Security – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 14 Oct 2016 08:51:56 +0000

Internet of Default Passwords | TechSNAP 288
https://original.jupiterbroadcasting.net/103901/internet-of-default-passwords-techsnap-288/
Thu, 13 Oct 2016 16:31:36 +0000

The post Internet of Default Passwords | TechSNAP 288 first appeared on Jupiter Broadcasting.

Show Notes:

Internet of Terror roundup

  • Krebs has been machine-gunning articles about the Internet of Terror devices that were used to attack him recently
  • Who makes the IoT things that are under attack
  • This first post breaks down the manufacturers of the devices, and who is to blame for this nonsense.
  • “As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware”
  • “The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.”
  • “In all, there are 68 username and password pairs in the botnet source code. However, many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorder (DVRs).”
  • All of the passwords are quite bad. A few look almost random, but using one random password on every device doesn’t help. It is as if they tried, but totally missed the point.
  • “Regardless of whether your device is listed above, if you own a wired or wireless router, IP camera or other device that has a Web interface and you haven’t yet changed the factory default credentials, your system may already be part of an IoT botnet. Unfortunately, there is no simple way to tell one way or the other whether it has been compromised.”
  • “However, the solution to eliminating and preventing infections from this malware isn’t super difficult. Mirai is loaded into memory, which means it gets wiped once the infected device is disconnected from its power source.”
  • “Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host). The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.”
  • Europe to push for new security rules amid IoT mess
  • “The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.”
  • “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure. The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”
  • That sounds great, but how do you rate the cyber security of a device? Who is going to be allowed to perform these audits? Who decides whether the auditor is qualified?
  • “One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.”
  • “That information comes in an analysis published this week by Flashpoint Intel, whose security analysts discovered that the Web-based administration page for devices made by this Chinese company (https://ipaddress/Login.htm) can be trivially bypassed without even supplying a username or password, just by navigating to a page called “DVR.htm” prior to login.”
  • “The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
  • IoT devices as proxies for cybercrime
  • “This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.”
  • The criminals are using your IoT device as a proxy, so when the police hunt down the person who committed the fraud, it looks like it was you.
  • “Recently, I heard from a cybersecurity researcher who’d created a virtual “honeypot” environment designed to simulate hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials. When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web.”
  • “The researcher found that the malware being pushed to his honeypot system was designed to turn his faux infected router into a “SOCKS proxy server,” essentially a host designed to route traffic between a client and a server. Most often, SOCKS proxies are used to anonymize communications because they can help obfuscate the true origin of the client that is using the SOCKS server.”
  • “What he observed was that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites. Further study of the malware files and the traffic beacons emanating from the honeypot systems indicated his honeypots were being marketed on a Web-based criminal service that sells access to SOCKS proxies in exchange for Bitcoin.”
  • Krebs’ site has a number of tips on securing your router to prevent this
  • SSH TCP Forwarding on-by-default in IoT devices, used in new credential stuffing attacks
  • Of course, routers and other IoT devices can sometimes be used as a proxy without having to be compromised.
  • The default SSH configuration on a number of IoT devices leaves the sshd option ‘AllowTcpForwarding’ enabled.
  • This allows an attacker to log in to the IoT device using the default credentials (which you sometimes cannot change) and then bounce their connection off the device, in a way that leaves no trace.
  • Ezra Caltum, senior security research team leader at Akamai: “We are in for an Internet of unpatchable things. This is my personal opinion, but I’m terrified about it.”

Researchers discover way to break certain 1024-bit Diffie-Hellman keys

  • “Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, virtual private networks, and Internet servers. The feat allows hackers to passively decrypt hundreds of millions of encrypted communications as well as cryptographically impersonate key owners.”
  • While there is a lot of media hype, it isn’t necessarily the end of the world just yet
  • Researcher Post
  • “We have completed a cryptanalysis computation which is at the same time a formidable achievement in terms of size (a 1024-bit discrete logarithm computation), and a small-scale undertaking in terms of computational resources (two months of calendar time on 2000 to 3000 cores). In comparison, the “real” record for discrete logarithm is 768 bits (announced this spring) and required 10 times as much computational power.”
  • “To achieve this, we cheated. Deliberately. We chose the prime number which defines the problem to be solved in a special way, so that the computation can be made much more efficient. However, we did this in a subtle way, so that the trapdoor we inserted cannot be detected.”
  • “Unfortunately, for most of the prime numbers used in cryptography today, we have no guarantee that they have not been generated with such a trapdoor. We estimate that breaking a non-trapdoored 1024-bit prime is at least 10,000 times harder than breaking our trapdoored prime was for us once we knew the trapdoor.”
  • “Our computation raises questions about some Internet standards that contain opaque, fixed primes. Theoretically, we know how to guarantee that primes have not been generated with a trapdoor, but most widely used primes come with no such public guarantee. A malicious party who inserted a trapdoored prime into a standard or an implementation would be able to break any communication whose security relies on one of these primes in a short amount of time.”
  • “Solving discrete log for a Diffie-Hellman key exchange lets an attacker decrypt messages encrypted with the negotiated key. Solving discrete log for a DSA signature lets an attacker forge signatures.”
  • So, we have a way to make sure that the process used to select a prime is not backdoored, but not a way to tell whether a given prime has been backdoored.
  • “We have not been able to find any documented seeds or verifiable randomness for widely used 1024-bit primes such as the RFC 5114 primes. Using “nothing up my sleeve” numbers to generate primes like the Oakley groups or the TLS 1.3 negotiated finite field Diffie-Hellman groups (RFC 7919) is a reasonable guarantee of not containing a backdoor.”
  • Some older standards contain ‘magic’ numbers, without information about the process that was used to come up with the number. Only numbers in some newer standards, where a “nothing up my sleeve” policy allows anyone to audit the process used to select the prime, are considered secure.
  • “The attack we describe affects only Diffie-Hellman and DSA, not ECDH or ECDSA. For RSA, there are not global public parameters like the primes used for Diffie-Hellman that could contain a backdoor like this.”
  • “If you run a server, use elliptic-curve cryptography or primes of at least 2048 bits.”
  • DH primes shorter than 1024 bits were banned recently, after the Logjam attack. Hopefully most people who generated new primes are already using 2048-bit or larger primes.
  • “If you are a developer or standards committee member, use verifiable randomness to generate any fixed cryptographic parameters, and publicly document your seeds. Appendix A.1.1.2 of FIPS 186 describes how to do this for DSA primes.”
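The “verifiable randomness, publicly documented seed” idea from the last few points, as an added example that is not from the researchers’ post or the show. It follows the shape of FIPS 186 A.1.1.2 (derive the prime from a hash of a published seed and counter, so an auditor can recompute it) but is a simplified illustration, not the FIPS procedure; the seed and the 128-bit size are constructed so it runs instantly, whereas a real parameter would be 2048 bits or larger.

```python
import hashlib
import random

# Constructed example parameters. A real seed would be a published, fixed
# string and the bit length at least 2048, as the post recommends.
EXAMPLE_SEED = b"constructed example seed: publish the real one alongside the prime"
EXAMPLE_BITS = 128


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test with fixed witnesses so the
    check itself is reproducible by anyone re-running the audit."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_from_seed(seed: bytes, counter: int, bits: int) -> int:
    """Expand (seed, counter) with SHA-256 into a candidate of exactly `bits`
    bits. The value is fully determined by the published inputs, which is
    what makes it auditable: nothing up the generator's sleeve."""
    out = b""
    block = 0
    while len(out) * 8 < bits:
        msg = seed + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    n = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return n | (1 << (bits - 1)) | 1  # force exact length and oddness


def generate_verifiable_prime(seed: bytes, bits: int, max_counter: int = 1 << 16):
    """Return (prime, counter) for the first counter whose candidate is prime.
    The generator publishes seed and counter together with the prime."""
    for counter in range(max_counter):
        cand = candidate_from_seed(seed, counter, bits)
        if is_probable_prime(cand):
            return cand, counter
    raise RuntimeError("no prime found within the counter budget")


def verify_prime(prime: int, seed: bytes, counter: int, bits: int) -> bool:
    """Auditor's side: recompute the candidate from the published seed and
    counter, require it to equal the claimed prime and to be prime, and
    require every smaller counter to have produced a composite. Without the
    last check a generator could choose among many primes along the counter
    sequence instead of being pinned to the first one the seed yields."""
    if prime != candidate_from_seed(seed, counter, bits):
        return False
    if not is_probable_prime(prime):
        return False
    return all(not is_probable_prime(candidate_from_seed(seed, c, bits))
               for c in range(counter))


if __name__ == "__main__":
    p, ctr = generate_verifiable_prime(EXAMPLE_SEED, EXAMPLE_BITS)
    print(f"prime={p}\ncounter={ctr}")
    print("audit of published values:", verify_prime(p, EXAMPLE_SEED, ctr, EXAMPLE_BITS))
    print("audit of a substituted prime:", verify_prime(p + 2, EXAMPLE_SEED, ctr, EXAMPLE_BITS))
```

Note the asymmetry the post describes: the audit only proves the prime came from the seed; a prime published without a seed (such as the RFC 5114 groups mentioned above) gives an auditor nothing to recompute.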

Android Fragmentation Sinks Patching Gains — 60,000 unique models of Android device

  • It’s been 13 months since Google began releasing Android security bulletins and software patches on a scheduled, monthly basis. So far, the benefits of the new strategy to shore up Android’s defenses are mixed at best.
  • Security experts say look no further than to this past August and Google’s patching of the high-profile QuadRooter vulnerability that took 96 days for Google to go from vulnerability notification by Qualcomm to the release of the final patch for the critical flaws on Sept. 6. By comparison, it took Apple just 10 days from the time researchers tipped off the company to the notorious Trident vulnerabilities, which were publicly attacked unlike QuadRooter, to Apple releasing its iOS patch.
  • That stark difference in patch times illustrates to many mobile security experts that, despite security gains within the Android platform, from MediaServer hardening to file-level encryption, Google’s security efforts are still stymied by the nagging problem of fragmentation.
  • For example, only a fraction of phones vulnerable to the QuadRooter vulnerability have received Google’s patches.
  • Kyle Lady, research and development engineer at Duo Labs, says issues tied to fragmentation are hurting the Android ecosystem on two fronts.
  • One front is Google’s efforts to work with a myriad of partners on identifying risks and prepping patches for Google’s monthly security updates.
  • The second is making sure those patches are deployed by Android handset makers and wireless carriers to consumers in a timely manner.
  • Since Google released its last patch to fix the QuadRooter vulnerability, only 15 percent of Android phones capable of receiving the security update had done so, according to the most recent data available from Duo Labs collected Oct. 5.
  • The patching results are interesting, “percentage of Android phones that have not patched in the last 90 days”:
    • Nexus: 2.3% (almost every phone is patched)
    • Samsung: 55% (slightly more than half of all phones are unpatched)
    • LG: 73% (almost three quarters of all phones are unpatched)
    • Motorola: 96% unpatched
    • Sony: 98% unpatched
  • For the first time that I have seen, Google’s support policy is also spelled out:
  • “For Google’s part, it says it will provide support for its Nexus brand phones for at least three years from device availability, or 18 months after the last device is sold by Google”
  • Motorola’s phone unit was recently sold to Lenovo, which had this to say:
  • “We understand that keeping phones up-to-date with security patches is important to our customers and strive to push security patches as quickly as we can. We work with our carrier partners, software providers and other partners to extensively test patches before they are delivered, which can be in various forms, such as pure Security Maintenance Releases, scheduled Maintenance Releases and OS Upgrades.”
  • “In August, Motorola said it couldn’t promise its flagship Moto Z and Moto G4 would receive monthly Android security patches. Instead, Motorola said updates would be quarterly. Samsung and LG said they have committed to monthly security updates for their handsets. HTC did not respond to a request for comment on this story.”
  • It would be interesting to see these same numbers with a more confined view, say, phones sold in the last 18 months, rather than all phones on the market.
  • Google is also trying to solve the problem by going around the Manufacturers and the Carriers: “with the release of Android 7.0 (Nougat) Google is attempting to become more self-reliant by creating independent apps that might have otherwise been Android OS baked-in features. For example, Google recently introduced its Allo and Duo (formerly Hangouts) messaging features as standalone apps. Now, Google can push out software updates if needed to those apps, independent of device makers and carriers.”

Feedback:


Round Up:


Pulsed Gun Control | Unfilter 192
https://original.jupiterbroadcasting.net/100486/pulsed-gun-control-unfilter-192/
Wed, 15 Jun 2016 23:05:18 +0000

The post Pulsed Gun Control | Unfilter 192 first appeared on Jupiter Broadcasting.

From the Orlando shooting and secret drone emails to Brexit, this episode of Unfilter covers a lot of ground. We share our thoughts and questions about the shooting, and discuss the DNC hack and the latest scandals in the 2016 race.

— Show Notes —

Episode Links

Jumping to the Nextcloud | LAS 420
https://original.jupiterbroadcasting.net/100191/jumping-to-the-nextcloud-las-420/
Sun, 05 Jun 2016 19:18:36 +0000

The post Jumping to the Nextcloud | LAS 420 first appeared on Jupiter Broadcasting.

Frank & Jos of Nextcloud join us to discuss their fork of ownCloud, some of the history behind the fork, the reaction by ownCloud, & what they plan to do differently this time around.

Plus we debate if Valve’s Steam Machines are a bust, a bit more on Oracle vs Google & much more!

— Show Notes: —


What is nextcloud?

  • OwnCloud foundation announcement
  • nextcloud announcement: About – Nextcloud | nextcloud.com
  • ownCloud reacts to nextcloud: ownCloud Statement concerning nextcloud
  • nextCloud reacts to ownCloud’s reaction
  • Contributors to owncloud/core · GitHub

— PICKS —

Runs Linux

This good old country wedding runs Linux

Desktop App Pick

Turtl: A secure, encrypted Evernote alternative | Turtl

Turtl lets you take notes, bookmark websites, and store documents for sensitive projects. From sharing passwords with your coworkers to tracking research on an article you’re writing, Turtl keeps it all safe from everyone but you and those you share with.

Spotlight

QLC Plus

QLC+ is free software for controlling DMX or analog lighting systems such as moving heads, dimmers, and scanners.

This project is a fork of the great QLC project written by Heikki Junnila that aims to continue the development of QLC and to introduce new features.

The primary goal is to bring QLC+ to the level of other commercial lighting control software.

https://www.amazon.com/RioRand-Interface-Adapter-Lighting-Controller/dp/B00V7MQ99G/ref=sr_1_9?ie=UTF8&qid=1465147589&sr=8-9&keywords=USB+DMX


— NEWS —

  • https://slexy.org/view/s29Xzr9wZr

Seven months later, Valve’s Steam Machines look dead in the water

_Put it together, and you find that there have been less than half a million Steam Machines sold over a span of more than half a year._

Google’s fair use victory is good for open source

Let me first explain the main facts and claims in the lawsuit, and then why Google’s fair use victory is a good thing not only for Google but also for open source developers, for software developers more generally, and for the public.

So why is this a victory for the open source community as well as for Google? The main reason is because open source programs are often designed to interoperate with, either as complements or substitutes for, existing programs.

Hurst is wrong in asserting that Google’s fair use victory means that anyone can freely appropriate whatever they want from open source and other programs.

Mail Bag

  • https://slexy.org/view/s2yZF9Wwwl
  • https://slexy.org/view/s21Hz2u1PH
  • https://slexy.org/view/s20f9jXkOO

PIS Poor DNS | TechSNAP 268
https://original.jupiterbroadcasting.net/100021/pis-poor-dns-techsnap-268/
Thu, 26 May 2016 17:32:03 +0000

The post PIS Poor DNS | TechSNAP 268 first appeared on Jupiter Broadcasting.

Is the “Dark Cloud” hype, or a real technology? Using DNS tunneling for remote command and control & the big problem with 1-Day exploits.

Plus your great question, our answers, a breaking news roundup & more!

Show Notes:

APT Groups still successfully exploiting Microsoft Office flaw patched 6 months ago

  • “A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.”
  • “CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.”
  • “The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.”
  • One of the groups using the exploit targeted the Japanese military industrial complex
  • “In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.”
  • “The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.”
  • The report details a number of different teams, with different targets
  • Some or all of the teams may be related
  • “The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.”
  • Kaspersky Lab Report

Krebs investigates the “Dark Cloud”

  • “Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes.”
  • “In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.”
  • How do you keep your site online while hosting it on hacked machines you do not control?
  • How do you keep the data secure? Who is going to pay for stolen credit cards when they can just hack one of the compromised machines hosting your site?
  • “I first became aware of this botnet, which I’ve been referring to as the “Dark Cloud” for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a Youtube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called “Uncle Sam,” whose home page pictures a pointing Uncle Sam saying “I want YOU to swipe.””
  • “I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.”
  • So, most of these hacked machines are likely just “repeaters”, accepting connections from end users and then relaying those connections back to the secret central server.
  • This also works fairly well as a DDoS mitigation mechanism
  • “the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine’s strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a “reverse proxy,” which lets the attackers control the system remotely”
  • “It’s unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operated through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggests the whole thing may have been orchestrated by the same gang.”
  • A more in-depth report on the botnet is expected next week
  • “If you liked this story, check out this piece about another carding forum called Joker’s Stash, which also uses a unique communications system to keep itself online and reachable to all comers.”

Wekby APT gang using DNS tunneling for C&C

  • “Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.”
  • “Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.”
  • “The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.”
  • “The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample.”
  • “The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.”
  • “The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.”
  • “The use of DNS as a C2 protocol has historically not been widely adopted by malware authors.”
  • “The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
  • “The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.”
  • The malware also looks for specific flags in the DNS response, to prevent it being spoofed by a DNS server not run by the authors. Palo Alto Networks has reverse engineered the malware and found the special flags.
  • The malware supports the following commands:
    • sifo – Collect victim system information
    • drive – List drives on victim machine
    • list – List file information for provided directory
    • upload – Upload a file to the victim machine
    • open – Spawn a command shell
  • “The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.”
  • Palo Alto Networks Report
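Turning the beacon shape described above (one long label of a short alphanumeric prefix plus unpadded base32, looked up as a TXT record) into detection logic over resolver logs. This is an added example, not code from Palo Alto Networks or the show; the BIND-style log lines are constructed, and the thresholds (label length 20, entropy 3.0 bits/char, two distinct labels per parent domain) are assumptions to tune against your own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log (not real traffic). Lines 3 and 4 imitate
# the beacon shape the report describes: one long label made of a short
# alphanumeric prefix plus unpadded base32 data, looked up as a TXT record.
SAMPLE_LOG = """\
26-May-2016 10:00:01.101 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
26-May-2016 10:00:02.204 client 10.0.0.5#53212: query: mail.example.com IN MX + (10.0.0.1)
26-May-2016 10:00:03.310 client 10.0.0.7#40113: query: ab12cd34efNBSWY3DPEB3W64TMMQXA.c2-domain.example IN TXT + (10.0.0.1)
26-May-2016 10:00:04.415 client 10.0.0.7#40114: query: zz98yy76xxGEZDGNBVGY3TQOJQGEZDG.c2-domain.example IN TXT + (10.0.0.1)
26-May-2016 10:00:05.520 client 10.0.0.5#53213: query: _dmarc.example.com IN TXT + (10.0.0.1)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# The base32 alphabet is A-Z and 2-7 and the prefix is alphanumeric, so the
# whole label is [A-Za-z0-9] with no hyphens, unlike most real host labels.
ALNUM_LABEL_RE = re.compile(r"^[A-Za-z0-9]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield (client, qname, qtype) for every query line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip("."), m.group("qtype").upper()


def suspicious_reasons(qname: str, qtype: str, min_label: int = 20, min_entropy: float = 3.0):
    """Return the list of heuristics a single query trips (empty = clean)."""
    labels = qname.split(".")
    if qtype != "TXT" or len(labels) < 3:
        return []  # the channel described is TXT lookups of a subdomain
    label = labels[0]
    reasons = []
    if len(label) >= min_label and ALNUM_LABEL_RE.match(label):
        reasons.append(f"long alphanumeric leading label ({len(label)} chars)")
        ent = shannon_entropy(label)
        if ent >= min_entropy:
            reasons.append(f"high entropy label ({ent:.2f} bits/char)")
    return reasons


def detect(text: str, min_hits_per_domain: int = 2):
    """Score every query; also flag parent domains that receive several
    distinct suspicious labels, since each beacon carries fresh data."""
    hits = []
    labels_by_domain = defaultdict(set)
    for client, qname, qtype in parse_log(text):
        reasons = suspicious_reasons(qname, qtype)
        if not reasons:
            continue
        parts = qname.split(".")
        parent = ".".join(parts[-2:])  # crude registered-domain approximation
        labels_by_domain[parent].add(parts[0])
        hits.append({"client": client, "qname": qname, "reasons": reasons})
    flagged = {d: len(s) for d, s in labels_by_domain.items() if len(s) >= min_hits_per_domain}
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = detect(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["qname"], "; ".join(h["reasons"]))
    print("domains with repeated suspicious TXT lookups:", flagged)
```

Legitimate TXT traffic (SPF, DMARC, domain-validation tokens) usually has short, punctuated labels, which is why the per-domain repeat count matters more than any single query.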

Feedback:


Round up:


Insecure Socket Layer | TechSNAP 265
https://original.jupiterbroadcasting.net/99546/insecure-socket-layer-techsnap-265/
Thu, 05 May 2016 20:35:37 +0000

The post Insecure Socket Layer | TechSNAP 265 first appeared on Jupiter Broadcasting.

A critical flaw in that bit of software tucked far far away that you never think about… Until now, we explain why ImageTragick is a pain. More OpenSSL flaws & fraudsters stealing tax data from the motherload.

Plus great questions, our answers, a packed Round up & more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

Show Notes:

Critical flaw found in ImageMagick

  • ImageMagick is a very popular suite of applications for working with images
  • It is used by many websites, to process, convert, and resize uploaded images
  • It is used for photos, avatars, and any other type of image a website might process
  • “There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.”
  • “If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):”
  • Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
  • Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
  • A first draft of the fix was released in ImageMagick 6.9.3-9 on 2016-04-30
  • However, it is not clear that this entirely resolves the problem
  • “Insufficient filtering for filename passed to delegate’s command allows remote code execution during conversion of several file formats.”
  • “ImageMagick allows to process files with external libraries. This feature is called ‘delegate’. It is implemented as a system() with command string (‘command’) from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate’s command is used to handle https requests:”
  • "wget" -q -O "%o" "https:%M"
  • If, instead of a URL, you supply something like https://example.com;ls -la
  • the shell runs the appended command in addition to the normal wget operation, allowing an attacker to run any command they wish
  • “The most dangerous part is ImageMagick supports several formats like svg, mvg, and maybe some others – which allow to include external files from any supported protocol including delegates. As a result, any service, which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.”
  • Why are you disclosing a vulnerability like this?
  • “We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software. ImageMagick also disclosed this on their forum a few hours ago.”
  • Additional Coverage – OSS Security List
  • Additional Coverage – Ars Technica – Huge number of sites imperiled by critical image-processing vulnerability [Updated]
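One way to implement the first mitigation above, as an added example (not code from the ImageTragick advisory or from ImageMagick): check that an upload's leading bytes match a signature for a format the site supports and that the declared extension agrees, before the file is handed to ImageMagick. The signature table, extension map, sample files and the explicit `png:` coder prefix passed to convert are assumptions of this example.

```python
"""Magic-byte check for uploads before they reach ImageMagick. Added example, not
ImageTragick or ImageMagick code; signatures, extension map and samples are constructed."""
from typing import List, Optional, Tuple

# Leading bytes that identify each supported format. ImageMagick picks its coder from the
# content, so a file named avatar.png that actually starts with MVG or SVG text would be
# parsed by the MVG/SVG coder; this check is meant to reject exactly that.
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions the site accepts for each format (assumption for this example)
EXTENSIONS = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for fmt, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def validate_upload(filename: str, data: bytes,
                    allowed=("png", "jpeg", "gif")) -> Tuple[bool, str]:
    """Accept only if the content signature and the declared extension agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_image_type(data)
    if fmt is None or fmt not in allowed:
        return False, "content does not start with a supported image signature"
    if ext not in EXTENSIONS[fmt]:
        return False, f"extension .{ext} does not match detected format {fmt}"
    return True, fmt


def build_convert_argv(fmt: str, src: str, dst: str) -> List[str]:
    """Build an argv that names the coder explicitly (the 'png:file' prefix ImageMagick
    understands), so the sniffed format is what ImageMagick uses, not its own guess."""
    return ["convert", f"{fmt}:{src}", dst]


# Constructed sample inputs: a PNG header and an MVG text file disguised as a PNG
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)
MVG_DISGUISED = b"push graphic-context\nviewbox 0 0 640 480\n"

if __name__ == "__main__":
    for name, blob in [("avatar.png", PNG_SAMPLE), ("avatar.png", MVG_DISGUISED),
                       ("avatar.jpg", PNG_SAMPLE)]:
        ok, detail = validate_upload(name, blob)
        print(name, "accepted" if ok else "rejected", detail)
```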

Fraudsters steal tax and salary data from ADP

  • “Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms”
  • “ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.”
  • “ADP provides payroll, tax and benefits administration for more than 640,000 companies”
  • “Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.”
  • “ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name.”
  • US Bancorp: “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP. During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
  • “The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
  • “ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal.”
  • “According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.”
  • “The problem, ADP Chief Security Officer Roland Cloutier said, seems to stem from ADP customers that both deferred the signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.”
  • “We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” Ripley said. “We have discontinued that practice.”
  • A secret can only be protected if everyone who possesses it knows it is a secret
  • “ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.”
  • “Cloutier said ADP does offer an additional layer of authentication — a personal identification code (PIC) — basically another static code that can be assigned to each employee. He added that ADP is trialing a service that will ask anyone requesting a new account to successfully answer a series of questions based on information that only the real account holder is supposed to know.”
  • Of course, “supposed to know” is the problem
  • The IRS learned this the hard way, and has already had to replace 2 different authentication systems because the ‘knowledge based authentication’ questions were easily guessed by attackers
  • “It’s truly a measure of the challenges ahead in improving online authentication that so many organizations are still looking backwards to obsolete and insecure approaches. ADP’s logo includes the clever slogan, “A more human resource.” It’s hard to think of a more apt mission statement for the company. After all, it’s high time we started moving away from asking people to robotically regurgitate the same static identifiers over and over, and shift to a more human approach that focuses on dynamic elements for authentication. But alas, that’s fodder for a future post.”
  • Apparently Krebs’ report caused a large temporary dip in ADP’s stock price

Another OpenSSL Advisory

  • More fun with OpenSSL
  • Memory corruption in the ASN.1 encoder (CVE-2016-2108) [HIGH]
  • The advisory notes that the most severe of the issues was partially fixed over a year ago: “This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.”
  • However, because of a second bug, this issue turned out to be a critical flaw
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) [HIGH]
    • “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
  • In both of these cases it seems that, in a rush to fix a bug, a further flaw was created
  • Additional Fixes:
  • EVP_EncodeUpdate overflow (CVE-2016-2105) [LOW]
  • EVP_EncryptUpdate overflow (CVE-2016-2106) [LOW]
  • ASN.1 BIO excessive memory allocation (CVE-2016-2109) [LOW]
  • EBCDIC overread (CVE-2016-2176) [LOW]
  • Note: support for OpenSSL version 1.0.1 will cease on 31st December 2016. Support for versions 0.9.8 and 1.0.0 already ended on 31st December 2015. Those versions are no longer receiving security updates.
  • Additional Coverage: Ars Technica

How do fraudsters get the CVV number for your credit card?

  • “A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.”
  • The CVV is the 3 (or 4 in the case of AMEX) digit number on the back of your credit card
  • This number is not normally used for “card present” transactions, like checking out at the supermarket
  • The CVV is designed for “card not present” transactions, like shopping online
  • The idea was, this number was NEVER to be stored, so even in the event of a credit card database breach, the attackers would not get the CVV number, and so could not use the stolen cards in online transactions
  • The CVV is basically how you prove that you have the card in your hands
  • This of course works in theory, but just because merchants are not SUPPOSED to store the CVV doesn’t mean they don’t
  • “The vast majority of the time, this CVV data has been stolen by Web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking Trojan does on an infected PC, except it’s designed to steal data from Web server applications.”
  • “PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.”
  • “Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.”
  • “These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).”

Feedback:


Round Up:


Terrorgram | Unfilter 170 https://original.jupiterbroadcasting.net/91606/terrorgram-unfilter-170/ Thu, 17 Dec 2015 01:16:50 +0000 https://original.jupiterbroadcasting.net/?p=91606

The post Terrorgram | Unfilter 170 first appeared on Jupiter Broadcasting.

The US Government’s war on encryption is going from cold to hot. The stage has been set for a rough 2016 for US companies that employ encryption in their products. We’ll break down the major talking points for backdoors, intercepted communications & the general need to invade your privacy.

Plus the United States’ massive concessions in Syria you’re not being told about, big news for drones & a little bit of good news in Unfilter’s last episode of 2015!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

Show Notes:

— Episode Links —

Key Flaw With GPL | TechSNAP 234 https://original.jupiterbroadcasting.net/88501/key-flaw-with-gpl-techsnap-234/ Thu, 01 Oct 2015 09:31:07 +0000 https://original.jupiterbroadcasting.net/?p=88501

The post Key Flaw With GPL | TechSNAP 234 first appeared on Jupiter Broadcasting.

D-Link publishes its private code signing keys, exploiting Windows Symbolic Links & why encryption is not sufficient protection.

Plus some great questions, our answers, a rockin roundup & much, much more!

— Show Notes: —

D-Link accidentally publishes its private code signing keys

  • As part of its GPL license compliance, D-Link makes its firmware source code available for many of its devices
  • “He had purchased the DCS-5020L surveillance camera from D-Link and wanted to download the firmware. D-Link makes the firmware source code of many devices available as open source under a GPL license.”
  • “When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link”
  • “In fact, in some batch files were the commands and pass phrases that were needed.”
  • The certificates have already been revoked
  • Fox-IT confirms: “The code signing certificate is indeed in the firmware packages; firmware version 1.00b03, released February 27 of this year, was therefore released before this certificate expired, a big mistake.”
  • We’ll have to cover this in more detail once more information is available, in English

“Investigating the Computer Security Practices and Needs of Journalists”

  • A survey found that 50% of journalists do not use any security tools
  • Those that do may not realize that the tools they are using are ineffective, or that the way they are using them hurts their security
  • “Observation: The computer security community builds a lot of tools that might be useful for journalists, but we don’t deeply understand the journalistic process!”
  • “I report on unauthorized immigrants a great deal and have concerns about how to communicate with them without putting them at risk. That said, asking them to use encrypted methods of communication I think would create a greater sense of threat about talking to me and make it more difficult to report. Many are also not extremely computer-savvy. This is something I struggle with a great deal”
  • “Objective: Conduct in-depth interviews with full-time journalists at recognized media organizations operating across a range of media, including print, digital, broadcast and wire services”
  • Figure out the typical workflow for a journalist, model security tools that work with them, instead of forcing them to a workflow dictated by the tools
  • Findings:
    • “Audio recording and digital note-taking were primary forms of interview documentation.”
    • “Many participants use third-party cloud services, but few voiced concern about possible security risks”
    • Long-term sources are common
  • Sources like Snowden, a big one-time data dump, are rare
  • Security Concerns:
  • Negative effects on source
  • Loss of credibility if source information was exposed
  • Government identification of sources
  • Disciplinary actions (e.g., losing job)
  • Loss of competitive advantage
  • Potential financial consequences
  • The project found that in most cases of a journalist using security tools, it was because the source requested it, or because the journalist had had specific security training
  • “A lot of services out there say they’re secure, but having to know which ones are actually audited and approved by security professionals — it takes a lot of work to find that out.”
  • “There were different kinds of litigation software that I was familiar with as a lawyer, where, let’s say, you have a massive case, where you have a document dump that has 15,000 documents. […] There are programs that help you consolidate and put them into a secure database. So it’s searchable [and provides a secure place where you can see everything related to a story at once]. I don’t know of anything like that for journalism.”
  • It will be interesting to see what comes out of this research

Exploiting Windows Symbolic Links

  • “For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context.”
  • “Symbolic links in themselves are not vulnerabilities, instead they’re useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use.”
  • A time-of-check time-of-use vulnerability works like this:
    • You set up a symlink to a file you are allowed to access
    • You try to access a resource
    • The software checks that you are allowed to access the resource (you are)
    • You quickly re-target the symlink to something else
    • You access the resource, and the software allows it, since it has already checked that you are allowed
    • You now have access to a resource you should not have
  • “This blog post contains details of a few changes Microsoft has made to Windows 10, and now back ported (in MS15-090) as far back as Windows Vista which changes who can use certain types of symbolic links. There’s not been many mitigations of this type which get back ported to so many older versions of Windows. Therefore I feel this is a good example of a vendor developing mitigations in response to increased attacks using certain techniques which wouldn’t have traditionally been considered before for mitigations.”
  • Much of the Windows namespace is built on symbolic links: even C: is actually a symbolic link to a device path such as \Device\HarddiskVolume4 (since NT 3.1)
  • Microsoft has released three new mitigations:
  • “Registry Key Symbolic Link Mitigation (CVE-2015-2429) — The simplest mitigation implementation is for registry keys. Effectively a sandboxed process is not allowed to ever create a registry key symbolic link. This is implemented by calling RtlIsSandboxToken function when creating a new key (you need to specific a special flag when creating a key symbolic link). It’s also called when setting the SymbolicLinkValue value which contains the link target. This second check is necessary to prevent modifying existing symbolic links, although it would be unlikely to be something found on a real system.”
  • “Object Manager Symbolic Link Mitigation (CVE-2015-2428) — If an application tries to create an object manager symbolic link from a sandbox process it will still seem to work, however if you look at where the check is called you’ll find it doing something interesting. When the symbolic link is created the RtlIsSandboxToken function is called but the kernel doesn’t immediately return an error. Instead it uses it to set a flag inside the symbolic link kernel object which indicates to the object manager a sandboxed process has created this link. This flag is then used in the ObpParseSymbolicLink function which is called when the object manager is resolving the target of a symbolic link. The RtlIsSandboxToken is called again, if the current caller is not in a sandbox but the creator was in a sandbox then the kernel will return an error and not resolve the symbolic link, effective making the link useless for a sandboxed to unsandboxed elevation.”
  • “NTFS Mount Point Mitigation (CVE-2015-2430) — The final mitigation is for NTFS mount points. In early technical previews of Windows 10 (I first spotted the change in 10130) the check was in the NTFS driver itself and explicitly blocked the creation of mount points from a sandboxed process. Again for presumably application compatibility reasons this restriction has been relaxed in the final release and the back ported mitigations. Instead of completely blocking creation the kernel function IopXxxControlFile has been modified so whenever it sees the FSCTL_SET_REPARSE_POINT file system control code being passed to a driver with a mount point reparse tag it tries to verify if the sandboxed caller has write access to the target directory. If access is not granted, or the directory doesn’t exist then setting the mount point fails. This ensures that in the the majority of situations the sandboxed application couldn’t elevate privileges, as it could already write to the directory already. There’s obviously a theoretical issue in that the target could later be deleted and replaced by something important for a higher privileged process but that’s not very likely to occur in a practical, reliable exploit.”
  • “These targeted mitigations gives a clear indication that bug hunting and disclosing the details of how to exploit certain types of vulnerabilities can lead into mitigation development, even if they’re not traditional memory corruption bugs. While I didn’t have a hand in the actual development of the mitigation It’s likely my research was partially responsible for Microsoft acting to develop them. It’s very interesting that 3 different approaches ended up being taken, reflecting the potential application compatibility issues which might arise.”
  • “Excluding any bypasses which might come to light these should make entire classes of resource planting bugs unexploitable from a compromised sandboxed process and would make things like time-of-check time-of-use harder to exploit. Also it shows the level of effort that implementing mitigations without breaking backwards compatibility requires. The fact that these only target sandboxes and not system level escalation is particularly telling in this regard.”
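The six steps above, replayed on POSIX as an added example (not code from the blog post, which concerns Windows): the check is done on the path, the link is re-targeted, and the naive open follows the new target, while the hardened open refuses to follow a symlink and performs every check on the file descriptor it actually holds. File names and the scratch directory are constructed.

```python
"""Check-then-use on a path versus checks on the opened handle. Added example, not the
blog post's code; the scratch directory and file names are constructed here."""
import os
import stat
import tempfile


def open_regular_file_safely(path: str) -> bytes:
    """Open without following a final-component symlink, then validate the handle."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:  # ELOOP on Linux when the last component is a symlink
        raise PermissionError(f"refusing to open {path}: {e.strerror}") from None
    with os.fdopen(fd, "rb") as f:  # fdopen owns fd from here and closes it
        st = os.fstat(f.fileno())  # inspect the object we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path} is not owned by the current user")
        return f.read()


def demo() -> dict:
    """Replay the six steps from the notes in a scratch directory (constructed here)."""
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "allowed.txt")
        secret = os.path.join(d, "secret.txt")
        link = os.path.join(d, "link.txt")
        with open(allowed, "wb") as f:
            f.write(b"public")
        with open(secret, "wb") as f:
            f.write(b"secret")
        os.symlink(allowed, link)                # step 1: link points at an allowed file
        check_passed = os.access(link, os.R_OK)  # steps 2-3: the check is done on the path
        os.remove(link)
        os.symlink(secret, link)                 # step 4: re-target between check and use
        with open(link, "rb") as f:              # step 5: naive use follows the new target
            naive = f.read()
        try:                                     # hardened open: refuses the symlink
            open_regular_file_safely(link)
            safe_error = None
        except PermissionError as e:
            safe_error = str(e)
        return {"check_passed": check_passed, "naive": naive,
                "safe_error": safe_error, "direct": open_regular_file_safely(allowed)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```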

Encryption as Protection? Maybe Not

  • We often see as part of the coverage of a data breach how the data was not “encrypted”
  • As it turns out, having data encrypted on the disk doesn’t necessarily help if the data is still “live” on the system
  • If your laptop hard drive is encrypted, but you leave it unlocked at the coffee shop and visit the restroom, anyone can access the files on your computer. Having them encrypted did nothing for you
  • The way hard drive encryption works, it only protects you if you lock or shut down the computer and require a strong passphrase to decrypt the disk before it can be mounted again
  • The same applies to a file server or database at a company. Encryption is only useful if access to the data is still strictly controlled
  • “A recent espionage prosecution in West Palm Beach, Florida demonstrates that encryption may not be the panacea that organizations think it is. So rather than relying on encryption alone, companies need to adopt and maintain strategies that continue to provide layered security.”
  • “After every data breach, we hear the same mantra, “If only the data were encrypted!” As if encryption of data is the answer to data breaches.”
  • The case in this article centers on Christopher Glenn, a 35-year-old former defense contractor living in his mother’s retirement community
  • He worked for the US Government in Honduras
  • “He was convicted of stealing and retaining classified documents he obtained which related to U.S. policy in the Middle East”
  • “In preparation for his theft, Glenn, a “computer specialist” with a U.S. defense contractor, read up on data security in general and encryption in particular. He apparently read articles about TrueCrypt, a popular freeware encryption product used for On-The-Fly Encryption (OTFE), noting in particular an October 2011 article entitled, “FBI Hackers Fail to Crack TrueCrypt”. Glenn figured that he could create an encrypted partition (called 2012 Middle East) on his drive. He created a 30-character passphrase, thinking that the data would be secured. Indeed, he estimated that it would take the FBI “billions of years” to crack the crypto through brute force.”
  • “He was wrong. And he was sentenced to 10 years in jail.”
  • “According to case reports, the FBI’s counter-intelligence agents were able to decrypt the encrypted files on Glenn’s computer, which became evidence in his case. Given that this is 2015, they did so in substantially less than the “billions of years” that Glenn anticipated.”
  • There is no information on how exactly the FBI decrypted the data, but it was likely an attack against the passphrase, or the machine Glenn had used to encrypt the data
  • “Companies need to evaluate not only WHETHER they encrypt data, but when and how they encrypt data. For example, RAM scrapers capture credit card numbers and other personal information, which is encrypted, before the data is encrypted.”
  • “All of this must be part of a comprehensive data security program which includes access control, data management, ingress and egress reporting, data loss prevention processes, intrusion detection and prevention, managed and monitored firewalls and other services, threat intelligence, and comprehensive incident response. There are no shortcuts here. Oh yes, and encryption, the right encryption.”
  • Encryption of “data at rest” in servers

Feedback


Round Up:


Unpatriotic Act | Unfilter 146 https://original.jupiterbroadcasting.net/83212/unpatriotic-act-unfilter-146/ Wed, 03 Jun 2015 22:11:00 +0000 https://original.jupiterbroadcasting.net/?p=83212

The post Unpatriotic Act | Unfilter 146 first appeared on Jupiter Broadcasting.

NSA Metadata collection provisions of the Patriot Act were suspended this weekend, followed by a nasty political battle. We examine where things stand now, the new powers granted to the NSA, who came down on which side & more!

Show Notes:

Venomous Floppy Legacy | TechSNAP 214 https://original.jupiterbroadcasting.net/82132/venomous-floppy-legacy-techsnap-214/ Thu, 14 May 2015 18:46:30 +0000 https://original.jupiterbroadcasting.net/?p=82132

The post Venomous Floppy Legacy | TechSNAP 214 first appeared on Jupiter Broadcasting.

We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.

Plus strategies to mitigate Cyber Intrusions, a truly genius spammer, great questions, a huge round up & more!

— Show Notes: —

VENOM: Virtualized Environment Neglected Operations Manipulation

  • A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host
  • “This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
  • This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code
  • Unaffected hypervisors include VMware, Hyper-V, Bochs, and bhyve
  • The issue has been assigned the identifier CVE-2015-3456
  • “Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”
  • “It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”
  • “The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”
  • “The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”
  • “After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
  • After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”
  • CrowdStrike blog about the disclosure
  • “While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
  • “CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”
  • Xen Advisory
  • Amazon Statement
  • Digital Ocean statement
  • Redhat Advisory
  • Working PoC exploit
  • This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011
  • Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
  • There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed
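The quoted description of the flaw (a fixed-size command buffer that is cleared after every command except two) is easy to model in a few dozen lines. The following is an added teaching model written for these notes; it is not QEMU's floppy controller code, the opcodes and the 16-byte FIFO are constructed, and the two non-resetting opcodes are hypothetical stand-ins for the real ones. The flawed model shows how the missing reset lets the write index walk past the buffer; the hardened model resets unconditionally and bounds-checks every write:

```python
"""Simplified model of a fixed-size command FIFO with per-command reset, built
to illustrate the class of bug described above. Constructed teaching model;
this is NOT QEMU's floppy controller code and the opcodes are made up."""

FIFO_SIZE = 16  # constructed; deliberately small so the overrun is easy to trace

# constructed opcode table: opcode -> number of parameter bytes that follow it
COMMANDS = {
    0x07: 1,   # "recalibrate"-style command, one parameter byte
    0x0F: 2,   # "seek"-style command, two parameter bytes
    0x10: 0,   # "version"-style command, no parameters
    0x12: 1,   # hypothetical command whose handler forgets to clear the FIFO
    0x13: 3,   # hypothetical second command with the same omission
}
# the two commands that, in the flawed design, do not clear the buffer
NO_RESET_OPCODES = {0x12, 0x13}


class FloppyControllerModel:
    """Byte-at-a-time I/O port model. hardened=False reproduces the flawed
    bookkeeping; hardened=True resets unconditionally and bounds-checks."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.fifo = bytearray(FIFO_SIZE)
        self.pos = 0             # index of the next byte to store
        self.expected = 0        # opcode byte + parameter bytes for the current command
        self.executed = []       # (opcode, parameter bytes) for each completed command
        self.overflowed = False  # flawed model: a write went past the FIFO
        self.dropped = 0         # hardened model: bytes refused by the bounds check

    def _reset(self):
        self.pos = 0
        self.expected = 0

    def write_port(self, byte: int):
        if self.pos >= FIFO_SIZE:
            if self.hardened:
                # refuse the write and resynchronise the parser
                self.dropped += 1
                self._reset()
                return
            # in a C implementation this write would land in adjacent memory
            self.overflowed = True
            self.pos += 1
            return
        self.fifo[self.pos] = byte
        self.pos += 1
        if self.pos == 1:
            # first byte is the opcode; unknown opcodes take no parameters
            self.expected = 1 + COMMANDS.get(byte, 0)
        if self.pos == self.expected:
            self._execute()

    def _execute(self):
        opcode = self.fifo[0]
        self.executed.append((opcode, bytes(self.fifo[1:self.expected])))
        # the flaw: two commands skip the reset, so pos keeps its old value and
        # every later byte is appended instead of starting a fresh command
        if self.hardened or opcode not in NO_RESET_OPCODES:
            self._reset()


def run_guest_stream(hardened: bool, stream: bytes) -> FloppyControllerModel:
    """Feed a constructed guest I/O byte stream to the model and return it."""
    fdc = FloppyControllerModel(hardened)
    for b in stream:
        fdc.write_port(b)
    return fdc


# constructed guest stream: a normal seek, then a non-resetting command followed
# by a run of bytes that the flawed parser keeps appending to the FIFO
GUEST_STREAM = bytes([0x0F, 0x01, 0x02]) + bytes([0x12, 0xAA]) + bytes(range(40))

if __name__ == "__main__":
    flawed = run_guest_stream(False, GUEST_STREAM)
    fixed = run_guest_stream(True, GUEST_STREAM)
    print("flawed: overflowed =", flawed.overflowed, "commands run =", len(flawed.executed))
    print("fixed:  overflowed =", fixed.overflowed, "commands run =", len(fixed.executed))
```

The point of the model is the bookkeeping, not the floppy protocol: once a command handler leaves the write index non-zero, every later byte from the guest is appended rather than parsed, and the only thing standing between that and memory corruption is a bounds check on the buffer index. The hardened variant does both: it clears the parser state after every command regardless of opcode, and it refuses any write that would land at or beyond the end of the buffer.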

Strategies to Mitigate Targeted Cyber Intrusions – From the Australian Signals Directorate


Mumblehard — Muttering spam from your servers

  • “Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”
  • The virus consisted of perl code packed into an ELF binary
  • During a 7 month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers
  • “The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”
  • “These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”
  • “Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
  • The way the malware was architected, it polled a list of Command and Control servers, accepting commands from any of them
  • The list included some legitimate sites, to throw researchers off
  • “A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”
  • At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server
  • The communications with the C&C servers were cleverly hidden in what look like PHP session cookies and in fake browser user-agent strings
  • One of the giveaways is the fact that the base browser user-agent string is for Firefox 7.0.1 on Windows 7
  • Part of the version string would be replaced with the command id, http status, and number of bytes downloaded by the infected machine
  • “The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”
  • Eset research PDF
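Two of the details above are usable as detection signals on the defender's side: the fixed base user-agent (Firefox 7.0.1 on Windows 7) and the fixed 15-minute C&C query interval. The script below is an added example written for these notes, not code from ESET or from the show; the log format, IP addresses, hostnames and timestamps are constructed, and the user-agent string is the standard Firefox 7.0.1 form rather than one taken from the report. The periodicity check is generic and will flag any steady beacon with the matching UA, not just this family:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress-proxy log format: <date> <time> <src_ip> <dst_host> "<user-agent>"
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) "(.*)"$')

# Loose match on the base user-agent the notes single out (Firefox 7.0.1 on
# Windows 7, which reports itself as "Windows NT 6.1"). Kept loose on purpose
# because part of the version string is overwritten with command/status fields.
OLD_UA_RE = re.compile(r"Windows NT 6\.1.*Firefox/7\.0")

BEACON_PERIOD_S = 15 * 60   # the 15-minute C&C query interval from the notes
TOLERANCE_S = 60            # constructed: allowed jitter around that period


def parse_line(line):
    """Return (timestamp, src_ip, dst_host, user_agent) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_beacons(lines, period=BEACON_PERIOD_S, tol=TOLERANCE_S, min_hits=3):
    """Return (src_ip, dst_host, hit_count, median_gap_seconds) for every source
    that contacts one destination with the old UA at a steady period."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, ua = parsed
        if OLD_UA_RE.search(ua):
            hits[(src, dst)].append(ts)
    suspects = []
    for (src, dst), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # every gap must sit close to the expected period
        if all(abs(g - period) <= tol for g in gaps):
            suspects.append((src, dst, len(times), median(gaps)))
    return sorted(suspects)


# Constructed sample log: 10.0.0.5 beacons every ~15 min with the old UA (one
# line has a mangled rv: token to mimic the overwritten version field);
# 10.0.0.9 uses the old UA but at irregular intervals; 10.0.0.7 is a normal browser.
SAMPLE_LOG = """\
2015-05-14 10:00:03 10.0.0.5 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:00:10 10.0.0.7 www.example.invalid "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"
2015-05-14 10:00:00 10.0.0.9 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:05:00 10.0.0.9 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:15:01 10.0.0.5 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.200) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:30:00 10.0.0.9 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:30:04 10.0.0.5 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2015-05-14 10:45:02 10.0.0.5 cnc.example.invalid "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
""".splitlines()

if __name__ == "__main__":
    for src, dst, n, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} hits, median gap {gap:.0f}s")
```

On a server segment an ancient Windows desktop browser UA is already odd on its own; combining it with the interval check keeps the rule from firing on the occasional old client while still catching the regular heartbeat. Tighten `TOLERANCE_S` or raise `min_hits` if the rule is too noisy on real traffic.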

Feedback:


Round-Up:


The post Venomous Floppy Legacy | TechSNAP 214 first appeared on Jupiter Broadcasting.

Blame as a Service | TechSNAP 213 https://original.jupiterbroadcasting.net/81732/blame-as-a-service-techsnap-213/ Thu, 07 May 2015 17:43:54 +0000 https://original.jupiterbroadcasting.net/?p=81732 Why a stolen healthcare record is harder to track than you might think, Security pros name their must have tools & blame as a service, the new Cybersecurity hot product. Plus great questions, a huge Round Up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile […]

The post Blame as a Service | TechSNAP 213 first appeared on Jupiter Broadcasting.


Why a stolen healthcare record is harder to track than you might think, Security pros name their must have tools & blame as a service, the new Cybersecurity hot product.

Plus great questions, a huge Round Up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

A day in the life of a stolen healthcare record

  • “When your credit card gets stolen because a merchant you did business with got hacked, it’s often quite easy for investigators to figure out which company was victimized. The process of divining the provenance of stolen healthcare records, however, is far trickier because these records typically are processed or handled by a gauntlet of third party firms, most of which have no direct relationship with the patient or customer ultimately harmed by the breach.”
  • “I was reminded of this last month, after receiving a tip from a source at a cyber intelligence firm based in California who asked to remain anonymous. My source had discovered a seller on the darknet marketplace AlphaBay who was posting stolen healthcare data into a subsection of the market called “Random DB ripoffs,”
  • “Eventually, this same fraudster leaked a large text file titled, “Tenet Health Hilton Medical Center,” which contained the name, address, Social Security number and other sensitive information on dozens of physicians across the country.”
  • “Contacted by KrebsOnSecurity, Tenet Health officials said the data was not stolen from its databases, but rather from a company called InCompass Healthcare. Turns out, InCompass disclosed a breach in August 2014, which reportedly occurred after a subcontractor of one of the company’s service providers failed to secure a computer server containing account information. The affected company was 24 ON Physicians, an affiliate of InCompass Healthcare.”
  • “The breach affected approximately 10,000 patients treated at 29 facilities throughout the U.S. and approximately 40 employed physicians,” wrote Rebecca Kirkham, a spokeswoman for InCompass.
  • So who was the subcontractor that leaked the data? According to PHIprivacy.net (and now confirmed by InCompass), the subcontractor responsible was PST Services, a McKesson subsidiary providing medical billing services, which left more than 10,000 patients’ information exposed via Google search for over four months.
  • Think about that for a minute. The information must have just been laying around on their website for it to be able to be found by Google search
  • “Still, not all breaches involving health information are difficult to backtrack to the source. In September 2014, I discovered a fraudster on the now-defunct Evolution Market dark web community who was selling life insurance records for less than $7 apiece. That breach was fairly easily tied back to Torchmark Corp., an insurance holding company based in Texas; the name of the company’s subsidiary was plastered all over stolen records listing applicants’ medical histories.”
  • “Health records are huge targets for fraudsters because they typically contain all of the information thieves would need to conduct mischief in the victim’s name — from fraudulently opening new lines of credit to filing phony tax refund requests with the Internal Revenue Service. Last year, a great many physicians in multiple states came forward to say they’d been apparently targeted by tax refund fraudsters, but could not figure out the source of the leaked data. Chances are, the scammers stole it from hacked medical providers like PST Services and others.”
  • As we have previously discussed, a stolen credit card may be worth a few dollars, even high end corporate cards rarely fetch more than $10 or $15 each. Health care records are worth upwards of $100 each.
  • “Sensitive stolen data posted to cybercrime forums can rapidly spread to miscreants and ne’er-do-wells around the globe. In an experiment conducted earlier this month, security firm Bitglass synthesized 1,568 fake names, Social Security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the company’s proxy, which automatically watermarked the file. The researchers set it up so that each time the file was opened, the persistent watermark (which Bitglass says survives copy, paste and other file manipulations), “called home” to record view information such as IP address, geographic location and device type.”
  • “The company posted the spreadsheet of manufactured identities anonymously to cyber-crime marketplaces on the Dark Web. The result was that in less than two weeks, the file had traveled to 22 countries on five continents, was accessed more than 1,100 times. “Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia,” the report concluded.”

Security pros name their must have tools

  • Network World asked some “security pros” from around the industry to name their must have tools
  • Lawyers Without Borders uses Intralinks VIA to securely share files
  • Yell.com (a yellow pages site) uses Distil Networks’ bot detection and mitigation service to prevent content theft and avoid excess load from web scraper bots
  • SureScripts.com (online prescription service) uses Invincea FreeSpace Enterprise for endpoint security. “stops advanced end user attacks (spear phishing, drive-by downloads, etc.) via containment, and stops our machines from getting infected”
  • a biotechnology company uses EMC Syncplicity to secure and distribute content to mobile devices. “It is an amazing mobile app that offers a great user experience and also offers the security and control we need as a therapeutics company with lots of sensitive information”
  • A private health insurance software application provider uses Forum Sentry API gateway to protect its API from malactors. “Forum Sentry enabled us to securely expose our APIs to our private health insurance funds, third parties and internal clients and has provided a policy-based platform that is easy to maintain and extend – all while reducing development time and resources”
  • Firehouse Subs, a large restaurant chain uses Netsurion’s Managed PCI to manage their Payment Card Industry Data Security Standard compliance. “Netsurion simplifies PCI for myself, and our franchisees, allowing us to maintain focus on other portions of our business”
  • A software vendor that makes heavy use of Software as a Service (SaaS) relies on Adallom to monitor, provide visibility into, and protect its SaaS applications.
  • Iowa Vocational Rehabilitation Services raved about the configurability and reliability of NCP’s enterprise VPN solution
  • I am sorry, when I started writing this news item for TechSNAP, I thought the list was going to be useful
  • These were not the kinds of tools I was expecting
  • Instead it just shows a random reporter who knows nothing about Cyber Security, asking a bunch of random businesses who know nothing about Cyber Security and just buy magic software and services what they think
  • If your approach to cyber security is: buy some magic software, then you’re in trouble
  • Cyber Security is a mindset, and requires defense in depth. It is about doing as much as can be done, and more importantly, planning for when that turns out to not be enough.
  • What you really need is a cyber security disaster kit, like the one you keep in your house in case of a natural disaster: all of the things you need to survive until the mess is cleaned up.
  • What companies really need, is to do cyber security fire drills, and have better fire alarms
  • Software can’t solve everything, but it can help automate the task of getting the attention of a human at the right time

Intel launches new line of E7 v3 Haswell-EX processors

  • Intel has announced its new E7-8800 and E7-4800 line of processors, featuring:
  • 20% more cores/threads
  • 20% more Last-Level Cache
  • Benchmarks show actual 15-20% gains over the E7-4890 v2
  • Support for DDR3 or DDR4 memory (not at the same time). “Support for the two differing memory types comes by way of Intel’s C112 and C114 scalable memory buffers.”
  • 1.5 TB of RAM per socket, quad channel, 102 GB/s memory bandwidth
  • This means a 4 socket motherboard can have 6TB of RAM, and an 8 socket board can have 12TB of RAM
  • 32 PCI-E 3.0 lanes per socket
  • The highest end versions also feature QPI links at 9.6 GT/s (the previous maximum was 8.0 GT/s)
  • E7-4xxx models are designed for 4 socket motherboards, while the E7-8xxx models are for 8 socket motherboards
  • Models include:
    • E7-4809 v3 – 8x 2.00 GHz + HT, 20MB LLC
    • E7-4820 v3 – 10x 1.90 GHz + HT, 25MB LLC
    • E7-4830 v3 – 12x 2.10 GHz (Turbo: 2.70 GHz) + HT, 30MB LLC
    • E7-4850 v3 – 14x 2.20 GHz (Turbo: 2.80 GHz) + HT, 35MB LLC
    • E7-8860 v3 – 16x 2.20 GHz (Turbo: 3.20 GHz) + HT, 40MB LLC
    • E7-8880 v3 – 18x 2.30 GHz (Turbo: 3.10 GHz) + HT, 45MB LLC
    • E7-8890 v3 – 18x 2.50 GHz (Turbo: 3.30 GHz) + HT, 45MB LLC
    • E7-8891 v3 – 10x 2.80 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
    • E7-8893 v3 – 4x 3.20 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
  • “Want!”

Feedback:


Round Up:


The French Disconnection | TechSNAP 211 https://original.jupiterbroadcasting.net/81082/the-french-disconnection-techsnap-211/ Fri, 24 Apr 2015 01:11:19 +0000 https://original.jupiterbroadcasting.net/?p=81082 What’s really the key to detecting a breach before it’s become much too late? We’ll share some key insights, plus a technical breakdown of China’s Great Cannon & the new French Surveillance Law that should be a warning to us all. Plus a great round up, fantastic questions, our answers & much, much more! […]

The post The French Disconnection | TechSNAP 211 first appeared on Jupiter Broadcasting.


What’s really the key to detecting a breach before it’s become much too late? We’ll share some key insights, plus a technical breakdown of China’s Great Cannon & the new French Surveillance Law that should be a warning to us all.

Plus a great round up, fantastic questions, our answers & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Security analytics: The key for breach detection

  • “Although security spending is at an all-time high, security breaches at major organizations are also at an all-time high, according to Gartner, Inc. The impact of advanced attacks has reached boardroom-level attention, and this heightened attention to security has freed up funds for many organizations to better their odds against such attacks.”
  • “Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level,” said Eric Ahlm, research director at Gartner. “Security analytics platforms endeavor to bring situational awareness to security events by gathering and analyzing a broader set of data, such that the events that pose the greatest harm to an organization are found and prioritized with greater accuracy.”
  • The approach that seems to be in favour at the moment is: security information and event management (SIEM)
  • “While most SIEM products have the ability to collect, store and analyze security data, the meaning that can be pulled from a data store (such as the security data found in a SIEM) depends on how the data is reviewed. How well a SIEM product can perform automated analytics — compared with user queries and rules — has become an area of differentiation among SIEM providers.”
  • “User behavior analytics (UBA) is another example of security analytics that is already gaining buyer attention. UBA allows user activity to be analyzed, much in the same way a fraud detection system would monitor a user’s credit cards for theft. UBA systems are effective at detecting meaningful security events, such as a compromised user account and rogue insiders. Although many UBA systems can analyze more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.”
  • “As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Today, information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.”
  • “Analytics systems, on average, tend to do better analyzing lean, or metadata-like, data stores that allow them to quickly, in almost real-time speed, produce interesting findings. The challenge to this approach is that major security events, such as breaches, don’t happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event. When these three things are looked at as a single incident that just happens to span, say, three months, the overall priority of this incident made up of lesser events is now much higher, which is why “look backs” are a key concept for analytics systems.”
  • “Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time,” said Mr. Ahlm. “Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualization of that data will greatly affect adoption of the technology.”
  • It will be interesting to see where the industry goes with these new concepts
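The “look back” idea in the Gartner quote (an early indicator, a minor event hours later, a leakage event months later, all scored as one incident) is simple to implement once events are grouped per host with a window measured from the incident's latest event rather than its first. The code below is an added example written for these notes, not Gartner's or any vendor's logic; the hosts, event kinds, severity scale and dates are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    host: str
    ts: datetime
    kind: str
    severity: int   # constructed scale: 1 low, 2 medium, 3 high


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)

    @property
    def priority(self) -> int:
        # the chain as a whole scores higher than any single event in it
        return sum(e.severity for e in self.events)

    @property
    def span_days(self) -> int:
        return (self.events[-1].ts - self.events[0].ts).days


def correlate(events, lookback=timedelta(days=90)):
    """Group each host's events into incidents. An event joins the host's open
    incident if it falls within `lookback` of that incident's latest event,
    so a slow-moving chain is kept together as long as the gaps stay short."""
    incidents = []
    open_by_host = {}
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        current = open_by_host.get(ev.host)
        if current is not None and ev.ts - current.events[-1].ts <= lookback:
            current.events.append(ev)
        else:
            current = Incident(ev.host, [ev])
            incidents.append(current)
            open_by_host[ev.host] = current
    return incidents


def rank_incidents(events, lookback=timedelta(days=90)):
    """Incidents ordered highest priority first."""
    return sorted(correlate(events, lookback), key=lambda i: i.priority, reverse=True)


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


# constructed sample: db01 shows the three-stage pattern spread over ~70 days,
# then an unrelated low event months later; web02 has a single low event
SAMPLE_EVENTS = [
    Event("db01", _d("2015-01-05"), "new_admin_account", 2),
    Event("web02", _d("2015-01-06"), "failed_logins", 1),
    Event("db01", _d("2015-01-08"), "off_hours_login", 2),
    Event("db01", _d("2015-03-16"), "large_outbound_transfer", 3),
    Event("db01", _d("2015-07-20"), "failed_logins", 1),
]

if __name__ == "__main__":
    for inc in rank_incidents(SAMPLE_EVENTS):
        kinds = " -> ".join(e.kind for e in inc.events)
        print(f"{inc.host}: priority {inc.priority}, {inc.span_days} days, {kinds}")
```

Measured individually, nothing on db01 scores above 3; linked across the window the chain scores 7 and rises to the top of the queue, which is exactly the effect the quote describes. The July event on db01 falls outside the 90-day look-back from the March event and so starts a fresh, low-priority incident.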

China’s Great Cannon

  • “This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.”
  • “On March 16, GreatFire.org observed that servers they had rented to make blocked websites accessible in China were being targeted by a Distributed Denial of Service (DDoS) attack. On March 26, two GitHub pages run by GreatFire.org also came under the same type of attack. Both attacks appear targeted at services designed to circumvent Chinese censorship. A report released by GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised.”
  • “Several previous technical reports have suggested that the Great Firewall of China orchestrated these attacks by injecting malicious Javascript into Baidu connections. This post describes our analysis of the attack, which we were able to observe until April 8, 2015.”
  • “We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”
  • The report is broken down into a number of sections
  • Section 2 locates and characterizes the Great Cannon as a separate system;
  • Section 3 analyzes DDoS logs and characterizes the distribution of affected systems;
  • Section 4 presents our attribution of the Great Cannon to the Government of China;
  • Section 5 addresses the policy context and implications;
  • Section 6 addresses the possibility of using the Great Cannon for targeted exploitation of individual users.
  • I wonder what the next target of the Great Cannon of China will be

New French Surveillance Law

  • “The new French Intelligence Bill has provoked concern among many of the country’s lawmakers, as well as international NGOs.”
  • “According to French Human Rights Defender Jacques Toubon, the legislation contravenes the rulings of the European Court of Human Rights”
  • “Despite boasting the support of France’s two major political parties, the Union for a Popular Movement (UMP) and the Socialist Party (PS), the Intelligence Bill has come in for some strong criticism in France, and it is now also beginning to raise eyebrows abroad.”
  • “Many international NGOs, have condemned the vague and general nature of the bill. Designed to legalise certain surveillance practices, the bill would also broaden the powers of the security services, giving them the authority to ask private operators to follow and report on the activity of internet users. The debate over using terrorism as an excuse for internet surveillance is already raging in France, since Paris decided to “block” access to certain sites in the wake of the 7 January attacks.”
  • “But the new bill goes even further. If adopted, it will allow investigators and government agents to intercept private emails and telephone conversations in the name of security, if they are directly linked to an investigation. Agents would be allowed to use new technologies wherever they deem necessary, including microphones, trackers and spy cameras. They would also be able to intercept conversations typed on a keyboard in real time. All these interceptions would be authorised by the Prime Minister, without the prior approval of a judge, and would be authorised after the fact by a new administrative authority, the National Commission for the Control of Intelligence Techniques (CNCTR).”
  • “Seven companies, including web hosting and technology companies OVH, IDS, and Gandi have said in a letter to the French prime minister Manuel Valls that they will be pushed into de facto “exile” if the French government goes ahead with the “real-time capture of data” by its intelligence agencies.”
  • Letter to French Prime Minister (in French)
  • This has caused a very large backlash from the IT community
  • Especially some of the large Internet and Server providers like Gandi, OVH, IDS, Ikoula and Lomaco who have threatened to leave France if the law passes
  • OVH and Gandi threaten to move their operations, customers, tax revenue, and most importantly, 1000s of high tech jobs
  • Hopefully this sends a clear warning to the US and other countries who are considering or proposing similar legislation, or whose intelligence agencies have run amok
  • “The companies argued that being required by the law to install “black boxes” on their networks will “destroy a major segment of the economy,” and if passed it will force them to “move our infrastructure, investments, and employees where our customers will want to work with us.” Citing a figure of 30-40 percent of foreign users, the companies say their customers come to them “because there is no Patriot Act in France,” France’s surveillance bill (“projet de loi relatif au renseignement”) allows the government’s law enforcement and intelligence agencies to immediately access live phone and cellular data for anyone suspected of being linked to terrorism. These phone records can be held for five years.”
  • Tech firms threaten mass exodus from France over new mass surveillance law
  • Additional Coverage
  • Hacker News

Feedback:

Some twitter comics:

Second Set:


Round Up:


Dude Where’s My Card? | TechSNAP 198 https://original.jupiterbroadcasting.net/76052/dude-wheres-my-card-techsnap-198/ Thu, 22 Jan 2015 21:16:58 +0000 https://original.jupiterbroadcasting.net/?p=76052 Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how. Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.


Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

  • The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ Blackhole)
  • The exploit kit currently uses three different flash exploits:
  • CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
  • CVE-2015-0310 – Which was patched today
  • and a 3rd new exploit, which is still being investigated
  • Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
  • However, a 0 day where the exploit kit authors are the first to receive the details, means that even at this point, researchers and Adobe are not yet sure what the flaw is that is being exploited
  • Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
  • Additional Coverage – Krebs On Security
  • Additional Coverage – PCWorld
  • Additional Coverage – Malware Bytes
  • Additional Coverage – ZDNet

How was your credit card stolen

  • Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
  • Different ways to get your card stolen, and your chance of proving it:
  • Hacked main street merchant, restaurant (low, depends on card use)
  • Processor breach (nil)
  • Hacked point-of-sale service company/vendor (low)
  • Hacked E-commerce Merchant (nil to low)
  • ATM or Gas Pump Skimmer (high)
  • Crooked employee (nil to low)
  • Lost/Stolen card (high)
  • Malware on Consumer PC (very low)
  • Physical record theft (nil to low)
  • “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
  • Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
  • With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
  • Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards, may have some standing to go after the other vendor that was the source of the leak
  • Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

  • Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
  • In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
  • Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
  • The report also found that 8% of files uploaded to cloud storage providers like Google Drive, Dropbox, Box.com etc, were in violation of the enterprises’ own Data Loss Prevention (DLP) policies.
  • The sharing numbers were worse: 25% of all company files in cloud providers were shared with 1 or more people from outside the company, and 12% of outsiders had access to more than 100 files.
  • Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
  • When the cloud apps are used that lack enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
  • Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
  • If an employee just makes a Dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidentally shares all files instead of only the specific project files, then fails to remove that person later on, data can leak.
  • When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
  • Infographic
  • Report
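The two headline numbers from the report (share of files exposed outside the company, and outsiders holding large numbers of files) and the two life-cycle failures described above (a contractor whose grant outlived the project, a share that exposed far more than intended) are all things you can measure from a sharing export. The script below is an added illustration, not Netskope's or any provider's code: the `Share` record layout, the addresses and the `example.com` company domain are constructed assumptions, and the threshold is a parameter so the sample can use a small one.

```python
"""Audit of cloud file-sharing grants for the exposures named above.

Added illustration with constructed data: the Share record layout, the
addresses and the company domain are assumptions, not any vendor's export
format.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple, Optional

COMPANY_DOMAIN = "example.com"   # assumed internal mail domain
AUDIT_DATE = date(2014, 6, 1)    # constructed "today" for the sample run


class Share(NamedTuple):
    file_id: str
    owner: str
    grantee: str
    access_ends: Optional[date]  # agreed end of a contractor's project; None = open-ended


def is_external(address: str) -> bool:
    """True when the grantee's mail domain is not the company's own (or a subdomain of it)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN))


def audit_shares(shares, today: date, over_share_threshold: int = 100) -> dict:
    """Compute the report's two headline metrics and flag two life-cycle failures:
    outsiders holding more files than the threshold, and grants that outlived
    the project they were created for."""
    all_files = {s.file_id for s in shares}
    external_files = set()
    files_per_outsider = defaultdict(set)
    stale = []
    for s in shares:
        if not is_external(s.grantee):
            continue
        external_files.add(s.file_id)
        files_per_outsider[s.grantee].add(s.file_id)
        if s.access_ends is not None and s.access_ends < today:
            stale.append((s.file_id, s.grantee))
    over_shared = sorted(
        who for who, files in files_per_outsider.items() if len(files) > over_share_threshold
    )
    pct = round(100.0 * len(external_files) / len(all_files), 1) if all_files else 0.0
    return {
        "files_total": len(all_files),
        "files_shared_externally": len(external_files),
        "pct_shared_externally": pct,
        "outsiders": len(files_per_outsider),
        "over_shared_outsiders": over_shared,
        "stale_grants": sorted(stale),
    }


# Constructed sample grants: a contractor whose project ended in January but
# still holds two files, a personal mailbox, and a partner given three files.
SAMPLE_SHARES = [
    Share("f1", "alice@example.com", "bob@example.com", None),
    Share("f2", "alice@example.com", "carol@contractor.example", date(2014, 1, 31)),
    Share("f3", "alice@example.com", "carol@contractor.example", date(2014, 1, 31)),
    Share("f4", "dave@example.com", "dave@personalmail.example", None),
    Share("f5", "dave@example.com", "erin@partner.example", date(2014, 12, 31)),
    Share("f6", "dave@example.com", "erin@partner.example", date(2014, 12, 31)),
    Share("f7", "dave@example.com", "erin@partner.example", date(2014, 12, 31)),
    Share("f8", "alice@example.com", "bob@example.com", None),
]

if __name__ == "__main__":
    for key, value in audit_shares(SAMPLE_SHARES, AUDIT_DATE, over_share_threshold=2).items():
        print(f"{key}: {value}")
```

The stale-grant check is only possible when the grant carries an end date, which is exactly the metadata an employee's ad-hoc personal share never records; that is the practical reason the notes insist on IT-managed accounts with a life cycle.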

Feedback:


Round Up:


The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.

WebRTC vs Skype | Tech Talk Today 92 https://original.jupiterbroadcasting.net/71622/webrtc-vs-skype-tech-talk-today-92/ Mon, 17 Nov 2014 10:16:21 +0000 https://original.jupiterbroadcasting.net/?p=71622 The US State Department shuts down its email in what can only be described as a major overreaction, WebRTC sees a major breakthrough that will bring major competition to Skype. Plus the big results from Mobile Pwn2Own 2014 & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]

The post WebRTC vs Skype | Tech Talk Today 92 first appeared on Jupiter Broadcasting.


The US State Department shuts down its email in what can only be described as a major overreaction, WebRTC sees a major breakthrough that will bring major competition to Skype.

Plus the big results from Mobile Pwn2Own 2014 & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

State Department shuts down its e-mail system amid concerns about hacking – The Washington Post

The State Department scrambled over the weekend to secure its unclassified e-mails, shutting down the entire e-mail system after finding evidence suggesting a hacker may have been poking around.

A senior State Department official said technicians recently detected “activity of concern” in portions of the system handling unclassified e-mail. The official, who you could also consider a leaker, remains unidentified, saying that none of the department’s classified systems were compromised.

VP8 and H.264 to both become mandatory for WebRTC | Andreas Gal

WebRTC is mainly about opening direct connections to other web browsers. The plug-inless capture of video and audio is related, but the fundamentals of it are implemented by each browser.

Unfortunately, the full potential of the WebRTC ecosystem has been held back by a long-running disagreement about which video codec should be mandatory to implement. The mandatory to implement audio codecs were chosen over two years ago with relatively little contention: the legacy codec G.711 and Opus, an advanced codec co-designed by Mozilla engineers. The IETF RTCWEB Working Group has been deadlocked for years over whether to pick VP8 or H.264 for the video side.

At the last IETF meeting in Hawaii the RTCWEB working group reached strong consensus to follow in our footsteps and make support for both H.264 and VP8 mandatory for browsers. This compromise was put forward by Mozilla, Cisco and Google. The details are a little bit complicated, but here’s the executive summary:

  • Browsers will be required to support both H.264 and VP8 for WebRTC.
  • Non-browser WebRTC endpoints will be required to support both H.264 and VP8. However, if either codec becomes definitely royalty free (with no outstanding credible non-RF patent claims) then endpoints will only have to do that codec.
  • “WebRTC-compatible” endpoints will be allowed to do either codec, both, or neither.

See the complete proposal by Mozilla Principal Engineer Adam Roach here. There are still a few procedural issues to resolve, but given the level of support in the room, things are looking good.

Mobile Pwn2Own 2014: Windows Phone’s sandbox resists attack

The Mobile Pwn2Own 2014 hacking competition, held at the PacSec Applied Security Conference in Tokyo, Japan, was concluded on Thursday, and not one of the targeted phones has survived completely unscathed.


Of the targets available for selection, Amazon Fire Phone, Apple iPhone 5S, Samsung Galaxy S5, and Google/LG Nexus were completely “pwned,” the Nokia Lumia 1520 running Windows Phone partially, and BlackBerry Z30, Apple’s iPad Mini and the Nexus 7 weren’t targeted at all.

A successful exploitation of a bug in the latter carried with it a $150,000 prize, the others less: $100,000 for messaging services, $75,000 for short distance and $50,000 for the browser, apps or OS.


What we know is that the Apple iPhone 5S was owned via the Safari browser by exploiting two bugs, the Amazon Fire Phone was breached via three bugs in its browser, Samsung Galaxy S5 was successfully targeted via NFC by two different teams (one by triggering a deserialization issue in certain code, and the other by targeting a logical error), and the Nexus 5 was forced to pair with another phone via Bluetooth.


The two contestants that did their attacks on the second day were less successful: Jüri Aedla used Wi-Fi to target a Nexus 5, but was unable to elevate his privileges further than their original level. And Nico Joly tried to exploit Lumia’s browser, but didn’t manage to gain full control of the system as the sandbox held. He did, however, manage to extract the cookie database.

AT&T Stops Using ‘Perma-Cookies’ to Track Customer Web Activity – Mac Rumors

In late October, researchers discovered that AT&T and Verizon had been engaging in some unsavory customer tracking methods, using unique identifying numbers or “perma-cookies” to track the websites that customers visited on their cellular devices to deliver targeted advertisements.

Following significant negative attention from the media, AT&T today told the Associated Press that it is no longer injecting the hidden web tracking codes into the data sent from its customers’ devices.


The change by AT&T essentially removes a hidden string of letters and numbers that are passed along to websites that a consumer visits. It can be used to track subscribers across the Internet, a lucrative data-mining opportunity for advertisers that could still reveal users’ identities based on their browsing habits.


AT&T’s customer tracking practices, called “Relevant Advertising,” were the result of a pilot program the company had been experimenting with, which has apparently come to an end.


While AT&T has opted to stop using the invasive tracking method, Verizon is continuing to utilize perma-cookies to track the web activity of its customers. Unlike AT&T’s experimental program, Verizon has been using Relevant Advertising techniques for approximately two years.

Ubuntu 14.10 Mega Review | LAS 335 https://original.jupiterbroadcasting.net/69512/ubuntu-14-10-mega-review-las-335/ Sun, 19 Oct 2014 16:36:04 +0000 https://original.jupiterbroadcasting.net/?p=69512 Our review of the major flavors of Ubuntu 14.10. We’ll show you how this tried and true desktop can be the fertile playground of future desktop technologies. Our all-star lineup will review everything from Kubuntu to the MATE Edition of Ubuntu 14.10 Utopic Unicorn. Plus Linus responds to the culture of hostility claims, Plasma 5’s […]

The post Ubuntu 14.10 Mega Review | LAS 335 first appeared on Jupiter Broadcasting.


Our review of the major flavors of Ubuntu 14.10. We’ll show you how this tried and true desktop can be the fertile playground of future desktop technologies. Our all-star lineup will review everything from Kubuntu to the MATE Edition of Ubuntu 14.10 Utopic Unicorn.

Plus Linus responds to the culture of hostility claims, Plasma 5’s big update, Docker’s surprising news, a new AAA game for Linux…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


DigitalOcean


Ting

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Ubuntu Turns 10

Ubuntu with Unity 7

If we’re honest, a review of Ubuntu 14.10 could be summarized simply as:

“For those who love Ubuntu, 14.10 is more of what you love. And not much else, for better or worse.”

But Ubuntu 14.10 also offers an appealing playground to check out some of the latest desktop technologies.

  • Ubuntu 14.10 will be supported for 9 months for Ubuntu Desktop, Ubuntu Server, Ubuntu Core, Kubuntu, Edubuntu, Ubuntu Kylin along with all other flavours. This 9 month window of time is too short for a long-term deployment, but just about right for the enthusiast.

  • Linux kernel 3.16

Kubuntu

Kubuntu is releasing two flavors: One with Plasma 4 for stability, and one with Plasma 5 to try the new hotness. Both can be grabbed from Kubuntu.org.

Updates to Plasma 5.1

Xubuntu

Xubuntu is an elegant and easy-to-use operating system. Xubuntu comes with Xfce, which is a stable, light and configurable desktop environment.

Ubuntu MATE

Ubuntu MATE is a stable, easy-to-use operating system with a configurable desktop environment. Ideal for those who want the most out of their desktops, laptops and netbooks and prefer a traditional desktop metaphor. With modest hardware requirements it is suitable for modern workstations and older hardware alike.

Ubuntu GNOME

Ubuntu GNOME is Ubuntu with a pure GNOME Shell experience as opposed to Unity.

Ubuntu GNOME includes GNOME 3.12, but can be upgraded to 3.14 using the following PPAs: ppa:gnome3-team/gnome3 and ppa:gnome3-team/gnome3-staging

Lubuntu

Lubuntu is the LXDE-based variant of Ubuntu for low resource usage and targeting older computers.

Lubuntu includes LXDE but LXQt is available for installation via the following PPA: ppa:lubuntu-dev/daily

Other flavors released this cycle:

Edubuntu: Education-targeted flavor using Unity as the desktop environment.
Ubuntu Studio: Xubuntu-based flavor using Xfce as the desktop environment targeting graphic artists, photographers, musicians, and audio/video production.
Ubuntu Kylin: Ubuntu Kylin is the official Chinese version of Ubuntu. It uses Unity as the desktop environment.


— PICKS —

Runs Linux

Formula 1 Runs Linux

Hi Chris and Matt,

Don’t know how popular F1 is in the US, but while watching the Japanese Grand Prix, I noticed the “weather man” was using a unity desktop while displaying the forecast for the race. I’m guessing ubuntu 12.04.

Love the show,

Roald

Video sent in by fkol-k4

Desktop App Pick

CrossOver 14.0 Makes Installing Windows Apps Easier

CodeWeavers’ CrossOver 14 features improvements to the installation of Windows binaries by using a new automatic configuration feature for detecting/downloading/installing system components needed to run particular Windows applications. CrossOver 14.0 also boasts support for Quicken 2015 and supports a number of new upgrades.

Weekly Spotlight

Ohio LinuxFest 2014 – The Future of Free | Free and Open Software Conference and Expo – Columbus, Ohio – October 24-26, 2014

  • Come say hi, we will be armed with stickers

  • Ang will expect selfies with her in exchange for stickers.

  • Special additional sticker for those wearing JB swag

  • And be sure to say hi and hang out at the after party

  • If you want an interview contact production@jupiterbroadcasting.com

  • If you got a las jacket email angela@jupiterbroadcasting.com

  • Follow Jupiter Broadcasting on Instagram and my Twitter feed for updates on events.

Next LAS Monday afternoon Oct 27th

  • Seattle (U.S.A. – Washington): Monday, October 27, 2014 at 3:00:00 PM PDT (UTC-7)

  • UTC: Monday, October 27, 2014 at 10:00:00 PM UTC

  • New York (U.S.A. – New York): Monday, October 27, 2014 at 6:00:00 PM EDT (UTC-4)

  • London (United Kingdom – England): Monday, October 27, 2014 at 10:00:00 PM GMT (UTC)


— NEWS —

Linus Torvalds Regrets Alienating Developers with Strong Language

“One of the reasons we have this culture of strong language, that admittedly many people find off-putting, is that when it comes to technical people with strong opinions and with a strong drive to do something technically superior, you end up having these opinions show up as sometimes pretty strong language,” said Linus Torvalds.

Linux: On The Internet no one Hears Subtle

KDE – Plasma 5.1 Brings Back Many Popular Features

October 15, 2014.
Today, KDE releases Plasma 5.1.0, the first release containing new features since the release of Plasma 5.0 this summer. Plasma 5.1 sports a wide variety of improvements.

Docker 1.3 Improves Container Security

Among the big additions is the ability to check images with the using of a digital signature. By having the digital signature, it provides users with an additional layer of confidence to know that an image has not been tampered with.

Docker container support coming to Microsoft’s next Windows Server release

Under the terms of the agreement announced today, the Docker Engine open source runtime for building, running and orchestrating containers will work with the next version of Windows Server. The Docker Engine for Windows Server will be developed as a Docker open source project, with Microsoft participating as an active community member. Docker Engine images for Windows Server will be available in the Docker Hub. The Docker Hub will also be integrated directly into Azure so that it is accessible through the Azure Management Portal and Azure Gallery. Microsoft also will be contributing to Docker’s open orchestration application programming interfaces (APIs).

Borderlands: The Pre-Sequel! Arrives on Linux

Development team Aspyr, responsible for the Mac and Linux ports, worked with Gearbox and 2K Games to ensure same-day support for the Tux-faithful arrived alongside the Mac, Windows and console releases of the game.

Linux gamers get access to all of the same features, downloadable content add-ons, settings and multiplayer functionality as their Windows and OS X counterparts thanks to the Unreal 3 engine the title is built on.


Borderlands: The Pre-Sequel is set between the previous two Borderlands games to reveal the story behind Handsome Jack’s rise to villainy.

Note: October 14 marks its North American release only. It goes live in Australasia on October 16. The European release follows on October 17.

VCs Pushing Young Entrepreneurs to Build Proprietary Products that Lock-In

To some extent, I think this goes back to the pernicious myth of the “sustainable competitive advantage.” This is a line you hear all too often from venture capitalists, and as I’ve said for over a decade, it’s misleading in the extreme.

Thanks to users’ input on the issue, ChromeOS developers’ decision to drop ext* filesystem support on the file manager is being reversed.

Thanks for all of your feedback on this bug. We’ve heard you loud and clear.

We plan to re-enable ext2/3/4 support in Files.app immediately. It will come back, just like it was before, and we’re working to get it into the next stable channel release.

Please star this bug to get the latest updates. We’ll post everything here.


— FEEDBACK —

— CHRIS’ STASH —

OLF Updates During OLF

Hang in our chat room:

The best source for the latest info on our OLF adventures.

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

Find us on Google+

Find us on Twitter

Follow the network on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

LinuxCon 2014 Unplugged | LINUX Unplugged 55 https://original.jupiterbroadcasting.net/65447/linuxcon-2014-unplugged-lup-55/ Tue, 26 Aug 2014 18:10:58 +0000 https://original.jupiterbroadcasting.net/?p=65447 We’ve got exclusive interviews from LinuxCon 2014, learn about Linux in big networking, what the future holds for SUSE & much more. Feeling a bit down? Maybe it’s because Linux users are being told to shut up about Desktop Linux & move on. We’ll discuss why this an absurdly short sighted idea. Thanks to: Direct […]

The post LinuxCon 2014 Unplugged | LINUX Unplugged 55 first appeared on Jupiter Broadcasting.


We’ve got exclusive interviews from LinuxCon 2014, learn about Linux in big networking, what the future holds for SUSE & much more.

Feeling a bit down? Maybe it’s because Linux users are being told to shut up about Desktop Linux & move on. We’ll discuss why this is an absurdly short-sighted idea.

Thanks to:

Ting


DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:


Show Notes:

Pre-Show:

FU:


LinuxCon 2014

Is Desktop Linux Dead? Everyone seems to think so.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

Corner of Shame | CR 113 https://original.jupiterbroadcasting.net/64152/corner-of-shame-cr-113/ Fri, 08 Aug 2014 10:52:04 +0000 https://original.jupiterbroadcasting.net/?p=64152 Mike and Chris record a bonus episode of Coder Radio for you this week. We discuss the possibility of Steam selling productivity apps for Desktop Linux, how Overcast.fm could set the trend for future mobile apps, and Chris shares his thoughts about his new Oculus Rift DK2. Plus you great feedback, some follow up and […]

The post Corner of Shame | CR 113 first appeared on Jupiter Broadcasting.


Mike and Chris record a bonus episode of Coder Radio for you this week. We discuss the possibility of Steam selling productivity apps for Desktop Linux, how Overcast.fm could set the trend for future mobile apps, and Chris shares his thoughts about his new Oculus Rift DK2.

Plus your great feedback, some follow up and more!

Thanks to:


Linux Academy


DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:


— Show Notes: —

Feedback / Follow Up:

Dev Hoopla:

ownCloud Powered Freedom

In this guide, we will install and configure an ownCloud instance on an Ubuntu 12.04 VPS. We will then discuss how to mount the ownCloud share to another VPS using WebDAV. We will also cover some other exciting options.

Amtrak on the App Store

Discover the convenience of traveling with Amtrak. With the Amtrak app you can get simple and intuitive access to all the travel information you need, whenever you need it.

Overcast

Smart Speed

Pick up extra speed without distortion with Smart Speed, which dynamically shortens silences in talk shows.

Conversations still sound so natural that you’ll forget it’s on — until you see how much extra time you’ve saved.

Voice Boost

Boost and normalize volume so every show is loud, clear, and at the same volume.

Listen in more places, such as noisy cars, and still hear what everyone says without cranking the volume so high for quiet people that the loud ones blow your ears out.

The All New Oculus Rift Development Kit 2 (DK2) Virtual Reality Headset | Oculus Rift – Virtual Reality Headset for 3D Gaming

DK2 is the latest development kit for the Oculus Rift that allows developers to build
amazing games and experiences for the consumer Oculus Rift.

The Oculus Rift is paired with the publicly available Oculus SDK which includes source code, documentation, and samples to help you hit the ground running. The Oculus Rift and the Oculus SDK currently support Windows, Mac OS X, and Linux.

WHOIS Hiding | TechSNAP 129 https://original.jupiterbroadcasting.net/43687/whois-hiding-techsnap-129/ Thu, 26 Sep 2013 08:35:11 +0000 https://original.jupiterbroadcasting.net/?p=43687 Big changes could be coming to the WHOIS database in the name of privacy, but security experts have major concerns.

The post WHOIS Hiding | TechSNAP 129 first appeared on Jupiter Broadcasting.


Big changes could be coming to the WHOIS database in the name of privacy, but security experts have major concerns.

Plus our suggestions for rolling your own server, a huge batch of questions, and much much more!

On this week’s TechSNAP.

Thanks to:


GoDaddy


Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

WHOIS Privacy Plan Draws Fire

  • Internet regulators are pushing a controversial plan to restrict public access to WHOIS Web site registration records. Proponents of the proposal say it would improve the accuracy of WHOIS data and better protect the privacy of people who register domain names.
  • According to an interim report (PDF) by the ICANN working group, the WHOIS data would be accessible only to “authenticated requestors that are held accountable for appropriate use” of the information.

  • The working group’s current plan envisions creating what it calls an “aggregated registration directory service” (ARDS) to serve as a clearinghouse that contains a non-authoritative copy of all of the collected data elements.

  • The registrars and registries that operate the hundreds of different generic top-level domains (gTLDs, like dot-biz, dot-name, e.g.) would be responsible for maintaining the authoritative sources of WHOIS data for domains in their gTLDs.
  • Those who wish to query WHOIS domain registration data from the system would have to apply for access credentials to the ARDS, which would be responsible for handling data accuracy complaints, auditing access to the system to minimize abuse, and managing the licensing arrangement for access to the WHOIS data.
  • The interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.

“Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers — including prior authorization, disclosure obligations, payment of fees, etc. — in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.

  • Krebs says: the working group’s interim report leaves open in my mind the question of how exactly the ARDS would achieve more accurate and complete WHOIS records. Current accreditation agreements that registrars/registries must sign with ICANN already require the registrars/registries to validate WHOIS data and to correct inaccurate records, but these contracts have long been shown to be ineffective at producing much more accurate records.

WeChat security found to be lax, your password is at risk

  • The WeChat Android client has an undocumented debugging interface that can be accessed by other apps on your Android device
  • This interface allows an attacker to intercept all data flowing through the WeChat application, including your username and hashed password
  • The password is only hashed with straight MD5 (no salt, no work factor), making it trivial to brute force or to look up in a rainbow table
  • “In WeChat versions up to 4.3.5 we identified several vulnerabilities which allow an attacker who can intercept the traffic to quickly decrypt the message body, thus being able to access the messages sent and received by the user. More recent versions seems to be immune to these attacks, but we still have to perform a more in-depth analysis of the encryption scheme implemented in the latest WeChat releases. “
  • The local SQLite database used by WeChat is encrypted, but the key is derived from the WeChat uid and the local DeviceID, meaning an attacker with access to this debug interface has access to both parameters and therefore to the key
  • “We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply.”
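The reason an intercepted MD5 password digest is nearly as useful as the password itself is that unsalted MD5 gives every user of every service the same digest for the same password, so one precomputed table answers all of them, and the digest can be computed quickly enough that building such a table is cheap. The block below is an added illustration, not WeChat's or Tencent's code: it contrasts that scheme with a random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here), using a constructed five-word "common passwords" list and constructed users.

```python
"""Unsalted MD5 versus a salted, iterated password hash.

Added illustration, not WeChat's or anyone else's code; the word list
and the users are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]
PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster


def md5_hex(password: str) -> str:
    """The weak scheme: one fixed digest per password, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Digest -> plaintext table.  Without a salt the table is computed once and
    reused against every MD5-stored credential anywhere, which is why an
    intercepted MD5 digest is almost as good as the password itself."""
    return {md5_hex(w): w for w in words}


def recover_from_md5(digest: str, table: dict):
    """A single dictionary lookup; None when the password is not in the list."""
    return table.get(digest)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """The stronger scheme: 16 random salt bytes plus PBKDF2-HMAC-SHA256.
    Returns (salt, derived_key); store both, the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_key)


def salted_digests_differ(password: str) -> bool:
    """Two users with the same password get unrelated stored values, so no
    precomputed table can cover both; each guess must be recomputed per user,
    PBKDF2_ROUNDS times."""
    s1, k1 = hash_password(password)
    s2, k2 = hash_password(password)
    return s1 != s2 and k1 != k2


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("md5 recovered:", recover_from_md5(md5_hex("letmein"), table))
    salt, key = hash_password("letmein")
    print("pbkdf2 verify:", verify_password("letmein", salt, key))
    print("salts differ:", salted_digests_differ("letmein"))
```

The same reasoning covers the database key above: a key derived only from the uid and the DeviceID is computable by anyone who can read those two values, so the cipher protecting the SQLite file adds nothing once the debug interface exposes them. A key has to come from something the attacker does not have, such as a random secret held in the platform keystore, not from identifiers.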

DRAM prices still being driven up by plant fire

  • As TechSNAP reported previously, there was a chemical explosion and fire at the SK Hynix plant in Wuxi, China on September 4th
  • SK Hynix is attempting to rush repairs to the damaged fab, and has reopened the remaining fab at the Wuxi site on September 7th. The two fabs are isolated to prevent a problem at one from crippling the other
  • SK Hynix is also shifting some production to other plants in Korea
  • However the expected shortage has still driven DRAM prices up 27 percent
  • The Wuxi plant makes approximately 10% of the world’s supply of DRAM
  • SK Hynix expects the plant to be back at full capacity sometime in October
  • Full repairs will take between three months and six months and reduce total output by two months’ worth of production
  • Even once the repaired plant is online, SK Hynix plans to ramp up production beyond the previous levels as well as maintain the increased production in Korea
  • SK Hynix will also ramp up production in stages as portions of the damaged plant are cleaned and repaired, to match what analysts expect will be a spike in demand for PC-oriented chips as the Oct. 18 ship date of Windows 8.1 approaches

Feedback:

Build your own Google Reader replacement, or check out one of the hosted options. We’ll run down the list of the candidates we think have the best potential to replace Google Reader on Linux.

Round Up:
