Sony – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 03 Jan 2019 15:34:40 +0000

Back to our /roots | TechSNAP 393
https://original.jupiterbroadcasting.net/128656/back-to-our-roots-techsnap-393/
Thu, 03 Jan 2019 07:34:40 +0000

Show Notes: techsnap.systems/393

The post Back to our /roots | TechSNAP 393 first appeared on Jupiter Broadcasting.

Snappy New Year! | TechSNAP 247
https://original.jupiterbroadcasting.net/92196/snappy-new-year-techsnap-247/
Thu, 31 Dec 2015 08:09:23 +0000

We take a look back at some of the big stories of 2015, at least, as we see it.

Plus the round up & more!

— Show Notes: —

Episode 227: Oracle’s EULAgy #oraclefanfic

  • Oracle Chief Security Officer, Mary Ann Davidson, makes a blog post railing against reverse engineering and security research
  • Claims Oracle is pretty good at finding bugs in their own code, and doesn’t need anyone else’s help, and that it violates their EULA
  • The blog post was quickly taken down, but this is the Internet, it doesn’t work like that

Episode 196: Sony’s Hard Lessons

  • Bruce Schneier walks us through what we can learn from the hack of Sony’s corporate network

Episode 217: An Encryptioner’s Conscience

  • A recurring theme: firmware is terrible
  • Replace your router with something that runs a real OS
  • Luckily, more and more routers finally have enough hardware to run a minimal Linux or BSD install
  • Smaller APU and Atom machines can run full OS or appliance software like pfSense

Episode 211: The French Disconnection

  • Episodes recorded live in the studio always have a different feel to them, especially when it happens to be the 4th anniversary of the show
  • The top story in this episode was about how to detect when your network has been breached
  • Some great detail, and discussion of the Target and Sony hacks as examples of what to do, and what not to do

Episode 212: Dormant Docker Disasters

  • The man who broke the music business
  • Detailing the inside story of how some of the most popular music albums made it onto the internet before they were even in stores
  • Again, in person episodes are always special

Episode 237: A Rip in NTP

  • Recap of my visit to the OpenZFS

LostPass | Tech Talk Today 183
https://original.jupiterbroadcasting.net/83752/lostpass-tech-talk-today-183/
Tue, 16 Jun 2015 11:05:56 +0000

LastPass discloses it’s been compromised, we discuss the scope of the hack & what our best and worst options are moving forward.

Plus a recap of the most interesting things from E3 so far & more!

Nano Diet Windows | Tech Talk Today 159
https://original.jupiterbroadcasting.net/80662/nano-diet-windows-tech-talk-today-159/
Fri, 17 Apr 2015 10:42:18 +0000

In Microsoft’s attempt to capitalize on container excitement they may be rushing to ship a subpar product. We’ll discuss the possible weakness of Windows Server’s Docker implementation.

Plus new interesting details turned up by the Sony Hack, a tip of the hat to John Siracusa’s OS X reviews & more!

Show Notes:

Microsoft Is Making a Stripped-Down Windows to Rival Linux | WIRED

Microsoft’s flagship operating system operates quite differently from Linux—which could be a problem as containers become the preferred way of computing in the cloud. But now, as so many others follow the lead of giants like Google and Twitter, Microsoft is reshaping Windows so that it doesn’t get left behind.

Wikileaks publishes hacked Sony emails, documents | ITworld

It’s made up of 173,132 emails and 30,287 documents, including some that contain highly personal information about Sony employees including home addresses, personal phone numbers and social security numbers.

After fifteen years, Ars says goodbye to John Siracusa’s OS X reviews | Ars Technica

For your reading enjoyment, here is the grand John Siracusa OS X Ars timeline:

Fanboys Stab Each Other Over Android vs Apple

“When police arrived at the apartment complex, they learned that the roommates had been drinking and arguing over their mobile phones,” KTUL Tulsa reports.

Apple Trolls Netflix Again | Tech Talk Today 128
https://original.jupiterbroadcasting.net/76852/apple-trolls-netflix-again-tech-talk-today-128/
Thu, 05 Feb 2015 11:39:02 +0000

The Apple rumor mill is in full swing with claims that Apple’s Netflix killer is in the works. We’re a bit skeptical. Twitter & Google patch things up & now it’s time to blame the Russians for the Sony hack!

Show Notes:

Twitter Reaches Deal to Show Tweets in Google Search Results – Bloomberg Business

In the first half of this year, tweets will start to be visible in Google’s search results as soon as they’re posted, thanks to a deal giving the Web company access to Twitter’s firehose, the stream of data generated by the microblogging service’s 284 million users, people with knowledge of the matter said Wednesday. Google previously had to crawl Twitter’s site for the information, which will now be visible automatically.

Apple Talks to TV Programmers About Web TV Service | Re/code

Industry executives say Apple is in talks with TV programmers about deals that would allow Apple to offer an “over the top” pay-TV service, like the one Dish has started selling with its Sling TV product, and the one Sony is getting ready to launch.

The theory is that Apple would put together bundles of programming — but not the entire TV lineup that pay-TV providers generally offer — and sell it directly to consumers, over the Web. That means Apple wouldn’t be reinventing the way TV works today, but offering its own version of it, with its own interface and user experience.

Forget North Korea – Russian Hackers Are Selling Access To Sony Pictures, Claims US Security Firm – Forbes

The firm claimed it has evidence Russian hackers have been silently siphoning off information from Sony’s network for the last few months and may even be the ones responsible for the catastrophic attacks in November, which the US blamed on North Korea. The Russians may have just been working unwittingly alongside the Guardians of Peace hackers, however, who were thought to have shut down Sony for its role in the production of The Interview, a film that depicted the assassination of North Korea leader Kim Jong-Un.

Millions hit by health company hack attack

The attackers stole names, addresses, birthdays and social security numbers of customers from every one of Anthem’s business units.

So far, Anthem has not said how many records were lost or how many people have been affected.

Celebrate TechSNAP 200 with a new look! | Teespring

After 200 episodes of TechSNAP we’d like to introduce the official logo to represent the best systems network and administration podcast around!

Sony’s Hard Lessons | TechSNAP 196
https://original.jupiterbroadcasting.net/75192/sonys-hard-lessons-techsnap-196/
Thu, 08 Jan 2015 19:43:57 +0000

We reflect on the lessons learned from the Sony Hack & discuss some of the tools used to own their network.

Plus an overview of what makes up a filesystem, a run down of the Bacula backup system & much more!

— Show Notes: —

Schneier: Lessons from the Sony Hack

  • Bruce Schneier, a noted security researcher, discusses the things we can all learn from the Sony hack
  • An attack like this can happen to anyone, but that doesn’t mean Sony didn’t make it easy for the attackers
  • One of the first things to think about when looking at a hack is: Was this an opportunistic attack, or a targeted attack?
  • “You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.”
  • “High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.”
  • “But even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies”
  • That is not to say that all high-skill high-focus attacks are committed by governments, the attacker just needs to be highly motivated
  • “This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.”
  • “The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do”
  • “Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.”
  • “We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.”
  • “For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”
  • Additional Coverage
  • Investigators believe a newly identified SMB (Server Message Block, mostly used in Windows file sharing and networking) worm was involved in the Sony hack
  • “The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said”
  • The worm had 5 major components: Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning
  • US-CERT Advisory

Norse identifies 6 individuals they believe behind Sony hack, including Ex-employees


Twitter date bug confuses many client applications.

  • Many Twitter clients, including the popular client TweetDeck, showed tweets during the last week of the year as being from a year ago
  • Many users then found that, even with the official app, they were no longer able to log in
  • It turns out the problem was that Twitter’s servers had been sending the incorrect date in all HTTP responses from the API
  • The wrong date format specifier was used; strftime(3) defines two different ways to express the year
  • The most common one: %Y – is replaced by the year with century as a decimal number
  • It seems that a programmer at Twitter chose the first one in the man page that mentioned the year:
  • %G – is replaced by a year as a decimal number with century. This year is the one that contains the greater part of the week (Monday as the first day of the week).
  • This went undetected because %G returns the correct year except in the last week of the year, when that week falls more within the new year than within the current year
  • So December 30th 2014 was reported as December 30th 2015, which is a year in the future
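
The %Y versus %G difference described above, as an added example (not Twitter's code and not part of the original show notes): it formats constructed dates around the 2014/2015 boundary with both specifiers and counts, per calendar year, the days on which they disagree. The function names year_as and mismatch_days are hypothetical.

```c
/* Added example, not Twitter's code: strftime(3) %Y vs %G around New Year.
 * Function names are hypothetical; all dates below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Build a struct tm for noon (local time) on a calendar date. mktime()
 * normalizes the fields and fills in tm_wday/tm_yday, which %G and %V use. */
static int make_date(int year, int month, int day, struct tm *out)
{
    memset(out, 0, sizeof(*out));
    out->tm_year = year - 1900;
    out->tm_mon = month - 1;
    out->tm_mday = day;
    out->tm_hour = 12;          /* noon keeps DST shifts from changing the day */
    out->tm_isdst = -1;
    return mktime(out) == (time_t)-1 ? -1 : 0;
}

/* Return the year strftime() prints for this date with spec "%Y" or "%G". */
int year_as(int year, int month, int day, const char *spec)
{
    struct tm tm;
    char buf[16];

    if (make_date(year, month, day, &tm) != 0)
        return -1;
    if (strftime(buf, sizeof(buf), spec, &tm) == 0)
        return -1;
    return atoi(buf);
}

/* Count the days of a calendar year on which %G and %Y disagree. */
int mismatch_days(int year)
{
    int count = 0;

    for (int doy = 1; doy <= 366; doy++) {
        struct tm tm;
        char y[16], g[16];

        /* "January doy" is normalized by mktime() to the real month/day. */
        if (make_date(year, 1, doy, &tm) != 0)
            continue;
        if (tm.tm_year != year - 1900)
            break;              /* walked past December 31 */
        strftime(y, sizeof(y), "%Y", &tm);
        strftime(g, sizeof(g), "%G", &tm);
        if (strcmp(y, g) != 0)
            count++;
    }
    return count;
}

int main(void)
{
    /* Walk across the 2014/2015 boundary (December 27 to January 2). */
    for (int day = 27; day <= 33; day++) {
        struct tm tm;
        char cal[32], wrong[32], iso[32];

        if (make_date(2014, 12, day, &tm) != 0)
            return 1;
        strftime(cal, sizeof(cal), "%Y-%m-%d", &tm);     /* calendar date */
        strftime(wrong, sizeof(wrong), "%G-%m-%d", &tm); /* the mixed-up form */
        strftime(iso, sizeof(iso), "%G-W%V-%u", &tm);    /* where %G belongs */
        printf("%s  %%G-%%m-%%d=%s  ISO=%s%s\n", cal, wrong, iso,
               strcmp(cal, wrong) ? "  <-- wrong year" : "");
    }
    printf("mismatch days in 2014: %d, in 2015: %d\n",
           mismatch_days(2014), mismatch_days(2015));
    return 0;
}
```

A check like mismatch_days works as a regression test for date-formatting code: a year-boundary date in the fixtures catches the bug that ordinary dates never trigger.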

FreeNAS – up and running!


3D Printing Wood | Tech Talk Today 114
https://original.jupiterbroadcasting.net/75122/3d-printing-wood-tech-talk-today-114/
Thu, 08 Jan 2015 10:22:11 +0000

The hottest Smartwatch at CES 2015 is running Open WebOS, we share the details. Tablets in cars & 3D printing with wood and other materials.

Plus some follow up & the Drone Rodeo!

Show Notes:

Exclusive: The hottest smartwatch of CES isn’t running Android Wear — it’s Open webOS | Android Central

We tracked down the Audi/LG watch — still officially nameless, by the way — in Las Vegas today, and we can exclusively reveal that it’s not running Android Wear as originally believed. In fact, it’s packing completely different software based on LG’s Open webOS.

The most beautiful tablet you’ll ever own comes with an Audi Q7

While the primary purpose of the tablet is entertainment for your rear passengers, the Audi Tablet also controls most of the car’s electronic functions. Passengers in the Q7 can have a look at the current route via a map app and can even set a new waypoint and pass it to the main stack in the front via WiFi. Music choices, media access, speed and even data showing if your driver has been keeping up with the maintenance are all on tap. Charging and a serial port that interfaces with the car’s CANBus — for communication with the auto’s systems — are on the back of the device and a standard micro-USB port and headphone jack are, too

10.1-inch tablet being driven by a Tegra 4

This is the most insane wireless router in the history of mankind | The Verge

The router in question is the D-Link AC3200 Ultra Wi-Fi Router, and make no mistake: as these things go it’s more than solid. Six antennas, support for the latest 802.11 protocols, and speeds up to 3.2Gbps. And this is just one of D-Link’s new Ultra series (it’ll be available on Newegg tomorrow for $309.99).

But mostly it just looks bonkers.

MakerBot makes 3D printing more realistic with metal, wood and stone – CNET

MakerBot announced Tuesday here at the 2015 International CES that it’s using new PLA Composite Filaments made with composites of real metal, stone and wood. Basically, these materials, in powder form, are mixed with regular PLA filament to create a new special type of filament. As the result, the printed objects will provide more of the look and certain characteristics of the materials being used.

For example, an object printed using metal PLA filament can be magnetized and is heavier than the same object printed using regular pure-plastic PLA filaments.

In order to print the new materials, however, a new extruder is needed for each material type. The good news is all MakerBot’s fifth-generation 3D printers support a Smart Extruder, which can be easily swapped out.

FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses | WIRED

Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has “very high confidence” in the FBI’s attribution of the attack to North Korea. And he named several of the sources of his evidence, including a “behavioral analysis unit” of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own “red team” simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

In his statement Wednesday, Comey acknowledged the skepticism about the FBI’s attributions claims. But he responded that “they don’t have the facts that I have. They don’t see what I see.”

Racing in a Las Vegas Drone Rodeo — CES 2015 – YouTube

Walkman Returns | Tech Talk Today 112
https://original.jupiterbroadcasting.net/74947/walkman-returns-tech-talk-today-112/
Tue, 06 Jan 2015 10:32:57 +0000

We round up day 1 of the CES 2015 stuff that has a shot of actually shipping! Sony’s new Walkman will blow you away, Dish wants cord cutters to Sling it, HP goes cheap & Google wants you to cast it!

Show Notes:

Dish’s Sling TV Sells Cable Channels on the Web for $20 | Re/code

Dish’s “Sling TV”* offering, which the company says will launch “soon,” comes with 10 notESPN channels, including the Food Network, CNN and the Travel Channel, and the ability to add more networks for additional fees.


Sling TV also won’t do you any good if you want to watch your local broadcast stations or any of the broadcast networks. So no local news, no “Good Wife” and no Sunday NFL games, unless you’re going to buy an antenna. On the other hand,

HP takes on Chromeboxes with $180, Windows-based Stream Mini PC

The Stream Mini is essentially a NUC-sized micro PC with a Celeron 2957U, 2GB of DDR3L/1600 and a 32GB M.2 SSD. In addition to the unit, you also get 200GB of Microsoft OneDrive storage free for two years as well as a $25 gift card to the Windows Store

The unit has Gigabit ethernet, four USB 3.0 ports, integrated 802.11n, Bluetooth 4.0, an SD card reader, combo audio jack for headphone and microphone and DisplayPort 1.2 and an HDMI 1.4 port. Windows 8.1 with Bing is thrown in too.

This is the new Sony Walkman | The Verge

The new Walkman ZX2 is real, and it’s designed exclusively with high-end audiophiles in mind — as Sony puts it themselves, this is “the fruit of continuous refinement in high audio quality technologies.”


Everything around the device is meant for an optimal audio experience. Specs-wise, the new Walkman supports DSD, WAV, AIFF, FLAC, Apple Lossless, and more. It supports Bluetooth for wireless streaming and NFC for one-touch connection to speakers and headphones.

All this high fidelity comes at a price. While the recent Walkman A17 comes in at around $300, the ZX2 will launch in the Spring for over $1,119.99.


It’s running years-old Android — 4.2 Jelly Bean, to be exact, which first debuted in November 2012. And while you can download and play apps from Google Play, this isn’t meant to match wits with today’s smartphones.

Google Cast will offer direct streaming from apps to Sony, LG, and Denon audio products this spring

At CES today, Google announced Google Cast for audio, which lets you play back sound from apps directly to speakers, sound bars, and A/V receivers. Sony, LG, and HEOS by Denon will be the first to offer “Google Cast Ready” products this spring, Google says.

The feature will work just like Google’s Chromecast streaming stick: Tap the “cast” button in an app on Android, iOS, or the web, and select a Google Cast-supported device. The speakers pull content directly from the cloud, not your device, “so you’ll get the best audio quality and can freely multi-task on your phone, tablet, or laptop, all without straining the battery,” Tomer Shekel, Product Manager of Google Cast for audio, said in a statement.

Google Cast for audio uses the same technology that powers the Chromecast. By offering it directly in products made by audio manufacturers, however, the company makes sure it isn’t the only one developing compatible hardware.

Google is naturally promising additional Google Cast Ready products, saying that “more brands” will offer them “later in 2015.”

Microsoft goes Spartan | Tech Talk Today 110
https://original.jupiterbroadcasting.net/74562/microsoft-goes-spartan-tech-talk-today-110/
Tue, 30 Dec 2014 10:35:59 +0000

Microsoft is building a new browser in-house that is rumored to work and look a lot more like Chrome & Firefox. The FBI has a lead on the Lizard Squad & who won big in the gadget sales over the holidays.

Show Notes:

Microsoft is building a new browser as part of its Windows 10 push | ZDNet

There’s been talk for a while that Microsoft was going to make some big changes to Internet Explorer in the Windows 10 time frame, making IE “Spartan” look and feel more like Chrome and Firefox.

It turns out that what’s actually happening is Microsoft is building a new browser, codenamed Spartan, which is not IE 12 — at least according to a couple of sources of mine.

Spartan is still going to use Microsoft’s Chakra JavaScript engine and Microsoft’s Trident rendering engine (not WebKit), sources say. As Neowin’s Brad Sams reported back in September, the coming browser will look and feel more like Chrome and Firefox and will support extensions. Sams also reported on December 29 that Microsoft has two different versions of Trident in the works, which also seemingly supports the claim that the company has two different Trident-based browsers.

However, if my sources are right, Spartan is not IE 12. Instead, Spartan is a new, light-weight browser Microsoft is building.

FBI Allegedly Investigating Lizard Squad Member Over Xbox Live, PSN Attacks

The FBI is actively investigating a member of the hacker collective that claimed responsibility for recent high-profile cyberattacks on Microsoft and Sony properties, according to multiple sources with knowledge of the investigation and the attacks. A member of the Lizard Squad hacking group, who goes by the alias “ryanc” or Ryan, allegedly garnered the attention of a special agent with the Federal Bureau of Investigation after speaking with the media about Lizard Squad’s Christmas-day attacks on Xbox Live and the PlayStation Network.

The Interview Online Sales – Business Insider

Sony announced Sunday night that “The Interview” was downloaded or rented online more than 2 million times, generating over $15 million in sales.

After initially pulling the movie from theaters, Sony decided to release it online instead. “The Interview” premiered December 24 on YouTube, Google Play, Xbox Video, and Sony’s own site, SeeTheInterview.com.


On Sunday, Apple made the movie available for rent or purchase on iTunes.

“The Interview” costs $14.99 to own or $5.99 to rent.

A source familiar with the movie’s online sales told Business Insider the “vast majority” of rentals and downloads came from Google Play and YouTube.


Meanwhile, “The Interview” was pirated an estimated 1.5 million times in its first two days, according to Torrent Freak.

Apple and Apps Dominated Christmas 2014 | Flurry

Flurry examined these new device activations to understand what types of devices consumers are exchanging for the holidays, and with which types of apps they are filling them. Since the beginning of the mobile revolution, Christmas Day has seen the highest number of new device activations and app installs each year, and 2014 was no exception. Flurry examined data from the more than 600,000 apps.


Apple accounted for 51% of the new device activations worldwide Flurry recognized in the week leading up to and including Christmas Day (December 19th – 25th). Samsung held the #2 position with 18% of new device activations, and Microsoft (Nokia) rounded out the top three with 5.8% share for mostly Lumia devices. After the top three manufacturers, the device market becomes increasingly fragmented with only Sony and LG commanding more than one percent share of new activations on Christmas Day. Up-and-comers Xiaomi, Huawei, and HTC all had less than one percent share on Christmas Day. One reason is surely their popularity in Asian markets where December 25th is not the biggest gift-giving day of the year.

6 Terabyte Hard Drive Round-Up: WD Red, WD Green and Seagate Enterprise 6TB

For a while, 4TB drives were the top end of what was available in the market but recently Seagate, HGST, and Western Digital announced breakthroughs in areal density and other technologies, that enabled the advent of the 6 Terabyte hard drive. This round-up looks at three offerings in the market currently, with a WD Red 6TB drive, WD Green and a Seagate 6TB Enterprise class model. Though the WD drives only sport a 5400RPM spindle speed, due to their increased areal density of 1TB platters, they’re still able to put up respectable performance. Though the Seagate Enterprise Capacity 6TB (also known as the Constellation ES series) drive offers the best performance at 7200 RPM, it comes at nearly a $200 price premium. Still, at anywhere from .04 to .07 per GiB, you can’t beat the bulk storage value of these new high capacity 6TB HDDs.

Don’t Fire IT | TechSNAP 193
https://original.jupiterbroadcasting.net/74187/dont-fire-it-techsnap-193/
Thu, 18 Dec 2014 18:51:04 +0000

More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!

— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

  • “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
  • The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
  • “The hospital says it immediately notified law enforcement agencies.”
  • “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
  • “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
  • The age of the data suggests that the compromise may have involved backups and/or cold storage
  • It is not clear if the hospital stores the older data itself, or if it relies on a 3rd party provider that may have been compromised
  • “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim


Cyber Hitmen | Tech Talk Today 108 https://original.jupiterbroadcasting.net/74112/cyber-hitmen-tech-talk-today-108/ Thu, 18 Dec 2014 11:09:46 +0000 https://original.jupiterbroadcasting.net/?p=74112 Senior anonymous government officials have officially unofficially linked North Korea to the Sony Entertainment hack. We discuss the failure of proper reporting that has forced Sony to pull “The Interview” & how this story is now being covered. Plus TorrentLocker Ransomware makes a comeback & more! Direct Download: MP3 Audio | OGG Audio | Video […]

The post Cyber Hitmen | Tech Talk Today 108 first appeared on Jupiter Broadcasting.

Senior anonymous government officials have officially unofficially linked North Korea to the Sony Entertainment hack. We discuss the failure of proper reporting that has forced Sony to pull “The Interview” & how this story is now being covered.

Plus TorrentLocker Ransomware makes a comeback & more!

Show Notes:

U.S. Said to Find North Korea Ordered Cyberattack on Sony – NYTimes.com

American officials have concluded that North Korea was “centrally involved” in the hacking of Sony Pictures computers, even as the studio canceled the release of a far-fetched comedy about the assassination of the North’s leader that is believed to have led to the cyberattack.

Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyberterrorism attack.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Sony Just Canceled The Premiere Of ‘The Interview’ – Business Insider

Sony Pictures has decided to cancel the Dec. 25 release of “The Interview” after major theaters said they wouldn’t screen the movie.

“We have decided not to move forward with the planned December 25 theatrical release of ‘The Interview,'” the company said in a statement.

Reaction To the Sony Hack Is ‘Beyond the Realm of Stupid’

North Korea may really be behind the Sony hack, but we’re still acting like idiots. Peter W. Singer, one of the nation’s foremost experts on cybersecurity, says Sony’s reaction has been abysmal. “Here, we need to distinguish between threat and capability—the ability to steal gossipy emails from a not-so-great protected computer network is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously. I can’t believe I’m saying this. I can’t believe I have to say this.”

Sony Pictures Entertainment has chosen to stand down for “The Interview,” deciding against releasing the Seth Rogen-James Franco comedy in any form — including VOD or DVD, as U.S. officials reportedly link Sony’s massive cyber attack to North Korea.

“Sony Pictures has no further release plans for the film,” a spokesman said Wednesday.

Judge rules videotaped Steve Jobs deposition to remain out of public eye

District Court Judge Yvonne Gonzalez Rogers sided with both Apple and plaintiffs in her ruling, saying Jobs’ testimony in the iPod iTunes antitrust case, taped months before his death in 2011, should not be handled as judicial record and will therefore not be made public.

For its part, Apple noted the court has a duty to protect witness testimony. If the Jobs Deposition were made public, it might set a dangerous precedent for the release of videotaped testimony from other high-profile witnesses in future cases. For witnesses in compromising situations, the prospect of having their sworn statements broadcast out of court would likely dissuade testimony, hindering the legal process.


On Tuesday, a jury found Apple not guilty of locking customers in to a monopoly digital music ecosystem with iPod, iTunes and FairPlay digital rights management. Plaintiffs in the case sought $350 million in damages, an amount that would have been tripled to more than $1 billion under U.S. antitrust law.

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia.
If you’re a Windows user in Australia who’s had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.

Sony’s Facepalm Buffoonery | Tech Talk Today 106 https://original.jupiterbroadcasting.net/73917/sonys-facepalm-buffoonery-tech-talk-today-106/ Tue, 16 Dec 2014 10:58:39 +0000 https://original.jupiterbroadcasting.net/?p=73917 Sony’s new hot legal defense goes after journalists & has an anti-Linux background. Ars gets hacked & why the big trend is the cord cutter’s friend. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed […]

The post Sony's Facepalm Buffoonery | Tech Talk Today 106 first appeared on Jupiter Broadcasting.

Sony’s new hot legal defense goes after journalists & has an anti-Linux background. Ars gets hacked & why the big trend is the cord cutter’s friend.

Show Notes:

Sony Demands Press Destroy Leaked Documents – Slashdot

In an effort that may run afoul of the first amendment, Sony, through their lawyer David Boies (of SCO infamy), has sent a letter to major news organizations demanding that they refrain from downloading any leaked documents, and destroy those already possessed. Sony threatens legal action to news organizations that do not comply, saying that “Sony Pictures Entertainment will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you.”

Sony Planned to Flood Torrent Sites With “Promo” Torrents

Sony Pictures’ TV network AXN developed a guerrilla marketing campaign to convert users of The Pirate Bay, KickassTorrents and other torrent sites to paying customers. The company planned to flood torrent sites with promos for the premiere Hannibal disguised as pirated copies of the popular TV-show.


The revelations are part of the Sony Pictures leaks which contain a discussion on the plan, framing it as a “brilliant anti-piracy social campaign.” The AXN employee describes the idea as follows.

“The idea is simple. We made a promo dedicated to Hannibal which is convincing people in very creative and no-invasive way to watch Hannibal legally on AXN instead downloading it from torrents.


“[T]his promo is supposed to be downloaded on the torrents sites, imitating the first episode of Hannibal season 2 but in reality would be only a 60 sec promo. The torrents sites are exactly the place where people just after [the] US premier would be searching for the first episode of season 2. So the success of this project is more than 100% sure.”

Unfortunately for the AXN Central Europe team the advertising campaign wasn’t well received at Sony Pictures’ headquarters in Los Angeles.


Sony Pictures Executive Vice President, who emphasized that it was a no go.

“Forget about a site blocking strategy if we start putting legitimate PSAs or promos on sites we’ve flagged to governments as having no legitimate purpose other than theft… PSAs being for public good, etc…”

And so it never happened…

Ars Technica is the latest site to fall victim to hack | The Verge

There has been a lot of hacking news in the past few weeks, and now noted technology news site Ars Technica has fallen victim to a hack. The site’s front page has gone black, with white text reading “Ars Security” alongside a couple of Twitter handles, presumably of those who have taken control of the site. There’s also some music playing to keep you occupied while waiting for the site to come back online.

The issue doesn’t appear to be completely widespread, as some Verge staffers located in different points around the globe aren’t currently having issues connecting to the site. Ars itself is also aware of the hack; the site’s Twitter account indicates they should be back online soon.

NBC to Live Stream Network Shows – WSJ

NBC is launching a live stream of its broadcast network, part of a broader effort at parent NBCUniversal to make more of its content available online via computers and mobile devices.

Instead, to access NBC’s live stream as well as additional content the company plans to offer via an on-demand platform, consumers will have to provide proof that they already have a pay-TV subscription.

NBC’s live stream will debut Tuesday online, and mobile platforms will be available early next year. Walt Disney Co.’s ABC launched a live stream of its network last year.

Separately, NBCUniversal is also going to start making content from its Bravo and Telemundo networks available through Microsoft Corp. ’s Xbox One game console. USA and Syfy already have deals with Xbox One.

OpenYourMouth

Signed by Sony | TechSNAP 192 https://original.jupiterbroadcasting.net/73732/signed-by-sony-techsnap-192/ Thu, 11 Dec 2014 18:48:06 +0000 https://original.jupiterbroadcasting.net/?p=73732 If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today! Plus we dig through the Sony hack, answer a ton of great questions & a rocking roundup! Thanks to: Get Paid to Write for DigitalOcean […]

The post Signed by Sony | TechSNAP 192 first appeared on Jupiter Broadcasting.

If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today!

Plus we dig through the Sony hack, answer a ton of great questions & a rocking roundup!

— Show Notes: —

Reinventing Computers And The Internet From Scratch, For The Sake Of Security

  • DARPA funded research is looking at how we might design the Internet if we had to do it over again
  • Many decisions that were made 30 and 40 years ago when UNIX and TCP/IP were designed, may be done differently today
  • The overall project has a number of sub-projects:
    • CRASH – Clean-Slate Design of Resilient, Adaptive, Secure Hosts
    • MRC – Mission-Oriented Resilient Clouds
    • CTSRD – Clean Slate Trustworthy Secure Research and Development (Custard)
  • BERI: Bluespec Extensible RISC Implementation: an open-source hardware-software research and teaching platform: a 64-bit RISC processor implemented in the high-level Bluespec hardware description language (HDL), along with compiler, operating system, and applications
  • CHERI: capability hardware enhanced RISC instructions: hardware-accelerated in-process memory protection and sandboxing model based on a hybrid capability model
  • TESLA: temporally enforced security logic assertions: compiler-generated runtime instrumentation continuously validating temporal security properties
  • SOAAP: security-oriented analysis of application programs: automated program analysis and transformation techniques to help software authors utilize Capsicum and CHERI features
  • The goal is to design newer secure hosts and networks, without having to maintain backwards compatibility with legacy systems, the biggest problem with changing anything on the Internet
  • This is why there are still things like SSLv3 (instead of just TLS 1.2+), why we have not switched to IPv6, and why spam is still such a large problem
  • I for one would definitely like to replace SMTP, but no one has yet devised a plan for a system that the world could transition to without breaking legacy email while we wait for the rest of the world to upgrade
  • “Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.””
  • For performance reasons, when hardware and programming languages were designed 30 and 40 years ago, it was decided that security would be left up to the programmer
  • The CHERI project aims to change this by implementing ‘Capabilities’, a sandboxing and security mechanism, in the hardware, allowing the hardware rather than the software to enforce protections, preventing unauthorized access or modification of various regions of memory by malicious or compromised applications.
  • CHERI, and the software side of the project, Capsicum, are based on FreeBSD, but are also being ported to Linux, where Google plans to make extensive use of it in its Chrome and Chromium browsers.
  • Additional Coverage

Sony Internal Network Hacked


Distributed Denial of Sony | Tech Talk Today 104 https://original.jupiterbroadcasting.net/73652/distributed-denial-of-sony-tech-talk-today-104/ Thu, 11 Dec 2014 10:51:07 +0000 https://original.jupiterbroadcasting.net/?p=73652 Sony is rumored to be hacking back, a P2P browser is in the works, Microsoft starts accepting Bitcoin & automatically changing your web passwords. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent […]

The post Distributed Denial of Sony | Tech Talk Today 104 first appeared on Jupiter Broadcasting.

Sony is rumored to be hacking back, a P2P browser is in the works, Microsoft starts accepting Bitcoin & automatically changing your web passwords.

Show Notes:

Sony hack: Studio Tries to Disrupt Downloads of its Stolen Files | Re/code

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter.

Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy.

BitTorrent Inc Works on P2P Powered Browser | TorrentFreak

BitTorrent Inc, the company behind the popular file-sharing client uTorrent, is working on a P2P powered browser. Dubbed Project Maelstrom, the browser will be able to “keep the Internet open” by serving websites with help from other users.


Project Maelstrom, as it’s called, is in the very early stages of development but BitTorrent Inc. is gearing up to send out invites for a closed Alpha test.


“It works on top of the BitTorrent protocol. Websites are published as torrents and Maelstrom treats them as first class citizens instead of just downloadable content. So if a website is contained within a torrent we treat it just like a normal webpage coming in over HTTP.”

More details are expected to follow during the months to come. Those interested in Project Maelstrom can sign up for an invite to the Alpha test here.

US Navy approves first laser weapon for operation aboard Persian gulf ship | Ars Technica

On Wednesday the Office of Naval Research (ONR) announced that it would approve an experimental laser weapon for use on the USS Ponce in the Persian Gulf. The laser weapon system is part of a $40-million research program to test directed energy weapons, and it is the first to be officially deployed and operated on a naval vessel.


Although the laser weapon system is not as powerful as other weapons aboard the Ponce, Christopher Harmer, Senior Naval Analyst with the Institute for the Study of War told the Wall Street Journal that the directed energy of the laser aimed at a target would “cause a chemical and physical disruption in the structural integrity of that target.” Harmer added that the advantage of the laser weapon system is that it can disable many oncoming targets without needing to reload ammunition: “as long as you’ve got adequate power supply, and adequate cooling supply.”


The laser shot doesn’t look like the photon torpedoes of Star Trek—in fact it looks like nothing at all. The energy beam is invisible (and costs the Navy $0.59 per shot, according to the WSJ). A press release from ONR stated that the laser weapon system was able to hit targets out of the sky and at sea in high winds, heat, and humidity without fail.

LastPass Now Lets You Change Loads of Passwords at Once

Now when you use the password manager, you’ll see an option to change your password automatically below your login info for each site.

Currently, the service supports over 75 accounts, including Facebook, Twitter, Amazon and Dropbox. Rather than going through a cloud network, LastPass says these changes happen locally on your device, so the company never has access to your actual password.

How do I use Bitcoin with my Microsoft account?

You can now use Bitcoin to add money to your Microsoft account. Once you add money to your Microsoft account, you can use it as a payment option to buy apps, games, and other digital content from Windows, Windows Phone, Xbox Games, Xbox Music, or Xbox Video stores.

Sony Security Café | Tech Talk Today 102 https://original.jupiterbroadcasting.net/73287/sony-security-cafe-tech-talk-today-102/ Tue, 09 Dec 2014 11:23:37 +0000 https://original.jupiterbroadcasting.net/?p=73287 The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators. Then it’s a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more! Direct Download: MP3 Audio | OGG Audio | Video | HD […]

The post Sony Security Café | Tech Talk Today 102 first appeared on Jupiter Broadcasting.

The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators.

Then it’s a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more!

Show Notes:

Chaos Computer Club website is blocked by UK “porn filter”

A significant portion of British citizens are currently blocked from accessing the Chaos Computer Club’s (CCC) website. On top of that, Vodafone customers are blocked from accessing the ticket sale to this year’s Chaos Communication Congress (31C3).


Since July 2013, a government-backed so-called opt out list censors the open internet. These internet filters, authorized by Prime Minister David Cameron, are implemented by UK’s major internet service providers (ISPs). Dubbed as the “Great Firewall of Britain”, the lists block adult content as well as material related to alcohol, drugs, smoking, and even opinions deemed “extremist”.


Users can opt-out of censorship, or bypass it by technical means, but only a minority of users know how to bypass those filters.

YouTube Offering Its Stars Bonuses – WSJ

Facebook Inc. and video startup Vessel, among others, have tried to lure YouTube creators to their services in recent months, according to people familiar with the discussions.

In response, Google is offering some of its top video makers bonuses to sign multiyear deals in which they agree to post content exclusively on YouTube for a time before putting it on a rival service. The bonuses can be tied to how well videos perform, but YouTube is making a wide range of offers to counter rivals, according to people involved in the discussions. For several months, YouTube also has been offering to fund additional programming by some of its video makers.

These people say YouTube executives are particularly concerned about Vessel, though the startup has yet to disclose any details about its service or video makers it has signed.

In recent weeks “YouTube has been in a fire drill” led by Robert Kyncl, global head of business, trying to hold on to its stars, according to a person close to the company.

It’s Here! Announcing Fedora 21!

Fedora 21 Release Announcement

The Fedora Project is pleased to announce Fedora 21, the final release, ready to run on your desktops, servers, and in the cloud. Fedora 21 is a game-changer for the Fedora Project, and we think you’re going to be very pleased with the results.

TL;DR?

Impatient? Go straight to https://getfedora.org/ and get started. Otherwise, read on!

Sony Pictures hack was a long time coming, say former employees — Fusion

“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”


The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.


Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.


Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss.


Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, his salary is over $300,000 this year according to one of the leaked salary documents — and will get bumped over $400,000 if he gets his bonus.

In his comments, Mandia described the malicious software used in the attack against Sony as “undetectable by industry standard antivirus software.” He also said that the scope of the attack is unlike any other previously seen, primarily because its perpetrators sought to both destroy information and to release it to the public. The attack is one “for which neither SPE nor other companies could have been fully prepared,” Mandia said.

The hacks were traced to the St. Regis Bangkok, a 4.5 star resort where basic rooms cost over $400 per night. It remains unclear whether the hacks were done from a room or a public area, but investigations into the breach have traced the attack to the hotel on December 2nd at 12:25 am, local time.

It appears that the leaked files include the Social Security numbers of 47,000 employees and actors, including Sylvester Stallone, Judd Apatow and Rebel Wilson.

They also include a file directory entitled ‘Password’, which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts.

Leslie Caldwell, assistant attorney general in the criminal division of the Department of Justice, announced on Thursday the creation of a new Cybercrime Unit, tasked with enhancing public-private security efforts. A large part of the Cybersecurity Unit’s mission will be to quell the growing distrust many Americans have toward law enforcement’s high-tech investigative techniques. (Even if that lack of trust, as Caldwell claimed, is based largely on misinformation about the technical abilities of the law enforcement tools and the manners in which they are used.) “In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously,” Caldwell said. “Privacy concerns are not just tacked onto our investigations, they are baked in.”

Mobile Strap On | Tech Talk Today 100 https://original.jupiterbroadcasting.net/72922/mobile-strap-on-tech-talk-today-100/ Wed, 03 Dec 2014 11:00:28 +0000 https://original.jupiterbroadcasting.net/?p=72922 The Sony Pictures hack takes a new uglier twist. We get some details on the type of data leaked & speculate if it was possibly an inside job. Also, researchers claim Iran has completely owned critical systems in 15 different nations. Plus we celebrate episode 100 & feature a fun Kickstarter of the week! Direct […]

The post Mobile Strap On | Tech Talk Today 100 first appeared on Jupiter Broadcasting.

The Sony Pictures hack takes a new uglier twist. We get some details on the type of data leaked & speculate if it was possibly an inside job. Also, researchers claim Iran has completely owned critical systems in 15 different nations.

Plus we celebrate episode 100 & feature a fun Kickstarter of the week!

Show Notes:

Sony Pictures hack gets uglier; North Korea won’t deny responsibility [Update] | Ars Technica

More evidence has emerged that makes the Sony Pictures hack look similar to a suspected attack on South Korean companies over a year ago. And a spokesperson for the North Korean government, rather than denying his country’s involvement, is playing coy as the damage to Sony appears to be growing daily.

When contacted by the BBC, a spokesperson for North Korea’s mission to the United Nations said, “The hostile forces are relating everything to [North Korea]. I kindly advise you to just wait and see.”


The attackers also posted archive files online containing at least 25 gigabytes of data from Sony’s network.

In an email to Ars that included a link to an archive of some of the stolen Sony Pictures data, an individual claiming to be “the boss” of the attackers known as GOP claimed that “tens of TB” of files had been exfiltrated, and would be shared as soon as possible. Some of those files included Excel spreadsheets and screen grabs from mainframe terminal sessions including employee payroll and medical data.


An archive of files seen by Ars — approximately a gigabyte of sales data, the most recent of which dates to April of this year, and stretches back over 5 years. The files, which have metadata indicating they were produced using a Sony Pictures Entertainment corporate license of Microsoft Office, include corporate PowerPoint templates, image files of contracts for television deals (including local affiliate contracts for “Dr. Oz” and “Seinfeld” reruns) sent by fax machine, and a file from a salesman’s computer called “Passwords.doc.”

The document, last edited by a woman whose LinkedIn account indicates she was a Sony Pictures ad sales assistant in 2011, includes her bosses’ American Express card number and online account information, Lotus Notes usernames and passwords (one of them is “password,” the other is “s0ny123”), Sony network login and password, and their fax numbers. One of those bosses is the current Vice President of Syndication Sales for Sony Pictures Television.


In a phone conversation with Ars, the co-founder and Chief Operating Officer of analytics firm Security Scorecard, said that evidence suggested to him that there was at least some insider involvement in the attack. “From a psychological perspective, this attack is invoking emotions that may apply to employees of Sony as well. It may likely have been someone internal leaking the information because they knew how to get to it, rather than it being an outside attacker.”

Critical networks in US, 15 other nations, completely owned, possibly by Iran | Ars Technica

For more than two years, pro-Iranian hackers have penetrated some of the world’s most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.

In many cases, “Operation Cleaver,” as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world’s critical infrastructure.

Tuesday’s 86-page report relies on circumstantial evidence to arrive at the conclusion that the 20 or more hackers participating in Operation Cleaver are backed by Iran’s government.


Many of the custom-configured hacking tools they use issue warnings when their external IP addresses trace back to the Middle Eastern country. The infrastructure supporting the vast campaign is too sprawling to be the work of a lone individual or small group; it could only have been sponsored by a nation state.

In all, 50 targets in 16 countries are known to have been compromised. The tally includes 10 victims in the US, four in Israel, and five in Pakistan.

Roku still tops as sales of streaming-media players rise – CNET

During the first three quarters of 2014, 10 percent of US households with a broadband connection bought at least one streaming-media player, market researcher Parks Associates said Tuesday.

Roku’s lineup of set-top boxes and streaming sticks was still the most popular so far this year despite a strong dip, securing 29 percent of sales in the first nine months. Google’s Chromecast stick leaped onto the scene, snagging the No. 2 spot with 20 percent share and stealing Apple TV’s previous slot. The Apple TV box fell to third place with 17 percent share. Amazon’s Fire TV box and stick, also new on the scene, came in fourth place with 10 percent share.

Roku, which has been the dominant force since 2012, saw its market share slip from 46 percent last year to 29 percent in the first nine months of 2014. Apple TV also slipped from 26 percent last year to 17 percent so far this year. They both lost share as Google’s Chromecast and Amazon’s Fire TV have come on strong.

KICKSTARTER OF THE WEEK: HANSNAP “Use Your Smartphone Better!” by Justis Earle — Kickstarter

Handsfree video and photography with your smartphone. Use all your phone features better in every situation ~ Capture your Imagination!

Ghosts of DRM Past | Tech Talk Today 99 https://original.jupiterbroadcasting.net/72797/ghosts-of-drm-past-tech-talk-today-99/ Tue, 02 Dec 2014 11:07:48 +0000 https://original.jupiterbroadcasting.net/?p=72797 The Feds want Apple to break iOS encryption using an 18th-century law & it certainly fails the sniff test. Sony is playing the victim after its recent breach & the hype is reaching new levels of absurd. Plus the decade-old iTunes lawsuit that could feature testimony from Steve Jobs, we’ll tell you how. Direct […]


The Feds want Apple to break iOS encryption using an 18th-century law & it certainly fails the sniff test. Sony is playing the victim after its recent breach & the hype is reaching new levels of absurd. Plus the decade-old iTunes lawsuit that could feature testimony from Steve Jobs, we’ll tell you how.


Show Notes:

Feds want Apple’s help to defeat encrypted phones, new legal case shows

Prosecutors invoke 18th-century All Writs Act to get around thorny problem.

Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.


In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.


Ars is publishing the documents in the California case for the first time in which a federal judge in Oakland specifically notes that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.”


The two orders were both handed down on October 31, 2014, about six weeks after Apple announced that it would be expanding encryption under iOS 8, which aims to render such a data handover to law enforcement useless. Last month, The Wall Street Journal reported that DOJ officials told Apple that it was “marketing to criminals” and that “a child will die” because of Apple’s security design choices.

Apple did not immediately respond to Ars’ request for comment.


DOJ is using an Antiquated 1789 ‘All Writs Act’ To Try To Force Phone Manufacturers To Help Unlock Encrypted Phones

Ars went in person to the Oakland courthouse on Wednesday to obtain the documents and is publishing both the government’s application and the judge’s order for the first time here. The All Writs Act application and order are not available via PACER, the online database for federal court records.

“This Court has the authority to order Apple, Inc., to use any capabilities it may have to unlock the iPhone,” Garth Hire, an assistant US attorney, wrote to the court and cited the All Writs Act.

Cyber Ring Stole Secrets For Gaming US Stock Market

Reuters has the scoop this morning on a new report out from the folks at FireEye about a cyber espionage ring that targets financial services firms. The campaign, dubbed FIN4 by FireEye, stole corporate secrets for the purpose of gaming the stock market. FireEye believes that the extensive cyber operation compromised sensitive data about dozens of publicly held companies. According to the report, the victims include financial services firms and those in related sectors, including investment bankers, attorneys and investor relations firms. Rather than attempting to break into networks overtly, the attackers targeted employees within each organization. Phishing e-mail messages led victims to bogus web sites controlled by the hackers, who harvested login credentials to e-mail and social media accounts. Those accounts were then used to expand the hackers’ reach within the target organization: sending phishing email messages to other employees.

Sony hires Mandiant after cyber attack, FBI starts probe | Reuters

Sony Pictures Entertainment has hired FireEye Inc’s Mandiant forensics unit to clean up a massive cyber attack that knocked out the studio’s computer network nearly a week ago, three people with knowledge of the matter said on Sunday.

New evidence is emerging that suggests North Korea may be behind the hack. The Wall Street Journal is reporting that researchers investigating the hack have found the malicious code to be almost exactly the same as the code used in a March 2013 attack on a series of South Korean banks and broadcasters, an attack widely believed to have been conducted by North Korea. Re/code had previously reported that Sony was investigating a North Korean connection, but this new analysis is the most definitive evidence unearthed so far.

Sony Pictures has gotten its computer systems back online, with emails and everything else up and running again.

Google sold more Chromebooks to US schools than Apple did iPads in Q3

According to the latest data from IDC, Google, for the first time ever, has overtaken Apple in United States schools. The research firm claims that Google shipped 715,000 Chromebooks to schools in the third quarter, while Apple shipped 702,000 iPads to schools. Chromebooks as a whole now account for a quarter of the educational market (via FT).

Chromebooks start at $199, while last year’s iPad Air, with educational discounts applied, costs $379. The research firm also says that many school corporations prefer the full keyboard found on Chromebooks instead of the touchscreen found on iPads. Some schools that use iPads, however, supply students with a keyboard case as well, but that only further increases the cost of iPads compared to Chromebooks.

Apple faces trial in decade-old iTunes DRM lawsuit | ITworld

Plaintiffs in the Apple iPod iTunes antitrust litigation complain that Apple married iTunes music with iPod players, and they want $350 million in damages. The lawsuit accuses Apple of violating U.S. and California antitrust law by restricting music purchased on iTunes from being played on devices other than iPods and by not allowing iPods to play music purchased on other digital music services. Late Apple founder Steve Jobs will reportedly appear via a videotaped statement during the trial, scheduled to begin Tuesday morning in U.S. District Court for the Northern District of California.


The original January 2005 complaint in the case references a music distribution industry that no longer exists nearly a decade later. The document refers to iTunes competitors Napster, Buy.com, Music Rebellion and Audio Lunch Box, along with digital music players from Gateway, Epson, RCA and e.Digital.


The opening paragraphs of the complaint talk about defunct CD seller Tower Records.


Apple has monopoly market power, lawyers for plaintiff Thomas Slattery wrote. “Apple has rigged the hardware and software in its iPod such that the device will not directly play any music files originating from online music stores other than Apple’s iTunes music store,” they wrote.


Apple removed DRM (digital rights management) from iTunes in early 2009, so the lawsuit covers iPods purchased from Apple between September 2006 and March 2009.

Patch your Sony | Tech Talk Today 97 https://original.jupiterbroadcasting.net/72317/patch-your-sony-tech-talk-today-97/ Tue, 25 Nov 2014 10:53:07 +0000 https://original.jupiterbroadcasting.net/?p=72317 Sony Pictures’ network is compromised & reports claim employees are locked out, data is being held for ransom, Twitter & Google accounts compromised & that’s just the beginning. Plus the DOJ claims iMessage will kill kids & our Kickstarter of the week! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]


Sony Pictures’ network is compromised & reports claim employees are locked out, data is being held for ransom, Twitter & Google accounts compromised & that’s just the beginning.

Plus the DOJ claims iMessage will kill kids & our Kickstarter of the week!


Show Notes:

Hackers shut down Sony Pictures’ computers and are blackmailing the studio | The Verge

Since this afternoon, computers at the company have been completely unresponsive, showing a glowering CGI skeleton, a series of URL addresses, and a threatening message from a hacker group that identifies itself as #GOP. Dozens of Sony Twitter accounts were also commandeered to tweet out similar messages, although Sony seems to have regained control of those accounts. Early reports from Sony employees suggest the studio has yet to regain computer access.


The ZIP files mentioned in the images contain a list of filenames of a number of documents pertaining to financial records along with private keys for access to servers. The message shown on computers mentions “demands” that must be met by November 24th at 11:00PM GMT or the files named will be released.

A source within Sony has anonymously confirmed to TNW that the hack and image that have appeared on computers inside Sony Pictures is real. They said that “a single server was compromised and the attack was spread from there.”


In the meantime, the compromise seems to have brought day-to-day work at the studio to a crashing halt. Employees are reportedly unable to send email, use their computers, or even answer phones. As one employee told Deadline, “We are down, completely paralyzed.” In the official statement, Sony used more measured language: “We are investigating an IT matter.”

Updated: Hackers replace Sony’s backup app on Google Play — Tech News and Analysis

Sony’s Backup & Restore tool is a pretty straightforward app. It can back up device settings and data to a MicroSD card. It’s pre-installed on a lot of Sony phones, including the new Xperia Z3. But the version on Google Play for several hours on Monday said it was managed by “Nirak Patel Kanudo” and its reviews were terrible. The app description also included several typos.

iMessage encryption will kill kids, DOJ warns | Cult of Mac

The U.S. Department of Justice has issued a chilling warning to Apple executives as a response to increased privacy protections added to iOS 8: Children might die because we can’t hack into bad guys’ iMessages.


Deputy Attorney General James Cole met with Apple executives last month, reports the Wall Street Journal, to discuss privacy issues, but after making the ridiculous claim that the blood of dead children will be on Apple’s hands if it doesn’t give the NSA access to iMessages, the talks have ended in a standoff.


“The No. 2 official at the Justice Department delivered a blunt message last month to Apple Inc. executives: New encryption technology that renders locked iPhones impervious to law enforcement would lead to tragedy. A child would die, he said, because police wouldn’t be able to scour a suspect’s phone, according to people who attended the meeting.”

KICKSTARTER OF THE WEEK: 6thfinger: Keep games or apps active without human touch by Danny & Wayne — Kickstarter

Sony’s the Bomb | Tech Talk Today 48 https://original.jupiterbroadcasting.net/65337/sonys-the-bomb-tech-talk-today-48/ Mon, 25 Aug 2014 09:47:34 +0000 https://original.jupiterbroadcasting.net/?p=65337 Sony is under attack again, but this time the hackers have taken it to the physical world. Another Android flaw is getting over hyped, Windows 9 gets a release date, the most popular open source cloud projects & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube […]


Sony is under attack again, but this time the hackers have taken it to the physical world. Another Android flaw is getting over hyped, Windows 9 gets a release date, the most popular open source cloud projects & more!


Show Notes:

Sony PlayStation Network taken down by attack

Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board.

The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic.


A plane carrying Sony Online Entertainment President John Smedley was diverted on Sunday, Smedley said in a post on microblogging site Twitter.

A group called Lizard Squad sent a message through its Twitter account to American Airlines saying Smedley’s flight had explosives on board, according to a report by USA Today. The group also used Twitter to claim credit for the network attack, the newspaper said.

USA Today reported that the Dallas/Fort Worth flight to San Diego was diverted and landed safely in Phoenix.

A PlayStation spokeswoman in the United States said the diverted flight was being handled by the FBI and had no comment.

Android attack improves timing, allows data theft | Ars Technica

According to a team of researchers from the University of Michigan and the University of California at Riverside.

The attack, known as a user interface (UI) inference attack, makes use of the design of programming frameworks that share memory, allowing one application to gather information about the state of other applications. The information can be gathered without any special Android permissions or by grabbing screen pixels, according to a paper presented at the USENIX Security Conference on Friday.

The technique gives attackers the ability to infer the state of a targeted application, enabling more convincing attacks. If malware knows that the targeted user has just clicked on a “login” button, then it can throw up a dialog box asking for a username and password. If the malware can infer that a user is about to take a picture of a check or sensitive document, it can quickly take a second picture.


An attack application must be running in the background, where it can determine the foreground activity of a targeted app with 80 to 90 percent accuracy in most applications, the researchers said. The technique detects transitions in the UI state of the targeted app and then uses a signature to identify the new state.

In videos demonstrating the UI inference attack, the research group showed the malicious software stealing a username and password from the H&R Block application, copying an image of a check taken by the Chase Bank application, and stealing credit-card information from the NewEgg store.

“By design, Android allows apps to be preempted or hijacked,” Qian said in a statement. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”

Because the attack does not focus on any specific vulnerability in the operating system, hardening the software to attack will be difficult, according to the paper.


While the researchers focused on the Android operating system, the operating-system architecture that they exploit is present on most other major OSes, including MacOS X, iOS and Windows, the paper stated.

“We believe our attack on Android is likely to be generalizable to other platforms,” the paper stated.

Most smartphone users download zero apps per month

Mobile apps have skyrocketed in popularity and utility since Apple introduced the iPhone App Store in the summer of 2008. Apps now represent 52% of time spent with digital media in the US, according to comScore, up from 40% in early 2013. Apple boasted 75 billion all-time App Store downloads at its developers conference in June, and followed up by declaring July the best month ever for App Store revenue, with a record number of people downloading apps.

Yet most US smartphone owners download zero apps in a typical month, according to comScore’s new mobile app report.


Only about one-third of smartphone owners download any apps in an average month, with the bulk of those downloading one to three apps. The top 7% of smartphone owners account for “nearly half of all download activity in a given month,” comScore reports.

Microsoft set to unveil Windows 9 on September 30th | The Verge

Microsoft is planning to unveil its Windows 8 successor next month at a special press event. Sources familiar with Microsoft’s plans tell The Verge that the software maker is tentatively planning its press event for September 30th to detail upcoming changes to Windows as part of a release codenamed “Threshold.” This date may change, but the Threshold version of Windows is currently in development and Microsoft plans to release a preview version of what will likely be named Windows 9 to developers on September 30th or shortly afterwards. The date follows recent reports from ZDNet that suggested Microsoft is planning to release a preview version of Windows 9 in late September or early October.

Most popular open-source cloud projects of 2014 | ZDNet

At CloudOpen, a Linux Foundation tradeshow held in conjunction with LinuxCon, the Foundation announced that an online survey of open-source cloud professionals found OpenStack to be the most popular overall project.

That wasn’t surprising. Although OpenStack is only four years old, the Infrastructure-as-a-Service (IaaS) cloud project is very popular, with support from such industry giants as HP, Red Hat, and VMware. What was somewhat surprising was that number two was Docker, the just-over-a-year-old container technology.

Behind those two, you’ll find KVM, the x86 virtualization technology that’s recently been ported to Power; CloudStack, one of the older open-source IaaS cloud projects; and Ceph, the open-source, software-defined storage stack.

9 Days to Patch | TechSNAP 172 https://original.jupiterbroadcasting.net/63062/9-days-to-patch-techsnap-172/ Thu, 24 Jul 2014 18:23:38 +0000 https://original.jupiterbroadcasting.net/?p=63062 A comprehensive study shows that you’re probably taking way too long to patch your box. Plus research on possible iOS backdoors, TOR’s nasty bug, your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent […]


A comprehensive study shows that you’re probably taking way too long to patch your box.

Plus research on possible iOS backdoors, TOR’s nasty bug, your questions, our answers, and much much more!


— Show Notes: —

Qualys releases “The Laws of Vulnerabilities 2.0”

  • Qualys, known for the SSL Labs site where you can test the encryption capabilities of your browser and web server, has released the new version of their “laws”
  • Qualys sells an “on demand vulnerability management solution” which does continuous perimeter monitoring of a network and scans servers for vulnerable versions of software and services
  • Using the data they have collected they did statistical analysis and came up with some basic laws that cover the “vulnerability half-life, prevalence, persistence and exploitation trends for five critical industry segments including Finance, Healthcare, Retail, Manufacturing and Services.”
  • The average system remains vulnerable for 30 days. Service sector usually patched within 21 days, whereas Manufacturing usually took 51 days
  • The most popular vulnerabilities are regularly replaced, leaving some systems almost continuously vulnerable
  • “the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed.”
  • “Eighty percent of vulnerability exploits are now available within single digit days after the vulnerabilities public release. In 2008, Qualys Labs logged 56 vulnerabilities with zero-day exploits, including the RPC vulnerability that produced Conficker. In 2009, the first vulnerability released by Microsoft, MS09-001 had an exploit available within seven days. Microsoft’s April Patch Tuesday included known exploits for over 47 percent of the published vulnerabilities. This law had the most drastic change from the Laws 1.0 in 2004, which provided a comfortable 60 days as guidance”
  • Compared to in the past, installing updates in a timely fashion is even more important. The old 60 day window is gone

Payment Card Data Theft: Tips For Small Business

  • An article at DarkReading.com by Chris Nutt, Director of Incident Response and Malware at Mandiant, on steps small businesses can take to avoid being the next credit card breach
  • Things to consider when processing credit cards via a computer:
    • Does the company browse the Internet or read email on the computer used for credit card processing?
    • Is unencrypted card data transmitted through any exposed cables or over the internal network?
    • Is the card-processing software configured correctly and up-to-date?
    • Is the computer’s operating system up to date? Has it been hardened?
    • Is the computer running antivirus and is it up-to-date?
    • Does the company outsource IT management and is there a remote management port open to the Internet?
  • Small businesses often have an advantage in this area: it is easier to upgrade software when there is only a single system involved, not a complex back office system with multiple servers
  • Some recommendations:
    • Use a dedicated LAN (or VLAN) or use a cellular connection instead of running the payment system on the same LAN or WiFi that is used for regular business and/or used by customers
    • “Do not maintain a Payment Card Industry (PCI) environment or maintain the smallest PCI environment possible”
    • Instead, use a PCI compliant reader like Stripe or Square; data should be encrypted and sent directly to the payment processor, never stored on a device
    • Never store credit card details; a service like Stripe will give you a unique token that can be used for rebilling, refunds, etc., without requiring you to store the original card details
    • “Do not outsource the maintenance of POS devices to a company that will directly access remote management ports over the Internet.”
    • “Protect the physical security of all systems that store, process, or transmit cardholder information. All security is lost if an attacker can alter or replace your equipment”
    • “Do not allow systems in your PCI environment to connect to the Internet, aside from the connections required to process card transactions or patch the system”
    • “Do not allow systems in your PCI environment to connect to any systems on your network that are not necessary for processing card transactions or patching”
  • Some possibly bad advice from the article: Use a mobile device or a tablet; they are more secure than a desktop
  • Where possible, offload the processing to a provider; it might be slightly more expensive, but it moves most of the risk to the provider, rather than you

Government Accountability Office report shows shortcomings in incident response procedures

  • GAO Report: Agencies Need to Improve Cyber Incident Response Practices
  • “Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases”
  • “For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken.”
  • “agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents government-wide. However, agencies did not demonstrate such actions for about 25 percent of incidents government-wide.”
  • “for about 77 percent of incidents government-wide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents”
  • “agencies returned their systems to an operationally ready state for about 81 percent of incidents government-wide. However, they had not consistently documented remedial actions on whether they had taken steps to prevent an incident from reoccurring. Specifically, agencies did not demonstrate that they had acted to prevent an incident from reoccurring in about 49 percent of incidents government-wide.”
  • “In another incident, an agency received a report from US-CERT indicating that login credentials at two of the agency’s components may have been compromised. When contacting the impacted components, agency incident handlers mistyped the potentially compromised credentials for one component and did not respond to an e-mail from the component requesting clarification, and failed to follow up with the second component when it did not respond to the initial alert. Despite these errors, the incident handlers closed the incident without taking further action.”
  • “In a malware incident, sensors on an agency’s network recorded an agency computer contacting an external domain known to host malicious files, and downloading a suspicious file. Incident handlers closed the ticket without recording any actions taken to contain or otherwise remediate the potential malware infection”
  • The GAO used NIST Special Publication 800-61: Computer Security Incident Handling Guide as a reference
  • FireEye, makers of an enterprise security real-time threat protection platform, had some reactions to these findings:
  • “Anything less than 100% containment is essentially 0% containment”. “If a government agency fails to completely contain an intrusion, any gaps leave the adversary freedom of maneuver. He can exploit the containment failure to proliferate to other systems and remain in control of an organization’s systems.”
  • “If an adversary retains access to even one system, he can rebuild his position and retake control of the victim”
  • “If a victim fails to make the environment tougher for the adversary, the intruder will likely return using the same techniques that he utilized to first gain access.” Victims need to learn from intrusions and implement remediation
  • It is not clear from the report, but if a machine is compromised, it should be reformatted, rather than merely ‘cleaned’. In light of recent reports about persistent malware, the BIOS should also be flashed before the fresh OS is reinstalled.
