Show Notes: linuxunplugged.com/316

The post Self Hosted Secrets | LINUX Unplugged 316 first appeared on Jupiter Broadcasting.

Show Notes: error.show/69

The post Partner Password Policy | User Error 69 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/399

The post Ethics in AI | TechSNAP 399 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/398

The post Proper Password Procedures | TechSNAP 398 first appeared on Jupiter Broadcasting.

Show Notes: error.show/54

The post Backup to the Moon | User Error 54 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Tales of an IT professional sailing around the Antarctic loop – sent in by Eric Miller

• CTD device – A CTD or Sonde is an oceanography instrument used to measure the conductivity, temperature, and pressure of seawater (the D stands for “depth,” which is closely related to pressure). The reason to measure conductivity is that it can be used to determine the salinity.

• Had to reinstall software for a winch to get it working

• Registered a new website and webmail and created a custom email solution so scientists would remotely access their email

security.txt – an RFC in the making

• Based on /.well-known/ of RFC5785 and similar in nature to robots.txt

• JSON was discussed, but dismissed

• CWE (Common Weakness Enumeration) will be used

• Versioning of security.txt by third parties

• Generation utilities have been created](https://github.com/EdOverflow/security-txt/issues/10)

Dumping Data from Deep-Insert Skimmers

• Deep-insert skimmers

• Romanian links to US crime

• European data skimmed from cards, then used in US because chip technology is not widely deployed there

• ‘wands’ inserted deep into the ATM to retrieve data

Feedback

• re Database migrations in Episode 332 jungle boogie writes in to mention Sqitch github by David Wheeler. JB says “This is a program written in perl and looks to have support for many databases”. JB also mentioned [pgBackRest](https://www.pgbackrest.org/] github

• Gary Foard writes in about a command line utility called shred. He uses to erase laptops from a live Linux disc. I checked the FreeBSD manual pages to check it’s there also, and it is – although I had to search for gshred instead of shred to find shred which I find weird. – See sysutils/coreutils in the FreeBSD Ports tree. – Dan notes: not recommended for erasing files any more. Not feasible for COW filesystems.

• prime62 mentioned on the TechSNAP sub-reddit mentioned some password hashing/salting resources: Salted Password Hashing – Doing it Right and The definitive guide to form-based website authentication

• Also seen on Reddit: There is no point [on max password lengths] since the field is hashed.

Round Up:

• Mobile operators deploying portable Cell-On-Wheels/Cell-On-Truck units along eclipse path to handle huge data usage of photos and streaming

• Security Keys

• 83601 is a supervisor number

• Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices

• Random Thoughts – next release of OpenSSL see Password Strength

• Create randomly insecure VMs

• This algorithm cleverly recreates 3D objects from tiny 2D images

The post Rsync On Ice | TechSNAP 333 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Responsible Disclosure Is Hard

• When a responsible person discovers a security issue, disclosing it properly is difficult

• Uses Tesla’s policy as a good example of how companies should do this

• “This is not hard stuff and it basically amounts to text on a page. Consider whether your own organisation has something to this effect and is actually ready to handle disclosure by those who attempt to do so ethically. Listen to these people and be thankful they exist; there’s a whole bunch of others out there who are far less charitable and by the time you hear from those guys, it’s already too late.”

RedHat deprecates Btrfs

• The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

• The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

320 Million Freely Downloadable Pwned Password hashes

• NOTE: these are SHA-1 hashes, not the raw passwords: 320,335,236 to be precise

• Password checking page – that same URL has links for downloading the hashes

• To unzip the files, you need p7zip. Command to extract is: 7z x pwned-passwords-update-1.txt.7z

• to generate a sha1 hash, Dan used: ‘sha1 -s TechSNAP’ – SHA1 (“TechSNAP”) = c6586a62febc8706d814fe28fe397e9dca146992. Use “tr ‘[a-z]’ ‘[A-Z]'” to upper case.

• takes about 0.176ms to locate a hash on a PostgreSQL 9.6 database

• Example query construction

• Passwords Evolved: Authentication Guidance for the Modern Era

• API for using Troy’s service

• Troy’s donation page

Feedback

• PXE Boot Imaging

• +1 for FOG! Versatile and reliable

• slobeck retweets x0rz 1960’s vs. now

Round Up:

• How Dropbox securely stores your passwords

• gedit is unmaintained, some thoughts

• DigiCert to Acquire Symantec’s Website Security Business and Related PKI Solutions

• Microsoft didn’t sandbox Windows Defender, so I did

• Should I revoke no longer used Let’s Encrypt certificates before destroying them?

The post BTRFS is Toast | TechSNAP 331 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New password guidelines say everything we thought about passwords is wrong

• No more periodic password changes

• No more imposed password complexity

• Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.

• We recommend you use a password manager, use a different password on every login

• Rainbow tables used to convert hashes to passwords

Enterprise hard disks are faster and use more power, but are they more reliable?

• The enterprise disks also use more power: 9W idle and 10W operational, compared to 7.2W idle and 9W operational for comparable consumer disks.

• If you have one or two spindles, that’s no big deal, but each Backblaze rack has 20 “storage pods” with 60 disks each. An extra 2.2kW for an idle rack is nothing to sniff at.

• Other HGST models are also continuing to show impressive longevity, with three 4TB models and one 3TB model both boasting a sub-1 percent annualized failure rate.

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

• Access to all your mail

• access to any of your google hangout chats

• access to all your contacts

• makes a good case for encryption/decryption at the client

• OAuth

Feedback

• Intel AMT bug

• bhyve VGA pass-through see also mailing list post

• Amazing, and keep it up!

• Borg Backup see Borg Documentation

  • Borg demonstration

• inexpensive, managed switches

Round Up:

• Why Security Backdoors are Bad (Common Sense Version)

• How to remote hijack computers using Intel’s insecure chips: Just use an empty login string

• Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

• NASA wants YOU (to make its Fortran code run faster)

The post All Drives Die | TechSNAP 318 first appeared on Jupiter Broadcasting.

LinkedIn password dump strikes Mark Zuckerberg & Google Two Factor authenticator users & others. We round it all up. Plus some of the new security features coming to Android N, the era of backpack PC’s is here & what the heck is going on with Nest?

Plus our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Links

• Mark Zuckerberg’s Twitter and Pinterest accounts hacked, LinkedIn password dump likely to blame
• Nest’s time at Alphabet: A “virtually unlimited budget” with no results
• How Android N addresses security
• Need to bypass Google’s two-factor authentication? Send a text message
• Are backpack VR PCs really a thing now? MSI, Zotac and HP think so
• Superyacht is converted from supply ship – Tech Insider

Kickstater of the week

• Portal: Turbocharged WiFi by Ignition Design Labs — Kickstarter

The post Zuckerpunched | TTT 247 first appeared on Jupiter Broadcasting.

This week, the FBI says APT6 has pawned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

FBI says APT6 has pwning the government for the last 5 years

• The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
• The official advisory is available on the Open Threat Exchange website
• The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
• In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
• Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.
• “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
• Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is ”likely a nation-state sponsored group based in China,” according to FireEye, which ”has been dormant for the past several years.”
• Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

• After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
• A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
• The investigation centres on a Monaco company called Unaoil.
• Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
• The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
• Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now know as MAN Diesal & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
• The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
• The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
• It is the Monaco company that almost perfected the art of corruption.
• It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
• How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
• Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
• On a semi-related note, another big story for you to go read:
• How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

• No, not that kind of Visa, the other one.
• Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
• This has very important security considerations, as the application process for getting a visa is when most security checks are done
• Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter –- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
• Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
• After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database –- the government’s so-called “backbone” for vetting travelers to and from the United States –- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
• As one of the world’s largest biometric databases –- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -– the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
• “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
• Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
• State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
• “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:

• SSH key protection

• Router Thoughts from Allan

• rmh from the chatroom asks…

Round Up:

• Microsoft Sues Justice Department Over Client Data Gag Orders
• Root cause analysis of a recent Flash zero day
• Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key
• After an outage, an Australian mobile provider credited customers with a single day of unlimited data usage. One customer managed to use 994 GB of mobile usage in a single day
• Sophisticated bribe scheme gets game company with access to antivirus whitelist to falsely list malware was trusted
• Microsoft releases optional Windows update to mitigate “mousejacking”, where an attacker can take over your wireless mount and keyboard from up to 100 meters away
• Github commits can now be GPG signed to prove their authenticity
• If you can’t break crypto, break the client. Recovery of plaintext from iMessage
• Renting a movie on your iOS device might free up some space for you
• The Italian Ministry of Economical Progress has revoked “HackingTeam”’s licence to export their Galileo remote control software outside of the EU, must ask special permission for each sale
• Laziness remains the greatest enemy of password security
• The “All Prior Art” project seems to machine generate every possible patent and release it under a creative commons license, so it can never be patented by anyone else. The ultimate reverse patent troll?
• How to identify a vehicle at risk of collisions

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.

Twitch gets hacked, Microsoft rolls back its Windows 10 for pirates pledge, Glass will be sticking around & hacking computers with heat!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Twitch Accounts Were Compromised, All Passwords Reset

Uh oh, game streaming service Twitch has posted a short notice to its blog warning that there “may have been” some unauthorized access to some Twitch user information.

Upgrading to Windows 10 on pirated versions won’t get you a valid license

Unfortunately, the company had scaled back a bit on its plans saying that the free upgrade, though available, won’t actually change the license state of a user’s OS. In plain speak this means that if you were running a pirated copy of Windows, you’ll still be running a pirated copy even after upgrading to Windows 10.

Google Isn’t Giving Up on Glass, Eric Schmidt Says – Digits – WSJ

“It is a big and very fundamental platform for Google,” Schmidt said. “We ended the Explorer program and the press conflated this into us canceling the whole project, which isn’t true. Google is about taking risks and there’s nothing about adjusting Glass that suggests we’re ending it.”

He said Glass, like Google’s self-driving car, is a long-term project. “That’s like saying the self-driving car is a disappointment because it’s not driving me around now,” he said. “These things take time.”

Hack Air-Gapped Computers Using Heat – Slashdot

Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called “BitWhisper,” which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.

The post Computers In Heat | Tech Talk Today 148 first appeared on Jupiter Broadcasting.

The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators.

Then its a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Chaos Computer Club website in blocked by UK “porn filter”

A significant portion of British citizens are currently blocked from accessing the Chaos Computer Club’s (CCC) website. On top of that, Vodafone customers are blocked from accessing the ticket sale to this year’s Chaos Communication Congress (31C3).

Since July 2013, a government-backed so-called opt out list censors the open internet. These internet filters, authorized by Prime Minister David Cameron, are implemented by UK’s major internet service providers (ISPs). Dubbed as the “Great Firewall of Britain”, the lists block adult content as well as material related to alcohol, drugs, smoking, and even opinions deemed “extremist”.

Users can opt-out of censorship, or bypass it by technical means, but only a minority of users know how to bypass those filters.

YouTube Offering Its Stars Bonuses – WSJ

Facebook Inc. and video startup Vessel, among others, have tried to lure YouTube creators to their services in recent months, according to people familiar with the discussions.

In response, Google is offering some of its top video makers bonuses to sign multiyear deals in which they agree to post content exclusively on YouTube for a time before putting it on a rival service. The bonuses can be tied to how well videos perform, but YouTube is making a wide range of offers to counter rivals, according to people involved in the discussions. For several months, YouTube also has been offering to fund additional programming by some of its video makers.

These people say YouTube executives are particularly concerned about Vessel, though the startup has yet to disclose any details about its service or video makers it has signed.

In recent weeks “YouTube has been in a fire drill” led by Robert Kyncl, global head of business, trying to hold on to its stars, according to a person close to the company.

It’s Here! Announcing Fedora 21!

Fedora 21 Release Announcement

The Fedora Project is pleased to announce Fedora 21, the final release, ready to run on your desktops, servers, and in the cloud. Fedora 21 is a game-changer for the Fedora Project, and we think you’re going to be very pleased with the results.

TL;DR?

Impatient? Go straight to https://getfedora.org/ and get started. Otherwise, read on!

Sony Pictures hack was a long time coming, say former employees — Fusion

“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”

The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.

Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.

Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss.

Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, his salary is over $300,000 this year according to one of the leaked salary documents — and will get bumped over $400,000 if he gets his bonus.

• Sony Describes Hack Attack as ‘Unprecedented’ | Re/code

In his comments, Mandia described the malicious software used in the attack against Sony as “undetectable by industry standard antivirus software.” He also said that the scope of the attack is unlike any other previously seen, primarily because its perpetrators sought to both destroy information and to release it to the public. The attack is one “for which neither SPE nor other companies could have been fully prepared,” Mandia said.

• Expat Newswire | Sony Pictures Hack Traced to Bangkok Hotel

The hacks were traced to the St. Regis Bangkok, a 4.5 star resort where basic rooms cost over $400 per night. It remains unclear whether the hacks were done from a room or a public area, but investigations into the breach have traced the attack to the hotel on December 2nd at 12:25 am, local time.

• Sony saved thousands of passwords in a folder named ‘Password’ – Telegraph

It appears that the leaked files include the Social
Security numbers of 47,000 employees and actors, including Sylvester
Stallone, Judd Apatow and Rebel Wilson.

They also include a file directory entitled ‘Password’, which includes 139
Word documents, Excel spreadsheets, zip files, and PDFs containing thousands
of passwords to Sony Pictures’ internal computers, social media accounts,
and web services accounts.

• DOJ Launches New Cybercrime Unit, Claims Privacy Top Priority – Slashdot

Leslie Caldwell, assistant attorney general in the criminal division of the Department of Justice, announced on Thursday the creation of a new Cybercrime Unit, tasked with enhancing public-private security efforts. A large part of the Cybersecurity Unit’s mission will be to quell the growing distrust many Americans have toward law enforcement’s high-tech investigative techniques. (Even if that lack of trust, as Caldwell claimed, is based largely on misinformation about the technical abilities of the law enforcement tools and the manners in which they are used.) “In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously,” Caldwell said. “Privacy concerns are not just tacked onto our investigations, they are baked in.”

Feedback:

• dyslexic pc readers

The post Sony Security Café | Tech Talk Today 102 first appeared on Jupiter Broadcasting.

Angela and Chris discuss with the mumble chat room all about passwords. Mostly things we don’t like about passwords, security questions, captchas, services and devices to store passwords.

Direct Download:

HD Download | Mobile Download | MP3 Download | YouTube

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Torrent Feed | iTunes Feeds

— Show Notes: —

Hi Angerz, and Chris

When Chris said he wanted some ideas about things that bug me on the internet during LAS preshow I was too lazy to open IRC and thought you guys would probably get it anyway, well surprise surprise you missed it, and I dont see how.

Its such a big issue you can probably do a whole show on it.

Its passwords! all aspects of passwords and not just passwords but logging’s too, I know we cant do without them but here is what bugs me:

1. People forget their passwords, before the good ol days of social networks, I setup a gallery for family photos so my family abroad could see them, the thing is they never logged in to use it and constantly forgot their passwords.
2. having to create a login for each site to download content or post comments is annoying
3. sites that have silly rules like username has to be between 8 and 13 characters long and contain the letter ‘n’, password is too long you password cant be longer than 5 characters, etc.
4. password management has become a nightmare, if you not using something to keep track of all your passwords how will you remember which sites you registered on and what username.password you used? and dont suggest have a common username and password you will get Alan(TechSnap) started on how thats a bad idea
5. Talking about techsnap the other thing is people using weak passwords and then get hacked
6. Security question, like this really ever helped anyone
7. image captures required when logging in, I can never read those stupid things
8. ‘Remeber me’, keeping people logged in is just silly once the browser window is closed they should have to log in again
9. browsers remembering passwords for you, why dont you just throw your security out the window

Chris, Im sorry I wasnt there for you buddy, but seriously how could you miss this one! I know I know you use last pass and its a non issue but having all your eggs (or nuts or balls, whatever you call them) in one basket is a bit risky especially since that basket belongs to someone else, if they trip and fall you might get hurt.

So Angerz, im sorry its a bit longwinded and if you already done a Faux on passwords I suppose its all in vain. Just thought I should give my 2 cent.

GX

• Mooltipass: Open Source Offline Password Keeper | Indiegogo

• Everykey Wants To Put Your Passwords On Your Wrist | TechCrunch

— December 7th Awards —

Tell us about your holiday traditions, feel free to share embarrassing family pictures, or show us the one thing you want this holiday season (consider including your Amazon wishlist!).

Send your pic and/or link, IRC nick and explanation to:

Email: angela@jupiterbroadcasting.com

• See more pics: https://instagram.com/jupiterbroadcasting#
• Sign up for Jupiter Signal: www.bit.ly/jupitersignal

Unfilter is on Patreon! https://www.patreon.com/unfilter

Tech Talk Today is on Patreon! https://www.patreon.com/jupitersignal

— Find the FauxShow! —

Facebook: https://www.facebook.com/thefauxshow
Twitter: https://www.twitter.com/angerz
G+: https://www.gplus.to/fauxshow
Subscribe to Jupiter Signal: https://www.bit.ly/jupitersignal
Jupiter Radio: https://jblive.info
Affiliates Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/jupiterbroadcasting/
Affiliates Chrome Extension: https://chrome.google.com/webstore/detail/bjekemhblnilimncanbehhjijdpjgimj
Donations: https://original.jupiterbroadcasting.net/donate
Shows & Shownotes: https://original.jupiterbroadcasting.net/show/fauxshow/

The post Your Password | FauxShow 199 first appeared on Jupiter Broadcasting.

A batch of Dropbox usernames and passwords hit the web, Court document reveal Apple’s $50 Million for product leak fine & Newsweek comes under fire.

Plus our thoughts on the return of PC market growth & much more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Change Your Password: Hackers Are Leaking Dropbox User Info

After first surfacing Reddit, several Pastebin files have been found to contain hundreds of Dropbox users’ usernames and passwords—and the anonymous poster claims that there are millions more to come.

• According to the Next Web, the leaked lists are meant to entice users to donate Bitcoin, at which point the purported hacker will release more users’ info. The message atop the list reads:
  

  Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts

  To see plenty more, just search on [redacted] for the term Dropbox hack.

  More to come, keep showing your support

• To put it another way: You need to change your password. Now. And then make sure that two-factor authentication is turned on.

Update 11:29pm:

• A spokesperson from Dropbox has provided us with the following statement:
  

  Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

• DROPBOX.COM HACKED First Teaser – Pastebin.com

• Two Factor Auth List

Court document reveals that Apple could fine sapphire glass manufacturer $50 Million for product leaks

GT Advanced Technologies filed for Chapter 11 bankruptcy protection last week and the court documents have revealed an interesting agreement with Apple. GT Advanced, who was contracted to make sapphire glass displays for Apple, stated that there was a clause in its contract that would see them fined upward of a $50 million (USD) penalty for any leaked products.

Man Pegged By Newsweek as Satoshi Nakamoto Plans Legal Action | NEWSBTC

Dorian Prentice Satoshi Nakamoto’s name became public — very public — in a highly sensationalized exposé entitled The Face Behind Bitcoin _written by journalist Leah McGrath Goodman, employed by _Newsweek.

Legal defense fund

Nakamoto, along with the Kirschner & Associates law firm, have started a website at NewsweekLied.com to ask for donations to help establish a defense fund in an ultimate lawsuit against Newsweek.

Yes. Bitcoin accepted.

You can read all the reasons that Dorian is angry here on the site’s background page, and it’s perfectly understandable where he’s coming from.

“Newsweek must be held accountable for its reckless reporting,” the site reads.

• Background — The Dorian Nakamoto Legal Defense Fund

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED

Today a group of privacy-focused developers plans to launch a Kickstarter campaign for Anonabox. The $45 open-source router automatically directs all data that connects to it by ethernet or Wifi through the Tor network, hiding the user’s IP address and skirting censorship. It’s also small enough to hide two in a pack of cigarettes.

Decline in PC Sales Starts to Slow; Largest Makers See Growth – NYTimes.com

IDC and Gartner on Wednesday released numbers on the worldwide demand for PCs that showed only a slight drop in demand, a distinct contrast to the trend of the last three years. This likely means, analysts said, that consumers may not be choosing tablets and smartphones over PCs to the same degree they had in the past. Soon, they said, the industry might see growth again.

It has come already for the biggest manufacturers. Companies like Lenovo, Hewlett- Packard and Dell all had good growth, particularly in a strong U.S. market.

In the United States, IDC said 17.3 million PCs were shipped, an increase of 4.3 percent from a year ago. Gartner put the number at 16.9 million, a rise of 4.2 percent. The top five companies were HP, Dell, Apple, Lenovo and Toshiba, both IDC and Gartner said.

• Stocks Benefiting From Increasing PC Sales Include Hewlett-Packard (NYSE: HPQ), Seagate Technology (NASDAQ: STX) – 24/7 Wall St.

The post Dropbox Those Passwords | Tech Talk Today 75 first appeared on Jupiter Broadcasting.

Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.

Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash

• The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
• Original post at Hold Security
• “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
• The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
• “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
• Because of the varied sources of the data, the passwords are likely a combination of plain text, simple hashes (md5, sha1, sha256), esoteric hashes like md5(salt.password.salt) or md5(salt.md5(password)) etc, and proper cryptographic hashes
• Original Coverage from 6 months ago
• Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
• Krebs has a Q&A on the subject, based on his past working with Alex Holden, or Holden Security
• There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
• Sophos and others still have questions about the data from CyberVor
• While still under construction, there is a individual version of the service that will allow you to find out if your electronic identity was found in possession of the CyberVor gang, which will be provided free for the first 30 days
• This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
• The issue with this is that if a compromised site used proper cryptographic hashes, the only way to compare the passwords without knowing your original password in plain text, is to brute force the hash and return it to the plain text. If Hold Security had your plain text password, they could compare it to the database much more quickly and accurately, but it would then lead them to being a bigger security threat than the exposure of the hashed passwords
• Additional Coverage: Forbes

PayPal 2 factor authentication contained simple bypass used for linking ebay account

• While investigating the usefulness of the PayPal 2 Factor Authentication system, a security researcher (Joshua Rogers) was astonished to find a simple by pass
• PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
• This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
• By using “cmd=_integrated-registration” in the request, PayPal skips asking for any two factor authentication, allowing an attacker that knows your username and password to access your account without requiring the second factor
• The exploit can be used without needing to have an affiliated eBay account
• The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
• After two months the issue has not been resolved, so the researcher released his findings
• It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researchers eligibility for the bug bounty reward

SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom

• New malware has serviced that has been targeting Synology NAS appliances exposed to the Internet
• Users will be greeted by a screen telling them that the files on their NAS have been encrypted, and directing them to use tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
• It was not immediately clear how the NAS devices were being compromised
• Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
• Users are encouraged to upgrade to the latest DSM 5.0 or:
• For DSM 4.3, please install DSM 4.3-3827 or later
• For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
• For DSM 4.0, please install DSM 4.0-2259 or later
• If you suspect you have been affected by this, Synology recommends following these steps:
  1. Shutdown the Synology NAS to prevent any more files being encrypted
  2. Contact the Synology support team at security@synology.com or fill out the support form
• Users whose files have already been encrypted may not be out of luck, yesterday a new service launched that can decrypt files locked by CryptoLocker similar malware that targetted Windows

Feedback:

• DNSsec and DANE

• LastPass Trick

• USB 3 faster then HDD 7200rpm

• cruelfate comments on “Kreb’s Law”

• ZM-VE300-B 2.5″ SATA USB 3.0 External HDD Enclosure

Round Up:

