August 23, 2014

Netflix in Linux Using Chrome


Update 01.01.2015 - I have some awesome news! It is now unnecessary to use the "User Agent Extension" for Google Chrome in order to watch Netflix online. Simply remove the agent then relaunch the video that you want to watch and it should work!

The World Wide Web Consortium (W3C) has made a push for protected media content to be streamed using HTML5 media playback through the Encrypted Media Extensions (EME) specification. Watching Netflix natively in Linux has been made possible in Beta versions of Google Chrome using an extension. You will no longer have to use a funky wine/silverlight workaround, as long as you use the Beta version of Google Chrome!
By spoofing the user agent of an officially supported EME platform (e.g., Windows 8.1) in Chrome for Linux we can get fuss-free totally native playback of movies and TV shows — for now, at least.
It does take a bit of tweaking to get it up and running, but once you do, it plays much nicer than the wine configurations from earlier days.

Requirements for this install:
  • Ubuntu 14.04 or 14.10 Alpha
  • Google Chrome Beta or Dev version v37 or greater 
  • A Netflix subscription 
  • Have Prefer HTML5 selected in Netflix Account Playback
You can install Google Chrome Beta by using the following command inside of a terminal window.

sudo apt-get install google-chrome-beta

After all of those things have been completed you will need to update your Ubuntu 14.04 LTS install to the latest version of libnss3. If you have some trouble getting this to work try running an update on your system. This should install all of the latest updates for libnss3. There may be some dependencies that Ubuntu is unable to resolve, but if you run the following command, it should fix any dependency issues:

sudo aptitude upgrade --full-resolver

Next, you will need to install the "User Agent Extension". You can find it in the Chrome Store or by going to the link below:

User Agent Extension for Chrome

After the extension is installed, there should be a new extension icon at the top right of the Chrome browser. Right-click on the extension and select options. In the Custom User-Agent section input the following information:

  • Name: Netflix Linux
  • String: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2114.2 Safari/537.36
  • Group: (is filled in automatically)
  • Append?: Select ‘Replace’
  • Flag: IE
When the information has been added, press the "Add" button. Then, navigate to Netflix.com in Google Chrome Beta, click on the user agent extension, select "Chrome". Then, under Chrome select the "Netflix Linux" agent that was just created. After that, you should be in business. 




August 6, 2014

Russian Cyber Gang "Steals" Passwords


A source told the Guardian on Tuesday that a Russian cyber gang has stolen 1.5 billion unique passwords belonging to multiple email addresses. However, there does not seem to be enough information to tell whether or not the reporting party is telling the truth. At least, no big-name security firms have been allowed to verify this claim. An information security researcher from University College London told the Guardian,
It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data ... We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.
The article goes on to say that this news, whether true or not, is just another nail in the theoretical coffin for the use of usernames and passwords as the mechanism of choice to secure Web pages. People are always getting the advice that says, "You need to make a secure password that is some number of characters long, contains each of the following character types, and is difficult for others to guess but easy enough for you to remember." However, the problem is not that people cannot remember their passwords; it's that they have so many passwords for so many places that we, as security professionals, should not expect them to reasonably be able to remember all of them without using the same one here and there or writing some of them down, at least the ones that they do not use that often.
An alternative solution is to move to another device or mechanism for proving identity. Wueest explained that one potential solution would be to use a mobile phone that confirmed a login via a push notification or text message that the user would verify to allow entry into a website or computer system.
In other words, this quote is referring to the use of two-factor authentication, which is something that I have been using for almost a year now on the sites that allow it. Twitter, Google, LastPass, Evernote, DuoSec (a two-factor auth company), and many others have begun to utilize this technique as an alternate means of verifying someone's identity.

I thought it was interesting that the security firm claiming to have discovered the threat will not release any data, but they say that the credentials have been stolen from many big-name sites. They had the NY Times sign confidentiality agreements before they would allow an outside source, not affiliated with the firm, to analyze the data and prove its authenticity. What sites are they referring to? There hasn't been word of any companies making a public statement urging their users to update passwords, but the security firm claims that some of them do know their records are among the ones that were stolen. I also found it very interesting that the CISO of the security firm (Hold Security) has some sources in the cyber criminal realms who have given him some information regarding the nature of the attack as well as the possible general whereabouts of the criminals. I would really like to know if I need to warn anyone that they need to go change their account passwords due to a large breach.

At this point, no one is sure of anything. It is still a bit early to determine exactly what happened, if anything. The best thing for people to do for the moment is watch their accounts closely, especially those tied to financial data, banks, credit cards, etc. We will have to see what surfaces in the next few days.

Update:

It appears that the primary method used by the hackers to get information was SQL injection. The hackers created a large botnet of zombie computer systems (computers that have been taken over by a hacker, usually without the knowledge of the owner, to be used as a mechanism to attack other entities on a large scale) to go to Web sites and test whether they were vulnerable to SQL injection. If they were, the hacker gang would mark that site as vulnerable, then come back later to siphon any information.

Brian Krebs of Krebs on Security said that he has seen the data found by Hold Security firsthand and that it is, without a doubt, the real thing, but he is not at liberty to disclose the means by which the information was found or who the data belongs to. He also mentioned that Hold Security does have close ties with the cyber criminal underground.

Furthermore, an article from Dark Reading says that the cyber gang, at this time, does not seem to be selling any of the information that has been gathered. They look to be using it as a way to create an email spamming business for hire.

Do we know how many of the password databases were hashed? Because this would help us to figure out how many of the passwords are readily available for the hackers to use. Yes, the SQL vulnerabilities should be addressed, but putting a hash of a password in a database is far more secure than storing the actual password in plain text, so even if the data was stolen it would be more difficult for the information to be used.
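
To make the hashing point concrete, here is an added example (not from the original post or from any of the sites involved): a user table that stores only a per-user salt and a slow PBKDF2 hash, with every query using bound parameters so that user input never becomes part of the SQL text. The table layout, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for the example; raise it as far as login latency allows.
ITERATIONS = 600_000


def hash_password(password, salt):
    """Derive a slow, salted hash; only this value and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db, name, password):
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    # Bound parameters (?) keep user input out of the SQL statement itself.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))


def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash and the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_rows(db):
    """Everything a copy of the table would contain: names, salts, hashes."""
    return db.execute("SELECT name, salt, pw_hash FROM users ORDER BY name").fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed sample accounts that deliberately share one password.
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print(verify(db, "alice", "correct horse battery staple"))
    for name, salt, pw_hash in stored_rows(db):
        print(name, salt.hex(), pw_hash.hex())
```

Because each account has its own salt, the two constructed accounts end up with different stored hashes even though they share a password, and each guess against a copied table costs the full iteration count.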

For more on this breach, visit the Hold Security blog: http://www.holdsecurity.com/news/cybervor-breach/.

---------------------------------------------------------------------------------------------------------------------

Source Information:
  • Breach Source: http://www.holdsecurity.com/news/cybervor-breach/
  • Source: http://www.theguardian.com/technology/2014/aug/06/cybersecurity-expert-russian-hacking-scare-hold-security-passwords
  • Source: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
  • Source: http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
  • Source: http://www.darkreading.com/biggest-cache-of-stolen-creds-ever-includes-12-billion-unique-logins/d/d-id/1297811