LulzSec – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed last built Fri, 26 Apr 2013 16:42:09 +0000 (en-US, updated hourly).

Dedupe Gone Wrong | TechSNAP 107
https://original.jupiterbroadcasting.net/36296/dedupe-gone-wrong-techsnap-107/
Thu, 25 Apr 2013 16:19:55 +0000
ZFS deduplication requires a certain amount of setup and an understanding of some important requirements. We'll cover those and share tips to get it right.


Oracle patches 128 vulnerabilities, you won’t believe how many of them are critical.

Plus how Twitter can solve their hacking problem, ZFS questions galore, and much, much more!

On this week’s TechSNAP.

Thanks to:

Use our code tech295 to score .COM for $2.95!

35% off your ENTIRE first order just use our code go35off4 until the end of the month!

Show Notes:

Java 0-day exploit in the wild


Google publishes important information about hosting user generated content

  • Google loads all user generated content (UGC) from an isolated domain, googleusercontent.com
  • Google uses subdomains to separate different bits of UGC from each other
  • One of the reasons for this is attacks such as GIFAR, in which an attacker takes a valid .gif file and concatenates a Java exploit .jar onto it (a .jar is just a zip file containing the compiled code)
  • The attacker can then embed on their own site an HTML applet tag whose src points to a Google domain (such as Picasa) hosting that file
  • By shifting the content from official google.com domains to googleusercontent.com, the browser’s same-origin policy should prevent malicious UGC from accessing the user’s google.com authentication cookie
  • Google goes on to detail their solutions for content that requires authentication (private documents, Google Apps for enterprise), where not being able to access the Google authentication cookie would pose a problem
  • Google uses a number of solutions (temporary cookies on googleusercontent.com, authorization tokens passed in the URL, URLs bound to a specific user) to trade off usability against the risk of accidental disclosure (if access to a private image is controlled by a URL parameter, what if the user copies the link to the picture and uses it elsewhere?)
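
As an added example (not Google’s code and not from the show notes), here is the kind of server-side check a defender can run on uploaded images before serving them: it flags a file that is both a valid GIF and a structurally valid ZIP/JAR, which is exactly the GIFAR shape, because ZIP readers locate an archive from the end of the file and ignore whatever precedes it. The sample GIF and ZIP are constructed inline; the function names are this example’s own.

```python
"""Reject images that also parse as ZIP/JAR archives (the GIFAR shape).

Added example, not Google's code. A JAR is a ZIP, and ZIP readers locate the
archive from the END of the file (the end-of-central-directory record), so a
valid GIF with an archive appended is a valid image and a valid archive at
once. This check looks for that trailing structure before the upload is stored.
"""
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
EOCD_MIN_LEN = 22          # fixed part of the EOCD record


def looks_like_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS


def has_trailing_zip(data: bytes) -> bool:
    """True if the tail of `data` is a structurally valid ZIP archive.

    The EOCD may be followed by a comment of up to 65535 bytes, so search
    backwards over that window, then confirm that the central directory the
    EOCD describes really sits just before it (true for appended archives too,
    since their central directory is written immediately before the EOCD).
    """
    window_start = max(0, len(data) - EOCD_MIN_LEN - 65535)
    pos = data.rfind(EOCD_SIG, window_start)
    if pos < 0 or pos + EOCD_MIN_LEN > len(data):
        return False
    # After the signature: disk numbers (2+2), entry counts (2+2),
    # central directory size (4), central directory offset (4), comment length (2)
    (_disk, _cd_disk, _n, _total, cd_size, _cd_offset, _clen) = struct.unpack(
        "<HHHHIIH", data[pos + 4:pos + EOCD_MIN_LEN])
    cd_start = pos - cd_size
    return cd_start >= 0 and data[cd_start:cd_start + 4] == CD_SIG


def classify_upload(data: bytes) -> str:
    """'gif' for a plain image, 'polyglot' for an image carrying an archive,
    'zip' for a bare archive, 'other' otherwise. Anything but 'gif' would be
    rejected by an image upload handler."""
    is_gif = looks_like_gif(data)
    is_zip = has_trailing_zip(data)
    if is_gif and is_zip:
        return "polyglot"
    if is_gif:
        return "gif"
    if is_zip:
        return "zip"
    return "other"


# Constructed sample inputs: the standard 42-byte 1x1 GIF, and a tiny ZIP
# holding only a text file (no executable content).
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")


def make_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample, plain text only")
    return buf.getvalue()


SAMPLE_POLYGLOT = TINY_GIF + make_sample_zip()

if __name__ == "__main__":
    for name, blob in (("gif", TINY_GIF), ("zip", make_sample_zip()), ("gif+zip", SAMPLE_POLYGLOT)):
        print("%-8s -> %s" % (name, classify_upload(blob)))
```

This check is a complement to, not a replacement for, the domain isolation described above: the origin split limits what a polyglot can reach even when one slips through, while the upload check keeps most of them from being served at all.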

Feedback:

  • Tool for provisioning new servers
    FreeBSD’s install can be scripted in a few different ways; the easiest is likely to start with the 225-line shell script that is the current FreeBSD installer:
    /usr/src/usr.sbin/bsdinstall/scripts/auto
    You can set a few environment variables and remove the dialogs, and you’ll have a fully automated install tuned just the way you like; then just PXE boot that, or make your own CD
    There are also some nice tutorials out there:
    Scripting a FreeBSD 9.x Install
    HOWTO: Modern FreeBSD Install RELOADED
    I generally do not script the installs of my BSD boxes, it takes only 5–10 minutes to do the install, and since each machine tends to have a different disk layout, it wouldn’t save much time
    Also, many of my servers are in foreign data centers, and they do the FreeBSD install for me, then just provide me with my SSH credentials. (Although a great many now provide IPMI/KVMoIP and allow me to install the OS myself)

  • Thoughts on OpenID
    OpenID moves the trust from a number of separate sites, to a single site, your ‘identity provider’
    This is likely more secure, since OpenID is based on strong practices, but also presents a more tempting target
    The advantage is that you can be your own OpenID provider, and then you only have to trust yourself

  • Tricks to conserve Bandwidth?

  • Daniel writes in with a note that he uses Puppet to manage over 2000 nodes from a pair of redundant Puppetmasters running via Apache/mod_passenger without issue.

  • Shlomi writes in with a question about moving an LVM to ZFS.
    Your best bet is to do something like I did when I moved from a number of separate UFS drives to a ZFS array (note: there is some performance penalty for doing it this way, more on that later)
    Use these instructions to remove one of the disks from your LVM volume (the biggest one you have enough free space to remove).
    Now create your ZFS pool, and add this now empty disk
    Start filling the ZFS pool until you have enough free space in the LVM to remove another disk, then add that disk to the ZFS pool
    Repeat as necessary
    ZFS will do write-biasing to try to ensure the drives reach ‘full’ at the same rate, so the emptier drives will receive a higher portion of the new writes. If you can create the pool from scratch, you will get better write performance, since all disks will be used to their maximum bandwidth
    ZFS had a planned feature called ‘block pointer rewriting’ that would allow for re-balancing the disk space across devices and for defragmenting files (fragmentation gets excessive due to copy-on-write)
    Personally, I am going to build a fresh array with 4x3TB disks in RAID Z1, and then recycle my 1.5TB disks for other purposes

  • I want to hear more about Scale Engine and what it does and some of the services. How about a segment on just Scale
    We provide a few main services:

    • Origin Web Cluster – Accelerated PHP/MySQL platform (Hosts JB’s site, and forums)
    • Edge Side Cache – an extremely fast memory backed geographically distributed MRU cache. Stores frequently accessed content in memory close to the users for fastest delivery. Great for images, css and javascript, but can also cache entire pages (Hosts JB’s images, css and js)
    • Content Distribution Network – Disk backed geographically distributed MFU cache, stores static content close to the user for faster delivery. Works great for static content, especially larger content like audio and video podcasts. (Hosts JB episode downloads)
    • Video Streaming Network – Hosting Live, On-Demand, Pay-Per-View and Fake-Live video streaming. Provides multi-bitrate streaming to ‘any screen’ via RTMP (Flash), HLS (iOS, Safari, Android, Roku, VLC), or RTSP (Android, Blackberry, Quicktime, VLC). ScaleEngine’s SEVU API allows extensive content control for Geo-Blocking and Pay-Per-View/Subscription based viewing (Hosts JB live stream)

Have some fun:

What I wish the new hires “knew”

Round-Up:

The post Double 0-Java | TechSNAP 73 first appeared on Jupiter Broadcasting.

Federal Bureau of Lulz | TechSNAP 48
https://original.jupiterbroadcasting.net/17752/federal-bureau-of-lulz-techsnap-48/
Thu, 08 Mar 2012 20:00:49 +0000
We cover the amazing story of how the FBI infiltrated and exposed LulzSec. And in a retro war story, Microsoft miss more than just a leap day!


We cover the amazing story of how the FBI infiltrated and exposed LulzSec.

And in a retro war story, Microsoft miss more than just a leap day and we answer some of your feedback questions.

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before the end of March to secure your own .co domain name for the same price as a .com.

Private Registration use code: march8

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Show Notes:

LulzSec leader arrested more than 6 months ago, has been working for the FBI

  • Hector Xavier Monsegur (Sabu) was arrested by the FBI on June 7th, 2011
  • Sabu pleaded guilty to the following charges
  • Conspiracy to Engage in Computer Hacking—Anonymous
  • Conspiracy to Engage in Computer Hacking—Internet Feds
  • Conspiracy to Engage in Computer Hacking—LulzSec
  • Computer Hacking—Hack of HBGary
  • Computer Hacking—Hack of Fox
  • Computer hacking—Hack of Sony Pictures
  • Computer Hacking—Hack of PBS
  • Computer Hacking—Hack of Infraguard-Atlanta
  • Computer Hacking in Furtherance of Fraud
  • Conspiracy to Commit Access Device Fraud
  • Conspiracy to Commit Bank Fraud
  • Aggravated Identity Theft
  • Sabu’s complicity with authorities had been suspected for some time, leading to him being doxed (having his personal information released) here
  • Sabu gave a number of interviews to reporters while under the control of the FBI, and was directed to feed them misinformation
  • The FBI alerted more than 300 companies and agencies to potential vulnerabilities that were discovered
  • Sabu was directed by the FBI to have attacks against the CIA’s website stopped
  • The FBI provided Sabu with a server, on which other members of LulzSec were encouraged to dump stolen information, including copies of the StratFor data (emails, credit card numbers, etc)
  • Slashdot Coverage

Attackers breach Sony Records, steal unreleased Michael Jackson recordings

  • More than 50,000 files were copied by the attackers
  • Included in that were a large number of unreleased tracks that Sony paid the Michael Jackson estate 250 million dollars for in 2010
  • Other major names included in the breach: Jimi Hendrix, Paul Simon, the Foo Fighters and Avril Lavigne
  • The attack occurred shortly after the PSN breach in April of 2011, but was only announced recently
  • Two of the alleged attackers appeared in British court last week, after having been arrested in May of 2011

Security design flaw in libVTE writes your terminal buffer to disk

  • Terminals based on libVTE, which include gnome-terminal and xfce4-terminal, may store your scrollback buffer in a plain file in /tmp, where it might be readable by others
  • libVTE v0.21.6 and later (since September 17th, 2009) are vulnerable
  • When libVTE starts, it creates a file in /tmp (named vte.) and then immediately unlinks it. This removes the file’s directory entry, but the file handle is still open, so libVTE can keep writing your scrollback buffer to the file and read it back when needed
  • The issue with this design is that the user is unaware that the data displayed in their terminal is being written to disk
  • Anyone with root or physical access to the machine could then possibly read the contents of your terminal sessions, even after they are closed
  • When you SSH in to a secure machine to do something, you would not expect a record of everything you do to be stored on your local machine
  • Your disk may contain old terminal buffers in its slack space, so be careful who else has access to your machine, and be sure to properly erase the disks before recycling them
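
To see the create-then-unlink pattern from the outside, here is an added Python example (not part of libVTE or of the show notes) that does what `lsof +L1` does on Linux: it reads the `/proc/<pid>/fd` links and reports descriptors whose target carries the kernel’s ` (deleted)` suffix, so an administrator can find which processes are keeping unlinked temp files alive. The self-check creates a constructed `vte.`-prefixed file in the temp directory, unlinks it, and confirms the scanner still sees it. Function names are this example’s own.

```python
"""Report files that were unlinked from the temp directory but are still open.

Added example, not part of libVTE or the show notes. The create-then-unlink
pattern leaves no directory entry, but Linux still exposes the open
descriptor as /proc/<pid>/fd/<n>, a link whose target ends in " (deleted)".
This is the same evidence `lsof +L1` reports.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

DELETED_SUFFIX = " (deleted)"


def deleted_open_files(pid: int, prefix: str = "/tmp") -> List[Tuple[int, str]]:
    """(fd, original path) pairs for unlinked files `pid` still holds open under
    `prefix`. Empty if /proc is absent or the process is not inspectable
    (another user's process, unless run as root)."""
    fd_dir = "/proc/%d/fd" % pid
    found: List[Tuple[int, str]] = []
    try:
        entries = os.listdir(fd_dir)
    except OSError:
        return found
    for entry in entries:
        try:
            target = os.readlink(os.path.join(fd_dir, entry))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(DELETED_SUFFIX) and target.startswith(prefix):
            found.append((int(entry), target[:-len(DELETED_SUFFIX)]))
    return found


def scan_all_processes(prefix: str = "/tmp") -> Dict[int, List[Tuple[int, str]]]:
    """System-wide sweep keyed by pid; run as root to see every user's terminals."""
    report: Dict[int, List[Tuple[int, str]]] = {}
    if not os.path.isdir("/proc"):
        return report
    for name in os.listdir("/proc"):
        if name.isdigit():
            hits = deleted_open_files(int(name), prefix)
            if hits:
                report[int(name)] = hits
    return report


def self_check() -> Optional[bool]:
    """Reproduce the pattern in this process with a constructed vte.-prefixed
    temp file: write, unlink, then confirm the scanner still sees it.
    Returns None on hosts without /proc (e.g. macOS, BSD without procfs)."""
    if not os.path.isdir("/proc/self/fd"):
        return None
    fd, path = tempfile.mkstemp(prefix="vte.")
    real = os.path.realpath(path)
    try:
        os.write(fd, b"constructed scrollback contents\n")
        os.unlink(path)  # gone from the directory listing, still open and writable
        hits = deleted_open_files(os.getpid(), prefix=os.path.dirname(real))
        return any(p == real for _, p in hits)
    finally:
        os.close(fd)


if __name__ == "__main__":
    print("self check:", self_check())
    for pid, hits in scan_all_processes().items():
        for fd, path in hits:
            print("pid %d fd %d: %s" % (pid, fd, path))
```

The scan only finds buffers while the terminal process is alive; once it exits, the blocks are freed and, as the last bullet says, live on only as slack space until overwritten, which is a job for disk erasure rather than for this kind of monitoring.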

Feedback:

Q: Sean (aka Jungle-Boogie) asks… Can you give me some tips to make SSH servers more secure?

Helpful Links:
SSH/OpenSSH/Configuring – Community Ubuntu Documentation
SSH Server: A more secure configuration – Ubuntu Forums

Q: Paolo asks… Are there any more security risks for connecting to the Internet using a static IP?

War Story:

It was October 1996. Microsoft Windows 95 was the relatively new kid on the block (at least over here in Ireland) and I had just accepted a job working at a PC retailer. After realising that my Chemistry degree was not going to get me a job that I’d actually want to have I trained up in electronic engineering and was building and testing emergency lighting systems when the chance to turn my computer hobby into a job presented itself. The company wanted me to build PCs, sell PCs and handle repairs when possible. It sounded like a good entry level position to get me into the industry.

The company wanted to ramp their sales up for the Christmas period and the demand was certainly there so I proposed an expansion of the operation. The retail unit had a small workshop in the back which was fine for one tech to work in, but that was about the limit. There was a Pharmacy nearby that apparently had a warehouse out back that was unused. A couple of weeks later, after the holidays, we moved the system building operation into that warehouse. We took on 7 more people and I put together a crash course in PC building for them. My basic idea was to make a production line. One guy pulled the cases out of their packaging and prepped them for the next guy who set up the motherboards before passing it to the next guy who hooked up the drives and cables. I had two lines doing that and myself and one more guy in a side office doing quality control.

Once a PC got through quality control i.e. it booted up and POSTed properly, it was time to install the operating system. The guy who owned the company decided that every machine should be preloaded with a vanilla Windows 95 installation. I found that the fastest way to accomplish that with my limited knowledge at the time was to have a Windows 95 bootdisk that loaded up, formatted the hard disk and made it bootable, loaded up a parallel port Iomega Zipdrive config and then copied over the Windows 95 folder structure that I had taken from a pre-configured machine with an identical hardware spec. Ah, if only I had known then what I know now about drive cloning and sysprep etc. Anyway, the process worked for us and we were able to produce a built PC every 12 minutes with a further 15 mins for imaging. One computer ready for sale every 30 mins was pretty good for a rookie with a bunch of luddite minions…er…I mean assistants.

We kept up that pace for a couple of months with slight tweaks and improvements applied over that period. When I “cloned” that original PC operating system, I had been told that the product key was a “system builder key” that was good for 10,000 uses. Being a dumb ass, naive geek who just wanted to make more and more computers work, I never questioned that point. I even had the key written in huge letters on a banner above the door to the side office in the warehouse. In fact, it is still burned into my memory today: 13895-oem–001x05x–4xx37 (masked, it’s old but I don’t wanna get sued by MS).

The fun began when it turned out that over the course of our highly successful and prolific sales of computers, we had apparently sold one to an actual Microsoft employee. This guy was apparently going from store to store around the country and purchasing computers to see if they came with proper licences. One frosty day in April, some Microsoft suits and some police officers showed up at the retail office and announced that they were “raiding” the operation under suspicion of software piracy. The warehouse was a 5 minute walk from the office and when the raiders were walking around, the officer rang us in the warehouse to tell us what was happening. It was time to think fast or flee. I figured my brain moved faster than my body so I stood still and put my grey matter to work in the short amount of time that I had.

There were about 14 PCs on a wooden pallet at the door ready for sale. It dawned on me that those computers were all back in the original box that the cases arrived with. We moved the pallet to the start of the production line right beside the empty, unopened PC cases. I grabbed my lunch, hopped up onto the PCs and acted like I was on a break. A minute or so later, the raid party with Police accompaniment arrived and presented their warrant to search the warehouse. I told them to have at it and stayed on my “seat” to observe. One of the suits grabbed a few computers from inside the QC room and asked one of my helpers to hook it up to a monitor so it could be checked. The computer powered on, POSTed perfectly and then displayed a black screen proclaiming a lack of an operating system. The suit looked positively perplexed by this. He went through every PC in the stack outside the QC room over the course of an hour or so and every one did the exact same thing.

He consulted with his companion and they decided to question me about the computers. I explained that we would build them, test them thoroughly in the QC room and then send them up to the retail office to be sold. I told him how sometimes the hard disks were refurbs and might contain old data but we didn’t really have the time to format them all as the owner was such a damned slave driver. There was a little more questioning but for the most part, the guy looked genuinely disheartened. Afterwards, I thought about it and I think he had a “Geraldo Rivera with the Capone safe” scenario. He had probably bragged about busting this huge pirate operation and had fallen flat on his face.

He apologised for the inconvenience, thanked me for my cooperation and shook my hand. I jumped down off my pile of computers to see him, his companion and their police escort off the premises. The ordeal was over and we’d had a lucky escape. Every time that guy walked into the QC room he just had to look up and see the product key banner above the door and we would have been sunk. If he had looked at what I was sitting on and gotten even slightly curious then I was completely screwed. Suffice it to say, none of that happened and I got away with my deception.

I immediately started looking for my next job in the industry away from that particular style of PC business but I learned a valuable lesson that day – “hiding in plain sight really is the best approach sometimes”.

Round Up:

The post Federal Bureau of Lulz | TechSNAP 48 first appeared on Jupiter Broadcasting.

Bitcoin Explained | TechSNAP 9
https://original.jupiterbroadcasting.net/9276/bitcoin-explained-techsnap-9/
Fri, 10 Jun 2011 07:41:55 +0000
We’ll dig into bitcoin and explain what it is, and how it works. Is there a future for this Cryptocurrency?


We’ll dig into bitcoin and explain what it is, and how it works. Is there a future for this Cryptocurrency?

Plus Sony is in the news again, and it’s not good… And we talk about a new ruling on how far your bank has to go to protect you from cyber criminals.

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com


Show Notes:

Topic: Sony hacked yet again

  • LulzSec has compromised a few more Sony properties in the last week
  • At 11 a.m. EST on June 6, LulzSec leaked the source code to the Sony PSN Developer Network
  • This could allow people to find more flaws in the Sony system very quickly
  • This also opens up the possibility of a ‘private’ version of the PSN network, allowing owners of hacked PlayStations to get the benefits of a number of PSN services without cost or worrying about being identified.
  • The fact that LulzSec was able to access the source code also opens up the possibility that they could have made changes to the code, allowing all sorts of mayhem (unlocking paid content for everyone, or harming users by streaming all credit card transactions off-site somewhere)
  • LulzSec also used an SQL injection attack against Sony Pictures, and was able to export 150,000 records from a database of more than 4.5 million records
  • SQL injection attacks are very common; given the number that have been successfully executed against Sony in the last 2 months, one would expect that Sony would have made efforts to repair some of their software
  • One apparent member of LulzSec, Robert Cavanaugh, was taken into custody by the FBI. LulzSec claims he is not a member.
  • LulzSec also compromised a Nintendo server and published its configuration file as proof. No corporate or customer data was taken.
  • LulzSec has also started going after sites affiliated with the FBI
  • In addition, LulzSec has taken responsibility for compromising Fox TV and publishing a list of X-Factor contestants.

Topic: RSA Admits SecurID tokens compromised

  • RSA is expected to have to replace all 40 million tokens that are in use world wide
  • Popular users of RSA SecurID Tokens: The Pentagon, Lockheed Martin and other military contractors, World of Warcraft, PayPal/eBay, major account holders at some banks

Topic: US Court ruling to define ‘Reasonable Security’

  • An ongoing court battle is nearing an end; the final ruling will likely determine the standard for how much commercial banks must do to protect their customers from cyber thieves.
  • The case stems from an incident where a construction company that used online banking to do its payroll had its PC compromised with the ZeuS trojan. The botnet operators managed to siphon $588,000 out of the company’s account using a series of ACH transfers over the course of 7 days.
  • The bank managed to recover $243,406 of the funds, leaving the contractor on the hook for the remaining $345,445
  • The bank had recently changed its policies to require users to answer one of their security questions for each transaction. This change actually made it easier for the botnet operators to capture the answers to these questions, which allowed them to initiate their own transfers
  • Guidelines established in 2005 by the Federal Financial Institutions Examination Council (FFIEC) require two-factor authentication
  • The bank claims it was doing two-factor authentication by checking the username/password (something you know) and a ‘device id’ (something you have). The device ID appears to have been nothing more than the browser string, which is easily faked, or in this case circumvented entirely by the ZeuS trojan, which uses the victim’s own browser on their own PC to initiate the fraudulent transfers.

Topic: Bit Coin farmers raided by police for suspected pot farm

  • A local law allowed the police to get a warrant for any property that used more than an average amount of electricity each month

Topic: What is bitcoin?

Bitcoin is a digital currency created in 2009 by Satoshi Nakamoto. It is also the name of the open source software designed in order to use this currency.
Bitcoin is one of the first implementations of a concept called cryptocurrency, which was first described in 1998 by Wei Dai on the cypherpunks mailing list.

Building upon the notion that money is any object, or any sort of record, accepted as payment for goods and services and repayment of debts in a given country or socio-economic context, Bitcoin is designed around the idea of using cryptography to control the creation and transfer of money, rather than relying on central authorities.

Great video: https://www.weusecoins.com/
Ars Technica also has a great write up.

Isn’t it just a fake vaporware currency?

  • It’s already valued at $200 million USD.
  • There are various definitions of success here. Bitcoin may always see value as simply serious competition to PayPal.
  • Bitcoin’s value is as “fake” as the dollar, or many other things we as a people agree to collectively assign value to.

Ugh.. Another virtual money? Linden dollars, Xbox Points, Atari Credits, ENOUGH!!

  • Bitcoin goes beyond just another online “virtual dollar”.
  • Its distributed P2P nature means no single controlling interest can shut down your account, refuse a transaction, or charge a transfer fee.
  • No single controlling party can impact the value of the bitcoin.
  • Bitcoin could have the potential to unify everything into a single online currency.
  • Users’ value would move with them between games/services. This is more critical to those with limited funds to spend on these types of services/games.
  • Mining bitcoins gives advantages that level the playing field for those who otherwise cannot economically participate in the common up-sell environments found with online gaming and services.
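
Since “mining” comes up repeatedly in these notes, here is an added example (not bitcoin’s own code) of the proof-of-work idea behind it: a miner varies a nonce until the double-SHA-256 of a block header falls below a target, and each extra leading zero bit demanded doubles the expected work. Anyone can verify a solution with a single hash. The header layout, the inputs and the difficulty levels are simplified and constructed for this example; names are this example’s own.

```python
"""Hashcash-style proof of work, the idea behind bitcoin mining.

Added example, not bitcoin's own code. A miner varies a nonce until the
double-SHA-256 of the block header is below a target; every extra leading
zero bit required halves the target and doubles the expected number of
hashes. The header layout, inputs and difficulty levels are simplified and
constructed for this example.
"""
import hashlib
import struct
from typing import Optional


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_bits(leading_zero_bits: int) -> int:
    """A hash read as a 256-bit integer is valid when it is below this target."""
    return 1 << (256 - leading_zero_bits)


def header_bytes(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    # Simplified header: previous block hash, merkle root, time and nonce (little-endian).
    return prev_hash + merkle_root + struct.pack("<II", timestamp, nonce)


def header_hash(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> int:
    return int.from_bytes(sha256d(header_bytes(prev_hash, merkle_root, timestamp, nonce)), "big")


def mine(prev_hash: bytes, merkle_root: bytes, timestamp: int,
         leading_zero_bits: int, max_nonce: int = 1 << 32) -> Optional[int]:
    """Return the first nonce whose header hash is below target, or None if the
    nonce space is exhausted (a real miner would then change the header)."""
    target = target_from_bits(leading_zero_bits)
    for nonce in range(max_nonce):
        if header_hash(prev_hash, merkle_root, timestamp, nonce) < target:
            return nonce
    return None


def verify(prev_hash: bytes, merkle_root: bytes, timestamp: int,
           nonce: int, leading_zero_bits: int) -> bool:
    """Checking a solution costs one hash; finding it cost about 2**bits of them."""
    return header_hash(prev_hash, merkle_root, timestamp, nonce) < target_from_bits(leading_zero_bits)


# Constructed inputs: an all-zero previous hash, a made-up transaction digest, a fixed time.
PREV_HASH = bytes(32)
MERKLE_ROOT = hashlib.sha256(b"constructed transaction list").digest()
TIMESTAMP = 1307692800


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce = mine(PREV_HASH, MERKLE_ROOT, TIMESTAMP, bits)
        ok = nonce is not None and verify(PREV_HASH, MERKLE_ROOT, TIMESTAMP, nonce, bits)
        print("%2d leading zero bits: nonce=%s (about %d hashes expected) valid=%s"
              % (bits, nonce, 2 ** bits, ok))
```

The asymmetry is the whole point: the network accepts whichever valid block arrives first, so whoever controls most of the hash rate controls which chain advances, which is why the worry about a single pool nearing 50% (discussed below) is a real one rather than a cosmetic one.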

What are the REAL issues?

One pool to rule them all?
deepbit.net: If too much of the network power goes to one pool, don’t we just create a single point of failure? MANY in the bitcoin community are very worried about deepbit.net approaching 50% of the mining power of the network. Many are calling/asking for miners to switch to new pools to balance things out.

Hashrate Distribution:

Comparison of mining pools

What about the Exchange?
Mt. Gox is the #1 way to get cash into Bitcoin, if this site were taken down by the gov, or something else, it would be a massive blow to the value of bitcoin.

What happens if Mt. Gox goes down?

What is next?

More places* need to accept bitcoin, this is starting to happen more and more:

*The online porn industry could really win big here. Bitcoin for porn could be huge. Anonymous money, that can be generated via your GPU.

Legal Battles:
US senators seek a crackdown on Bitcoin and could possibly try to target Mt. Gox

Safely transfer bitcoin between parties with escrow?

Bitcoin for a little fun?

Bitcoin Poker Room
Chris’ captured footage of the live poker stream

How to Mine & Get Started with Bitcoin:

Is it worth it? Use this: Bitcoin Mining Calculator
Check out Nean’s guide in the Colony

Download any of these bitcoin miners:

How to get started with GPU Mining with bitcoin:
Mining hardware comparison
Ubuntu Natty Narwhal 11.04 Mining Guide / HOWTO
Profit Calculator

Buy them:
Trade bitcoins IRL
Mt Gox
#bitcoin-otc marketplace – Currently the best way to buy bitcoin with PayPal.

How can bitcoin help business like JB?

Donate some coins: 1CirPhywbP9qNEL1CH8dTMPiqSfY1SmV4m

Community pooling, with a network “fee” that goes to support the network. The community mines for each other, and the network. Fans helping fans.

Bitcoin Javascript page, easy mining to help the network –

  • Could less reputable sites hide/embed this JS code to steal your CPU cycles? YES.
  • Could it become a way to replace Ads on a site? Maybe…

Follow Chris’ always up-to-date obsession feed with bitcoin!

Want to know more about bitcoin?

Download & Comment:

The post Bitcoin Explained | TechSNAP 9 first appeared on Jupiter Broadcasting.

Hijacking the News | TechSNAP 8
https://original.jupiterbroadcasting.net/9026/hijacking-the-news-techsnap-8/
Thu, 02 Jun 2011 21:32:26 +0000
Find out about the hack that leaked the "truth" about Tupac, and the details of 100s of GMail accounts that have been snooped on!


Google has confirmed that 100s of Gmail accounts were being snooped on, and the targets of this attack are not happy!

The cookie catastrophe in the UK continues, we’ll share the brutal details!

And find out about the hack that leaked the truth about Tupac.

Plus some great audience submitted questions, and our answers!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com



Show Notes:

Topic: 100s of GMail accounts hacked from China

  • Users were all victims of a phishing scam
  • Attackers used stolen passwords and setup forwarding and delegation to be able to spy on all current and future mail for that account, even if the password was changed
  • Google stresses “It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself.”
  • Targets seemed to be politically motivated, going after government officials and journalists

Topic: PBS website hacked

  • LulzSec, one of the hacker groups from the Sony attacks we discussed last night, managed to gain access to several areas of the PBS website.
  • They published the user login information they were able to siphon from the database
  • They were able to post fake news stories and could have caused serious harm (however, their story was that rapper Tupac Shakur was still alive and living in New Zealand)
  • If they had published specially crafted news stories, they could have infected the computers of visitors to the site, or caused havoc on the stock market by falsely reporting news about various companies.
  • LulzSec says the attack was in protest at a PBS Frontline episode that was critical of WikiLeaks

Topic: I told you so

https://yro.slashdot.org/story/11/05/27/2249210/BBC-Site-Uses-Cookies-To-Inform-Visitors-of-Anti-Cookie-Law

  • In order to comply with a new UK law governing website cookies, when you visit some BBC websites such as radiotimes.com you will be presented with a message telling you about the new law. This message uses a cookie to remember that it has been displayed to you, and will not appear next time you visit the site, to avoid annoying you.
  • This means they are using a cookie, to tell you about how they are not going to use cookies without your consent.
  • In the future, without the use of something like the google/mozilla ‘do not track’ system, users who decline to accept a cookie will be prompted with such warnings every time, because there will be no way to store their acceptance of the agreement to accept cookies, without using a cookie.
  • This is why this issue should have been left to users and browser manufacturers, who already have the issue well in hand with security settings, private browsing modes, and the do-not-track system.
  • This law will become effectively unenforceable

Topic: Defense Contractor Lockheed Martin compromised by duplicate RSA SecurID Tokens

  • Attackers broke into the secure networks of Lockheed Martin and other government contractors by creating duplicates of RSA SecurID tokens
  • It is not clear what data may have been taken. It is unlikely that this information will ever be released by Lockheed Martin because it is likely highly sensitive.
  • RSA SecurID is a two-factor authentication system. It is designed to thwart key-loggers and similar attacks by combining the usual username/password combination with a dynamic token code that changes every few seconds.
  • Senior defense officials claim that while contractors’ networks contain sensitive data, all classified data is on separate, closed networks managed by the U.S. government
  • The Pentagon also uses RSA SecurID tokens, but declined to say how many
  • Apparently the attackers learned how to duplicate the SecurID tokens using information stolen during the Advanced Persistent Threat attack on RSA that we discussed in episode 002 of TechSNAP
  • The RSA attack was followed by targeted malware and phishing attacks on customers who used the RSA SecurID system, in an effort to collect the information necessary to duplicate the SecurID tokens
  • This raises questions about the RSA SecurID system: can it be fixed, or does the entire system need to be redesigned? It seems that it is far too easy to duplicate the SecurID tokens.

Q: (Swadhin) What are the differences between the virtualization that we do on our home PC and the virtualization that you people do on enterprise servers?
A: Mostly the virtualization used in enterprises is the same as what you can do on your home PC. One of the main differences is that in an enterprise, they will have many different servers hosting the virtualized systems, but they will all use what is called ‘shared storage’, usually something like iSCSI. This does not mean that all of the virtual disks reside on the same physical drive, just that they are accessible from a single place. The advantage of this system is that it becomes possible to ‘migrate’ a virtual machine from one physical host to another without rebooting the virtual machine. The disk is not moved at all, so all that happens is that the memory footprint is transferred from the first host to the second host. Then the virtual machine is paused, any changes in the memory footprint made during the transfer are synchronized, and the virtual machine is unpaused on the new host. This allows individual physical host machines to be shut down for maintenance without taking down the virtual machines hosted there. It also allows for load balancing: if a few virtual machines on the same physical host are very busy, one or more of them can be moved to other, less busy hosts to maintain the highest possible performance. Another feature of this system is that it lets you maximize the efficiency of your hardware. Some physical machines can be turned off when the load level is lower, and then if the currently running machines are approaching their maximum load levels, you can turn some more physical machines on and have the load balanced onto them. When the load levels fall again, you can turn some physical machines back off. This reduces your power usage, and makes sure you don’t have a bunch of servers just sitting around idle, wasting electricity and running up your cooling bill.


Q: (Alexander) I am building a new home network for my roommates and me at college; we plan to build a virtualization server as described on the ‘build your own cloud’ episode of LAS. I have a few questions:

  1. Should I buy a managed or an unmanaged switch?

A: Likely you do not need a managed switch. Managed switches provide features like ‘VLANs’, a way to break the switch up into logical groups of ports and simulate having multiple separate switches (which can even span physical switches). This functionality is good for keeping different parts of the network separate (for example a DMZ to put your servers in, and then separate internal LANs), but is likely unnecessary in your setup. You can save yourself hundreds of dollars by just getting an unmanaged switch.

  2. Should I build a virtualization server and a storage server, or one that functions as both?

A: The advantage of having a separate storage server, if you use something like iSCSI for the storage system, is the ability to move the virtual machines between physical hosts. This is really only helpful if you have more than one virtualization server, so again, you can probably save money by building only a single server.

  3. How much power would you think a system like this would draw?

A: That depends; you will be able to see it in the specs for the server when you go to buy it, but overall not that much. Hard drives draw fairly little power, and a quad core processor is usually between 94 and 135 watts, unless you get a lower power version. Servers also tend to have higher efficiency power supplies, at least 80% efficient, so less of the power draw is exhausted as waste heat.

  4. How would I run multiple web servers in my network and have them all accessible to the outside world with only one external IP address?

A: If you only have a single external IP, your options are fairly limited. Either you run each web server on a different port, which is cumbersome for users, or you use a reverse proxy to do virtual hosting. All web servers are capable of doing virtual hosting, that is, serving a different site based on the ‘Host’ header that the user’s browser sends when it requests a page. The idea here would be to set up something like NGINX or lighttpd to listen on your single IP, and route each connection to the right internal web server based on the hostname or path being requested. This solution also works for routing different parts of a website to different internal servers while maintaining a single ‘domain’, which can be important for cookies and for the JavaScript and Flash ‘same domain’ policies.
Reverse Proxy: https://nginx.org/
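As an added example of the reverse-proxy answer above (this configuration is constructed for illustration and is not from the show or the nginx project), here is a minimal nginx.conf that listens on the single public IP and routes by Host header to two internal servers, and by path under one domain to a third. The hostnames `blog.example.com`, `wiki.example.com` and `www.example.com`, and the RFC 1918 backend addresses, are placeholders.

```nginx
# Added example: one nginx instance on the single external IP, doing
# name-based virtual hosting (Host header) and path-based routing.
events {
    worker_connections 1024;
}

http {
    # Internal web servers on the home LAN (placeholder addresses)
    upstream blog_backend { server 192.168.1.10:80; }
    upstream wiki_backend { server 192.168.1.11:80; }
    upstream api_backend  { server 192.168.1.12:8080; }

    # Headers every proxied request should carry so the backend sees the
    # original hostname and the real client address in its logs.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Name-based virtual host: selected by the Host header the browser sends
    server {
        listen 80;
        server_name blog.example.com;
        location / {
            proxy_pass http://blog_backend;
        }
    }

    server {
        listen 80;
        server_name wiki.example.com;
        location / {
            proxy_pass http://wiki_backend;
        }
    }

    # Path-based routing under a single domain, so cookies and the
    # JavaScript/Flash same-origin rules see one host.
    server {
        listen 80;
        server_name www.example.com;

        # Trailing slash on proxy_pass strips the /api/ prefix before forwarding
        location /api/ {
            proxy_pass http://api_backend/;
        }

        location / {
            proxy_pass http://blog_backend;
        }
    }

    # Catch-all for requests whose Host header matches none of the above.
    # Without this, nginx silently serves them from the first server block;
    # 444 closes the connection without a response instead.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }
}
```

The `default_server` block is the part people most often leave out: any request arriving by raw IP or with an unexpected Host header would otherwise land on whichever `server` block nginx picks first, exposing an internal site you did not intend to be reachable that way. Check the file with `nginx -t` before reloading.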


User submitted War Story:
(StayFrosty) I was building a new Windows 2008R2 server for a small business client of mine. The machine was little more than a glorified desktop, but it had a support contract. After installing the OS I started installing the drivers, and noticed that there was a BIOS update. I figured that since the machine was not in production yet, I might as well install that too. During the flashing process, one of the steps failed. I flipped the KVM over to use a different machine to research the problem; while doing so, I heard the fans in the server spin down and then back up. The machine had rebooted automatically to install some Windows updates. When I flipped the KVM back, nothing but a black screen. Luckily, when I contacted the hardware provider, they told me about the BIOS recovery jumper and I was able to get the machine back online.


The post Hijacking the News | TechSNAP 8 first appeared on Jupiter Broadcasting.

]]>