In this first episode back after being in the United Arab Emirates, India and Nepal for nearly a month, I tell you about the trip but through the lens of technology. Internet access limitations, planning tools, fun apps I used along the way, something for everyone. Check out Touchnote for Postcards for a fun way to send personalized cards while travelling. In Chit Chat Across the Pond Bart takes us through Taming the Terminal Part 30 of n, SSHing More Securely.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Monday March 30, 2015 and this is show number 516. Well it’s GREAT to be back! I am exhausted and a bit jet lagged but so happy to be home. We had a fantastic trip and it was such a treat to have THREE NosillaCasts to listen to from the guys. I know I thanked them in advance, but I think Bart, Guy, Gaz and Allister did such a great job.
I can listen to Bart any day of the week (that’s why I listen to ALL of his podcasts), and it was a treat to get to hear Bren talking about how he uses his iPad for his music work. Even though I don’t do any music stuff myself any more, it was still cool to hear about his progress away from paper. It was especially fun because we got to hang out with Bren when we were in Ireland with Bart a few years ago.
In spite of what Guy said on the show, I really enjoyed it. I would like to debate Gaz’s perspective on the Apple watch, and that’s what makes that kind of discussion fun. I have to admit that I did have that, “what was I thinking?” moment after asking Guy to host the show, but with Gaz as adult supervision…wait, was that even scarier?
And closing it out with Allister was perfect. As I’ve said many times, Allister could read me the phone book with that voice and I’d be happy! I learned a lot from Mike and Elaine too, really made me think a lot about good and bad training I’ve had over the years. I was most fascinated when she talked about training the clothing designers on CorelDRAW’s vector program and then finding out they really needed Photoshop training and just flipping over to that. Really shows her depth of knowledge and talent to be able to change a course on the fly like that. I hope you enjoyed the shows as much as I did. Thank you thank you thank you boys!
I have to admit something. Before I left, I was able to come up with three NEW examples of how I use Clarify to send to the boys for inclusion as ads in the show, but in the last four weeks, I didn’t do a single tutorial for ANYONE! Maybe it was the lack of Internet, maybe it was how much I was eating and drinking and watching rhinos and tigers. Maybe it was how relaxed and pampered I was, but I didn’t do anything to help anyone else with their computers or iOS devices. I think it’s the first time I’ve gone that long without using Clarify! I am certain that if it weren’t for Clarify, I wouldn’t do nearly as much to help others. I love it when I hear from you how you’ve used Clarify to take screenshots, annotate them and post your tutorials to clarify-it.com so you only have to answer a question once. Keep those stories going, and if you don’t know what we’re talking about, go to Clarify-it.com yourself and give Clarify a free trial. Mac or Windows or both if you’re a slider who likes to help others. And be sure to tell them Allison sent you!
Chit Chat Across the Pond
Security Medium – a Bad Few Weeks for HTTPS/TLS:
Four news stories highlighted a range of problems with the Public Key Infrastructure (PKI) that we rely on for so much of our online security – the PKI gives us HTTPS to secure our browsing, as well as TLS to secure a variety of other internet-connected services including email.
Unfortunately, in all these stories there is very little end users can do other than the vitally important task of keeping their software up to date. The bulk of the work to shore up the rickety PKI has to fall on the IT industry broadly.
The first two stories revolve around RC4, the cryptographic cypher used to secure about a third of HTTPS/TLS traffic today. There have been theoretical attacks against this cypher for many years, but they have remained mostly theoretical: practical attacks were impractical to the point of being effectively impossible. The problem is that attacks only ever get better, and at two separate security conferences, two new and improved attacks against RC4 were released. These attacks are still not practical, but they are getting uncomfortably close to being so. It’s time for people who run websites and other TLS-secured services to phase out RC4. For now, this is not something end users need to worry about, just sysadmins, and it’s not yet an emergency. More detail: http://arstechnica.com/security/2015/03/noose-around-internets-tls-system-tightens-with-2-new-decryption-attacks/
The second two stories revolve around the procedures for issuing certificates. The two failures are very different, but the end result was the same: fraudulent certificates issued for major websites.
The first certificate whoopsie came courtesy of Microsoft. From reading their statements you’d think the certificate authorities had messed up, but that’s not true, it was Microsoft themselves who messed up.
The problem revolved around DCV (domain control validation), the process certificate authorities use to verify that the person applying for a certificate really does control the domain they are applying for the certificate for. There are a few flavours of DCV: for example, a CA (certificate authority) can request that the applicant add a randomly generated DNS record to their domain, or that they put a particular web page at a randomly generated file path on their domain. But the DCV method that caught Microsoft off guard was email-based DCV. There is a small set of standard administrative email addresses that are used for DCV, including hostmaster@domain, and Microsoft failed to reserve that address in their mail offerings, allowing enterprising Microsoft Live users to add the email address hostmaster@some_microsoft_domains as an alias to their Microsoft Live accounts, and hence to pass DCV, and hence to register certificates for Microsoft domains. The CAs did nothing wrong here, they followed DCV procedures to the letter; it is MS who messed up by not reserving all the standard DCV email addresses at all their domains. More Detail: http://arstechnica.com/security/2015/03/man-who-obtained-windows-live-cert-said-his-warnings-went-unanswered/
The second problem was entirely the fault of a CA though. The Chinese CA China Internet Network Information Center issued an intermediate certificate to an Egyptian company, which gave that company the power to sign any certificate. They gave the certificate to the Egyptian company with the agreement that it would only be used to sign certs for domains the company controlled, but the Egyptians broke that agreement and signed certs for all sorts of domains, including Google domains. Chrome phones home whenever it meets a fraudulent Google cert, and so the whole story came out. More Detail: https://nakedsecurity.sophos.com/2015/03/26/serious-security-china-internet-network-information-center-in-tls-certificate-blunder/
Both of these sets of fraudulent certs were revoked through browser updates, hence the importance of keeping your browser up to date.
However, the real take-away for the industry is that they really need to figure out certificate revocation once and for all. At the moment, the system is a mess, and not at all effective. That needs fixing ASAP.
Important Security Updates:
- Apple released Security Update 2015-003 for older versions of OS X, and OS X 10.10.2 for Yosemite, to fix a number of security vulnerabilities including a weakness in iCloud Keychain – https://www.us-cert.gov/ncas/current-activity/2015/03/20/Apple-Releases-Security-Update-OS-X-Yosemite & http://www.macobserver.com/tmo/article/apples-yosemite-2015-003-security-update-patches-hole-in-icloud-keychain
- Apple released a security update for Safari – http://www.macobserver.com/tmo/article/apple-squashes-memory-corruption-and-url-disguising-bugs-in-safari
Important Security News
- Over the last few years we’ve covered the story of how Google used a hack to bypass the explicit settings of Safari users blocking the use of 3rd party cookies. In the US Google got away with what amounts to a slap on the wrist, but the story has taken an interesting turn in the UK, with the Court of Appeal ruling that UK citizens are free to sue Google for breaching their privacy – http://www.macobserver.com/tmo/article/uk-safari-users-can-sue-google-over-unwanted-browser-cookies
- A prank website that tricks straight men into chatting up other straight men on Tinder underlines yet again how insecure the Tinder API is – https://nakedsecurity.sophos.com/2015/03/27/tinder-hack-tricks-men-into-unknowingly-flirting-with-each-other/
- About half of Android handsets are vulnerable to an installer bug that allows attackers to install a different app to the one users approve, and the unapproved app that gets installed can take different permissions to the ones the user approved – a malware author’s dream! You show the customer a free game that asks for almost no permissions, then install a key logger with permission to do anything it wants! – http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-attaclers-to-install-password-stealers/ & https://www.us-cert.gov/ncas/current-activity/2015/03/24/Installer-Hijacking-Vulnerability-Android-Devices
- Weak security in the Steam GreenLight pages briefly distributes malware to Steam users – http://arstechnica.com/gaming/2015/03/malicious-user-hides-trojan-links-in-cloned-steam-greenlight-pages/
- Intego take a deep dive into the Ask Toolbar now being bundled into Java security updates by Oracle – http://www.intego.com/mac-security-blog/inside-the-ask-toolbar-installed-with-java-for-mac/ (editorial by Bart: I find this practice disgusting and immoral, and it’s the end of Java from Oracle for me. If I have to use Java it will be on Linux with an open-source JRE – I refuse to do business with any company that ships what I consider malware with security updates)
- A leaked report shows that an FTC investigation found that Google was manipulating search results to hurt competitors, but no action was taken by the regulator despite the report’s findings – http://www.macobserver.com/tmo/article/ftc-report-details-how-google-manipulated-results-to-hurt-competitors (editorial by Bart: this seems like a real scandal to me, but it doesn’t seem to be making much of a splash in the media)
- All the major browsers get hacked at the annual Pwn2Own competition – be sure to patch your browser as the vendors all issue security updates to patch the holes – http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-stomping-at-pwn2own-hacking-competition/
- It’s confirmed – our brains really do shut down when we see too many security warnings! At least that’s what MRI scans appear to show – http://arstechnica.com/security/2015/03/mris-show-our-brains-shutting-down-when-we-see-security-prompts/
- An interesting hardware hack against iPhone PINs got a lot of attention in the news. If you have patched your iPhone to the latest version of iOS you are safe though. The device required that your phone be opened up and probes be attached to certain points on the phone’s circuitry. The device would then try a PIN, and if it failed, kill the power to the phone before the phone had time to record the failure, hence getting around the 10-try limit. The bug was fixed by Apple simply changing the order in which the code does things: now a failure is assumed and recorded first, and only after the unlock succeeds is that failure removed from the counter. Now, if you kill the power the instant you know the unlock failed, the failed attempt still gets logged – http://www.intego.com/mac-security-blog/iphone-pin-pass-code/
- PSA – Americans – sign up at irs.gov before someone does it for you – http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/
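The passcode-counter fix described in the iPhone item above, as an added Python simulation that is not code from the page, from Apple or from Intego: the check-then-record ordering beside the record-then-undo ordering, with a simulated power cut fired the instant a failure is known. `MAX_TRIES`, `CORRECT_PIN`, the `PowerCut` exception and the `Counter` store are all constructed for this example.

```python
MAX_TRIES = 10
CORRECT_PIN = "4821"  # constructed sample value, not a real passcode


class PowerCut(Exception):
    """Constructed stand-in for the power being pulled mid-operation."""


class Counter:
    """Persistent failed-attempt counter; it survives the simulated reboot."""

    def __init__(self):
        self.failed = 0


def verify_fragile(store, pin, cut_power_on_failure=False):
    """Original ordering: compare first, persist the failure afterwards."""
    if store.failed >= MAX_TRIES:
        return "locked"
    ok = pin == CORRECT_PIN
    if not ok and cut_power_on_failure:
        raise PowerCut  # power is gone before the failure is written
    if not ok:
        store.failed += 1
    return "unlocked" if ok else "wrong"


def verify_fixed(store, pin, cut_power_on_failure=False):
    """Fixed ordering: persist a failure before comparing, remove it only on success."""
    if store.failed >= MAX_TRIES:
        return "locked"
    store.failed += 1  # provisional failure, already on record
    ok = pin == CORRECT_PIN
    if not ok and cut_power_on_failure:
        raise PowerCut  # too late: the failure has already been persisted
    if ok:
        store.failed -= 1
        return "unlocked"
    return "wrong"


def run_guesses(verify, guesses):
    """Try guesses, cutting power after each failure; return (persisted failures, last result)."""
    store = Counter()
    result = None
    for pin in guesses:
        try:
            result = verify(store, pin, cut_power_on_failure=True)
        except PowerCut:
            result = "wrong"  # reboot: the counter keeps only what was persisted
        if result in ("locked", "unlocked"):
            break
    return store.failed, result
```

With twenty wrong guesses and a power cut after each, `run_guesses(verify_fragile, ...)` ends with zero recorded failures and no lockout, while `run_guesses(verify_fixed, ...)` locks after ten.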
Notable Breaches and other Privacy-related Developments:
- Thousands of Uber logins available to purchase on the Dark Web – http://arstechnica.com/tech-policy/2015/03/dark-web-vendors-offer-up-thousands-of-uber-logins-starting-at-1-each/
- Uber join the ranks of big-data sellers as they start selling data about their customers’ movements and shopping habits – https://nakedsecurity.sophos.com/2015/03/26/uber-goes-big-data-shares-customers-data-with-a-hotel-chain/ (editorial by Bart – I love the idea of not needing to own a car, but everything I learn about this company makes me more and more determined never to have anything to do with them ever)
- Entire Oakland police license plate reader data available to the public – https://nakedsecurity.sophos.com/2015/03/26/entire-oakland-police-license-plate-reader-data-set-handed-to-journalist/
- Twitch resets all user passwords following a breach – http://arstechnica.com/security/2015/03/twitch-resets-user-passwords-following-breach/
- A surprisingly amateurish blunder in basic web security exposed all Hilton Honours accounts. The bug has been fixed, but if you have a Hilton Honours account, now would be a great time to log in and make sure no one has pinched your points, and perhaps also set a new password while you’re there – http://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/
- US healthcare provider Premera Blue Shield may have leaked information on 11 million customers – http://arstechnica.com/security/2015/03/premera-cyberattack-could-have-exposed-information-for-11-million-customers/
- A parent’s guide to in-app purchases – http://www.intego.com/mac-security-blog/guide-to-in-app-purchases/
- Rich Mogul on TidBits does a great job debunking some FUD being spread about the new MacBook’s use of USB-C – http://tidbits.com/article/15505
- Windows 10 will let you log in with your face – http://arstechnica.com/information-technology/2015/03/windows-10-says-hello-to-logging-in-with-your-face-and-the-end-of-passwords/
- Google makes some improvements to its Google Play app approval process that involve the addition of some humans into the equation. Their process is still a lot less rigorous than Apple’s though – https://nakedsecurity.sophos.com/2015/03/19/google-announces-two-improvements-to-google-play-app-approval-process/ & http://social.techcrunch.com/2015/03/17/app-submissions-on-google-play-now-reviewed-by-staff-will-include-age-based-ratings/
- Microsoft generated some controversy by changing their requirements around Secure Boot for Windows 10 certification. For Windows 8, vendors had to allow Secure Boot to be disabled for the machine to be certified; with Windows 10, that requirement has gone. Devices certified for Windows 10 Mobile will not be allowed to have such a switch, while such a switch has become optional for other Windows 10 devices. The reason this is controversial is that Secure Boot makes it impossible to run open-source OSes like Linux – http://arstechnica.com/information-technology/2015/03/windows-10-to-make-the-secure-boot-alt-os-lock-out-a-reality/
- Bank testing heartbeat encoded wristbands for online auth – https://nakedsecurity.sophos.com/2015/03/16/bank-tests-heartbeat-encoded-wristbands-for-online-authentication/
- Some good advice for what to do if you ever get doxed, and how to minimise your chances of getting doxed in the first place – http://arstechnica.com/security/2015/03/anti-doxing-strategy-or-how-to-avoid-50-qurans-and-287-of-chick-fil-a/
- ISIS doxes US soldiers and calls on supporters to kill them – http://arstechnica.com/tech-policy/2015/03/islamic-state-doxes-us-soldiers-airmen-calls-on-supporters-to-kill-them/
Main Topic – More SSHing
Before starting into Taming the Terminal Part 30 of N, I just want to acknowledge a great tip sent in by a listener/reader, Twitter user @adrianluff.
In part 29 I said that if you find you need to delete an SSH host key, you need to edit the file ~/.ssh/known_hosts with a text editor and delete the offending line. Adrian pointed out that you can use the ssh-keygen command to do this for you, so I’ve added that tip into Taming the Terminal Part 29 of N: https://www.bartbusschots.ie/s/2015/02/14/taming-the-terminal-part-29-of-n-intro-to-ssh/
Now we are ready to move on into part 30 of N – adding more security and convenience through the use of SSH keys – https://www.bartbusschots.ie/s/2015/03/29/taming-the-terminal-part-30-of-n-sshing-more-securely/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, and follow me on Twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.