Butterflies & Backronyms | TechSNAP 224
Posted on: July 23, 2015

The Backronym vulnerability hits MySQL right in the SSL protection, and we’ll share the details. The hacker group that hit Apple & Microsoft intensifies its attacks, & a survey shows many core Linux tools are at risk.
Plus some great questions, a rockin’ roundup & much much more!
— Show Notes: —
Backronym – SSL stripping MySQL connections
- Researchers have identified a serious vulnerability in some versions of MySQL that allows an attacker to strip SSL/TLS connections of their security wrapping transparently.
- Researchers at Duo Security realized that even when they set the correct option to initiate an SSL connection with the MySQL server, they could not make the client enforce a secure connection.
- This means that an attacker with a man-in-the-middle position could force an unencrypted connection and passively sniff all of the unencrypted queries from the client to the MySQL database.
- The vulnerability lies in the behaviour of the ‘--ssl’ client option, which affected versions treat as “advisory”: the option makes the client attempt an SSL/TLS connection to the server, but it does not actually require one. This allows a MITM attacker to transparently “strip” the SSL/TLS protection.
- The issue affects the ‘--ssl’ client option whether it is used directly or triggered automatically by the use of other SSL options.
- The vulnerability affects MySQL 5.7.2 and earlier versions, along with MySQL Connector versions 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.
- The vulnerability is nicknamed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL) by the Duo researchers, who also put up a site that riffs on the recent trend of researchers putting up sites for major vulnerabilities.
- What does BACKRONYM stand for? Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL!
- They say: “We spent countless hours analyzing the BACKRONYM vulnerability to come up with a human-readable description that would convey the underlying root-cause to infosec professionals.”
- What do I need to do to fix BACKRONYM?
- Step 1: PANIC! I mean look at that logo – your database is basically exploding!
- Step 2: Tell all your friends about BACKRONYM. Use your thought leadership talents to write a blog post about BACKRONYM to reap sweet Internet karma. Leverage your efforts in responding to BACKRONYM to build political capital with the executives in your organization. Make sure your parents know it’s not safe to shop online until BACKRONYM is eradicated.
- Step 3: Actually remediate the vulnerability in any of your affected MySQL client-side libraries (also MariaDB and Percona). Unfortunately, there’s no patch backported for MySQL <= 5.7.2. So if you’re on MySQL 5.6 like 99.99% of the Internet is, you’re basically out of luck and have to upgrade to the MySQL 5.7 “preview release” or figure out how to pull in libmysqlclient >= 6.1.3. Backporting security fixes is hard, apparently.
- Additional Coverage: New PHP release to fix backronym flaw
- The BACKRONYM Vulnerability
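The practical defender question in the notes above is twofold: is my client library one that treats ‘--ssl’ as advisory, and did a given session actually end up encrypted? The following is an added example, not code from Duo Security, Oracle or the show; it encodes the affected-version snapshot exactly as the notes state it (MySQL 5.7.2 and earlier, Connector 6.1.2 and earlier, all Percona Server and MariaDB at the time) and checks the result of MySQL’s real `SHOW STATUS LIKE 'Ssl_cipher'` query, whose value is empty when no cipher was negotiated. The status rows and version strings below are constructed sample data, and the product names, function names and the “disconnect” policy are this example’s own choices.

```python
"""Fail-closed checks for MySQL client sessions around the BACKRONYM behaviour.

Added example (not Duo's, Oracle's or the show's code). The version table is
the snapshot given in the show notes for July 2015; treat it as such.
"""
import re

# Snapshot from the show notes: highest client-library version still affected.
# Key names ("mysql", "connector") are this example's own labels.
AFFECTED_MAX = {
    "mysql": (5, 7, 2),       # MySQL 5.7.2 and earlier
    "connector": (6, 1, 2),   # MySQL Connector / libmysqlclient 6.1.2 and earlier
}
# At the time of the notes, every release of these forks was affected.
ALWAYS_AFFECTED_AT_SNAPSHOT = {"percona", "mariadb"}


def parse_version(text):
    """Pull the first x.y.z out of a version string and return it as an int tuple.

    Works for '5.6.25-log' (SELECT VERSION()) and for `mysql --version` output
    such as 'mysql  Ver 14.14 Distrib 5.6.25, for Linux (x86_64)'.
    Note that it is the *client library* version that matters here, not the server's.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def client_library_advisory_ssl(product, version):
    """True if, per the snapshot above, this client library treats --ssl as advisory."""
    product = product.lower()
    if product in ALWAYS_AFFECTED_AT_SNAPSHOT:
        return True
    if product in AFFECTED_MAX:
        return parse_version(version) <= AFFECTED_MAX[product]
    raise ValueError("unknown product: %r" % product)


def connection_is_encrypted(status_rows):
    """Interpret rows from SHOW STATUS LIKE 'Ssl_cipher'.

    status_rows is a list of (Variable_name, Value) pairs as a driver would return
    them. Only a non-empty cipher name counts as encrypted; a missing row or an
    empty value means the session is in the clear, which is what an SSL-stripped
    session looks like even though --ssl was requested.
    """
    for name, value in status_rows:
        if name == "Ssl_cipher":
            return bool(value.strip())
    return False


def enforce_tls_or_disconnect(status_rows):
    """Application-side policy: keep the session only if the server reports a cipher.

    Returns the action the caller should take ("keep" or "disconnect"), so the
    decision can be logged and tested independently of any driver.
    """
    return "keep" if connection_is_encrypted(status_rows) else "disconnect"


# Constructed sample status output (not captured from a real server):
ENCRYPTED = [("Ssl_cipher", "DHE-RSA-AES256-SHA")]
STRIPPED = [("Ssl_cipher", "")]   # option accepted, no cipher negotiated


if __name__ == "__main__":
    for product, ver in [("mysql", "5.6.25-log"), ("mysql", "5.7.3"), ("connector", "6.1.3")]:
        print(product, ver, "advisory --ssl:", client_library_advisory_ssl(product, ver))
    print("encrypted session ->", enforce_tls_or_disconnect(ENCRYPTED))
    print("stripped session  ->", enforce_tls_or_disconnect(STRIPPED))
```

In practice the version check belongs in a build or deployment gate (run it against `mysql --version` or the driver’s reported client version), and the `Ssl_cipher` check belongs right after connect in any application that cannot yet move to a client library where ‘--ssl’ is enforced. Later MySQL clients added an explicit `--ssl-mode=REQUIRED` option (from 5.7.11), which makes the library itself fail closed; the post-connect status check remains a cheap second line of defence.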
Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks
- The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.
- After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity.
- Symantec has named the group behind the attacks “Butterfly”.
- Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.
- The first signs of Butterfly’s activities emerged in early 2013 when several major technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. This was done by compromising a website used by mobile developers (that we covered before on the show) using a Java zero-day exploit to infect them with malware.
- The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.
- Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly.
- Butterfly has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.
- Butterfly has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
- Hacktool.Bannerjack is meanwhile used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
- The group uses Hacktool.Eventlog to parse event logs, dump out entries of interest, and delete entries. It also kills processes and performs a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that allows the attackers to route traffic through an intermediary node on to their destination node.
- Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Butterfly is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Butterfly is unaffiliated to any nation state.
- Links:
- Butterfly: Profiting from high-level corporate attacks | Symantec Connect Community
- Hacktool.Securetunnel | Symantec
- Wild Neutron – Economic espionage threat actor returns with new tricks – Securelist
Core Linux tools top list of most at-risk software
- The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what projects need support now, instead of waiting for them to break.
- The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux’s package list and on openhub.net, then scores them based on the amount of risk each presents.
- A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects being core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
- High scores in the survey, said the CII in its page on the project, don’t mean a given program should be ditched, or that it’s to be presumed vulnerable. Rather, it means “the project may not be getting the attention that it deserves and that it merits further investigation.”
- Apache’s httpd web server, a large and “vitally important” project with many vulnerabilities tracked over the years, ranked as an 8 in part because “there’s already a large development & review team in place.”
- Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
- One of the tricky issues that bubbles up is the complication posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that “the general Apache Portable Runtime (APR) appears to be actively maintained. However, it’s not as clear that the LDAP library in it is as actively managed.” Likewise, anything that uses the Kerberos authentication system — recently implicated in a security issue — typically has “Kerberos” in the notes.
- linuxfoundation/cii-census · GitHub
Feedback:
Round Up:
- International cybercrime marketplace taken down
- Larry Wall on Perl 6 and teaching kids to code
- Uninstalled Google Photos? Thought your pics safe from slurping? WRONG, bozo
- Toshiba owned OCZ launches new line of SSDs at $0.40/GB. Uses new flash memory and controller directly from Toshiba. Do you trust something new? From
- ID Theft Service Proprietor Gets 13 Years
- When security and politics collide: Lifespan in the SES (Senior Executive Service)
- Intel confirms tick-tock-shattering Kaby Lake processor as Moore’s Law falters