Show Notes: podcast.asknoahshow.com/84

The post Better Than Google Titan | Ask Noah 84 first appeared on Jupiter Broadcasting.

LinkedIn password dump strikes Mark Zuckerberg & Google Two Factor authenticator users & others. We round it all up. Plus some of the new security features coming to Android N, the era of backpack PC’s is here & what the heck is going on with Nest?

Plus our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Links

• Mark Zuckerberg’s Twitter and Pinterest accounts hacked, LinkedIn password dump likely to blame
• Nest’s time at Alphabet: A “virtually unlimited budget” with no results
• How Android N addresses security
• Need to bypass Google’s two-factor authentication? Send a text message
• Are backpack VR PCs really a thing now? MSI, Zotac and HP think so
• Superyacht is converted from supply ship – Tech Insider

Kickstater of the week

• Portal: Turbocharged WiFi by Ignition Design Labs — Kickstarter

The post Zuckerpunched | TTT 247 first appeared on Jupiter Broadcasting.

A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized power power presentation. No, I’m not kidding. The details are fascinating.

Old ATMs become more and more of a target & it’s not because of Windows XP, and great big batch of your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

• Krebs describes the growing trend in ATM “Jackpotting”
• Formerly, the most common attack against ATMs was skimming, installing small physical devices to read the card data and capture the PIN of victims who use the ATM, and then creating fake cards to empty the victims’ accounts
• The new trend, installing Malware on the computer that operates ATM, allows the attackers to drain all of the cash out of the ATM, without requiring compromised accounts with large balances
• The fraud is harder to detect because money does not go missing from bank accounts in real time, the theft may not be discovered until the ATM is emptied and stops dispensing cash
• Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, that might tip the bank off to the fact that the ATM is infected
• “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
• In an Interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
• More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
• Most of the attacks involve physically assaulting the ATM, removing the top of front casing to access the standard PC inside, and then infecting the machine via CD or USB stick
• “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
• When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
• It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
• “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

• “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
• This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
• The vulnerability exploits a flaw in the Microsoft OLE functionality
• It allows a PowerPoint or other office document to have an embedded file, or to embed and external untrusted resource
• This can cause remote code execution, allowing the attacker to run any code they wish as the user who is opening the document
• In the case of at least on attack, the embedded file was a .inf that then installed malware on the system
• Many users still run with administrative rights, giving the malware full control of the target system
• iSight Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusions teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
• “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
• Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
• Researcher Post
• Technical Analysis by HP Security Research
• Additional Coverage – ZDNet
• Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

• Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
• The attack was demonstrated at Black Hat Europe last week in Amsterdam
• The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
• Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
• Thus, the malicious app remains hidden from reverse engineering, anti-virus, and the Google Bouncer, so can be listed in the Google Play Store
• “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
• Work was inspired by a previous exploit, Android/Gamex.A!tr that hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but if XOR’s with a key (18), it was also a valid .zip file containing a malware payload
• It turns out that .zip files do not require the header to be at the beginning of the file, so by simply concatenating a .png and a .zip file, the file will look like a valid .png, but can also be extracted as a valid .zip file
• PDF: Slides
• Example Code, Create a .PNG, .JPG, .FLV, or .PDF
• PDF: Paper

Feedback:

• Embed Browser For Steam

• Cheap NAS/Media Server

• Patch & System Management .:. Especially with all these recent bugs!

• Central Firewall Management

• But is it really your job to point out other peoples security issues?

