vmware – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Linux Action News 242
https://original.jupiterbroadcasting.net/148722/linux-action-news-242/
Thu, 26 May 2022 05:30:00 +0000
Show Notes: linuxactionnews.com/242

Linux Action News 185
https://original.jupiterbroadcasting.net/144812/linux-action-news-185/
Sun, 18 Apr 2021 18:15:00 +0000
Show Notes: linuxactionnews.com/185

Perilously Precocious Predictions | LINUX Unplugged 386
https://original.jupiterbroadcasting.net/143772/perilously-precocious-predictions-linux-unplugged-386/
Tue, 29 Dec 2020 17:00:00 +0000
Show Notes: linuxunplugged.com/386

The Hidden Cost of Nextcloud | LINUX Unplugged 362
https://original.jupiterbroadcasting.net/142172/the-hidden-cost-of-nextcloud-linux-unplugged-362/
Tue, 14 Jul 2020 11:00:00 +0000
Show Notes: linuxunplugged.com/362

Keeping Track of Stuff | Self-Hosted 15
https://original.jupiterbroadcasting.net/140572/keeping-track-of-stuff-self-hosted-15/
Thu, 26 Mar 2020 00:15:00 +0000
Show Notes: selfhosted.show/15

Linux Action News 149
https://original.jupiterbroadcasting.net/140282/linux-action-news-149/
Sat, 14 Mar 2020 19:30:00 +0000
Show Notes: linuxactionnews.com/149

Why Self-Host? | Self-Hosted 2
https://original.jupiterbroadcasting.net/135082/why-self-host-self-hosted-2/
Thu, 26 Sep 2019 07:00:58 +0000
Show Notes: selfhosted.show/2

Serverless Squabbles | Coder Radio 346
https://original.jupiterbroadcasting.net/129556/serverless-squabbles-coder-radio-346/
Tue, 26 Feb 2019 09:04:30 +0000
Show Notes: coder.show/346

Interview with Bob Carver | Ask Noah 25
https://original.jupiterbroadcasting.net/118171/interview-with-bob-carver-ask-noah-25/
Mon, 11 Sep 2017 20:39:36 +0000

— Show Notes: —

— The Cliff Notes —

  • The Carver Challenge | Stereophile.com
  • Windows Virtio Drivers – FedoraProject
  • Spice Space
  • Understanding Guest Agents and Other Tools — oVirt
  • oVirt-toolsSetup

RSS Feeds:

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

Patreon

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

Kickin’ Harder Than a Sensei | Ask Noah 20
https://original.jupiterbroadcasting.net/117231/kickin-harder-than-a-sensei-ask-noah-20/
Mon, 07 Aug 2017 21:16:18 +0000

— Show Notes: —

— The Cliff Notes —

  • LineageOS – LineageOS Android Distribution
  • F-Droid – Free and Open Source Android App Repository
  • yeriomin/YalpStore: Download apks from Google Play Store

/home/Dumpster | Ask Noah 19
https://original.jupiterbroadcasting.net/117061/homedumpster-ask-noah-19/
Mon, 31 Jul 2017 20:12:44 +0000

— Show Notes: —

— The Cliff Notes —

  • Ubuntu Mate – The Best Distro Ever
  • Register4Less
  • Gandi
  • Free Web Templates

How to Restart LightDM

  • Press CTRL + ALT + F2
  • Log in
  • sudo restart lightdm
  • Press CTRL + ALT + F5

How to kill a process

  • Press CTRL + ALT + F2
  • Log in
  • ps -aux | grep myprogramiwantokill
  • Take note of the process ID, we will assume 1234
  • sudo kill -9 1234

Switching London to Linux | Ask Noah 18
https://original.jupiterbroadcasting.net/116871/switching-london-to-linux-ask-noah-18/
Mon, 24 Jul 2017 18:07:06 +0000

— Show Notes: —

— The Cliff Notes —

  • How to automate your system administration tasks with Ansible | Opensource.com
  • Netflix Throttle Megathread : verizon
  • Why do enterprise environments typically choose to deploy Red Hat or CentOS instead of […]

Fedora 26 Fleet Commander | Ask Noah 17
https://original.jupiterbroadcasting.net/116716/fedora-26-fleet-commander-ask-noah-17/
Mon, 17 Jul 2017 19:30:02 +0000

— Show Notes: —

— The Cliff Notes —

  • PSA: Errors after updating libdb – Fedora Magazine
  • Projects/FleetCommander – GNOME Wiki!
  • Amazon.com: AMD Radeon RX 480 4GB GDDR5 PCI Express 3.0 Gaming Graphics Card

Libvirt on QEMU | Ask Noah 16
https://original.jupiterbroadcasting.net/116506/libvirt-on-qemu-ask-noah-16/
Mon, 10 Jul 2017 19:42:57 +0000

— Show Notes: —

— The Cliff Notes —

  • Turn VPS into QCOW2 File
  • Setup a Virtual host on Centos 6
  • io Domains Compromised
  • Video for Linux Control Panel
  • Magewell USB HDMI Capture Interface

— Noobs Corner —

  • Check […]

iPhishing Expedition | TechSNAP 281
https://original.jupiterbroadcasting.net/102536/iphishing-expedition-techsnap-281/
Thu, 25 Aug 2016 18:49:30 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Sophisticated, persistent mobile attack against high-value targets on iOS

  • “Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.”
  • “Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.”
  • “Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.”
  • “We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.”
  • The target of the attack was Ahmed Mansoor, an internationally recognized human rights defender
  • “On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.”
  • “This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.”
  • “Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya. The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.”
  • “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.”
  • “The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
  • “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
  • CitizenLab report
  • Lookout Report PDF
  • Additional Coverage: Arstechnica: Apple releases iOS 9.3.5 with “an important security update”
  • Additional Coverage: NY Times
  • Additional Coverage: Motherboard
  • Additional Coverage: WaPo

Hacking Electronic Safes

  • An interesting bit of research was brought to my attention via Bruce Schneier’s blog
  • “On Friday, a hacker known as Plore presented strategies for identifying a safe custom-selected keycode and then using it to unlock the safe normally, without any damage or indication that the code has been compromised”
  • “What makes Plore’s techniques interesting is what they lack: any physical or even algorithmic sabotage”
  • “Plore used side-channel attacks to pull it off. These are ways of exploiting physical indicators from a cryptographic system to get around its protections.”
  • “Plore was able to figure out the keycodes for locks that are designated by independent third-party testing company Underwriter’s Laboratory as Type 1 High Security. These aren’t the most robust locks on the market by any means, but they are known to be pretty secure. Safes with these locks are the kind of thing you might have in your house.”
  • “In practice, Plore was able to defeat the security of two different safe locks made by Sargent and Greenleaf, each of which uses a six-digit code. “I chose Sargent and Greenleaf locks due to their popularity. They are the lock manufacturer of choice on Liberty brand gun safes, among others, and safes featuring those locks are widely available at major stores,” Plore told WIRED”
  • “Plore said he didn’t have time before Defcon to try his attacks on other lock brands, but he added, “I would not be particularly surprised if techniques similar to those I described would apply to other electronic safe locks, other electronic locks in general (e.g., door locks), or other devices that protect secrets (e.g., phones).”
  • I am glad the 6 digit combination lock that protects my house is mechanical
  • “For the Sargent and Greenleaf 6120, a lock developed in the 1990s and still sold today, Plore noticed that when he entered any incorrect keycode he could deduce the correct code by simply monitoring the current being consumed by the lock.”
  • ““What you do here is place the resistor in series with the battery and the lock, and by monitoring voltage across that resistor we can learn how much current the lock is drawing at any particular time. And from that we learn something about the state of the lock,” Plore explained. As the lock’s memory checked the input against its stored number sequence, the current on the data line would fluctuate depending on whether the bits storing each number in the code were a 0 or a 1. This essentially spelled out the correct key code until Plore had all of its digits in sequence and could just enter them to unlock the safe. Bafflingly easy.”
  • “For the second demonstration, he experimented with a newer lock, the Sargent and Greenleaf Titan PivotBolt. This model has a more secure electronics configuration so Plore couldn’t simply monitor power consumption to discover the correct keycode. He was able to use another side-channel approach, though, a timing attack, to open the lock. Plore observed that as the system checked a user code input against its stored values there was a 28 microsecond delay in current consumption rise when a digit was correct. The more correct digits, the more delayed the rise was. This meant that Plore could efficiently figure out the safe’s keycode by monitoring current over time while trying one through 10 for each digit in the keycode, starting the inputs over with more and more correct digits as he pinpointed them. Plore did have to find a way around the safe’s “penalty lockout feature” that shuts everything down for 10 minutes after five incorrect input attempts, but ultimately he was able to get the whole attack down to 15 minutes, versus the 3.8 years it would take to try every combination and brute force the lock.”
  • This is why cryptographic checks are usually implemented in ‘constant time’: the code deliberately takes the same amount of time to return a result for the right input and for the wrong input, so the attacker can’t learn anything from how long the response takes
  • ““Burglars aren’t going to bother with this. They’re going to use a crowbar or a hydraulic jack from your garage or if they’re really fancy they’ll use a torch,” Plore said. “I think the more interesting thing here is [these attacks] have applicability to other systems. We see other systems that have these sorts of lockout mechanisms.” Plore said that he has been trying to contact Sargent and Greenleaf about the vulnerabilities since February. WIRED reached out to the company for comment but hadn’t heard back by publication time.”
  • “Even though no one would expect this type of affordable, consumer-grade lock to be totally infallible, Plore’s research is important because it highlights how effective side-channel attacks can be. They allow a bad actor to get in without leaving a trace. And this adds an extra layer of gravity, because not only do these attacks compromise the contents of the safe, they could also go undetected for long periods of time.”
  • This practical example makes the software versions much easier to understand
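The constant-time point above, as an added example that is not part of the show notes or of Plore’s research: a small Python model of a six-digit keycode check (the keycode value, the instrumented comparison functions and the “digits examined” counter are all constructed for this illustration). It shows how an early-exit comparison does work proportional to the length of the correct prefix, which is the signal a timing side channel observes, while the constant-time version does the same work for every guess; `hmac.compare_digest` is the standard-library function to use in real code.

```python
"""Constant-time comparison: why an early-exit check leaks and what the fix looks like.

Added illustration; not code from the show notes or from Plore's research.
The six-digit keycode, the instrumented comparisons and the "digits examined"
counter are constructed for this example.
"""
import hmac


def leaky_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Early-exit comparison, as a naive keypad firmware might do it.

    Returns (match, digits_examined). The count stands in for elapsed time or
    current draw: it grows with the length of the correct prefix, which is the
    side channel a timing attack observes.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:          # the branch that leaks: stop at the first mismatch
            return False, examined
    return True, examined


def constant_time_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Comparison that touches every position no matter where mismatches are.

    Differences are OR-ed into an accumulator instead of branching on them, so
    the work done (and therefore the timing) is the same for every wrong guess.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret.encode(), guess.encode()):
        examined += 1
        diff |= s ^ g       # becomes non-zero once any byte differs; no early return
    return diff == 0, examined


def stdlib_compare(secret: str, guess: str) -> bool:
    """What production code should use: the standard library's constant-time
    comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def work_profile(compare, secret: str, guesses: list[str]) -> list[int]:
    """Digits examined for each guess. A rising profile means the check leaks
    how much of the prefix is right; a flat profile means it does not."""
    return [compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    SECRET = "482913"   # constructed keycode for the demo
    # Guesses whose correct prefix grows by one digit each time.
    probes = ["000000", "400000", "480000", "482000", "482900", "482910"]
    print("leaky:        ", work_profile(leaky_compare, SECRET, probes))
    print("constant-time:", work_profile(constant_time_compare, SECRET, probes))
    print("stdlib match: ", stdlib_compare(SECRET, "482913"))
```

The counter is a stand-in for the physical signal; in an interpreted language wall-clock timing is noisy and the interpreter itself makes no constant-time guarantees, so the lesson is structural: never branch out of a secret comparison on partial results, and reach for `hmac.compare_digest` (or the equivalent in your platform’s crypto library) rather than a home-grown loop. The lock’s lockout-after-five-attempts feature is the complementary defence, rate limiting, and as the write-up shows it is not a substitute for a leak-free comparison.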

Turkish Journalist Jailed for Terrorism Was Framed, Computer Forensics Report Shows

  • Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer.
  • But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.
  • The attackers also attempted to control the journalist’s machine remotely, trying to infect it using malicious email attachments and thumb drives.
  • Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it’s been seen in the wild.
  • “The attackers seemed to pull everything out of their bag of tricks,” Mark Spencer, digital forensics expert at Arsenal Consulting, said.
  • Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to a group accused of terrorism in Turkey.
  • It is not clear who perpetrated the attack, but the sophistication of the malware used, the tightly targeted way Ahtapot works, and the timing of Pehlivan’s arrest suggest a highly coordinated, well-funded attack.
  • A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light on the case, after several other reports had acknowledged the presence of malware.
  • Spencer said no other forensics expert noticed the trojan, nor has any of them accurately determined how those documents showed up on the journalist’s computer.
  • However, almost all the reports have concluded that the incriminating files were planted.
  • What baffled Spencer the most during the investigation was an unusual malware, one he hasn’t seen before. It was installed on Pehlivan’s computer on the evening of February 11, 2011, a Friday. The police raid took place on the following Monday morning.
  • Spencer called Gabor Szappanos, principal researcher at Sophos, who has been analyzing computer viruses for over two decades. They worked together to find out what happened.
  • This malware appeared to be in unfinished beta development. It was a Remote Access Trojan (RAT), a malicious software that allows attackers to control a computer without having physical access.
  • There are clues to suggest the malware is Turkish in origin, including Turkish words in Ahtapot’s code, yet security experts are almost always uncomfortable talking about attribution.
  • The Sophos researcher believes this Remote Access Trojan was rushed into use out of desperation, after several attacks failed to deliver expected results. “Looking at the code revealed some mistakes that are typical at the beginning of development processes [of a malware],” the researcher said.
  • Prior to bringing in Ahtapot trojan, the attackers relied on more common malware. First, they tried to infect Pehlivan’s computer with the Turkojan RAT through a thumb drive. Email attachments were also used.
  • Spencer said attackers copied both malware and incriminating documents to Pehlivan’s hard drive on the nights of February 9 and 11, to cover their bases in case they would not be able to control the computer remotely using the malware.
  • They were smart enough to forge the dates associated with these documents, Spencer said. The key to his investigation was constructing the true timeline of the events.
  • He suspects the journalist’s PC was attacked locally during those two evenings of February 9 and 11, because previous attempts to remotely infect it with malware failed.
  • “There were about a dozen different malware samples found. Analyzing them in detail revealed that these were not independent incidents, we could find connection between them,” Szappanos said.
  • He believes this was an expensive targeted attack, which used malware samples and command and control servers dedicated to this case alone.
  • Most infosec professionals refrain from saying who the attacker is, as attribution is usually difficult to establish in the cyberworld. “We think it was developed by a Turkish speaking person/people. Internal texts found in the malware samples were all in the Turkish language,” Szappanos said.
  • Meanwhile in Turkey, Barış Pehlivan is getting ready for his next hearing, scheduled for September 21. He believes the trial could end this year, and hopes to be acquitted.

Authentic Partnership | WTR 49
https://original.jupiterbroadcasting.net/92131/authentic-partnership-wtr-49/
Wed, 30 Dec 2015 12:33:04 +0000

Jennifer is the VP of business development at Women Who Code, with over 50k members across 20 countries and 67 cities & growing!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Patreon

Hacking Henchmen for Hire | TechSNAP 218
https://original.jupiterbroadcasting.net/83577/hacking-henchmen-for-hire-techsnap-218/
Thu, 11 Jun 2015 10:19:19 +0000

This week, how hard lessons learned in 1982 could be applied to 2015’s security breaches, hacking for hire goes big & a savage sentient car that needs better programming.

Plus some fantastic questions, a rocking round-up & much more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —

Cyber Security and the Tylenol Murders

  • “When a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. The company focused on fixing weak points in their supply chain so that users could be sure that no one had interfered with the product before they purchased it.”
  • “This story is taught in business schools as an example of how a company chose to be proactive to protect its users. The FDA also passed regulations requiring increased security and Congress ultimately passed an anti-tampering law. But the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.”
  • If only we could learn from this example in the case of Internet Security, or even just security in general
  • “To folks who understand computer security and networks, it’s plain that the key problem are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson’s supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and “poison” our information.”
  • “So if we were to approach this as a safety problem, the way forward is clear: We need better incentives for companies who store our data to keep it secure. In fact, there is broad agreement that we can easily raise the bar against cyberthieves and spies. Known vulnerabilities frequently go unpatched. For instance, The New York Times reported that the J.P. Morgan hack occurred due to an un-updated server. Information is too often stored in the clear rather than in encrypted form and many devices like smart phones or tablets, that increasingly store our entire lives, don’t even allow for key security upgrades.”
  • “Not only is Congress failing to address the need for increased computer and network security, key parts of the government are working to undermine our safety. The FBI continues to demonize strong cryptography, trying instead to sell the public on “technologically stupid” strategy that will make us all less safe. Equally outrageous, the recent Logjam vulnerabilities show that the NSA has been spending billions of our tax dollars to exploit weaknesses in our computer security—weaknesses caused by the government’s own ill-advised regulation of cryptography in the 1990s—rather than helping us strengthen our systems.”
  • So how can we actually solve the problem?
  • “We need to ensure that companies to whom we entrust our data have clear, enforceable obligations to keep it safe from bad guys. This includes those who handle it it directly and those who build the tools we use to store or otherwise handle it ourselves. In the case of Johnson & Johnson, products liability law makes the company responsible for the harm that comes to us due to the behavior of others if safer designs are available, and the attack was foreseeable. Similarly, hotels and restaurants that open their doors to the public have obligations under the law of premises liability to take reasonable steps to keep us safe, even if the danger comes from others. People who hold your physical stuff for you—the law calls them bailees—also have a responsibility to take reasonable steps to protect it against external forces.”
  • “Looking at the Congressional debate, it’s as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to “share” its customer lists with the government and with the folks over at Bayer aspirin. We wouldn’t have stood for such a wrongheaded response in 1982, and we shouldn’t do so now.”
  • Additional Coverage: USNews — A cybersecurity bill with White House support may weaken both network security and privacy
  • Additional Coverage: PBS — How the Tylenol Murders changed how we consume medication

IRS reports thieves stole tax data on over 100,000 people

  • “Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.”
  • They used the “Get Transcript” feature to steal the data
  • The criminals already had most of the sensitive data about the users, including their SSN, Date of Birth, and Address
  • This data was used to attempt to file fraudulent tax returns
  • The IRS is careful to note that this was not a breach: the data was not stolen in a hack. Rather, criminals used sensitive data they had already collected elsewhere to impersonate each of the 100,000 affected people and access their IRS accounts “legitimately”
  • “The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013”
  • The thieves tried to access over 200,000 accounts but succeeded in only about half of the cases. The IRS will notify everyone whose account was targeted, and will provide credit monitoring where the attempt succeeded. People whose accounts were attacked but not compromised should also monitor their credit reports carefully, since the thieves very likely already hold most of their sensitive data; that is what made the attempts possible in the first place
  • This attack may actually be a symptom of another breach, where this data was stolen in bulk from somewhere else, and then used against the IRS
  • It will be interesting to see if there are any commonalities between all of the 200,000 victims
  • It also suggests that the IRS’ online system lacks effective intrusion detection. Each individual request passes the identity check, but a small set of IP addresses attempting to access 200,000 accounts should set off alarms, especially when half of the attempts fail, and even if they did not.
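
The kind of check the last bullet is asking for, as an added example (not IRS code): a sliding-window count of distinct accounts per source IP run over a constructed access log. The log format, the IP addresses, the account identifiers and the thresholds are assumptions for illustration. Each request in the log would pass a per-request identity check, which is exactly why the detection has to look at the aggregate rather than at individual attempts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration: no individual taxpayer pulls transcripts for
# ten different accounts in an hour, so distinct accounts per source IP is the primary signal.
WINDOW = timedelta(hours=1)
DISTINCT_ACCOUNTS_THRESHOLD = 10


def build_sample_log():
    """Constructed access log: '<iso-timestamp> <src_ip> <account> <OK|FAIL>'. Two ordinary users
    (one mistypes and retries) plus one IP walking 60 accounts in ten minutes, half of them failing
    because the stolen identity data is stale or wrong."""
    t0 = datetime(2015, 5, 20, 9, 0, 0)
    lines = [
        f"{(t0 + timedelta(minutes=1)).isoformat()} 203.0.113.5 acct-4711 FAIL",
        f"{(t0 + timedelta(minutes=2)).isoformat()} 203.0.113.5 acct-4711 OK",
        f"{(t0 + timedelta(minutes=30)).isoformat()} 203.0.113.9 acct-0815 OK",
    ]
    for i in range(60):
        ts = t0 + timedelta(seconds=10 * i)
        outcome = "OK" if i % 2 == 0 else "FAIL"
        lines.append(f"{ts.isoformat()} 198.51.100.7 acct-{1000 + i:04d} {outcome}")
    return sorted(lines)  # ISO timestamps sort lexicographically, so this is time order


def parse_line(line):
    ts, ip, acct, outcome = line.split()
    return datetime.fromisoformat(ts), ip, acct, outcome


def detect_account_spray(lines, window=WINDOW, threshold=DISTINCT_ACCOUNTS_THRESHOLD):
    """Sliding-window count of distinct accounts per source IP. Fires when any window holds at
    least `threshold` distinct accounts, regardless of outcome: each attempt passes the
    per-request identity check, so only the aggregate gives the attacker away. The failure
    ratio is reported as supporting evidence, not used as the trigger."""
    events_by_ip = defaultdict(list)
    for line in lines:
        ts, ip, acct, outcome = parse_line(line)
        events_by_ip[ip].append((ts, acct, outcome))

    alerts = {}
    for ip, events in events_by_ip.items():
        events.sort()
        in_window = deque()          # (ts, acct) events no older than `window`
        live = defaultdict(int)      # account -> how many in-window events reference it
        peak = 0
        for ts, acct, _ in events:
            in_window.append((ts, acct))
            live[acct] += 1
            while ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            peak = max(peak, len(live))
        if peak >= threshold:
            failures = sum(1 for _, _, outcome in events if outcome == "FAIL")
            alerts[ip] = {
                "distinct_accounts": peak,
                "attempts": len(events),
                "failures": failures,
                "fail_ratio": round(failures / len(events), 2),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_account_spray(build_sample_log()).items():
        print(f"ALERT {ip}: {info}")
```

The retrying user on 203.0.113.5 never trips the rule because distinct accounts, not attempts or failures, is what is counted; a real deployment would key the same logic on other shared attributes (ASN, user agent, session cookie) since an attacker can spread 200,000 attempts over more than a handful of addresses.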

CaaS: Crime as a Service — The cybercrime service economy

  • “In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like a California noir and something more like sci-fi: To spy on the clients’ adversaries, prosecutors say, they hired a pair of hackers.”
  • “Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account “krowten.a.lortnoc”—”control a network” in reverse, according to the indictment.”
  • “The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives”
  • Some call it Espionage as a Service (EaaS), but it is really just Crime as a Service.
  • “While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. “The threat landscape is very complex,” he says. “A hacker group will sell to whoever wants to pay.””
  • “At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking’s done.”
  • How much do you trust a site selling an illegal service?
  • “In a report released in March, Europol, the European Union’s law enforcement arm, predicts online networking sites and anonymous cash-transfer mechanisms like cryptocurrencies will continue to contribute to the growth of “crime as a service” and to criminals who “work on a freelance basis . . . facilitated by social networking online with its ability to provide a relatively secure environment to easily and anonymously communicate.””
  • “The environment isn’t always secure. Earlier this month, one security sleuth unmasked the apparent owner of Hackers List as Charles Tendell, a Denver-based security expert. Soon after, Stanford legal scholar Jonathan Mayer crawled the site’s data, revealing the identities of thousands of the site’s visitors and their requests for hacks.”
  • “Mayer found only 21 satisfied requests, including “i need hack account facebook of my girlfriend,” completed for $90 in January, “need access to a g mail account,” finished for $350 in February, and “I need [a database hacked] because I need it for doxing,” done for $350 in April. A majority of requests on the service involve compromising Facebook (expressly referenced in 23% of projects) and Google (14%), and are sparked by a business dispute, jilted romance, or the desire to artificially improve grades, with targets including the University of California, UConn, and the City College of New York.”
  • Dell Research: Chart
  • It will be interesting to see what happens in this area, I expect the more serious hacking forums to go further underground, and the more obvious ones to be infiltrated by researchers and law enforcement. I also expect to see lots of scams.
  • Additional Coverage: WebPolicy.org

The post Hacking Henchmen for Hire | TechSNAP 218 first appeared on Jupiter Broadcasting.

]]>
An Uber Mess | TechSNAP 205 https://original.jupiterbroadcasting.net/78707/an-uber-mess-techsnap-205/ Thu, 12 Mar 2015 08:59:29 +0000

The post An Uber Mess | TechSNAP 205 first appeared on Jupiter Broadcasting.


Using encryption is a good thing, but it’s just the start, we’ll explain. Plus how one developer totally owned the Uber app.

Then it’s a great batch of your questions & our answers!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

OPSEC (Operational Security) for Activists and Journalists

  • Using encryption is a good thing, but if you need to hide from advanced adversaries, such as the foreign government you are protecting sources from or reporting on, you need more than encryption to make sure you don’t get “disappeared”
  • The FBI has identified people even when they were using tor
  • “The only protection against communication systems is to avoid their use.” —Cryptome, Communications Privacy Folly, June 13, 2012
  • Anti-forensics is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer, give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.
  • Especially important secret government messages are still passed by courier; even the government doesn’t trust crypto 100%
  • “Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.”
  • “Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag”
  • “If spies somehow capture a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. When Edward Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.”
  • “In summary, expect security tools to fail, compartmentalize to contain damage and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.”

How I accessed employee settings on the Uber app

  • While debugging an upcoming app, Nathan Mock, an iOS engineer, “accidentally” got a closer look at the internals of Uber’s iOS app.
  • He used Charles, a debugging proxy that lets you monitor and analyze traffic between a client and the internet. Charles generates its own root CA certificate; once that certificate is installed and trusted on the device, the proxy can terminate TLS and re-sign the connection, so HTTPS requests and responses appear in plain text. With the requests flowing in, he noticed one made every 5 seconds.
  • One particular request of interest is used by Uber to receive and communicate rider location, driver availability, application configurations settings and more to devices.
  • Upon inspecting the response, he discovered the key isAdmin, which was set to false for his account. Charles allows you to define rewrite rules, so he rewrote the response, changing the value of isAdmin to true, curious to see the effect it would have on the app. He browsed the app with the new value applied and, lo and behold, stumbled upon the Employee Settings screen from the About screen
  • Uber’s app is extremely dynamic. Their client’s architecture allows them to customize the app’s UI to certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course, change prices…all without re-submitting the binary for approval to the app store. This is common practice for many client-server applications, a neat way to target certain features/functionality to a limited subset of users without the burden/time constraints of submitting an app for review.
  • If a malicious developer wanted to get a forbidden feature or functionality past the review team, it is possible to hide the feature behind a “switch”, turning it off during the review process only to enable it after approved, all server side. If their purpose is to control the feature set of apps that get into the store, it can be bypassed through this type of client-server configuration architecture. Apple certainly has the power to take an app down once they make the discovery but before they make that discovery, it is out in the wild.
  • As you can see, your traffic is not beyond inspection: whoever controls the device can install a proxy CA and read or modify requests and responses even when the app uses HTTPS, so it’s a good idea to always practise defensive programming. HTTPS protects the connection from third parties on the network path, not from the device owner, and it was not a flaw in the protocol that exposed the employee-only screens: the app trusted a server-sent flag that the client could alter. Certificate pinning raises the bar against proxying, but anything that grants real privileges has to be enforced server side.
  • Uber recently suffered a data breach that leaked information about 50,000 drivers
  • The breach apparently occurred on May 13 2014, was not discovered until September 17 2014, and was not announced until February 27 2015.
  • “Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert”
  • It turns out Uber may have accidentally stored sensitive database keys on a public GitHub page, and is suing GitHub to obtain the IP addresses of those who accessed the information
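
To make the defensive-programming point concrete, here is an added example (not Uber’s code) that models the isAdmin story: an in-memory “server” hands the client a config flag, a simulated Charles rewrite rule flips it, and two versions of the privileged endpoint react differently. The account store, the settings payload, the endpoint names and the rewrite rule are all assumptions for illustration.

```python
import json

# Constructed account store: the role is the server's own record of who a session belongs to.
ACCOUNTS = {
    "rider-42": {"role": "rider"},
    "emp-7": {"role": "employee"},
}
# Constructed stand-in for whatever the Employee Settings screen loads.
EMPLOYEE_SETTINGS = {"surgeOverride": True, "debugMenu": True}


def build_config_response(session_user):
    """Server: the per-device config the app polls every few seconds. isAdmin is derived from
    the account role and is meant only to tell the client which screens to draw."""
    body = {"isAdmin": ACCOUNTS[session_user]["role"] == "employee", "pollIntervalSec": 5}
    return json.dumps(body)


def charles_rewrite_rule(response_body):
    """Models a Charles 'Rewrite' rule on the decrypted response body. It works only because the
    proxy's root CA is trusted on the attacker's own device, so HTTPS is terminated at the proxy."""
    return response_body.replace('"isAdmin": false', '"isAdmin": true')


def client_screens(config_body):
    """Client: choosing what to render from the flag is harmless in itself."""
    config = json.loads(config_body)
    return ["About", "Employee Settings"] if config["isAdmin"] else ["About"]


def weak_employee_settings(claimed_is_admin):
    """Weak pattern: a privileged endpoint that believes a client-supplied claim (a header, a flag
    echoed back, a hidden field). Whoever can rewrite the response can rewrite the request too."""
    if not claimed_is_admin:
        raise PermissionError("403")
    return EMPLOYEE_SETTINGS


def hardened_employee_settings(session_user, claimed_is_admin=None):
    """Hardened: authorization is decided from the server's record of the authenticated session;
    the client's claim is ignored. The UI flag stays a hint, nothing more."""
    if ACCOUNTS[session_user]["role"] != "employee":
        raise PermissionError("403")
    return EMPLOYEE_SETTINGS


def run_attack(session_user="rider-42"):
    """Replay the write-up: poll the config, flip isAdmin in the proxy, then hit both endpoints."""
    tampered = charles_rewrite_rule(build_config_response(session_user))
    claimed = json.loads(tampered)["isAdmin"]
    outcome = {"screens": client_screens(tampered)}
    for name, call in (("weak", lambda: weak_employee_settings(claimed)),
                       ("hardened", lambda: hardened_employee_settings(session_user, claimed))):
        try:
            outcome[name] = call()
        except PermissionError:
            outcome[name] = "denied"
    return outcome


if __name__ == "__main__":
    print(json.dumps(run_attack(), indent=2))
```

Showing the Employee Settings screen to a tampering rider is embarrassing but harmless as long as every request that screen makes is authorized the way hardened_employee_settings is; the weak variant is what turns a UI glitch into a privilege escalation.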

VirtualBox on the Ropes | Tech Talk Today 125 https://original.jupiterbroadcasting.net/76552/virtualbox-on-the-ropes-tech-talk-today-125/ Fri, 30 Jan 2015 11:14:45 +0000

The post VirtualBox on the Ropes | Tech Talk Today 125 first appeared on Jupiter Broadcasting.


Special guest Noah is in studio & We look at Android’s huge 2014, and recent Bitcoin volatility. Then, as long time VirtualBox users, we discuss the future of the project.


Show Notes:

Android Shipped 1 Billion Smartphones Worldwide in 2014

According to the latest research from our WSS (Smartphones) service, global smartphone shipments grew 30 percent annually to reach a record 1.3 billion units in 2014. Android accounted for 81 percent of all smartphones last year and shipped over 1 billion units worldwide for the first time ever.

Microsoft to Invest in Rogue Android Startup Cyanogen – Digits – WSJ

People familiar with the matter say Microsoft is putting money into Cyanogen, which is building a version of the Android mobile-operating system outside of Google’s auspices.


Microsoft would be a minority investor in a roughly $70 million round of equity financing that values Cyanogen in the high hundreds of millions, one of the people said. The person said the financing round could grow with other strategic investors that have expressed interest in Cyanogen because they’re also eager to diminish Google’s control over Android. The identity of the other potential investors couldn’t be learned.

Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht’s Laptop

In Ulbricht’s trial Thursday, former FBI special agent Ilhwan Yum described how he traced 3,760 bitcoin transactions over 12 months ending in late August 2013 from servers seized in the Silk Road investigation to Ross Ulbricht’s Samsung 700z laptop, which the FBI seized at the time of his arrest in October of that year. In all, he followed more than 700,000 bitcoins along the public ledger of bitcoin transactions, known as the blockchain, from the marketplace to what seemed to be Ulbricht’s personal wallets. Based on exchange rates at the time of each transaction, Yum calculated that the transferred coins were worth a total of $13.4 million.

Does VirtualBox VM Have Much A Future Left? – Phoronix

It’s been a long time since last hearing of any major innovations or improvements to VirtualBox, the VM software managed by Oracle since their acquisition of Sun Microsystems. Is there any hope left for a revitalized VirtualBox?

Tor Vibrations | TechSNAP 190 https://original.jupiterbroadcasting.net/72562/tor-vibrations-techsnap-190/ Thu, 27 Nov 2014 11:52:56 +0000

The post Tor Vibrations | TechSNAP 190 first appeared on Jupiter Broadcasting.


We’ll tell you about the VMware flaw so bad, the solution is to just turn the service off & we now have more details on a major Windows flaw.

Plus new research discovers that up to 81% of Tor users could be de-anonymized, a great batch of your networking questions & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Why the VMWare TPS flaw is a big deal

  • VMware recently disclosed a vulnerability in its line of virtualization products (vSphere, ESXi, etc.)
  • VMware has a feature called TPS (“Transparent Page Sharing”), which provides deduplication of memory between virtual machines
  • When two or more virtual machines hold an identical 4 KB page of memory, only one copy of that page is kept in physical memory on the host
  • VMs may have many common blocks if they are running the same OS and Applications, especially if the VMs are clones of each other
  • “Experimental implementations show that using this method, it is possible to run over 50 Windows XP VMs with 1GB of RAM each on a physical machine with just 16GB of RAM”
  • VMWare Whitepapers of TPS for ESXi 3 and vSphere 5
  • The TPS feature is not new, it has shipped in VMWare since 2006, and is on by default
  • “Why is this a big deal? Because a virtualized architecture demands VM isolation, this is the most important security requirement for virtualization. Each VM guest running on a host must not be allowed in any way to access another VM guest. They must be kept in separate locked rooms with only the hypervisor possessing the keys to access all of them”
  • “VMware appears to be down-playing it as it obviously exposes a chink in their virtual armor, they have issued a KB article describing the vulnerability and giving guidance on how customers can disable TPS on their hosts. VMware doesn’t name the specific source that found the vulnerability in the KB article, they simply refer to it as “an academic paper””
  • THE “Academic Paper” — Wait a minute! A fast, Cross-VM attack on AES
  • “This work exploits resource sharing in virtualization software to build a powerful cache-based attack on AES. We demonstrate the vulnerability by mounting Cross-VM Flush+Reload cache attacks in VMware VMs to recover the AES keys of OpenSSL 1.0.1 running inside the victim VM. Furthermore, the attack works in a realistic setting where different VMs are located on separate cores. The modified flush+reload attack we present, takes only in the order of seconds to minutes to succeed in a cross-VM setting. Therefore long term co-location, as required by other fine grain attacks in the literature, are not needed. The results of this study show that there is a great security risk to OpenSSL AES implementation running on VMware cloud services when the deduplication is not disabled.”
  • The paper describes a technique in which an attacker with access to a VM on the same physical host, even on a different CPU core, recovers the AES keys used by OpenSSL 1.0.1 in a victim VM (for example the session keys of a TLS server running Apache+OpenSSL) within seconds to minutes. The attacker flushes cache lines of its own copy of the OpenSSL AES lookup tables and times how quickly they reload; because TPS has merged the two VMs’ identical pages, a fast reload reveals which table entries the victim’s encryption just touched, and those accesses depend on the key
  • With the session keys in hand, the attacker can decrypt the traffic those keys protect, exposing end users’ sensitive information. Note that this is a symmetric-key recovery: the paper does not claim to extract the server’s RSA private key
  • “All versions of vSphere back to VI3 are vulnerable to the exploit but VMware is only patching the 5.x versions of vSphere as the 4.x versions are no longer officially supported as of May 2014”. “Note these patches only disable TPS which is currently enabled by default, they do nothing to fix the vulnerability, it will most likely take VMware some time to figure out how to make TPS work in a way that cannot be exploited”
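
To show why table-driven AES leaks through a shared page, here is an added simulation (not the paper’s code, and it performs no real cache timing). The `first_round_lines` oracle models the ideal, noise-free information a Flush+Reload attacker gets once TPS has merged the victim’s libcrypto page with the attacker’s own copy: which 64-byte lines of each lookup table the victim’s first round touched. The table geometry (256 four-byte entries per table, 64-byte lines, tables line-aligned) is an assumption matching OpenSSL 1.0.1’s Te0..Te3; the victim key is the FIPS-197 example key used as a stand-in. Only the first round is modelled, which pins down the top four bits of every key byte (64 of 128 bits); the paper’s full-key recovery and its handling of timing noise go beyond this.

```python
import random

# Geometry of the T-tables: 256 entries of 4 bytes, 64-byte cache lines, so 16 entries share a
# line and the line index equals the top 4 bits of the table index. Assumes 64-byte alignment.
TABLE_ENTRIES = 256
ENTRY_BYTES = 4
LINE_BYTES = 64
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES         # 16
LINES_PER_TABLE = TABLE_ENTRIES // ENTRIES_PER_LINE  # 16


def first_round_lines(plaintext, key):
    """Victim model. In the first AES-128 round, byte i indexes Te[i % 4] at plaintext[i] ^ key[i].
    Return, per table, the set of cache lines that lookup touches: this is what a noise-free
    Flush+Reload probe of the deduplicated page reports (a fast reload = line was touched)."""
    touched = [set() for _ in range(4)]
    for i in range(16):
        touched[i % 4].add((plaintext[i] ^ key[i]) // ENTRIES_PER_LINE)
    return touched


def recover_high_nibbles(samples):
    """Attacker side. A guess c for key[i] >> 4 predicts that line (plaintext[i] >> 4) ^ c of
    table i % 4 was touched; the guess is eliminated by any sample where that line stayed cold.
    samples: list of (plaintext, touched_lines). Returns 16 candidate sets, one per key byte."""
    candidates = [set(range(LINES_PER_TABLE)) for _ in range(16)]
    for plaintext, touched in samples:
        for i in range(16):
            p_hi = plaintext[i] >> 4
            candidates[i] = {c for c in candidates[i] if (p_hi ^ c) in touched[i % 4]}
    return candidates


def run_attack(key, n_samples=40, seed=7):
    """Observe n_samples encryptions of attacker-known random plaintexts and narrow the key."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        samples.append((pt, first_round_lines(pt, key)))
    return recover_high_nibbles(samples)


def recovered_bits(candidates):
    """Key bits pinned down: 4 for every byte whose candidate set has collapsed to one value."""
    return sum(4 for c in candidates if len(c) == 1)


# FIPS-197 Appendix A example key, used here as the constructed victim key (not a real secret).
VICTIM_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    cands = run_attack(VICTIM_KEY)
    print("high nibbles:", "".join(f"{next(iter(c)):x}" if len(c) == 1 else "?" for c in cands))
    print("bits recovered from round 1:", recovered_bits(cands))
```

Each sample rules out a wrong candidate unless one of the three other bytes sharing that table happens to hit the predicted line, so roughly a dozen observations suffice in this noise-free model. Disabling TPS removes the shared page that makes the flush meaningful; on the software side, constant-time AES (AES-NI or bitsliced) removes the key-dependent memory access altogether.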

WinShock – What that Microsoft SChannel vulnerability was

  • SChannel (Secure Channel) is Microsoft’s SSL/TLS implementation, its counterpart to OpenSSL. “SChannel is used by anything leveraging built-in SSL and TLS this includes IIS, Active Directory, OWA, Exchange, Internet Explorer, and Windows Update.”
  • The vulnerability allows remote code execution, so it is especially severe; users should patch immediately if they have not already done so
  • An attacker can send specially crafted malicious packets, which are not properly checked for validity, and the victim machine may execute commands included in that message, allowing the attacker to take full control of the machine
  • Rapid7 Blog: Is MS14-066 another Red alert?
  • Rapid7 takes pains to clarify that this is not on the same level as Heartbleed, Shellshock, Poodle, or other recent vulnerabilities of that scale, mostly because this was privately disclosed to Microsoft, and is not being actively exploited in the wild
  • No one knows the details of the problem yet, and there are no proof-of-concept exploits
  • “Details surrounding the vulnerability are vague, but Microsoft has indicated that there are no known exploits in the wild and the development of exploit code will be challenging. This vulnerability is reported to affect all Windows servers and clients, and while it’s unlikely to be exploited today, it should be patched as soon as possible given the possibility of remote code execution.”

New research discovers that up to 81% of tor users could be de-anonymized by new traffic analysis techniques

  • “Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.”
  • “The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification.”
  • “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various point
  • “Traffic analysis of this kind does not involve the enormous expense and infrastructural effort that the NSA put into their FoxAcid Tor redirects, but it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays”
  • The technique involves getting the user to download a file large enough that the transfer takes a few minutes, during which the flow of data can be modulated and observed (this could be as simple as injecting an oversized image into a web page, where the user never sees it)
  • By having the server that sends the image modulate the bandwidth of the TCP connection, shifting every 20 seconds between 1 Mbit/s (about the most you would expect over Tor), 50 kbit/s, 300 kbit/s and 100 kbit/s, it creates a traffic pattern unique enough, and preserved by Tor, that the same pattern can be observed at the entry node the Tor user is connected to
  • By collecting NetFlow-type data (start and end time, source and destination IP, number of packets, number of bytes) at the source (or exit node) and at the entry node (or a router in front of the entry node or the end user), and correlating the two, the researchers were able to identify the real IP address of the Tor user who connected to their server
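
The correlation step, as an added simulation (not the researchers’ code): the server side knows the byte-per-interval “watermark” it injected while serving the oversized image, the entry side has only aggregated per-client byte counts of the kind NetFlow produces, and the match is made on the shape of the traffic over time, which Tor encrypts but largely preserves. The four rates are the ones named above; the client addresses, the number of decoy flows and the noise model (cell padding plus ±8% jitter) are constructed assumptions.

```python
import math
import random

INTERVAL_SEC = 20
# Rates the colluding server cycles through while serving the oversized image (bits per second).
PATTERN_BPS = [1_000_000, 50_000, 300_000, 100_000]


def injected_pattern(cycles=5):
    """Bytes per 20-second interval the server pushes toward the exit node: the watermark."""
    return [bps * INTERVAL_SEC // 8 for bps in PATTERN_BPS] * cycles


def pearson(xs, ys):
    """Plain Pearson correlation; both sides are compared by shape, so absolute byte counts
    (which Tor's overhead and the exit-to-server hop distort) do not need to agree."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def build_entry_side_flows(pattern, target_ip="192.0.2.77", n_decoys=6, seed=3):
    """Constructed entry-side records: {client_ip: bytes per interval}, as a router in front of
    the guard would aggregate them. The target carries the pattern distorted by Tor's fixed-size
    cells and jitter (+512 bytes padding, +-8%); decoys are unrelated browsing."""
    rng = random.Random(seed)
    flows = {f"198.51.100.{d + 10}": [rng.randrange(50_000, 2_500_000) for _ in pattern]
             for d in range(n_decoys)}
    flows[target_ip] = [int(b * rng.uniform(0.92, 1.08)) + 512 for b in pattern]
    return flows


def rank_clients(pattern, flows):
    """(client_ip, correlation) pairs, best match first."""
    scored = [(ip, pearson(pattern, series)) for ip, series in flows.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def identify_client(pattern, flows, min_corr=0.9):
    """Name the client whose flow best matches the watermark, or None if nothing is convincing.
    The threshold matters: with enough candidates, some unrelated flow will correlate by chance."""
    best_ip, best_r = rank_clients(pattern, flows)[0]
    return best_ip if best_r >= min_corr else None


if __name__ == "__main__":
    pattern = injected_pattern()
    flows = build_entry_side_flows(pattern)
    for ip, r in rank_clients(pattern, flows):
        print(f"{ip:16} r={r:+.3f}")
    print("identified:", identify_client(pattern, flows))
```

Five cycles of the four-level pattern give 20 intervals, enough for the watermarked flow to stand out from random browsing; the false-positive rate the researchers had to contend with comes from the fact that, at the scale of a real guard or upstream router, there are far more than six candidate flows, which is why the threshold and the length of the injected pattern matter.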
