CVE – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Last updated: Thu, 14 Jul 2022 07:58:12 +0000

Linux Action News 249
https://original.jupiterbroadcasting.net/149237/linux-action-news-249/
Thu, 14 Jul 2022 03:00:00 +0000
Show Notes: linuxactionnews.com/249

The post Linux Action News 249 first appeared on Jupiter Broadcasting.

Real People Are Out There | LINUX Unplugged 420
https://original.jupiterbroadcasting.net/145947/real-people-are-out-there-linux-unplugged-420/
Tue, 24 Aug 2021 17:45:00 +0000
Show Notes: linuxunplugged.com/420

Linux Action News 182
https://original.jupiterbroadcasting.net/144607/linux-action-news-182/
Sun, 28 Mar 2021 17:45:00 +0000
Show Notes: linuxactionnews.com/182

Back in the Freedom Dimension | LINUX Unplugged 398
https://original.jupiterbroadcasting.net/144562/back-in-the-freedom-dimension-linux-unplugged-398/
Tue, 23 Mar 2021 17:30:00 +0000
Show Notes: linuxunplugged.com/398

The Waybig Machine | LINUX Unplugged 395
https://original.jupiterbroadcasting.net/144382/the-waybig-machine-linux-unplugged-395/
Tue, 02 Mar 2021 18:00:00 +0000
Show Notes: linuxunplugged.com/395

Linux Action News 163
https://original.jupiterbroadcasting.net/143387/linux-action-news-163/
Sun, 15 Nov 2020 14:15:00 +0000
Show Notes: linuxactionnews.com/163

Keeping up with Kubernetes | TechSNAP 392
https://original.jupiterbroadcasting.net/128411/keeping-up-with-kubernetes-techsnap-392/
Thu, 13 Dec 2018 08:10:02 +0000
Show Notes: techsnap.systems/392

Domestic Disappointments | TechSNAP 382
https://original.jupiterbroadcasting.net/127026/domestic-disappointments-techsnap-382/
Fri, 07 Sep 2018 06:15:23 +0000
Show Notes: techsnap.systems/382

Neutral Nets | TechSNAP 346
https://original.jupiterbroadcasting.net/120031/neutral-nets-techsnap-346/
Mon, 20 Nov 2017 17:55:56 +0000

Show Notes:

Net Neutrality – mail your Congressional Reps and Senators & state governor – do not email or fax them. Put it in the mail.

Security Alerts from GitHub

  • Define dependencies in one of the supported manifest file types, like package.json or Gemfile.

  • Similar to the FreeBSD VuXML database, which uses the dependencies already listed in each FreeBSD port.

There are over a billion outdated Android devices in use

  • It’s common knowledge that Android devices tend to be more out of date than iOS devices, but what does this actually mean?

  • People sometimes compare Android to Windows XP because there are a large number of both in the wild and in both cases, most devices will not get security updates. However, this is tremendously unfair to Windows XP, which was released on 10/2001 and got security updates until 4/2014, twelve and a half years later.

  • Another difference between Android and Windows is that Android’s scale is unprecedented in the desktop world. There were roughly 200 million PCs sold in 2017. Samsung alone has been selling that many mobile devices per year since 2008.

  • If we look at the newest Android release (8.0, 8/2017), it looks like you’re quite lucky if you have a two year old device that will get the latest update. The oldest “Google” phone supported is the Nexus 6P (9/2015), giving it just under two years of support.

  • But even with the data we have, we can take a guess at how many outdated devices are in use. In May 2017, Google announced that there are over two billion active Android devices. If we look at the latest stats (the far right edge), we can see that nearly half of these devices are two years out of date. At this point, we should expect that there are more than one billion devices that are two years out of date! Given Android’s update model, we should expect approximately 0% of those devices to ever get updated to a modern version of Android.

  • Project Treble

Flight rules for git

A guide for astronauts (now, programmers using git) about what to do when things go wrong.

  • Flight Rules are the hard-earned body of knowledge recorded in manuals that list, step-by-step, what to do if X occurs, and why. Essentially, they are extremely detailed, scenario-specific standard operating procedures. […]

  • NASA has been capturing our missteps, disasters and solutions since the early 1960s, when Mercury-era ground teams first started gathering “lessons learned” into a compendium that now lists thousands of problematic situations, from engine failure to busted hatch handles to computer glitches, and their solutions.

  • What did I just commit?

