Nest – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Tue, 07 Jun 2016 02:33:24 +0000

Zuckerpunched | TTT 247
https://original.jupiterbroadcasting.net/100236/zuckerpunched-ttt-247/
Mon, 06 Jun 2016 18:33:24 +0000


LinkedIn password dump strikes Mark Zuckerberg & Google Two Factor authenticator users & others. We round it all up. Plus some of the new security features coming to Android N, the era of backpack PC’s is here & what the heck is going on with Nest?

Plus our Kickstarter of the week & more!

rm -rf $ALLTHETHINGS/ | TechSNAP 262
https://original.jupiterbroadcasting.net/98886/rm-rf-allthethings-techsnap-262/
Thu, 14 Apr 2016 18:34:12 +0000


Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!


Show Notes:

Badlock vulnerability disclosed

  • The Badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
  • It turns out to not have been as big a deal as we were led to believe
  • The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
  • The flaw itself is identified as CVE-2016-2118 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118)
  • It affects all versions of Samba clear back to 3.0
  • “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
  • “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
  • See the Samba Release Planning page for more details about support lifetime for each branch
  • Microsoft released MS16-047 but rated it only “Important”, not “Critical”
  • The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
  • Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
  • It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were led to believe
  • “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
    • Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
    • standard Samba server – modify user permissions on files or directories.
  • A number of related CVEs were also fixed:
    • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
    • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
    • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
    • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
    • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
    • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
    • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
  • Additional Coverage: Threatpost – Badlock vulnerability falls flat against its hype
  • “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
  • “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
  • Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

  • Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
  • They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
  • The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
  • Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
  • There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
  • Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
  • Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
  • What little is known about the source of the leak comes from details published by German newspaper Sueddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
  • Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
  • Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
  • On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
  • Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
  • Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
  • Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
  • Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
  • Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
  • Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
  • Additional Coverage: Forbes
  • Additional Coverage: WordFence
  • Additional Coverage: Slashdot
  • In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidentally rm -rf /’d, and destroyed my entire company

  • “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
  • “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
    How I can recover from a rm -rf / now in a timely manner?”
  • There is not usually any easy way to recover from something like this
  • That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
  • It is usually best to not have your backups mounted directly, for exactly this reason
  • Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
  • While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidentally rm -rf /’d in a roundabout way. Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), I used tab complete, and instead of rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
  • Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
  • When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
  • Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
  • There are plenty of other examples of this same problem though
  • Steam accidentally deletes ALL of your files
  • Bryan Cantrill tells a similar story from the old SunOS days
  • Discussion continues and talks about why rm -rf / is blocked on SunOS and FreeBSD
  • Additional Coverage: ServerFault
  • When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern Linux without the --no-preserve-root flag
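
The failure described above, an rm -rf "$foo/$bar" whose variables are undefined, can be guarded in the script itself. The following POSIX shell code is an added example, not code from the show notes or the ServerFault post; the function names and the BACKUP_ROOT and CUSTOMER variables are hypothetical. It also covers the trailing-slash symlink case from the anecdote.

```shell
#!/bin/sh
# Added example; guarded_path, safe_rm_rf, cleanup_backups, BACKUP_ROOT and
# CUSTOMER are hypothetical names, not taken from the script in the story.

# What "$foo/$bar" expands to when both variables are unset or empty: "/".
unguarded_path() {
    printf '%s\n' "${1-}/${2-}"
}

# Build the delete target only from two non-empty parts, and refuse anything
# that could reach / or escape the base directory.
guarded_path() {
    gp_base=${1-}
    gp_sub=${2-}
    # Strip trailing slashes so "link/" names the symlink, not its target.
    gp_sub=${gp_sub%"${gp_sub##*[!/]}"}
    if [ -z "$gp_base" ] || [ -z "$gp_sub" ]; then
        echo "refusing: empty path component" >&2
        return 1
    fi
    case $gp_sub in
        /* | . | *..*)
            echo "refusing: suspicious subpath '$gp_sub'" >&2
            return 1 ;;
    esac
    # Resolve the base physically so a symlink to / is seen for what it is.
    gp_real=$(cd "$gp_base" >/dev/null 2>&1 && pwd -P) || {
        echo "refusing: base '$gp_base' is not a directory" >&2
        return 1
    }
    if [ "$gp_real" = "/" ]; then
        echo "refusing: base resolves to /" >&2
        return 1
    fi
    printf '%s\n' "$gp_real/$gp_sub"
}

safe_rm_rf() {
    sr_target=$(guarded_path "${1-}" "${2-}") || return 1
    rm -rf -- "$sr_target"    # -- stops a leading "-" being read as an option
}

# Caller side: fail before any destructive line if a variable is missing.
# ${VAR:?msg} aborts the (sub)shell when VAR is unset or empty.
cleanup_backups() {
    (
        set -u
        : "${BACKUP_ROOT:?BACKUP_ROOT must be set}"
        : "${CUSTOMER:?CUSTOMER must be set}"
        safe_rm_rf "$BACKUP_ROOT" "$CUSTOMER"
    )
}

echo "unguarded expansion with unset variables: $(unguarded_path)"
```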

Nest Root Attack | Tech Talk Today 14
https://original.jupiterbroadcasting.net/60602/nest-root-attack-tech-talk-today-14/
Tue, 24 Jun 2014 09:19:18 +0000


Google announces their own domain name management service, the Internet of things has arrived, and it’s already been hacked. We’ll chat about the Nest thermostats rooting, Google buying Dropcam and more.


Show Notes:

— Headlines —

Google Begins Testing Domain Registrations

When Google Domains launches to the public, you’ll be able to buy and sell domains through the service. Unlike some other domain registration offerings, Google won’t charge you extra to register your domain privately. You’ll be able to create up to 100 email addresses on the domain and as many as 100 customized sub-domains. Google Domains will also use the company’s own DNS servers, so visitors should get a snappy response time when they hit up your site.

GTV Hacker » Google Nest: Exploiting DFU For Root

Today, popular Google TV hacking site GTV Hacker announced it has hacked the Nest thermostat by leveraging the device’s DFU mode to boot unsigned code at the boot-loader level. If you own a Nest, hackers could have a backdoor into your home.

The attack on the Nest thermostat is simple, we use the device’s recovery mode to run our own modified boot-loader (stage one and two). We then use our loaded boot-loaders to initiate a Linux kernel that is used to modify the file system on the Nest. We then add a SSH server running as root as well as functionality to create a reverse SSH tunnel to a specified host using the Nest’s virtual drive.

They found this “feature” back in November 2013, and mentioned it publicly on December 5th, 2013 (see this tweet). Initially, we planned on releasing our findings at a conference this summer (along with new root methods for the Chromecast and Roku), but our talk was declined. Their loss!

They will, however, be speaking this year at DEF CON 22! Our talk, entitled Hack All The Things: 20 Devices in 45 Minutes, will feature unreleased exploits for 20 devices being released in a 45 minute period. If you are in Las Vegas this August, make sure to stop in!

If you are a Nest user, I probably wouldn’t panic yet. It seems the hacker would need physical access to the device, which limits the risk. However, a devious person could exploit it while in your home and then control it remotely later. Hopefully Google can release an update to make the thermostat more secure and block the exploit.

Nest Labs Joins Race to Define Platform for the Internet of Things

Last Friday, Nest moved to broaden its reach in the home, buying a fast-growing maker of Internet-connected video cameras, DropCam, for $555 million. And on Tuesday, Nest is expected to announce a software strategy backed by manufacturing partners and a venture fund from Google Ventures and Kleiner Perkins Caufield & Byers.

Whirlpool and Nest, Mr. Dibkey said, have worked together for more than a year to develop a few applications. One allows a Whirlpool clothes dryer and a Nest thermostat to work together to conserve energy and save money. The thermostat detects a local utility’s peak load times, when electricity is most expensive. It sends a signal to the dryer to run on a cooler, slower drying cycle at those times.

In a Jawbone application, the company’s activity-monitoring wristband detects when a person gets up on a winter morning. It then sends a message to the Nest thermostat, telling it to heat up the house.

Nest’s Internet of Things strategy will be backed by the Thoughtful Things Fund, a venture capital fund created by Google Ventures and Kleiner Perkins.

Google I/O 2014

How to Watch Google I/O 2014 Keynote Livestream

Google I/O 2014 runs from June 25 to 26. If you are interested in watching the Google I/O 2014 keynote as a livestream, you have a couple of options.

Google Invades Your Nest | LUP 23
https://original.jupiterbroadcasting.net/49517/google-invades-your-nest-lup-23/
Tue, 14 Jan 2014 18:50:18 +0000


We follow up on some of the most innovative Linux powered devices at CES, and discuss Google buying Nest Labs. Is the future of the “Internet of Things” locked down to proprietary devices running locked down software? And what are the ramifications for the home?

Plus some practical thoughts on Steam OS, 4k Displays coming to Linux, a new way to interface with your PC, and your feedback.


Show Notes:

FU

The Closed Internet of Things

From the crockpot to your smoke detector, the famous “Internet of Things” is slowly and haphazardly coming into reality. Unfortunately it’s dominated by sealed off devices you have no direct control over. As these devices fill our homes, are we taking something fundamental away from the homeowner, and from the open source community?

Google just announced that it’s snapping up Nest, maker of smart thermostat and smoke detectors, for $3.2 billion in cash. Nest has raised around $80 million from investors including Shasta Ventures, Kleiner Perkins, and Google Ventures.

It’s not yet clear exactly how Google plans to use Nest, but the company obviously sees it as an important part of its future. A combination of Nest’s home solutions coupled with Google’s language recognition could give Google its strongest path yet into your home. “Google will help us fully realize our vision of the conscious home and allow us to change the world faster than we ever could if we continued to go it alone,” writes Fadell on the Nest blog. “We’ve had great momentum, but this is a rocket ship.”
