We’ll break down Apple’s major SSL flaw, and what it says about Apple’s general security posture, then the Zeus trojan evolves…

Plus an awesome batch of your questions, our answers.

On this week’s episode of, TechSNAP.

Thanks to:

— Show Notes: —

Apple fixes certificate validation flaw in iOS and OS X

• The flaw in the certificate verification step allowed an attacker to sign a certificate with any private key, or no key at all, and the certificate would still be accepted by the device
• This means an attacker could trivially perform a man-in-the-middle (MitM) attack, and intercept all traffic between you and a secure destination
• This would allow an attack to get your email passwords, logins for services like facebook and twitter, and compromise your online banking account
• A MitM attack is what TLS/SSL are designed to prevent
• A MitM is trivial to perform if you can trick a user into connecting to a WiFi access point you control, say at a coffee shop or other public space
• The flaw is also present in Mac OS X and fixed in 10.9.2 (Released Feb 25th, 4 days after the iOS update)
• The issue is caused by a duplicate ‘goto’ statement. The first is inside the if structure (with implied curly braces), but the 2nd is unconditional, causing the goto fail to happen in every case
• It is unclear how long Apple has known about the flaw, but the CVE for the bug was reserved on January 8th
• diff between Mac OS X 10.8.5 and 10.9 showing the addition of the errant goto
• OS X 10.9.2 also fixes an issue with cURL, where the TLS/SSL verification code did not check the hostname again the certificate if the URL was an IP address
• Hacker News thread
• More analysis
• Why were there gotos in apple software in the first place?
• Apple Announcement

University of Maryland ID card system breached

• 309,079 of the students, faculty, and staff of the University of Maryland College Park and Shady Grove campuses have had their personal information exposed in an attack against the ID card system
• The breach occurred about 04:00 February 18th
• An attacker was able to get access to the ID card database that holds information on all card holders dating back to 1998
• The data includes full name, SSN, birth date and University ID number
• Brian Voss, CIO of U Md., said “what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected”
• Voss claims that this was not a case of a ‘door left open’, that the attackers had to ‘pick through multiple locks’
• It will be interesting to see if details of the attack are published
• Related: The total cost of unmasked data

New Zeus trojan variant targets SalesForce.com

• “The Adallom Labs team recently discovered an unusual variant of the Zeus trojan that targets Salesforce users. We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.”
• We have covered the Zeus trojan before, it is a sophisticated malware used to steal online banking credentials and perform transactions, even in the face of two-factor authentication schemes by performing ‘man-in-the-browser’ attacks
• This attack does not exploit a vulnerability of SalesForce, it is just taking over the user’s device used to access the site, in order to steal data from the site once logged in
• This attack seems to be a totally new kind of attack, not described by any existing Common Attack Pattern Enumeration and Classification (CAPEC) pattern.
• When the Adallom security system detected an employee accessing a large number of records in a short period of time, it triggered an ‘insider thread’ alert. This alert is fairly common and is usually related to a sales agent downloading their entire rolodex, sometimes in preparation for leaving the company
• When corporate security integrated the employee in question, they claimed no knowledge of the bulk download
• The employees laptop was scanned and found to be clean
• Further investigation lead to the employees home PC, which was running outdated windows XP, an unpatched version of Internet Explorer, and an expired virus scanner
• The machine was infected with various bits of malware, but specifically, a modified version of the Zeus Trojan (win32/ZBot)
• The interesting part is that the Trojan targets *.my.salesforce.com instead of banking sites
• The attack also leveraged devices not controlled by corporate security
• This highlights the risks involved with BYOD and allowing employees to use their home computers to access corporate applications, especially SaaS applications

Feedback:

• sshshark

• Fibre internet in Australia

• Advice for low data rate network?

• GCHQ Revelations

• Webmin Alternative

• Flight of the Intruder

• Flight of the Intruder Audiobook – Full Cast
• Influx Audiobook | Daniel Suarez

Round Up:

• Apple Drops Snow Leopard Security Updates, Doesn\’t Tell Anyone
• GCHQ hijacked webcams of Yahoo chat and stored images of over 1.8 million users in 6 months, program ran for 2 years and collected a large quantity of sexually explicit images
• MakerBot Starts Taking Pre-Orders For Their Itty-Bitty 3D Printer
• Netflix shuts down gift card sales temporarily after rash of fraud from Brazil
• Microsoft introduces Microsoft Lync, allows companies to spy on their employees the same way the NSA does. Find out who is dating who, and who is looking for a new job
• OpenBSD revs bcrypt password hash to solve issue with passwords over 255 characters
• Phishing scam sends fake credit card fraud alerts, targeting real companies to trick customers
• Zero day flaw in IE9 and 10 exploited in watering hole attacks targeting Veterans and Military contractors. CVE-2014-0322
• Operation Greedy Wonk, Flash and AIR exploit, CVE-2014-0502
• Inside the Flash zero day CVE-2014-0502
• Breaking the Bitcrypt ransomware
• Why is broadband not getting any fasters? ISPs don’t want to spend any money. Verizon and TWC not set to lay any new lines any time soon
• The problem with 3rd party email, sometimes it goes away. Facebook is shutting down its email service. Will forward to your registered email address, for now
• DDoSing Cell Phone Networks
• Schneier highlights a recent profile of Brian Krebs

The post Go Directly to Fail | TechSNAP 151 first appeared on Jupiter Broadcasting.

HTML5 went big in 2012, but how are things looking for 2013? With some high profile moves away from HTML5, is the Internet’s darling fading or just getting started?

Plus where to start with game design, playing the app store game, and do we hate Firefox?

And much more on this week’s Coder Radio.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Show Notes:

Feedback

• Chris writes in:

“When I referenced \”beauty\” I meant the design of C++ as a language, and how one can write in it very freely.”

• A web developer wants to know why we hate Firefox and sees a trend for web devs to focus on webKit.
• Jason asks:

So, here is where I am really stuck. How do you sit down and design something like a game? What tips would you give for actually laying out the design of the code, and the UI that you need? I come from a heavy web background, and have been doing mostly procedural languages for the past 10 years. I have the training in OO, but haven\’t been using the skills.

Mostly, I\’m curious about the design side of apps and gaming. How do you do this so it doesn\’t take on a life of its own, but still gives me the direction I need to move forward?”

• Harley shares that Goto’s are still used and can be useful in generated code and also that Vala depends on Glib
• Charles wrties in to share Just Java 2 for AP Comp Sci students and does not recommend CodeAcademy.
• Anthony asks is the money to be made on the Ubuntu Software Center
• Kyle shares https://www.greenteapress.com/thinkapjava/ for you AP Java student

This Week’s Dev World Hoopla

• Perspective: Why C++ is not back

• Game Dev Rages Over Not Getting Special Treatment

• BananaBread

Pick:

[asa]B008PFABI8[/asa]

Follow the show

• Email the show
• Live Monday 9am PDT
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post HTML4++ | CR 27 first appeared on Jupiter Broadcasting.