NC #605 Exercise, IRCcloud, Affinity Photo 1.5, Security Bits

I got to be on the Ritual Misery Podcast at ritualmisery.com/…. In a completely non-tech story I tell you about my path to exercise and give you some really practical tips on how to get in shape yourself. Joe LaGreca and I collaborated on a review of IRCcloud at irccloud.com, which helps you stay logged into all your favorite IRC clients. The folks at Serif have done it again, coming out with Affinity Photo 1.5 for Mac AND Windows that adds HDR, Tone Mapping, Focus Stacking and more. Bart Busschots joins us with his fortnightly Security Bits segment.

mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday December 11, 2016 and this is show number 605.

NosillaCastaways Rock

Two weeks ago Terry Austin joined us for Chit Chat Across the Pond where he talked about the iPhone app Hearing Aid Pro and how paired with the Trekz Titanium bone-conducting headphones, it provided an amazing hearing enhancement. In the show he mentioned that he’s been working closely with the Hungarian developer of Hearing Aid Pro, Gabor Szántó. Terry also mentioned that the folks over at Trekz sent him two pairs of headphones, one for him and one for Gabor.

Very cool of Trekz to do that, but there was one problem. For Terry to ship them to Gabor in Hungary was going to cost around $100 and it would cost Gobar another $25 in VAT taxes to receive them, which adds up to about what the headphones cost in the first place. Terry did a shoutout to the NosillaCastaways asking if anyone knew a more cost-effective way to get them to Hungary.

This week Peter Szabó wrote to Terry and me explaining that he’d just heard the show, and if Terry could ship them to him in Washington DC by December 17th, he would be delighted to get them to Gabor when he was traveling to Hungary. How cool is that? The NosillaCastaways in every way rock. The generosity to offer to do this is amazing. I often forget that there are so many of you out their quietly listening (maybe yelling at your audio devices, but I can’t hear you). Thank you Peter, you’re a gentleman and a scholar!

Chit Chat Across the Pond

Bart Busschots is back with another installment of Programming By Stealth. In this week’s episode we wake Allison up from her long winter nap away from programming and continue our work on our JavaScript clock. The goal is to create a better API for our clock so that we can publish it and have it be used by others. My personal goal is to have a secure clock I can display on https://podfeet.com/live so that you know when it’s coming up on 5pm at my house and hence time for the NosillaCast Live. In order to achieve this goal, we need to learn how to add data attributes within html, and ithen change those attributes using jQuery. Dust off your memories of prototypes and screw your propeller beanie on tight for this one!

Ritual Misery Podcast

A few weeks ago I was on a podcast that’s nothing like any other I’ve been on before, called the Ritual Misery Podcast. It’s hosted by two fine gentlemen, Kent Fellure and Anthony Lemos, aka Amos. They start with a review of their week from a personal perspective, then they ask the guest about the geekiest thing they’ve done that week. I decided to talk about how I tried to get the VPN working on my Netgear router, and how I failed miserably in my task but explained that I see this as a temporary setback. I plan to get Denise to play with me soon so we can mess up BOTH of our Netgear X8s.

Next the guest is asked about a TED talk they watched that week. I told them about the one with Dr. Elizabeth Loftus, memory psychologist and mentor to Dr. Maryanne Garry who’s been on this show several times. They talked about their recent TED talk viewing and explained that it’s rare that all three were actually ones they liked. Evidently they often talk about TED talks they DON’T like! Anyway, I don’t want to spoil the whole episode because it was great fun, and I hope you’ll go check out episode 104 of the Ritual Misery Podcast at ritualmisery.com/…

Blog Posts

And Now for Something Completely Different

IRCcloud Keeps You Logged In Across Devices

Affinity Photo 1.5 Adds HDR, Tone Mapping, Focus Stacking and More

Patreon and Amazon

We only have a few more weeks of shopping left in the holiday season, so if you could make a mental note to start at podfeet.com when shopping at Amazon, that would be awesome. Ideally you can click on a link to a product you like in a review or you can just use the big Amazon search link to get to Amazon, If you remember to do this, a small percentage of what you spend in that session will go to support the costs of producing the shows.

If you have trouble remembering, maybe a monthly Patreon donation is more up your alley. Just go to podfeet.com/patreon and from there you can pledge a quarter a show, a dollar, five hundred dollars – what ever you feel the show is worth. You only get charged for the NosillaCast, and only if I produce the shows I promise to produce.

Thank you to all of you who’ve been buying away on the podfeet Amazon Affiliate Links and to our wonderful Patrons.

Security Bits

Security Medium 1 – Mirai Attacks German & Irish Routers

Mirai botnets have found a new source of victim devices – home routers provided to customers by German ISP Deutsche Telecom, and Irish ISP Eircom. The routers in question are made by Zyxel and Speedport. Both have flaws in their implementation of the TR-064 & TR-069 protocols which are designed to allow ISPs remotely manage routers. Attackers can use these flaws to enable remote access to the router’s web admin interface. This allows them to attack the admin password – if the admin password is weak, or worse still, the default, then the attackers can take over the routers and recruit them into their botnet – at least until they are rebooted. Honeypots run by Kaspersky are showing attempted attacks against TR-064/69 every 10 to 15 seconds, so a reboot won’t keep an affected router with a default password safe for very long!

In Germany up to 900,000 customers are affected, though it will inevitably be much fewer in Ireland because it’s a much smaller country.

Widespread outages affecting Deutsche Telecom customers were related to the flaws in these routers.

Deutsche Telecom has implemented a crude workaround that seems to be keeping the attacks under control for now – they are using firewalls to filter out packets that look like they are attacking the vulnerabilities before they get as far as the routers. This is not a real fix, if attackers can better disguise the attacks, they could get through again. Firmware updates will need to be pushed to all the affected routers in both Germany and Ireland.

In the mean time, there is something very simple users can do to protect themselves – set a strong admin password on your router. This is good advice for everyone, not just Deutsche Telecom and Eircom customers.

Links:

• arstechnica.com/…
• nakedsecurity.sophos.com/…
• krebsonsecurity.com/…

Security Medium 2 – Ransomware takes out Muni

The Muni rail network in San Francisco was taken down by ransomware infecting thousands of PCs and servers. It seems the attacks were limited to staff systems, and did not get into the systems that control the signals and things like that. This meant the trains could run safely, but it was impossible for Muni to issue tickets. To avoid grinding the city to a halt, Muni gave people free rides while they got their systems back in gear.

It seems that exploitation of a Java vulnerability that was patched a year ago let the attackers in.

In an ironic twist, the Muni attacker was himself hacked, so we know he’s been making a good living from his crimes – at leat $140,000 in ransoms.

Links:

• nakedsecurity.sophos.com/…
• arstechnica.com/…
• krebsonsecurity.com/…

Security Medium 3 – Russian Attacks on Western Democracy

It now seems clear that Russia engaged in cyber attacks with the express intention of not only disrupting US elections, but affecting their outcome. US intelligence agencies believe there is clear evidence that the Russians worked to skew the election towards Donald Trump.

The Obama administration learned about this back in September, but did not want to go public without bi-partisan support for fear of affecting the elections. Republicans were divided on the matter, so bi-partisan support was not forthcoming, so the public were only told that Russians appeared to be trying to undermine the election, not that they were trying to affect the result. (Editorial by Bart – quite the contrast with the FBI’s behaviour!)

President Obama has asked for a “full review” of election-related hacks.

The problem is not confined to US elections, there is also evidence the Russians are attacking Germany’s up-coming elections.

Finally, in response to these revelations, some on the fringes of US politics have stated to push a conspiracy theory that the US DHS tried to hack the stage of Georgia’s voter registration DB – it’s important to note that there is no evidence to back up this claim.

Links:

• arstechnica.com/…
• arstechnica.com/…
• arstechnica.com/…

Important Security Updates

• FireFox and TOR have released emergency updates to their browsers to address a 0-day vulnerability that was being actively exploited in the wild – nakedsecurity.sophos.com/…

Important Security News

• Yet another reason never to plug anything a stranger gives you into your computer – you can now buy a device that looks like a USB thumb drive, but is designed to dump a strong electrical discharge into a device and destroy it for $50 – arstechnica.com/…
• Yet another reason not to buy counterfeit chargers – investigators find that 99% of fake Apple chargers fail basic safety tests – www.bbc.com/…
• Security researchers warn users to steer clear of AccessURL – a Chrome plugin that has been getting traction online. The plugin promises to share your online accounts with others without having to share your password, but it does so by sharing your cookies – this is not safe – nakedsecurity.sophos.com/…
• The highly controversial ‘Snoopers Charter’ has become law in the UK – the law forces ISPs to keep records of all their customers surfing for a year, and the records can be accessed by police without approval from a judge – nakedsecurity.sophos.com/…
• Following a massive increase in a new kind of spam targeted at Apple users – iCloud calendar spam – Apple says they are working on a fix to better filter the messages out before they arrive in users inboxes – www.macobserver.com/…
  • If you do get targeted, here is some advice on how to deal with it from various publications: www.macsparky.com/… & www.macobserver.com/…
• Security researchers find that BitLocker, Microsoft’s full disk encryption, can be bypassed at certain times during automated software upgrades – if you have the time, and you really want to access the drive of a windows machine that is encrypted, you just have to wait till it automatically reboots to do a software upgrade, and then you can swoop in and capture all the data from the encrypted drives – nakedsecurity.sophos.com/…
• The US passes the Consumer Review Fairness Act making honest but uncomplimentary reviews legal and protected – nakedsecurity.sophos.com/…
• Dangerous flaws have been found in AirDroid, a popular remote management app for Android phones. The app does not properly encrypt its communication, allowing a man in the middle to install any code of their choosing on people’s phones. There is no fix yet, but the company promise to have one soon – arstechnica.com/…
• Researchers discover a bug in iOS that allows attackers to bypass the remove lock that can be triggered with Find My iPhone should should your device be stolen. Until this bug is patched, you can’t assume the remote lock actually locks people out. Should your iOS device be stolen before there is a patch, consider remote wiping it rather than remote locking it – nakedsecurity.sophos.com/…
• UK Police find a low-tech way to bypass strong encryption on mobile devices – after getting a court order, they wait till the target answers a call, then swipe the unlocked phone out of their hands – www.macobserver.com/…
• Business Insider report that FaceBook is going back to having humans curate news stories after their attempts to automated the process failed miserable, with a raft of fake ‘news’ being pushed at people by the company – nakedsecurity.sophos.com/…
• Owners of high-end Sony IP cameras need to update their firmware ASAP to remove two back doors Sony intentionally included in the firmware. At least 80 models of camera are affected – nakedsecurity.sophos.com/…
• More proof that there is no such thing as a safe webpage, especially if it serves ads. Attackers successfully tricked ad networks into distributing attempted browser exploits which were cleverly hidden within ads – arstechnica.com/…

Notable Breaches

• Password re-use allows attackers to steal personal data on about 26.5k UK citizens who have online accounts with the UK’s national lottery – thankfully no financial data was available in those accounts for the attackers to steal – nakedsecurity.sophos.com/…
• 80 million user records stolen from video sharing site Daily Motion, including hashed passwords – nakedsecurity.sophos.com/…
• Two reputable UK charities have been fined by the UK Information Commissioner for sharing donor data without user consent – the charities were sharing data so they could target people they deduced were probably wealthy – nakedsecurity.sophos.com/…

Suggested Reading

• What is Mesh Networking, and will it solve my WiFi Problems? – lifehacker.com/…
• A Beginners Guide to Beefing up your Privacy and Security Online – arstechnica.com/…
• Coordinated raids in 5 countries take down the Avalanche botnet – arstechnica.com/… & krebsonsecurity.com/…
• Because different websites check credit card details in different ways, attackers have found a way to use a database of which sites check what in combination with bots that simultaneously try to use VISA cards on many sites at once to guess CVV and Expiry dates in seconds. These attacks only work because VISA’s backend does not notice when the same card is used simultaneously on many sites. The attack doesn’t work against MasterCard, because their backend does notice simultaneous use on different sites, and blocks the card being attacked – arstechnica.com/… & nakedsecurity.sophos.com/…
• The Internet Archive is moving a full copy of its systems and data to Canada to protect from any censorship or other overreach from the rapidly approaching Trump administration – www.theverge.com/…
• Cloudflare see a new, as yet unnamed DDOS botnet rising – arstechnica.com/…

A Pallet Cleanser

• The story behind the famous Lunch atop a skyscraper photo – www.youtube.com/…

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.