We’ll tell you about the real world pirates that hacked a shipping company, the open source libraries from Mars Rover found being used in malware & Microsoft’s solution for that after-hack hangover.

Plus great questions, a packed round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pirates hacked Shipping Company to find valuable cargo

• As described in Verizon’s most recent Data Breach Digest, a collection of cyber-security case studies the company’s RISK Team helped investigate and solve sometime in the past year, a reputable global shipping conglomerate started having peculiar problems with sea pirates.
• The shipping company was telling Verizon that pirates were boarding their vessels at regular intervals.
• Equipped with a barcode reader (and weapons, of course), searching specific crates, emptying all the high-value cargo, and making off with the loot within minutes of launching their attacks.
• All of this made the shipping company think there was something strange and hired the RISK Team to track down the source of a possible leak.
• The RISK Team quickly narrowed down the problem to the firm’s outdated custom-built CMS, which featured an insecure upload script.
• As the Verizon team explained, a hacker, either part of the sea pirates group or hired by them, had uploaded a Web shell via this insecure form. In turn, this shell was uploaded inside a Web-accessible directory.
• To make things worse, that particular folder also had “execute” permissions.
• Using this access to the shipping firm’s database, the hacker pulled down BoLs (bills of lading), future shipment schedules, and ship routes so the pirates could plan their attack and identify crates holding valuable content.
• Fortunately, the hacker wasn’t that skilled. Verizon says that the attacker used a Web shell that didn’t support SSL, meaning that all executed commands were recorded in the Web server’s log.
• The RISK Team was able to recreate a historic timeline of all the hacker’s actions and identify exactly what he looked at and where he sent the files.
• Verizon’s RISK Team states:

“These threat actors, while given points for creativity, were clearly not highly skilled,” the RISK Team explains. “For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.”

• Additionally, as a sign of their lack of skills, the attacker also didn’t use a proxy or VPN and exposed their home IP address.
• The rest of the Verizon threat digest report
• Direct PDF Download

Open source libraries from Mars Rover found being used in malware

• According to Palo Alto Networks, on December 24, 2015, India’s Ambassador to Afghanistan received a spear-phishing email that contained a new malware variant, which, if downloaded and installed, would have opened a backdoor on the official’s computer.
• India has been a trustworthy business partner for Afghanistan, helping the latter build its new Parliament complex, the Salma Dam, along with smaller transportation, energy, and infrastructure projects.
• Because of this tight collaboration between the two, it is normal that other nations or interest groups may want to know what the two countries are planning together.
• The Ambassador’s email was spoofed and made to look like it was coming from India’s Defense Minister, Manohar Parrikar. Attached to the email was an RTF file.
• Palo Alto researchers say that this file contained malicious code to exploit the CVE-2010-3333 Office XP vulnerability, resulting in the download of a file named “file.exe” from the newsumbrealla[.]net domain.
• This file was automatically launched into execution and was a simple malware payload dropper that was tasked with downloading the real threat, a new trojan that the researchers christened Rover.
• This malware was given the “Rover” name because it relied on the OpenCV and OpenAL open source libraries, both used in the software deployed with the famous Mars Rover exploration robot.
• OpenCV is a library used in computer vision applications and image processing while OpenAL is a cross-platform library for working with multichannel audio data.
• Its capabilities included the ability to take screenshots of the desktop in BMP format and send them to the C&C server every 60 minutes, logging keystrokes and uploading the data to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes.
• Additionally, there was also a backdoor component that allowed attackers to send commands from the C&C server and tell Rover to take screenshots or start recording video (via webcam) and audio (via microphone) whenever the attacker wanted to.
• “Though ‘Rover’ is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim,” Palo Alto researchers explain.
• Rover is largely undetected by today’s antivirus engines, and despite not coming with that many features, it is successful at keeping a low profile, exactly what cyber-espionage groups need from their malware to begin with.
• New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan – Palo Alto Networks Blog

