VM – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 16 May 2022 02:51:02 +0000

NVIDIA’s New View | LINUX Unplugged 458 https://original.jupiterbroadcasting.net/148607/nvidias-new-view-linux-unplugged-458/ Sun, 15 May 2022 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=148607 Show Notes: linuxunplugged.com/458

The post NVIDIA's New View | LINUX Unplugged 458 first appeared on Jupiter Broadcasting.

Automated Chaos | LINUX Unplugged 457 https://original.jupiterbroadcasting.net/148522/automated-chaos-linux-unplugged-457/ Sun, 08 May 2022 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=148522 Show Notes: linuxunplugged.com/457

The post Automated Chaos | LINUX Unplugged 457 first appeared on Jupiter Broadcasting.

Linux Action News 178 https://original.jupiterbroadcasting.net/144367/linux-action-news-178/ Sun, 28 Feb 2021 15:00:00 +0000 https://original.jupiterbroadcasting.net/?p=144367 Show Notes: linuxactionnews.com/178

The post Linux Action News 178 first appeared on Jupiter Broadcasting.

Tails + Virtualization | Choose Linux 25 https://original.jupiterbroadcasting.net/138132/tails-virtualization-choose-linux-25/ Thu, 26 Dec 2019 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=138132 Show Notes: chooselinux.show/25

The post Tails + Virtualization | Choose Linux 25 first appeared on Jupiter Broadcasting.

Swap that Space | BSD Now 314 https://original.jupiterbroadcasting.net/133992/swap-that-space-bsd-now-314/ Wed, 04 Sep 2019 19:00:20 +0000 https://original.jupiterbroadcasting.net/?p=133992 Show Notes/Links: https://www.bsdnow.tv/314

The post Swap that Space | BSD Now 314 first appeared on Jupiter Broadcasting.

Prospering with Vulkan | BSD Now 304 https://original.jupiterbroadcasting.net/132396/prospering-with-vulkan-bsd-now-304/ Wed, 26 Jun 2019 23:45:12 +0000 https://original.jupiterbroadcasting.net/?p=132396 Show Notes/Links: https://www.bsdnow.tv/304

The post Prospering with Vulkan | BSD Now 304 first appeared on Jupiter Broadcasting.

Community Night! | Ask Noah Show 95 https://original.jupiterbroadcasting.net/127896/community-night-ask-noah-show-95/ Fri, 02 Nov 2018 20:15:11 +0000 https://original.jupiterbroadcasting.net/?p=127896 Show Notes: podcast.asknoahshow.com/95

The post Community Night! | Ask Noah Show 95 first appeared on Jupiter Broadcasting.

Linux Action News 72 https://original.jupiterbroadcasting.net/127261/linux-action-news-72/ Sun, 23 Sep 2018 16:01:12 +0000 https://original.jupiterbroadcasting.net/?p=127261 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links: linuxactionnews.com/72

The post Linux Action News 72 first appeared on Jupiter Broadcasting.

Popping the OS | User Error 15 https://original.jupiterbroadcasting.net/116276/popping-the-os-user-error-15/ Sat, 01 Jul 2017 13:00:24 +0000 https://original.jupiterbroadcasting.net/?p=116276 RSS Feeds: MP3 Feed | Video Feed | iTunes Feed Become a supporter on Patreon: Links System76 Announce Their Own Linux Distribution called Pop!_OS (Updated) – OMG! Ubuntu! Pop!_OS by System76 Twitch Affiliate Twitch Affiliate Program launches today! First invites going out… Twitch | Joining the Affiliate Program Update: As of June 28 at 11am […]

The post Popping the OS | User Error 15 first appeared on Jupiter Broadcasting.

Day-0 of an InfoSec Career | TechSNAP 209 https://original.jupiterbroadcasting.net/80277/day-0-of-an-infosec-career-techsnap-209/ Thu, 09 Apr 2015 19:57:13 +0000 https://original.jupiterbroadcasting.net/?p=80277 Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to Build a successful Information Security career. Plus a great batch of your questions, a rocking round up, and much, much more! Thanks to: Get Paid to Write […]

The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.


— Show Notes: —

How to make secret phone calls

  • “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
  • “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
  • The article sets out the steps required to conduct untraceable phone calls
  • The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
  • “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
  • Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
  • Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
  • After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
  • Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
  • Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
  • Wipe down and destroy handset.
  • “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
  • “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
  • “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
  • “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
  • “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
  • “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
  • Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
  • “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
  • Guide to creating and using One-Time Pads
  • John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

  • “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
  • “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP range owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.”
  • “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
  • “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
  • Level 3 then worked to block the malicious traffic
  • “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
  • “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before a DDoS Rootkit.”
  • “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
  • “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
  • Remote root login should never be allowed anyway
  • Hopefully this will send a clear message to the providers that allow these types of attackers to operate on their network. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.
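One way to verify the sshd_config hardening the advisory recommends, as an added example (not code from the show or from Cisco Talos / Level 3). It assumes OpenSSH's first-match rule for keywords and uses constructed sample configs; the weak one is the setting the root password guessing depended on, the hardened one is the corrected form.

```python
"""Check an sshd_config for the root-login hardening recommended above.

Added example, not code from the show or from Cisco Talos / Level 3.
Assumed OpenSSH semantics: the first occurrence of a keyword wins, keywords
are case-insensitive, lines starting with '#' are comments, and everything
after the first 'Match' line is conditional, so it is ignored here. The
default for an absent PermitRootLogin is supplied by the caller because it
changed from "yes" (OpenSSH before 7.0, current when this advisory was
written) to "prohibit-password" (7.0 and later).
"""
import re

# Constructed sample: the configuration the brute-forcer depends on.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed, insecure)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the corrected configuration. The PasswordAuthentication
# inside the Match block only applies to matching connections and is not a
# global override.
HARDENED_CONFIG = """\
# /etc/ssh/sshd_config (constructed, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_setting(config_text, keyword, default):
    """Return the global value sshd would use for keyword (lower-cased)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # later lines are conditional on the Match criteria
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()  # first occurrence wins
    return default


def root_login_verdict(config_text, default_permit_root="yes"):
    """Summarise how exposed the root account is to the attack described above."""
    permit_root = effective_setting(config_text, "PermitRootLogin", default_permit_root)
    password_auth = effective_setting(config_text, "PasswordAuthentication", "yes")
    # The SSHPsychos traffic was root password guessing, so it only succeeds
    # when root may log in *and* password authentication is accepted.
    # "without-password" / "prohibit-password" still allow key-based root
    # login. Keyboard-interactive (PAM) password prompts are not considered.
    return {
        "permit_root_login": permit_root,
        "password_authentication": password_auth,
        "root_password_guessable": permit_root == "yes" and password_auth == "yes",
        "root_login_possible": permit_root != "no",
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, root_login_verdict(text))
```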

How to Build a Successful Information Security Career

  • A question I often get is “how do I get into InfoSec”
  • I, not actually being an InfoSec professional and never having really worked in that space, do not have the answer
  • Luckily, someone who is in that space, finally wrote it all down
  • “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
    • So, keep watching TechSNAP
  • Basic Steps:
    • Education (Sysadmin, Networking, Development)
    • Building Your Lab (VMs, VPSs from Digital Ocean)
    • You Are Your Projects (Build something)
    • Have a Presence (Website, Blog, Twitter, etc)
    • Certifications (“Things have the value that others place on them”)
    • Networking With Others (Find a mentor, be an intern)
    • Conferences (Go to Conferences. Speak at them)
    • Mastering Professionalism (Dependability, Well Written, Good Speaker)
    • Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
    • Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
    • Becoming Guru
  • It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
  • Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

SuperFishy Mistake | TechSNAP 202 https://original.jupiterbroadcasting.net/77712/superfishy-mistake-techsnap-202/ Thu, 19 Feb 2015 17:29:59 +0000 https://original.jupiterbroadcasting.net/?p=77712 Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, we’ll break down how this is possible, the danger that still exists & more. Plus the story of a billion dollar cyber heist anyone could pull off, the Equation group, your questions, our answers & much much more! Thanks to: Get Paid to Write for […]

The post SuperFishy Mistake | TechSNAP 202 first appeared on Jupiter Broadcasting.


— Show Notes: —

APT Attack robs banks

  • A staggering APT attack has been conducted against over 100 banks in 30 countries, and has reportedly managed to steal as much as 1 billion USD.
  • “In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.”
  • While investigating, Kaspersky Labs found no malware on the ATM, just a strange VPN connection
  • Later, they were called into the bank’s headquarters, after the bank’s security officer got an alert about a connection from their domain controller to China
  • Kaspersky Video
  • “In order to infiltrate the bank’s intranet, the attackers used spear phishing emails, luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.”
  • “After obtaining control over the compromised machine, cybercriminals used it as an entry point; they probed the bank’s intranet and infected other PCs to find out which of them could be used to access critical financial systems.”
  • “That done, the criminals studied the financial tools used by the banks, using keyloggers and stealth screenshot capabilities.”
  • “Then, to wrap up the scheme, the hackers withdrew funds, defining the most convenient methods on a case-by-case basis, whether using a SWIFT transfer or creating faux bank accounts with cash withdrawn by ‘mules’ or via a remote command to an ATM.”
  • On average, it took from two to four months to drain each victim bank, starting from Day 1 of infection to cash withdrawal.
  • The oldest code that could be found related to these attacks was from August 2013
  • Additional Coverage – NY Times
  • Additional Coverage – ThreatPost
  • Additional Coverage – SecureList
  • Report PDF
  • This attack is related to the malware installed directly on ATMs that we have reported on before

Lenovo spyware installs own Root CA

  • It has been discovered that Lenovo has been shipping devices preinstalled with an advertising application called SuperFish
  • This “Visual Discovery” advertising system injects picture ads for items related to search terms into your Google search results, and other websites
  • While this is bad enough, and upsets many people, the bigger problem is how they do it
  • In order to snoop upon the search terms you are using, SuperFish must intercept your encrypted communications with Google and others
  • In order to do this, the SuperFish software installs its own SSL Root Certificate Authority into the trusted certificate store
  • This makes your machine trust every certificate signed by SuperFish
  • The proxy that SuperFish installs intercepts all of your web traffic. When it sees you trying to make a secure connection, which it would otherwise not be able to snoop on, it creates (on the fly) a new certificate for the site you are trying to visit (google.com, bankofamerica.com, whatever) and signs it with its private key
  • Now your browser trusts the authenticity of this fake certificate, so it does not issue a warning, and you are completely unaware that SuperFish is intercepting all of your communications
  • There are a number of security problems with this, including whether SuperFish signs a ‘valid’ certificate even for invalid certificates, like self-signed certificates; if it does, an attacker could trick you into going to a website and seeing it as authentic when it is not, because SuperFish has signed a fresh certificate for it
  • Worse, because of the way SuperFish works, rather than relying on the SuperFish backend infrastructure to generate these bogus certificates, SuperFish ships the private key for its fake Root CA with its software
  • Researchers at Errata Security were able to crack the password used to encrypt the private key in only 3 hours
  • The password was: komodia
  • He found it fairly easily, first using procdump to defeat the self-encryption used by SuperFish (procdump wrote out the binary as it was in memory after it had decrypted itself)
  • Next, he ran the standard Unix tool ‘strings’ on the resulting file, and found the encrypted SSL private key
  • After failed attempts to brute force it, or run a dictionary attack against it, he went back to his ‘strings’ file
  • After filtering it down to only include short all lowercase words, he used it as a dictionary, and found the password
  • Now, anyone can download the SuperFish software, extract the certificate and private key, and start signing bogus certificates for any website they wish, and every Lenovo or other machine that has the SuperFish software installed, will happily accept it as genuine
  • SuperFish CEO Adi Pinhas tells Ars that “Superfish has not been active on Lenovo laptops since December. We stand by this Lenovo statement”
  • While Lenovo and SuperFish disabled the server side component of SuperFish, which will prevent it from showing the ads, it seems that even uninstalling the SuperFish software, does not remove the trusted root certificate, leaving the users vulnerable to Man-In-the-Middle attacks
  • It is unclear why the certificate pinning feature in Google’s Chrome browser did not prevent this from working
  • Given that this same technique is popular in corporate security software, and there are also open source application proxies that can do it (OpenBSD’s relayd for one), it may be that Google had to relax their requirements to be compatible with corporate networks
  • Lenovo Forums
  • Additional Coverage – ThreatPost
  • Additional Coverage – TheNextWeb
  • Additional Coverage – TechSpot
  • Additional Coverage – ZDNet

The Equation Group — Part of the NSA?

  • Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations.
  • The group, known as the Equation Group, used two of the zero-days contained in Stuxnet before that worm employed them and has used a number of other infection methods
  • Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
  • An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.
  • The trump card for the Equation Group attackers is their ability to inject an infected machine’s hard drive firmware. This module, known only by a cryptic name – “nls_933w.dll”, essentially allows the attackers to reprogram the HDD or SSD firmware with a custom payload of their own creation.
  • One of the Equation Group’s malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
  • Additional Coverage – Ars Technica
  • Additional Coverage – ZDNet
  • Additional Coverage – Digital Munition

Hackers Go Postal | TechSNAP 188 https://original.jupiterbroadcasting.net/71477/hackers-go-postal-techsnap-188/ Thu, 13 Nov 2014 18:35:07 +0000 https://original.jupiterbroadcasting.net/?p=71477 Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches. Plus some great feedback, a rocking round-up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | […]

The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.


— Show Notes: —

Masque Attack — authentic iOS apps can be replaced by malware with ease

  • Last week we talked about new malware for OS X that infected iOS devices with malicious apps
  • Part of the problem seemed to stem from the fact that if a corporation got a certificate from Apple to sign internally developed apps for use by employees, these apps were innately trusted by all iOS devices, even those not part of the corporation who signed the application
  • While we suspected this may be a fairly major vulnerability in the architecture of iOS, it turns out that was only the tip of the iceberg
  • “In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier”
  • This means that the malicious app, signed by a random corporate certificate issued by Apple (supposedly only for internal use), can replace any application on your phone, except those directly from Apple
  • “An attacker can leverage this vulnerability both through wireless networks and USB”
  • If you install ‘new flappy bird’, or, connect your iOS device to an infected computer, a malicious charging port in some public space, or untrusted wifi, the Twitter app on your device could be replaced with one that steals the credentials for your account and tweets spam, or worse
  • “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly”
  • FireEye shared this information with Apple in July, but after the news about the WireLurker malware, which uses a very limited form of this attack (the attackers may not have realized the full extent of what they had discovered), FireEye felt it necessary to go public with the information so customers can take steps to protect themselves
  • “As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.”
  • “The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team”

USPS computer networks compromised, telecommuting VPN temporarily shutdown

  • Attackers compromised the internal network of the United States Postal Service
  • It is not clear how or where the compromise happened, although some information suggests a call center was compromised, possibly via the VPN
  • Possibly compromised information includes: Employee names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information
  • “The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information. At this time, we do not believe that potentially affected customers need to take any action as a result of this incident”
  • Additional Information
  • “VPN was identified as vulnerable to this type of intrusion and will remain unavailable as we work to make modifications to this type of remote access to our networks. When VPN is available again users will notice changes in functionality. We will have additional information about VPN in the near future”
  • I wonder if this might have been related to Heartbleed. We have had stories in the recent past about SSL based VPNs that were compromised before they could be upgraded with the Heartbleed fix, and then this access was used later on because passwords were not changed
  • “Should I change my ACE ID and password, Postal EIN or other postal passwords as a result of this incident?”
  • “At this time there is no requirement to change your ACE password or other passwords unless prompted to do so by email prompts from IT as part of the normal password change process. You will be notified if other password changes are required.”
  • Having IT email you to ask you to change your password just seems like a really bad idea. This is a great opening for a phishing campaign. If a password change is required, it should be prompted for from a more trustworthy source than email
  • After a breach, out of an abundance of caution, all passwords should be changed.

Microsoft releases patch for OLE vulnerability

  • As part of this month’s Patch Tuesday, Microsoft has released an official patch for both OLE vulnerabilities (specially crafted website, and malicious office document) used in the “Sandworm Team” attacks against NATO and other government agencies that we discussed on episode 185
  • This new patch, MS14-064 replaces the patch from October’s Patch Tuesday MS14-060
  • Microsoft – November Patch Update Summary
  • Microsoft Advisory – MS14-064
  • Microsoft Advisory – MS14-070 – Local user remote code execution via vulnerability in Windows TCP/IP stack
  • Also included was a cumulative patch for Internet Explorer, however this patch breaks compatibility with EMET (Enhanced Mitigation Experience Toolkit) 5.0, and customers are instructed to upgrade to EMET 5.1 before upgrading IE
  • “If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation”
  • “Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections”
  • “MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution”
  • The previous patch for the OLE vulnerability merely marked files that came from the Internet as untrusted. However, there are a number of ways around this, some of which may already be in use by attackers
  • McAfee Labs – Bypassing Microsofts Patch for Sandworm Zero Day
  • In addition, Microsoft's ‘workaround’ for the flaw, marking the file as untrusted, only applies when you try to ‘execute’ the file. If you right-click the file and open it for ‘editing’, or open it from within an application, the untrusted flag is never checked
  • McAfee also found samples in the wild that ran the untrusted file as administrator, which only pops up the standard ‘run this program as admin?’ UAC prompt (and only if UAC is not disabled), and never shows the ‘this file is not trusted’ prompt

Feedback:


Round Up:


The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

9 Days to Patch | TechSNAP 172 https://original.jupiterbroadcasting.net/63062/9-days-to-patch-techsnap-172/ Thu, 24 Jul 2014 18:23:38 +0000 https://original.jupiterbroadcasting.net/?p=63062 A comprehensive study shows that you’re probably taking way too long to patch your box. Plus research on possible iOS backdoors, TOR’s nasty bug, your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent […]

The post 9 Days to Patch | TechSNAP 172 first appeared on Jupiter Broadcasting.


A comprehensive study shows that you’re probably taking way too long to patch your box.

Plus research on possible iOS backdoors, Tor's nasty bug, your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Qualys releases “The Laws of Vulnerabilities 2.0”

  • Qualys, known for the SSL Labs site where you can test the encryption capabilities of your browser and web server, has released a new version of their “laws”
  • Qualys sells an “on demand vulnerability management solution” that continuously monitors a network's perimeter and scans servers for vulnerable versions of software and services
  • Using the data they have collected, they did a statistical analysis and came up with some basic laws that cover the “vulnerability half-life, prevalence, persistence and exploitation trends for five critical industry segments including Finance, Healthcare, Retail, Manufacturing and Services.”
  • The average system remains vulnerable for 30 days. The Services sector usually patched within 21 days, whereas Manufacturing usually took 51 days
  • The most popular vulnerabilities are regularly replaced, leaving some systems almost continuously vulnerable
  • “the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed.”
  • “Eighty percent of vulnerability exploits are now available within single digit days after the vulnerabilities public release. In 2008, Qualys Labs logged 56 vulnerabilities with zero-day exploits, including the RPC vulnerability that produced Conficker. In 2009, the first vulnerability released by Microsoft, MS09-001 had an exploit available within seven days. Microsoft’s April Patch Tuesday included known exploits for over 47 percent of the published vulnerabilities. This law had the most drastic change from the Laws 1.0 in 2004, which provided a comfortable 60 days as guidance”
  • Compared to the past, installing updates in a timely fashion is even more important. The old 60-day window is gone
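To make the half-life and time-to-patch figures above concrete, here is an added example (not Qualys' code or data) that computes them from a constructed scan history. Each row is one finding: the scan date that first reported a vulnerability on a host and the scan date that first saw it gone, with None meaning still open as of the report date. The sector names, hosts, vulnerability IDs and dates are made up; the half-life definition follows the Laws' wording (days until half of the affected systems are fixed), so still-open findings count in the denominator and a half-life is undefined while most findings remain open.

```python
"""Time-to-remediate metrics in the style of the Qualys 'Laws' (added example)."""
from datetime import date
from statistics import median

# Constructed sample data: (sector, host, vuln, first_seen, fixed-or-None)
FINDINGS = [
    ("services", "web01", "V-1", date(2014, 6, 1), date(2014, 6, 10)),
    ("services", "web02", "V-1", date(2014, 6, 1), date(2014, 6, 22)),
    ("services", "db01", "V-2", date(2014, 6, 3), date(2014, 6, 15)),
    ("services", "db01", "V-3", date(2014, 6, 3), None),
    ("manufacturing", "plc-gw", "V-1", date(2014, 6, 1), date(2014, 7, 21)),
    ("manufacturing", "hmi01", "V-1", date(2014, 6, 1), date(2014, 7, 22)),
    ("manufacturing", "hmi02", "V-2", date(2014, 6, 5), None),
    ("manufacturing", "scada", "V-3", date(2014, 6, 5), None),
]
AS_OF = date(2014, 7, 24)  # constructed report date


def summarize(rows, as_of=AS_OF, sla_days=30):
    """Remediation metrics for one set of findings."""
    total = len(rows)
    fix_times = sorted((fixed - seen).days for *_, seen, fixed in rows if fixed is not None)
    open_ages = [(as_of - seen).days for *_, seen, fixed in rows if fixed is None]
    # Half-life: fix time of the ceil(total/2)-th fastest fix. Open findings
    # still count toward `total`, so it is undefined while fewer than half are closed.
    k = (total + 1) // 2 - 1
    return {
        "total": total,
        "open": len(open_ages),
        "median_days_to_fix": median(fix_times) if fix_times else None,
        "half_life_days": fix_times[k] if k < len(fix_times) else None,
        "open_past_sla": sum(1 for age in open_ages if age > sla_days),
    }


def by_sector(rows, as_of=AS_OF, sla_days=30):
    """The same metrics broken down per industry segment."""
    return {s: summarize([r for r in rows if r[0] == s], as_of, sla_days)
            for s in sorted({r[0] for r in rows})}


def overdue(rows, as_of=AS_OF, sla_days=30):
    """(host, vuln, days open) for findings still open past the SLA, oldest first."""
    late = [(host, vuln, (as_of - seen).days)
            for _, host, vuln, seen, fixed in rows
            if fixed is None and (as_of - seen).days > sla_days]
    return sorted(late, key=lambda t: -t[2])


if __name__ == "__main__":
    print(summarize(FINDINGS))
    for sector, stats in by_sector(FINDINGS).items():
        print(sector, stats)
    print(overdue(FINDINGS))
```

With the sample data the Services segment reaches its half-life in 12 days and Manufacturing in 51, which is the kind of gap the report describes; the overdue list is what you would hand to the owners of the hosts that are still exposed past the 30-day mark.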

Payment Card Data Theft: Tips For Small Business

  • An article at DarkReading.com by Chris Nutt, Director of Incident Response and Malware at Mandiant, on steps small businesses can take to avoid becoming the next credit card breach
  • Things to consider when processing credit cards via a computer:
  • Does the company browse the Internet or read email on the computer used for credit card processing?
  • Is unencrypted card data transmitted through any exposed cables or over the internal network?
  • Is the card-processing software configured correctly and up-to-date?
  • Is the computer's operating system up to date? Has it been hardened?
  • Is the computer running antivirus and is it up-to-date?
  • Does the company outsource IT management and is there a remote management port open to the Internet?
  • Small businesses often have an advantage in this area: it is easier to upgrade software when there is only a single system involved, rather than a complex back-office system with multiple servers
  • Some Recommendations
    • Use a dedicated LAN (or VLAN) or use a cellular connection instead of running the payment system on the same LAN or WiFi that is used for regular business and/or used by customers
  • “Do not maintain a Payment Card Industry (PCI) environment or maintain the smallest PCI environment possible”
    • Instead, use a PCI-compliant reader such as Stripe or Square; card data should be encrypted and sent directly to the payment processor, never stored on a device
    • Never store credit card details; a service like Stripe will give you a unique token that can be used for rebilling, refunds, etc., without requiring you to store the original card details
    • “Do not outsource the maintenance of POS devices to a company that will directly access remote management ports over the Internet.”
    • “Protect the physical security of all systems that store, process, or transmit cardholder information. All security is lost if an attacker can alter or replace your equipment”
    • “Do not allow systems in your PCI environment to connect to the Internet, aside from the connections required to process card transactions or patch the system”
    • “Do not allow systems in your PCI environment to connect to any systems on your network that are not necessary for processing card transactions or patching”
  • Some possibly bad advice from the article: use a mobile device or a tablet, as they are more secure than a desktop
  • Where possible, offload the processing to a provider, it might be slightly more expensive, but it moves most of the risk to the provider, rather than you

Government Accountability Office report shows shortcomings in incident response procedures

  • GAO Report: Agencies Need to Improve Cyber Incident Response Practices
  • “Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases”
  • “For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken.”
  • “agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents government-wide. However, agencies did not demonstrate such actions for about 25 percent of incidents government-wide.”
  • “for about 77 percent of incidents government-wide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents”
  • “agencies returned their systems to an operationally ready state for about 81 percent of incidents government-wide. However, they had not consistently documented remedial actions on whether they had taken steps to prevent an incident from reoccurring. Specifically, agencies did not demonstrate that they had acted to prevent an incident from reoccurring in about 49 percent of incidents government-wide.”
  • “In another incident, an agency received a report from US-CERT indicating that login credentials at two of the agency’s components may have been compromised. When contacting the impacted components, agency incident handlers mistyped the potentially compromised credentials for one component and did not respond to an e-mail from the component requesting clarification, and failed to follow up with the second component when it did not respond to the initial alert. Despite these errors, the incident handlers closed the incident without taking further action.”
  • “In a malware incident, sensors on an agency’s network recorded an agency computer contacting an external domain known to host malicious files, and downloading a suspicious file. Incident handlers closed the ticket without recording any actions taken to contain or otherwise remediate the potential malware infection”
  • The GAO used NIST Special Publication 800-61: Computer Security Incident Handling Guide as a reference
  • FireEye, makers of an enterprise real-time threat protection platform, had some reactions to these findings:
  • “Anything less than 100% containment is essentially 0% containment”. “If a government agency fails to completely contain an intrusion, any gaps leave the adversary freedom of maneuver. He can exploit the containment failure to proliferate to other systems and remain in control of an organization’s systems.“
  • “If an adversary retains access to even one system, he can rebuild his position and retake control of the victim”
  • “If a victim fails to make the environment tougher for the adversary, the intruder will likely return using the same techniques that he utilized to first gain access.” Victims need to learn from intrusions and implement remediation
  • It is not clear from the report, but if a machine is compromised it should be reformatted rather than merely ‘cleaned’. In light of recent reports about persistent malware, the BIOS should also be reflashed before the fresh OS is installed.

Feedback:


Round Up:


Docker Shocker | TechSNAP 167 https://original.jupiterbroadcasting.net/60337/docker-shocker-techsnap-167/ Thu, 19 Jun 2014 18:24:07 +0000 https://original.jupiterbroadcasting.net/?p=60337 An exploit that leaves Docker containers leaky, who really owns your email account and one hash algorithm to rule them all. Then it’s a great batch of your questions and much, much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile […]

The post Docker Shocker | TechSNAP 167 first appeared on Jupiter Broadcasting.


An exploit that leaves Docker containers leaky, who really owns your email account and one hash algorithm to rule them all.

Then it’s a great batch of your questions and much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Docker Linux containers spring a security leak

  • A security exploit has surfaced that can allow rogue programs to break out of Docker containers and access files on their host OS
  • The flaw has been fixed in the current Docker release
  • The flaw “Demonstrates that any given Docker image someone is asking you to run in your Docker setup can access ANY file on your host, e.g. dumping hosts /etc/shadow or other sensitive info, compromising security of the host and any other docker container is on”
  • “The proof of concept exploit relies on a kernel capability that allows a process to open any file in the host based on its inode. On most systems, the inode of the / (root) filesystem is 2. With this information and the kernel capability it is possible to walk the host’s filesystem tree until you find the object you wish to open and then extract sensitive information like passwords,” Docker explained in a blog post published after the flaw came out
  • “In earlier Docker Engine releases (pre-Docker Engine 0.12) we dropped a specific list of kernel capabilities, (a list which did not include this capability), and all other kernel capabilities were available to Docker containers. In Docker Engine 0.12 (and continuing in Docker Engine 1.0) we drop all kernel capabilities by default. Essentially, this changes our use of kernel capabilities from a blacklist to a whitelist.”
  • “Please remember, however, that at this time we don’t claim that Docker Engine out-of-the-box is suitable for containing untrusted programs with root privileges,”
  • The proof-of-concept exploit prints the host's /etc/shadow from within a Docker container
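The “kernel capability” the quote refers to is CAP_DAC_READ_SEARCH, which is what open_by_handle_at(2), the call the proof of concept used, requires. The quickest way to tell whether a container you are sitting in still has it is to read the capability masks the kernel exposes in /proc/self/status. The following is an added example, not Docker's code or the PoC: it decodes those masks into capability names (numbers taken from linux/capability.h) and reports whether the effective set still contains the dangerous bit. The two status excerpts are constructed samples, one with every capability set, the other with a whitelist-style mask that lacks CAP_DAC_READ_SEARCH and CAP_SYS_ADMIN.

```python
"""Decode Linux capability masks from /proc/<pid>/status (added example)."""
import re

# Capability numbers from linux/capability.h: bit i of a mask is capability i.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_DAC_READ_SEARCH = CAP_NAMES.index("CAP_DAC_READ_SEARCH")  # 2: needed by open_by_handle_at(2)

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_lines(status_text):
    """{'CapEff': int, ...} from the text of a /proc/<pid>/status file."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(status_text)}


def caps_in_mask(mask):
    """Names of the capabilities set in a mask (bits beyond the table as CAP_<n>)."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if (mask >> i) & 1]


def can_use_open_by_handle(status_text):
    """True if the effective set still contains CAP_DAC_READ_SEARCH."""
    eff = parse_cap_lines(status_text).get("CapEff", 0)
    return bool((eff >> CAP_DAC_READ_SEARCH) & 1)


# Constructed samples of the relevant /proc/self/status lines.
STATUS_FULL = (
    "Name:\tbash\nCapInh:\t0000003fffffffff\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
)
STATUS_RESTRICTED = (
    "Name:\tbash\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)


def live_check():
    """Run the same check on the current process (Linux only; None elsewhere)."""
    try:
        with open("/proc/self/status") as f:
            return can_use_open_by_handle(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("full", STATUS_FULL), ("restricted", STATUS_RESTRICTED)):
        eff = parse_cap_lines(text)["CapEff"]
        print(f"{label}: {len(caps_in_mask(eff))} capabilities, "
              f"open_by_handle_at possible: {can_use_open_by_handle(text)}")
    print("this process:", live_check())
```

Run it inside a container started with the engine you are auditing; a True from live_check() means the whitelist still lets a root process in the container walk the host filesystem by handle, regardless of which Docker version the release notes say fixed it.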

Generalized Secure Hashing Algorithm

  • Ted Unangst (one of the lead developers of LibreSSL, as well as OpenBSD's signify signing infrastructure and many other things) posted a thought experiment on his blog
  • How would you design an uncrackable password hashing algorithm?
  • Ted's idea: create a very large number of unique hashing algorithms, or rather a generalized hashing algorithm that takes a ‘tweak’ parameter which changes how the hash is generated
  • “Consider a hash function GSHA512, very similar to SHA512, but with slight variations on each of its constants. You could use GSHA512 #42, or GSHA512 #98765, or even GSHA512 #658743092112345678890 if there were enough variants available. 2^512 variants should be enough for anyone.”
  • Now, instead of spending a few million on one specialized SHA-512 cracking chip, an attacker (the NSA) would have to build a different cracking chip for every variant in use
  • The results?
  • “Safe to say we’ve defeated custom silicon. Nobody has a fab that can trace out millions of distinct custom circuits per second.”
  • “FPGA is finished too. Assuming you don’t melt it trying, you can’t reprogram an FPGA fast enough.”
  • “GPUs are harder. Without having tried it, my gut tells me you won’t be able to copy out the GSHA code to the GPU fast enough to make it worthwhile.”
    • “An attacker with lots of CPUs can still crack our password, but CPUs are very expensive. What if somebody could fab their own very cheap, very limited CPUs? Like a 100000 core CPU with only just enough cache to implement GSHA? Now we may be in trouble. The transistor count for GSHA is quite low, but they need to be the special high speed general purpose kind of transistor circuit. The scrypt paper notes that a CPU could be cheaper than RAM if stripped of all its extra functionality, but in practice it’s hard to calculate all the tradeoffs.”
    • “This part isn’t very practical. The idea is that a cracker would look less like a SHA512 cracker, capable only of performing one hash, and more like a typical CPU, capable of performing many hashes. Requiring the attacker to be adaptable in this way brings their costs in line with our costs. Maybe. Waves hands.”
  • Of course, to defeat custom CPUs, one could just use GSHA512 as the core of something like scrypt, which tries to defeat custom hardware by requiring a lot of memory instead
  • Example Implementation
  • “Don’t use these functions for anything but password hashing. (Don’t use them at all is even sounder advice.)”
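To show what “slight variations on each of its constants” means in practice, here is an added example in Python; it is not Ted's C implementation linked above. SHA-512's initial state and 80 round constants are the first 64 fractional bits of the square and cube roots of the first primes, so the code derives them exactly with integer arithmetic rather than hard-coding them, and variant 0 must match hashlib bit for bit. How the variant number perturbs the constants is this example's own choice (XOR into the eight state words, and XOR rotated by the round index into each round constant), not Ted's. As his post says, this is for password hashing only, where the variant number would be stored next to the salt, and in a real design it would sit inside something like scrypt.

```python
"""GSHA512: SHA-512 whose constants depend on a 512-bit variant number (added example)."""
import hashlib
import math

MASK = (1 << 64) - 1


def _primes(n):
    """First n primes, used to derive the standard constants."""
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Floor cube root of a non-negative int (integer Newton, started above the root)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# FIPS 180-4 constants: fractional bits of sqrt(p) for 8 primes, cbrt(p) for 80 primes.
_P = _primes(80)
H0_STD = [math.isqrt(p << 128) & MASK for p in _P[:8]]
K_STD = [_icbrt(p << 192) & MASK for p in _P]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def variant_constants(variant):
    """IV and round constants for GSHA512 #variant; variant 0 is plain SHA-512.
    The perturbation schedule below is this example's own assumption."""
    if not 0 <= variant < (1 << 512):
        raise ValueError("variant must fit in 512 bits")
    v = [(variant >> (64 * j)) & MASK for j in range(8)]
    h0 = [H0_STD[j] ^ v[j] for j in range(8)]
    k = [K_STD[t] ^ _rotr(v[t % 8], t % 64) for t in range(80)]
    return h0, k


def gsha512(data, variant=0):
    """64-byte digest of `data` under GSHA512 #variant."""
    h, k = variant_constants(variant)
    bitlen = len(data) * 8
    msg = data + b"\x80"
    msg += b"\x00" * ((112 - len(msg)) % 128) + bitlen.to_bytes(16, "big")
    for off in range(0, len(msg), 128):
        w = [int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "big") for i in range(16)]
        for t in range(16, 80):  # message schedule
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):  # compression rounds
            t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
                  + ((e & f) ^ (~e & g)) + k[t] + w[t]) & MASK
            t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h)


def matches_sha512(data):
    """Sanity check: variant 0 must agree with the standard algorithm."""
    return gsha512(data, 0) == hashlib.sha512(data).digest()


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample input
    print("SHA-512 match:", matches_sha512(pw))
    for n in (0, 42, 98765):
        print(f"GSHA512 #{n}:", gsha512(pw, n).hex())
```

The point of the exercise is visible in the output: the same password under #42 and #98765 shares nothing with the standard digest, yet each variant costs the defender exactly one SHA-512 computation, while an attacker's fixed-function SHA-512 hardware is useless against any variant but #0.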

Who owns your email account?

  • A user had their Yahoo email account terminated by Yahoo for violation of its terms of service
  • The violation was apparently for flaming another user in the comments thread under Yahoo news articles
  • Since the email address is part of the overall ‘Yahoo Account’, it was terminated
  • Eric Goldman, law professor at Santa Clara University, says: “A cloud service can lock off your assets,” he adds. “They may still be your assets from a matter of legal ownership, but if you have no access to them, who cares?” (Possession is 9/10ths of the law?)
  • Microsoft and Google have similar terms, although Google adds: “If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service”
  • This is why it is probably best to always use your own domain, so that you own the address
  • Even if you use Gmail or some other service to actually host the mail, if your account gets terminated you can move your hosting elsewhere and, most importantly, your email address does not change
  • There is also the option to host your own email, with a hosting account, VPS or dedicated server
  • In these cases, especially when you do not have multiple servers to provide backup MX, I recommend a service such as: DNSMadeEasy Backup Email Service

Feedback:


Round Up:


Tendresse for Ten | BSD Now 21 https://original.jupiterbroadcasting.net/50277/tendresse-for-ten-bsd-now-21/ Thu, 23 Jan 2014 21:58:45 +0000 https://original.jupiterbroadcasting.net/?p=50277 We talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, how to do some bandwidth monitoring.

The post Tendresse for Ten | BSD Now 21 first appeared on Jupiter Broadcasting.


We’ve got some great news for OpenBSD, as well as the scoop on FreeBSD 10.0-RELEASE – yes it’s finally here! We’re gonna talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, we’ll be showing you how to do some bandwidth monitoring and network performance testing in a combo tutorial. We’ve got a round of your questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD 10.0-RELEASE is out

  • The long awaited, giant release of FreeBSD is now official and ready to be downloaded
  • One of the biggest releases in FreeBSD history, with tons of new updates
  • Some features include: LDNS/Unbound replacing BIND, Clang by default (no GCC anymore), native Raspberry Pi support and other ARM improvements, bhyve, Hyper-V support, AMD KMS, VirtIO, Xen PVHVM in GENERIC, lots of driver updates, ZFS on root in the installer, SMP patches to pf that drastically improve performance, netmap support, pkgng by default, wireless stack improvements, a new iSCSI stack, FUSE in the base system… the list goes on and on
  • Start up your freebsd-update or do a source-based upgrade right now!

OpenSSH 6.5 CFT

  • Our buddy Damien Miller announced a call for testing for OpenSSH 6.5
  • Huge, huge release, focused on new features rather than bug fixes (but it includes those too)
  • New ciphers, new key formats, new config options; see the mailing list for all the details
  • Should be in OpenBSD 5.5 in May, look forward to it – but also help test on other platforms!
  • We’ll talk about it more when it’s released

DIY NAS story, FreeNAS 9.2.1-BETA

  • Another new blog post about FreeNAS!
  • “I did briefly consider suggesting nas4free for the EconoNAS blog, since it’s essentially a fork off the FreeNAS tree but may run better on slower hardware, but ultimately I couldn’t recommend anything other than FreeNAS”
  • Really long article with lots of nice details about his setup, why you might want a NAS, etc.
  • Speaking of FreeNAS, they released 9.2.1-BETA with lots of bugfixes

OpenBSD needed funding for electricity.. and they got it

  • Briefly mentioned at the end of last week’s show, but has blown up over the internet since
  • OpenBSD in the headlines of major tech news sites: slashdot, zdnet, the register, hacker news, reddit, twitter.. thousands of comments
  • They needed about $20,000 to cover electric costs for the server rack in Theo’s basement
  • Lots of positive reaction from the community helping out so far, and it appears they have reached their goal and got $100,000 in donations
  • From Bob Beck, “we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation”
  • This is a shining example of the BSD community coming together, and even the Linux people realizing how critical BSD is to the world at large

This episode was brought to you by

iXsystems


Interview – Colin Percival – cperciva@freebsd.org / @twitter

FreeBSD on Amazon EC2, backups with Tarsnap, 10.0-RELEASE, various topics


Tutorial

Bandwidth monitoring and testing


News Roundup

pfSense talk at Tokyo FreeBSD Benkyoukai

  • Isaac Levy will be presenting “pfSense Practical Experiences: from home routers, to High-Availability Datacenter Deployments”
  • He’s also going to be looking for help to translate the pfSense documentation into Japanese
  • The event is on February 17, 2014 if you’re in the Tokyo area

m0n0wall 1.8.1 released

  • For those who don’t know, m0n0wall is an older BSD-based firewall OS that’s mostly focused on embedded applications
  • pfSense was forked from it in 2004, and has a lot more active development now
  • They switched to FreeBSD 8.4 for this new version
  • Full list of updates in the changelog
  • This version requires at least 128MB RAM and a disk/CF size of 32MB or more, oh no!

Ansible and PF, plus NTP

  • Another blog post from our buddy Michael Lucas
  • There have been some NTP amplification attacks in the news recently
  • The post describes how he configured ntpd on a lot of servers without a lot of work
  • He leverages pf and ansible for the configuration
  • OpenNTPD is, not surprisingly, unaffected – use it

ruBSD videos online

  • Just a quick followup from a few weeks ago
  • Theo and Henning’s talks from ruBSD are now available for download
  • There\’s also a nice interview with Theo

PCBSD weekly digest

  • 10.0-RC4 images are available
  • Wine PBI is now available for 10
  • 9.2 systems will now be able to upgrade to version 10 and keep their PBI library

Feedback/Questions

  • Sha\’ul writes in: https://slexy.org/view/s2WQXwMASZ
  • Kjell-Aleksander writes in: https://slexy.org/view/s2H0FURAtZ
  • Mike writes in: https://slexy.org/view/s21eKKPgqh
  • Charlie writes in (and gets a reply): https://slexy.org/view/s21UMLnV0G
  • Kevin writes in: https://slexy.org/view/s2SuazcfoR

Contest

  • We’ll be giving away a handmade FreeBSD pillow – yes you heard right
  • All you need to do is write a tutorial for the show
  • Submit your BSD tutorial write-ups to feedback@bsdnow.tv
  • Check bsdnow.tv/contest for all the rules, details, instructions and a picture of the pillow.

  • All the tutorials are posted in their entirety at bsdnow.tv
  • The poudriere tutorial got a couple fixes and modernizations
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Stop commenting on the Jupiterbroadcasting pages and Youtube! We don’t read those!
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

Bhyve Mind | BSD Now 20 https://original.jupiterbroadcasting.net/49707/bhyve-mind-bsd-now-20/ Thu, 16 Jan 2014 22:46:02 +0000 https://original.jupiterbroadcasting.net/?p=49707 We're going to sit down for a chat with Neel Natu and Peter Grehan, the developers of bhyve. Not familiar with bhyve?

The post Bhyve Mind | BSD Now 20 first appeared on Jupiter Broadcasting.


RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD automatic installation

  • A CFT (call for testing) was posted for OpenBSD’s new automatic installer process
  • Using this new system, you can spin up fully-configured OpenBSD installs very quickly
  • Allows you to PXE boot the system and load the answer file via HTTP by each machines MAC address, with fallback to a default config file
  • It will answer all the questions for you and can put files into place and start services
  • Great for large deployments, help test it and report your findings

FreeNAS install guide and blog posts

  • A multipart series on YouTube about installing FreeNAS
  • In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
  • In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
  • He pronounces gigabytes as jiggabytes and it’s hilarious
  • We’ve also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
  • As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world

FreeBSD 10.0-RC5 is out

  • Another, unexpected RC is out for 10.0
  • Includes an ABI change: you must recompile/reinstall all ports/packages if you are upgrading from a previous 10.0-RC
  • Minor fixes included, please help test and report any bugs
  • You can update via freebsd-update or from source
  • Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we’ll talk about
  • It’s been tagged -RELEASE in SVN already too!

OpenBSD 5.5-beta is out

  • Theo updated the branch status to 5.5-beta
  • A list of changes is available
  • Help test and report any bugs you find
  • Lots of rapid development with signify (which we mentioned last week), the beta includes some “test keys”
  • Does that mean it’ll be part of the final release? We’ll find out in May.. or when we interview Ted (soon)

This episode was brought to you by

iXsystems - Enterprise Servers and Storage For Open Source

iX doesn’t just make big servers for work, they also make little servers for home. The FreeNAS Mini is a compact little rig that will take up to 4 drives and makes a great home storage server.


Interview – Neel Natu & Peter Grehan – neel@freebsd.org & grehan@freebsd.org

BHyVe – the BSD hypervisor
+ Could you tell us a bit about yourselves and how you first got into BSD?
+ What are your current roles in the FreeBSD project, and how did you get there?
+ What exactly is bhyve and how did the project get started?
+ What is the current status of bhyve? What guest OSes are supported?
+ What bugs remain when running different guest OSs?
+ How is support for AMD hardware virtualization progressing?
+ Is there any work on supporting older hardware that does not have EPT?
+ What will it take to be able to boot FreeBSD root-on-zfs inside bhyve?
+ Any progress on a ‘vfs hack’ to mount/passthru a file system (zfs dataset?) from the host to the guest, a la Jails?
+ How is the performance? How does the network performance compare to alternatives? How much benchmarking has been done?
+ What features have been added recently? (nmdm etc)
+ When is VGA support planned?
+ When might we see Windows (server) as a guest? What else would be required to make that happen?
+ What features are you planning for the future? How far do you plan to take bhyve (snapshots, live migration etc)


Tutorial

Virtualization with bhyve


News Roundup

Hostname canonicalisation in OpenSSH

  • Blog post from our friend Damien Miller
  • This new feature allows clients to canonicalize unqualified domain names
  • With the new config options, SSH will know that when you type “ssh bsdnow” you mean “ssh bsdnow.tv”
  • This will help clean up some ssh configs, especially if you have many hosts
  • Should make it into OpenSSH 6.5, which is “due really soon”

Dragonfly on a Chromebook

  • Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
  • These couple of posts detail some of the things he’s got working so far
  • Changes were needed to the boot process, trackpad and wifi drivers needed updating…
  • Also includes a guide written by Dillon on how to get yours working

Spider in a box

  • “Spiderinabox” is a new OpenBSD-based project
  • Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
  • Firefox runs encapsulated in OpenBSD and doesn’t have access to OS X in any way
  • The developer is looking for testers on other operating systems!

PCBSD weekly digest

  • PCBSD 10 has entered into the code freeze phase
  • They’re focusing on fixing bugs now, rather than adding new features
  • The update system got a lot of improvements
  • PBI load times reduced by up to 40%! what!!!

Feedback/Questions

  • Scott writes in: https://slexy.org/view/s25zbSPtcm
  • Chris writes in: https://slexy.org/view/s2EarxbZz1
  • SW writes in: https://slexy.org/view/s2MWKxtWxF
  • Ole writes in: https://slexy.org/view/s20kzex2qm
  • Gertjan writes in: https://slexy.org/view/s2858Ph4o0

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Reminder: OpenBSD still really needs funding for electricity – if you know a company that can help, please contact Theo or the foundation
  • Reminder: NYCBSDCon February 8th – The BSDs in Production
  • Reminder: Our tutorial contest is going until the end of this month, check bsdnow.tv/contest for info and rules, win a cool BSD pillow!

Go Directly to Jail(8) | BSD Now 7 https://original.jupiterbroadcasting.net/44887/go-directly-to-jail8-bsd-now-7/ Fri, 18 Oct 2013 10:26:57 +0000 https://original.jupiterbroadcasting.net/?p=44887 We'll show you how to create and deploy BSD jails, as well as chatting with Poul-Henning Kamp - the guy who actually invented them!

The post Go Directly to Jail(8) | BSD Now 7 first appeared on Jupiter Broadcasting.


On this week’s show, you’ll be getting the full jail treatment. We’ll show you how to create and deploy BSD jails, as well as chatting with Poul-Henning Kamp – the guy who actually invented them! There’s lots of interesting news items to cover as well.

So stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD turns it up to 11

  • The -CURRENT branch is now known as 11
  • 10 has been branched to -STABLE
  • 10-BETA1 ISOs are available now
  • Will be the next -RELEASE, probably next year

Stopping the SSH bruteforce with OpenBSD and pf

  • The Hail Mary Cloud is an SSH bruteforce botnet that takes a different approach
  • While most botnets pound port 22 rapidly, the Hail Mary Cloud does it very slowly and patiently, a few attempts per host spread over hours
  • This makes prevention based on per-source rate limiting more involved and complex
  • Nice long blog post about some potential solutions and what we’ve learned
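The reason rate limiting struggles here is worth seeing in data. The following is an added example, not from the blog post: it parses a constructed auth.log excerpt (RFC 1918 addresses, made-up timestamps, a hostname of "gw") in which six addresses share two account names at roughly 90-minute spacing and one legitimate user mistypes a password once. A per-source counter never sees more than one failure per hour, so a pf max-src-conn-rate or fail2ban style threshold stays quiet; grouping failures by the account being tried, across sources, exposes the campaign and yields the address list you would drop into a pf table.

```python
"""Detecting a slow, distributed SSH bruteforce in auth.log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

_FAILED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$")

# Constructed auth.log excerpt; addresses, times and users are made up.
SAMPLE_LOG = """\
Oct 14 01:02:11 gw sshd[1111]: Failed password for root from 10.0.0.1 port 51000 ssh2
Oct 14 02:45:09 gw sshd[1112]: Failed password for root from 10.0.0.2 port 51001 ssh2
Oct 14 04:10:33 gw sshd[1113]: Failed password for invalid user admin from 10.0.0.3 port 51002 ssh2
Oct 14 05:55:01 gw sshd[1114]: Failed password for root from 10.0.0.4 port 51003 ssh2
Oct 14 07:30:47 gw sshd[1115]: Failed password for invalid user admin from 10.0.0.5 port 51004 ssh2
Oct 14 09:15:12 gw sshd[1116]: Failed password for root from 10.0.0.6 port 51005 ssh2
Oct 14 10:50:58 gw sshd[1117]: Failed password for invalid user admin from 10.0.0.1 port 51006 ssh2
Oct 14 12:20:03 gw sshd[1118]: Failed password for root from 10.0.0.2 port 51007 ssh2
Oct 14 14:00:40 gw sshd[1119]: Failed password for invalid user admin from 10.0.0.3 port 51008 ssh2
Oct 14 14:01:02 gw sshd[1120]: Failed password for kjell from 192.168.1.20 port 40000 ssh2
Oct 14 14:01:09 gw sshd[1120]: Accepted password for kjell from 192.168.1.20 port 40000 ssh2
Oct 14 16:35:21 gw sshd[1121]: Failed password for root from 10.0.0.4 port 51009 ssh2
"""


def parse_failures(log_text, year=2013):
    """[(timestamp, username, source)] for every failed-password line.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = _FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def max_burst_per_source(events, window_minutes=60):
    """Most failures any one address produced inside a sliding window: the
    quantity a per-IP rate limit (pf max-src-conn-rate, fail2ban) reacts to."""
    by_src = defaultdict(list)
    for ts, _, src in events:
        by_src[src].append(ts)
    best = 0
    for times in by_src.values():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_minutes * 60:
                j += 1
            best = max(best, i - j + 1)
    return best


def targeted_accounts(events, min_sources=3):
    """{username: (distinct sources, attempts)} for accounts tried from at
    least min_sources addresses: the signature of a distributed campaign."""
    sources, attempts = defaultdict(set), Counter()
    for _, user, src in events:
        sources[user].add(src)
        attempts[user] += 1
    return {u: (len(s), attempts[u]) for u, s in sources.items() if len(s) >= min_sources}


def campaign_sources(events, flagged_users):
    """Addresses that took part against the flagged accounts, e.g. for a pf table."""
    return sorted({src for _, user, src in events if user in flagged_users})


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("max failures from one address in 60 min:", max_burst_per_source(ev))
    flagged = targeted_accounts(ev)
    print("accounts under distributed attack:", flagged)
    print("participating addresses:", campaign_sources(ev, flagged))
```

The legitimate user's single failure is not flagged because only one address tried that account; the threshold on distinct sources, not on attempts, is what separates a typo from a botnet.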

ZFS and GELI in bsdinstall coming soon

  • The man with the beard strikes again, new patch allows for ZFS-on-root installs
  • Supports GELI for disk encryption
  • Might be the push we need to make Michael W Lucas update his FreeBSD book

AsiaBSDCon 2014 announced

  • Will be held in Tokyo, 13-16 March, 2014
  • The conference is for anyone developing, deploying and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, Darwin and Mac OS X
  • Call for papers can be found here

Interview – Poul-Henning Kamp – phk@freebsd.org / @bsdphk

FreeBSD beginnings, md5crypt, jails, varnish and his… telescope project?


Tutorial

Everything you need to know about Jails

  • Last week we showed you how to run VNC in a jail, but people asked “how do I make a jail in the first place?”
  • This time around, we’ll show you how to do exactly that
  • Jails are a dream come true for both security experts and clean freaks, keeping everything isolated
  • We’ll be using the ezjail utility and making a basic jail setup

News Roundup

New pf queue system

  • Henning Brauer committed the new kernel-side bandwidth shaping subsystem
  • Uses the HFSC algorithm behind the scenes
  • ALTQ to be retired “in a release or two” – everyone should migrate soon

Dragonfly imports FreeBSD KMS driver

  • Hot on the heels of OpenBSD and then FreeBSD, DragonFly gets AMD KMS
  • Ported over from FreeBSD’s version of the driver

Weekly PCBSD feature digest

  • Weekly status update every Friday
  • Will be a “highlight of what important features have been added, what major bugs have been fixed, and what is presently going on in general with the project.”

Get paid to hack OpenSSH

  • Google has announced a Patch Reward Program that will pay up to $3,133.70 for security patches to OpenSSH (among other core open source projects)
  • Patches can fix a specific security bug or proactively improve security, for example by hardening code or removing attack surface
  • If you come up with something, send it to the OpenSSH developers first; the reward is for patches that get accepted upstream

Feedback/Questions

  • Darren writes in: https://slexy.org/view/s24RmwvEvE
  • Kjell-Aleksander writes in: https://slexy.org/view/s2wFcFk9Yz
  • Ryan writes in: https://slexy.org/view/s23e920gNG
  • Alexander writes in: https://slexy.org/view/s2usxPqO9k

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Grand Theft BGP | TechSNAP 121 https://original.jupiterbroadcasting.net/41087/grand-theft-bgp-techsnap-121/ Thu, 01 Aug 2013 17:49:09 +0000 https://original.jupiterbroadcasting.net/?p=41087 A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don't see it more often.

The post Grand Theft BGP | TechSNAP 121 first appeared on Jupiter Broadcasting.


A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don’t see it more often.

Plus an Interview with Brendan Gregg author of a new book that focuses on Systems Performance in the Enterprise and the Cloud, plus a big batch of your questions, our answers, and much much more!

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5

Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.

 



BGP hijack used to redirect traffic destined for online banking

  • On 24 July 2013 a number of specific IP addresses were maliciously mis-routed to an ISP in the Netherlands
  • This is especially unusual because almost all BGP routes are /24 or shorter prefixes (routers only have so much RAM in which to hold the routing table for the entire Internet, so most networks filter anything more specific than a /24), while most of these were /32s, i.e. single IP addresses
  • This might be written off as a mistake, but the owners of the affected addresses suggest otherwise:
    • AMAZON-AES – Amazon.com, Inc.
    • AS-7743 – JPMorgan Chase & Co.
    • ASN-BBT-ASN – Branch Banking and Trust Company
    • BANK-OF-AMERICA Bank of America
    • CEGETEL-AS Societe Francaise du Radiotelephone S.A
    • FIRSTBANK – FIRSTBANK
    • HSBC-HK-AS HSBC HongKong
    • PFG-ASN-1 – The Principal Financial Group
    • PNCBANK – PNC Bank
    • REGIONS-ASN-1 – REGIONS FINANCIAL CORPORATION
  • The ISP, NedZone.nl (AS25459), normally announces about 30 prefixes of various sizes between /18 and /24, but on the date in question it was announcing 369, almost all of them more specific than /24 (normally the longest prefix that would be accepted)
  • This was most likely caused by a malicious customer, rather than by NedZone or one of its employees
  • The attack appears to have been an attempt to run a MITM attack against online banking
  • RIPE AS Dashboard for AS25459, showing the list of prefixes announced in the last 30 days
  • HE BGP Looking Glass AS25459 Prefixes
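The two tells described above (more-specific prefixes from the wrong origin, and an AS suddenly announcing ten times its usual prefix count) are easy to check mechanically. The following is an added example, not code from the show or from any routing-data provider: it classifies a constructed feed of (prefix, origin AS) announcements against a constructed baseline of expected origins. The prefixes are RFC 5737 documentation space and the origin ASNs are private-use numbers, except AS25459, which the show names as the announcing network.

```python
"""Classifying BGP announcements against a baseline of expected origins.

Added example for the NedZone hijack item above; not code from the show or
from any routing-data provider. The baseline table and the update feed are
constructed (RFC 5737 documentation prefixes, private-use AS numbers), except
that AS25459 is the announcing network named in the show notes.
"""
import ipaddress

# Who is expected to originate each covering prefix (constructed).
BASELINE = {
    "198.51.100.0/24": 64500,   # stands in for a bank's customer-facing /24
    "203.0.113.0/24": 64501,
}

MAX_ACCEPTED_PREFIXLEN = 24     # most networks filter anything more specific

def classify(prefix, origin_as, baseline=BASELINE):
    """Return (verdict, covering_prefix) for one (prefix, origin AS) announcement."""
    net = ipaddress.ip_network(prefix)
    for cov_str, cov_as in baseline.items():
        cov = ipaddress.ip_network(cov_str)
        if net.version != cov.version:
            continue
        if net == cov:
            return ("expected" if origin_as == cov_as else "origin-hijack", cov_str)
        if net.subnet_of(cov):
            # A more-specific wins longest-prefix match wherever it propagates,
            # so even a /32 from the wrong AS pulls that one host's traffic.
            if origin_as != cov_as:
                return ("more-specific-hijack", cov_str)
            return ("more-specific-own", cov_str)
    return ("unknown", None)

def audit(updates, baseline=BASELINE):
    """Return alerts: hijack verdicts, plus anything longer than /24, which
    should not normally make it into a global table at all."""
    alerts = []
    for prefix, origin_as in updates:
        verdict, cov = classify(prefix, origin_as, baseline)
        too_long = ipaddress.ip_network(prefix).prefixlen > MAX_ACCEPTED_PREFIXLEN
        if verdict.endswith("hijack") or too_long:
            alerts.append({"prefix": prefix, "origin_as": origin_as,
                           "verdict": verdict, "covering": cov,
                           "longer_than_24": too_long})
    return alerts

def announcement_spike(observed_count, usual_count, factor=3):
    """The other tell from the show: the AS's prefix count jumped from ~30 to 369."""
    return observed_count >= factor * usual_count

UPDATES = [  # constructed feed of (prefix, origin AS)
    ("198.51.100.0/24", 64500),     # legitimate
    ("198.51.100.7/32", 25459),     # single bank host, announced by AS25459
    ("203.0.113.128/25", 64501),    # holder deaggregating its own space
    ("203.0.113.0/24", 25459),      # same prefix, wrong origin
    ("192.0.2.0/24", 64502),        # not in the baseline at all
]

if __name__ == "__main__":
    for alert in audit(UPDATES):
        print(alert)
    print("prefix-count spike:", announcement_spike(369, 30))
```

In practice the baseline comes from RPKI ROAs or IRR route objects rather than a hand-written dict, and the feed from a looking glass or BGP collector; the classification logic is the same.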

Digital Ocean Cloud ‘Droplets’ found to be reusing the same SSH host keys

  • While using Digital Ocean’s cloud servers to write a comparison of Ansible and Salt, two administration/orchestration tools, Joshua Lund discovered that many of his ‘Droplets’ had the same SSH host key fingerprint
  • While rapidly creating and destroying Droplets, he ended up with the same IP address again and noticed that he did not receive an SSH host key mismatch warning telling him that this server was not the same one that had previously resided at that IP address
  • Upon further investigation he found that the SSH host keys were part of the base image, rather than being generated on first boot
  • While this was likely a simple oversight while creating the images, or an attempt to make Droplets boot faster by skipping host key generation, it is a significant security issue
  • It means someone who obtained a Droplet at your old IP address would have the same SSH host private key (and therefore the same fingerprint); if you or one of your old users connected to that IP, they could capture your password or otherwise perform a MITM attack
  • The issue was reported to Digital Ocean and they responded the same day
  • The immediate fix did not resolve all instances of the issue, but within 7 days it had been resolved
  • Digital Ocean then started working with their customers to have them replace their SSH host keys with unique ones
  • 6 weeks later a public security advisory was issued
  • If you do not install the OS yourself, it is a good idea to regenerate the SSH host keys as part of the initial setup process
  • Official Advisory
  • On a future episode of TechSNAP we’ll talk about SSHFP DNS records and maintaining a system-wide ssh_known_hosts file
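Checking whether any two machines in a fleet share a host key is the same fingerprint arithmetic ssh itself performs. This added example (not Digital Ocean’s code or the show’s) computes OpenSSH-style SHA256 fingerprints for each host’s public key lines and reports every key present on more than one host. The hostnames and key blobs are constructed, deterministic bytes rather than real keys, but the function works unchanged on real /etc/ssh/ssh_host_*_key.pub lines.

```python
"""Fleet audit for duplicated SSH host keys (the Droplet image problem above).

Added example; not Digital Ocean's code or the show's. The hosts and key
blobs are constructed (deterministic bytes, not real keys), but the
fingerprint calculation matches OpenSSH's SHA256 form, so it works on real
/etc/ssh/ssh_host_*_key.pub lines too.
"""
import base64
import hashlib
from collections import defaultdict

def fingerprint_sha256(pubkey_line):
    """OpenSSH-style fingerprint: base64(sha256(raw key blob)), '=' padding stripped."""
    keytype, b64blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(host_keys):
    """host_keys maps hostname -> list of public key lines.
    Returns {fingerprint: sorted hostnames} for every key present on more than
    one host; any entry here means those hosts can impersonate each other."""
    owners = defaultdict(set)
    for host, lines in host_keys.items():
        for line in lines:
            owners[fingerprint_sha256(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in owners.items() if len(hosts) > 1}

def _constructed_key(keytype, seed):
    # Stand-in for a key blob: 64 deterministic bytes derived from the seed.
    blob = hashlib.sha512(seed.encode()).digest()
    return f"{keytype} {base64.b64encode(blob).decode()} root@droplet"

# Two hosts built from the same image share an RSA key; db-1 was reinstalled by hand.
FLEET = {
    "web-1": [_constructed_key("ssh-rsa", "base-image-2013-07"),
              _constructed_key("ecdsa-sha2-nistp256", "web-1-ecdsa")],
    "web-2": [_constructed_key("ssh-rsa", "base-image-2013-07"),
              _constructed_key("ecdsa-sha2-nistp256", "web-2-ecdsa")],
    "db-1":  [_constructed_key("ssh-rsa", "db-1-rsa"),
              _constructed_key("ecdsa-sha2-nistp256", "db-1-ecdsa")],
}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(FLEET).items():
        print(f"{fp} shared by {', '.join(hosts)}: regenerate on all but one")
```

On a host that turns up in the report, the usual remedy is to delete /etc/ssh/ssh_host_* and run ssh-keygen -A to generate fresh keys for every type sshd supports, then restart sshd; clients then need the stale entry removed with ssh-keygen -R hostname, which is the system-wide ssh_known_hosts problem the show promises to come back to.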

Interview with Brendan Gregg

Systems Performance: Enterprise and the Cloud (ISBN 0133390098)


Feedback:

Directory Dive:

Round Up:

Sour Apple | CR 59 https://original.jupiterbroadcasting.net/40672/sour-apple-cr-59/ Mon, 22 Jul 2013 12:17:14 +0000 https://original.jupiterbroadcasting.net/?p=40672 A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

The post Sour Apple | CR 59 first appeared on Jupiter Broadcasting.


A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

Why we’re a bit dismayed at Firefox OS’ attempts to kill the app store…

And we answer your hard questions.

Thanks to:

Use our code coder249 to get a .COM for $2.49.

 


Feedback

Dev World Hoopla

In an email to developers today, Apple revealed that its Developer Center website was breached by unknown hackers and was taken offline last Thursday as a precaution.

“This is definitely not an hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and i did notwanted to damage [sic],” writes the user Ibrahim Baliç.

He has since told the Guardian, “My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it.”

“In essence, with Firefox OS, we made app discovery as easy as browsing the web, and we give you a very good reason to brush up the mobile optimised web sites you already have on the web,” writes Mozillan Chris Heilmann on the company blog.

In the car industry, Formula 1 provides a commercial testbed for cutting-edge technologies. The Ubuntu Edge project aims to do the same for the mobile phone industry — to provide a low-volume, high-technology platform, crowdfunded by enthusiasts and mobile computing professionals.

Tool of the Week

Amazon ASIN B005JN9310

Hard Drives for Jupiter:

Follow the show

Linux Drive Recovery | LAS s27e10 https://original.jupiterbroadcasting.net/40577/linux-drive-recovery-las-s27e10/ Sun, 21 Jul 2013 13:38:15 +0000 https://original.jupiterbroadcasting.net/?p=40577 Some of the best tools to save and recover data from a failing drive are free, and built for Linux. We’ll demo some of the best tools to save your data.

The post Linux Drive Recovery | LAS s27e10 first appeared on Jupiter Broadcasting.


Some of the best tools to save and recover data from a failing drive are free, and built for Linux. We’ll demo some of the best tools to save your data, and make the best of a bad situation. Plus a few tips to prevent data loss and monitor the health of your drives.

PLUS: Setting up a Honeypot for security and fun, things to keep in mind, and using a Raspberry Pi as the Honeypot.

Then: A big batch of your emails, dev drama of the week, Ubuntu Forums is hacked…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux249 to score .COM for just $2.49!

Free Private Registration with your .COM just use our code free3 until the end of the month!

Visit las.ting.com to save $25 off your device or service credits.


— Show Notes: —

Save Your Data From a Dying Drive with Linux:


System76

Brought to you by: System76

GSmartControl is a graphical user interface for smartctl (from smartmontools package), which is a tool for querying and controlling SMART (Self-Monitoring, Analysis, and Reporting Technology) data on modern hard disk drives. It allows you to inspect the drive’s SMART data to determine its health, as well as run various tests on it.

GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

Basic Syntax

ddrescue /dev/disk /mnt/tuna/partimg/mydisk.img logfile
ddrescue -r3 /dev/disk /mnt/tuna/partimg/mydisk.img logfile

The arguments are the failing input device, the output image and a logfile (ddrescue’s map of which blocks have been copied and which failed). The first run copies everything that reads cleanly; rerunning with -r3 goes back over the failed areas up to three more times. Keep the logfile between runs so an interrupted rescue resumes where it left off. Be sure to write the image and the logfile to a separate disk/storage location, never to the failing drive.

Mount the Image

mount -o loop,ro mydisk.img /somewhere

loop is a mount option, not a filesystem type, so -t loop fails with an unknown filesystem error. If the image is of a whole disk rather than a single partition, add offset=<bytes> to the options to point at the start of the partition you want. Mounting read-only keeps the image unchanged, so hashes taken of it stay valid.

dc3dd compared to GNU dd

dc3dd is a forensics-oriented patch of GNU dd, so the command syntax is the same. The following features are available in dc3dd that are not found in GNU dd:

  • On-the-fly hashing with multiple algorithms (MD5, SHA-1, SHA-256, and SHA-512), with variable-sized piecewise hashing
  • Able to write errors directly to a file
  • Combined error log that groups errors together (e.g. “1,023 Input/output errors between blocks 17–233”)
  • Pattern wiping: wipe output files with a single hex digit or a text pattern
  • Verify mode
  • Progress reports: see the progress of the operation while it’s running
  • Split output: able to split output files into fixed-size chunks

The following changes to GNU dd’s behavior were made:

  • On a partial read, the whole block is wiped with zeros. This keeps offsets aligned and allows for repeatable reads/hashes of a drive with errors.
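The zero-fill rule is what makes piecewise hashes of a damaged drive reproducible, and it is easy to see why in miniature. This is an added example, not dc3dd’s own code and not something that touches a real device: a constructed in-memory “drive” with a configurable set of unreadable blocks is imaged with whole-block zeroing on error, hashed both piecewise and overall, and its errors collapsed into ranges the way dc3dd’s combined error log does. Block size, piece size and the bad-block positions are assumptions.

```python
"""Imaging a drive with bad blocks the dc3dd way: zero the whole block on a read
error, hash piecewise and overall, and collapse the errors into ranges.

Added example for the dc3dd feature list above; it is not dc3dd's code and
nothing here talks to a real device. The 'drive' is a constructed in-memory
byte string with a configurable set of unreadable blocks.
"""
import hashlib

BLOCK = 512

class FlakyDrive:
    """Constructed stand-in for a failing disk: blocks in bad_blocks raise IOError."""
    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad_blocks = set(bad_blocks)

    @property
    def nblocks(self):
        return (len(self.data) + BLOCK - 1) // BLOCK

    def read_block(self, n):
        if n in self.bad_blocks:
            raise IOError(f"Input/output error, block {n}")
        return self.data[n * BLOCK:(n + 1) * BLOCK]

def group_errors(bad):
    """Combined error log: contiguous bad blocks become (first, last, count)."""
    ranges = []
    for n in sorted(bad):
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1][1] = n
        else:
            ranges.append([n, n])
    return [(a, b, b - a + 1) for a, b in ranges]

def image(drive, piece_blocks=4, algo="sha256"):
    """Copy every block; an unreadable block is written as BLOCK zero bytes so
    offsets stay aligned and the result hashes identically on every run.
    Returns (image_bytes, whole_hash, [piece_hash, ...], error_ranges)."""
    out = bytearray()
    whole = hashlib.new(algo)
    piece = hashlib.new(algo)
    pieces, errors = [], []
    for n in range(drive.nblocks):
        try:
            chunk = drive.read_block(n)
        except IOError:
            errors.append(n)
            chunk = b"\x00" * BLOCK          # dc3dd: wipe the whole block
        out += chunk
        whole.update(chunk)
        piece.update(chunk)
        if (n + 1) % piece_blocks == 0 or n == drive.nblocks - 1:
            pieces.append(piece.hexdigest())
            piece = hashlib.new(algo)
    return bytes(out), whole.hexdigest(), pieces, group_errors(errors)

def verify(image_bytes, piece_hashes, piece_blocks=4, algo="sha256"):
    """dc3dd's verify mode reduced to: which pieces of the image still match."""
    size = piece_blocks * BLOCK
    return [hashlib.new(algo, image_bytes[i * size:(i + 1) * size]).hexdigest() == h
            for i, h in enumerate(piece_hashes)]

# Constructed 16-block drive (8 KiB) with a two-block run of errors and a lone one.
DATA = bytes(range(256)) * 32
DRIVE = FlakyDrive(DATA, bad_blocks={5, 6, 11})

if __name__ == "__main__":
    img, whole_hash, piece_hashes, errs = image(DRIVE)
    print("whole image:", whole_hash)
    print("pieces:", piece_hashes)
    print("errors (first, last, count):", errs)
    print("verify:", verify(img, piece_hashes))
```

Piecewise hashes also localise later damage: if one piece of the image is altered, only that piece’s hash fails verification, while a single whole-image hash only tells you that something, somewhere, changed.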

“A Geek’s Guide to Digital Forensics, or How i Learned to Stop Worrying and Love the Hex Editor”
Presented by Andrew Hoog.

Boot a Failing System

Description: SystemRescueCd is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administering or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the hard disk partitions. It comes with a lot of Linux software such as system tools (parted, partimage, fstools, …) and basic tools (editors, midnight commander, network tools). It can be used for both Linux and Windows computers, and on desktops as well as servers. This rescue system requires no installation as it can be booted from a CD/DVD drive or USB stick, but it can be installed on the hard disk if you wish. The kernel supports all important file systems (ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, ntfs), as well as network filesystems (samba and nfs).

Tuxboot helps you to create a bootable Live USB drive for Clonezilla live, DRBL live, GParted live and Tux2live. It is modified from UNetbootin and runs on both MS Windows and GNU/Linux. You can choose to download the latest version of Clonezilla live, DRBL live, or GParted live ISO/zip file then create the live USB.

Features:

  • Support Clonezilla live, DRBL live, GParted live and Tux2live. Tuxboot uses the syslinux in the ISO/zip file to make your USB drive bootable, so it is compatible with the same version of syslinux boot menu in the ISO/zip file.
  • Auto find the latest version.
  • Download an ISO file and build bootable USB flash drive on the fly.

OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independently of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensic Format (AFF).


– Picks –

Runs Linux:

– Linux Foundation Executive Director Jim Zemlin

Android Pick:

Desktop App Pick:

– From viewer David

Search our past picks:

Git yours hands all over our STUFF:


— NEWS —


Untangle

Brought to you by: Untangle

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Glastopf web honeypot along with Wordpot, Thug honeyclient and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.

I installed a Kippo honeypot on a Raspberry Pi to log attacks against a specific service,


Drives for Jupiter

– Feedback: –

BM-GuJRSMgViBNXnafzuRQL3tpHHFSJQ5Wm

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 5pm UTC: —
