Allister Jenks reviews the Behringer UCA222 Digital Audio Interface, we have CES interviews about the Ring Video Doorbell and The FLIR One Personal Thermal Imager. Then I’ll tell you a story about FFmpeg and video transcoding, followed by two more CES interviews with IOGear and Black & Decker. Finally we’ll have Security Bits with Bart Busschots.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday January 24, 2016 and this is show number 559. We’ve got lots of fun on deck today, including a review by good friend of the show and often host when I’m on vacation, Allister Jenks. Then we’ll hear a couple of interviews from CES. Next I’ll regale you with a tale of how I was actually the smart one for once and helped Dorothy with a technical problem. We’ll toss in a couple more CEs interviews and then clean our palettes with Security Bits with Bart Busschots.
Before we dig in, I have a little personal news that I wanted to share with you. Our daughter Lindsay, also known as Jibblies in the live chat room and her husband Nolan are expecting a baby this July. Steve and I are of course thrilled to be grandparents to be. Warning for those of us who follow us on social media: you know how insufferable we are with pictures of our dog Tesla and now of our kittens Ada Lovelace and Grace Hopper, can you just imagine how annoying we’ll be with a grandchild??? You’ve got about six more months of relative sanity.
On Chit Chat Across the Pond this week Bart was back with Programming By Stealth episode 7, entitled More CSS. FINALLY we got to learn how to format text with CSS. it was definitely my favorite episode yet! Don’t forget you have to subscribe to Chit Chat Across the Pond separately from the NosillaCast in your favorite podcatcher.
Let’s hear Allister’s dulcet tones:
Blog Posts
Behringer U-Control UCA222 Digital Audio Interface
CES 2016: Ring Video Doorbell
CES 2016: FLIR One Personal Thermal Imager
Fun with Video Encoding – FFmpeg & VidConvert
CES 2016: IOGEAR USB-C Adapters
CES 2016: Black+Decker Smartech Tools
New Title – Security Bits
As you might have noticed, Bart and I have been in the process of renaming Security Lite. He noticed a while ago that really often the stories didn’t fit our definition of “Lite” which was that he would only tell you about things you could do something about. Over time it has evolved into giving you knowledge about what you should light your hair on fire about and maybe just as important, those things where a conflagration was unecessary. And then there’s Interesting Security News. We started calling it Security Stuff, but we really didn’t like it. Last week during the live show, https://podfeet.com/live, I asked the NosillaCastaways for ideas and they rose to the occasion.
Some were constructive and useful like “Security Safeguards” from Sandy, “Security Sessions” from Rose, and “Security Sunday” from Lindsay. And some were silly and made us giggle like “Security Slog” from Kevin, “You are Not Security with Bart Busschots” from Will, and “Security Scams and Secrecy” from Cybyl and my personal favorite, “The Allison Sheridan Security Sing-along” from John,
Allister had lots of helpful ideas including the winner and our new title, “Security Bits”. He also suggested “Security Bytes” but I already have plans for that name. I hope to some day soon make the time to start a security newsletter for high tech people to send to their muggle friends and relatives. It will start slow and probably stay slow. Let me know what you think of that idea?
Anyway, thanks to all of the NosillaCastaways for help in coming up with our new name, Security Bits!
Security Bits with Bart Busschots
Open SSH Bugs
A pair of vulnerabilities were patched in the most commonly used SSH implementation – OpenSSH. These were given the CVE numbers CVE-2016-0777 & CVE-2016-0778.
The first bug allows private data from a connecting client to be leaked to a malicious SSH server. This bug is in code that is on by default in SSH, but not actually usable because the matching server code was never written. Why something that cannot possibly be used for anything was enabled by default is beyond me – that seems like a really dumb thing to do!
To exploit the bug, you need to be tricked into making an SSH connection to a malicious server, so this means that people who never use SSH are not in danger, even if their computers have a vulnerable version of SSH installed.
The second bug is a buffer overflow, but this one can only be exploited in very specific situations – when the client uses the non-standard proxy command option as well as either X11 or agent forwarding, again, not enabled by default. This means that the attack surface for the second bug is much much smaller.
Linux users should get updated versions of SSH via their normal software update channels. OS X users will probably get a patch via Apple eventually, but no such patch was included in the security update Apple released this week.
Mac users can protect themselves from the more dangerous of these two bugs by disabling the non-functional feature at the root of this problem. This will obviously have no negative impact, and it is relatively easy to do assuming you have the skills needed to use SSH in the first place. If you don't use SSH, you don't need this fix, and if you do, you are probably comfortable on the terminal.
What you need to do to protect yourself is edit the SSH config file and disable the UseRoaming option by adding the line to the bottom of the file:
UseRoaming no
On OS X 10.11 El Capitan the SSH config file is /etc/ssh/ssh_config, on earlier versions of OS X it's /etc/ssh_config.
If you don't have sudo access you can also set this option for just your account by adding the line to ~/.ssh/config.
The reality is that this bug will only affect a tiny percentage of OS X users – those who use SSH to connect to un-trusted servers. This is why I expect it might take Apple a while to push out the fix.
Links:
- A human-friendly writeup on the bug from Ars – arstechnica.com/…
- A technical description of the bugs at US CERT – www.kb.cert.org/…
- Detailed instructions for applying the workaround to all versions of SSH on OS X, even non-standard ones from Fink, MacPorts, and HomeBrew – maclemon.at/…
Important Security Updates
- Patch Tuesday has been and gone, with important updates from Microsoft and Adobe – krebsonsecurity.com/…
- All versions of IE other than 11 are now dead – www.microsoft.com/…
- Apple releases iOS 9.2.1 which contains many security updates – support.apple.com/…
- The iOS update includes a fix to how iOS's interacts with Captive Portals to close a security hole that allowed malicious captive portal servers read and write access to reader's cookies – www.intego.com/…
- Apple releases OS X 10.11.3 & security update 2016-001 – support.apple.com/…
- Apple releases Safari 9.0.3 including many security updates – support.apple.com/…
Important Security News
- A major bug has been found in versions of the Linux kernel dating back to early 2013. The bug allows any process to execute code as root. Updating Linux computers and servers will be easy, updating Android devices a little slower, and updating embedded Linux devices very difficult indeed – arstechnica.com/…
- Both the Netherlands and France have officially come out against encryption back doors – nakedsecurity.sophos.com/… & nakedsecurity.sophos.com/…
- Lawmakers in two US states, NY & CA, introduce bills to outlaw true encryption in their states by mandating back-doors – nakedsecurity.sophos.com/… & arstechnica.com/…
- British security researcher claims that the MIKEY-SAKKE encryption scheme being pushed by the British Government contains a backdoor to facilitate "undetectable mass surveillance" – arstechnica.com/…
- Tim Cook lashes out at White House Officials for being wishy-washy on Encryption – theintercept.com/…
- Former NSA boss General Michael Hayden says the current FBI director James Comey is wrong about encryption – money.cnn.com/…
- A Google security researcher has excoriated TrendMicro over the deeply flawed design of their AV product (problems include remote code execution and remote dumping of all saved passwords in plain text) (editorial by Bart: if this was not so serious the design of this product would be hilarious) – arstechnica.com/…
- Forbes forces readers to disable ad blockers, then serves them malware through ads – www.extremetech.com/…
- Last time it was Juniper that had a nasty back-door in their corporate firewall appliances, this time it's Fortune's turn – having a hard-coded SSH password in their firmwares that gives anyone who knows the password SSH access. (Editorial by Bart: Fortinet PR is insisting this is not a back door, but I couldn't disagree more – an account you do not set up that allows others into your device is a back door!) – arstechnica.com/…
- Germany's Highest Court finds that Facebook's Friend Finder "constituted advertising harassment", and is hence unlawful – nakedsecurity.sophos.com/…
Notable Breaches
- There has been a spate of FitBit account compromises which seem to be the result of password re-use rather than a breach of FitBit's own systems (yet another reminder of why you need a password manager) – nakedsecurity.sophos.com/…
- 250 Hyatt hotels in 50 countries suffer credit card breach – krebsonsecurity.com/…
Suggested Reading
- For those of you in the US, Brian Krebs has a good article on which states you can and cannot pre-emptively protect your kids credit ratings in by freezing them – krebsonsecurity.com/…
- Those of you in the UK – some unsettling results from a survey of NHS IT manager – nakedsecurity.sophos.com/…
- A great article about how social engineering work, and how to protect yourself – www.intego.com/…
- A reminder that the cloud is not immune to ransomeware – krebsonsecurity.com/…
- The Woodrow Wilson International Centre for Scholars is developing a Congressional Cybersecurity Lab to try educate politicians about cybersecurity – www.macobserver.com/…
- SplashData have just released the 25 worst passwords of 2015 – nakedsecurity.sophos.com/…
- Security researchers find back door in AV equipment sold to the US government – arstechnica.com/…
- Google is piloting a passwordless form of authentication – nakedsecurity.sophos.com/…
- Security researcher warns that Apple's fix to the recent Gatekeeper bypass has fixed the immediate problem, but not the underlying problem. A proper fix will require Apple to make major changes to OS X – www.intego.com/… & arstechnica.com/…
- Police in two continues are claiming to be able to decrypt data from BlackBerry devices – nakedsecurity.sophos.com/…
- MAC address scrambling coming to Linux – nakedsecurity.sophos.com/…
Lastpass –> LostPas
Bart gives his explanation of the LastPass vulnerability in the news this week. For more in depth info go to Security Now episode 543: twit.tv/sn…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
A point of clarity from Security Bits, NodeJS is a JavsScript runtime, which can run a server. It can also be used as an app platform too, Atom for example is a Node app, that runs a “browser” frame to host the app.