Microsoft brings post-breach detection features to Windows

• Microsoft announced its new post-breach enterprise security service called Windows Defender Advanced Threat Protection, which will respond to these advanced attacks on companies’ networks.
• The company found that it currently takes an enterprise more than 200 days to detect a security breach, and 80 days to contain it. When there is such a breach, the attackers can steal company data, find private information, and damage the brand and customer trust in the company.
• For example, a social engineering attack might encourage a victim to run a program that was attached to an e-mail or execute a suspicious-looking PowerShell command. The Advanced Persistent Threat (APT) software that’s typically used in such attacks may scan ports, connect to network shares to look for data to steal, or connect to remote systems to seek new instructions and exfiltrate data. Windows Defender Advanced Threat Protection can monitor this behavior and see how it deviates from normal, expected system behavior. The baseline is the aggregate behavior collected anonymously from more than 1 billion Windows systems. If systems on your network start doing something that the “average Windows machine” doesn’t, WDATP will alert you.
• The whole thing is cloud-based with no need for any on-premises server. A client on each endpoint is needed, which would presumably be an extended version of the Windows Defender client.
• Windows Defender Advanced Threat Protection is under development, though it is currently available to some early-adopter customers.
• This service will help enterprises to detect, investigate and respond to advanced attacks on their networks.
• Microsoft said that it is building on the existing security defenses Windows 10 offers today, and the new service will provide a post-breach layer of protection to the Windows 10 security stack.
• With the client technology built into Windows 10 along with the cloud service, it will help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
• To avoid Windows 7 becoming “the new Windows XP,” the company is being rather more aggressive in applying pressure on users to upgrade to Windows 10 sooner rather than later.
• WDATP is going to be part of that same push to Windows 10, and it won’t be available for older operating systems.
• Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned | Ars Technica

Feedback:

• The main difference between a router and a switch.

• Penetration Testing

• Expanding 4 drive zed pool

• Allan’s Internet

Round Up:

• SSD reliability in the real world: Google’s experience
• Google suggests new “tall” hard drive form factor
• Comcast’s “Home Security System” product defeated by simple tape recorder and battery
• The story of some aweful IoT lightbulbs
• Samsung ships the world’s highest capacity SSD, with 15TB of storage
• ITU gives first-stage approval to 40Gbps FTTH standard
• Thieves Nab IRS PINs to Hijack Tax Refunds
• Cyber Criminals face same talent shortages that security firms do
• IBM researcher finds PDF library used by Microsoft Edge has serious exploits
• Abusing a wifi chip to micro-broadcast color TV signals

The post Fixing the Barn Door | TechSNAP 257 first appeared on Jupiter Broadcasting.

Mike & Chris discuss the hard problem of identifying opportunity costs vs staying flexible and cheap, why making communication a priority is almost never a priority & the numbers suggest coding bootcamps are growing like crazy… But is that a good thing?

Plus when to ship, and why testing can really make Mike testy, your feedback & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Hoopla:

Why Software Outsourcing Doesn’t Work … Anymore – Yegor Bugayenko

I_’m talking about outsourcing, not offshore development. The difference is that in outsourcing, there are two companies involved: you the client and some WeCodeLikeNoOneElse Inc. from Loompaland. In offshore development, you just open an office in that same Loompaland with your own management and employees_

Shipping

When is it time to just call something done and ship
How much polish is enough
Acceptable bugs?

Testing is Making Me Testy

Can you be a good dev and be ‘bad at testing’?
Once upon a time… QA Staff Existed…. Should they come back?
TDD? BDD? Alphabet Soup?

Can coding bootcamps replace a computer science degree?

A _2015 survey from Course Report of 67 U.S. and Canadian bootcamp schools_found that the average tuition per program is just over $11,000, with an average program length of about 11 weeks. Compare that with an average cost of $31,321 for one year at a private college, and a tech bootcamp seems like a great deal. Even a year for in-state students attending a public institution can expect to pay just over $9,000 per year, while out-of-state students pay an average of $22,958 per year at public colleges.

Michael Dominick on Twitter: “#ubuntu 15.10 should I give it a shot @ChrisLAS ? #linux”

Feedback:

• FOSS alternative to Slack

• How to install and run Mattermost on DigitalOcean using Docker

This guide will get you up and running Mattermost on DigitalOcean using the Docker container system.

• Muting Android notifications when watch is connected

#ProTip: Having #Cordova / #ionic build problems in #XCode. Make sure you have: "$(OBJROOT)/UninstalledProducts/$(PLATFORM_NAME)/include"

— Buccaneer Tech, INC (@BuccaneerTech) October 29, 2015

The post Coder Puppy Mills | CR 177 first appeared on Jupiter Broadcasting.

Oculus VR gets a ship date and we discuss the devices about to hit market. Reddit gets into creating its own content & the NSA brags about transcribing your phone calls.

Plus replacing Plex with Kodi, the burdens of a hand model & much more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Oculus Rift virtual reality headset will ship in early 2016 | Technology | The Guardian

The first commercial model of Facebook’s much anticipated Oculus Rift virtual reality headset will go on sale in the first quarter of 2016, the company confirmed today.

