key – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Microsoft’s Golden Ticket | TechSNAP 280
https://original.jupiterbroadcasting.net/102241/microsofts-golden-ticket-techsnap-280/
Thu, 18 Aug 2016 07:40:22 +0000

The post Microsoft’s Golden Ticket | TechSNAP 280 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Security Breach at Oracle’s MICROS point of sales division

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp.
More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.
Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.
Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.
Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in the support Web site.
This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.
“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider. I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

  • It is not clear whether the breach at Oracle resulted in the attackers being able to remotely control MICROS payment terminals.
  • According to comments on the Krebs articles, the actual card processing is usually done on the PIN pad unit, and only the result is passed back to the cash register running MICROS, which limits what control of the register alone would expose.

After investigative reporter Brian Krebs reported a compromise of Oracle’s MICROS unit earlier this week, it now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.


TCP stack bug in Linux 3.6+ means many systems vulnerable

At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.
Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications.
The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that’s intended to prevent certain classes of hacking attacks.

  • However, to keep the challenge ACKs themselves from becoming a denial-of-service amplifier, the kernel imposes a global rate limit on how many it will send per second (the net.ipv4.tcp_challenge_ack_limit sysctl, 100 by default in the affected kernels; the bug is tracked as CVE-2016-5696). That limit is shared by every connection on the host, and that is the flaw: an attacker can send enough spoofed packets to use up the budget, so the server stops sending legitimate challenge ACKs, and by counting how many challenge ACKs the attacker’s own connection receives in the same second, the attacker learns whether the spoofed packets matched a real connection. Repeating the trick narrows down the client port and then the sequence number, at which point a spoofed RST pretending to be the server shuts down the connection between the user and the server.

Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network.
The flawed code was introduced into the Linux kernel starting with version 3.6 in 2012, which added a largely complete implementation of the standard. Linux kernel maintainers released a fix with version 4.7 almost three weeks ago, but the patch has not yet been applied to most mainstream distributions. For the attack to work, only one of the two targeted parties has to be vulnerable, meaning many of the world’s top websites and other services running on Linux remain susceptible.

  • What makes this attack especially bad is that the attacker does not need to be a man-in-the-middle; it works as a so-called “off-path” attack. The attacker sits on the sidelines with an ordinary internet connection and sends spoofed packets to one or both parties, and by inferring the client’s port number and then the sequence numbers in use (a brute-force search that the rate-limit side channel makes practical, tens of seconds per step according to the paper), can inject content into the flow of packets between the two parties.
  • This is normally prevented by the TCP three-way handshake (which requires a positive acknowledgement from both sides, so a host spoofing its source address never completes a connection) and by the 32-bit sequence numbers, which an off-path attacker would otherwise have to guess blind in order to inject packets into the stream.

In this paper, we discover a much more powerful off-path attack that can quickly 1) test whether any two arbitrary hosts on the Internet are communicating using one or more TCP connections (and discover the port numbers associated with such connections); 2) perform TCP sequence number inference which allows the attacker to subsequently, forcibly terminate the connection or inject a malicious payload into the connection. We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server. This can have serious implications on the security and privacy of the Internet at large.
The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets. The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012. At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets.
Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection. To demonstrate the impact, we perform case studies on a wide range of applications.

  • So the challenge ACK rate limit introduced by the new RFC acts as a shared side channel that lets the attacker figure out the sequence number of a TCP connection and inject traffic into it. Until your distribution ships the kernel fix, the interim workaround is to raise net.ipv4.tcp_challenge_ack_limit with sysctl to a very large value, which starves the side channel; the 4.7 fix raises the default and randomises the limit each second.

Besides injecting malicious JavaScript into a USA Today page, the researchers also show how the vulnerability can be exploited to break secure shell, or SSH, connections and tamper with communications traveling over Tor. In the latter case, attackers can terminate key links in the Tor chain—for instance, those connecting an end user to an entry node, an entry node to a middle relay, or a middle relay to the exit node. The Tor attack could be particularly effective if it knocked out properly functioning exit nodes because the technique would increase the chances that connections would instead use any malicious exit nodes that may exist.
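The shared counter is easier to see in code than in prose. The following Python model is added for these show notes; it is neither the researchers’ code nor kernel code. It reduces the server to the two RFC 5961 behaviours the attack uses (a SYN on an established socket and an in-window RST with the wrong sequence number both earn a challenge ACK, while a packet for a non-existent socket gets a plain RST that costs no budget) and walks through the first step of the attack: learning, entirely off-path, whether a given client IP and port has a connection to the server. The sysctl name and its default are real; the addresses, ports, sequence numbers and the shared_budget switch are constructed for the illustration.

```python
"""Constructed model of the RFC 5961 challenge-ACK side channel (CVE-2016-5696).

Added for these show notes; not the researchers' code and not kernel code.
It models only the property the attack depends on: in Linux 3.6 through 4.6
every socket draws challenge ACKs from one global per-second budget
(net.ipv4.tcp_challenge_ack_limit, default 100), so one connection's
behaviour leaks whether *another* connection exists.
"""
from dataclasses import dataclass

CHALLENGE_ACK_LIMIT = 100  # default in the affected kernels


@dataclass
class Conn:
    rcv_nxt: int          # next sequence number the server expects
    rcv_wnd: int = 65535  # receive window


class Server:
    """Server with several sockets and, in the vulnerable case, one shared budget."""

    def __init__(self, limit=CHALLENGE_ACK_LIMIT, shared_budget=True):
        self.limit = limit
        self.shared_budget = shared_budget   # False models a per-socket counter
        self.conns = {}                      # (client_ip, client_port) -> Conn
        self.global_sent = 0
        self.per_sock_sent = {}

    def connect(self, client, isn):
        self.conns[client] = Conn(rcv_nxt=isn)
        self.per_sock_sent[client] = 0

    def new_second(self):
        self.global_sent = 0
        self.per_sock_sent = {k: 0 for k in self.per_sock_sent}

    def _challenge_ack(self, client):
        if self.shared_budget:
            if self.global_sent >= self.limit:
                return "dropped"
            self.global_sent += 1
        else:
            if self.per_sock_sent[client] >= self.limit:
                return "dropped"
            self.per_sock_sent[client] += 1
        return "challenge-ack"

    def rx_syn(self, client):
        """RFC 5961 s.4: a SYN in ESTABLISHED gets a challenge ACK, never a reset."""
        if client not in self.conns:
            return "rst"        # no socket: plain RST, no budget consumed
        return self._challenge_ack(client)

    def rx_rst(self, client, seq):
        """RFC 5961 s.3: only seq == RCV.NXT resets; an in-window seq earns a challenge ACK."""
        conn = self.conns.get(client)
        if conn is None:
            return "dropped"
        if seq == conn.rcv_nxt:
            del self.conns[client]
            return "reset"
        if conn.rcv_nxt < seq < conn.rcv_nxt + conn.rcv_wnd:
            return self._challenge_ack(client)
        return "dropped"


def probe_connection(server, attacker, victim_guess, limit=CHALLENGE_ACK_LIMIT):
    """Off-path test: does `victim_guess` (client ip, port) have a socket on the server?

    `attacker` is the attacker's own, legitimate connection. Within one second the
    attacker (1) spoofs `limit` SYNs as the victim (replies go to the victim and are
    never seen), then (2) sends `limit` in-window-but-wrong-sequence RSTs on its own
    connection and counts the challenge ACKs it gets back. With a shared budget a
    correct guess spent the budget in step 1, so step 2 returns fewer than `limit`.
    Returns (challenge ACKs seen, guess was a hit).
    """
    server.new_second()
    for _ in range(limit):
        server.rx_syn(victim_guess)
    own = server.conns[attacker]
    seen = sum(server.rx_rst(attacker, own.rcv_nxt + 1) == "challenge-ack"
               for _ in range(limit))
    return seen, seen < limit


if __name__ == "__main__":
    srv = Server()
    srv.connect(("10.0.0.5", 40000), isn=1_000_000)   # victim's connection (constructed)
    srv.connect(("198.51.100.9", 51515), isn=77)      # attacker's own connection (constructed)
    me = ("198.51.100.9", 51515)
    print("guess 40000:", probe_connection(srv, me, ("10.0.0.5", 40000)))
    print("guess 40001:", probe_connection(srv, me, ("10.0.0.5", 40001)))
```

Run as-is, the first probe sees no challenge ACKs on the attacker’s own connection (the victim’s connection exists and the spoofed SYNs drained the budget) while the second sees all 100 (no socket, nothing drained). The same loop repeated over candidate ports is the port inference step, and the same counting trick applied to RSTs with guessed sequence numbers is the sequence inference step. Building the Server with shared_budget=False shows why a per-socket counter removes the leak; randomising the limit each second, as the 4.7 fix does, removes the exact count the comparison relies on.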


Microsoft bungles SecureBoot key handling, golden keys can unlock any system

Microsoft has accidentally leaked the keys to the kingdom, permitting attackers to unlock devices protected by Secure Boot — and it may not be possible to fully resolve the leak.
If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system. It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel.

  • This signed policy was never meant to leave the lab, but it seems it did

The Register understands that this debug-mode policy was accidentally shipped on retail devices, and discovered by curious minds including Slip and MY123. The policy was effectively inert and deactivated on these products but present nonetheless.
For internal debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one.
This, in turn, allows someone with admin rights or an attacker with physical access to a machine not only to bypass Secure Boot and run any operating system they wish, such as Linux or Android, but also permits the installation and execution of bootkits and rootkits at the deepest level of the device.
A backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!
You can see the irony. Also the irony in that MS themselves provided us several nice “golden keys” (as the FBI would say 😉 for us to use for that purpose 🙂

  • Between June and July, Microsoft awarded a bug bounty and pushed a fix, MS16-094. That fix was deemed “inadequate”, although it somewhat mitigated the problem, so a second patch, MS16-100, was issued in August.
  • These updates blacklist the leaked policies and the affected boot manager signatures so they can no longer be used, but Microsoft cannot revoke every old signed boot manager, because copies ship on read-only installation media and are already installed on devices in the field; a machine that has not received the update, or that can be booted from such older media, remains exposed.

If you’re using a locked-down Secure Boot PC and you have admin rights on the box, and you want to boot something else, all the above is going to be of interest to you. If you’re an IT admin who is relying on Secure Boot to prevent the loading of unsigned binaries and drivers – such as rootkits and bootkits – then all the above is going to worry you.


Feedback:


Round Up:


One Key to Rule Them All | TechSNAP 263
https://original.jupiterbroadcasting.net/98991/one-key-to-rule-them-all-techsnap-263/
Thu, 21 Apr 2016 10:41:52 +0000


This week, the FBI says APT6 has pwned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent


Show Notes:

FBI says APT6 has been pwning the government for the last 5 years

  • The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
  • The official advisory is available on the Open Threat Exchange website
  • The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
  • In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
  • “Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”
  • “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
  • Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is “likely a nation-state sponsored group based in China,” according to FireEye, which “has been dormant for the past several years.”
  • Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

  • After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
  • A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
  • The investigation centres on a Monaco company called Unaoil.
  • Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
  • The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
  • Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now known as MAN Diesel & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
  • The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
  • The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
  • It is the Monaco company that almost perfected the art of corruption.
  • It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
  • How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
  • Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
  • On a semi-related note, another big story for you to go read:
  • How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

  • No, not that kind of Visa, the other one.
  • Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
  • This has very important security considerations, as the application process for getting a visa is when most security checks are done
  • Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter –- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
  • Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
  • After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database –- the government’s so-called “backbone” for vetting travelers to and from the United States –- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
  • As one of the world’s largest biometric databases –- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -– the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
  • “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
  • Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
  • State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
  • “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:


Round Up:


Extortion Startups | TechSNAP 229
https://original.jupiterbroadcasting.net/87061/extortion-startups-techsnap-229/
Thu, 27 Aug 2015 19:02:39 +0000


The real fallout from the Ashley Madison hack gets personal. The Android StageFright patch that doesn’t cover all of the holes, and turning a KVM into a spying appliance.

Plus a great batch of questions, our answers, and a rocking round up.

All that and a heck of a lot more on this week’s TechSNAP!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Ashley Madison Fallout

  • According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
  • Earlier today Krebs heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service.
  • The individual “Mac” who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.
  • Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
  • Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
  • Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
  • The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
  • According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
  • Almost None of the Women in the Ashley Madison Database Ever Used the Site
  • A light-weight forensic analysis of the AshleyMadison Hack
  • City employees among emails listed in Ashley Madison hack
  • John McAfee thinks he knows who hacked Ashley Madison
  • Leaked AshleyMadison Emails Suggest Execs Hacked Competitors
  • The only thing potentially interesting or useful in AshMad CEO’s inbox…

Android StageFright patch doesn’t cover all of the holes

  • Google released to the open source Android project a new patch for the Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.
  • “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin
  • The original four-line code fix for CVE-2015-3824, one of several patches submitted by researcher Joshua Drake of Zimperium Mobile Security’s zLabs who discovered the flaw in Stagefright, still leads to a crash and device takeover. Jordan Gruskovnjak, a security researcher at Exodus, found the problem with the patch, and Exodus founder Aaron Portnoy today hinted that there could be similar problems in all the patches.
  • “They failed to account for an integer discrepancy between 32- and 64 bit,” Portnoy told Threatpost this morning. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
  • “According to public sources, many more issues have been discovered since they reported the bugs in MPEG4 processing on Android. I expect we will see continuing fixes to the Stagefright code base for the coming months,” Drake said in an email to Threatpost. “The story is long from over.”
  • Exodus Intelligence notified Google on Aug. 7, the first day of DEF CON in Las Vegas and two days after Drake’s Stagefright presentation at the Black Hat conference. Google has assigned CVE-2015-3864 to the issue.
  • In addition to Nexus devices, Google said it sent the original patches to other mobile providers, including: Samsung for its Galaxy and Note devices; HTC for the HTC One; LG for the G2, G3 and G4; Sony for its Xperia devices; and Android One.
  • The vulnerabilities affect Android devices going back to version 2.2; newer versions of Android have built-in mitigations such as ASLR that lessen the effects of Stagefright exploits. Google said last week that 90 percent of Android devices have ASLR enabled, and that the next release of its Messenger SMS app also contains a mitigation requiring users to click on videos in order to play them.
  • Additional Coverage: Forbes
  • The news is compounded by yet more Android vulnerabilities
  • Checkpoint Security: Certifigate
  • Major Android remote-access vulnerability is now being exploited
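To make the 32-bit versus 64-bit problem Portnoy describes concrete, here is a constructed Python model added for these show notes; it is not the AOSP code and not Exodus’s proof of concept. It models a parser that must grow a buffer already holding size bytes by a chunk_size-byte atom read from the file. The flawed check is written in 64-bit arithmetic because the chunk length is a 64-bit integer, while the allocation is done in the platform’s size_t; on a 32-bit device the check can pass while the truncated sum comes out smaller than the bytes about to be copied into it. The widths, sample values and function names are assumptions for the illustration.

```python
"""Constructed illustration of a 32- vs 64-bit integer-width discrepancy in an
overflow check. Added for these show notes; not the Android Stagefright code.

Scenario: a buffer holds `size` bytes of earlier data; the parser reads a
`chunk_size`-byte atom (a uint64_t in the file format) and allocates
`size + chunk_size` bytes, copying the old `size` bytes in first.
"""

U64_MASK = (1 << 64) - 1


def size_t_max(bits):
    """SIZE_MAX for a platform whose size_t is `bits` wide (32 or 64)."""
    return (1 << bits) - 1


def flawed_append(size, chunk_size, bits):
    """Check of the form `SIZE_MAX - chunk_size <= size` with a uint64_t chunk_size.

    The subtraction is promoted to 64 bits, so on a 32-bit size_t it can wrap to a
    huge value and pass, while `size + chunk_size` is then truncated to size_t.
    Returns the number of bytes the copy of the old data writes past the end of the
    new buffer (0 means safe); raises ValueError when the check rejects the input.
    """
    smax = size_t_max(bits)
    if ((smax - chunk_size) & U64_MASK) <= size:     # computed in 64 bits
        raise ValueError("malformed")
    alloc = (size + chunk_size) & smax               # size_t arithmetic: truncates
    return max(0, size - alloc)                      # memcpy(buffer, old, size)


def fixed_append(size, chunk_size, bits):
    """Check done in the width the allocation will actually use."""
    smax = size_t_max(bits)
    if chunk_size > smax or size > smax - chunk_size:
        raise ValueError("malformed")
    alloc = size + chunk_size                        # cannot wrap after the check
    return max(0, size - alloc)


def rejects(fn, size, chunk_size, bits):
    """True when `fn` refuses the input instead of allocating."""
    try:
        fn(size, chunk_size, bits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    size = 0x100                       # constructed: existing data in the buffer
    evil = 0xFFFFFFFFFFFFFFF0          # constructed: chunk length chosen to wrap
    for bits in (64, 32):
        for name, fn in (("flawed", flawed_append), ("fixed", fixed_append)):
            if rejects(fn, size, evil, bits):
                print(f"{bits}-bit {name}: rejected")
            else:
                print(f"{bits}-bit {name}: accepted, overflow {fn(size, evil, bits):#x} bytes")
```

Walking through the 32-bit case: SIZE_MAX is 0xFFFFFFFF, so SIZE_MAX - 0xFFFFFFFFFFFFFFF0 wraps in 64-bit arithmetic to 0x10000000F, which is not less than or equal to 0x100, so the flawed check passes; the allocation 0x100 + 0xFFFFFFFFFFFFFFF0 truncates to 0xF0 bytes, and copying the 0x100 bytes of existing data overflows the heap buffer by 0x10. On a 64-bit build the same input is rejected, which is exactly the discrepancy Exodus reported. The fixed check refuses any chunk length that does not fit in size_t before doing arithmetic with it.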

Turning a KVM into a spying appliance

  • Researchers presented their work at Black Hat on how to teach a keyboard switch to spy on its users
  • “When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet.”
  • Early KVM switches were just physical hardware switches that allowed more than one computer to be controlled by a single Keyboard, Video (Monitor), and Mouse
  • By the year 2000, we had Matrix KVMs that could be chained together and used to control more than 1000 computers from a single keyboard
  • USB Stacks, Video Transcoding, Virtual Media (mount an ISO from your workstation as if it was a usb cdrom drive) drove KVMs towards being entire computers in and of themselves, with an operating system, that could be hacked
  • The firmware shipped with the device was obfuscated, and at the start, the researchers were unable to find anything useful. Not a single string in the firmware
  • By comparing a number of different firmware versions, they were able to figure out which part of the firmware image was the version number. This gave them a starting point
  • Looking at the circuit board of the KVM they found some common ASICs, which provided more clues
  • Once they cracked the obfuscation, they now had code they could analyze
  • “Of course reading the firmware is only the first step, you need to show that something useful (insidious) can be done with it. During the talk the pair demonstrated their custom firmware switching to a different system, “typing” in the password (which would have been logged earlier when a human typed it in), and echoing out a binary file which was then executed to load malware onto the system.”
  • “Yes, you need physical access to perform this attack with the KVM used during the talk. But some KVMs allow firmware updates over IP, and many of them have web interfaces for configuration. There are many vectors available here and knowing that, the discussion turns to prevention. Keystroke statistics are one way to prevent this kind of attack. By logging how fast characters are being typed, how tight the cadence is, and other human traits like use of backspace, the effectiveness of this type of attack can be greatly reduced.”
  • This is interesting research, and makes me even more suspicious of the 16 port, 2 user, IP-KVM I use to manage some of my servers.
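One way to implement the keystroke-statistics defence the talk suggests, as an added example that is not part of the original post or the researchers’ work: a rogue KVM replaying a captured password emits key events at machine speed and with machine regularity, so a host-side check on inter-key timing can flag the burst before it is accepted as a login. The Python below is constructed for these show notes; the thresholds and the three sample event streams are assumptions, and the timestamps are the kind a keyboard-event hook would provide.

```python
"""Constructed keystroke-cadence check: flags key-event bursts that are too fast
or too regular to have come from a human hand. Added for these show notes; not the
researchers' code. Thresholds and sample streams are assumptions for illustration.
"""
import statistics

MIN_HUMAN_INTERVAL_MS = 30.0   # assumption: a sustained mean gap below this is not a finger
MIN_HUMAN_CV = 0.15            # assumption: humans jitter; a replay has near-zero variation


def interval_stats(timestamps_ms):
    """Mean gap and coefficient of variation of the gaps between key events.

    Returns None when there are too few events to say anything.
    """
    if len(timestamps_ms) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return {"mean_ms": mean, "cv": cv, "n": len(gaps)}


def looks_injected(timestamps_ms, min_interval=MIN_HUMAN_INTERVAL_MS, min_cv=MIN_HUMAN_CV):
    """True when the burst is faster than a human types or too uniform to be human.

    Checking both catches a replay that was slowed down to a plausible speed but
    still fires every key on the same fixed interval.
    """
    s = interval_stats(timestamps_ms)
    if s is None:
        return False
    return s["mean_ms"] < min_interval or s["cv"] < min_cv


# Constructed sample streams: key-down times in milliseconds.
HUMAN = [0, 140, 260, 470, 530, 720, 830, 1010, 1090, 1300]   # irregular, ~140 ms gaps
REPLAY = [0, 8, 16, 24, 32, 40, 48, 56, 64, 72]               # firmware typing at 8 ms
SLOW_REPLAY = [0, 100, 200, 300, 400, 500, 600, 700]          # slowed down, still metronomic


if __name__ == "__main__":
    for name, stream in (("human", HUMAN), ("replay", REPLAY), ("slow replay", SLOW_REPLAY)):
        print(f"{name:12s} {interval_stats(stream)}  injected={looks_injected(stream)}")
```

The obvious caveats apply before wiring this into anything that blocks input: key auto-repeat, paste from a clipboard, and barcode scanners all produce machine-regular streams and need to be exempted, and a sufficiently careful firmware author can add jitter. As the talk notes, the point is to raise the cost of a silent replay, not to make it impossible.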

Feedback


Round Up:


TurboHax | TechSNAP 203
https://original.jupiterbroadcasting.net/77962/turbohax-techsnap-203/
Thu, 26 Feb 2015 21:05:39 +0000


Lenovo & Google are victims of DNS hijacking, we’ll share the details, Everyone wants you to secure your data, just not from them & how Turbotax profits from Cyber tax fraud!

Plus a great batch of your questions, a fantastic round up & much, much more!


— Show Notes: —

Attackers Hijack Lenovo Domain, Spoof Website and Intercept Company Emails

  • The lenovo.com website was replaced with a slideshow of some random person
  • The attack was apparently carried out by members of LizardCircle (or LizardSquad)
  • The identity of the person in the slideshow is unclear, but reports suggest they are two members of another hacking group (Hack The Planet) that have been trying to undermine LizardSquad for months
  • The pictures on the Lenovo site suggest that the webcam of the target may have been compromised
  • It seems the Lizard Squad was able to compromise webnic.cc, a large domain name registrar, via a remote command injection vulnerability
  • They then reportedly installed a rootkit and took over the registrar's infrastructure
  • Using this access, they were able to change the authoritative nameservers for the Lenovo.com domain to their own, and post the defacement page
  • This also allowed them to intercept all incoming email sent to @lenovo.com addresses, since the MX records were now served by nameservers they controlled
  • They apparently used CloudFlare to host the site, and CloudFlare engineers eventually returned control of the site to Lenovo, while the DNS changes propagated
  • The attackers apparently also got access to the ‘auth codes’ required to transfer ownership of the domain to another registrar
  • The same attack also compromised the google.com.vn domain in Vietnam
  • Additional Coverage: Krebs On Security
  • Additional Coverage: Ars Technica
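What a registrant can monitor against this kind of registrar-side change, as an added example that is not from the articles above: it parses WHOIS output in the common `Key: value` layout, compares the delegated nameservers with the expected set, and checks that the client transfer/update/delete locks are still present. The domain, nameservers and WHOIS text are constructed for the example.

```python
# Expected registry data for a hypothetical domain (assumptions for this example).
EXPECTED_NS = {"ns1.example-corp.net", "ns2.example-corp.net"}
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Constructed WHOIS output in the common "Key: value" layout. Not real records.
WHOIS_NORMAL = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Registrar URL: https://registrar.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-CORP.NET
Name Server: NS2.EXAMPLE-CORP.NET
"""

WHOIS_HIJACKED = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.ATTACKER-DNS.EXAMPLE
"""


def parse_whois(text):
    """Return (nameservers, status codes) from Key: value WHOIS text."""
    nameservers, statuses = set(), set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            nameservers.add(value.lower().rstrip("."))
        elif key == "domain status" and value:
            statuses.add(value.split()[0])     # drop the trailing EPP URL
    return nameservers, statuses


def check_delegation(whois_text, expected_ns=EXPECTED_NS, required_locks=REQUIRED_LOCKS):
    """List everything that differs from the expected delegation and lock state."""
    nameservers, statuses = parse_whois(whois_text)
    findings = []
    if nameservers != set(expected_ns):
        findings.append(f"nameservers changed: {sorted(nameservers)} != {sorted(expected_ns)}")
    missing = set(required_locks) - statuses
    if missing:
        findings.append(f"registrar locks missing: {sorted(missing)}")
    return findings
```

Run it against `whois <domain>` output on a schedule, and also compare the registry's nameservers with what resolvers actually return, since a hijack shows up as a delegation change before anyone sees the defacement. One caveat that matters in the Lenovo case: the client* statuses are set by the registrar, so an attacker who owns the registrar can clear them and read the auth codes; only a registry lock (server* statuses set at the registry and changed out of band) survives that.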

Everyone wants you to secure your data, just not from them

  • Bruce Schneier writes a blog post about security and privacy
  • Google and Facebook want your data to be secure, on their servers, so they can analyze it
  • Your government wants you to have secure communications, as long as it holds the magic keys to decrypt them and other governments do not
  • “Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.”
  • Schneier also quotes Whitfield Diffie (pioneering cryptographer, co-developer of the Diffie-Hellman key exchange used in SSH and TLS): “You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.”
  • Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.
  • Bruce wrote in his recent book: Data and Goliath: “Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.”
  • “Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions ­ yes, billions ­ of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.”
  • “We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.”
  • I think at some level, part of the onus needs to be on the user as well: you are responsible for managing your passwords and security.
  • Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors | Just Security

The rise of tax refund fraud

  • Fraudsters made billions of dollars last year by filing fake federal tax refund requests in the names of millions of unsuspecting Americans
  • The IRS added a number of security measures and better automated screening, which drove the fraudsters to focus on state-level tax fraud
  • “Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings”
  • “Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike”
  • To learn more about what was going on, Krebs interviewed Indu Kodukula, chief information security officer at Intuit
  • “The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
  • In the 2014 tax season, the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft
  • “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having to file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
  • “States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.”
  • “Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.”
  • “It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
  • The traditional way that income tax fraud has been perpetrated was to steal the identity of an individual, then create an online tax account on their behalf and file the fraudulent return
  • However, there has been a spike in compromised tax accounts, most appear to be because of password reuse
  • We have seen many sites being compromised in the last few years, like LinkedIn, and Adobe. When huge piles of passwords like that are dropped on the Internet, the attackers try those same username/email and password combinations on other sites, like tax preparation sites
  • “Over the past one-and-a-half years, we started to see much more of this type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
  • Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
  • “From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
  • Security experts (including Krebs) have long called on TurboTax to implement two-step authentication for customers, to help address the account takeover problem caused by consumers re-using passwords. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approach may fall short of what many security experts think of as real two-step or two-factor authentication.
  • Krebs’ article also has some links and guidance for those who fall victim to this type of attack
  • A week after the above interview, Krebs interviewed Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014
  • Krebs’ second interview
  • Lee said that he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
  • But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns
  • “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
  • “The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.”
  • Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.
  • But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.
  • “The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
  • Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.
  • “We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”
  • “Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”
  • KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.
  • “As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”
  • That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.
  • “Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”
  • Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.
  • “Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”
  • Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.
  • “We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”
  • It will be interesting to see how this story develops
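Two of the controls discussed above, as an added example that is not Intuit's code: the credential-stuffing signal Kodukula describes (a source trying many usernames that have never existed in the system, with the odd success being the takeover to act on), and the two basic policies Lee says were refused (capping distinct taxpayers per account and accounts per taxpayer). The events, filings and thresholds are constructed assumptions; the taxpayer token stands in for a keyed hash of the SSN, since raw SSNs should never reach a detection pipeline.

```python
from collections import defaultdict

# Constructed login events: (source_ip, username, outcome). Not real traffic.
LOGIN_EVENTS = (
    [("198.51.100.7", "alice", "ok"), ("198.51.100.7", "alice", "bad_password"),
     ("203.0.113.9", "bob", "ok")]
    + [("192.0.2.44", f"user{i}@example.net", "no_such_user") for i in range(40)]
    + [("192.0.2.44", f"cust{i}", "bad_password") for i in range(8)]
    + [("192.0.2.44", "carol", "ok")]
)

# Constructed filings: (account_id, taxpayer_token). The token stands in for a
# keyed hash of the SSN.
FILINGS = (
    [("acct-1", "tp-a"), ("acct-2", "tp-b"), ("acct-2", "tp-c")]
    + [("acct-9", f"tp-{i}") for i in range(25)]
    + [(f"acct-{i}", "tp-z") for i in range(10, 14)]
)


def credential_stuffing_sources(events, min_attempts=20, min_unknown_ratio=0.5,
                                min_distinct_ratio=0.8):
    """Sources trying many distinct, mostly non-existent usernames.

    Credentials leaked from another site mostly do not exist here, which is
    the 'never been used in our system' signal. Any success from such a
    source is a takeover to act on, not a login to trust.
    """
    by_ip = defaultdict(list)
    for ip, user, outcome in events:
        by_ip[ip].append((user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        n = len(attempts)
        if n < min_attempts:
            continue
        distinct = len({u for u, _ in attempts})
        unknown = sum(o == "no_such_user" for _, o in attempts)
        if distinct / n >= min_distinct_ratio and unknown / n >= min_unknown_ratio:
            flagged[ip] = {
                "attempts": n,
                "distinct_users": distinct,
                "unknown_ratio": round(unknown / n, 2),
                "successes": [u for u, o in attempts if o == "ok"],
            }
    return flagged


def multi_filer_accounts(filings, max_returns_per_account=5):
    """Accounts that filed for more distinct taxpayers than a household plausibly has."""
    per_account = defaultdict(set)
    for account, taxpayer in filings:
        per_account[account].add(taxpayer)
    return {a: len(t) for a, t in per_account.items() if len(t) > max_returns_per_account}


def shared_taxpayers(filings, max_accounts_per_taxpayer=2):
    """Taxpayer identifiers re-used across more accounts than one person needs."""
    per_taxpayer = defaultdict(set)
    for account, taxpayer in filings:
        per_taxpayer[taxpayer].add(account)
    return {t: sorted(a) for t, a in per_taxpayer.items() if len(a) > max_accounts_per_taxpayer}
```

The thresholds are deliberately generous (a preparer account legitimately files for several people), which is the point Lee makes: a hundred returns from one consumer account is not a borderline case.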

The post TurboHax | TechSNAP 203 first appeared on Jupiter Broadcasting.

Signed by Sony | TechSNAP 192 https://original.jupiterbroadcasting.net/73732/signed-by-sony-techsnap-192/ Thu, 11 Dec 2014 18:48:06 +0000 https://original.jupiterbroadcasting.net/?p=73732 If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today! Plus we dig through the Sony hack, answer a ton of great question & a rocking roundup! Thanks to: Get Paid to Write for DigitalOcean […]


If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today!

Plus we dig through the Sony hack, answer a ton of great question & a rocking roundup!


— Show Notes: —

Reinventing Computers And The Internet From Scratch, For The Sake Of Security

  • DARPA funded research is looking at how we might design the Internet if we had to do it over again
  • Many decisions that were made 30 and 40 years ago when UNIX and TCP/IP were designed, may be done differently today
  • The overall project has a number of sub-projects:
    • CRASH – Clean-Slate Design of Resilient, Adaptive, Secure Hosts
    • MRC – Mission-Oriented Resilient Clouds
    • CTSRD – Clean Slate Trustworthy Secure Research and Development (Custard)
  • BERI: Bluespec Extensible RISC Implementation: an open-source hardware-software research and teaching platform: a 64-bit RISC processor implemented in the high-level Bluespec hardware description language (HDL), along with compiler, operating system, and applications
  • CHERI: capability hardware enhanced RISC instructions: hardware-accelerated in-process memory protection and sandboxing model based on a hybrid capability model
  • TESLA: temporally enforced security logic assertions: compiler-generated runtime instrumentation continuously validating temporal security properties
  • SOAAP: security-oriented analysis of application programs: automated program analysis and transformation techniques to help software authors utilize Capsicum and CHERI features
  • The goal is to design newer secure hosts and networks, without having to maintain backwards compatibility with legacy systems, the biggest problem with changing anything on the Internet
  • This is why there are still things like SSLv3 (instead of just TLS 1.2+), why we have not switched to IPv6, and why spam is still such a large problem
  • I for one would definitely like to replace SMTP, but no one has yet devised a plan for a system that the world could transition to without breaking legacy email while we wait for the rest of the world to upgrade
  • “Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.””
  • For performance reasons, when hardware and programming languages were designed 30 and 40 years ago, it was decided that security would be left up to the programmer
  • The CHERI project aims to change this by implementing ‘capabilities’, a sandboxing and security mechanism, in the hardware, allowing the hardware rather than the software to enforce protections and preventing unauthorized access to or modification of regions of memory by malicious or compromised applications.
  • CHERI, and the software side of the project, Capsicum, are based on FreeBSD, but are also being ported to Linux, where Google plans to make extensive use of it in its Chrome and Chromium browsers.
  • Additional Coverage

Sony Internal Network Hacked


The post Signed by Sony | TechSNAP 192 first appeared on Jupiter Broadcasting.

Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.


We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.


— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 and 4 and cannot detect an attempted exploit carried inside otherwise legitimate HTTP traffic
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application, attempting to detect exploit or SQL injection attempts. These are limited by their definitions of what an attack looks like, and are also often limited to protecting specific applications, since protecting an application generally means knowing exactly what its legitimate traffic will look like
  • Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.
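The unrestricted-login-attempt problem Jacoby describes, seen from the detection side as an added example (not from the article): it parses OpenSSH `Failed password` lines from a syslog-format auth.log and flags any source that crosses a threshold of failures inside a sliding window, recording which usernames it tried. The log lines, hostname and addresses are constructed; the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines in the classic syslog/OpenSSH format; not from a real host.
AUTH_LOG = """\
Mar 27 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 27 10:01:03 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Mar 27 10:01:04 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar 27 10:01:05 web1 sshd[2216]: Failed password for root from 203.0.113.5 port 51052 ssh2
Mar 27 10:01:06 web1 sshd[2218]: Failed password for invalid user test from 203.0.113.5 port 51060 ssh2
Mar 27 10:01:07 web1 sshd[2220]: Failed password for root from 203.0.113.5 port 51071 ssh2
Mar 27 10:03:40 web1 sshd[2230]: Failed password for alice from 198.51.100.12 port 40022 ssh2
Mar 27 10:03:49 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.12 port 40023 ssh2: ED25519 SHA256:constructedfingerprint
Mar 27 11:15:00 web1 sshd[2301]: Failed password for root from 203.0.113.5 port 51200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log, year=2014):
    """Yield (timestamp, source_ip, username) for each failed password attempt."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(log, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source; flags the first crossing."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, user in parse_failures(log):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                       # expire attempts outside the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_seen": ts, "users_tried": sorted({u for _, u in q})}
    return flagged
```

On a live host the equivalent is fail2ban, or sshd_config limits such as `MaxAuthTries` and `PasswordAuthentication no` with key-only logins, which is exactly the manual configuration Jacoby says most administrators never do; the script is useful for auditing hosts after the fact, or for feeding a SIEM from hosts that lack it.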

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email; viewing the message in Outlook’s preview pane will trigger the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich Text Format) file; Outlook renders RTF content with MS Word by default
  • The Fix-It solution disables opening RTF content in MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
  • Additional Coverage – ThreatPost

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.

The Sound of Security | TechSNAP 142 https://original.jupiterbroadcasting.net/48582/the-sound-of-security-techsnap-142/ Thu, 26 Dec 2013 13:27:18 +0000 https://original.jupiterbroadcasting.net/?p=48582 Researchers prove it’s possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical…. Then it’s a batch of your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio […]


Researchers prove it’s possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical….

Then it’s a batch of your questions, our answers, and much much more!


— Show Notes: —

RSA Key Extraction via Acoustic Cryptanalysis

  • Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components.
  • These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
  • In the report they describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA.
  • The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
  • Experimentally they demonstrate that the attack can be carried out using a plain mobile phone placed next to the computer, or, with specially designed, more sensitive microphones, from up to 4 meters (13 feet) away.
  • They disclosed the attack to the GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resisting the key-extraction attack, were released concurrently with the first public posting of the results
  • PDF Report
  • Adi Shamir – Wikipedia
  • The S in RSA, and inventor of SSSS (Shamir’s secret-sharing scheme)
  • CVE – CVE-2013-4576
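The countermeasure the released GnuPG and libgcrypt versions adopted is RSA blinding (ciphertext randomisation), which the notes above do not spell out. As an added example, not code from GnuPG or libgcrypt: the private exponent is applied to r^e * c for a fresh random r on every decryption, so the attacker's chosen ciphertext never reaches the leaky exponentiation unchanged, and r is stripped afterwards. The toy key is constructed and far too small for real use.

```python
from math import gcd
import secrets

# Toy RSA key constructed for this example (p = 61, q = 53). Real keys use
# 2048+ bit moduli; these values only make the arithmetic checkable by hand.
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_plain(c: int) -> int:
    # Unblinded: the private exponent is applied directly to an attacker-chosen
    # ciphertext, so the power/acoustic trace of the exponentiation depends on
    # c, which is what a chosen-ciphertext side channel relies on.
    return pow(c, D, N)


def pick_blinding_factor(rng=secrets.randbelow) -> int:
    # fresh random r in [2, N-1] with gcd(r, N) == 1, chosen per decryption
    while True:
        r = 2 + rng(N - 2)
        if gcd(r, N) == 1:
            return r


def blinded_input(c: int, r: int) -> int:
    # r^e * c mod N: uniformly random from the attacker's point of view
    return (c * pow(r, E, N)) % N


def decrypt_blinded(c: int, rng=secrets.randbelow) -> int:
    r = pick_blinding_factor(rng)
    m_blind = pow(blinded_input(c, r), D, N)   # (r^e c)^d = r * m  mod N
    return (m_blind * pow(r, -1, N)) % N       # multiply by r^-1 to recover m
```

Blinding does not make the exponentiation quieter; it decorrelates the leakage from the input the attacker controls, which is what the chosen-ciphertext part of the attack needs. It costs one modular inverse per decryption (or an amortised update of r) and is on by default in mainstream implementations such as OpenSSL.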

NSA Says It Foiled the BIOS Plot

  • Called the BIOS plot, the exploit would have ruined, or “bricked,” computers across the country, causing untold damage to the national and even global economy.
  • Debora Plunkett, director of cyber defense for the National Security Agency, described for the first time a cataclysmic cyber threat the NSA claims to have stopped, on Sunday’s “60 Minutes.”
  • CBS suggest China is to Blame, the NSA does not confirm or deny that in the interview.
  • CBS reported the “virus” would be delivered via a software update to every computer’s BIOS.
  • The NSA says it closed this vulnerability by working with computer manufacturers.
  • No further technical, or general details provided.
  • CBS Airs NSA Propaganda Infomercial Masquerading As ‘Hard Hitting’ 60 Minutes Journalism By Reporter With Massive Conflict Of Interest
  • In the end, this appears to be the NSA stealing the plot from our book recommendation a few weeks ago. Mark Russinovich’s Zero Day – which is very much the same plot (Copyright March 2011), except the attackers were wealthy backers of Al Qaeda instead of the Chinese
  • In the sequel Trojan Horse , China uses APT techniques to compromise computers at the UN Office for Disarmament Affairs, and alter a report about Iran’s Nuclear Weapons Program to disrupt international attempts to prevent Iran from getting Nuclear Weapons. Look for this story on the news next year…

Krebs: The Case For a Global, Compulsory Bug Bounty

  • Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products
  • This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
  • Stefan Frei, director of research at Austin, Texas-based NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices.
  • Frei examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed.
  • Even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies’ annual revenue
  • To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers.
  • The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, the majority of data breaches that cost companies tens of millions of dollars have far more to do with factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.
  • The Case for a Compulsory Bug Bounty — Krebs on Security
  • How many Zero-Days hit you today?

Feedback:


Round Up:


Grand Theft BGP | TechSNAP 121 (Thu, 01 Aug 2013 17:49:09 +0000)
https://original.jupiterbroadcasting.net/41087/grand-theft-bgp-techsnap-121/

A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don’t see it more often.

Plus an interview with Brendan Gregg, author of a new book that focuses on systems performance in the enterprise and the cloud, plus a big batch of your questions, our answers, and much much more!


BGP hijack used to redirect traffic destined for online banking

  • On 24 July 2013 a number of specific IP addresses were maliciously mis-routed to an ISP in the Netherlands
  • This is especially unusual because almost all BGP routes are /24 or larger (routers only have so much RAM in which to hold the routing table for the entire Internet), while most of these were specific /32s (a single IP address).
  • This might be dismissed as a mistake, but the owners of the specific IP addresses suggest otherwise:
    • AMAZON-AES – Amazon.com, Inc.
    • AS-7743 – JPMorgan Chase & Co.
    • ASN-BBT-ASN – Branch Banking and Trust Company
    • BANK-OF-AMERICA Bank of America
    • CEGETEL-AS Societe Francaise du Radiotelephone S.A
    • FIRSTBANK – FIRSTBANK
    • HSBC-HK-AS HSBC HongKong
    • PFG-ASN-1 – The Principal Financial Group
    • PNCBANK – PNC Bank
    • REGIONS-ASN-1 – REGIONS FINANCIAL CORPORATION
  • The ISP, NedZone.nl, normally announced about 30 prefixes of various sizes between /18 and /24, but on the date in question it was announcing 369, almost all of which were smaller than /24 (usually the smallest prefix that is announced)
  • This was most likely caused by a malicious customer, rather than NedZone or one of its employees
  • The attack appears to have been an attempt to run a MITM attack against online banking
  • RIPE AS Dashboard for AS25459, showing the list of prefixes announced in the last 30 days
  • HE BGP Looking Glass AS25459 Prefixes

Digital Ocean Cloud ‘Droplets’ found to be reusing same SSH private keys

  • While using Digital Ocean’s cloud servers to write a comparison of Ansible and Salt, two different administration/orchestration tools, Joshua Lund discovered that many of his ‘Droplets’ had the same SSH fingerprint
  • While rapidly creating and destroying Droplets, he ended up with the same IP address, and noticed that he did not receive an SSH fingerprint mismatch warning telling him that this server was not the same as the one that had resided at this IP address previously
  • Upon further investigation he found that the SSH keys appeared to be part of the base image, rather than being generated on first boot
  • While this was likely a simple oversight while creating the images, or an attempt to make the droplets boot faster by foregoing the SSH key generation, it is a significant security issue
  • This means someone could replace your Droplet with their own and have the same SSH private key (and therefore fingerprint); if you or one of your old users connected to your old IP, which now belonged to someone else, they could capture your password or otherwise perform a MITM attack
  • The issue was reported to Digital Ocean and they responded the same day
  • The immediate fix did not resolve all instances of the issue, but within 7 days the issue had been resolved
  • Digital Ocean then started working with their customers to have them replace their SSH host keys with unique ones
  • 6 weeks later a public security advisory was issued
  • If you do not install the OS yourself, it may be a good idea to regenerate the SSH host keys as part of the initial setup process
  • Official Advisory
  • On a future Episode of TechSNAP we’ll talk about SSHFP DNS records and maintaining a system wide ssh_known_hosts file

Interview with Brendan Gregg



Feedback:

Directory Dive:

Round Up:

Ethically Hacked | TechSNAP 120 (Thu, 25 Jul 2013 19:17:35 +0000)
https://original.jupiterbroadcasting.net/40802/ethically-hacked-techsnap-120/

A huge number of SIM cards are susceptible to an over-the-air attack, Allan’s got the details, Apple’s hacker outs himself, and the trouble with the Ubuntu forums!

Plus a batch of your questions, and much much more!


Security Researcher Claims Apple Developer Website Hack

  • Apple’s Developer Center first went offline last Thursday, and on Sunday Apple revealed that it had been taken down as a precaution after a security breach. It is unclear who was responsible for the hacking, but a security researcher, Ibrahim Balic, has suggested that he might be to blame for the outage.
  • The company added that critical developer data had not been compromised and that they were working day and night to fix the vulnerability and bring the site back online.
  • 9to5Mac adds that, “In an email… Balic … is persistent in stating he did this for security research purposes and does not plan to use the information in any malicious manner.”
  • The comment comes from independent security researcher Ibrahim Balic, who claims that his effort was not intended to be malicious and that he reported his findings to Apple just hours before the developer site was taken down by the company.
  • Balic, who has reported 13 different bugs to Apple, originally discovered an iAd Workbench vulnerability on June 18 that allowed a request sent to the server to be manipulated. This security hole could be used to acquire the names and email addresses of iTunes users (even non-developers).
  • After finding the loophole, Balic wrote a Python script to harvest data from the vulnerability and then displayed it in a YouTube video, which may have put him on Apple’s radar.
  • In addition to the iAd Workbench bug, Balic also discovered and submitted a report on a bug that caused the Dev Center site to be vulnerable to a stored XSS attack. While Balic says that it was possible to access user data by exploiting the Dev Center issue, he claims that he did not do so.
  • New Details Emerge on Security Researcher Potentially Responsible for Dev Center Outage
  • Apple Outlines Plan for Bringing Developer Center Back Online
  • Additional Coverage

Ubuntu Forums compromised

  • The forums were defaced and the database compromised
  • There were approximately 1.82 million registered accounts in the forum database
  • Attackers have access to each of these users’ username, password and email address
  • The passwords were salted hashes, but which algorithm was used was not made clear. Were these proper cryptographic password hashes, or just md5(salt+md5(password)) or similar, as in some forum software?
  • If you were a registered user, and reused that password anywhere else, you are likely going to have a bad time
  • “Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach”
  • Timeline:
    • 2013-07-20 2011 UTC: Reports of defacement
    • 2013-07-20 2015 UTC: Site taken down, this splash page put in place while investigation continues.
    • 2013-07-21: we believe the root cause of the breach has been identified. We are currently reinstalling the forums software from scratch. No data (posts, private messages etc.) will be lost as part of this process.
    • 2013-07-22: work on reinstalling the forums continues.

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

The enterprise-class Open Source LDAP server for Linux. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world. The 389 Directory Server can be downloaded for free and set up in less than an hour using the graphical console.

Round Up:


Sour Apple | CR 59 (Mon, 22 Jul 2013 12:17:14 +0000)
https://original.jupiterbroadcasting.net/40672/sour-apple-cr-59/

A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

Why we’re a bit dismayed at Firefox OS’ attempts to kill the app store…

And we answer your hard questions.


Feedback

Dev World Hoopla

In an email to developers today, Apple revealed that its Developer Center website was breached by unknown hackers and was taken offline last Thursday as a precaution.

“This is definitely not an hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and i did notwanted to damage [sic],” writes the user Ibrahim Baliç.

He has since told the Guardian, “My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it.”

“In essence, with Firefox OS, we made app discovery as easy as browsing the web, and we give you a very good reason to brush up the mobile optimised web sites you already have on the web,” writes Mozillan Chris Heilmann on the company blog.

In the car industry, Formula 1 provides a commercial testbed for cutting-edge technologies. The Ubuntu Edge project aims to do the same for the mobile phone industry — to provide a low-volume, high-technology platform, crowdfunded by enthusiasts and mobile computing professionals.

Tool of the Week


Privacy Under Linux | LAS s27e04 (Sun, 09 Jun 2013 14:02:25 +0000)
https://original.jupiterbroadcasting.net/38491/privacy-under-linux-las-s27e04/

We demo tools for Linux to protect your privacy. And we’ll highlight Bitmessage, an up and coming open source project designed to kill email, and encrypt your communications from the start.

Plus: The big plans for Cinnamon, Firefox OS gets a big boost, the conclusion to our Let’s Play giveaway…

AND SO MUCH MORE!

All this week on, The Linux Action Show!


— Show Notes: —

Privacy Under Linux:




– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:

This tumblr contains the Linux app picks from the Linux Action Show. Both the Linux apps and the Android apps



— NEWS —

— /etc: Let’s Play —



I promise, I only cut out one part where I freaked out really bad, and only then because it was during the footage I cut out because I wasn’t sure where to go. I may or may not have been scared by my lantern running out of oil and suddenly turning off.

– Feedback: –

Garry’s Mod Comes to Linux… Sells 7 Copies… What say you?

  • https://twitter.com/garrynewman/status/343127745317986304

  • https://twitter.com/garrynewman/status/343128562745892865

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Bittorrent Sync vs AeroFS | LAS s26e10 (Sun, 12 May 2013 14:29:34 +0000)
https://original.jupiterbroadcasting.net/37056/bittorrent-sync-vs-aerofs-las-s26e10/

Bittorrent Sync is out, and it promises to enable p2p Dropbox style file sharing, for free, with no limits. But has AeroFS already beat them to the punch? We put these two Dropbox killers head to head.

Plus: The systemic issues facing Microsoft that have led to open source code remaining the benchmark of quality, Gabe prepares to address the Linux faithful, Gnome upsets users, Ubuntu has a new package format, a double picks blowout…

AND SO MUCH MORE!

All this week on, The Linux Action Show!


— Show Notes: —

Bittorrent Sync for Linux:




– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:



— NEWS —



– Feedback: –


SSH FUD Busting | TechSNAP 90 (Thu, 27 Dec 2012 17:11:42 +0000)
https://original.jupiterbroadcasting.net/29371/ssh-fud-busting-techsnap-90/

We bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

Plus a rockin round-up and a batch of your questions, and our answers!

All that and more on this week’s TechSNAP!


Show Notes:


W3 Total Cache (a popular WordPress plugin) may expose sensitive data

  • W3 Total Cache is a very popular and powerful caching plugin
  • The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
  • It can provide significant speed gains over stock WordPress
  • Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
  • Database Cache – By caching the results of database queries, if the same read query needs to be executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
  • Object Cache – A higher level cache than the database cache. Objects may be constructed from the results of many queries and plugins, so caching the complete object may result in significant page load time improvements
  • Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
  • JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
  • CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files in addition to media such as images and thumbnails. By loading this content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browsers’ parallel downloading features
  • All of these caches offer a number of backends, allowing you to choose between caching to disk, advanced caching to disk, opcode caches such as APC, or dedicated caches such as memcache
  • All of these features make W3TC very popular and well respected
  • However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
  • The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
  • This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
  • If an attacker were to get the password hash for an administrative account and brute force that hash, they could then take over that WordPress installation
  • Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
  • You should configure your web server to deny access to the /wp-content/w3tc/dbcache, /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for Apache)
  • If you use an opcode cache, or memcache, your site is not affected by this configuration error
  • Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
  • The creators of W3TC are working on an update to address the issue
  • Allan’s slides on improving your Blog with ScaleEngine

Inventor of SSH warns that improper key management makes SSH less secure than it should be

  • This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
  • SSH is not vulnerable or compromised
  • The story started with an interview of Tatu Ylonen, the inventor of SSH
  • “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out.”
  • The problem is actually caused by users, and bad management practices
  • Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
  • Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account; often these lists are not pruned because keys are hard to identify
  • While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
  • Federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but SSH access is often not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
  • A stolen SSH key is what led to the compromise of the FreeBSD package building cluster last month
  • It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
  • Tools such as Puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
  • One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command before optionally checking the authorized_keys file
  • This feature can be used to check for keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing canonical keys in a central location

Feedback:

Round-Up:

Tales from the BCrypt | TechSNAP 85 (Thu, 22 Nov 2012 00:08:38 +0000)
https://original.jupiterbroadcasting.net/27761/tales-from-the-bcrypt-techsnap-85/

How Allan saved PayPal from an embarrassing leak and a bunch of cash, details on the FreeBSD project’s compromise, and the latest advances in password hashing.

Plus the bug in iOS 6 that could cost you money, and a batch of your questions and our answers!

All that and a lot more in this week’s TechSNAP!


Show Notes:

Researcher finds flaw in PayPal that may expose sensitive data

  • PayPal’s new bug bounty program opened on June 21st 2012
  • On June 29th, the security researcher in this story decided to take a look at PayPal and see if he could make some money
  • He started his quest with a search on SHODAN (a search engine for service information, like version numbers etc.) for ‘admin paypal’
  • He found a number of publicly accessible ‘staging’ servers for PayPal (such as stage2mb106.paypal.com)
  • He started by trying to do an authentication bypass using SQL injection, with the randomly selected username ‘lsmith’
  • This returned an error message, but also the string ‘You are logged in as Lori Smith’
  • After some more testing, he found jsmith was Janine Smith
  • He wasn’t sure what this staging admin area did yet, but after some googling he found examples of court documents dumping the details of a PayPal account that are generated by the tool at admin.paypal.com
  • This is where the researcher found the first problem with PayPal’s bug bounty program. PayPal asks that all submissions be encrypted with PGP to ensure privacy, however the PGP key posted on the bug bounty program website had expired
  • On July 5th he finally got a proper PGP key and sent his report
  • July 19th – automated report that submission was received
  • August 7th – submission closed as ‘invalid’
  • August 8th – submission recategorized and reopened
  • August 21st – A hand written reply to another bug report says the current report is still open and payment will be sent when it is fixed
  • August 29th – received payment for an ‘XSS Vulnerability’, which seems like a miscategorization; asks if this is a mistake, never gets a reply
  • Researcher’s Writeup

  • Allan has also participated in the PayPal Bug Bounty program, after finding a cache of stolen PayPal accounts totaling millions of dollars (a story to be covered in depth when I get time)
  • My own disclosure to the program started on September 15th and was finally concluded today, November 21st
  • The first automated reply saying they had received the report was September 17th
  • September 20th they replied asking for some additional information
  • October 26th, PayPal apologized for the delay and notified me that while my submission did not qualify under the Bug Bounty program, due to the nature of the information they were still going to award me $1000, I should expect payment in 3 weeks
  • November 21st, I received my payment and clearance to talk about the incident

Two FreeBSD project servers compromised by leaked SSH key

  • On November 17th the FreeBSD security officer announced that intrusions into two servers operated by the FreeBSD project had been detected on November 11th
  • The affected machines were taken offline for analysis
  • A large portion of the remaining infrastructure machines were also taken offline as a precaution
  • The two machines that were compromised were part of the legacy third-party package building infrastructure
  • It is believed that the compromise may have occurred as early as the 19th September 2012
  • The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD
  • At no time did this attack place the core FreeBSD operating system (kernel, userland, contributed apps (ssh/sshd, bind, etc.)) at risk
  • However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis; however, the FreeBSD Project is not taking any risks, and has thrown out all of the packages it was building for the release of FreeBSD 9.1 and is building them from scratch
  • If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry
  • The Source, Ports and Documentation Subversion repositories have been audited, and the project is confident that no changes have been made to them. Any users relying on them for updates have no reason to worry
  • The project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although there is no evidence to suggest any tampering took place and such interference is unlikely, the FreeBSD Project recommends you consider reinstalling any such machines from scratch, using trusted sources
  • Additional Source

    PHP 5.5 to introduce new password hashing API

    • Official PHP RFC Wiki
    • Why do we need password hashing: to store passwords in a way such that we can verify the a user is entering the correct password, but if our database is compromised, the attacker cannot easily determine the users password
    • Why do we need strong cryptographic password hashing: Using regular hashing functions such as MD5 or even SHA512 is not sufficient. Regular hashing algorithms are designed to be fast and that is undesirable. Additionally, a straight hash is subject to attack by rainbow tables (precalculated hashes). Cryptographic hashes add a salt, to make each hash unique (even if multiple users use the same password, because the salt will be different, the hash will be different). Cryptographic hashes also usually include a stretching or slowing algorithm, that makes the hash take longer to calculate, sha512crypt uses a loop count, doing the hash 10000 times. Some algorithms like bcrypt are resistant to acceleration by a GPU, and other algorithms such as scrypt are designed to be memory intensive to resist acceleration for ASIC or FPGAs.
    • The new PHP password hashing API makes the process of generating and validating hashes much easier, and includes a system for upgrading hashes
    • The new API allows you to optionally specify the hash to use, and if none is specified it defaults to bcrypt (the old crypt() defaulted to DES). This also means that if PHP changes the default password hash in the future, all new hashes will be made using the new algorithm
    • The API introduces a function that checks if a password hash needs to be upgraded. When a user attempts to log in, you first check that they have entered the correct password (your database contains a hash from the old algorithm, but each hash carries a marker at the front that identifies the hashing algorithm). If it is correct, you take the attempted password (which you have in plain text, since you need it to generate the hash to check against the one in your database), hash it with the new algorithm, and overwrite the copy in your database. With this system, the first time a user with an old hash logs in, their hash is upgraded to the new algorithm
    • PHP 5.5 is just coming out in beta, and will likely not see production use for a while, but you do not have to wait, there is a pure-PHP implementation for PHP 5.3

    iOS 6 streaming bug causes excessive data usage

    • The issue has been detailed in a blog post at PRX.org
    • They looked into it after being approached by folks at This American Life about extremely high bills from their CDN for the month of October.
    • Chris has heard from other podcasters about this issue, and for some less prepared networks/shows it’s caused a semi-DDoS effect for many hours after an episode release.
    • PRX.org was able to reproduce the issue with several podcasts in the Podcast app, including podcasts using Limelight and Akamai CDNs.
    • PRX.org was unable to reproduce the issue using iOS 5 or using iOS 6.0.1, but there are still many people using iOS 6.0.0. We believe that this issue, combined with the bug causing the phone to behave as though it is connected to WiFi even when it is not, could account for the significant data overages reported with the release of iOS 6.
    • Others have reported the issue remains in iOS 6.0.1, but is perhaps alleviated by the resolution of the wifi bug.
    • When the file has completed downloading, it begins downloading again from the beginning of the file and continues for as long as one is streaming the file.
    • As long as one is listening to audio being streamed with iOS 6, it is using significant amounts of data.
    • There appears to be a system-wide problem with the AV Foundation framework in iOS 6.0.0, impacting any App in the app store that uses that backend.
    • Apple does not appear to have acknowledged the specific issue.
    • Original PRX Labs post
    • More Coverage at Ars Technica and The Next Web

    Openwall gives talk at YaC2012 about password hashing

    • Openwall are the developers behind John the Ripper
    • Talk covers the challenges of securing against online and offline attacks
    • Covers the Pros and Cons of the YubiHSM, a USB hardware security module for servers from the makers of the YubiKey
    • Covers the future vulnerabilities of PBKDF2 and bcrypt
    • Talks about the advantages of scrypt
    • scrypt was invented by Colin Percival (former FreeBSD Security Officer), for his tarsnap secure online backup product
    • scrypt is designed to be much more secure against hardware brute-force attacks (using ASICs, FPGAs etc). It uses a time-memory trade-off, requiring a large amount of RAM to lower the required number of CPU cycles, which makes dedicated hardware attacks much more expensive to carry out
    • “if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2”
    • When used for file encryption, the cost of cracking the password is 100 billion times more than the cost of cracking the same password on a file encrypted by openssl enc
    • scrypt is now an IETF internet draft
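The upgrade-on-login flow described under the PHP 5.5 password hashing API, together with the scrypt memory cost discussed in the Openwall notes, shown as an added Python example; it is not PHP's API or Openwall's code and only mirrors the shape of password_hash / password_verify / password_needs_rehash. The hash string format, scheme identifiers and cost parameters are this example's own constructed choices; PBKDF2-SHA512 stands in for the "old algorithm" and scrypt for the new one.

```python
import base64
import hashlib
import hmac
import os

# Constructed self-describing format, modelled on the "marker at the front" that
# lets the verifier pick the right algorithm:  $<scheme>$<params>$<salt>$<digest>
# Scheme ids and cost parameters below are this example's own choices.
LEGACY_ROUNDS = 10000                          # old scheme: PBKDF2-HMAC-SHA512
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # new scheme: scrypt


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_legacy(password, salt=None):
    """Produce a hash in the old scheme, as it would already sit in the database."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, LEGACY_ROUNDS)
    return f"$pbkdf2-sha512${LEGACY_ROUNDS}${_b64(salt)}${_b64(dk)}"


def hash_password(password, salt=None):
    """Hash with the current default scheme (scrypt), the role password_hash() plays."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt${SCRYPT_N},{SCRYPT_R},{SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password, stored):
    """Recompute under whatever scheme the stored hash's marker names."""
    _, scheme, params, salt_b64, digest_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    if scheme == "pbkdf2-sha512":
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                 int(params), len(expected))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        dk = hashlib.scrypt(password.encode(), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    else:
        return False                            # unknown marker: never accept
    return hmac.compare_digest(dk, expected)    # constant-time comparison


def needs_rehash(stored):
    """True unless the hash already uses the current scheme AND parameters."""
    _, scheme, params, _, _ = stored.split("$")
    return not (scheme == "scrypt" and params == f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}")


def login(user_db, username, password):
    """Check the password; on success, upgrade a stale hash in place.
    This is the only moment the plaintext is available, so it is the only
    moment an old hash can be replaced by a new-scheme hash."""
    stored = user_db.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        user_db[username] = hash_password(password)
    return True


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """RAM scrypt's mixing step needs: 128 * N * r bytes. This is the cost that
    an ASIC/FPGA attacker has to pay per parallel guess."""
    return 128 * n * r
```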

    Feedback:

    Round Up:

    The post Tales from the BCrypt | TechSNAP 85 first appeared on Jupiter Broadcasting.

    Patch Your Password | TechSNAP 84 https://original.jupiterbroadcasting.net/27496/patch-your-password-techsnap-84/ Thu, 15 Nov 2012 20:59:13 +0000 https://original.jupiterbroadcasting.net/?p=27496 Allan will build the case for abandoning the password, the Skype flaw that will shock you. And we discuss picking the right server OS.

    The post Patch Your Password | TechSNAP 84 first appeared on Jupiter Broadcasting.


    Allan will build the case for abandoning the password, the Skype flaw that will shock you.

    And we discuss picking the right server OS, when to RAID or not to RAID, and a BIG batch of your questions, and our answers.

    All that and more on this week’s TechSNAP!

    Thanks to:

    Use our code tech495 to get a .COM for $4.95, or go20off5 to save 20% on your entire order!

    Pick your code and save:
    techsnap7: $7.49 .com
    techsnap10: 10% off
    techsnap11: $1.99 hosting for the first 3 months
    techsnap20: 20% off 1, 2, 3 year hosting plans
    techsnap40: $10 off $40
    techsnap25: 25% off new Virtual DataCenter plans
    techsnapx: 20% off .xxx domains

 

Show Notes:

    Why a password isn’t good enough anymore

    • An article by Mat Honan, the Wired writer who had his entire online existence destroyed earlier this year
    • An attacker wanted to steal the Twitter handle @mat, and so started by trying to do a password reset on Twitter.
    • This directed the attacker to Mat’s Gmail account
    • When trying to initiate a password reset on the Gmail account, he was directed to Mat’s Apple account
    • The attacker called Apple and, using information about Mat from Twitter, Facebook, Google etc, managed to reset the password for Mat’s Apple account
    • Using the Apple account, the attacker was able to disable and remotely wipe Mat’s Apple devices (iPhone, iPad and MacBook)
    • Once the attacker was in control of the Apple account, he was able to reset the password for the Gmail account
    • He then reset the password for the Twitter account
    • Watch TechSNAP 70 for the full story
    • In this followup article we get an even closer look at what happened, and an in-depth analysis of other recent happenings
    • A lot of the problems discussed in the article are not weaknesses in passwords specifically, but in the people and systems that use them
    • Authentication Bypass – When an attacker finds a way to access an account or service without needing the password at all. We have seen this with Dropbox, Oracle and others in past episodes of TechSNAP, or the recent case with Skype, where it failed to properly authenticate you before allowing you to reset the account; we’ll cover that later in this episode.
    • Brute Force – Accounts for services like POP3, FTP, SSH, and SIP are under constant attack, all day, every day. Attackers attempt to compromise the accounts in order to gain access for various reasons, from using the initial password as a stepping stone to gain access to more sensitive accounts, to using your machine to scan for yet more weak passwords, or as a source of spam. Attackers are constantly attempting common username and password combinations against every public-facing server on the internet, so using apps such as DenyHosts, Fail2Ban or SSHGuard to protect these servers is a must.
    • Database Compromise – Services such as Sony PSN, Gawker, LinkedIn, Yahoo, eHarmony, LastFM and others had their databases compromised, and their lists of passwords dumped online. Often these passwords were hashed (MD5, SHA1, SHA256), but not always. Even a hashed password is little protection: it doesn’t immediately disclose your password, but with tools like rainbow tables and GPU-accelerated cracking, these hashes were quickly cracked and the plain text passwords posted online. Hopefully more services will start using properly secure cryptographic hashes (sha512crypt, bcrypt) that take tens of thousands of times more computational power for each attempt to crack a password. Some algorithms like bcrypt are also, thus far, immune to GPU acceleration, actually taking longer on a GPU than a CPU.
    • Disclosure – People often share their passwords. I don’t know how many facebook accounts have been ‘hacked’ by friends or exes because you willingly gave them your password, or you gave them the password to something else and they used one of the other techniques described here to gain access to something you didn’t mean for them to have access to.
    • Eavesdropping – Someone could be listening on the wire (or in the air in the case of wireless or mobile data connections) and see your password as it goes between your computer and the remote service. Most services now login over SSL to prevent this, but older services such as FTP (still very popular for web hosting, where your password may be shared with the web hosting control panel that has access to reset your email password) are not encrypted.
    • Exposure – This is when you accidentally give away your password. It happens on IRC at least once a week: someone attempts to enter the command to identify, but prefixes it with a space or something and ends up displaying their password to the entire chat room. Users will also sometimes accidentally enter their password in the username field, or their credit card number in the field that is for the ‘name as it appears on the card’, which causes it not to be treated with the same level of security.
    • Guessing and Inference – When people base their password on birthdays or pet’s names, they become easy to guess. If you compile a largish list of keywords about a person, including bands and songs they like, their family and friends’ names, important dates, sports teams etc, and run it through an app like John The Ripper, which will make variations of those words, including l33t speak transformations and adding numbers and symbols, you are likely to get a fairly high success rate. In addition to guessing, there is inference: if you know that Bob’s password for gmail is bobisgreat@gmail then you can probably guess that his password for facebook is bobisgreat@facebook. If there is a pattern or ‘system’ to your passwords, once someone compromises ONE of those passwords, they have a much greater chance of compromising them all.
    • Key Logging – When an attacker, using hardware or software, is able to record the keys you type in your keyboard, thus capturing your password as you input it. Apps like LastPass may seem to help with this, but they usually use an OS API to simulate typing the keys to remain compatible with all applications. Clipboard scanners can also often catch passwords.
    • Man-in-the-Middle – An attack that intercepts your traffic and pretends to be the service you are trying to connect to, allowing it to capture your password, even if it was encrypted. SSL/TLS was designed to prevent Man-in-the-Middle attacks by verifying the identity of the remote server; however, with Certificate Authorities being compromised and issuing false certificates, and tools such as SSLStrip tricking you into not using SSL, it is still possible for your communications to be intercepted.
    • Phishing – Emails meant to look like they are from an official source, whether it be eBay, PayPal or your bank, prompt you to login on a page that looks like the legitimate one, but is not. Once you enter your details, the attackers have all they need to know to compromise your real account. Combine this with the weak DKIM keys from a few weeks ago, a compromised Certificate Authority and a man-in-the-middle DNS attack, and you have no way of knowing that when you entered https://www.paypal.com in to your browser, you actually ended up on an attacker’s site instead.
    • Replay Attack – When an attacker is able to capture you authenticating in some secure manner and is able to resend that same information to authenticate as you later, without ever knowing your password
    • Reuse – Using the same password on multiple sites means that when one of them is compromised, they all are. I keep telling you, use lastpass.
    • Secret Questions – So, when you set up that new account and it prompts you for some secret questions/answers, consider carefully what you put down. You’re going to need to be able to remember it later to regain access to the account (or some accounts ask them when they suspect you are logging in from a different computer), but if they are simple ones that someone could look up via google or facebook (remember, the attacker could be someone you know, so your privacy settings on facebook might not be enough), then it isn’t good enough.
    • Social Engineering – In the case of the Mat Honan compromise, the weakest link turned out to be AppleCare Support. They very much wanted to be helpful and allow him to recover his accounts; the only problem was, the caller was not Mat Honan but the attacker, who managed to guess and trick his way through the security questions and gain control of the Apple and Amazon accounts.
    • See some old blog posts by Allan for more reading at GeekRoundTable (https://www.geekrt.com/read/88/Myths-of-Password-Security/) and AppFail
    • These issues are endemic across the entire internet, and it is important that you be aware of them and take steps to protect yourself as best you can
    • A comparison of two major password dumps has shown that half of all passwords were used on both sites, the problem of password reuse is growing rather than shrinking
    • Having a long and strong password is important, but you have to consider the other ways someone could compromise your account, the weakest link is the most likely avenue of attack
    • If you have the option, you should enable two-factor authentication. Adding one more step makes the attacker’s job that much harder, but remember, this doesn’t mean you are immune: RSA and Blizzard authenticators have been compromised in the past when their seed values were stolen from the central databases.

    Skype IDs hijackable by anyone who knows your email address

    • An attacker found a way to bypass the authentication in Skype’s password reset system, and take over any target account for which the email address was known
    • The Instructions
    • Register for a new account, using the email address of the victim
    • Login to Skype using that new account
    • Initiate a password reset for the victim’s account
    • Skype will email the victim a password reset token, but the token will also pop up in the Skype client for all accounts that use that email address, allowing the attacker to get the token
    • Use the token to reset the password of the victim account
    • Login to the victim’s account and remove their email address and add your own (one that no one knows) and you now own that account
    • Skype disabled the password reset system a few hours later, then fixed the issue and re-enabled the password reset system. Tokens are no longer displayed in logged-in Skype clients. This makes sense, and I question why it was ever the other way around, because if you are logged in, you are unlikely to have forgotten your password (unless it was saved I guess).
    • Skype’s Reaction
    • NextWeb Coverage
    • NextWeb Followup

    Feedback:

    Round Up:


    Breaking DKIM | TechSNAP 81 https://original.jupiterbroadcasting.net/26536/breaking-dkm-techsnap-81/ Thu, 25 Oct 2012 19:41:52 +0000 https://original.jupiterbroadcasting.net/?p=26536 How an aviation blogger unlocked the secrets of the TSA’s barcode, and a serious bug in the Linux Kernel.

    The post Breaking DKIM | TechSNAP 81 first appeared on Jupiter Broadcasting.


    How an aviation blogger unlocked the secrets of the TSA’s barcode, if you’re a Barnes and Noble shopper we’ve got a story you need to hear, and a serious bug in the Linux Kernel.

    Plus a batch of your questions, and our answers.

    All that and so much more, in this week’s TechSNAP.

    Thanks to:

    Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    BONUS ROUND PROMO:

    Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
    CODE: 599tech

    Expires 10/31/12

    SPECIAL OFFER! Save 20% off your order!
    Code: go20off5


 

Show Notes:

    Barnes and Noble POS terminals compromised, debit card PIN numbers stolen

    • Barnes and Noble discovered on Sept 14th that a number of the PIN pads for its point-of-sale system had been compromised
    • Barnes and Noble did not go public with the information until this week at the request of investigators
    • Tampered PIN Pads were found in 63 stores all over the country, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island
    • The retailer reported that only about 1% of their PIN pads had been tampered with, but when the compromise was discovered on Sept 14th, they disconnected all PIN pads at their 700 stores
    • It appears that a coordinated criminal enterprise infected PIN pads with malware that would record credit/debit card numbers and PIN numbers
    • B&N recommends that you change your debit card PIN number and watch your debit and credit accounts for unauthorized transactions
    • Online purchases were not affected
    • Official Announcement from Barnes and Noble

    Aviation blogger finds that he can determine what security screening he will get from his boarding pass

    • Frequent Flyer John Butler wrote a blog post this week, after he was able to determine what level of security screening he was going to be subjected to at the airport by reading the unencrypted barcode on his boarding pass
    • This raises the possibility that terrorist or smuggling groups could buy multiple tickets, then check each and use the ones that subject them to the less intense screening process
    • The barcodes also appear to lack any form of MAC (Message Authentication Code), to protect them from unauthorized modification
    • It is unclear if a modified barcode would work, or if it is checked against a central database
    • It is illegal under US law to tamper with or alter a boarding pass
    • The vulnerability appears to be confirmed by reading the specifications for the system published by the IATA (International Air Transport Association)
    • Every airport I’ve been through (YYZ, YHM, YYC, CDG, WAW, AMS) has not had any way to avoid the screening process, it appears that only the TSA allows you to pass through security without the basic screening. I have been randomly selected for additional screening (chemical residue test) twice

    Serious bug in Linux kernel results in EXT4 data corruption

    • A bug was accidentally introduced in Linux Kernel version 3.6.2, and then backported into 3.4 and 3.5
    • The bug has to do with the way the superblock and journal are updated, and can result in extensive data corruption, especially if a filesystem is unmounted shortly after it was mounted
    • A patch was posted, but was found to not fully solve the problem, so a second patch was posted later
    • Kernel 3.4.x is reaching end of life, and may not get an official patch

    Dreamhost decides to change its SSH keys without notifying customers

    • DreamHost, a large shared web hosting provider, generated new SSH keys for all of its servers on Wednesday
    • DreamHost claims it is the “result of a security maintenance which we are performing to prevent exploitation of weak or outdated keys”
    • It seems like an excessive step, unless one or more of the SSH host private keys were compromised, in which case that is huge security news
    • If the keys were compromised, this means that someone could impersonate the DH server and log the login attempts, capturing valid username and password combinations
    • DreamHost made a number of mistakes:
    • Not giving users a heads up about the change before it happened; no email was sent, just a blog post that users were directed to when they contacted support about the error message
    • The blog post encourages users to just delete the old SSH key from their known_hosts and accept the new one, without verifying its authenticity
    • DreamHost did not publish a list of the fingerprints of the new keys, so that customers could verify the authenticity of the new keys they are presented with when they connect
    • The purpose of SSH fingerprints is to verify the identity of the remote host. They work in much the same way as SSL certificates, except that there is no central certificate authority; it is up to the user to verify the identity of the key the first time. The main goal is to notify the user if the key suddenly changes, suggesting that you are not in fact connecting to the intended server, but to some other server that may be trying to get your credentials or perform a man-in-the-middle attack on you
    • An attacker that is able to perform a man-in-the-middle attack during a time when a user is willing to just ignore the security warning (or even, take the additional steps OpenSSH requires before allowing you to accept a new key), could be very successful
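How the fingerprint check described above works, as an added Python example (not DreamHost's or OpenSSH's code): it derives OpenSSH's SHA256 and legacy MD5 fingerprints from a known_hosts or authorized_keys line and accepts a new host key only if its fingerprint appears on a list the provider published out of band. The hostname and key bytes are constructed for the example and are not a real key.

```python
import base64
import hashlib
import struct

# A field is a key type if it starts with one of these (ssh-ed25519, ecdsa-sha2-*, sk-*).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_blob(line):
    """Return the raw key blob from a known_hosts ('host type b64 ...') or an
    authorized_keys ('type b64 ...') line. OpenSSH fingerprints exactly this blob."""
    fields = line.split()
    type_index = 0 if fields[0].startswith(KEY_TYPE_PREFIXES) else 1
    return base64.b64decode(fields[type_index + 1])


def fingerprint_sha256(line):
    """OpenSSH's default display: SHA256 of the blob, base64 with '=' padding removed."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(line):
    """The older colon-separated MD5 form, for providers who still publish that format."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_key_trusted(line, published):
    """Accept a new or changed host key only if one of its fingerprints is on the
    list the provider published out of band (status page, signed announcement)."""
    wanted = {fp.strip() for fp in published}
    return fingerprint_sha256(line) in wanted or fingerprint_md5(line) in wanted


# --- constructed sample: a fake ed25519 public key (32 arbitrary bytes, not a real key)
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data      # OpenSSH length-prefixed field


SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "shell.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def tampered_line():
    """The same line with one key byte flipped, standing in for an impostor's key."""
    blob = bytearray(SAMPLE_BLOB)
    blob[-1] ^= 0x01
    return "shell.example.com ssh-ed25519 " + base64.b64encode(bytes(blob)).decode()


if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_LINE))
    print(fingerprint_md5(SAMPLE_LINE))
```

Comparing the printed value with the provider's published list, rather than blindly deleting the old known_hosts entry, is the step the DreamHost blog post skipped.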

    Mathematician finds that Google and others were using weak keys for DKIM

    • Mathematician Zachary Harris got an email from a Google headhunter for a job as a Site Reliability Engineer
    • Seeing as he is not an expert in that field, he assumed that the email was a phishing scam
    • He examined the headers, and determined that it was signed with the proper DKIM keys, appearing to actually be from Google
    • DKIM (DomainKeys Identified Mail) is a process where all outbound email is cryptographically signed with a private key, and the signature can then be verified against a public key published in DNS, such that only emails that are actually from the domain can carry a valid signature. It is a common anti-spam and anti-phishing mechanism
    • He noticed that Google was only using 512-bit keys for DKIM
    • Harris explored other sites and found the same problem with the keys used by Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Match.com, PayPal, SBCGlobal, Twitter, US Bank and Yahoo
    • He found keys in 384, 512 and 768 bits, despite the fact that the DKIM standard calls for a minimum of 1024 bit keys
    • A 384-bit key can be factored on a laptop in 24 hours, while a 512-bit key can be factored in about 72 hours using Amazon EC2 for around $75
    • In 1998, cracking a 512-bit key was an academic breakthrough requiring a great concerted effort. Today anyone can do it by themselves in 72 hours on AWS
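A check for the key-size problem Harris found, as an added Python example that is not part of the show notes or Harris's own tooling: it parses a DKIM TXT record, walks the DER-encoded public key in the p= tag to read the RSA modulus size, and flags anything below the 1024 bits the notes cite as the standard's minimum. Because it runs offline, the sample records are constructed in code from a made-up modulus rather than fetched from DNS; against a live domain you would feed it the TXT record at <selector>._domainkey.<domain>.

```python
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
MINIMUM_BITS = 1024


def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary. DKIM permits folding
    whitespace inside the p= value, so all whitespace in values is dropped."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the modulus inside a DER SubjectPublicKeyInfo (what p= carries)."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = read_tlv(spki)              # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = read_tlv(bit_string[1:])     # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_pub)            # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()


def audit_dkim_record(txt, minimum=MINIMUM_BITS):
    """Return (modulus_bits, acceptable) for one DKIM TXT record."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not an RSA DKIM record (empty p= means the key is revoked)")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= minimum


# --- constructed sample data: a minimal DER encoder so the example runs offline ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)   # keep it positive


def make_sample_record(bits):
    """Build a DKIM record whose p= is an SPKI with a <bits>-bit modulus. The modulus
    is a constructed odd number with its top bit set, NOT a real RSA key."""
    n, e = (1 << (bits - 1)) | 1, 65537
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```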

    Feedback:

    While having lunch at EuroBSDCon, a FreeBSD developer recognized me from the Linux Action Show. He just so happened to be one of the main USB developers, and proceeded to correct (yell at) me. He recently expended a great deal of effort to improve support for webcams and other USB devices under FreeBSD 9.1 (and therefore PC-BSD as well). As further evidence of this, once we were done talking, someone walked up and handed him a USB ethernet adapter that was not supported, a hardware donation to drive development.

    Roundup


    Don’t Copy That Floppy | TechSNAP 79 https://original.jupiterbroadcasting.net/25876/dont-copy-that-floppy-techsnap-79/ Thu, 11 Oct 2012 16:04:46 +0000 https://original.jupiterbroadcasting.net/?p=25876 How a Russian Spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage. Plus GPG explained!

    The post Don't Copy That Floppy | TechSNAP 79 first appeared on Jupiter Broadcasting.


    How a Russian Spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage, and why the US congress is saying no to Chinese telco manufacturers.

    Plus a big batch of your questions, and our answers.

    All that and much more, on this week’s TechSNAP!


 


Show Notes:
