hackers – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed last built Mon, 09 Mar 2020 23:52:42 +0000.

Building an Open Source Community: Wirefall | Jupiter Extras 62
https://original.jupiterbroadcasting.net/140122/building-an-open-source-community-wirefall-jupiter-extras-62/
Tue, 10 Mar 2020 04:00:00 +0000

Show Notes: extras.show/62

The post Building an Open Source Community: Wirefall | Jupiter Extras 62 first appeared on Jupiter Broadcasting.

Netflix Lab Rats | TechSNAP 330
https://original.jupiterbroadcasting.net/117101/netflix-lab-rats-techsnap-330/
Tue, 01 Aug 2017 23:15:14 +0000

Excerpt: Mandiant researcher doxed by hackers: HACKERS LEAK DATA FROM MANDIANT SECURITY RESEARCHER IN OPERATION #LEAKTHEANALYST. The leaked data included more screenshots than documents. Images showed that the hackers might have gained access to […]

Show Notes:

Mandiant researcher doxed by hackers

70,000 Memcached Servers Can Be Hacked Using Eight-Month-Old Flaws

  • Original Talos blog post

  • Background: in January 2017 there was a series of MongoDB incidents in which multiple competing groups attacked the same servers, which leads to the conclusion that there is no hope of actually recovering the data, if there ever was in the first place.

  • This prompted Talos to investigate memcached

Dan talks about upgrading ZFS arrays

  • raidz arrays cannot be expanded. You have n devices; it stays n devices

  • you can replace devices

  • you can replace devices with bigger devices

  • once they are all replaced, BANG, you have more space

  • what options exist for replacing devices?

  • Pull a drive, insert a new one, issue the zpool replace command.

  • Insert a new drive, if you have a spare bay, issue the zpool replace command.

  • But then Dan had a great idea the other night…


Kill Switch Engage | TechSNAP 320
https://original.jupiterbroadcasting.net/115001/kill-switch-engage-techsnap-320/
Tue, 23 May 2017 18:16:19 +0000

Excerpt: Cisco’s Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to ‘WannaCry’; FCC Filings Overwhelmingly Support Net Neutrality Once Anti-Net Neutrality Spam is Removed; Net Neutrality II: Last Week Tonight […]


Show Notes:

Cisco’s Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to ‘WannaCry’

FCC Filings Overwhelmingly Support Net Neutrality Once Anti-Net Neutrality Spam is Removed


When IT Security Cries | TechSNAP 319
https://original.jupiterbroadcasting.net/114721/when-it-security-cries-techsnap-319/
Tue, 16 May 2017 21:37:30 +0000

Excerpt: Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool; Timeline of the attack; Don’t tell people to turn off Windows Update, just don’t; U.K. Hospitals Hit in Widespread Ransomware Attack; The need for […]


Show Notes:

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

    • The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack

    • Microsoft Issues WanaCrypt Patch for Windows 8, XP

Keylogger Found in Audio Driver of HP Laptops


The Red Hack | Unfilter 202
https://original.jupiterbroadcasting.net/102696/the-red-hack-unfilter-202/
Wed, 31 Aug 2016 20:40:22 +0000

Excerpt: Episode Links: Why Did the Saudi Regime and Other Gulf Tyrannies Donate Millions to the Clinton Foundation? CNN Canceled Dr. Drew’s Show Days After He Questioned Hillary’s […]


— Show Notes —

Episode Links

Play Wolfe | TTT 258
https://original.jupiterbroadcasting.net/102591/play-wolfe-ttt-258/
Mon, 29 Aug 2016 16:39:09 +0000

Excerpt: Links: FBI says foreign hackers penetrated state election systems; Siri Offers Witty Responses About September 7 Event – Mac Rumors; The EU may hit Apple with a $19 billion […]


Show Notes:

Links:

Kickstarter of the Week:

The Wolfe allows high-performance gaming, virtual reality, graphic design, and video-editing for laptops – especially MacBooks.

National Security Breaking Agency | TechSNAP 236
https://original.jupiterbroadcasting.net/89226/national-security-breaking-agency-techsnap-236/
Thu, 15 Oct 2015 18:03:54 +0000


How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers.

Plus a great batch of your questions, a rocking round-up & much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

How might the NSA be breaking crypto?

  • “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
  • “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
  • PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
  • “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
  • “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
  • “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
  • “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
  • “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
  • “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
  • “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
  • If the NSA has precomputed just one DH 1024 group, they would be able to compromise 37% of the HTTPS traffic to the top 1 million sites using an active downgrade attack. If they have precomputed the ten most popular DH 1024 groups, that number increases to 56%
  • When applied to VPNs, the single most popular DH 1024 group would account for 66% of all traffic. For SSH, the number is 25%. For both VPN and SSH, the top 10 does not increase the likelihood of compromise; this suggests that outside of one very popular 1024-bit group, most other sites do not reuse the same group as others.
  • “we performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, near all provided Oakley Group 2 rather than a custom group”
  • Recommendations from the paper:
    • Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
    • Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
    • Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
    • Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
  • “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
  • Additional information from the researchers site WeakDH.org
  • Sysadmin’s guide to securing your servers


Fresh Zero Day exploit against fully patched Adobe Flash

  • Just last week, we were commenting on how quiet things have been on the Adobe Flash front
  • Sorry for jinxing it for everyone
  • This zero day exploit even affects Flash version 19.0.0.207 which was released on Tuesday
  • Adobe expects to release a patch that fixes the Zero day some time next week
  • “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
  • “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
  • “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
  • In this wave of attacks, the emails were about the following topics:
    • “Suicide car bomb targets NATO troop convoy Kabul”
    • “Syrian troops make gains as Putin defends air strikes”
    • “Israel launches airstrikes on targets in Gaza”
    • “Russia warns of response to reported US nuke buildup in Turkey, Europe”
    • “US military reports 75 US-trained rebels return Syria”
  • The most startling thing here is that you would not expect government employees to get such news via email, so they should know better than to fall for emails with these subjects or follow links with such headlines.
  • “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
  • It will be interesting to see if any of the exploit kits manage to pick up this Zero-day before the patch is released
  • This attack is currently focused on the government, and the attackers likely want to keep their zero-day to themselves
  • Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the exploit, and see this added to the regular exploit kits
  • Additional Coverage: Krebs

Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats

  • “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
  • “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
  • “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
  • “‘Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,’ an NSA document, which was declassified several years ago, concluded. ‘It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.’ The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.”
  • “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
  • “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
  • “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
  • “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
  • “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
  • “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
  • “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
  • I thought this was an interesting example of how espionage works and how hard it can be to detect

Oracle’s EULAgy #oraclefanfic | TechSNAP 227
https://original.jupiterbroadcasting.net/86507/oracles-eulagy-oraclefanfic-techsnap-227/
Thu, 13 Aug 2015 14:44:17 +0000


Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain.

A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Oracle doesn’t think you should try to reverse engineer their products

  • “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and says that the company has no need for researchers to look at Oracle’s code for vulnerabilities because ‘it’s our job to do that, we are pretty good at it’”
  • The blog post has since been taken down
  • Archive.org copy of Oracle Blog post
  • Google Cache of Oracle Blog post
  • “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.”
  • This is where I take the most extreme exception
  • First, I don’t imagine that it is average Oracle customers who are reverse engineering Oracle software looking for bugs
  • Often, security research companies will look for bugs in major pieces of software (be it Flash, Windows, Firefox, Chrome, Java, etc.) with the goal of publishing their research once the bugs they find are fixed, in order to build a reputation and attract security consulting customers
  • This system depends on A) Vendors actually accepting and acting upon bug reports, and B) Vendors crediting the people who discover the flaws in the security advisory / patch notes
  • When a researcher is helping you better your software, for free, the least you can do is give them credit where it is due
  • If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist, and isn’t an attack surface
  • “‘I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,’ Davidson said in the post.”
  • So at least they are going to fix it, eventually…
  • “‘However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”’”
  • But credit? Nope. Ohh, and we might decide to try to engage in litigation against you
  • Of course, if you actually read the EULA, Oracle’s software is not warranted for any use what-so-ever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
  • “‘Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,’ Davidson said in the post.”
  • Of course, Oracle’s Legal department backpedaled, hard:
  • A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
  • “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
  • Twitter reacted quickly
  • A new trend has emerged around the hashtag #OracleFanFic

Why not insider trade on EVERY company?

  • This Bloomberg View article starts with a typical description of how insider trading works, and how people get away with it
  • It then digs into how a group of Ukrainian bad actors did it against a huge number of companies, illegally profiting by over $100 million.
  • The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public
  • Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee, or a stake in the action
  • They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies
  • “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and “created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.””
  • “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies,”
  • “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. “The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants,”
  • “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers “gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.” They gained access to Business Wire after “the login credentials of approximately fifteen Business Wire employees had been ‘bruted.’”
  • The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
  • Additional Coverage – Bloomberg
  • Additional Coverage – Threat Post
  • Justice Department Press Release
  • New Jersey Federal Criminal Complaint
  • Brooklyn Federal Criminal Complaint
  • SEC Press Release
  • SEC Civil Complaint

Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR

  • “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines”
  • Make sure your flash version is 18.0.0.232 or newer
  • The fixed flaws include:
    • 16 use-after-frees
    • 8 memory corruptions
    • 5 type confusions
    • 5 buffer overflow and heap buffer overflow bugs
    • 1 integer overflow flaw
  • “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
  • In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks”
  • “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said
  • “Note: Beginning August 11, 2015, Adobe will update the version of the “Extended Support Release” from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post.”
  • Official Adobe Advisory
  • The advisory credits a number of researchers and companies that found the vulnerabilities, including:
    • Google Project Zero
    • FortiGuard Labs
    • Alibaba Security Research Team
    • Chromium Vulnerability Rewards Program
    • 360 Vulcan Team
  • Additional Coverage

Feedback:


Round Up:


The post Oracle's EULAgy #oraclefanfic | TechSNAP 227 first appeared on Jupiter Broadcasting.

Androids Go Silent | TTT 199 https://original.jupiterbroadcasting.net/85802/androids-go-silent-ttt-199/ Thu, 30 Jul 2015 09:48:31 +0000 https://original.jupiterbroadcasting.net/?p=85802 Hammertoss malware using GitHub & Twitter for command & control gets exposed, the US sets out to build the world’s fastest Supercomputer, the second major Android flaw this week & the return of Top Gear …sort of.

The post Androids Go Silent | TTT 199 first appeared on Jupiter Broadcasting.



Show Notes:

Women In Tech: The Book | WTR 14 https://original.jupiterbroadcasting.net/77527/women-in-tech-the-book-wtr-14/ Wed, 18 Feb 2015 09:44:53 +0000 https://original.jupiterbroadcasting.net/?p=77527 Tarah Wheeler Van Vlack is the CEO of Fizzmint, a full end to end employee management HR service. She also has a book titled Women In Tech: The Book on kickstarter right now!

The post Women In Tech: The Book | WTR 14 first appeared on Jupiter Broadcasting.


Thanks to:

Ting


Show Notes:

Full transcription of previous episodes can be found at heywtr.tumblr.com

The Ebola of Propaganda | Unfilter 118 https://original.jupiterbroadcasting.net/69327/the-ebola-of-propaganda-unfilter-118/ Wed, 15 Oct 2014 21:00:04 +0000 https://original.jupiterbroadcasting.net/?p=69327 The fear machine is spinning at maximum speed scaring the public over Ebola, but to what end? We discuss what all the fearporn could be cover for. Plus the new narrative being told to us about ISIS and how polls are showing growing support by the US to send boots into Iraq. Also a discussion […]

The post The Ebola of Propaganda | Unfilter 118 first appeared on Jupiter Broadcasting.


The fear machine is spinning at maximum speed scaring the public over Ebola, but to what end? We discuss what all the fearporn could be cover for.

Plus the new narrative being told to us about ISIS and how polls are showing growing support by the US to send boots into Iraq.

Also a discussion around personal privacy tools & the FBI’s recent campaign to label them as national security threats.


— Show Notes —

News

Edward Snowden’s girlfriend living with him in Moscow, film reveals | US news | theguardian.com

The mystery of the whereabouts of Edward Snowden’s long-time girlfriend is solved in a documentary that premiered in New York on Friday night: she has been living with the national security whistleblower in Russia since July.

The surprise revelation in the documentary, filmed by Laura Poitras, upends the widespread assumption that Snowden had deserted Lindsay Mills and that she, in a fit of pique, fled Hawaii where they had been living to stay with her parents in mainland US.

Citizenfour review – Poitras’ victorious film shows Snowden vindicated | Film | theguardian.com

Citizenfour opens in US cinemas on 24 October.

ISIS Update

Revisionist History 101: Bush Was Right About Iraq WMD! – The Intercept

The latest attempt came yesterday, when The New York Times published an explosive new story on American soldiers who were wounded while handling corroded munitions extracted from Saddam Hussein’s inactive chemical weapons program. The Iraq Study Group has long documented the existence of these decrepit and corroded weapons stocks in Iraq, something which has precisely nothing to do with the “Weapons of Mass Destruction” claims purveyed by war supporters.

The inconvenient truth is that the U.S. was aware of the existence of such weapons at the Al Muthanna site as far back as 1991. Why? Because Al Muthanna was the site where the UN ordered Saddam Hussein to dispose of his declared chemical munitions in the first place. Those weapons that could not safely be destroyed were sealed and left to decay on their own, which they did. The site was neither “active” nor “clandestine” — it was a declared munitions dump being used to hold the corroded weapons which Western powers themselves had in most cases helped Saddam procure.

NBC/WSJ Poll: Majority Say Ground Troops Needed to Fight ISIS

The newest poll shows that 41 percent of respondents think ground troops and airstrikes are necessary, compared with 35 percent who think the actions should be limited to airstrikes. Fifteen percent of those polled said no military action should be taken.

A month ago, just 34 percent — a seven-point difference — favored both airstrikes and combat troops, and 40 percent wanted just airstrikes.

ISIS Threat Top Concern for Republican Voters — WSJ/NBC Poll – Washington Wire – WSJ

In the survey, 41% of Republicans said acting on the ISIS threat is the most important issue in deciding their midterm vote. Just 18% of Democrats agreed, placing the issue fifth behind economic growth, breaking the partisan gridlock in Washington, health care and social security.

US ends ban on ‘domestic propaganda’ — RT USA

The Smith-Mundt Act has ensured for decades that government-made media intended for foreign audiences doesn’t end up on radio networks broadcast within the US. An amendment tagged onto the National Defense Authorization Act removed that prohibition this year

The longstanding federal law made it illegal for the US Department of State to share domestically the internally-authored news stories sent to American-operated outlets broadcasting around the globe. All of that changed effective July 2, when the Broadcasting Board of Governors (BBG) was given permission to let US households tune-in to hear the type of programming that has previously only been allowed in outside nations.

Ebola

Obama holds Ebola meeting as White House defends handling of outbreak | Reuters

U.S. President Barack Obama convened a high-level meeting about the Ebola outbreak on Wednesday after abruptly postponing a political trip in what was a sign of growing concern about the deadly virus.

The White House strongly defended the government’s handling of the Ebola problem after it became clear that a second Texas healthcare worker who tested positive for the virus had traveled aboard a commercial airliner.

High Note

2-alarm fire in Federal Way started in marijuana grow op | Local & Regional | Seattle News, Weather, Sports, Breaking News | KOMO News

He said another tenant – a marijuana grow operation – occupied the basement of the building, and investigators later determined the fire started there. It wasn’t immediately known whether it was a legal medical pot grow or an illegal operation. Tenants tell KOMO News they knew about the grow operation, but were told by the owners it was a legal business. A spokesperson with the State Liquor Control Board says their records show nobody at the Federal Way address is licensed to grow recreational marijuana, however the state does not have records or oversight when it comes to medical marijuana growers.

GoodGoogle BadUSB | TechSNAP 173 https://original.jupiterbroadcasting.net/63557/goodgoogle-badusb-techsnap-173/ Thu, 31 Jul 2014 16:53:08 +0000 https://original.jupiterbroadcasting.net/?p=63557 China goes on a hacking spree, compromising a Point of Sale system is as simple as an ebay purchase. Plus what’s bad about GoodGoogle, your questions, our answers, and much much more!

The post GoodGoogle BadUSB | TechSNAP 173 first appeared on Jupiter Broadcasting.


Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

What can you find on a used POS terminal off ebay?

  • Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200.
  • The Aloha POS system is sold by NCR, which came under its wing with its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
  • Oh found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
  • Oh’s research illustrates the security issues facing the hospitality industry: outdated POS systems that it sometimes cannot afford to update.
  • Companies don’t appear to be paying enough attention to security issues with their POS terminals, and older systems, which may not be as secure, are often still in use.
  • The problem is also impacting the food industry, where there is little budget to upgrade POS systems.
  • P.F. Chang’s was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant’s acquisition by NCR.
  • P.F. Chang’s disclosed a credit and debit card breach last month.
  • P.F. Chang’s said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.
  • HP Security Research Blog

Hackers breach three Israeli Defense firms behind Iron Dome

  • Brian Krebs breaks the news that the three defense contractors responsible for the design and building of the Iron Dome missile defense system have had their computer systems breached
  • Iron Dome intercepts inbound rockets and mortars and has been credited with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict
  • The attackers stole huge quantities of sensitive documents pertaining to the missile shield technology
  • The breach occurred between Oct. 10, 2011 and August 13, 2012, but was not disclosed
  • The three victims were: Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems
  • The breach was investigated by Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI)
  • CyberESI managed to gain access to the secret communications infrastructure set up by the attackers, and from that learned that a very large volume of data had been exfiltrated from the victim networks
  • The stolen material included a 900-page document that provides detailed schematics and specifications for the Arrow III missile, plus documents about Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other related technical documents
  • “Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.”
  • Iron Dome is partially funded by the US Government, and was designed in cooperation with some US defense contractors
  • “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”
  • Many of the documents that were stolen have their distribution restricted by International Traffic in Arms Regulations (ITAR), a U.S. State Department control that regulates the defense industry, raising questions about the lack of timely disclosure
  • “According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.”
  • “Once inside the IAI’s network, Comment Crew members spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network.”
  • “Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”
  • “While some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years learning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this approach can or should scale for smaller firms.”

Chinese hackers breach National Research Council of Canada computers while they are working on new security system to prevent attacks

  • The Canadian federal government revealed on Tuesday that the NRC’s computer networks were the target of a cyber attack, and had been shut down to contain the compromise
  • The NRC is working with both the private sector and university research teams to create a physics-based computer encryption system
  • “NRC is developing photonics-based, quantum-enhanced cyber security solutions … collaborating to develop technologies that address increased demands for high-performance security for communications, data storage and data processing.” says the NRC’s website.
  • “NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure.” “This could take approximately one year; however, every step is being taken to minimize disruption.”
  • The intrusion came from “a highly sophisticated Chinese state-sponsored actor,” said the Treasury Board. “We have no evidence that data compromises have occurred on the broader Government of Canada network.”
  • The article states “… comes as the agency is working on an advanced computer encryption system that is supposed to prevent such attacks.”
  • Encryption does not prevent your computer systems from being breached by attackers, especially if the attackers get a foothold via phishing and other social engineering attacks
  • The encryption system is a defense against eavesdropping, and may also protect sensitive documents in cold storage, but it does not prevent systems from being compromised

Service offers to defeat your competitors online advertising

  • Krebs brings us more news, this time about an online service that exhausts the daily advertising budget of your competitors, making your own advertisements less expensive and more visible
  • A common scam involving Google’s AdSense service is “click fraud”. A fraudster sets up a website to display ads, then drives fake traffic to the site, and fake clicks on the ads
  • The fraudster then gets paid by Google a portion of what the advertiser paid to show the ad
  • However, Krebs found someone doing the opposite, defrauding the AdWords side of the business
  • “GoodGoogle” is the name of one of these fraudster services. It promises to click the ads of your competitors, driving up their costs and exhausting their advertising budget early in the day (or early in each hour, depending on the Google settings)
  • This means your own ads will be less expensive (your lower bid normally wouldn’t win, but if all of the higher bidders have expended their budget for the day, you are now the high bidder), and you cost your competitors more money
  • “The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’s ads indefinitely. Fees are paid up-front and in virtual currencies and the seller offers support and a warranty for his work for the first three weeks.”
  • “Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, speculated that GoodGoogle’s service consists of two main components: A private botnet of hacked computers that do the clicking on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results”
  • This could also be an interesting case of double-dipping: if the fraudster ran fake sites with content specific to the keywords his customers wanted to attack, he could make money via click fraud on the AdSense side, while charging for his services on the AdWords side
  • “Amazingly, the individual responsible for this service not only invokes Google’s trademark in his nickname and advertises his wares via instructional videos on Google’s YouTube service, but he also lists several Gmail accounts as points of contact. My guess is it will not be difficult for Google to shutter this operation, and possibly to identify this individual in real life.”

Feedback:


Round-Up:


SSH1tty leakage | TechSNAP 171 https://original.jupiterbroadcasting.net/62577/ssh1tty-leakage-techsnap-171/ Thu, 17 Jul 2014 17:16:40 +0000 https://original.jupiterbroadcasting.net/?p=62577 We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in Middle attack. Plus a fantastic batch of your questions, our answers & much, much more!

The post SSH1tty leakage | TechSNAP 171 first appeared on Jupiter Broadcasting.


Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword

  • Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
  • Their findings are troubling, showing problems with all of the popular services
  • “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
  • The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
  • The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
  • The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (this requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly allowing them to lock the user out of other sites.
  • An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (url/username/password) they do not own with another user, only needing to know the unique id#, which is a globally unique incrementing counter and so can be predicted. It also allows an attacker to modify another user’s web cards once they are shared
  • “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
  • “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
  • Research Paper
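The My1login sharing bug above is a textbook authorization failure: predictable object ids plus a share/edit endpoint that never checks who owns the card. The following is an added illustration written for these notes, not code from the paper or from any password manager vendor. It models a vault in memory with hypothetical class and method names (SharingVaultVulnerable, SharingVaultHardened, WebCard) and constructed sample data, and shows the two fixes side by side: unguessable ids and an ownership check on every mutating operation.

```python
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set


class AuthorizationError(Exception):
    """Raised when a principal acts on a card it does not own."""


@dataclass
class WebCard:
    card_id: str
    owner: str
    url: str
    username: str
    password: str
    shared_with: Set[str] = field(default_factory=set)


class SharingVaultVulnerable:
    """Models the flaw described in the notes: card ids come from one global
    counter, and share/update only check that the card exists (hypothetical)."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.cards: Dict[str, WebCard] = {}

    def _new_id(self) -> str:
        return str(next(self._ids))        # sequential, so trivially predictable

    def create(self, owner: str, url: str, username: str, password: str) -> str:
        card = WebCard(self._new_id(), owner, url, username, password)
        self.cards[card.card_id] = card
        return card.card_id

    def share(self, requester: str, card_id: str, target: str) -> None:
        card = self.cards[card_id]         # missing: card.owner == requester
        card.shared_with.add(target)

    def update_password(self, requester: str, card_id: str, new_password: str) -> None:
        card = self.cards[card_id]         # missing: ownership check
        card.password = new_password


class SharingVaultHardened(SharingVaultVulnerable):
    """Two fixes: unguessable ids, and every mutating operation verifies
    ownership. Unknown and foreign ids raise the same error so the API
    does not reveal which ids exist."""

    def _new_id(self) -> str:
        return secrets.token_urlsafe(16)   # 128 random bits, not enumerable

    def _owned(self, requester: str, card_id: str) -> WebCard:
        card = self.cards.get(card_id)
        if card is None or card.owner != requester:
            raise AuthorizationError("card not found or not owned by requester")
        return card

    def share(self, requester: str, card_id: str, target: str) -> None:
        self._owned(requester, card_id).shared_with.add(target)

    def update_password(self, requester: str, card_id: str, new_password: str) -> None:
        # Share recipients may read the card; only the owner may change it.
        self._owned(requester, card_id).password = new_password


def demo() -> Dict[str, bool]:
    """Replay the same misuse against both vaults. All data is constructed."""
    outcome: Dict[str, bool] = {}

    weak = SharingVaultVulnerable()
    victim_card = weak.create("alice", "https://bank.example", "alice", "hunter2")
    # With sequential ids, another user's card id ("1") needs no guessing.
    weak.share("mallory", victim_card, "mallory")
    weak.update_password("mallory", victim_card, "changed-by-mallory")
    outcome["vulnerable_share_succeeded"] = "mallory" in weak.cards[victim_card].shared_with
    outcome["vulnerable_tamper_succeeded"] = weak.cards[victim_card].password == "changed-by-mallory"

    strong = SharingVaultHardened()
    victim_card = strong.create("alice", "https://bank.example", "alice", "hunter2")
    try:
        strong.share("mallory", victim_card, "mallory")
        outcome["hardened_share_blocked"] = False
    except AuthorizationError:
        outcome["hardened_share_blocked"] = True
    try:
        strong.update_password("mallory", victim_card, "changed-by-mallory")
        outcome["hardened_tamper_blocked"] = False
    except AuthorizationError:
        outcome["hardened_tamper_blocked"] = True
    strong.share("alice", victim_card, "bob")   # the legitimate path still works
    outcome["hardened_owner_can_share"] = "bob" in strong.cards[victim_card].shared_with
    outcome["hardened_id_unguessable"] = len(victim_card) >= 20 and victim_card != "1"
    return outcome


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28} {ok}")
```

The ownership check is the essential fix; random ids only reduce how easily a foreign card can be named, which is why the hardened class does both and returns one indistinguishable error for "does not exist" and "not yours".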

How Russian Hackers stole the Nasdaq (2010)

  • In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq
  • The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
  • The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
  • “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
  • Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
  • The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
  • The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
  • Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
  • “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
  • What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
  • An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened
  • By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it
  • Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding

Tutorial: SSH MITM Downgrade Attack

  • This is a tutorial on how to perform an SSH Man-In-The-Middle downgrade attack
  • This attack involves tricking the user connecting to the SSH server you are intercepting into using the old version 1 of the SSH protocol
  • SSH1 uses a separate host-key fingerprint from SSH2, so the user will be prompted to accept a different key
  • Many users will blindly accept this warning
  • If the user can be tricked into dropping to SSH1, it may be possible to steal the username and password they use to login with
  • Luckily, most modern SSH servers do not allow SSH1
  • However, some clients, including PuTTY, allow both SSH1 and SSH2, with a preference for the latter
  • Users are encouraged to change the setting on their server and in their client to only allow SSH2
  • Many embedded devices still allow SSH1, including many older Cisco Security Appliances
  • These devices are perfect targets for this type of downgrade attack
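The defensive side of the notes above is a configuration question: does a server (or client) still offer protocol 1, and is it configured to allow both? The script below is an added example written for these notes, not from the tutorial linked above or from OpenSSH. It classifies an SSH identification banner (RFC 4253 section 4.2, where "SSH-1.99-..." means the server accepts both SSH1 and SSH2 clients) and parses the pre-OpenSSH-7.6 `Protocol` directive from an sshd_config or ssh_config file. The banners and config snippets are constructed; the function names are this example's own.

```python
import re
from typing import Optional, Set

# RFC 4253 section 4.2: the identification string is
# "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s]+)")


def banner_protocols(banner: str) -> Set[int]:
    """Protocol major versions a server identification string advertises.

    "1.99" is the compatibility marker from RFC 4253: the server accepts
    both SSH1 and SSH2 clients, which is exactly the state a downgrade
    attack relies on.
    """
    match = _BANNER_RE.match(banner)
    if match is None:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = match.group("proto")
    if proto == "1.99":
        return {1, 2}
    if proto.startswith("1."):
        return {1}
    if proto.startswith("2."):
        return {2}
    raise ValueError(f"unknown protocol version: {proto}")


def config_protocols(config_text: str) -> Optional[Set[int]]:
    """Versions listed by the 'Protocol' directive of an sshd_config or
    ssh_config file (OpenSSH before 7.6; later releases removed SSH1).

    OpenSSH uses the first occurrence of a keyword, so the first
    uncommented 'Protocol' line wins. Returns None when the directive is
    absent; the effective default then depends on the OpenSSH release.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            return {int(v) for v in parts[1].replace(" ", "").split(",") if v}
    return None


def downgrade_exposure(versions: Optional[Set[int]]) -> str:
    """Classify a version set for the SSH1 downgrade scenario."""
    if versions is None:
        return "unknown: no Protocol directive, check the OpenSSH release default"
    if versions == {2}:
        return "ok: SSH2 only"
    if 1 in versions and 2 in versions:
        return "at-risk: both versions offered, a MITM can force SSH1"
    return "critical: SSH1 only"


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "legacy-embedded": "SSH-1.5-Cisco-1.25\r\n",
    "mixed-mode": "SSH-1.99-OpenSSH_4.3\r\n",
    "modern": "SSH-2.0-OpenSSH_7.4\r\n",
}

WEAK_SSHD_CONFIG = """\
# constructed: still lets SSH1 clients negotiate
Protocol 2,1
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
# constructed: the setting the notes recommend
Protocol 2
PermitRootLogin no
"""


def audit() -> dict:
    """Run every sample through the classifier, keyed by sample name."""
    results = {name: downgrade_exposure(banner_protocols(b)) for name, b in SAMPLE_BANNERS.items()}
    results["weak-config"] = downgrade_exposure(config_protocols(WEAK_SSHD_CONFIG))
    results["hardened-config"] = downgrade_exposure(config_protocols(HARDENED_SSHD_CONFIG))
    return results


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:16} {verdict}")
```

To use this against a live host you would feed `banner_protocols` the first line the server sends after the TCP connect; the banner is sent before any key exchange, so reading it is a read-only check that never completes a login. The same `Protocol 2` line in ssh_config closes the client side, since a client that accepts only SSH2 cannot be steered to SSH1 regardless of what the server offers.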

Feedback


Round-Up:


China Loves to Cyber | Unfilter 52 https://original.jupiterbroadcasting.net/37971/china-loves-to-cyber-unfilter-52/ Wed, 29 May 2013 21:23:55 +0000 https://original.jupiterbroadcasting.net/?p=37971 Chinese hackers have gained access to the designs of major U.S. weapons systems, a new report claims. Plus a few questions about the timing of the announcement.

The post China Loves to Cyber | Unfilter 52 first appeared on Jupiter Broadcasting.


Chinese hackers have gained access to the designs of major U.S. weapons systems, a new report claimed on Monday. But we have a few questions about the timing of this announcement, and how it fits into the bigger picture.

And the “March Against Monsanto” protests were held in 52 countries and 436 cities around the world protesting the GMO giant and its genetically modified seeds. We’ll dig into the movement’s real goals and see if it has any chance of making a difference.

Plus why weapons are about to flood into Syria, your feedback, and much much more.


— Show Notes —


Worldwide Monsanto Protests

The worldwide March Against Monsanto this past Saturday was no mere political demonstration. Rather, it was a worldwide mobilization against corporate greed, the assault on our health and environment, and the oppression of small farmers.

French scientists have revealed that rats fed on GMO corn sold by American firm Monsanto, suffered tumors and other complications including kidney and liver damage. When testing the firm’s top brand weed killer the rats showed similar symptoms.

The French government has asked its health and safety agency to assess the study and had also sent it to the European Union’s food safety agency, Reuters reports.

“Based on the conclusion…, the government will ask the European authorities to take all necessary measures to protect human and animal health, measures that could go as far as an emergency suspension of imports of NK603 maize in the European Union,” the French health, environment and farm ministries said in a joint statement.

Researchers from the University of Caen found that rats fed on a diet containing NK603 – a seed variety made tolerant to amounts of Monsanto’s Roundup weedkiller – or given water mixed with the product at levels permitted in the United States, died earlier than those on a standard diet.

The research, conducted by Gilles-Eric Seralini and his colleagues, found that the rats suffered mammary tumors as well as severe liver and kidney damage. The study was published in the journal Food and Chemical Toxicology and presented at a news conference in London.

Fifty percent of male and 70 percent of female rats died prematurely, compared with only 30 percent and 20 percent in the control group, said the researchers.


China’s Cyber Heist

Chinese hackers have gained access to designs of more than two dozen major U.S. weapons systems, a U.S. report said on Monday, as Australian media said Chinese hackers had stolen the blueprints for Australia’s new spy headquarters.

Citing a report prepared for the Defense Department by the Defense Science Board, the Washington Post said the compromised U.S. designs included those for combat aircraft and ships, as well as missile defenses vital for Europe, Asia and the Gulf.

Among the weapons listed in the report were the advanced Patriot missile system, the Navy’s Aegis ballistic missile defense systems, the F/A–18 fighter jet, the V–22 Osprey, the Black Hawk helicopter and the F–35 Joint Strike Fighter.


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Tyler T
  • Matthew D

Since Unfilter is now my favourite JB show, I wanted to share the reason why I subscribed, just in case it gets you guys a few more subscriptions from this side of the Atlantic.

  • Thanks to our 80 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.


Syria: The Proxy War

The EU’s move, which the Russian diplomat branded as an “example of double standards”, opens the door for Britain and France to supply weapons to Syrian rebels fighting the regime of President Bashar Assad.

Criticizing Europe’s decision to open the way for potential arms shipments to Syrian rebels, Russia insists that its own sale of arms to the Syrian government helps the international effort to end the two-year-long conflict, the diplomat added. He was referring to the delivery of the advanced S–300 long-range air defense systems, which Russia is carrying out under a contract signed with Syria several years ago.

“Those systems by definition cannot be used by militant groups on the battlefield,” Ryabkov said. “We consider this delivery a factor of stabilization. We believe that moves like this one to a great degree restrain some hotheads from escalating the conflict to the international scale, from involving external forces.”

The S–300 is a series of Russian long-range surface-to-air missile systems designed to intercept ballistic missiles, regarded as the most potent weaponry of its class. The missiles are capable of engaging aerial targets as far away as 200km, depending on the version used.

However, Russia has neither confirmed, nor denied “the status of those shipments.”

The S–300, one of the world’s most advanced air defense systems, could make it harder for foreign forces to carry out airstrikes inside Syria, as Israel has done this year, or to impose a no-fly zone, as some members of Congress have called for.

The move is Russia’s biggest and most public step so far to bolster the government of Syria’s beleaguered President Bashar al-Assad, its longtime ally. Ryabkov made no attempt to hide the Kremlin’s intention to prevent outside forces from tipping the scales in the long and bloody civil war.

“We believe such steps are to a great extent restraining some ‘hot heads’ from considering scenarios in which the conflict may assume an international scale with the participation of outside forces,” he said, according to RIA Novosti.

Israeli defence minister: “At this stage I can’t say there is an escalation. The shipments have not been sent on their way yet. And I hope that they will not be sent.

“But if, by misfortune, they arrive in Syria, we will know what to do.”

Yaalon’s comments were made before Benjamin Netanyahu, Israel’s prime minister, ordered his cabinet to stay silent on the issue, according to public radio.

Despite Israel’s protests, the S–300 system will not be a large hurdle for that country’s advanced air force. The system can be easily spotted because it sends out a distinctive signal, and Israel may have already tested its own jets against such a system while working with Greece.

Top-level Israeli intelligence figures flew into Moscow on Tuesday night in a last-ditch attempt to talk the Kremlin out of supplying sophisticated anti-aircraft missiles to the Assad regime, which once installed in Syria would have the range and power to target civilian and military aircraft over Tel Aviv.

Israeli diplomats will continue to work both privately and publicly to prevent the transfer until the shipment sails, but officials attempted to lower the diplomatic temperature, insisting Israel had no intention of fighting Russia on the issue.

Israel has read Moscow’s insistence on pursuing its deal to supply Damascus with the powerful missile systems as part of a “cold war” power struggle between the US and Russia playing out in the theatre of the Syrian civil war in which it wants no part.

Officials from the Obama administration have revealed that the White House asked the Pentagon to outline plans for a military no-fly zone over Syria, continuing strategy discussions that have been ongoing for more than a year.

If enacted, the no-fly zone would be enforced by the US military with help from France, Great Britain and other allies.

“McCain said a realistic plan for a no-fly zone would include hundreds of planes, and would be most effective if it included destroying Syrian airplanes on runways, bombing those runways, and moving U.S. Patriot missile batteries in Turkey close to the border so they could protect airspace inside northern Syria.”


Why Are Police So Desperate to Throw Kids in Jail

“Our son went to school the morning of Dec. 11 and he didn’t show up at home after school, because he was arrested in his classroom,” Snodgrass said. “Police went into his classroom armed, and handcuffed our son. We were not notified by anyone, and he was held for two days, and we were not able to see him,” a

Before Colorado passed its medical marijuana legislation, the number of kids treated for marijuana exposure was nil. In the cases examined afterwards, there were 14 cases, eight of which came directly from consuming marijuana food products.

From 2000 to 2009, the number of children aged 15 to 19 who died from poisoning increased by 91 percent, the CDC says.

Childhood death from poisoning rose 80 percent over the 10-year time period, owing largely to the huge increase in such deaths among children aged 15 to 19. Prescription drug abuse is to blame, according to the CDC.

Propelled by an increase in prescription narcotic overdoses, drug deaths now outnumber traffic fatalities in the United States, a Times analysis of government data has found.

Drugs exceeded motor vehicle accidents as a cause of death in 2009, killing at least 37,485 people nationwide, according to preliminary data from the U.S. Centers for Disease Control and Prevention.


Feedback:

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow us:

PAX 2011 Wrap-Up | J@N | 210 https://original.jupiterbroadcasting.net/11676/pax-2011-wrap-up-jn-210/ Thu, 01 Sep 2011 21:58:06 +0000 https://original.jupiterbroadcasting.net/?p=11676 We share their biggest surprises from PAX and their biggest disappointments. Plus why the platformer is stronger than ever!

The post PAX 2011 Wrap-Up | J@N | 210 first appeared on Jupiter Broadcasting.


The guys wrap up their trip to PAX PRIME 2011, and share their biggest surprises from PAX and their biggest disappointments. Plus why the platformer is stronger than ever!

OUR DRINK:

Honest Tea Certified Organic

TV:

MOVIES:
COMICS:

The Flagship of DC’s relaunch – “Justice League” – hit stores yesterday. Anyone read it?

GAMES:

PAX! Let’s talk indie and retro gaming…

HAPPY FUN MUTUAL MOVING PICTURE TIME THING:

Hackers!

NEXT WEEK

DEFCON Brings the Scary | TechSNAP 18 https://original.jupiterbroadcasting.net/11146/defcon-brings-the-scary-techsnap-18/ Thu, 11 Aug 2011 22:42:08 +0000 https://original.jupiterbroadcasting.net/?p=11146 A kill switch for social media, eBay upgrades their servers to SSD (and you won’t believe the costs), and we take a peek at Microsoft’s data center in a box!

The post DEFCON Brings the Scary | TechSNAP 18 first appeared on Jupiter Broadcasting.


This week on TechSNAP:

The UK Prime Minister wants a kill switch for social media, eBay upgrades their servers to SSD (and you won’t believe the costs), and we take a peek at Microsoft’s data center in a box!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:


Show Notes:


UK PM Proposed Social Media Kill Switch

  • UK PM David Cameron is proposing that the police, intelligence agencies and telecom industry investigate whether it would be right and technically feasible to disable access to social networks during times of civil unrest
  • “Everyone watching these horrific actions will be struck by how they were organised via social media”
  • This is obviously the wrong way to solve the problem, and it will never work. Even if the telcos block access to Facebook and Twitter via the Internet and cellular networks, rioters could just use text message trees like those used to organize the riots in Egypt.
  • Some are even proposing entirely disabling the cellular networks in affected areas; however, this would be seriously disruptive, considering that many in the UK only have cellular phones. Leaving citizens without access to emergency services would obviously be untenable.
  • Even if the UK government were successful in blocking access to the major social networks, protesters could use other networks; there is no shortage of competing services. Protesters could also use proxies and other techniques to mask their access to social media, as is commonplace in workplaces that block access to the sites.
  • A number of people have already been arrested for posting messages on Facebook that were said to be ‘inciting violence’ and ‘public disorder’
  • More detailed article from the BBC

Denial of Service Attack results in suspended trading on the Hang Seng Stock Exchange

  • An attack against a site used to post official announcements about issues on the Hang Seng stock exchange resulted in the site being unreachable
  • Trading in stock issues that were to make important price affecting announcements was suspended.
  • Trading of shares in HSBC, Cathay Pacific, China Power International and the Hong Kong exchange itself, among others, was suspended
  • If the site remains offline, the Hang Seng exchange will find an alternate way to release the announcements and trading will resume
  • Earlier this year the US NASDAQ exchange revealed that cyber attackers had planted malicious code on its “Directors Desk” web application

eBay begins migration to pure SSDs in its datacenters

  • Approximately half of eBay’s 4000 VMs are now backed purely by SSD storage
  • The average time to deploy a VM has dropped from 45 minutes to 5
  • Previously, eBay had been using 15k RPM drives via Fibre Channel
  • One rack full of SSDs is equivalent in performance to eight or nine racks of the previous drives
  • After replacing 100TB of storage, a 50% reduction in rack space, a 78% drop in power consumption and a five-fold boost in I/O performance were realized
  • The appliance eBay is using does not use traditional hard drive form factor SSDs, but rather 2U modules of pure flash storage via a 6 Gbit/sec SAS interface.
  • Storage is priced at $10,000 per Terabyte, and comes in 2.5TB, 5TB, and 10TB modules

Radios used by US Federal Law Enforcement suffer Security Flaws

  • The P25 radios used by many Federal Law Enforcement Agencies support encryption, but do not always use it. Many messages are sent in the clear, even when the users believe they are communicating securely
  • This vulnerability results in trivial passive attacks, where the supposedly secure communications can be eavesdropped on
  • The P25 radios are also subject to active attacks. An attacker with very modest resources is able to jam specific types of communication to and from the P25. This would allow an attacker to block LEOs in the area from sending or receiving encrypted messages.
  • The available symmetric encryption systems are DES, 3DES and AES. Obviously the first two options have not been considered secure for many years.
  • Because the radios are based on a best-effort protocol and do not have the ability to retransmit garbled frames, chained encryption modes like CBC (Cipher Block Chaining) cannot be used. This also means that a MAC (Message Authentication Code) cannot be used to verify that incoming transmissions have not been altered.
  • Because of this, it is possible for an attacker to impersonate a legitimate user, inject voice and data traffic, and replay captured traffic, resulting in false signals, even when the messages are encrypted
  • PDF of the official University of Pennsylvania study
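The error-propagation and integrity points in the P25 bullets above, as an added illustration that is not from the show or from the University of Pennsylvania study: a constructed toy block cipher (an 8-round Feistel network built from SHA-256, not P25’s actual cipher), four constructed 16-byte “voice frames”, and a constructed key and IV. It measures how one bit flipped in flight spreads through the decrypted audio under a chained mode (CBC) versus a keystream mode (counter mode), and then shows what a per-frame HMAC would and would not buy on such a link.

```python
"""Error propagation and integrity on a lossy voice channel (constructed demo).

Added example, not P25's real cipher or framing. The block cipher is a toy
8-round Feistel network built from SHA-256; the "voice frames" are constructed
16-byte blocks; key, IV and sequence numbers are placeholders.
"""
import hashlib
import hmac

BLOCK = 16   # bytes per toy block, one constructed voice frame
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed, round-dependent pseudorandom function truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Feistel with a final swap: the same loop with the round order reversed
    # inverts it, so decryption reuses this function.
    left, right = block[:8], block[8:]
    for rnd in rounds:
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for off in range(0, len(ciphertext), BLOCK):
        block = ciphertext[off:off + BLOCK]
        out.append(_xor(decrypt_block(key, block), prev))   # chained on the previous block
        prev = block
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream mode: encryption and decryption are the same operation, and
    # each frame depends only on its own counter, never on neighbouring frames.
    out = []
    for i, off in enumerate(range(0, len(data), BLOCK)):
        keystream = encrypt_block(key, nonce[:8] + i.to_bytes(8, "big"))
        out.append(_xor(data[off:off + BLOCK], keystream))
    return b"".join(out)


def corrupted_bytes_per_frame(mode: str) -> list:
    """Flip one ciphertext bit in frame 1 of four (an air error that a best-effort
    link cannot ask to have resent) and count corrupted plaintext bytes per frame."""
    key, iv = b"constructed-key!", b"\x01" * BLOCK                 # placeholders
    frames = [bytes([0x41 + i]) * BLOCK for i in range(4)]         # 'AAAA..', 'BBBB..', ...
    plaintext = b"".join(frames)
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt), "ctr": (ctr_crypt, ctr_crypt)}[mode]
    ciphertext = bytearray(enc(key, iv, plaintext))
    ciphertext[BLOCK + 3] ^= 0x01                                  # single bit error in frame 1
    recovered = dec(key, iv, bytes(ciphertext))
    return [sum(p != r for p, r in zip(frames[i], recovered[i * BLOCK:(i + 1) * BLOCK]))
            for i in range(4)]


def tag_frame(key: bytes, seq: int, frame: bytes) -> bytes:
    """8-byte HMAC-SHA256 tag that binds a frame to its sequence number."""
    return hmac.new(key, seq.to_bytes(4, "big") + frame, hashlib.sha256).digest()[:8]


def frame_accepted(key: bytes, seq: int, frame: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_frame(key, seq, frame), tag)


def mac_demo() -> dict:
    """Constructed: a clean frame, the same frame with one air error, and the
    same frame heard again under a later sequence number."""
    key, frame = b"constructed-key!", b"A" * BLOCK                 # placeholders
    tag = tag_frame(key, 0, frame)
    noisy = bytes([frame[0] ^ 0x01]) + frame[1:]
    return {
        "clean": frame_accepted(key, 0, frame, tag),
        "bit_error": frame_accepted(key, 0, noisy, tag),   # one flipped bit discards the whole frame
        "repeated": frame_accepted(key, 1, frame, tag),    # an old tag does not verify under a new seq
    }


if __name__ == "__main__":
    print("cbc damage per frame:", corrupted_bytes_per_frame("cbc"))
    print("ctr damage per frame:", corrupted_bytes_per_frame("ctr"))
    print("mac checks:", mac_demo())
```

Under CBC the single bit error garbles all of frame 1 and bleeds one byte into frame 2, whereas counter mode confines it to the one bit that was hit, which is why a best-effort voice link leans on keystream-style modes. The same independence is what leaves the link with no integrity: the HMAC check detects both the altered frame and the out-of-sequence repeat, but it also discards every frame that took an ordinary air error, and with no retransmission that is the trade-off the bullets describe.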

Defcon presentation claims MITM attack on 4G and CDMA mobile phones

  • Reports indicate that a successful Man-in-the-Middle attack was executed against devices in and around the Defcon venue.
  • The attackers were able to gain permanent kernel-level root access in some Android and PC devices by using rootkits and non-persistent user space access in some other devices. In both cases, whoever launched this attack against both CDMA and 4G devices was able to steal data and monitor conversations.
  • It is speculated that the attacker was able to inject specially crafted packets into the data streams, possibly displaying prompts to the user that, if accepted, would install the rootkit
  • Once the device is compromised, it is trivial to monitor ongoing communications or steal the 4G encryption key

A tour of Microsoft’s cloud data centers

  • Microsoft’s newest data center designs are modular and containerized
  • The new design allows them to bring new data centers online much more quickly
  • The new designs allow the containers to be ‘plug and play’, and result in far less packing material being required

Round Up

Bitcoin Blaster

The post DEFCON Brings the Scary | TechSNAP 18 first appeared on Jupiter Broadcasting.

Hollywood Tech Fails | Jupiter@Nite | 9.23.10 https://original.jupiterbroadcasting.net/2869/hollywood-tech-fails-jupiternite-92310/ Thu, 23 Sep 2010 22:30:08 +0000 https://original.jupiterbroadcasting.net/?p=2869 Tonight we’ll share with you some of our favorite blunders in Hollywood technology, and let you laugh along with us.

The post Hollywood Tech Fails | Jupiter@Nite | 9.23.10 first appeared on Jupiter Broadcasting.


Any of us could probably come up with a hundred different “So Bad That They’re Awesome” movie scenes that involve technology in some manner. Whether hacking into the CIA database, or bringing down a bank’s firewalls, it always looks so glamorous when it appears on the big screen. In tonight’s J@N, we’ll share with you some of our favorite blunders in Hollywood technology, and let you laugh along with us.

Show Feeds:

Tonight’s Show Notes & Download Below:

Last week was the 15th anniversary of the film “HACKERS” — probably the single most well-known example of Hollywood Tech, it embodied every single stereotype we still see used in movies to this day.

io9’s list of the “10 Goofiest Hacking Scenes”

So very, very common, that they’ve been broken into three separate categories on the popular “TV Tropes” website.
https://tvtropes.org/pmwiki/pmwiki.php/Main/HollywoodHacking
https://tvtropes.org/pmwiki/pmwiki.php/Main/ViewerFriendlyInterface
https://tvtropes.org/pmwiki/pmwiki.php/Main/ExtremeGraphicalRepresentation

… and blogged about thoroughly
https://www.useit.com/alertbox/film-ui-bloopers.html

“Enhance” — the art of pulling a fully-detailed image from a single pixel, no matter what the source.
Even more ridiculous…

But sometimes they use REAL hacks! (or… almost…)

Remotely possible that similar ideas sprung from reality:
Early “display” models of the ENIAC (one of the very first general-purpose computers) had a worthless series of blinking lights attached to the circuits that did nothing but flash on and off while the machine worked.  Their sole purpose was to distract onlookers while the computer performed its computations, so that they weren’t staring at an uninteresting hunk of metal.

Uplink: A hacking video game designed to make fun of these Hollywood computer interfaces

Download:
