godaddy – Jupiter Broadcasting

Impress with WordPress | WTR 57

chris — Wed, 06 Apr 2016 12:32:03 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Kronda makes wordpress sites, manages a blog & offers educational resources for learning wordpress!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Interview – Kronda – @kronda

Are you looking for the transcription? Please let us know you use it and we may bring it back!

WTR Transcription Poll

The post Impress with Wordpress | WTR 57 first appeared on Jupiter Broadcasting.

Two Factor Falsification | TechSNAP 206

chris — Thu, 19 Mar 2015 18:47:44 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

The way TLS certificates are issued currently is not always foolproof
In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
The problem comes when webmail services, like hotmail, allow these usernames to be registered
That is exactly what happened with Microsoft’s live.be and live.fi
A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
It took Microsoft four to six weeks to solve the problem
Additional Coverage – Ars Technica
When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
“After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

Authy is a popular reusable 2 factor authentication API
It allows 3rd party sites to easily implement 2 factor authentication
Maybe a little too easily
When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
This API call is the one used to actually send the code to the user
This call sends another token to the user and returns success
The 3rd party application sees the ‘success’ part, and allows the user access
It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
Also, the middleware should probably not unescape and parse the user input

Hijacking a domain

An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
A combination of social engineering, publically available information, and a photoshopped government ID, allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
This could allow:
an attacker to inject malware into your site
redirect your email, capturing password reset emails from other services
redirect traffic from your website to their own
issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attackers on your visitors with a valid SSL certificate
Some of the social engineering steps:
- Create a fake Social Media profile in the name of the victim (with the fake picture of them)
- Create a gmail address in the name of the victim
- Call and use myriad plausible excuses why you do not have the required information:
- please provide your pin #? I don’t remember setting up a pin number
- my assistant registered the domain for me, so I don’t have access to the email address used
- my assistant used the credit card ending in: 4 made up numbers
- create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
- GoDaddy requires additional verification is the domain is registered to a business, however, since many people make up a business name when they register a domain, it is very common for these business to not actually exist, and there are loopholes
- Often, you can create a letter on a fake letterhead, and it will be acceptable
In the end, Customer Support reps are there to help the customer, it is usually rather difficult for them to get away with refusing to help the customer because they lack the required details, or seem suspicious
GoDaddy’s automated system sends notifications when changes are made, however in this case it is often too later, the attacker has already compromised your account
GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal

Feedback:

Round Up:

The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.

Priyanka Sharma | WTR 11

chris — Wed, 28 Jan 2015 03:21:00 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Priyanka is a cofounder of Wakatime, a fully automatic time tracking service for programmers!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

WakaTime is fully automatic time tracking for programmers. Using open-source text editor plugins, you never need to start or stop a timer again.
3 Hacks to Increase Your Productivity
Priyanka on Twitter

The post Priyanka Sharma | WTR 11 first appeared on Jupiter Broadcasting.

The Human Factor | TechSNAP 75

chris — Thu, 13 Sep 2012 15:46:38 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

It was a tough week for the cloud, we’ll run down the list and summarize what happened to the services we all depend on so much!

Plus a big batch of your questions, our answers, and a rocking round-up!

All that and a lot more, on this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

