Schneier – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Feed last updated: Wed, 13 Sep 2017 05:17:30 +0000

Extended Usefulness | TechSNAP 335
https://original.jupiterbroadcasting.net/118036/extended-usefulness-techsnap-335/
Tue, 05 Sep 2017 21:01:28 +0000
RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Extended File Attributes – What?

  • Extended File Attributes Rock! – article from 2011

  • Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times). from Wikipedia

  • Different namespaces (or attribute spaces if you will), often system and user. You can use the user namespace as non-root.

  • Use them for your own purposes, e.g. backup tags or reminders.

  • If you rely upon them, make sure your archive and restore tools support them – test, test, test.

  • Most Linux and BSD modern file systems have had this capability for years. So does Mac OS X. Apart from minor interface differences, the feature works identically on all three systems.

  • We mention this mostly to prompt ideas, perhaps you’ve been trying to solve a problem and suddenly this information will show you the solution you’ve been waiting for.
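The "test, test, test" advice above, as an added example that is not from the episode or the linked article: a Linux-only Python check that tags a temporary file with a hypothetical user.backup.tag attribute, copies it with a caller-supplied copier, and reports whether the tag survived. shutil.copy2 and shutil.copyfile are the two copiers compared.

```python
"""Does a copy/archive step preserve user-namespace extended attributes?
Added example, not from the episode: tags a temp file, copies it with a
caller-supplied copier, and reports whether the tag survived.  Linux only
(os.setxattr); the user.* namespace needs no root privileges."""
import os
import shutil
import tempfile

ATTR_NAME = "user.backup.tag"   # hypothetical tag name chosen for this demo
ATTR_VALUE = b"nightly"         # constructed sample value


def read_user_xattrs(path):
    """Return {name: value} for every user.* attribute on path."""
    return {name: os.getxattr(path, name)
            for name in os.listxattr(path) if name.startswith("user.")}


def xattr_roundtrip_check(copier):
    """Tag a temp file, run copier(src, dst), then look for the tag on dst.

    Returns one of:
      "preserved"   - the tag survived the copy
      "lost"        - the copy ran but silently dropped the tag
      "unsupported" - this platform or filesystem cannot set user.* xattrs
    """
    if not hasattr(os, "setxattr"):
        return "unsupported"                     # not Linux
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src.bin")
        dst = os.path.join(tmp, "dst.bin")
        with open(src, "wb") as f:
            f.write(b"constructed sample file contents\n")
        try:
            os.setxattr(src, ATTR_NAME, ATTR_VALUE)
        except OSError:
            # Typically ENOTSUP/EOPNOTSUPP: the filesystem behind the temp
            # dir (e.g. an older tmpfs) does not carry user.* attributes.
            return "unsupported"
        copier(src, dst)
        survived = read_user_xattrs(dst).get(ATTR_NAME) == ATTR_VALUE
        return "preserved" if survived else "lost"


def check_copy2():
    """shutil.copy2 copies metadata, which on Linux includes xattrs."""
    return xattr_roundtrip_check(shutil.copy2)


def check_copyfile():
    """shutil.copyfile copies file contents only, so the tag is dropped."""
    return xattr_roundtrip_check(shutil.copyfile)


if __name__ == "__main__":
    print("shutil.copy2:   ", check_copy2())
    print("shutil.copyfile:", check_copyfile())
```

The same harness works for any backup or archive step: pass a function that archives src and restores it to dst, and treat "lost" as a tool you cannot rely on for the tags.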

On internet privacy, be very afraid

  • In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.

  • In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.

  • Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today.

  • … The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does.

Inside the Massive 711 Million Record Onliner Spambot Dump

  • The mechanics of this spambot

  • The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe. This blog post explains everything I know about it.

  • I’ll take a stab at it and say that there’s not many legitimate drivers using the New South Wales toll road system with Russian email addresses!

  • A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach.

  • Yet another file contains over 3k records with email, password, SMTP server and port (both 25 and 587 are common SMTP ports):

  • This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports.


Feedback


Round Up:

Zsh Configuration From the Ground Up


The post Extended Usefulness | TechSNAP 335 first appeared on Jupiter Broadcasting.

Internet Power Struggle | TechSNAP 277
https://original.jupiterbroadcasting.net/101521/internet-power-struggle-techsnap-277/
Thu, 28 Jul 2016 21:35:20 +0000

We’re in the middle of an epic battle for power in cyberspace & Bruce Schneier breaks it down. PHP gets broken, PornHub gets hacked & the disgruntled employee who wiped the router configs on his way out the door.

Plus great emails, a packed round up & more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Power in the Age of the Feudal Internet

  • “We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question – and one vitally important to the future of the Internet.”
  • “In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.”
  • “On the corporate side, power is consolidating around both vendor-managed user devices and large personal-data aggregators. It’s a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.”
  • “I have previously called this model of computing feudal. Users pledge allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.”
  • “Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes.”
  • “Government power is also increasing on the Internet. Long gone are the days of an Internet without borders, and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control – a change the US opposes, because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.”
  • “What happened? How, in those early Internet years, did we get the future so wrong?”
  • “The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively. So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents.”
  • “There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances – firearms, fingerprint identification, lockpicks, the radio – give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.”
  • “It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power – whether marginal, dissident, or criminal – as Robin Hood. And you can think of ponderous institutional power – both government and corporate – as the Sheriff of Nottingham.”
  • “So who wins? Which type of power dominates in the coming decades? Right now, it looks like institutional power.”
  • “This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance – and there’s no reason to believe it won’t – there will always be a security gap in which technically savvy Robin Hoods can operate.”
  • “My main concern is for the rest of us: everyone in the middle. These are people who don’t have the technical ability to evade either the large governments and corporations that are controlling our Internet use, or the criminal and hacker groups who prey on us. These are the people who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords – or any powers – fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents. The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that the data use restriction debate now involves guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.”
  • “The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.”
  • “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”
  • “This won’t be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they’re not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.”
  • “Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it — how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it — is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.”
  • “I can’t tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.”

How we broke PHP, hacked PornHub, and earned $20,000

  • As we covered a few months ago, PornHub has opened up their new bug bounty program via Hackerone.com
  • Now, a group of researchers have collected a $20,000 bounty, and are sharing the details of how they did it
  • “We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone. We were also awarded with $2,000 by the Internet Bug Bounty committee”
  • “We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function.”
  • “After analyzing the platform we quickly detected the usage of unserialize on the website. Multiple paths (everywhere where you could upload hot pictures and so on) were affected”
  • “In all cases a parameter named “cookie” got unserialized from POST data and afterwards reflected via Set-Cookie headers”
  • So whatever data you sent to the website while uploading was serialized and set as a cookie, which was then unserialized and read back in on each subsequent request. This is one way websites maintain state across multiple requests.
  • When the researchers modified the POST request to include a serialized PHP Exception, the PornHub website reacted to the exception
  • “This might strike as a harmless information disclosure at first sight, but generally it is known that using user input on unserialize is a bad idea”
  • “The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past”
  • “Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
  • They implemented a fuzzer and started running it. Eventually they found a bug in PHP 7, but when they tried it against PornHub it didn’t work, which suggested that PornHub was running PHP 5.6. Running the fuzzer against PHP 5.6 generated more than 1 TB of logs, but no vulnerabilities.
  • “Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior again.”
  • “A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug — a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”
  • “Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.”
  • The article then goes on to explain how they exploited the use-after-free vulnerability in great detail
  • Once they had the ability to execute the code they provided, they needed a way to view the output
  • “Being able to execute arbitrary PHP code is an important step, but being able to view its output is equally important, unless one wants to deal with side channels to receive responses. So the remaining tricky part was to somehow display the result on Pornhub’s website.”
  • “Usually php-cgi forwards the generated content back to the web server so that it’s displayed on the website, but wrecking the control flow that badly creates an abnormal termination of PHP so that its result will never reach the HTTP server. To get around this problem we simply told PHP to use direct unbuffered responses that are usually used for HTTP streaming”
  • “Together with our ROP stack which was provided over POST data our payload did the following things:”
    • Created our fake object which was later on passed as a parameter to “setcookie”.
    • This caused a call to the provided add_ref function i.e. it allowed us to gain program counter control.
    • Our ROP chain then prepared all registers/parameters as discussed.
    • Next, we were able to execute arbitrary PHP code by making a call to zend_eval_string.
    • Finally, we caused a clean process termination while also fetching the output from the response body.
  • “Once running the above code we were in and got a nice view of Pornhub’s ‘/etc/passwd’ file. Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls. However, just using PHP was more convenient at this point. Finally, we dumped a few details about the underlying system and immediately wrote and submitted a report to Pornhub over Hackerone.”
  • “We gained remote code execution and would’ve been able to do the following things:”
    • Dump the complete database of pornhub.com including all sensitive user information.
    • Track and observe user behavior on the platform.
    • Leak the complete available source code of all sites hosted on the server.
    • Escalate further into the network or root the system.
  • “It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief. Please finally put a nail into unserialize’s coffin so that the following mantra becomes obsolete.”
  • “You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.”

Ex-Citibank employee wipes router configs and downs entire network

  • “Lennon Ray Brown, 38, had been working at Citibank’s Irving, Texas, corporate office since 2012, first as a contractor and later as a staff employee, when he was called in by a manager and reprimanded for poor performance.”
  • “At that point, the US Department of Justice said, the rogue employee uploaded a series of commands to Citibank’s Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. Court documents show that while there was not a complete outage, the re-routing led to “congestion” on the network and at the branch offices.”
  • “Brown admits that on December 23, 2013, he issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. The resulting outage hit both network and phone access to 110 branches nationwide – about 90 per cent of all Citibank branch offices.”
  • Brown said the following in a text message to a coworker shortly after the incident:
    • “They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
    • “Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
  • Brown admitted the intentional damage charge in February
  • Justice Department Announcement
  • Brown has been sentenced to 21 months in jail, and a $77,000 fine

Feedback:


Round Up:


The post Internet Power Struggle | TechSNAP 277 first appeared on Jupiter Broadcasting.

Connecting the Docks | LINUX Unplugged 106
https://original.jupiterbroadcasting.net/86632/connecting-the-docks-lup-106/
Wed, 19 Aug 2015 06:50:48 +0000

Live from the floor of LinuxCon 2015 we capture Bruce Schneier’s take on hacking attribution, how HP enthusiastically supports Linux internally & our impressions of the big convention.

Plus how Docker is going big this year & which type of Linux event is right for you.

Thanks to: Ting | DigitalOcean | Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

  • Not much to link this week, LinuxCon is the content for this week!

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

The post Connecting the Docks | LINUX Unplugged 106 first appeared on Jupiter Broadcasting.

Sony’s Hard Lessons | TechSNAP 196
https://original.jupiterbroadcasting.net/75192/sonys-hard-lessons-techsnap-196/
Thu, 08 Jan 2015 19:43:57 +0000

We reflect on the lessons learned from the Sony Hack & discuss some of the tools used to own their network.

Plus an overview of what makes up a filesystem, a run down of the Bacula backup system & much more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —

Schneier: Lessons from the Sony Hack

  • Bruce Schneier, a noted security researcher, discusses the things we can all learn from the Sony hack
  • An attack like this can happen to anyone, but that doesn’t mean Sony didn’t make it easy for the attackers
  • One of the first things to think about when looking at a hack is: Was this an opportunistic attack, or a targeted attack?
  • “You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.”
  • “High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.”
  • “But even scarier are the high-skill, high-focus attacks­ — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies”
  • That is not to say that all high-skill high-focus attacks are committed by governments, the attacker just needs to be highly motivated
  • “This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.”
  • “The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do”
  • “Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.”
  • “We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.”
  • “For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”
  • Additional Coverage
  • Investigators believe a newly identified SMB (Server Message Block, mostly used in Windows file sharing and networking) worm was involved in the Sony hack
  • “The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said”
  • The worm had 5 major components: Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning
  • US-CERT Advisory

Norse identifies 6 individuals they believe were behind the Sony hack, including ex-employees


Twitter date bug confuses many client applications.

  • Many Twitter clients, including the popular client TweetDeck, showed tweets during the last week of the year as being from a year ago
  • Many users then found that, even with the official app, they were not able to login anymore
  • Turns out the problem was that Twitter’s servers had been sending the incorrect date for all HTTP responses from the API
  • The wrong date format directive was used: strftime(3) defines two different ways to express the year
  • The most common one: %Y – is replaced by the year with century as a decimal number
  • It seems that a programmer at Twitter chose the first one in the man page that mentioned the year:
  • %G – is replaced by a year as a decimal number with century. This year is the one that contains the greater part of the week (Monday as the first day of the week).
  • So this went undetected because it returns the correct year except during the last week of the year, when that week falls more within the new year than within the current one
  • So December 30th 2014 was reported as December 30th 2015, a year in the future
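The %G versus %Y confusion above, as an added example that is not from the episode: Python's date.isocalendar() gives the ISO week-based year that %G prints, so the mismatch can be reproduced without depending on the platform's strftime. The block also renders the HTTP Date header both ways for 30 Dec 2014 and shows the clock-skew check a client could apply to the value it receives; the header format and the one-day-at-a-time scan are mine, not Twitter's code.

```python
"""Reproduce the strftime %G-vs-%Y mix-up behind the Twitter date bug.
Added example, not from the episode.  %G is the ISO 8601 week-based year
(the year that owns the ISO week containing the date); %Y is the plain
calendar year.  They disagree for a few days around New Year."""
from datetime import date, datetime, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def iso_week_year(d):
    """The year %G would print: the year owning the ISO week that holds d."""
    return d.isocalendar()[0]


def mismatch_days(year):
    """Every day of `year` on which %G and %Y disagree.

    These are the 'last week of the year' days the show notes describe,
    plus the mirror case of early-January days that still belong to the
    previous ISO year.
    """
    out = []
    d = date(year, 1, 1)
    while d.year == year:
        if iso_week_year(d) != year:
            out.append(d)
        d += timedelta(days=1)
    return out


def http_date(dt, year_directive="%Y"):
    """Render an RFC 7231 Date header from a naive UTC datetime.

    year_directive selects the correct %Y or the buggy %G; day and month
    names come from fixed tables so the output is locale-independent.
    """
    if year_directive == "%Y":
        year = dt.year
    elif year_directive == "%G":
        year = iso_week_year(dt)
    else:
        raise ValueError("only %Y and %G are modelled here")
    return (f"{DAYS[dt.weekday()]}, {dt.day:02d} {MONTHS[dt.month - 1]} "
            f"{year:04d} {dt.hour:02d}:{dt.minute:02d}:{dt.second:02d} GMT")


def parse_http_date(header):
    """Parse the header format produced above back into a datetime."""
    _, day, mon, year, hms = header.split()[:5]
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), h, m, s)


def date_skew_seconds(header, now):
    """Server Date minus local clock, in seconds.

    A client that compares this against a tolerance before trusting the
    server's time would have flagged a year-sized skew instead of
    silently rendering tweets as a year old.
    """
    return (parse_http_date(header) - now).total_seconds()


def twitter_bug_demo():
    """Both renderings of 30 Dec 2014 12:00 UTC (constructed timestamp)."""
    when = datetime(2014, 12, 30, 12, 0, 0)
    return http_date(when, "%Y"), http_date(when, "%G")


def skew_demo():
    """Skew a client would measure on the buggy header at that moment."""
    return date_skew_seconds(twitter_bug_demo()[1],
                             datetime(2014, 12, 30, 12, 0, 0))


if __name__ == "__main__":
    for y in (2014, 2015, 2016):
        print(y, [d.isoformat() for d in mismatch_days(y)])
    print(twitter_bug_demo())
    print("skew in days:", skew_demo() / 86400)
```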

FreeNAS – up and running!


Feedback:


Round Up:


The post Sony’s Hard Lessons | TechSNAP 196 first appeared on Jupiter Broadcasting.

Security Hype Machine | TechSNAP 189
https://original.jupiterbroadcasting.net/72067/security-hype-machine-techsnap-189/
Thu, 20 Nov 2014 17:41:00 +0000

Why Hyping Cyber Threats is Counterproductive & not knowing is never good enough. Plus the malware that targets Hotel visitors, FreeNAS themed questions, our answers & much, much more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

“Do Diligence”? Why, not knowing is safer…

  • “As I travel around speaking, performing network assessments, and discussing security with various corporate leaders, I often hear a fairly consistent and disturbing mantra.”
  • “If you find vulnerabilities and risks in our environment, then we will have to fix it.”
  • The problem seems to be, especially in larger more bureaucratic organizations, that if you know about a problem and do not fix it, you are at fault; but if you didn’t know there was a problem, you are blameless
  • At some point, in order for security to actually be advanced, people need to take responsibility.
  • If the CTO/CIO/CSO didn’t know that that “might be a problem” and that it “needed to be investigated”, or that the 3rd party vendor access to our “secure” network was a gaping back door, then the person who hired that C*O should be fired, for hiring an incompetent person
  • I am not saying that a breach is the fault of the security officer, but if there is no plan in place about what to do in the event of a breach (because it is a question of WHEN it will happen, not IF), then that is the fault of the security officer
  • “The old adage comes to mind, “ignorance of the law is no excuse” and this holds true in information security as well.”
  • “A common perspective is that cyber security is primarily the responsibility of the IT department. If a data breach incident occurred, the senior IT executive was the only one to take the fall, and usually only if there was incompetence involved vs. simply bad luck.”
  • There is always going to be some adversary out there that is smarter than you, so you have to plan in advance. Defense in depth, early detection and isolation, mitigation and remediation, disaster recovery planning, disclosure and compliance procedures, and just generally having procedures to follow in times of crisis are just some of the things that can be done to handle these situations more gracefully

Schneier: Why Hyping Cyber Threats is Counterproductive

  • Schneier highlights a pair of essays on the topic, and his blog has a number of interesting comments as well
  • The first article details reasons why ‘Cyber-Angst’, rather than real critical thinking and problem solving, is likely to cause more problems
  • OMG Cyber! Thirteen Reasons Why Hype Makes For Bad Policy
  • In 2014, the market for information-security spending topped $70 billion
  • “Several parties think that overstating ‘cyber’ is in their own best interest. Security firms like a clearly stated threat in order to sell their security products. Contractors capitalise on fear to get funding from the executive branch. The Pentagon finds a bit of hype useful to keep the money coming in. The armed services each eye a larger slice of the budget pie. The White House love some good cyber-angst to nudge law-makers into action. Fear of Chinese cyber-attack makes it easier for members of Congress to relate to voters. Reporting cyber-war means that journalists sell more copy. Academics get quotations and attention from the buzz. Hype up cyber, and everybody wins”
  • Hype Creates Confusion
  • Hype Limits Results
  • Hype Betrays Purpose
  • Hype Erodes Talent
  • Hype Creates Friction
  • Hype Breeds Cynicism
  • Hype Degrades Quality
  • Hype Weakens Products
  • Hype Clouds Analysis
  • Hype Kills Nuance
  • Hype Escalates Conflict
  • Hype Feeds Hypocrisy
  • Hype Undermines Trust
  • A few other great headlines and quotes in the article:
  • Most journalists writing about leaked documents do not understand their limitations
  • Hype damages the public’s trust and confidence in the Internet
  • “in the bureaucratic setup of a large intelligence agency, presentation skills can become more valuable than coding skills. It gets worse once it dawns on ‘PowerPoint warriors’ that technical jargon works like magic on superiors who may not fully grasp the details”
  • The second article Schneier links to makes similar points
  • Enough! Stop hyping every new security threat
  • “Here’s how it works these days: A security firm finds out about a vulnerability, then sends its PR folks into overdrive to promote it as the biggest of all time”
  • It started with ‘code names’ for operations, like: Night Dragon, Project Aurora, and Operation Shady Rat, then it got into “proactive marketing of individual exploits with supercool names — Shellshock, Heartbleed, Sandworm — some of which even have logos”
  • “Is this the new norm? You find a vulnerability, then get your PR team and graphic designers involved to gin up the most hype that can possibly be created?”
  • “I understand why these firms are doing this. They want to get maximum exposure to sell their products and services, like ambulance-chasing lawyers. But McAfee and Symantec made billions after Code Red, Slammer, and Blaster without creating and pushing logos”
  • The tone of the article is somewhat dampened by the inline advertisement for other Infoworld articles: “Watch out for 11 signs you’ve been hacked — and learn how to fight back, in InfoWorld’s PDF special report. | Discover how to secure your systems with InfoWorld’s Security newsletter.”
  • And I couldn’t help but pull this quote: “Can you imagine how a real “big one” will be marketed in the future? Cue the operatic music and overlay graphics. Will it be like the Weather Channel’s “Storm of the Century” full-time news cycle with cyber security pros blown around in heavy winds, showing crying website widows holding wet cat GIFs among digital portal ruins?”

DarkHotel APT – Infecting Corporate travellers since 2007

  • Kaspersky Labs details a newly disclosed Advanced Persistent Threat that targets executives who stay in high-end hotels
  • “This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics.”
  • The APT takes over hotel WiFi networks and, using a man-in-the-middle style attack, tricks guests on the WiFi into installing a “software update” or something similar “required to access the internet”
  • “… they delegitimize Certificate Authorities to further their attacks. They abuse weakly implemented digital certificates to sign their malcode. The actor abused the trust of at least ten CAs in this manner. Currently they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset.”
  • The updates look legitimate because they are digitally signed, so even corporate security software that blocks unsigned applications is ineffective
  • Once the malware is installed, it can start stealing sensitive documents, and keep doing so even after the guest leaves the hotel
  • “The more interesting travelling targets include top executives from the US and Asia doing business and investment in the APAC region.” including victims in a number of industries:
  • Very large electronics manufacturing
  • Investment capital and private equity
  • Pharmaceuticals
  • Cosmetics and chemicals manufacturing offshoring and sales
  • Automotive manufacturer offshoring services
  • Automotive assembly, distribution, sales, and services
  • Defense industrial base
  • Law enforcement and military services
  • Non-governmental organizations
  • “When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively. Further work demonstrated just how careful these attackers were to hide their activity – as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status”

Feedback:


Round Up:


Packet Tells A Lot | TechSNAP 109 https://original.jupiterbroadcasting.net/36971/packet-tells-a-lot-techsnap-109/ Thu, 09 May 2013 17:34:22 +0000 https://original.jupiterbroadcasting.net/?p=36971 The nasty Apache Malware we’ve been telling you about has spread to Nginx and others, we’ll update you on the latest.


The nasty Apache Malware we’ve been telling you about has spread to Nginx and others, we’ll update you on the latest.

Plus hackers get access to control systems at Google, a big batch of your questions, and much much more.

On this week’s TechSNAP.

Thanks to:

Use our code tech249 to score .COM for $2.49!

32% off your ENTIRE first order just use our code go32off3 until the end of the month!


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: