MITM – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Feed generated Wed, 08 Apr 2020 02:28:52 +0000

OK OOMer | LINUX Unplugged 348
https://original.jupiterbroadcasting.net/140912/ok-oomer-linux-unplugged-348/
Tue, 07 Apr 2020 18:00:00 +0000
Show Notes: linuxunplugged.com/348

The post OK OOMer | LINUX Unplugged 348 first appeared on Jupiter Broadcasting.

Firewall Fun | TechSNAP 421
https://original.jupiterbroadcasting.net/138857/firewall-fun-techsnap-421/
Fri, 24 Jan 2020 00:15:00 +0000
Show Notes: techsnap.systems/421

The Coffee Shop Problem | TechSNAP 413
https://original.jupiterbroadcasting.net/135407/the-coffee-shop-problem-techsnap-413/
Thu, 03 Oct 2019 23:15:16 +0000
Show Notes: techsnap.systems/413

Pain the APT | LINUX Unplugged 285
https://original.jupiterbroadcasting.net/128971/pain-the-apt-linux-unplugged-285/
Wed, 23 Jan 2019 05:35:16 +0000
Show Notes/Links: linuxunplugged.com/285

Firecracker Fundamentals | TechSNAP 391
https://original.jupiterbroadcasting.net/128256/firecracker-fundamentals-techsnap-391/
Fri, 30 Nov 2018 08:21:16 +0000
Show Notes: techsnap.systems/391

Signature Bloatware Updates | TechSNAP 270
https://original.jupiterbroadcasting.net/100366/signature-bloatware-updates-techsnap-270/
Thu, 09 Jun 2016 10:03:13 +0000

The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!

Thanks to: DigitalOcean, Ting, iXsystems

Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

  • “According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
  • “OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
  • “Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
  • “Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
  • “The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
  • The results:
    • Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
    • Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
    • Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
    • Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
    • Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
  • Other findings:
  • “Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
  • Every new machine came with crapware, and an auto-updater for the crapware. The auto-updater made the machine less secure, not more secure as you would expect. Not to mention that this report doesn’t actually look at the crapware itself.
  • “There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
  • They didn’t have to try very hard; some of these updaters run a local HTTP server that anything can connect to
  • “Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
  • This means that a random person at the coffee shop, or the government, can pretend to be your OEM’s update server and feed you malware instead of security fixes
  • “Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
  • Multiple auto-updaters, that is what everyone wants
  • “The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
  • If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
  • “Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
  • So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
  • Additional coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

  • “The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
  • According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
  • “Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
  • “I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
  • “More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
  • Not necessarily; it can depend on the setup. The reason you might expose a printer to the internet like that on purpose is to allow printing while you are away from home, but it isn’t a good idea
  • “Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
  • That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
  • It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

  • “Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
  • They want your card number
  • They want your PIN number
  • “To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
  • “The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
  • The post includes a video of a skimmer being installed in just a few seconds
  • Then it gets interesting: after having read all of Krebs’ advice, the author of the post encountered a skimmer while visiting Indonesia
  • “A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
  • “I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
  • “We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
  • “By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
  • “The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
  • This reaction is very common, and is starting to be troubling
  • After some deduction, he determined the ports on the side were for a USB cable
  • “Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
  • “It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
  • “After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
  • “The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
  • When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
  • “Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
  • “The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
  • The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
  • Going back a few days later, they found a fresh PIN camera installed

Butterflies & Backronyms | TechSNAP 224
https://original.jupiterbroadcasting.net/85537/butterflies-backronyms-techsnap-224/
Thu, 23 Jul 2015 09:42:38 +0000

The BACKRONYM vulnerability hits MySQL right in the SSL protection; we’ll share the details. The hacker group that hit Apple & Microsoft intensifies their attacks, and a survey shows many core Linux tools are at risk.

Plus some great questions, a rockin’ roundup & much much more!

Thanks to: DigitalOcean, Ting, iXsystems

Show Notes:

BACKRONYM – SSL stripping MySQL connections

  • Researchers have identified a serious vulnerability in some versions of MySQL that allows an attacker to strip SSL/TLS connections of their security wrapping transparently.
  • Researchers at Duo Security realized that even when they set the correct option to initiate an SSL connection with the MySQL server, they could not make the client enforce a secure connection.
  • This means that an attacker with a man-in-the-middle position could force an unencrypted connection and passively sniff all of the unencrypted queries from the client to the MySQL database.
  • The vulnerability lies within the behaviour of the ‘--ssl’ client option, which on affected versions is treated as “advisory”: the option attempts to initiate an SSL/TLS connection to the server, but does not actually require one. This allows a MITM attack to transparently “strip” the SSL/TLS protection.
  • The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options.
  • The vulnerability affects MySQL 5.7.2 and earlier versions, along with MySQL Connector versions 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.
  • The vulnerability is nicknamed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL) by the Duo researchers, who also put up a site that riffs on the recent trend of researchers putting up sites for major vulnerabilities.
  • What does BACKRONYM stand for? Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL!
  • They say: “We spent countless hours analyzing the BACKRONYM vulnerability to come up with a human-readable description that would convey the underlying root-cause to infosec professionals.”
  • What do I need to do to fix BACKRONYM?
  • Step 1: PANIC! I mean look at that logo – your database is basically exploding!
  • Step 2: Tell all your friends about BACKRONYM. Use your thought leadership talents to write blog post about BACKRONYM to reap sweet Internet karma. Leverage your efforts in responding to BACKRONYM to build political capital with the executives in your organization. Make sure your parents know it’s not safe to shop online until BACKRONYM is eradicated.
  • Step 3: Actually remediate the vulnerability in any of your affected MySQL client-side libraries (also MariaDB and Percona). Unfortunately, there’s no patch backported for MySQL <= 5.7.2. So if you’re on MySQL 5.6 like 99.99% of the Internet is, you’re basically out of luck and have to upgrade to the MySQL 5.7 “preview release” or figure out how to pull in libmysqlclient >= 6.1.3. Backporting security fixes is hard, apparently.
  • Additional Coverage: New PHP release to fix backronym flaw
  • The BACKRONYM Vulnerability
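An added illustration for the remediation step above (constructed here, not from the show notes or from Duo’s write-up): the `[client]` option-file setting that affected versions treat as advisory, next to the enforcing form. `ssl-mode` with its `REQUIRED`, `VERIFY_CA` and `VERIFY_IDENTITY` values is a real MySQL client option, but it only arrived in the 5.7.11 client, so it is usable only after the upgrade the notes describe; the CA path is a placeholder.

```ini
# Constructed my.cnf fragments (added example, not from the show notes).

# BEFORE: the setting the notes describe as "advisory" on MySQL <= 5.7.2
# and Connector <= 6.1.2. The client *tries* TLS, but carries on in
# cleartext if the server, or a MITM sitting in front of it, reports that
# TLS is unavailable, which is exactly the stripping described above.
#[client]
#ssl

# AFTER: on a fixed client (mysql 5.7.11 or later) the connection fails
# closed instead of falling back. REQUIRED only insists on TLS;
# VERIFY_CA also checks the server certificate against the CA below;
# VERIFY_IDENTITY additionally checks that the certificate matches the
# host name, which is what stops an impersonating middlebox rather than
# just a passive one.
[client]
ssl-mode=VERIFY_IDENTITY
ssl-ca=/etc/mysql/ca.pem   # placeholder: path to the CA that signed the server cert
```

Two practical checks go with this. A client that is still on an affected version does not know `ssl-mode` and will refuse to start with this option file (an “unknown variable” error), which is a blunt but useful way to catch machines that have not been upgraded. And on any client, `SHOW SESSION STATUS LIKE 'Ssl_cipher'` (or the `status` command in the mysql shell) tells you whether the session is actually encrypted: an empty `Ssl_cipher` means cleartext, regardless of what was requested.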

Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks

  • The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.
  • After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity.
  • Symantec has named the group behind the attacks “Butterfly”.
  • Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.
  • The first signs of Butterfly’s activities emerged in early 2013 when several major technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. This was done by compromising a website used by mobile developers (that we covered before on the show) using a Java zero-day exploit to infect them with malware.
  • The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.
  • Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly.
  • Butterfly has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.
  • Butterfly has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
  • Hacktool.Bannerjack is meanwhile used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
  • The group uses Hacktool.Eventlog to parse event logs, dumping out the ones of interest and deleting entries. It also kills processes and performs a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that allows attackers to route traffic through an intermediary node on to their destination node.
  • Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Butterfly is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Butterfly is unaffiliated to any nation state.
  • Links:
  • Butterfly: Profiting from high-level corporate attacks | Symantec Connect Community
  • Hacktool.Securetunnel | Symantec
  • Wild Neutron – Economic espionage threat actor returns with new tricks – Securelist

Core Linux tools top list of most at-risk software

  • The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what projects need support now, instead of waiting for them to break.
  • The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux’s package list and on openhub.net, then scores them based on the amount of risk each presents.
  • A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects to be core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
  • High scores in the survey, said the CII in its page on the project, don’t mean a given program should be ditched, or that it’s to be presumed vulnerable. Rather, it means “the project may not be getting the attention that it deserves and that it merits further investigation.”
  • Apache’s https Web server, a large and “vitally important” project with many vulnerabilities tracked over the years, ranked as an 8 in part because “there’s already large development & review team in place.”
  • Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
  • One of the tricky issues that bubbles up is the complication posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that “the general Apache Portable Runtime (APR) appears to be actively maintained. However, it’s not as clear that the LDAP library in it is as actively managed.” Likewise, anything that uses the Kerberos authentication system — recently implicated in a security issue — typically has “Kerberos” in the notes.
  • linuxfoundation/cii-census · GitHub

SSH1tty leakage | TechSNAP 171
https://original.jupiterbroadcasting.net/62577/ssh1tty-leakage-techsnap-171/
Thu, 17 Jul 2014 17:16:40 +0000

We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in Middle attack.

Plus a fantastic batch of your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems

Show Notes:

Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword

  • Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
  • Their findings are troubling, showing problems with all of the popular services
  • “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
  • The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
  • The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
  • The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly allowing them to lock the user out of other sites.
  • An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (URL/username/password) they do not own with another user, only needing to know the unique ID number, which is a globally unique incrementing counter and so can be predicted. It also allows an attacker to modify another user’s web cards once they are shared
  • “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
  • “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
  • Research Paper

How Russian Hackers stole the Nasdaq (2010)

  • In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq
  • The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
  • The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
  • “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
  • Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
  • The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
  • The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
  • Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
  • “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
  • What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
  • An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened
  • By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it
  • Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding

Tutorial: SSH MITM Downgrade Attack

  • This is a tutorial on how to perform an SSH Man-In-The-Middle downgrade attack
  • The attacker sits between the client and the real SSH server and tricks the connecting client into falling back to the old version 1 of the SSH protocol
  • SSH1 uses a separate host key (RSA1) from SSH2, so its fingerprint will not match the one the user has cached and the client will prompt them to accept a different key
  • Many users will blindly accept this warning
  • If the user can be tricked into dropping to SSH1, it may be possible to capture the username and password they use to log in with
  • Luckily, most modern SSH servers do not allow SSH1 (OpenSSH defaults to Protocol 2)
  • However, some clients, including PuTTY, still allow both SSH1 and SSH2, with a preference for the latter, which is exactly the fallback this attack relies on
  • Users are encouraged to change the setting on their server and in their client to only allow SSH2 (“Protocol 2” in sshd_config and ssh_config; “2 only” under Connection > SSH in PuTTY)
  • Many embedded devices still allow SSH1, including many older Cisco security appliances
  • These devices are perfect targets for this type of downgrade attack
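As an added example (not part of the original show notes or of any tool it mentions), the following script shows how to find the devices the tutorial is talking about before an attacker does: it parses the SSH identification string a server sends (RFC 4253 section 4.2), flags any peer advertising protocol version 1.99 (speaks both SSH-1 and SSH-2) or 1.x (SSH-1 only), and audits an OpenSSH config for a Protocol directive that still includes 1. The banners and config snippets are constructed sample data, the IP addresses are placeholders, and it assumes that an OpenSSH config with no Protocol line means the default of 2.

```python
"""Spot SSH endpoints and configs that still offer protocol 1 (added example, constructed data)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample banners (not captured from real hosts). The format is the
# RFC 4253 s4.2 identification string: "SSH-protoversion-softwareversion SP comments".
SAMPLE_BANNERS: Dict[str, bytes] = {
    "10.0.0.1": b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n",
    "10.0.0.2": b"SSH-1.99-OpenSSH_4.3\r\n",
    "10.0.0.3": b"SSH-1.99-Cisco-1.25\r\n",
    "10.0.0.4": b"SSH-1.5-sshd\r\n",
    "10.0.0.5": b"220 mail.example.net ESMTP\r\n",  # not an SSH service at all
}

_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)


class SshIdent(NamedTuple):
    protoversion: str
    software: str
    comments: Optional[str]


def parse_identification(line: bytes) -> Optional[SshIdent]:
    """Parse the first line a peer sends; None if it is not an SSH identification string."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    match = _IDENT_RE.match(text.rstrip("\r\n"))
    if match is None:
        return None
    return SshIdent(match.group("proto"), match.group("software"), match.group("comments"))


def classify(ident: SshIdent) -> str:
    """RFC 4253 s5.1: "2.0" is SSH-2 only, "1.99" means the peer also speaks SSH-1,
    and any other 1.x value is a protocol 1 only implementation."""
    if ident.protoversion == "2.0":
        return "ssh2-only"
    if ident.protoversion == "1.99":
        return "ssh1-and-ssh2"
    if ident.protoversion.startswith("1."):
        return "ssh1-only"
    return "unknown"


def downgrade_candidates(banners: Dict[str, bytes]) -> List[str]:
    """Hosts whose banner shows they will negotiate protocol 1 with a client that asks for it."""
    hits = []
    for host, banner in banners.items():
        ident = parse_identification(banner)
        if ident is not None and classify(ident) in ("ssh1-and-ssh2", "ssh1-only"):
            hits.append(host)
    return sorted(hits)


def config_allows_ssh1(config_text: str) -> bool:
    """True if an OpenSSH ssh_config/sshd_config enables protocol 1.
    OpenSSH uses the first Protocol line it sees; Host/Match blocks are ignored here.
    ASSUMPTION: when no Protocol line is present the default "2" applies."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Protocol 2,1" or "Protocol=2,1"
        if parts[0].lower() != "protocol":
            continue
        values = parts[1] if len(parts) > 1 else ""
        return "1" in {v.strip() for v in values.split(",")}
    return False


if __name__ == "__main__":
    for host in downgrade_candidates(SAMPLE_BANNERS):
        print(f"{host}: offers SSH-1, downgrade candidate")
    print("'Protocol 2,1' allows SSH-1:", config_allows_ssh1("Protocol 2,1\n"))
```

A 1.99 banner is the interesting case: the server is perfectly happy to speak SSH-2, but it will also accept an SSH-1 session if a client (or an attacker impersonating the client) asks for one, which is what makes the downgrade possible. On a real host the banner can be read with `nc host 22` or `ssh -v host`.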

Feedback


Round-Up:


The post SSH1tty leakage | TechSNAP 171 first appeared on Jupiter Broadcasting.

The Installfest | BSD 19 https://original.jupiterbroadcasting.net/49237/the-installfest-bsd-19/ Fri, 10 Jan 2014 08:37:03 +0000 https://original.jupiterbroadcasting.net/?p=49237 It's the long-awaited "installfest" segment, where we go through the installer of each of the different BSDs.

The post The Installfest | BSD 19 first appeared on Jupiter Broadcasting.



We’ve got some special treats for you this week on the show. It’s the long-awaited “installfest” segment, where we go through the installer of each of the different BSDs. Of course we also have your feedback and the latest news as well… and… we even have our very first viewer contest! There’s a lot to get to today on BSD Now – the place to B.. SD.

Thanks to: iXsystems


– Show Notes: –

Headlines

FreeBSD\’s new testing infrastructure

  • A new test suite was added to FreeBSD, with 3 powerful machines available
  • Both -CURRENT and stable/10 have got the test suite build infrastructure in place
  • Designed to help developers test and improve major scalability across huge amounts of CPUs and RAM
  • More details available here
  • Could the iXsystems monster server be involved…?

OpenBSD gets signify

  • At long last, OpenBSD gets support for signed releases!
  • For “the world’s most secure OS” it was very easy to MITM kernel patches, updates, installer ISOs, everything
  • A commit to the -current tree reveals a new “signify” tool is currently being kicked around
  • More details in a blog post from the guy who committed it
  • Quote: “yeah, briefly, the plan is to sign sets and packages. that’s still work in progress.”

Faces of FreeBSD

  • This time they interview Isabell Long, a 19-year-old who’s involved with FreeBSD
  • She’s a volunteer staff member on the freenode IRC network
  • In 2011, she participated in the Google Code-In contest and became involved with documentation
  • “The new committer mentoring process proved very useful and that, plus the accepting community of FreeBSD, are reasons why I stay involved.”

pkgsrc-2013Q4 branched

  • The quarterly pkgsrc branch from NetBSD is out
  • 13472 total packages for NetBSD-current/amd64 + 13049 binary packages built with clang!
  • Lots of numbers and stats in the announcement
  • pkgsrc works on quite a few different OSes, not just NetBSD
  • See our interview with Amitai Schlair for a bit about pkgsrc

OpenBSD on Google’s Compute Engine

  • Google Compute Engine is a “cloud computing” platform similar to EC2
  • Unfortunately, they only offer poor choices for the OS (Debian and CentOS)
  • Recently it\’s been announced that there is a custom OS option
  • It\’s using a WIP virtio-scsi driver, lots of things still need more work
  • Lots of technical and networking details about the struggles to get OpenBSD working on it

This episode was brought to you by iXsystems


The Installfest

We\’ll be showing you the installer of each of the main BSDs. As of the date this episode airs, we\’re using:
+ FreeBSD 10.0
+ OpenBSD 5.4
+ NetBSD 6.1.2
+ DragonflyBSD 3.6
+ PCBSD 10.0


News Roundup

Building an OpenBSD wireless access point

  • A neat write up we found around the internet about making an OpenBSD wifi router
  • Goes through the process of PXE booting, installing base, using a serial console, setting up networking and wireless
  • Even includes a puffy sticker on the Soekris box at the end, how cute

FreeBSD 4.X jails on 10.0

  • Blog entry from our buddy Michael Lucas
  • For whatever reason (an “in-house application”), he needed to run a FreeBSD 4 jail in FreeBSD 10
  • Talks about the options he had: porting software, virtualizing, dealing with slow old hardware
  • He goes through the whole process of making an ancient jail
  • It’s “an acceptable trade-off, if it means I don’t have to touch actual PHP code.”

Unscrewed: a story about OpenBSD

  • Pretty long blog post about how a network admin used OpenBSD to save the day
  • To set the tone, “It was 5am, and the network was down”
  • Great war story about replacing expensive routers and networking equipment with cheaper hardware and BSD
  • Mentions a lot of the built in tools and how OpenBSD is great for routers and high security applications

PCBSD weekly digest

  • 10.0-RC3 is out and ready to be tested
  • New detection of ATI Hybrid Graphics, they’re working on nVidia next
  • Fixed an issue with detecting disk drives that take a LONG time to probe
  • Re-classifying Linux jails as unsupported / experimental (and all 4 people that use them wept)

Feedback/Questions

  • Daniel writes in: https://slexy.org/view/s2uns1hMml
  • Erik writes in: https://slexy.org/view/s2MeJNCCiu
  • SW writes in: https://slexy.org/view/s21fBXkP2K
  • Bostjan writes in: https://slexy.org/view/s20N9bfkum
  • Samuel writes in: https://slexy.org/view/s20FU9wUO5

Contest

  • We’re going to be having our first viewer contest!
  • We’ll be giving away a handmade FreeBSD pillow – yes you heard right
  • All you need to do is write a tutorial for the show
  • Submit your BSD tutorial write-ups to feedback@bsdnow.tv
  • If you want to email us your idea first, I can tell you if I already have a tutorial for that topic prewritten for the show in the backlog
  • Check bsdnow.tv/contest for all the rules, details, instructions and a picture of the pillow.

  • All the tutorials are posted in their entirety at bsdnow.tv
  • The OpenBSD router tutorial has gotten some improvements. It now includes an option to encrypt all your DNS lookups, as well as some cool utilities you can use for bandwidth monitoring, performance improvements and other fun router stuff
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • BSD Now got some unintended publicity at the 30th Chaos Communication Congress (1:28:16 – 1:31:00 in the video)

Evil DNS is Evil | TechSNAP 106 https://original.jupiterbroadcasting.net/35641/evil-dns-is-evil-techsnap-106/ Thu, 18 Apr 2013 16:02:04 +0000 https://original.jupiterbroadcasting.net/?p=35641 13 of the most popular home routers are wide open to attack, is yours one of them? Tune in to find out.

The post Evil DNS is Evil | TechSNAP 106 first appeared on Jupiter Broadcasting.


13 of the most popular home routers are wide open to attack, is yours one of them? Tune in to find out.

Plus details on the Malwarebytes update that rendered some systems unbootable, the latest on CISPA, your questions our answers…

And so much more, On this week’s episode of… TechSNAP!

Thanks to:

Use our code tech295 to score .COM for $2.95!

35% off your ENTIRE first order just use our code go35off4 until the end of the month!

Catch episode 137 for the TechSNAP 100 T-Shirt awards. Angela and Chris share stories, pictures, and jokes sent in by the TechSNAP audience!

Show Notes:

    Hacking 13 of the most popular home routers

    • Research firm ISE (Independent Security Evaluators) has published their case study on the vulnerabilities in common SOHO (Small Office / Home Office) routers
    • The report resulted in 17 confirmed CVEs and 21 candidates
    • Some of the information has not been disclosed yet, pending fixes from the vendors
    • They tested 13 different routers and found that each could be taken over from the local network
    • 11 of the 13 could also be taken over remotely, 2 of them without an active management session
    • Half of the devices they tested that had NAS capabilities turned out to be accessible by a remote attacker
    • Although it is not enabled by default, if remote management is enabled, a number of these routers can be compromised remotely via authentication bypasses or CSRF (Cross-Site Request Forgery: a form on a malicious web page that submits to your router, riding on your browser’s existing login session, rather than to the site the form is on)
    • Once compromised, the attacker has remote control over your router, allowing them to change the settings, or even overwrite the firmware
    • If an attacker changes the DNS server settings on a router, that means all devices that receive DNS configuration (via DHCP) from that router, now use the evil DNS servers
    • These evil DNS servers can be the key to a MITM (Man In The Middle) attack, when you try to visit facebook, they return the IP address of an evil server, that pretends to be facebook, and steals your credentials
    • Facebook uses HTTPS (SSL/TLS) for login, however the evil server can strip that from the page you actually receive (serving you plain HTTP with the https links rewritten) and do the SSL only on its side as it proxies your requests to the real Facebook; all the user would notice is a missing padlock
    • A newer browser mechanism called HSTS (HTTP Strict Transport Security) was designed to solve this problem: a site sends a Strict-Transport-Security header over HTTPS saying it will ALWAYS use SSL, and from then on the browser refuses to load it over plain HTTP and treats certificate errors as hard failures rather than warnings a user can click through. For sites without HSTS, users who do not know any better and ignore the warnings can still be vulnerable. The header includes a TTL (max-age); after that time SSL is no longer required (the TTL is refreshed each time the header is seen, so it only expires if it is not seen for that period of time). The problem with HSTS is that if you have never received the header, because you had not been to the site before you were MITM’d, then you are not protected; browser preload lists, which ship a site’s HSTS policy inside the browser itself, exist to close that gap
    • If an attacker has full control over your router, they can also overwrite the firmware with their own, which might not allow any further firmware updates, meaning the router would have to be physically replaced. They could also purposely write invalid firmware to your router, bricking it
    • With custom firmware on your router, they could do additional traffic interception and manipulation, blocking your access to software updates (OS updates, Java, Flash, etc.), or inject malware into legitimate websites or downloads
    • The biggest concern is that most users never update the firmware on their router, so even if these vulnerabilities are patched, most of these devices will be vulnerable until they are replaced
    • The researchers have some advice for router vendors to make these types of problems easier to fix
      • Digitally sign firmware, so the routers will not accept malicious firmware (the downside is that it may also block third-party firmware projects like DD-WRT)
      • Design an automated update system for routers, since most users are not savvy enough to update the firmware themselves, and even if they are, there is no mechanism to notify them that an update is available/required. This should have an opt-out option, so power users can disable automatic updates
      • Make sure all requests actually validate the HTTP Authentication data
      • Implement Tokens in HTML forms to prevent CSRF
    • As an administrator of a SOHO router, the researchers recommend the following:
      • Never enable the remote administration options
      • Upgrade the firmware regularly
      • Do not enable unused network services, even on the LAN side (Telnet, FTP, SMB, UPnP)
      • Log out from and restart the router after each administrative session; this ensures the session cannot be hijacked via your browser later
      • Clear browser cookies and active logins after you log out of the router (or only log in to the router in a private browsing window)
      • Use a non-standard LAN IP range (still an RFC 1918 range, e.g. 192.168.13.0/24) to prevent attacks from malicious sites and software that guess the common ranges
      • Enable HTTPS on your router’s administrative interface if it supports it
      • Use WPA2 for your WLAN; if an attacker gains access to your wireless, it is much easier to attack your router
      • Only install firmware from the router manufacturer’s website (there are many ‘driver’ and ‘firmware’ download sites on the internet that are malicious)
      • Choose a strong administrative password that is at least 12 characters, most routers do not rate limit attacks over the LAN
    • CNET Interviews Researchers
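The HSTS behaviour described above (header only honoured over TLS, a TTL that each sighting refreshes, and no protection at all before the first clean visit) is easy to get subtly wrong, so here is a small model of a browser’s HSTS store written for this page as an added example. It is not code from the research report or from any browser; host names use the reserved example.com domain and the timestamps are constructed. The parsing follows the directive grammar of RFC 6797 (max-age and includeSubDomains), and `must_use_tls` walks up the domain labels the way a browser does when it checks a superdomain’s includeSubDomains policy.

```python
"""Model of a browser's HSTS store (RFC 6797), added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age_seconds, include_subdomains).
    Returns None when max-age is missing or malformed, in which case the header is ignored."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsEntry:
    expires_at: float
    include_subdomains: bool


class HstsStore:
    """What a browser remembers about which hosts must only be reached over TLS."""

    def __init__(self) -> None:
        self._known: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: str, over_tls: bool, now: float) -> None:
        # RFC 6797 s8.1: only honour the header on an error-free TLS connection,
        # so an attacker serving plain HTTP can neither set nor clear a policy.
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._known.pop(host, None)  # max-age=0 is how a site withdraws its policy
            return
        # Every sighting restarts the clock, so a regularly visited site never lapses.
        self._known[host] = HstsEntry(now + max_age, include_subdomains)

    def must_use_tls(self, host: str, now: float) -> bool:
        """True if the browser would refuse plain HTTP to this host right now."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._known.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires_at:
                del self._known[candidate]  # policy lapsed: back to the unprotected state
                continue
            if candidate == host or entry.include_subdomains:
                return True
        return False


def first_visit_gap() -> Tuple[bool, bool]:
    """Same browser, same site: before and after the site has ever been seen over TLS."""
    store = HstsStore()
    before = store.must_use_tls("www.example.com", now=0)  # fresh browser on a hostile network
    store.observe("www.example.com", "max-age=31536000", over_tls=True, now=0)
    after = store.must_use_tls("www.example.com", now=3600)  # same browser, later visit
    return before, after


if __name__ == "__main__":
    print("protected before first TLS visit / after:", first_visit_gap())
```

The two things to take away from the model: a policy set over a clean TLS connection cannot be removed by the evil DNS server, because anything it serves arrives over plain HTTP and is ignored; and a store that has never seen the header returns False, which is the state every user of a compromised router is in for any site they have not visited before.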
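The two vendor-side fixes above (validate authentication on every request, and put a token in every form so a page on another origin cannot submit it) are shown here in a toy model of a router’s “apply DNS settings” handler. This is an added example written for this page, not code from the report or from any router firmware: the credentials, the 192.168.13.1 router address and the RFC 5737 documentation addresses used for the DNS servers are all constructed, and the request dictionary stands in for whatever the firmware’s HTTP layer actually passes around.

```python
"""A router's 'apply DNS settings' handler, as many SOHO firmwares do it and then with a
session-bound CSRF token. Added example; all names and addresses are constructed."""
import hashlib
import hmac
import secrets
from typing import Any, Callable, Dict

ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"   # constructed credentials
ROUTER_LAN_ADDR = "192.168.13.1"                   # RFC 1918 address used by the example
EVIL_DNS = "203.0.113.53"                          # RFC 5737 documentation address
SERVER_SECRET = secrets.token_bytes(32)            # per-boot key for deriving CSRF tokens

# A request as the router's HTTP layer would hand it over. The browser attaches the
# session cookie to *every* request for the router's origin, whoever triggered it.
Request = Dict[str, Any]


class Router:
    def __init__(self) -> None:
        self.dns_servers = ["192.0.2.1"]           # RFC 5737 documentation address
        self.sessions: Dict[str, str] = {}         # session id -> user name

    def login(self, user: str, password: str) -> str:
        ok = hmac.compare_digest(user.encode(), ADMIN_USER.encode()) and \
            hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())
        if not ok:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def csrf_token(self, sid: str) -> str:
        # Bound to the session and embedded in the settings page the router renders.
        # A page on another origin cannot read it, so it cannot build a form that carries it.
        return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def apply_dns_vulnerable(router: Router, req: Request) -> bool:
    """Checks only that a logged-in session cookie is present."""
    sid = req["cookies"].get("session")
    if sid not in router.sessions:
        return False
    router.dns_servers = [req["form"]["dns"]]
    return True


def apply_dns_hardened(router: Router, req: Request) -> bool:
    """Same session check on every request, plus POST only and a token the attacker cannot get."""
    sid = req["cookies"].get("session")
    if req["method"] != "POST" or sid not in router.sessions:
        return False
    presented = str(req["form"].get("csrf_token", ""))
    if not hmac.compare_digest(presented, router.csrf_token(sid)):
        return False                                # forged or replayed form: rejected
    router.dns_servers = [req["form"]["dns"]]
    return True


def cross_site_attack(router: Router, handler: Callable[[Router, Request], bool]) -> bool:
    """Victim logs into the router, then visits a page that auto-submits a form to it."""
    sid = router.login(ADMIN_USER, ADMIN_PASSWORD)
    browser_cookie_jar = {"session": sid}           # browser state; the attacker never sees it
    forged: Request = {                             # built by the attacker's page
        "method": "POST",
        "path": f"http://{ROUTER_LAN_ADDR}/apply",
        "cookies": browser_cookie_jar,              # the browser adds these automatically
        "form": {"dns": EVIL_DNS},                  # no csrf_token: not readable cross-origin
    }
    handler(router, forged)
    return router.dns_servers == [EVIL_DNS]


def legitimate_change(router: Router, new_dns: str) -> bool:
    """The router's own settings page submits the token it rendered."""
    sid = router.login(ADMIN_USER, ADMIN_PASSWORD)
    req: Request = {
        "method": "POST",
        "path": f"http://{ROUTER_LAN_ADDR}/apply",
        "cookies": {"session": sid},
        "form": {"dns": new_dns, "csrf_token": router.csrf_token(sid)},
    }
    return apply_dns_hardened(router, req)


if __name__ == "__main__":
    print("vulnerable handler hijacked:", cross_site_attack(Router(), apply_dns_vulnerable))
    print("hardened handler hijacked:  ", cross_site_attack(Router(), apply_dns_hardened))
```

Note that switching the session cookie for HTTP Basic authentication would not help on its own: browsers re-send cached Basic credentials just as automatically as cookies, which is why the report’s advice to log out and restart the router after each admin session matters as much as the token does. The token only works if the router derives it from something the attacker’s page cannot read (here the session id under a server secret) and compares it with a constant-time check.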

    Malwarebytes issues faulty update that cripples computers

    • Antivirus vendor Malwarebytes issued a definition update that mistakenly identified legitimate Windows system files as Trojan.Downloader.ED
    • The offending update was v2013.04.15.12, and was only available on their site for 8 minutes before it was pulled when the error was discovered
    • This is not the first time an AV vendor has made such a mistake; in fact nearly every vendor has had such an incident
    • In the constant battle to ensure users are protected against the latest threat, the chance of false positives and faulty updates causing issues is only increasing
    • MBAM has promised to enact new protocols to ensure updates are tested more thoroughly
    • MBAM Blog Post

    Inside Winnti, the Asian game hackers

    • Kaspersky Labs has published the results of their 18 month investigation of ongoing attacks against online game publishers and their users
    • The investigation started when a huge number of computers were found to contain malware, and the common thread between them all was that they were players on a specific online game from a publisher in Japan
    • It was later determined that the malware was installed on their computers as part of a legitimate update of the game software, from the official update servers
    • The publishers of the game were originally suspected of spying on their users, but it was quickly determined that it had been an attack on their servers, and that they were just being used as a trusted conduit to their userbase
    • When Kaspersky was asked to investigate the trojan that was found on the update server, they discovered that it contained a properly signed 64-bit Windows driver
    • The digital signature that was used belonged to another game publisher, KOG, from South Korea
    • Kaspersky notified KOG and VeriSign (who had issued the code signing certificate to KOG) and the certificate was revoked
    • As the investigation progressed, Kaspersky found that the Winnti group had in fact managed to compromise more than a dozen different certificates
    • The Winnti group also appears to have sold access to these certificates to other attackers, as the certificates were used in attacks against Tibetan and Uyghur activists
    • The attackers also had three different ways to monetize their attacks:
      • The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.
      • Theft of source code from the online games server to search for vulnerabilities in games – often linked to the above
      • Theft of source code from the server part of popular online games to further deploy pirate servers
    • Technical Analysis
    • 95 page PDF Report

    Feedback

    Round Up:
