exploit – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Linux Action News 219
https://original.jupiterbroadcasting.net/146967/linux-action-news-219/
Sun, 12 Dec 2021 19:00:00 +0000

Show Notes: linuxactionnews.com/219

The post Linux Action News 219 first appeared on Jupiter Broadcasting.

What Makes a Linux User? | LINUX Unplugged 423
https://original.jupiterbroadcasting.net/146147/what-makes-a-linux-user-linux-unplugged-423/
Tue, 14 Sep 2021 17:00:00 +0000

Show Notes: linuxunplugged.com/423

The post What Makes a Linux User? | LINUX Unplugged 423 first appeared on Jupiter Broadcasting.

Spy Tapes | TechSNAP 340
https://original.jupiterbroadcasting.net/119041/spy-tapes-techsnap-340/
Thu, 12 Oct 2017 16:33:13 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

The Ethics of Running a Data Breach Search Service

Is the NSA Doing More Harm Than Good in Not Disclosing Exploits?

Post a boarding pass on Facebook, get your account stolen

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets


Feedback


Round Up:

The post Spy Tapes | TechSNAP 340 first appeared on Jupiter Broadcasting.

DNS Mastery | TechSNAP 324
https://original.jupiterbroadcasting.net/115931/dns-mastery-techsnap-324/
Tue, 20 Jun 2017 22:03:26 +0000

Show Notes:

“Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes

  • affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64
  • The original blog post
  • The official advisory
  • The following is not […]

The RNC Files: Inside the Largest US Voter Data Leak

  • misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC)

  • names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.

  • exposing the personal information of over sixty-one percent of the entire US population

Dan’s DNS setup

  • DNS can be thought of as a phone book
  • Once ran a single DNS server at home
  • Had both internal (non public) and public hosts in the same zone file
  • Moved internal hosts to .int subdomain
  • had master/slave in public, but went to svn later
  • Held zone files in svn, published them directly to servers
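Dan's setup above splits internal hosts out of the public zone and publishes zone files straight from version control. The check below is an added example in that spirit, not Dan's own scripts: it assumes a simplified zone file (one record per line, the owner name present on every line, a single-line SOA), and refuses to publish when the SOA serial has not been bumped or when an RFC 1918, ULA, loopback or link-local address is still sitting in the zone that is about to go public. The two zones and the function names (`parse_zone`, `check_publish`) are constructed for the example.

```python
"""Added example, not Dan's tooling: gate zone publication on two checks.
Assumes a simplified zone file: one record per line, owner name on every
line, a single-line SOA. Comments (;) and $TTL/$ORIGIN lines are skipped."""
import ipaddress

# Address ranges that have no business in a zone served to the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10")]                # IPv6 ULA, loopback, link-local


def parse_zone(text):
    """Return (soa_serial, [(owner, ip_address), ...]) for A/AAAA records."""
    serial = None
    addresses = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner, rtype, rdata = tokens[0], tokens[i + 1], tokens[i + 2:]
        if rtype == "SOA":
            serial = int(rdata[2])                  # mname rname serial ...
        elif rtype in ("A", "AAAA"):
            addresses.append((owner, ipaddress.ip_address(rdata[0])))
    return serial, addresses


def is_internal(ip):
    """True for an address that must never appear in the public zone."""
    return any(ip in net for net in INTERNAL_NETS)


def check_publish(old_zone, new_zone):
    """Problems that should block pushing new_zone to the public servers."""
    problems = []
    old_serial, _ = parse_zone(old_zone)
    new_serial, records = parse_zone(new_zone)
    if new_serial is None:
        problems.append("no SOA record in new zone")
    elif old_serial is not None and new_serial <= old_serial:
        problems.append("SOA serial %d not bumped past %d" % (new_serial, old_serial))
    for owner, ip in records:
        if is_internal(ip):
            problems.append("internal address in public zone: %s %s" % (owner, ip))
    return problems


# Constructed zones: the 'before' mixes an internal host into the public
# zone, as the original single-zone setup did; the 'after' has moved it out.
OLD_ZONE = """\
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. 2017062001 3600 900 604800 86400
@       IN NS  ns1.example.com.
ns1     IN A   203.0.113.10
www     IN A   203.0.113.20
nas     IN A   10.0.0.5          ; internal host in the public zone
"""
NEW_ZONE = """\
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. 2017062002 3600 900 604800 86400
@       IN NS  ns1.example.com.
ns1     IN A   203.0.113.10
www     IN A   203.0.113.20
"""
```

Run `check_publish(previous_zone_text, candidate_zone_text)` from a pre-commit or publish hook and refuse the push when it returns anything; the same hook is the natural place to stop a zone with a stale serial reaching the slaves.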

Feedback


Round Up:


The post DNS Mastery | TechSNAP 324 first appeared on Jupiter Broadcasting.

Gambling with Code | TechSNAP 305
https://original.jupiterbroadcasting.net/106721/gambling-with-code-techsnap-305/
Tue, 07 Feb 2017 23:31:28 +0000

Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

  • In this case, it was the accountants who noticed something was wrong.

  • What? No centralised real-time monitoring?

  • In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

  • Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

  • He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

  • On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

  • By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

  • Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the suspect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

  • By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

  • Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

  • But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

  • Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

  • On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

  • The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

  • The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

  • So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.
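The article's point that knowing the "secret arithmetic" plus a run of observed outputs lets an attacker predict a PRNG is easiest to see on the textbook generator. What follows is an added example, not code from the WIRED piece and not the algorithm in any Aristocrat or Novomatic machine (the page does not describe their generators): a linear congruential generator standing in for "the machine's side", and a routine that recovers its hidden multiplier and increment from a few consecutive outputs and then predicts the rest. The modulus is assumed known, as it would be once the firmware has been reverse-engineered; `lcg_stream`, `recover_lcg` and `predict_next` are names chosen here.

```python
"""Added example, not code from any slot machine or from the WIRED article:
recover a linear congruential generator's hidden parameters from observed
outputs, then predict future outputs. Assumes the modulus is known (for
example, learned from the firmware) while a, c and the seed are not."""
M = 2 ** 31   # assumed known modulus


def lcg_stream(seed, a, c, n, m=M):
    """The machine's side: x_{i+1} = (a*x_i + c) mod m, returning n outputs."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg(outputs, m=M):
    """The attacker's side. From three consecutive outputs,
       x2 - x1 = a*(x1 - x0) (mod m)  =>  a = (x2 - x1) * (x1 - x0)^-1 (mod m)
       c = x1 - a*x0 (mod m).
    Returns (a, c), or None if no window gives an invertible difference or
    the candidate fails to reproduce every later observation."""
    for i in range(len(outputs) - 2):
        x0, x1, x2 = outputs[i:i + 3]
        d = (x1 - x0) % m
        try:
            inv = pow(d, -1, m)          # ValueError when gcd(d, m) != 1
        except ValueError:
            continue
        a = ((x2 - x1) * inv) % m
        c = (x1 - a * x0) % m
        # Never trust a candidate until it explains the whole observed run.
        if all((a * outputs[j] + c) % m == outputs[j + 1]
               for j in range(len(outputs) - 1)):
            return a, c
    return None


def predict_next(outputs, k, m=M):
    """Predict the next k outputs from an observed run, or None if the
    generator could not be recovered from it."""
    params = recover_lcg(outputs, m)
    if params is None:
        return None
    a, c = params
    preds, x = [], outputs[-1]
    for _ in range(k):
        x = (a * x + c) % m
        preds.append(x)
    return preds
```

Five observed outputs are enough here; the verification loop in `recover_lcg` is what separates a real recovery from a coincidence, and it is also why the operatives in the story had to record a run of spins before the phone could tell them when to press. Real machines add clock-derived inputs and, on newer models, encrypt the state, which is exactly the difference the article is describing.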

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

  • This came to our attention from Shawn
  • For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewall, and generally stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The long-standing issue is updates. When vulnerabilities are found, the code needs to be patched. With these devices that can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks it isn’t so much of an issue, if the updates are made available to us.
  • We patch our own systems already; patching the firmware on a device, we can do that too.
  • The vast majority of router users are unaware that they require an update. The devices sit there, exposed, and sometimes they are found. When they are found to have a vulnerability, they can become part of a botnet, a huge collection of devices ready to do the bidding of those with ill intent. These botnets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
  • This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

  • This also came from Shawn

  • Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

  • On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

  • Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

  • That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

  • So some solace there for users because not all is lost. But the document concludes with the following:

  • So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

  • The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

    • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

    • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

    • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

    • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

    • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

    • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

    • Our backups to S3 apparently don’t work either: the bucket is empty

  • Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

  • See also GitLab.com Database Incident

  • see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

  • example of why making sure your backup solution is solid as hell is extremely important

  • The guy is completely honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

  • For context, Myth-Weavers is a website that handles things like the creation, management and sharing of D&D (and other tabletop RPG) character sheets online ( https://www.myth-weavers.com/sheetindex.php ); they lost about 6 months of data.

  • Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

  • The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

  • Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

  • Not exactly mission-critical data, but still very important data for the audience they cater to. Handcrafted, imagination-related kind of stuff.

  • This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

  • Dataloss at GitLab

  • Thoughts On Gitlab Data Incident

  • Blameless PostMortems and a Just Culture
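The checks the postmortem above says were missing (dumps only a few bytes in size, pg_dump failing silently, nobody told) and the hosts' point that automation has to notify you when something isn't right can be expressed as one small verification step run after every backup. The code below is an added example, not GitLab's tooling: it treats a compressed SQL dump as a byte string plus an age, fails it when it is too small, too old, not a valid gzip stream, or missing content a real dump must contain, and returns the reasons so the job can alert on them. The thresholds, the function names and the two sample dumps are constructed for the example.

```python
"""Added example, not GitLab's backup scripts: verify a dump after taking
it, so that 'files only a few bytes in size' and silent pg_dump failures
fail loudly. A dump is a gzip-compressed SQL stream; the samples are
constructed here."""
import gzip
import hashlib
import os
import time
import zlib


def check_dump(data, age_seconds, min_bytes=1024, max_age=24 * 3600,
               must_contain=(b"CREATE TABLE",)):
    """Return a list of problems with one dump; an empty list is a pass.
    Thresholds are assumptions to tune per database."""
    problems = []
    if len(data) < min_bytes:
        problems.append("too small: %d bytes" % len(data))
    if age_seconds > max_age:
        problems.append("stale: %.0f s old" % age_seconds)
    try:
        plain = gzip.decompress(data)
    except (OSError, EOFError, zlib.error) as exc:
        problems.append("not a valid gzip stream: %s" % exc)
        return problems
    for needle in must_contain:
        if needle not in plain:
            problems.append("missing expected content %r" % needle)
    return problems


def verify_backup_file(path, **thresholds):
    """File-level wrapper: size and mtime come from the filesystem."""
    if not os.path.exists(path):
        return ["missing: %s" % path]
    with open(path, "rb") as fh:
        data = fh.read()
    return check_dump(data, time.time() - os.path.getmtime(path), **thresholds)


def sample_good_dump():
    """Constructed stand-in for 'pg_dump | gzip' output with real rows."""
    rows = b"".join(
        b"INSERT INTO issues VALUES (%d, '%s');\n"
        % (i, hashlib.sha256(b"row%d" % i).hexdigest().encode())
        for i in range(200))
    header = b"-- PostgreSQL database dump\nCREATE TABLE issues (id int, title text);\n"
    return gzip.compress(header + rows)


def sample_failed_dump():
    """Constructed stand-in for the silent failure: gzip of nothing, which
    is what a pg_dump that exited early and was piped to gzip leaves behind."""
    return gzip.compress(b"")
```

Wire `verify_backup_file` into the backup job itself, after the dump and again after the copy to remote storage (an empty bucket is just a list of missing files), and page on a non-empty result; a check that only logs is the same as no check.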


Feedback:


Round Up:


The post Gambling with Code | TechSNAP 305 first appeared on Jupiter Broadcasting.

Fancy Bear Misfire.apk | TechSNAP 299
https://original.jupiterbroadcasting.net/105816/fancy-bear-misfire-apk-techsnap-299/
Thu, 29 Dec 2016 18:41:47 +0000

Show Notes:

Patch Your Sh** T-Shirt

  • TechSNAP is about to reach episode 300 so before Chris and Allan hand over the show to Wes & Dan we have a round of PATCH YOUR SH** swag to get out! Be sure to check out the tote bag and the sticker too!

Exploit in PHPMailer puts almost every PHP CMS at risk

  • “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily.”
  • “Probably the world’s most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more”
  • “An independent researcher uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.”
  • “To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
  • “A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application.”
  • When the mailer calls the system’s sendmail binary to send the email, it can pass additional parameters to sendmail, such as -f to set the envelope sender (the “from” address).
  • Proper input validation was not performed on this input. Instead of restricting it to what is safe to pass through the shell, the input was validated as an email address per RFC 3696, which allows quoted local parts containing spaces and escaped quotes.
  • So if the attacker fills out the form such that their email address is:
    "attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com
  • this will actually execute:
    • Arg no. 0 == [/usr/sbin/sendmail]
    • Arg no. 1 == [-t]
    • Arg no. 2 == [-i]
    • Arg no. 3 == [-fattacker\]
    • Arg no. 4 == [-oQ/tmp/]
    • Arg no. 5 == [-X/var/www/cache/phpcode.php]
    • Arg no. 6 == [some"@email.com]
  • -oQ points sendmail at a queue directory it can write to and -X makes it log the whole transaction to a file. So if the attacker can also place PHP code in the body of the message, that log, phpcode.php, will contain it under the web root, where it can then be requested through the web server and executed.
  • “The vulnerability was responsibly disclosed to PHPMailer vendor. The vendor released a critical security release of PHPMailer 5.2.18 to fix the issue as notified”
  • “UPDATE: The author of this advisory published a bypass of the current solution/fix which makes the PHPMailer vulnerable again in versions <5.2.20”
  • There was also a similar vulnerability found in SwiftMailer, another widely used PHP mail library
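To see why an address that passes an RFC 3696-style check is still unsafe as a shell argument, here is an added example that reproduces the split above; it is not PHPMailer's code. `shlex.split` stands in for /bin/sh, and `php_escapeshellcmd` is a port of the escaping PHP's mail() applies to the extra parameters (metacharacters get a backslash, paired quotes are left alone), which is what the `\"` in the payload relies on. The hardened variant is the editor's, not the 5.2.18 or 5.2.20 fix: it accepts only a plain dot-atom address (a conservative assumption; it will reject some legal addresses) and builds argv as a list so no shell ever sees the sender.

```python
"""Added example, not PHPMailer's code: show how an address that passes an
RFC 3696-style check turns into extra sendmail arguments once it goes
through the shell. shlex.split stands in for /bin/sh; php_escapeshellcmd
is a port of the escaping PHP's mail() applies, which the '\\"' trick in
the payload relies on. The hardened variant is the editor's, not the
5.2.18/5.2.20 fix."""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"
SHELL_META = set("&#;`|*?~<>^()[]{}$\\\n\xff")

# Loose check in the spirit of RFC 3696: quoted local parts may contain
# spaces and escaped quotes.
RFC_LOOSE = re.compile(r'^("(?:[^"\\]|\\.)*"|[A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
# Conservative check for the hardened path: plain dot-atom only (assumption).
STRICT = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

# The address from the advisory, as quoted above (one real backslash).
PAYLOAD = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'


def php_escapeshellcmd(s):
    """Port of escapeshellcmd(): backslash shell metacharacters, but leave
    quotes alone when they come in pairs (the first of a pair is matched
    with the next quote of the same kind; a lone quote is escaped)."""
    out = []
    pending = None                       # quote character awaiting its partner
    for i, ch in enumerate(s):
        if ch in SHELL_META:
            out.append("\\" + ch)
        elif ch in "\"'":
            if pending is None and ch in s[i + 1:]:
                pending = ch             # opening quote with a partner later on
                out.append(ch)
            elif pending == ch:
                pending = None           # the partner: also left unescaped
                out.append(ch)
            else:
                out.append("\\" + ch)    # lone quote: escaped
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_argv(sender):
    """What the mailer effectively did: accept the address, format
    '-f<sender>' into a command line, and let the shell re-tokenise it."""
    if not RFC_LOOSE.match(sender):
        raise ValueError("not an address: %r" % sender)
    command = "%s -t -i -f%s" % (SENDMAIL, php_escapeshellcmd(sender))
    return shlex.split(command)


def hardened_argv(sender):
    """Reject anything outside a plain dot-atom address and build argv as a
    list, so no shell ever sees the sender."""
    if not STRICT.match(sender):
        raise ValueError("sender rejected: %r" % sender)
    return [SENDMAIL, "-t", "-i", "-f" + sender]


def hardened_accepts(sender):
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        hardened_argv(sender)
        return True
    except ValueError:
        return False
```

`vulnerable_argv(PAYLOAD)` reproduces the seven-element argv listed above, trailing backslash on `-fattacker\` included; `hardened_argv(PAYLOAD)` refuses it, and a normal address produces the same four-element argv on both paths. The shape of the fix matters more than the regex: pass the sender as a separate argv element and the quoting question disappears, which is also why the 5.2.18 fix that kept the string-and-shell design could be bypassed.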

Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units

  • “From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk”
  • “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military”
  • “Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them”
  • “Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal”
  • “This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine”
  • “The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia”
  • “The original application central to this discussion, Попр-Д30.apk, was initially developed domestically within Ukraine by a member of the 55th Artillery Brigade. Based on the file creation timestamps as well as the app signing process, which occurred on 28 March 2013, CrowdStrike has determined that the app was developed sometime between 20 February and 13 April 2013.”
  • Distributed on a forum, and popularized via social media under a name that translates to “Correction-D30”, described as “Modern combat software”
  • “As an additional control measure, the program was only activated for
    use after the developer was contacted and issued a code to the individual
    downloading the application”
  • “At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces. Based on open source reporting, social media posts, and video evidence, CrowdStrike assesses that Попр-Д30.apk was potentially used through 2016 by at least one artillery unit operating in eastern Ukraine”
  • “The use of the X-Agent implant in the original Попр-Д30.apk application appears to be the first observed case of FANCY BEAR malware developed for the Android mobile platform. On 21 December 2014 the malicious variant of the Android application was first observed in limited public distribution on a Russian language, Ukrainian military forum.”
  • “The creation of an application that targets some of the front line forces pivotal in Ukrainian defense on the eastern front would likely be a high priority for Russian adversary malware developers seeking to turn the tide of the conflict in their favor”
  • “Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces.”
  • “The X-Agent Android variant does not exhibit a destructive function and does not interfere with the function of the original Попр-Д30.apk application. Therefore, CrowdStrike Intelligence has assessed that the likely role of this malware is strategic in nature. The capability of the malware includes gaining access to contacts, Short Message Service (SMS) text messages, call logs, and internet data, and FANCY BEAR would likely leverage this information for its intelligence and planning value.”
  • “CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting”
  • The Evidence to Prove the Russian Hack

Bigger than Mirai? New Leet botnet launches DDoS attacks

  • “Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet.”
  • “In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as “just as powerful as the most dangerous one to date”. The concern for 2017 is that “it’s about to get a lot worse”.”
  • “Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.”
  • “The attack itself took place on 21 December, but details of what happened are only just starting to come out. It targeted a number of IP addresses, and Imperva speculates that a single customer was not targeted because of an inability to resolve specific IP addresses due to the company’s proxies. One wave of the attack generated 650 Gbps of traffic — or more than 150 million packets per second.”
  • “Despite attempting to analyze the attack, Imperva has been unable to determine where it originated from, but the company notes that it used a combination of both small and large payloads to “clog network pipes and bring down network switches”. While the Mirai attacks worked by firing randomly generated strings of characters to generate traffic, in the case of Leet Botnet the malware was accessing local files and using scrambled versions of the compromised content as its payload. Imperva describes the attack as “a mishmash of pulverized system files from thousands upon thousands of compromised devices”. What’s the reason for using this particular method?”
  • “Besides painting a cool mental image, this attack method serves a practical purpose. Specifically, it makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets.”
  • “While in this instance Imperva was able to mitigate the attack, the company says that Leet Botnet is “a sign of things to come”. Brace yourself for a messy 2017…”
  • Technical Details
  • “The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network.”
  • “It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.”
  • “The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps)”
  • “Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.”
  • So, unlike the Mirai attacks, nothing could be learned about the attacking devices: both bursts came from spoofed source addresses, and the payloads were scrambled local files rather than random strings
  • The attack traffic was generated by two different SYN payloads:
  • Regular-sized SYN packets, ranging from 44 to 60 bytes in size
  • Abnormally large SYN packets, ranging from 799 to 936 bytes in size
  • “The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.”
  • Additional Coverage
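The two traits Imperva describes, "l33t" in the TCP options of the SYN packets and SYNs far larger than the usual 44 to 60 bytes, are exactly the kind of thing a sensor rule can key on. The code below is an added example, not Imperva's detection logic: it builds a few IPv4/TCP frames by hand (checksums left at zero, which is enough for parsing), extracts the TCP flags, options and payload, and reports which Leet indicators a frame shows. The 600-byte threshold and the function names are assumptions; the frames are constructed for the example.

```python
"""Added example, not Imperva's detection code: pick out SYN packets that
show the two Leet traits described above, 'l33t' in the TCP options and an
abnormally large SYN. The frames are constructed in-line; no checksums."""
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
BIG_SYN_BYTES = 600     # assumed threshold; normal SYNs in the attack were 44-60 bytes


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b"", payload=b""):
    """Constructed IPv4/TCP frame for the demo (checksums left at zero)."""
    opts = options + b"\x00" * (-len(options) % 4)     # pad to 32-bit words
    data_off = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_off << 4, flags, 65535, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, src, dst)
    return ip + tcp


def parse_tcp(frame):
    """Return (flags, options, payload_len) or None if not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[13], tcp[20:data_off], len(tcp) - data_off


def leet_indicators(frame, big_syn=BIG_SYN_BYTES):
    """Indicator names for one frame; an empty list means nothing Leet-like."""
    parsed = parse_tcp(frame)
    if parsed is None:
        return []
    flags, options, _ = parsed
    if not (flags & TCP_SYN) or flags & TCP_ACK:   # only connection-opening SYNs
        return []
    found = []
    if b"l33t" in options:
        found.append("l33t-options")
    if len(frame) >= big_syn:
        found.append("oversized-syn")
    return found


def scan(frames):
    """Tally indicators across a capture, the way a sensor rule would."""
    counts = {"syn": 0, "l33t-options": 0, "oversized-syn": 0}
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[0] & TCP_SYN and not parsed[0] & TCP_ACK:
            counts["syn"] += 1
        for name in leet_indicators(frame):
            counts[name] += 1
    return counts
```

A plain SYN with an MSS option comes out at 44 bytes, the low end of what Imperva saw; a SYN carrying "l33t" plus 800 bytes of payload lands in the 799 to 936 byte band and trips both indicators. Note what this does not do: because the sources were spoofed, nothing here attributes the packets to a device, which is the point of the spoofing.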

Feedback:


Round Up:


The post Fancy Bear Misfire.apk | TechSNAP 299 first appeared on Jupiter Broadcasting.

Insecurity Appliance | TechSNAP 245
https://original.jupiterbroadcasting.net/91681/insecurity-appliance-techsnap-245/
Thu, 17 Dec 2015 19:45:41 +0000

The post Insecurity Appliance | TechSNAP 245 first appeared on Jupiter Broadcasting.


Meet BOOTRASH, the malware that executes before your OS does; the hard questions you need to ask when buying a security appliance; Project Zero finds flaws in FireEye hardware.

Plus some great audience questions, a big round up & much, much more!


— Show Notes: —

BOOTRASH malware executes before your OS does

  • “Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.”
  • The malware only works against MBR-formatted disks; if it detects GPT it simply exits
  • It backs up the original VBR (Volume Boot Record, the boot code at the start of the partition, which is called from the boot code installed in the MBR) to a different location on the disk
  • It finds some free space between partitions or at the end of the disk, and uses that to create its own tiny virtual file system to store the actual malware files
  • Additional files and resources are encoded into a registry hive, so they do not leave any files on the regular file system. Only the invisible virtual file system (not listed in the partition table, hiding in unused space) and some random-looking strings of encoded binary in the registry remain
  • “As previously discussed, during a normal boot process the MBR loads the VBR, which loads the operating system code. However, during the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software.”
  • “The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode. This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.”
  • So it dynamically replaces bits of kernel code with its own code, making it a very hard-to-detect rootkit, since it is injected before the kernel is loaded (hence the name, bootkit)
  • Researcher Blog
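A defender-side check for the two on-disk artefacts the write-up describes: a boot partition VBR that no longer matches a known-good hash, and data (including a relocated copy of the original VBR) sitting in sectors that no partition owns. This is an added example, not FireEye's or the malware's code; the 4096-sector disk image, its partition layout and the hash baseline are constructed here for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFF = 0x1BE      # offset of the four 16-byte partition entries in the MBR
BOOT_SIG = b"\x55\xAA"      # boot signature at bytes 510-511 of an MBR or VBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # first sector after the partition


def sector(disk, lba: int) -> bytes:
    return bytes(disk[lba * SECTOR:(lba + 1) * SECTOR])


def parse_mbr(mbr: bytes) -> list:
    """Decode the primary partition table; entries with type 0 or zero length are unused."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("sector 0 lacks the 55AA boot signature")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if type_id and count:
            parts.append(Partition(i, bool(status & 0x80), type_id, lba_start, count))
    return parts


def is_gpt(parts) -> bool:
    return any(p.type_id == 0xEE for p in parts)   # 0xEE = protective entry of a GPT disk


def unallocated_gaps(parts, total_sectors) -> list:
    """(start, length) of sector runs no partition owns: between partitions and after the last
    one. The run before the first partition is bootloader staging on most disks and is skipped."""
    ordered = sorted(parts, key=lambda p: p.lba_start)
    gaps = [(a.lba_end, b.lba_start - a.lba_end)
            for a, b in zip(ordered, ordered[1:]) if b.lba_start > a.lba_end]
    if ordered and total_sectors > ordered[-1].lba_end:
        gaps.append((ordered[-1].lba_end, total_sectors - ordered[-1].lba_end))
    return gaps


def audit(disk, baseline_vbr_sha256: str) -> dict:
    """Flag a modified boot-partition VBR and any data in unallocated space; a sector there that
    hashes to the original VBR is the backup the bootkit makes before overwriting the live one."""
    parts = parse_mbr(sector(disk, 0))
    report = {"gpt": is_gpt(parts), "vbr_modified": False, "gaps": [], "relocated_vbr_at": None}
    if report["gpt"]:
        return report        # BOOTRASH exits on GPT disks; this check is for MBR layouts only
    boot = next((p for p in parts if p.bootable), None)
    if boot is not None:
        report["vbr_modified"] = hashlib.sha256(sector(disk, boot.lba_start)).hexdigest() != baseline_vbr_sha256
    for start, length in unallocated_gaps(parts, len(disk) // SECTOR):
        nonzero = 0
        for lba in range(start, start + length):
            s = sector(disk, lba)
            if any(s):
                nonzero += 1
                if hashlib.sha256(s).hexdigest() == baseline_vbr_sha256:
                    report["relocated_vbr_at"] = lba
        report["gaps"].append({"start": start, "sectors": length, "nonzero_sectors": nonzero})
    return report


def build_sample_disk(infected: bool):
    """Constructed 4096-sector image (not a real capture); returns (image, sha256 of the clean VBR)."""
    img = bytearray(4096 * SECTOR)
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF, 0x80, 0x07, 64, 1000)         # bootable, LBA 64..1063
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF + 16, 0x00, 0x07, 1500, 2000)  # LBA 1500..3499
    img[510:512] = BOOT_SIG
    clean_vbr = (b"\xEB\x52\x90NTFS    ").ljust(510, b"\x00") + BOOT_SIG
    img[64 * SECTOR:65 * SECTOR] = clean_vbr
    if infected:
        # mimic the install sequence: back the real VBR up into the inter-partition gap,
        # drop a small "virtual file system" there too, then overwrite the live VBR
        img[1200 * SECTOR:1201 * SECTOR] = clean_vbr
        for lba in range(1100, 1108):
            img[lba * SECTOR:(lba + 1) * SECTOR] = b"\x7F" * SECTOR
        img[64 * SECTOR:65 * SECTOR] = (b"\xEB\x52\x90bootstrap placeholder").ljust(510, b"\x00") + BOOT_SIG
    return img, hashlib.sha256(clean_vbr).hexdigest()


if __name__ == "__main__":
    image, baseline = build_sample_disk(infected=True)
    print(audit(image, baseline))
```

Unallocated space that is merely non-zero is only a lead (old data is common there); a sector in a gap that hashes to your baseline VBR while the live VBR no longer does is the strong indicator.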

“A decisionmaker’s guide to buying security appliances and gateways”

  • “With the prevalence of targeted “APT-style” attacks and the business risks of data breaches reaching the board level, the market for “security appliances” is as hot as it has ever been. Many organisations feel the need to beef up their security – and vendors of security appliances offer a plethora of content-inspection / email-security / anti-APT appliances, along with glossy marketing brochures full of impressive-sounding claims.”
  • This article provides a bit of a guide to help you shop for an appliance that might actually be worth the number of zeros on the price tag
  • “Most security appliances are Linux-based, and use a rather large number of open-source libraries to parse the untrusted data stream which they are inspecting. These libraries, along with the proprietary code by the vendor, form the “attack surface” of the appliance, e.g. the code that is exposed to an outside attacker looking to attack the appliance. All security appliances require a privileged position on the network – a position where all or most incoming and outgoing traffic can be seen. This means that vulnerabilities within security appliances give an attacker a particularly privileged position – and implies that the security of the appliance itself is rather important.”
  • Five questions to ask the vendor of a security appliance
    • What third-party libraries interact directly with the incoming data, and what are the processes to react to security issues published in these libraries?
    • Are all these third-party libraries sandboxed in a sandbox that is recognized as industry-standard? The sandbox Google uses in Chrome and Adobe uses in Acrobat Reader is open-source and has undergone a lot of scrutiny, so have the isolation features of KVM and qemu. Are any third-party libraries running outside of a sandbox or an internal virtualization environment? If so, why, and what is the timeline to address this?
    • How much of the proprietary code which directly interacts with the incoming data runs outside of a sandbox? To what extent has this code been security-reviewed?
    • Is the vendor willing to provide a hard disk image for a basic assessment by a third-party security consultancy? Misconfigured permissions that allow privilege escalation happen all-too often, so basic permissions lockdown should have happened on the appliance.
    • In the case of a breach in your company, what is the process through which your forensics team can acquire memory images and hard disk images from the appliance?
  • Not to mention, in the case of a breach at the vendor, what information could the attacker get about your appliance, your network, or your security? How are the trusted keys protected on the vendor’s network?
    • Bonus Question: Does the vendor publish hashes of the packages they install on the appliance so in case of a forensic investigation it is easy to verify that the attacker has not replaced some?
  • “A vendor that takes their product quality (and hence your data security) seriously will be able to answer these questions, and will be able to confidently state that all third-party parsers and a large fraction of their proprietary code runs sandboxed or virtualized, and that the configuration of the machine has been reasonably locked down – and will be willing to provide evidence for this (for example a disk image or virtual appliance along with permission to inspect).”
  • All of these are very good questions, and I happen to know one vendor who answered these questions in their recent BSDNow interview.

Project Zero finds flaws in FireEye security appliance

  • “FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks”
  • The device is connected to a SPAN, MONITOR, or MIRROR port, a feature of high-end switches that copies all traffic from a port or set of ports to another port
  • “The FireEye device then watches all network traffic passively, monitoring common protocols like HTTP, FTP, SMTP, etc, for any transferred files. If a file transfer is detected (for example, an email attachment or a HTTP download) the FireEye extracts the file and scans it for malware.”
  • If the device detects malware, it alerts the security team
  • The device can also be configured in an IPS (Intrusion Prevention System) mode, where it blocks such traffic
  • “For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough”
  • If you compromise one of these devices, you are basically sitting on a wiretap of the entire network. These devices are sometimes even installed behind devices that decrypt encrypted traffic, giving you even more access
  • “A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.”
  • “FireEye have issued a patch for this vulnerability, and customers who have not updated should do so immediately to protect their infrastructure.” Devices with security content release 427.334 and higher have this issue resolved
  • Q. How long did FireEye take to resolve this issue after it was reported?
  • A. FireEye responded very quickly, pushed out temporary mitigations to customers within hours of our report and resolved the issue completely within 2 days.
  • Q. Have FireEye supported your security research?
  • A. Yes, FireEye have been very cooperative. They worked with us closely, provided test equipment, support, and have responded very quickly to any issues we reported.
  • “Project Zero have been evaluating a FireEye NX 7500 appliance, and created a lab to generate sample traffic. The test environment consisted of a workstation with four network interfaces. Two interfaces were connected to a hub, which were used for simulating network traffic. The FireEye passive monitoring interface (called pether3) was connected to a third port on the hub (acting like a mirror port) so that it could observe traffic being exchanged between the two interfaces on the test machine. This simulates an intranet user receiving email or downloading files from the internet.”
  • “The main analyses performed by the FireEye appliance are monitoring for known malicious traffic (blacklisted netblocks, malware domains, snort rules, etc), static analysis of transferred files (antivirus, yara rules, and analysis scripts), and finally tracing the execution of transferred files in instrumented virtual machines. Once an execution trace has been generated, pattern matching against known-bad behaviour is performed.”
  • “The MIP (Malware Input Processor) subsystem is responsible for the static analysis of files, invoking helper programs and plugins to decode various file types. For example, the swf helper invokes flasm to disassemble flash files, the dmg helper invokes p7zip to extract the contents of Mac OS Disk Images and the png helper invokes pngcheck to check for malformed images. The jar helper is used to analyze captured Java Archives, which checks for signatures using jarsigner, then attempts to decompile the contents using an open source Java decompiler called JODE.”
  • The problem is that the JODE decompiler actually executes small bits of the Java code to try to deobfuscate it
  • “With some trial and error, we were eventually able to construct a class that JODE would execute, and used it to invoke java.lang.Runtime.getRuntime().exec(), which allows us to execute arbitrary shell commands. This worked during our testing, and we were able to execute commands just by transferring JAR files across the passive monitoring interfaces.”
  • So, just by emailing a .jar file to someone behind this device, the file would end up getting executed on the security appliance, running arbitrary shell commands
  • “As FireEye is shipped with ncat installed by default, creating a connect-back shell is as simple as specifying the command we want and the address of our control server.”
  • “We now have code execution as user mip, the Malware Input Processor. The mip user is already quite privileged, capable of accessing sensitive network data. However, there is a very simple privilege escalation to root”
  • “FireEye have requested additional time to prepare a fix for the privilege escalation component of this attack”
  • “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
  • “If you would like to read more from our series on attacks against security products, we have also published research into ESET, Kaspersky, Sophos, Avast and more, with further research scheduled for release soon.”

Straight from the Src | BSD Now 100 https://original.jupiterbroadcasting.net/85782/straight-from-the-src-bsd-now-100/ Thu, 30 Jul 2015 10:33:39 +0000 https://original.jupiterbroadcasting.net/?p=85782 We’ve finally reached a hundred episodes, and this week we’ll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere & he even runs a conference about it! Thanks to: Get Paid to Write for DigitalOcean Direct Download: Video | HD Video | MP3 Audio | OGG […]

The post Straight from the Src | BSD Now 100 first appeared on Jupiter Broadcasting.


We’ve finally reached a hundred episodes, and this week we’ll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere & he even runs a conference about it!


– Show Notes: –

Headlines

Remote DoS in the TCP stack

  • A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
  • While in the LAST_ACK state, which is one of the final stages of a connection’s lifetime, the connection can get stuck and hang there indefinitely
  • This problem has a slightly confusing history that involves different fixes at different points in time from different people
  • Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
  • On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
  • On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
  • Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
  • On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn’t include the first fix)
  • After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
  • NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven’t released a security notice yet
  • DragonFly is also investigating the issue now to see if they’re affected as well

c2k15 hackathon reports

  • Reports from OpenBSD’s latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
  • The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
  • He writes, “Did you ever look at a huge page in man, wanted to jump to the definition of a specific term – say, in ksh, to the definition of the “command” built-in command – and had to step through dozens of false positives with the less ‘/’ and ‘n’ search keys before you finally found the actual definition?”
  • With mandoc’s new internal jump targets, this is a problem of the past now
  • Jasper also sent in a report, doing his usual work with Puppet (and specifically “Facter,” a tool used by Puppet to gather various bits of system information)
  • Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an “-i” flag for sed (hooray!)
  • Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
  • It now has an “ls” subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this “the poor man’s service monitoring tool”)
  • He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
  • His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
  • Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
  • He cleaned up and committed the 4k sector softraid code that he’d been working on, as well as fixing some trackpad issues
  • Stefan Sperling, OpenBSD’s token “wireless guy,” had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
  • He taught tcpdump about some new things, including 802.11n metadata beacons (there’s a lot more specific detail about this one in the report)
  • Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
  • One quote from Stefan’s report that a lot of people seem to be talking about: “Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We’ll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year.”
  • Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
  • While he’s mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
  • Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
  • With Rafael’s diffs and help from a couple other developers, OpenBSD now has support for VPLS
  • Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
  • As he’s become somewhat known for, Jonathan was also busy running three things in the background: clang’s fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
  • Martin Pieuchot gave a write-up on his experience: “I always thought that hackathons were the best place to write code, but what’s even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that’s what I did.”
  • He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
  • Unfortunately, most of Martin’s secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
  • We’re still eagerly awaiting a report from one of OpenBSD’s newest developers, Alexandr Nedvedicky (the Oracle guy who’s working on SMP PF and some other PF fixes)
  • OpenBSD 5.8’s “beta” status was recently reverted, with the message “take that as a hint,” so that may mean more big changes are still to come…

FreeBSD quarterly status report

  • FreeBSD has published their quarterly status report for the months of April to June, noting that it is the largest one so far
  • It’s broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
  • Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just “svn.freebsd.org”) are now using GeoDNS with official SSL certs and general redundancy was increased
  • In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
  • The core team has been working on Phabricator, the fancy review system, and is considering integrating OAuth support soon
  • Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
  • The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64-bit support
  • Multipath TCP was also a hot topic, and there’s a brief summary of the current status on that patch (it will be available publicly soon)
  • ZFSguru, a project we haven’t talked about a lot, also gets some attention in the report – version 0.3 is set to be completed in early August
  • PCIe hotplug support is also mentioned, though it’s still in the development stages (basic hot-swap functions are working though)
  • The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
  • Various other small updates on specific areas of ports (KDE, XFCE, X11…) are also included in the report
  • Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
  • Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more

The OpenSSH bug that wasn’t

  • There’s been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
  • There’s no actual exploit to speak of; this bug would only help someone get more brute-force tries in with fewer connections
  • FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem – not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
  • If you disable all forms of authentication except public keys, like you’re supposed to, then this is also not a big deal for FreeBSD systems
  • Realistically speaking, it’s more of a PAM bug than anything else
  • OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update)

Interview – Sebastian Wiedenroth – wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon


News Roundup

Now served by OpenBSD

  • We’ve mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
  • The use case for the author was for a webserver, so he decided to try out the httpd in base
  • Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
  • TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server

FreeBSD laptop playbooks

  • A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named “freebsd-laptops”
  • It’s based on ansible, and uses the playbook format for automatic set up and configuration
  • Right now, it’s only working on a single Lenovo laptop, but the plan is to add instructions for many more models
  • Check the Github page for instructions on how to get started, and maybe get involved if you’re running FreeBSD on a laptop

NetBSD on the NVIDIA Jetson TK1

  • If you’ve never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
  • As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
  • This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
  • You can even run X11 on it, pretty sweet

DragonFly power management options

  • DragonFly developer Sepherosa, who we’ve had on the show, has been doing some ACPI work over there
  • In this email, he presents some of DragonFly’s different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
  • He also did some testing with each of them and gave his findings about power saving
  • If you’ve been thinking about running DragonFly on a laptop, this would be a good one to read

OpenBSD router under FreeBSD bhyve

  • If one BSD just isn’t enough for you, and you’ve only got one machine, why not run two at once
  • This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
  • If you’ve been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
  • The author also includes a little bit of history on how he got into both operating systems
  • There are lots of mixed opinions about virtualizing core network components, so we’ll leave it up to you to do your research
  • Of course, the next logical step is to put that bhyve host under Xen on NetBSD…

Feedback/Questions

  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re always looking for interviews – get in touch if you’re doing anything cool with BSD that you’d like to talk about (or want to suggest someone else)

Google’s Creepiness Controls | Tech Talk Today 177 https://original.jupiterbroadcasting.net/83122/googles-creepiness-controls-tech-talk-today-177/ Tue, 02 Jun 2015 10:26:18 +0000 https://original.jupiterbroadcasting.net/?p=83122 Thunderbolt 3 promises to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac Flaw & Google wants to kinda give you better privacy controls. Direct Download: MP3 Audio | OGG Audio | Video | […]

The post Google's Creepiness Controls | Tech Talk Today 177 first appeared on Jupiter Broadcasting.


Thunderbolt 3 promises to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac flaw & Google wants to kinda give you better privacy controls.


Show Notes:

RIP Nexus 5 | Tech Talk Today 144 https://original.jupiterbroadcasting.net/78747/rip-nexus-5-tech-talk-today-144/ Fri, 13 Mar 2015 11:05:28 +0000 https://original.jupiterbroadcasting.net/?p=78747 Some critical security news, then Microsoft expands Cortana, Apple is a little creepy, Google ends sales on the Nexus 5 & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed […]

The post RIP Nexus 5 | Tech Talk Today 144 first appeared on Jupiter Broadcasting.


Some critical security news, then Microsoft expands Cortana, Apple is a little creepy, Google ends sales on the Nexus 5 & much more!


Show Notes:

Adobe Flash Update Plugs 11 Security Holes — Krebs on Security

The newest, patched version is 17.0.0.134 for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.134.

Exclusive: Microsoft’s digital assistant to head to Android, Apple devices | Reuters

“This kind of technology, which can read and understand email, will play a central role in the next roll out of Cortana, which we are working on now for the fall time frame,” said Eric Horvitz, managing director of Microsoft Research and a part of the Einstein project, in an interview at the company’s Redmond, Washington, headquarters. Horvitz and Microsoft declined comment on any plan to take Cortana beyond Windows.

Epic Google snafu leaks hidden whois data for 280,000 domains | Ars Technica

The 282,867 domains counted by Cisco Systems’ researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom.

Tim Cook offered Steve Jobs his liver, and other revelations from new biography | Cult of Mac

After discovering that he shared a rare blood type with his sick colleague, and undergoing a battery of tests at a hospital “far from the Bay Area, since he didn’t want to be recognized,” Cook offered his liver to Jobs — only for Steve to turn it down.

Google is done selling the Nexus 5 | The Verge

A Google spokesperson told The Verge today that “while some inventory of Nexus 5 still exists (with our retail and carrier partners), our focus is on the Nexus 6 at this time.”

Just Add QEMU | BSD Now 79 https://original.jupiterbroadcasting.net/78347/just-add-qemu-bsd-now-79/ Thu, 05 Mar 2015 12:04:35 +0000 https://original.jupiterbroadcasting.net/?p=78347 Coming up this time on the show, we’ll be talking to Sean Bruno. He’s been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We’ve also got answers to viewer-submitted questions and all this week’s news, on BSD Now – the place to B.. SD. Thanks […]

The post Just Add QEMU | BSD Now 79 first appeared on Jupiter Broadcasting.


Coming up this time on the show, we’ll be talking to Sean Bruno. He’s been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We’ve also got answers to viewer-submitted questions and all this week’s news, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

AsiaBSDCon 2015 schedule

  • Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
  • This year’s conference will be between 12-15 March at the Tokyo University of Science in Japan
  • The first and second days are for tutorials, as well as the developer summit and vendor summit
  • Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
  • Not counting the ones that have yet to be revealed (as of the day we’re recording this), there will be thirty-six different talks in all – four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
  • Summaries of all the presentations are on the timetable page if you scroll down a bit

FreeBSD foundation updates and more

  • The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
  • It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
  • There’s a FOSDEM recap and another update of their fundraising goal for 2015
  • They also have two new blog posts: a trip report from SCALE13x and a featured “FreeBSD in the trenches” article about how a small typo caused a lot of ZFS chaos in the cluster
  • “Then panic ensued. The machine didn’t panic — I did.”

OpenBSD improves browser security

  • No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
  • Ted Unangst writes in to the OpenBSD misc list to introduce a new project he’s working on, simply titled “improving browser security”
  • He gives some background on the W^X memory protection in the base system, but also mentions that some applications in ports don’t adhere to it
  • For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine) needs to be fixed to use it
  • “A system that is ‘all W^X except where it’s not’ is the same as a system that’s not W^X. We’ve worked hard to provide a secure foundation for programs; we’d like to see them take advantage of it.”
  • The work is being supported by the OpenBSD foundation, and we’ll keep you updated on this undertaking as more news about it is released
  • There’s also some discussion on Hacker News and Undeadly about it

NetBSD at Open Source Conference 2015 Tokyo

  • The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
  • There’s even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
  • If you just can’t get enough strange devices running BSD, check the mailing list post for lots of pictures
  • Their next target is, as you might guess, AsiaBSDCon 2015 – maybe we’ll run into them


Interview – Sean Bruno – sbruno@freebsd.org / @franknbeans

Cross-compiling packages with poudriere and QEMU


News Roundup

The Crypto Bone

  • The Crypto Bone is a new device that’s aimed at making encryption and secure communications easier and more accessible
  • Under the hood, it’s actually just a Beaglebone board, running stock OpenBSD with a few extra packages
  • It includes a web interface for configuring keys and secure tunnels
  • The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there’s a technical overview of how everything works on their site
  • If you don’t want to teach your mom how to use PGP, buy her one of these(?)

BSD in the 2015 Google Summer of Code

  • For those who don’t know, GSoC is a way for students to get paid to work on a coding project for an open source organization
  • Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
  • FreeBSD has a wiki page of ideas for people to work on
  • OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
  • If you’re a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
  • Who knows, you may even end up on the show if you work on a cool project
  • GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you’d like to hack on

pfSense 2.3 roadmap

  • The pfSense team has posted a new blog entry, detailing some of their plans for future versions
  • PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
  • PBIs are scheduled to be replaced with native pkgng packages
  • Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
  • 3.0 will focus on having a REST API, and separating the GUI from the actual implementation of the configuration
  • The ultimate goal is to have pfSense be a package you can just install on top of a regular FreeBSD install

PCBSD 10.1.2 security features

  • PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
  • A new “personacrypt” utility is introduced, which allows for easy encryption and management of external drives for your home directory
  • Going along with this, it also has a “stealth mode” that allows for one-time temporary home directories (but it doesn’t self-destruct, don’t worry)
  • The LibreSSL integration also continues, and now packages will be built with it by default
  • If you’re using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
  • They’ve also been working on introducing some new options to enable tunneling your traffic through Tor
  • There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
  • A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
  • Look forward to Kris wearing a Tor shirt in future episodes

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Next week’s episode will be prerecorded since we’ll be at AsiaBSDCon in Tokyo
  • Be sure to say hello if you’re at the event – we’ve got at least two interviews confirmed already

Dude Where’s My Card? | TechSNAP 198 https://original.jupiterbroadcasting.net/76052/dude-wheres-my-card-techsnap-198/ Thu, 22 Jan 2015 21:16:58 +0000 https://original.jupiterbroadcasting.net/?p=76052 Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how. Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Dude Where's My Card? | TechSNAP 198 first appeared on Jupiter Broadcasting.


Adobe has a bad week, with exploits in the wild & no patch. We’ll share the details. Had your credit card stolen? We’ll tell you how.

Plus the harsh reality for IT departments, a great batch of questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

New flash zero day found being exploited in the wild, no patch yet

  • The new exploit is being used in some versions of the Angler exploit kit (the new top dog, replacing former champ blackhole)
  • The exploit kit currently uses three different flash exploits:
  • CVE-2014-8440 – which was added to the exploit kit only 9 days after being patched
  • CVE-2015-0310 – Which was patched today
  • and a 3rd new exploit, which is still being investigated
  • Most of these exploit kits rely on reverse engineering an exploit based on the patch or proof of concept, so the exploit kits only gain the ability to inflict damage on users after the patch is available
  • However, a 0 day where the exploit kit authors are the first to receive the details, means that even at this point, researchers and Adobe are not yet sure what the flaw is that is being exploited
  • Due to a bug in the Angler exploit kit, Firefox users were not affected, but as of this morning, the bug was fixed and the Angler kit is now exploiting Firefox users as well
  • Additional Coverage – Krebs On Security
  • Additional Coverage – PCWorld
  • Additional Coverage – Malware Bytes
  • Additional Coverage – ZDNet

How was your credit card stolen

  • Krebs posts a write up to answer the question he is asked most often: “My credit card was stolen, can you help me find out how”
  • Different ways to get your card stolen, and your chance of proving it:
  • Hacked main street merchant, restaurant (low, depends on card use)
  • Processor breach (nil)
  • Hacked point-of-sale service company/vendor (low)
  • Hacked E-commerce Merchant (nil to low)
  • ATM or Gas Pump Skimmer (high)
  • Crooked employee (nil to low)
  • Lost/Stolen card (high)
  • Malware on Consumer PC (very low)
  • Physical record theft (nil to low)
  • “I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”
  • Luckily, since most consumers enjoy zero liability, they do not have to worry about trying to track down the source of the fraud
  • With the coming change to Chip-and-Pin in the US, the liability for some types of fraud will shift from the banks to the retailers, which might see some changes to the way things are done
  • Banks have a vested interest in keeping the results of their investigations secret, whereas a retailer who is the victim of fraudulent cards may have some standing to go after the other vendor that was the source of the leak
  • Machine Learning for Fraud Detection

15% of business cloud accounts are hacked

  • Research by Netskope, a cloud analysis company, finds that only one in ten cloud apps are secure enough for enterprise use
  • In their survey, done using network probes, gateways, and other analysis techniques (rather than asking humans), they found that the average large enterprise uses over 600 cloud applications
  • Many of these applications were not designed for enterprise use, and lack features like 2 factor authentication, hierarchical access control, “group” features, etc
  • The report also found that 8% of files uploaded to cloud storage providers like Google Drive, Dropbox, Box.com etc, were in violation of the enterprises’ own Data Loss Prevention (DLP) policies.
  • The downloading numbers were worse: 25% of all company files in cloud providers were shared with 1 or more people from outside the company. 12% of outsiders had access to more than 100 files.
  • Part of the problem is that many “cloud apps” used in the enterprise are not approved, but just individual employees using personal accounts to share files or data
  • When the cloud apps are used that lack enterprise features that allow the IT and Security teams to oversee the accounts, or when IT doesn’t even know that an unapproved app is being used, there is no hope of them being able to properly manage and secure the data
  • Management of the account life cycle: password changes, password resets, employees who leave or are terminated, revoking access to contractors when their project is finished, etc, is key
  • If an employee just makes a Dropbox share, adds a few other employees, then adds an outside contractor that is working on a project, but accidentally shares all files instead of only specific project files, then fails to remove that person later on, data can leak.
  • When password resets are managed by the cloud provider, rather than the internal IT/Security team, it makes it possible for an attacker to more easily use social engineering to take over an account
  • Infographic
  • Report

Feedback:


Round Up:


The Daemon’s Apprentice | BSD Now 57 https://original.jupiterbroadcasting.net/68082/the-daemons-apprentice-bsd-now-57/ Thu, 02 Oct 2014 11:54:25 +0000 https://original.jupiterbroadcasting.net/?p=68082 We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place […]

The post The Daemon's Apprentice | BSD Now 57 first appeared on Jupiter Broadcasting.


We’re back from EuroBSDCon! This week we’ll be talking with Steve Wills about mentoring new BSD developers. If you’ve ever considered becoming a developer or helping out, it’s actually really easy to get involved. We’ve also got all the BSD news for the week and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

NetBSD at Hiroshima Open Source Conference

  • NetBSD developers are hard at work, putting NetBSD on everything they can find
  • At a technology conference in Hiroshima, some developers brought their exotic machines to put on display
  • As usual, there are lots of pictures and a nice report from the conference

FreeBSD’s Linux emulation ports rehaul

  • For a long time, FreeBSD’s emulation layer has been based on an ancient Fedora 10 system
  • If you’ve ever needed to install Adobe Flash on BSD, you’ll be stuck with all this extra junk
  • With some recent work, that’s been replaced with a recent CentOS release
  • This opens up the door for newer versions of Skype to run on FreeBSD, and maybe even Steam someday

pfSense 2.2-BETA

  • Big changes are coming in pfSense land, with their upcoming 2.2 release
  • We talked to the developer a while back about future plans, and now they’re finally out there
  • The 2.2 branch will be based on FreeBSD 10-STABLE (instead of 8.3) and include lots of performance fixes
  • It also includes some security updates, lots of package changes and updates and much more
  • You can check the full list of changes on their wiki

NetBSD on the Raspberry Pi

  • This article shows how you can install NetBSD on the ever-so-popular Raspberry Pi
  • As of right now, you’ll need to use a -CURRENT snapshot to do it
  • It also shows how to grow the filesystem to fill up an SD card, some pkgsrc basics and how to get some initial things set up
  • Can anyone find something that you can’t install NetBSD on?

Interview – Steve Wills – swills@freebsd.org / @swills

Mentoring new BSD developers


News Roundup

MidnightBSD 0.5 released

  • We don’t hear a whole lot about MidnightBSD, but they’ve just released version 0.5
  • It’s got a round of the latest FreeBSD security patches, driver updates and various small things
  • Maybe one of their developers could come on the show sometime and tell us more about the project

BSD Router Project 1.52 released

  • The newest update for the BSD Router Project is out
  • This version is based on a snapshot of 10-STABLE that’s very close to 10.1-RELEASE
  • It’s mostly a bugfix release, but includes some small changes and package updates

Configuring a DragonFly BSD desktop

  • We’ve done tutorials on how to set up a FreeBSD or OpenBSD desktop, but maybe you’re more interested in DragonFly
  • In this post from Justin Sherrill, you’ll learn some of the steps to do just that
  • He pulled out an old desktop machine, gave it a try and seems to be pleased with the results
  • It includes a few Xorg tips, and there are some comments about the possibility of making a GUI DragonFly installer

Building a mini-ITX pfSense box

  • Another week, another pfSense firewall build post
  • This time, the author is installing to a Jetway J7F2, a mini-ITX device with four LAN ports
  • He used to be a m0n0wall guy, but wanted to give the more modern pfSense a try
  • Lots of great pictures of the hardware, which we always love

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Slides from most of the EuroBSDCon talks are up, hopefully we’ll have the links to all the videos soon
  • We got lots of great interviews, so look forward to those in the coming months
  • The Book of PF’s third edition is now available to buy digitally, and physical copies will be available later this month
  • OpenBSD 5.6 preorders are up on their new store, openbsdstore.com – there’s also some other cool things there
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The Big Apple | Tech Talk Today 59 https://original.jupiterbroadcasting.net/66897/the-big-apple-tech-talk-today-59/ Wed, 17 Sep 2014 09:37:06 +0000 https://original.jupiterbroadcasting.net/?p=66897 We meta-cover the iPhone 6 reviews & discuss the pros and cons of large format mobiles. Then the updates coming to almost all Android phones, Microsoft’s bad news, Docker’s great news & hacking your Amazon account via an ebook exploit! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]

The post The Big Apple | Tech Talk Today 59 first appeared on Jupiter Broadcasting.


We meta-cover the iPhone 6 reviews & discuss the pros and cons of large format mobiles. Then the updates coming to almost all Android phones, Microsoft’s bad news, Docker’s great news & hacking your Amazon account via an ebook exploit!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

iPhone 6 Plus review | The Verge

I can’t see myself ever using my iPad mini again after having the 6 Plus, and it’s getting harder and harder to justify pulling out my iPad Air. With the right software changes, I could basically use an iPhone 6 Plus all day long, for everything from sending messages to editing documents to watching videos. A do-everything phone like the 6 Plus would eventually allow Apple to push the iPad even further towards becoming the true laptop replacement it was always meant to be.


We’re going to need bigger hands.

t I have no desire to use an iPhone 6 Plus as my personal phone. I ordered an iPhone 6 for my own use. And if the iPhone 6 Plus were the only new iPhone this year, I probably would have stuck with the iPhone 5S.

Google Play Services Updated for Testing Google Fit Apps

Google has begun rolling out Google Play services 6.1 with a set of new APIs for developers. The new features include an Enhanced Ecommerce extension for analytics, improvements to Drive support, and testing capabilities for the upcoming Google Fit platform.

Enhanced Ecommerce provides “richer insights into pre-purchase shopping behavior and into product performance.”

Round two of Microsoft layoffs coming September 18: Sources | ZDNet

Microsoft cut 13,000 employees total in the first wave back in July. That wave included some, but not all, of the former Nokia employees, my contacts say. It also included employees in the Operating Systems Group and just about every other group across the company. Microsoft also is planning to reduce its dependency on “contingent” (non full-time) employees by 20 percent as part of its realignment.


I am not sure how many will be cut in this week’s round, which I’ve heard will be announced internally this Thursday, September 18. But I do hear that the second round of cuts will span across almost every group at the company. I’ve also heard there still will be more cuts happening as part of the original 18,000 total at further dates in the future.

Docker Raises $40M, Plans New Enterprise Tool for 2015

Docker Inc., the lead commercial sponsor behind the open-source Docker container technology, today announced that it has closed a $40 million Series C round of funding. The new round of funding comes on the heels of the Docker 1.0 release and the emergence of a commercial ecosystem around the container virtualization technology.

The Series C round of funding is the second funding event for Docker in 2014. In January, Docker announced a $15 million funding round.

The latest funding round brings Dockers’ total funding since its founding to $66 million, CEO Ben Golub said, adding that Docker has only now just begun spending the Series A funding money and is starting to tap into the Series B funds. “We closed the Series C pre-emptively, so we would have a full powder keg to go after the market opportunity,” G

Amazon Kindle vulnerability lets hackers take over your account – The Inquirer

AMAZON’S KINDLE has been found to be vulnerable to a type of malware that is triggered by downloading an ebook with a booby-trap.

Security researcher Benjamin Daniel Mussler has demonstrated a proof of concept attack that uses cross-site scripting (XSS) to infect a computer opening a sideloaded title containing code.

The Friendly Sandbox | BSD Now 39 https://original.jupiterbroadcasting.net/58472/the-friendly-sandbox-bsd-now-39/ Thu, 29 May 2014 13:26:06 +0000 https://original.jupiterbroadcasting.net/?p=58472 This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the […]

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.


This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2014 talks and reports


Defend your network and privacy with a VPN and OpenBSD

  • After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
  • This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
  • There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
  • You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems – this could also be used with Tor (but it would be very slow)
  • It also includes a few general privacy tips, recommended browser extensions, etc
  • The intro to the article is especially great, so give the whole thing a read
  • He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you’re watching!

You should try FreeBSD

  • In this blog post, the author talks a bit about how some Linux people aren’t familiar with the BSDs and how we can take steps to change that
  • He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
  • Possibly the most useful part is how to address the question “my server already works, why bother switching?”
  • “Stackoverflow’s answers assume I have apt-get installed” ← lol
  • It includes mention of the great documentation, stability, ports, improved security and much more
  • A takeaway quote for would-be Linux switchers: “I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before”

OpenBSD and the little Mauritian contributor

  • This is a story about a guy from Mauritius named Logan, one of OpenBSD’s newest developers
  • Back in 2010, he started sending in patches for OpenBSD’s “mg” editor, among other small things, and eventually added file transfer resume support for SFTP
  • The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
  • It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
  • Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd


Tutorial

Encrypting DNS lookups


News Roundup

FreeBSD Journal, May 2014 issue

  • The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
  • This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
  • Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

  • Since the last LibreSSL post we covered, a couple unofficial “portable” versions have died off
  • Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
  • This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
  • Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

  • The usual monthly release from BSDMag, covering a variety of subjects
  • This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
  • It’s a free PDF, go grab it

BSDTalk episode 241

  • A new episode of BSDTalk is out, this time with Bob Beck
  • He talks about the OpenBSD foundation’s recent activities, his own work in the project, some stories about the hardware in Theo’s basement and a lot more
  • The interview itself isn’t about LibreSSL at all, but they do touch on it a bit too
  • Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re looking for new tutorial ideas, so if there’s something specific you’d like to learn about, let us know
  • FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We’ll let you know how it goes in a future episode.
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Not Neutrality | TechSNAP 161 https://original.jupiterbroadcasting.net/56982/not-neutrality-techsnap-161/ Thu, 08 May 2014 15:13:23 +0000 https://original.jupiterbroadcasting.net/?p=56982 Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization. Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more! On this week’s episode of TechSNAP! Thanks to: Direct Download: HD Video | Mobile Video […]

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.


Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization.

Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more!

On this week’s episode of TechSNAP!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Adobe releases patch for critical Flash flaw affecting all OSs

  • A new exploit has been discovered that works against all versions of Adobe Flash Player
  • This is a zero-day exploit, meaning that even a fully patched computer can be exploited
  • Adobe has since released the fix, and users are encouraged to apply the patch as soon as possible
  • The attack used two different exploits, one general exploit against Flash and the other exploiting a flaw in Internet Explorer
  • One of the malware files was detected by Kaspersky using a heuristic signature, but the other was new
  • The exploits slightly alter the attack methodology if Windows 8 or newer is detected, to work around mitigations provided by the OS
  • The first bit of malware (movie.swf) was generic, downloading more malware from a URL and running it
  • The second bit of malware (include.swf) was very specific, targeting “Cisco MeetingPlace Express Add-In version 5”
  • “This add-in is used by web-conference participants to view documents and images from presenter’s screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system”
  • This suggests that the malware was written with a very specific target in mind, rather than designed to target the general Internet
  • The malware was hosted on an official Syrian government website, although it appears that the site may have been compromised to store the files there
  • Kaspersky was not able to examine the payload of the second exploit because the files had already been taken down from the website, and there is evidence to suggest there was a 3rd payload (stream.swf)
  • “We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”
  • “It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.”
  • CVE-2015-0515
  • Adobe Security Bulletin
  • Additional Coverage – ARS Technica
  • Additional Coverage – Krebs on Security
  • Since IE uses a separate version of Flash from other browsers (Firefox, Chrome, Opera, etc.), Windows users will need to apply the patch twice: once for their browser and once for IE, which is used as a component in many other applications including Skype and Steam

Exploit used in the wild against all versions of Internet Explorer 6 through 11

  • As part of the same attack from the previous story, an exploit for all versions of Internet Explorer was found
  • The exploit was used as part of a watering hole attack
  • CVE-2014-1776
  • This was to be the first of many 0day exploits that would not be fixed on Windows XP; however, Microsoft issued a statement and released the update for Windows XP, in spite of the fact that it is no longer supported

[Heartbleed Followups]


Feedback:


Round-Up:

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.

Certified Package Delivery | BSD Now 33 https://original.jupiterbroadcasting.net/55382/certified-package-delivery-bsd-now-33/ Thu, 17 Apr 2014 18:59:10 +0000 https://original.jupiterbroadcasting.net/?p=55382

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.

We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There’s a boatload of news and we’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

  • This year’s BSDCan will kick off on May 14th in Ottawa
  • The list of speakers is also out
  • And finally the talks everyone’s looking forward to
  • Lots of great tutorials and talks, spanning a wide range of topics of interest
  • Be sure to come by so you can meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

  • The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
  • Jeff Rizzo’s talk, “Releasing NetBSD: So Many Targets, So Little Time”
  • Dru Lavigne’s talk, “ZFS Management Tools in FreeNAS and PC-BSD”
  • Scott Long’s talk, “Serving one third of the Internet via FreeBSD”
  • Michael W. Lucas’ talk, “BSD Breaking Barriers”

FreeBSD Journal, issue 2

  • The bi-monthly FreeBSD Journal’s second issue is out
  • Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
  • In less than two months, they’ve already gotten over 1000 subscribers! It’s available on Google Play, iTunes, Amazon, etc.
  • “We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD”
  • Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

  • We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
  • There’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
  • We finally have a timeline of events
  • Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
  • pfSense released a new version to fix it
  • OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
  • Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
  • A nice quote from one of the OpenBSD lists: “Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL’s bug tracker is only used to park bugs, not fix them”
  • Sounds like someone else was having fun with the bug for a while too
  • There’s also another OpenSSL bug that’s possibly worse, which OpenBSD patched – it allows an attacker to inject data from one connection into another
  • OpenBSD has also imported the most current version of OpenSSL and is ripping it apart from the inside out – we’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams


Tutorial

Building OpenBSD binary packages in bulk


News Roundup

Portable signify

  • Back in episode 23 we talked with Ted Unangst about the new “signify” tool in OpenBSD
  • Now there\’s a (completely unofficial) portable version of it on github
  • If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
  • Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

  • The OpenBSD foundation has reached their 2014 goal of $150,000
  • You can check their activities and goals to see where the money is going
  • Remember that funding also goes to OpenSSH, which EVERY system uses and relies on every day to protect its data
  • The FreeBSD foundation has kicked off their spring fundraising campaign
  • There’s also a list of their activities and goals available to read through
  • Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

  • New PBI runtime that fixes stability issues and decreases load times
  • “Update Center” is getting a lot of development and improvements
  • Lots of misc. bug fixes and updates

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv – there’s a couple new ones on the site now that we’ll be covering in future episodes
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • Also if you have any tutorial requests, we’d be glad to show whatever the viewers want to see
  • If you’re in or around Colorado in the US, there’s a brand new BSD users group that was just formed and announced – they’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

GIF me root | TechSNAP 101 https://original.jupiterbroadcasting.net/33641/gif-me-root-techsnap-101/ Thu, 14 Mar 2013 12:07:36 +0000 https://original.jupiterbroadcasting.net/?p=33641

The post GIF me root | TechSNAP 101 first appeared on Jupiter Broadcasting.

We’ll explain the MiniDuke malware and the extremely clever way it slipped into victims’ systems.

Researchers discovered a way to bypass Google two-factor authentication; we’ll explain the details, and we look back at 25 years of software vulnerabilities.

Plus a big batch of your questions, our answers, and so much more on this week’s TechSNAP!

Show Notes:

Miniduke malware used against European governments

  • A new attack against many European governments has been detected using a new malware called Miniduke
  • The malware exploits a sandbox bypass in Adobe Reader
  • The malware targeted a very small (59) but specific number of people from 23 different countries, mostly in Europe
  • The spear phishing attacks were carried out using well-crafted PDF files purporting to be NATO membership plans, Ukrainian foreign policy documents or a seminar on human rights
  • The malware allowed the attackers to copy and move files from the infected machines to their own servers, as well as kill other processes (like security software) and install additional malware
  • The attack was unique because of the unusual nature of the backdoor that was used and how specific and narrow the targets were
  • The backdoor contained components written in assembly, a relative rarity in viruses and vulnerabilities
  • The malware also used Twitter as a command and control system, following specific users and looking for tweets containing encrypted commands prefixed with “uri!”
  • The malware also used .gif files as an update and distribution method: the GIF files were regular images (like the RSS icon) but also contained malware binaries embedded in the image using steganography
  • The backdoor also gathered system-specific information and used it to encrypt communications back and forth with the attackers’ servers (likely to avoid IDS and other forms of detection)
  • This system-specific information was also used as part of the attack: many of the malware components subsequently loaded onto the machines contained code that made them work only on that specific machine, which made the security analysts’ job much harder, since they could not run the malware on controlled virtual machines or their own machines in order to analyze it
  • The researchers say the style and methods of the attack are reminiscent of attackers from the 90s
  • The attack pattern and programming style are reminiscent of a hacking group that was thought to have been long disbanded
  • The group, called 29A (666 in hex), published their first malware magazine in December of 1996 and were active until February 2008, when the last standing member announced the group’s dismissal
  • Digital Underground Podcast – Intricacies of Miniduke
  • Full PDF with details
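The GIF trick above is a good place for a container-level triage check. What follows is an added example, not code from the show or from the Miniduke researchers: it walks a GIF's block structure and reports bytes that sit after the trailer or in oversized comment/application extensions, run over sample files constructed inline. It will not find pixel-level steganography, which needs image analysis rather than a structure walk.

```python
# Added example, not the show's or the researchers' code: walk a GIF's block
# structure and report bytes that are not part of the picture (data after the
# 0x3B trailer, oversized comment/application extensions). It does not detect
# pixel-level steganography; it is a cheap triage check for payload-carrying
# image containers. Sample files are constructed below for the demo.

def _sub_blocks(data, pos):
    """Skip length-prefixed sub-blocks; return (payload_bytes, position after terminator)."""
    total = 0
    while True:
        n = data[pos]
        pos += 1
        if n == 0:                          # zero-length block terminates the chain
            return total, pos
        total += n
        pos += n

def inspect_gif(data, ext_limit=4096):
    """Return trailer offset, appended byte count and oversized extensions."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed, pos = data[10], 13              # logical screen descriptor flags
    if packed & 0x80:                       # global colour table: 3 * 2^(n+1) bytes
        pos += 3 << ((packed & 0x07) + 1)
    flagged = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer")
        tag = data[pos]
        if tag == 0x3B:                     # trailer: the image ends here
            break
        if tag == 0x21:                     # extension: label byte, then sub-blocks
            label = data[pos + 1]
            size, pos = _sub_blocks(data, pos + 2)
            if label in (0xFE, 0xFF) and size > ext_limit:  # comment / application
                flagged.append((hex(label), size))
        elif tag == 0x2C:                   # image descriptor: 9 bytes, optional table
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:
                pos += 3 << ((ipacked & 0x07) + 1)
            _, pos = _sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, pos))
    return {"trailer_at": pos, "appended": len(data) - pos - 1,
            "large_extensions": flagged}

def build_sample(comment_len=0, appended=b""):
    """Constructed 1x1 GIF, optionally with a comment extension and trailing bytes."""
    gif = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
    if comment_len:
        chunks = [bytes([min(255, comment_len - i)]) + b"A" * min(255, comment_len - i)
                  for i in range(0, comment_len, 255)]
        gif += b"\x21\xfe" + b"".join(chunks) + b"\x00"
    gif += b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00\x00"    # image descriptor
    gif += b"\x02\x02\x44\x01\x00"                             # LZW code size + data
    return gif + b"\x3b" + appended

if __name__ == "__main__":
    print(inspect_gif(build_sample(appended=b"MZ" + b"\x90" * 30)))
```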

Researchers discovered a way to bypass Google two-factor authentication

  • For the last 7 months, researchers from DuoSecurity and any attackers with knowledge of the vulnerability have been able to bypass Google’s two-factor authentication system, even for Google services such as Gmail
  • An attacker who managed to steal or guess a user’s application-specific password could then exploit the Android auto-login feature to take over full control of a user’s entire Google profile, without having to enter the result of the secondary authentication mechanism
  • Once they have access to the profile, they could then reset the master password and disable two-factor authentication entirely, allowing them to completely steal the account
  • Application-specific passwords are a feature created by Google to allow you to use your Google account to authenticate to applications and services that do not support two-step login
  • This allows you to use your existing authentication to Google to access other apps that do not support web-based login (like IMAP/SMTP, chat and calendar apps)
  • “if a user has linked their Android device to their Google account, the Chrome browser will use local-device authentication to override Google’s two-factor authentication”
  • This is a classic case of trading the stronger security that two-factor authentication and strong passwords provide for convenience
  • The scary part is that this mechanism allowed an attacker to access the Google ‘Account Settings’ portal, where you can change your backup email address, the phone number linked to your Google account, and other settings that are extremely sensitive and important to the security of your account
  • Researchers clarify that the only way for this vulnerability to affect users in a desktop environment is when their mobile authentication is compromised and used to seize their entire account
  • Google patched the vulnerability before it was announced last week
  • Researchers Post

Google introduces new compression algorithm

  • A key feature of Zopfli is that the compression is deflate-compatible, meaning the compressed data can be decompressed using the libraries already built into nearly all existing web browsers
  • Zopfli has a compression gain of 3–8% over zlib but takes 2–3 orders of magnitude longer to compress, making it only really useful for compressing static data, rather than compressing dynamic data for HTTP streams
  • For example, to compress a 100 MB sample of the English Wikipedia, gzip takes 5.6 seconds, 7-zip takes 128 seconds, and zopfli takes 454 seconds
  • All three compressed files can be decompressed in under 1 second
  • Google’s goal is to save bandwidth and battery life by reducing the size of text and images transmitted to mobile devices
  • The research started as an offshoot of the WebP project (advanced lossy and lossless image compression)
  • Google has open sourced the code as a C library under the business-friendly Apache 2.0 license
  • PDF Paper on the compression savings
  • Additional Coverage

VRT profiles 25 years of software vulnerabilities

  • VRT, the Sourcefire Vulnerability Research Team, dug through the CVE (Common Vulnerabilities and Exposures) database and NIST NVD (National Vulnerability Database)
  • 2012 was the first year since 2007 in which the number of new vulnerabilities was greater than the previous year’s
  • However, the number of vulnerabilities with a score over 7 (out of a possible 10) was still down each year since 2007
  • However, 2012 had a record-high number of vulnerabilities with scores of 10/10
  • The top types of vulnerabilities over the last 25 years have been buffer errors (buffer overflow etc.), cross-site scripting, access control, SQL injection, code injection and input validation
  • Top vendors with high-severity vulnerabilities: Mozilla, Apple, Cisco, Sun, Adobe, IBM, Mozilla, HP, Google, and Oracle
  • Mobile vulnerability share: iPhone: 81%, Android: 9%, Windows: 6%, BlackBerry: 4%
  • Full PDF

Feedback:

  • What is the value of a hacked PC?
    • Steal your usernames/passwords (banking, games, web servers, Skype)
    • Steal your CD keys (Windows, Office, games, etc.)
    • Use your computer as a web server (host spam, malware, etc.)
    • Join a botnet (click fraud, send spam, launch DDoS)
    • Reputation hijacking (using your Facebook account to ‘like’ businesses etc. that pay the malware author)

Conference Round Up:

Attacking the Devs | TechSNAP 98 https://original.jupiterbroadcasting.net/32272/attacking-the-devs-techsnap-98/ Thu, 21 Feb 2013 19:40:44 +0000 https://original.jupiterbroadcasting.net/?p=32272

The post Attacking the Devs | TechSNAP 98 first appeared on Jupiter Broadcasting.

Facebook and Apple are compromised by the same Java exploit, and the details are quite interesting; the Punkbuster service goes offline, taking down online game servers for hundreds of users.

And a thorough look at a report claiming the Chinese military is responsible for hundreds of system compromises.

Plus a big batch of your questions and more!
