Z-Library domains seized – Best of NTX 2022

This week we are revisiting the episodes with the most important news of the year, along with some of the most-watched episodes. Now it is the turn of the takedown of Z-Library's domains. By the way, do not trust the “new Z-Library domains”, since they are pirate copies. More pirate than the original, which itself distributed texts illegally. Check its Telegram channel or look up its Dark Web domain via Tor to reach the “official source”.

MP3


You can SUBSCRIBE HERE.

You can support Noticias de Tecnología Express directly at this link.
Thanks to everyone who supports us. Without you, none of this would be possible.
Many thanks to Dan Lueders for the music.

Contact us by writing to [email protected]

Missing the Focus on Marketing – DTNS Weekend Edition 4

Are continual camera upgrades a good thing, is camera marketing broken, and what camera gear do you bring to big events?

Hosted by Rich Stroffolino and Anthony Lemos

MP3 Download

Follow us on Twitter, Instagram, YouTube and Twitch

Please SUBSCRIBE HERE.

Subscribe through Apple Podcasts.

A special thanks to all our supporters. Without you, none of this would be possible.

If you are willing to support the show, or to give as little as 10 cents a day on Patreon, thank you!

Become a Patron!

Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods Jack_Shid and KAPT_Kipper on the subreddit

Send email to [email protected]

Show Notes
To read the show notes in a separate page click here!


LastPass Had One Job! – DTNS 4422

It’s our last LIVE show for the 2022 year and we’re doing a special Q&A episode. Watch as we answer questions submitted to us from our listeners.

Starring Tom Merritt, Patrick Norton, Len Peralta, Roger Chang, Joe, Amos

MP3 Download



Multiple versions (ogg, video etc.) from Archive.org



Check your LastPass passwords – NTX 278

Meta pays a multimillion-dollar fine, Microsoft responds to the FTC, and it is time to review our LastPass passwords.

MP3



News:
-ByteDance confirmed a New York Times report that some employees tracked several journalists and their associates on TikTok, obtaining IP addresses and user data.
-Twitter began rolling out View Counts on Android and iOS, which will publicly show how many views a tweet has.
-Meta agreed to pay a $275 million settlement in a class-action lawsuit accusing the company of allowing third parties, such as Cambridge Analytica, to access users' personal information.
-Microsoft filed its response to the US Federal Trade Commission's lawsuit seeking to block its purchase of Activision Blizzard.
-Password manager LastPass disclosed that it suffered a data breach in August, and at the time said that a malicious actor “took portions of source code and some proprietary LastPass technical information”.

Analysis: Who protects our protectors?


Show Notes
To read the episode notes in a separate window, click here!

LastPass Discloses Customer Vault Data Accessed – DTH

LastPass disclosed that an August data breach copied encrypted password vaults, ByteDance confirmed a report that employees tracked journalists on TikTok, and Apple scrapped a next-gen GPU for the iPhone 14 Pro due to an engineering design mistake.

MP3

Please SUBSCRIBE HERE.

You can get an ad-free feed of Daily Tech Headlines for $3 a month here.

A special thanks to all our supporters. Without you, none of this would be possible.

Big thanks to Dan Lueders for the theme music.

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, KAPT_Kipper and PJReese, on the subreddit

Send us email at [email protected]

Show Notes
To read the show notes in a separate page click here.

Work out with Netflix – NTX 277

Work out with Netflix, Twitter revamps Cashtags, and DaVinci Resolve comes to the iPad

MP3



News:

-It is confirmed: Google and the NFL announced that YouTube will offer the NFL Sunday Ticket subscription for out-of-market NFL games, starting with the 2023 season.
-Good news for post-production professionals! DaVinci Resolve is now available for iPadOS on the App Store.
-Reuters sources say TikTok offered new terms to the US government in an attempt to ease security concerns.
-Cashtags can now link to cryptocurrencies such as Bitcoin and Ether.
-Netflix will add Nike Training Club workouts to its streaming service starting December 30.


Google Calls A Code Red Over ChatGPT – DTNS 4421

As the future of Twitter remains clouded, Mastodon is benefiting with new users, including some big players like Mozilla. But is the distributed social media platform capable of being scaled up and managed effectively? Plus, is the future of vertical farming at risk from higher energy prices? The New York Times reports that Google issued a Code Red over the rise of ChatGPT. Google CEO Sundar Pichai directed teams in Google’s research, trust, and safety division to assist in developing AI prototypes and products.

Starring Tom Merritt, Sarah Lane, Robb Dunewood, Roger Chang, Joe, Amos

MP3 Download



YouTube Gets NFL Sunday Ticket – DTH

YouTube won the bid for the NFL Sunday Ticket, Quora launches a platform to talk with various AI chatbots, and Netflix will add Nike Training Club content.

MP3


About Supply Chain Attacks


Supply chain attacks are an interesting method of compromising a computer system, but how do they work? Tom Explains.

Featuring Tom Merritt.

MP3

Please SUBSCRIBE HERE.

A special thanks to all our supporters. Without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email at [email protected]

Episode transcript:

I heard some software got compromised because of a supply chain attack.

That sounds like malware was delivered by boat or something.

But my SysAdmin friend tells me it’s no joke. What the heck is it?

Confused? Don’t be. Let’s help you know a little more about Supply Chain Attacks.

A supply chain attack can mean a lot of things, including people drilling a hole in a warehouse or something. But in the technology world we use the term supply chain attack to mean adding malicious code to software or hardware before it is supplied to its destination. This lets the attacker use it as a Trojan horse. Wait for the compromised admin software or network card to be installed within a company’s network, then attack from within.
Supply chains in tech usually involve multiple vendors. In hardware there is software embedded on parts that may be sent to multiple packagers and assemblers before finally being shipped out for warehousing and distribution. In software, multiple vendors may make components used in the software, some open source and some proprietary. It could be components or dependencies. Little bits of code that do one specific thing and save a lot of time and money so that developers don’t have to rewrite every piece from scratch. Like maybe a clock or a machine learning model. Even when the software is finally done, the software-maker may use intermediaries to distribute the software and to handle pushing out updates.
Any one of those links in the chain can be an opportunity for an attack. Supply chain attacks are conducted by sophisticated actors, often called Advanced Persistent Threats or APT. The attackers will usually conduct surveillance on a supply chain to identify which part of it has the weakest security. You can successfully attack a large well-secured company by compromising a piece of its software made by a smaller less well-secured business.
So the attackers look for an insecure network, unprotected server infrastructure or bad coding practice and exploit it to hide malware in the build or update process in a way that is difficult to detect. The software is released by a trusted vendor, signed and certified without anyone realizing it contains a backdoor or some other malware.
Supply chain attacks come in multiple flavors. Upstream attacks are the most common. That’s where the attackers infect an update, so every installation that updates gets infected.
Other types of supply chain attacks can include:
Targeting development tools, so the developers working on code unknowingly insert malware.
Targeting dependencies, components of software that are frequently included in all kinds of software.
Compromising elements of automation, like cloning repositories.
However it’s used, supply chain attacks are efficient because the attacker can just compromise one element, wait for it to appear in multiple places and then choose who to attack. Let’s say a company makes a component that is used in lots of software. Maybe it’s a network management component that goes into all kinds of applications from sales to HR and beyond. The attacker just compromises that one component, which then gets into hundreds of thousands of installs across multiple parts of multiple companies.
And once you’re into a network you can then install more malicious software elsewhere, so that even if the original piece of software is patched, the malicious attacker is still inside.
There are no end of examples of supply chain attacks.
The first supply chain attack was demonstrated in 1984 by one of the creators of Unix, Ken Thompson. For science. He was probing for vulnerabilities and wanted to see if he could hide a backdoor. So he built a compiler that put a backdoor in the login function. He also compromised the compiler that was used to compile that compiler so there wouldn’t be signs of tampering.
One common example is to inject spyware into a firmware installation for a consumer device. This kind of attack has been carried out against multiple computer makers like Lenovo and Asus.
Another example is to infect the software update process. That happened to hard drive utility CCleaner.
Of course the one you most likely have heard of happened to a company called SolarWinds. It offers a network monitoring tool called Orion. Attackers breached SolarWinds and managed to place malicious code in a software update for Orion. Yes, the tool you used to monitor your network was compromised to let people into your network. Any company that applied the software update between March and June 2019 unknowingly installed a backdoor to their network. That ended up being around 18,000 networks.
The attackers did not use all these backdoors, but they did exploit many of them including ones at NASA, the US Department of Defense and multiple large companies including Microsoft, Intel, Cisco and security firm FireEye.
Another famous one that you may not realize was a supply chain attack, happened in 2017 when updates for accounting software MEDoc pushed out the destructive NotPetya code.
There are many more and you haven’t heard of most of them because a successful supply chain attack won’t attract attention. Most supply chain attackers want to run quiet, keeping activities at a minimum so as not to be detected. Some even rent out their access to other malicious actors.
Ok so how do we stop them?
Supply chain attacks are hard to defend against. The company affected is not the company that made the software. If you work in any kind of company, you know how hard it is to get people within the same company to cooperate to identify security issues. Now multiply that by one or more vendors in a supply chain to stop supply chain attacks.
So let’s run through the options.
A company could try to screen all its software, and it should, but it won’t always have access to source code, and even if it did, it will not always catch every cleverly hidden compromise. An update changes the behavior of software by design, so it’s hard to tell which changes are intended and which aren’t. FireEye and Microsoft both missed the malware in SolarWinds’ Orion. Not because they are incompetent but because it was that cleverly hidden.
A company could try to write all its software in house, choosing not to trust any vendor. But that would likely end up having more security vulnerabilities of more kinds rather than less. It would also be much more costly than following best practices to prevent supply chain attacks. One of the benefits of using vendors is gaining their expertise and their security efforts at scale.
The common advice these days is to use fewer suppliers and hold them to higher standards of security and quality, while tightening up your own internal network security to make it harder for malicious actors if they do get into your network.
The US issued an executive order in May 2001 charging NIST with setting minimum security standards for a company that wants to sell software to federal agencies. This will cause many companies to raise their standards because they want to sell to the government. But companies who buy software and aren’t the government, can and probably should tailor their own standards as well.
Still, the NIST recommendations are a good template. There are two main areas of defense. Hold your vendors to a high standard to reduce the chance that you are buying software from a compromised entity. And develop robust internal protections that can detect and shut down compromises if and when they do get in.
Among the security measures recommended for companies to protect themselves are the use of multi-factor authentication for all users and admins. Uniquely identify and authenticate each service attempting to access critical software. Don’t trust something just because it’s inside the network. Maintain a software inventory so you know what’s actually running in your system. Encrypt data at rest and in transit. And there’s lots more about training, patching and monitoring. All meant to make it harder for an attacker to move even if they do get inside.
But you also want to make it less likely they get inside your software at all.
To reduce the chance that you are using a compromised vendor there are NIST standards for vendors as well. Vendors must engage in threat modeling, automated testing, code-based analysis, running programs in test cases to look for bugs, check all included libraries and other software and you know, fix bugs when you discover them. Basically make them prove they’ve done everything to help stop malicious actors from infecting their software.
You may be asking why these sorts of things aren’t already common practice. The answer is cost. Companies have been writing software or buying software on the cheap for decades, essentially relying on security through obscurity. Those days are gone. Auditing and certification are expensive, but as more companies demand it, the prices will fall. And it’s worth the cost. Ask the victims of the NotPetya and SolarWinds attacks.
There are other movements besides NIST too.
The Consortium for Information and Software Quality for instance developed ISO standards that are the software equivalent of a bill of materials. It lets you know all the components that are in the software you’re buying, when they were last patched and if there are any known outstanding vulnerabilities.
This is a VERY high level overview of this topic. If you’re in an enterprise you should read the full NIST guidelines as well as some very good recommendations from security companies like FireEye and infrastructure providers like Cloudflare and Microsoft.
But I hope it helps you know a little more about supply chain attacks.
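As an added example (not from the episode, from NIST or from CISQ), here is the kind of check a buyer can run once a vendor hands over a software bill of materials: parse a CycloneDX-style SBOM and report every component that falls below a known advisory's fixed version, was last patched more than a year ago, or declares no patch date at all. The SBOM document, the advisory list and the example:lastPatched property are constructed sample data; only the top-level CycloneDX field names are the real ones.

```python
"""Audit a CycloneDX-style SBOM for known advisories and stale patch dates.
Added example; SBOM, advisories and 'example:lastPatched' are constructed."""
import json
from datetime import date

# Constructed SBOM: one component with a known advisory, one recently patched,
# one that declares no patch date at all (a case an auditor must not skip).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "netmon-agent", "version": "2.3.9",
   "properties": [{"name": "example:lastPatched", "value": "2021-11-02"}]},
  {"type": "library", "name": "json-parse", "version": "4.1.0",
   "properties": [{"name": "example:lastPatched", "value": "2022-09-15"}]},
  {"type": "library", "name": "legacy-clock", "version": "0.9"}]}"""

# Constructed advisories (not real CVE ids): affected when version < fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "netmon-agent", "fixed_in": "2.4.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "json-parse", "fixed_in": "4.0.2"},
]

def parse_version(version):
    """'2.10.1' -> (2, 10, 1), so versions compare numerically (2.10 > 2.9)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def load_components(sbom_text):
    """Parse the SBOM; refuse a document that does not claim to be CycloneDX."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])

def find_vulnerable(components, advisories):
    """(name, version, advisory id) for each component below an advisory's fix."""
    hits = []
    for comp in components:
        for adv in advisories:
            if (comp["name"] == adv["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

def find_stale(components, today_iso, max_age_days=365):
    """(name, reason) for components patched too long ago or lacking a patch date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in components:
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        patched = props.get("example:lastPatched")
        if patched is None:
            findings.append((comp["name"], "no patch date declared"))
        elif (age := (today - date.fromisoformat(patched)).days) > max_age_days:
            findings.append((comp["name"], f"last patched {age} days ago"))
    return findings
```

Against the constructed data with 2022-12-23 as the reference date, netmon-agent is reported both for the open advisory and for a 416-day-old patch, and legacy-clock is reported because it declares no patch date.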

Sharing your Netflix password could be illegal – NTX 276

Sam Bankman-Fried will arrive in the United States, there will be no Raspberry Pi 5 in 2023, and sharing streaming passwords could be illegal.

MP3



News:
-Wall Street Journal sources say the NFL is in advanced talks with YouTube about its NFL Sunday Ticket subscription package.
-OpenAI released its Point-E system, which can generate point clouds representing 3D objects from text prompts.
-Raspberry Pi CEO Eben Upton said consumers should not expect the Raspberry Pi 5 next year, calling 2023 a “recovery year”.
-After his arrest in the Bahamas on several criminal charges, former FTX CEO Sam Bankman-Fried will be taken to the United States to face the law.
-In the United Kingdom, the Intellectual Property Office published guidance on avoiding piracy and said that “there are a range of provisions in criminal and civil law” that would apply to people who share passwords for streaming services with people living in a different household.

Analysis: Is sharing passwords piracy?