  • I wrote the wrong thing in a commit message

  • I committed with the wrong name and email configured

  • I want to remove a file from a commit


Feedback


Round Up:

State Sponsored Audiophiles | TechSNAP 307
https://original.jupiterbroadcasting.net/107016/state-sponsored-audiophiles-techsnap-307/
Tue, 21 Feb 2017 21:41:43 +0000

Show Notes:

Trend Micro’s Own Cybersecurity Blog Gets Hacked

  • We covered the WordPress bug in TechSNAP 306
  • See also: Security Firm Trend Micro’s Blog Falls Victim To Content Spoofing Attack (https://www.silicon.co.uk/security/trendmicro-blog-security-205197)
  • and WordPress Quietly Fixes Zero-Day Flaw Tom
  • WordPress was alerted to the flaw on 20 January
  • WordPress officially released WordPress 4.7.2 to the world on Thursday 26 January.
    • “The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”
  • Dan confirms the above upgrade timeline; his WordPress sites were updated on 26 January, between 2:30 and 3:30 EST
  • Researcher’s Feb 1 blog post with details
  • WordPress’ Feb 1 10:59 AM blog post
  • NOTE: Virally growing attacks on unpatched WordPress sites affect ~2m pages
  • Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours
  • Google trend chart

Hackers who took control of PC microphones siphon >600 GB from 70 targets

  • Real information in the blog post
  • Suggestions: put such devices on their own VLAN, but I’m not sure how their connections work
  • Large-scale ~= 70 organisations
  • Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

Feedback


Round Up:


Certified Package Delivery | BSD Now 33
https://original.jupiterbroadcasting.net/55382/certified-package-delivery-bsd-now-33/
Thu, 17 Apr 2014 18:59:10 +0000

We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There’s a boatload of news and we’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

Show Notes:

Headlines

BSDCan schedule, speakers and talks

  • This year’s BSDCan will kick off on May 14th in Ottawa
  • The list of speakers is also out
  • And finally the talks everyone’s looking forward to
  • Lots of great tutorials and talks, spanning a wide range of topics of interest
  • Be sure to come by so you can meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

  • The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
  • Jeff Rizzo’s talk, “Releasing NetBSD: So Many Targets, So Little Time”
  • Dru Lavigne’s talk, “ZFS Management Tools in FreeNAS and PC-BSD”
  • Scott Long’s talk, “Serving one third of the Internet via FreeBSD”
  • Michael W. Lucas’ talk, “BSD Breaking Barriers”

FreeBSD Journal, issue 2

  • The bi-monthly FreeBSD Journal’s second issue is out
  • Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
  • In less than two months, they’ve already gotten over 1000 subscribers! It’s available on Google Play, iTunes, Amazon, etc.
  • “We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD”
  • Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

  • We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
  • There’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
  • We finally have a timeline of events
  • Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
  • pfSense released a new version to fix it
  • OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
  • Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
  • A nice quote from one of the OpenBSD lists: “Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL’s bug tracker is only used to park bugs, not fix them”
  • Sounds like someone else was having fun with the bug for a while too
  • There’s also another OpenSSL bug, possibly worse, that OpenBSD patched – it allows an attacker to inject data from one connection into another
  • OpenBSD has also imported the most current version of OpenSSL and is ripping it apart from the inside out – we’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams


Tutorial

Building OpenBSD binary packages in bulk


News Roundup

Portable signify

  • Back in episode 23 we talked with Ted Unangst about the new “signify” tool in OpenBSD
  • Now there’s a (completely unofficial) portable version of it on GitHub
  • If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
  • Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

  • The OpenBSD foundation has reached their 2014 goal of $150,000
  • You can check their activities and goals to see where the money is going
  • Remember that funding also goes to OpenSSH, which EVERY system uses and relies on every day to protect their data
  • The FreeBSD foundation has kicked off their spring fundraising campaign
  • There’s also a list of their activities and goals available to read through
  • Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

  • New PBI runtime that fixes stability issues and decreases load times
  • “Update Center” is getting a lot of development and improvements
  • Lots of misc. bug fixes and updates

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv – there’s a couple of new ones on the site now that we’ll be covering in future episodes
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • Also if you have any tutorial requests, we’d be glad to show whatever the viewers want to see
  • If you’re in or around Colorado in the US, there’s a brand new BSD users group that was just formed and announced – they’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Not so Private Keys | TechSNAP 72
https://original.jupiterbroadcasting.net/23581/not-so-private-keys-techsnap-72/
Thu, 23 Aug 2012 16:33:58 +0000

How a Man in the Browser attack could expose an airport VPN, RuggedCom’s messed up the very fundamentals again, and the big update from Adobe.

Plus – Running Linux in a FreeBSD Jail, virtual networking basics, and a great batch of your questions.

All that and more, in this week’s TechSNAP!

