RSS Feeds:

MP3 Feed | Video Feed | iTunes Feed

Become a supporter on Patreon:

Links

• Ubuntu Rally in NYC | Ubuntu Insights
• 1289 – Broadcom: OOB write when handling 802.11k Neighbor Report Response – project-zero – Monorail
• Remote Wi-Fi Attack Backdoors iPhone 7 | Threatpost | The first stop for security news
• Security Alert: Why You Should Update to iOS 11 Now

The post That one time in NYC | User Error 28 first appeared on Jupiter Broadcasting.

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Links:

• Miyamoto Proves His Point, Eats a Hamburger While Playing Super Mario Run – GameSpot
• Samsung Galaxy Note 7 explodes in New York, burns six-year-old boy | Ars Technica
• The iPhone 7 is the walled-off computer Apple has always wanted
• Microsoft Lumia to end sales this year – SlashGear
• Long-Secret Stingray Manuals Detail How Police Can Spy on Phones
• Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth | Ars Technica
• movrcx on Twitter: “The 0day impacting all deployments of the Tor Browser has been confirmed. In 96 hours we will be taking the next action.”
• Netflix asks FCC to declare data caps “unreasonable” | Ars Technica
• Microsoft just approved an NES emulator on Xbox One | TechRadar
• Fidget Cube: A Vinyl Desk Toy by Matthew and Mark McLachlan — Kickstarter

The post Satisfy your Fidgeting | TTT 259 first appeared on Jupiter Broadcasting.

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

• The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
• It turns out to not have been as big a deal as we were lead to believe
• The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
• The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
• It affects all versions of Samba clear back to 3.0
• “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
• “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
• See the Samba Release Planning page for more details about support lifetime for each branch
• Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
• The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
• Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
• It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
• “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
• Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
• standard Samba server – modify user permissions on files or directories.
• There were also a number of related CVEs that are also fixed:
  • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
  • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
  • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
  • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
  • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
  • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
  • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
• Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
• “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
• “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
• Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

• Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
• They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
• The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
• Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
• There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
• Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
• Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
• What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
• Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
• Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
• On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
• Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
• Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
• Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
• Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
• Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
• Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
• Additional Coverage: Forbes
• Additional Coverage: WordFence
• Additional Coverage: Slashdot
• In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

• “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
• “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
  How I can recover from a rm -rf / now in a timely manner?”
• There is not usually any easy way to recover from something like this
• That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
• It is usually best to not have your backups mounted directly, for exactly this reason
• Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
• While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
• Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
• When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
• Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
• There are plenty of other examples of this same problem though
• Steam accidently deletes ALL of your files
• Bryan Cantrill tells a similiar story from the old SunOS days
• Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
• Additional Coverage: ServerFault
• When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

• NAS or SAN?
• Full SSD ZFS array

Round Up:

• “FreeBSD Mastery: Advanced ZFS” has been released as ebook for $9.99, print version in a few weeks
• Book features a fancy “Wrap Around” cover, the secret art not revealed yet
• How to not get pwned on Windows: Don’t run any virtual machines, open any web pages, Office docs, hyperlinks
• OpenWhisperSystems has integrated its Signal Protocol public key encryption systems into WhatsApp, now fully end-to-end encrypted with identity verification
• FBI bought previously undisclosed zeroday to crack the iPhone 5c
• After Apple claims to have fixed iOS 1970 bug in February, researchers demo a new remote version, bricks your device 20 minutes after connecting to their rouge WiFi, if your battery doesn’t catch fire first…
• 0-day exploits more than double as attackers prevail in security arms race
• Proving apps don’t take data security seriously, new website uses Tinder’s official API to let you spy on other users
• Google’s monthly Android update fixes Linux kernel flaw from 2014 that was being used to root Android devices
• Nest pulls the plug on the Resolv Hub, leaving owners who were promised a lifetime service subscription with a $299 paperweight
• The entire Turkish citizenship database appears to have been hacked and leaked online
• Python, Go, and PHP (before 5.6), failed to check for self-signed, expired, or worse revoked SSL certificates, also older versions may still accept RC4 and weak DH (logjam)
• Cellebrite, the company originally rumoured to have helped the FBI crack the iPhone, set to release a road side ‘textalyzer’, to determine if you were using your cell phone at the time of an accident
• Google’s new “BeyondCorp” security model, all networks are untrusted, users earn trust with good behaviour, devices earn trust with known good state
• All the resources in the world are not use if you don’t know how to use them

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang.

Plus a great batch of questions, the roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

0day exploits against Flash will be harder thanks to new mitigations

• Three new exploit mitigations are being added to Adobe’s Flash player in an effort to prevent future exploits
• The mitigations were developed in a collaboration between Adobe and Google’s Project Zero
• The mitigations are:
  • “buffer heap partitioning” – Specific types of objects have been moved to an entirely separate heap (the OS Heap instead of the Flash Heap), preventing an overflow in the Flash Heap from ever being able to corrupt those objects. “It’s worth noting that this defense is much more powerful in a 64-bit build of Flash, because of address space limitations of 32-bit processes. This mitigation is now available in the Chrome version of Flash, and is expected to come to all other browsers sometime in August. Now is a good time to upgrade to a 64-bit browser and Flash.”
  • “stronger randomization for the Flash heap” – The flash heap is no longer stores in a predictable location, so it is harder to exploit. In addition, especially on 64-bit platforms, large allocations are further randomized. And older exploit developed by Project Zero used up to a 1GB allocation in order to hit a predictable location. With the large 64bit address space to play with, these allocations can be so far apart that it will be very difficult for an attacker to overflow the flash heap to run into the binary sections.
  • “Vector.<*> length validation secret” – Many of the recent and previous exploits have worked by overwriting the length of the Vector objects, to make them overflow into other areas of memory. The previous two mitigations make it harder to do this, but Adobe have developed a validation technique to detect when the length has been altered unexpectedly. The Adobe mitigation works by storing a “validation secret”, a hash of the correct length and a secret value, the attack doesn’t know the secret value, so cannot write the correct hash, and Flash will exit with a runtime error. This mitigation is available in all Flash builds as of 18.0.0.209.
• “Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities”
• Hopefully these will propagate quickly and reduce the frequency of flash 0 days
• Google Project Zero Blog Post

1.4M Vehicle Recall After Bug in Chrysler UConnect System

• Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
• The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
• This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
• Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
• It’s not a Sprint issue but they have been “working with Chrysler to help them further secure their vehicles”.
• Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
• Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
• The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements.
• Chrysler Recalls
• After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
• Fiat Chrysler Automobiles (FCA) Uconnect Vulnerability
• FCA Uconnect Vulnerability | ICS-CERT

Inside the “Business Club” crime gang

• Krebs profiles the “Business Club” crime gang, which apparently managed to steal more than $100 million from European banks and businesses
• The story centers on the “Gameover ZeuS” trojan and botnet. The commercial ZeuS malware had been popular for years for stealing banking credentials, but this was a closely held private version built for himself by the original author
• “Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.””
• “That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.”
• “The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.”
• “Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.””
• “The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.”
• “Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.”
• The botnet was also used against Turkey
• “The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”
• “The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”
• The full Fox-IT report is available as a PDF here

Feedback:

• FreeNAS with Quad GbEthernet

• eSata enclosure

• pfSense Minix Router

• GlusterFS alternatives

• Enhanced commit privileges: Allan Jude (src)

Round Up:

• Kim Dotcom: ‘I don’t think your data is safe on Mega anymore’
• Get root on any OS X machine, with a shell command that fits in a tweet
• The Martian author says Comcast let hacker take over his e-mail
• Scaling Netflix – From 0 to a Terabit
• “Thunderstrike 2” rootkit uses Thunderbolt accessories to infect Mac firmware
• Why Netflix chose NGINX and FreeBSD to build its CDN
• An Update to Nexus Devices
• PHP mt_rand only returns odd numbers? Looks even worse in hex, low bits not being set?
• Breach at PNI Digital Media Inc., a company that makes photo kiosks, has affected customers a many large retailers including Walmart, CVS, Rite Aid, Sam’s Club and Costco
  
• How coordinated disclosure works in the real world
• HP Researchers find the Smart Watches are a security risk
• Belgian Government accidently includes 20,000 employees of transit operator in its phishing test

The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.

