Archive for the ‘java’ Category
Coming up on this week’s TechSNAP…
Have you ever been curious how hackers pull off massive security breaches? This week we’ve got the details on a breach that exposed the private data of 35 million customers.
Plus MySQL.com spreads custom malware tailored just for your system, and the details are amazing!
On top of all that, we’ll share our insights on setting up the ultimate network file server!
- Between July 18th and 25th, SK Telecom’s systems were compromised, and all of their customer records (35 million customers) were compromised. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
- The attack was classified as an Advanced Persistent Threat. The attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom and a server at a Taiwanese publishing company that the attackers had compromised at an earlier date.
- The attack was very sophisticated and specifically targeted, and it seems to indicate a degree of knowledge about the target. The well-organized attackers managed to compromise the software update server of another company (ESTsoft) whose software (ALTools) was used by SK Telecom, then piggybacked a trojan into the secure systems that way. Only computers from SK Telecom received the malicious update.
- The attackers sent the compromised data through a number of waypoints before receiving it, masking the trail and their identities. A similar pattern was seen with the RSA APT attack: the attackers uploaded the stolen data to a compromised web server and, once they had removed the data from there, destroyed the server and broke the trail back to themselves.
- Proper code signing, or GPG signing could have prevented this
- Original BBC Article about the attack
- The Directory Services command allows users to search for data about other users on the machine. This is the intended function.
- The problem is that the search results for the current user also include sensitive information, such as the user’s password hash. You are authorized to view this information, because you are the current user.
- However, any application running as that user could also obtain that information and send it back to an attacker.
- Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have gotten more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
- My bitcoin mining rig could easily be converted to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
- The tool can also allow the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current user’s password and take over the account that way.
- These attacks would require some kind of exploit that allowed the attacker to perform the required actions; however, we have seen a number of Flash, Java and general browser exploits that could allow this.
- The current recommended workaround is to chmod the dscl command so that it can only be used by root.
- Additional Article
- The MySQL.com front page was compromised and had malicious code injected into it.
- The code (usually an iframe) caused a Java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is known as a ‘drive by infection’, because the user does not have to take any action to become infected.
- Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
- Because of the nature of the iframe attack and the redirect chain, the attackers could easily have varied the payload, or selected different payloads based on the platform the user was visiting the site on.
- There are reports of Russian hackers offering to sell admin access to mysql.com for $3000
- Detailed Analysis with malicious source code, video of the infection process
- Article about previous compromise
- When the previous compromise was reported, it was also reported that MySQL.com was subject to an XSS (Cross Site Scripting) attack, where content from another site could be injected into the MySQL site, subverting the browser’s usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.
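A site owner can watch for this kind of front-page injection by auditing the served HTML for active content that should not be there. The check below is an added example, not code from the show notes or the linked analysis: it flags iframes, scripts and plugin embeds loaded from hosts outside an allowlist, plus hidden iframes. The host names, allowlist and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that make the browser fetch and run or render content with no click
# from the visitor, mapped to the attribute that names the source.
ACTIVE_TAGS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

def is_hidden(attrs):
    # Injected frames are often sized to 0/1 pixels or hidden with CSS.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, resolved host, list of reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attrs = dict(attrs)
        target = attrs.get(ACTIVE_TAGS[tag])
        if not target:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlsplit(urljoin(self.page_url, target)).hostname or "").lower()
        reasons = []
        if host not in self.allowed:
            reasons.append("host not in allowlist")
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, host, reasons))

def audit(html, page_url, allowed_hosts):
    parser = ActiveContentAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate scripts, two suspicious iframes.
PAGE_URL = "https://www.example.com/"
ALLOWED = {"www.example.com", "cdn.example.com"}
SAMPLE = """<html><head><script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script></head><body>
<iframe src="//widgets.example.org/frame" width="1" height="1"></iframe>
<iframe src="/promo.html" style="display: none"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, PAGE_URL, ALLOWED):
        print(finding)
```

Run on a schedule against the live front page, a new finding signals that the served HTML has changed in a way worth investigating.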
Continuing our Home Server Segment – This week we are covering file servers.
Some possible solutions:
- Roll Your Own (UNIX)
- Linux or FreeBSD Based
- Install Samba for SMB Server (allow windows and other OS machines to see your shared files)
- Setup FTP (unencrypted unless you do FTPS (ftp over ssl), high speed, doesn’t play well with NAT, not recommended)
- Configure SSH (provides SCP and SFTP) (encrypted, slightly higher cpu usage, recommended for Internet access)
- Install rsync (originally designed to keep mirrors of source code and websites up to date, allows you to transfer only the differences between files, rather than the entire file) (although it is recommended you do rsync over SSH not via the native protocol)
- Configure NFS (default UNIX file sharing system)
- Build your own iSCSI targets (allows you to mount a remote disk as if it were local; popular in virtualization as it removes a layer of abstraction, and required for virtual machines that can be transferred from one host to another)
- Roll Your Own (Windows)
- Windows provides built in support for SMB
- Install Filezilla Server for FTP/FTPs (Alternative: CyberDuck)
- There are some NFS alternatives for Windows, but they are not free
- There is an rsync client for Windows, or you could use cygwin; the same goes for SSH. Similar tools include robocopy and synctoy
- FreeBSD Based. Provides: SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
- Supports ZFS
- Chris’ Previous Coverage of FreeNAS:
- FreeNAS, IN DEPTH
- FreeNAS Vs. HP MediaSmart WHS
- FreeNAS vs Drobo
- To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework
- The NSA Wants Its Own Smartphone
- New Mac OS X Trojan Imuler Hides Inside Malicious PDF
- IBM Seeks Patent On Retailer-Rigged Driving Routes
- Anonymous Goes After the Pepper Spray Cop’s Personal Info
It’s our review of Mandriva 2011!
Plus we cover the early rumors of MeeGo’s death, Mark Shuttleworth’s bet against the mobile operators, and the major security issues that struck Linux this week.
All this week on, The Linux Action Show!
Episode Show Notes:
- MeeGo OS fading fast? Intel says it’s ‘still committed’
- Ohio LinuxFest 2011
- Oracle retires licence for distributing its Java with Linux
- Mark Shuttleworth donates USD$400k to the Serval Batphone – Peer to Peer telephony using Android
- Upcoming Linux Game ‘Blocks That Matter’ Wins $40,000; playable demo is out for download
- Watch Jupiter Broadcasting rock PAX
- Kernel.org security breach
- Kernel.org attackers did not know what they had
- Debian and Ubuntu patch apache from the ‘killer’ DoS
- More info on both stories in this week’s TechSNAP
Mandriva 2011 Review:
- Mandriva Desktop 2011 review
- 2011.0 Mandriva Tour
- 2011.0 Release Notes
- Mageia – Based on Mandriva Distribution
- Mandriva 2011 vs Mageia 1
Oracle Taking Java Away From Linux Users
- Ubuntu, Debian, and all other Linux distributions will soon have to remove Sun-java6 packages from their repositories due to a licensing change by Oracle.
- Oracle is retiring their “Operating System Distributor License for Java” that allowed Linux distributors to package and distribute Oracle’s Java versions in their Linux distributions. This means that further Oracle JDK 6 and Oracle JDK 7 releases on Linux will no longer be released under the same license. The result is that Linux users will be forced to use the free OpenJDK, which has come a long way but still has a few bugs.
- This appears to be just another example of Oracle’s disregard towards Linux when it doesn’t make them money.
Defending Against the Apache Killer
- There is a denial-of-service tool that is circulating and being used that exploits a vulnerability in the popular Apache Web server.
- This denial-of-service tool is called the Apache Killer. With this tool an attack can be carried out remotely, and a modest number of requests can cause very significant memory and CPU usage on the server. All versions of the Apache software, including the 1.3 and 2.0 lines, are vulnerable to attack. The Apache project is busy trying to come up with a fix for this major vulnerability and is hoping to release a patch very soon.
- Apache offered steps administrators can take to defend their Web servers until a patch is available.
Google Wants to Own Your Online Identity
- Chairman and former CEO Eric Schmidt has admitted that the reason real names are required for Google+ accounts is that Google+ is designed to be an identity service.
- The bottom line is that real names are more valuable to advertisers and to Google. Anonymous people are not useful for Google’s future plans. Google+ was built primarily as an identity service and it depends on people using their real names in order to build future products that leverage that information. Why does Google want to be an identity gatekeeper? Dave Winer thinks that the company wants to effectively become a bank.
- One has to ask how all this information about us will be used by these identity gatekeepers.
Department of Defense Considering More Open Source Software
- The Department of Defense is turning to Open Source software to try to bring down its expenditures on software.
- The Department of Defense, along with five other government agencies, formed the Open Technology Foundation. Their goal is to facilitate collaboration and interoperable technology in the public sector. They have specifically been considering Open Source software for more than three years. They currently use Red Hat infrastructure software and Apache web server software and are likely to adopt more Open Source software in the web content management area.
- To give you a perspective on possible savings, realize that the Department of Defense spends $100 million each year on software licenses alone.
CloudStack Goes Open Source
- Citrix Systems is open sourcing the CloudStack cloud management framework that it acquired when it purchased Cloud.com back in July.
- In addition to open sourcing the framework, they are also adding support for the provisioning of workloads on additional hypervisors and, for the first time, on bare-metal machines. Cloud.com’s goal is to create a cloud framework for internal clouds that adheres to APIs used in public clouds and allows companies to mix and match hypervisors as they see fit.
- They plan to include support for Microsoft’s Hyper-V hypervisor sometime later this year.
Samsung Considering Buying webOS
- With HP deciding to kill off webOS, it appears that Samsung might be interested in purchasing it.
- Although neither HP nor Samsung is confirming it, sources are saying that Samsung plans to take over HP’s PC business and is considering purchasing webOS. This would allow them to compete with Apple and Google in the smartphone market. If these reports turn out to be true, it could mean that webOS may still have a future.
- Some speculate that Google’s purchase of Motorola could have sparked Samsung’s interest in webOS.
Wyse Introduces Two New SUSE Linux-Based Thin Clients
- Wyse Technology has introduced and is now shipping two new thin client computers running SUSE Linux Enterprise.
- Thin clients are compact, energy efficient and productive desktops with all the dynamic user-experience of a PC, but have no moving parts. Their service lives are extended beyond those of comparable PCs and the noise from fans and hard drives is eliminated. All are powered by AMD’s single-core T52R clocked at 1.5GHz or dual-core T56N clocked at 1.6GHz, and the Z50S and Z50D come with SUSE Linux Enterprise installed.
- Reports are saying that these are the fastest thin clients ever.
Iranian Man-in-the-Middle Attack Against Google Users
- Someone has launched a man-in-the-middle attack against Iranian Google users by using a fake digital certificate to intercept everything from email to search results.
- In an event that could possibly put Iranian activists in danger, it appears that someone obtained a fraudulent certificate. This would allow that person to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure. The digital certificate enables encrypted connections to web services in order to protect users from being spied on by ISPs, governments, or others. Unfortunately the security of this type of encryption continues to prove to be vulnerable to attack.
- Worse still, it appears that this attack has been going on for about two months.
Older Hardware Loses Graphics Driver Support
- Linux graphic driver support comes to an end for such older hardware as the 3Dfx Voodoo, Intel i810, ATI Rage, and S3 Savage graphics processors.
- The developers behind the Mesa 3D graphics library have decided to end support for older hardware. The 3D graphics library provides the default graphics driver support for most hardware on Linux, BSD, and Solaris. Other drivers that are also being dropped are for Matrox and VIA graphics. They also will be ending support for the BeOS operating system.
- There are several people who are hoping to see GL3 and OpenCL support in Linux soon.
Sony Tablet S2 to be called Tablet P when it launches?
- The Sony Android Tablet that was codenamed the S2 will launch as the Sony Tablet P this September
- The information we have so far is that the new Tablet will weigh 370 grams, have 512Mb of RAM, 4GB of storage and a 2GB SD card, with connectivity over 4G or WiFi. It will have an NVIDIA Tegra 2 processor and a 0.3 megapixel front camera.
- There’s still no word on price or exact shipping dates, but retailers have been told that more information is coming soon.
Microsoft Open Sourcing Python Extension for Visual Studio
- Although Visual Studio is not open source, Microsoft has decided to open source an add-on called Python Tools for Visual Studio that is designed for it.
- The new, free tools are available for download from Microsoft’s CodePlex site and are licensed under the Apache 2.0 license. Python Tools for Visual Studio came out of Microsoft’s Technical Computing Group. The new tools include a Python editor with support for IntelliSense, debugging and profiling capabilities, and support for parallel computing.
- It just goes to show you that even Microsoft understands the power of Open Source.
Acer Iconia A500 3.2 Update Coming September 10th
- The update for the Acer Iconia A500 is now scheduled to be released on September 10th.
- The update was originally planned for August 25th, but problems with the GPS settings delayed the release. They are hoping to have those issues resolved before the September 10th deadline. They thought it a much better idea to push back the release than to let it out in the wild with bugs.
- They have promised to update earlier if there’s any news, which we’ll pass on to you.
The latest major releases include…
- Dream Studio 11.04
- Mandriva Linux 2011
- Chakra GNU/Linux 2011.09
- Linux 3.1-rc4
- Linux 3.0.4
- GNOME Shell 3.1.90
- ALT Linux 6.0.0
In This Episode:
- Listener Feedback
- Jeremy’s eeePC 1000HE
- JD’s eeePC 901
- Debian leaves glibc
- Oracle buys Sun Microsystems
  - Calling out David Nalley on Postgres
  - Sun hardware?
- No Agenda references
- LOTS of Top Gear references. No seriously. LOTS.
- Wolfram Alpha
- Several references to the Southeast Linuxfest. We’ll be there and YOU SHOULD BE TOO! Sign up to attend here