TechSNAP show

TechSNAP

Summary: Systems, Network, and Administration Podcast. Every week TechSNAP covers the stories that impact those of us in the tech industry, and all of us that follow it. Every episode we dedicate a portion of the show to answering audience questions, discussing best practices, and solving your problems.

Podcasts:

 Episode 367: FreeNAS Uber Build | File Type: audio/mpeg | Duration: 37:04

Our FreeNAS build is complete and Allan’s back to cover the final details. Plus the new GPU attack against Android phones, and a perfect example of poor IoT security.

Sponsored By:
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
Drive-by Rowhammer attack uses GPU to compromise an Android phone | Ars Technica — JavaScript based GLitch pwns browsers by flipping bits inside memory chips.
Rooting a Logitech Harmony Hub — Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network
A Complete Guide to FreeNAS Hardware Design, Part I: Purpose and Best Practices — If it’s imperative that your ZFS based system must always be available, ECC RAM is a requirement. If it’s only some level of annoying (slightly, moderately…) that you need to restore your ZFS system from backups, non-ECC RAM will fit the bill.
FreeNAS: A Worst Practices Guide
Jason likes Hubble
Bryan Nuked an email server once...
Humble Book Bundle: DevOps by Packt (pay what you want and help charity) — This software engineering bundle is Packt with information! Streamline your processes with ebooks like Automate it!, DevOps for Networking, Mastering Ansible, and Continuous Delivery with Docker and Jenkins. You'll also get helpful videos including Mastering DevOps, Mastering Windows PowerShell 5 Administration, Learning Kubernetes, and more.

 Episode 366: Catching up with Allan | File Type: audio/mpeg | Duration: 48:32

We catch up with Allan Jude and he shares stories of hunting network bottlenecks, memories of old firewalls, and some classic ZFS updates. Plus the vulnerabilities found in Volkswagen cars, and the lengths a security researcher went to to create the ultimate honeypot laptop.

Special Guest: Allan Jude.

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
Volkswagen and Audi Cars Vulnerable to Remote Hacking — Researchers also gained access to the IVI system's root account, which they say allowed them access to other car data.
It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out. — For the last two years, I have carried a “honeypot” laptop with me every time I’ve traveled; this computer was intended to attract (and then detect) tampering.
chipsec — Platform Security Assessment Framework
UEFITool — UEFI firmware image viewer and editor
Haven Project — Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy, through an Android app and on-device sensors
Mr S. Delivers on his DO FreeNAS Guide
OZ Shares a War Story
Dave's REALLY Close Call...
Karl Gives us the CTO View on new Hires
Our Approach to Employee Security Training | PagerDuty — These are both training courses that we developed in-house and delivered ourselves.

 Episode 365: The Unfixable Exploit | File Type: audio/mpeg | Duration: 38:54

Hardware flaws that can’t be solved, human errors at the physical layer, and spoofing cellular networks with a $5 dongle.

Sponsored By:
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Sysadmin unplugged wrong server, ran away, hoped nobody noticed • The Register — ‘I was a snot-nosed kid fresh out of college and thought I knew everything!’
Spoofing Cell Networks with a USB to VGA Adapter | Hackaday — Available through the usual overseas suppliers for as little as $5 USD, these devices can be used unmodified to transmit low-power FM, DAB, DVB-T, GSM, UMTS and GPS signals.
ShofEL2, a Tegra X1 and Nintendo Switch exploit — The Tegra X1 (also known as Tegra210) SoC inside the Nintendo Switch contains an exploitable bug that allows taking control over early execution, bypassing all signature checks.
Atlanta spends more than $2 million to recover from ransomware attack — It appears that firms Secureworks and Ernst & Young were paid $650,000 and $600,000, respectively, for emergency services while Edelman was paid $50,000 for crisis communication services. Overall, the funds seemingly applied to the ransomware attack response add up to approximately $2.7 million.
Google Chrome 66 Released Today Focuses on Security — The biggest change is that Google Chrome will start showing SSL certificate errors for all Symantec certs issued before June 1, 2016. This is "stage two" of Google's long-term plan on distrusting Symantec certificates altogether.
Where to get started with monitoring?
defunkt uses a fool tools for his network
Brian shares some love for Zabbix
VMware Patches Pwn2Own VM Escape Vulnerabilities — VMware on Tuesday patched a series of vulnerabilities uncovered earlier this month at Pwn2Own. The flaws enabled an attacker to execute code on a workstation and carry out a virtual machine escape to attack a host server.
balena - A Moby-based container engine for IoT — A Moby-based container engine for IoT

 Episode 364: The Case for Monitoring | File Type: audio/mpeg | Duration: 37:43

We cover all the bases this week in our TechSNAP introduction to server monitoring: why you should monitor, what you should monitor, the basics of Nagios, the biggest drawbacks of Nagios, its alternatives, and our lessons learned from the trenches.

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
Why Bother with Server Monitoring? — Once a network or server has been installed, how do you know it is working as it should? Just like a car or any appliance, it may need maintenance or parts replaced to keep it in top working order. Network and server monitoring allows the Network Administrator to see how hardware and software are performing. We can look for certain signs or warnings that the system is not working efficiently and take action to fix things to prevent system degradation or failure.
What is Nagios? — Monitoring of network services such as SMTP, POP2, HTTP, NNTP, ICMP, SNMP, FTP, SSH.
A Real Example Of Nagios Monitoring — There are two major problems the monitoring solves: alerting and trending. Alerting is to notify the person in charge about a major event like service failing to work. Trending is to track the change of something over time – disk or memory usage, replication lag etc.
graphios — A program to send nagios perf data to graphite (carbon) / statsd / librato / influxdb
Sensu — Sensu’s platform is the solution to the monitoring problems you’re facing today, and the right foundation for your organization tomorrow. From bare metal to Kubernetes—get complete visibility across every system, every protocol, every time.
Sensu: Finally the Nagios Replacement I Have Been Looking For! – Chariot Solutions
Icinga 2 — With the RESTful API of Icinga 2 you can update your configurations on the fly or show live information about current problems on your custom dashboards. You can process check results from third party tools or tell the Core to run actions interactively. The interface is secured with SSL. Access control can be configured fine grained and per user.
Nagios Vs. Icinga: the real story of one of the most heated forks in free software
Phill Barber's Blog: Nagios vs Sensu vs Icinga2
Prometheus — Power your metrics and alerting with a leading open-source monitoring solution.
nagios - Docker Hub — Nagios Core with Nagiosgraph, check_nrpe, custom checks & XMPP Notifications
Previous TechSNAP Coverage: Keeping it Up | TechSNAP 20
Dax was inspired by last week's episode

 Episode 363: Tips from the Top | File Type: audio/mpeg | Duration: 35:13

Getting started or getting ahead in IT is a moving target, so we’ve crowdsourced some of the best tips and advice to help. Plus a tricky use of zero-width characters to catch a leaker, a breakdown of the new BranchScope attack, and a full post-mortem of the recent Travis CI outage.

Sponsored By:
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Invisibly inserting usernames into text with Zero-Width Characters — Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications.
Incident Post-Mortem and Security Advisory — On Tuesday, 13 March 2018 at 12:04 UTC a database query was accidentally run against our production database which truncated all tables.
As predicted, more branch prediction processor attacks are discovered — New attack focuses on a different part of the branch prediction system.
BranchScope: A New Side-Channel Attack on Directional Branch Predictor - asplos18.pdf
Mathew has a neat use for Terraform
Del says Learn just one thing...
Mat Man has some great tips
Ben says you might already be doing it
Mr S with advice from a recruiting standpoint.

 Episode 362: Rebuilding it Better | File Type: audio/mpeg | Duration: 35:11

It’s a TechSNAP introduction to Terraform, a tool for building, changing, and versioning infrastructure safely and efficiently. Plus a recent spate of data leaks that suggests a common theme, Microsoft’s self-inflicted Total Meltdown flaw, and playing around with DNS Rebinding attacks for fun.

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
The Under Armour Hack Was Even Worse Than It Had To Be — When Under Armour announced that its nutrition app MyFitnessPal had suffered a data breach impacting the information of roughly 150 million users, things actually didn't seem so bad.
Panerabread.com Leaks Millions of Customer Records — Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.
No, Panera Bread Doesn’t Take Security Seriously – PB — This post establishes a canonical timeline so subsequent reporting doesn’t get confused.
Total Meltdown — In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.
Terraform by HashiCorp — HashiCorp Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Terraforming 1Password - AgileBits Blog — Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.
Whonow — A malicious DNS server for executing DNS Rebinding attacks on the fly

 Episode 361: It's All in the Log | File Type: audio/mpeg | Duration: 32:49

Embarrassing flaws get exposed when the logs get reviewed, Atlanta city government gets shut down by ransomware, and the cleverest little Android malware you’ll ever meet. Plus we go from a hacked client to a zero-day discovery, answer some questions, ask a few, and more!

Sponsored By:
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes — My verification test is below. Note that it gets stored in on-disk, collected logs (non-volatile logs).
Thousands of servers found leaking 750MB worth of passwords and keys — Leaky etcd servers could be a boon to data thieves and ransomware scammers.
Atlanta city government systems down due to ransomware attack — FBI called in as some city services are interrupted, employees told to turn off PCs.
Android malware found inside apps downloaded 500,000 times | ZDNet — Cybercriminals have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps.
From hacked client to 0day discovery — The client’s account had been blocked because it was spotted sending spam. Once connected to the service, it was clear that the monthly quota of the account was almost reached and that the latest emails sent shown on the dashboard had content that was clearly spam.
Listener Feedback from Jeff S
Listener Feedback from Tyler

 Episode 360: AMD Flaws Explained | File Type: audio/mpeg | Duration: 29:09

We cut through the noise and explain in clear terms what’s really been discovered. The botched disclosure of flaws in AMD products has overshadowed the technical details of the vulnerabilities, and we aim to fix that. Plus another DNS Rebinding attack is in the wild and stealing Ethereum, Microsoft opens up a new bug bounty program, Expedia gets hacked, and we perform a TechSNAP checkup.

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:
Microsoft Offers New Bug Bounties for Spectre, ... — Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.
Microsoft patches RDP vulnerability. — Microsoft announced this week that they’ve released a preliminary fix for a vulnerability rated important, and present in all supported versions of Windows in circulation (basically any client or server version of Windows from 2008 onward).
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years — For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature.
Firefox Lockbox Extension — The Lockbox extension is a simple, stand-alone password manager that works with Firefox for desktop. It’s the first of several planned experiments designed to help us test and improve password management and online security.
How your ethereum can be stolen through DNS rebinding — Most of the ethereum clients run a JSON-RPC service on port 8545 on localhost, but since it’s on localhost, we can’t access it directly from user’s browser due to SOP.
TechSNAP Episode 353: Too Many Containers
“AMD Flaws” Technical Summary | Trail of Bits Blog — Most of the discussion after the public announcement of the vulnerabilities has been focused on the way they were disclosed rather than their technical impact. In this post, we have tried to extract the relevant technical details from the CTS whitepaper so they can be of use to the security community without the distraction of the surrounding disclosure issues.
Ivan is not happy with our memcrashed coverage — Discussion re:"memcrashed" on latest TechSNAP left me very mad. I think hosts did not properly explain the issue.
PSA: Chrome distrusts certificates issued by Symantec starting today — This was announced back in September for v66, but we have machines running 65.0.3325.162 that display the full page "NET::ERR_CERT_AUTHORITY_INVALID" warning so it seems they jumped the gun a bit.
Follow up: fail2ban AWS access controls
Mr S Has a Handy pfSense how-to
Running pfSense on a DigitalOcean droplet

 Episode 359: Netflix’s Dark Capacity | File Type: audio/mpeg | Duration: 31:49

Netflix has a few tricks we can learn from, and the story of clever malware that was operating undetected since 2012. Plus we discuss Let's Encrypt’s Wildcard support and explain what ACME v2 is. Then we detail the bad position Samba 4 admins are in, and the real cause of these recent 1.7Tbps DDoS attacks.

Sponsored By:
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Hardcoded Password Found in Cisco Software — Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
Potent malware that hid for six years spread through routers — "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."
CVE 2018-1057: Authenticated Samba users can change other users' password — On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
CVE-2018-1057 - SambaWiki Workarounds — Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.
ACME v2 and Wildcard Certificate Support is Live — We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
It just got much easier to wage record-breaking DDoSes — Within days of the new technique going public, security firms reported it being used in a record-setting 1.3 terabit-per-second DDoS against Github and then, two days later, a record-topping 1.7 Tbps attack against an unnamed US-based service provider.
The real cause of large DDoS — All the gigantic headline-grabbing attacks are what we call "L3" (Layer 3 OSI[1]). This kind of attack has a common trait - the malicious software sends as many packets as possible onto the network.
Project Nimble – Netflix TechBlog — We set ourselves an aggressive goal of being able to fail over traffic in less than 10 minutes.
Follow Up: Alex has a tip for Alex
Question: Oliver asks about a fail2ban replacement
S3Scanner — Scan for open S3 buckets and dump
Chromium is also a Snap

 Episode 358: A Future Without Servers | File Type: audio/mp3 | Duration: 36:28

The term serverless gets thrown around a lot, but what does it really mean? What are the benefits and the drawbacks? It’s a TechSNAP introduction to Serverless Architecture. Plus new research with ideas to dramatically improve private web browsing, the growing problem of tracking security vulnerabilities with CVEs, and much more!

Sponsored By:
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:
Revamp of 'Pwned Passwords' Boosts Privacy and Size of Database — In V2 of Pwned Passwords, launched last week, Hunt updated his password data set from 320 million passwords to 501 million new passwords, pulled from almost 3,000 breaches over the past year.
Finding Pwned Passwords with 1Password — Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
Troy Hunt: I've Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned
Apple’s China data migration includes iCloud keys, making data requests easier for authorities — Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
Microsoft’s Big Email Privacy Case Heads to the Supreme Court Tomorrow — The 2013 warrant involved a drug case, and the Justice Department asked Microsoft to turn over emails that were stored in its Ireland data center. Microsoft objected, arguing that the DoJ could not use a domestic warrant to conduct an international search and that it should instead acquire the data through a treaty process with the Irish government.
Researchers Propose Improved Private Web Browsing System — The newly proposed system keeps all the data that the browser loads into memory encrypted until it is displayed on the screen, the researchers say. Users no longer type a URL into the browser, but access the Veil website and enter the URL there. With the help of a blinding server, the Veil format of the requested page is transmitted.
Nearly 8,000 Security Flaws Did Not Receive a CVE ID in 2017 — A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
What is Serverless Architecture? What are its criticisms and drawbacks? — Serverless architectures refer to applications that significantly depend on third-party services (known as Backend as a Service or “BaaS”) or on custom code that’s run in ephemeral containers (Function as a Service or “FaaS”), the best known vendor host of which currently is AWS Lambda.
Serverless Security: What's Left to Protect?
OpenFaaS - Serverless Functions Made Simple — Serverless Functions Made Simple for Docker and Kubernetes
open-lambda: An open source serverless computing platform — An open source serverless computing platform
Iron.io - DevOps Solutions from Startups to Enterprise
Apache OpenWhisk is a serverless, open source cloud platform
Feedback: David's Drive Tips
Question: Alex has BIG cloud storage requirements....
Crostini - Linux App Containers on ChromeOS — In other words, the Crostini/Terminal feature could be to Chrome OS what the Windows Subsystem for Linux is for Windows 10: a way that developers, power users, and Linux enthusiasts can run native Linux software on a device that’s not running a traditional Linux distribution.

 Episode 357: The Return of Spectre | File Type: audio/mpeg | Duration: 31:53

New variants, bad patches, busted microcode and devastated performance. It’s a TechSNAP Meltdown and Spectre check up. Plus Tesla gets hit by Monero Cryptojacking, and a dating site that matches people based on their bad passwords…. So we gave it a go!

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
People Are Actually Using a Joke Dating Site That Matches People Based on Their Passwords — This website answers the question no one ever asked: what if you dated someone who used the same password?
Flight Sim Company Embeds Malware to Steal Pirates' Passwords — Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.
Lessons from the Cryptojacking Attack at Tesla — In cases involving the WannaMine malware, a tool called Mimikatz is used to pull credentials from a computer’s memory to infect other computers on the network. The malware then uses the infected computers’ compute to mine a cryptocurrency called Monero quietly in the background.
Chef InSpec 2.0 — InSpec is a free open source tool that enables development teams to express security and compliance rules as code. Version 1.0 was about ensuring that applications were set up properly. The new version extends this capability to the cloud where companies are running the applications, allowing teams to test and write rules for compliance with cloud security policy. It supports AWS and Azure and comes with 30 common configurations out of the box including Docker, IIS, NGINX and PostgreSQL.
meltdownspectre-patches summary on Github — Summary of the patch status for Meltdown / Spectre.
Spectre & Meltdown Checker for Linux — A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
FreeBSD Finally Gets Mitigated For Spectre & Meltdown — It's taken a few more weeks longer than most of the Linux distributions to be re-worked for Spectre/Meltdown mitigation as well as DragonFlyBSD, but with FreeBSD Revision 329462 it appears their initial fixes are in place.
SpeculativeExecutionVulnerabilities - FreeBSD Wiki
Red Hat Checker
Debian Checker
Microsoft's free analytics service sniffs out Meltdown, Spectre patch status — Windows Analytics can now scan enterprise PCs running Windows 10, Windows 8.1 and Windows 7 and report on whether they're prepped to fend off attacks based on the Meltdown and Spectre vulnerabilities.
KPTI/KAISER Meltdown Initial Performance Regressions — In this post I'll look at the Linux kernel page table isolation (KPTI) patches that workaround Meltdown: what overheads to expect, and ways to tune them. Much of my testing was on Linux 4.14.11 and 4.14.12 a month ago, before we deployed in production. Some older kernels have the KAISER patches for Meltdown, and so far the performance overheads look similar. These results aren't final, since more changes are still being developed, such as for Spectre.
New Spectre, Meltdown variants leave victims open to side-channel attacks — MeltdownPrime and SpectrePrime, found by Princeton and NVIDIA researchers, may require significant hardware changes to be mitigated.
Question: How to Lock Down Firefox Addons
Locking preferences - MozillaZine Knowledge Base
CCK2 Firefox Lockdown Tool
Question: Namespaces and sandboxing
Linux Sandboxing
Firejail

 Episode 356: The Concern with Containers | File Type: audio/mpeg | Duration: 37:23

The problems containers can’t solve, nasty security flaws in Skype and Telegram, and Cisco discovers they have a bigger issue on their hands than first realized. And the latest jaw-dropping techniques to extract data from air-gapped systems.

Sponsored By:
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Skype can't fix a nasty security bug without a massive code rewrite — The bug grants a low-level user access to every corner of the operating system.
Zero-day vulnerability in Telegram — The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability — After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete so new fixed code versions are now available.
Microsoft To Embrace Decentralized Identity Systems Built On Bitcoin And Other Blockchains — In a new post today, Microsoft announced their embrace of public blockchains, such as Bitcoin and Ethereum, for use in decentralized identity systems.
XRballer comments on The Stolen XRB has already been Redistributed/Sold Off — But this check was only on java-script client side, you find the js which is sending the request, then you inspect element - console, and run the java-script manually, to send a request for withdrawal of a higher amount than in your balance.
Containers Will Not Fix Your Broken Culture — Spoiler alert: the solutions to many difficulties that seem technical can be found by examining our interactions with others. Let's talk about five things you'll want to know when working with those pesky creatures known as humans.
Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields — In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers.
Feedback: BeyondCorp
Feedback: Mgmt
Feedback: SuperMicro Mobo?
Super Micro Computer X8DTN+

 Episode 355: Operation FreeNAS Rescue | File Type: audio/mpeg | Duration: 40:13

We save our FreeNAS Mini from the edge, and perform an emergency migration to much larger hardware. Plus 12 tips for secure authentication, the future of network security where there is no LAN, a botnet exploiting Android ADB, and your questions.

Sponsored By:
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
In just 24 hours, 5,000 Android devices are conscripted into mining botnet — A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines digital coins on behalf of the unknown attackers, researchers said.
12 best practices for user account, authorization and password management — Account management, authorization and password management can be tricky. For many developers, account management is a dark corner that doesn't get enough attention. For product managers and customers, the resulting experience often falls short of expectations.
Google’s Zero Trust 'BeyondCorp' Infrastructure Shows Future Of Network Security — Google started changing its network security policies to a new model of “zero trust,” which treats its own internal network as the insecure Internet. Google released a new paper detailing how this new model works for its network security policies.
Google dedicates engineering team to accelerate development of WordPress ecosystem — Google's partnership with WordPress aims to jump-start the platform's support of the latest web technologies -- particularly those involving performance & mobile experience. And they're hiring WordPress experts.
UNIXSurplus — UNIXSurplus is a multi-level provider of new and refurbished custom built servers, storage solutions and computer equipment.
FreeNAS Storage Operating System — FreeNAS is an operating system that can be installed on virtually any hardware platform to share data over a network. FreeNAS is the simplest way to create a centralized and easily accessible place for your data. Use FreeNAS with ZFS to protect, store, backup, all of your data. FreeNAS is used everywhere, for the home, small business, and the enterprise.

 Episode 354: Here Come the Script Kiddies | File Type: audio/mp3 | Duration: 51:59

AutoSploit has the security industry in a panic, so we give it a go. To our surprise we discover systems at the DOD, Amazon, and other places vulnerable to this automated attack. We’ll tell you all about it, and what these 400 lines of Python known as AutoSploit really do. Plus injecting arbitrary waveforms into Alexa and Google Assistant commands, making WordPress bulletproof, and how to detect and prevent excessive port scan attacks.

Sponsored By:
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:
Audio Adversarial Examples — We have constructed targeted audio adversarial examples on speech-to-text transcription neural networks: given an arbitrary waveform, we can make a small perturbation that when added to the original waveform causes it to transcribe as any phrase we choose.
Keylogger found on thousands of WordPress-based sites, stealing every keypress as you type — But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger designed to steal unsuspecting users’ login credentials.
Qubes Air: Generalizing the Qubes Architecture | Qubes OS — Qubes Air is the next step on our roadmap to making the concept of “Security through Compartmentalization” applicable to more scenarios. It is also an attempt to address some of the biggest problems and weaknesses plaguing the current implementation of Qubes, specifically the difficulty of deployment and virtualization as a single point of failure. While Qubes-as-a-Service is one natural application that could be built on top of Qubes Air, it is certainly not the only one. We have also discussed running Qubes over clusters of physically isolated devices, as well as various hybrid scenarios. I believe the approach to security that Qubes has been implementing for years will continue to be valid for years to come, even in a world of apps-as-a-service.
Making network authentication simple in a Bring Your Own Device environment — In this article, we explore in depth the challenges we faced regarding compatibility, security, and user experience, and the solutions we came up with. We explain how we combined 802.1X authentication (wired & wireless) and per-subscriber VLANs to offer our users a quality Internet experience.
“Autosploit” tool sparks fears of empowered “script kiddies” — "AutoSploit attempts to automate the exploitation of remote hosts."
AutoSploit: Automated Mass Exploiter — Clone the repo. Or deploy via Docker.
How To Use psad to Detect Network Intrusion Attempts — The key to using psad effectively is to configure danger levels and email alerts appropriately, and then follow up on any problems. This tool, coupled with other intrusion detection resources like tripwire, can provide fairly good coverage to be able to detect intrusion attempts.
Portainer: Simple management UI for Docker
What is iSCSI (Internet Small Computer System Interface)
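The psad item above describes the approach of reading the kernel's iptables LOG lines, assigning a danger level per source, and only then alerting or blocking. What follows is an added example, not code from the episode or from psad itself: a small Python detector that parses constructed iptables log lines, counts the distinct (protocol, port) targets each source hits inside a sliding time window, maps that count to an illustrative danger level, and returns the iptables commands an auto-block step would run. The log lines, the source addresses and the DANGER_LEVELS thresholds are all constructed for the example; psad's real thresholds live in psad.conf and are packet-count based.

```python
import re
from collections import defaultdict

# Matches the fields we need from an iptables LOG line. Everything else on the
# line (MAC, LEN, TTL, flags) is ignored.
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+kernel:.*?"
    r"\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)\b"
)

# Illustrative danger levels, keyed on distinct (proto, port) targets seen from
# one source inside the window. These thresholds are constructed for the
# example; psad's own levels are configured in psad.conf and count packets.
DANGER_LEVELS = [(5, 1), (15, 2), (50, 3), (200, 4), (1000, 5)]


def parse_line(line):
    """Return (seconds_since_midnight, src, proto, dpt), or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return t, m["src"], m["proto"], int(m["dpt"])


def danger_level(distinct_targets):
    level = 0
    for threshold, dl in DANGER_LEVELS:
        if distinct_targets >= threshold:
            level = dl
    return level


def scan_report(lines, window=60):
    """Per source: packets seen, most distinct targets inside any `window` seconds, danger level."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, src, proto, dpt = parsed
            events[src].append((t, proto, dpt))
    report = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # slide the window start forward
                lo += 1
            best = max(best, len({(p, d) for _, p, d in evs[lo:hi + 1]}))
        report[src] = {"packets": len(evs), "targets_in_window": best,
                       "danger": danger_level(best)}
    return report


def block_commands(report, min_level=2):
    """Commands an auto-block step would run for sources at or above min_level; returned, not executed."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, r in sorted(report.items()) if r["danger"] >= min_level]


# Constructed log lines (not captured from a real host). The format follows what
# `iptables -A INPUT -j LOG --log-prefix "DROP "` writes to the kernel log.
def _log(hms, src, dpt, spt=40000):
    return (f"Feb  4 {hms} gw kernel: DROP IN=eth0 OUT= SRC={src} DST=198.51.100.7 "
            f"LEN=40 TTL=52 PROTO=TCP SPT={spt} DPT={dpt} SYN")


SAMPLE_LINES = (
    # fast scan: 20 ports in 20 seconds
    [_log(f"10:00:{i:02d}", "203.0.113.5", 1 + i, 40000 + i) for i in range(20)]
    # benign host: repeated SSH retries plus one HTTPS hit
    + [_log(f"10:00:{30 + i}", "198.51.100.20", 22) for i in range(5)]
    + [_log("10:00:40", "198.51.100.20", 443)]
    # slow scan: 10 ports, one every 61 seconds, so never more than one per window
    + [_log(f"10:{i + 1:02d}:{i + 1:02d}", "192.0.2.9", 8000 + i) for i in range(10)]
)

if __name__ == "__main__":
    report = scan_report(SAMPLE_LINES)
    for src, r in sorted(report.items()):
        print(src, r)
    print(block_commands(report))
```

The slow scanner in the sample never exceeds one target per 60-second window and so is never flagged, which is the usual failure mode of windowed counters and the reason psad exposes its timeouts and thresholds as configuration rather than hard-coding them: tune the window to the traffic you actually see, and correlate across longer periods for sources that keep reappearing.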

 Episode 353: Too Many Containers | File Type: audio/mp3 | Duration: 43:08

We introduce you to Kubernetes, what problems it solves, why everyone is talking about it, and where it came from. Also who shouldn’t be using Kubernetes, and the problems you can run into when scaling it. Plus how you can store files in others' DNS resolver caches, Project Zero finds a new BitTorrent client flaw, and more.

Sponsored By:
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:
DNSFS. Store your files in others DNS resolver caches — The DNSFS code is a relatively simple system, every file uploaded is split into 180 byte chunks, and those chunks are “set” inside caches by querying the DNSFS node via the public resolver for a TXT record. After a few seconds the data is removed from DNSFS memory and the data is no longer on the client computer.
BPF - the forgotten bytecode — BPF is an absolutely marvelous and flexible way of filtering packets.
dnsfs: Store your data in others DNS revolvers cache
Unauthenticated LAN remote code execution in AsusWRT — However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.
AI is moving towards acceptance in cyber security, says Check Point — Artificial intelligence is well on its way to being a useful tool in the cyber security professional’s kit, but according to Check Point, there are still big challenges to overcome.
Alphabet is launching a new CyberSecurity unit. — Alphabet, the parent company of Google, announced today that they will be launching Chronicle, a new business unit that will focus on Cyber Security, using their servers and infrastructure. The new organization hopes to focus on machine learning and artificial intelligence to assist in the fight against cybercrime moving forward.
Google Project Zero claims new BitTorrent flaw could enable cyber crooks to get into users' PCs — According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarily ignore.
CVE-2018-5702: Mitigate dns rebinding attacks against daemon by taviso · Pull Request #468
Blizzard Fixes DNS Rebinding Flaw that Put All the Company's Users at Risk
What is DNS rebinding, in layman's terms?
An Introduction to Kubernetes — Kubernetes, at its basic level, is a system for managing containerized applications across a cluster of nodes. In many ways, Kubernetes was designed to address the disconnect between the way that modern, clustered infrastructure is designed, and some of the assumptions that most applications and services have about their environments.
What is Kubernetes? — Kubernetes was originally developed and designed by engineers at Google. Google was one of the early contributors to Linux container technology and has talked publicly about how everything at Google runs in containers. (This is the technology behind Google’s cloud services.) Google generates more than 2 billion container deployments a week—all powered by an internal platform: Borg. Borg was the predecessor to Kubernetes and the lessons learned from developing Borg over the years became the primary influence behind much of the Kubernetes technology.
Scaling Kubernetes to 2,500 Nodes — We’ve been running Kubernetes for deep learning research for over two years. While our largest-scale workloads manage bare cloud VMs directly, Kubernetes provides a fast iteration cycle, reasonable scalability, and a lack of boilerplate which makes it ideal for most of our experiments.
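The DNSFS description above gives the whole mechanism: split the file into 180-byte chunks, serve each chunk as a TXT record just long enough for a public resolver to fetch and cache it, then drop it from the node. The example below is added here and is not the DNSFS code; it models that flow in Python with an in-memory authoritative node and a caching resolver driven by a fake clock, so the central caveat is visible in code: once the resolver's TTL expires, neither side holds the data any more. The zone name dnsfs.example.invalid, the record naming scheme and the TTL are assumptions made for the example; 180 bytes is the chunk size from the write-up, and base64 keeps each chunk inside the 255-character limit of a single TXT string.

```python
import base64

CHUNK_BYTES = 180   # chunk size from the DNSFS write-up; base64 of 180 bytes is 240 chars,
                    # inside the 255-character limit of one TXT <character-string>


class FakeClock:
    """Deterministic clock so TTL expiry can be driven by hand."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class DnsfsNode:
    """Stand-in for the authoritative DNSFS server: it holds a chunk only until
    a resolver has fetched it once, then forgets it, as the write-up describes."""
    def __init__(self, zone):
        self.zone = zone
        self.pending = {}       # record name -> TXT value waiting to be fetched

    def stage(self, name, value):
        self.pending[name] = value

    def authoritative_lookup(self, name):
        return self.pending.pop(name, None)   # hand it out once, then forget


class CachingResolver:
    """Stand-in for a public recursive resolver with a positive TXT cache."""
    def __init__(self, node, ttl, clock):
        self.node, self.ttl, self.clock = node, ttl, clock
        self.cache = {}         # name -> (value, expiry)

    def query_txt(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                           # served from cache
        self.cache.pop(name, None)                  # expired entry is dropped
        value = None
        if name.endswith("." + self.node.zone):
            value = self.node.authoritative_lookup(name)
        if value is not None:
            self.cache[name] = (value, now + self.ttl)
        return value


def record_name(file_id, index, zone):
    return f"{file_id}-{index}.{zone}"          # naming scheme is an assumption for the example


def store(node, resolver, file_id, data):
    """Split `data` into chunks, stage each at the node, then read each through the
    resolver so it lands in the cache. Returns the chunk count a reader needs."""
    chunks = [data[i:i + CHUNK_BYTES] for i in range(0, len(data), CHUNK_BYTES)]
    for i, chunk in enumerate(chunks):
        name = record_name(file_id, i, node.zone)
        node.stage(name, base64.b64encode(chunk).decode("ascii"))
        resolver.query_txt(name)                # this query is what seeds the cache
    return len(chunks)


def fetch(resolver, file_id, nchunks):
    """Reassemble the file from the resolver cache; None if any chunk is gone."""
    out = bytearray()
    for i in range(nchunks):
        value = resolver.query_txt(record_name(file_id, i, resolver.node.zone))
        if value is None:
            return None
        out += base64.b64decode(value)
    return bytes(out)


if __name__ == "__main__":
    clock = FakeClock()
    node = DnsfsNode("dnsfs.example.invalid")
    resolver = CachingResolver(node, ttl=300, clock=clock)
    payload = bytes(range(256)) * 2                  # constructed 512-byte "file"
    n = store(node, resolver, "f1", payload)
    print(n, "chunks; node still holds", len(node.pending))
    print("round trip ok:", fetch(resolver, "f1", n) == payload)
    clock.t += 301                                    # past the TTL
    print("after expiry:", fetch(resolver, "f1", n))
```

Run as a script it shows three chunks stored, an empty node afterwards, a successful round trip, and None once the clock passes the TTL. A real resolver also evicts under memory pressure and answers from whichever backend instance holds the entry, so the write-up's "few seconds" of safety is the optimistic case.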
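The Transmission item above describes a DNS rebinding attack on a daemon listening on port 9091: the attacker's hostname first resolves to the attacker's server and is then re-resolved to 127.0.0.1, so the browser sends requests to the local daemon as if they were same-origin. What the browser cannot change is the Host header, which still carries the attacker's hostname from the URL, and that is what a Host-header check keys on. Below is an added example, not the project's patch: a Python checker that parses the Host header, accepts only exact loopback spellings or an exact entry of an operator whitelist (no suffix or substring matching, which is the classic mistake), and screens a few constructed HTTP requests. The names attacker.example and nas.home.arpa and all function names are assumptions for the example.

```python
# Exact loopback spellings a browser could put in the Host header when the URL
# really names the local daemon. Matching is exact: no suffix or substring test.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_header(value):
    """Parse a Host header into (host, port). Returns None for malformed values."""
    value = value.strip().lower()
    if value.startswith("["):                       # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[:end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else None
    elif value.count(":") == 1:                     # name or IPv4 with a port
        host, port = value.split(":")
    elif ":" in value:                              # bare IPv6 is not valid in Host
        return None
    else:
        host, port = value, None
    if not host or (port is not None and not port.isdigit()):
        return None
    return host, (int(port) if port is not None else None)


def host_allowed(host_header, listen_port=9091, whitelist=()):
    """True only if the Host header names this daemon: an exact loopback spelling
    or an exact entry of the operator's whitelist, with a matching port if one is given."""
    if host_header is None:
        return False            # HTTP/1.0 request without Host: cannot prove it was meant for us
    parsed = split_host_header(host_header)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != listen_port:
        return False
    allowed = LOOPBACK_HOSTS | {w.lower() for w in whitelist}
    return host in allowed


def screen_request(raw, listen_port=9091, whitelist=()):
    """Minimal HTTP request screening: 403 when the Host check fails, else 200."""
    lines = raw.split("\r\n")
    host = None
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value
            break
    return 200 if host_allowed(host, listen_port, whitelist) else 403


# Constructed requests (not captured traffic), as a browser would send them.
REQUESTS = {
    "direct":      "GET /transmission/rpc HTTP/1.1\r\nHost: localhost:9091\r\n\r\n",
    "ipv6":        "GET /transmission/rpc HTTP/1.1\r\nHost: [::1]:9091\r\n\r\n",
    # after rebinding, the browser still sends the attacker's hostname in Host
    "rebinding":   "POST /transmission/rpc HTTP/1.1\r\nHost: attacker.example\r\n"
                   "Origin: http://attacker.example\r\n\r\n",
    "lookalike":   "POST /transmission/rpc HTTP/1.1\r\nHost: localhost.attacker.example\r\n\r\n",
    "no_host":     "POST /transmission/rpc HTTP/1.0\r\n\r\n",
    "whitelisted": "GET /transmission/rpc HTTP/1.1\r\nHost: nas.home.arpa:9091\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in REQUESTS.items():
        print(f"{label:12} -> {screen_request(raw, whitelist=['nas.home.arpa'])}")
```

The Host check only works because rebinding cannot rewrite the Host header; it does nothing against a client that speaks raw HTTP, so it complements rather than replaces an RPC session token, and an operator who binds the daemon to a LAN address still has to add that address or its name to the whitelist.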
Feedback: Talk more about Windows — I listened to your intro to change management and it seemed like it will be very Linux centric ("everything is she"). In future segments, please try to include Windows desktop and server OS as well.
Question: Starting with Ansible Quick — Is there any way to get started other than writing a playbook and trying it out with trial and error?
Ansible Best Practises: A project structure that outlines some best practises of how to use ansible
ansible-console: An Interactive REPL for Ansible — Something I found out recently is that Ansible has an interactive REPL of sorts in ansible-console for doing some ad hoc things on a collection of hosts.
Introduction To Ad-Hoc Commands — Ansible Documentation — An ad-hoc command is something that you might type in to do something really quick, but don’t want to save for later.
About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan - Apple Support — This document describes the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan.