We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we\’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There\’s a boatload of news and we\’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

• This year\’s BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone\’s looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo\’s talk, \”Releasing NetBSD: So Many Targets, So Little Time\”
• Dru Lavigne\’s talk, \”ZFS Management Tools in FreeNAS and PC-BSD\”
• Scott Long\’s talk, \”Serving one third of the Internet via FreeBSD\”
• Michael W. Lucas\’ talk, \”BSD Breaking Barriers\”

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal\’s second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they\’ve already gotten over 1000 subscribers! It\’s available on Google Play, iTunes, Amazon, etc
• \”We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD\”
• Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There\’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: \”Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL\’s bug tracker is only used to park bugs, not fix them\”
• Sounds like someone else was having fun with the bug for a while too
• There\’s also another OpenSSL bug that\’s possibly worse that OpenBSD patched – it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out – we\’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new \”signify\” tool in OpenBSD
• Now there\’s a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There\’s also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• \”Update Center\” is getting a lot of development and improvements
• Lots of misc. bug fixes and updates

Feedback/Questions

• There\’s a reddit thread we wanted to highlight – a user wants to show his friend BSD and why it\’s great
• Brad writes in
• Sha\’ul writes in
• iGibbs writes in
• Matt writes in

• All the tutorials are posted in their entirety at bsdnow.tv – there\’s a couple new ones on the site now that we\’ll be covering in future episodes
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
• If you\’re in or around Colorado in the US, there\’s a brand new BSD users group that was just formed and announced – they\’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.

We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:

— Show Notes: —

Exploring the misconceptions of Linux Security

• “There is a perception out there that Linux systems don\’t need additional security”
• As Linux grows more and more mainstream, attacks become more prominent
• We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
• Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
• The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
• However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
• Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
• Firewalls generally do not help attacks against web applications, because they operate at layer 3 & 4 and can no detect an attempted exploit
• Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application and attempt to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knows exactly what legitimate traffic will look like
• Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
• Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
• Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
• “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven\’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don\’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

• Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
• Microsoft has released an emergency Fix-It Solution until a proper patch can be released
• This attack is especially bad since it doesn’t not require the victim to open the malicious email, looking at the message in Outlook’s preview mode will trigger the exploit
• According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
• The attack uses a malicious RTF (Rich-Text file), Outlook renders RTF files with MS Word by default
• The Fix-It solution disables automatically opening emails with RTF content with MS Word
• This attack can also be worked around by configuring your email client to view all emails in plain-text only
• Instructions for Office 2003, 2007 and 2010
• Instructions for Outlook 2013
• “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
• The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
• The exploit also checks how recently windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
• Additional Coverage – ThreatPost

Feedback:

• Multiple ISPs

• Securing my fortress

• Can you please explain some basic terms

• Is better/safer to use keys than passwords?

• Proper use of SSH keys

• SSH: Best Practices | HowtoForge – Linux Howtos and Tutorials

• IPv6

Round Up:

• Tarsnap now accepts Bitcoin
• Fake GPG keys for crypto developers found in the wild
• Apps with millions of Google Play downloads covertly mine cryptocurrency
• More holes in SCADA systems, 7600 power, chemical and petrochemical plants at risk
• Gordon Lyon reboots the Full Disclosure mailing list
• Deanonymizing tor with denial of service attacks
• Sony Pictures Plans Movie About Brian Krebs
• Robbing ATMs using SMS messages
• Hackers transform EA Web page into Apple ID phishing scheme
• Cabling done right More cable porn
• WPA2 vulnerabilities found in deauthentication phase, may allow an attacker to temporarily gain access to the network
• Trendjacking – New phishing campaign against governement targets using MH-370
• California DMV breach leaks credit cards

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.

Big changes could be coming to the WHOIS database in the name of privacy, but security experts have major concerns.

Plus our suggestions for rolling your own server, a huge batch of questions, and much much more!

On this week’s TechSNAP.

Thanks to:

— Show Notes: —

WHOIS Privacy Plan Draws Fire

• Internet regulators are pushing a controversial plan to restrict public access to WHOIS Web site registration records. Proponents of the proposal say it would improve the accuracy of WHOIS data and better protect the privacy of people who register domain names.

• According to an interim report (PDF) by the ICANN working group, the WHOIS data would be accessible only to \”authenticated requestors that are held accountable for appropriate use\” of the information.

• The working group’s current plan envisions creating what it calls an “aggregated registration directory service” (ARDS) to serve as a clearinghouse that contains a non-authoritative copy of all of the collected data elements.

• The registrars and registries that operate the hundreds of different generic top-level domains (gTLDs, like dot-biz, dot-name, e.g.) would be responsible for maintaining the authoritative sources of WHOIS data for domains in their gTLDs.
• Those who wish to query WHOIS domain registration data from the system would have to apply for access credentials to the ARDS, which would be responsible for handling data accuracy complaints, auditing access to the system to minimize abuse, and managing the licensing arrangement for access to the WHOIS data.
• The interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan\’s potential for harm to consumers and cybercrime investigators.

\”Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers — including prior authorization, disclosure obligations, payment of fees, etc. — in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,\” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.

• Kerbs says: the working group’s interim report leaves open in my mind the question of how exactly the ARDS would achieve more accurate and complete WHOIS records. Current accreditation agreements that registrars/registries must sign with ICANN already require the registrars/registries to validate WHOIS data and to correct inaccurate records, but these contracts have long been shown to be ineffective at producing much more accurate records.

WeChat security found to be lax, your password is at risk

• The WeChat Android client has an undocumented debugging interface that can be accessed by other apps on your Android device
• This interface allows an attacker to intercept all data flowing through the WeChat application, including your username and hashed password
• The password is only hashed with straight md5, making it trivial to brute force or rainbow table
• “In WeChat versions up to 4.3.5 we identified several vulnerabilities which allow an attacker who can intercept the traffic to quickly decrypt the message body, thus being able to access the messages sent and received by the user. More recent versions seems to be immune to these attacks, but we still have to perform a more in-depth analysis of the encryption scheme implemented in the latest WeChat releases. “
• The local SQLite database used by WeChat is encrypted, but the key is a derived from the WeChat uid and the local DeviceID, meaning an attacker with access to this debug interface has access to both parameters
• “We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply.”

DRAM prices still being driven up by plant fire

• As TechSNAP reported previously, there was a chemical explosion and fire at the SK Hynix plant in Wuxi China on September 4th
• SK Hynix is attempting to rush repairs to the damaged fab, and has reopened the remaining fab at the Wuxi site on September 7th. The two fabs are isolated to prevent a problem at one from crippling the other
• SK Hynix is also shifting some production to other plants in Korea
• However the expected shortage has still driven DRAM prices up 27 percent
• The Wuxi plant makes approximately 10% of the worlds supply of DRAM
• SK Hynix expects the plant to be back at full capacity sometime in October
• Full repairs will take between three months and six months and reduce total output by two months’ worth of production
• Even once the repaired plant is online, SK Hynix plans to ram up production beyond the previous levels as well as maintain the increased production in Korea
• SK Hynix will also ramp up production in stages as portions of the damaged plant are cleaned and repaired to match what analysts expect will be a spike in demand for PC-oriented chips as the Oct. 18 ship date of Windows 8.1 approaches, analysts said.

Feedback:

• Freelance rates..

• Suggestions for an orchestration framework

• Roll your own Mail Server/Directory Server/Samba Server

• Will Mozilla Persona fail just as OpenID did?

• ninite – unified software updater for windows

• Jails and network isolation

• Private IPs can be seen by web page

• What have you guys replaced google reader with?

• Reader Replacements for Linux | The Linux Action Show s27e07

Build your own Google Reader replacement, or check out one of the hosted options. Will run down the list of the candidates we think have the best potential to replace Google Reader on Linux.

Round Up:

• Microsoft\’s Real-Time Translation Software Converts English to Chinese—and Preserves the Sound of Your Voice
• Declassified contract shows NSA subscribes to VUPEN
• Declassified FISC document: no company has challenged directives to turn over bulk telephone records
• Building vs. buying: How Netflix streams 114,000 years of video every month
• Netflix CEO says torrent piracy in Canada down 50 per cent
• Open letter from UK Security Researchers asks GCHQ/NSA to identify which crypto systems have been weakened
• Facebook Android Bug Sent Users\’ Photos in the Clear | Threatpost
• Tom Tomorrow comic from 1994 about the ClipperChip – still valid today
• NASDAQ left site vulnerable to XSS for more than 2 weeks after it was reported

The post WHOIS Hiding | TechSNAP 129 first appeared on Jupiter Broadcasting.

The business of selling 0day exploits is booming, we’ll explain how this shady market works, and how a couple guys turned a Verizon Network Extender into a spy listening post.

A huge batch of your questions…

And much much more, on This week’s TechSNAP!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! Get private registration FOR FREE with a .COM! code: free5
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Yahoo to start recycling disused email addresses, introduces new security feature to prevent abuse

• Yahoo’s email server has been running for a very very long time
• As such, many of the best usernames are taken, even though many of them have not been used in a decade
• So, Yahoo plans to start recycling those addresses that are no longer used
• The obvious problem with a move like this is that if there are any accounts still tied to this old email address, the new owner can request a password reset to the email address that they now control, and take over that account
• Yahoo’s Developers have come up with a rather ingenious way to prevent this, although the implementation is dependant on the 3rd party services to implement it (Facebook already has)
• Yahoo’s mail servers will now respect the non-standard header ‘Require­-Recipient­-Valid­-Since’
• The idea is that when Facebook sends a password reset email, they include this header with the date that the facebook account was created, if the yahoo email address is NEWER than that date, it may not belong to the same person any more, and yahoo will send a bounce message back to Facebook, rather than delivering the email
• This prevents someone from acquiring the disused email address and performing the password reset
• Yahoo has created an IETF Draft specification for this header, if ratified, it will become an internet standard and be added to the IANA Permanent Message Header Field registry
• It is not yet clear if other services such as Twitter will implement this
• It seems unlikely that Online Banking and other services will implement this system, so make sure all of your online services have a valid current email address, preferably one you plan to keep for the long term
• Yahoo Developers Blog

The business of selling 0day exploits is booming

• There are a number of businesses selling zero day exploits including: Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln in Malta
• There is as a Virginia startup called Endgame, apparently involving a former director of the NSA which is doing a lot of undisclosed business with the US Government
• The USA, Israel, Britain, Russia, India and Brazil spend staggering amounts of money buying these exploits
• Many other countries including North Korea, a number of Middle Eastern intelligence agencies, Malaysia and Singapore are also in the market
• These exploits have value both offensively and defensively, if you know the details of a zero day exploit, you can better protect yourself from others who may know about it as well
• However if you report it to the vendor so it gets patched, you protect everyone, but lose the offensive value
• The average zero-day exploits goes undetected for 312 days, before it gets used enough that AV vendors notice it and it gets reported and patched
• Services like Vupen charge $100,000/year for access to their catalogue, with varying prices of the actual exploits
• Netragard only sells to US clients, and reports that the average flaw now sells from $35,000 to $160,000
• In years past, rather than selling these flaws to companies like Vupen and ReVuln, who then sell them to governments, security researchers would report them to vendors like Microsoft and Google, just for the recognition and sometimes a t-shirt
• Many vendors now have bug bounty programs to reward researchers for reporting vulnerabilities, rather than keeping them, using them or selling them
• To counter this, Microsoft recently raised its bug bounty reward program, now up to $150,000

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

• A few weeks ago someone asked about creating a system to automatically route all of their traffic over TOR. A FreeBSD developer has created a simple system to do just that

• Runs FreeBSD? Mcafee Sidewinder enterprise firewall

• Submit the best security finds and the biggest fails to the pwnies – Awards Ceremony to be held at Blackhat USA 2013

• laptop/live-sd for cautious traveler

• Google\’s solution if you get hit by a bus.

• Roll Your Own CrashPlan

• pfSense Freezing

• Needs to start at square one to remotely login into his FreeNAS

• Seafile the OSS Dropbox Killer?

• Basically another Question

• Just wondering if either of you has used \’verified execution\’ or \’veriexec\’?

  • I have never used it, but there has been a lot of interesting discussion of it at BSD Conferences, and if I was trying to make an exceptionally secure system, it would definitely be something I would consider implementing
  • Introduction to Verified Exec – Brett Lymn – BSDCan 2012
  • Extension to veriexec to use digital signatures – Alistair Crooks – EuroBSDCon 2012
  • And for some other considerations to building a secure appliance: FreeBSD, Capsicum, GELI and ZFS as key components of a security applaince – Pawel Jakub Dawidek – BSDCan 2013

Round Up:

• Russia cites Snowden type leaks as basis for government control of the Internet
• Blackberry 10 devices send your email passwords in the clear back to BlackBerry HQ
• The EFF awards Yahoo a gold star for fighting to preserve users’ privacy against government spying
• 9 traits of a veteran network admin
• DuckDuckGo provides privacy, but only from advertisers, not governments
• Turning a Verizon Network Extender into a spy listening post
• Amazon 1 button sniffing your HTTPS traffic?
• Why collecting all data does not work – Lessons from Medical Tests
• Network Solutions posted on facebook that they were experiencing a large DDOS at 10:57 – Followup post said issue was resolved at 13:22
• Who has the most Web Servers – Updated July 2013
• Google backs up your wifi passwords in plain text?

The post Exploit Brokers | TechSNAP 119 first appeared on Jupiter Broadcasting.