hash – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Tue, 05 Jul 2022 20:13:26 +0000

Too Nixy for My Shirt | LINUX Unplugged 465
https://original.jupiterbroadcasting.net/149112/too-nixy-for-my-shirt-linux-unplugged-465/
Sun, 03 Jul 2022 19:15:00 +0000

Show Notes: linuxunplugged.com/465

The post Too Nixy for My Shirt | LINUX Unplugged 465 first appeared on Jupiter Broadcasting.

BTRFS is Toast | TechSNAP 331
https://original.jupiterbroadcasting.net/117276/btrfs-is-toast-techsnap-331/
Tue, 08 Aug 2017 22:38:35 +0000

The post BTRFS is Toast | TechSNAP 331 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Responsible Disclosure Is Hard

  • When a responsible person discovers a security issue, disclosing it properly is difficult

  • Uses Tesla’s policy as a good example of how companies should do this

  • “This is not hard stuff and it basically amounts to text on a page. Consider whether your own organisation has something to this effect and is actually ready to handle disclosure by those who attempt to do so ethically. Listen to these people and be thankful they exist; there’s a whole bunch of others out there who are far less charitable and by the time you hear from those guys, it’s already too late.”

Red Hat deprecates Btrfs

  • The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

  • The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

320 Million Freely Downloadable Pwned Password hashes


Feedback


Round Up:

Apollo Has Landed | LINUX Unplugged 133
https://original.jupiterbroadcasting.net/96711/apollo-has-landed-lup-133/
Tue, 23 Feb 2016 18:20:40 +0000

The post Apollo Has Landed | LINUX Unplugged 133 first appeared on Jupiter Broadcasting.


Entroware’s Apollo laptop has arrived, and we share our first hands-on impressions of their ultra Linux laptop, how it compares to the Purism, and a quick chat with Entroware’s co-founder.

Plus we discuss the Mint hack, and solutions we could create as a community to solve the bigger problems, updates from some of our favorite open source projects, and chat about Beep Beep Yarr, and more!

Ting

DigitalOcean

Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Follow Up / Catch Up

Beep Beep Yarr! by Linux Voice

<< Silk Guardian >> is an anti-forensic kill-switch

Silk Guardian is an anti-forensic LKM kill-switch that waits for a change on your usb ports and then wipes your ram and turns off your computer.

MUTINY! — Ubuntu MATE 16.04 Adds Unity-Style Desktop Layout

“There’s a Mutiny coming!,” the Ubuntu MATE team teases. “Yes, that is a top menu. Yes, this is Ubuntu MATE. See you Thursday for the Beta 1 release!”.

Cnchi v0.14 Moves Into Stable Branch

The most notable change in Cnchi 0.14 is beta support for ZFS (in Automatic Installation Mode). It is now possible to install Antergos with ZFS as your chosen filesystem. You simply tell Cnchi which drive to use and it will take care of formatting the drive and configuring ZFS for you.

TING

The most powerful Ubuntu phone is still not good enough

The Meizu Pro 5 has the Galaxy S6’s processor, but not its performance

100,000,000 Monthly Active Users

Now Telegram has more than 100,000,000 monthly active users. 350,000 new users sign up each day. We’re delivering 15 billion messages daily.

DigitalOcean

“The Mint Hack”

Hacker explains how he put “backdoor” in hundreds of Linux Mint downloads | ZDNet

The hacker responsible, who goes by the name “Peace,” told me in an encrypted chat on Sunday that a “few hundred” Linux Mint installs were under their control — a significant portion of the thousand-plus downloads during the day.

Backdoored Linux Mint, and the Perils of Checksums

But it’s also important to note that comparing the checksum of a file you downloaded with what you see on the website you downloaded it from isn’t secure either, even if you are using SHA256. If a hacker can hack the website to modify the download link, they can modify the checksum at the same time to match their malicious download.

The only solution to this problem is to use public key cryptography.

Linux Academy

Apollo by Entroware

Support Jupiter Broadcasting on Patreon

Solving the Flash Plague | TechSNAP 226
https://original.jupiterbroadcasting.net/86237/solving-the-flash-plague-techsnap-226/
Fri, 07 Aug 2015 07:33:08 +0000

The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.


Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang.

Plus a great batch of questions, the roundup & more!

Thanks to:

DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

0day exploits against Flash will be harder thanks to new mitigations

  • Three new exploit mitigations are being added to Adobe’s Flash player in an effort to prevent future exploits
  • The mitigations were developed in a collaboration between Adobe and Google’s Project Zero
  • The mitigations are:
    • “buffer heap partitioning” – Specific types of objects have been moved to an entirely separate heap (the OS Heap instead of the Flash Heap), preventing an overflow in the Flash Heap from ever being able to corrupt those objects. “It’s worth noting that this defense is much more powerful in a 64-bit build of Flash, because of address space limitations of 32-bit processes. This mitigation is now available in the Chrome version of Flash, and is expected to come to all other browsers sometime in August. Now is a good time to upgrade to a 64-bit browser and Flash.”
    • “stronger randomization for the Flash heap” – The Flash heap is no longer stored in a predictable location, so it is harder to exploit. In addition, especially on 64-bit platforms, large allocations are further randomized. An older exploit developed by Project Zero used up to a 1GB allocation in order to hit a predictable location. With the large 64-bit address space to play with, these allocations can be so far apart that it will be very difficult for an attacker to overflow the Flash heap into the binary sections.
    • “Vector.<*> length validation secret” – Many of the recent and previous exploits have worked by overwriting the length of Vector objects, to make them overflow into other areas of memory. The previous two mitigations make it harder to do this, but Adobe have developed a validation technique to detect when the length has been altered unexpectedly. The Adobe mitigation works by storing a “validation secret”, a hash of the correct length and a secret value; the attacker doesn’t know the secret value, so cannot write the correct hash, and Flash will exit with a runtime error. This mitigation is available in all Flash builds as of 18.0.0.209.
  • “Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities”
  • Hopefully these will propagate quickly and reduce the frequency of Flash 0-days
  • Google Project Zero Blog Post

1.4M Vehicle Recall After Bug in Chrysler UConnect System

  • Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
  • The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
  • This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
  • Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
  • It’s not a Sprint issue but they have been “working with Chrysler to help them further secure their vehicles”.
  • Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
  • Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
  • The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements.
  • Chrysler Recalls
  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
  • Fiat Chrysler Automobiles (FCA) Uconnect Vulnerability
  • FCA Uconnect Vulnerability | ICS-CERT

Inside the “Business Club” crime gang

  • Krebs profiles the “Business Club” crime gang, which apparently managed to steal more than $100 million from European banks and businesses
  • The story centers on the “Gameover ZeuS” trojan and botnet. The commercial ZeuS malware had been popular for years for stealing banking credentials, but this was a closely held private version built for himself by the original author
  • “Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.””
  • “That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.”
  • “The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.”
  • “Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.””
  • “The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.”
  • “Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.”
  • The botnet was also used against Turkey
  • “The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”
  • “The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”
  • The full Fox-IT report is available as a PDF here

Feedback:


Round Up:


Venomous Floppy Legacy | TechSNAP 214
https://original.jupiterbroadcasting.net/82132/venomous-floppy-legacy-techsnap-214/
Thu, 14 May 2015 18:46:30 +0000

The post Venomous Floppy Legacy | TechSNAP 214 first appeared on Jupiter Broadcasting.


We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.

Plus strategies to mitigate Cyber Intrusions, a truly genius spammer, great questions, a huge round up & more!

Thanks to:

DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

VENOM: Virtualized Environment Neglected Operations Manipulation

  • A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host
  • “This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
  • This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code
  • Unaffected hypervisors include: VMware, Hyper-V, Bochs, and bhyve
  • The issue has been assigned the identifier CVE-2015-3456
  • “Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”
  • “It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”
  • “The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”
  • “The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”
  • “After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015. After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”
  • CrowdStrike blog about the disclosure
  • “While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
  • “CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”
  • Xen Advisory
  • Amazon Statement
  • Digital Ocean statement
  • Redhat Advisory
  • Working PoC exploit
  • This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011
  • Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
  • There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed

Strategies to Mitigate Targeted Cyber Intrusions – From the Australian Signals Directorate


Mumblehard — Muttering spam from your servers

  • “Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”
  • The malware consisted of Perl code packed into an ELF binary
  • During a 7 month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers
  • “The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”
  • “These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”
  • “Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
  • The way the malware was architected, it polled a list of Command and Control servers, accepting commands from any of them
  • The list included some legitimate sites, to throw researchers off
  • “A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”
  • At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server
  • Communications with the C&C servers were cleverly hidden in what looked like PHP session cookies and in fake browser user-agent strings
  • One of the giveaways is the fact that the base browser user-agent string is for Firefox 7.0.1 on Windows 7
  • Part of the version string would be replaced with the command id, http status, and number of bytes downloaded by the infected machine
  • “The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”
  • Eset research PDF

Feedback:


Round-Up:


Day-0 of an InfoSec Career | TechSNAP 209
https://original.jupiterbroadcasting.net/80277/day-0-of-an-infosec-career-techsnap-209/
Thu, 09 Apr 2015 19:57:13 +0000

The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.


Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet, and we cover how to build a successful Information Security career.

Plus a great batch of your questions, a rocking round up, and much, much more!

Thanks to:

DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

How to make secret phone calls

  • “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
  • “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
  • The article sets out the steps required to conduct untraceable phone calls
  • The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
  • “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
  • Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
  • Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
  • After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
  • Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
  • Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
  • Wipe down and destroy handset.
  • “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
  • “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
  • “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
  • “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
  • “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
  • “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
  • Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
  • “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
  • Guide to creating and using One-Time Pads
  • John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

  • “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
  • “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP range owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.”
  • “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
  • “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
  • Level 3 then worked to block the malicious traffic
  • “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
  • “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before a DDoS Rootkit.”
  • “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
  • “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
  • Remote root login over SSH should never be allowed anyway: set PermitRootLogin to no in sshd_config, and where you can, disable password authentication entirely (PasswordAuthentication no) in favour of keys, which removes the password-guessing surface this campaign depends on
  • Hopefully this sends a clear message to the providers that allow this type of attacker to operate on their networks: if you don’t clean up your act, you’ll find large swaths of your IP space unroutable on the public internet
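As an added example (not from the Talos post or the show), here is a small Python script that does the two things a sysadmin reading the write-up above would want: it runs the brute-force-then-clean-login pattern over sshd auth log lines, flagging any source inside the two /23s named above or any source that fails repeatedly against root, and it audits an sshd_config for the PermitRootLogin and PasswordAuthentication settings that decide whether this attacker can succeed at all. The log lines, host name, PIDs and the 192.0.2.x/198.51.100.x addresses are constructed; the netblocks are the ones from the article.

```python
import ipaddress
import re
from collections import defaultdict

# The two /23s named in the Talos/Level 3 write-up above.
SSHPSYCHOS_NETS = [ipaddress.ip_network("103.41.124.0/23"),
                   ipaddress.ip_network("43.255.190.0/23")]

# OpenSSH auth-log line, syslog style. Host name, PIDs and timestamps below are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev

def in_known_nets(ip):
    return any(ip in net for net in SSHPSYCHOS_NETS)

def analyze(lines, user="root", threshold=5):
    """Count failed logins for `user` per source address and flag sources that reach
    `threshold` or sit in the netblocks above.  Every accepted login for `user` is
    returned with a flag saying whether that source had failed first, so a clean
    success from an address that never brute-forced (the hand-off to a second IP
    described above) stands out instead of hiding behind the noise."""
    failures = defaultdict(int)
    accepted = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["user"] != user:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        else:
            accepted.append((ev["ts"], ev["ip"], failures.get(ev["ip"], 0) > 0))
    flagged = {ip for ip, n in failures.items() if n >= threshold or in_known_nets(ip)}
    return dict(failures), flagged, accepted

# sshd_config directives that decide whether this attacker can succeed at all.
SAFE_VALUES = {
    "PermitRootLogin": {"no", "prohibit-password", "without-password"},
    "PasswordAuthentication": {"no"},
}

def audit_sshd_config(text):
    """Return the directives that leave password-based root login possible.  An unset
    directive is treated as 'yes', which is OpenSSH's default for PasswordAuthentication
    and was its default for PermitRootLogin before 7.0."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())  # sshd keeps the first value
    findings = []
    for name, safe in SAFE_VALUES.items():
        value = seen.get(name.lower(), "yes")
        if value.lower() not in safe:
            findings.append(f"{name} {value}")
    return findings

# Constructed sample log: brute force from the first /23, one probe from the second,
# an unrelated probe, then a clean root login from a third network and a normal key login.
SAMPLE_LOG = [
    f"Mar 30 04:11:{i:02d} bastion sshd[22{i:02d}]: Failed password for root "
    f"from 103.41.124.10 port {51000 + i} ssh2"
    for i in range(1, 7)
] + [
    "Mar 30 04:11:40 bastion sshd[2290]: Failed password for root from 43.255.190.7 port 40022 ssh2",
    "Mar 30 04:11:45 bastion sshd[2291]: Failed password for invalid user admin from 198.51.100.9 port 40100 ssh2",
    "Mar 30 04:12:09 bastion sshd[2302]: Accepted password for root from 192.0.2.55 port 38811 ssh2",
    "Mar 30 04:13:00 bastion sshd[2310]: Accepted publickey for alice from 198.51.100.3 port 50123 ssh2",
]

WEAK_CONFIG = "Port 22\nPermitRootLogin yes\n# PasswordAuthentication left at its default\n"
HARDENED_CONFIG = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    failures, flagged, accepted = analyze(SAMPLE_LOG)
    for ip in sorted(flagged, key=int):
        print(f"flagged {ip}: {failures[ip]} failed root logins, known net: {in_known_nets(ip)}")
    for ts, ip, brute_forced_first in accepted:
        print(f"{ts} root login from {ip}, preceded by failures: {brute_forced_first}")
    print("weak config findings:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

The accepted root login from 192.0.2.55 is the interesting line: no failures precede it, so a per-IP failure counter alone would never notice it, which is why the script reports accepted logins for the targeted user separately from the brute-force counts.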

How to Build a Successful Information Security Career

  • A question I often get is “how do I get into InfoSec”
  • Myself, not actually being an InfoSec professional and never having really worked in that space, I do not have the answer
  • Luckily, someone who is in that space, finally wrote it all down
  • “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
    • So, keep watching TechSNAP
  • Basic Steps:
    • Education (Sysadmin, Networking, Development)
    • Building Your Lab (VMs, VPSs from Digital Ocean)
    • You Are Your Projects (Build something)
    • Have a Presence (Website, Blog, Twitter, etc)
    • Certifications (“Things have the value that others place on them”)
    • Networking With Others (Find a mentor, be an intern)
    • Conferences (Go to conferences. Speak at them)
    • Mastering Professionalism (Dependability, Well Written, Good Speaker)
    • Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
    • Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
    • Becoming Guru
  • It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
  • Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

Feedback:


Round Up:


The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

Patch and Notify | TechSNAP 197 https://original.jupiterbroadcasting.net/75657/patch-and-notify-techsnap-197/ Thu, 15 Jan 2015 22:21:43 +0000 https://original.jupiterbroadcasting.net/?p=75657 Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question… Plus a great batch of your feedback, a rocking round up & much, much more! Thanks to: Get Paid to Write […]


Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!


— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
  • “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with Lizard Squad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
  • This is the result of too many vendors taking far too long to resolve bugs after they are notified
  • Researchers have found that they need to straddle the line between responsible disclosure and full disclosure, as it is irresponsible not to notify the public when the vendor does not appear to be taking the vulnerability seriously
  • Microsoft also patched a critical telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe Flash release that addresses multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles Flash with IE
  • In fact, if you use Chrome and Firefox on Windows, you’ll need to make sure all three copies (the one bundled with IE, the one bundled with Chrome, and the system plugin Firefox uses) have been updated

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: is precise, simple, consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on facebook or twitter
  • Some examples:
    • What is the name of the first beach you visited?
    • What is the last name of the teacher who gave you your first failing grade?
    • What is the first name of the person you first kissed?
    • What was the name of your first stuffed animal or doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
  • Sample question scoring
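The “Many” criterion can be measured rather than eyeballed. The following Python, added here and not part of the original notes or the linked site, takes a distribution of answers to a question and computes how many accounts an attacker opens by trying the most common answers first, plus the min-entropy of the answer. The two surveys are constructed, illustrative numbers, and the three-guess, five-percent policy in rate_question is an assumption, not anything the source states.

```python
import math

def guess_success(answer_counts, guesses):
    """Share of accounts an attacker opens with `guesses` tries per account when
    the answers are tried most-common-first (the 'Many' criterion, measured)."""
    total = sum(answer_counts.values())
    top = sorted(answer_counts.values(), reverse=True)[:guesses]
    return sum(top) / total

def min_entropy_bits(answer_counts):
    """Min-entropy: -log2 of the single most common answer's share."""
    total = sum(answer_counts.values())
    return -math.log2(max(answer_counts.values()) / total)

def rate_question(answer_counts, guesses=3, max_success=0.05):
    """Verdict under an assumed policy: the question passes only if an attacker who
    gets `guesses` attempts before lockout opens at most `max_success` of accounts."""
    rate = guess_success(answer_counts, guesses)
    return {"top_k_success": rate,
            "min_entropy_bits": min_entropy_bits(answer_counts),
            "acceptable": rate <= max_success}

def survey(common, unique_count):
    """Build a constructed answer distribution: a few popular answers plus
    `unique_count` answers given by exactly one respondent each."""
    counts = dict(common)
    counts.update({f"unique-{i}": 1 for i in range(unique_count)})
    return counts

# Constructed 1,000-respondent surveys (illustrative numbers, not real data).
FIRST_PET = survey({"max": 90, "buddy": 70, "bella": 60, "lucy": 50, "charlie": 45}, 685)
FIRST_BEACH = survey({"myrtle beach": 15, "daytona": 12, "bondi": 10, "cannon beach": 8}, 955)

if __name__ == "__main__":
    for name, counts in (("first pet", FIRST_PET), ("first beach", FIRST_BEACH)):
        verdict = rate_question(counts)
        print(f"{name}: 3-guess success {verdict['top_k_success']:.1%}, "
              f"min-entropy {verdict['min_entropy_bits']:.2f} bits, acceptable={verdict['acceptable']}")
```

A question whose three most common answers cover a fifth of users fails before any attacker looks at Facebook; the research angle in the bullets above only makes a weak question weaker.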

Feedback:


Round Up:


The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.

The Day the Routers Died | TechSNAP 175 https://original.jupiterbroadcasting.net/64547/the-day-the-routers-died-techsnap-175/ Thu, 14 Aug 2014 18:11:02 +0000 https://original.jupiterbroadcasting.net/?p=64547 The Internet suffers from some growing pains, we explain how some old assumptions have come back to haunt us, victims of a cyberheist go after the bank that failed them, and we go deep on the Synology crypto-malware. Then it’s a great big batch of your emails and much more!! Thanks to: Direct Download: HD […]


The Internet suffers from some growing pains, we explain how some old assumptions have come back to haunt us, victims of a cyberheist go after the bank that failed them, and we go deep on the Synology crypto-malware.

Then it’s a great big batch of your emails and much more!!


— Show Notes: —

Internet suffers growing pains as global routing table exceeds 500,000 entries

  • High end routers use a special kind of memory called TCAM (Ternary Content-Addressable Memory) to store the forwarding table for fast lookups
  • CAM works differently from regular memory, basically like an associative array or hash, where information is looked up by a ‘key’ or ‘tag’. Rather than the data living at a specific address in memory that the application has to keep track of, the application simply asks for the data stored under a specific key
  • A TCAM works similarly, except it is ternary, meaning each bit has three possible states: in addition to 0 and 1 there is a ‘do not care’ state. This makes it perfect for storing routing information, because network addresses are binary addresses split into two parts, the network part (which the router cares about) and the host part (which the router does not care about)
  • So using a TCAM, a router can look up the next hop for any destination address in a single operation: the destination address is the key, the entry whose network bits match (host bits masked as don’t-care) is returned, and entries are ordered so that the longest matching prefix wins
  • Because of the way TCAMs work, the regions allocated to each table are of a fixed size. The default IPv4 allocation on some older internet core routers is too small to hold the current global routing table
  • On some routers, if the TCAM gets full, the router falls back to software routing, where it has to search the entire routing table in regular memory for the most specific matching network address. This is much slower and uses a lot of CPU time, which most core routers have very little of
  • To resolve this issue, the size of the TCAM must be changed (if there is enough memory in the device to support a larger size), and the router must be reloaded, causing downtime
  • This issue is further complicated by a manufacturing defect with the memory in the routers and on the line cards, which can fail catastrophically during a reboot, leaving the device unbootable or unable to access the network via the line card. Cisco: Memory Component Issues page
  • This issue was brought up at NANOG – North American Network Operators Group on May 6th
  • Heads Up on the FreeBSD mailing list
  • Cisco announced the problem ahead of time
  • Cisco: How to adjust the TCAM allocation on Catalyst 6500 and 7600
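To make the TCAM mechanics concrete, here is a toy simulation in Python, added here and not taken from Cisco or the show: a fixed-capacity ternary CAM that stores each prefix as a value plus a mask (the host bits are the don’t-care bits), with entries kept longest-prefix-first, and a router that spills routes into a software table once the TCAM is full and then has to scan that table on every lookup. The capacity and the addresses are constructed for illustration; real routers allocate TCAM in regions of thousands of entries, not three.

```python
import ipaddress

class TcamFull(Exception):
    """Raised when the fixed-size TCAM region has no free entry."""

class Tcam:
    """Toy ternary CAM.  Each entry stores a value and a mask: mask bits set to 1
    must match the key, mask bits set to 0 are 'don't care' (the host part of a
    prefix).  Hardware compares the key against all entries at once; here that is
    a loop, but the entries are kept longest-prefix-first so the first hit is the
    most specific route, exactly as a router programs its TCAM."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []  # (prefix_len, value, mask, next_hop)

    def install(self, prefix, next_hop):
        if len(self.entries) >= self.capacity:
            raise TcamFull(prefix)
        net = ipaddress.ip_network(prefix)
        self.entries.append((net.prefixlen, int(net.network_address), int(net.netmask), next_hop))
        self.entries.sort(key=lambda e: -e[0])

    def lookup(self, ip):
        key = int(ipaddress.ip_address(ip))
        for prefix_len, value, mask, next_hop in self.entries:
            if key & mask == value:
                return prefix_len, next_hop
        return None

class Router:
    """Programs routes into the TCAM until it is full; the overflow lives in a
    software table that must be scanned linearly for the longest match, and once
    anything has overflowed every packet has to take that slow path."""
    def __init__(self, tcam_capacity):
        self.tcam = Tcam(tcam_capacity)
        self.software = []       # (network, next_hop) routes that did not fit
        self.slow_path_hits = 0  # lookups that needed the CPU

    def add_route(self, prefix, next_hop):
        try:
            self.tcam.install(prefix, next_hop)
        except TcamFull:
            self.software.append((ipaddress.ip_network(prefix), next_hop))

    def route(self, ip):
        hit = self.tcam.lookup(ip)
        best_len, best_hop = hit if hit else (-1, None)
        if self.software:
            self.slow_path_hits += 1
            addr = ipaddress.ip_address(ip)
            for net, next_hop in self.software:
                if addr in net and net.prefixlen > best_len:
                    best_len, best_hop = net.prefixlen, next_hop
        return best_hop

def build_demo(tcam_capacity=3):
    """Four routes into a three-entry TCAM: the last, most specific one overflows."""
    r = Router(tcam_capacity)
    r.add_route("0.0.0.0/0", "upstream")
    r.add_route("10.0.0.0/8", "A")
    r.add_route("10.1.0.0/16", "B")
    r.add_route("10.1.2.0/24", "C")
    return r

if __name__ == "__main__":
    r = build_demo()
    for dst in ("10.1.2.9", "10.1.9.9", "192.0.2.1"):
        print(dst, "->", r.route(dst))
    print("TCAM entries:", len(r.tcam.entries), "overflow routes:", len(r.software),
          "slow-path lookups:", r.slow_path_hits)
```

The point of the overflow handling is that the router cannot trust the TCAM hit alone once a single route has spilled: the spilled route may be more specific than anything in hardware, so even packets that would have been forwarded correctly by the TCAM now cost a software scan, which is the CPU spike operators saw at the 512k mark.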

Tennessee based company sues bank over cyberheist

  • Tennessee Electric was the target of a cyberheist in which Russian or Ukrainian based malicious actors took over their corporate bank account and proceeded to siphon $327,804 out of the company’s accounts at TriSummit Bank
  • The company had an agreement with their bank, that the bank would phone and verify all transfers of funds
  • The company only became aware that they had been the victims of a heist when they were called by Brian Krebs
  • “According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47”
  • “On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.”
  • “Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.”
  • Tennessee Electric’s account appears to have been compromised using a Man-in-the-Browser attack
  • Malware on the computer changed what was displayed to the user when they visited the online banking site
  • “the controller for the company said she was asked for and supplied the output of a one-time token upon login.”
  • The man-in-the-browser malware then normally returns a modified version of the regular account balance page, showing the balance the user expects to see (basically adding back the stolen funds) so the theft goes unnoticed
  • In this case, the malware instead returned a “down for maintenance” page
  • Asking the user to try again in a few minutes hands the attacker a series of fresh one-time tokens, each of which can be used to authorize another transaction; a one-time code that only proves login provides no protection when the attacker is already inside the browser session
  • TriSummit Bank was able to get back $135,000 of the stolen funds, leaving the company out almost $200,000.
  • The company is now suing the bank for that money and the interest they would have earned on it
  • Corporate bank accounts do not enjoy the liability protection from unauthorized transactions that personal accounts do
  • Krebs also mentions his Online Banking Best Practices for Businesses
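Why the one-time token did not save Tennessee Electric, as an added Python example (not from Krebs or the bank): a login-only OTP proves the customer holds the token, but the malware simply relays it and then submits whatever order it likes inside the authenticated session. A code bound to the amount and destination the customer actually saw (transaction signing) fails verification when the man-in-the-browser rewrites the order. The shared secret, counters, account labels and the HMAC-SHA256 construction are assumptions for the demo; the two dollar amounts are the ones from the article.

```python
import hashlib
import hmac
import struct

# Assumption: a shared secret provisioned into the customer's token and the bank's
# verifier; a constructed value, not anything from the article.
TOKEN_SECRET = b"constructed-token-secret-for-demo"

def _six_digits(mac):
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

def login_otp(counter):
    """Event-based one-time code (HOTP-style): proves the user holds the token,
    but is independent of what the session goes on to do."""
    mac = hmac.new(TOKEN_SECRET, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _six_digits(mac)

def transaction_code(counter, amount_cents, dest_account):
    """Code bound to the payment the customer saw on the token's own display
    (what-you-see-is-what-you-sign).  Altering amount or destination in transit
    leaves the bank recomputing a different code."""
    msg = struct.pack(">QQ", counter, amount_cents) + dest_account.encode()
    mac = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest()
    return _six_digits(mac)

def bank_accepts_login(counter, code):
    return hmac.compare_digest(login_otp(counter), code)

def bank_accepts_transfer(counter, amount_cents, dest_account, code):
    return hmac.compare_digest(transaction_code(counter, amount_cents, dest_account), code)

def man_in_the_browser(order):
    """Simulated MITB: the customer's browser shows the intended batch (or a
    'down for maintenance' page that prompts for yet another code), while the order
    that actually reaches the bank has been rewritten.  Returns what the bank receives."""
    tampered = dict(order)
    tampered["amount_cents"] = 32_780_400   # the $327,804 batch from the article
    tampered["dest"] = "MULE-ACCT-55"       # constructed mule account label
    return tampered

def run_scenario():
    intended = {"amount_cents": 20_266_447, "dest": "PAYROLL-01"}  # the batch the controller uploaded
    received = man_in_the_browser(intended)

    # 1. Login-only OTP: the malware relays the code, the bank sees a valid session,
    #    and nothing ties that session to the amount or the destination.
    otp = login_otp(1)
    login_ok = bank_accepts_login(1, otp)
    otp_only_transfer_ok = login_ok  # bank policy: any transfer in an authenticated session goes through

    # 2. Transaction-bound code: the customer computes it over what they saw; the
    #    bank recomputes it over what it received.  The tampered order fails.
    code = transaction_code(2, intended["amount_cents"], intended["dest"])
    tampered_ok = bank_accepts_transfer(2, received["amount_cents"], received["dest"], code)
    honest_ok = bank_accepts_transfer(2, intended["amount_cents"], intended["dest"], code)
    return {"login_relayed_ok": login_ok,
            "otp_only_transfer_ok": otp_only_transfer_ok,
            "bound_code_tampered_ok": tampered_ok,
            "bound_code_honest_ok": honest_ok}

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The transaction code only helps if the amount and destination are shown on something the malware cannot draw, such as the token’s own screen or an out-of-band SMS that repeats the details; a code typed into the same compromised browser that displays the “maintenance” page is still relayed, which is why the phone verification the bank had agreed to mattered so much here.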

Synolocker for sale, plus in-depth look at how it works

  • F-Secure does an in-depth look at how Synolocker encrypts your files
  • F-Secure was looking to see if there were many similarities between CryptoLocker and SynoLocker, but found that there were not
  • It appears that SynoLocker may be using better encryption, and uses a unique key pair per victim, which will most likely prevent an online decryption service like the one that is now recovering files for CryptoLocker victims
  • SynoLocker also appears to take additional steps to ensure that the original file is destroyed
  • It appears the author of the SynoLocker malware is looking to get out of the business
  • Posted online that the website will be closing soon, and if you want the keys to decrypt your data you better pay soon
  • If you updated DSM software to try to fix the vulnerability, then you’ll need to use a custom tool to decrypt your data
  • The author is also willing to sell the remaining ~5500 decryption keys to someone else for 200 bitcoins
  • It seems he wants to get out before he gets caught, but is willing to let someone else attempt to continue selling the decryption keys (which sold for 0.6 bitcoin previously)

Feedback:


Round Up:


The post The Day the Routers Died | TechSNAP 175 first appeared on Jupiter Broadcasting.

The Truth of MH17 | Unfilter 107 https://original.jupiterbroadcasting.net/63107/the-truth-of-mh17-unfilter-107/ Fri, 25 Jul 2014 21:04:09 +0000 https://original.jupiterbroadcasting.net/?p=63107 We cover the facts and events around the downed MH17 flight as we now know them. Then we’ll dig into some of the credible and troubling indications and motivations possibly behind the tragedy. Plus the secret government rule book for deciding who goes on the terrorist list, and why Washington is bringing in the Feds […]


We cover the facts and events around the downed MH17 flight as we now know them. Then we’ll dig into some of the credible and troubling indications and motivations possibly behind the tragedy.

Plus the secret government rule book for deciding who goes on the terrorist list, and why Washington is bringing in the Feds to crack down on the new “Cannabis meth”.


— Show Notes —

The Slow Death of Privacy

Blacklisted: The Secret Government Rulebook For Labeling You a Terrorist – The Intercept

The Obama administration has quietly approved a substantial expansion of the terrorist watchlist system, authorizing a secret process that requires neither “concrete facts” nor “irrefutable evidence” to designate an American or foreigner as a terrorist, according to a key government document obtained by The Intercept.


“Instead of a watchlist limited to actual, known terrorists, the government has built a vast system based on the unproven and flawed premise that it can predict if a person will commit a terrorist act in the future,” says Hina Shamsi, the head of the ACLU’s National Security Project. “On that dangerous theory, the government is secretly blacklisting people as suspected terrorists and giving them the impossible task of proving themselves innocent of a threat they haven’t carried out.” Shamsi, who reviewed the document, added, “These criteria should never have been kept secret.”


— MH17 The Crash —

MH17 disaster: few hard facts so far

As mourning continues for the 298 people killed in the Malaysia Airlines crash in Ukraine, few hard facts about the disaster’s causes are available. DW reviews the past week’s mix of sketchy details and speculation.


Recently published photographs show a piece of fuselage from the Malaysia Airlines plane peppered with “a fairly dense but also widespread shrapnel pattern” typical for a blast from an SA-11 surface-to-air missile, said defense analyst Justin Bronk, a military science analyst at the Royal United Services Institute in London.
“The shrapnel damage on the airframe parts that’s been seen so far is consistent with what you would expect to see from an SA-11 warhead exploding in close proximity,” Bronk told AFP. “But to get a conclusive answer, you would have to take the aircraft away and completely reconstruct it as best as you could.”


The boxes – which are actually orange – were handed over by the OVV to the Air Accidents Investigation Branch (AAIB) in Farnborough, UK, for examination. On Wednesday, AAIB experts downloaded “valid data” from the first black box, the cockpit voice recorder, which is expected to give them hours of the pilots’ conversations. Investigators have now started examining the second black box, the flight data recorder.

Satellites Track Malaysian Airlines MH17 Crash Site from Space (Images)


The images show a charred wheat field close to the village of Grabovo where the bulk of the plane went down. But the wreckage of the crash, which killed all 298 people on board, was strewn across about 13 square miles (33 square kilometers) of farmland. The Earth-observing satellites could not capture the images until Sunday (July 20) since smoke from the wreckage and cloud cover initially blocked the view.

The bird’s-eye view of the site was imaged by DigitalGlobe, a company based in Colorado that programmed three of its five satellites to track the area after reports of the plane crash came flooding in. [See the top images from the DigitalGlobe contest in 2013]

What you need to know about the surface-to-air missile system known as the SA-11 or Buk, which is believed to have shot down the MH17 flight.

The Internet Archives website shows that a post appeared on Strelkov’s social media profile bragging about shooting down a transport plane close to the MH 17 crash site. In a subsequent post, Strelkov said the information passed along came not from him directly, but from militia members on the scene. He said the information was unofficial and incorrect.



— MH17 The Bacon —

Southstream Pipeline


South Stream’s offshore section with the total length of 930 kilometers will run under the Black Sea through the exclusive economic zones of Russia, Bulgaria and Turkey. The maximum depth will be more than two kilometers and the design capacity will amount to 63 billion cubic meters.

The onshore section will cross Bulgaria, Serbia, Hungary and Slovenia. The gas pipeline will end at the Tarvisio gas metering station in Italy. Gas branches from the main pipeline route will be built to Croatia and to Republika Srpska (the state formation within Bosnia and Herzegovina).

In order to feed the required amount of gas into the South Stream gas pipeline, Russia’s gas transmission system will be expanded by means of constructing the additional 2,506.2 kilometers of linepipe and 10 compressor stations with the total capacity of 1,516 MW. This project has been named Southern Corridor and will be implemented in two phases before 2018.

Russia sues EU over its ‘Third Energy Package’


Russia has sued the EU at the World Trade Organization (WTO) over the EU’s so-called “Third Energy Package”, a source told RIA Novosti. The Third Energy Package stipulates that pipelines on the territory of the EU can’t belong to the companies that extract the natural gas. These companies should either sell their shares in the EU or pass the management of the pipelines to independent companies.

The Netherlands was a mailbox paradise for Russia

The Netherlands is a true paradise for Russian mailbox companies: at the Amsterdam Zuidas many Russian billions are parked. Not only for tax reasons; the legal climate in the Netherlands also protects – often obscure – Russian companies against the wrath of Putin.

It is perhaps not obvious, but the Netherlands is the second largest investor in Russia. In 2012 the Netherlands accounted for over 12 percent of all investments in Russia and 15.9 percent of all investments from Russia. Only the smaller Cyprus scored higher. Third place went to the smaller British Virgin Islands.

Lukoil, the second largest Russian company, for example, has 59 subsidiaries in the Netherlands. A Dutch holding company owns all of its European operations. At the end of 2013 the company had 15.9 billion in assets.

Sanctions victim Novatek, Russia’s second largest gas producer, has 800 million euros sitting in a Dutch company called Arctic Russia BV. And that’s not all.

Perhaps the most notable name on the U.S. sanctions list was Genaddy Timchenko, founder of one of the world’s largest commodity traders, Gunvor.

Since 2010 the company has, in contravention of the law, filed no more financial statements. In that year the company had $59 billion in revenues and carried 7 billion of assets on its balance sheet.
In short, for Russia the Netherlands is a true mailbox paradise.

Pushing Ukraine to the Brink » CounterPunch

counterpunch.org

BY MIKE WHITNEY on July 9th 2014

In Ukraine, the US is using a divide and conquer strategy to pit the EU against trading partner Moscow. The State Department and CIA helped to topple Ukraine’s elected President Viktor Yanukovych and install a US stooge in Kiev who was ordered to cut off the flow of Russian gas to the EU and lure Putin into a protracted guerilla war in Ukraine. The bigwigs in Washington figured that, with some provocation, Putin would react the same way he did when Georgia invaded South Ossetia in 2006. But, so far, Putin has resisted the temptation.

But here’s the odd part: Washington doesn’t have a back-up plan. It’s obvious by the way Poroshenko keeps doing the same thing over and over again expecting a different result. That demonstrates that there’s no Plan B. Either Poroshenko lures Putin across the border and into the conflict, or the neocon plan falls apart, which it will if they can’t demonize Putin as a “dangerous aggressor” who can’t be trusted as a business partner.


So all Putin has to do is sit-tight and he wins, mainly because the EU needs Moscow’s gas. If energy supplies are terminated or drastically reduced, prices will rise, the EU will slide back into recession, and Washington will take the blame. So Washington has a very small window to draw Putin into the fray, which is why we should expect another false flag incident on a much larger scale than the fire in Odessa. Washington is going to have to do something really big and make it look like it was Moscow’s doing. Otherwise, their pivot plan is going to hit a brick wall.


“Ukraine’s Parliament adopted .. a bill under which up to 49% of the country’s gas pipeline network could be sold to foreign investors. This could pave the way for US or EU companies, which have eyed Ukrainian gas transportation system over the last months.


US corporations will be able to buy up nearly half of a pipeline that moves 60 percent of the gas that flows from Russia to Europe. That’s what you call a tollbooth, my friend; and US companies will be in just the right spot to gouge Moscow for every drop of natural gas that transits those pipelines. And gouge they will too, you can bet on it.

This also explains why the Obama crowd is trying to torpedo Russia’s other big pipeline project called Southstream. Southstream is a good deal for Europe and Russia. On the one hand, it would greatly enhance the EU’s energy security, and on the other, it will provide needed revenues for Russia so they can continue to modernize, upgrade their dilapidated infrastructure, and improve standards of living. But “the proposed pipeline (which) would snake about 2,400 kilometers, or roughly 1,500 miles, from southern Russia via the Black Sea to Bulgaria, Serbia, Hungary and ultimately Austria. (and) could handle about 60 billion cubic meters of natural gas a year, enough to allow Russian exports to Europe to largely bypass Ukraine” (New York Times) The proposed pipeline further undermines Washington’s pivot strategy, so Obama, the State Department and powerful US senators (Ron Johnson, John McCain, and Chris Murphy) are doing everything in their power to torpedo the project.


“What gives Vladimir Putin his power and control is his oil and gas reserves and West and Eastern Europe’s dependence on them,” Senator Johnson said in an interview. “We need to break up his stranglehold on energy supplies. We need to bust up that monopoly.” (New York Times)

  • Russia only provides 30 percent of the gas the EU uses every year.

[The US] believe that if they sabotage South stream and nail down 49 percent ownership of Ukraine’s pipeline infrastructure, then the vast majority of Russian gas will have to flow through Ukrainian pipelines. They think that this will give them greater control over Moscow.

Europe and Russia are a perfect fit. Europe needs gas to heat its homes and run its machinery. Russia has gas to sell and needs the money to strengthen its economy. It’s a win-win situation. What Europe and Russia don’t need is the United States. In fact, the US is the problem.

As many commentators have noted, Russia provides upwards of one third of Europe’s gas imports, with 60-80 percent of that supply traveling through pipelines on the territory of Ukraine.

Ukrainian Su-25 fighter detected in close approach to MH17 before crash

The Russian military detected a Ukrainian SU-25 fighter jet gaining height towards the MH17 Boeing on the day of the catastrophe.

“A Ukraine Air Force military jet was detected gaining height, its distance from the Malaysian Boeing was 3 to 5km,” said the head of the Main Operations Directorate of the HQ of Russia’s military forces, Lieutenant-General Andrey Kartopolov, speaking at a media conference in Moscow on Monday.

“[We] would like to get an explanation as to why the military jet was flying along a civil aviation corridor at almost the same time and at the same level as a passenger plane,” he stated.

2 Ukrainian fighters seen following Malaysian jet minutes before crash

According to the Spanish air traffic controller, two Ukrainian fighters had been seen near the Malaysian jet three minutes before it disappeared from radars.

This information is confirmed by eyewitnesses in the Donetsk region who saw Ukrainian warplanes near the passenger jet. They say they heard sounds of powerful blasts and saw a Ukraine warplane shortly before the crash.

Air Traffic Control: Radar interference by NATO maneuvers – SPIEGEL ONLINE

Twice in June several aircraft disappeared from the radar of air traffic control in Germany and neighboring countries. It has now emerged that NATO military maneuvers were apparently the cause.

Until now experts were puzzled by the quite dangerous disruption of air traffic control. On 5 June from 13:55 to 16:05 and on 10 June from 13:22 to 14:40, ground controllers lost the so-called secondary signal from a total of 54 transport aircraft in southern Germany.

The air traffic controllers on the ground immediately raised the alarm about the disruption. As a safety measure, the number of aircraft in the airspace, and so the density of air traffic, was immediately reduced to prevent possible collisions. The safety measure caused the airlines delays of around 40 hours.

‘Every single day we’re lying’: Russia Today reporter resigns over coverage of Malaysia Airlines MH17 crash

Sara Firth, who has worked for the state-backed TV network since 2009, said station management suggested Ukraine was at fault for the deadly Thursday crash. ‘I didn’t want to watch a story like that, where people have lost loved ones and we’re handling it like that,’ she said

EU discuss punishing Putin following MH17 crash

The EU’s foreign ministers have met to discuss new sanctions on Russia following the destruction of the MH17 passenger plane. Only the Netherlands – of all nations – has been delaying proceedings.

Air India flight was 90 seconds away when missile struck Malaysia Airlines Flight MH17

An Air India Dreamliner flight going from Delhi to Birmingham was in fact less than 25km away from the Malaysian aircraft, a distance covered by a Dreamliner or Boeing 777 in about 90 seconds, when the latter was hit. Because of this closeness, the Dnipropetrovsk (local Ukrainian) air traffic controller asked the AI pilots to try and establish contact with pilots of the Malaysian aircraft who had stopped responding to its calls.

Minutes before the crash caused by a missile strike, the AI pilots had also heard the controller give the Malaysian aircraft MH17 what is called “a direct routing”. This permits an aircraft to fly straight, instead of tracking the regular route which is generally a zig-zag track that goes from one ground-based navigation aid or way point to another. “Direct routing saves fuel and time and is preferred by pilots. In this case, it proved fatal,” said an airline source.

“The AI Dreamliner was less than 25km away from the Malaysian aircraft when the latter was hit by a missile. When the pilots learnt the cause of the crash later, they were stunned. It’s like the person standing next to you has been hit by a sniper bullet,” said the source.


Soon after the tragedy, the media picked up data from flightradar24, a live flight tracker website which showed the AI aircraft in the vicinity. But the next day, on Friday, the civil aviation ministry issued a statement that “there was no Air India flight near the ill-fated Malaysian plane at the time of the incident”.

Brics countries create $100bn bank to ease western grip on global finances | Global development | theguardian.com

Brics leaders, from left: Russia’s president Vladimir Putin, India’s prime minister Narendra Modi, Brazil’s president Dilma Rousseff, Chinese president Xi Jinping and South Africa’s president Jacob Zuma. Photograph: Mikhail Klimentyev / Ria Novosti / Kremlin Pool/EPA

The Brics group comprises Brazil, Russia, India, China and South Africa. The bank, aimed at funding infrastructure projects in developing nations, will be based in Shanghai, and India will preside over its operations for the first five years, followed by Brazil and then Russia

The bank will begin with a subscribed capital of $50bn divided equally between its five founders, with an initial total of $10bn in cash put in over seven years and $40bn in guarantees. It is scheduled to start lending in 2016 and be open to membership by other countries, but the capital share of the Brics cannot drop below 55%.

Weed Wackers:

Federal charges filed in hash oil apartment explosion on Kirkland, Kenmore boundary – Kirkland Reporter

A Kirkland man is among seven people charged in connection with explosions tied to the practice of extracting hash oil from marijuana.

Kirkland resident Robby Wayne Meiser, 46, is charged with the Jan. 1 explosion and fire at the Inglenook Apartments on the Kirkland and Kenmore boundary.

“Manufacturing hash oil is illegal and poses a significant risk to families, neighbors and the general public,” U.S. Attorney Jenny A. Durkan said. “An explosion and fire caused by hash oil production at a Bellevue apartment complex caused significant injuries to people trying to escape the flames. We will not stand by and allow this dangerous conduct to endanger the public.”

According to the U.S. Attorney’s Office, endangering human life while manufacturing controlled substances is punishable by up to 10 years in prison; maintaining drug-involved premises can bring up to 20 years; and manufacturing hash oil can result in up to five years.

Dog nearly dies after eating apple marijuana pipe

Apple Pipe

Misty is a 6-month old lab whose favorite treat just so happens to be a bite of apple here and there. So it was no surprise to see her grab a free one sitting along the beach at the Edmonds dog park.

“I look over and she’s got an apple in her mouth and she’s happily chewing away on it,” said Misty’s owner, Chaya Anderson.


Feedback:


Secure Ways to Contact the Show:


Follow Us:

Call us: 1.425.312.1756


If you’re a Supporter check Patreon for this episode’s supporter exclusives!

The post The Truth of MH17 | Unfilter 107 first appeared on Jupiter Broadcasting.

Not Sharing The Secret | TechSNAP 156 https://original.jupiterbroadcasting.net/54462/not-sharing-the-secret-techsnap-156/ Thu, 03 Apr 2014 16:18:21 +0000 https://original.jupiterbroadcasting.net/?p=54462 Researchers develop a new way to protect your passwords after they've been stolen, the little credit card scam making big money…


Researchers develop a new way to protect your passwords after they’ve been stolen, the little credit card scam making big money…

Then it’s a great batch of your questions, a rockin round up, and much much more!

On this week’s TechSNAP.

Thanks to: DigitalOcean, Ting and iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Researchers at NYU develop PolyPassHash, a hard-to-crack password store

  • PolyPassHash is designed to make it significantly harder to crack users’ passwords in the event the password database is leaked
  • The system uses SSSS (Shamir’s Secret Sharing Scheme), which divides a secret key (in this case the key used to encrypt the password database) into many pieces and requires only a specific number of those pieces to be combined to recover the key
  • In the wikipedia example, the secret key is divided into 6 parts and the algorithm defined such that 3 of the parts must be combined in order to return the secret
  • The SSSS algorithm is extensible: it allows the number of pieces the secret is divided into to grow, as long as the threshold (the number of pieces required to decrypt) is kept fixed
  • The SSSS algorithm is also flexible, allowing for some people (say the system administrator) to have more than 1 share
  • In the Python reference implementation the threshold is set to 10
  • This means that 10 pieces of the secret are required in order to decrypt the password file
  • Each regular user’s password is 1 share of the secret, so when that user provides the correct password, 1 share is available
  • In the reference implementation there are 3 administrator users, each of whose password is 5 shares of the secret, meaning the correct passwords of any 2 of the administrators will be able to decrypt the password database
  • Currently PolyPassHash uses just the SHA256 of the users’ password and a random salt, rather than using sha256crypt() which does more than 1 SHA256 round on the password, and uses different mixes of the password and salt
  • The drawback with PolyPassHash is that after a reboot, it is not possible for anyone to login until a sufficient number of users have entered the correct password to return the required number (the threshold) of shares to decrypt the password hashes
  • There is a proposed solution to this, involving shortening the SSSS key such that some of the hash (the last few bytes) are not encrypted, and using that to authenticate the first few users until sufficient users have successfully logged in to decrypt the password database
  • This compromises the security of the passwords because part of the plain hash is leaked, and it also means that an incorrect password could allow a user to login after a reboot before the threshold has been met
  • PolyPassHash also has support for thresholdless accounts (accounts that do not have any shares), in order to protect larger systems (like Facebook or Gmail) where an attack may have compromised enough accounts to have sufficient shares to decrypt the entire database. In this case, only administrator (or maybe power user) accounts would have shares
  • PolyPassHash also has support for other authentication systems, including things like biometrics, ssh keys, and smart cards, but also external systems like OAuth or OpenID (thresholdless accounts)
  • In the case of SSH keys, instead of a password, the share of the SSSS is encrypted with the public key, and the user uses their SSH private key to decrypt the share
  • New users cannot be added until the threshold has been reached, since the secret is required to generate a new share of the secret
  • Research Paper
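To make the threshold arithmetic concrete, here is an added example (not PolyPassHash’s own code; its Python reference implementation is the one linked above) of weighted Shamir sharing with the threshold and share counts from the notes: threshold 10, one share per regular user, five per administrator. The field prime, the account names and passwords, and the way a share is bound to a password (XOR with a salted SHA-256 mask) are assumptions made for this illustration:

```python
"""Weighted Shamir secret sharing in the shape PolyPassHash describes.

Added example, not PolyPassHash's code. Arithmetic is over GF(p) with
p = 2**127 - 1; the secret is a constructed stand-in for the key that
would protect the hash store. Binding a share to a password by XOR with
a salted SHA-256 mask is an assumption for this illustration."""
import hashlib
import secrets

P = 2**127 - 1            # field modulus (a Mersenne prime)
THRESHOLD = 10            # shares needed to rebuild the secret
ADMIN_WEIGHT, USER_WEIGHT = 5, 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n_shares, threshold=THRESHOLD):
    """Points (x, f(x)) on a random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0; only correct with >= threshold genuine points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _mask(password, salt):
    """127-bit mask from SHA-256(salt || password); assumed binding scheme."""
    digest = hashlib.sha256(salt + password).digest()
    return int.from_bytes(digest[:16], "big") >> 1


def enroll(shares, password):
    """Store x in the clear and y XOR the password-derived mask."""
    salt = secrets.token_bytes(16)
    mask = _mask(password, salt)
    return {"salt": salt, "entries": [(x, y ^ mask) for x, y in shares]}


def release(record, password):
    """A correct password unmasks the account's shares; a wrong one yields garbage points."""
    mask = _mask(password, record["salt"])
    return [(x, masked ^ mask) for x, masked in record["entries"]]


def build_store(secret, admins, users):
    """Hand 5 shares to each admin and 1 to each user (names/passwords constructed)."""
    shares = iter(split_secret(secret, ADMIN_WEIGHT * len(admins) + USER_WEIGHT * len(users)))
    store = {}
    for name, pw in admins.items():
        store[name] = enroll([next(shares) for _ in range(ADMIN_WEIGHT)], pw)
    for name, pw in users.items():
        store[name] = enroll([next(shares) for _ in range(USER_WEIGHT)], pw)
    return store


def pooled_secret(store, logins):
    """Pool shares released by login attempts and interpolate; returns (value, share_count)."""
    points = []
    for name, pw in logins:
        points.extend(release(store[name], pw))
    return recover_secret(points), len(points)


def demo():
    secret = secrets.randbelow(P)
    admins = {"admin1": b"a1-pw", "admin2": b"a2-pw", "admin3": b"a3-pw"}
    users = {f"user{i}": f"u{i}-pw".encode() for i in range(1, 21)}
    store = build_store(secret, admins, users)
    two_admins = pooled_secret(store, [("admin1", b"a1-pw"), ("admin2", b"a2-pw")])
    nine = pooled_secret(store, [("admin1", b"a1-pw")] +
                         [(f"user{i}", f"u{i}-pw".encode()) for i in range(1, 5)])
    ten_users = pooled_secret(store, [(f"user{i}", f"u{i}-pw".encode()) for i in range(1, 11)])
    wrong = pooled_secret(store, [("admin1", b"a1-pw"), ("admin2", b"WRONG")])
    return {
        "two_admins": two_admins[0] == secret,    # 10 shares: recovers
        "nine_shares": nine[0] == secret,         # 9 shares: below threshold
        "ten_users": ten_users[0] == secret,      # 10 single shares: recovers
        "bad_password": wrong[0] == secret,       # garbage points poison the result
    }
```

The "nine shares" case is the reboot problem from the notes: until ten genuine shares have been released by correct logins, interpolation returns an unrelated value, and the hash store cannot be unlocked for anyone.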

Who is behind sub-$15 credit card scam

  • A service called ‘BLS Web Learn’ has been identified as being behind a scam that charged numerous credit and debit cards small fees of less than $15
  • The scam centers around small charges that appear on your credit card bill, usually for small random amounts such as $9.84, $10.37, or $12.96
  • The line item includes a toll free number (as most charges do), and you are encouraged by your bank to call this number and try to identify the charge and resolve any issues with the seller directly, rather than filing a chargeback
  • In this case, since the card holder never ordered anything or authorized the charge, the service refunds the small amount
  • They make their money off all of the people who don’t notice the small charge
  • Unlike many scams, because they maintain the assertion that they are a legitimate business, and refund the charge when a cardholder complains, they do not rack up a large number of chargebacks, and their account with the credit card processor is not red flagged or shut down
  • Krebs has investigated a similar case before, which appeared to be based in Malta
  • The name of the ‘online learning’ company, and the credit card processor are different, but the scam seems very much the same
  • The payment processor, BlueSnap, lists its offices in Massachusetts, California, Israel, Malta and London. Interestingly, the payment network used by the previous scam, Credorax, also lists offices in Massachusetts, Israel, London and Malta

Feedback:


Round-Up:

The post Not Sharing The Secret | TechSNAP 156 first appeared on Jupiter Broadcasting.

Cryptocrystalline | BSD Now 16 https://original.jupiterbroadcasting.net/48367/cryptocrystalline-bsd-now-16/ Fri, 20 Dec 2013 10:53:55 +0000 https://original.jupiterbroadcasting.net/?p=48367 How to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH.


We’ll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller – one of the lead developers of OpenSSH – about some recent crypto changes in the project. If you’re into data security, today’s the show for you. The latest news and all your burning questions answered, right here on BSD Now – the place to B.. SD.

Thanks to: iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Secure communications with OpenBSD and OpenVPN

  • Starting off today’s theme of encryption…
  • A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
  • Part 1 covers installing OpenBSD with full disk encryption (which we’ll be doing later on in the show)
  • Part 2 covers the initial setup of OpenVPN certificates and keys
  • Parts 3 and 4 are the OpenVPN server and client configuration
  • Part 5 is some updates and closing remarks

FreeBSD Foundation Newsletter

  • The December 2013 semi-annual newsletter was sent out from the foundation
  • In the newsletter you will find the president’s letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
  • The president’s letter alone is worth the read, really amazing
  • Really long, with lots of details and stories from the conferences and projects

Use of NetBSD with Marvell Kirkwood Processors

  • Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
  • The IP-Plug is a “multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger).”
  • Really cool little NetBSD ARM project with lots of graphs, pictures and details

Experimenting with zero-copy network IO

  • Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
  • Discusses the different OS’ implementations and options
  • He’s able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn’t stopping there
  • Tons of details, check the full post

Interview – Damien Miller – djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH


Full disk encryption in FreeBSD & OpenBSD

  • Shows how to install both FreeBSD and OpenBSD with full disk encryption
  • We’ll be using geli and bioctl and doing it step by step

News Roundup

OpenZFS office hours

  • Our buddy George Wilson sat down to take some ZFS questions from the community
  • You can see more info about it here

License summaries in pkgng

  • A discussion between Justin Sherill and some NYCBUG guys about license frameworks in pkgng
  • Similar to pkgsrc’s “ACCEPTABLE_LICENSES” setting, pkgng could let the user decide which software licenses he wants to allow
  • Maybe we could get a “pkg licenses” command to display the license of all installed packages
  • Ok bapt, do it

The post Cryptocrystalline | BSD Now 16 first appeared on Jupiter Broadcasting.

Ideal ZFS Configurations | TechSNAP 135 https://original.jupiterbroadcasting.net/46032/ideal-zfs-configurations-techsnap-135/ Thu, 07 Nov 2013 17:30:31 +0000 https://original.jupiterbroadcasting.net/?p=46032 Striking a balance between performance and reliability can be a challenge. Also details on Adobe storing your private data in reversible encryption.


Striking a balance between performance and reliability can be a challenge, we’ll share our thoughts. Hackers figure out how to take over any Twitter account they want, while Adobe stores your private data in reversible encryption.

Plus your questions, our answers, and much much more.

Thanks to: GoDaddy and Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Adobe encrypted passwords, rather than cryptographically hashing them

  • This is a detail reporters often get wrong, saying that passwords were ‘encrypted’ when they meant ‘hashed’
  • Turns out, Adobe actually did it WRONG
  • The Adobe breach gave the attackers access to a 9.3 GB database containing 130 million user accounts and their passwords
  • The problem is that the passwords are stored using ‘reversible’ encryption (standard symmetric encryption, normally used on files), rather than cryptographic hashes (one-way encryption)
  • This means that if the attacker manages to obtain or brute force the key that was used to encrypt the passwords, they would be able to decrypt EVERY password in one go
  • Many of the accounts in the Adobe database belong to government organizations including the FBI, as well as many large corporations
  • The passwords were encrypted using 3DES (Triple DES)
  • DES was originally introduced in 1977, and 3DES in 1998 because the 56 bit keys in DES were no longer strong enough
  • Adobe also used ECB (Electronic Code Book) mode, which is known to leak information about the passwords
  • 3DES was superseded in 2001 by AES
  • Unlike with a cryptographic hashing algorithm, where the server does not know each user’s password, upgrading from 3DES to AES would have been easy: just decrypt all passwords and re-encrypt them with the new algorithm
  • Or better yet, decrypt all passwords, and properly cryptographically hash them and then throw away the plain text
  • “For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.”
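An added example (not Adobe’s code) of what ECB mode gives away and how a reversible store is migrated to salted, iterated hashes once the key is in hand. The standard library has no 3DES, so a toy 64-bit Feistel cipher stands in for it (same block size only, not the same algorithm); the key, user names, passwords and the zero padding are constructed for the illustration:

```python
"""ECB leakage and migration from a reversible password store to hashes.

Added example, not Adobe's code. The 64-bit Feistel cipher is a toy
stand-in for 3DES (same block size, different algorithm) so the script
runs offline; key, users, passwords and zero padding are constructed."""
import hashlib
import hmac
import os
import struct

BLOCK = 8       # 64-bit blocks, as in DES/3DES
ROUNDS = 8


def _round_fn(key, rnd, half):
    """Keyed round function: 32 bits of HMAC-SHA256 over (round number, right half)."""
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def _feistel(key, block, rounds):
    left, right = struct.unpack(">II", block)
    for rnd in rounds:
        left, right = right, left ^ _round_fn(key, rnd, right)
    return struct.pack(">II", right, left)   # final swap makes the network self-inverting


def block_encrypt(key, block):
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(ROUNDS)))


def ecb_encrypt(key, data):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    data = data + b"\x00" * (-len(data) % BLOCK)          # assumed zero padding
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, ct):
    pt = b"".join(block_decrypt(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))
    return pt.rstrip(b"\x00")                              # undo the assumed zero padding


def ecb_leaks(records):
    """What an attacker learns WITHOUT the key: users with identical passwords share a
    ciphertext, and users whose passwords share their first 8 bytes share a first block."""
    by_ct, by_first_block = {}, {}
    for user, ct in records.items():
        by_ct.setdefault(ct, []).append(user)
        by_first_block.setdefault(ct[:BLOCK], []).append(user)
    same_password = [g for g in by_ct.values() if len(g) > 1]
    same_prefix = [g for g in by_first_block.values() if len(g) > 1]
    return same_password, same_prefix


def migrate_to_hashes(key, records, iterations=1000):
    """With the key every password decrypts in one pass; re-store each as
    PBKDF2-HMAC-SHA256 with a per-user salt and keep no plaintext."""
    hashed = {}
    for user, ct in records.items():
        plaintext = ecb_decrypt(key, ct)
        salt = os.urandom(16)
        hashed[user] = (salt, hashlib.pbkdf2_hmac("sha256", plaintext, salt, iterations))
    return hashed


def verify_hash(hashed, user, password, iterations=1000):
    salt, dk = hashed[user]
    return hmac.compare_digest(dk, hashlib.pbkdf2_hmac("sha256", password, salt, iterations))


def demo():
    key = b"constructed-key-material"
    passwords = {"alice": b"password123", "bob": b"password123",
                 "carol": b"password1", "dave": b"letmein"}
    records = {u: ecb_encrypt(key, pw) for u, pw in passwords.items()}
    return ecb_leaks(records), migrate_to_hashes(key, records)
```

In the sample, alice and bob are exposed as sharing a password and carol as sharing their first eight characters, all without touching the key; after migration the two identical passwords produce different digests because each record has its own salt.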

Hackers Take Limo Service Firm for a Ride

  • A break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information of more than 850,000 customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
  • The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc.
  • Suggesting that the same attacker(s) may have been involved in all three compromises.
  • The name on the file archive reads “CorporateCarOnline.”
  • That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
  • Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses.
  • More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts.
  • Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion.

Researcher finds way to take over ANY twitter account

  • Security researcher Henry Hoggard discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature
  • Using this, he was able to read any user’s tweets and DMs
  • A victim that went to a malicious page, would unexpectedly authorize a new device to access their twitter account
  • This should have been prevented by Twitter’s verification step, except it seems that twitter was not actually checking the value, so an attacker would authorize their mobile device on your account by entering any value in place of the verification code
  • Twitter fixed the issue within 24 hours of it being reported

Feedback:


Round Up:

The post Ideal ZFS Configurations | TechSNAP 135 first appeared on Jupiter Broadcasting.

Intelligent Malware | TechSNAP 108 https://original.jupiterbroadcasting.net/36606/intelligent-malware-techsnap-108/ Thu, 02 May 2013 16:12:46 +0000 https://original.jupiterbroadcasting.net/?p=36606 A new Apache exploit hides in shared memory, making it hard to detect. We’ll tell you all about this new type of intelligent malware.


A new Apache exploit hides in shared memory, making it hard to detect. We’ll tell you all about this new type of intelligent malware.

Plus: Why all passwords are crackable no matter what anyone says, a great batch of your questions, and much more!

Thanks to:

Use our code tech295 to score .COM for $2.49!

32% off your ENTIRE first order just use our code go32off3 until the end of the month!

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

New Apache exploit hides in shared memory

  • The backdoor, called Linux/Cdorked.A, is unusually sophisticated and stealthy
  • It is unclear whether Cdorked is related to the earlier ‘deepleech’; deepleech was an Apache module and worked quite differently, but the two share the goal of infecting users with the Blackhole exploit kit and hiding from administrators
  • Unlike similar backdoors, Cdorked does not store or modify any files on the file system, other than the modified httpd binary
  • State information and configuration are stored in a small area of shared memory shared between all of the httpd processes
  • Interestingly, the region of shared memory has its permissions set wide open, allowing the information to be read or modified by other applications as well
  • All of the backdoor code in the infected httpd binary is encrypted with a static XOR key
  • The infected machines receive their instructions from the command and control server as special HTTP requests, which the backdoor prevents from ever being logged
  • The backdoor also has a reverse connection shell: when a special HTTP GET request is received, httpd connects out to the specified host and port, allowing the attacker to get a shell on the infected host even if it is behind a strict firewall
  • The reverse shell connection is also encrypted, using an XOR key based on the parameters sent when initializing the connection, likely to hide the shell connection from an IDS (Intrusion Detection System)
  • The goal of the backdoor is the same as the earlier version: redirect users from legitimate sites to the Blackhole exploit kit
  • This improved version does an even better job of hiding itself, and also provides the perpetrators with additional analytics
  • When a victim is redirected to the exploit kit, the URL includes a long base64-encoded string containing, among other things, the domain and URL of the file the user was requesting (so the attackers can see which sites are sending them the most victims, or when a site stops sending victims) and whether the client’s request was for a JavaScript file, allowing the correct exploit to be served
  • Once a victim has been redirected once, a cookie is set on their system which prevents the exploit from appearing again in the future, making it harder to detect or recreate the infection
  • The exploit purposely avoids trying to infect administrators, to avoid detection, by not serving the redirect to visitors of any URL containing: ‘adm’, ‘webmaster’, ‘submit’, ‘stat’, ‘mrtg’, ‘webmin’, ‘cpanel’, ‘memb’, ‘bucks’, ‘bill’, ‘host’, ‘secur’, ‘support’
  • ESET has published detection instructions
  • It is not clear how servers are being infected initially; some suggest it is just SSH brute force attacks gaining administrative access, but a researcher from Cisco believes it may be an exploit in unpatched installations of Plesk, a web hosting control panel application

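A defender-side check related to the wide-open shared memory permissions noted above, added here and not ESET’s published detection: it lists the System V shared memory segments in /proc/sysvipc/shm that any local user can write to and names the process that created each one. The table embedded in the script is a constructed sample so the parser can be run without a live system; on a Linux host the script reads the real file instead:

```python
"""Audit System V shared memory for world-writable segments.

Added example, not ESET's detection script: it flags the property the
notes call out (a segment any local user can read and write) rather
than any Cdorked-specific signature. Parses the Linux /proc/sysvipc/shm
table; SAMPLE_TABLE is a constructed sample for offline use."""
import os

SHM_TABLE = "/proc/sysvipc/shm"

SAMPLE_TABLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768   600     524288  1234  1234      2  1000  1000  1000  1000 1500000000          0 1500000000     524288          0
         0      65537   666       4096  4321  4322      6    33    33    33    33 1500000100          0 1500000100       4096          0
"""


def parse_shm_table(text):
    """Rows keyed by the header names; the perms column is printed in octal."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def is_world_writable(row):
    return (int(row["perms"], 8) & 0o002) != 0


def process_name(pid, proc_root="/proc"):
    """Name of the process from /proc/<pid>/comm, or '?' if it is gone or unreadable."""
    try:
        with open(f"{proc_root}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def audit(text, proc_root="/proc"):
    """One finding per world-writable segment: id, mode, size, creator and attach count."""
    findings = []
    for row in parse_shm_table(text):
        if is_world_writable(row):
            findings.append({
                "shmid": int(row["shmid"]),
                "perms": row["perms"],
                "size": int(row["size"]),
                "cpid": int(row["cpid"]),
                "creator": process_name(row["cpid"], proc_root),
                "nattch": int(row["nattch"]),
            })
    return findings


if __name__ == "__main__":
    text = open(SHM_TABLE).read() if os.path.exists(SHM_TABLE) else SAMPLE_TABLE
    for f in audit(text):
        print(f"shmid={f['shmid']} perms={f['perms']} size={f['size']} "
              f"creator={f['creator']}({f['cpid']}) attached={f['nattch']}")
```

A world-writable segment created by a web server process with several attached processes is not proof of anything on its own, but it is unusual enough to be worth explaining, and the creator name gives the triage a starting point.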
Salted hashes are not uncrackable, no matter what anyone says

  • As details emerge about the recent compromise of LivingSocial that exposed their password database, it is important to clarify some points about password hashes
  • LivingSocial was using SHA1 hashes with “40 byte salts”. It is unclear, but it seems they ‘rolled their own’ hashing system because they knew SHA1 was not good enough by itself
  • There are a number of problems with their approach:
    • SHA1 is designed for speed; in a cryptographic password hashing system you want the hash to be slow/expensive
    • There are special versions of the SHA algorithms for this, like sha512crypt: rather than just doing a single sha512 hash of the input, it does a variable number of rounds, typically 5000, with alternating inputs, to make it take longer. More on how sha512crypt works
    • Salting a hash does not make the hash itself any stronger, because the salt is stored alongside the hash and known to the attacker (you need the salt to verify a legitimate login attempt). The purpose of a salt is to force an attacker to calculate the hash of each password separately: when you have a list of 50 million hashes, you have to try ‘password’ against all 50 million of them, because each has a unique salt
    • Poul-Henning Kamp, author of the original md5-crypt, in his post officially deprecating md5-crypt, recommended that large sites consider using a blend of the existing algorithms to take advantage of things like bcrypt’s resistance to GPU cracking
  • Password hashing has never been, and will never be, uncrackable
  • As with all security measures, it is a trade-off. The goal is to tune the amount of computing power it takes to generate a single hash (to compare your login attempt against the stored hash and decide whether you entered the correct password) so that it is as slow as possible without delaying your login or overburdening the server (a good benchmark is 50–100 ms), so that login attempts take an imperceptible amount of time but brute forcing the hashes takes an impractical amount of time (a large number of years)
  • Password hashing is designed to buy time, so that when the password database leaks you have time to reset your password to something new before the attacker can brute force the old one and compromise your account
  • Reminder: use a unique password for each site/service
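An added example (not from the show) that puts numbers on the two points above: calibrating an iterated hash to the 50–100 ms window, and showing why a salt per record multiplies an offline guesser’s work. PBKDF2-HMAC-SHA512 from the standard library stands in for sha512crypt or bcrypt; the store, the word list and the target times are constructed:

```python
"""Work-factor calibration and the cost a per-record salt imposes on guessing.

Added example, not from the show. PBKDF2-HMAC-SHA512 (standard library)
stands in for sha512crypt/bcrypt; store, word list and timings constructed."""
import hashlib
import hmac
import os
import time


def slow_hash(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)


def calibrate_iterations(target_ms=75.0, start=1000):
    """Double the iteration count until one hash takes at least target_ms on this host.
    Returns (iterations, measured_ms); 75 ms sits inside the 50-100 ms window."""
    salt = os.urandom(16)
    iterations = start
    while True:
        t0 = time.perf_counter()
        slow_hash(b"calibration", salt, iterations)
        elapsed_ms = (time.perf_counter() - t0) * 1000
        if elapsed_ms >= target_ms:
            return iterations, elapsed_ms
        iterations *= 2


def build_store(passwords, iterations):
    """One random 16-byte salt per record, so equal passwords yield different digests."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, slow_hash(pw, salt, iterations))
    return store


def verify(store, user, password, iterations):
    salt, digest = store[user]
    return hmac.compare_digest(digest, slow_hash(password, salt, iterations))


def offline_guess(store, wordlist, iterations):
    """Dictionary run as a cost model: each record has its own salt, so every candidate
    is hashed again for every record. Returns (cracked, hashes_computed)."""
    cracked, computed = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            computed += 1
            if hmac.compare_digest(digest, slow_hash(word, salt, iterations)):
                cracked[user] = word
                break
    return cracked, computed


def estimate_crack_years(records, candidates, ms_per_hash):
    """Single-core wall-clock years to try every candidate against every record."""
    seconds = records * candidates * ms_per_hash / 1000
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    iters, ms = calibrate_iterations()
    print(f"{iters} iterations -> {ms:.1f} ms per hash")
    print(f"50M records x 1M guesses: {estimate_crack_years(50e6, 1e6, ms):.0f} core-years")
```

Without unique salts the guesser hashes each candidate once and compares it against all 50 million digests; with them the same run costs 50 million times as many hashes, which is the whole reason the salt is there even though it adds nothing to the strength of any single hash.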


Feedback:

Round-Up:

The post Intelligent Malware | TechSNAP 108 first appeared on Jupiter Broadcasting.

MySQL or Yours? | TechSNAP 87 https://original.jupiterbroadcasting.net/28511/mysql-or-yours-techsnap-87/ Thu, 06 Dec 2012 16:49:10 +0000 https://original.jupiterbroadcasting.net/?p=28511 MySQL had a bad week, we’ll run down the list of vulnerabilities, the SSH server that allows an attacker root access, and a GPU password cracking monster.


MySQL had a bad week, we’ll run down the list of the recently disclosed vulnerabilities, the SSH server that allows an attacker full root access, and a GPU password cracking monster.

Plus a big batch of your questions, and so much more!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? use go20off5 to save 20% on your entire order!

$4.99 SSL certificates, just use our code 499ssl2. Expires 12-31-12!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

 


  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Researcher finds flaw in PayPal that may expose sensitive data

  • PayPal’s new bug bounty program opened on June 21st 2012
  • On June 29th, the security researcher in this story decided to take a look at PayPal and see if he could make some money
  • He started his quest with a search on SHODAN (a search engine for service information, like version numbers) for ‘admin paypal’
  • He found a number of publicly accessible ‘staging’ servers for PayPal (such as stage2mb106.paypal.com)
  • He started by trying an authentication bypass via SQL injection, using the randomly selected username ‘lsmith’
  • This returned an error message, but also the string ‘You are logged in as Lori Smith’
  • After some more testing, he found jsmith was Janine Smith
  • He wasn’t sure what this staging admin area did yet, but after some googling he found examples of court documents dumping the details of a PayPal account that are generated by the tool at admin.paypal.com
  • This is where the researcher found the first problem with PayPal’s bug bounty program. PayPal asks that all submissions be encrypted with PGP to ensure privacy, however the PGP key posted on the bug bounty program website had expired
  • On July 5th he finally got a proper PGP key and sent his report
  • July 19th – automated report that the submission was received
  • August 7th – submission closed as ‘invalid’
  • August 8th – submission recategorized and reopened
  • August 21st – a hand-written reply to another bug report says the current report is still open and payment will be sent when it is fixed
  • August 29th – received payment for an ‘XSS Vulnerability’, which seems like a miscategorization; asks if this is a mistake, never gets a reply
  • Researcher’s Writeup

  • Allan has also participated in the PayPal Bug Bounty program, after finding a cache of stolen paypal accounts totaling millions of dollars (a story to be covered in depth when I get time)
  • My own disclosure to the program started on September 15th and was finally concluded today, November 21st
  • The first automated reply saying they had received the report was September 17th
  • September 20th they replied asking for some additional information
  • October 26th, Paypal apologized for the delay and notified me that while my submission did not qualify under the Bug Bounty program, due to the nature of the information they were still going to award me $1000, I should expect payment in 3 weeks
  • November 21st, I received my payment and clearance to talk about the incident

Two FreeBSD project servers compromised by leaked SSH key

  • On November 17th the FreeBSD security officer announced that intrusions into two servers operated by the FreeBSD project had been detected on November 11th
  • The affected machines were taken offline for analysis
  • A large portion of the remaining infrastructure machines were also taken offline as a precaution
  • The two machines that were compromised were part of the legacy third-party package building infrastructure
  • It is believed that the compromise may have occurred as early as the 19th September 2012
  • The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD
  • At no time did this attack place the core FreeBSD operating system (kernel, userland, contributed apps (ssh/sshd, bind, etc)) at risk
  • However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is not taking any risks, and has thrown out all of the packages it was building for the release of FreeBSD 9.1 and is building them from scratch
  • If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry
  • The Source, Ports and Documentation Subversion repositories have been audited, and the project is confident that no changes have been made to them. Any users relying on them for updates have no reason to worry
  • The project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although there is no evidence to suggest any tampering took place and such interference is unlikely, the FreeBSD Project recommends you consider reinstalling any such machines from scratch, using trusted sources
  • Additional Source

    PHP 5.5 to introduce new password hashing API

    • Official PHP RFC Wiki
    • Why do we need password hashing: to store passwords in a way that lets us verify that a user has entered the correct password while, if our database is compromised, leaving the attacker unable to easily recover the users' passwords
    • Why do we need purpose-built password hashing: plain hash functions such as MD5 or even SHA-512 are not sufficient. They are designed to be fast, which is exactly what you do not want here, and an unsalted hash can be attacked with rainbow tables (precomputed hash-to-password tables). Password hashing schemes add a per-user random salt so that each hash is unique (two users with the same password get different hashes) and precomputation becomes useless, and they stretch the work with an adjustable iteration count: sha512crypt, for example, loops its hash 5000 times by default. Some algorithms, such as bcrypt, are also designed to be awkward to accelerate on GPUs, and scrypt is deliberately memory intensive to resist ASIC and FPGA implementations.
    • The new PHP password hashing API makes the process of generating and validating hashes much easier, and includes a system for upgrading hashes
    • The new API lets you optionally specify which algorithm to use; if you do not, it defaults to bcrypt (the old crypt() defaulted to DES). This also means that if PHP changes the default password hash in the future, all new hashes will automatically use the new algorithm
    • The API introduces a function that checks whether a stored hash needs to be upgraded. On login you first verify the submitted password against the stored hash (which may be from the old algorithm; each hash carries a marker at the front that identifies its algorithm and parameters). If it matches, you still hold the plaintext the user just typed, so you hash it with the current algorithm and overwrite the stored copy. The first time a user with an old hash logs in, their hash is silently upgraded, with no forced password reset and no bulk conversion of the database
    • PHP 5.5 is just coming out in beta, and will likely not see production use for a while, but you do not have to wait, there is a pure-PHP implementation for PHP 5.3
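Here is the flow just described, worked through in Python as an added example (it is not PHP's own code nor anything from the show notes). It models password_hash(), password_verify() and password_needs_rehash() with a self-describing hash string whose leading marker selects the algorithm. Assumptions: the legacy scheme is unsalted SHA-1, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship; the "database" is a plain dict. The same mechanism is what would let a site like LinkedIn (later on this page) move its users to salted hashes without a forced reset.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Policy for newly created hashes. Raising CURRENT_ROUNDS later is all it takes
# to make every older hash report that it needs a rehash.
CURRENT_SCHEME = "pbkdf2-sha256"   # stands in for bcrypt (assumption: no bcrypt in the stdlib)
CURRENT_ROUNDS = 200_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """The 'old algorithm': unsalted SHA-1 with a scheme marker prepended.
    Same password, same hash, which is exactly the LinkedIn problem."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def current_hash(password: str, rounds: int = CURRENT_ROUNDS, salt: bytes | None = None) -> str:
    """Salted, stretched hash in a self-describing format: scheme$rounds$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{CURRENT_SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the parameters carried in the stored string; compare in constant time."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        candidate = legacy_hash(password)
    elif scheme == CURRENT_SCHEME:
        _, rounds, salt_hex, _ = stored.split("$")
        candidate = current_hash(password, int(rounds), bytes.fromhex(salt_hex))
    else:
        return False  # unknown marker: refuse rather than guess
    return hmac.compare_digest(candidate.encode(), stored.encode())


def needs_rehash(stored: str) -> bool:
    """True unless the hash already uses the current scheme at the current cost."""
    fields = stored.split("$")
    return fields[0] != CURRENT_SCHEME or int(fields[1]) < CURRENT_ROUNDS


def login(db: dict[str, str], user: str, password: str) -> bool:
    """Verify, then upgrade a stale hash using the plaintext the user just supplied.
    Failed logins never touch the stored value."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored):
        db[user] = current_hash(password)
    return True


if __name__ == "__main__":
    # Constructed sample "database": one legacy user, one already on the current scheme.
    users = {"alice": legacy_hash("correct horse"), "bob": current_hash("battery staple")}
    print(login(users, "alice", "wrong"), users["alice"][:5])          # False sha1$
    print(login(users, "alice", "correct horse"), users["alice"][:13])  # True pbkdf2-sha256
    print(needs_rehash(users["alice"]), needs_rehash(users["bob"]))     # False False
```

Raising CURRENT_ROUNDS is enough to make every existing hash report needs_rehash() on its owner's next login; unknown scheme markers are rejected rather than guessed, and a failed login never modifies the stored value.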

    iOS 6 streaming bug causes excessive data usage

    • The issue has been detailed in a blog post at PRX.org
    • They looked into it after being approached by folks at This American Life about extremely high bills from their CDN for the month of October.
    • Chris has heard from other podcasters about this issue, and for some less prepared networks/shows it’s caused a semi-DDoS effect for many hours after an episode release.
    • PRX.org was able to reproduce the issue with several podcasts in the Podcast app, including podcasts using Limelight and Akamai CDNs.
    • PRX.org was unable to reproduce the issue using iOS 5 or using iOS 6.0.1, but there are still many people using iOS 6.0.0. We believe that this issue, combined with the bug causing the phone to behave as though it is connected to WiFi even when it is not, could account for the significant data overages reported with the release of iOS 6.
    • Others have reported the issue remains in iOS 6.0.1, but is perhaps alleviated by the resolution of the wifi bug.
    • When the file has completed downloading, it begins downloading again from the beginning of the file and continues for as long as one is streaming the file.
    • As long as one is listening to audio being streamed with iOS 6, it is using significant amounts of data.
    • There appears to be a system-wide problem with the AV Foundation framework in iOS 6.0.0, impacting any App in the app store that uses that backend.
    • Apple does not appear to have acknowledged the specific issue.
    • Original PRX Labs post
    • More Coverage at Ars Technica and The Next Web

    Openwall gives talk at YaC2012 about password hashing

    • Openwall are the developers behind John the Ripper
    • Talk covers the challenges of securing against online and offline attacks
    • Covers the Pros and Cons of the YubiHSM, a USB hardware security module for servers from the makers of the YubiKey
    • Covers the future vulnerabilities of PBKDF2 and bcrypt
    • Talks about the advantages of scrypt
    • scrypt was invented by Colin Percival (former FreeBSD Security Officer), for his tarsnap secure online backup product
    • scrypt is designed to be far more expensive to brute-force in hardware (ASICs, FPGAs and the like): it requires a large amount of RAM, and an attacker can only reduce that memory by doing proportionally more computation (a time-memory trade-off), so each parallel cracking unit needs either lots of fast memory or lots of time, which makes dedicated hardware attacks much more costly to carry out
    • “if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2”
    • When used for file encryption, the cost of cracking the password is 100 billion times more than the cost of cracking the same password on a file encrypted by openssl enc
    • scrypt is now an IETF internet draft

    Feedback:

    Round Up:

    The post Tales from the BCrypt | TechSNAP 85 first appeared on Jupiter Broadcasting.

    Wire-Shark | TechSNAP 78 https://original.jupiterbroadcasting.net/25546/wire-shark-techsnap-78/ Thu, 04 Oct 2012 16:53:15 +0000 https://original.jupiterbroadcasting.net/?p=25546 We’ve got the details on a critical flaw in the chip and pin credit card system. Doing proper backups with rsync, and how sharks take down the Internet.

    We’ve got the details on a critical flaw in the chip and pin credit card system. The future of secure hashing, doing proper backups with rsync, and how squirrels and sharks take down the Internet.

    Plus a big batch of your questions, and our answers.

    All that and more, on this week’s TechSNAP

    Thanks to:

    Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    BONUS ROUND PROMO:

    Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
    CODE: 599tech

    Expires 10/31/12

    SPECIAL OFFER! Save 20% off your order!
    Code: go20off5

    Pick your code and save:
    techsnap7: $7.49 .com
    techsnap10: 10% off
    techsnap11: $1.99 hosting for the first 3 months
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans
    techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

 

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Virgin Mobile USA customers may be at risk

  • Virgin Mobile customers in the USA access their customer portal using their mobile phone number and a 6 digit pin
  • In addition to the obvious lack of security of using such a limited keyspace, it seems that the Virgin portal does not implement any type of lockout or intrusion detection
  • Specifically, they do not block an IP after hundreds of failed attempts, meaning an attacker can quickly run through all 1 million possible PINs and gain access to any account
  • Kevin Burke, the researcher who discovered the flaw, said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concerns were dismissed
  • Later, a fix was applied to the portal, blocking users after 4 failed attempts, however it relied on a browser cookie to keep track of the count. Beyond how easily that is evaded (just don't send the cookie back), most attack scripts don't keep cookies anyway
  • Virgin’s portal now correctly blocks an IP address after 20 failed attempts
  • When it does block, Virgin returns a 404 (Not Found) rather than a status that describes the condition, such as 429 Too Many Requests or 403 Forbidden
  • Additional Coverage
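The two lockout designs above, side by side, as an added Python example (mine, not Virgin's code). CookieCounterThrottle keeps the failure count in a cookie, as the first fix did; an attacker that simply never returns the cookie is never blocked. ServerThrottle keeps the counters on the server, keyed by account as well as by source address, with a timed lockout, so neither dropping cookies nor rotating accounts from one address yields unlimited guesses. The thresholds (5 per account, 20 per IP) and the 15-minute lockout are assumptions, and the phone numbers and addresses are constructed.

```python
from __future__ import annotations

from collections import defaultdict


class CookieCounterThrottle:
    """The first fix: the failure count lives in a cookie the server sets.
    The client decides whether to send it back, so the client decides whether it exists."""

    def __init__(self, limit: int = 4):
        self.limit = limit

    def allowed(self, cookie: dict | None) -> bool:
        return int((cookie or {}).get("fails", 0)) < self.limit

    def record_failure(self, cookie: dict | None) -> dict:
        updated = dict(cookie or {})
        updated["fails"] = int(updated.get("fails", 0)) + 1
        return updated  # goes out in Set-Cookie; an attacker simply drops it


class ServerThrottle:
    """State kept on the server, keyed by account and by client IP, with a timed lockout.
    Thresholds and the 15 minute lockout are assumptions for the example."""

    def __init__(self, per_account: int = 5, per_ip: int = 20, lockout_seconds: float = 900):
        self.per_account, self.per_ip, self.lockout = per_account, per_ip, lockout_seconds
        self.fails = {"acct": defaultdict(int), "ip": defaultdict(int)}
        self.locked_until = {}  # (kind, key) -> time the lockout ends

    def _locked(self, kind: str, key: str, now: float) -> bool:
        until = self.locked_until.get((kind, key))
        if until is None:
            return False
        if now >= until:  # lockout expired: forget it and the count that caused it
            del self.locked_until[(kind, key)]
            self.fails[kind].pop(key, None)
            return False
        return True

    def allowed(self, account: str, ip: str, now: float) -> bool:
        return not (self._locked("acct", account, now) or self._locked("ip", ip, now))

    def record_failure(self, account: str, ip: str, now: float) -> None:
        self.fails["acct"][account] += 1
        self.fails["ip"][ip] += 1
        if self.fails["acct"][account] >= self.per_account:
            self.locked_until[("acct", account)] = now + self.lockout
        if self.fails["ip"][ip] >= self.per_ip:
            self.locked_until[("ip", ip)] = now + self.lockout

    def record_success(self, account: str) -> None:
        self.fails["acct"].pop(account, None)
        self.locked_until.pop(("acct", account), None)


def guesses_let_through_dropping_cookies(throttle: CookieCounterThrottle, attempts: int) -> int:
    """Attacker never returns the cookie, so every request looks like the first one."""
    allowed = 0
    for _ in range(attempts):
        if throttle.allowed(None):
            allowed += 1
            throttle.record_failure(None)  # the server's Set-Cookie is discarded
    return allowed


def guesses_let_through(throttle: ServerThrottle, account: str, ip: str, attempts: int) -> int:
    """Attacker guesses once per second against one account; every guess is wrong."""
    allowed = 0
    for t in range(attempts):
        if throttle.allowed(account, ip, float(t)):
            allowed += 1
            throttle.record_failure(account, ip, float(t))
    return allowed


if __name__ == "__main__":
    print("cookie counter, guesses let through out of 100000:",
          guesses_let_through_dropping_cookies(CookieCounterThrottle(), 10 ** 5))
    print("server-side counters, guesses let through in 500 s:",
          guesses_let_through(ServerThrottle(), "5551234567", "198.51.100.7", 500))
```

Against a 6-digit PIN the per-account cap is what matters: an attacker who can only make a handful of guesses per account per lockout window cannot cover a million values, whatever the per-IP limit is.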

Security Explorations finds another Java 0-day, for Java SE 5, 6 and 7

  • Security Explorations, the Polish research firm that found the previous Java exploits, has now topped 50 different vulnerabilities reported to Oracle, and the 50th one is the worst to date
  • The flaw affects fully patched Windows 7 machines, using all major browsers
  • Oracle has produced a comprehensive status report regarding upcoming Java Critical Patch Update. The company claims to have fixes for all, except two issues (29 and 50) integrated and undergoing testing for release in the October 2012 Java SE CPU. Oracle is still evaluating fixes for Issue 50 and will provide further update on whether a fix for it will be also included in the October 2012 Java SE CPU
  • Additional Coverage

IEEE passwords exposed via FTP site

  • A researcher found a log file on a publicly accessible IEEE FTP site
  • The file contained logs from 01/Aug/2012:20:46:28 +0000 to 18/Sep/2012:08:47:17 +0000
  • The log contained around 375 million lines, 400,000 of which contained plain text passwords, 17k of which were password reset requests
  • A total of 99,979 unique usernames were found
  • 7 of the top 10 passwords were all numeric, variations of 123 – 1234567890
  • Other popular passwords included ieee2012, IEEE2012, password, library and ADMIN123
  • 38% of users use gmail, 7.6% use yahoo
  • It does not appear that the IEEE actually stores usernames and passwords in plaintext in its authentication database, but it is unclear why or how the passwords were included in the access logs
  • The IEEE acknowledged the breach
  • and issued a notice to its members, encouraging them to use strong passwords when they are forced to reset their password
  • Additional Coverage
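The notes above say it is unclear how the passwords got into the IEEE access logs. One common route is credentials carried in query strings, which then land in the request line or in a referer, and that is something you can audit your own logs for. The scanner below is an added Python example (mine, unconnected to the IEEE incident); it assumes the Apache/nginx combined log format, runs over constructed sample lines, and reports the offending field with the secret values redacted.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never appear in a request line or referer.
SENSITIVE = re.compile(r"^(pass(word|wd)?|pwd|pin|token|secret|api[_-]?key)$", re.IGNORECASE)

# Apache/nginx "combined" format (assumed; adjust the pattern to your own log format).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params(url: str) -> list[str]:
    """Names of credential-looking query parameters in a URL or request path."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if SENSITIVE.match(name)]


def redact(url: str) -> str:
    """Same URL with the values of sensitive parameters replaced, for safe reporting."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(f"{k}=[REDACTED]" if SENSITIVE.match(k) else f"{k}={v}" for k, v in pairs)
    return parts._replace(query=query).geturl()


def scan(lines) -> list[tuple[int, str, list[str], str]]:
    """(line number, field, parameter names, redacted URL) for every offending line."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not in the expected format; a real audit would count these
        for field in ("uri", "referer"):
            names = sensitive_params(m[field])
            if names:
                findings.append((number, field, names, redact(m[field])))
    return findings


# Constructed sample lines (not from the IEEE logs); the timestamp format matches the range quoted above.
SAMPLE = [
    '203.0.113.5 - - [18/Sep/2012:08:47:17 +0000] "GET /login?user=jdoe&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [18/Sep/2012:08:47:18 +0000] "GET /library/search?q=ieee HTTP/1.1" 200 5120 "https://example.com/reset?pin=123456" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Sep/2012:08:47:19 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, field, names, url in scan(SAMPLE):
        print(f"line {number}: {field} carries {', '.join(names)} -> {url}")
```

The POST in the third line is invisible to this check because form bodies are not logged; that is the point of sending credentials in a body rather than a query string. Finding hits in the referer field means another site's form leaked the secret to you, which is worth reporting back to them.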

Your Android phone could be remotely erased by a malicious website

Feedback:

Book: Nginx HTTP Server

It provides a step-by-step tutorial to replace your existing web server with Nginx. With commented configuration sections and in-depth module descriptions

Have some fun:

What I wish the new hires “knew”

Round-Up:

HALL of SHAME: Secret Microsoft policy limited Hotmail passwords to 16 characters

The post Password SecuritIEEE | TechSNAP 77 first appeared on Jupiter Broadcasting.

Bypassing Authentication | TechSNAP 62 https://original.jupiterbroadcasting.net/20592/bypassing-authentication-techsnap-62/ Thu, 14 Jun 2012 17:04:57 +0000 https://original.jupiterbroadcasting.net/?p=20592 A MySQL flaw so awful, I simply had to laugh. And how a simple SSH config mistake led to a really bad day.

Plus we answer some great audience questions, all that and much more on this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Show Notes:

MySQL authentication Bypass

  • The developers of MariaDB (a fork of MySQL) recently found a major flaw in MySQL (and MariaDB): given a valid username, each login attempt with an incorrect password has roughly a 1 in 256 chance of being accepted
  • All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • This exploit is even worse than it sounds, because once an attacker gains access to the MySQL server, they can dump the MySQL users table, which contains the hashed passwords of all other users
  • This would allow the attacker to then do an offline attack against those hashes (with a brute force password cracking program such as John the Ripper)
  • In this way, even if the administrator patches their MySQL server, preventing further access by the attacker via the exploit, the attacker can then use the actual passwords for real user accounts once they are cracked
  • The error is an incorrect assumption about the return value of memcmp(), the C function that compares two memory regions. The standard only guarantees the sign of the result (negative, zero or positive), but MySQL stored it in my_bool, a one-byte type, so any nonzero result that happens to be a multiple of 256 is truncated to 0 and read as "the hashes match"
  • Due to the fact that memcmp() is implemented differently by different OSs and compilers, only some systems are known to be vulnerable
  • Vulnerable:
    • Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04)
    • OpenSuSE 12.1 64-bit
    • Debian Unstable 64-bit (maybe others)
    • Fedora (unspecified versions)
    • Arch Linux (unspecified versions)
  • Not Vulnerable:
    • Official builds from MySQL.com (including Windows)
    • Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
    • CentOS using official RHEL rpms
    • Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
    • FreeBSD (all versions)
  • Vulnerable/Not Vulnerable list source, more details, mitigation steps
  • The 64-bit builds are affected largely because glibc’s SSE4-optimised memcmp() (good for a 3–5x performance increase) can return values outside the -255..255 range produced by a byte-at-a-time compare; only such values can truncate to zero. The standard permits this, so the bug is MySQL’s, not glibc’s
  • The following shell one-liner demonstrates it: with a valid username (root) and a wrong password it simply retries, and on a vulnerable server one of the attempts is soon accepted and drops you into a mysql shell as root: for i in $(seq 1 1000); do mysql -u root --password=techsnap -h 127.0.0.1 2>/dev/null; done
  • memcmp() man pages
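The narrowing described above, modelled in Python as an added example (not MySQL's or glibc's code; Python is used to stay in one language with the other examples on this page, since the point is the integer arithmetic rather than the C). to_my_bool() reproduces storing an int in a one-byte my_bool, and two memcmp() stand-ins show why the outcome depends on the libc: a byte-at-a-time compare never yields a value that truncates to zero, whereas the word-at-a-time model (an assumed illustration of an optimised memcmp, not glibc's actual routine) does so about once in 256 random mismatches. check_scramble_fixed() applies the shape of the actual fix, normalising to 0/1 before the narrowing.

```python
import random

HASH_LEN = 20  # SHA1_HASH_SIZE: the stage-2 hashes that check_scramble() compares


def to_my_bool(rv: int) -> int:
    """Narrow an int to a signed C char, as assigning memcmp()'s result to my_bool did."""
    return ((rv + 128) % 256) - 128


def memcmp_bytewise(a: bytes, b: bytes) -> int:
    """Classic memcmp: difference of the first unequal bytes, always within -255..255,
    so narrowing to a char can never turn a mismatch into 0."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return 0


def memcmp_wordwise(a: bytes, b: bytes) -> int:
    """Assumed model of a word-at-a-time memcmp: difference of the first unequal
    32-bit little-endian words. The C standard fixes only the sign, so this is a
    legal memcmp, but the value no longer fits in a char. (Illustrative; not a
    copy of glibc's SSE4 routine.)"""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0


def check_scramble_buggy(expected: bytes, reassured: bytes, memcmp) -> bool:
    """Pre-fix logic: my_bool r = memcmp(...); the caller treats 0 as 'password correct'."""
    return to_my_bool(memcmp(expected, reassured)) == 0


def check_scramble_fixed(expected: bytes, reassured: bytes, memcmp) -> bool:
    """Post-fix logic: collapse the int to 0/1 before it is narrowed."""
    mismatch = 1 if memcmp(expected, reassured) != 0 else 0
    return to_my_bool(mismatch) == 0


def spurious_success_rate(memcmp, trials: int, seed: int = 1) -> float:
    """Fraction of random wrong-password hashes the buggy check accepts."""
    rng = random.Random(seed)
    expected = rng.getrandbits(8 * HASH_LEN).to_bytes(HASH_LEN, "little")
    hits = 0
    for _ in range(trials):
        wrong = rng.getrandbits(8 * HASH_LEN).to_bytes(HASH_LEN, "little")
        hits += check_scramble_buggy(expected, wrong, memcmp)
    return hits / trials


if __name__ == "__main__":
    good = bytes(HASH_LEN)
    wrong = b"\x00\x01" + bytes(HASH_LEN - 2)  # differs from `good` in the second byte only
    for name, impl in (("bytewise", memcmp_bytewise), ("wordwise", memcmp_wordwise)):
        print(name, "buggy accepts:", check_scramble_buggy(good, wrong, impl),
              "fixed accepts:", check_scramble_fixed(good, wrong, impl),
              "random acceptance: %.4f" % spurious_success_rate(impl, 20000))
```

The `wrong` buffer in the demo differs from `good` by 1 in the second byte, so the word difference is -256: the byte-wise compare reports -1 and the mismatch is caught, while the word-wise compare's -256 becomes 0 in a char and the login succeeds. This is also why the vulnerable/not-vulnerable split above follows the platform's libc rather than the MySQL version alone.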

F5 SSH Root login keys leaked

  • F5 makes high end IP load balancers, designed to distribute traffic among web servers, handle SSL offloading, and more
  • Fixed in a recently released patch, it seems that all F5s came out of the box authorized for root login over SSH with an RSA public key
  • The problem was that the corresponding RSA private key was also shipped on every F5 device
  • This means that anyone who owns an F5, or has a copy of that key file (and by now we have to assume it has been posted online), can log in as root on your F5
  • Why is login as root over SSH even permitted?
  • Vulnerability Announcement
  • Official Advisory

AMD/ATI Windows Video drivers insecure, cause BSOD when security features in windows enabled

  • Microsoft has a toolkit, called EMET (Enhanced Mitigation Experience Toolkit) that works to reduce the chance that unknown vulnerabilities in windows can be successfully exploited
  • EMET builds on DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which are designed to make buffer overflows and other memory-corruption bugs much harder to turn into code execution
  • EMET includes an option to force DEP and ASLR for every process system wide, rather than per application, where only programs that opt in to DEP/ASLR are protected
  • Enabling system-wide (mandatory) ASLR causes the AMD/ATI video driver to blue screen the system
  • This means that any system with an AMD/ATI graphics adapter cannot be secured as strongly as a system with an Intel or nVidia graphics adapter
  • CERT Vulnerability Notice VU#458153
  • Download Microsoft Enhanced Mitigation Experience Toolkit

Feedback:

Q: Jason asks about using CNAMEs for customer domains

A:
The problem with what you are proposing is that a name which has a CNAME record cannot have any other record types at the same name. The apex of a zone (example.com itself) always carries SOA and NS records, and you also want an MX there, so if you CNAME example.com to server1.scaleengine.com the zone is invalid and you cannot host email addresses @example.com. Use an A (or AAAA) record at the apex and keep CNAMEs for subdomains such as www.example.com

Q: Mario asks about blocking possibly malicious ad networks on his network

Eivind writes in about a game company handling a security breach correctly

Note: if they could tell that 10,000 users shared the same password by comparing stored values, they are storing plain, unsalted hashes (as LinkedIn was) rather than salted, stretched password hashes; with a per-user salt, identical passwords produce different hashes. When will people learn.

Round-Up:

The post Bypassing Authentication | TechSNAP 62 first appeared on Jupiter Broadcasting.

I Know Your Password | TechSNAP 61 https://original.jupiterbroadcasting.net/20312/i-know-your-password-techsnap-61/ Thu, 07 Jun 2012 17:50:30 +0000 https://original.jupiterbroadcasting.net/?p=20312 Bad password storage practices: many popular sites had their password databases leaked online this week, and we’ve got the details!

It’s a simple thing but everyone keeps messing it up: bad password storage practices. Many popular sites had their password databases leaked online this week, and we’ve got the details!

Plus how the Flame malware impersonated Windows Update, and another batch of audience questions!

All that and more, on this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Show Notes:

Flame Took Advantage of Windows Update

  • Iran has sustained 185 Flame virus infections, followed by 95 in Israel and the Palestinian Territories, 32 in Sudan and 29 in Syria
  • A Flame module called Gadget possesses man-in-the-middle functionality which enabled it to pass crafted update packages to other computers on the same network
  • One specific package was called WuSetupV.exe and was signed with a certificate issued by the “Microsoft Enforced Licensing Registration Authority CA”, a sub-CA of Microsoft’s root authority
  • The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption (some strong, some weak) and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code written in the Lua programming language
  • Most victims were running 32-bit editions of Windows 7, with a sizeable 45 per cent running XP. Flame does not work on the 64-bit edition of Windows 7
  • The Flame malware used a cryptographic collision attack against MD5, in combination with the Terminal Server Licensing Service certificates, to sign code as if it came from Microsoft
  • Those Microsoft certificates were still signed using MD5. According to the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (discussed in TechSNAP 37), MD5 was deprecated for root and subordinate CAs in December 2010, SHA-256 or better is required for all certificates issued after December 31, 2013, and SHA-1 is only allowed until more browsers support SHA-256 or better
  • Microsoft has already confirmed that Flame developers were able to issue valid Microsoft certificates
  • Flame’s operators used a number of fake identities to register their domains. According to Kaspersky, server locations included Germany, the Netherlands, the UK, Switzerland, Hong Kong and Turkey
  • Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and Duqu, it does share a few interesting things with Stuxnet
  • Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009
  • Researchers say the compilation date of modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to thwart researchers from determining when they were created

“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
  • Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May

Links


LinkedIn leaks 6.4 million password hashes

  • A list of 6.4 million SHA-1 hashes, purported to be passwords from the popular business social networking site LinkedIn.com, was posted on a Russian password cracking forum
  • The list is deduplicated (each hash appears only once), so the number of accounts affected is larger than 6.4 million, since many users share the same common passwords
  • The list that I managed to download had a lot of the hashes prefixed with five or six zeros, apparently marking them as already having been brute forced
  • An analysis of a number of permutations of the word linkedin, shows that almost every obfuscation was present on the list
  • Research has shown that the name of the site is one of the most common passwords, so this suggests that the list is actually from LinkedIn
  • A number of users at hackernews found their obscure/random passwords on the list of hashes, further suggesting that the list is legitimate
  • Storing passwords as plain SHA-1 hashes is extremely insecure; a salted, deliberately slow password hashing scheme (bcrypt, scrypt, PBKDF2 or one of the crypt(3) schemes) should be used
  • I managed to download a 10GB rainbow table of SHA1 hashes, and check every 1–7 character mixed case alpha numeric password using my nVidia GTX 560 Ti, in only 220 seconds
  • A rainbow table for longer passwords is impractical due to the amount of storage required
  • Salted hashes defeat rainbow tables because the salt makes every user’s hash unique: a table would have to be precomputed per salt, which costs as much as the brute-force attack itself. Note that the salt does not raise the cost of attacking one leaked hash (the attacker reads the salt right next to it); what does is the iteration count, since crypt()-based schemes run the hash many times
  • MD5-crypt uses an 8 character salt and loops 1000 times, SHA256/SHA512-crypt uses a 16 character salt and by default loops 5000 times (adjustable between 1000 and 999,999,999), and bcrypt uses a 128-bit salt (22 characters in its encoding) and a cost parameter between 4 and 31, running 2^cost rounds of its key setup
  • Consider the following key spaces, and assume you had access to the cracking power of the ENTIRE bitcoin mining network (10 Terahashes per second) (Disclaimer: these numbers are rough, just an example for reference)
    • 8 character password, mixed case alphanumeric: (26+26+10)^8 = 218,340,105,584,896 = 21.8 seconds to try every possible password
    • 8 character password, all 7-bit ASCII characters: 127^8 = 67,675,234,241,018,881 = 6767 seconds to try every possible password (less than 2 hours)
    • 8–12 character password, alphabetical only: 26^8 + 26^9 + 26^10 + 26^11 + 26^12 = 99,246,106,575,066,880 = 9924 seconds (less than 3 hours)
    • 8 character mixed case alphanumeric password with an 8 character salt and 100 rounds: if the salt were unknown the space would be 62^16 * 100 = 4,767,240,170,682,353,345,026,333,081,600 (15,116,819,414 years), but in a database leak the attacker has the salt, so the real cost is 62^8 * 100 hashes, about 2183 seconds per user; what the salt buys is that this work must be redone for every user instead of once for the whole dump
  • Official LinkedIn Response
  • LinkedIn claims that they now salt passwords, so if you change your password, it will be updated and stored more securely
  • LinkedIn would be able to update to the stronger hashing algorithm without requiring users to change their password, by computing the new hash the next time each user logs in
  • LastPass – LinkedIn Password Checker
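The figures above, recomputed in Python as an added example (mine, not from the show), with the salt correction folded in: in an offline attack on a leaked database the attacker reads the salt alongside the hash, so the salt does not multiply the keyspace; the iteration count does. The second half shows what the salt does buy, counting hash evaluations over a constructed wordlist and three constructed accounts: without salts, one hash per candidate serves every account in the dump; with per-user salts, every account costs its own pass. The salted scheme here (salt prepended, SHA-1 iterated) is a stand-in for crypt()-style hashing, not a recommendation.

```python
from __future__ import annotations

import hashlib

RATE = 10e12  # hashes per second: the "entire bitcoin network" figure assumed above


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of lengths min_len..max_len over an alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet: int, min_len: int, max_len: int,
                       rounds: int = 1, rate: float = RATE) -> float:
    """Worst-case time to try every candidate against ONE leaked hash.
    The salt sits next to the hash, so it does not enter the formula;
    the iteration count does, linearly."""
    return keyspace(alphabet, min_len, max_len) * rounds / rate


# --- what the salt does buy: no amortisation across users -------------------

def sha1_unsalted(word: str) -> str:
    return hashlib.sha1(word.encode()).hexdigest()


def sha1_salted(word: str, salt: str, rounds: int) -> str:
    """Stand-in for a crypt()-style scheme: salt prepended, hash iterated `rounds` times."""
    h = (salt + word).encode()
    for _ in range(rounds):
        h = hashlib.sha1(h).digest()
    return h.hex()


def crack_unsalted(targets: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """One hash per candidate serves every account in the dump."""
    evaluations, found = 0, {}
    for word in wordlist:
        evaluations += 1
        h = sha1_unsalted(word)
        for user, stored in targets.items():
            if stored == h:
                found[user] = word
    return found, evaluations


def crack_salted(targets: dict[str, tuple[str, str]], wordlist: list[str],
                 rounds: int) -> tuple[dict[str, str], int]:
    """The salt is known, but every (account, candidate) pair costs its own hash."""
    evaluations, found = 0, {}
    for user, (salt, stored) in targets.items():
        for word in wordlist:
            evaluations += 1
            if sha1_salted(word, salt, rounds) == stored:
                found[user] = word
                break
    return found, evaluations


# Constructed sample data, not taken from any real dump.
WORDLIST = ["password", "linkedin", "123456", "letmein"]
PLAINTEXTS = {"alice": "linkedin", "bob": "password", "carol": "linkedin"}
ROUNDS = 1000


def build_unsalted(users: dict[str, str]) -> dict[str, str]:
    return {u: sha1_unsalted(p) for u, p in users.items()}


def build_salted(users: dict[str, str], rounds: int) -> dict[str, tuple[str, str]]:
    return {u: (f"salt-{u}", sha1_salted(p, f"salt-{u}", rounds)) for u, p in users.items()}


if __name__ == "__main__":
    print("62^8, 1 round: %.1f s" % seconds_to_exhaust(62, 8, 8))
    print("62^8, 100 rounds, salt known: %.1f s" % seconds_to_exhaust(62, 8, 8, rounds=100))
    un = build_unsalted(PLAINTEXTS)
    print("alice and carol share a hash unsalted:", un["alice"] == un["carol"])
    print("unsalted:", crack_unsalted(un, WORDLIST))
    print("salted:  ", crack_salted(build_salted(PLAINTEXTS, ROUNDS), WORDLIST, ROUNDS))
```

With millions of accounts in a dump, the unsalted case lets one pass over a wordlist (or one rainbow table) crack them all at once; the salted case multiplies the attacker's work by the number of accounts, and the round count multiplies it again.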

Cloudflare hacked via its voicemail

  • Cloudflare is a cloud based WAF (Web Application Firewall) and Global Load Balancer
  • An Attacker found four separate security vulnerabilities and chained them together in order to take over the account of a single Cloudflare user
  • The attacker was basically in control of the entire Cloudflare infrastructure for approximately 30 minutes
  • The attacker first exploited weak security at AT&T to redirect voicemail from the Cloudflare CEO to a mailbox set up by the attacker
  • The attacker next took over the CEO’s personal Gmail account by tricking Google’s password reset system into leaving the reset PIN in the voicemail box (now under the attacker’s control) by means of a specially crafted voicemail greeting
  • A flaw (since fixed) in Google’s Enterprise Apps system allowed the attacker to bypass the two-factor authentication system when resetting the password for the CEO’s corporate Gmail, having the reset sent to the CEO’s personal Gmail compromised earlier
  • An internal policy at Cloudflare had all password reset emails BCCed to administrators (ironically, this was done for debugging and to watch for suspicious password reset requests)
  • Once the attacker had compromised a Google Enterprise Apps admin account, he reset the passwords for the other admins, and initiated a Cloudflare password reset for the targeted customer
  • A copy of the password reset was sent to the administrator email, which the attacker now controlled, giving them access to the target users Cloudflare account
  • The attacker redirected all traffic to the target site to twitter
  • Official Incident Report w/ Updates
  • Official Followup

MD5-Crypt no longer considered secure

  • Poul-Henning Kamp (also known as PHK), who wrote the MD5-crypt implementation used in almost all devices since 1995, says that it should no longer be considered secure
  • Commercial off-the-shelf video cards can crack MD5-crypt hashes at rates in excess of 1 million hashes per second
  • PHK says he will not write a new password hashing algorithm, because he is not a cryptographer
  • His recommendation is to actually mix a number of algorithms, rather than using just a single algorithm
  • He also recommends that each site implement their own variation of the algorithm, to ensure against ‘class breaks’
  • FreeBSD 9 already supports Bcrypt, and SHA256/512 based password hashing
  • Arch Linux and a few others uses SHA256 by default now

Feedback:

Round up:

The post I Know Your Password | TechSNAP 61 first appeared on Jupiter Broadcasting.

Man In the Browser Attack | TechSNAP 59 https://original.jupiterbroadcasting.net/19902/man-in-the-browser-attack-techsnap-59/ Thu, 24 May 2012 16:48:35 +0000 https://original.jupiterbroadcasting.net/?p=19902 Yahoo has made a mistake so big, you have to hear it to believe it. And Blizzard's huge security blunder hitting Diablo III customers.

Yahoo has made a mistake so big, you have to hear it to believe it. A common feature in firewalls could actually make you more susceptible to attack, and Blizzard’s huge security blunder.

PLUS: Separating traffic out between your network cards, and so much more on this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

New customers 25% off your entire order, code: 25MAY7
Expires: May 31, 2012

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Support the Show:

Show Notes:

Yahoo accidentally released the private signing key for their new browser extension

  • Yahoo released their new browser extension, a ‘search browser’ called Axis
  • Yahoo accidentally included the private key of their code-signing certificate in the files for the extension
  • This allows anyone with a copy of this key, to sign a new extension and have it appear as if it was legitimately created by Yahoo
  • This could be exploited further, using DNS Spoofing or various other techniques, an attacker could issue an updated version of the Axis plugin, appearing to be signed by Yahoo, but actually containing malware including a key logger and a cookie stealer
  • Yahoo has since released a new version of Axis without the private key
  • It is unclear if Yahoo has taken additional steps beyond publishing the new extension archive without the private key
  • It is imperative that the Yahoo certificate be revoked from trust, meaning Yahoo will need to get a new certificate and resign all of their extensions so they again appear as legitimate
  • Yahoo should probably be using an HSM (Hardware Security Module) to store the private key, rather than having it laying around in a plaintext file
  • Original Discovery
  • Proof of Concept Exploit
  • ThreatPost Coverage
  • Additional Coverage

Researchers find that a common firewall feature makes you more vulnerable

  • Most firewalls include a feature that checks the validity of the TCP initial sequence number (ISN)
  • The ISN is purposely randomized, to prevent spoofed packets from being injected into a TCP stream and prevent TCP session hijacking
  • The main goal of the firewall feature is to conserve bandwidth and other network resources by immediately dropping spoofed or suspicious packets
  • However, if the attacker has malware installed on the target machine behind said firewall, it can observe which packets are dropped for invalid ISNs and which get through, and so learn what the valid ISNs are
  • Once the attacker has the valid ISN, they can inject data into the TCP stream, and may be able to hijack a connection and present a phishing-style login page for services such as Facebook
  • Researchers managed to successfully execute a number of different attacks, including the phished Facebook login page, injecting JavaScript to make users send tweets and follow people on Twitter, injecting malicious links into MSN Messenger conversations between trusted users, and executing DDoS attacks against offsite targets
  • The research focused on mobile devices such as smart phones
  • The researchers found that 31.5% of the 149 mobile network nodes of major US national carriers that they surveyed had firewalls with the ISN tracking feature
  • Research Paper
  • Was presented at the IEEE Symposium on Security and Privacy 2012

New MitB (Man in the Browser) attack targets mobile banking

  • A new trojan called Tatanga uses rootkit-type techniques to compromise almost all popular browsers on the Windows platform, including Internet Explorer, Firefox, Chrome, Opera, Safari and Konqueror
  • The trojan also includes elements to remove competing trojans such as the Zeus botnet, and defeat antivirus applications
  • The trojan specifically targets banks in Spain, the United Kingdom, Germany and Portugal
  • The trojan modifies the page inside the browser, so it bypasses the encryption of SSL/TLS and even multi-factor login requirements
  • This type of MitB attack is hard to prevent
  • One such way to mitigate these attacks is an out-of-band transaction verification, confirming money transfers with the user outside of their online banking session
  • The tatanga trojan keeps this in mind, and uses social engineering to defeat it
  • When the user logs in to their online banking, passing the multi-factor authentication, the trojan injects a new page in to the user’s browser prompting them to enter a TAN (Transaction Authorization Number) that they will receive via SMS, to verify their login
  • The TAN that the user receives, is actually for the transfer of a large sum of money from their account to that of a mule
  • The trojan instructs users to ignore the specifics on the TAN provided in the SMS, stating that it is experimental, or a test message
  • The effectiveness of the social engineering attack is degraded by the weak writing skills of the author, a future variation of this attack could be far more effective
  • Background on Tatanga
  • Additional Coverage

Feedback:

Q: James asks about routing traffic out different network cards

A:
  • Policy Based Routing on Linux (based on Source Address)
  • Linux Advanced Routing & Traffic Control HOWTO
  • Cross platform policy based routing
  • FreeBSD Example using multiple FIBs

Q: Danny asks about Version Control and Auditing

A:

  • Subversion Manual
  • TortoiseSVN Shell Extension for Windows
  • Tortoise and many other SVN clients support a number of different protocols, including http:// and https:// (via WebDAV), svn:// (running an SVN daemon), svn+ssh:// (running the SVN CLI over SSH) and file:/// (directly accessing the repository, possibly over Windows file sharing or NFS)

Round Up:

The post Man In the Browser Attack | TechSNAP 59 first appeared on Jupiter Broadcasting.
