Bug Bounty – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Wed, 16 Jun 2021 02:10:42 +0000

Ye Olde Linux Distro | LINUX Unplugged 410
https://original.jupiterbroadcasting.net/145317/ye-olde-linux-distro-linux-unplugged-410/
Tue, 15 Jun 2021 18:00:00 +0000

Show Notes: linuxunplugged.com/410

The post Ye Olde Linux Distro | LINUX Unplugged 410 first appeared on Jupiter Broadcasting.

Not Found | Coder Radio 404
https://original.jupiterbroadcasting.net/144447/not-found-coder-radio-404/
Wed, 10 Mar 2021 17:30:00 +0000

Show Notes: coder.show/404

Linux Action News 133
https://original.jupiterbroadcasting.net/137272/linux-action-news-133/
Sun, 24 Nov 2019 19:30:00 +0000

Show Notes: linuxactionnews.com/133

Internet of Voice Triggers | TechSNAP 302
https://original.jupiterbroadcasting.net/106226/internet-of-voice-triggers-techsnap-302/
Tue, 17 Jan 2017 07:37:39 +0000

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Malware hosted in your browser

  • Last show, we talked about malware, blocking it via URLs, and malware which spoofs domain names, thereby bypassing many URL-based filters.
  • This show, we have an instance of malware which completely defeats all of the above, in a very simple and clever way.
  • A common way to steal credentials is hosting a web page which looks a lot like the real thing. Google, Facebook, PayPal, etc. are all targets of this. It is simple to do: just throw up a web page and start directing people to it.
  • There are lots of ways to defeat this with conventional tools.
  • This method bypasses all those tools.
  • Tom Scott tweeted about malware he received via email.
  • When you click on the link, you get what appears to be a Google login page.
  • The URI is of the form: data:text/html,https…… lots of spaces <script src=data:text/html;…. etc.
  • However, it is hosted entirely within your browser: the whole page lives in the URI itself.
  • Matt Hughes reported that Android actually tries to autofill his Google account credentials on that data URI.
  • This has been around for at least a year, and was written about by linkcabin: it spoofs the login page by hosting it in your browser.
  • Surprisingly common, and often used to phish Google or PayPal.
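As an added example (not from the show or the researchers it cites), here is a small Python link checker that flags the pattern the notes describe: a data: URI carrying text/html whose body starts with a legitimate-looking URL, is padded with whitespace to push the rest out of the address bar, and loads a script from a nested data: URI. The sample links are constructed, and the base64 payload is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample link targets, as a mail filter or SOC tool might extract
# them from an email. Link 2 is modelled on the shape described in the notes;
# the base64 payload is a placeholder, not real content.
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin"
    + " " * 200
    + "<script src=data:text/html;base64,PLACEHOLDER></script>",
    "data:image/png;base64,iVBORw0KGgoAAAANSUhEUg",
    "DATA:text/html;charset=utf-8,%3Cscript%20src%3DPLACEHOLDER%3E%3C%2Fscript%3E",
]

# data:<mediatype>,<body>; the media type never contains a comma, the body may.
DATA_URI = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
LOOKALIKE_PREFIX = re.compile(r"^https?://", re.IGNORECASE)
PADDING = re.compile(r"[ \t]{20,}")
SCRIPT_OR_NESTED = re.compile(r"<script|data:text/html", re.IGNORECASE)


def analyse_link(href: str) -> dict:
    """Classify one link target.

    Only data: URIs carrying HTML are flagged; ordinary https links and
    data: images pass through. The reasons list explains the verdict so an
    analyst can see why a link was blocked."""
    m = DATA_URI.match(href)
    if not m:
        return {"href": href[:40], "suspicious": False, "reasons": []}
    mediatype, body = m.group(1), unquote(m.group(2))
    reasons = []
    if "text/html" in mediatype.lower():
        reasons.append("html-in-data-uri")
        if LOOKALIKE_PREFIX.match(body):
            reasons.append("body-starts-with-url")
        if PADDING.search(body):
            reasons.append("whitespace-padding")
        if SCRIPT_OR_NESTED.search(body):
            reasons.append("script-or-nested-data-uri")
    return {"href": href[:40], "suspicious": bool(reasons), "reasons": reasons}


def scan_links(links):
    """Return only the findings that were flagged."""
    return [r for r in (analyse_link(h) for h in links) if r["suspicious"]]


if __name__ == "__main__":
    for finding in scan_links(SAMPLE_LINKS):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Blocking every data:text/html link outright is the simpler rule; the reasons are there for teams that want to score rather than block.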

Bug Bounty – GitHub Enterprise SQL Injection

  • This story involves responsible research and disclosure by Orange Tsai.
  • GitHub Enterprise is the on-premises version of GitHub.com: it lets businesses deploy a whole GitHub service in their private network.
  • You can get a 45-day free trial and download the VM from enterprise.github.com.
  • The code is downloaded, configured, and observations begin.
  • GitHub uses a custom library to obfuscate their source code. If you search for ruby_concealer.so on Google, you will find a snippet in a gist.
  • The first two days go to getting the VM running, etc.
  • Days 3 to 5 are spent learning Rails by code reviewing.
  • On day 6, an SQL injection is found.

Oracle’s EULAgy #oraclefanfic | TechSNAP 227
https://original.jupiterbroadcasting.net/86507/oracles-eulagy-oraclefanfic-techsnap-227/
Thu, 13 Aug 2015 14:44:17 +0000

Oracle really doesn’t want you to reverse engineer their products, but they may have just released the Kraken; we’ll explain.

A massive drop of 35 fixes in one day, great feedback and follow-up, a rockin’ roundup & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent


— Show Notes: —

Oracle doesn’t think you should try to reverse engineer their products

  • “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for vulnerabilities because ‘it’s our job to do that, we are pretty good at it.’”
  • The blog post has since been taken down.
  • Archive.org copy of Oracle Blog post
  • Google Cache of Oracle Blog post
  • “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.”
  • This is where I take the most extreme exception.
  • First, I don’t imagine that it is average Oracle customers who are reverse engineering Oracle software looking for bugs.
  • Often, security research companies will look for bugs in major pieces of software (be it Flash, Windows, Firefox, Chrome, Java, etc.) with the goal of publishing their research once the bugs they find are fixed, in order to build a reputation and get security consulting customers.
  • This system depends on A) vendors actually accepting and acting upon bug reports, and B) vendors crediting the people who discover the flaws in the security advisory / patch notes.
  • When a researcher is helping you better your software, for free, the least you can do is give them credit where it is due.
  • If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist and isn’t an attack surface.
  • “‘I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,’ Davidson said in the post.”
  • So at least they are going to fix it, eventually…
  • “However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
  • But credit? Nope. Ohh, and we might decide to try to engage in litigation against you.
  • Of course, if you actually read the EULA, Oracle’s software is not warranted for any use whatsoever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
  • “‘Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,’ Davidson said in the post.”
  • Of course, Oracle’s legal department backpedaled, hard:
  • A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
  • “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect at Oracle.
  • Twitter reacted quickly.
  • A new trend has emerged around the hashtag #OracleFanFic.

Why not insider trade on EVERY company?

  • This Bloomberg View article starts with a typical description of how insider trading works, and how people get away with it.
  • It then digs into how a group of Ukrainian malicious actors did it against a huge number of companies, and illegally profited over $100 million.
  • The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public.
  • Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee or a stake in the action.
  • They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies.
  • “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and ‘created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.’”
  • “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies.”
  • “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. ‘The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants.’”
  • “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers ‘gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.’ They gained access to Business Wire after ‘the login credentials of approximately fifteen Business Wire employees had been “bruted.”’”
  • The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
  • Additional Coverage – Bloomberg
  • Additional Coverage – Threat Post
  • Justice Department Press Release
  • New Jersey Federal Criminal Complaint
  • Brooklyn Federal Criminal Complaint
  • SEC Press Release
  • SEC Civil Complaint

Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR

  • “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines.”
  • Make sure your Flash version is 18.0.0.232 or newer.
  • The fixed flaws include:
    • 16 use-after-frees
    • 8 memory corruptions
    • 5 type confusions
    • 5 buffer overflow and heap buffer overflow bugs
    • 1 integer overflow flaw
  • “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
  • In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks.”
  • “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said.
  • “Note: Beginning August 11, 2015, Adobe will update the version of the ‘Extended Support Release’ from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post.”
  • Official Adobe Advisory
  • The advisory gives thanks to a number of researchers and companies that found the vulnerabilities, including:
    • Google Project Zero
    • FortiGuard Labs
    • Alibaba Security Research Team
    • Chromium Vulnerability Rewards Program
    • 360 Vulcan Team
  • Additional Coverage

The Sound of Security | TechSNAP 142
https://original.jupiterbroadcasting.net/48582/the-sound-of-security-techsnap-142/
Thu, 26 Dec 2013 13:27:18 +0000

Researchers prove it’s possible to extract an RSA key from the noises your computer makes, and the NSA foils the great BIOS plot, but we’re a little skeptical…

Then it’s a batch of your questions, our answers, and much much more!

Thanks to: GoDaddy, Ting, iXsystems

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent


— Show Notes: —

RSA Key Extraction via Acoustic Cryptanalysis

  • Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components.
  • These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
  • In the report they describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA.
  • The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
  • Experimentally they demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters (13 feet) away.
  • A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones.
  • They have disclosed the attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resisting the current key-extraction attack, were released concurrently with the first public posting of these results.
  • PDF Report
  • Adi Shamir – Wikipedia
  • Inventor of SSSS (Shamir’s secret-sharing scheme)
  • CVE – CVE-2013-4576

NSA Says It Foiled the BIOS Plot

  • Called a BIOS plot, the exploit would have ruined, or “bricked,” computers across the country, causing untold damage to the national and even global economy.
  • Debora Plunkett, director of cyber defense for the National Security Agency, described for the first time a cataclysmic cyber threat the NSA claims to have stopped on Sunday’s “60 Minutes.”
  • CBS suggests China is to blame; the NSA does not confirm or deny that in the interview.
  • CBS reported the “virus” would be delivered via a software update to every computer’s BIOS.
  • The NSA says it closed this vulnerability by working with computer manufacturers.
  • No further technical or general details were provided.
  • CBS Airs NSA Propaganda Infomercial Masquerading As ‘Hard Hitting’ 60 Minutes Journalism By Reporter With Massive Conflict Of Interest
  • In the end, this appears to be the NSA stealing the plot from our book recommendation a few weeks ago, Mark Russinovich’s Zero Day, which is very much the same plot (copyright March 2011), except the attackers were wealthy backers of Al Qaeda instead of the Chinese.
  • In the sequel, Trojan Horse, China uses APT techniques to compromise computers at the UN Office for Disarmament Affairs, and alter a report about Iran’s nuclear weapons program to disrupt international attempts to prevent Iran from getting nuclear weapons. Look for this story on the news next year…

Krebs: The Case For a Global, Compulsory Bug Bounty

  • Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products
  • This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
  • Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices.
  • The director of research for Austin, Texas-based NSS Labs examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed.
  • Even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies’ annual revenue.
  • To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers.
  • The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.
  • The Case for a Compulsory Bug Bounty — Krebs on Security
  • How many Zero-Days hit you today?