The announcement ends months of speculation that the release, which had been anticipated to happen by the end of 2015, would slip beyond Christmas. The most high profile device in the virtual reality market, Oculus Rift has been developed primarily for gaming but the technology is also being explored for occupational therapy, education and by film makers.

Reddit launches a video division to create original content | The Verge

Recently it has begun to venture into original content with a podcast and newsletter. Today it is going even further with the launch of its own video division. “Reddit’s mission is to connect people across the world through authentic conversations, collaboration, and community — video is an amazing storytelling medium and there’s no better wellspring of original stories than Reddit,” said co-founder Alexis Ohanian.

• Eye To Eye With Katie Couric: Being A Hand Model (CBS News) – YouTube

How the NSA Converts Spoken Words Into Searchable Text – The Intercept

Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored.

The documents show NSA analysts celebrating the development of what they called “Google for Voice” nearly a decade ago.

Kodi | Open Source Home Theatre Software

Kodi(tm) (formerly known as XBMC(tm)) is an award-winning free and open source (GPL) software media center for playing videos, music, pictures, games, and more. Kodi runs on Linux, OS X, Windows, iOS, and Android, featuring a 10-foot user interface for use with televisions and remote controls. It allows users to play and view most videos, music, podcasts, and other digital media files from local and network storage media and the internet. Our forums and Wiki are bursting with knowledge and help for the new user right up to the application developer. We also have helpful Facebook, Google+, Twitter and Youtube pages.

Open Source Kollaboration | LUP 91 | Jupiter Broadcasting

Aaron Seigo joins us to discuss the Kolab project, open source’s genuine answer to Microsoft Exchange and other groupware solutions. We also discuss the Roundcube project’s fundraiser & possible integration with Kolab.

The post Okay "NSA", I'm Listening… | Tech Talk Today 167 first appeared on Jupiter Broadcasting.

When is the time right to launch your project? Mike and Chris discuss how understanding your market can be key to answering that question, building a community, advertising, and when to just ship it.

Plus: Things to tell your IT guy, QA war stories, and a batch of your feedback!

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Show Notes:

Feedback

• New Coder wants to when he is considered to “know” a language.

• Luke asks:

“How is it you come to figure out the right tools (languages) for the right job, and once you do that, what\’s the anticipated \’study time\’ that needs to go into learning to use the language well enough to feel like you can actually do what you\’ve set out to do?”

• Eric shares a development contest

• Hayden wants to know what I think of JavaFX

• mdominick.com – Give Duke a Break

Brian’s War Story

Hello Michael and Chris,

I work in a medium sized development shop with about 20 developers working on what\’s essentially an enterprise client side app. I have always considered our process for releasing bug fix updates as being rather backwards and poorly executed. Essentially our head of \”QA\” will send an e-mail one morning to all developers that the code is \”frozen\”.

He will then do a build, test it for 4 or 5 days and then send an e-mail to everyone that the code is \”unfrozen\”. During this \”frozen\” time the developers are still expected to continue fixing bugs but rather than check in their changes they are supposed to \”sit\” on them, usually for several days, until the \”unfrozen\” e-mail is sent out. At this point a free-for-all of code check in commences with all sorts of conflict and collision shenanigans.

That said, there is nothing physically restricting the checking in of code. If a developer doesn\’t see the \”fr eeze\” e-mail or simply forgets after a few days then \”QA\” unleashes their wrath on the poor sod. I\’m sure you can see all sorts of problems with this joke of a build/test/release process and I am even a little embarrassed just describing it. I would like to offer some suggestions to my superiors about ways to improve this and was wondering if you guys had any thoughts or suggestions.

One, perhaps obvious idea would be to switch to using Git as we are still using the ancient CVS for source control. However I\’m still very much a novice and trying to learn it better in my spare time. How would you suggest to use Git in a way that we can improve our build/test/release cycle? Do you have any other thoughts or suggestions to bring our release cycle up to a more sane and reasonable, not to mention modern process?

Thanks for your thoughts and thank you for the awesome show you do each week.

Sincerely,
Brian M.

Launch!

• How do you know when your project is ready to launch?

• Is this really a bug?

  • Bug? or new feature?

• Do I have to be 100% bug free to ship?

  • Is that even possible

• What market?

Follow the show

• Email the show
• Live Monday 9am PST
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post Just Ship | CR 33 first appeared on Jupiter Broadcasting.