Strength – Jupiter Broadcasting

Password SecuritIEEE | TechSNAP 77

chris — Thu, 27 Sep 2012 16:30:08 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A big password leak from a major industry player, mobile security takes a big hit, we cover a couple of the major vulnerabilities affecting our favorite gadgets, and more Java troubles.

Plus moving from Apache to Nginx, and a big batch of your questions.

All that and so much more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Fill out my Wufoo form!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Virgin Mobile USA customers may be at risk

Virgin Mobile customers in the USA access their customer portal using their mobile phone number and a 6 digit pin
In addition to the obvious lack of security of using such a limited keyspace, it seems that the Virgin portal does not implement any type of lockout or intrusion detection
Specifically, they do not block an IP after 100s of failed attempts, meaning an attacker can quickly run through the entire 1 million possible passwords and gain access to any account
Kevin Burke, the researcher who discovered the flaw, said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concerns were dismissed
Later, a fix was applied to the portal, blocking users after 4 failed attempts, however it relied on a browser cookie to keep track of the number. In additional to how easily this mitigation is evaded, most attack scripts don’t keep cookies anyway
Virgin’s portal now correctly blocks an IP address after 20 failed attempts
Virgin uses a 404 error instead of 503 or another more proper error code
Additional Coverage

Security Explorations finds another Java 0-day, for Java SE 5, 6 and 7

Security Explorations, the Polish research firm that found the previous Java exploits, has now topped 50 different vulnerabilities reported to Oracle, and the 50th one is the worst to date
The flaw affects fully patched Windows 7 machine, using all major browsers
Oracle has produced a comprehensive status report regarding upcoming Java Critical Patch Update. The company claims to have fixes for all, except two issues (29 and 50) integrated and undergoing testing for release in the October 2012 Java SE CPU. Oracle is still evaluating fixes for Issue 50 and will provide further update on whether a fix for it will be also included in the October 2012 Java SE CPU
Additional Coverage

IEEE passwords exposed via FTP site

A researcher found a log file on a publically accessible IEEE FTP site
The file contained logs from 01/Aug/2012:20:46:28 +0000 to 18/Sep/2012:08:47:17 +0000
The log contained around 375 million lines, 400,000 of which contained plain text passwords, 17k of which were password reset requests
A total of 99,979 unique usernames were found
7 of the top 10 passwords were all numeric, variations of 123 – 1234567890
Other popular passwords included ieee2012, IEEE2012, password, library and ADMIN123
38% of users use gmail, 7.6% use yahoo
It does not appear that the IEEE actually stores usernames and passwords in plaintext in its authentication database, but it is unclear why or how the passwords were included in the access logs
The IEEE acknowledged the breach
And issues a notice to its members, encouraging them to use strong passwords when they are forced to reset thier password
Additional Coverage

Your Android phone could be remotely erased by a malicious website

Security Researcher Ravi Borgaonkar revealed the exploit at ekoparty 2012
An apparent bug in the Samsung TouchWiz UI makes it possible for a malicious website or remote attacker to reset your Android device
The vulnerability can be exploited via NFC, QR code, SMS, or a web link
Remote wipe attack not limited to Samsung phones, Android dialer may be to blame
The vulnerability may actually be in the Android dialer, which would mean all devices are vulnerable
As a temporary fix you can get the TelStop app, which publishes a URL handler for tel: URLs and prevents the exploit from being used via websites
Additional Coverage:
Major Samsung Galaxy TouchWiz exploit hard resets a device by just visiting a website
Critical vulnerability in Samsung Galaxy S3, possibly other smartphones. – Spiceworks
Samsung has released new firmware that resolves the issue
- Samsung applies quick patch to dailer vulnerability

Feedback:

spleeeem submitted something handy for a common theme on our show, secure passwords: Password Storage Cheat Sheet
Best Way to Migrate a lot of Sites from Apache to NGINX
How to benchmark nginx?
Why can’t you just send the “finished” hash?
Mail Server with Blocked Port 25?
I wonder if I could get your thoughts on https://www.sendfilessecurely.com
Followup: rikai found an SSH SVR record wrapper script

Book: Nginx HTTP Server

It provides a step-by-step tutorial to replace your existing web server with Nginx. With commented configuration sections and in-depth module descriptions

Have some fun:

What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

Adobe Announces Rapid Release Cycle for Flash Player
Compromised phpMyAdmin download reinforces importance of verifying checksums . SourceForge is investigating how the copy of the file on a Korean mirror was compromised and downloaded by over 400 users
Android 4.0.4 NFC vulnerability exposed at Pwn2Own contest
How to build a passive ethernet tap, to spy on traffic as it crosses the wire
Microsoft may have known about IE 0-day flaw for months, credit goes to “TippingPoint Zero Day Initiative” on July 24th, not to researcher who disclosed the flaw in September
Bruce Schneier doesn’t want his algorithm, or any other, to win the SHA–3 competition
Guild Wars 2’s Mike O’Brien on Account Security

HALL of SHAME: Secret Microsoft policy limited Hotmail passwords to 16 characters

The post Password SecuritIEEE | TechSNAP 77 first appeared on Jupiter Broadcasting.

New STF Gear | STOked 109

chris — Mon, 09 Jan 2012 20:38:22 +0000

The team takes a look at the new STF gear, and the current gear’s changes. Plus Chris shares his 2012 STO predictions, and plays back a few from 2011, find out how they did!

This will be the last STOked produced for the foreseeable future. The show will be going on hiatus.

I plan to take another look at things, perhaps as the new featured episodes are near release, or something really exciting that I want to share with you all. And I will continue to monitor news and the STO community closely.

Check out the live stream on Saturdays, from time to time I plan to do live game play with the chat room during the hiatus. Following my G+ or Twitter feeds would be the fastest way to find out when those happen.

And finally, thank you so much for watching. If we make our return, I hope you’ll be there to tune in!

Direct Download Links

Subscribe via RSS and iTunes:

Fill out my Wufoo form!

[ad#shownotes]

Show Notes:

2011 PREDICTIONS from STOked 63

Jeremy:

Cryptic will acknowledge the positive impact the Foundry can have on their game, and embrace it by appointing a point of contact (or team) that will focus on publicity for the best-made and highly-reviewed player missions on a regular basis. Maybe a secondary weekly spotlight?
We will see an announcement toward the end of the year for a Romulan expansion. Including the new faction, 3–4 new sectors complete with PvE stories. The unique Romulan mechanic will be “espionage” and will be similar to Fed DXP.
More voice overs and cut scenes for episode content.

Chris:

Voice Overs + Cut Scenes (Demo record fly through)
More Star Trek
Slow Down
UGC will snowball into requiring a more robust out-of-game experience to discover and discuss new player created content.

2012 Predictions:

The possibility of failure lumes over STO. The price of failure may be too low.
The Foundry make it or break it time. DStahl has a big task on his hands. .
SW:TOR will help STO find it’s identity. SPACE COMBAT.
The next feature episode will be revealed to the community with the biggest fan fare yet.
D’angelo is replaced? The lack of transparency will turn the community even more angry. Anyone who takes the figure head spot, and does not chant “content, content, content” they will be flamed.
Foundry created episodes will take a larger role in the game. Cryptic will acknowledge them, and make efforts towards driving players towards them. After they get over having to admit they need the players to help them create content.
Crafting revamp replaces the current “vendorised” system with something spectacular and player skill based.
Additional writing staff, preferably with Star Trek experience, will be hired (possibly temporarily).
Cryptic will assign / hire a staff member to produce content using the Foundry toolset on a regular basis
STO will face it’s own “NGE” crisis and will only survive it by shifting focus to delivering content rather than game systems

Community Feedback

New STF Gear Sets:

Set feedback thread

Borg set (3 set items for 5 edc each from a vendor, console from the mission ‘Assimilation’).
Shield – The most regenerative shield of all the sets along with the lowest shield capacity and has a bonus resistance to plasma damage attacks to the shields by 15%. A bonus to shield power improves shield regen and resistance.

Engine – one of the slower impulse engines but a standard agility and a power bonus to engines, the greatest bonus of this engine is the ability for transwarp speed in sector space (minimum speed of warp 14).

Deflector geared towards (in order of magnitude) – Resistance – (geared towards greater hull boost, moderate restistance to shield/energy/movement debuff and a boost to auxillary power.
Hull Strength – change to an offensive debuff like power drain or exotic damage? Make it more offensive/adaptive deflector?
Resistance to shield and energy drain abilities
Resistance to hold, disable, repel, knock and slow effects
Knock, repel and slow abilities
Aux power (improve aux based abilities)

Aegis – a craftable set
Shields – highest capacity (for the feds) covarient shields with one of the lowest regenerations but grants a boost to shield power and shield strength.

Engines – geared towards speed and defense (performing better at higher engine speeds).

Deflector – Shield defense (geared towards shield strength, buffs and resistance to debuffs and a small boost to shield regen/resistance).
Shield strength – Boost to placate/confuse? Make it a more evasive deflector?
Shield repair/healing
Resistance to energy/shield drain abilities
Resistance to hold, disable, repel, knock and slow effects
Shield power (improves shield regen and shield resistance)

MACO – FED only
Shield – while the capacity is lower than a covarient, resilient shields regenerate slightly better and allow less damage to impact the hull. In addition for each attack you receive you gain a stacking 10 second bonus of +1 to all power settings. Shield grants a standard 20% plasma damage resistance to the shields.

Engine – while a tiny bit slower than the Aegis engines there is no bonus to having a high engine power. In addition, ships in sector space can travel at 9.99 (so we aren’t all going to turn in to amphibian beings ) and in the eventuality that your engines are disabled, you’ll still have some maneuverabilty.

Deflector – Defense orientated (geared towards hull strength, shield strength buffs, resistance to movement debuffs and transfering power between subsystems).
Hull strength
Shield repair/healing
Resistance to hold, disable, repel, knock and slow effects
Shield strength
Power transfer rate

Omega Force – FED/KDF
Shield – A less regenerative capacity version of the Borg shield. In addition though for each attack you receive you gain a bonus 5 flight speed and 30% turn rate for 5 seconds. Shield grants a standard 20% plasma damage resistance to the shields.

Engine – The fastest engine available to both factions and one of the most agile with a greater bonus when using a high engine power.

Deflector – Debuff orientated (equally passive and damaging debuff boost with a small boost to cloak detection and shield repair).
Cloak detection and sensor debuff resistance
Resistance to hold, disable, repel, knock and slow effects
Resistance to energy/shield drain abilities Change to hold, disable, repel, knock and slow effects? Make it a more ambush/hit and run deflector?
Improved accuracy
Damage from ‘exotic’ attacks

KHG – KDF only
Shield – the highest shield capacity covarient shield and one of the lowest regenerations, however, there is a 25% chance when hit by energy damage to debuff the enemy’s accuracy by 25% for 10 seconds and placate for 1 second. Shield grants a standard 20% plasma damage resistance to the shields.

Engine – the slowest engine overall but the most agile especially at low power levels with an added bonus of being able to restart disabled engines after only 1 second and a flat bonus to all power levels.

Deflector – strength and offense orientated (geared towards boosting hull strength and offensive debuffs with a bonus to transferring power).
Hull strength
Damage from ‘exotic’ attacks
Knock, repel and slow abilities
Power transfer
Improved cloak

The post New STF Gear | STOked 109 first appeared on Jupiter Broadcasting.