Show Notes: linuxactionnews.com/148

The post Linux Action News 148 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/417

The post Machine Learning Magic | TechSNAP 417 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Researcher accidently roots Microsoft Azure’s Redhat Update Infrastructure servers

• “I was tasked with creating a machine image of Red Hat Enterprise Linux that was compliant to the Security Technical Implementation guide defined by the Department of Defense.”
• “This machine image was to be used for both Amazon Web Services and Microsoft Azure. Both of which offer marketplace images which had a metered billing pricing model. Ideally, I wanted my custom image to be billed under the same mechanism, as such the virtual machines would be able to consume software updates from a local Red Hat Enterprise Linux repository owned and managed by the cloud provider.”
• “Both Amazon Web Services and Microsoft Azure utilise a deployment of Red Hat Update Infrastructure for supplying this functionality.”
• “There is only one Red Hat Update Appliance per Red Hat Update Infrastructure installation, however, both Amazon Web Services and Microsoft Azure create one per region.”
• “Both Amazon Web Services and Microsoft Azure use SSL certificates for authentication against the repositories. However, these are the same SSL certificates for every instance.”
• “On Amazon Web Services having the SSL certificates is not enough, you must have booted your instance from an AMI that had an associated billing code. It is this billing code that ensures you pay the extra premium for running Red Hat Enterprise Linux.”
• “On Azure it remains undefined how they manage to track billing. At the time of research, it was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available.”
• “On Azure to setup repository connectivity, they provide an RPM with the necessary configuration. The installation script it references comes from the following archive. If you expand this archive you will find the client configuration for each region.
• The post goes over how the hostnames for all of the Update Appliances were discovered
• “The build host is interesting rhui-monitor.cloudapp.net, at the time of research running a port scan revealed an application running on port 8080.”
• “Despite the application requiring username and password based authentication, It was possible to execute a run of their “backend log collector” on a specified content delivery server. When the collector service completed the application supplied URLs to archives which contain multiple logs and configuration files from the servers.”
• “Included within these archives was an SSL certificate that would grant full administrative access to the Red Hat Update Appliances”
• So now, the researcher could access each Update Appliance with full administrative access, create new packages, or newer versions of common packages, that include a backdoor. Every Redhat VM on the entire cloud provider would then install this “important security update”, giving the attack full access to every machine
• “Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.”
• Even if gpgcheck was enabled, it is likely that the GPG key would be exposed to the administrator of the update appliance
• “The issue was reported in accordance to the Microsoft Online Services Bug Bounty terms. Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net. Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets.”

Newly discovered router flaw being hammered by in-the-wild attacks

• “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.”
• “Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.”
• “SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.”
• “The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.”
• “The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.”
• Exploit Code
• “To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices”
• “The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:”
  • busybox iptables -A INPUT -p tcp –destination-port 7547 -j DROP
• busybox killall -9 telnetd
• “which should make the device “secure”… until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
• So while exploited routers will stop being vulnerable to other attackers, they will be harder for the ISP to fix properly
• ISPs could help protect their customers, and their own command-and-control of customers’ routers, by blocking inbound port 7547 from outside of their network

Hack Windows 10 by holding down Shift+F10

• “Every Windows 10 in-place Upgrade is a SEVERE Security risk”
• During the update process, when the computer boots into the updater, holding Shift+F10 will pop a command prompt, running as SYSTEM, the highest privilege level possible on windows.
• What makes this worse, is that this happens after the volume encryption keys have been loaded, so even bitkeeper encrypted disks are vulnerable to access by unauthorized people
• “This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.”
• “There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video.”
• “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software.”
• Additional Coverage: BleepingComputer
• “In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update, even if a user is not present, or has logged on for a long period of time.”
• “At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.”
• “Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.”
• “The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades”
• “Furthermore, Laiho says that Windows SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.”
• The Police could use this on seized laptops, just keep the machine offline until the next “feature update”, then pop a command prompt during the installation, and have unrestricted access to the encrypted disk.

