no luck solving the case.

• The SSD Endurance Experiment: Casualties on the way to a petabyte
• Intel introduces new Xeons with embedded FPGAs, compatible with existing sockets/motherboards (may require BIOS update), can greatly accelerately specific tasks
• Hacker Hijacks Storage Devices, Mines $620,000 in Dogecoin
• FOIA request releases FBIs translations of ‘twitter shorthand’
• TW Telecom (provider of business internet connections, was spun off from Time Warner Cable years ago) has been purchased by Level3 Communications (major internet backbone) for 5.7 billion USD
• After admitting it has no idea how attackers compromised its payment processing system, PF Changs restaurants switch back to old fashion analog ‘imprint’ machines for credit card processing
• Auditor asks one TrueCrypt author about forking the project, anonymous author says “I am sorry, but I think what you\’re asking for here is impossible. I don\’t feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn\’t require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference.”

The post Docker Shocker | TechSNAP 167 first appeared on Jupiter Broadcasting.