shellshock – Jupiter Broadcasting
https://www.jupiterbroadcasting.com

Cloudy With a Chance of SSL | TechSNAP 195
https://original.jupiterbroadcasting.net/74772/cloudy-with-a-chance-of-ssl-techsnap-195/
Thu, 01 Jan 2015 11:50:39 +0000

The post Cloudy With a Chance of SSL | TechSNAP 195 first appeared on Jupiter Broadcasting.


We go inside the epic takedown of SpamHaus, then we break down why CloudFlare’s Flexible SSL is the opposite of security.

Followed by a great batch of questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Krebs covers the arrest of one of the attackers in the SpamHaus attack, but digs even deeper

  • “A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare”
  • In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers.
  • When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network, taking it down as well.
  • The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”
  • Both of these were wrong; the attack was no larger than others seen every day on the internet
  • The only clever part of the DDoS was attacking the IP address of the route server at the London Internet Exchange (LINX), which was supposed to be unpublished and unreachable
  • A response from the CTO of nLayer/GTT (major backbone providers)
  • TechSNAP Episode 104 – We tear down the hype around this attack
  • The Krebs article also digs much deeper into the story, covering StopHaus, the group that ordered the attack, uncovering who is behind it
  • “this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good”
  • The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).
  • Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”
  • Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to a spamming software tool called “Quick Send v.1.0.”
  • “Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.”

Why CloudFlare’s Flexible SSL is the opposite of security

  • “Flexible SSL makes it easy to create a secure connection and have it mean nothing. Do you need a trusted certificate for your latest phishing scheme? Just host it regularly on your insecure server and set it up on Cloudflare: that padlock might just seal the deal to the distracted user”
  • The issue is that buying real SSL certificates costs money for each domain
  • But setting up hundreds of sites and using Flexible SSL costs much less
  • “I’m not giving the reader a brilliant criminal idea, I’m sure this is rather obvious to any serious cybercriminal that creates those realistic website copies and the appealing emails that lead people to them – they have been trying to emulate the security features of real websites, but setting up trusted SSL has been a challenge. Now SSL is within their reach, even without the minimum knowledge on how to configure SSL servers.”
  • “It subverts the idea of a secure channel, because it is not secure by any reasonable definition, given the data is transmitted in the clear at some point through the public internet; the idea of authentication, given you no longer are interacting with the websites’ actual servers; and the idea of trust, since thousands of bogus certificates emitted this way will not ensure users’ security, leading me to distrust the trust model of the entire Web. That’s pretty severe right there.”
  • “I’m all for the proliferation of SSL, and security is indeed too difficult for the average webmaster to figure out. This means, unfortunately, that some websites that ask for your private data send it in the clear. Certainly SSL for everybody is much better?
    I’d argue that not really. Not only does it empower anyone to create malicious websites (see above) but it empowers people who don’t know security to do it badly. And by making Flexible SSL available, the easiest and default option is just that.“
  • Do you trust Cloudflare entirely? — Enabling Universal SSL gives your users a sense of security: that the data they are sending is protected from the prying eyes of attackers. Remember though, in this setup, Cloudflare has access to the entire data stream in cleartext, thus your transmission is only as secure as Cloudflare’s infrastructure: one zero-day exploit is all it takes to read traffic of potentially millions of websites with a single attack (this means it could take more than one attack, but certainly not proportional to the number of websites affected, in the sense that a single Cloudflare endpoint mediates traffic to multiple websites).
  • Full SSL allows you to use an untrusted certificate between your server and CloudFlare, then CloudFlare uses a real certificate between them and your users, but they can still snoop on everything
  • Sure, Cloudflare may be in a better position than you are to combat a zero day, but what about combating the government?
  • So, while CloudFlare touts itself as providing SSL for everyone, we are left questioning whether that is actually a good thing. Should people who don’t understand how SSL works really be hosting sites using SSL, leaving them and their users trusting that things are secure when they likely aren’t? And trusting CloudFlare doesn’t seem like the best idea either

Predicting 2015 | LINUX Unplugged 73
https://original.jupiterbroadcasting.net/74612/predicting-2015-lup-73/
Tue, 30 Dec 2014 19:09:35 +0000

The post Predicting 2015 | LINUX Unplugged 73 first appeared on Jupiter Broadcasting.


Our bold predictions for Linux & open source over 2015. Thought provoking, sometimes a bit inspired or maybe just plain wrong, this edition of Unplugged promises to entertain.

Plus what goes into making a great & secure messaging system & more!

Thanks to:

Ting


DigitalOcean


Linux Academy


Show Notes:

Pre-Show:

FU:

Telegram

Being good at going full Salesman on things comes with a certain responsibility if you care about your audience. Touting the security of Telegram should be avoided. By all means, use it if it fits your needs but please don’t portray Telegram as something vetted and secure, that’s doing the audience a disservice.

Only half of the equation (the client) is open source and the protocol is full of weirdness and outright flaws. I believe their crypto contest charade was even featured and scoffed at on one of the network’s channels a while ago.

Its encryption score in the following table should be taken with a grain of salt since it’s vulnerable to ‘hostile server’ attacks, which are sadly just a subpoena away:

https://www.eff.org/secure-messaging-scorecard

Why isn’t Debian as popular as Ubuntu on LAS

I have been loving LAS for some time now, but it always bothers me that Debian (the mother of so many great Linux distros) isn’t discussed as a primary Linux distro option as Arch/OpenSUSE/Ubuntu and so on. What is the deal with that? // Thanks for a great year, keep up the good work LAS!


2015 VLUG Linux Predictions

  • HighDPI
  • Security? Audits? Shellshock 2.0?
  • Elementary OS Fork
  • The first batch of Steam Machines reach the general public?
  • Ubuntu Touch?
  • Firefox OS?

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Celebrity Bugs | TechSNAP 191
https://original.jupiterbroadcasting.net/73082/celebrity-bugs-techsnap-191/
Thu, 04 Dec 2014 20:52:33 +0000

The post Celebrity Bugs | TechSNAP 191 first appeared on Jupiter Broadcasting.


2014 has been the year of the celebrity bugs, we take a look at the new trend of giving security vulnerabilities names & logos & ask who it truly benefits.

Plus practical way to protect yourself from ATM Skimmers, how they work & much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Wiretapping ATMs

  • “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.”
  • “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
  • “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
  • So, they attach to the REAL card reader, and siphon off a copy of the data as the card is read
  • That makes this form of skimming pretty much undetectable (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
  • The Krebs article also talks about new “insert transmitter skimmers”, that use a small battery and transmit the skimmed data a short distance, meaning the attacker does not have to return to the scene of the crime to collect the stolen data, decreasing their risk of getting caught
  • “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
  • “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”

Bug naming and shaming

  • This article discusses the advantages and disadvantages to having named and branded bugs like Heartbleed, as well as some behind the scenes info on that exploit, and the people behind the naming of various other vulnerabilities since then
  • “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
  • Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with OpenSSL, Red Hat, CloudFlare, Facebook, and Akamai
  • Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informed the National Cyber Security Centre Finland the next day
  • They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into super stardom. They had a logo and website designed, and prepared for the public disclosure of the bug
  • The original public disclosure was supposed to be made on April 9th. However, after details started to leak, and the OpenSSL team decided that if more than 1 group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
  • “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
  • “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
  • “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
  • “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
  • In the end, it seems Heartbleed was a success: most systems were patched quite quickly, although many systems did not follow the full procedure, and that has had some fallout that we have covered
  • In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, it helps to bring these actors out of the shadows and into the light.”
  • Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
  • ShellShock was the anti-case. It didn’t have a logo, or an official website. ShellShock timeline
  • It was actually originally dubbed BashDoor by its creator, but when it was leaked to the press by someone else, they provided the name ShellShock
  • Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion, where people thought they had already patched, but didn’t have the “latest” patch
  • Then, there were a number of follow-on vulnerabilities in bash that didn’t have names but were lumped in with ShellShock, which led to even more confusion
  • Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
  • Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
  • Who gains more for naming bugs, the end users who might become more aware of the issue and be able to protect themselves, or the PR powered firms that exploit it for their own good?

AT&T’s Identity Giveaway! | Tech Talk Today 71
https://original.jupiterbroadcasting.net/68342/atts-identity-giveaway-tech-talk-today-71/
Tue, 07 Oct 2014 09:58:41 +0000

The post AT&T's Identity Giveaway! | Tech Talk Today 71 first appeared on Jupiter Broadcasting.


An AT&T insider steals customer info, Samsung’s sales could be slipping by as much as 60% and Yahoo gets bit by Shellshock.

Plus our Kickstarter of the week & much more!


Show Notes:

AT&T Hit By Insider Breach | Threatpost | The first stop for security news

AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver’s license numbers.


In a letter sent to the Vermont attorney general, AT&T officials said that the breach occurred in August and that the employee in question also was able to access account information for AT&T customers.


“We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number. Additionally, while accessing your account, the employee would have been able to view your Customer Proprietary Network Information (CPNI), without proper authorization,” said Michael A. Chiarmonte, director of finance billing operations at AT&T, in a letter to the Vermont AG.


The CPNI he referred to in the letter includes data that’s related to the services that consumers buy from the company. Chiarmonte said in the letter that the employee responsible for the breach no longer works for AT&T. It’s not clear from AT&T’s disclosure how many consumers have been affected by the breach or which other states may have citizens who are affected.


As a result of the breach, AT&T is offering affected customers a year of free credit monitoring, as has become customary in these incidents.

Samsung Warns Weak Q3 Earnings – Business Insider

Samsung warned Monday night that its third-quarter earnings will be weaker than expected.


The company said it would report an operating profit of $3.8 billion for the quarter ending in September — a decline of nearly 60 percent from the same time a year earlier. Sales fell to $44 billion, off 20 percent from a year ago. […]


The South Korean electronics giant said that while smartphone shipments increased, its operating margins fell because of higher marketing costs, fewer shipments of high-end phones and a lower average selling price for the devices.


The company said it is responding with a new smartphone lineup that will include new mid-range and low-end devices, which would make Samsung’s products more competitive in markets such as China.

Hackers Compromised Yahoo’s Servers Using Shellshock

The exploits were first discovered by security researcher, Jonathan Hall. Hall pointed to two Yahoo Games servers that had been exploited. After Yahoo was contacted by Security Week it issued the following statement:


A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.

Plex Launches On Xbox One

The Plex app for Xbox One is a new approach to Plex overall, with a landscape interface that Plex co-founder and Chief Product Officer Scott Olechowski says is admittedly due partly to design requirements set out by the Xbox team, but that also will make its way back to the wider suite of Plex software on other platforms, too.


“[Xbox] certainly kind of encouraged this landscape type scrolling, but the more we used this the more we realized how well it works,” he said. “You’ll see this approach taken in other places. The more we used it, the more we realized it’s more natural. We kind of fell in love with aspects of it, [and] over time we want to have a more consistent experience.”

The Xbox One, the first official video game console to launch in China in 14 years, has started its console life in the middle kingdom with a bang! According to Chinese news sources, the Xbox One sold over 100,000 units within the first week of sales.

KICKSTARTER OF THE WEEK: Granola Strolla – Portable Solar USB charger by Granola Strolla Inc. — Kickstarter

GranolaStrolla is a portable, affordable and easy to use solar charged battery pack able to charge USB devices as fast as a wall charger

Xen Gets bashed | TechSNAP 182
https://original.jupiterbroadcasting.net/68177/xen-gets-bashed-techsnap-182/
Thu, 02 Oct 2014 21:05:42 +0000

The post Xen Gets bashed | TechSNAP 182 first appeared on Jupiter Broadcasting.


Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box.

Plus how secure are VLANs, a big batch of your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Bash plus Xen bug send the entire internet scrambling

  • A critical flaw was discovered in the bash shell, used as the default system shell in most versions of Linux, as well as OS X.
  • The flaw was in the parsing of environment variables. If a variable was set to contain a function definition, and that definition was followed by a semicolon (normally a separator that can be used to chain multiple commands together), the code after the semicolon would be executed when the shell started
  • Many people are not aware that CGI passes the original request data, as well as all HTTP headers, to the scripts via environment variables
  • After those using bash CGI scripts ran around like chickens with their heads cut off, others came to realize that even if the CGI scripts are actually Perl or something else, if they happen to fork a shell with the system() call, or similar, to do something, that shell will inherit those environment variables, and be vulnerable
  • As more people spent brain cycles thinking of creative ways to exploit this bug, it was realized that even qmail was vulnerable in some cases: if a user has a .qmail file or similar to forward their email via a pipe, that command is executed via the system shell, with environment variables containing the email headers, including from, to, subject etc
  • While FreeBSD does not ship with bash by default, it is a common dependency of most of the desktop environments, including GNOME and KDE. PCBSD also makes bash available to users, to make life easier for Linux switchers. FreeNAS uses bash for its interactive web shell for the same reason. While not vulnerable in most cases, all have been updated to ensure that some new creative way to exploit the bug does not crop up
  • Apparently the DHCP client in Mac OS X also uses bash, and a malicious DHCP server could exploit the flaw
  • The flaw also affects a number of VMware products
  • OpenVPN and many other software packages have also been found to be vulnerable
  • The version of bash on your system can be tested easily with this one-liner:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • Which will print “this is a test”, and if bash has not yet been patched, will first print ‘vulnerable’
  • ArsTechnica: Bug in bash shell creates big security hole on anything with linux in it
  • Concern over bash bug grows as it is actively exploited in the wild
  • First bash patch doesn’t solve problem, second patch rushed out to resolve issue
  • Now that people are looking, even more bugs in bash found and fixed
  • Shellshock fixes result in another round of patches as attacks get more clever
  • Apple releases patch for shellshock bug
  • There was also a critical update to NSS, the Mozilla cryptographic library, which was not properly validating SSL certificates
  • The other big patch this week was for Xen
  • It was announced by a number of public cloud providers, including Amazon and Rackspace, that some virtual server host machines would need to be rebooted to install security fixes, resulting in downtime for 10% of Amazon instances
  • It is not clear why this could not be resolved by live migrations
  • All versions of Xen since 4.1 until this patch are vulnerable. The flaw is only exploitable when running fully virtualized guests (HVM mode, uses the processor virtualization features), and can not be exploited by virtual machines running in the older paravirtualization mode. Xen on ARM is not affected
  • Xen Security Advisory
  • Amazon Blog Post #1
  • Amazon Blog Post #2
  • Rackspace Blog Post
  • Additional Coverage: eweek
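
The Shellshock notes above say that bash treated an environment variable holding a function definition as code, and that CGI hands every HTTP header to scripts as an environment variable. The following detection sketch is an added example, not part of the original show notes: it maps logged headers to the CGI variables they would become and flags any value bash would have parsed as a function definition. The function names, the "combined" access-log format and the sample log lines are assumptions constructed for illustration.

```python
import re

# Apache/nginx "combined" format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Prefix that marks an exported function in an environment value.
FUNC_PREFIX = "() {"


def cgi_env_from_headers(headers):
    """Map HTTP header names to CGI variable names (RFC 3875 style)."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env


def split_function(value):
    """Return the text that follows a function definition in `value`.

    None -> value is not a function definition (benign for this check)
    ""   -> a function definition with nothing after it
    str  -> the trailing text an unpatched bash would have executed
    Uses a plain brace counter; quoting inside the body is not modelled.
    """
    if not value.startswith(FUNC_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip(" ;\t")
    return ""  # body never closed: nothing identifiable after it


def scan_log(lines):
    """Flag log entries whose headers would reach CGI as function definitions."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        env = cgi_env_from_headers(
            {"Referer": m["referer"], "User-Agent": m["agent"]}
        )
        for name, value in env.items():
            trailing = split_function(value)
            if trailing is not None:
                findings.append({
                    "line": lineno,
                    "ip": m["ip"],
                    "variable": name,
                    "trailing": trailing,
                })
    return findings


# Constructed sample lines (documentation IP ranges); the flagged value is
# the harmless test string from the one-liner in the show notes.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :;}; echo vulnerable"',
    '203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "() { :;}" "curl/7.38.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d from %(ip)s: %(variable)s trailing=%(trailing)r" % f)
```

No legitimate header value begins with a shell function definition, so any finding is worth investigating even on patched hosts; a non-empty `trailing` field shows what would have run on an unpatched one.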

Cox Communications takes the privacy of its customers seriously, kind of

  • A female employee of Cox Communications (a large US ISP) was socially engineered into giving up her username and password
  • These credentials were then used to access the private data of Cox Customers
  • The attacker apparently only stole data about 52 customers, one of which was Brian Krebs
  • This makes it sound like a targeted attack, or at least an attack by someone who is (or is not) a fan of Brian Krebs
  • It appears that the Cox internal customer database can be accessed directly from the internet, with only a username and password
  • Cox says they use two factor authentication “in some cases”, and plan to expand the use of 2FA in the wake of this breach
  • Cox being able to quickly determine exactly how many customers’ data was compromised suggests they at least have some form of auditing in place, to leave a trail describing what data was accessed
  • Brian points out: “This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.” “Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.”

Other researchers recreate the BadUSB exploit and release the code on Github

  • The “BadUSB” research was originally done by Karsten Nohl and Jakob Lell, at SR Labs in Germany.
  • Presented at BlackHat, it described being able to reprogram the firmware of USB devices to perform other functions, such as a USB memory stick that presented itself to the computer as a keyboard, and typed out commands once plugged in, allowing it to compromise the computer and exfiltrate data
  • Brandon Wilson and Adam Caudill were doing their own work in this space, and when they heard about the talk at BlackHat, decided to accelerate their own work
  • They have now posted their code on Github
  • “The problem is that Nohl and Lell—and Caudill and Wilson—have not exploited vulnerabilities in USB. They’re just taking advantage of weaknesses in the manner in which USBs are supposed to behave“
  • “At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC“
  • “It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”
  • The way around this issue would be for device manufacturers to implement code signing
  • The existing firmware would only accept an update if the new firmware was signed by the manufacturer, preventing a malicious user from overwriting the good firmware with ‘bad’ firmware
  • Users could obviously still create their own devices specifically to carry the evil firmware, but code signing would prevent the case where an attack modifies your device to work against you
  • At the same time, many users might argue against losing control over their device, and no longer being able to update the firmware if they wish
  • The real solution may be for Operating Systems and users to evolve to no longer trust random USB devices, and instead allow the user to decide if they trust the device, possibly something similar to mobile apps, where the OS tells the user what functionality the device is trying to present
  • You might choose to not trust that USB memstick that is also attempting to present a network adapter, in order to override your DHCP settings and make your system use a set of rogue DNS servers
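One way to surface what the notes describe, a device's claimed functions shown before it is trusted, is to read the interface classes Linux records in sysfs. This is an added example, not code from the researchers or the show; the function names, the ok/review policy and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the roles each USB device claims and flag storage
# devices that also present input or network interfaces.

# Names for the interface classes this (hypothetical) policy cares about.
class_name() {
    case "$1" in
        02|0a) echo network ;;             # CDC communications / CDC data
        03)    echo keyboard-or-mouse ;;   # HID
        08)    echo storage ;;             # mass storage
        e0)    echo wireless-or-rndis ;;   # wireless controller class
        *)     echo "class-$1" ;;
    esac
}

# usb_policy_report [ROOT]
# Prints one line per device: "<device> <role,role,...> <ok|review>".
# ROOT defaults to the live Linux sysfs tree.
usb_policy_report() {
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue       # skip interface directories
        roles=""
        for cls_file in "$dev":*/bInterfaceClass; do
            [ -f "$cls_file" ] || continue
            role=$(class_name "$(cat "$cls_file")")
            case ",$roles," in
                *",$role,"*) ;;                   # role already listed
                *) roles=${roles:+$roles,}$role ;;
            esac
        done
        [ -n "$roles" ] || continue               # e.g. root hubs
        verdict=ok
        case ",$roles," in
            *,storage,*)
                case ",$roles," in
                    *,keyboard-or-mouse,*|*,network,*|*,wireless-or-rndis,*)
                        verdict=review ;;
                esac ;;
        esac
        echo "${dev##*/} $roles $verdict"
    done
}

# Constructed sample tree (not real hardware) mirroring the sysfs layout:
# device dirs such as 1-3 hold idVendor; interface dirs are <device>:<cfg>.<n>.
make_sample_tree() {
    t=$(mktemp -d)
    for spec in 1-1=08 1-2=03 "1-3=08 02 0a" "1-4=08 03"; do
        dev=${spec%%=*}
        mkdir -p "$t/$dev"
        echo 0000 > "$t/$dev/idVendor"            # placeholder vendor id
        n=0
        for cls in ${spec#*=}; do
            mkdir -p "$t/$dev:1.$n"
            echo "$cls" > "$t/$dev:1.$n/bInterfaceClass"
            n=$((n + 1))
        done
    done
    echo "$t"
}
```

Calling `usb_policy_report` with no argument reads the live tree on a Linux host; a `review` line is the memstick-plus-network-adapter case described above.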



The post Xen Gets bashed | TechSNAP 182 first appeared on Jupiter Broadcasting.

The Daemon’s Apprentice | BSD Now 57 https://original.jupiterbroadcasting.net/68082/the-daemons-apprentice-bsd-now-57/ Thu, 02 Oct 2014 11:54:25 +0000 https://original.jupiterbroadcasting.net/?p=68082 We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place […]

The post The Daemon's Apprentice | BSD Now 57 first appeared on Jupiter Broadcasting.


We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –

Headlines

NetBSD at Hiroshima Open Source Conference

  • NetBSD developers are hard at work, putting NetBSD on everything they can find
  • At a technology conference in Hiroshima, some developers brought their exotic machines to put on display
  • As usual, there are lots of pictures and a nice report from the conference

FreeBSD’s Linux emulation ports rehaul

  • For a long time, FreeBSD’s emulation layer has been based on an ancient Fedora 10 system
  • If you’ve ever needed to install Adobe Flash on BSD, you’ll be stuck with all this extra junk
  • With some recent work, that’s been replaced with a recent CentOS release
  • This opens up the door for newer versions of Skype to run on FreeBSD, and maybe even Steam someday

pfSense 2.2-BETA

  • Big changes are coming in pfSense land, with their upcoming 2.2 release
  • We talked to the developer a while back about future plans, and now they’re finally out there
  • The 2.2 branch will be based on FreeBSD 10-STABLE (instead of 8.3) and include lots of performance fixes
  • It also includes some security updates, lots of package changes and updates and much more
  • You can check the full list of changes on their wiki

NetBSD on the Raspberry Pi

  • This article shows how you can install NetBSD on the ever-so-popular Raspberry Pi
  • As of right now, you’ll need to use a -CURRENT snapshot to do it
  • It also shows how to grow the filesystem to fill up an SD card, some pkgsrc basics and how to get some initial things set up
  • Can anyone find something that you can’t install NetBSD on?

Interview – Steve Wills – swills@freebsd.org / @swills

Mentoring new BSD developers


News Roundup

MidnightBSD 0.5 released

  • We don’t hear a whole lot about MidnightBSD, but they’ve just released version 0.5
  • It’s got a round of the latest FreeBSD security patches, driver updates and various small things
  • Maybe one of their developers could come on the show sometime and tell us more about the project

BSD Router Project 1.52 released

  • The newest update for the BSD Router Project is out
  • This version is based on a snapshot of 10-STABLE that’s very close to 10.1-RELEASE
  • It’s mostly a bugfix release, but includes some small changes and package updates

Configuring a DragonFly BSD desktop

  • We’ve done tutorials on how to set up a FreeBSD or OpenBSD desktop, but maybe you’re more interested in DragonFly
  • In this post from Justin Sherrill, you’ll learn some of the steps to do just that
  • He pulled out an old desktop machine, gave it a try and seems to be pleased with the results
  • It includes a few Xorg tips, and there are some comments about the possibility of making a GUI DragonFly installer

Building a mini-ITX pfSense box

  • Another week, another pfSense firewall build post
  • This time, the author is installing to a Jetway J7F2, a mini-ITX device with four LAN ports
  • He used to be a m0n0wall guy, but wanted to give the more modern pfSense a try
  • Lots of great pictures of the hardware, which we always love

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Slides from most of the EuroBSDCon talks are up, hopefully we’ll have the links to all the videos soon
  • We got lots of great interviews, so look forward to those in the coming months
  • The Book of PF’s third edition is now available to buy digitally, and physical copies will be available later this month
  • OpenBSD 5.6 preorders are up on their new store, openbsdstore.com – there’s also some other cool things there
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Calm Before the Storm | LINUX Unplugged 60 https://original.jupiterbroadcasting.net/67937/calm-before-the-storm-linux-unplugged-60/ Tue, 30 Sep 2014 17:30:57 +0000 https://original.jupiterbroadcasting.net/?p=67937 Today’s show is full of robust discussion as your hosts discuss the recent criticism over our coverage of Ubuntu 14.10, the general reaction to Shellshock & the Netflixification of Photoshop on Chromebooks. Plus picking the best distro for getting a job, a little more XFCE chat & much more! Thanks to: Direct Download: MP3 Audio […]

The post Calm Before the Storm | LINUX Unplugged 60 first appeared on Jupiter Broadcasting.


Today’s show is full of robust discussion as your hosts discuss the recent criticism over our coverage of Ubuntu 14.10, the general reaction to Shellshock & the Netflixification of Photoshop on Chromebooks.

Plus picking the best distro for getting a job, a little more XFCE chat & much more!

Thanks to:

Ting


DigitalOcean


Linux Academy


Show Notes:

Pre-Show:

Adobe brings Creative Cloud to Chromebooks starting w/ ‘Project Photoshop Streaming’ beta | 9to5Google



Shellshock Reaction Overblown?

This is a defense of the most prolific and dedicated public servant that has graced the world in my lifetime. One man has added hundreds of billions, if not trillions of dollars of value to the global economy. This man has worked tirelessly for the benefit of everyone around him. It is impossible to name a publicly traded company that has not somehow benefitted from his contributions, and many have benefitted to the tune of billions. In return for the countless billions of wealth that people made from the fruits of his labor, he was rewarded with poverty and ridicule. Now that the world is done taking from him, they are heading to the next step of vilifying him as incompetent.

Save 75% on Borderlands 2 on Steam for Linux!

A new era of shoot and loot is about to begin. Play as one of four new vault hunters facing off against a massive new world of creatures, psychos and the evil mastermind, Handsome Jack. Make new friends, arm them with a bazillion weapons and fight alongside them in 4 player co-op on a relentless quest for revenge and redemption across the undiscovered and unpredictable living planet.

Operating System: SteamOS, Ubuntu 14.04

CPU Processor: Intel Core 2 Quad, AMD Phenom II X4

CPU Speed: 2.4GHz

Memory: 4 GB RAM

Hard Disk Space: 13 GB

Video Card (NVidia): Geforce 260

Video Memory (VRam): 1GB

IMPORTANT NOTICE: Don’t meet the above requirements? That doesn’t mean your configuration won’t run Borderlands 2. Visit the Borderlands 2 community page to share your experience with other Linux players and learn about how to send bugs to Aspyr. Your feedback will help us improve Borderlands 2 Linux and future AAA Linux releases!

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

Weaponized Bash | Linux Action Show 332 https://original.jupiterbroadcasting.net/67717/weaponized-bash-linux-action-show-332/ Sun, 28 Sep 2014 16:46:08 +0000 https://original.jupiterbroadcasting.net/?p=67717 The Shellshock bug is taking the internet by storm, Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more! Then it’s our look at what’s great […]

The post Weaponized Bash | Linux Action Show 332 first appeared on Jupiter Broadcasting.


The Shellshock bug is taking the internet by storm, Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more!

Then it’s our look at what’s great in Gnome 3.14, Ubuntu 14.10 & another systemd alternative that’s doing it right.

Thanks to:


DigitalOcean


Ting


— Show Notes: —

Shellshock with Matthew Miller – FedoraProject


System76

Brought to you by: System76

Shellshock BASH Vulnerability Tester

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU’s bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in the last 24 hours (See patch history), you’re most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Shellshock: How does it actually work? | Fedora Magazine

And there’s quite a lot of other little cleanups in there too — security people at Fedora, at Red Hat, and around the world sure have been busy for the couple of days. Thanks to all of you for your hard work, and to Fedora’s awesome QA and Release Engineering teams, who sprung into action to make sure that these updates got to you quickly and safely.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole | Ars Technica

Here’s how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable. Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell.

Shellshock just ‘a blip’ says Richard Stallman as Bash bug attacks increase | Technology

GNU Project founder: ‘Any program can have a bug. But a proprietary program is likely to have intentional bugs’

The bash vulnerability and Docker containers | Colin Walters

In a previous post about Docker, I happened to randomly pick bash as a package shared between the host and containers. I had thought of it as a relatively innocent package, but the choice turned out to be prescient. The bash vulnerability announced today shows just how important even those apparently innocent packages can be.

shellshock – What does env x='() { :;}; command' bash do and why is it insecure? – Unix & Linux Stack Exchange

bash stores exported function definitions as environment variables. Exported functions look like this:

$ foo() { bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() {  bar
}

That is, the environment variable foo has the literal contents:

() {  bar
}

When a new instance of bash launches, it looks for these specially crafted environment variables, and interprets them as function definitions. You can even write one yourself, and see that it still works:

$ export foo='() { echo "Inside function"; }'
$ bash -c 'foo'
Inside function

Unfortunately, the parsing of function definitions from strings (the environment variables) can have wider effects than intended. In unpatched versions, it also interprets arbitrary commands that occur after the termination of the function definition. This is due to insufficient constraints in the determination of acceptable function-like strings in the environment. For example:

$ export foo='() { echo "Inside function" ; }; echo "Executed echo"'
$ bash -c 'foo'
Executed echo
Inside function

Note that the echo outside the function definition has been unexpectedly executed during bash startup. The function definition is just a step to get the evaluation and exploit to happen, the function definition itself and the environment variable used are arbitrary. The shell looks at the environment variables, sees foo, which looks like it meets the constraints it knows about what a function definition looks like, and it evaluates the line, unintentionally also executing the echo (which could be any command, malicious or not).

This is considered insecure because variables are not typically allowed or expected, by themselves, to directly cause the invocation of arbitrary code contained in them. Perhaps your program sets environment variables from untrusted user input. It would be highly unexpected that those environment variables could be manipulated in such a way that the user could run arbitrary commands without your explicit intent to do so using that environment variable for such a reason declared in the code.
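An added example (not from the Stack Exchange answer or the show notes) that audits a process environment for values beginning with `() {`, covering both the plain exported function and the trailing-command case quoted above. The function names and sample records are constructed for illustration; it also recognises the `BASH_FUNC_<name>%%` variable naming that patched bash releases use for exported functions, which the page does not mention.

```shell
#!/bin/sh
# Added example: audit a NUL-separated environment block (the format of
# /proc/<pid>/environ on Linux) for values that start with "() {", the
# prefix unpatched bash treated as an exported function definition.

# classify_environ FILE
# Prints "<verdict> <NAME>" for each variable whose value starts with "() {":
#   bash-func               BASH_FUNC_<name>%% naming used by patched bash
#   legacy-funcdef          plain name, value ends at a closing brace
#   legacy-funcdef+trailing plain name, text follows the last closing brace
# Both legacy verdicts mark input an unpatched bash would evaluate at
# startup; the +trailing suffix is a triage heuristic, not a safety test.
classify_environ() {
    # Newlines inside values become spaces and NUL separators become
    # newlines, so every variable occupies exactly one line for sed.
    tr '\n\000' ' \n' < "$1" |
    sed -n \
        -e 's/^\(BASH_FUNC_[^=]*%%\)=() {.*/bash-func \1/p' \
        -e 's/^\([^=]*\)=() {.*}[[:space:]]*$/legacy-funcdef \1/p' \
        -e 's/^\([^=]*\)=() {.*/legacy-funcdef+trailing \1/p'
}

# Constructed sample environment (not captured from a real system).
# HTTP_USER_AGENT stands for a request header a CGI server copied into
# the environment; its value is the test string quoted on this page.
make_sample_environ() {
    f=$(mktemp)
    printf '%s\000' \
        'PATH=/usr/bin:/bin' \
        'foo=() {  bar
}' \
        'HTTP_USER_AGENT=() { :;}; echo vulnerable' \
        'BASH_FUNC_greet%%=() {  echo hi
}' \
        'NOTE=mentions () { mid-value, not at the start' > "$f"
    echo "$f"
}
```

On Linux, pointing `classify_environ` at `/proc/<pid>/environ` of a CGI or service process audits the environment that process was started with.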


— PICKS —

Runs Linux

India’s Mission to Mars, runs Linux

India has made history today by being the first and only country in the world to send a space craft to Mars in first attempt. The country also made history as it achieved it in a budget lesser than the un-scientific Hollywood block buster Gravity; India spent only $71 million on the mission.

Desktop App Pick

Shellshock BASH Vulnerability Tester

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.

Weekly Spotlight

RockStor: Store Smartly: Free Advanced File Storage

✔ Installs on 64-bit commodity hardware or virtual machine
✔ Built on top of Enterprise Linux operating system
✔ Supports NAS sharing protocols including Samba/CIFS, NFS and SFTP
✔ Efficient storage management functionality with web-ui or CLI
✔ Extend functionality with plugins


— NEWS —

GNOME 3.14 Released, See What’s New

After six months of development, GNOME 3.14 was released today and it includes quite a few interesting changes such as multi-touch gestures for both the system and applications, re-worked default theme, new animations as well as various enhancements for the core GNOME applications.

In a nutshell I like Gnome 3.14 a lot. It’s a really nice release. Though I am a hard core Plasma user, I see myself spending some time with Gnome, enjoying things like online integration, easy-to-set-up Evolution and many more features which I can’t find in KDE’s Plasma. That said, both are my favorite. They both excel in their focus areas. If you have not tried Gnome yet, do give it a try.


Apart from Touch support in Shell there is also support for GNOME apps and in fact some GNOME apps they do use gestures!

The Wayland changes for GTK+ 3.14 include support for the recently released Wayland 1.6, touch input is now supported, working drag-and-drop support, and support for the GNOME classic mode.

Touchscreens are no longer just for tablets and phones. Touchscreen laptop computers and desktops are becoming the norm, if not more common, in the computer market. Much of this has been spurred-on by Microsoft and Windows 8, whose “Modern” interface is about as touchscreen-friendly as you can get. In fact, it is what is driving the laptop market to include capacitive touchscreens.

The nosh package

It should also be suitable for filling the gap caused by the systemd tool not being portable outwith the Linux kernel since it is known to work on proper BSD and on Debian Linux, and therefore should work on Debian kFreeBSD.

Ubuntu 14.10 Beta Downloads Now Available

There’s not even a new default desktop wallpaper.

Feature Freeze is the point past which no new features, packages or APIs are introduced, with emphasis placed on polish and bug fixing to ensure as stable an experience as possible. Feature Freeze for Ubuntu 14.10 and its flavors came into effect on August 21 — a month prior to the release of GNOME 3.14 Stable.

It’s this tight timeframe that conspires against the Ubuntu GNOME team, making it impossible for them to include latest GNOME stack. If you were one of those who hoped to find GNOME 3.12 in Ubuntu 14.04 LTS, you’ll be familiar with the impact this has.


A series of maintained PPAs — Stable, Staging, and Next — provide backports of newer GNOME releases to Ubuntu, allowing you to optionally roll with (potentially untested) newer software should you want to.

Tech Talk Today | A Daily Tech News Show with a Linux Perspective



— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting


Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

The Bourne Shellshock | Tech Talk Today 65 https://original.jupiterbroadcasting.net/67562/the-bourne-shellshock-tech-talk-today-65/ Thu, 25 Sep 2014 10:31:30 +0000 https://original.jupiterbroadcasting.net/?p=67562 A major flaw in the Bash shell has been discovered, and the Internet is losing its collective mind over it. We discuss the possible far reaching ramifications of the flaw, and the comparisons to Heartbleed. Plus some solid rumors on the next Nexus device, major iOS 8 update issues, and India’s historical tech event from […]

The post The Bourne Shellshock | Tech Talk Today 65 first appeared on Jupiter Broadcasting.


A major flaw in the Bash shell has been discovered, and the Internet is losing its collective mind over it. We discuss the possible far reaching ramifications of the flaw, and the comparisons to Heartbleed.

Plus some solid rumors on the next Nexus device, major iOS 8 update issues, and India’s historical tech event from this week.


Show Notes:

Exclusive: This is ‘Shamu,’ Motorola’s upcoming Nexus 6/X

Google’s upcoming “Nexus 6” (some claim it will be called “Nexus X”) has long been rumored, and there have been many leaked specifications and details rolling out for quite some time now.

Notably, a report from last month based on specifications leaked via GFXBench seemingly all but confirmed a variety of facts about the device: a 2.6GHz quad-core Snapdragon 805 processor, 3GB of RAM, 32GB of internal storage, a 13-megapixel rear-facing camera, a 2-megapixel front-facing shooter and Android L (surprise, surprise).

The biggest unknown is the screen, but 9to5Google reports 5.92-inch screen, with QHD resolution of 2560 x 1440. This dense screen according to our calculations comes out to be 498 PPI—a fairly impressive number for any smartphone. As such, it’s going to have a battery that is equally impressive, packing 3,200 mAh to power all of those pixels.

Previous reports suggested a 5.2-inch screen instead of the currently rumored 5.92-inch


As for the overall appearance of the device, it’s basically going to be a scaled up 2nd generation Moto X with some minor tweaks to make the larger size easier to use.

Bug in Bash shell creates big security hole on anything with *nix in it | Ars Technica

The bug, discovered by Stephane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server.

Errata Security: Bash bug as big as Heartbleed

Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons.

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.


The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things

First attacks using ‘shellshock’ Bash bug discovered

AusCERT earlier yesterday also claimed to have received reports the bug was being exploited in the wild.

Meanwhile, security researcher Robert Graham claims to have found at least 3,000 systems vulnerable to the bug. However Graham’s scan only looked at systems on port 80; the researcher noted embedded webservers on odd ports are the real danger and a scan for these “would give a couple times more results”.

Check yourself:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Jupiter Broadcasting at Ohio LinuxFest

Going to Ohio LinuxFest? Join our Google+ event for future meetup plans!

iOS 8.0.1 Causing No Service, Touch ID Issues on iPhone 6/6 Plus, Apple Support Recommends iTunes Restore – Mac Rumors

Following the release of iOS 8.0.1 this morning, numerous users found that their cellular service was disabled, reporting “No Service” messages after updating. Affected users also appear to be experiencing problems with Touch ID, which seems to be completely non-functional.

It appears that the issue is limited to users who have an iPhone 6 or an iPhone 6 Plus, but affected devices span several carriers.


Apple support has also recommended restoring iOS 8.0.1 via iTunes to fix the problem.


iOS 8.0.1 is no longer available via an over-the-air download.

Apple says that it is actively investigating reports of problems and has pulled iOS 8.0.1 in the meantime. The company also says that it will provide information as quickly as it can.

Upcoming price increase for NEW Plex Pass subscriptions – Plex Blog : Plex Blog

So on September 29, 2014 we’ll be making some changes to our Plex Pass subscription rates for new subscribers:

  • Monthly Plex Pass subscriptions will increase from $3.99 to $4.99 per month.
  • Annual Plex Pass subscriptions will increase from $29.99 to $39.99 per year.
  • Lifetime Plex Passes will increase from $74.99 to $149.99.

India’s Mars mission could be a giant leap | Priyamvada Gopal | Comment is free | The Guardian

After a journey of 300 days and 420 million miles, an Indian satellite has arrived in orbit around Mars. To have done so on an economy ticket — at $74m “the cheapest interplanetary mission ever to be undertaken by the world”, according to the mission’s leader