• PFChangs posts update about security breach
• Microsoft blocks older versions of Skype, leaving customers using older versions of OS X without a version they can install. Linux users also need to upgrade to 4.3.0 or higher in order to connect
• Mozilla accidently discloses email addresses of 76,000 members of the Mozilla Developers Network, as well as 4000 hashes passwords. The email and password columns were supposed to be sanitized from the database before it was disclosed, but for a period of approximately 30 days this was not happening correctly
• Dan Geer @ Blackhat – Cybersecurity as Realpolitik
  
• CIA infosec guru: US govt must buy all zero-days and set them free
• US State Department Passport database (largest known Oracle database in the world) suffers outage, “crashed shortly after maintenance was performed. We believe the root cause of the problem was a combination of software optimization and hardware compatibility issues.”
• David Litchfield @ Blackhat: Oracle Database Redaction service is trivial to bypass
• Catherine Pearce and Patrick Thomas @ Blackhat: Multipath TCP may leave security appliances blind to new types of attacks
• The FinFisher spyware used by governments, cannot intercept calls from the Metro version of Skype
• Docker does not provide security, stop assuming it does

The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.

A list of the most hackable cars has been released on the eve of a highly anticipated Black Hat presentation, Mozilla developers get hacked, getting started with Linux and why a little video games can be good for kids.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Least Secure Cars Revealed At Black Hat

Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car’s Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to Researchers Charlie Miller and Chris Valasek. Millar and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data.

The two security experts didn’t physically test the vehicles in question, but instead used information about the vehicles’ automated capabilities and internal network. “We can’t say for sure we can hack the Jeep and not the Audi,” Valasek told Dark Reading. “But… the radio can always talk to the brakes” because both are on the same network. According to the “Connected Car Cybersecurity” report from ABI Research, there have been “quite a few proof of concepts” demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle’s internal bus, known as controller area network (CAN).

• Researchers to name the most hackable cars at Black Hat – Computerworld

Thousands of Mozilla developers’ e-mail addresses, password hashes exposed | Ars Technica

About 76,000 e-mail addresses and 4,000 password hashes were left on a publicly accessible server for about 30 days beginning June 23, according to a blog post. There is no indication the data was accessed, but Mozilla officials investigating the disclosure can’t rule out the possibility.

The code Mozilla uses for their developer login site is open source and posted on GitHub. It looks like from the code they didn’t key stretch the hash. While the salt keeps things ‘safer’ (no rainbow tables, etc), against a GPU brute-forcing attempt, the fact these are straight hashes means they are a little weak against brute-forcing.

Introduction to Linux | edX

Beginning August 1st, The Linux Foundation, in conjunction with online education giant edX, is offering a free Introduction to Linux course.

This class, first announced in early March, is available for free. That’s not bad for a class that usually runs $2,400!

This massively open online course (MOOC) is being taught by Jerry Cooperstein. Cooperstein is a nuclear astrophysicist who’s been using Linux since 1994 and teaching it for almost that long.

According to Dice, the leading career site for technology and engineering professionals, nine out of ten IT hiring managers are looking for Linux pros.

This class looks at Linux from a very high level. You’ll be able to use Linux distributions from any of the three major Linux families, including Red Hat, with Fedora or CentOS; Debian, including Ubunt or Mint; and SUSE, including openSUSE.

This course will cover the various tools and techniques commonly used by Linux programmers, system administrators and end users to do day-to-day work in Linux.

• Linux Foundation’s free online intro to Linux class opens its doors | ZDNet

Could a Little Video Game Play Be Good for Kids?

Researchers found that kids who played video games for less than one hour a day were more likely to be happy, helpful and emotionally stable than kids who never grab a controller, according to findings published online Aug. 4 in the journal Pediatrics.

More than three hours daily of gaming had the opposite effect, however. Video game junkies were more likely to be moody, unhappy with their life and apt to act out in negative ways.

To examine both the positive and negative effects of gaming, researchers assessed the video game habits and emotional growth of nearly 5,000 British boys and girls aged 10 to 15.

The post BlackHat Carmageddon | Tech Talk Today 38 first appeared on Jupiter Broadcasting.

We break down the critical flaw in OpenSSL, and explain why the Heartbleed catastrophe impacts so many systems we use. the timeline of events, and more.

Plus your great questions, our answers, and much much more.

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Critical flaw in OpenSSL discloses usernames, passwords and possibly encryption keys

• Two separate groups of researchers discovered a disastrous flaw in OpenSSL, the cryptographic library that protects almost all information on the Internet.
• The flaw is in the rarely used OpenSSL feature ‘heartbeat’ which allows the client to send a block of data to the server and have it returned to the client, keeping the connection and session alive
• The flaw stems from a missing security check, where the software assumes that the ‘length’ of the data send by the client matches the length the client included in the header. When the actual length of the data sent by the client is less than that size, the software returns a larger chunk of memory that intended, disclosing the contents of segments of memory that were recently freed
• This flaw allows an attacker to send a malformed request and in response get up to a 64kb chunk of memory from the server that may contain sensitive information
• There are a number of proof-of-concept tools out there, and when used against an HTTPS server, they often return the HTTP headers of recent requests, which can include POST data (usernames, password, private emails) as well as cookies and other data that could be used for session hijacking
• There also exists the possibility that by brute forcing this exploit an attacker may get some or all of the private key used to decrypt data sent to the server over TLS. In the common case of sessions that lack the newer PFS (Perfect Forward Secrecy) feature, if an attacker managed to compromise the private key, they would be able to decrypt all traffic that was ever encrypted to that key
• It is possible that even PFS sessions may be compromised, if the flaw also leaks the temporary tokens used to make PFS sessions unique
• People I’ve talked to have managed to compromise data from their own servers using only very basic tools, including capturing the admin username and password for a router and hijacking a web forum session
• Because of the risk that the private key for the SSL certificate was compromised, the proper course of action after patching all of the servers and applications, is to re-key the certificate (generate a new private key, and get a fresh certificate signed), and then revoke the old certificate. It is unclear how well the root CAs will handle the load caused by this, or how the CRL and/or OCSP infrastructures will handle the mass revocation of keys
• Luckily, the root CA keys are not likely to have been compromised, as they will not have been on servers exposed to the Internet
• OpenSSL provides SSL/TLS for protocols such as HTTPS (encrypted HTTP, used for online banking, logging in to services including gmail and facebook), IMAP/SMTP and POP3 (encryption for email delivery. This affects all email, and especially the usernames and passwords used to access email), chat servers (IRC and XMPP), many types of VPN (SSL VPNs like OpenVPN) and much more
• The flaw was originally discovered by Neel Mehta of Google Security, and around the same time was independently discovered by Riku, Antti and Matti at Codenomicon. The fix was written by Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org
• OpenSSL versions 1.0.1 through 1.0.1f (including 1.01-beta) are vulnerable. 1.0.2-beta1 is also vulnerable. Versions 1.0.0 and 0.9.8 are not affected. All users of 1.0.1 are encouraged in the strongest terms to upgrade to OpenSSL 1.0.1g (or 1.0.2-beta2).
• Questions are being raised about the fumbling of the responsible disclosure. It seems some companies like CloudFlair and CacheFly were notified as much as a week before anyone else.
• Amazon appears to have not been given any advanced warning – A later post describes steps customers should take
• Also, the security officers of major open source projects including all of the BSDs, Debian/Ubuntu, Suse etc, received absolutely no advanced warning, just the initial security advisory.
• It appears that RedHat has approximately 2 days warning because one of the OpenSSL developers is also on their security team
• The researchers at Codenomicon notified the National Cyber Security Centre Finland (NCSC-FI) and tasked them with coordinating the disclosure to OpenSSL, operating system vendors (which should have included the various BSD and Linux projects), appliance and service vendors (Amazon, Cisco, CloudFlare etc)
• The issue appears to be that while the responsible disclosure was being organized, someone leaked the information and forced OpenSSL to issue the advisory. This was followed quickly by the publishing of the heartbleed.com website (by the researchers at Codenomicon) and the CloudFlare blog post.
• It is unclear why CloudFlare was notified, but Amazon and most open source operating systems were not
• CloudFlare Blog Post features a very long comment thread
• Long thread discussing the issue on the Open Source Software Security list
• Insight on the FreeBSD security process
• Timeline:
  • 2012-01-03 – OpenSSL 1.0.1-beta1 is available
  • 2012-03-14 – OpenSSL 1.0.1 is released, first GA version with heartbeat support
  • (sometime prior to 2014-04-05): Researchers at Codenomicon and Google discover the flaw. The flaw is reported to NCSC-FI (CERT) and OpenSSL
  • 2014-04-07 05:56 – Huzaifa Sidhpurwala (RedHat) add a bug to Red Hat bugzilla
  • 2014-04-07 06:10 – Huzaifa Sidhpurwala sends a mail to linux distros list with no details but an offer to request them privately
  • 2014-04-07 11:34 – Timestamp on RedHat OpenSSL 1.0.1g build
  • 2014-04-07 ??:?? – Information about the bug leaks, forces OpenSSL to issue advisory immediately
  • 2014-04-07 16:53 – Fix is committed to OpenSSL git
  • 2014-04-07 17:27 – OpenSSL releases advisory
  • 2014-04-07 18:00 – CloudFlare posts blog entry (claiming they were notified a week ago)
  • 2014-04-07 19:00 – Heartbleed.com is published
  • 2014-04-09 – The planned disclosure of the bug was to happen here
• Vulnerable:
  • Debian Wheezy (stable) (OpenSSL 1.0.1e-2+deb7u4)
  • Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11)
  • CentOS 6.5 (OpenSSL 1.0.1e-15)
  • Fedora 18 (OpenSSL 1.0.1e-4)
  • OpenBSD 5.3 and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
• Not Vulnerable:
  • Debian Squeeze (oldstable) (OpenSSL 0.9.8o-4squeeze14)
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD 9.2 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
• It is not clear how many appliances are vulnerable, but many consumer grade appliances are likely to be vulnerable and unlikely to receive a fix. If the only solution for these devices is to throw them in the trash and replace them, the issue remains that it would likely take 2-12 months for fresh embedded devices to make it to stores where users could buy new ones
• Analysis:
  • Reddit conspiracy theory – Suggest PHK was right. Did the NSA/GCHQ pay someone to insert this flaw in OpenSSL?
  • Bruce Schneier – Heartbleed is a catastrophic bug in OpenSSL
  • Theo de Raadt – OpenSSL has mitigation counter measures to break the operating systems ability to mitigate such attacks
  • Ted Unangst – Why this didn’t have to happen
  • Ted Unangst – Fixing the mitigation counter measures
  • Brian Krebs – heartbleed exposes web traffic
  • Brian Krebs – heartbleed, what can you do?
  • Elastica – Video explaing heartbleed
  • Sean Cassidy – Diagnosis of Heart Bleed
  • Matthew Green – Attack of the week: OpenSSL Heartbleed
    
  • Matthew Sullivan – Hijacking user sessions with the Heartbleed vulnerability
  • EFF – Possibile evidence that HeartBleed was used by Intelligence Agencies last year
  • [RETRACTED] Errata Security – Why heartbleed doesn’t leak private keys
  • The Hacker News OpenSSL Game
  • List of sites that were vulnerable
  • XKCD
• Canada Halts Online Tax-Filing Services
• The Heartbleed Hit List: The Passwords You Need to Change Right Now
• Additional Coverage – The Register
• Additional Coverage – Washington Post
• Additional Coverage – ThreatPost
• IDS Signature for detecting heartbleed
• What you should know about heartbleed
• Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
• FreeBSD Security Advisory

Feedback:

• Heartbleed is manna from heaven for spooks and criminals?

• Amazing FreeNAS Motherboard

• PKI at Home

• Applying for an internship at an IT security consulting company

Round Up:

• Comcast: Without Time Warner Cable, we can’t compete against Google, Netflix
• 18 year old security researcher claims to have ability to print airline boarding passes and get free flights around Europe – Will present at “Hack in the box” next month in Amsterdam
• The #1 New Paid App In The Play Store Costs $4, Has Over 10,000 Downloads, A 4.7-Star Rating… And It\’s A Total Scam
• Seagate releases first 6TB drives using perpendicular magnetic recording, no helium required. 25% faster than the WD 6TB Helium drive (which never specified what RPM it ran at). Available in 2, 4, 5 and 6 TB sizes, with SAS 12g/s or SATA 6g/s interfaces and featuring 128mb of cache with a max sustained data transfer rate of 216 MB/s (226 MB/s with SAS interface)
• Drop Condoleezza Rice or we will #dropdropbox
• 5 year old discovered XBox security flaw, access an account without the password by pressing the sparebar a few times… Microsoft sends a gift package including four free games, US$50 and a one-year Xbox Live subscription
• Hewlett-Packard Admits To International Bribery and Money Laundering Schemes
• Before anyone called it “the cloud”, game companies depended on GameSpy to do multiplayer matchmaking “in the cloud”. Since is now shutting down, leaving many older makes unplayable
• Zeus malware found with valid digital certificate
• Scenes from the 2014 Kaspersky Security Analyst Summit
• Microsoft announces Skype TX with studio-grade audio and video for broadcasters
• Schneier: Unbreaking encryption is likely not unbreakable
• MtGox CEO faces likely US arrest as legal woes mount over failed bitcoin exchange

The post SSL Heartbreak | TechSNAP 157 first appeared on Jupiter Broadcasting.

Target stores suffer a massive breach, we’ll round up everything you need to know. In light of recent events some of us have called for greater use of Encryption, but are we too late? Has the Internet already been broken? We’ll discuss.

Plus a batch of your questions, our answers, and much more!

Thanks to:

— Show Notes: —

Target PoS systems breached, more than 40 million credit and debit cards may have been compromised

• “Target confirmed the breach and in a statement said 40 million credit and debit cards were accessed starting the day before Thanksgiving and that hackers had access to the company’s systems until Dec. 15”
• “According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores”
• Because the breach was of the PoS system, the attackers have the full ‘track data’ from the magnetic stripe and could encode that data on blank cards (or gift cards) and use them to make fraudulent purchases
• If the attackers also managed to capture PIN numbers of debit cards, they could also program new cards in order to make cash withdrawals at ATMs
• It is not yet clear how the attackers compromised the Point-of-Sales systems
• Official Statement
• Additional Coverage
• Additional Coverage

PHK: We made this mess…

• Prolific software developer Poul-Henning Kamp (Varnish, FreeBSD, md5crypt) talks about how more encryption is not the answer, how the people who created and use the Internet need to fight politics with politics
• “And that \”we\” is people like you and me, people who connected computers, people who wrote software, people who ran ISPs, and people who told everybody and their grandmother how great the Internet was. … without thinking it fully through.“ “In particular without fully thinking through what people who are not like us might use the Internet for.”
• “Any attempt from now on to claw back the privacy which have been illegally removed from our lives, will be met by similar fierce resistance.”
• “Resistance from the military industrial complex, for whom \”Cyberwar\” and \”Total Situational Awareness\” is the new cash-cow.”
• “A lot of the \”we\”, are currently arguing that adding more encryption will solve the problem, but they are deceiving nobody but themselves: More encryption only means that more encryption will be broken, backdoored, trojaned or otherwise circumvented .”
• “If you think you can solve political problems with technical means, you\’re going to fail: Politicians have armies and police forces, you do not.”
• Also talks about how Jordan Hubbard (founder of the FreeBSD project) accidentically invented spam and warned that it needed to be controlled, as well as other examples of events the presaged the technical problems of the modern Internet

Krebs: RDP and weak passwords still a huge problem

• “Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers”
• Many servers have remote administration tools enabled, like SSH or in the case of Windows servers, RDP
• Just like the constant barrage of attacks against an SSH server, RDP is also subjected to constant brute force attack, however these servers are often less well defended
• Worse yet, there are still prolific numbers of servers with easily guessed username/password combinations remote1/Remote1 and sisadmin/sisadmin
• Krebs profiles a service advertised on cybercrime forums that sells credentials to these compromised servers
• “Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds”
• Looking at the owners of the IP addresses, Krebs even wrote a little seasonal jingle

Feedback:

• Cleaning your server
• NAS Enclosure : techsnap
  • Ask iXsystems about a FreeNAS Mini starting at only $795
• Roll Over Social Buttons

Round Up:

• Research shows how MacBook Webcams can spy on their users without warning
• Dell SecureWorks analysis of Cryptolocker suggests the authors made at least $300,000 and possibly over $1 million in random
• Stolen Passwords as Art in Germany
• Inside Microsoft’s Digital Crimes Unit
• The NSA may never know the full extent of the Snowden leaks
• As you might expect, the UK Internet Filter has many false positives and an even greater number of misses
• IEC develops new standardized laptop power adapter
• IETF to work on making a new version of TLS that is easier to implement, harder to implement incorrectly, and easier to use for additional applications
• Video – LISA13: Managing access using SSH keys (by the Inventor of SSH)
• GitHub takes down satirical C+ equality language repo

The post Cleaning up our Mess | TechSNAP 141 first appeared on Jupiter Broadcasting.

SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.

Plus a great batch of your questions, our answers!