Feedback:

• Chris’ MeetBSD Road Trip Videos

• MeetBSD Videos

• Two Factor authentication

• All eggs in one basket

• VMDKs on ZFS vs. ZFS on VMDKs

• ZFS Send/Receive Question

• Backblaze Hard Drive Failure Rates for Q3 of 2016

• HGST drives still the most reliable
• Seagate ST4000DM000 still the most plentiful, good reliability, great SMART data
• WD drives still hard to get in quantity
• BackBlaze continued its migration from 2TB to 8TB drives. Resulting in the first time they have ever had fewer drives than the previous quarter.
• Replacing 4400 2TB drives with 5100 8TB drives, turned 9 PB into 40 PB

Round Up:

• Ransomware creep accidentally hijacks San Francisco Muni, won’t give it back
• San Francisco Rail System Hacker Hacked
• UK’s new Snoopers’ Charter just passed an encryption backdoor law by the backdoor
• The GeoCities cagge at the Exodus data center, circa 1999
• FBI to gain expanded hacking powers as Senate effort to block fails
• Exploiting a game to create a software updater
• AWS launches Amazon Lightsail, a DigitalOcean killer offering $5 virtual private servers
• SSH using Certificates
• AWS launches Shield to protect web applications from DDoS attacks
• The Internet Archive (archive.org) is creating a complete backup of its 15 Petabytes of data in Canada, to shield it from the US government
• Plex Gets Its Own Kodi Add-On
• Schneier: The Key to IoT Security Incentives
• Slack client for Commodore 64
• ClickClickClick dot Click

The post Shift+F10 and Done | TechSNAP 295 first appeared on Jupiter Broadcasting.

The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery is.

Plus the good news for openSSL, the top 10 Windows configuration mistakes, and big batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

TrueCrypt shuts down unexpectedly

• TrueCrypt is a cross-platform image or whole disk encryption system
• The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
• The page states now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
• The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
• The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
• This was originally thought to be a hack of the site, or a hoax
• The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
• While the code is available, the license is restrictive
• The developers of TrueCrypt are anonymous
• GIST tracking various bits of information and speculating about possible causes
• ThreatPost coverage
• One of the suspicious things about the announcement is the recommendation to use BitLocker, the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
• There is some speculation that this could be a ‘warrant canary’, the authors’ way to telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
• However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
• The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
• The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
• Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

• The CII has announced its Advisory board and the list of projects it is going to support
• Advisory Board members include:
• longtime Linux kernel developer and open source advocate Alan Cox
• Matt Green of Open Crypto Audit Project
• Dan Meredith of the Radio Free Asia’s Open Technology Fund
• Eben Moglen of Software Freedom Law Center
• Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
• Eric Sears of the MacArthur Foundation
• Ted T’so of Google and the Linux kernel community
• Projects identified as core infrastructure:
• Network Time Protocol
• OpenSSH
• OpenSSL
• Open Crypto Audit Project to conduct security audit of OpenSSL
• The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
• the OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
• OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 windows server security misconfigurations

• NCCGroup does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
• The following is the result of an analysis of their last 50 such surveys:
  • Missing Microsoft Patches: 82%
  • Insufficient Auditing: 50%
  • Third-Party Software Updates: 48%
  • Weak Password Policy: 38%
  • UAC Disabled for Administrator Account: 34%
  • Disabled Host-Based Firewall: 34%
  • Clear Text Passwords and Other Sensitive Information: 24%
  • Account Lockout Disabled: 20%
  • Out-of-Date Virus Definitions: 18%
  • No Antivirus Installed: 12%
• Conclusions: Everyone makes the same mistakes, over and over
• Most of these problems are trivial to fix
• Part of the problem is this culture of ‘patch averseness’, partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
• Part of this is the fact that they only issue updates once a month, and only once they have been tested
• In the study, most of the machines that were missing patches, were missing patches that were more than a year old, so it isn’t just conservatism, but just a complete lack of proper patch management

Feedback:

• FreeBSD Developers Summit

• BSDCan 2014 videos

• Replacing failed disk in Freenas

• Am I too old?

• Bacula Retention and Storage Guidance

• VLAN Tag You\’re It

• Virtualisation as a Work LAN Solution

• devops is specialization

• DevOps – Wikipedia, the free encyclopedia

• Can you please talk about load balancing?

• Update on me not getting a job.

Round-Up:

• DISH Teams Up with Coinbase to Become Largest Company to Accept Bitcoin
• Post Mortem at Joyent — Opps, I accidently rebooted every server in the data center at once
• Official Google Blog: Getting to work on diversity at Google
• PeakScale’s list of PostMortems from all around the web
• YouTube starts rating U.S. ISPs, puts its weight behind settlement-free peering
• Why you don’t want to use AES-XTS encryption for anything except FDE
• Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update [Fixed]
• Security concerns about HTTP/2.0 — rushing to finish and cutting corners
• Separate from the recent eBay hack, an XSS vulnerability that has not been fixed
• Last night on IRC to topic changes to VGA, and Peter Wemm dug out his old dual cpu Pentium 90mhz running FreeBSD
• Windows XP hack to get updates — Not a great idea

The post Tales from the TrueCrypt | TechSNAP 164 first appeared on Jupiter Broadcasting.