Oracle’s EULAgy #oraclefanfic | TechSNAP 227
Posted on: August 13, 2015

Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain.
A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more!
— Show Notes: —
Oracle doesn’t think you should try to reverse engineer their products
- “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for vulnerabilities because ‘it’s our job to do that, we are pretty good at it’”
- The blog post has since been taken down
- Archive.org copy of Oracle Blog post
- Google Cache of Oracle Blog post
- “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.”
- This is where I take the most extreme exception
- First, I don’t imagine that it is most average Oracle customers who are reverse engineering Oracle software looking for bugs
- Often, security research companies will look for bugs in major bits of software (be it Flash, Windows, Firefox, Chrome, Java, etc.) with the goal of publishing their research once the bugs they find are fixed, in order to build a reputation and attract security consulting customers
- This system depends on A) Vendors actually accepting and acting upon bug reports, and B) Vendors crediting the people who discover the flaws in the security advisory / patch notes
- When a researcher is helping you better your software, for free, the least you can do is give them credit where it is due
- If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist, and isn’t an attack surface
- “‘I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,’ Davidson said in the post.”
- So at least they are going to fix it, eventually …
- “‘However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”’”
- But credit? Nope. Ohh, and we might decide to try to engage in litigation against you
- Of course, if you actually read the EULA, Oracle’s software is not warranted for any use whatsoever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
- “‘Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,’ Davidson said in the post.”
- Of course, Oracle’s Legal department backpedaled, hard:
- A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
- “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
- Twitter reacted quickly
- A new trend has emerged around the hashtag #OracleFanFic
Why not insider trade on EVERY company?
- This Bloomberg View article starts with a typical description of how insider trading works, and how people get away with it
- It then starts to dig into how a group of Ukrainian bad actors did it against a huge number of companies, and illegally profited over $100 million.
- The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public
- Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee, or a stake in the action
- They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies
- “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and “created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.””
- “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies,”
- “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. ‘The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants,’”
- “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers ‘gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.’ They gained access to Business Wire after ‘the login credentials of approximately fifteen Business Wire employees had been “bruted.”’”
- The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
- Additional Coverage – Bloomberg
- Additional Coverage – Threat Post
- Justice Department Press Release
- New Jersey Federal Criminal Complaint
- Brooklyn Federal Criminal Complaint
- SEC Press Release
- SEC Civil Complaint
Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR
- “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines”
- Make sure your Flash version is 18.0.0.232 or newer
- The fixed flaws include:
- 16 use-after-frees
- 8 memory corruptions
- 5 type confusions
- 5 buffer overflow and heap buffer overflow bugs
- 1 integer overflow flaw
- “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
- In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks”
- “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said
- “Note: Beginning August 11, 2015, Adobe will update the version of the ‘Extended Support Release’ from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post”
- Official Adobe Advisory
- The advisory thanks a number of researchers and companies that found the vulnerabilities, including:
- Google Project Zero
- FortiGuard Labs
- Alibaba Security Research Team
- Chromium Vulnerability Rewards Program
- 360 Vulcan Team
- Additional Coverage
Feedback:
Round Up:
- The first publicly released Android Security Advisory – fixing Stagefright and other video processing vulnerabilities on Nexus devices
- Sharp announces new line of DC powered appliances, starting with an Air Conditioner. Avoiding the conversion from DC to AC to DC for Solar and other alternative power sources
- Cisco warns customers of attacks replacing IOS bootstrap images on routers
- Why it is important to choose your audience. When you leak documents, and no one takes you seriously
- Facebook’s Internet Defense Prize ($100,000) was awarded to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique
- The team behind the Anthem breach may also be who hit United Airlines
- Steam fixes vulnerability in site that allowed anyone to reset the password of another account, hijacking it
- 3 Chechen women use “CatFishing” scheme to take ISIS combatants for $3300
- Don’t be fooled by phony online reviews – Krebs details the story of someone who got scammed, badly
- Finally, a way to explain IaaS, PaaS, and SaaS