• ZFS lag

• Windows Explorer and SMB Traffic – Ask the Performance Team – Site Home – TechNet Blogs

Round Up:

• Disney rendered its new animated film on a 55,000-core supercomputer
• Cisco finally fixed telnet bug from 2011 in Web Security Appliance, Email Security Appliance and Content Security Management Appliance
• Google’s 2-Step Verification Now Supports FIDO “Universal 2nd Factor” Open Standard
• Ironic: Publisher of Brian Krebs’ book discloses credit card breach in online shopping cart
• Hungary plans new tax on Internet traffic, public calls for rally
• MongoDB Advisory: Using MongoDB on Linux on top of VMWare may cause namespace files to be improperly zeroed, resulting in left over data that when read later is interpreted as a corrupt namespace, rather than the expected empty space. Patch resolves issue by manually zeroing the file rather than using the kernel facility to zero the entire file
• T-Mobile to upgrade US Cellular network 2G encryption from A5/1 to A5/3 to make surveillance harder. Made similar changes in Germany last year after NSA revelations
• Week old Flash vulnerability already included in 2 major Exploit kits, being deployed on legitimate infected sites throughout the Internet
• Kickstarter Freezes Anonabox Privacy Router Project for Misleading Funders
• Samsung acknowledges flaw in EVO 840 SSDs, issues Firmware update and “Data Migration Software” that re-writes data on the SSD to ‘refresh’ it, making reads faster again
• South Korea to rebuilt national ID system after a series of data breaches since 2004 have left 80% of the country exposed to identity theft. Many similar mistakes to US ID system, overuse across different sectors made the single ID number a ‘master key’ to a persons Identity, Inability to get a new ID number left victims with no recourse, and the ID numbers are based on date of birth and sex. Also, the government required the use of Microsoft ActiveX to provide digital signatures when interacting with banks and the government online

The post Weaponized PowerPoint | TechSNAP 185 first appeared on Jupiter Broadcasting.

Apple outlines the immediate improvements to iCloud security they’ll be making but the core issues are still rotting. Facebook is killing your cell & why we can’t wait to buy our NSA Nanny Cam!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Tim Cook: Apple to Add Security Alerts for iCloud Users, Broaden Two-Factor Authentication – Mac Rumors

Apple will add security alerts for iCloud users, broaden two-factor authentication and make a more aggressive effort to alert users about protecting their accounts, Apple CEO Tim Cook told the Wall Street Journal in his first interview since the recent hacking incident involving celebrities’ iCloud accounts.

To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for or restoring iCloud data.

Cook said the new notifications will begin in two weeks and will allow users to take action on potential hacking immediately, allowing them to either change the password to retake the account or alerting Apple’s security team. Cook echoed Apple’s previous press release on the hackings, stressing that the best prevention for future incidents are more human than technological.

Exclusive aerial footage of Apple’s mysterious white box next to ‘iPhone 6’ event site

The large white structure is being erected next to the Flint Center for the Performing Arts in Cupertino, Calif.

The included photos and video were captured by a DJI Phantom 2 Vision+ drone, offering a unique perspective on the mystery building.

Apple hasn’t used the Cupertino Flint Center venue for introducing new products since the late 1990s. The space is notable in Apple’s history for serving as the first public introduction of the Macintosh in 1984.

[DARPA Develops Implants that Treat Diseases and Depression Without Medication

](https://www.extremetech.com/extreme/188908-darpas-tiny-implants-will-hook-directly-into-your-nervous-system-treat-diseases-and-depression-without-medication)

DARPA, on the back of the US government’s BRAIN program, has begun the development of tiny electronic implants that interface directly with your nervous system and can directly control and regulate many different diseases and chronic conditions, such as arthritis, PTSD, inflammatory bowel diseases (Crohn’s disease), and depression. The program, called ElectRx (pronounced ‘electrics’), ultimately aims to replace medication with “closed-loop” neural implants, which constantly assess the state of your health, and then provide the necessary nerve stimulation to keep your various organs and biological systems functioning properly.

The ElectRx program will focus on a fairly new area of medical therapies called neuromodulation. As the name implies, neuromodulation is all about modulating your nervous system, to improve or fix an underlying problem. Notable examples of neuromodulation are cochlear implants, which restore hearing by directly modulating your brain’s auditory nerve system, and deep brain stimulation (DBS), which appears to be capable of curing/regulating various conditions (depression, Parkinson’s) by overriding erroneous neural spikes with regulated, healthy stimulation.

Facebook’s autoplay video feature is destroying cell phone bills – Sep. 3, 2014

Smartphone users could be at risk of maxing out their data plans if they don’t change this default setting in the Facebook app, which otherwise will automatically start streaming videos in the News Feed window.