GoDaddy outage was caused by router snafu, not DDoS attack

GoDaddy’s services started to drop off of the internet
The outage lasted approximately 6 hours, from 10:00 PDT (17:00 UTC) and being fully restored about 16:00 PDT (23:00 UTC)
A twitter account, claiming to represent part of Anonymous, took responsibility, claiming to have launched a massive DDoS attack against GoDaddy
Some news outlets and blogs misunderstand what a DDoS attack is, and report that Anonymous has hacked GoDaddy
“We have determined the service outage was due to a series of internal network events that corrupted router data tables.” – Interim Godaddy CEO Scott Wagner
The issue was compounded because the downtime affected not only GoDaddy hosting customers, but also customers that only used GoDaddy for DNS
GoDaddy hosts 5 million web sites and manages a total of 52 million domain names
For example, the DNS for jupiterbroadcasting.com is hosted at GoDaddy, while the actual site resides at ScaleEngine, but because the DNS was down, viewers were unable to lookup the IP address of jupiterbroadcasting.com in order to connect to ScaleEngine
DNS caching will have helped reduce the effect of this downtime somewhat, especially for more popular sites, and for users coming from larger ISPs, the DNS records for JB have a TTL of 1 day, so users would only have issues reaching the site if the records had not yet been cached, or once the cache expired. At the time of this writing, the records for JB still had 28461 seconds left in my local Google Public DNS cache, but we not cached at my local OpenDNS
This event ruined GoDaddy’s previous 99.999% uptime record for DNS (99.999%, or 5 nines as it is called in the industry, allows for only 6 minutes of cumulative downtime in an entire year, compared to 4 nines, which allows about 53 minutes of downtime per year, or 99.9% which is nearly 9 hours)
GoDaddy uses Anycast for the DNS servers, this means that while it looks like each domain is only assigned to 2 DNS servers, each of those two IP addresses actually exists in multiple data centers around the world. Traffic is routed to the closest server, and if that servers route fails, after a few minutes the BGP routers at your ISP or an intervening transit provider route the traffic to the next closest server
However, due to what I assume was some human error after the failure of one or more network components, the routes that GoDaddy broadcasted to their upstream providers were in some way incorrect, and caused traffic to no longer reach the GoDaddy servers
Anycast is commonly used for DNS but is not very often used for TCP based services due to the fact that the routes can change at any time, and suddenly the same IP address points to a different server, and your connection is dropped. There are some cases where people have successfully used Anycast for short lived TCP connections
Additional Coverage
Go Daddy Site Outage Investigation Completed – GoDaddy.com

Blue Toad comes forward as the source of the leaked Apple UDIDs

Security researcher David Schuetz was analyzing the the data posted online, and found an unusually large number of devices that mentioned Blue Toad, 19 out of the 1 million records analyzed
Schuetz then contacted Blue Toad to report what he had found
Schuetz also said he couldn’t say conclusively if Anonymous’ claims about the FBI were false or true
Blue Toad makes apps for publishing companies, long known for collecting extensive data about their readers for market research and marketing purposes
Paul DeHart, CEO of Blue Toad said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit
The company’s forensic analysis claims to show the data had been stolen “in the past two weeks”
This is contrary to the original claim that the data was stolen from an FBI computer months ago

Feedback:

Techsnap drinking game
Windows Server 2012 review
Shoeboxed.com security sufficient for personal documents, eg. tax returns?
10 Char Password Enough?
Bad to use scripts to set stuff up?
Siemens Admits Issues
Are you a PHP programmer with time to spare for an open source security project? I am considering building an open source web service to handle sensitive information disclosure, and I am looking for some help building the site and API. email allan@jupiterbroadcasting.com

Round-Up:

The post The Human Factor | TechSNAP 75 first appeared on Jupiter Broadcasting.

Skype Exposes Pirates | TechSNAP 29

chris — Thu, 27 Oct 2011 18:43:12 +0000

Coming up on this week’s TechSNAP…

Researches have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent being tracked!

Plus we cover the Ultimate way to host your own email, and what happened when Chinese hackers took control of US Satellites!

All that and more, on this week’s episode of TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

Audible.com:

Ready Player One

Suspected Chinese Military Hackers take control of US Satellites

On four separate occasions during 2007 and 2008 US satellites were hijacked by way of their ground control stations.
The effected satellites were Landsat–7 (Terrain Mapping and Satellite Photography, example 1 example 2) and Terra AM–1 (Climate and Environmental Monitoring, 2010 Hurricane Karl)
While the US does not directly accuse the Chinese government in writing, these types of actions are consistent with known war plans that involve disabling communications, command and control, and GPS satellites as a precursor to war.
In one incident with NASA’s Terra AM–1, “the responsible party achieved all steps required to command the satellite,” however the attackers never actually took control of the satellite.
It was not until the 2008 investigation that the previous compromises in 2007 were detected
This raises an important question, are the US military and other NATO members, too reliant of satellite communications and GPS?
In a recent NATO exercise called ‘Joint Warrior’, it was planned to jam GPS satellite signals, however the jamming was suspended after pressure on the governments over civilian safety concerns. Story

Researchers develop a procedure to link Skype users to their Bittorrent downloads

