Plus, Magecart strikes again, Alpine has package problems, and why you shouldn't trust Western Digital's MyCloud.

Special Guest: Jon Spriggs.

Links:

• GovPayNow.com Leaks 14M+ Records — Government Payment Service Inc. has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
• Magecart claims another victim in Newegg merchant data theft — Researchers from RiskIQ, together with Volexity, revealed that California-based retailer Newegg is the latest well-known merchant to succumb to the threat actors.
• RiskIQ: Another Victim of the Magecart Assault Emerges
• Password bypass flaw in Western Digital My Cloud drives puts data at risk — A security researcher has published details of a vulnerability in Western Digital’s My Cloud devices, which could allow an attacker to bypass the admin password on the drive, gaining complete control over the user’s data.
• WD MyCloud Metasploit Example
• Cloudflare goes InterPlanetary — Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.
• End-to-End Integrity with IPFS — This post describes how to use Cloudflare's IPFS gateway to set up a website which is end-to-end secure, while maintaining the performance and reliability benefits of being served from Cloudflare’s edge network.
• How permanent is data stored on IPFS?
• Lesson: Add Content to IPFS and Retrieve It · Decentralized Web Primer
• Leo Tindall: Putting This Blog on IPFS
• A Beginner’s Guide to IPFS — IPFS consists of several innovations in communication protocols and distributed systems that have been combined to produce a file system like no other.
• Useful resources for using IPFS and building things on top of it
• OrbitDB: Peer-to-Peer Databases for the Decentralized Web
• Rebuild Alpine Linux Docker Containers After Package Manager Patch — An attacker could intercept a package request as a Alpine Linux Docker image is being built and add malicious code that target machines would then unpack and run within the Docker container

Plus a concise breakdown of Meltdown, Spectre, and side-channel attacks like only TechSNAP can.

Then we run through the timeline of events, and the scuttlebutt of so called coordinated disclosure. We also discuss yet another security issue in macOS High Sierra, a backdoor in popular storage appliances, your questions, and more!

Sponsored By:

• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

• Meltdown and Spectre — Meltdown and Spectre exploit critical vulnerabilities in modern processors.
• The Meltdown and Spectre CPU Bugs, Explained
• How we got to Spectre and Meltdown A Timeline My version of the timeline... — My version of the timeline on Spectre Meltdown. This post will be updated! If you want to add/correct something, please comment.
• How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown | TechCrunch — Eventually six cloud providers — Scaleway, DigitalOcean, Packet, Vultr, Linode and OVH — formed a consortium of sorts to help one another and share information. In order to make the process more efficient, they started a Slack channel with CEOs, CTOs and engineers from the various companies sharing information and fixes as they became available.
• FreeBSD was made aware of Meltdown and Spectre in late December. There's currently no ETA for mitigation. — It looks like Dragonfly BSD has a patch, so hopefully that will be useful for FreeBSD.
• heads up: Fix for intel hardware bug will lead to performance regressions — Upcoming versions of the linux kernel (and apparently also windows and others), will include new feature that apparently has been implemented with haste to work around an intel hardware bug.
• AWS Developer Forums: Degraded performance — Immediately following the reboot my server running on this instance started to suffer from cpu stress.
• Google is pushing Retpoline — With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.
• PCID is now a critical performance/security feature on x86 — On any system that does not currently show "pcid" in the flags line of /proc/cpuinfo, Meltdown is a bigger issue than "install latest updates".
• Spectre & Meltdown vulnerability/mitigation checker for Linux — A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
• Microsoft PowerShell Script to check for Meltdown — To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
• Why Raspberry Pi isn't vulnerable to Spectre or Meltdown — To help us understand why, here’s a little primer on some concepts in modern processor design.
• macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password — A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
• Major macOS High Sierra Bug Allows Full Admin Access Without Password
• WD My Cloud NAS devices have hard-wired backdoor — Lets anyone log in as user mydlinkBRionyg with the password abc12345cba.
• Question: How could I measure all of these overhead performance hits? — My question: how could I measure all of these overhead performance hits, so I can put in a well educated request to adjust all of these components, so I have a computer that performs near its capacity?
• Perfmon
• Troubleshooting with the Windows Sysinternals Tools
• ProcDump
• Process Monitor - Replaces filemon
• Question: MySQL Replication Woes — The problem is that during some larger deletes on the master, the tables on the slave get locked and the slave lag goes through the roof.. During this time all of my selects that have been sent to the slave are just sitting there and waiting for the table to unlock while the master is just fine.
• Ask Noah 44: Red Hat with Brandon Johnson
• BSD Now 228: The Spectre of Meltdown