The issue was flagged by consumer finance site MoneySavingExpert.com, which said it had “seen many complaints from people who have been stung with data bills after exceeding their monthly allowance and who believe it to be because of Facebook autoplaying videos.”

A Smart Nanny Cam With Facial Recognition and Air Pollution Sensors

It’s a nanny cam with upgraded intelligence: Not only can it send images to your phone via an app, it can also serve as a autonomous sentry, alerting you to strange activity in the house thanks to facial recognition and air-quality sensors.

It supplies users with a live, high-definition video feed of their house. The white-and-wood device—it almost looks like a little candle for your mantel—has a 135-degree viewing angle on the room it’s in, night vision, and two-way audio.

Likewise, for audio, Withings has programmed the device to discern between, say, a baby crying and a motorcycle engine. Whenever something is a awry, users get a push notification on their phone. If the user chooses to view the notification later, it gets saved in a timeline. (How far back the timeline goes will be based on a pay-for-space subscription model.)

These clever systems for detecting abnormalities also work with the Home’s air quality sensors. These pick up on volatile organic compounds, or harmful gases often released by cleaning products or building materials. When the Home alerts users about harmful chemicals, it also points out the likely culprit.

This allows you to isolate a problem area of the house.

Borderlands 2 Also Looks Like It’s Coming To Linux, UPDATE: Confirmed | GamingOnLinux

Michael Blair, Aspyr Media: Yes! BL2 Linux is absolutely real! We’ve been working hard on it for months and will talk about a release date as soon as possible.

• Borderlands 2 · AppID: 49520 · Steam Database

The post Facebook Lobotomy | Tech Talk Today 53 first appeared on Jupiter Broadcasting.

Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.

Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash

• The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
• Original post at Hold Security
• “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
• The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
• “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
• Because of the varied sources of the data, the passwords are likely a combination of plain text, simple hashes (md5, sha1, sha256), esoteric hashes like md5(salt.password.salt) or md5(salt.md5(password)) etc, and proper cryptographic hashes
• Original Coverage from 6 months ago
• Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
• Krebs has a Q&A on the subject, based on his past working with Alex Holden, or Holden Security
• There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
• Sophos and others still have questions about the data from CyberVor
• While still under construction, there is a individual version of the service that will allow you to find out if your electronic identity was found in possession of the CyberVor gang, which will be provided free for the first 30 days
• This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
• The issue with this is that if a compromised site used proper cryptographic hashes, the only way to compare the passwords without knowing your original password in plain text, is to brute force the hash and return it to the plain text. If Hold Security had your plain text password, they could compare it to the database much more quickly and accurately, but it would then lead them to being a bigger security threat than the exposure of the hashed passwords
• Additional Coverage: Forbes

PayPal 2 factor authentication contained simple bypass used for linking ebay account

• While investigating the usefulness of the PayPal 2 Factor Authentication system, a security researcher (Joshua Rogers) was astonished to find a simple by pass
• PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
• This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
• By using “cmd=_integrated-registration” in the request, PayPal skips asking for any two factor authentication, allowing an attacker that knows your username and password to access your account without requiring the second factor
• The exploit can be used without needing to have an affiliated eBay account
• The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
• After two months the issue has not been resolved, so the researcher released his findings
• It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researchers eligibility for the bug bounty reward

SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom

• New malware has serviced that has been targeting Synology NAS appliances exposed to the Internet
• Users will be greeted by a screen telling them that the files on their NAS have been encrypted, and directing them to use tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
• It was not immediately clear how the NAS devices were being compromised
• Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
• Users are encouraged to upgrade to the latest DSM 5.0 or:
• For DSM 4.3, please install DSM 4.3-3827 or later
• For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
• For DSM 4.0, please install DSM 4.0-2259 or later
• If you suspect you have been affected by this, Synology recommends following these steps:
  1. Shutdown the Synology NAS to prevent any more files being encrypted
  2. Contact the Synology support team at security@synology.com or fill out the support form
• Users whose files have already been encrypted may not be out of luck, yesterday a new service launched that can decrypt files locked by CryptoLocker similar malware that targetted Windows

