Broadwell – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand.

An Encryptioner’s Conscience | TechSNAP 217
https://original.jupiterbroadcasting.net/83272/an-encryptioners-conscience-techsnap-217/
Thu, 04 Jun 2015 17:35:50 +0000

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.


The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

Thanks to: DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

The sad state of SMTP (email) encryption

  • The linked article walks through the problems with the way email transport encryption is done in practice
  • When a client submits mail to a mail server, and when mail servers talk to each other to exchange that mail, they have the option of encrypting the connection to prevent snooping
  • This “opportunistic” encryption only happens if the server you are connecting to (as a client, or as another server) advertises the STARTTLS extension in its reply to your EHLO greeting
  • If that keyword is there, your client can optionally send the STARTTLS command, and the rest of the session is carried over TLS
  • The first problem is that this negotiation happens in plain text, so nothing protects it against modification in transit
  • Some Cisco firewalls (the ESMTP inspection feature on ASA/PIX is the classic case), and most bad guys, will simply edit the server’s reply before it reaches you to remove the STARTTLS keyword, so your client assumes the server just doesn’t speak TLS and carries on in the clear
  • Do we maybe need something like HSTS for SMTP?
  • When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
  • But this is only the beginning of the problem
  • SSL/TLS are designed to provide 3 guarantees:
    • Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented certificate chains to a trusted CA and that its name matches the host you meant to reach
    • Integrity: The message was not modified or tampered with by someone during transit. This is provided by a MAC (Message Authentication Code), a keyed hash over each record (or the authentication tag of an AEAD cipher), which detects any modification
    • Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption under a session key agreed with the other side using asymmetric cryptography tied to the key in the certificate.
  • Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates, and a sender that rejected them would bounce a great deal of legitimate mail
  • Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
  • The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name there, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
  • But even if we did enforce this, and rejected servers with self-signed certificates, without DNSSEC someone could simply spoof the MX records: instead of my mail going over an encrypted channel to your server, which I have verified, I would be handed a forged MX record telling me to deliver to mx1.evilguy.com, which has a perfectly valid certificate for that name
  • In the end, the better solution looks like it will be DNSSEC + DANE: publish a TLSA record for the MX host (at _25._tcp.<mx hostname>, alongside the MX record that points to it) carrying the fingerprint of the correct certificate, and sign the zone so the record cannot be spoofed the way the MX record could
  • With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point; the trust moves to the DNS root and your registrar instead
  • Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected, and if it eventually makes it to its destination, people are much less likely to notice.
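
The STARTTLS negotiation and the stripping attack from the bullets above, as an added example that is not part of the episode or of the article it summarises. Everything runs on loopback: a fake mail server that speaks only greeting/EHLO/STARTTLS/QUIT, a relay that deletes the `250-STARTTLS` line the way a stripping middlebox does, and a client built on the standard library’s `smtplib`. The hostnames (`mx.example.test`, `probe.example.test`), the ports and the server itself are all constructed for the demo; the fake server stops after acknowledging STARTTLS instead of wrapping the socket, because only the negotiation is under study.

```python
# Added example (not from the episode or the article): opportunistic STARTTLS
# and the downgrade a STARTTLS-stripping middlebox performs, on loopback.
# Hostnames, ports and the fake server are constructed. Standard library only.
import smtplib
import socket
import threading

CRLF = b"\r\n"


def _listen():
    """Bind a loopback listener on an OS-chosen free port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def _serve(srv, handler):
    """Accept connections in a daemon thread, one handler thread per client."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def fake_mail_server(advertise_starttls=True):
    """Minimal SMTP 'server': greeting, EHLO, STARTTLS, QUIT. A real server
    would wrap the socket in TLS after answering 220 to STARTTLS; this one
    stops there. Returns the port it listens on."""
    srv, port = _listen()

    def handle(conn):
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mx.example.test ESMTP" + CRLF)
            for raw in rd:
                verb = raw.split()[0].upper() if raw.split() else b""
                if verb == b"EHLO":
                    lines = [b"250-mx.example.test", b"250-PIPELINING"]
                    if advertise_starttls:
                        lines.append(b"250-STARTTLS")   # the opportunistic offer
                    lines.append(b"250 8BITMIME")        # STARTTLS is never last here
                    conn.sendall(CRLF.join(lines) + CRLF)
                elif verb == b"STARTTLS":
                    conn.sendall(b"220 Ready to start TLS" + CRLF)
                    return
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye" + CRLF)
                    return
                else:
                    conn.sendall(b"502 Command not implemented" + CRLF)

    _serve(srv, handle)
    return port


def stripping_middlebox(upstream_port):
    """TCP relay that forwards everything except the server's '250-STARTTLS'
    line. The client then believes the server cannot do TLS and stays in
    clear. Returns the relay's port."""
    srv, port = _listen()

    def handle(client):
        upstream = socket.create_connection(("127.0.0.1", upstream_port))

        def client_to_server():
            try:
                with client.makefile("rb") as rd:
                    for raw in rd:
                        upstream.sendall(raw)
            except OSError:
                pass
            finally:
                try:
                    upstream.shutdown(socket.SHUT_WR)
                except OSError:
                    pass

        threading.Thread(target=client_to_server, daemon=True).start()
        try:
            with upstream.makefile("rb") as rd:
                for raw in rd:
                    if raw.rstrip().upper() == b"250-STARTTLS":
                        continue                  # the downgrade: drop the offer
                    client.sendall(raw)
        except OSError:
            pass
        finally:
            client.close()
            upstream.close()

    _serve(srv, handle)
    return port


def starttls_offered(port, require_tls=False):
    """EHLO the server and report whether STARTTLS was advertised. With
    require_tls=True the client refuses cleartext instead of silently
    downgrading, which needs prior knowledge that the peer supports TLS."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="probe.example.test",
                      timeout=5) as s:
        s.ehlo()
        offered = s.has_extn("starttls")
        if require_tls and not offered:
            raise smtplib.SMTPNotSupportedError(
                "server did not offer STARTTLS; refusing cleartext delivery")
        return offered


if __name__ == "__main__":
    honest = fake_mail_server()
    mitm = stripping_middlebox(honest)
    print("direct   :", starttls_offered(honest))   # True
    print("via mitm :", starttls_offered(mitm))     # False
```

The `require_tls` branch is the only client-side defence, and it only works when the client already knows the server does TLS: that knowledge is exactly what a DNSSEC-signed TLSA record (next item) or, later, an MTA-STS policy (RFC 8461) supplies, since a policy the attacker cannot edit is what the opportunistic EHLO reply lacks.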

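The DNSSEC + DANE arrangement described above, as an added example (not the episode’s or the article’s code): how a TLSA record for an MX host is formed, where it is published, and how a sending MTA matches it against the certificate chain it was shown, following the selector and matching-type rules of RFC 6698 and the SMTP usage rules of RFC 7672 (published a few months after this episode). The certificate and public-key byte strings are constructed placeholders rather than real DER, and `mx.example.test` is an assumed MX hostname; a real MTA would take the DER objects from the TLS handshake and the record from a validating resolver.

```python
# Added example (not from the episode or the article): forming and matching a
# DANE TLSA record for an MX host. Certificate/key bytes are constructed
# placeholders, not real DER; mx.example.test is an assumed hostname.
import hashlib
import hmac

USAGE_DANE_TA, USAGE_DANE_EE = 2, 3          # usages 0/1 (PKIX-*) are not used for SMTP
SELECTOR_CERT, SELECTOR_SPKI = 0, 1          # whole certificate vs SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins for DER objects a real MTA gets from the TLS handshake.
LEAF_CERT = b"constructed DER: leaf certificate for mx.example.test"
LEAF_SPKI = b"constructed SPKI: public key of mx.example.test"
CA_CERT = b"constructed DER: issuing CA certificate"
CA_SPKI = b"constructed SPKI: issuing CA public key"
EVIL_CERT = b"constructed DER: attacker's CA-issued certificate"
EVIL_SPKI = b"constructed SPKI: attacker's public key"


def tlsa_owner_name(mx_host, port=25):
    """The record lives under the MX *host*, not the mail domain: if example.org's
    MX is mx.example.test, the record name is _25._tcp.mx.example.test."""
    return "_%d._tcp.%s." % (port, mx_host.rstrip("."))


def tlsa_data(selector, matching_type, cert_der, spki_der):
    """Certificate association data for one certificate, per RFC 6698."""
    blob = spki_der if selector == SELECTOR_SPKI else cert_der
    if matching_type == MATCH_FULL:
        return blob
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_zone_line(mx_host, usage, selector, matching_type, cert_der, spki_der, port=25):
    """Render the record as the zone operator publishes it (the zone must be DNSSEC-signed)."""
    data = tlsa_data(selector, matching_type, cert_der, spki_der)
    return "%s IN TLSA %d %d %d %s" % (
        tlsa_owner_name(mx_host, port), usage, selector, matching_type, data.hex())


def parse_tlsa_rdata(zone_line):
    """(usage, selector, matching_type, data) from a zone line; hex may be split by spaces."""
    fields = zone_line.split()
    i = fields.index("TLSA")
    return (int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
            bytes.fromhex("".join(fields[i + 4:])))


def dane_accepts(zone_line, chain):
    """Does the presented chain (list of (cert_der, spki_der), leaf first)
    satisfy the record? Usage 3 (DANE-EE): only the leaf is compared and no CA,
    name or expiry check applies, so a self-signed certificate is fine as long
    as the zone is signed. Usage 2 (DANE-TA): some issuer in the chain must
    match; validating the path from the leaf up to that issuer is omitted here."""
    usage, selector, mtype, expected = parse_tlsa_rdata(zone_line)
    if usage == USAGE_DANE_EE:
        candidates = chain[:1]
    elif usage == USAGE_DANE_TA:
        candidates = chain[1:]
    else:
        return False          # PKIX-TA / PKIX-EE are unusable for SMTP (RFC 7672)
    return any(hmac.compare_digest(tlsa_data(selector, mtype, c, s), expected)
               for c, s in candidates)


if __name__ == "__main__":
    record = tlsa_zone_line("mx.example.test", USAGE_DANE_EE, SELECTOR_SPKI,
                            MATCH_SHA256, LEAF_CERT, LEAF_SPKI)
    print(record)
    print(dane_accepts(record, [(LEAF_CERT, LEAF_SPKI)]))                          # True
    print(dane_accepts(record, [(EVIL_CERT, EVIL_SPKI), (CA_CERT, CA_SPKI)]))      # False
```

The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one most operators publish: it survives certificate renewals as long as the key is kept, and an attacker with a CA-issued certificate for the vanity name still fails the check because the fingerprint, not the CA, is what the sender trusts.
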
Researchers find 60 flaws in 22 common consumer network devices

  • A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
  • They found serious flaws in 22 different SOHO network devices, including ones from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
  • Most of the devices they surveyed are ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact: a large share of Internet users in Spain have one of these 22 devices in their home
  • They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices:
    • Persistent Cross Site Scripting (XSS)
    • Unauthenticated Cross Site Scripting
    • Cross Site Request Forgery (CSRF)
    • Denial of Service (DoS)
    • Privilege Escalation
    • Information Disclosure
    • Backdoor
    • Bypass Authentication using SMB Symlinks
    • USB Device Bypass Authentication
    • Bypass Authentication
    • Universal Plug and Play related vulnerabilities
  • All of this makes me glad my router runs FreeBSD.
  • Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560 MHz MIPS CPU and can run FreeBSD 11 or Linux-based firmware such as DD-WRT
  • Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

  • “CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
  • It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
  • “According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
  • “There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
  • “As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
  • “On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)
  • So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
  • Such targeted attacks on teleworkers are a disturbing new trend
  • The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
  • “Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
  • Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian
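
The lookalike domains quoted above (we11point, prennera, careflrst, caref1rst, EmpireB1ue) all rely on the same trick: a character or pair of characters that reads like another. As an added example, not from the Krebs article or ThreatConnect’s work, here is a check that generalizes those substitutions by reducing each domain label to a “skeleton” in which confusable characters and pairs collapse to one canonical form, so a lookalike and the brand it imitates compare equal. The brand list and the domain list are constructed for the demo (the squatted names are the ones the article cites, mixed with unrelated domains); Unicode/IDN homographs are out of scope.

```python
# Added example (not from the article quoted above): a skeleton-based
# lookalike-domain check generalizing the l->1, i->l, i->1 and m->nn
# substitutions seen in the campaign. Brand and domain lists are constructed.

# Pairs first (two characters that read as one), then single characters.
# Lossy on purpose: a hit is a candidate for a human to look at, not proof.
_PAIRS = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d")]
_CHARS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "8": "b"})

BRANDS = ["wellpoint", "premera", "carefirst", "empireblue"]

# Constructed sample: domains named in the article plus some that must not match.
SAMPLE_DOMAINS = [
    "we11point.com", "myhr.we11point.com", "hrsolutions.we11point.com",
    "prennera.com", "careflrst.com", "caref1rst.com", "empireb1ue.com",
    "wellpoint.com", "carefirst.com", "example.com", "digitalocean.com",
]


def skeleton(label):
    """Canonical form of a label: 'we11point' and 'wellpoint' both give 'wellpolnt'."""
    s = label.lower()
    for pair, single in _PAIRS:
        s = s.replace(pair, single)
    return s.translate(_CHARS)


def registrable_label(domain):
    """Second-level label ('we11point' for myhr.we11point.com). Assumes a
    one-part public suffix; co.uk-style suffixes would need a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(brands, domains):
    """Return [(domain, brand)] for each domain whose registrable label has the
    same skeleton as a brand but is not the brand itself."""
    by_skeleton = {skeleton(b): b.lower() for b in brands}
    hits = []
    for domain in domains:
        label = registrable_label(domain)
        brand = by_skeleton.get(skeleton(label))
        if brand is not None and label != brand:
            hits.append((domain, brand))
    return hits


if __name__ == "__main__":
    for domain, brand in find_lookalikes(BRANDS, SAMPLE_DOMAINS):
        print("%-28s looks like %s" % (domain, brand))
```

Run against new-registration feeds or certificate-transparency logs, a check like this flags the infrastructure weeks before the phishing mail goes out; the skeleton table is deliberately small and should be extended with whatever confusables the fonts in your users’ mail clients actually produce.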

First review of Intel’s new Broadwell desktop processors

  • The long awaited new line of desktop processors has landed
  • Problems with the new 14nm fabrication process delayed the entire Broadwell line, significantly so in the case of the desktop chips
  • The two new models are the Core i7-5775C and Core i5-5675C, both with a 65W TDP
  • These Broadwell chips have a lower TDP than their top-end Haswell cousins, landing closer to the lower clocked 65W i7-4790S than the 84W i7-4770K
  • Overall, speeds are not quite as fast as the current generation Haswell flagship processors
  • These new processors use Intel’s Iris Pro 6200 integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
  • Broadwell will be replaced by Skylake later this year, so you might want to wait to make your next big purchase
  • Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
  • In the end, it is a bit unexpected for the desktop range to include only 2 processors, both in the middle of the TDP range, with no offerings at the lower end (35W) or higher end (88W)
  • Some of the benchmarks suggest the eDRAM may help with video encoding

Feedback:


Round Up:


Business as Usual | BSD Now 86
https://original.jupiterbroadcasting.net/81017/business-as-usual-bsd-now-86/
Thu, 23 Apr 2015 09:26:48 +0000


Coming up this time on the show, we’ll be chatting with Antoine Jacoutot about how M:Tier uses BSD in their business. After that, we’ll be discussing the different release models across the BSDs, and which style we like the most. As always, answers to your emails and all the latest news, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean | iXsystems | Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Optimizing TLS for high bandwidth applications

  • Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
  • TLS has traditionally had too much overhead for the levels of bandwidth they’re using, so this PDF outlines some of their strategy for optimizing it
  • The sendfile() syscall (which nginx uses to push file data straight from the page cache to the socket) cannot be used once the data has to pass through userland to be encrypted, and that extra copy is where much of the cost goes
  • To get around this, Netflix is proposing to add TLS support (at least the bulk symmetric encryption) to the FreeBSD kernel, so sendfile() can keep its zero-copy path
  • Having encrypted movie streams would be pretty neat

Crypto in unexpected places

  • OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
  • One place you might not expect crypto to be used (or even needed) is in the “ping” utility, right? Well, think again
  • David Gwynne recently committed a change that adds a MAC over the ping timestamp payload
  • By default, the payload is filled with a ChaCha stream instead of an unvarying pattern, and David says “this lets us have some confidence that the timestamp hasn’t been damaged or tampered with in transit”
  • Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward, since a link that corrupts bytes now shows up as a failed check instead of a bogus round-trip time
  • Maybe we can look forward to a cryptographically secure “echo” command next…
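
The idea behind that ping change, as an added example that is not OpenBSD’s code: a timestamp followed by varying filler, with a MAC over both, so a reply whose bytes were damaged or rewritten in transit fails verification instead of producing a nonsense round-trip time. OpenBSD uses a ChaCha keystream for the filler and its own MAC construction; this example substitutes `os.urandom` filler and HMAC-SHA256 truncated to 16 bytes from the standard library, and the payload layout is the example’s own assumption. The corruption is simulated by flipping one bit.

```python
# Added example (not OpenBSD's code): a MAC-protected ping-style payload.
# Filler is os.urandom and the MAC is truncated HMAC-SHA256, both assumptions
# of this demo rather than OpenBSD's ChaCha construction. Layout is our own.
import hashlib
import hmac
import os
import struct
import time

TS_LEN = 8                 # 64-bit signed nanosecond timestamp, network order
MAC_LEN = 16               # truncated tag; 128 bits is ample for this purpose
KEY = os.urandom(32)       # per-process key, like a per-run ping session key


def build_payload(total_len, now_ns=None, key=KEY):
    """timestamp || varying filler || MAC(timestamp || filler).
    A constant filler (say all 0x41) hides a link that corrupts or rewrites
    bytes; varying filler plus a MAC makes every such change detectable."""
    if total_len < TS_LEN + MAC_LEN:
        raise ValueError("payload too short for timestamp and MAC")
    ts = struct.pack("!q", time.time_ns() if now_ns is None else now_ns)
    filler = os.urandom(total_len - TS_LEN - MAC_LEN)
    body = ts + filler
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def check_reply(payload, key=KEY):
    """Return (ok, timestamp_ns). ok is False when the echoed payload was
    truncated, corrupted or forged; the timestamp is then not trusted."""
    if len(payload) < TS_LEN + MAC_LEN:
        return False, None
    body, tag = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):       # constant-time compare
        return False, None
    return True, struct.unpack("!q", body[:TS_LEN])[0]


def rtt_ns(reply_payload, now_ns, key=KEY):
    """Round-trip time only from a reply that verifies; None otherwise."""
    ok, sent = check_reply(reply_payload, key)
    return now_ns - sent if ok else None


def flip_bit(data, index):
    """Constructed fault: a bad switch flipping one bit of the packet in transit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    p = build_payload(56)                       # classic 56-byte ping payload
    print(check_reply(p))                       # (True, <timestamp>)
    print(check_reply(flip_bit(p, 3)))          # (False, None): timestamp damaged
    print(check_reply(flip_bit(p, 20)))         # (False, None): filler damaged
```

Because the key never leaves the sending process, a third party cannot forge a reply that passes the check either, which is the “tampered with” half of the commit message; a forged reply with a plausible timestamp would otherwise be indistinguishable from a real one.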

Broadwell in DragonFly

  • The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
  • Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn’t work
  • The two main show-stoppers right now are the graphics and wireless, but they have someone who’s already making progress with the GPU support
  • Wireless support will likely have to wait until FreeBSD gets it, then they’ll port it back over
  • None of the BSDs currently have full Broadwell support, so stay tuned for further updates

DIY NAS software roundup

  • In this blog post, the author compares a few different software solutions for a network attached storage device
  • He puts FreeNAS, one of our favorites, up against a number of opponents – both BSD and Linux-based
  • NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
  • If you’ve been thinking about putting together a NAS, but aren’t quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
  • Some competition is always good, gotta keep those guys on their toes

Interview – Antoine Jacoutot – ajacoutot@openbsd.org / @ajacoutot

OpenBSD at M:Tier, business adoption of BSD, various topics


News Roundup

OpenBSD on DigitalOcean

  • When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction – we hoped that all the other BSDs would soon follow
  • This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
  • Using a -current snapshot and some swapfile trickery, it’s possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
  • After doing so, you just boot from their web UI-based console and can perform a standard installation
  • You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step

Initial ARM64 support lands in FreeBSD

  • The ARM64 architecture (the 64-bit execution state of ARMv8, also called AArch64) is a new generation of CPUs that will mostly be in embedded devices
  • FreeBSD has just gotten support for this platform in the -CURRENT branch
  • Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU – now a full build is possible
  • Work should now start happening in the main source code tree, and hopefully they’ll have full support in a branch soon

Scripting with least privilege

  • A new scripting language with a focus on privilege separation, running a script with only the authority it absolutely needs, has been making headlines lately
  • Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
  • Shill aims to answer the questions “how do we limit the authority of scripts” and “how do we determine what authority is necessary” by including a declarative security policy that’s checked and enforced by the language runtime
  • If used on FreeBSD, Shill will use Capsicum for sandboxing
  • You can find some more of the technical information in their documentation pdf or watch their USENIX presentation video
  • Hacker News also had some discussion on the topic

OpenBSD first impressions

  • A brand new BSD user has started documenting his experience through a series of blog posts
  • Formerly a Linux guy, he’s tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop
  • The first post goes into why he chose BSD at all, why he’s switching away from Linux, how the initial transition has been, what you’ll need to relearn and what he’s got planned going forward
  • He’s only been using OpenBSD for a few days as of the time this was written – we don’t usually get to hear from people this early in on their BSD journey, so it offers a unique perspective

PC-BSD and 4K oh my!

  • Yesterday, Kris Moore got ahold of some 4K monitor hardware to test PC-BSD out
  • The short of it – It works great!
  • Minor tweaks being made to some of the PC-BSD defaults to better accommodate 4K out of box
  • PSA: This particular model monitor ships with DisplayPort set to 1.1 mode only, switching it to 1.2 mode enables 60Hz properly

Feedback/Questions


Discussion

Comparison of BSD release cycles


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re still looking for some new interviews, so let us know if you’re interested in coming on the show (or have someone you’d like us to approach)
  • If we have any listeners in Poland, there’s a new Polish BSD users group that’s just started up
  • If you’re closer to Germany, there’s a local BSD installfest happening on May 15th in the Landshut area
  • If neither of those locations are close to you, but India is, there’s the brand new New Delhi BSD users group as well
  • Check the show notes for the links to all of those
  • Lastly, the EuroBSDCon 2015 call for papers has been extended due to the massive amount of last-minute submissions, so now you’ve got until May 22nd to send in your ideas

Shields Up | CR 101
https://original.jupiterbroadcasting.net/57227/shields-up-cr-101/
Mon, 12 May 2014 16:27:23 +0000


It’s a day filled with war stories, we start off by sharing how things have blown up in our laps this morning, and cover your excellent feedback.

Then – Chris shares his new gadget purchase, and how it’s making him re-think some of his firm opinions.

Thanks to: Linux | DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes: —

Follow up / Feedback



Dev Hoopla

The post Shields Up | CR 101 first appeared on Jupiter Broadcasting.

]]>