nfs – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 11 Aug 2022 18:37:05 +0000

Linux Action News 253 https://original.jupiterbroadcasting.net/149532/linux-action-news-253/ Thu, 11 Aug 2022 10:30:00 +0000 https://original.jupiterbroadcasting.net/?p=149532 Show Notes: linuxactionnews.com/253

The post Linux Action News 253 first appeared on Jupiter Broadcasting.

100 Days of HomeLab | Self-Hosted 73 https://original.jupiterbroadcasting.net/148952/100-days-of-homelab-self-hosted-73/ Fri, 17 Jun 2022 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=148952 Show Notes: selfhosted.show/73

The post 100 Days of HomeLab | Self-Hosted 73 first appeared on Jupiter Broadcasting.

Raleigh Action Show | LINUX Unplugged 453 https://original.jupiterbroadcasting.net/148182/raleigh-action-show-linux-unplugged-453/ Sun, 10 Apr 2022 19:15:00 +0000 https://original.jupiterbroadcasting.net/?p=148182 Show Notes: linuxunplugged.com/453

The post Raleigh Action Show | LINUX Unplugged 453 first appeared on Jupiter Broadcasting.

Wrong About Pop! | LINUX Unplugged 375 https://original.jupiterbroadcasting.net/143132/wrong-about-pop-linux-unplugged-375/ Tue, 13 Oct 2020 23:45:00 +0000 https://original.jupiterbroadcasting.net/?p=143132 Show Notes: linuxunplugged.com/375

The post Wrong About Pop! | LINUX Unplugged 375 first appeared on Jupiter Broadcasting.

BSD Fundraising | BSD Now 339 https://original.jupiterbroadcasting.net/139807/bsd-fundraising-bsd-now-339/ Thu, 27 Feb 2020 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=139807 Show Notes/Links: https://www.bsdnow.tv/339

The post BSD Fundraising | BSD Now 339 first appeared on Jupiter Broadcasting.

Flipping FreeNAS for Fedora | LINUX Unplugged 306 https://original.jupiterbroadcasting.net/132181/flipping-freenas-for-fedora-linux-unplugged-306/ Tue, 18 Jun 2019 19:24:54 +0000 https://original.jupiterbroadcasting.net/?p=132181 Show Notes: linuxunplugged.com/306

The post Flipping FreeNAS for Fedora | LINUX Unplugged 306 first appeared on Jupiter Broadcasting.

Nano Users Unite | LINUX Unplugged 170 https://original.jupiterbroadcasting.net/104561/nano-users-unite-lup-170/ Tue, 08 Nov 2016 23:38:06 +0000 https://original.jupiterbroadcasting.net/?p=104561 RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed Become a supporter on Patreon: Show Notes: Follow Up / Catch Up Vim text editor turns 25 Over 25 years ago, when some of your professional colleagues were still toddlers, Bram Moolenaar started working on […]

The post Nano Users Unite | LINUX Unplugged 170 first appeared on Jupiter Broadcasting.

Show Notes:

Follow Up / Catch Up

Vim text editor turns 25

Over 25 years ago, when some of your professional colleagues were still toddlers, Bram Moolenaar started working on a text editor for his Amiga. He was a user of vi on Unix, but the Amiga didn’t have anything quite like it. On November 2, 1991, after three years in development, he released the first version of the “Vi IMitation” editor, or Vim.

Zotac crams AMD’s Radeon RX 480 into a tiny gaming mini-PC that’s built for VR

Zotac’s selling the new mini PC in three models: barebones, Plus, and Windows 10. The barebones version is what you’d expect in a kit like this. It comes with a 2.2GHz Intel “Skylake” Core i5-6400T CPU and the aforementioned Radeon RX 480, but lacks RAM, storage, and an operating system.

Official Ubuntu Flavor Mythbuntu Linux Is Dead, What About My TV Shows?

The developers of the Mythbuntu Linux distribution have announced that the development of the official Ubuntu flavor will come to an end in the coming future. The reason stated is the lack of manpower of work on updates and bug fixing. For MythTV, the users can install Xubuntu and add Mythbuntu repository.

ChrisLAS Rocks Cali

Great dumplings, no not Chris. The Shandong restaurant.


TING

Cinnamon 3.2 Desktop Environment Now Available with Support for Vertical Panels

Cinnamon 3.2 also comes with workspace switcher improvements, simplified background manager, keyboard navigation for context menus, updated appindicators and settings, support for displaying percentage next to the volume slider, vfade effect by default, as well as hover delay functionality to hot corners.

Freeing my tablet (Android hacking, SW and HW)

I wanted to run a Debian chroot in my tablet; and there was no open-source rooting
process for it. That triggered me enough to have a deeper look at Android,
and eventually completely dominate my tablet.

FileZilla Secure – Dedicated to keeping your FTP passwords secure.

tl;dr FileZilla does not encrypt your saved FTP passwords and I got hacked. FileZilla Secure will encrypt your saved FTP passwords with a master password.

DigitalOcean

Please explain NFS to me before I destroy something

Are you planning (or have you already) to make a guide/tutorial/segment on setting up NFS at home?

I realize NFS spans a wide range of use cases, but I am interested from the perspective of a desktop Linux user, how to share media and documents with my family on our (W)LAN.

Linux Academy

New Releases:

  • AWS Certified DevOps Engineer – Professional Level
  • The SysAdmins Guide To Bash Scripting
  • Cloud Essentials Certification Prep Course
  • Running Container Clusters With Kubernetes
  • Apache Spark Essentials
  • Red Hat Certified Engineer Prep Course
  • AWS Certified SysOps Administrator – Course Refresh
  • Docker Deep Dive – Course Refresh

Coming This Fall:

  • AWS Concepts
  • Linux KVM Virtualization Essentials
  • Git – Quick Start
  • VIM – The Improved Editor
  • Docker – Quick Start
  • Ansible – Quick Start
  • Git – Quick Start
  • Jenkins – Quick Start
  • LPIC-2 201
  • LPIC-2 202
  • Big Data Essentials
  • Learning Python Development
  • Linux on Azure Certification Prep

5 terminal commands every Linux newbie should know

Sometimes you’ll need to use the terminal, but it’s not as scary as you think. We come up with the basic commands new users might want to learn.

Post Show

RedHat Redneck Internationalization

Botnet of Things | TechSNAP 286 https://original.jupiterbroadcasting.net/103516/botnet-of-things-techsnap-286/ Thu, 29 Sep 2016 19:18:38 +0000 https://original.jupiterbroadcasting.net/?p=103516 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Krebs hit with record breaking DDoS attack “On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed […]

The post Botnet of Things | TechSNAP 286 first appeared on Jupiter Broadcasting.

Show Notes:

Krebs hit with record breaking DDoS attack

  • “On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai/Prolexic, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.”
  • “The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”
  • “Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gbps attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.”
  • Almost all of the previous large scale DDoS attacks were the result of ‘reflection’ and ‘amplification’ attacks
  • That is, exploiting DNS, NTP, and other protocols to allow the attackers to send a small amount of data, while spoofing their IP address to that of the victim, and cause the reflection server to send a larger amount of data.
  • Basically, have your bots send spoofed packets of a few bytes, and the reflector send as much as 15 times the amount of data to the victim. This attack harms both the victim and the reflector.
  • Thanks to the hard work of many sysadmins, most DNS and NTP servers are much more locked down now, and reflection attacks are less common, although there are still some protocols vulnerable to amplification that are not as easy to fix
  • “In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices. According to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.”
  • “There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
  • “I’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.”
  • “Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.”
  • “I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.”

The shot heard round the world

  • In this followup post, Krebs discusses “The Democratization of Censorship”
  • You no longer need to be a nation state to censor someone, you just need a big enough botnet
  • “Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.”
  • “Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.”
  • This poses a huge problem. The bad guys now know the magic number, 650 gbps, at which point even the most expensive DDoS protection service will boot you off and shut down your site.
  • “Nevertheless, Akamai rather abruptly informed me I had until 6 p.m. that very same day — roughly two hours later — to make arrangements for migrating off their network. My main concern at the time was making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.”
  • “Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.”
  • This raises another question, what happens when the bad guys perform an attack large enough to disrupt Google?
  • This was the topic of the closing keynote at EuroBSDCon last weekend, sadly no video recordings are available.
  • “Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.”
  • “In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.”
  • “Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.”
  • “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”
  • “Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.”
  • “What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.”
  • “No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.”
  • “Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.”
  • While we’d like to think that the hacked devices will be secured, the reality is that they probably won’t be. Even if there was a firmware update, how often do people firmware update their IP Cameras? Their DVRs?
  • The cable companies might be able to help by pushing firmware updates, and they have some incentive to do so, as the attacks use up their bandwidth
  • In the end, even if ISPs notified their customers that they were part of the attack, how is a regular person supposed to determine which of the IoT devices was used as part of the attack?
  • If you don’t know how to use a protocol analyzer, and the attack is not ongoing right now, how do you tell if it was your DVR, your SmartTV, your Thermostat, or your refrigerator that was attacking Krebs?
  • And if we thought that 650 gbps was enough to make almost any site kneel to an attacker, OVH.net reports a botnet of 150,000 CCTV/Camera/DVR units, each with 1 – 30 mbps of upload capacity, attacking their network with a peak of 1.1 terabits (1100gbps) of traffic, but they estimate the capacity of the botnet at over 1.5 terabits
  • “I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”
  • “The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.”
  • The possible solutions presented at EuroBSDCon were even scarier. Breaking the Internet up along national borders, and only allowing traffic to pass between countries on regulated major services like Facebook and Google.
  • Additional Coverage: Forbes
  • Additional Coverage: Ars Technica

Firefox preparing to block Certificate Authority for violating rules

  • “The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.”
  • “The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.”
  • “Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Monday’s report stated. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”
  • So, existing certificates will continue to work, to avoid impact on those who paid for certificates, but Mozilla will not trust any newly issued certificates
  • “WoSign’s practices came under scrutiny after an IT administrator for the University of Central Florida used the service to obtain a certificate for med.ucf.edu. He soon discovered that he mistakenly got one for www.ucf.edu. To verify that the error wasn’t isolated, the admin then used his control over the github subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued Github certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that aren’t clear, Mozilla’s final report makes no explicit mention the certificates involving the Github or UCF domains, which were documented here in August.”
  • Some other issues highlighted in the Mozilla report:
    • “WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)”
    • “If the experience with their website ownership validation mechanism is anything to go by, It seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)”
    • “The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)”
    • “For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)”
    • “WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)”
  • Mozilla Report
  • Mozilla Wiki: WoSign issues
  • WoSign incident report

iPhishing Expedition | TechSNAP 281 https://original.jupiterbroadcasting.net/102536/iphishing-expedition-techsnap-281/ Thu, 25 Aug 2016 18:49:30 +0000 https://original.jupiterbroadcasting.net/?p=102536 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Sophisticated, persistent mobile attack against high-value targets on iOS “Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value […]

The post iPhishing Expedition | TechSNAP 281 first appeared on Jupiter Broadcasting.

Show Notes:

Sophisticated, persistent mobile attack against high-value targets on iOS

  • “Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.”
  • “Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.”
  • “Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.”
  • “We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.”
  • The target of the attack was Ahmed Mansoor, an internationally recognized human rights defender
  • “On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.”
  • “This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.”
  • “Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya. The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.”
  • “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.”
  • “The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
  • “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
  • CitizenLab report
  • Lookout Report PDF
  • Additional Coverage: Arstechnica: Apple releases iOS 9.3.5 with “an important security update”
  • Additional Coverage: NY Times
  • Additional Coverage: Motherboard
  • Additional Coverage: WaPo

Hacking Electronic Safes

  • An interesting bit of research was brought to my attention via Bruce Schneier’s blog
  • “On Friday, a hacker known as Plore presented strategies for identifying a safe’s custom-selected keycode and then using it to unlock the safe normally, without any damage or indication that the code has been compromised”
  • “What makes Plore’s techniques interesting is what they lack: any physical or even algorithmic sabotage”
  • “Plore used side-channel attacks to pull it off. These are ways of exploiting physical indicators from a cryptographic system to get around its protections.”
  • “Plore was able to figure out the keycodes for locks that are designated by independent third-party testing company Underwriter’s Laboratory as Type 1 High Security. These aren’t the most robust locks on the market by any means, but they are known to be pretty secure. Safes with these locks are the kind of thing you might have in your house.”
  • “In practice, Plore was able to defeat the security of two different safe locks made by Sargent and Greenleaf, each of which uses a six-digit code. “I chose Sargent and Greenleaf locks due to their popularity. They are the lock manufacturer of choice on Liberty brand gun safes, among others, and safes featuring those locks are widely available at major stores,” Plore told WIRED”
  • “Plore said he didn’t have time before Defcon to try his attacks on other lock brands, but he added, “I would not be particularly surprised if techniques similar to those I described would apply to other electronic safe locks, other electronic locks in general (e.g., door locks), or other devices that protect secrets (e.g., phones).””
  • I am glad the 6 digit combination lock that protects my house is mechanical
  • “For the Sargent and Greenleaf 6120, a lock developed in the 1990s and still sold today, Plore noticed that when he entered any incorrect keycode he could deduce the correct code by simply monitoring the current being consumed by the lock.”
  • ““What you do here is place the resistor in series with the battery and the lock, and by monitoring voltage across that resistor we can learn how much current the lock is drawing at any particular time. And from that we learn something about the state of the lock,” Plore explained. As the lock’s memory checked the input against its stored number sequence, the current on the data line would fluctuate depending on whether the bits storing each number in the code were a 0 or a 1. This essentially spelled out the correct key code until Plore had all of its digits in sequence and could just enter them to unlock the safe. Bafflingly easy.”
  • “For the second demonstration, he experimented with a newer lock, the Sargent and Greenleaf Titan PivotBolt. This model has a more secure electronics configuration so Plore couldn’t simply monitor power consumption to discover the correct keycode. He was able to use another side-channel approach, though, a timing attack, to open the lock. Plore observed that as the system checked a user code input against its stored values there was a 28 microsecond delay in current consumption rise when a digit was correct. The more correct digits, the more delayed the rise was. This meant that Plore could efficiently figure out the safe’s keycode by monitoring current over time while trying one through 10 for each digit in the keycode, starting the inputs over with more and more correct digits as he pinpointed them. Plore did have to find a way around the safe’s “penalty lockout feature” that shuts everything down for 10 minutes after five incorrect input attempts, but ultimately he was able to get the whole attack down to 15 minutes, versus the 3.8 years it would take to try every combination and brute force the lock.”
  • This is why cryptography is usually implemented in ‘constant time’, where it is purposely slow: the check does not return early on a mismatch. Both the right input and the wrong input take the same amount of time to return the result, so the attacker can’t learn anything from the amount of time the response takes.
  • ““Burglars aren’t going to bother with this. They’re going to use a crowbar or a hydraulic jack from your garage or if they’re really fancy they’ll use a torch,” Plore said. “I think the more interesting thing here is [these attacks] have applicability to other systems. We see other systems that have these sorts of lockout mechanisms.” Plore said that he has been trying to contact Sargent and Greenleaf about the vulnerabilities since February. WIRED reached out to the company for comment but hadn’t heard back by publication time.”
  • “Even though no one would expect this type of affordable, consumer-grade lock to be totally infallible, Plore’s research is important because it highlights how effective side-channel attacks can be. They allow a bad actor to get in without leaving a trace. And this adds an extra layer of gravity, because not only do these attacks compromise the contents of the safe, they could also go undetected for long periods of time.”
  • This practical example makes the software versions much easier to understand
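
The timing leak and the constant-time fix described above, as an added example (not from the show notes or from Plore's research): a C model of a keypad code check in its early-exit form and its constant-time form. The 6-digit sample code, the function names, and the use of a comparison count as a stand-in for measured time are assumptions made for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6  /* assumed keycode length for this model */

/* Constructed sample code, not taken from any real lock. */
static const uint8_t SAMPLE_CODE[CODE_LEN] = {4, 1, 7, 2, 9, 3};

/* Outcome of one check. `work` counts digit comparisons and stands in for
 * what an observer could measure (elapsed time, or delay in current rise). */
struct check_result {
    int ok;
    unsigned work;
};

typedef struct check_result (*check_fn)(const uint8_t *stored,
                                        const uint8_t *entered);

/* Leaky form: returns at the first wrong digit, so the amount of work
 * reveals how many leading digits were right. */
struct check_result check_early_exit(const uint8_t *stored,
                                     const uint8_t *entered)
{
    struct check_result r = {1, 0};
    for (size_t i = 0; i < CODE_LEN; i++) {
        r.work++;
        if (stored[i] != entered[i]) {
            r.ok = 0;
            break;
        }
    }
    return r;
}

/* Hardened form: always visits every digit and folds the differences
 * together with OR, so there is no branch that depends on the code. */
struct check_result check_constant_time(const uint8_t *stored,
                                        const uint8_t *entered)
{
    struct check_result r = {0, 0};
    uint8_t diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        r.work++;
        diff |= (uint8_t)(stored[i] ^ entered[i]);
    }
    r.ok = (diff == 0);
    return r;
}

/* Run `fn` on a guess whose first `correct` digits match the stored code
 * and whose remaining digits are all wrong. */
struct check_result check_with_prefix(check_fn fn, const uint8_t *stored,
                                      size_t correct)
{
    uint8_t guess[CODE_LEN];
    for (size_t i = 0; i < CODE_LEN; i++)
        guess[i] = (i < correct) ? stored[i]
                                 : (uint8_t)((stored[i] + 1) % 10);
    return fn(stored, guess);
}

/* Largest difference in work across guesses with 0..CODE_LEN correct
 * leading digits. Zero means the work tells an observer nothing. */
unsigned work_spread(check_fn fn, const uint8_t *stored)
{
    unsigned lo = UINT_MAX, hi = 0;
    for (size_t k = 0; k <= CODE_LEN; k++) {
        unsigned w = check_with_prefix(fn, stored, k).work;
        if (w < lo) lo = w;
        if (w > hi) hi = w;
    }
    return hi - lo;
}

int main(void)
{
    printf("correct digits  early-exit  constant-time\n");
    for (size_t k = 0; k <= CODE_LEN; k++)
        printf("%14zu  %10u  %13u\n", k,
               check_with_prefix(check_early_exit, SAMPLE_CODE, k).work,
               check_with_prefix(check_constant_time, SAMPLE_CODE, k).work);
    printf("spread: early-exit=%u constant-time=%u\n",
           work_spread(check_early_exit, SAMPLE_CODE),
           work_spread(check_constant_time, SAMPLE_CODE));
    return 0;
}
```

Counting comparisons models only the timing channel; the 6120's leak came from current draw tracking the stored bits, which an equal-time loop does not hide. In real firmware, confirm in the compiled output that the loop has no data-dependent branch.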

Turkish Journalist Jailed for Terrorism Was Framed, Computer Forensics Report Shows

  • Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer.
  • But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.
  • The attackers also attempted to control the journalist’s machine remotely, trying to infect it using malicious email attachments and thumb drives.
  • Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it’s been seen in the wild.
  • “The attackers seemed to pull everything out of their bag of tricks,” Mark Spencer, digital forensics expert at Arsenal Consulting, said.
  • Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to a group accused of terrorism in Turkey.
  • It is not clear who perpetrated the attack, but the sophistication of the malware used, the tightly-targeted way Ahtapot works, and the timing of Pehlivan’s arrest suggest a highly-coordinated, well-funded attack.
  • A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light on the case after several other reports have acknowledged the presence of malware.
  • Spencer said no other forensics expert noticed the trojan, nor has anyone accurately determined how those documents showed up on the journalist’s computer.
  • However, almost all the reports have concluded that the incriminating files were planted.
  • What baffled Spencer the most during the investigation was an unusual malware, one he hasn’t seen before. It was installed on Pehlivan’s computer on the evening of February 11, 2011, a Friday. The police raid took place on the following Monday morning.
  • Spencer called Gabor Szappanos, principal researcher at Sophos, who has been analyzing computer viruses for over two decades. They worked together to find out what happened.
  • This malware appeared to be in unfinished beta development. It was a Remote Access Trojan (RAT), a malicious software that allows attackers to control a computer without having physical access.
  • There are clues to suggest the malware is Turkish in origin, including Turkish words in Ahtapot’s code, yet security experts are almost always uncomfortable talking about attribution.
  • The Sophos researcher believes this Remote Access Trojan was rushed into use out of desperation, after several attacks failed to deliver expected results. “Looking at the code revealed some mistakes that are typical at the beginning of development processes [of a malware],” the researcher said.
  • Prior to bringing in the Ahtapot trojan, the attackers relied on more common malware. First, they tried to infect Pehlivan’s computer with the Turkojan RAT through a thumb drive. Email attachments were also used.
  • Spencer said attackers copied both malware and incriminating documents to Pehlivan’s hard drive on the nights of February 9 and 11, to cover their bases in case they weren’t able to control the computer remotely using the malware.
  • They were smart enough to forge the dates associated with these documents, Spencer said. The key to his investigation was constructing the true timeline of the events.
  • He suspects the journalist’s PC was attacked locally during those two evenings of February 9 and 11, because previous attempts to remotely infect it with malware failed.
  • “There were about a dozen different malware samples found. Analyzing them in detail revealed that these were not independent incidents, we could find connection between them,” Szappanos said.
  • He believes this was an expensive targeted attack, which used malware samples and command and control servers dedicated to this case alone.
  • Most infosec professionals refrain from saying who the attacker is, as attribution is usually difficult to establish in the cyberworld. “We think it was developed by a Turkish speaking person/people. Internal texts found in the malware samples were all in the Turkish language,” Szappanos said.
  • Meanwhile in Turkey, Barış Pehlivan is getting ready for his next hearing, scheduled for September 21. He believes the trial could end this year, and hopes to be acquitted.

Signature Bloatware Updates | TechSNAP 270 https://original.jupiterbroadcasting.net/100366/signature-bloatware-updates-techsnap-270/ Thu, 09 Jun 2016 10:03:13 +0000 https://original.jupiterbroadcasting.net/?p=100366 The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing. Plus great questions, our answers & more!

The post Signature Bloatware Updates | TechSNAP 270 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems

Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

  • “According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
  • “OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
  • “Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
  • “Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
  • “The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
  • The results:
    • Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
    • Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
    • Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
    • Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
    • Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
  • Other Findings:
  • “Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
  • Every new machine came with crapware, and an auto-updater for the crapware. The auto-updater made the machine less secure, not more secure as expected. Not to mention that this report doesn’t actually look at the crapware itself.
  • “There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
  • They didn’t have to try very hard: some of these updaters run a local HTTP server that anything can connect to
  • “Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
  • This means that a random person at the coffee shop, or the government, can pretend to be your OEM’s update server, and feed you malware instead of security fixes
  • “Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
  • Multiple auto-updaters, that is what everyone wants
  • “The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
  • If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
  • “Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
  • So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
  • Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

  • “The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
  • According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
  • “Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
  • “I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
  • “More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
  • Not necessarily; it can depend on the setup. The reason you might expose a printer to the internet like that on purpose is to allow printing while you are away from home, but it isn’t a good idea
  • “Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
  • That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted and allowed through firewalls (you do want to be able to talk to the printer, right?)
  • It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

  • “Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
  • They want your card number
  • They want your PIN number
  • “To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
  • “The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
  • The post includes a video of a skimmer being installed in just a few seconds
  • Then it gets interesting: after having read all of Krebs’s advice, the author of the post encountered a skimmer while visiting Indonesia
  • “A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
  • “I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
  • “We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
  • “By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
  • “The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
  • This reaction is very common, and is starting to be troubling
  • After some deduction, he determined the ports on the side were for a USB cable
  • “Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
  • “It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
  • “After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
  • “The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
  • When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
  • “Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
  • “The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
  • The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
  • Going back a few days later, they found a fresh pin number camera installed

Certifiable Authority | TechSNAP 238 https://original.jupiterbroadcasting.net/89901/certifiable-authority-techsnap-238/ Thu, 29 Oct 2015 14:44:39 +0000 https://original.jupiterbroadcasting.net/?p=89901 TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec. Plus a great batch of your questions, a rocking round up & much, much more!

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

TalkTalk compromise and ransom

  • “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
  • “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
  • That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
  • Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
  • “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
  • So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
  • “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
  • “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
  • With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
  • Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
  • “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
  • “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
  • Additional Coverage — The Independent
  • Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
  • Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
  • Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
  • Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
  • Video from TalkTalk CEO
  • If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will waive the termination fee if you decide you no longer want to be a TalkTalk customer
  • New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
  • “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

  • “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
  • “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
  • Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
  • “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
  • “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
  • “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
  • US Regulators grant DMCA exemption to legalize vehicle software tinkering
  • Additional Coverage: NPR
  • The ruling uses the terms “good faith security research” and “lawful modification.”
  • “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
  • “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
  • Under the ruling, neither exemption becomes law for at least a year

Google plays hardball with Symantec over TLS certificates

  • “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
  • Google’s Blog Post
  • Symantec Report
  • “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
  • It seems like Symantec was trying to downplay the incident, and gloss over its failings
  • “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
  • “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
  • This brings up serious questions about the management and oversight of the Symantec certificate authority
  • “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
  • “More immediately, we are requesting of Symantec that they further update their public incident report with:”
  • A post-mortem analysis that details why they did not detect the additional certificates that we found.
  • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
  • “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
  • “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
  • It is good to see Google using its muscle to make the CA industry smarten up and fly right

Feedback:


Round up:


The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.
A Rip in NTP | TechSNAP 237 https://original.jupiterbroadcasting.net/89591/a-rip-in-ntp-techsnap-237/ Thu, 22 Oct 2015 18:21:21 +0000 https://original.jupiterbroadcasting.net/?p=89591 The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches. Plus a great batch of questions, a rockin’ round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct […]

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.

The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.

Plus a great batch of questions, a rockin’ round up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

OpenZFS Dev Summit


Researchers warn about flaws in NTP

  • NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc)
  • “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
  • Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stop checking the time altogether
  • “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
  • “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
  • Post by researchers
  • PDF: Full research paper
  • The researchers outline 4 different attacks against NTP:
    • Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
    • Attack 2 (Denial of Service by Priming the Pump)
    • Attack 3 (Timeshifting by Reboot)
    • Attack 4 (Timeshifting by Fragmentation)
  • It is recommended you upgrade your version of NTP to ntp-4.2.8p4
  • “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
  • The paper goes on to describe the amount of error that needs to be induced to cause a problem:
    • TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
    • HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”. For sanity’s sake, this header has an expiration date set some time in the future, usually a year. If you forward the clock past then, you can trick a browser into accepting an insecure connection.
    • DNSSEC: months.
    • DNS Caches: days.
    • Routing (if security is even enabled): days
    • Bitcoin: hours
    • API Authenticate: minutes
    • Kerberos: minutes
  • Alternatives:
    • Ntimed
    • OpenNTPd
      • Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from that, ignore that time server as it might be malicious
    • tlsdate
    • NTPSec (a fork of regular NTP being improved)
  • Additional Coverage: ArsTechnica
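
Two client-side checks that bear on the notes above, as an added example that is not code from the show notes, the paper, or any NTP implementation. A Kiss-o'-Death reply is honoured only if its origin timestamp matches the transmit timestamp of the request that was actually sent (the reply check in RFC 5905, which an off-path spoofer cannot satisfy without seeing the request), and a time reply is dropped if it disagrees with HTTPS Date headers, along the lines of the OpenNTPd feature described above. The function names, the use of the median, the 30-second margin, and the sample packets and headers are assumptions constructed for the illustration.

```python
import struct
from email.utils import parsedate_to_datetime
from statistics import median

NTP_UNIX_DELTA = 2208988800              # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, RFC 5905 layout


def to_ntp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (fraction bits left at zero)."""
    return (int(unix_seconds) + NTP_UNIX_DELTA) << 32


def to_unix(ntp_ts):
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ntp_ts >> 32) - NTP_UNIX_DELTA + (ntp_ts & 0xFFFFFFFF) / 2**32


def build_reply(stratum, ref_id, origin, transmit):
    """Constructed server reply (LI=0, version 4, mode 4) used by the demo."""
    return HEADER.pack((4 << 3) | 4, stratum, 6, -20, 0, 0,
                       ref_id, 0, origin, 0, transmit)


def https_constraint(date_headers):
    """Median of several HTTPS Date headers, as Unix seconds."""
    return median(parsedate_to_datetime(h).timestamp() for h in date_headers)


def check_reply(packet, sent_transmit, constraint, margin=30.0):
    """Classify one reply to the request whose transmit timestamp we sent."""
    if len(packet) < HEADER.size:
        return "drop: short packet"
    (lvm, stratum, _poll, _prec, _delay, _disp, ref_id,
     _ref, origin, _recv, transmit) = HEADER.unpack(packet[:HEADER.size])
    if lvm & 0x7 != 4:
        return "drop: not a server reply"
    # The origin field must echo our own transmit timestamp. A spoofed
    # packet from someone who never saw the request cannot get this right.
    if origin != sent_transmit:
        return "drop: origin mismatch"
    if stratum == 0:
        # Kiss-o'-Death: the reference ID carries an ASCII kiss code.
        # Back off from this one server only; keep using the others.
        return "kod: " + ref_id.decode("ascii", "replace")
    # Sanity check: do not set the clock from the HTTPS time (too coarse),
    # only refuse a server that disagrees with it by more than the margin.
    if abs(to_unix(transmit) - constraint) > margin:
        return "drop: outside HTTPS constraint"
    return "accept"


# Constructed Date headers from three HTTPS sites (sample data).
DATES = [
    "Thu, 22 Oct 2015 18:21:20 GMT",
    "Thu, 22 Oct 2015 18:21:21 GMT",
    "Thu, 22 Oct 2015 18:21:25 GMT",
]


def demo():
    constraint = https_constraint(DATES)
    sent = to_ntp(constraint) + 0x5EED  # transmit timestamp of our request
    server = b"\xc0\x00\x02\x01"        # reference ID of a stratum-2 server
    year = 365 * 86400
    return {
        "honest": check_reply(
            build_reply(2, server, sent, to_ntp(constraint + 1)), sent, constraint),
        "spoofed_kod": check_reply(
            build_reply(0, b"RATE", 0, 0), sent, constraint),
        "genuine_kod": check_reply(
            build_reply(0, b"RATE", sent, 0), sent, constraint),
        "shifted": check_reply(
            build_reply(2, server, sent, to_ntp(constraint + year)), sent, constraint),
        "short": check_reply(b"\x24", sent, constraint),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```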

Adobe and Oracle release critical patches

  • Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
  • All users should upgrade to Flash 19.0.0.226
  • If you are worried, consider switching Flash to Click-to-Play mode
  • Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
  • “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
  • All users are strongly encouraged to upgrade to Java 8 Update 65
  • Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
  • “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
  • “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”

Feedback:


Round up:


The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.
Hacking Henchmen for Hire | TechSNAP 218 https://original.jupiterbroadcasting.net/83577/hacking-henchmen-for-hire-techsnap-218/ Thu, 11 Jun 2015 10:19:19 +0000 https://original.jupiterbroadcasting.net/?p=83577 This week, how hard lessons learned in 1982 could be applied to 2015’s security breaches, hacking for hire goes big & a savage sentient car that needs better programming. Plus some fantastic questions, a rocking round-up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | […]

The post Hacking Henchmen for Hire | TechSNAP 218 first appeared on Jupiter Broadcasting.

This week, how hard lessons learned in 1982 could be applied to 2015’s security breaches, hacking for hire goes big & a savage sentient car that needs better programming.

Plus some fantastic questions, a rocking round-up & much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Cyber Security and the Tylenol Murders

  • “When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.”
  • “This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law. But the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.”
  • If only we could learn from this example in the case of Internet Security, or even just security in general
  • “To folks who understand computer security and networks, it’s plain that the key problem are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.”
  • “So if we were to approach this as a safety problem, the way forward is clear: We need better incentives for companies who store our data to keep it secure. In fact, there is broad agreement that we can easily raise the bar against cyberthieves and spies. Known vulnerabilities frequently go unpatched. For instance, The New York Times reported that the J.P. Morgan hack occurred due to an un-updated server. Information is too often stored in the clear rather than in encrypted form and many devices like smart phones or tablets, that increasingly store our entire lives, don’t even allow for key security upgrades.”
  • “Not only is Congress failing to address the need for increased computer and network security, key parts of the government are working to undermine our safety. The FBI continues to demonize strong cryptography, trying instead to sell the public on “technologically stupid” strategy that will make us all less safe. Equally outrageous, the recent Logjam vulnerabilities show that the NSA has been spending billions of our tax dollars to exploit weaknesses in our computer security—weaknesses caused by the government’s own ill-advised regulation of cryptography in the 1990s—rather than helping us strengthen our systems.”
  • So how can we actually solve the problem?
  • “We need to ensure that companies to whom we entrust our data have clear, enforceable obligations to keep it safe from bad guys. This includes those who handle it it directly and those who build the tools we use to store or otherwise handle it ourselves. In the case of Johnson & Johnson, products liability law makes the company responsible for the harm that comes to us due to the behavior of others if safer designs are available, and the attack was foreseeable. Similarly, hotels and restaurants that open their doors to the public have obligations under the law of premises liability to take reasonable steps to keep us safe, even if the danger comes from others. People who hold your physical stuff for you—the law calls them bailees—also have a responsibility to take reasonable steps to protect it against external forces.”
  • “Looking at the Congressional debate, it’s as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to “share” its customer lists with the government and with the folks over at Bayer aspirin. We wouldn’t have stood for such a wrongheaded response in 1982, and we shouldn’t do so now.”
  • Additional Coverage: USNews — A cybersecurity bill with White House support may weaken both network security and privacy
  • Additional Coverage: PBS — How the Tylenol Murders changed how we consume medication

IRS reports thieves stole tax data on over 100,000 people

  • “Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.”
  • They used the “Get Transcript” feature to steal the data
  • The criminals already had most of the sensitive data about the users, including their SSN, Date of Birth, and Address
  • This data was used to attempt to file fraudulent tax returns
  • The IRS is careful to note that this was not a breach: the data was not stolen in a hack. Rather, criminals used the sensitive data they had already collected to impersonate each of the 100,000 affected people and access their IRS accounts “legitimately”
  • “The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013”
  • The thieves tried to access over 200,000 accounts, but were only successful in about half of the cases. The IRS will notify all those who had attempts against their accounts; in the cases where the attempts were successful, the IRS will provide credit monitoring. Users whose accounts had attempts but were not compromised should also consider carefully monitoring their credit reports, as it is likely the thieves already have most of their sensitive data, given that they could make the attempts in the first place
  • This attack may actually be a symptom of another breach, where this data was stolen in bulk from somewhere else, and then used against the IRS
  • It will be interesting to see if there are any commonalities between all of the 200,000 victims
  • It also suggests that the IRS’ online system doesn’t have a very good IDS (Intrusion Detection System), if a small set of IP addresses are attempting to access 200,000 accounts, this should set off alarms. Especially if half of the attempts are failures, but even if they are not.
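
The alarm described in the last point, as an added example rather than anything the IRS runs: count the distinct accounts each source address touches and alert on the breadth alone, reporting the failure ratio as context instead of requiring it. The log format, the threshold of five accounts and every address and account ID below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption): timestamp, source IP, account, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<acct>\S+) result=(?P<res>OK|FAIL)$"
)


def sample_log():
    """Build constructed sample lines; addresses are documentation ranges."""
    lines = []
    # One source walking through 40 accounts, half of the attempts failing.
    for i in range(40):
        res = "OK" if i % 2 == 0 else "FAIL"
        lines.append(
            f"2015-05-20T10:{i:02d}:00Z src=198.51.100.7 account=A{i:04d} result={res}")
    # One source walking through 30 accounts and succeeding every time.
    for i in range(30):
        lines.append(
            f"2015-05-20T11:{i:02d}:00Z src=203.0.113.9 account=B{i:04d} result=OK")
    lines += [
        # An ordinary user who gets one answer wrong, then succeeds.
        "2015-05-20T12:00:00Z src=192.0.2.10 account=C0001 result=FAIL",
        "2015-05-20T12:01:00Z src=192.0.2.10 account=C0001 result=OK",
        # A shared address (household, small office) with three accounts.
        "2015-05-20T12:05:00Z src=192.0.2.44 account=D0001 result=OK",
        "2015-05-20T12:06:00Z src=192.0.2.44 account=D0002 result=OK",
        "2015-05-20T12:07:00Z src=192.0.2.44 account=D0003 result=FAIL",
        # A line that does not parse must be counted, not silently lost.
        "-- log rotated --",
    ]
    return lines


def summarize(lines):
    """Return (per-source stats, number of unparseable lines)."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        s = stats[m["src"]]
        s["accounts"].add(m["acct"])
        s["attempts"] += 1
        if m["res"] == "FAIL":
            s["failures"] += 1
    return stats, skipped


def flag_sources(lines, max_accounts=5):
    """Alert on any source that touched more than max_accounts accounts.

    The failure ratio is reported but is not a condition: a source that
    already holds correct personal data can succeed on every attempt.
    """
    stats, _ = summarize(lines)
    alerts = []
    for src, s in stats.items():
        breadth = len(s["accounts"])
        if breadth > max_accounts:
            alerts.append((src, breadth, round(s["failures"] / s["attempts"], 2)))
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for src, breadth, fail_ratio in flag_sources(sample_log()):
        print(f"ALERT {src}: {breadth} accounts, failure ratio {fail_ratio}")
```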

CaaS: Crime as a Service — The cybercrime service economy

  • “In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like a California noir and something more like sci-fi: To spy on the clients’ adversaries, prosecutors say, they hired a pair of hackers.”
  • “Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account “krowten.a.lortnoc”—”control a network” in reverse, according to the indictment.”
  • “The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives”
  • Some call it Espionage as a Service (EaaS), but it is really just Crime as a Service.
  • “While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. “The threat landscape is very complex,” he says. “A hacker group will sell to whoever wants to pay.””
  • “At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking’s done.”
  • How much do you trust a site selling an illegal service?
  • “In a report released in March, Europol, the European Union’s law enforcement arm, predicts online networking sites and anonymous cash-transfer mechanisms like cryptocurrencies will continue to contribute to the growth of “crime as a service” and to criminals who “work on a freelance basis . . . facilitated by social networking online with its ability to provide a relatively secure environment to easily and anonymously communicate.””
  • “The environment isn’t always secure. Earlier this month, one security sleuth unmasked the apparent owner of Hackers List as Charles Tendell, a Denver-based security expert. Soon after, Stanford legal scholar Jonathan Mayer crawled the site’s data, revealing the identities of thousands of the site’s visitors and their requests for hacks.”
  • “Mayer found only 21 satisfied requests, including “i need hack account facebook of my girlfriend,” completed for $90 in January, “need access to a g mail account,” finished for $350 in February, and “I need [a database hacked] because I need it for doxing,” done for $350 in April. A majority of requests on the service involve compromising Facebook (expressly referenced in 23% of projects) and Google (14%), and are sparked by a business dispute, jilted romance, or the desire to artificially improve grades, with targets including the University of California, UConn, and the City College of New York.”
  • Dell Research: Chart
  • It will be interesting to see what happens in this area, I expect the more serious hacking forums to go further underground, and the more obvious ones to be infiltrated by researchers and law enforcement. I also expect to see lots of scams.
  • Additional Coverage: WebPolicy.org

Feedback:


Round Up:


The post Hacking Henchmen for Hire | TechSNAP 218 first appeared on Jupiter Broadcasting.
Painless Plex Migration | Linux Action Show 334 https://original.jupiterbroadcasting.net/68967/painless-plex-migration-linux-action-show-334/ Sun, 12 Oct 2014 14:58:02 +0000 https://original.jupiterbroadcasting.net/?p=68967 Our guide to moving your Plex, btsync, SmokePing, and others to a new Linux server. And our take on how the Intel NUC performs as a home server with heavy Plex usage. Plus the big features coming to a distro near you & has Netflix coming to Linux shown us how Linux users are now […]

The post Painless Plex Migration | Linux Action Show 334 first appeared on Jupiter Broadcasting.

Our guide to moving your Plex, btsync, SmokePing, and others to a new Linux server. And our take on how the Intel NUC performs as a home server with heavy Plex usage.

Plus the big features coming to a distro near you & has Netflix coming to Linux shown us how Linux users are now “all-in with DRM”? We debate.

Thanks to:


DigitalOcean


Ting


— Show Notes: —

Migrate Plex and btsync to a new server.


System76

Brought to you by: System76

NUC Linux Server

Intel Nuc D54250WYKH

The Intel NUC D54250WYKH has many useful features, including four USB 3.0 ports, an infrared sensor, a headphone/microphone jack, Mini HDMI*, and Mini DisplayPort* video interfaces, and extra space to accommodate 2.5-inch HDD or SSD drives to support a variety of home or small office usages.

  • The chubby NUC has room for a 2.5 Inch SSD which was great for my OS and still has the standard PCI Mini storage slot

  • Low noise profile, not silent. But very quiet, about three feet away I can’t hear it.

Performance of the NUC

The power consumption at the wall was measured with the display being driven through the mini-HDMI port. In the graphs below, we compare the idle and load power of the D54250WYK with other low power PCs evaluated before. For load power consumption, we ran Furmark 1.12.0 and Prime95 v27.9 together.

Idle Power Consumption

Load Power Consumption (Prime95 + FurMark)

Moving Plex Media Server to another server

1. Set up common UIDs and GIDs between your NFS and app server.
2. When migrating, try to keep the same file paths, e.g. /mnt/nfs was where I had the media NFS mount on the previous box.
3. Set up your fstab; when possible, use systemd to mount so the mount is network-aware.

Mount using /etc/fstab with systemd

Another method is using the systemd automount service. This is a better option than _netdev, because it remounts the network device quickly when the connection is broken and restored. As well, it solves the problem from autofs, see the example below:

/etc/fstab

    servername:/home   /mountpoint/on/client  nfs  users,noauto,x-systemd.automount,x-systemd.device-timeout=10,timeo=14,noatime 0 0

Tip: noauto above will not mount the NFS share until it is accessed; use auto for it to be available immediately.
If you have any issues with the mount failing due to the network not being up/available, enable NetworkManager-wait-online.service: this will ensure that network.target has all the links available prior to being active.

  1. Stop Plex on your current server.
  2. Copy your old Plex Media Server configs to the new server:
  • In general, the location for the various Linux versions of Plex Media Server will be found under:

    $PLEX_HOME/Library/Application Support/Plex Media Server/

Make sure that the directories and contents are all owned by plex:plex.
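
A pre-flight check for the migration steps above, as an added example that is not part of the original show notes: it compares the numeric UID/GID of the service accounts on the old and new hosts (NFS with the default sec=sys authorizes by numeric ID, so a name that maps to a different number on the new box reads and writes as a different user) and lists anything under the copied Plex directory that is not owned by the expected IDs. The passwd excerpts, ID numbers and directory contents are constructed sample data, and the function names are assumptions.

```python
import os
import tempfile

# Constructed /etc/passwd excerpts for the old and new app servers (sample data).
OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
plex:x:998:998:Plex Media Server:/var/lib/plexmediaserver:/usr/sbin/nologin
media:x:1001:1001::/home/media:/bin/bash
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
media:x:1001:1001::/home/media:/bin/bash
plex:x:972:972:Plex Media Server:/var/lib/plex:/usr/bin/nologin
"""


def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd-format text, skipping junk."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue
        try:
            ids[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return ids


def id_drift(old_text, new_text, users):
    """Return {user: (old_ids, new_ids)} for users whose IDs differ or are missing."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    return {u: (old.get(u), new.get(u)) for u in users if old.get(u) != new.get(u)}


def wrong_owner(root, uid, gid):
    """List paths under root (root included) not owned by uid:gid."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    bad = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge a symlink itself, not its target
        if (st.st_uid, st.st_gid) != (uid, gid):
            bad.append(path)
    return sorted(bad)


def demo():
    """Run both checks on constructed data; returns (drift, clean, stale_count)."""
    drift = id_drift(OLD_PASSWD, NEW_PASSWD, ["plex", "media"])
    with tempfile.TemporaryDirectory() as root:
        # Stand-in for the copied "Plex Media Server" directory.
        os.makedirs(os.path.join(root, "Plex Media Server", "Cache"))
        open(os.path.join(root, "Plex Media Server", "Preferences.xml"), "w").close()
        st = os.lstat(root)
        clean = wrong_owner(root, st.st_uid, st.st_gid)           # expected owner
        stale = wrong_owner(root, st.st_uid + 1, st.st_gid)       # a drifted UID
    return drift, clean, len(stale)


if __name__ == "__main__":
    drift, clean, stale_count = demo()
    for user, (old_ids, new_ids) in drift.items():
        print(f"ID drift for {user}: old {old_ids} -> new {new_ids}")
    print(f"paths with wrong owner: {len(clean)} (expected IDs), {stale_count} (drifted UID)")
```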

SickRage

FEATURES:
  • XBMC library updates, poster/fanart downloads, and NFO/TBN generation
  • configurable episode renaming
  • available for any platform, uses simple HTTP interface
  • can notify XBMC, Growl, or Twitter when new episodes are available
  • specials and double episode support
  • Automatic XEM Scene Numbering/Naming for seasons/episodes
  • Episode Status Manager now allows for mass failing seasons/episodes to force retrying.
  • DVD Order numbering for returning the results in DVD order instead of Air-By-Date order.
  • Improved Failed handling code for shows.
  • DupeKey/DupeScore for NZBGet 12+
  • Searches both TheTVDB.com, TVRage.com and AniDB.net for shows, seasons, episodes
  • Importing of existing video files now allows you to choose which indexer you wish to have SickBeard search its show info from.
  • Your tvshow.nfo files are now tagged with an indexer key so that SickBeard can easily tell if the show’s info comes from TheTVDB or TVRage.
  • Sports shows are now able to be searched for.

Moving btsync between servers


  1. Copy down your paths and keys
  2. Shutdown btsync on your old system
  3. Depending on your version you need to remove the .sync folder, or the .Sync folders. The newest versions of btsync will ask you if you want to “take ownership”.
  4. “Add Folder” and put your folder path in.
  5. Edit the sync listing and click “view key” then click update key.
  6. Paste in the original key you copied down earlier. Now btsync will connect up to your peers.

Easy SmokePing Install and Setup

How to use this image

A. Pull down the SmokePing Docker image: SmokePing Docker Image | Docker Hub Registry

docker pull dperson/smokeping

B. Start the Docker image

sudo docker run --name smokeping -p 8000:80 -d dperson/smokeping

C. Visit https://localhost:8000/smokeping/smokeping.cgi


— PICKS —

Runs Linux

Scorpion TV Show is using linux as “hacker” os : LinuxActionShow

Desktop App Pick

bithammer · GitHub

Hey Chris and Matt, I thought I’d share this cool program BitHammer if you haven’t already heard of it. If you haven’t BitHammer searches out and bans BitTorrent users on your local sub-net. That means if you travel and work (Ohio LinuxFest), often using shared Wi-Fi. This is nice because many people have been plagued by rogue BitTorrent users who’ve crept onto these public hotspots either with a stolen/cracked password, or who lie (and the Wi-Fi owners) about it.

https://github.com/MichaelJCole/bithammer

Weekly Spotlight

Pocket-sized mobile touchscreen web server runs Tizen

The Egg is available in packages starting at $199 with 64GB through Nov. 6, with devices shipping in July 2015. The Egg is billed as a personal web server, and a way to cut the cord on social networking sites that sell information based on your data.


— NEWS —

Linux 3.17 Kernel Released With Many Great Features

Linux 3.17 is a big improvement and brings a ton of great features like working AMD Radeon R9 290 support, Xbox One controller support, DMA-BUF cross-device synchronization, a lot of ARM hardware improvements, free-fall support for Toshiba laptops, Intel Braswell and Cherry Trail enablement work, EFI Xen Dom0 boot support, file-system improvements, and much more. Linux 3.17 is a very exciting update!

At Last! Netflix Now Works On Ubuntu, No Hacks Required

Netflix now works on Ubuntu out of the box — no hacks, plugins or user-agent switching workaround required.

ChromeOS will no longer support ext2/3/4 on external drives/SD cards. Only fully supported filesystems are FAT and NTFS.

let’s drop support for ext2/3/4. Unnecessary features like this make it difficult to implement a feature that matter

AMD Moves Forward With Unified Linux Driver Strategy, New Kernel Driver

Basically converging the open-source Radeon Linux graphics driver and closed-source AMD Catalyst driver to run off the same kernel driver

NVIDIA Presents Its Driver Plans To Support Mir/Wayland & KMS On Linux

No firm time table was provided when NVIDIA’s Unix driver team hope to have their Linux proprietary driver fully running with Wayland/Mir and available to the public, but based upon how things are looking right now, it would likely be a safe bet for 2015.

Firefox OS Shows Continued Global Growth

Firefox OS is now available on three continents with 12 smartphones offered by 13 operators in 24 countries. As the only truly open mobile operating system, Firefox OS demonstrates the versatility of the Web as a platform, free of the limits and restrictions associated with proprietary mobile operating systems.


— FEEDBACK —

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —


Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

The post Painless Plex Migration | Linux Action Show 334 first appeared on Jupiter Broadcasting.
Arch Home Server Challenge | LAS 313 https://original.jupiterbroadcasting.net/57622/arch-home-server-challenge-las-313/ Sun, 18 May 2014 16:19:39 +0000 https://original.jupiterbroadcasting.net/?p=57622 Coming up on this week’s episode of The Linux Action Show! Arch Linux can make the perfect Home Server, we’ll share our tips to build the ultimate home server running the latest software, powered by Arch Linux. Plus Ubuntu rocks the OpenStack summit, a first look at Syncthing (the fully OSS Bittorrent Sync killer), results […]

The post Arch Home Server Challenge | LAS 313 first appeared on Jupiter Broadcasting.

Coming up on this week’s episode of The Linux Action Show!

Arch Linux can make the perfect Home Server, we’ll share our tips to build the ultimate home server running the latest software, powered by Arch Linux.

Plus Ubuntu rocks the OpenStack summit, a first look at Syncthing (the fully OSS Bittorrent Sync killer), results from our Btrfs poll, our picks…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


DigitalOcean


Ting


— Show Notes: —

Ultimate Arch Home Server:


System76

Brought to you by: System76

Ubuntu 12.10 – Quantal Quetzal – End of Life reached on May 16 2014

Arch Home Server Install Notes:

  • My Arch server philosophy comes down to one word: Focus
  • Outside of a few exceptions, an Arch server should be an absolutely lean machine, with only the packages required to perform a specific function.
  • Additional functions should be spun out into separate VMs when possible. VMs are cheap, containers are even cheaper.
  • We use a Template with a base Arch install, with the correct uids for NFS, the correct groups, and the basic file system mounts entered to fstab. This also simplifies the Arch deployment process.

  • The best server is a headless server, with no GUI. When you toss out the GUI, the usability playing field for setting up a server gets leveled out to nearly flat.

  • The invaluable amount of help that comes from the Arch Wiki in many ways gives Arch a usability boost over other possible distributions for a headless home server.

Arch Installation Quick Reference Guide by jmac217

So over the past few months or so I’ve just been throwing often-used commands and links into a Google Document to get me up and running quickly when I want to spin up a new Arch installation.

  • [Google Doc Install Guide by jmac217](https://docs.google.com/document/d/1RC41PnZFX7en8L3l0AYLXQKFsC2kxFrZjxQ1Q36AP-k/edit?usp=sharing)

Proxmox

  • Proxmox supports a mix of KVM Virtual Machines, and Linux containers.
  • Arch currently (I believe due to a systemd bug) runs best in KVM, not in a container.
  • Arch might make a better Linux Container candidate after that bug is fixed.

  • Our Proxmox box is a Core i7 rig, with 1TB of internal RAID0 storage.

  • Important data is stored on the NFS FreeNAS box.
  • We run one Arch VM from the internal 1TB, and one from the NFS mount.

NFS Setup

  • FreeNAS was our selection for the back-end storage.

  • A btrfs powered server was considered, but upon a mighty reflection induced by our recent poll, ZFS seemed like the wiser choice.

  • ZFS does work on Linux, but the utility aspect of FreeNAS appeals.

  • When the application stuff is handled by front end systems, the backend storage should be as simple, reliable, and appliance-like as possible. FreeNAS offers a lot of that, with a native ZFS implementation, backed by a trusted company – iXsystems.

  • Install NTP on both ends

  • In Arch use systemd to mount the NFS share
  • Create a common UID on the NFS server and Client. This makes file permissions much simpler. Have everything owned by your “media” user in your “media” share.

SABnzbd

  • Configured SABnzbd to work off the NFS mount.

  • Modify the SABnzbd config to allow network connections:

/opt/sabnzbd/sabnzbd.ini

CouchPotato.

  1. packer -S couchpotato-git

  2. cd /usr/lib/systemd/system

  3. nano couchpotato.service – edit to run as root

  4. chown -R root:root /opt/couchpotato

  5. systemctl enable couchpotato

  6. systemctl start couchpotato

Default port is 5050

SickBeard

  • SickBeard requires you have some usenet index search APIs. Its built-in search is limited.

  • Set SickBeard to ping Plex to update once a download completes.

Monitorix

SSMTP

  • SSMTP is a program to deliver an email from a local computer to a configured mailhost (mailhub). It is not a mail server (like feature-rich mail server sendmail) and does not receive mail, expand aliases or manage a queue. One of its primary uses is for forwarding automated email (like system alerts) off your machine and to an external email address.

  • A lot of server side applications (and the next item down in this list) need to use smtp to send you an email notification. When you have automated processes happening at all different hours of the day, often kicked off by some script running headless in the background, it’s sorta a necessary evil.

  • /etc/ssmtp/ssmtp.conf

Logwatch

  • Logwatch is a powerful and versatile log parser and analyzer. Logwatch is designed to give a unified report of all activity on a server, which can be delivered through the command line or email.

  • A key part of set it and forget it is having your system alert you when it needs help, so you can address it before it becomes a disaster.

Syncthing

  • Per-user config files, example:

/home/studio/.syncthing/config.xml


— Picks —

Runs Linux

ExoMars Mission, Runs Linux

Desktop App Pick

Castawesome

Castawesome is live screencasting tool for Linux. With it you can broadcast video and audio from your desktop to Twitch.tv/Justin.tv, Hitbox.tv and YouTube

Weekly Spotlight

Syncthing

Syncthing replaces Dropbox and BitTorrent Sync with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it’s transmitted over the Internet.


— NEWS —

Canonical Goes BIG at

This year more than 5,000 people showed up to the OpenStack conference, and 1,780 people filled out a survey that drills into how they’re using OpenStack. Many of the respondents (60%) came from companies that employ fewer than 500 people, while a dwindling percentage was derived from users at companies that employ more than 1,000 people, compared to the October 2013 user survey (34%, down from 39%).

The Orange Box is an innovative, custom designed micro cluster chassis, envisioned by Canonical, and contract manufactured by TranquilPC Limited. The chassis includes a small cluster of Intel NUC (Next Unit of Computing) boards, and is particularly well suited for portable demonstration and local prototyping of cloud workloads. The Orange Box, manufactured in the UK to exacting standards is available to order and ships internationally (free of charge).

Each Orange Box chassis contains:

  • 10x Intel NUCs
  • Specifically, the Ivy Bridge D53427RKE model

Each Intel NUC contains

  • i5-3427U CPU
  • Intel HD Graphics 4000
  • 16GB of DDR3 RAM
  • 120GB SSD root disk
  • Intel Gigabit ethernet
  • D-Link DGS-1100-16 managed gigabit switch with 802.1q VLAN support

All 10 nodes are internally connected to this gigabit switch

In aggregate, this micro cluster effectively fields 40 cores, 160GB of RAM, 1.2TB of solid state storage, and is connected over an internal gigabit network fabric. A single fan quietly cools the power supply, while all of the nodes are passively cooled by aluminum heat sinks spanning each side of the chassis.

The first node, node0, additionally contains:

  • An Intel Centrino Advanced-N 6235 WiFi adapter
  • A 2TB HDD (spinning)
  • USB and HDMI ports are wired and accessible from the rear of the box
  • Access to the USB/HDMI of nodes1-9 is accessible from the underside of the unit

  • Six GBE LAN ports (all connected to the internal switch) are exposed to the rear panel, for external access, or even clustering of multiple Orange Boxes together.

  • Mark introduces the Orange Box: https://youtu.be/aEYCjHCderM?t=13m33s

Canonical offers ‘Chuck Norris Grade’ OpenStack private cloud service

This new offering is called Your Cloud. For $15 per day per host, “Ubuntu offers all the software infrastructure, tools, and services you need to have your own cloud at your fingertips. Built by experts on Ubuntu OpenStack, fully managed and with 24/7 monitoring.”

Canonical Juju DevOps tool coming to CentOS and Windows

It’s hard to shock an audience at a technical conference. Mark Shuttleworth, founder of Ubuntu Linux and its parent company Canonical, managed it several times in his OpenStack Summit keynote speech. No news may have been more surprising than that Canonical had ported its Juju DevOps program to its rival’s operating systems: Red Hat’s CentOS and Microsoft’s Hyper-V and Windows Server 2012.

Ubuntu’s Unity 8 Desktop To Be Released As Separate Flavor?

“The desktop team would like to add a new flavour (we don’t plan to have any formal releases at this point) of Ubuntu which contains the Unity 8 desktop and the new applications which have been developed for the touch project.

The initial intention is to provide a product which developers can use to figure out the work that’s required to make a desktop product based on this software usable, and to create a space for experimentation to figure out the best ways of carrying out the required integration.”

Linux Mint will stick to LTS release

The decision was made to stick to LTS bases. In other words the development team will be focused on the very same package base used by Linux Mint 17 for the next 2 years.

It will also be trivial to upgrade from version 17 to 17.1, then 17.2 and so on.
Important applications will be backported and we expect this change to boost the pace of our development and reduce the amount of regressions in each new Linux Mint release.

This makes Linux Mint 17.x very important to us, not just yet another release, but one that will receive security updates until 2019, one that will receive backports and new features until 2016 and even more importantly, the only package base besides LMDE which we’ll be focused on until 2016.

Our traffic doubled lately and all our stats are on the rise, and we don’t know why. Maybe it’s related to the end-of-life of Windows XP. We’re not really sure

Antergos’ Release Candidate plus Partnering with Numix

Antergos is partnering with the Numix Project to create an exclusive edition of Numix Themes for our desktops (both GTK and QT). In this RC, you will be able to enjoy some premature advances of this agreement in the form of the icon theme. We’re not sure if the rest of the design will make it into this release or if it will be postponed until next stable release.

— Feedback —

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —

— Find us on Twitter —

— Follow the network on Facebook: —

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

The post Arch Home Server Challenge | LAS 313 first appeared on Jupiter Broadcasting.
DiskStation vs FreeNAS | LAS s29e03 https://original.jupiterbroadcasting.net/44992/diskstation-vs-freenas-las-s29e03/ Sun, 20 Oct 2013 14:43:03 +0000 https://original.jupiterbroadcasting.net/?p=44992 Synology’s Linux powered DS412+ is a powerful server, wrapped in a compact near silent enclosure. How does this compare to a FreeNAS server you could build?

The post DiskStation vs FreeNAS | LAS s29e03 first appeared on Jupiter Broadcasting.

Synology’s Linux powered DS412+ is a powerful server, wrapped in an ultra compact near silent enclosure. How does this unit stack up to a FreeNAS server you could build? Is the lack of ZFS support a hindrance? Our answers might surprise you.

Plus: Did Mark Shuttleworth shift the tone of the community dialog by labeling his opposition the open source Tea Party? It’s our blow-by-blow guide to the big stink over the weekend, that we will be smelling for weeks….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


GoDaddy


Ting

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Synology DS412+ Review


System76

Brought to you by: System76

Check out System76 on G+

  • Linux 3.2.40

  • 1GB DDR 3

  • Intel(R) Atom(TM) CPU D2701 @ 2.13GHz

  • 205.68 MB/sec Reading, 182.66 MB/sec Writing (with link aggregation enabled)

  • 2 LAN with Failover and Link Aggregation Support

  • USB 3.0

  • eSATA

  • CPU Passive Cooling

  • Windows® ADS and ACL Support

  • iSCSI support provides a seamless storage solution for virtualization servers

  • 44 watts power consumption in operation

  • CIFS, AFP, FTP, iSCSI, Telnet, SSH, NFS, SNMP, WebDAV, CalDAV

  • File Systems:
    • EXT4
    • EXT3 (External Disk Only)
    • FAT (External Disk Only)
    • NTFS (External Disk Read Only)

The Synology Hybrid RAID (SHR) automatically builds an optimal RAID
volume with data protection based on the hard drives installed, eliminating
the need to have hard drives of identical



– Picks –

Runs Linux:

Desktop App Pick

Weekly Spotlight:

Git yours hands all over our STUFF:


— NEWS —

– Feedback: –

Bitmessage:

BM-GuJRSMgViBNXnafzuRQL3tpHHFSJQ5Wm


Gentlemen, Start Your NGINX | TechSNAP 128 https://original.jupiterbroadcasting.net/43352/gentlemen-start-your-nginx-techsnap-128/ Thu, 19 Sep 2013 16:15:59 +0000 https://original.jupiterbroadcasting.net/?p=43352 A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

The post Gentlemen, Start Your NGINX | TechSNAP 128 first appeared on Jupiter Broadcasting.

A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

Then it’s a great big batch of your questions, our answers, and much much more!

On this week’s TechSNAP.

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Crooks Hijack Retirement Funds Via Social Security Administration Portal

  • Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program
  • The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal
  • The SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site.
  • As of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity.
  • “There is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.” – via Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General.
  • Banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail.
  • Many customers will overlook such notices.
  • If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time to take care of that.
  • Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam.
  • In Canada, registering on the Canada Revenue Agency’s website requires information from your previous year’s tax returns, and an activation code is snail-mailed to you.

Microsoft warns of a 0day in all versions of Internet Explorer, working on a patch for IE 6 – 11

  • The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type
  • Actively being exploited against IE8 and 9
  • Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
  • The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
  • The company is offering the following workarounds and mitigations:
  • Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” that prevents exploitation of this issue. Note: This ‘fixit’ solution only works for 32-bit versions of IE
  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
  • CVE-2013-3893
  • Additional Coverage

Cyber Police Arrest 12 Over Santander Bank Heist Plot

  • The Metropolitan Police’s Central e-Crime Unit (PCeU) has arrested 12 men as part of an investigation into an “audacious” plot to take control of a Santander Banking computer.
  • “The PCeU is committed to tackling cyber-crime and the damage it can cause to individuals, organisations and the wider economy.”
  • According to the police, the group sent a man in dressed as a maintenance engineer, who managed to attach an IP-KVM (keyboard video mouse) device to a machine in the bank, allowing the attackers to remotely carry out actions on the computer
  • The men, aged between 23 and 50, were arrested yesterday, whilst searches were carried out at addresses in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slou

Feedback

10.1.10.254:/mnt/fart /mnt/nfs nfs auto,noatime,nolock,defaults,user=1001 0 0

Round Up:

iOS 7 Swamps the Internet

Easy Linux Remote Desktop | LAS s28e03 https://original.jupiterbroadcasting.net/41392/easy-linux-remote-desktop-las-s28e03/ Sun, 11 Aug 2013 14:03:43 +0000 https://original.jupiterbroadcasting.net/?p=41392 Our straightforward approach to setting up Remote access to a Linux, Windows, or Mac. Control your desktop from your mobile device, or another computer.

The post Easy Linux Remote Desktop | LAS s28e03 first appeared on Jupiter Broadcasting.

Our straightforward approach to setting up Remote access to a Linux, Windows, or Mac. Control your desktop from your mobile device, or another computer.

PLUS: An overview of the Drives for Jupiter project, why Chris went with FreeNAS, the joys of NFS, an epic announcement….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux249 to score .COM for just $2.49!

For new orders save 32% with our code go32off2

 

Visit las.ting.com to save $25 off your device or service credits.

 


— Show Notes: —

Remote Linux Desktop with Splashtop


System76

Brought to you by: System76

Splashtop Streamer is a high-performance audio-video streaming server, enabling remote access from an Android device (tablet/phone) or an iOS device (iPad/iPhone/iPod). You can connect within a Local Area Network or through a cross-network or Internet connection.

Due to its efficient protocol, algorithms and optimizations, Splashtop has been shown in performance benchmarks to deliver up to 15x higher video frame rates and up to 10x lower latency times than its competition. Splashtop sessions are secured with SSL and 256-bit AES encryption, allowing it to serve as a secure pipe between devices, in some cases allowing users to eliminate their need for separate VPN solutions.

Just like its Windows and Mac versions, Splashtop Streamer for Linux aims to be a faster way to connect to your desktop PC from a mobile device. Coupled with the Splashtop apps for iOS and Android, you can view or edit files, run Linux programs, stream music and videos, and more right from your iPhone, iPad, or Android device.

While at first it seems boring yet another remote desktop application for Linux when there’s already VNC and friends, the features offered are fairly interesting. In the press release being issued today, Splashtop claims a 10x performance advantage over VNC.

Splashtop 2 client devices can connect to a remote computer running Ubuntu and the company attributes their “efficient protocol, algorithms, and optimizations” that allow it to deliver 10x the performance over VNC in latencies. Splashtop also claims 15x higher video frame-rates than the competition. I haven’t yet tried out this software on Linux myself so I cannot attest to these performance claims.

Installing Splashtop on Arch:

  1. On the machine to be accessed (the server), install splashtop-streamer.
  2. For the client, install splashtop-client and for your phone, Splashtop 2 Remote Desktop.

– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:

Git yours hands all over our STUFF:


— NEWS —

— /etc: Managing 24TB For Fun and Profit —


Untangle

Brought to you by: Untangle


Linux Drive Recovery | LAS s27e10 https://original.jupiterbroadcasting.net/40577/linux-drive-recovery-las-s27e10/ Sun, 21 Jul 2013 13:38:15 +0000 https://original.jupiterbroadcasting.net/?p=40577 Some of the best tools to save and recover data from a failing drive are free, and built for Linux. We’ll demo some of the best tools to save your data.

The post Linux Drive Recovery | LAS s27e10 first appeared on Jupiter Broadcasting.

Some of the best tools to save and recover data from a failing drive are free, and built for Linux. We’ll demo some of the best tools to save your data, and make the best of a bad situation. Plus a few tips to prevent data loss and monitor the health of your drives.

PLUS: Setting up a Honeypot for security and fun, things to keep in mind, and using a Raspberry Pi as the Honeypot.

Then: A big batch of your emails, dev drama of the week, Ubuntu Forums is hacked…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux249 to score .COM for just $2.49!

Free Private Registration with your .COM just use our code free3 until the end of the month!

 

Visit las.ting.com to save $25 off your device or service credits.

 


— Show Notes: —

Save Your Data From a Dying Drive with Linux:


System76

Brought to you by: System76

GSmartControl is a graphical user interface for smartctl (from smartmontools package), which is a tool for querying and controlling SMART (Self-Monitoring, Analysis, and Reporting Technology) data on modern hard disk drives. It allows you to inspect the drive’s SMART data to determine its health, as well as run various tests on it.

GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

Basic Syntax

ddrescue /dev/disk /mnt/tuna/partimg/mydisk.img logfile
Be sure to write the image to a separate disk/storage location.

Mount the Image

mount -o loop,ro mydisk.img /somewhere

Comparison to GNU dd

The following features are available in dc3dd that are not found in GNU dd:

  • On the fly hashing with multiple algorithms (MD5, SHA-1, SHA-256, and SHA-512) with variable sized piecewise hashing
  • Able to write errors directly to a file
  • Combined error log. Groups errors together (e.g. Had 1,023 ‘Input/output errors’ between blocks 17–233)
  • Pattern wiping. Wipe output files with a single hex digit or a text pattern
  • Verify mode
  • Progress reports. See the progress of the operation while it’s running
  • Split output. Able to split output files into fixed size chunks

The following changes to GNU dd’s behavior were made:

  • On a partial read, the whole block is wiped with zeros. This allows for repeatable reads/hashes of a drive with errors.

“A Geek’s Guide to Digital Forensics, or How I Learned to Stop Worrying and Love the Hex Editor”
Presented by Andrew Hoog.

Boot a Failing System

Description: SystemRescueCd is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administrating or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the hard disk partitions. It comes with a lot of Linux software such as system tools (parted, partimage, fstools, …) and basic tools (editors, midnight commander, network tools). It can be used for both Linux and Windows computers, and on desktops as well as servers. This rescue system requires no installation as it can be booted from a CD/DVD drive or USB stick, but it can be installed on the hard disk if you wish. The kernel supports all important file systems (ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, ntfs), as well as network filesystems (samba and nfs).

Tuxboot helps you to create a bootable Live USB drive for Clonezilla live, DRBL live, GParted live and Tux2live. It is modified from UNetbootin and runs on both MS Windows and GNU/Linux. You can choose to download the latest version of Clonezilla live, DRBL live, or GParted live ISO/zip file then create the live USB.

Features:

  • Support Clonezilla live, DRBL live, GParted live and Tux2live. Tuxboot uses the syslinux in the ISO/zip file to make your USB drive bootable, so it is compatible with the same version of syslinux boot menu in the ISO/zip file.
  • Auto find the latest version.
  • Download an ISO file and build bootable USB flash drive on the fly.

OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF).


– Picks –

Runs Linux:

– Linux Foundation Executive Director Jim Zemlin

Android Pick:

Desktop App Pick:

– From viewer David

Search our past picks:

Git yours hands all over our STUFF:


— NEWS —


Untangle

Brought to you by: Untangle

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Glastopf web honeypot along with Wordpot, Thug honeyclient and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.

I installed a Kippo honeypot on a Raspberry Pi to log attacks against a specific service,


Drives for Jupiter


Preparing for Orwell’s Internet | TechSNAP 114 https://original.jupiterbroadcasting.net/38757/preparing-for-orwells-internet-techsnap-114/ Thu, 13 Jun 2013 18:56:13 +0000 https://original.jupiterbroadcasting.net/?p=38757 We’ve got a bunch of options to protect your privacy online, things to consider before you self host.

The post Preparing for Orwell’s Internet | TechSNAP 114 first appeared on Jupiter Broadcasting.

We’ve got a bunch of options to protect your privacy online, things to consider before you self host.

Plus: With a little planning ahead, you can protect yourself from compelled disclosure, we’ll share the details. Then your questions our answers, and much much more!

Thanks to:

Use our code tech249 to score .COM for $2.49!

35% off your ENTIRE first order just use our code 35off3 until the end of the month!

 

Catch episode 143 where Angela takes the Android challenge!

 


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: