Plus the latest vulnerabilities in Wireshark and OpenSSH, the new forensic hotness from Netflix, and some great introductions to cryptography.

Special Guest: Martin Wimpress.

Links:

• I’m teaching email security to Democratic campaigns. It’s as bad as 2016.
• Botched CIA Communications System Helped Blow Cover of Chinese Agents
• NSA-Designed Speck Algorithm to Be Removed From Linux 4.20
• Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
• Wireshark can be crashed via malicious packet trace files
• Service provider story about tracking down TCP RSTs
• The case of the 500-mile email
• Diffy: A cloud-centric triage tool for digital forensics and incident response
• An intensive introduction to Cryptography
• The Manga Guide to Cryptography | No Starch Press

Plus we discuss Let's Encrypt’s Wildcard support and explain what ACME v2 is.

Then we detail the bad position Samba 4 admins are in, and the real cause of these recent 1.7Tbps DDoS attacks.

Sponsored By:

• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

• Hardcoded Password Found in Cisco Software — Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
• Potent malware that hid for six years spread through routers — "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."
• CVE 2018-1057: Authenticated Samba users can change other users' password — On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
• CVE-2018-1057 - SambaWiki Workarounds — Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.
• ACME v2 and Wildcard Certificate Support is Live — We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
• It just got much easier to wage record-breaking DDoSes — Within days of the new technique going public, security firms reported it being used in a record-setting 1.3 terabit-per-second DDoS against Github and then, two days later, a record-topping 1.7 Tbps attack against an unnamed US-based service provider.
• The real cause of large DDoS — All the gigantic headline-grabbing attacks are what we call "L3" (Layer 3 OSI[1]). This kind of attack has a common trait - the malicious software sends as many packets as possible onto the network.
• Project Nimble – Netflix TechBlog — We set ourselves an aggressive goal of being able to fail over traffic in less than 10 minutes.
• Follow Up: Alex has a tip for Alex
• Question: Oliver asks about a fail2ban replacement
• S3Scanner — Scan for open S3 buckets and dump
• Chromium is also a Snap

Then we do a deep dive into some SMB fundamentals and practical tips to stay on top of suspicious network traffic.

Sponsored By:

• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

• Why TLS 1.3 isn't in browsers yet — It has been over a year since Cloudflare’s TLS 1.3 launch and still, none of the major browsers have enabled TLS 1.3 by default.
• TLS 1.3 middleboxes test — This page performs some tests to check for middlebox interference with TLS 1.3. For that it requires Adobe Flash and TCP port 843 to be open. If this is not the case, all tests will fail with N/A.
• Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS — AWS account credentials and firmware AES encryption keys were also exposed on GitHub,
• Data on 123 million US households exposed — Leaky bucket might be a better description because when opened the database revealed the personal financial data of 123m American households – in effect everyone with an address in the US around the time of the file’s creation in 2013.
• Massive US military social media spying archive left wide open in AWS S3 buckets — Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.
• Security Monkey — Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.
• An Introduction to SMB for Network Security Analysts — At its most basic, SMB is a protocol to allow devices to perform a number of functions on each other over a (usually local) network.
• StorageCrypter Ransomware: Security Threat or Clickbait? — Hats off to the most buzzword-loaded headline of the year: “StorageCrypt Ransomware Infecting NAS Devices Using SambaCry”.
• DHCPDECLINE Follow Up — I think I have a hypothesis. When dhclient is offered an IP, it attempts to look it up in dhcpd.leases (under /var), and if /var has errors, the lookup fails and says "not found" (which is what the DHCPDECLINE line says in the log).
• Please keep some BSD — Please don't get too Linux single-minded. Some FreeBSD plugs here and there are welcome.
• Repairing a 1960s mainframe: Fixing the IBM 1401's core memory and power supply — Core memory was a popular form of storage in this era as it was relatively fast and inexpensive. Each bit is stored in a tiny magnetized ferrite ring called a core.