Feedback:

• DNSsec and DANE

• LastPass Trick

• USB 3 faster then HDD 7200rpm

• cruelfate comments on “Kreb’s Law”

• ZM-VE300-B 2.5″ SATA USB 3.0 External HDD Enclosure

Round Up:

• PFChangs posts update about security breach
• Microsoft blocks older versions of Skype, leaving customers using older versions of OS X without a version they can install. Linux users also need to upgrade to 4.3.0 or higher in order to connect
• Mozilla accidently discloses email addresses of 76,000 members of the Mozilla Developers Network, as well as 4000 hashes passwords. The email and password columns were supposed to be sanitized from the database before it was disclosed, but for a period of approximately 30 days this was not happening correctly
• Dan Geer @ Blackhat – Cybersecurity as Realpolitik
  
• CIA infosec guru: US govt must buy all zero-days and set them free
• US State Department Passport database (largest known Oracle database in the world) suffers outage, “crashed shortly after maintenance was performed. We believe the root cause of the problem was a combination of software optimization and hardware compatibility issues.”
• David Litchfield @ Blackhat: Oracle Database Redaction service is trivial to bypass
• Catherine Pearce and Patrick Thomas @ Blackhat: Multipath TCP may leave security appliances blind to new types of attacks
• The FinFisher spyware used by governments, cannot intercept calls from the Metro version of Skype
• Docker does not provide security, stop assuming it does

The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.

It’s great to be a malware author, if your selling to the government, Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!

Thanks to:

— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

• Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
• The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
• “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
• Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
• The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
• The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
• After modifying that flag, it was found that the client could login, and transfer funds
• The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
• Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
• “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
• It is not clear how large the bug bounty on this vulnerability will be

“Hacking Team”

• “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
• They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
• The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
• The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
• In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
• The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
• It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
• “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
• The malware produced by Hacking Team has evolved to include modern malware for mobile phones
• Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
• On a jail broken iOS device, the malware has the following features:
• Control of Wi-Fi, GPS, GPRS
• Recording voice
• E-mail, SMS, MMS
• Listing files
• Cookies
• Visited URLs and Cached web pages
• Address book and Call history
• Notes and Calendar
• Clipboard
• List of apps
• SIM change
• Live microphone
• Camera shots
• Support chats, WhatsApp, Skype, Viber
• Log keystrokes from all apps and screens via libinjection
• The Android version is heavily obfuscated, but it appears to target these specific applications:
• com.tencent.mm
• com.google.android.gm
• android.calendar
• com.facebook
• jp.naver.line.android
• com.google.android.talk
• The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, that merely requires LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
• Additional Coverage – ThreatPost
• Additional Coverage – SecureList
• Additional Coverage – SecureList – Original article on HackingTeam from April 2013

Feedback:

• What is the point of SUDO?
  • SUDO Mastery

• Sending E-mail from a server

• How To Install and Setup Postfix on Ubuntu 14.04 | DigitalOcean

• How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssasin | DigitalOcean

• Securing data in a database with GnuPG or OpenSSL

Round Up:

• Google Starts Removing Search Results Under Europe’s ‘Right to be Forgotten’
• Malware authors targeting vendors of legitimate apps as new infection vector. By hacking the websites of legitimate applications used by plants that also employ ICS (Industrial Control Systems), such as power plants, they gain a way to get a foothold in secure networks.
• Nation States implicated in two airports hacked with spear-phishing emails
• Yeah, I trust that ATM, looks totally legit
• Intel offering x86 based robot kits designed to be augmented with 3d printed parts
• MIT researchers unveil 36 core ‘tile’ processor that uses a routed network to move data between cores
• Red Hat Assistant General Counsel posts analysis of Supreme Court’s patent ruling
• Intuit defeats patent troll that bested NewEgg, may finally put an end to the SSL+RC4 trials

The post Big Brother's Malware | TechSNAP 169 first appeared on Jupiter Broadcasting.

We\’re back from AsiaBSDCon! This week we\’ll be chatting with Gleb Kurtsou about some a filesystem-level encryption utility called PEFS. After that, we\’ll give you a step by step guide on how to actually use it. There\’s also the usual round of your questions and we\’ve got a lot of news to catch up on, so stay tuned to BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

AsiaBSDCon wrap-up chat

• bhyvecon Tokyo videos and slides

Headlines

Using OpenSSH Certificate Authentication

• SSH has a not-so-often-talked-about authentication option in addition to passwords and keys: certificates – you can add certificates to any current authentication method you\’re using
• They\’re not really that complex, there just isn\’t a lot of documentation on how to use them – this post tries to solve that
• There\’s the benefit of not needing a known_hosts file or authorized_users file anymore
• The post goes into a fair amount of detail about the differences, advantages and implications of using certificates for authentication

Back to FreeBSD, a new series

• Similar to the \”FreeBSD Challenge\” blog series, one of our listeners will be writing about his switching BACK to FreeBSD journey
• \”So, a long time ago, I had a box which was running FreeBSD 4, running on a Pentium. 14 years later, I have decided to get back into FreeBSD, now at FreeBSD 10\”
• He\’s starting off with PCBSD since it\’s easy to get working with dual graphics
• Should be a fun series to follow!

OpenBSD\’s recent experiments in package building

• If you\’ll remember back to our poudriere tutorial, it lets you build FreeBSD binary packages in bulk – OpenBSD\’s version is called dpb
• Marc Espie recently got some monster machines in russia to play with to help improve scaling of dpb on high end hardware
• This article goes through some of his findings and plans for future versions that increase performance
• We\’ll be showing a tutorial of dpb on the show in a few weeks

Securing FreeBSD with 2FA

• So maybe you\’ve set up two-factor authentication with gmail or twitter, but have you done it with your BSD box?
• This post walks us through the process of locking down an ssh server with 2FA
• With just a mobile phone and a few extra tools, you can enable two-factor auth on your BSD box and have just that little extra bit of protections

Interview – Gleb Kurtsou – gleb.kurtsou@gmail.com

PEFS

Tutorial

Filesystem-based encryption with PEFS

News Roundup

BSDCan 2014 registration

• Registration is finally open!
• The prices are available along with a full list of presentations
• Tutorial sessions for various topics as well
• You have to go

Big changes for OpenBSD 5.6

• Although 5.5 was just frozen and the release process has started, 5.6 is already looking promising
• OpenBSD has, for a long time, included a heavily-patched version of Apache based on 1.3
• They\’ve also imported nginx into base a few years ago, but now have finally removed Apache
• Sendmail is also no longer the default MTA, OpenSMTPD is the new default
• Will BIND be removed next? Maybe so
• They\’ve also discontinued the hp300, mvme68k and mvme88k ports

Getting to know your portmgr lurkers

• The \”getting to know your portmgr\” series makes its return
• This time we get to talk with danfe@ (probably most known for being the nVidia driver maintainer, but he does a lot with ports)
• How he got into FreeBSD? He \”wanted a unix system that I could understand and that would not get bloated as time goes by\”
• Mentions why he\’s still heavily involved with the project and lots more

PCBSD weekly digest

• Work has started to port Pulseaudio to PCBSD 10.01 (why?)
• There\’s a new \”pc-mixer\” utility being worked on for sound management as well
• New PBIs, GNOME/Mate updates, Life Preserver fixes and a lot more
• PCBSD 10.0.1 was released too

Feedback/Questions

• Alex writes in
• Ben writes in
• Nick writes in
• Sami writes in
• Christopher writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• The pkgng, ZFS, OpenBSD router and FreeBSD desktop tutorials have gotten some updates and fixes
• If you were using the automatic errata checking script in the router tutorial, you need to redownload the new, fixed version (they rearranged some stuff on the website and broke it)
• A few weeks\’ worth of new tutorials were uploaded ahead of time for the benefit of everyone, no point in holding them hostage – go check \’em all out
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Dusko, the winner of our tutorial contest, sent us a picture with his awesome FreeBSD pillow!

The post P.E.F.S. | BSD 29 first appeared on Jupiter Broadcasting.

We chat with Dan at the Mozilla about his work on the Persona project, and how Mozilla offers developers a neutral platform for effective authentication.

Plus our thoughts on what’s troubling the Ubuntu Edge project, a batch of your questions, and much more!

Thanks to:

GoDaddy.com Use our code coder249 to get a .COM for $2.49.
UnitySync Visit dirwiz.com/unitysync use code coder for an extended trial and a year of maintenance.
Ting.com Visit coderradio.ting.com to save $25 off your device or service credits.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Feedback

• Dani\’s email: How can I follow my passion when my \’professional\’ experience is elsewhere
• Lennon\’s Email: Over worked
• Thanks for Fizzing my Buzz!
• Chris and his in-app purchase habbit

Persona

• Mozilla Persona — simple sign-in with email

At Mozilla, we believe that your online life is your business. With that in mind, we created Persona to make it easier to sign in to websites.

Persona allows you to sign in to sites using any of your existing email addresses; and if you use Yahoo! or Gmail for email, you will be able to sign in without having to create a new password.

• Mozilla Persona: A Better Way to Sign In

Connect with Mozilla Persona, the safest & easiest way to sign in.

• Home – Mozilla Webmaker
  > We\’re a global community that creates the web by making, teaching and remixing. Check out this week\’s most inspiring Makes and sign up to create your own.

Follow the show

• Email the show
• Join the Coder Radio Subreddit
• Live Monday 9am PST
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post Mozilla Persona | CR 63 first appeared on Jupiter Broadcasting.

We\’ll cover Dropbox’s two-factor authentication flaw, how “Team Telecom” forced fibre providers to enable surveillance, the FBI’s warning about phishing attacks.

A great big batch of your questions our answers, and much much more!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! Get private registration FOR FREE with a .COM! code: free5
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Mentioned this Episode:

[asa]0312605536[/asa]
[asa]0307279391[/asa]
[asa]B000BKUSS8[/asa]

Dropbox flaw allows attackers to circumvent two-factor authentication

• If an attacker is able to get the username and password for your dropbox account, they can access your account even if you have enabled two-factor authentication
• Dropbox does not verify the email address used to signup for a new account, because of this, the attacker can signup for a new account with your email address and just append a dot to the end of the domain name
• Login to this new account and enable 2 factor authentication
• Save the ‘emergency override code’, used in case you lose your phone
• Logout and login to the victim account, when prompted for the one-time password, click “I lost my phone”
• Enter the emergency override code (it is the same for both accounts)
• It is not clear why having the dot at the end of the email (valid) is enough to make the account unique, but does not make the override code unique

US Government established “Team Telecom” to force foreign owned fibre providers to allow the government access to the data transitting them

• In 2003 the “Network Security Agreement” was signed between the US Government and Global Crossing, one of the largest internet transit providers, connecting 200 major cities in 27 nations on four continents
• “In months of private talks, the team of lawyers from the FBI and the departments of Defense, Justice and Homeland Security demanded that the company maintain what amounted to an internal corporate cell of American citizens with government clearances”
• The FCC would hold up approval of cable licenses until such agreements were in place
• The agreements required the transit providers to maintain a “Network Operations Center” (NOC) on U.S. soil. This NOC must be staffed with U.S. citizens pre-screened by the government and operating under gag orders, preventing the employees for sharing the information even with their bosses.
• Originally a US company, Global Crossing filed for Chapter 11 bankruptcy protection in 2002
• A deal was setup where a partnership between Singapore Technologies Telemedia and Hong Kong-based Hutchison Whampoa would buy Global Crossing
• The Hong Kong side of the partnership was pressured by the US Government and eventually withdrew. The US was worried that the Chinese Government would gain access to the US’s surveillance requests
• Singapore Technologies Telemedia eventually agreed to buy the majority stake in Global Crossing and that half of the new board of directors would consist of American citizens with security clearances
• This agreement has been used as a template for other foreign owned telcos and applied as foreign investors bought existing telcos from US investors
• In 2011 Global Crossing was sold to US Telecom giant Level3, however ST Telemedia maintained a minority stake, resulting in another round of review by “Team Telecom”
• A spokesman for Level 3 Communications declined to comment for this article
• Tapping undersea cables has been a key component of US intelligence collection since WWII, the US Navy used to have a number of submarines specifically outfitted for tapping undersea copper phone lines to listen to sensitive traffic in the Soviet Union
• Infographic