Thanks to:

Show Notes:

D-Link finally released fix for some vulnerable routers, over a month late

• In TechSNAP 132 (October 17 2013) we told you about a flaw in D-Link routers that allowed an attacker to entirely bypass the authentication system
• Any user accessing a vulnerable device with the string “xmlset_roodkcableoj28840ybtide” (backwards: edit by 04882 joel backdoor) as their useragent is granted administrative privileges
• D-Link promised to issue fixed firmware by the end of October
• That updated firmware has finally be released, in December
• Newer firmware does not seem to be available for all of the devices

2 Million passwords stolen by Key logging malware

• Spider Labs managed to take over a Pony botnet controller
• The botnet of infected machines was harvesting passwords with a keylogger
• Total Haul:
• ~1,580,000 website login credentials stolen
• ~320,000 email account credentials stolen
• ~41,000 FTP account credentials stolen
• ~3,000 RDP credentials stolen
• ~3,000 SSH account credentials stolen
• Top Domains:
  • 325,000 Facebook
  • 70,000 Google
  • 60,000 Yahoo
  • 22,000 Twitter
  • 8,000 Linkedin
• While the statistics make it look like many of the compromised machines were from the Netherlands, it seems most of the traffic was from a few IP addresses that seem to have been acting as reverse proxies for the infected machines
• Strength of the observed passwords:
  • 6% Terrible
  • 28% Bad
  • 44% Medium
  • 17% Good
  • 5% Excellent
• Conclusion: Even have years of being told to pick good unique passwords, and after multiple breaches like MySpace, Gawker, LinkedIn, and Adobe etc, people still choose terrible passwords
• Additional Coverage

• GoDaddy ad: https://hostcabi.net/hosting_infographic Godaddy hosts one of the largest proportion of the 100,000 most popular websites on the Internet

Hackers courted by Governments for Cyber Warfare jobs

• Rolling Stone does profiles and Interviews at HackMiami, a meetup for hackers to show off their skills to corporate and government recruiters. There is also a ‘Cyber War Games’, where hackers simulate attacks against various targets and networks
• One recruiters pitch: “We built an environment that allows people to legally do the things that would put them in jail”
• “A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on. “
• Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
• In one profile, Rolling Stone looks at ‘Street’, an expert at social engineering. “Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”” — The digital equivalent to a clipboard
• “To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely. “

Feedback:

• Dedup in ZFS is a bad implementation

• Using SSD drives for storage?

  • Enterprise Drive Pricing:
  • Intel DC S3700 100, 200, 400 and 800GB: $2.50/GB
  • WD NL SAS: 1TB: $0.135/GB
  • WD NL SAS: 2TB: $0.115/GB
  • WD NL SAS: 3TB: $0.106/GB
  • WD NL SAS: 4TB: $0.092/GB
  • Seagate Barracuda SATA (Desktop): 3TB: $0.030/GB

• Forward Secrecy

• Web Site Hosting

• Google and DNS reflection attacks

• Worst leak in Icelands history

• Contact Server?

Round Up:

• Hack on JPMorgan website exposes data for 465,000 card holder
• Brazilian ISP appears to be suffering DNS poisioning or hijack causing users to received malware instead of Google Analytics
• USB 3.1 connector will be square, fit either way up
• Ways the NSA might break SSL/TLS
• Microsoft blogs about their renewed commitment to privacy and security, expanded encryption
• A paper describing DANE to augment or replace SSL CAs using DNSSEC
• Court: Open Source Project Liable For 3rd Party DRM-Busting Coding
• Why people are so bad at picking passwords
• US Nuclear launch code was 00000000
• Yet Another PoS Skimmer
• OCZ the SSD and computer peripheral manufacturer going out of business

The post SSD Powered NAS? | TechSNAP 139 first appeared on Jupiter Broadcasting.

Attackers use BGP to redirect and monitor Internet traffic, 42 Million dating site passwords leaked, and the data center that could be coming to a town near you.

Plus a great batch of your questions, our answers, and much much more!

On this week’s TechSNAP!

Thanks to:

Show Notes:

Attackers compromise core routers and redirect internet traffic

• Attackers have managed to compromise some routers running BGP (Border Gateway Protocol), and cause them to inject additional hops into some routes on the Internet, allowing them to execute man-in-the-middle (MitM) attacks and/or monitor some users’ traffic
• Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year
• “[The attacker is] getting one side of conversation only,” Cowie said. “If they were to hijack the addresses belonging to the webserver, you’re seeing users requests—all the pages they want. If they hijack the IP addresses belonging to the desktop, then they’re seeing all the content flowing back from webservers toward those desktops. Hopefully by this point everyone is using encryption.”
• In one attack the hop starting in Guadalajara, Mexico and ending in Washington, D.C., included hops through London, Moscow and Minsk before it’s handed off to Belarus, all because of a false route injected at Global Crossing, now owned by Level3
• “In a second example, a provider in Iceland began announcing routes for 597 IP networks owned by a large U.S. VoIP provider; normally the Icelandic provider Opin Kerfi announces only three IP networks, Renesys said. The company monitored 17 events routing traffic through Iceland”
• Renesys does not have any information on who was behind the route hijacking

Cupid Media Hack Exposed 42M Passwords

• The data stolen from Southport, Australia-based dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.
• Plain text passwords for more than 42 million accounts
• Andrew Bolton, the company’s managing director. Bolton said the information appears to be related to a breach that occurred in January 2013.
• When Krebs told Bolton that all of the Cupid Media users I’d reached confirmed their plain text passwords as listed in the purloined directory, he suggested I might have “illegally accessed” some of the company’s member accounts. He also noted that “a large portion of the records located in the affected table related to old, inactive or deleted accounts.”
• > “The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.
• The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address.
• Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.
• The Date of Birth field is a ‘datetime’ rather than just a ‘date’, and seems to include a random timestamp, maybe from when the user signed up
• Additional Coverage

Feedback:

• Need some help with a HP Server question

• Don\’t be Evil

  • DNS Made Easy

• ZFS on Linux for Production

• Legal mumbo jumbo at the bottom of emails.

Round Up:

• DoctorBeet\’s Blog: LG Smart TVs logging USB filenames and viewing info to LG servers
• Gartner says OpenStack lacks clarity and will be hard to sell
• Swansea police pay ransom to open files locked by hackers
• Allan Jude Interviewed about ScaleEngine on BSD Talk podcast
• Not all USB power is created equal
• Sears teams up with Ubiquity Critical Environments to convert disused Sears Auto Centers into hyper-local data centers

[asa]B00GHME0RE[/asa]

The post Scenic BGP Route | TechSNAP 137 first appeared on Jupiter Broadcasting.