Systems – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed last built Thu, 28 Apr 2016 13:55:49 +0000.

On Target | TechSNAP 264
https://original.jupiterbroadcasting.net/99151/on-target-techsnap-264/
Thu, 28 Apr 2016 05:53:17 +0000

The post On Target | TechSNAP 264 first appeared on Jupiter Broadcasting.


This week, Chris & allan are both out of town at different shenanigans, but they recorded a sneaky episode for you in which they recap the Target breach, from when the news broke to the lessons learned and everything in between!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Episode Links:

One Key to Rule Them All | TechSNAP 263
https://original.jupiterbroadcasting.net/98991/one-key-to-rule-them-all-techsnap-263/
Thu, 21 Apr 2016 10:41:52 +0000

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.


This week, the FBI says APT6 has pwned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!


Show Notes:

FBI says APT6 has been pwning the government for the last 5 years

  • The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
  • The official advisory is available on the Open Threat Exchange website
  • The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
  • In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
  • “Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”
  • “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
  • Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is “likely a nation-state sponsored group based in China,” according to FireEye, which “has been dormant for the past several years.”
  • Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

  • After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
  • A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
  • The investigation centres on a Monaco company called Unaoil.
  • Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
  • The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
  • Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now known as MAN Diesel & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
  • The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
  • The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ exposé, that claim is demolished.
  • It is the Monaco company that almost perfected the art of corruption.
  • It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
  • How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
  • Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
  • On a semi-related note, another big story for you to go read:
  • How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

  • No, not that kind of Visa, the other one.
  • These are the systems run by the US State Department that issue the travel visas visitors from most countries need in order to be admitted to the US
  • This has very important security implications, because the visa application process is where most of the security checks on a traveller are done
  • Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter, though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
  • Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
  • After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database, the government’s so-called “backbone” for vetting travelers to and from the United States, was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
  • As one of the world’s largest biometric databases, covering almost anyone who has applied for a U.S. passport or visa in the past two decades, the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
  • “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
  • Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
  • State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
  • “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:


Round Up:


rm -rf $ALLTHETHINGS/ | TechSNAP 262
https://original.jupiterbroadcasting.net/98886/rm-rf-allthethings-techsnap-262/
Thu, 14 Apr 2016 18:34:12 +0000

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.


Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!


Show Notes:

Badlock vulnerability disclosed

  • The Badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
  • It turns out not to have been as big a deal as we were led to believe
  • The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
  • The flaw itself is identified as CVE-2016-2118: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
  • It affects all versions of Samba clear back to 3.0
  • “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
  • “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
  • See the Samba Release Planning page for more details about support lifetime for each branch
  • Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
  • The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
  • Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
  • It seems most of the “badlock” bugs were actually in Samba itself, rather than in the protocol as we were led to believe
  • “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
  • Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
  • standard Samba server – modify user permissions on files or directories.
  • There were also a number of related CVEs that are also fixed:
    • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
    • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
    • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
    • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
    • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
    • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
    • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most of the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connection by default, which makes man in the middle attacks possible.
  • Additional Coverage: Threatpost – Badlock vulnerability falls flat against its hype
  • “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
  • “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
  • Additional Coverage: sadlock.org
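Every one of the Samba-side fixes above comes down to whether signing and integrity are actually required, and those are smb.conf settings. Here is a small audit script as an added example (mine, not code from the episode, the Samba Team or Microsoft). It parses a constructed smb.conf for a domain controller left on the pre-Badlock settings, beside the same host with the post-fix options set explicitly, and reports what a man-in-the-middle could still downgrade. The option names are Samba’s (server signing, client signing, client ipc signing, ldap server require strong auth, allow dcerpc auth level connect); as far as I recall the last three were introduced in the 4.4.2/4.3.8/4.2.11 security releases, so on an older build they do not exist and the only fix is the upgrade. The pass/fail rules, the “set it explicitly” judgement and the value synonym list are this example’s own. One caveat from CVE-2016-2114 itself: before the fix, Samba did not enforce required signing even when it was configured, so a clean audit on an unpatched build means nothing.

```python
"""Audit an smb.conf for the signing/integrity settings behind the Badlock CVEs.

Added example (not code from the episode, the Samba Team or Microsoft).
Option names are Samba's; the pass/fail rules and the value synonyms are
this example's own reading of the advisories above.
"""
import re

# Constructed sample, not a real host's config: an AD DC still on the
# pre-4.4.2 settings. smb.conf only has whole-line comments.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server signing = auto
    client signing = if_required
    # 'client ipc signing' and 'ldap server require strong auth' not set

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = yes
"""

# The same host with the post-fix options set explicitly, so the result does
# not depend on which release's defaults happen to apply.
FIXED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server signing = mandatory
    client signing = mandatory
    client ipc signing = mandatory
    ldap server require strong auth = yes
    allow dcerpc auth level connect = no
"""

# Spellings treated here as "signing is required" (assumed synonym list).
_REQUIRED = {"mandatory", "required", "force", "forced"}
_YES = {"yes", "true", "on", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Option names are case- and whitespace-insensitive, as in Samba; a line
    whose first character is '#' or ';' is a comment (no inline comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip().lower()
    return sections


def audit_badlock(conf):
    """Return [(option, finding), ...] for settings that leave the
    man-in-the-middle downgrades from the advisories open. Empty means clean."""
    g = conf.get("global", {})
    is_dc = "domain controller" in g.get("server role", "")
    findings = []

    # CVE-2016-2114/2115: an unsigned SMB session carries ncacn_np DCERPC unprotected.
    server_signing = g.get("server signing")
    if server_signing is None:
        findings.append(("server signing",
                         "not set; the default is not 'mandatory' on a file server and was "
                         "wrong on an AD DC before 4.4.2, so set it explicitly"))
    elif server_signing not in _REQUIRED:
        findings.append(("server signing", f"'{server_signing}' lets a MITM strip signing"))

    # Client side of the same problem; 'client ipc signing' covers the IPC$ pipes.
    for option in ("client signing", "client ipc signing"):
        value = g.get(option)
        if value is None:
            findings.append((option, "not set; set 'mandatory' explicitly"))
        elif value not in _REQUIRED:
            findings.append((option, f"'{value}' allows a downgrade"))

    # CVE-2016-2112: LDAP to the DC without integrity protection.
    if is_dc and g.get("ldap server require strong auth") not in _YES:
        findings.append(("ldap server require strong auth",
                         "unset or not 'yes'; LDAP binds may proceed without integrity"))

    # DCERPC AUTH_LEVEL_CONNECT means authenticated but neither signed nor sealed.
    if g.get("allow dcerpc auth level connect", "no") in _YES:
        findings.append(("allow dcerpc auth level connect", "'yes' permits unprotected DCERPC"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}:")
        for option, finding in audit_badlock(parse_smb_conf(text)) or [("-", "no findings")]:
            print(f"  {option}: {finding}")
```

Run it as-is to see the four findings against the weak config and none against the fixed one; point parse_smb_conf at the output of testparm -s on a real host to audit the effective configuration rather than the file on disk.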

Panama Papers: Mossack Fonseca

  • Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
  • They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
  • The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
  • Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
  • There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
  • Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
  • Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
  • What little is known about the source of the leak comes from details published by German newspaper Süddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
  • Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
  • Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
  • On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
  • Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
  • Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
  • Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
  • Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
  • Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
  • Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
  • Additional Coverage: Forbes
  • Additional Coverage: WordFence
  • Additional Coverage: Slashdot
  • In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidentally rm -rf /’d, and destroyed my entire company

  • “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
  • “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script). How can I recover from a rm -rf / now in a timely manner?”
  • There is not usually any easy way to recover from something like this
  • That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
  • It is usually best to not have your backups mounted directly, for exactly this reason
  • Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
  • While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidentally rm -rf /’d in a roundabout way. Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), I used tab complete, and instead of rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
  • Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
  • When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
  • Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
  • There are plenty of other examples of this same problem though
  • Steam accidentally deletes ALL of your files
  • Bryan Cantrill tells a similar story from the old SunOS days
  • Discussion continues and talks about why rm -rf / is blocked on SunOS and FreeBSD
  • Additional Coverage: ServerFault
  • When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern Linux without the --no-preserve-root flag
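Both stories above are the same failure: the path handed to rm was not the path the operator thought it was, once because the template variables were never set and once because a trailing slash on a symlink made the kernel resolve the target instead of the link. As an added example (mine, not code from the episode, the ServerFault poster or Ansible), here is a Python guard that models both. It expands $VAR the way sh does by default, where an unset variable silently becomes the empty string so "$foo/$bar" collapses to "/", or refuses the way set -u does; and before recursing it strips the trailing slash and lstats the path, because with the slash still on it lstat follows the link and reports a plain directory. The scratch tree it operates on is created in a temporary directory by the example itself.

```python
"""Guard rails for a templated recursive delete.

Added example, not code from the episode, the ServerFault question or Ansible.
It models the two traps in the stories above: shell variables that were never
set, and 'rm -rf badname/' where badname is a symlink and the trailing slash
makes the kernel follow it.
"""
import os
import re
import shutil
import tempfile

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand_shell_vars(template, env, nounset=False):
    """Expand $VAR / ${VAR} like sh: an unset variable silently becomes "".
    With nounset=True behave like 'set -u' and raise instead."""
    def substitute(match):
        name = match.group(1)
        if name in env:
            return env[name]
        if nounset:
            raise KeyError(f"{name}: unbound variable")
        return ""
    return _VAR.sub(substitute, template)


def check_delete_target(path):
    """Return None if path is an acceptable target for a recursive delete,
    otherwise a reason string. Never deletes anything."""
    if not path or not path.strip():
        return "empty path"
    stripped = path.rstrip("/")
    if stripped == "":
        return "refusing to delete the filesystem root"
    if "//" in stripped:
        return "empty path component (unset variable?)"
    # lstat('link/') follows the link because of the slash; look at 'link' itself.
    if os.path.islink(stripped):
        return "target is a symlink; remove the link with os.unlink, not its target"
    if not os.path.isdir(stripped):
        return "target is not a directory"
    return None


def guarded_rmtree(path):
    """rm -rf with the checks above; raises ValueError instead of deleting."""
    reason = check_delete_target(path)
    if reason is not None:
        raise ValueError(f"refusing to delete {path!r}: {reason}")
    shutil.rmtree(path.rstrip("/"))


def demo():
    """Build a scratch tree in a temp dir, run both traps through the guard,
    and report what happened. Cleans up after itself."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "target")
    os.mkdir(target)
    victim = os.path.join(target, "customer.dat")
    with open(victim, "w") as fh:
        fh.write("precious\n")
    link = os.path.join(root, "badname")
    os.symlink(target, link)
    results = {}
    # Trap 1: the variables were never set, so the template collapses to "/".
    results["unset_expands_to"] = expand_shell_vars("$foo/$bar", {})
    results["root_refused"] = check_delete_target(results["unset_expands_to"])
    # Trap 2: tab completion appended "/" to the symlink name.
    results["islink_with_slash"] = os.path.islink(link + "/")  # False: the slash follows the link
    results["symlink_refused"] = check_delete_target(link + "/")
    try:
        guarded_rmtree(link + "/")
    except ValueError:
        pass
    results["victim_survived"] = os.path.exists(victim)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same two checks in the shell the script was actually written in are set -u (or "${foo:?}/${bar:?}" on the one line that matters) and passing the link name without a trailing slash to rm, or better, unlink, which never recurses.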

Feedback:


Round Up:


A Look Back On Feedback | TechSNAP 251
https://original.jupiterbroadcasting.net/93176/a-look-back-on-feedback-techsnap-251/
Thu, 28 Jan 2016 08:02:40 +0000

The post A Look Back On Feedback | TechSNAP 251 first appeared on Jupiter Broadcasting.


Since Allan is off being fancy at FOSDEM, we decided that now would be a good time to celebrate the audience & feature some of the best feedback we’ve had over the years!


Show Notes:

Episode List

Humanitarian Tech | WTR 31
https://original.jupiterbroadcasting.net/83817/humanitarian-tech-wtr-31/
Wed, 17 Jun 2015 10:29:04 +0000

The post Humanitarian Tech | WTR 31 first appeared on Jupiter Broadcasting.


Lisha is the Executive director of Geeks without bounds, an accelerator for humanitarian projects. She has found a great way to mix her desire to do humanitarian work along with technology!

Thanks to:

DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:


Show Notes:

Full transcription of previous episodes can be found below:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network interviewing interesting women in technology. Exploring their roles and how they are successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So, Angela, today we interviewed Lisha Sterling. She is the executive director for Geeks Without Bounds. She has a pretty awesome story where she started out actually doing humanitarian aid work, ended up in programing, and then wound back up in humanitarian aid work with programing. It’s a fascinating story. Geeks Without Bounds is a great program, and I’m super excited to have her on the show.
ANGELA: Me too. But before we get into the show, I want to tell you about DigitalOcean. If you go to digitalocean.com and you use the promo code heywtr, you can save $10.00, which turns out is a two month rental of a server. Right? Because it’s only $5.00 a month. They have datacenter locations in New York, San Francisco, Singapore, Amsterdam, and London. And basically, they’re a cloud hosting provider. You can spin up a cloud server in 55 seconds. That includes 512 megabytes of RAM, 20 gigabytes SSD, 1 CPU, and 1 terabyte transfer. And they also pay authors $100 to $200.00 for technical tutorials. So, if you happen to already use DigitalOcean or want to try it, and then like it so much that you want to write about it, you can get paid for that. After, of course, you save on two months of service.
PAIGE: Yeah, and their tutorials are bar none some of the best on the internet. I even end up there for things not for my DigitalOcean VPS, which by the way, with those SSDs is disgustingly fast.
ANGELA: So, if you use heywtr, you support Women’s Tech Radio. And it turns out, if you did not remember to enter a promo code when you started DigitalOcean, just go try to put it in there.
PAIGE: Yeah. I actually did that and it totally worked for mine.
ANGELA: After the fact.
PAIGE: Like a couple years ago when Coder Radio had it. That was sweet.
ANGELA: Yep, so you can still use it. So heywtr. Go to digitalocean.com
PAIGE: Yeah. And we got started with our interview with Lisha by asking her to explain her current position and what she’s up to in technology.
LISHA: I’m the Executive Director at Geeks Without Bounds and we support humanitarian open source projects through a combination of hackathons and an accelerator program. So, my work these days sort of entangles both my early career in international aid work and charity work and my academic side. I studied Latin American studies in college. And the rest of my professional life, which has been software development and systems engineering. And now I get to use technology to do disaster response and humanitarian aid and international development work.
PAIGE: Wow. That’s a pretty awesome way to use technology.
ANGELA: Yeah it is.
PAIGE: So that sounds like a pretty big jump from, you know, international aid work into software development. Can you tell me the story of like how that came to be for you?
LISHA: Yeah. So, first off, being, you know, a privileged white kid, I had my first computer when I was eight years old. Actually, my dad got me two Timex Sinclair 1000s. One for his house and one for my mom’s house. And connected it up to the black and white TV and put rubber bands around it so that the extra 16K of memory wouldn’t disconnect while we programmed. And thus I began my journey as a new programmer learning BASIC and then going there’s a thing called Assembly Language. And I got involved with a computer club and was your basic tomboy geek girl. Then I had my first kid when I was 17 and went off to El Salvador. Did aid work during the war and during the first year of the peace. Came back to the US, did a bunch of work with refugees. Had another kid. Decided that I should probably go to college. And since I’d been working with Central Americans and in Central America, it was obvious what I was going to study. I was going to study Latin American studies and go do more of the same sort of stuff. But being a mom with two small kids, I, and no real skills or degree, I was able to make $4.25 an hour and my childcare cost like $7.50 an hour. The math doesn’t add up.
ANGELA: No. Now that I have three, daycare just isn’t even an option.
LISHA: Yeah. So one of my friends from my young computing days, a young man that I dated when I was like 11 and 12, and our first date was actually to a tech conference at the Moscone Center.
ANGELA: That’s adorable.
LISHA: So, you know, we’re still friends as adults. And he said to me, why don’t you get a job as a programmer? And I was like, you’re crazy. I don’t have a degree in CS. I can’t program. He’s like, don’t be stupid. Nobody cares about your CS degree. Just tell them you can program. Show them some code and they’ll let you do it. But his caveat came. You must charge $25 an hour. I was like, I can’t charge $25 an hour. He’s like, no if you do not charge $25 an hour I will never speak to you again.
ANGELA: Oh my goodness.
PAIGE: So I’m going to pause you there, because this is a really interesting question that I always dig around. Why could you not charge $25 an hour?
LISHA: Well, because I was getting $4.25 an hour. The idea-
ANGELA: Perceived value. Perceived value.
LISHA: Right. The idea that I was going to go to somebody and have balls enough to say, yeah I’m a programmer. I don’t have any degrees or any proof that I can actually do this, but you should totally pay me $25 an hour for it.
ANGELA: Inferiority complex. Yep. I’m familiar with all of that.
LISHA: Yeah. Yeah. So, but, you know my friendship was on the line and my need to take care of my children was on the line. So I did it and just about keeled over the first time somebody said, yes we will hire you.
ANGELA: Wow.
PAIGE: What did it take to get your foot in the door? Was it really just like you friend said? You just showed up and were like, look I can program. Let’s go.
LISHA: Actually, yeah. It literally was that easy. So I went for low hanging fruit right at the start, since I was at community college at the time. And so at the time I was working as an administrative assistant for Sybase. This probably puts the timing into, into perspective.
PAIGE: Your choice of computer, your choice of computer at the top made that pretty clear.
LISHA: Right. Right. Right. Yeah, so I was working for Sybase as an administrative assistant and had gotten the opportunity to play with web stuff there on the side. The first browsers were out, but nobody was really using them. So even at Sybase they were like, this is stupid. Why are you wasting your time with this? But of course I was going to college so I went to all of my professors and I said have you seen this thing called the web? You should check this out. You can put your research up and you can put your classwork stuff up.
PAIGE: Which is exactly what the web was originally built for, was to share research.
LISHA: Right. Exactly. And they said, oh wow that’s neat. And yeah could you do that for me. So that was how I got my foot in the door. And then, you know, I got a little bit braver and I went to the administrators of the Peralta College District. So I went to the administrators at the Peralta College District and said, you know, you guys should really have a better website. And they said, you know what, you’re right. And so I got to do some contracting for them. And then I found out about dice.com and actually the same friend that told me that I had to charge $25 or never speak to me again told me about Dice. And at the time, almost nobody knew about it and you had to get your Dice listings off of Gopher. And he told me, don’t tell anyone about this, because when everyone knows about it then it’s going to start getting harder to get jobs. So you’re not allowed to tell anybody about it. So, you know, there I was in the early ‘90s using Dice by Gopher. But I found some jobs and then recruiters started contacting me and I found that I could actually work from home, which by that time was actually the UC Berkeley family housing. I was able to basically pay for my own schooling with scholarships, pay for my kids’ daycare and private school with programming. And everybody kept saying why aren’t you studying computer science, and I would say I’m already working in computer science, why would I get a degree in it? But then eventually I finished my bachelor’s degree and I intended to go on with grad school, but I had that moment where it’s like I need some time without poverty and working just enough hours to keep us afloat is, we’ve done that for a while. I need to spend some time working full time. And then work ended up eating my life for oh, 20 years.
PAIGE: So at that point you got a full time job in computer science somewhere?
LISHA: Yeah. At that time I ended up getting full time work. I worked, while in the mid-90s I worked at Wells Fargo Bank doing problem and change tracking during the Y2K reprogramming stuff. Anybody who says that the Y2K thing was nothing, was not there to program all the fixes.
PAIGE: Yeah. It only wasn’t a thing because you guys were doing it.
ANGELA: Yeah.
LISHA: Right. Exactly. It wasn’t a thing because there were a lot of people working really hard to make sure it was not a thing. So I was there. I worked, I did random contracts for media companies and whatnot in the San Francisco Bay area. Amazon, I worked at Amazon in the UK. That kind of thing.
PAIGE: And then eventually stumbled back into Geeks Without Bounds?
LISHA: Yeah. So my first sort of hit between the eyes was 2001 and after 9/11 I said I’m not working on any more Microsoft or any more closed source from here on out. I’m only going to do open source, because I’ve already sold my soul and I’m not doing humanitarian work, at least I’m going to do code work that I care about. So from 2001 onward I was working almost exclusively on open source software. And then even that kind of hit me at some point. I’m like, I went to college so that I could do humanitarian work. Why am I still writing code? And so I decided to just quit everything and figure out what I was going to do with my life, when I grow up. And I declared myself an un-graduate student. If you’re familiar with the idea of unschooling, which is like homeschooling without a curriculum.
ANGELA: Yep.
LISHA: There’s also such a thing as un-college. And I don’t know, there might be somebody else in the world who came up with the idea at about the same time I did, or even before I did, but I came up with this sort of independently. Where I had been thinking about going back to grad school and then said why would I get myself into more debt? I’m going to un-grad school. So that’s what I did. And that ended up getting me into an organization called The School Factory, which is the fiscal sponsor for Geeks Without Bounds. And then that, of course, led me into Geeks Without Bounds. I started out as a volunteer. Then I was the developer coordinator. And then last year I became the executive director.
PAIGE: Congratulations.
ANGELA: Yeah.
LISHA: Thank you.
PAIGE: That’s a really awesome journey. It’s all over the map, but it’s very personal . And I love that about tech. It’s not a straight and narrow path.
LISHA: Yeah. Yeah. And there’s lots of ways you can come to tech and there’s lots of things you can do with the tech once you’re in it or playing with it. It’s not just one tool. It’s like all these different tools. It’s kind of like saying, what can you do with wood? Well, you can do all sorts of things with wood.
PAIGE: Right. What do you want to do with wood?
LISHA: Right.
PAIGE: Yeah. So, I think a lot of people would hear your story and say, well you kind of had perfect timing. You’re like in the Bill Gates timing era, where if you just caught on to the right thing at the right time you were good to go. How would you respond to somebody saying that in today’s climate? Oh, I couldn’t just show up and say I know how to code, pay me $25 an hour, let’s go, kind of a thing. Because I would argue that in some ways we’re kind of seeing that again, but what are your thoughts?
LISHA: I think we’re absolutely seeing that again. I think that right now is a really good time to ride the wave of open source into your dream job. And so, a little shameless promotion here. At Geeks Without Bounds, one of the programs that we have is an internship program and we take novice developers who have, who have learned some programming skills but have either never gotten any job experience or they don’t know how to use GitHub and work in a team, or go through issue tracking and figure out how to pick a project out of the issues, you know, that kind of thing. We give them mentorship. We have them work on some of the humanitarian projects in our ecosystem and we try to shove them at as many other opportunities to get a real job as possible. Sometimes we also manage to get a grant here or there to get them a stipend, but most of them are sort of slave labor in exchange for lots of mentorship. And their code is up on GitHub so that they can show it to other people. And we have had some really great success with people coming into that program. Doing some amazing work on one project or another over the course of three months, five months, six months, and then going on to get a real job in programming. We had one guy who had studied aeronautical engineering. Got all the way through his degree and realized that that was not what he wanted to do with his life and what he really wanted to do was be a programmer.
PAIGE: That’s a big investment to make that shift.
LISHA: Exactly. And I snagged him and I was like, let me put you to work. And it was fantastic. He got projects that he really enjoyed working on. He learned a whole bunch of stuff very fast. He managed to get a stipend and then he got a paid internship and then, you know, he’s working full time as a developer in Chicago and, you know, you can totally do that. And you don’t have to have to have a bachelor’s degree to begin with either. Anybody really can do that.
PAIGE: So do you take a lot of people who have maybe done either a lot of self-taught stuff on the internet now or boot camp graduates? How do you people kind of end up ready to go into Geeks Without Bounds internships?
LISHA: All of the above. I’ve had people who were in their junior or senior year of college decide to spend the summer working on projects with us. I’ve had people that were totally and completely self-taught. And there’ve been people who’ve done some sort of boot camp like experience. So they knew a bit more about how to work in teams and things like that, but they just wanted to get some more work experience while they were looking for a job. They already knew how to look for a job, they just wanted to keep their, the code lines on GitHub up while they were looking for that job. So, yes.
PAIGE: And that’s, I mean that’s one of the biggest recommendations I give to anybody who’s going through boot camp is keep committing. Just keep getting it up there.
LISHA: Absolutely.
PAIGE: So that’s kind of the intern side of it. How about in the nonprofit side. How does a nonprofit get involved with you? Are they just finding you online? Are you doing events or something to kind of bring them in? What does that look like?
LISHA: We end up meeting people in all sorts of situations. Sometimes at conferences or at say disaster response drills. Sometimes we’ll meet people there. Sometimes it’s literally look for who’s in the area that needs support right now. And sometimes people come to us. And then, basically we just kind of have lots of conversations and develop relationships over time and let people know that if they have challenges that they think that technology could help them with, that we are happy to help them craft that into a challenge that somebody can actually address. And when we’re crafting or curating challenges for hackathons, we try to create a challenge that can actually be addressed in a weekend. So there might be back story and a problem that clearly this is not going to be solved in a weekend, but here’s the backstory and here’s the piece we want to accomplish this weekend.
PAIGE: So you guys kind of handle the project managy end of that prepping it to go into the hackathon?
LISHA: Right. Exactly. And then, so once you get a starting point basically, if you’ve got, say an app that sort of is attempting to deal with the big pictures, um, then you can break that down into lots of different challenges and you can take that from one humanitarian hackathon to the next to the next. And the great thing about that is that you start with a couple of people who got interested in the project at the first hackathon and maybe on those, maybe two people will stay on board and keep working on the project over time.
PAIGE: Which is one of the biggest challenges with hackathons is actually getting people to commit, almost.
LISHA: Exactly. So you take the project to the next hackathon. And let’s say four or five people work on it and one of those people decides they want to keep working on the project long term. So now you’ve just snowballed your team. You’ve got two people or three people instead of just the people from the original hackathon. And then you take it to the next one and it gets stickier. And the more work has been done and the larger the core team is, the stickier the ball gets as it goes from one hackathon to the next.
PAIGE: It builds momentum.
LISHA: Yeah. It builds momentum and you get to a certain point where you can actually have a whole hackathon where all the challenges that are being presented are all based around that one piece of software. So, for instance, one of the projects that started at a hackathon, Taarifa, that project has had multiple hackathons that are just about Taarifa. Where all of the challenges are all, either bug fixes or feature requests for Taarifa that have ranged from improving the documentation to creating a Swahili translation for all of the text, to fixing the security bugs, to creating new features. And that team is one of, one of the most amazing teams that we’re working with right now, actually. I’m pretty impressed with where that project has ended up. It’s being used by the World Bank in many countries in Africa. We at Geeks Without Bounds are part of a consortium that is being supported by HDAF, UK aid to put Taarifa into the water system in Tanzania in order to allow citizens to report to the government when water pumps and spigots and other water points are broken. And allows the government to keep track of what is working and what is broken in the water infrastructure everywhere in the country.
PAIGE: Crowdsourcing water maintenance. That’s awesome.
ANGELA: That is awesome.
LISHA: Exactly. Exactly. And Taarifa was originally developed for water management, actually. But now it’s being used for tracking education systems, healthcare systems, and this summer I’m going down to Ecuador to work with people from the Kofan community in Northern Ecuador in order to use Taarifa to track pollution and encroachment in the Amazon Jungle. So pretty awesome little piece of software there.
PAIGE: Yeah. So you have a formal commitment in your life to only work on open source software. Is that something that’s carried forward that Geeks Without Bounds is also doing when they’re doing these projects with nonprofits?
LISHA: Yes.
PAIGE: Are you largely open source, mostly? What’s the deal?
LISHA: It’s all open source. We specifically work on open source humanitarian projects. So open source projects that for whatever reason we can’t find a way to call it humanitarian, we don’t work on those. We’ve managed to find ways to call lots of ways humanitarian though. Today we were working on a PGP email app for Firefox OS phones.
PAIGE: Wow.
LISHA: And I consider that to be a humanitarian issue because Firefox OS phones are marketed to low income people in developed countries. And to people in the least developed countries on the planet. So, in other words, Firefox OS phones are being marketed to vulnerable people. And as a system it doesn’t have the security and privacy pulls that an iPhone or an Android phone has. And at the moment there’s no guardian project for Firefox OS. So we’re trying to kick one off, basically.
PAIGE: Yeah. So I’m going to jump in just for anybody listening who doesn’t know, PGP is an email encryption program called Pretty Good Privacy. It’s kind of the de facto standard right now for email encryption. Usable by anybody. If you’re interested in having encrypted email, there’s tons of stuff online. And one of our former guests, uh Snubs, has some awesome tutorials on Hak5 about how to do that if you want to check it out. But yeah, so privacy and security.
LISHA: And for newbies to PGP who use hotmail or yahoo mail or Gmail, I would recommend looking up a program called Mailvelope. It’s a Firefox and Chrome plugin. So you just plug it into your browser and then it recognizes that you’re on a webmail site and it will allow you to encrypt your email in webmail. Which is pretty cool.
PAIGE: Yeah. That’s pretty awesome. I mean this project you’re involved with, I’m not going to lie, it touches my heart in a very special way. I think that technology can change the world if we let it. And I think getting more people involved at that level is just phenomenal. The way that you’re doing it is great. If people want to find you how do they do that? To find Geeks Without Bounds, to get involved either as a nonprofit or as a coder, whatever?
LISHA: Whatever, yeah. So we’re online at gwob.org.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember, you can go to jupiterbroadcasting.com for the show notes and a full transcription, as well as the contact form. Drop down the show drop down to Women’s Tech Radio and send us your feedback or suggestions on who you’d like to hear on the show.
PAIGE: You can also check us out on iTunes and our RSS feed is linked at our show page on Jupiter Broadcasting. If you have a moment, please leave us a review on iTunes. Those help out the show and also lets us know what you think. And also, follow us @heywtr on Twitter. We’ll talk to you soon.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post Humanitarian Tech | WTR 31 first appeared on Jupiter Broadcasting.

An Encryptioner’s Conscience | TechSNAP 217
https://original.jupiterbroadcasting.net/83272/an-encryptioners-conscience-techsnap-217/
Thu, 04 Jun 2015 17:35:50 +0000

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.


The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

— Show Notes: —

The sad state of SMTP (email) encryption

  • This article talks about the problems with the way email transport encryption is done
  • When clients submit mail to a mail server, and when mail servers talk to each other to exchange those emails, they have the option of encrypting that communication to prevent snooping
  • This “opportunistic” encryption happens if the server you are connecting to (as a client, or as another server), advertises the STARTTLS option during the opening exchange
  • If that keyword is there, then your client can optionally send the STARTTLS command, and switch further communications to be encrypted
  • The first problem with this is that it happens over plain text, which has no protection against modification
  • Some Cisco firewalls, and most bad guys, will simply modify the message from the server before it gets to you, to remove the STARTTLS keyword, so your client will assume the server just doesn’t speak TLS.
  • Do we maybe need something like HSTS for SMTP?
  • When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
  • But this is only the beginning of the problem
  • SSL/TLS are designed to provide 3 guarantees:
    • Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented SSL Certificate is issued by a trusted CA
    • Integrity: The message was not modified or tampered with by someone during transit. This is provided by the MAC (Message Authentication Code), a hash that is used to ensure the message has not been modified
    • Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption using a session key negotiated with the other side using asymmetric cryptography based on the SSL Certificate.
  • Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates.
  • Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
  • The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name here, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
  • But, even if we did enforce this, and reject mail sent by servers with self-signed certificates, without DNSSEC, someone could just spoof the MX records, and instead of my email being sent over an encrypted channel to your server, which I have verified, I would be given an incorrect MX record, telling me to deliver mail to mx1.evilguy.com, which has a perfectly valid SSL certificate for that domain
  • In the end, the better solution looks like it will be DNSSEC + DANE (publish the fingerprint of the correct SSL certificate as a DNS entry, alongside your MX record)
  • With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point
  • Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected. If it eventually makes it to its destination, people are much less likely to notice.
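To make the STARTTLS-stripping point and the DANE fix concrete, here is an added example in Python (not code from the episode or from any mail server). It parses an EHLO reply, shows that an opportunistic client silently falls back to cleartext once the keyword is gone while a require-TLS policy refuses to send, and builds and checks a TLSA fingerprint of the kind the DNSSEC + DANE bullet describes. The EHLO replies, host names and certificate bytes are constructed for the demo.

```python
"""SMTP STARTTLS discovery and a DANE-style TLSA check.

Added example, not code from the episode or from any mail server.  The EHLO
replies and the certificate bytes below are constructed for the demo.
"""
import hashlib
import hmac
import re

# Constructed EHLO reply as an honest server sends it: "250-" lines continue
# the reply, the final "250 " line ends it (RFC 5321 section 4.2.1).
EHLO_HONEST = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# The same reply after a middlebox has removed the STARTTLS keyword.  Nothing
# in the cleartext reply lets the client notice the edit.
EHLO_STRIPPED = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

OPPORTUNISTIC = "opportunistic"  # use TLS only if the server advertises it
REQUIRE_TLS = "require"          # never send in cleartext (HSTS-like policy)

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return (code, [extension keywords]) from a multi-line EHLO reply."""
    lines = reply.rstrip("\r\n").split("\r\n")
    code, keywords, terminated = None, [], False
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if match is None:
            raise ValueError("malformed reply line: %r" % line)
        this_code, separator, text = match.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        if separator == " ":
            if index != len(lines) - 1:
                raise ValueError("data after the final reply line")
            terminated = True
        if index == 0:
            continue  # the first line is the greeting, not an extension
        if text:
            keywords.append(text.split()[0].upper())
    if not terminated:
        raise ValueError("reply never terminated")
    return code, keywords


def choose_transport(reply, policy):
    """Decide what to do after EHLO: 'starttls', 'cleartext' or 'refuse'."""
    code, keywords = parse_ehlo(reply)
    if code != "250":
        return "refuse"
    if "STARTTLS" in keywords:
        return "starttls"
    # No STARTTLS offered: an opportunistic client falls back to cleartext,
    # which is exactly what a stripping middlebox is counting on.
    return "cleartext" if policy == OPPORTUNISTIC else "refuse"


def tlsa_rdata(cert_der, usage=3, mtype=1):
    """Presentation form of a TLSA record (RFC 6698) for the full certificate
    (selector 0).  Matching type 0 = raw DER, 1 = SHA-256, 2 = SHA-512.
    Usage 3 (DANE-EE) pins the end-entity certificate itself, so no CA is
    needed.  Selector 1 (SubjectPublicKeyInfo only) needs an ASN.1 parser
    and is left out of this example."""
    if mtype == 0:
        data = cert_der
    elif mtype == 1:
        data = hashlib.sha256(cert_der).digest()
    elif mtype == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d 0 %d %s" % (usage, mtype, data.hex())


def tlsa_matches(record, cert_der):
    """True if the certificate the server presented matches the TLSA record."""
    usage, selector, mtype, data = record.split()
    if selector != "0":
        raise ValueError("only selector 0 (full certificate) is supported")
    expected = tlsa_rdata(cert_der, int(usage), int(mtype)).split()[3]
    return hmac.compare_digest(expected, data.lower())
```

The two policies differ only in the branch taken when STARTTLS is absent, which is why stripping works so well against opportunistic clients: there is no error to log, the mail just goes out in the clear. The TLSA check only means something when the record itself came from a DNSSEC-validated answer; an unsigned TLSA record can be spoofed exactly like the MX record above.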

Researchers find 60 flaws in 22 common consumer network devices

  • A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
  • They found serious flaws in 22 different SOHO network devices, including those from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
  • Most of the devices they surveyed were ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact, since almost every Internet user in Spain has one of these 22 devices
  • They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices
    • Persistent Cross Site Scripting (XSS)
    • Unauthenticated Cross Site Scripting
    • Cross Site Request Forgery (CSRF)
    • Denial of Service (DoS)
    • Privilege Escalation
    • Information Disclosure
    • Backdoor
    • Bypass Authentication using SMB Symlinks
    • USB Device Bypass Authentication
    • Bypass Authentication
    • Universal Plug and Play related vulnerabilities
  • All of this makes me glad my router runs FreeBSD.
  • Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560 MHz MIPS CPU and can run FreeBSD 11 or Linux-based firmware such as DD-WRT
  • Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

  • “CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
  • It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
  • “According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
  • “There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
  • “As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
  • “On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)
  • So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
  • Such targeted attacks on teleworkers are a disturbing new trend
  • The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
  • “Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
  • Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian
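The registrations described above lend themselves to a simple defensive check: generate the lookalike spellings of the brand domains you care about (the l/1, i/l, i/1 and m/nn swaps named in the notes, plus a few other common ones) and match DNS query logs against them. This is an added example in Python, not code from the episode or from ThreatConnect; the brand list, the substitution table and the DNS log lines are constructed.

```python
"""Flag lookalike domains (we11point, prennera, careflrst, caref1rst,
EmpireB1ue style) in DNS query logs.

Added example, not code from the episode or from ThreatConnect.  Brand list,
substitution table and log lines are constructed.
"""
import re

# Character swaps seen in the campaign described above, plus a few common ones.
SUBSTITUTIONS = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "m": ["nn", "rn"],
    "o": ["0"],
    "e": ["3"],
}

# Constructed brand list (Anthem was Wellpoint before its name change).
BRANDS = [
    "wellpoint.com",
    "anthem.com",
    "premera.com",
    "carefirst.com",
    "empireblue.com",
]

# Constructed DNS query log in a resolver-style format.
DNS_LOG = """\
2015-05-20T10:01:12Z client=10.1.4.22 query=myhr.we11point.com type=A
2015-05-20T10:01:13Z client=10.1.4.22 query=www.wellpoint.com type=A
2015-05-20T10:03:45Z client=10.1.7.9 query=hrsolutions.we11point.com type=A
2015-05-20T10:05:02Z client=10.1.2.31 query=portal.prennera.com type=A
2015-05-20T10:06:17Z client=10.1.9.4 query=careflrst.com type=MX
2015-05-20T10:06:18Z client=10.1.9.4 query=caref1rst.com type=A
2015-05-20T10:07:40Z client=10.1.3.8 query=empireb1ue.com type=A
2015-05-20T10:08:01Z client=10.1.3.8 query=www.example.org type=A
"""

_QUERY = re.compile(r"query=(\S+)")


def lookalikes(label):
    """Lookalike spellings of one domain label: every substitution applied at
    each single position and at all positions at once (we11point needs both
    l's replaced, careflrst only one i)."""
    variants = set()
    for src, alternatives in SUBSTITUTIONS.items():
        positions = [i for i, ch in enumerate(label) if ch == src]
        if not positions:
            continue
        for dst in alternatives:
            variants.add(label.replace(src, dst))
            for p in positions:
                variants.add(label[:p] + dst + label[p + 1:])
    variants.discard(label)
    return variants


def build_watchlist(brands):
    """Map each lookalike registrable domain back to the brand it imitates."""
    watch = {}
    for brand in brands:
        label, _, suffix = brand.partition(".")
        for variant in lookalikes(label):
            watch["%s.%s" % (variant, suffix)] = brand
    return watch


def flag_lookalikes(log_text, brands=BRANDS):
    """Return [(queried name, imitated brand)] for every log line whose
    query name, or any parent of it, is on the watchlist."""
    watch = build_watchlist(brands)
    hits = []
    for line in log_text.splitlines():
        match = _QUERY.search(line)
        if match is None:
            continue
        qname = match.group(1).lower().rstrip(".")
        labels = qname.split(".")
        # Walk up the name so subdomains of a lookalike are caught too.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in watch:
                hits.append((qname, watch[candidate]))
                break
    return hits


if __name__ == "__main__":
    for qname, brand in flag_lookalikes(DNS_LOG):
        print("lookalike of %-15s %s" % (brand, qname))
```

A watchlist built this way is cheap to run against resolver logs or newly registered domain feeds, and because every entry maps back to the brand it imitates, a hit tells the analyst which organisation's users are being targeted, not just that an odd name was looked up.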

First review of Intel’s new Broadwell desktop processors

  • The long awaited new line of desktop processors has landed
  • Problems with the new 14nm fabrication process resulted in the entire Broadwell line being delayed, significantly in the case of the desktop chip
  • The two new models are the Core i7 5775c, and Core i5 5765c with a 65W TDP
  • These Broadwell chips have a lower TDP than their top-end Haswell cousins, actually being closer to the lower clocked i7-4790S than the top end i7-4770K
  • Overall, speeds are not quite as fast as the current generation Haswell flagship processors
  • These new processors use Intel’s Iris Pro 6200 Integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
  • Broadwell will soon be replaced by Skylake, later this year, so you might want to wait to make your next big purchase
  • Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
  • In the end, it is a bit unexpected for the desktop range to include only 2 processors, both at the middle TDP, with no offerings at the lower end (35W) or higher end (88W)
  • Some of the benchmarks suggest the eDRAM may help with video encoding


Patch and Notify | TechSNAP 197
https://original.jupiterbroadcasting.net/75657/patch-and-notify-techsnap-197/
Thu, 15 Jan 2015 22:21:43 +0000

The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.


Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!

— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
  • “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with Lizard Squad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
  • This is the result of too many vendors taking far too long to resolve bugs after they are notified
  • Researchers have found that they need to straddle the line between responsible disclosure and full disclosure, as it is irresponsible not to notify the public when it doesn’t appear as if the vendor is taking the vulnerability seriously.
  • Microsoft also patched a critical telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe Flash update to address multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles Flash
  • In fact, if you use Chrome and Firefox on Windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: precise, simple, and consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on Facebook or Twitter
  • Some examples of good questions:
    • What is the name of the first beach you visited?
    • What is the last name of the teacher who gave you your first failing grade?
    • What is the first name of the person you first kissed?
    • What was the name of your first stuffed animal, doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it is not your Facebook but theirs that might leak the answer; you cannot control what information other people expose)
  • Sample question scoring

Celebrity Bugs | TechSNAP 191 https://original.jupiterbroadcasting.net/73082/celebrity-bugs-techsnap-191/ Thu, 04 Dec 2014 20:52:33 +0000

2014 has been the year of the celebrity bugs; we take a look at the new trend of giving security vulnerabilities names & logos & ask who it truly benefits.

Plus a practical way to protect yourself from ATM skimmers, how they work & much more!


— Show Notes: —

Wiretapping ATMs

  • “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to the ATM’s internal card reader.”
  • “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
  • “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
  • So, they attach to the REAL card reader, and siphon off a copy of the data as the card is read
  • That makes this form of skimming pretty much undetectable (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
  • The Krebs article also talks about new “insert transmitter skimmers” that use a small battery and transmit the skimmed data a short distance, meaning the attacker does not have to return to the scene of the crime to collect the stolen data, decreasing their risk of getting caught
  • “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
  • “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”

Bug naming and shaming

  • This article discusses the advantages and disadvantages of having named and branded bugs like Heartbleed, as well as some behind-the-scenes info on that exploit and the people behind the naming of various other vulnerabilities since then
  • “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
  • Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with OpenSSL, Red Hat, CloudFlare, Facebook, and Akamai
  • Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informed the National Cyber Security Centre Finland the next day
  • They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into super stardom. They had a logo and website designed, and prepared for the public disclosure of the bug
  • The original public disclosure was supposed to be made on April 9th. However, after details started to leak, and the OpenSSL team decided that if more than one group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
  • “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
  • “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
  • “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
  • “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
  • In the end, it seems Heartbleed was a success, most systems were patched quite quickly, although many systems did not follow the full procedure, and that has had some fallout that we have covered
  • In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, it helps to bring these actors out of the shadows and into the light.”
  • Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
  • ShellShock was the anti-case. It didn’t have a logo, or an official website. ShellShock timeline
  • It was actually originally dubbed BashDoor by its creator, but when it was leaked to the press by someone else, they provided the name ShellShock
  • Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion, where people thought they had already patched, but didn’t have the “latest” patch
  • Then, there were a number of follow-on vulnerabilities in bash that didn’t have names but were lumped in with ShellShock, which led to even more confusion
  • Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
  • Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
  • Who gains more from naming bugs: the end users who might become more aware of the issue and be able to protect themselves, or the PR-powered firms that exploit it for their own good?

Pixel Imperfect Security | TechSNAP 180 https://original.jupiterbroadcasting.net/67077/pixel-imperfect-security-techsnap-180/ Thu, 18 Sep 2014 14:55:29 +0000

Is there a fix to the human flaw in banking systems? We’ll debate. Plus how hackers can take over your internal network using a pixel on a webpage.

Then it’s a huge batch of your storage questions, the Giganews conspiracy & much, much more!


— Show Notes: —

5 people charged in identity theft ring linked to bank tellers

  • Five people have been charged as part of an identity theft ring in which bank tellers used personal information about customers to withdraw a total of $850,000 from numerous accounts over the course of several years.
  • The tellers used customer information to create fake driver’s licenses and checks to gain access to accounts
  • “The victims were customers at several banks in the region, including JPMorgan Chase and Bank of America locations in the Bronx, White Plains and Yonkers”
  • “The banks reimbursed the customers whose accounts were affected”
  • The five defendants were each charged with grand larceny, identity theft and scheme to defraud. Four of the five have already been arrested, while the fifth is from Florida and is currently being sought by the New York State Attorney’s office
  • “The three women involved in the scheme worked as tellers at a TD Bank in Apollo Beach, Fla., a Bank of America in White Plains, a JPMorgan Chase in White Plains, and a Wachovia (now Wells Fargo), in Newburgh, N.Y.”
  • How do you maintain security when it is the people who are supposed to enforce that security that are stealing the information?

Hacked Brazilian news site targets router DNS settings

  • In an attack we practically predicted on a previous TechSNAP…
  • The website of Politica Estadao (one of the biggest newspapers in Brazil) was compromised
  • The pages had a series of iframes injected, which basically carried out a simple brute-force attack against the admin credentials of common routers
  • “Five domains and nine DNS servers were found in this attack hosting bank phishing sites“
  • “The payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords,”
  • “Hackers are well aware of the shortcomings of home and small business routers, most of which are woefully shy of appropriate patching levels, and are likely protected only by a default or weak password“
  • “At the DEF CON conference last month, the SOHOpelessly Broken contest enumerated the security issues around SOHO routers. Fifteen zero-day vulnerabilities were disclosed and demonstrated during the contest, leading to seven full router compromises and another attack that could have led to corruption of the internal network.“
  • Watch your browser disclose your local network configuration
  • Additional Coverage: Sucuri
  • Additional Coverage: SecureList
  • Previous Coverage: TechSNAP 86
  • Previous Coverage: TechSNAP 106
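As an added example (not code from the show, Sucuri or Kaspersky), here is a small defensive scanner for the pattern described above: it parses a page and flags iframes or other resource tags whose src points at a private-network address, the way the injected frames aimed at home router admin interfaces did. The sample page, the `/set_dns` path and the credentials in it are constructed placeholders.

```python
"""Flag embedded resources that point at private-network (router) addresses.
Added example, not code from the show, Sucuri or Kaspersky. It looks for
injected iframes (or other resource tags) whose src targets an RFC 1918
address, often carrying credentials in the URL and sized or styled so the
visitor never sees them."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

RESOURCE_TAGS = {"iframe", "frame", "img", "script"}

class _RefCollector(HTMLParser):
    """Collects (tag, attrs) for every resource-loading start tag."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in RESOURCE_TAGS:
            self.refs.append((tag.lower(), dict(attrs)))

def _is_private_ip(host):
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # hostnames are not judged by this heuristic

def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def find_lan_probes(html):
    """Return one finding per embedded resource aimed at a private IP."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.refs:
        src = attrs.get("src")
        if not src:
            continue
        url = urlsplit(src)
        if not url.hostname or not _is_private_ip(url.hostname):
            continue
        findings.append({
            "tag": tag,
            "host": url.hostname,
            "username": url.username,          # credentials embedded in the URL
            "hidden": _is_hidden(attrs),
            "path": url.path + ("?" + url.query if url.query else ""),
        })
    return findings

# Constructed sample page: a legitimate CDN image plus two injected probes.
SAMPLE_PAGE = """<html><body><h1>Noticias</h1>
<img src="https://cdn.example.test/logo.png">
<iframe src="http://admin:changeme@192.168.1.1/set_dns?primary=203.0.113.5"
        width="0" height="0"></iframe>
<iframe src="http://gvt:changeme@10.1.10.1/" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_lan_probes(SAMPLE_PAGE):
        print(finding)
```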

It’s not a Bug, It’s a Weapon | TechSNAP 179 https://original.jupiterbroadcasting.net/66617/its-not-a-bug-its-a-weapon-techsnap-179/ Thu, 11 Sep 2014 18:27:44 +0000

Google leverages Chrome’s market share to push web security forward. Are we about to see zero-day exploits reclassified as weapons? Plus, ZFS gets the green light on Linux for production.

Then it’s a great batch of your questions, our answers & much, much more!


— Show Notes: —

Killing off SHA-1 in SSL certificates

  • “The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago”
  • “That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.”
  • The CA/Browser Forum is the group made up of Google, Mozilla, Microsoft, Apple, Opera, and most of the certificate authorities; it sets the policies its members follow
  • The forum is how the browsers decide which CAs to include in their trust store
  • Part of the problem was that older browsers and devices only supported SHA-1, and none of the SHA-2 (SHA-256, SHA-512) algorithms
  • The CA/Browser Forum officially deprecated SHA-1 in 2011; no new certificates that use SHA-1 are to be issued
  • Google is proposing to add increasingly severe warning messages for visitors to sites using SHA-1 certificates that have an expiration date after the end of 2016
  • Upgrades may still be complicated. Windows Server 2003 and Windows XP SP2 do not support SHA-256, only SHA-1. Servers would need to be upgraded, and Windows XP clients would need to install SP3. Android before 2.3 only supports SHA-1, and 2.2 is still quite popular
  • Support for serving two certificates, an upgraded one for clients that support it and a legacy certificate for ones that do not, is being worked on. Apache supports it now, and work is underway to add support to NGINX and Apache Traffic Server.
  • GlobalSign’s SHA-256 compatibility matrix
  • It is nice to see the steps being taken with plenty of time for everyone to update gracefully. In the past, the move away from MD5 was much less smooth, only finally spurred on by the real danger of rogue certificates via MD5 collisions
  • The CA/Browser Forum similarly disallowed new 1024-bit certificates in 2010, with no certificate to have an expiration date later than Dec 31st 2013. Mozilla recently pulled the plug on 1024-bit certificates, leaving 107,000 “valid” certificates no longer trusted
  • SSL Labs breaks down what you need to know
  • Additional Coverage: Why Google is Hurrying to kill SHA-1
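As an added example (not code from the show or from Google), the sunset schedule expressed as a check a site operator can run over their own chain metadata. It goes beyond the Chrome 39 rule quoted above: the Chrome 40 and 41 tiers follow the later steps of the same Google “Gradually sunsetting SHA-1” announcement, the root’s own self-signature is deliberately not counted, and the certificate names and dates are constructed placeholders.

```python
"""Chrome's SHA-1 sunset schedule applied to an HTTPS certificate chain.
Constructed example, not the show's or Google's code. The page states the
Chrome 39 rule; the Chrome 40/41 tiers are the later steps of the same
Google "Gradually sunsetting SHA-1" announcement."""
from dataclasses import dataclass
from datetime import date

# Signature algorithms that count as SHA-1-based for this policy.
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

@dataclass
class Cert:
    subject: str
    sig_alg: str       # algorithm the issuer used to sign this certificate
    not_after: date    # expiry (notAfter)
    is_root: bool = False

def chain_uses_sha1(chain):
    """True if any non-root certificate carries a SHA-1 signature. The root's
    self-signature is ignored: clients trust roots by identity (trust store
    membership), not by verifying that signature."""
    return any(c.sig_alg in SHA1_ALGS for c in chain if not c.is_root)

def sha1_ui_state(chain, chrome_version):
    """Chrome UI state for a chain ordered leaf first, root last.
    The tier depends on the *leaf* certificate's expiry date."""
    if not chain_uses_sha1(chain):
        return "secure"
    exp = chain[0].not_after
    if chrome_version >= 41:
        if exp >= date(2017, 1, 1):
            return "affirmatively insecure"
        if exp >= date(2016, 1, 1):
            return "secure, but with minor errors"
    elif chrome_version == 40:
        if exp >= date(2017, 1, 1):
            return "neutral, lacking security"
        if exp >= date(2016, 6, 1):
            return "secure, but with minor errors"
    elif chrome_version == 39:
        if exp >= date(2017, 1, 1):
            return "secure, but with minor errors"
    return "secure"  # SHA-1 present, but the leaf expires before the cut-off

def certs_to_reissue(chain):
    """Subjects to reissue with a SHA-2 signature to clear the warning."""
    return [c.subject for c in chain if not c.is_root and c.sig_alg in SHA1_ALGS]

# Constructed sample chains (names are placeholders).
ROOT = Cert("Example Root CA", "sha1WithRSAEncryption", date(2030, 1, 1), True)
MIXED_CHAIN = [  # SHA-256 leaf, but the SHA-1 intermediate still taints the chain
    Cert("www.example.test", "sha256WithRSAEncryption", date(2017, 6, 30)),
    Cert("Example Intermediate CA", "sha1WithRSAEncryption", date(2020, 1, 1)),
    ROOT,
]
SHORT_LIVED_CHAIN = [  # SHA-1 leaf expiring before the Chrome 40 cut-off
    Cert("short.example.test", "sha1WithRSAEncryption", date(2016, 3, 1)),
    ROOT,
]

if __name__ == "__main__":
    for v in (39, 40, 41):
        print(f"Chrome {v}: {sha1_ui_state(MIXED_CHAIN, v)}")
    print("reissue:", certs_to_reissue(MIXED_CHAIN))
```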

Will selling 0-day exploits soon be considered “Arms Dealing” and be illegal?

  • VUPEN and others are now following the Wassenaar Arrangement that classifies their 0-days and exploits as regulated and export-controlled “dual-use” technologies. Going forward they will only sell to approved government agencies in approved countries.
  • The latest version of the agreement included 0-days, exploits, and backdoors as regulated and export-controlled “dual-use” technologies. Previously, the US wasn’t recognizing these most recent additions but that is all changing come later this month according to a recent Federal Register notice (pdf). The notice states that the US will be adopting changes made to the list of dual-use items made in December 2013 as of August 4th.
  • The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to brute-force web application session IDs?

The state of ZFS on Linux

  • ZFS on Linux is now “officially” production ready
  • Key ZFS data integrity features work on Linux like they do on other platforms
  • ZFS runtime stability on Linux is comparable to other filesystems, with certain exceptions
  • ZoL is at near feature parity with ZFS on other platforms.
  • ZoL does not lose data
  • Changes to the disk format are forward compatible
  • Updates are always flawless
  • Up until now, it was mostly the “on Linux” part that was in question; OpenZFS (the open source fork used in IllumOS, FreeBSD, SmartOS, and elsewhere) has been stable for many years
  • “Data loss can be defined as the occurrence of either of two events. The first is failing to store some information. The second is attempting to retrieve information that was successfully stored and getting either something else or nothing at all”
  • “The ZFS on Linux kernel driver performs the same block device operations as its counterparts on other platforms. As a consequence, its ability to ensure data integrity is equivalent to its counterparts on other platforms and this ability far exceeds that of any other Linux filesystem for direct attached storage”
  • ZoL is missing 9 of the newest features in OpenZFS, including LZ4 compression, Spacemap histograms (speed improvements under heavy fragmentation), Feature Flag enabled TXG (support for rolling back an upgrade), Hole Birth (improved replication performance) and ZFS Bookmarks (resumable zfs send/recv)
  • Also, there are 9 other features missing from ZoL, including integration for iSCSI (also missing on FreeBSD, as until recently FreeBSD did not have a kernel iSCSI target daemon), Integration with Containers (Linux doesn’t really have a feature similar to Solaris Zones or FreeBSD Jails), Boot Loader integration, etc.
  • “The current release is 0.6.3 and the next release will be 0.6.4 later this year. The plan is to continue performing 0.6.x releases with distribution maintainers doing backports until the /dev/zfs ioctl interface is stabilized. At that point, the project will release 1.0. New releases will be 1.x while 1.x.y maintenance releases will be done to back port fixes like is done by the Linux kernel stable maintainers”