FBI issues formal warning about targetted spear phishing

• Many of the very large compromises that we have covered lately were made possible by the attacker establishing an initial beachhead on a single machine, via spear phishing
• The compromises at The Onion and the Financial Times were both explained in detail after the fact and showed just how much damage an attacker can do once they get inside the network, and how easily they can get inside the network with spear phishing
• Many in the defense and aerospace industries have been targeted by highly sophisticated spear phishing campaigns, including professionally produced .pdf flyers for fake conferences that took advantage of flaws in Adobe Acrobat to infect the system
• According to research by AV vendor Trend Micro, 91% of all targeted attacks involved spear phishing in the initial phases
• Training firm PhishMe says their clients usually start at around 60% susceptibility, but training reduces this to single digits
• The PhiseMe system works by sending your users different types of phishing emails, including links, attachments, etc
• When the user falls for the phishing attempt, they are redirected to training pages, teaching them what they did wrong
• Enhanced versions will even disguise themselves to look like your company\’s page, and prompt users to enter sensitive information. If they do, they are admonished and given further training
• This type of ongoing proactive training seems like the only real way to increase security, because typical training does not seem to work

MIT Media lab rolls out ‘Immersion’ tool to allow you to visualize your email metadata

• Logs in to your gmail via OAuth
• Looks at only the headers (To, From, CC, and timestamp)
• Builds a visualization of your ‘social graph’
• After you view the report, you have the option to allow them to save it, or ask them to erase it
• If you save a snapshot of your social graph, it is automatically deleted after 30 days

Feedback:

• Don’t mount an iSCSI device in two places at once

• File Server Woes

• Starting in Networking Tech?

• What happens if you get hit by a bus?

• NIC Driver Woes in FreeBSD

  • Get a different intel NIC, some of the onboard ones are less good
  • service netif restart; service routing restart

• pfSense Wifi Xtreme

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

Round Up:

• Attacker who compromised .pk domain root last year, claims to have access to Pakistan’s Federal Investigation Agency (FIA)’s servers that contain files on every citizen
• The problems with debugging software on mars
• Password sharing compromises 24,000 nintendo accounts – More than 15 million login attempts were made, but only those accounts that had a common password with some other unknown (likely related) service were compromised
• 911 dispatch system in Detroit goes down, backup does not kick in. Apparently the backup had not been tested in over 2 years
• Federal Judge rejects “states secrets” claim, allows EFF case against illegal surveillance (originally filed against the GW Bush administration) to proceed
• Root SSH key for Emergency Broadcasting Systems compromised
• Audit finds US Economic Development Administration destroyed hardware after minor malware infection, including uninfected systems, printers, cameras and mice
• Team of famous security researchers write amicus brief in defense of weev in his trial against AT&T for accessing data they accidently placed on their public website
• Android master key vulnerability checker now online
• ARM’s response to high efficency – lower power: one chip for each, use as needed
• PirateBay founder brokep starts encrypted messaging service
• PC-BSD Now Uses a CDN

The post Phish and Chips | TechSNAP 118 first appeared on Jupiter Broadcasting.

Oracle patches 128 vulnerabilities, you won’t believe how many of them are critical.

Plus how twitter can solve their hacking problem, ZFS questions galore, and much much more!

On this week’s TechSNAP.

Thanks to:

GoDaddy.com Use our code tech295 to score .COM for $2.95! 35% off your ENTIRE first order just use our code go35off4 until the end of the month!

Support the Show: