Solving the Flash Plague | TechSNAP 226
Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand
https://original.jupiterbroadcasting.net/86237/solving-the-flash-plague-techsnap-226/
Fri, 07 Aug 2015 07:33:08 +0000

Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang.

Plus a great batch of questions, the roundup & more!

Thanks to: DigitalOcean, Ting, iXsystems
Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon

— Show Notes: —

0day exploits against Flash will be harder thanks to new mitigations

  • Three new exploit mitigations are being added to Adobe’s Flash player in an effort to prevent future exploits
  • The mitigations were developed in a collaboration between Adobe and Google’s Project Zero
  • The mitigations are:
    • “buffer heap partitioning” – Specific types of objects have been moved to an entirely separate heap (the OS heap instead of the Flash heap), so an overflow in the Flash heap can no longer reach and corrupt those objects. “It’s worth noting that this defense is much more powerful in a 64-bit build of Flash, because of address space limitations of 32-bit processes. This mitigation is now available in the Chrome version of Flash, and is expected to come to all other browsers sometime in August. Now is a good time to upgrade to a 64-bit browser and Flash.”
    • “stronger randomization for the Flash heap” – The Flash heap is no longer stored at a predictable location, so it is harder to exploit. In addition, especially on 64-bit platforms, large allocations are further randomized. An older exploit developed by Project Zero used an allocation of up to 1GB in order to land on a predictable address. With the large 64-bit address space to play with, these allocations can be spread so far apart that it becomes very difficult for an attacker to overflow the Flash heap into the binary’s sections.
    • “Vector.<*> length validation secret” – Many recent (and older) exploits worked by overwriting the length field of a Vector object, so that indexing which looks in-bounds to the script becomes a read or write anywhere in memory. The previous two mitigations make the length field harder to reach, but Adobe have also developed a validation technique to detect when the length has been altered unexpectedly. It works by storing a “validation secret” alongside the length: a hash of the correct length and a secret value. The attacker does not know the secret value, so cannot write the matching hash, and Flash exits with a runtime error when the check fails. This mitigation is available in all Flash builds as of 18.0.0.209.
  • “Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities”
  • Hopefully these will propagate quickly and reduce the frequency of Flash 0-days
  • Google Project Zero Blog Post
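To make the third mitigation concrete, here is a toy model of a length-validated vector. This is an added example written for these notes, not Adobe’s or Project Zero’s code: the struct layout, the FNV-1a-based tag, the process-wide `g_secret`, and the `simulate_length_overwrite()` stand-in for a real heap overflow are all assumptions made for illustration. The point it shows is the one in the bullet above: a plain bounds check happily accepts index 1000 once `length` has been smashed to 0xFFFFFFFF, whereas recomputing the keyed tag catches the corruption before any memory is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/*
 * Toy model of a "length validation secret" for a heap-allocated vector.
 * Added example, not Adobe's or Project Zero's code; the tag layout and
 * hash function are assumptions chosen for illustration.
 */

static uint64_t g_secret;   /* per-process secret; the attacker cannot read it */

/* Draw the secret once. A real runtime would use the OS CSPRNG only;
 * the time-based fallback exists so the example runs anywhere. */
static void ensure_secret(void)
{
    if (g_secret != 0)
        return;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        if (fread(&g_secret, sizeof g_secret, 1, f) != 1)
            g_secret = 0;
        fclose(f);
    }
    if (g_secret == 0)
        g_secret = 0x9e3779b97f4a7c15ULL ^ (uint64_t)time(NULL);
}

/* Keyed tag over (secret, length): FNV-1a, chosen for brevity, not strength. */
static uint64_t length_tag(uint32_t length, uint64_t secret)
{
    uint8_t buf[sizeof secret + sizeof length];
    memcpy(buf, &secret, sizeof secret);
    memcpy(buf + sizeof secret, &length, sizeof length);
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct vec {
    uint32_t length;    /* the field a heap overflow aims to corrupt */
    uint32_t capacity;
    uint64_t tag;       /* length_tag(length, g_secret), refreshed on every legitimate resize */
    uint32_t *data;
};

/* Allocate a vector of n elements and compute its initial tag. */
int vec_init(struct vec *v, uint32_t n)
{
    ensure_secret();
    v->data = calloc(n ? n : 1, sizeof *v->data);
    if (v->data == NULL)
        return -1;
    v->capacity = n;
    v->length = n;
    v->tag = length_tag(n, g_secret);
    return 0;
}

void vec_free(struct vec *v)
{
    free(v->data);
    v->data = NULL;
    v->length = v->capacity = 0;
}

/*
 * Decide whether data[idx] may be touched.
 *  validate == 0: bounds check only, as in an unmitigated build.
 *  validate != 0: recompute the tag first; a mismatch means length was
 *                 written by something other than the vector's own code.
 * Returns 1 = allowed, 0 = out of range, -1 = tamper detected.
 */
int vec_access_allowed(const struct vec *v, uint32_t idx, int validate)
{
    if (validate && v->tag != length_tag(v->length, g_secret))
        return -1;
    return idx < v->length ? 1 : 0;
}

/* Stand-in for the heap overflow: the attacker smashes length but cannot
 * produce the matching tag because the secret is unknown. */
void simulate_length_overwrite(struct vec *v)
{
    v->length = 0xFFFFFFFFu;
}

int main(void)
{
    struct vec v;
    if (vec_init(&v, 16) != 0)
        return 1;
    printf("idx 1000 before corruption, validated: %d\n", vec_access_allowed(&v, 1000, 1));
    simulate_length_overwrite(&v);
    printf("idx 1000 after corruption, bounds check only: %d\n", vec_access_allowed(&v, 1000, 0));
    printf("idx 1000 after corruption, validated: %d\n", vec_access_allowed(&v, 1000, 1));
    vec_free(&v);
    return 0;
}
```

The defence only holds if every code path that legitimately changes `length` also refreshes `tag`, and if the secret never leaks: an attacker with an info-leak primitive that can read `g_secret` (or the tag of a vector whose length they already know, given a weak hash) can forge the tag, which is why the other two mitigations, which deny the attacker a reliable corruption target in the first place, still matter.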

1.4M Vehicle Recall After Bug in Chrysler UConnect System

  • Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
  • The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
  • This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
  • Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
  • It’s not a Sprint issue but they have been “working with Chrysler to help them further secure their vehicles”.
  • Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
  • Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
  • The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements.
  • Chrysler Recalls
  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
  • Fiat Chrysler Automobiles (FCA) Uconnect Vulnerability
  • FCA Uconnect Vulnerability | ICS-CERT

Inside the “Business Club” crime gang

  • Krebs profiles the “Business Club” crime gang, which apparently managed to steal more than $100 million from European banks and businesses
  • The story centers on the “Gameover ZeuS” trojan and botnet. The commercial ZeuS malware had been popular for years for stealing banking credentials, but Gameover was a closely held private version that the original author built for his own use
  • “Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.””
  • “That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.”
  • “The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.”
  • “Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.””
  • “The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.”
  • “Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.”
  • The botnet was also used against Turkey
  • “The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”
  • “The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”
  • The full Fox-IT report is available as a PDF here

Feedback:


Round Up:


The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.

Package Design | BSD Now 43
https://original.jupiterbroadcasting.net/60837/package-design-bsd-now-43/
Thu, 26 Jun 2014 10:06:40 +0000

It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon 2014 talks and schedule

  • The talks and schedules for EuroBSDCon 2014 are finally revealed
  • The opening keynote is called “FreeBSD, looking forward to another 10 years” by jkh
  • Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
  • It looks like Theo even has a talk, but the title isn’t on the page… how mysterious
  • There are also days dedicated to some really interesting tutorials
  • Register now, the conference is on September 25-28th in Bulgaria
  • If you see Allan and Kris walking towards you and you haven’t given us an interview yet… well you know what’s going to happen
  • Why aren’t the videos up from last year yet? Will this year also not have any?

FreeNAS vs NAS4Free

  • More mainstream news covering BSD, this time with an article about different NAS solutions
  • In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
  • Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
  • Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
  • “One is pleasantly functional; the other continues devolving during a journey of pain” – uh oh, who’s the loser?

Quality software costs money, heartbleed was free

  • PHK writes an article for ACM Queue about open source software projects’ funding efforts
  • A lot of people don’t realize just how widespread open source software is – TVs, printers, gaming consoles, etc
  • The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish’s funding
  • The Heartbleed vulnerability should teach everyone that open source projects are critical to the internet and need people actively maintaining them
  • On that subject, “Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software”
  • Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive

Geoblock evasion with pf and OpenBSD rdomains

  • Geoblocking is a way for websites to block visitors based on the location of their IP
  • This is a blog post about how to get around it, using pf and rdomains
  • It has the advantage of not requiring any browser plugins or DNS settings on the users’ computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that…)
  • In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
  • It’s got all the details you need to set up a VPN-like system and bypass those pesky geographic filters

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

OpenBSD’s package system, building cluster, various topics


Tutorial

Keeping your BSD up to date


News Roundup

BoringSSL and LibreSSL

  • Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
  • Adam Langley has a blog post about it, why they did it and how they’re going to maintain it
  • You can easily browse the source code
  • Theo de Raadt also weighs in with how this effort relates to LibreSSL
  • More eyes on the code is good, and patches will be shared between the two projects

More BSD Tor nodes wanted

  • Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
  • Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
  • If one vulnerability is found, a huge portion of the network would be useless – we need more variety in the network stacks, crypto, etc.
  • The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
  • Check out our Tor tutorial and help out the network, and promote BSD at the same time!

FreeBSD 10 OpenStack images

  • OpenStack, to quote Wikipedia, is “a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution.”
  • The article goes into detail about creating a FreeBSD instance, then installing and converting it for use with “bsd-cloudinit”
  • The author of the article is a regular listener and emailer of the show, hey!

BSDday 2014 call for papers

  • BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
  • It was created in 2008 and is the only BSD conference around that area
  • The “call for papers” was issued, so if you’re around Argentina and use BSD, consider submitting a talk
  • Sysadmins, developers and regular users are, of course, all welcome to come to the event

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Just a reminder for those who don’t check the website, you’ll also find contact information for every guest we’ve ever had in the show notes – so if you have follow up questions for them, it’s easy to get in touch
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Congrats to Matt Ahrens for getting FreeBSD commit access – hopefully lots of great ZFS stuff to come
  • A special 21st happy birthday to FreeBSD

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.