Show Notes:

Man in the Browser attack used against Airport employees to gain credentials for VPN

  • In what appears to be a highly targeted attack, some airport employees had their machines infected with Man-in-the-Browser malware
  • This allowed the attackers to use form-grabbing and screen capturing to steal the airport employees’ login credentials for the airport VPN
  • The attack also compromised the single-channel mode of the airport’s two-factor authentication system, in which an image was displayed and used by the user to transform their password into a temporary one-time code. Because this one-time code is based on the password, an attacker who is able to capture a number of these (the image and the response) can calculate what the original static password was
  • A more secure two-channel mode sends a one-time code via SMS or a mobile application, but apparently was not used by many airport employees
  • It is unclear what type of VPN this was, or why the VPN involves logging in via a browser (layer 7), rather than the more typical layer 2 or 3 type of VPN
  • It is not known what the attackers were after, but with access to the internal airport network, they may have been able to gain information on employees, the hiring process (to get their own people employed at the airport), or the ability to flag specific luggage, cargo or persons so that they are not subjected to normal security screenings
  • Additional Coverage

Adobe releases Flash 11.4, critical update to fix 6 security vulnerabilities


Hard coded SSL Keys in RuggedCom Switches

  • RuggedCom and its Rugged OS have made headlines again with a massive security flaw
  • The rugged devices are used in many very sensitive installations, including military bases, train switches, power distribution systems, and traffic signals
  • The systems are designed to be rugged, insofar as standing up to harsh climate conditions; however, it appears that many of these devices have been connected to the internet to allow for remote management, and the security of these systems has again been compromised
  • In this case, the RuggedCom devices use a hardcoded SSL private key, meaning that the secret used to decrypt the data sent from the user to the device can be known by anyone who has ever had access to such a device, or has otherwise gotten access to the key (I am sure it has been posted online somewhere by now)
  • SSL uses PKI and asymmetric encryption, meaning there is one key to encrypt data (the public key, published as part of the SSL certificate), and a private key, used to decrypt information encrypted with the public key
  • It seems that all RuggedCom devices use the SAME SSL key. This is such a large security fiasco as to defy classification. In order for this to have happened, every single person involved with the RuggedCom OS must have entirely lacked any understanding of how SSL works
  • The researcher who discovered the vulnerability (Justin W. Clarke, who also discovered the previous vulnerability) was able to get the SSL key from various RuggedCom devices he bought on eBay, and discovered that the key on each device was the same
  • In addition to being able to decrypt the communications between users and the device in order to get the login credentials or other sensitive information, an attacker with access to the SSL private key could also send modified responses from the device, making it appear to be normal, or even alter the responses from the device such that they compromise the computer of the administrator who is accessing the RuggedCom device, with something like one of the Flash exploits mentioned earlier in the show
  • ICS-CERT is recommending that all RuggedCom devices be isolated from the internet, and only accessed over VPNs to reduce the risk of an attack being able to decrypt the SSL session
  • Why any of these devices were connected directly to the public Internet in the first place boggles the mind
  • Additional Coverage
  • Additional Coverage
  • Coverage on Previous Flaw
  • TechSNAP 55 – Obscurity is not Security

New financial malware demonstrates an interesting new feature: it blocks users from accessing their bank account after it is compromised, with a friendly error message

  • Normally, a man-in-the-browser or keylogger style malware that targets your banking credentials would steal them and send them to the fraudster, who would use them to gain access to your bank account
  • In a later iteration, the MitB attacks would prompt you for the answers to your secret questions
  • This level of MitB attack was confounded by two-factor authentication, because once the user entered the short-lived PIN, it was no longer useful, so the key-logged information did not allow the fraudster to gain access to the account
  • This newest version of the attack now stops your browser from actually communicating with the bank at all
  • When you go to the bank’s site in your browser and enter your username, password and the one-time PIN, the form details are taken by the malware, and the fraudster then uses them from his computer and drains your bank account; meanwhile you are given a friendly error message informing you that the bank’s website is down for a short maintenance and will be back later
  • The reason for this is the bank’s fraud-screening system
  • The bank’s automated defense systems monitor where you log in to your online banking from, and if you log in from two very distant locations within such a short amount of time that it is not possible for you to have traveled that far, it flags your account as possibly compromised
  • By preventing the legitimate user from accessing their account, the malware prevents this alarm from being tripped, giving the fraudster more time to drain the account before being detected

Feedback:


FreeBSD has a ‘linux compatibility layer’, a kernel module called the Linuxulator, that basically translates system calls from Linux to BSD. If you install the basic libraries from CentOS into /usr/local/compat under BSD (there are packages that do this for you), you can run compiled Linux binaries on FreeBSD. The target of this system is commercial Linux applications, like game servers, scientific software and all kinds of not-open-source stuff.

If you create a jail (a second copy of the OS installed in a chroot, which uses the host OS’s kernel), and your FreeBSD kernel has the linux module loaded, then you could install CentOS in the jail chroot instead of FreeBSD, and have CentOS boot (with its boot scripts etc). It would be CentOS, except with a FreeBSD kernel (although CentOS will think it is using a Linux kernel). All of the system binaries, and the package binaries, would run through the translation layer (there is no real performance penalty for this; some apps even run faster under FreeBSD).

If you google for it, there are some how-tos on running Linux in a FreeBSD jail. For some commercial software like Adobe Flash Media Server, which only wants to run on CentOS (it doesn’t even like to run on other Linux distros, let alone BSD), this can provide an easy out.

Apparently PC-BSD’s new ‘Warden’ jail management GUI includes the option to deploy a Linux jail automatically, but I have not tried it yet


What I wish the new hires “knew”

Round-Up:
