root – Jupiter Broadcasting (https://www.jupiterbroadcasting.com): Open Source Entertainment, on Demand. Feed last updated Sun, 31 Jan 2021 23:20:04 +0000.

Linux Action News 174
https://original.jupiterbroadcasting.net/144097/linux-action-news-174/
Sun, 31 Jan 2021 15:20:04 +0000

Show Notes: linuxactionnews.com/174

The post Linux Action News 174 first appeared on Jupiter Broadcasting.

Layout the DVA | BSD Now 342
https://original.jupiterbroadcasting.net/140392/layout-the-dva-bsd-now-342/
Thu, 19 Mar 2020 05:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/342

The post Layout the DVA | BSD Now 342 first appeared on Jupiter Broadcasting.

Linux Action News 149
https://original.jupiterbroadcasting.net/140282/linux-action-news-149/
Sat, 14 Mar 2020 19:30:00 +0000

Show Notes: linuxactionnews.com/149

The post Linux Action News 149 first appeared on Jupiter Broadcasting.

Old and Insecure | User Error 70
https://original.jupiterbroadcasting.net/132897/old-and-insecure-user-error-70/
Fri, 19 Jul 2019 00:15:56 +0000

Show Notes: error.show/70

The post Old and Insecure | User Error 70 first appeared on Jupiter Broadcasting.

That New User Smell | LINUX Unplugged 197
https://original.jupiterbroadcasting.net/114701/that-new-user-smell-lup-197/
Tue, 16 May 2017 20:49:17 +0000

The post That New User Smell | LINUX Unplugged 197 first appeared on Jupiter Broadcasting.

Show Notes:

Follow Up / Catch Up

Linux Action News Episode 1

Canonical IPO is a go, Microsoft brings more Linux to Windows, OpenWRT, LEDE agree on Linux-for-routers peace plan & Google launches project Treble.

Linux On Windows Server: Linux Admin Scripts Will Now Run On Windows

Last week, at its developer conference Build 2017, Microsoft announced that it’s bringing Windows Subsystem for Linux to Windows Server. Apart from this, Windows Server will also be joining Windows Insider program. The other new features of Windows Server will be aligned with the next release of Windows 10.

I am pleased to share that we are also bringing the Windows Subsystem for Linux (WSL), commonly known as Bash on Windows, to Windows Server. This unique combination allows developer and application administrators to use the same scripts, tools, procedures and container images they have been using for Linux containers on their Windows Server container host. These containers use our Hyper-V isolation technology combined with your choice of Linux kernel to host the workload while the management scripts and tools on the host use WSL.

explainshell.com – match command-line arguments to their help text

write down a command-line to see the help text that matches each argument

finds bugs in your shell scripts.


Linux Academy

SELF 2017 Registration, Schedule, Hotel Rooms, Parties, Carpools, and Room Shares

LINUX Unplugged Subreddit

CasterSoundboard: A soundboard for hot-keying and playing back sounds. (For podcasting)

audio-visualizer-python: a little GUI tool to render visualization videos of audio files


Netflix confirms it is blocking rooted/unlocked devices, app itself is still working (for now)

Earlier today, Netflix started showing up as ‘incompatible’ on the Play Store for rooted and unlocked Android devices.

TING

magic-device-tool: A simple and featureful batch tool to handle installing/replacing Operating Systems (Ubuntu Phone / Ubuntu Touch, Android, LineageOS, Maru OS, Sailfish OS and Phoenix OS) on your mobile devices.

DigitalOcean

Galago Pro – Review

Galago Pro is a 13.3” machine that weighs 2.87 lbs

Galago Pro comes with one USB-C with Thunderbolt, Ethernet, HDMI, SD Card slot and DisplayPort.

It also has a slot for a nano SIM card to get cellular connectivity while on the move. But I have been told the corresponding motherboard hardware bits are not installed.

  • CPU: Intel Core i7-7500 @ 2.70 GHz
  • GPU: Intel HD Graphics 620
  • RAM: 8 GB
  • Disk: 256 GB NVMe
  • Battery: 36.2 Wh

Shift+F10 and Done | TechSNAP 295
https://original.jupiterbroadcasting.net/105166/shiftf10-and-done-techsnap-295/
Thu, 01 Dec 2016 19:42:13 +0000

The post Shift+F10 and Done | TechSNAP 295 first appeared on Jupiter Broadcasting.

Show Notes:

Researcher accidentally roots Microsoft Azure’s Red Hat Update Infrastructure servers

  • “I was tasked with creating a machine image of Red Hat Enterprise Linux that was compliant to the Security Technical Implementation guide defined by the Department of Defense.”
  • “This machine image was to be used for both Amazon Web Services and Microsoft Azure. Both of which offer marketplace images which had a metered billing pricing model. Ideally, I wanted my custom image to be billed under the same mechanism, as such the virtual machines would be able to consume software updates from a local Red Hat Enterprise Linux repository owned and managed by the cloud provider.”
  • “Both Amazon Web Services and Microsoft Azure utilise a deployment of Red Hat Update Infrastructure for supplying this functionality.”
  • “There is only one Red Hat Update Appliance per Red Hat Update Infrastructure installation, however, both Amazon Web Services and Microsoft Azure create one per region.”
  • “Both Amazon Web Services and Microsoft Azure use SSL certificates for authentication against the repositories. However, these are the same SSL certificates for every instance.”
  • “On Amazon Web Services having the SSL certificates is not enough, you must have booted your instance from an AMI that had an associated billing code. It is this billing code that ensures you pay the extra premium for running Red Hat Enterprise Linux.”
  • “On Azure it remains undefined how they manage to track billing. At the time of research, it was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available.”
  • “On Azure to setup repository connectivity, they provide an RPM with the necessary configuration. The installation script it references comes from the following archive. If you expand this archive you will find the client configuration for each region.”
  • The post goes over how the hostnames for all of the Update Appliances were discovered
  • “The build host is interesting rhui-monitor.cloudapp.net, at the time of research running a port scan revealed an application running on port 8080.”
  • “Despite the application requiring username and password based authentication, It was possible to execute a run of their “backend log collector” on a specified content delivery server. When the collector service completed the application supplied URLs to archives which contain multiple logs and configuration files from the servers.”
  • “Included within these archives was an SSL certificate that would grant full administrative access to the Red Hat Update Appliances”
  • So now the researcher could access each Update Appliance with full administrative access and create new packages, or newer versions of common packages, that include a backdoor. Every Red Hat VM on the entire cloud provider would then install this “important security update”, giving the attacker full access to every machine.
  • “Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.”
  • Even if gpgcheck was enabled, it is likely that the GPG key would be exposed to the administrator of the update appliance
  • “The issue was reported in accordance to the Microsoft Online Services Bug Bounty terms. Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net. Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets.”

Newly discovered router flaw being hammered by in-the-wild attacks

  • “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.”
  • “Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.”
  • “SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.”
  • “The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.”
  • “The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.”
  • Exploit Code
  • “To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices”
  • “The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:”
    • busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    • busybox killall -9 telnetd
  • “which should make the device “secure”… until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
  • So while exploited routers will stop being vulnerable to other attackers, they will be harder for the ISP to fix properly
  • ISPs could help protect their customers, and their own command-and-control of customers’ routers, by blocking inbound port 7547 from outside of their network

Hack Windows 10 by holding down Shift+F10

  • “Every Windows 10 in-place Upgrade is a SEVERE Security risk”
  • During the update process, when the computer boots into the updater, holding Shift+F10 pops a command prompt running as SYSTEM, the highest privilege level possible on Windows.
  • What makes this worse is that this happens after the volume encryption keys have been loaded, so even BitLocker-encrypted disks are open to access by unauthorized people.
  • “This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.”
  • “There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video.”
  • “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software.”
  • Additional Coverage: BleepingComputer
  • “In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update, even if a user is not present, or has logged on for a long period of time.”
  • “At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.”
  • “Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.”
  • “The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades”
  • “Furthermore, Laiho says that Windows SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.”
  • The Police could use this on seized laptops, just keep the machine offline until the next “feature update”, then pop a command prompt during the installation, and have unrestricted access to the encrypted disk.

Curl Sleeper Agent | TechSNAP 266
https://original.jupiterbroadcasting.net/99721/curl-sleeper-agent-techsnap-266/
Thu, 12 May 2016 19:37:51 +0000

The post Curl Sleeper Agent | TechSNAP 266 first appeared on Jupiter Broadcasting.


Zero-day exploits striking over 100 systems, if you think copying links to bash scripts from the internet is okay, maybe you shouldn’t be root & the day Google automated itself off the internet.

Plus your questions, our answers, a huge round up & more!

Show Notes:

Zero-day exploits against Microsoft used against PoS systems of over 100 companies

  • “More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability CVE-2016-0167 reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.”
  • “The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability””
  • “FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) this week”
  • “In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY.”
  • “PUNCHBUGGY is a dynamic-link library (DLL) downloader, existing in both 32-bit and 64-bit versions, that can obtain additional code over HTTPS. This downloader was used by the threat actor to interact with compromised systems and move laterally across victim environments.”
  • “In some victim environments, the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines”
  • “This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication”
  • “Security experts say, as more U.S. companies snuff out point of sale malware by deploying chip-and-PIN bank card technology, attackers are rushing to exploit existing magnetic strip card systems still vulnerable to malware. FireEye, for example, reported last month that a group of hackers that go by the name Bears Inc. are behind the latest barrage of attacks with a custom-built point of sale malware called Treasurehunt. This latest zero day vulnerability follows the same trend.”
  • I would argue that chip-and-PIN does not make the PoS terminal any less vulnerable to malware
  • While it does make it harder to clone cards, I think it should not be viewed as a solution to malware
  • FireEye Report

If you think doing curl|bash is ok, you shouldn’t have root

  • “Installing software by piping from curl to bash is obviously a bad idea and a knowledgeable user will most likely check the content first. So wouldn’t it be great if a malicious payload would only render when piped to bash?”
  • So, we all know it is bad, but some people do it anyway. They tell themselves it is alright because they check the contents of the script before they run it
  • That only works if what you end up downloading is the same as what you actually reviewed
  • “Luckily the behaviour of curl (and wget) changes subtly when piped into bash. This allows an attacker to present two different versions of their script depending on the context :)”
  • “It’s not that the HTTP requests from curl when piped to bash look any different than those piped to stdout, in fact for all intents and purposes they are identical”
  • “Execution in bash is performed line by line and so the speed that bash can ingest data is limited by the speed of execution of the script. This means if we return a sleep at the start of our script the TCP send stream will pause while we wait for the sleep to execute. This pause can be detected and used to render different content streams.”
  • “Unfortunately it’s not just a simple case of wrapping a socket.send(“sleep 10”) in a timer and waiting for a send call to block. The send and receive TCP streams in linux are buffered on a per socket basis, so we have to fill up these buffers before the call to send data will block. We know the buffer is full when the receiving client replies to a packet with the Window Size flag set to 0”
  • “The only character you can really use to fill the buffer is a null byte as it won’t render in most consoles. It also won’t render in chrome when the charset text/html is specified. As we don’t know the content-length data is transferred with chunked encoding with each chunk being a string of null bytes same size as the TCP send buffer.”
  • So, the attacker sends chunks of null bytes until all of the buffers on the client side are full, because bash is sleeping and not reading any more data yet
  • So the attacker just has to see if you are piping the content to bash, or to your terminal or browser. Only in the case of bash do they send the “payload”
  • There is a nice demo included in the article

Post Mortem: When Google automated itself off the internet

  • “On Monday, 11 April, 2016, Google Compute Engine instances in all regions lost external connectivity for a total of 18 minutes, from 19:09 to 19:27 Pacific Time.”
  • This is the story of how automation knocked all of GCE off of the internet
  • “Google uses contiguous groups of internet addresses — known as IP blocks — for Google Compute Engine VMs, network load balancers, Cloud VPNs, and other services which need to communicate with users and systems outside of Google. These IP blocks are announced to the rest of the internet via the industry-standard BGP protocol, and it is these announcements which allow systems outside of Google’s network to ‘find’ GCP services regardless of which network they are on.”
  • “To maximize service performance, Google’s networking systems announce the same IP blocks from several different locations in our network, so that users can take the shortest available path through the internet to reach their Google service. This approach also enhances reliability; if a user is unable to reach one location announcing an IP block due to an internet failure between the user and Google, this approach will send the user to the next-closest point of announcement. This is part of the internet’s fabled ability to ‘route around’ problems, and it masks or avoids numerous localized outages every week as individual systems in the internet have temporary problems.”
  • Also known as “anycast”
  • “At 14:50 Pacific Time on April 11th, our engineers removed an unused GCE IP block from our network configuration, and instructed Google’s automated systems to propagate the new configuration across our network. By itself, this sort of change was harmless and had been performed previously without incident. However, on this occasion our network configuration management software detected an inconsistency in the newly supplied configuration. The inconsistency was triggered by a timing quirk in the IP block removal – the IP block had been removed from one configuration file, but this change had not yet propagated to a second configuration file also used in network configuration management. In attempting to resolve this inconsistency the network management software is designed to ‘fail safe’ and revert to its current configuration rather than proceeding with the new configuration. However, in this instance a previously-unseen software bug was triggered, and instead of retaining the previous known good configuration, the management software instead removed all GCE IP blocks from the new configuration and began to push this new, incomplete configuration to the network.”
  • “One of our core principles at Google is ‘defense in depth’, and Google’s networking systems have a number of safeguards to prevent them from propagating incorrect or invalid configurations in the event of an upstream failure or bug. These safeguards include a canary step where the configuration is deployed at a single site and that site is verified to still be working correctly, and a progressive rollout which makes changes to only a fraction of sites at a time, so that a novel failure can be caught at an early stage before it becomes widespread. In this event, the canary step correctly identified that the new configuration was unsafe. Crucially however, a second software bug in the management software did not propagate the canary step’s conclusion back to the push process, and thus the push system concluded that the new configuration was valid and began its progressive rollout.”
  • So, the automation software detected that the new configuration was bad, but, ignored this signal and went ahead anyway
  • “As the rollout progressed, those sites which had been announcing GCE IP blocks ceased to do so when they received the new configuration. The fault tolerance built into our network design worked correctly and sent GCE traffic to the remaining sites which were still announcing GCE IP blocks.”
  • “With no sites left announcing GCE IP blocks, inbound traffic from the internet to GCE dropped quickly, reaching >95% loss by 19:09. Internal monitors generated dozens of alerts in the seconds after the traffic loss became visible at 19:08, and the Google engineers who had been investigating a localized failure of the asia-east1 VPN now knew that they had a widespread and serious problem. They did precisely what we train for, and decided to revert the most recent configuration changes made to the network even before knowing for sure what the problem was. This was the correct action, and the time from detection to decision to revert to the end of the outage was thus just 18 minutes.”
  • “With the immediate outage over, the team froze all configuration changes to the network, and worked in shifts overnight to ensure first that the systems were stable and that there was no remaining customer impact, and then to determine the root cause of the problem. By 07:00 on April 12 the team was confident that they had established the root cause as a software bug in the network configuration management software.”
  • Moving forward, Google will add:
  • Monitoring targeted GCE network paths to detect if they change or cease to function
  • Comparing the IP block announcements before and after a network configuration change to ensure that they are identical in size and coverage
  • Semantic checks for network configurations to ensure they contain specific Cloud IP blocks.
  • “We take all outages seriously, but we are particularly concerned with outages which affect multiple zones simultaneously because it is difficult for our customers to mitigate the effect of such outages. This incident report is both longer and more detailed than usual precisely because we consider the April 11th event so important, and we want you to understand why it happened and what we are doing about it. It is our hope that, by being transparent and providing considerable detail, we both help you to build more reliable services, and we demonstrate our ongoing commitment to offering you a reliable Google Cloud platform.”
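As an added example (not Google's code or the post-mortem's own tooling), the following Python models the "identical in size and coverage" comparison listed above together with the gating that the second bug broke: the canary's verdict is the return value the rollout planner consumes, so an unsafe conclusion cannot be lost on a side path. The prefixes and site names are constructed sample data.

```python
"""Coverage check for an IP-block announcement change (added example, not Google's code).

Models two safeguards from the post-mortem: comparing announced blocks before and
after a configuration change for identical size and coverage, and making the canary
verdict the value that gates the progressive rollout. All prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence, Tuple


def parse_blocks(blocks: Iterable[str]) -> list:
    """Parse CIDR strings strictly: a prefix with host bits set is a config error, not data."""
    return [ipaddress.ip_network(b, strict=True) for b in blocks]


def uncovered(before: Sequence, after: Sequence) -> list:
    """Blocks announced before the change that no after-change block still covers."""
    return [
        b for b in before
        if not any(b.version == a.version and b.subnet_of(a) for a in after)
    ]


@dataclass
class CanaryVerdict:
    safe: bool
    unexpected_loss: List[str] = field(default_factory=list)
    size_before: int = 0
    size_after: int = 0


def check_announcements(before_cfg: Iterable[str], after_cfg: Iterable[str],
                        intended_removals: Iterable[str] = ()) -> CanaryVerdict:
    """Only blocks the operator explicitly meant to withdraw may disappear, and the
    total address count must shrink by exactly their size, so both a wholesale wipe
    (the incident above) and a silent re-aggregation that widens coverage fail."""
    before = parse_blocks(before_cfg)
    after = parse_blocks(after_cfg)
    intended = [n for n in parse_blocks(intended_removals) if n in before]
    lost = uncovered(before, after)
    unexpected = [n for n in lost if n not in intended]
    size_before = sum(n.num_addresses for n in before)
    size_after = sum(n.num_addresses for n in after)
    expected_after = size_before - sum(n.num_addresses for n in intended)
    safe = not unexpected and size_after == expected_after
    return CanaryVerdict(safe, [str(n) for n in unexpected], size_before, size_after)


def plan_rollout(before_cfg: Iterable[str], after_cfg: Iterable[str], sites: Sequence[str],
                 intended_removals: Iterable[str] = (), batch: int = 2
                 ) -> Tuple[CanaryVerdict, List[List[str]]]:
    """Gate the progressive rollout on the verdict itself: an unsafe verdict yields an
    empty plan, so there is no separate signal path for the conclusion to be dropped on."""
    verdict = check_announcements(before_cfg, after_cfg, intended_removals)
    if not verdict.safe:
        return verdict, []
    batches = [list(sites[i:i + batch]) for i in range(0, len(sites), batch)]
    return verdict, batches


# Constructed sample: three announced blocks, operator withdrawing one unused /25.
BEFORE = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]
GOOD_AFTER = ["203.0.113.0/24", "2001:db8:10::/48"]  # the change the operator intended
BAD_AFTER: List[str] = []                             # what the buggy management software produced
SITES = ["site-a", "site-b", "site-c", "site-d", "site-e"]

if __name__ == "__main__":
    for label, after in (("intended change", GOOD_AFTER), ("buggy config", BAD_AFTER)):
        verdict, plan = plan_rollout(BEFORE, after, SITES, ["198.51.100.0/25"])
        print(f"{label}: safe={verdict.safe} lost={verdict.unexpected_loss} batches={plan}")
```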

Drama at the Internet’s malware dumping ground

  • VirusTotal is a popular online malware aggregation service started in 2004, and acquired by Google in 2012.
  • It allows researchers and users to submit malware samples which are tested against the static detection engines of some 50+ anti-virus vendors
  • An example analysis
  • However, there is concern that many “NextGen” security startups are just abusing the VirusTotal API rather than building their own detection engine
  • Worse, this type of use doesn’t contribute anything back to the community
  • So Google has changed the Terms of Service: “All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services”
  • “Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO)”
  • Traditional vendors have applauded the move:
  • Trend Micro
  • MalwareBytes
  • Of course, there is also a response from the other side
  • The AV Bomb That Never Was
  • Includes responses from Cylance, and SentinelOne, two of the larger “NextGen” security companies
  • Also has summaries from Palo Alto Networks and CrowdStrike
  • How this actually impacts the industry is yet to be seen, but I don’t expect much outside of a few shady startups going away, but they were going to do that anyway
  • Additional Coverage

Speculated Apples | TTT 210
https://original.jupiterbroadcasting.net/87351/speculated-apples-ttt-210/
Tue, 08 Sep 2015 12:08:06 +0000

The post Speculated Apples | TTT 210 first appeared on Jupiter Broadcasting.


A new touchscreen display goes on sale for the Raspberry Pi that nearly makes it a complete computer, researchers hack the sensors of self driving cars & we speculate rampantly about the iPad Pro, but definitely not the iPhone 6s!

Show Notes:

— Episode Links —

The post Speculated Apples | TTT 210 first appeared on Jupiter Broadcasting.

]]>
Trojan Family Ties | TechSNAP 230 https://original.jupiterbroadcasting.net/87251/trojan-family-ties-techsnap-230/ Thu, 03 Sep 2015 06:36:10 +0000 https://original.jupiterbroadcasting.net/?p=87251 Rooting your Android device might be more dangerous than you realize, why the insurance industry will take over InfoSec & the NSA prepares for quantum-resistant encryption. Plus some great questions, a fantastic roundup & more!

The post Trojan Family Ties | TechSNAP 230 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Taking Root – Malware on Mobile Devices

  • Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
  • Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application running with root access virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
  • Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege-escalation tools preinstalled, malware writers have long used this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that grant superuser privileges on the phone.
  • The researchers analyzed statistics collected from May to August 2015 and identified Trojan families that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All of these families can install programs; their functionality is in effect limited to downloading and installing arbitrary applications on the phone without the user’s knowledge.
  • A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not connected in any way with those applications’ original purpose. Cybercriminals simply take popular legitimate apps and add malicious code without affecting the main functionality.
  • After launching, the Trojan tries the Android OS vulnerabilities known to it one after another in order to gain superuser privileges. On success, a standalone copy of the malware is installed in the system application folder (/system/app), which sits on the read-only system partition, so it cannot be removed through the normal app uninstall path. From there it regularly connects to the cybercriminals’ server and waits for commands to download and install other applications.

  • Two of the families are described in more detail below:

  • Leech Family

  • This malware family is the most advanced of those described.
  • Some of its versions can bypass the dynamic checks Google performs before applications are allowed into the official Google Play Store. Malware from this family obtains a range of data about the device’s IP address from a service called ipinfo.io, including country of registration, address and matching domain names. The Trojan then checks whether the IP address falls within the ranges used by Google, so that it can behave benignly while it is being run inside Google’s analysis infrastructure.
  • The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.

  • Ztorg family

  • On the whole, Trojans in this family have the same functionality as those described above.
  • The distribution technique also matches that used to spread the Gorpo (plus Fadeb) and Leech families: malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions use a protection technique that hides the code from static analysis entirely.
  • The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched.
  • Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.

  • It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks.
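As an added illustration for these notes (not code from the report or from the malware authors), the Python script below triages an APK for the behaviours described above: references to Android’s dynamic code-loading classes, the ipinfo.io lookup used to recognise Google’s analysis infrastructure, strings pointing at /system/app or an su binary, and a Shannon-entropy pass over assets/ to catch the encrypted DEX that a Ztorg-style protector hides behind a stub classes.dex. The indicator strings, the entropy threshold, the weights and the sample APK are this example’s own assumptions, not signatures from the report.

```python
import io
import math
import random
import zipfile

# Indicator strings derived from the behaviours described in the report above.
# Which strings to look for, and the weights below, are this example's own choices,
# not a published signature for Leech, Ztorg or Gorpo.
DYNAMIC_LOADING_APIS = (b"dalvik/system/DexClassLoader", b"dalvik/system/PathClassLoader")
SANDBOX_PROBE_HOSTS = (b"ipinfo.io",)
ROOT_PERSISTENCE_PATHS = (b"/system/app", b"/system/xbin/su", b"/system/bin/su")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data, 0.0 for a constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Scan an APK (a ZIP archive) for repackaging and protector indicators."""
    findings = {
        "dynamic_loading": False,     # DexClassLoader / PathClassLoader referenced
        "sandbox_probe": False,       # IP geolocation lookup used to spot Google's ranges
        "root_persistence": False,    # writes into /system or looks for an su binary
        "high_entropy_assets": [],    # (name, entropy) of opaque blobs under assets/
        "dex_files": [],              # (name, size) so a stub classes.dex stands out
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info.filename)
            if name.endswith(".dex"):
                findings["dex_files"].append((name, len(data)))
            if any(api in data for api in DYNAMIC_LOADING_APIS):
                findings["dynamic_loading"] = True
            if any(host in data for host in SANDBOX_PROBE_HOSTS):
                findings["sandbox_probe"] = True
            if any(path in data for path in ROOT_PERSISTENCE_PATHS):
                findings["root_persistence"] = True
            if name.startswith("assets/") and len(data) >= 256:
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
    return findings


def suspicion_score(findings: dict) -> int:
    """Weight the indicators; a stub DEX next to an opaque asset is the protector pattern."""
    score = 2 * findings["dynamic_loading"] + 2 * findings["sandbox_probe"]
    score += 3 * findings["root_persistence"]
    score += 2 * len(findings["high_entropy_assets"])
    stub_dex = any(size < 4096 for _, size in findings["dex_files"])
    if stub_dex and findings["high_entropy_assets"]:
        score += 3
    return score


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed sample, not a real app: a stub classes.dex plus an 'encrypted' asset."""
    stub = b"dex\n035\0"
    if malicious:
        stub += b"Ldalvik/system/DexClassLoader;https://ipinfo.io/json/system/app/"
    stub += b"\0" * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", stub)
        if malicious:
            rng = random.Random(1337)  # deterministic stand-in for ciphertext
            zf.writestr("assets/data.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("repackaged", build_sample_apk(True)), ("clean", build_sample_apk(False))):
        f = triage_apk(apk)
        print(label, suspicion_score(f), f)
```

Running it against a real sample means pointing `triage_apk` at the APK bytes; the string checks are deliberately crude, and the entropy pass is what catches a protector even when it renames every class, because ciphertext cannot hide its statistics.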


Will the insurance industry take over InfoSec?

  • “Insurance is a maturity indicator“
  • When insurance comes, full scale, to the InfoSec industry, maybe that means we have finally gotten to the point where we understand the risks enough to start putting money on it
  • While I can definitely see the argument that insurance companies are in a position to force their clients into certain minimum security practices, either to qualify for insurance or to get a reduced rate,
  • At the same time, I foresee a bunch of useless certifications, extra bureaucracy, and more things like PCI-DSS audits that miss the point entirely
  • “People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected. If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.”
  • The article points out the three basic requirements for insurance companies to be interested:
  • Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
  • Adequate money in the form of a population able to pay premiums.
  • Sufficient actuarial data on which to base the pricing and payout models.
  • I don’t know that that last measure can be met yet. Unlike with car insurance, it is much harder to predict what a company’s chances of getting breached are.
  • Considering factors like how high-profile they are (fancier cars get stolen more), what infrastructure they use (newer cars are safer), and how often they patch (hard to measure, like how often you service your car) doesn’t really give you enough information to price the insurance
  • In the end, pretty much every company has a 100% chance of being breached; it comes down to how quickly it will be detected and how much damage will be done
  • At this point, I don’t think the insurance industry is qualified, and we’ll either see them making so many payouts that they lose money, or writing loopholes into policies with vague wording like “industry standard security practices” to weasel out of paying up
  • Predictions from the article:
  • Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
    • As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
    • In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
    • Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
    • For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
  • “When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.”
  • “Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.”
  • Insurance won’t fix everything (or anything?)
  • “We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.”

The NSA updates its crypto recommendations

  • The NSA, in its role as the organization that approves the cryptography used to protect National Security Systems across the US government, has updated its recommendations on which algorithms and key sizes to use
  • Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS).
  • A look at the site from a few months ago highlights some of the differences
    • AES-128 was dropped. It was formerly approved for SECRET, with AES-256 for TOP SECRET; AES-256 is now recommended for both
    • ECDH and ECDSA with P-256, formerly approved for the ‘less’ secret level, were also dropped in favour of P-384 across the board
    • SHA-256 was dropped as well. Somewhat surprisingly, SHA-384 remains the recommendation rather than SHA-512 (its 192-bit collision resistance matches the strength of P-384)
    • Requirements that Suite B had not specified before were also added:
    • Diffie-Hellman key exchange now requires at least 3072-bit moduli
    • RSA, for key establishment and digital signatures, now also requires at least 3072-bit keys
  • IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms.
  • We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.
  • Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms.
  • With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.
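To make the key-size changes above concrete, here is an added Python example (not from the NSA page or from the show) that maps each algorithm and size to its NIST SP 800-57 security strength, computes the weakest link in a configuration, and checks a configuration against the old Suite B SECRET minimums and the 2015 update, including the 112-bit carve-out for large unclassified PKIs quoted in the last bullet. The policy dicts and the sample configuration are this example’s construction.

```python
# Security strengths from NIST SP 800-57 Part 1; the Suite B minimums are the
# ones listed above. Configurations are dicts of algorithm -> key/digest size in bits.
RSA_DH_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
ECC_STRENGTH = {256: 128, 384: 192, 521: 256}
SHA2_STRENGTH = {256: 128, 384: 192, 512: 256}   # collision resistance of SHA-2 by digest size


def security_strength(alg: str, size: int) -> int:
    """Bits of security offered by one (algorithm, size) pair."""
    if alg == "AES":
        return size
    if alg in ("RSA", "DH"):
        return RSA_DH_STRENGTH[size]
    if alg in ("ECDH", "ECDSA"):
        return ECC_STRENGTH[size]
    if alg == "SHA":
        return SHA2_STRENGTH[size]
    raise ValueError(f"unknown algorithm: {alg}")


def weakest_link(config: dict) -> int:
    """A system is only as strong as its weakest primitive."""
    return min(security_strength(alg, size) for alg, size in config.items())


# Minimum sizes. The pre-2015 column is the old Suite B SECRET level; DH and RSA
# had no Suite B figure then, which is why they are absent from it.
SUITE_B_PRE_2015 = {"AES": 128, "ECDH": 256, "ECDSA": 256, "SHA": 256}
SUITE_B_2015 = {"AES": 256, "ECDH": 384, "ECDSA": 384, "SHA": 384, "DH": 3072, "RSA": 3072}


def check_policy(config: dict, policy: dict, legacy_pki: bool = False) -> dict:
    """Map each algorithm that falls short of the policy to (have, need).

    legacy_pki models the carve-out quoted above: large unclassified PKIs may stay
    at 112 bits (2048-bit RSA/DH) until quantum-resistant algorithms are available.
    """
    shortfalls = {}
    for alg, need in policy.items():
        have = config.get(alg)
        if have is None:
            continue  # this configuration does not use the algorithm
        if legacy_pki and alg in ("RSA", "DH") and have >= 2048:
            continue
        if have < need:
            shortfalls[alg] = (have, need)
    return shortfalls


if __name__ == "__main__":
    # A "strong" TLS stack that still carries a 2048-bit RSA certificate.
    tls = {"AES": 256, "ECDH": 384, "SHA": 384, "RSA": 2048}
    print("weakest link:", weakest_link(tls), "bits")          # 112, capped by RSA-2048
    print("vs 2015 Suite B:", check_policy(tls, SUITE_B_2015))  # {'RSA': (2048, 3072)}
    print("legacy PKI carve-out:", check_policy(tls, SUITE_B_2015, legacy_pki=True))
```

On a stack that pairs AES-256 and P-384 with a 2048-bit RSA certificate the weakest link comes out at 112 bits, which is exactly the gap the new 3072-bit RSA and DH requirement closes; the same configuration passes once the legacy-PKI exemption from the last bullet is applied.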

Google Wireless All The Things | Tech Talk Today 161 https://original.jupiterbroadcasting.net/80902/google-wireless-all-the-things-tech-talk-today-161/ Wed, 22 Apr 2015 13:57:37 +0000 https://original.jupiterbroadcasting.net/?p=80902 The rumors around Google’s own wireless services are on fire, we speculate on Google’s possible path to world domination one mobile at a time. Plus the trouble with rooting your Galaxy device & why we’re trying to sell a MacBook Pro like it’s hot!

The post Google Wireless All The Things | Tech Talk Today 161 first appeared on Jupiter Broadcasting.


Show Notes:

Google Set to Unveil Wireless Service – WSJ

Google Inc. is set to unveil its new U.S. wireless service as early as Wednesday, pushing the Internet giant further into telecom and injecting fresh uncertainty into a wireless industry already locked in a price war.

In a key development, the service is expected to allow customers to pay only for the amount of data they actually use each month, people familiar with the matter said—a move that could further push carriers to do away with lucrative “breakage.”

Thinking of rooting your Galaxy S6 or S6 edge? Don’t, or you’ll lose this important feature – SamMobile

If you think that Samsung Pay is of no use to you, think again. Samsung Pay debuted with the Galaxy S6, and makes use of your fingerprint to authorize payments through your smartphone at payment gateways. Just like Apple Pay you would think, but that is not the case. Samsung Pay is better than its competitors — Apple Pay and Android Pay — as it is compatible with MST (Magnetic Secure Transmission) as well as NFC based payment systems.

Microsoft Announces Device Guard For Windows 10

Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. “It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. … To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege.” It’s intended to be used in conjunction with traditional anti-virus, not as a replacement.

Star Trek 3 Will Be Titled Star Trek Beyond

Well, according to TrekMovie.com, who admittedly has a pretty good track record with Trek movie rumors. The title matches the volume-number-less installment of Star Trek Into Darkness, but seems to confirm the new Enterprise crew will finally be going on its five-year mission to explore strange new worlds, etc.

Apple MacBook Pro | eBay

Signed by Sony | TechSNAP 192 https://original.jupiterbroadcasting.net/73732/signed-by-sony-techsnap-192/ Thu, 11 Dec 2014 18:48:06 +0000 https://original.jupiterbroadcasting.net/?p=73732 If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today! Plus we dig through the Sony hack, answer a ton of great questions & a rocking roundup!

The post Signed by Sony | TechSNAP 192 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Reinventing Computers And The Internet From Scratch, For The Sake Of Security

  • DARPA funded research is looking at how we might design the Internet if we had to do it over again
  • Many decisions made 30 and 40 years ago, when UNIX and TCP/IP were designed, might be made differently today
  • The overall project has a number of sub-projects:
    • CRASH – Clean-Slate Design of Resilient, Adaptive, Secure Hosts
    • MRC – Mission-Oriented Resilient Clouds
    • CTSRD – Clean Slate Trustworthy Secure Research and Development (Custard)
  • BERI: Bluespec Extensible RISC Implementation: an open-source hardware-software research and teaching platform: a 64-bit RISC processor implemented in the high-level Bluespec hardware description language (HDL), along with compiler, operating system, and applications
  • CHERI: capability hardware enhanced RISC instructions: hardware-accelerated in-process memory protection and sandboxing model based on a hybrid capability model
  • TESLA: temporally enforced security logic assertions: compiler-generated runtime instrumentation continuously validating temporal security properties
  • SOAAP: security-oriented analysis of application programs: automated program analysis and transformation techniques to help software authors utilize Capsicum and CHERI features
  • The goal is to design newer secure hosts and networks, without having to maintain backwards compatibility with legacy systems, the biggest problem with changing anything on the Internet
  • This is why there are still things like SSLv3 (instead of just TLS 1.2+), why we have not switched to IPv6, and why spam is still such a large problem
  • I for one would definitely like to replace SMTP, but no one has yet devised a plan for a system that the world could transition to without breaking legacy email while we wait for the rest of the world to upgrade
  • “Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.””
  • For performance reasons, when the hardware and programming languages of 30 and 40 years ago were designed, it was decided that security would be left up to the programmer
  • The CHERI project aims to change this by implementing ‘capabilities’, a sandboxing and memory-protection mechanism, in the hardware, so that the hardware rather than the software enforces bounds and permissions on memory accesses, preventing unauthorized access to or modification of regions of memory by malicious or compromised applications
  • CHERI and the software side of the project, Capsicum, are based on FreeBSD, but are also being ported to Linux, where Google plans to make extensive use of it in its Chrome and Chromium browsers
  • Additional Coverage
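The following is an added software model, written for these notes and not code from the CHERI or Capsicum projects, of the capability rules the bullets above describe: a reference carries bounds and permissions, every load and store is checked against them at the moment of use, and a capability derived from another can only be narrower or less privileged (monotonicity). CHERI does this in hardware on tagged capability registers; the Python classes, the fault type and the ‘saved return address’ layout in the demo are this example’s constructions.

```python
class CapabilityFault(Exception):
    """Stands in for the hardware exception CHERI raises on a bad capability use."""


class Memory:
    """Flat byte-addressable memory shared by all capabilities."""

    def __init__(self, size: int):
        self.cells = bytearray(size)


class Capability:
    """A bounded, permissioned reference to memory.

    Unlike a raw pointer, every load/store is checked against the bounds and
    permissions carried with the reference, and a derived capability can never
    be wider or more privileged than its parent.
    """

    def __init__(self, mem, base, length, perms, offset=0):
        self.mem, self.base, self.length = mem, base, length
        self.perms, self.offset = frozenset(perms), offset

    def at(self, offset: int) -> "Capability":
        """Pointer arithmetic: allowed to go out of bounds, checked only on use."""
        return Capability(self.mem, self.base, self.length, self.perms, offset)

    def _check(self, perm: str, n: int) -> int:
        if perm not in self.perms:
            raise CapabilityFault(f"capability lacks {perm} permission")
        if self.offset < 0 or self.offset + n > self.length:
            raise CapabilityFault(
                f"access of {n} byte(s) at offset {self.offset} outside length {self.length}")
        return self.base + self.offset

    def load(self, n: int = 1) -> bytes:
        addr = self._check("load", n)
        return bytes(self.mem.cells[addr:addr + n])

    def store(self, data: bytes) -> None:
        addr = self._check("store", len(data))
        self.mem.cells[addr:addr + len(data)] = data

    def derive(self, start: int, length: int, perms=None) -> "Capability":
        """Return a narrower capability; widening bounds or adding permissions traps."""
        perms = self.perms if perms is None else frozenset(perms)
        if start < 0 or length < 0 or start + length > self.length:
            raise CapabilityFault("derived capability would exceed parent bounds")
        if not perms <= self.perms:
            raise CapabilityFault("derived capability would gain permissions")
        return Capability(self.mem, self.base + start, length, perms)


def faults(action) -> bool:
    """True if calling action() raises a CapabilityFault."""
    try:
        action()
    except CapabilityFault:
        return True
    return False


def copy_through(cap: Capability, data: bytes) -> int:
    """A strcpy-style byte loop through a capability; returns bytes written before any fault."""
    written = 0
    try:
        for i, b in enumerate(data):
            cap.at(i).store(bytes([b]))
            written += 1
    except CapabilityFault:
        pass
    return written


def overflow_demo() -> tuple:
    """16-byte buffer followed by a 'saved return address'; attempt a 24-byte write."""
    mem = Memory(64)
    root = Capability(mem, 0, 64, {"load", "store"})
    saved_ret = b"\xde\xad\xbe\xef\x00\x00\x00\x00"
    root.derive(32, 8).store(saved_ret)            # what a stack smash would overwrite
    buf = root.derive(16, 16)                      # the vulnerable buffer, bounded to 16 bytes
    written = copy_through(buf, b"A" * 24)
    intact = root.derive(32, 8, {"load"}).load(8) == saved_ret
    return written, intact                          # (16, True): the overflow is trapped


if __name__ == "__main__":
    print(overflow_demo())
```

With a raw pointer the 24-byte copy would silently run into the saved return address; through the capability the 17th store faults and the adjacent memory is untouched, which is the property the hardware enforces without any cooperation from the (possibly compromised) program.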

Sony Internal Network Hacked


Rooting for the Kids | LAS 340 https://original.jupiterbroadcasting.net/72112/rooting-for-the-kids-las-340/ Sun, 23 Nov 2014 17:51:07 +0000 https://original.jupiterbroadcasting.net/?p=72112 Charlie Reisinger the pioneer of an extremely forward looking program to give every student a Linux laptop joins us. Find out how they integrate the students into the IT program, why they give their students root access & much more. It’s a truly inspiring story of how Linux can make a difference in education.

The post Rooting for the Kids | LAS 340 first appeared on Jupiter Broadcasting.


Plus the Jolla tablet is real, and boy is it funded! Ubuntu Phone rumors get white hot, our picks of the week…


Thanks to: DigitalOcean, Ting


— Show Notes: —

Charlie Reisinger



Our Runs Linux from HDR Photography on Linux | LAS s30e06 | January 19, 2014

  • Many large commercial software vendors are transitioning to a subscription model. Does this create even greater lock-in for schools?

  • One-to-one programs are very expensive, and the argument I’ve always heard is: must use Windows, must use Office, have to get the kids ready for the “real world” that uses those tools. Is there a sound argument to that “concern”?

  • Linux and open source give students the ability to go very deep into how the computer works, if they are motivated and want to embrace their inquisitive nature. How far down the rabbit hole are your young Linux users permitted to go? How much can they explore?

  • Can you tell us how the Fast Linux Deployment Toolkit was created, and what it does?

  • What are some of the most useful open source software and tools you, or the students use?

  • What is the biggest road block others should expect?

Charlie Reisinger of Penn Manor gives talk at All Things Open 2014 | Opensource.com

Charlie Reisinger from the Penn Manor School District talked to us next about open source at his school. This talk was an expanded version of his lightning talk from the previous night.

Penn Manor has nine IT team members which is a very lean staff for 4500 devices. They also do a lot of their technology in house. But, before we talk about open source, Charlie took a tangent into the nature of education today. He says that school districts are so stuck on the model they’re using and have used for centuries, but today kids can learn anything they would like with a simple connection to the Internet. You can be connected to the most brilliant minds that you’d like, so teachers are no longer the fountains of all knowledge. A glaring gap in this evolution is that the classroom hasn’t been transformed by technology; if you walked into a classroom 60 years ago, it would look pretty much like a classroom today.

Enabling students in a digital age: Charlie Reisinger at TEDxLancaster – YouTube

Charlie Reisinger, an innovative IT Director for Penn Manor school district in Lancaster County, shows how to provide affordable, new digital technologies to high school students. The answer is not only a cost-effective way to improve the quality of education, it is opening students’ minds.

1:1 Laptop Program | PM Technology Blog

During the 2012-2013 school year, a committee comprised of faculty, administrators and a school board liaison worked to evaluate the viability of a district 1:1 computing program. After several months of internal discussion and public board presentations, a recommendation to proceed with a 1:1 laptop program at Penn Manor High School was unanimously approved at the April 1, 2013 school board meeting. The recommendation called for the program to commence with a pilot during the Fall of 2013. The full building implementation began in January 2014. At that time, each full-time high school student was provided with a personal laptop computer for use throughout the school day and at home.

Parents: We encourage you to read the Frequently Asked Questions (FAQ) document: 1to1ParentFAQ.pdf.

Penn Manor School District · GitHub


— PICKS —

Runs Linux

Jaguar Cars and System Architects, Run Linux

Desktop App Pick

MOC – music on console

MOC (music on console) is a console audio player for LINUX/UNIX designed to be powerful and easy to use.

You just need to select a file from some directory using the menu similar to Midnight Commander, and MOC will start playing all files in this directory beginning from the chosen file. There is no need to create playlists as in other players.


Weekly Spotlight

Corebird

Native Gtk+ Twitter client for the Linux desktop

Corebird is a modern, easy and fun Twitter client, just what you were looking for, right?


— NEWS —

Jolla Tablet

Be a part of making the world’s first truly crowdsourced tablet, powered by Sailfish OS 2.0.

Mozilla ends Google relationship, Firefox will now default to Yahoo in the US

Mozilla and Yahoo have signed a five-year deal. As part of the deal, Yahoo is going to start honoring the Do Not Track feature when used by Firefox users to limit Yahoo’s ability to track user activity across the Web through advertisements. Yahoo is also going to roll out a new search interface for American Firefox users, starting in December.

Crowdfunding project promises a “laptop that respects essential freedoms”

Based on the Intel i7-4712MQ processor, the 15.6-inch Librem 15’s base configuration will come with an Nvidia GT840M, 4GB of RAM, a 500 gigabyte hard drive, and an actual CD/DVD drive. The Librem will have three USB 3.0 ports, an HDMI port, an SDXC card slot, and a “pop-down” RJ-45 Ethernet port, in addition to an Atheros-based 802.11n Wi-Fi adapter, a 720p built-in camera, HD audio, and a backlit keyboard.

Ubuntu Phone Partner ‘Bq’ Holding Mystery Press Event Next Week

BQ Readers, one of two companies who plan to ship mobile handsets powered by Ubuntu for Phones, is holding a mystery media event next week, November 25, 2014, to announce three new products.


Project Zero Goes To War | TechSNAP 177 https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/ Thu, 28 Aug 2014 19:01:59 +0000 https://original.jupiterbroadcasting.net/?p=65572 Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, we get real about virtualization. And then it’s a great batch of your questions, our answers & much more!

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.


Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP are good indicators of future compromise
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (an outdated WordPress is a good hacking target)
  • It also compares sites to ones that have already been compromised. If a site is very similar to another site that was compromised, there is an increased probability that it will be compromised too
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
  • Research PDF from USENIX
  • There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known
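As an added example (constructed for these notes, not the CMU tool or its data), here is a Python feature extractor that pulls the markers the bullets above mention from a page and its response headers: the generator meta tag and its version, Server and X-Powered-By version disclosure, script and iframe counts and the number of third-party hosts, and turns them into the kind of binary flags a classifier like the one described would train on. The WordPress 3.2.1/3.3.1 values come from the study as summarised above; the ‘current’ version floor and the sample page and headers are this example’s assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two generator values the study found to be the single most common marker.
FLAGGED_GENERATORS = {("wordpress", "3.2.1"), ("wordpress", "3.3.1")}
# Treating anything below this release as outdated is this example's assumption.
CMS_FLOOR = {"wordpress": (3, 9)}


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in re.findall(r"\d+", version))


class _PageWalker(HTMLParser):
    """Collect the handful of markup features the text says the classifier looks at."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.generator = None
        self.scripts = 0
        self.iframes = 0
        self.external_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "script":
            self.scripts += 1
        elif tag == "iframe":
            self.iframes += 1
        host = urlparse(a.get("src", "")).hostname
        if host and host != self.page_host:
            self.external_hosts.add(host)


def extract_features(html: str, headers: dict, page_host: str) -> dict:
    """Raw features from one fetched page plus its HTTP response headers."""
    walker = _PageWalker(page_host)
    walker.feed(html)
    generator = None
    if walker.generator:
        m = re.match(r"\s*([A-Za-z][\w-]*)\s+v?([\d.]+)", walker.generator)
        if m:
            generator = (m.group(1).lower(), m.group(2))
    hdr = {k.lower(): v for k, v in headers.items()}
    return {
        "generator": generator,
        "server": hdr.get("server"),
        "powered_by": hdr.get("x-powered-by"),
        "scripts": walker.scripts,
        "iframes": walker.iframes,
        "external_hosts": sorted(walker.external_hosts),
    }


def risk_flags(features: dict) -> list:
    """Turn raw features into the binary indicators a classifier would consume."""
    flags = []
    gen = features["generator"]
    if gen in FLAGGED_GENERATORS:
        flags.append("flagged-generator")
    if gen and gen[0] in CMS_FLOOR and version_tuple(gen[1]) < CMS_FLOOR[gen[0]]:
        flags.append("outdated-cms")
    if features["server"] and re.search(r"/\d", features["server"]):
        flags.append("server-version-disclosed")
    if features["powered_by"]:
        flags.append("php-version-disclosed")   # e.g. X-Powered-By: PHP/5.3.10
    if features["iframes"]:
        flags.append("iframe-present")
    if len(features["external_hosts"]) >= 3:
        flags.append("many-external-hosts")
    return flags


# Constructed sample page and response headers (not from the study's data set).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.3.1" />
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<iframe src="http://ads.example.org/frame.html" width="1" height="1"></iframe>
<img src="/logo.png"></body></html>"""
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}

if __name__ == "__main__":
    feats = extract_features(SAMPLE_HTML, SAMPLE_HEADERS, "blog.example.com")
    print(feats)
    print(risk_flags(feats))
```

The same extractor run over Wayback Machine snapshots of a site at several dates gives the time series the study used; on live sites the flags double as a quick hygiene check, since a generator tag advertising an old CMS version is information an attacker’s scanner reads just as easily.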

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago, Google’s Project Zero reported a bug in glibc; there was much skepticism about whether it was exploitable, so it was not fixed
  • This week, however, the Google researchers produced a working exploit for the bug, including an ASLR bypass on 32-bit systems
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora, where developing the exploit was easier
  • The blog also discusses a workaround for another issue they ran into. Once they had exploited the setuid binary, they found that system(“/bin/bash”) started the shell with their original privileges rather than as root: bash drops an elevated effective UID back to the real UID when the two differ. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh, which calls setuid(0) and then executes a real shell as root.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed along with the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked list hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sale terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the PoS (Point-of-Sale terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected“
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor. “
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.

Big Brother’s Malware | TechSNAP 169 https://original.jupiterbroadcasting.net/61502/big-brothers-malware-techsnap-169/ Thu, 03 Jul 2014 12:08:05 +0000 https://original.jupiterbroadcasting.net/?p=61502


It’s great to be a malware author, if you’re selling to the government. Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!


— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

  • Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
  • The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
  • “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
  • Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
  • The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
  • The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
  • After modifying that flag, it was found that the client could login, and transfer funds
  • The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
  • Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
  • “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
  • It is not clear how large the bug bounty on this vulnerability will be
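The client-versus-server enforcement difference described above, as an added example that is not PayPal’s or Duo Security’s code: the two toy servers, the account, its password and its one-time code are all constructed for the example, and the session and API shapes are assumptions.

```python
"""Added example (not PayPal's or Duo's code): a two-factor check enforced
only by the client versus one enforced by the server.  Both services are
in-memory stand-ins; the account, password and one-time code are constructed."""
import copy
import hmac
import secrets

# Constructed test account: 2FA is enabled, so the OTP must be presented.
ACCOUNTS = {
    "alice": {"password": "hunter2", "two_factor": True,
              "otp": "493827", "balance": 100},
}


def _password_ok(acct, password):
    return acct is not None and hmac.compare_digest(acct["password"], password)


class ClientEnforcedServer:
    """Issues a fully usable session at password login and merely tells the
    client that a second factor is required; it trusts the app to honour
    the flag (the design the proof-of-concept app defeated)."""

    def __init__(self):
        self.accounts = copy.deepcopy(ACCOUNTS)
        self.sessions = {}                      # session_id -> user

    def login(self, user, password):
        acct = self.accounts.get(user)
        if not _password_ok(acct, password):
            return {"error": "bad credentials"}
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return {"session_id": sid, "two_factor_required": acct["two_factor"]}

    def transfer(self, sid, amount):
        user = self.sessions.get(sid)
        if user is None:
            return {"error": "no session"}
        self.accounts[user]["balance"] -= amount   # no second-factor check
        return {"ok": True}


class ServerEnforcedServer:
    """Issues a session that stays 'pending' until the one-time code is
    verified; sensitive calls check that state on the server side."""

    def __init__(self):
        self.accounts = copy.deepcopy(ACCOUNTS)
        self.sessions = {}                      # session_id -> state

    def login(self, user, password):
        acct = self.accounts.get(user)
        if not _password_ok(acct, password):
            return {"error": "bad credentials"}
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "verified": not acct["two_factor"]}
        return {"session_id": sid, "two_factor_required": acct["two_factor"]}

    def verify_otp(self, sid, code):
        sess = self.sessions.get(sid)
        if sess is None:
            return {"error": "no session"}
        if not hmac.compare_digest(self.accounts[sess["user"]]["otp"], code):
            return {"error": "bad code"}
        sess["verified"] = True
        return {"ok": True}

    def transfer(self, sid, amount):
        sess = self.sessions.get(sid)
        if sess is None or not sess["verified"]:
            return {"error": "second factor not completed"}
        self.accounts[sess["user"]]["balance"] -= amount
        return {"ok": True}


def rogue_client(server, user, password, amount):
    """A client that, like the proof-of-concept app, ignores
    two_factor_required and goes straight to the money-moving API call."""
    resp = server.login(user, password)
    if "session_id" not in resp:
        return resp
    return server.transfer(resp["session_id"], amount)


if __name__ == "__main__":
    print("client-enforced:", rogue_client(ClientEnforcedServer(), "alice", "hunter2", 10))
    print("server-enforced:", rogue_client(ServerEnforcedServer(), "alice", "hunter2", 10))
```

The flag in the login response is identical in both designs; only the server-side session state decides whether ignoring it buys the caller anything.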

“Hacking Team”

  • “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
  • They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
  • The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
  • The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
  • In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
  • The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
  • It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
  • “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
  • The malware produced by Hacking Team has evolved to include modern malware for mobile phones
  • Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
  • On a jailbroken iOS device, the malware has the following features:
    • Control of Wi-Fi, GPS, GPRS
    • Recording voice
    • E-mail, SMS, MMS
    • Listing files
    • Cookies
    • Visited URLs and cached web pages
    • Address book and call history
    • Notes and calendar
    • Clipboard
    • List of apps
    • SIM change
    • Live microphone
    • Camera shots
    • Support chats, WhatsApp, Skype, Viber
    • Log keystrokes from all apps and screens via libinjection
  • The Android version is heavily obfuscated, but it appears to target these specific applications:
    • com.tencent.mm
    • com.google.android.gm
    • android.calendar
    • com.facebook
    • jp.naver.line.android
    • com.google.android.talk
  • The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, which merely requires that LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
  • Additional Coverage – ThreatPost
  • Additional Coverage – SecureList
  • Additional Coverage – SecureList – Original article on HackingTeam from April 2013

Facebook Manipulates YOU! | Tech Talk Today 17 https://original.jupiterbroadcasting.net/61087/facebook-manipulates-you-tech-talk-today-17/ Mon, 30 Jun 2014 09:42:07 +0000 https://original.jupiterbroadcasting.net/?p=61087


Facebook admits to manipulating users’ emotions for research, the first review of the privacy-protecting Blackphone hits the web and how you can create your own secure phone today.

Plus a quick review of The Internet’s Own Boy: The Story of Aaron Swartz and more!


Show Notes:

— Headlines —

Facebook Manipulated 689,003 Users’ Emotions For Science – Forbes

A recent study shows Facebook playing a whole new level of mind gamery with its guinea pig users. As first noted by The New Scientist and Animal New York, Facebook’s data scientists manipulated the News Feeds of 689,003 users, removing either all of the positive posts or all of the negative posts to see how it affected their moods. If there was a week in January 2012 where you were only seeing photos of dead dogs or incredibly cute babies, you may have been part of the study.

The researchers, led by data scientist Adam Kramer, found that emotions were contagious. “When positive expressions were reduced, people produced fewer positive posts and more negative posts; when negative expressions were reduced, the opposite pattern occurred,”

“These results indicate that emotions expressed by others on Facebook influence our own emotions, constituting experimental evidence for massive-scale contagion via social networks.”

The experiment ran for a week — January 11–18, 2012 — during which the hundreds of thousands of Facebook users unknowingly participating may have felt either happier or more depressed than usual, as they saw either more of their friends posting ’15 Photos That Restore Our Faith In Humanity’ articles or despondent status updates about losing jobs, getting screwed over by X airline, and already failing to live up to New Year’s resolutions. “Probably nobody was driven to suicide,” tweeted one professor linking to the study, adding a “#jokingnotjoking” hashtag.

In its initial response to the controversy around the study — a statement sent to me late Saturday night — Facebook doesn’t seem to really get what people are upset about, focusing on privacy and data use rather than the ethics of emotional manipulation and whether Facebook’s TOS lives up to the definition of “informed consent” usually required for academic studies like this.

“This research was conducted for a single week in 2012 and none of the data used was associated with a specific person’s Facebook account,” says a Facebook spokesperson. “We do research to improve our services and to make the content people see on Facebook as relevant and engaging as possible.

Serious Android crypto key theft vulnerability affects 10% of devices

The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers.

By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets.

There are several technical hurdles an attacker must overcome to successfully exploit the vulnerability. Android is fortified with modern software protections, including data execution prevention and address space layout randomization, both of which are intended to make it much harder for hackers to execute code when they identify security bugs.

Exclusive: A review of the Blackphone, the Android for the paranoid

The Blackphone is the first consumer-grade smartphone to be built explicitly for privacy. It pulls together a collection of services and software that are intended to make covering your digital assets simple—or at least more straightforward. The product of SGP Technologies, a joint venture between the cryptographic service Silent Circle and the specialty mobile hardware manufacturer Geeksphone, the Blackphone starts shipping to customers who preordered it sometime this week. It will become available for immediate purchase online shortly afterward.

  • A two-year subscription to Silent Circle’s secure voice and video calling and text messaging services, plus three one-year “Friend and Family” Silent Circle subscriptions that allow others to install the service on their existing smartphones;
  • Two years of 1GB-per-month Disconnect virtual private network service, plus Disconnect’s anonymizing search as part of the phone’s web browser;
  • Two years of SpiderOak cloud file storage and sharing, with a limit of five gigabytes a month.

PrivatOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.

The good
  • Excellent Security Center feature of PrivatOS does what stock Android should do, giving you fine control over app permissions.
  • Bundled Silent Voice and Silent Text services anonymize and encrypt communications so no one can eavesdrop on voice, video, and text calls at all.
  • Bundled Kismet Smart Wi-Fi Manager keeps phone from connecting to unfriendly networks.
  • Disconnect VPN and Search keep web trackers away from your phone, anonymize your searches and Internet traffic.
The bad
  • The phone’s performance, while acceptable, is mediocre (even though it isn’t the phone’s selling point).
  • Silent Phone calling ran into trouble when network switched between calls, and the user interface may baffle some users.
The ugly
  • A custom OS means no Google Play library or any of the other benefits of the Google ecosystem, spotty support for sideloaded apps, and reliance on Amazon or other third-party app stores. Such is the price of privacy.

The first units of the $629 handset to ship are for European LTE users, and U.S. units will follow. In both cases, preorder production runs come first, then units for those who have not already ordered the device.

M66B/XPrivacy

XPrivacy – The ultimate, yet easy to use, privacy manager

https://www.xprivacy.eu/

Xposed Installer | Xposed Module Repository

Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That’s great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It’s also easy to undo. As all changes are done in memory, you just need to deactivate the module and reboot to get your original system back. There are many other advantages, but here is just one more: multiple modules can make changes to the same part of the system or app. With modified APKs, you have to decide on one. There is no way to combine them, unless the author builds multiple APKs with different combinations.

Smarter Wi-Fi Manager – Android Apps on Google Play

Smarter Wi-Fi Manager improves the security and privacy of your device by only enabling Wi-Fi in locations where you actually use it. Instead of letting your device advertise the name of your home network, or try to connect to anyone who has left an access point set to the default name just because you once used a friend’s network who didn’t configure it, Smarter Wi-Fi Manager will turn it off when you’re not near somewhere you’ve used Wi-Fi before.

The Internet’s Own Boy: The Story of Aaron Swartz

The Internet’s Own Boy depicts the life of American computer programmer, writer, political organizer and Internet activist Aaron Swartz. It features interviews with his family and friends as well as the internet luminaries who worked with him. The film tells his story up to his eventual suicide after a legal battle, and explores the questions of access to information and civil liberties that drove his work.

Nest Root Attack | Tech Talk Today 14 https://original.jupiterbroadcasting.net/60602/nest-root-attack-tech-talk-today-14/ Tue, 24 Jun 2014 09:19:18 +0000 https://original.jupiterbroadcasting.net/?p=60602


Google announces their own domain name management service, the Internet of things has arrived, and it’s already been hacked. We’ll chat about the Nest thermostats rooting, Google buying Dropcam and more.


Show Notes:

— Headlines —

Google Begins Testing Domain Registrations

When Google Domains launches to the public, you’ll be able to buy and sell domains through the service. Unlike some other domain registration offerings, Google won’t charge you extra to register your domain privately. You’ll be able to create up to 100 email addresses on the domain and as many as 100 customized sub-domains. Google Domains will also use the company’s own DNS servers, so visitors should get a snappy response time when they hit up your site.

GTV Hacker » Google Nest: Exploiting DFU For Root

Today, popular Google TV hacking site GTV Hacker announces it has hacked the device to enable the booting of unsigned code. If you own a Nest, hackers could have a backdoor into your home.

The root is obtained by leveraging the device’s DFU mode to boot unsigned code at the boot-loader level.

The attack on the Nest thermostat is simple: we use the device’s recovery mode to run our own modified boot-loader (stage one and two). We then use our loaded boot-loaders to initiate a Linux kernel that is used to modify the file system on the Nest. We then add an SSH server running as root as well as functionality to create a reverse SSH tunnel to a specified host using the Nest’s virtual drive.

They found this “feature” back in November 2013, and mentioned it publicly on December 5th, 2013 (see this tweet). Initially, they planned on releasing their findings at a conference this summer (along with new root methods for the Chromecast and Roku), but their talk was declined. The conference’s loss!

They will, however, be speaking this year at DEF CON 22! Their talk, entitled Hack All The Things: 20 Devices in 45 Minutes, will feature unreleased exploits for 20 devices being released in a 45 minute period. If you are in Las Vegas this August, make sure to stop in!

If you are a Nest user, I probably wouldn’t panic yet. It seems the hacker would need physical access to the device, which limits the risk. However, a devious person could exploit it while in your home and then control it remotely later. Hopefully Google can release an update to make the thermostat more secure and block the exploit.

Nest Labs Joins Race to Define Platform for the Internet of Things

Last Friday, Nest moved to broaden its reach in the home, buying a fast-growing maker of Internet-connected video cameras, DropCam, for $555 million. And on Tuesday, Nest is expected to announce a software strategy backed by manufacturing partners and a venture fund from Google Ventures and Kleiner Perkins Caufield & Byers.

Whirlpool and Nest, Mr. Dibkey said, have worked together for more than a year to develop a few applications. One allows a Whirlpool clothes dryer and a Nest thermostat to work together to conserve energy and save money. The thermostat detects a local utility’s peak load times, when electricity is most expensive. It sends a signal to the dryer to run on a cooler, slower drying cycle at those times.

In a Jawbone application, the company’s activity-monitoring wristband detects when a person gets up on a winter morning. It then sends a message to the Nest thermostat, telling it to heat up the house.

Nest’s Internet of Things strategy will be backed by the Thoughtful Things Fund, a venture capital fund created by Google Ventures and Kleiner Perkins.

Google I/O 2014

How to Watch Google I/O 2014 Keynote Livestream

Google I/O 2014 runs from June 25 to 26. If you are interested in watching the Google I/O 2014 keynote as a livestream, you have a couple of options.

Docker Shocker | TechSNAP 167 https://original.jupiterbroadcasting.net/60337/docker-shocker-techsnap-167/ Thu, 19 Jun 2014 18:24:07 +0000 https://original.jupiterbroadcasting.net/?p=60337


An exploit that leaves Docker containers leaky, who really owns your email account and one hash algorithm to rule them all.

Then it’s a great batch of your questions and much, much more!


— Show Notes: —

Docker Linux containers spring a security leak

  • A security exploit has surfaced that can allow rogue programs to break out of Docker containers and access files on their host OS.
  • The flaw has been solved in the latest version of the tech.
  • The flaw “Demonstrates that any given Docker image someone is asking you to run in your Docker setup can access ANY file on your host, e.g. dumping host’s /etc/shadow or other sensitive info, compromising security of the host and any other docker container is on”
  • “The proof of concept exploit relies on a kernel capability that allows a process to open any file in the host based on its inode. On most systems, the inode of the / (root) filesystem is 2. With this information and the kernel capability it is possible to walk the host’s filesystem tree until you find the object you wish to open and then extract sensitive information like passwords,” Docker explained in a blog post published after the flaw came out.
  • “In earlier Docker Engine releases (pre-Docker Engine 0.12) we dropped a specific list of kernel capabilities (a list which did not include this capability), and all other kernel capabilities were available to Docker containers. In Docker Engine 0.12 (and continuing in Docker Engine 1.0) we drop all kernel capabilities by default. Essentially, this changes our use of kernel capabilities from a blacklist to a whitelist.”
  • “Please remember, however, that at this time we don’t claim that Docker Engine out-of-the-box is suitable for containing untrusted programs with root privileges,”
  • Proof of Concept exploit prints /etc/shadow from the host from within Docker
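An added audit check, not Docker’s own code, for the capability behind the proof of concept: opening a host file by handle/inode (open_by_handle_at) requires CAP_DAC_READ_SEARCH, so a container whose effective capability set still holds it has not benefited from the default-drop behaviour described above. The /proc status fragments and the two CapEff masks are constructed samples; the list of "risky" capabilities is the example’s own judgement.

```python
"""Added audit check, not Docker's own code: read a process's effective
capability set from /proc/<pid>/status and flag CAP_DAC_READ_SEARCH, the
capability open_by_handle_at() needs to open a host file by handle
(the kernel capability the shocker proof of concept relied on)."""

# Capability bit numbers from linux/capability.h (a named subset).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
    31: "CAP_SETFCAP",
}
CAP_DAC_READ_SEARCH = 2

# Capabilities a container running untrusted code should not keep; this
# list is the example's own judgement, not a Docker setting.
RISKY = {"CAP_DAC_READ_SEARCH", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
         "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask):
    """Map a capability bitmask to the set of capability names it holds."""
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64)
            if (mask >> bit) & 1}


def audit(status_text):
    """Return (can_open_by_handle, sorted risky capabilities) for a process."""
    mask = parse_cap_eff(status_text)
    leaky = bool((mask >> CAP_DAC_READ_SEARCH) & 1)
    return leaky, sorted(decode_caps(mask) & RISKY)


def audit_pid(pid="self"):
    """Audit a live process by pid (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return audit(fh.read())


# Constructed /proc status fragments: a root process holding every capability,
# and a default-drop style set in which CAP_DAC_READ_SEARCH (bit 2) is absent.
STATUS_ALL_CAPS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\n"
STATUS_DROPPED = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    for label, text in (("all caps", STATUS_ALL_CAPS), ("dropped", STATUS_DROPPED)):
        leaky, risky = audit(text)
        print(f"{label}: open-by-handle possible={leaky} risky={risky}")
```

Run audit_pid() inside a container (or against a container's PID from the host) to see which of the two cases it resembles.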

Generalized Secure Hashing Algorithm

  • Ted Unangst (one of the lead developers of LibreSSL, as well as OpenBSDs secure signing infrastructure and many other things) posted a thought experiment to his blog
  • How would you design an uncrackable password hashing algorithm?
  • Ted’s idea: create a very large number of unique hashing algorithms, or rather, a generalized hashing algorithm that takes a ‘tweaking’ parameter that changes how the hash is generated
  • “Consider a hash function GSHA512, very similar to SHA512, but with slight variations on each of its constants. You could use GSHA512 #42, or GSHA512 #98765, or even GSHA512 #658743092112345678890 if there were enough variants available. 2^512 variants should be enough for anyone.”
  • Now, instead of having to spend a few million on specialized SHA512 cracking hardware, an attacker (the NSA) would have to build 2^512 different specialized cracking chips
  • The results?
  • “Safe to say we’ve defeated custom silicon. Nobody has a fab that can trace out millions of distinct custom circuits per second.”
  • “FPGA is finished too. Assuming you don’t melt it trying, you can’t reprogram an FPGA fast enough.”
  • “GPUs are harder. Without having tried it, my gut tells me you won’t be able to copy out the GSHA code to the GPU fast enough to make it worthwhile.”
    • “An attacker with lots of CPUs can still crack our password, but CPUs are very expensive. What if somebody could fab their own very cheap, very limited CPUs? Like a 100000 core CPU with only just enough cache to implement GSHA? Now we may be in trouble. The transistor count for GSHA is quite low, but they need to be the special high speed general purpose kind of transistor circuit. The scrypt paper notes that a CPU could be cheaper than RAM if stripped of all its extra functionality, but in practice it’s hard to calculate all the tradeoffs.”
    • “This part isn’t very practical. The idea is that a cracker would look less like a SHA512 cracker, capable only of performing one hash, and more like a typical CPU, capable of performing many hashes. Requiring the attacker to be adaptable in this way brings their costs in line with our costs. Maybe. Waves hands.”
  • Of course, to defeat custom CPUs, one could just use GSHA512 as the core of something like scrypt, which tries to defeat custom hardware by requiring a lot of memory instead
  • Example Implementation
  • “Don’t use these functions for anything but password hashing. (Don’t use them at all is even sounder advice.)”
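A toy GSHA512 as an added example in the spirit of Ted’s post, not his implementation: the round constants and IV are regenerated from the primes exactly as SHA-512 defines them and then perturbed by a 512-bit tweak (how the tweak is mixed into the constants is this example’s own assumption), so variant #0 is plain SHA-512 and the core can be checked against hashlib.

```python
"""Added example in the spirit of Ted's post, not his implementation: a
'generalized SHA-512' whose 80 round constants and 8 IV words are derived
from a tweak.  How the tweak is mixed in is this example's own assumption;
tweak 0 is plain SHA-512, so the core can be checked against hashlib."""
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def _primes(count):
    """First `count` primes by trial division (80 are needed)."""
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found if p * p <= n):
            found.append(n)
        n += 1
    return found


def _icbrt(n):
    """Floor integer cube root: Newton iteration from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# SHA-512's K[t] is the first 64 fractional bits of cbrt(prime_t), its IV the
# same for sqrt(prime_i); scaling by 2**192 / 2**128 before taking the integer
# root produces exactly those bits without any floating point.
PRIMES = _primes(80)
SHA512_K = [_icbrt(p << 192) & MASK64 for p in PRIMES]
SHA512_IV = [math.isqrt(p << 128) & MASK64 for p in PRIMES[:8]]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64


def variant_constants(tweak):
    """Constants for GSHA512 #tweak (0 <= tweak < 2**512): every round
    constant and IV word is XORed with a rotated 64-bit slice of the tweak,
    so tweak 0 leaves SHA-512 untouched (this example's mixing scheme)."""
    if not 0 <= tweak < (1 << 512):
        raise ValueError("tweak must fit in 512 bits")
    slices = [(tweak >> (64 * i)) & MASK64 for i in range(8)]
    k = [c ^ _rotl(slices[t % 8], (7 * t) % 64) for t, c in enumerate(SHA512_K)]
    iv = [h ^ _rotl(slices[i], (3 * i) % 64) for i, h in enumerate(SHA512_IV)]
    return k, iv


def gsha512(message, tweak=0):
    """Digest `message` (bytes) with GSHA512 variant #tweak."""
    k, h = variant_constants(tweak)
    # Padding: 0x80, zeros to 112 mod 128, then the 128-bit big-endian bit length.
    buf = bytearray(message) + b"\x80"
    buf += b"\x00" * ((112 - len(buf)) % 128)
    buf += (len(message) * 8).to_bytes(16, "big")
    for off in range(0, len(buf), 128):
        w = list(struct.unpack(">16Q", buf[off:off + 128]))
        for t in range(16, 80):   # message schedule
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):       # compression rounds
            t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
                  + ((e & f) ^ (~e & g)) + k[t] + w[t]) & MASK64
            t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
            hh, g, f, e = g, f, e, (d + t1) & MASK64
            d, c, b, a = c, b, a, (t1 + t2) & MASK64
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8Q", *h)


def matches_stdlib(message):
    """Variant 0 must agree with hashlib's SHA-512."""
    return gsha512(message, 0) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    print("variant 0 == SHA-512:", matches_stdlib(pw))
    for tweak in (42, 98765):
        print(f"GSHA512 #{tweak}:", gsha512(pw, tweak).hex()[:32], "...")
```

Variants 42 and 98765 share only the algorithm’s structure with variant 0, which is the property the post leans on to make a fixed-function SHA-512 cracker useless against them.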

Who owns your email account?

  • A user had their Yahoo email account terminated by Yahoo for violation of its terms of service
  • The violation was apparently for flaming another user in the comments thread under Yahoo news articles
  • Since the email address is part of the overall ‘Yahoo Account’, it was terminated
  • Eric Goldman, law professor at Santa Clara University, says: “A cloud service can lock off your assets,” he adds. “They may still be your assets from a matter of legal ownership, but if you have no access to them, who cares?” (Possession is 9/10ths of the law?)
  • Microsoft and Google have similar terms, although Google adds: “If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service”
  • This is why it is probably best to always use your own domain, so that you own the address
  • Even if you use Gmail or some other service to actually host the mail, if your Gmail account gets terminated you can move your hosting elsewhere and, most importantly, your email address does not change
  • There is also the option to host your own email, with a hosting account, VPS or dedicated server
  • In these cases, especially when you do not have multiple servers to provide backup MX, I recommend a service such as: DNSMadeEasy Backup Email Service

Ops vs Dev | CR 84 https://original.jupiterbroadcasting.net/49437/ops-vs-dev-cr-84/ Mon, 13 Jan 2014 11:54:29 +0000 https://original.jupiterbroadcasting.net/?p=49437


The classic battle flares up this week, and the guys discuss how an over-controlling sysadmin can slow down an important project, and why that problem seems to be so much worse in business.

Plus the market is still hot for Java, but don’t discount Python or C#, making a big career change, and the standard for replacing your own in-house tools.


— Show Notes: —

Teskeing the Possibilities | BSD Now 4 https://original.jupiterbroadcasting.net/43747/teskeing-the-possibilities-bsd-now-4/ Thu, 26 Sep 2013 13:42:35 +0000 https://original.jupiterbroadcasting.net/?p=43747


We talk to Devin Teske about his work with bsdinstall, bsdconfig and all the other interesting things he’s been up to lately.

This week we’re at EuroBSDCon, so we’ve just got an interview for you today. BSD Now will be back next week with a normal episode and lots of stories from the conference. We’ll also try to get some more interviews there.


– Show Notes: –

Interview – Devin Teske – dteske@freebsd.org / @devinteske

bsdconfig, bsdinstall, sysrc and fdpv

Sr. FreeBSD Architect and Systems Integration Specialist at FISGlobal

  • Q: Could you tell us a little bit about yourself and how you got involved with FreeBSD?
  • Q: What tools in base did you have a hand in creating?
  • Q: What are you working on for bsdinstall?
  • Q: A question many want to know: when will we have a zfs-on-root option in the default installer? Or full disk encryption?
  • Q: Tell us about your new tools: bsdconfig, sysrc and fdpv
  • Q: Any chance of seeing the boot menu’s 4th code being replaced with something else?
  • Q: Are there any secret projects you have been working on lately?
  • Q: What is DruidBSD?

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

HP’s Backdoor | TechSNAP 116 https://original.jupiterbroadcasting.net/39602/hps-backdoor-techsnap-116/ Thu, 27 Jun 2013 19:36:49 +0000 https://original.jupiterbroadcasting.net/?p=39602


Opera’s code signing certificate gets compromised, resulting in malware getting pushed out via their automatic update system.

Plus the backdoor that ships in some high-end HP products, your questions, and much much more.

On this week’s TechSNAP!


Opera code signing certificate compromised

  • On June 19th Opera uncovered, halted and contained a targeted attack on their internal network infrastructure.
  • There is no evidence of any user data being compromised.
  • The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.
  • This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.
  • It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

How much is your gmail account worth?

  • The University of Illinois at Chicago has developed ‘CloudSweeper’
  • Connects to your Gmail account via OAuth and scans all of your email
  • Finds which accounts you have connected to your gmail
  • If an attacker were to compromise your gmail account, they could reset the passwords for and gain control over all of these accounts
  • The service uses an index of the value of these accounts from various underground forums
  • Tells you how much your gmail account would be worth to an attacker
  • Finds services such as: Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo
  • Optionally, it can also scan your email for plain text passwords in emails
  • If found, CloudSweeper can connect to Gmail via IMAP and edit these emails, either removing the password entirely (redacting) or encrypting it (replacing it with an encrypted string). It then provides you with a decryption key (a long string of text, or a QR code for simplicity)
  • If you ever need to decrypt the password, you return to CloudSweeper and scan the QR code
  • Krebs on Naming and Shaming Plain Text Passwords
  • PlainTextOffenders.com
  • PasswordFail.com – Browser extension to warn you before you sign up

$80,000 HP Backup device contains undocumented support user with fixed password

  • HP announced that their D2D/StoreOnce deduplication backup products contained a flaw
  • It seems there is an undocumented support user, named ‘HPSupport’, with a fixed 7-character password
  • That means that if a person were to brute-force that password, they would have SSH access to every StoreOnce device deployed around the world
  • It just so happens that this is what someone has done, and they have even been helpful enough to publish the SHA1 hash of the password, so with a little effort everyone else can brute-force the password too
  • HP will release a patch to disable this account on July 7th
  • “In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”
  • Full Disclosure researcher
  • HP Said: “HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix.”

  • In December 2010, a similar problem was exposed with some HP NAS devices

Feedback

Round Up:
