Show Notes: selfhosted.show/23

The post Shields Up | Self-Hosted 23 first appeared on Jupiter Broadcasting.

A huge amount of SIM cards are susceptible to an Over the Air attack, Allan’s got the details, Apple’s hacker outs himself, and the trouble with the Ubuntu forums!

Plus a batch of your questions, and much much more!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! Get private registration FOR FREE with a .COM! code: free5
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Security Researcher Claims Apple Developer Website Hack

• Apple\’s Developer Center first went offline last Thursday, and on Sunday, Apple revealed that it had been taken down as a precaution after a security breach. It is unclear who was responsible for the hacking, but a security researcher, Ibrahim Balic has suggested that he might be to blame for the outage.
• The company added that critical developer data had not been compromised and that they were working day n’ night to fix the vulnerability and bring the site back online.
• According to 9 to 5 Mac adds that, “In an email… Balic … is persistent in stating he did this for security research purposes and does not plan to use the information in any malicious manner.”
• The comment comes from independent security researcher Ibrahim Balic, who claims that his effort was not intended to be malicious and that he reported his findings to Apple just hours before the developer site was taken down by the company.
• Balic, who has reported 13 different bugs to Apple, originally discovered an iAd Workbench vulnerability on June 18 that allowed a request sent to the server to be manipulated. This security hole could be used to acquire the names and email addresses of iTunes users (even non-developers).
• After finding the loophole, Balic wrote a Python script to harvest data from the vulnerability and then displayed it in a YouTube video, which may have put him on Apple\’s radar.
• In addition to the iAd Workbench bug, Balic also discovered and submitted a report on a bug that caused the Dev Center site to be vulnerable to a stored XSS attack. While Balic says that it was possible to access user data by exploiting the Dev Center issue, he claims that he did not do so.
• New Details Emerge on Security Researcher Potentially Responsible for Dev Center Outage s
• Apple Outlines Plan for Bringing Developer Center Back Online
  Additional Coverage

Ubuntu Forums compromised

• The forums were defaced and the database compromised
• There were approximately 1.82 million registered accounts in the forum database
• Attackers have access to each of these user\’s username, password and email address
• The passwords were salted hashes, but by which algorithm was not made clear. Where these cryptographic hashes, or just md5(salt+md5(password)) or similar like some forum software?
• If you were a registered user, and reused that password anywhere else, you are likely going to have a bad time
• “Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach”
• Timeline:
• 2013-07-20 2011 UTC: Reports of defacement
• 2013-07-20 2015 UTC: Site taken down, this splash page put in place while investigation continues.
• 2013-07-21: we believe the root cause of the breach has been identified. We are currently reinstalling the forums software from scratch. No data (posts, private messages etc.) will be lost as part of this process.
• 2013-07-22: work on reinstalling the forums continues.

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

• Voicemail from OSCON
• 389 Directory Server (Open Source LDAP)

The enterprise-class Open Source LDAP server for Linux. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world. The 389 Directory Server can be downloaded for free and set up in less than an hour using the graphical console.

• Too many VMs in One Place?

• An Excellent Chance to Talk about FreeBSD for Allan!

• PPA for PHP5 : Ondřej Surý

• How does one learn how to become a PenTester?

  • Metaspolitable
  • Backtrack view by example
• Linux Drive Recovery | LAS s27e10 | Jupiter Broadcasting

Round Up:

• Feds Demand the Keys, Preparing for the Death of Public-Key Encryption
• The UNIX Issue of the Bell System Technical Journal turns 35 Spotted by Poul-Henning Kamp @bsdphk
• UK MP leading the charge for default blocking porn, has website hacked and filled with porn, accuses random blogger who comments on it of being behind the attack #doesnotknowhowtheinternetworks
• MIT Uses Machine Learning Algorithm To Make TCP Twice As Fast
• NSA says it cannot search its own emails to fulfill FOIA requests
• US-CERT releases advisory about DNS Amplification attacks, includes configuration suggestions to prevent your servers from being part of an attack
• True tales of white-hat hacking

The post Ethically Hacked | TechSNAP 120 first appeared on Jupiter Broadcasting.