The tools developed by the researchers at New York University allow any to determine a strong correlation between bittorrent downloads and a specific skype user.
Importantly, unlike RIAA/MPAA law suites, the researchers consider the possibility of false positives because of multiple users behind NAT.
The researchers resolve this issue by probing both the skype and bittorrent clients after a correlation is suspected. By generating a response from both clients at nearly the same time and comparing the IP ID (similar to a sequence number) of the packets, if the ID numbers are close together, than it is extremely likely that the response was generated by the same physical machine. If the IDs are very different, then it is likely that the Skype and BitTorrent users are on different machines, and there is no correlation between them.
This same technique could be made to work with other VoIP and P2P applications, and could be used to gather enough evidence to conclusively prove a bittorrent user’s identity.
This situation can be mitigated by using the feature of some OS’s that randomizes the IP ID to prevent such tracking. (net.inet.ip.random_id in FreeBSD, separate ‘scrub random-id’ feature in the BSD PF firewall)
The discovery could also be prevented by fixing the skype client such that it will not reply with its IP address if the privacy settings do not allow calls from that user. The current system employed by the researches does not actually place a call to the user, just tricks skype into thinking that a call will be placed, and skype then leaks the sensitive information by returning its IP address or initiating a connection to the attacker.
Read the full research paper

NASDAQ web application Directors Desk hacked

Directors Desk is a web application designed to allow executives to share documents and other sensitive information
When NASDAQ was hacked in February, they did not believe that any customer data was stolen
The attackers implanted spyware into the Directors Desk application and were able to spy on the sensitive documents of publicly traded companies as they were passed back and forth through the system
This is another example of the Advanced Persistent Threat (APT) as we saw with the RSA and South Korea Telecom hacks, where the attackers went after a service provider (in his case NASDAQ) to compromise the ultimate targets, the publicly traded companies and their sensitive documents.
It is not known what if any protection or encryption systems were part of Directors Desk, but it seems that the application was obviously lacking some important security measures, including an Intrusion Detection System that would have detected the modifications to the application.

SEC says companies may need to disclose cyber attacks in regulatory filings

The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation.
Some of the potential items companies may need to disclose include:
Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
To the extent the registrant outsources functions that have material cyber security risks, description of those functions and how the registrant addresses those risks
Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
Risks related to cyber incidents that may remain undetected for an extended period
“For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.
From the SEC guidance: The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision”
CF Disclosure Guidance: Topic No. 2 – Cybersecurity

Feedback:

Q: Owning my own Email?
Roundcube – Free webmail for the masses
MailServer – Community Ubuntu Documentation
Postfix – Community Ubuntu Documentation
Setting up a Forwarding Account in the Email Control Center – GoDaddy Help Center (Remember to use the coupon code LINUX or LINUX20)
Google apps for your domain (free)

It is definitely advantageous to own the domain that your email address is on. On top of looking more professional than a hotmail, or even gmail address, it also allows you to choose your host and have full control over everything. There are some caveats though, of course you must remember to renew your domain name, else your email stops working (just ask Chris about that one), you also have to be careful about picking where to host your domain, having your site or email hosted by a less reputable service can result in your domain being included on blacklists and stopping delivery of your mail to some users. The biggest problem with hosting your own email, from your home, is that you must keep the server up 24/7, and it must have a reasonable static IP address. If you are going to host from your home, I recommend you get a ‘backup mx’ service, a backup mail server that will collect mail sent to you while you are offline, and then forward it to your server when it is back up. Even if you are using a dedicated server or VPS, this is important, because email is usually the most critical service on your server. The other major issue with hosting your email from home, is that most ISPs block port 25 inbound and outbound, to prevent infected computers from sending spam. This means that you will not be able to send or receive email to other servers. Usually your ISP will require you to have a more expensive business class connection with a dedicated static IP address in order to allow traffic on port 25. Also, a great many spam filtering systems, such as spamassassin, use blacklists that contain the IP ranges of all consumer/home Internet providers, designed to stop spam from virus infected machines, because email should not be send from individual client machines, but through the ISP or Domain email server.

Round Up:

The post Skype Exposes Pirates | TechSNAP 29 first appeared on Jupiter Broadcasting.