Jupiter Broadcasting – Open Source Entertainment, on Demand (https://www.jupiterbroadcasting.com), feed dated Fri, 25 Jan 2013 06:54:35 +0000

Barricade Your Barracuda | TechSNAP 94
https://original.jupiterbroadcasting.net/30721/barricade-your-barracuda-techsnap-94/
Thu, 24 Jan 2013 17:22:45 +0000

If you have a Barracuda device, it’s time to put it behind a real firewall. Learn about the horrible state of security on many popular Barracuda products.

The post Barricade Your Barracuda | TechSNAP 94 first appeared on Jupiter Broadcasting.


If you have a Barracuda device, it’s time to put it behind a real firewall. We’ll blow your minds with the horrible state of security on many popular Barracuda products.

Plus why a long password does not necessarily mean a more secure password, a big batch of your questions, and a great roundup!

All that and a lot more, on this week’s TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go20off5 to save 20% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Show Notes:

Barracuda Networks devices contain multiple undocumented SSH users

• Vulnerable products include:
  • Barracuda Spam and Virus Firewall
  • Barracuda Web Filter
  • Barracuda Message Archiver
  • Barracuda Web Application Firewall
  • Barracuda Link Balancer
  • Barracuda Load Balancer
  • Barracuda SSL VPN
• The issue was fixed in Security Definitions 2.0.5; it is highly recommended that all devices be upgraded
• These devices contain undocumented backdoor accounts with static passwords, including:
  • root*
  • build* (uid 0)
  • shutdown
  • product
  • ca
  • support
  • websupport
  • qa_test*
• Only the accounts marked with a * could not be cracked with a short wordlist
• These users and their easily cracked passwords can be used to log in at the terminal; the user ‘product’ is given a full bash shell
• Some additional users were also set up with no password but with authorized SSH keys to allow remote access:
  • remote (uid 0)
  • cluster
• Both of these users also have full bash shells
• Once a user has a shell, they are able to access the local MySQL database (root@localhost with no password) and can add new users with administrative privileges
• A shell could also allow the user to enable debugging that could allow them to compromise the device
• The Barracuda devices use iptables to restrict access via SSH; however, in addition to allowing SSH from the internal network, they also allow incoming SSH connections from two remote /24s on the internet
• Timestamps on the iptables rules file suggest these IPs have been allowed in to every device since 2003
• These ranges belong to two different ISPs: Layer42.net, which appears to host the colocation for Barracuda Networks, and XO.net, which does not appear to be used by Barracuda Networks (it may have been in the past), and the IPs appear to belong to a number of unrelated parties, including a small IT firm that offers remote management, some VoIP servers, and a number of poorly maintained websites (some not updated since 2007)
• If any of these sites or servers were compromised, they could be used to gain access to all public-facing Barracuda Networks devices
• Most of these devices are public-facing, because they are firewalls, web filters and spam filters
• A user may be able to spoof their IP via the local network to appear to be coming from one of the two internet ranges that have been whitelisted
• As part of the 2.0.5 update, Barracuda has disabled the product user, and all other users except for ‘cluster’ (SSH key only), ‘remote’ (uid 0, SSH key only, key is possessed by Barracuda Networks) and ‘root’ (password, likely crackable)
• According to Barracuda Networks, these accounts are critical for customer support and will not be removed
• Barracuda has done nothing to address the statically defined whitelisted ranges of IPs
• Because of the risk, it is recommended to place the Barracuda Networks devices behind a proper firewall
• Customers can contact Barracuda Networks Support for instructions on enabling ‘expert mode’ in order to disable the SSH daemon
• Barracuda Networks – Tech Alerts
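The account patterns in the notes above (extra uid 0 users, users with an interactive shell but an empty password field, key-only users) are exactly what an administrator would want to check for on any appliance they can get a shell on. The script below is an added example, not code from Barracuda Networks or from the show; it audits passwd/shadow content for those patterns. The sample /etc/passwd and /etc/shadow lines, the set of accounts holding an authorized_keys file, and the EXPECTED_USERS baseline are constructed for the example (the usernames follow the show notes, but the uids, shells and hash strings are assumptions), and the MD5-crypt check is an added heuristic, not something the notes state about these devices.

```python
"""Audit passwd/shadow data for undocumented, uid 0, passwordless and
key-only interactive accounts.

Added example, not Barracuda Networks' code. All sample data below is
constructed; usernames mirror the show notes, everything else is assumed.
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/ash", "/bin/zsh", "/usr/bin/bash"}

# Constructed sample /etc/passwd (uids and shells are assumptions).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
build:x:0:0:build:/home/build:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
product:x:500:500:product:/home/product:/bin/bash
support:x:501:501:support:/home/support:/bin/bash
remote:x:0:0:remote:/home/remote:/bin/bash
cluster:x:502:502:cluster:/home/cluster:/bin/bash
nobody:x:99:99:nobody:/:/sbin/nologin
"""

# Constructed sample /etc/shadow. An empty second field means no password is
# required; "*" or "!" means the password login is locked.
SAMPLE_SHADOW = """\
root:$6$constructedhash:15000:0:99999:7:::
build:$6$constructedhash:15000:0:99999:7:::
shutdown:*:15000:0:99999:7:::
product:$1$constructedhash:15000:0:99999:7:::
support:$1$constructedhash:15000:0:99999:7:::
remote::15000:0:99999:7:::
cluster::15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
"""

# Constructed: accounts whose ~/.ssh/authorized_keys is non-empty.
SAMPLE_KEY_ACCOUNTS = {"remote", "cluster"}

# Assumed baseline of documented accounts for this (hypothetical) box.
EXPECTED_USERS = {"root", "nobody"}


def parse_passwd(text):
    """Map username -> {uid, home, shell} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map username -> password field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":")[:2]
        hashes[name] = pw
    return hashes


def audit_accounts(passwd_text, shadow_text, key_accounts, expected=EXPECTED_USERS):
    """Return a list of (username, finding) tuples for risky accounts."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, info in sorted(users.items()):
        pw = hashes.get(name, "")
        shell_ok = info["shell"] in INTERACTIVE_SHELLS
        if info["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if shell_ok and name not in expected:
            findings.append((name, "undocumented account with interactive shell"))
        if shell_ok and pw == "":
            findings.append((name, "empty password field (no password required)"))
        if shell_ok and name in key_accounts:
            findings.append((name, "authorized_keys present (key-based login)"))
        if shell_ok and pw.startswith("$1$"):
            # Heuristic added here: MD5-crypt hashes are cheap to brute-force.
            findings.append((name, "MD5-crypt hash (cheap to crack)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_KEY_ACCOUNTS):
        print(f"{user:10s} {finding}")
```

On a real system you would feed it the contents of /etc/passwd and /etc/shadow and the set of accounts whose authorized_keys file is non-empty; the baseline of documented accounts is the one piece that has to come from the vendor's documentation, which is precisely what was missing in this case.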

Barracuda Networks SSL-VPN devices vulnerable to authentication bypass

• Unauthenticated users are able to set arbitrary Java system properties to arbitrary values, allowing an attacker to perform a Denial of Service attack against the device, or to break the application’s security mechanisms
• By using the above vulnerability, an attacker is able to access the API functionality of the appliance, and is then able to download the device configuration, dump the SQL database (including passwords), reset the passwords of all superusers, disclose local files on the appliance (possibly secret keys), and restart or shut down the device entirely
• Barracuda Networks has issued ‘Security Definition 2.0.5’ that resolves these issues

Just because your password is long does not mean it cannot be cracked

• A researcher from Carnegie Mellon University has developed a new password cracking tool that considers grammatical correctness to reduce the search space
• Based on a survey of 1434 user-selected passwords of 16 characters or more, 18% of users voluntarily chose passwords that were grammatically correct (such as “abiggerbetterpassword” or “longestpasswordever”)
• The survey also found other structures, including postal addresses, URLs, and email addresses
• The password search space is significantly reduced when you move away from considering random combinations of characters and instead consider dictionary words, and reduced further when you consider words only in combinations that are grammatically correct
• If a password consists of 3 words, applying the rules of grammar reduces the search space to 96.90% of its original size. However, if the password consists of 5 words, the search space is reduced to 46.95%, and 8 words lowers the search space to 0.99% of its original size
• Consider this when you are selecting passwords XKCD style
• Full Paper
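To make the search-space argument concrete, here is an added toy model (not the CMU tool or its paper): a small part-of-speech-tagged lexicon and a handful of grammatical templates, both constructed for this example. It compares the number of n-word sequences an attacker would have to try if every dictionary word could follow every other against the number that fit an allowed template, segments a concatenated passphrase back into lexicon words, and flags whether the result is grammatical. Because the lexicon and grammar are tiny assumptions, its percentages are far smaller than the 96.90%, 46.95% and 0.99% figures quoted above; the trend (the reduction grows with word count) is what carries over.

```python
"""Toy estimate of how a word-level grammar shrinks a passphrase search space.

Added example, not the CMU researcher's tool. LEXICON and TEMPLATES are
constructed assumptions; the method, not the numbers, is the point.
"""
from math import log2

# Constructed lexicon tagged by part of speech (assumed, deliberately tiny).
LEXICON = {
    "DET": ["a", "the", "my", "your"],
    "ADJ": ["big", "bigger", "better", "long", "longest", "red", "fast", "old"],
    "NOUN": ["password", "cat", "dog", "house", "car", "day", "lemon", "test"],
    "VERB": ["eats", "likes", "burns", "runs", "makes", "needs"],
    "ADV": ["ever", "always", "never", "now"],
}

# Constructed grammar: allowed part-of-speech templates, keyed by word count.
TEMPLATES = {
    2: [("ADJ", "NOUN"), ("DET", "NOUN"), ("NOUN", "VERB")],
    3: [("DET", "ADJ", "NOUN"), ("NOUN", "VERB", "NOUN"),
        ("ADJ", "ADJ", "NOUN"), ("ADJ", "NOUN", "ADV")],
    4: [("DET", "ADJ", "NOUN", "VERB"), ("DET", "ADJ", "ADJ", "NOUN"),
        ("DET", "ADJ", "NOUN", "ADV"), ("NOUN", "VERB", "DET", "NOUN")],
    5: [("DET", "ADJ", "NOUN", "VERB", "NOUN"), ("DET", "NOUN", "VERB", "DET", "NOUN"),
        ("ADJ", "NOUN", "VERB", "ADJ", "NOUN")],
}

ALL_WORDS = {w for words in LEXICON.values() for w in words}
POS_OF = {}  # word -> set of parts of speech it can take
for _pos, _words in LEXICON.items():
    for _w in _words:
        POS_OF.setdefault(_w, set()).add(_pos)


def vocab_size():
    return len(ALL_WORDS)


def unconstrained_space(n):
    """Every n-word sequence of dictionary words."""
    return vocab_size() ** n


def grammatical_space(n):
    """Only n-word sequences that fit some allowed template."""
    total = 0
    for template in TEMPLATES.get(n, []):
        count = 1
        for pos in template:
            count *= len(LEXICON[pos])
        total += count
    return total


def reduction_percent(n):
    """Grammatical space as a percentage of the unconstrained space."""
    return 100.0 * grammatical_space(n) / unconstrained_space(n)


def entropy_bits(n):
    """(unconstrained, grammatical) search space in bits for n words."""
    return log2(unconstrained_space(n)), log2(grammatical_space(n))


def segment(passphrase):
    """Split a concatenated passphrase into lexicon words, or None if impossible.

    Dynamic programme over prefix lengths; ties resolve to the longest last word.
    """
    best = {0: []}
    for i in range(1, len(passphrase) + 1):
        for j in range(i):
            if j in best and passphrase[j:i] in ALL_WORDS:
                best[i] = best[j] + [passphrase[j:i]]
                break
    return best.get(len(passphrase))


def is_grammatical(words):
    """True if some template of this length matches each word's tags."""
    for template in TEMPLATES.get(len(words), []):
        if all(pos in POS_OF.get(w, set()) for w, pos in zip(words, template)):
            return True
    return False


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(f"{n} words: grammar keeps {reduction_percent(n):.3f}% of the space")
    for p in ("abiggerbetterpassword", "longestpasswordever"):
        ws = segment(p)
        print(p, ws, "grammatical" if ws and is_grammatical(ws) else "not grammatical")
```

The two passphrases quoted in the notes both segment cleanly and match a template, which is the property the cracking tool exploits: a passphrase drawn only from grammatical word orders lives in the smaller space, so counting words alone overstates its strength.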


Portal 2 WINS! | J@N | 4.19.11
https://original.jupiterbroadcasting.net/7268/portal-2-wins-jn-41911/
Tue, 19 Apr 2011 22:56:45 +0000

We review Portal 2 and tell you why it’s addictive, and completely adorable! Plus we killed hours playing Portal 2's co-op mode, tune in for the details!

The post Portal 2 WINS! | J@N | 4.19.11 first appeared on Jupiter Broadcasting.


We have to do a show? Can’t I just keep playing?! Ugh, fine.

Here’s a show about Portal 2. We review it, tell you why it’s incredible and addictive and completely adorable, then show you a little why others think the same. Oh and there’s a couple newsy bits, too. And swag to buy.

Fascinating, I’m sure, but can I go play some more now? There’s science to be done!

Show Notes:

ThinkGeek affiliate link

WSJ Review: Portal 2 Is A Hole In One
Techland (TIME) Gives it a Perfect 10
PC Gamer Scores at 94/100

The Early Launch Project — Potato Sack
– Players that purchased and played indie games on Steam fueled a launch ahead of schedule.
– Served to promote indie gaming, Steam, and PC gaming in general.
– Also probably made Valve a few hundred thousand dollars. And I have no problem with that.

Review Points (SINGLE PLAYER)

PROS
– ENVIRONMENT ART / ANIMATION
The intro is breath-taking. The environments built to re-introduce you are magnificent. And the way they grow and change throughout the game is brilliant. The environment IS a character, or at the very least a bodily extension of one (or … two …)

– RE-INTRODUCTION
Being a test subject “again” was fun because of how it was introduced. Also good for brand new players that didn’t play the first, or have taken a long break. A nice easy way to get you back into the swing of things.

– OLD FRIENDS
I’ve been worried for months now that the “soul” of Portal 2 would end up feeling bland and overworked, because Valve might put too much effort into making another landmark game, where the first felt like sort of an accident. Those fears have been put to rest.

– NEW FRIENDS
* Cave Johnson, the voice in many of the trailers released so far, is a ridiculous fossil of manliness from the 50s/60s. And he lampoons it with such efficiency that it becomes AWESOME. (think “Mad Men”)
– “When life gives you lemons, invent combustible lemons and burn life’s house down with them. You don’t deserve lemons!”
* Getting to know GLaDOS on a more personal basis was worth the price of the game.

– LENGTH/DEPTH
Whereas Portal 1 felt like nothing more than a clever puzzle game that could be beaten in a single sitting, Portal 2 is an awesome ride through an incredible story, as it tells you the history of Aperture Labs without actually having to TELL you anything. Incredible storytelling.

– NO ENEMIES
I like having a sense of danger without actually having to kill anything. Too many puzzle games introduce enemies, when their gameplay could be designed in a way to do without it. (e.g., “The Ball”)

– AUDIO/MUSIC
* Some of the more complicated puzzles give you a subtle musical cue when you’re on the right track to solving them.
* Top notch ambient audio all over. Distant explosions, whirring machinery, etc.

CONS
– Some REALLY tough puzzles, involving extremely fast hand-eye coordination. I may not be able to beat this game because of it.
– Did not like Wheatley. I know a lot of people did, but it’s tough to sympathize with or enjoy interacting with him. I can’t put my finger on it.
– A few (VERY few) cut corners, it feels like. With so much attention given to the atmosphere, it was a minor moment of disappointment to see some missed opportunities (e.g. the ‘intro movies’ playing near each lift; many were repeated dozens of times.)
– No explanation given (as far as I know) for your character’s reintroduction to the Labs. At the end of Portal 1, you seem to escape to the surface. So why are you back inside at the start of Portal 2?
– Few achievements. Or maybe I suck. Either way, it comes across as a negative to me. I’d like more badges for my efforts, even if they’re not uber leet.


Co-Op Review

PROS
– Very easy to start up, well integrated into the Steam network (obviously…)
– Communication is excellent, over Steam. Also with press F to point, use timers, etc.
– Incredible variation of maps. Some were just STUPIDLY awesome to complete. Aiming lasers using your partner’s mini-viewscreen, etc.
– GLaDOS’ commentary keeps it light-hearted, even when you die repeatedly. Especially when you die repeatedly.
– Fully featured, completely time consuming. We finished the first 6 maps, thought that was it, and were still satisfied. Then found a dozen more, and there are probably even more after that.

CONS
– No chatting during load screens.
– Complicated. Requires a teammate with lots of patience. Not recommended for strangers.
– It can, at times, feel like playing pool with a friend. But both of you can only use one hand each, and you’re both using the same cue. At the same time.
