Archive for the ‘Skype’ Category
Coming up on this week’s TechSNAP…
Researches have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent being tracked!
Plus we cover the Ultimate way to host your own email, and what happened when Chinese hackers took control of US Satellites!
All that and more, on this week’s episode of TechSNAP!
Direct Download Links:
Subscribe via RSS and iTunes:
- On four separate occasions during 2007 and 2008 US satellites were hijacked by way of their ground control stations.
- The effected satellites were Landsat–7 (Terrain Mapping and Satellite Photography, example 1 example 2) and Terra AM–1 (Climate and Environmental Monitoring, 2010 Hurricane Karl)
- While the US does not directly accuse the Chinese government in writing, these types of actions are consistent with known war plans that involve disabling communications, command and control, and GPS satellites as a precursor to war.
- In one incident with NASA’s Terra AM–1, “the responsible party achieved all steps required to command the satellite,” however the attackers never actually took control of the satellite.
- It was not until the 2008 investigation that the previous compromises in 2007 were detected
- This raises an important question, are the US military and other NATO members, too reliant of satellite communications and GPS?
- In a recent NATO exercise called ‘Joint Warrior’, it was planned to jam GPS satellite signals, however the jamming was suspended after pressure on the governments over civilian safety concerns. Story
- The tools developed by the researchers at New York University allow any to determine a strong correlation between bittorrent downloads and a specific skype user.
- Importantly, unlike RIAA/MPAA law suites, the researchers consider the possibility of false positives because of multiple users behind NAT.
- The researchers resolve this issue by probing both the skype and bittorrent clients after a correlation is suspected. By generating a response from both clients at nearly the same time and comparing the IP ID (similar to a sequence number) of the packets, if the ID numbers are close together, than it is extremely likely that the response was generated by the same physical machine. If the IDs are very different, then it is likely that the Skype and BitTorrent users are on different machines, and there is no correlation between them.
- This same technique could be made to work with other VoIP and P2P applications, and could be used to gather enough evidence to conclusively prove a bittorrent user’s identity.
- This situation can be mitigated by using the feature of some OS’s that randomizes the IP ID to prevent such tracking. (net.inet.ip.random_id in FreeBSD, separate ‘scrub random-id’ feature in the BSD PF firewall)
- The discovery could also be prevented by fixing the skype client such that it will not reply with its IP address if the privacy settings do not allow calls from that user. The current system employed by the researches does not actually place a call to the user, just tricks skype into thinking that a call will be placed, and skype then leaks the sensitive information by returning its IP address or initiating a connection to the attacker.
- Read the full research paper
- Directors Desk is a web application designed to allow executives to share documents and other sensitive information
- When NASDAQ was hacked in February, they did not believe that any customer data was stolen
- The attackers implanted spyware into the Directors Desk application and were able to spy on the sensitive documents of publicly traded companies as they were passed back and forth through the system
- This is another example of the Advanced Persistent Threat (APT) as we saw with the RSA and South Korea Telecom hacks, where the attackers went after a service provider (in his case NASDAQ) to compromise the ultimate targets, the publicly traded companies and their sensitive documents.
- It is not known what if any protection or encryption systems were part of Directors Desk, but it seems that the application was obviously lacking some important security measures, including an Intrusion Detection System that would have detected the modifications to the application.
- The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation.
- Some of the potential items companies may need to disclose include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
- To the extent the registrant outsources functions that have material cyber security risks, description of those functions and how the registrant addresses those risks
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
- Risks related to cyber incidents that may remain undetected for an extended period
- “For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.
- From the SEC guidance: The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision”
- CF Disclosure Guidance: Topic No. 2 – Cybersecurity
- Q: Owning my own Email?
- Roundcube – Free webmail for the masses
- MailServer – Community Ubuntu Documentation
- Postfix – Community Ubuntu Documentation
- Setting up a Forwarding Account in the Email Control Center – GoDaddy Help Center (Remember to use the coupon code LINUX or LINUX20)
- Google apps for your domain (free)
It is definitely advantageous to own the domain that your email address is on. On top of looking more professional than a hotmail, or even gmail address, it also allows you to choose your host and have full control over everything. There are some caveats though, of course you must remember to renew your domain name, else your email stops working (just ask Chris about that one), you also have to be careful about picking where to host your domain, having your site or email hosted by a less reputable service can result in your domain being included on blacklists and stopping delivery of your mail to some users. The biggest problem with hosting your own email, from your home, is that you must keep the server up 24/7, and it must have a reasonable static IP address. If you are going to host from your home, I recommend you get a ‘backup mx’ service, a backup mail server that will collect mail sent to you while you are offline, and then forward it to your server when it is back up. Even if you are using a dedicated server or VPS, this is important, because email is usually the most critical service on your server. The other major issue with hosting your email from home, is that most ISPs block port 25 inbound and outbound, to prevent infected computers from sending spam. This means that you will not be able to send or receive email to other servers. Usually your ISP will require you to have a more expensive business class connection with a dedicated static IP address in order to allow traffic on port 25. Also, a great many spam filtering systems, such as spamassassin, use blacklists that contain the IP ranges of all consumer/home Internet providers, designed to stop spam from virus infected machines, because email should not be send from individual client machines, but through the ISP or Domain email server.
- Facebook to build server farm on edge of Arctic Circle
- Passwords of 93,000 Politicians, Reporters, Bloggers Leaked
- Stuxnet’s Son “Duqu” Removal Tool released by Bitdefender
- Japanese parliament hit by cyber-attack
- FBI to launch nationwide facial recognition service
- Anonymous Attacks Child Porn Websites and Publish User Names
Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.
Plus find out about a Google bug that could wipe a site from their Index, and a excellent batch of your feedback!
All that and more, on this week’s TechSNAP!
Direct Download Links:
Subscribe via RSS and iTunes:
- A nine year old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier to use version of the tool on monday, to coincide with Apple finally patching the flaw on iPhone and other iOS devices.
- Any unpatched iOS device can have all of it’s SSL traffic trivially intercepted and decrypted
- This means anyone with this new easy to use tool sitting near a wifi hotspot, can intercept encrypted login information (gmail, facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
- The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraint’ parameter, allowing an attacker to sign a certificate for any domain with an existing valid certificate, a condition normally prevented by the constraint.
- There are no known flaws in SSL it self, in this case, the attacker could perform a man-in-the-middle attack, by feeding the improperly signed certificate to the iPhone which would have accepted it, and used the attackers key to encrypt the data.
- Patch is out with a support doc and direct download links
- After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
- With this password, it is possible to control the firmware on the battery
- This means that an attacker can remotely brick your Macbook, or cause the battery to overheat and possibly even explode
- The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
- The attacker could also completely replace the Apple firmware, with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
- Further research will be presented at this years Black Hat Security Conference
- In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.
- A glitch in facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
- It was not possible to view the actual videos
- Using the google webmaster tools, users were able to remove websites that did not belong to them from the Google Index
- By simply modifying the query string of a valid request to remove your own site from the google index, and changing one of the two references to the target url, you were able to remove an arbitrary site from the google index
- The issue was resolved within 7 hours of being reported to Google
- Google restored sites that were improperly removed from its index.
- Inproper input validation and output sanitation allowed attackers to inject code into their skype profile
- By entering html and java script in to the ‘mobile phone’ section of your profile, anyone who had you on their friends list would execute the injected code.
- This vulnerability could have allowed attackers to high your session, steal your account, capture your payment data, and change your password
Q: (Sargoreth) I downloaded eclipse, and I didn’t bother to verify the md5 hash they publish on the download page, how big a security risk is this?
A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (The FreeBSD Ports tree comes with the SHA256 hashs of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64bit hardware, however it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected in to their downloadable archives on official mirrors, such as the UnrealIRCd project.
Q: (Christoper) I have a windows 7 laptop, and a Ubuntu desktop, what would be a cheap and easy way to share files between them?
A: The easiest and most secure way, is to enable SSH on the ubuntu machine, and then use an SFTP client like FileZilla (For Windows, Mac and Linux), and then just login to your ubuntu machine using your ubuntu username/password. Alternatively, If you have shared a folder on your windows machine, you should be be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba, to allow your Ubuntu machine to share files with windows, it will appear as if it were another windows machine in your windows ‘network neighbourhood’.
Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here
- Allan’s Bitcoin mining rig mined it’s 36th bitcoin today
- Research shows Bitcoin may be less anonymous than initially though
- Buy Humble Bundle 3 with Bitcoins!
- Why We Are No Longer Accepting Dwolla « TradeHill
- Do It Yourself Dropbox Alternatives
- Attackers steal 8GB of data from the Italian Cybercrime unit
- Build your own 135 Terabyte storage server for under $8000
- Anonymous claims to have 1GB of stolen data from NATO and plans to release it
- Google is now actively warning users who it detects are infected with malware, especially attempts to hijack their search results
- The US Department of Defense lost 24k files via a compromised contractor
- Australian ISP’s Wireless Routers setup second hidden unprotected WiFi network
We’ve been looking ahead at the future of technology in our daily lives, we wrap up this series with a look at 3D Printing, and why they just might be modern day replicators.
Plus we invite live stream viewers to call in and share their thoughts for the everyday technology taking a big leap in the next decade!
We end on a true high-note for the show, and share a quick story about a “hot” incentive a major insurance came up with to motivate their sales team.
We react to Microsoft’s purchase of Skype, and share our thoughts, predictions, and a full round up of analyst chatter. Plus find out why Microsoft might be getting a bit of a deal on this massive $8.5B purchase!
Plus – Our quick thoughts on today’s Google I/O news and a few highlights from today’s announcements from Google!
FreshBooks.com for sponsoring tonight’s episode!
-Fears & Hopes
-Coming to MS platforms
-5 Big Takeaways-Security vulnerability on Skype for Mac
MS Not paying US taxes for the $8.5Bill purchase?
“Of Microsoft’s nearly $50.2 billion in cash and liquid investments, about $42 billion is held in foreign subsidiaries and would otherwise be subject to a tax hit if the money were brought back to the U.S. Ballmer said it is appropriate to use overseas cash because Skype is headquartered in Luxembourg.”
-Xbox 360 integration might finally bring Video calling to the TV in an easy way?
-Crazy VR possibilities with Kinect?
-What does this mean for Skype on Linux? (and Mac?)
-Will skype be built into Windows Phone 7 to compete with facetime and GoogleTalk?
“This Is My Next” coverage: http://live.thisismynext.com/Event/Google_IO_2011
Gizmodo coverage: http://gizmodo.com/5800397/live-from-google-io
Engadget coverage: http://www.engadget.com/2011/05/10/live-from-google-i-o-2011s-opening-keynote/
co-host David Abbott from “The Linux Crazy” podcast
0:55 - Interview with John Todd, the Open Source Community Director for Digium, the company behind Asterisk, the open source PBX.
5:05 - Apache httpd
5:18 - The vintage NeXT Computer
7:30 - OpenBSD
8:20 - Sun Solaris
8:25 - Sip protocol
12:05 - O’Reilly book “Asterisk, The Future of Telephony” download it here as a PDF. A Cookbook with sample dial plans is in the works.
12:52 - Openfire by Jive, Jabber, Apache, MySQL, Python
14:35 - Open Source phones
14:50 - Google Android and the G1
16:20 - TalkPlus and cool phone tricks
20:00 - How does Caller ID work?
22:15 - Asterisk email lists
28:20 - The AstriCon Asterisk conference
31:15 - IAX2 protocol
34:00 - Podcast interview with Danny Windham, CEO of Digium, and a podcast interview with Mark Spencer, Founder and CTO of Asterisk
35:30 - Business models that are similar to Digium
37:00 - Get the source code for v1.6 and start hacking
38:35 - Asterisk supports video on SIP
39:35 - Skype and Asterisk are teaming up. In 2009 you will be able to call a Skype user by dialing their Skype ID