patch – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Feed last built: Mon, 29 Mar 2021 00:53:49 +0000

Linux Action News 182
https://original.jupiterbroadcasting.net/144607/linux-action-news-182/
Sun, 28 Mar 2021 17:45:00 +0000


Show Notes: linuxactionnews.com/182

The post Linux Action News 182 first appeared on Jupiter Broadcasting.

Blinking Eye Patches | User Error 77
https://original.jupiterbroadcasting.net/136257/blinking-eye-patches-user-error-77/
Fri, 25 Oct 2019 00:15:23 +0000


Show Notes: error.show/77

The post Blinking Eye Patches | User Error 77 first appeared on Jupiter Broadcasting.

When IT Security Cries | TechSNAP 319
https://original.jupiterbroadcasting.net/114721/when-it-security-cries-techsnap-319/
Tue, 16 May 2017 21:37:30 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

  • Timeline of the attack
  • Don’t tell people to turn off Windows Update, just don’t
  • U.K. Hospitals Hit in Widespread Ransomware Attack
  • The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
  • Microsoft Issues WanaCrypt Patch for Windows 8, XP

Keylogger Found in Audio Driver of HP Laptops


Feedback


Round Up:


The post When IT Security Cries | TechSNAP 319 first appeared on Jupiter Broadcasting.

State Sponsored Audiophiles | TechSNAP 307
https://original.jupiterbroadcasting.net/107016/state-sponsored-audiophiles-techsnap-307/
Tue, 21 Feb 2017 21:41:43 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Trend Micro’s Own Cybersecurity Blog Gets Hacked

  • We covered the WordPress bug in TechSNAP 306
  • See also: Security Firm Trend Micro’s Blog Falls Victim To Content Spoofing Attack (https://www.silicon.co.uk/security/trendmicro-blog-security-205197)
  • and WordPress Quietly Fixes Zero-Day Flaw Tom
  • WordPress was alerted to the flaw on 20 January
  • WordPress officially released WordPress 4.7.2 to the world on Thursday 26 January.
    • “The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”
  • Dan confirms the above upgrade timeline; his WordPress sites were updated on 26 January, between 2:30 and 3:30 EST
  • Researcher’s Feb 1 blog post with details
  • WordPress’ Feb 1 10:59 AM blog post
  • NOTE: Virally growing attacks on unpatched WordPress sites affect ~2m pages
  • Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours
  • Google trend chart

Hackers who took control of PC microphones siphon >600 GB from 70 targets

  • Real information in the blog post
  • Suggestions: put such devices on their own VLAN, but I’m not sure how their connections work
  • Large-scale ~= 70 organisations
  • Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

Feedback


Round Up:


The post State Sponsored Audiophiles | TechSNAP 307 first appeared on Jupiter Broadcasting.

Unix Security Trifecta | TechSNAP 292
https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/
Thu, 10 Nov 2016 08:48:15 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in 3 of the most important and widely used server applications
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within a SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – Bind: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition to its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause a SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake procedure, the client and server exchange the supported encryption, MAC and compression algorithms along with other information to negotiate algorithms for initial key exchange, with a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now; make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and saves them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But, there are some shortcomings to that type of password manager
  • How do I synchronize this file on all my devices?
  • How do I access a password on my parents’ computer without installing my password manager?
  • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
  • There are some issues though.
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
    • Some sites obviously do not hash passwords correctly, and do not allow some characters
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these, where you specify “password profile”, to remember the different complexity settings to generate the valid password
  • To allow changing a password, there is also a counter that starts at 1; you increment it to get a different password.
  • Of course now, you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
  • So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy concerns, and security concerns here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as or different from your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that when you stick sudo in front of it it works), does raise some other concerns
  • This leaves a few problems:
    • You can never change your master password, as it will effectively change all of your passwords
    • It is still technically possible for someone to brute force your master password. Each attempt will require them to do the full PBKDF2 run, but 8192 rounds will take only a small fraction of a second, and it can be parallelized quite well. If someone does compromise your master password (via brute force, or with a keylogger, or whatever), they have access to all of your passwords. Worse, they even have access to your ‘new’ passwords: if you change your password, it just changes the ‘count’ parameter, so I could generate your next 10 Gmail passwords and keep them for later.
    • The key derivation seems weak: 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, change the default for new sites in the future, and increase the strength of the password for one site by changing the password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or Active Directory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self host, but, I don’t think I’ll be switching to it.
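An added sketch of the derivation the notes describe, written for this page (it is not LessPass’s own algorithm or code): a pure function of master password, login, site, profile and counter, with the PBKDF2 round count carried inside the per-site profile as suggested above. The names derive_password, PROFILES, CHARSETS and seconds_per_derivation, the salt layout, the alphabet mapping and the profile fields are all assumptions made for the example.

```python
import hashlib
import string
import time

# Character classes a site profile may allow (constructed for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@_",
}

# Hypothetical per-site profiles. Keeping `rounds` in the profile means a higher
# default for new sites, or a higher value for one site (with a counter bump),
# changes only that site's password rather than every password at once.
PROFILES = {
    "example.com": {"length": 16, "charsets": ["lower", "upper", "digits", "symbols"], "rounds": 8192},
    "bank.example": {"length": 6, "charsets": ["digits"], "rounds": 8192},  # PIN-only site
    "mail.example": {"length": 20, "charsets": ["lower", "upper", "digits"], "rounds": 200_000},
}


def derive_password(master, login, site, profile, counter=1):
    """Pure function of its inputs: nothing is stored, and the same inputs always
    yield the same password (so the master password can never be rotated)."""
    # The site, login and counter form the salt; the master password is the secret.
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, profile["rounds"], dklen=32)
    alphabet = "".join(CHARSETS[name] for name in profile["charsets"])
    # Treat the 256-bit key as one integer and peel off one alphabet index per
    # character. The bias from 2**256 not being a multiple of len(alphabet)**length
    # is negligible for the profile sizes used here.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(profile["length"]):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def seconds_per_derivation(rounds, samples=3):
    """Wall-clock cost of one derivation at a given round count. This is what a
    user pays per login and what every guess at the master password costs, so
    raising it is the only lever this design has against offline guessing."""
    profile = {"length": 16, "charsets": ["lower"], "rounds": rounds}
    start = time.perf_counter()
    for _ in range(samples):
        derive_password("timing-only", "x", "timing.example", profile)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    first = derive_password(master, "alice", "example.com", PROFILES["example.com"])
    second = derive_password(master, "alice", "example.com", PROFILES["example.com"], counter=2)
    print("counter 1:", first)
    print("counter 2:", second, "(differs:", first != second, ")")
    print("PIN site: ", derive_password(master, "alice", "bank.example", PROFILES["bank.example"]))
    for rounds in (8192, 200_000):
        print(f"{rounds:>7} rounds: {seconds_per_derivation(rounds):.4f}s per derivation")
```

Running it shows the three properties the notes turn on: the output is reproducible with no stored state, bumping the counter yields an unrelated password for the same site, and the cost of a derivation scales linearly with the round count. Note that this mapping does not guarantee every allowed character class appears in the result; a real profile would need to enforce that for sites which require it.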

A very valuable vulnerability

  • It all started with a facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:
    • Pay for something using bitcoin.
    • Wait until the price of bitcoin drops.
    • Send more bitcoins to the address used for the initial payment.
    • Ask for a refund of the excess bitcoin.
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, that was only found because someone accidentally did the wrong thing
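The exchange-rate handling described above, as an added example that is not part of the post or of Stripe’s code: a toy “bitcoin receiver” with two crediting policies, one that keeps the quoted rate attached to the address forever (the misbehaviour Colin describes) and one that honours the quoted rate only inside the window and only up to the amount requested. The rate history, the 10-minute window constant and all function names are constructed for the example; refunds are computed in USD value, as the post says Stripe does.

```python
from dataclasses import dataclass, field
from decimal import Decimal

RATE_WINDOW_MINUTES = 10  # the guaranteed-rate window described in the post

# Constructed USD-per-BTC history keyed by minutes since the receiver was created:
# flat while the legitimate payment arrives, lower a month (43200 minutes) later.
RATE_HISTORY = {0: Decimal("650"), 43200: Decimal("500")}


def market_rate(minute):
    """Most recent constructed rate at or before `minute`."""
    return RATE_HISTORY[max(m for m in RATE_HISTORY if m <= minute)]


@dataclass
class Payment:
    btc: Decimal
    rate: Decimal  # USD/BTC applied when these coins were credited

    @property
    def usd(self):
        return self.btc * self.rate


@dataclass
class Receiver:
    usd_due: Decimal
    created: int          # minute the receiver was created
    locked_rate: Decimal  # rate quoted to the customer at creation
    payments: list = field(default_factory=list)

    @property
    def btc_due(self):
        return self.usd_due / self.locked_rate

    @property
    def btc_received(self):
        return sum((p.btc for p in self.payments), Decimal(0))


def new_receiver(usd_due, minute):
    return Receiver(Decimal(usd_due), minute, market_rate(minute))


def credit_vulnerable(rcv, btc, minute):
    """The misbehaviour described above: the quoted rate stays attached to the
    address and is applied to every later payment. Returns USD credited."""
    p = Payment(Decimal(btc), rcv.locked_rate)
    rcv.payments.append(p)
    return p.usd


def credit_fixed(rcv, btc, minute):
    """Quoted rate only inside the window and only up to the amount requested;
    any other coins are converted at the market rate of the minute they arrive."""
    btc = Decimal(btc)
    credited = Decimal(0)
    if minute - rcv.created <= RATE_WINDOW_MINUTES and rcv.btc_received < rcv.btc_due:
        locked_part = min(btc, rcv.btc_due - rcv.btc_received)
        rcv.payments.append(Payment(locked_part, rcv.locked_rate))
        credited += rcv.payments[-1].usd
        btc -= locked_part
    if btc > 0:
        rcv.payments.append(Payment(btc, market_rate(minute)))
        credited += rcv.payments[-1].usd
    return credited


def refund_btc(usd_value, minute):
    """Refunds return the same USD value, not the same number of coins."""
    return usd_value / market_rate(minute)


def overpay_then_refund(credit):
    """The four steps from the post, run against one crediting policy. Returns the
    number of BTC refunded for 10 BTC sent to the old address after the price fell."""
    rcv = new_receiver("650", 0)
    credit(rcv, "1", 5)                  # step 1: pays $650 worth inside the window at 650
    late_usd = credit(rcv, "10", 43200)  # step 3: 10 more BTC a month later, market now 500
    return refund_btc(late_usd, 43200)   # step 4: merchant refunds the excess in USD value


if __name__ == "__main__":
    print("vulnerable policy refunds", overpay_then_refund(credit_vulnerable), "BTC for 10 BTC sent")
    print("fixed policy refunds     ", overpay_then_refund(credit_fixed), "BTC for 10 BTC sent")
```

With the vulnerable policy the late 10 BTC are credited as $6,500 and refunded at the current rate as 13 BTC, which is the 30% multiplication the post describes; with the fixed policy they are credited as $5,000 and refunded as the same 10 BTC. The check worth carrying into any rate-locking code is the one in credit_fixed: a quote is bounded both in time and in the amount it covers.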

Feedback:


Round Up:


The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Librem 15 is FAN-tastic! | LINUX Unplugged 132
https://original.jupiterbroadcasting.net/93886/librem-15-is-fan-tastic-lup-132/
Tue, 16 Feb 2016 18:56:42 +0000


We discuss the official release of Vulkan, look at who has shipping code & why this is much bigger than you might realize.

Plus Chris shares his first hands-on impressions of Purism’s Librem 15 laptop, some big Ubuntu Mobile noise, the Linux security bug you need to patch for right away & more!

Thanks to:

Ting


DigitalOcean


Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Pre-Show

Follow Up / Catch Up

Ubuntu Phone To Gain Biometric Security Features

Ubuntu Phones running secure biometric identity tools will be demoed at next week’s Mobile World Congress.

Canonical has partnered with ConsenSYS and BlockApps to provide “web wallet and biometric identity tools on Ubuntu devices” using Ethereum, the decentralized public blockchain protocol.

Maru is open source! – Maru Blog

I’ve gotta say, the open source community never ceases to amaze me. I’ve had emails from people asking if they can help test Maru on other devices on a Sunday. How many normal people do you know that willingly want to give up their Sundays to help test software?

TING

Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
FFmpeg 3.0 Released, Supports VP9 VA-API Acceleration

There are many changes to FFmpeg 3.0 and among them are:

  • Extensive native AAC encoder improvements
  • VA-API VP9 hardware acceleration.
  • Zero-copy Intel QSV transcoding.
  • Cineform HD decoder

DigitalOcean

Vulkan 1.0 Released: What You Need To Know About This Cross-Platform, High-Performance Graphics API

Open-source Vulkan drivers for Intel hardware

The Intel Open Source Technology 3D Graphics Team is excited to announce the availability of our Vulkan driver for fifth and sixth generation Intel(r) Core(tm) processors (Broadwell and Skylake). The driver passes the Vulkan 1.0 Conformance Test Suite on these platforms and has experimental support for older platforms.

AMD state they will support Vulkan on Linux in an upcoming amdgpu driver, not ready yet

AMD has been participating in Vulkan’s development since its inception and providing builds of our Vulkan-enabled driver to game developers for many months. As we transition into the public phase, our initial driver release enables Vulkan support for select Radeon(tm) GPUs on Windows(r) 7, Windows(r) 8.1, and Windows(r) 10. An upcoming release of the amdgpu Linux driver will also feature Vulkan support.

Today is an exciting day for PC gaming enthusiasts: the Khronos Group has announced immediate public release of the open standard Vulkan(tm) 1.0 graphics API! To mark the occasion, we’ve posted a Radeon Software beta for Vulkan. This graphics driver is primarily intended to enable a wider audience of game developers to work with Vulkan on Radeon(tm) graphics.

Vulkan Driver Support | NVIDIA Developer

Windows driver version 356.39 and Linux driver version 355.00.26 provide beta support for Vulkan.

Vulkan demo running on ARM Mali GPU

Demo to show ARM’s implementation of Vulkan, the new graphics API from Khronos, running on a Mali GPU. You can read how we did it here

Here Are Your Vulkan Download Links

Vulkan Choice Graphic

Qt Company Joins Khronos, Working On Vulkan Support In Qt

The Qt Company confirmed in this blog post that they are already working on implementing Qt support for Vulkan.

Ok, first, in GPU-bound scenarios (ultra settings, resolution higher than full HD), you’ll see lower performance, 20 to 30% lower. This is work in progress, and we (both Croteam and IHVs) are analyzing and optimizing the performance. We’ll get to the bottom of this!

Vulkan Webinar – Khronos Group Events, Seminars and Presentations

Date: Feb 18, 2016, 9:00am (PT)
Location: Online Webinar

What’s Vulkan all about? Learn more about this upcoming new graphics and compute API directly from Khronos, the people who have been creating it. In this 1-hour session, we will talk about the API, and also go into details about the Vulkan SDK from LunarG, and much more. We’ll of course end with a Q&A session, and a recording of the session will be available here.

Linux Academy

Librem 15 – IS HERE!

Librem Laptop – Earliest Bird

Librem 15: A Laptop That Respects Your Rights
  • Memory: 8GB +$100
  • Storage: 500GB SSD +$275
  • Drive Bay: CD/DVD ROM
  • Screen: Full HD (1920×1080)
  • Keyboard: English (US)
  • AC Adapter Power Plug: US

Qty 1 $1,824.00 ea.

  • Shipped 286 days late! Originally expected to ship in April 2015

No Ethernet in Librem 15?

Purism Librem 15 rev1 vs rev2

Support Jupiter Broadcasting on Patreon

The post Librem 15 is FAN-tastic! | LINUX Unplugged 132 first appeared on Jupiter Broadcasting.

Ripping me a new Protocol | TechSNAP 221
https://original.jupiterbroadcasting.net/84667/ripping-me-a-new-protocol-techsnap-221/
Thu, 02 Jul 2015 19:05:26 +0000


Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Amazon releases s2n, a new TLS implementation

  • s2n (signal2noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
  • It has been fully audited, and will be re-audited once per year, paid for by Amazon
  • It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
  • The API appears to be very easy to use, and prevent many common errors
  • The client side of the library is not ready for use yet
  • Features:
    • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
    • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
    • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
    • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
    • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
  • One of the main features is that, instead of having to specify which set of crypto algorithms you want to prefer, and in what order, as we have discussed doing before for OpenSSL (in apache/nginx, etc.), you can either use ‘default’, which will change with the times, or a specific snapshot date, which corresponds to what was best practice at that time
  • Github Page
  • Additional Coverage – ThreatPost
  • It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.

How the NSA’s XKEYSCORE works

  • “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
  • “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
  • “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
  • “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
  • You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
  • “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
  • The security of the system is also not as good as you might imagine:
  • “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
  • “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
  • “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
  • The system is not well designed, and could likely have been built better with existing open source tools, or with commercial software designed to classify web traffic.
  • “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
  • Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days) the actual traffic is deleted to make room for newer traffic, but the metadata (those tags) is kept for 30-45 days.
  • “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
  • “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
  • “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
  • “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
  • All of this information is based on the Snowden leaks, and is from many years ago.
  • “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
  • Part 2 of Article

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

  • RIPv1 is a routing protocol released in 1988 that was deprecated in 1996
  • It uses UDP, so an attacker can send a request to a home router with RIP enabled from a spoofed source IP address, and that router will send its response to the victim instead, flooding their internet connection.
  • “Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sources, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.
  • “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
  • Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.

Home Routers used to host Malware

  • Home routers were found to be hosting the Dyre malware
  • Symantec Research Paper of Dyre
  • Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher-end routers geared towards “power users” and small businesses
  • “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
  • “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”

The post Ripping me a new Protocol | TechSNAP 221 first appeared on Jupiter Broadcasting.

Spy vs MSpy | TechSNAP 216 https://original.jupiterbroadcasting.net/82967/spy-vs-mspy-techsnap-216/ Thu, 28 May 2015 08:36:33 +0000 https://original.jupiterbroadcasting.net/?p=82967


Spyware creator mSpy hacked, find out why this breach is particularly egregious, what’s wrong with pcap & why RSA’s death has been greatly exaggerated.

Plus a great batch of questions, a rocking round up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

What is wrong with pcap filters

  • pcap filters are the language used to filter packet captures; they are used by tcpdump, Wireshark and the like
  • This post is an attempt to look at some classes of problems that the pcap filtering language fails on, why those deficiencies exist, and why I continue using it even despite the flaws.
  • It also includes a link to a video about the history of pcap
  • Just to be clear, libpcap is an amazing piece of software. It was originally written for one purpose, and it really is my fault that I end up too often using it for a different one.
  • pcap is a usermode implementation of BPF, allowing
  • BPF (Berkeley Packet Filter) is a UNIX interface that allows an application to read and write raw packets
  • In addition to providing the interface to get raw packets into an application (like tcpdump) so you can read them, it also has the ability to filter the packets, so you only have to read the ones you care about
  • This is especially important when there are gigabits per second of traffic flowing back and forth
  • BPF Internals – Part 1
  • Why We Need eBPF
  • Towards Faster Trace Filters using eBPF and JIT

Mobile Spyware Maker mSpy Hacked, Customer Data Leaked

  • mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked.
  • Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”
  • KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor.
  • The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software.
  • The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.
  • There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 and $799 for a variety of subscriptions to mSpy’s surveillance software.
  • U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested a 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.
  • mSpy Denies Breach, Even as Customers Confirm I
  • Child spy firm hit by blackmailers – BBC News

About the supposed factoring of a 4096 bit RSA key

  • Last week a blog was posted claiming to have published the factoring of a 4096-bit RSA key
  • “The key in question was the PGP key of a well-known Linux kernel developer.”
  • The author of the rebuttal post thinks that the researchers are mistaken
  • He thinks this because he once thought that he had factored the same key, but then found out otherwise.
  • A little background:
    • “RSA public keys consist of two values called N and e. The N value, called the modulus, is the interesting one here. It is the product of two very large prime numbers. The security of RSA relies on the fact that these two numbers are secret. If an attacker would be able to gain knowledge of these numbers he could use them to calculate the private key. That’s the reason why RSA depends on the hardness of the factoring problem. If someone can factor N he can break RSA. For all we know today factoring is hard enough to make RSA secure (at least as long as there are no large quantum computers).”
    • “Now imagine you have two RSA keys, but they have been generated with bad random numbers. They are different, but one of their primes is the same. That means we have N1=pq1 and N2=pq2. In this case RSA is no longer secure, because calculating the greatest common divisor (GCD) of two large numbers can be done very fast with the Euclidean algorithm, therefore one can calculate the shared prime value.”
  • “PGP keyservers have been around for quite some time and they have a property that makes them especially interesting for this kind of research: They usually never delete anything. You can add a key to a keyserver, but you cannot remove it, you can only mark it as invalid by revoking it. Therefore using the data from the keyservers gives you a large set of cryptographic keys.”
  • He noticed that some keys appeared to contain subkeys that are near identical copies of a valid subkey, but with tiny errors
  • “I don’t know how they appear on the key servers, I assume they are produced by network errors, harddisk failures or software bugs. It may also be that someone just created them in some experiment.”
  • “The important thing is: Everyone can generate a subkey to any PGP key and upload it to a key server. That’s just the way the key servers work. They don’t check keys in any way. However these keys should pose no threat to anyone. The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key.”
  • “However you won’t be able to easily import such a key into your local GnuPG installation. If you try to fetch this faulty sub key from a key server GnuPG will just refuse to import it. The reason is that every sub key has a signature that proves that it belongs to a certain master key. For those faulty keys this signature is obviously wrong.”
  • “Now here’s my personal tie in to this story: Last year I started a project to analyze the data on the PGP key servers. And at some point I thought I had found a large number of vulnerable PGP keys – including the key in question here. In a rush I wrote a mail to all people affected. Only later I found out that something was not right and I wrote to all affected people again apologizing. Most of the keys I thought I had found were just faulty keys on the key servers.”
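To make the shared-prime argument above concrete, here is an added Python example (not code from the rebuttal post or from any keyserver analysis): two keys whose moduli N1 = p·q1 and N2 = p·q2 share one prime are factored with a single gcd, and both private exponents are then recomputed, while two independently generated keys give gcd 1. Primes are produced with a Miller-Rabin test at a small 128-bit size purely so the demo runs quickly; real keys are far larger but the gcd step is just as cheap.

```python
"""Shared-prime RSA break: N1 = p*q1 and N2 = p*q2 leak p via gcd(N1, N2).

Constructed example, not code from the post. Key sizes are deliberately tiny.
"""
from math import gcd
import random

E = 65537  # common RSA public exponent


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test (probabilistic; adequate for a demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime of exactly `bits` bits with gcd(p-1, E) == 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng) and gcd(cand - 1, E) == 1:
            return cand


def rsa_keypair(p, q):
    """Standard textbook RSA: returns (N, e, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, E, d


def shared_prime_attack(n1, n2):
    """Return the prime shared by two moduli, or None when they are independent.

    gcd == 1 means no shared factor; gcd == N means the same modulus twice
    (not a factorisation), so both cases report None.
    """
    g = gcd(n1, n2)
    if g == 1 or g == n1 or g == n2:
        return None
    return g


def recover_private_key(n, e, p):
    """Given one factor p of N, recompute q and the private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide N")
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=2015, bits=128):
    """Two keys from a 'bad RNG' that reuses p, plus one independent key."""
    rng = random.Random(seed)
    p = random_prime(bits, rng)
    n1, e, d1 = rsa_keypair(p, random_prime(bits, rng))  # N1 = p*q1
    n2, _, d2 = rsa_keypair(p, random_prime(bits, rng))  # N2 = p*q2
    n3, _, _ = rsa_keypair(random_prime(bits, rng), random_prime(bits, rng))

    shared = shared_prime_attack(n1, n2)     # leaks p instantly
    independent = shared_prime_attack(n1, n3)  # gcd 1: nothing learned
    d1_rec = recover_private_key(n1, e, shared)
    d2_rec = recover_private_key(n2, e, shared)

    m = 0x48656C6C6F  # constructed plaintext ("Hello" as an integer)
    c = pow(m, e, n1)
    return {
        "shared_prime_found": shared == p,
        "independent_keys_safe": independent is None,
        "d1_recovered": d1_rec == d1,
        "d2_recovered": d2_rec == d2,
        "recovered_key_decrypts": pow(c, d1_rec, n1) == m,
    }


if __name__ == "__main__":
    print(demo())
```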

Dude Where’s My Card? | TechSNAP 198 https://original.jupiterbroadcasting.net/76052/dude-wheres-my-card-techsnap-198/ Thu, 22 Jan 2015 21:16:58 +0000 https://original.jupiterbroadcasting.net/?p=76052


Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!


— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

  • The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ Blackhole)
  • The exploit kit currently uses three different Flash exploits:
    • CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
    • CVE-2015-0310 – which was patched today
    • and a 3rd new exploit, which is still being investigated
  • Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
  • However, a 0-day where the exploit kit authors are the first to receive the details means that, even at this point, researchers and Adobe are not yet sure which flaw is being exploited
  • Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
  • Additional Coverage – Krebs On Security
  • Additional Coverage – PCWorld
  • Additional Coverage – Malware Bytes
  • Additional Coverage – ZDNet

How was your credit card stolen

  • Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
  • Different ways to get your card stolen, and your chance of proving it:
    • Hacked main street merchant, restaurant (low, depends on card use)
    • Processor breach (nil)
    • Hacked point-of-sale service company/vendor (low)
    • Hacked E-commerce Merchant (nil to low)
    • ATM or Gas Pump Skimmer (high)
    • Crooked employee (nil to low)
    • Lost/Stolen card (high)
    • Malware on Consumer PC (very low)
    • Physical record theft (nil to low)
  • “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
  • Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
  • With the coming change to Chip-and-PIN in the US, the liability for some types of fraud will shift from the banks to the retailers, which might bring some changes to the way things are done
  • Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards, may have some standing to go after the other vendor that was the source of the leak
  • Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

  • Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
  • In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
  • Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
  • The report also found that 8% of files uploaded to cloud storage providers like Google Drive, Dropbox, Box.com etc. were in violation of the enterprises’ own Data Loss Prevention (DLP) policies.
  • The sharing numbers were worse: 25% of all company files in cloud providers were shared with 1 or more people from outside the company, and 12% of outsiders had access to more than 100 files.
  • Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
  • When the cloud apps are used that lack enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
  • Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
  • If an employee just makes a Dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidentally shares all files instead of only specific project files, then fails to remove that person later on, data can leak.
  • When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
  • Infographic
  • Report

Building a Better Gnome | LINUX Unplugged 76 https://original.jupiterbroadcasting.net/75862/building-a-better-gnome-lup-76/ Tue, 20 Jan 2015 19:13:31 +0000 https://original.jupiterbroadcasting.net/?p=75862


Christian Hergert the creator of Gnome Builder joins us to discuss his projects funding campaign, quitting his full time job to work on open source & answering a major concern of developers looking to target Linux.

Ubuntu announces their Internet of Things OS, we’re a bit skeptical. Plus Linus takes a firm stance on public disclosure of vulnerabilities & Kernel documentation.


Show Notes:

Pre-Show:

FU:

In some quick-take graphics and gaming tests, we’re seeing something like a 20 percent boost over the previous generation, which is a major upgrade for most users.


Mark Shuttleworth » Smart things powered by snappy Ubuntu Core on ARM and x86

Transactional updates. App store. A huge range of hardware. Branding for device manufacturers.

In this release of Ubuntu Core we’ve added a hardware abstraction layer where platform-specific kernels live. We’re working commercially with the major silicon providers to guarantee free updates to every device built on their chips and boards. We’ve added a web device manager (“webdm”) that handles first-boot and app store access through the web consistently on every device. And we’ve preserved perfect compatibility with the snappy images of Ubuntu Core available on every major cloud today. So you can start your kickstarter project with a VM on your favourite cloud and pick your processor when you’re ready to finalise the device.

Robots embrace Ubuntu as it invades the internet of things

“Snappy” Ubuntu Core came out of Canonical’s mobile efforts (which are yet to go anywhere) and was made available on Amazon Web Services, Microsoft Azure and the Google Cloud Platform at the end of 2014. Now it’s available for smart devices, and Canonical has already got players such as the Open Source Robotics Foundation (OSRF), drone outfit Erle Robotics and connected hub maker NinjaBlocks on board.

Security problems need to be made public: Linus Torvalds

In the Q&A session at Linux.conf.au, Torvalds also said he is pleased that the Linux kernel played a part in making free software more approachable and open.

“I actually think one of the things that Linux has been really good at … and this is going to raise a few hackles. I like open source, and I like this whole working together with commercial companies, and this whole notion that you don’t need to vilify people who also do closed source,” he said.

“So, for me personally, one of the big things I’m happy about is that I was part of the group, who tried to take — and now, this is when Tridge will stand up and give the other answer — who tried to take this very us against the world approach of free software and made it more open, not just in name, but also acceptable to people who don’t necessarily believe in our values, but believe that our model is better and that’s, to me, something that Linux was really instrumental in.

“At the same time, I’m really happy about Git too, because I think Git has spread more than the kernel in some respects, and maybe I’ll be remembered more for Git than Linux. We’ll see.”

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Patch and Notify | TechSNAP 197 https://original.jupiterbroadcasting.net/75657/patch-and-notify-techsnap-197/ Thu, 15 Jan 2015 22:21:43 +0000 https://original.jupiterbroadcasting.net/?p=75657


Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!


— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
  • “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with the LizzardSquad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
  • This is the result of too many vendors taking far too long to resolve bugs after they are notified
  • Researchers have found that they need to straddle the line between responsible disclosure and full disclosure, as it is irresponsible not to notify the public when it doesn’t appear as if the vendor is taking the vulnerability seriously.
  • Microsoft also patched a critical telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe Flash update to address multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles Flash
  • In fact, if you use Chrome and Firefox on Windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: is precise, simple, consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on Facebook or Twitter
  • Some examples:
    • What is the name of the first beach you visited?
    • What is the last name of the teacher who gave you your first failing grade?
    • What is the first name of the person you first kissed?
    • What was the name of your first stuffed animal or doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
  • Sample question scoring

Base ISO 100 | BSD Now 44 https://original.jupiterbroadcasting.net/61457/base-iso-100-bsd-now-44/ Thu, 03 Jul 2014 11:46:54 +0000 https://original.jupiterbroadcasting.net/?p=61457


This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait!

This week’s news and answers to all your emails, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

pfSense 2.1.4 released

  • The pfSense team has released 2.1.4, shortly after 2.1.3 – it’s mainly a security release
  • Included within are eight security fixes, most of which are pfSense-specific
  • OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
  • It also includes a large number of various other bug fixes
  • Update all your routers!

DragonflyBSD’s pf gets SMP

  • While we’re on the topic of pf…
  • DragonFly patches its pf (an even older version than FreeBSD’s) to support multithreading in many areas
  • Stemming from a user’s complaint, Matthew Dillon did his own work on pf to make it SMP-aware
  • Altering your configuration’s ruleset can also help speed things up, he found
  • When will OpenBSD, the source of pf, finally do the same?

ChaCha usage and deployment

  • A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
  • This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
  • OpenSSH offers it as a stream cipher now, OpenBSD uses it for its random number generator, Google offers it in TLS for Chromium and some of their services, and lots of other projects seem to be adopting it
  • Both Google’s fork of OpenSSL and LibreSSL have upcoming implementations, while vanilla OpenSSL does not
  • Unfortunately, this article has one mistake: FreeBSD does not use it – they still use the broken RC4 algorithm

BSDMag June 2014 issue

  • The monthly online BSD magazine releases their newest issue
  • This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, “saving time and headaches using the robot framework for testing,” an interview and an article about the increasing number of security vulnerabilities
  • The free pdf file is available for download as always

Interview – Craig Rodrigues – rodrigc@freebsd.org

FreeBSD’s continuous testing infrastructure


Tutorial

Creating pre-patched OpenBSD ISOs


News Roundup

Preauthenticated decryption considered harmful

  • Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
  • In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end – this had the advantage of not requiring any extra disk space, but raised some security concerns
  • With signify, now everything is fully downloaded and verified before tar is even invoked
  • The pkg_add utility works a little bit differently, but it’s also been improved in this area – details in the post
  • Be sure to also read the original post from Adam, lots of good information

FreeBSD 9.3-RC2 is out

  • As the -RELEASE inches closer, release candidate 2 is out and ready for testing
  • Since the last one, it’s got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
  • The updated bsdconfig will use pkgng style packages now too
  • A lesser known fact: there are also premade virtual machine images you can use too

pkgsrcCon 2014 wrap-up

  • In what may be the first real pkgsrcCon article we’ve ever had!
  • Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
  • Unfortunately no recordings to be found…

PostgreSQL FreeBSD performance and scalability

  • FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
  • On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
  • Lots of technical details if you’re interested in getting the best performance out of your hardware
  • It also includes specific kernel options he used and the rest of the configuration
  • If you don’t want to open the pdf file, you can use this link too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • There, you’ll also find a link to Bob Beck’s LibReSSL talk from the end of May – we finally found a recording!
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Next week Allan will be at BSDCam, so we’ll have a prerecorded episode then

Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.


We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode of TechSNAP.

Thanks to: GoDaddy, Ting and iXsystems


— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 and 4 and cannot detect an attempted exploit
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application, attempting to detect exploit or SQL injection attempts. These are limited by their definitions of what an attack looks like, and are also often limited to protecting specific applications, since protecting an application generally means knowing exactly what legitimate traffic will look like
  • Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email; merely looking at the message in Outlook’s preview pane will trigger the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich Text Format) file; Outlook renders RTF files with MS Word by default
  • The Fix-It solution disables automatically opening emails with RTF content with MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
  • Additional Coverage – ThreatPost

Feedback:


Round Up:


SSD Powered NAS? | TechSNAP 139 https://original.jupiterbroadcasting.net/47547/ssd-powered-nas-techsnap-139/ Thu, 05 Dec 2013 17:39:04 +0000 https://original.jupiterbroadcasting.net/?p=47547 SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.


SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.

Plus a great batch of your questions, our answers!

Thanks to: GoDaddy and Ting


Show Notes:

D-Link finally released fix for some vulnerable routers, over a month late

  • In TechSNAP 132 (October 17 2013) we told you about a flaw in D-Link routers that allowed an attacker to entirely bypass the authentication system
  • Any user accessing a vulnerable device with the string “xmlset_roodkcableoj28840ybtide” (backwards: edit by 04882 joel backdoor) as their User-Agent is granted administrative privileges
  • D-Link promised to issue fixed firmware by the end of October
  • That updated firmware has finally been released, in December
  • Newer firmware does not seem to be available for all of the devices

2 Million passwords stolen by Key logging malware

  • Spider Labs managed to take over a Pony botnet controller
  • The botnet of infected machines was harvesting passwords with a keylogger
  • Total haul:
    • ~1,580,000 website login credentials stolen
    • ~320,000 email account credentials stolen
    • ~41,000 FTP account credentials stolen
    • ~3,000 RDP credentials stolen
    • ~3,000 SSH account credentials stolen
  • Top Domains:
    • 325,000 Facebook
    • 70,000 Google
    • 60,000 Yahoo
    • 22,000 Twitter
    • 8,000 Linkedin
  • While the statistics make it look like many of the compromised machines were from the Netherlands, it seems most of the traffic was from a few IP addresses that seem to have been acting as reverse proxies for the infected machines
  • Strength of the observed passwords:
    • 6% Terrible
    • 28% Bad
    • 44% Medium
    • 17% Good
    • 5% Excellent
  • Conclusion: Even after years of being told to pick good, unique passwords, and after multiple breaches like MySpace, Gawker, LinkedIn, Adobe, etc., people still choose terrible passwords
  • Additional Coverage

  • GoDaddy ad: https://hostcabi.net/hosting_infographic Godaddy hosts one of the largest proportion of the 100,000 most popular websites on the Internet

Hackers courted by Governments for Cyber Warfare jobs

  • Rolling Stone does profiles and interviews at HackMiami, a meetup for hackers to show off their skills to corporate and government recruiters. There is also a ‘Cyber War Games’ event, where hackers simulate attacks against various targets and networks
  • One recruiter’s pitch: “We built an environment that allows people to legally do the things that would put them in jail”
  • “A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on. “
  • Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
  • In one profile, Rolling Stone looks at ‘Street’, an expert at social engineering. “Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”” — The digital equivalent to a clipboard
  • “To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely. “

Feedback:


Round Up:

SoDDing D-Link Backdoor | TechSNAP 132 https://original.jupiterbroadcasting.net/44832/sodding-d-link-backdoor-techsnap-132/ Thu, 17 Oct 2013 17:19:35 +0000 https://original.jupiterbroadcasting.net/?p=44832 It’s never been easy to break a D-Link Router, we’ll share the details about the built in backdoor.


It’s never been easier to break a D-Link Router, we’ll share the details about the built in backdoor.

Plus a huge batch of Java fixes land, a look at iMessage security, and much much more!

On this week’s TechSNAP

Thanks to: GoDaddy and Ting


Reverse engineering a D-Link router

  • Researchers found an authentication bypass backdoor in some D-Link routers
  • Research was conducted on a D-Link DIR-100 revA
  • The firmware is made by a company called Alpha Networks which was spun off from D-Link in 2003
  • Other devices known to be vulnerable from D-Link:
    • DIR-100
    • DIR-120
    • DI-624S
    • DI-524UP
    • DI-604S
    • DI-604UP
    • DI-604+
    • TM-G5240
  • Some devices from Planex appear to use the same firmware:
    • BRL-04R
    • BRL-04UR
    • BRL-04CW
  • If the router is accessed using a User-Agent string of xmlset_roodkcableoj28840ybtide, the user bypasses the username/password requirement and has full access to the router
  • If read backwards: edit by 04882 joel backdoor
  • This backdoor also allows an attacker to perform remote code execution and could be used to infect a router with spyware
  • D-Link promises to issue fixed firmware by the end of the month
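A defender-side check for the bypass described above, as an added example that is not from the show or from the researchers’ write-up: it scans Apache “combined” format access log lines (constructed sample lines embedded inline) for the backdoor User-Agent, so attempts against a router’s web UI can be alerted on from a reverse proxy or syslog collector in front of it. The log paths in the samples are constructed, not real firmware URLs.

```python
"""Flag HTTP requests that present the D-Link backdoor User-Agent.

Added example for defenders, not code from the show or from the
researchers' write-up. It parses Apache "combined" format lines
(User-Agent is the trailing quoted field) and reports every request
whose User-Agent carries the published backdoor token.
"""
import re
from typing import Iterator, NamedTuple, Optional

# The magic User-Agent string reported for the affected D-Link/Planex firmware.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# combined: host ident user [time] "request" status bytes "referer" "user-agent"
_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


class Hit(NamedTuple):
    host: str
    time: str
    request: str
    status: str
    agent: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = _LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_backdoor_agent(agent: str) -> bool:
    """True when the User-Agent carries the backdoor token.

    A case-insensitive substring match is used rather than equality so that
    a token padded with other text or changed in case still raises an alert.
    """
    return BACKDOOR_UA.lower() in agent.lower()


def scan(lines) -> Iterator[Hit]:
    """Yield a Hit for every parseable line that presents the backdoor User-Agent."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        if is_backdoor_agent(rec["agent"]):
            yield Hit(rec["host"], rec["time"], rec["request"], rec["status"], rec["agent"])


def decode_token(token: str) -> str:
    """Reverse the token, as the researchers did, to show what it spells."""
    return token[::-1]


# Constructed sample log lines (not real traffic): a normal request, a probe
# with the backdoor User-Agent, and one line that does not parse at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2013:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"',
    '198.51.100.7 - - [17/Oct/2013:10:01:09 +0000] "GET /admin.htm HTTP/1.1" 200 1024 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT backdoor User-Agent from {hit.host} at {hit.time}: {hit.request} -> {hit.status}")
    print("token reversed:", decode_token(BACKDOOR_UA))
```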

Akamai finds most DDoS attacks come from Asia

  • Threatpost reports on Akamai’s “State of the Internet report”
  • Akamai is a global CDN that services many large websites including Microsoft Update
  • “The Pacific rim region (especially China and Indonesia) accounted for just over 79 percent of all observed attacks” according to the firm’s studies
  • The report also discussed the Syrian Electronic Army (SEA) and its attacks on media outlets, the exhaustion of IPv4 address space, and a rise in mobile data traffic
  • The data does not quite match up with reports from other DDoS protection vendors
  • The Prolexic report for Q1 2013 shows China as the source of 40.68% of all DDoS attacks, and Indonesia did not even register. USA: 21.88%, Germany: 10.59%
  • The Prolexic report for Q2 2013 shows slightly different results, with China holding strong at 39.08%, Mexico coming in at a surprising second with 27.32% and Russia at 7.58%
  • The wild differences are partly due to the fact that each company is measuring attacks against their clients, not the wider internet
  • There is also the methodology for localizing the source of the attack to consider, GeoIP databases and the like are often inaccurate
  • Each company may also have a different definition of a DDoS attack. Are bots crawling a website an attack? What about SQL injection attempts?

Oracle releases the October Critical Patch Update, with updates for Java

  • This is the first time that the Oracle quarterly CPU (Critical Patch Update) has included updates for Java, usually Java is updated on a separate cycle
  • “Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle”
  • All users should immediately upgrade to Java 7u45
  • Java 6 is vulnerable to nearly a dozen critical vulnerabilities, but updates are only provided to Oracle customers with support contracts (Apple)
  • Rapid7 (maintainers of Metasploit) recommend that if you must use Java: “run Java in the most restricted mode and only allow signed applets from white-listed sites”
  • “Noted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden interactions of LiveConnect code, a browser feature that allows applets to communicate with the javascript engine in the browser, and Java Rich Internet Applications”
  • “Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug.“

Feedback:



Round-Up:

ZFS Can Do that | TechSNAP 130 https://original.jupiterbroadcasting.net/44067/zfs-can-do-that-techsnap-130/ Thu, 03 Oct 2013 17:46:33 +0000 https://original.jupiterbroadcasting.net/?p=44067 We’ll look back at 10 years of Patch Tuesday, then the shutdown of Lavabit and Silkroad.


We’ll look back at 10 years of Patch Tuesday, then the shutdown of Lavabit and Silkroad.

Plus a big batch of your questions, our answers, and much much more!

Thanks to: GoDaddy and Ting


— Show Notes: —

Microsoft Patch Tuesday turns 10

  • On Oct. 9, 2003, Microsoft announced its new security patching process; it ended up changing the entire industry
  • Microsoft promised:
    • “Improved patch management processes, policies and technologies to help customers stay up to date and secure.”
    • “Global education programs to provide better guidance and tools for securing systems.”
    • “Our goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.”
  • Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users
  • Microsoft’s security bulletins were also delivered in a consistent text format, with standard sections, that security professionals have come to rely upon
  • Today, public disclosure of serious Microsoft security holes is the exception

2 new vulnerabilities bypass Java ‘Click2Play’ security system


Barclays hit by KVM attack, 1.3 million GBP stolen

  • A person pretending to be an IT admin walked into the branch and installed an IP KVM connected to a 3G router, then later used it to take over the workstation it was connected to
  • Barclays claims to have recovered “a significant amount” of the stolen money
  • When police raided a number of properties to arrest the perpetrators, they found thousands of credit cards and other personal data, plus drugs, jewellery and cash
  • This is not the first time Barclays has been hit. “We have been working closely with the Metropolitan Police following a security breach at our Swiss Cottage branch in April 2013. We identified the fraud and acted swiftly to recover funds on the same day,” said Alex Grant, managing director of fraud prevention at Barclays.

Feedback



Round Up:


Snakes in a Bank | TechSNAP 96 https://original.jupiterbroadcasting.net/31416/snakes-in-a-bank-techsnap-96/ Thu, 07 Feb 2013 16:55:14 +0000 https://original.jupiterbroadcasting.net/?p=31416 Using phone tones and a little Python to get access to someone's bank account, and Oracle steps up with an early patch for Java, but it doesn’t fix everything.


Using phone tones and a little Python to get access to someone’s bank account, and Oracle steps up with an early patch for Java but it doesn’t fix everything.

Then we answer a big batch of your questions, and much more on this week’s TechSNAP.

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go47off1 to save 47% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Show Notes:

Oracle responds, February Critical Patch Update released early

  • The February CPU was originally scheduled for February 19th, but was released February 1st
  • The patch fixes 50 different issues, more than half of which have a CVSS risk score of 10 out of 10
  • This CPU covers issues #29, 50, 52 and 53 reported by Security Explorations, however a fix for issue #51 is still outstanding. Each of these issues is a sandbox security bypass
  • In addition to the new ‘disable java in all browsers’ setting in the java control panel that was introduced in the last CPU, this update also changes the default security setting to high, requiring users to approve all unsigned applets, rather than letting them run silently
  • “The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.”
  • The next Java CPU is not scheduled until June 18th 2013

Researchers develop attack against micro-financing banks in Africa

  • Banks in Africa use Audio One-Time Passwords (AOTP), since most users do not have smart phones, and SMS is not widely deployed
  • The way the system works is that after a user logs in to their bank and makes a transaction, the bank calls their mobile phone to verify the transaction. The user holds their mobile phone up to the speakers on their computer, and the browser plays some audio, which is then received by the bank via the open phone line, and compared
  • The researchers wrote a Python script to simulate logging in to the bank 10,000 times, and recorded the audio for each of these attempts
  • There are a number of issues with the implementation of this system
    • Users log in to their bank with their mobile phone number and a 4 digit PIN; this is obviously not very secure, and is also open to brute force attacks, since both credentials are numeric, and the phone numbers are fairly predictable
    • The researchers found that the AOTPs are not cryptographically random
    • The AOTPs are only 1000ms long
    • Based on analysis, the AOTPs only contain 55 bits of information
    • The system assumes it is connecting to the user’s mobile phone, when it may actually be redirected
  • Because the AOTPs are predictable, the researchers were able to save an AOTP as the voicemail greeting on a target user’s number, so when the bank made the verification call, it got the expected tones
  • Brute force attacks against voicemail passwords are fairly trivial, as most are only 3 or 4 digit PINs, and users often leave them at defaults such as the last 3–4 digits of the phone number, a birth date or 1234
  • Some carriers also offer a web interface for retrieving your voicemail, making web based attacks possible as well
  • Presentation Slides

Twitter servers compromised

  • The Twitter security team detected an unusual pattern of attempts to access their infrastructure
  • In the process of investigating, they found a live ongoing attack
  • They believe the attackers may have had access to: usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users
  • If Twitter believes you were affected, you will have already received a password reset email
  • Twitter reminds you to choose a password that is at least 10 characters long, a mix of case and symbols, and to never use the same password on multiple sites
  • The blog post needlessly mentions the recent Java exploits, and how browsers are disabling the plugin, creating a false equivalency or relationship between what happened to the Twitter servers and the ongoing saga of Java
  • At the end of the blog post, they again remind users to disable Java, even though Java played no part in this attack

Packet of death disables Intel 82574L network cards

  • While debugging a problem that would cause their on-premise VoIP devices to suddenly fail, a sysadmin discovered a bug in the Intel EEPROM
  • A very interesting story of the steps required to reliably reproduce the problem, in order to attempt to isolate it
  • If a specific byte has a value of 0x32 (ASCII ‘2’) the NIC will die, and can only be revived by a full power cycle
  • However, to complicate things, if a value of 0x34 (ASCII ‘4’) happens to fall at this specific offset, the NIC is ‘inoculated’, and won’t crash if it subsequently receives a 0x32 or 0x33
  • It took a great deal of testing to reproduce the problem, because once a NIC was inoculated, it wouldn’t fail again until it was power cycled
  • Packets for tcpreplay to test your NIC

Feedback:

Round Up:

No Pay? No Patch! | TechSNAP 58 https://original.jupiterbroadcasting.net/19691/no-pay-no-patch-techsnap-58/ Thu, 17 May 2012 16:58:19 +0000 https://original.jupiterbroadcasting.net/?p=19691 Adobe tells customers to upgrade to get the latest security fixes, Kickstarter has an embarrassing security lapse.


Adobe tells customers to upgrade to get the latest security fixes, Kickstarter has an embarrassing security lapse.

PLUS: Self-destructing SSDs, and Mirroring vs a CDN, what’s the difference and when are they used. We answer that, and so much more in this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our code TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

New customers 25% off your entire order, code: 25MAY7
Expires: May 31, 2012

Show Notes:

Credit Card Processor Breach led to prepaid card fraud

  • Global Payments, a very large credit card processing firm, was breached some time before March of this year, and as many as 1.5 million cards were leaked. Some industry analysts place the number closer to 7 million
  • It was originally believed that the breach occurred sometime in January or February of 2012, but now it appears as if it might have been as far back as June of 2011
  • Global Payments claims that they self-discovered and self-reported the compromise; however, some banks had detected the fraud earlier, and alerted Visa that the commonality between all of the compromised accounts was purchases at merchants that use Global Payments
  • Some of the cards that were compromised were apparently debit cards, rather than credit cards
  • Some of these debit cards appear to have been sold to criminals, who then used them to defraud stores
  • The offenders would buy low denomination prepaid cards (usually $10 or $20), then go away and reprogram the magnetic strips on the cards with the data from stolen debit cards
  • The offenders would then return to the stores and purchase high denomination prepaid cards
  • The high value prepaid cards would then be used to purchase expensive electronics and other goods with high resale values
  • One of the reasons that such scams are not more common is that stored value instruments, such as prepaid cards, gift cards and money orders, cannot be purchased with a credit card, because credit card transactions can be reversed. Debit card transactions are usually considered irreversible and more secure
  • Global Payments claimed that only Track 2 data from the cards was compromised, and that Track 1 data, which contains the account holder’s name and other information, was not compromised
  • This successful attack shows how even just Track 2 data can be exploited

    Adobe discloses security flaw in Photoshop CS5, solution? Buy CS6

    • A vulnerability has been discovered in the way Photoshop CS5.1 (version 12.1) parses .TIFF files
    • The vulnerability appears to affect every version of Photoshop prior to CS6
    • The vulnerability can be used to execute attacker-supplied code as the user who is running Photoshop
    • The vulnerability was reported to Adobe in September of 2011
    • After 180 days without a patch, researchers publicly disclosed the vulnerability
    • Adobe’s vulnerability announcement recommends users upgrade to CS6 (a paid upgrade)
    • Adobe claims a patch for CS 5.1 is forthcoming, but does not provide any timeline or details
    • Additional Advisory Link
    • Proof of Concept Exploit Code
    • CVE-2012-2027
    • CVE-2012-2028

    Kickstarter Security Lapse leaks details of 70,000 unpublished projects

    • The revelation was made by the Wall Street Journal that roughly 70,000 yet-to-be-launched project ideas had been left exposed for more than two weeks.
    • “The information that could be seen didn’t include credit-card numbers or other sensitive personal details, but it could make users more wary of Kickstarter’s data practices and lower their expectations of privacy on the site.”
    • On Friday one of our engineers uncovered a bug involving Kickstarter’s private API
    • This bug allowed some data from unlaunched projects to be made accessible via the API
    • It was immediately fixed upon discovering the error. No account or financial data of any kind was made accessible.
    • The bug was introduced when we launched the API in conjunction with our new homepage on April 24 and was live until it was discovered and fixed on Friday.
    • Based on our research (Kickstarter’s internal team), the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us.
    • Official Announcement

    Feedback:

    Jungle Boogie asks… What’s the diff between a mirror & CDN?

    Round Up:

    The post No Pay? No Patch! | TechSNAP 58 first appeared on Jupiter Broadcasting.

    Tank, Heal or Damage | TORked 2 https://original.jupiterbroadcasting.net/18571/tank-heal-or-damage-torked-2/ Wed, 04 Apr 2012 14:12:25 +0000 https://original.jupiterbroadcasting.net/?p=18571 How the holy trinity of MMO gameplay applies to SW:TOR, crafting and crew skills are getting an update and, we’ll run through the important bits!

    The post Tank, Heal or Damage | TORked 2 first appeared on Jupiter Broadcasting.


    Crafting and crew skills are getting an update, we’ll run through the important bits, we share new flashpoint details, and give you our tips for rocking the key binds!

    All that and more, in this week’s episode of TORked!


    Show Notes:

    > News

    • Bioware Podcast –
    • Crafting & Crew Skills Update
    • Community Q&A –
    • In Game Events –
    • Patch 1.3 Teases –


    > Main Content

    • 1.2 Patch Notes Continued
      • Class Updates – Brief Overview
      • New Flashpoint / Operation / Dailies / Warzone
      • Guild Bank & New Armour sets
      • Further additions slated for Patch 1.3
    • The MMO Holy Trinity
      • Tank – Leads the charge in battle and holds the enemies’ aggro
      • Healer – Support Role repairing damage taken from enemy fire
      • Damage Dealer (DPS) – Kick the everloving shit out of the enemy
      • The “perfect” team – balance of all 3 (including differences of advanced classes)
      • SWTOR Advanced Class Combinations
      • PvE Group Composition Example (flashpoint) 1 Tank, 1 Healer, 2 DPS
      • Strong Group Composition Example (operation / raid) 2 Tank, 2 Healer, 3 DPS, 1 Hybrid (Someone who can DPS or Heal)
      • Class Diversity in SWTOR –
    • Tips & Tricks
      • Key binds
      • Focus targeting


    > Ep3 Teaser

    • 1.2 patch notes part 3 – SO many changes and updates to investigate
    • Test server feedback from our team as they continue to explore
    • The “Power Of The Sith” – we delve into the dark side to see just why the Sith Warrior and Sith Inquisitor classes are so popular. It might be a “shocking” experience so be prepared.

    Community Feedback

    1. Community Question – What are your ideas to bring the other Crew Skills up to par with the earning power of slicing?


    Lightsabers & Legacies | TORked 1 https://original.jupiterbroadcasting.net/18362/lightsabers-legacies-torked-1/ Wed, 28 Mar 2012 17:14:11 +0000 https://original.jupiterbroadcasting.net/?p=18362 The massive 1.2 Patch is very near and we share what we’re looking forward to, plus we have companion complaints, and what to expect to see in the legacy system.

    The post Lightsabers & Legacies | TORked 1 first appeared on Jupiter Broadcasting.


    The massive 1.2 Patch is very near and we share what we’re looking forward to, plus we have companion complaints, and the great things you can expect to see in the legacy system.

    All that and more on this week’s episode of TORked!


    Show Notes:

    > News


    > Main Content

    • Legacy System Features
      • Family Tree – set up relationships including non-familial ones e.g. rivals
      • Race Unlocks
      • Specific account bound “legacy” items & emailing them to alts
      • Cross class powers due to genetic heritage
      • Further additions slated for Patch 1.3
    • Mention of poor romance options
      • Lack of flirting options for female characters
      • Why are female Sith Warriors not getting more action (Pathetic Men)?
      • Poor selection of male companions (exception Andronikos Revel)
      • Expected possibility of same gender romances in future


    > Community Feedback

    1. What topics do you want covered? Email us or leave a comment!


    > Next Week

    • 1.2 patch notes part 2 – SO many changes and updates to investigate
    • Test server feedback from our team as they continue to explore
    • MMO “holy trinity” of Tank-Healer-Damage Dealer and how it works in SWTOR
