hypervisor – Jupiter Broadcasting

Linux Action News 202 (Sun, 15 Aug 2021) https://original.jupiterbroadcasting.net/145872/linux-action-news-202/

Show Notes: linuxactionnews.com/202

The post Linux Action News 202 first appeared on Jupiter Broadcasting.

Core File Tales | BSD Now 346 (Thu, 16 Apr 2020) https://original.jupiterbroadcasting.net/141082/core-file-tales-bsd-now-346/

Show Notes/Links: https://www.bsdnow.tv/346

Netflix Lab Rats | TechSNAP 330 (Tue, 01 Aug 2017) https://original.jupiterbroadcasting.net/117101/netflix-lab-rats-techsnap-330/

Episode summary: Mandiant researcher doxed by hackers: “Hackers leak data from Mandiant security researcher in Operation #LeakTheAnalyst”. The leaked data included more screenshots than documents. Images showed that the hackers might have gained access to […]

Show Notes:

Mandiant researcher doxed by hackers

70,000 Memcached Servers Can Be Hacked Using Eight-Month-Old Flaws

  • Original Talos blog post

  • Background: in January 2017, a series of MongoDB incidents in which multiple competing groups attacked the same servers, leading to the conclusion that there is no hope of actually recovering the data, if there ever was in the first place.

  • This prompted Talos to investigate memcached

Dan talks about upgrading ZFS arrays

  • raidz arrays cannot be expanded. You have N devices; it stays N devices

  • you can replace devices

  • you can replace devices with bigger devices

  • once they are all replaced, BANG, you have more space

  • what options exist for replacing devices?

  • Pull a drive, insert a new one, issue the zfs replace command.

  • Insert a new drive, if you have space, issue the zfs replace command.

  • But then Dan had a great idea the other night…

Apple Pretend Filesystem | TechSNAP 271 (Thu, 16 Jun 2016) https://original.jupiterbroadcasting.net/100526/apple-pretend-filesystem-techsnap-271/


Why didn’t Apple choose ZFS for its new filesystem? We journey through the long history of ZFS at Apple. Plus how the BadTunnel bug can hijack traffic from all versions of Windows & should we worry about Intel’s management tech?

Plus great questions, a huge round up & much more!

Show Notes:

BadTunnel bug can hijack traffic from all versions of Windows

  • “Microsoft has patched a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released”
  • “Among the more than three dozen vulnerabilities Microsoft patched on Tuesday was a fix for a bug that the researcher who found it said has “probably the widest impact in the history of Windows.””
  • “An attacker could leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim’s network traffic through a point controlled by the attacker.”
  • “The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.”
  • “The flaw is particularly serious because it affects every version of Windows, including long-unsupported versions of the OS going back to Windows 95.”
  • “To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick. [You] even may not need the victim to do anything when the victim is a web server.”
  • “For example, if a file URI or UNC path is embedded into a shortcut link file (Microsoft’s LNK), the BadTunnel attack can be triggered at the moment the user views the file in the Windows Explorer. It therefore can be exploited via webpage, email, flash drive and many other media. It can even be effective against servers.”
  • “Exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. For these operating systems, and for those that can’t be updated just yet, system administrators should disable NetBIOS.”
  • Additional Coverage: Threat Post
  • Official Microsoft Bulletin MS16-077 CVE-2016-3213

ZFS: Apple’s New Filesystem That Wasn’t

  • Adam Leventhal, a ZFS developer who designed features such as RAID-Z3, and also worked on DTrace, writes a post about Apple’s recent announcement of its new file system, APFS.
  • This story is mostly about how ZFS was almost the Apple file system, and what happened.
  • To learn more about Adam and what he has done, check out our BSDNow #122 Interview with him
  • “I attended my first WWDC in 2006 to participate in Apple’s launch of their DTrace port to the next version of Mac OS X (Leopard). Apple completed all but the fiddliest finishing touches without help from the DTrace team. Even when they did meet with us we had no idea that they were mere weeks away from the finished product being announced to the world. It was a testament both to Apple’s engineering acumen as well as their storied secrecy.”
  • “At that same WWDC Apple announced Time Machine, a product that would record file system versions through time for backup and recovery. How were they doing this? We were energized by the idea that there might be another piece of adopted Solaris technology. When we launched Solaris 10, DTrace shared the marquee with ZFS, a new filesystem that was to become the standard against which other filesystems are compared. Key among the many features of ZFS were snapshots that made it simple to capture the state of a filesystem, send the changes around, recover data, etc. Time Machine looked for all the world like a GUI on ZFS (indeed the GUI that we had imagined but knew to be well beyond the capabilities of Sun).”
  • “Of course Time Machine had nothing to do with ZFS. After the keynote we rushed to an Apple engineer we knew. With shame in his voice he admitted that it was really just a bunch of hard links to directories. For those who don’t know a symlink from a symtab this is the moral equivalent of using newspaper as insulation: it’s fine until the completely anticipated calamity destroys everything you hold dear. So there was no ZFS in Mac OS X, at least not yet.”
  • “A few weeks before WWDC 2007 nerds like me started to lose their minds: Apple really was going to port ZFS to Mac OS X. It was actually going to happen! Beyond the snapshots that would make backing up a cinch, ZFS would dramatically advance the state of data storage for Apple users. HFS was introduced in System 2.1. HFS improved upon the Macintosh File System by adding—wait for it—hierarchy! No longer would files accumulate in a single pile; you could organize them in folders. And that filesystem has limped along for more than 30 years, nudged forward, rewritten to avoid in-kernel Pascal code, but never reimagined or reinvented.”
  • “ZFS was to bring to Mac OS X data integrity, compression, checksums, redundancy, snapshots, etc, etc etc. But while energizing Mac/ZFS fans, Sun CEO, Jonathan Schwartz, had clumsily disrupted the momentum that ZFS had been gathering in Apple’s walled garden. Apple had been working on a port of ZFS to Mac OS X. They were planning on mentioning it at the upcoming WWDC. Jonathan, brought into the loop either out of courtesy or legal necessity, violated the cardinal rule of the Steve Jobs-era Apple. Only one person at Steve Jobs’ company announces new products: Steve Jobs.”
  • “In fact, this week you’ll see that Apple is announcing at their Worldwide Developer Conference that ZFS has become the file system in Mac OS 10,” mused Jonathan at a press event, apparently to bolster Sun’s own credibility. Less than a week later, Apple spoke about ZFS only when it became clear that a port was indeed present in a developer version of Leopard albeit in a nascent form. Yes, ZFS would be there, sort of, but it would be read-only and no one should get their hopes up.
  • “By the next WWDC (2008) it seemed that Sun had been forgiven. ZFS was featured in the keynotes, it was on the developer disc handed out to attendees, and it was even mentioned on the Mac OS X Server website. Apple had been working on their port since 2006 and now it was functional enough to be put on full display. I took it for a spin myself; it was really real. The feature that everyone wanted (but most couldn’t say why) was coming!”
  • “By the time Snow Leopard shipped (2009) only a careful examination of the Apple web site would turn up the odd reference to ZFS left unscrubbed. Whatever momentum ZFS had enjoyed within the Mac OS X product team was gone. I’ve heard a couple of theories and anecdotes from people familiar with the situation.”
  • The uncertainty created by Oracle acquiring Sun, and the fact that it took over a year to close the deal, may not have helped
  • “In the meantime Sun and NetApp had been locked in a lawsuit over ZFS and other storage technologies since mid-2007”, that certainly didn’t help
  • “Finally, and perhaps most significantly, personal egos and NIH (not invented here) syndrome certainly played a part. I’m told by folks in Apple at the time that certain leads and managers preferred to build their own rather than adopting external technology—even technology that was best of breed. They pitched their own project, an Apple project, that would bring modern filesystem technologies to Mac OS X”
  • “The design center for ZFS was servers, not laptops—and certainly not phones, tablets, and watches—his argument was likely that it would be better to start from scratch than adapt ZFS.”
  • “Licensing FUD was thrown into the mix; even today folks at Apple see the ZFS license as nefarious and toxic in some way whereas the DTrace license works just fine for them. Note that both use the same license with the same grants and same restrictions.”
  • By 2010, “Amazingly that wasn’t quite the end for ZFS at Apple. The architect for ZFS at Apple had left, the project had been shelved, but there were high-level conversations between Sun and Apple about reviving the port. Apple would get indemnification and support for their use of ZFS”
  • “The Apple-ZFS deal was brought for Larry Ellison’s approval, the first born child of the conquered land brought to be blessed by the new king. “I’ll tell you about doing business with my best friend Steve Jobs,” he apparently said, “I don’t do business with my best friend Steve Jobs.””
  • “Amusingly the version of the story told quietly at WWDC 2016 had the friends reversed with Steve saying that he wouldn’t do business with Larry. Still another version I’ve heard calls into question the veracity of their purported friendship, and has Steve instead suggesting that Larry go f*ck himself.”
  • “In the 7 years since ZFS development halted at Apple, they’ve worked on a variety of improvements in HFS and Core Storage, and hacked at at least two replacements for HFS that didn’t make it out the door. This week Apple announced their new filesystem, APFS, after 2 years in development. It’s not done; some features are still in development, and they’ve announced the ambitious goal of rolling it out to laptop, phone, watch, and tv within the next 18 months. At Sun we started ZFS in 2001. It shipped in 2005 and that was really the starting line, not the finish line. Since then I’ve shipped the ZFS Storage Appliance in 2008 and Delphix in 2010 and each has required investment in ZFS / OpenZFS to make them ready for prime time. A broadly featured, highly functional filesystem takes a long time.”
  • “APFS has merits (more in my next post), but it will always disappoint me that Apple didn’t adopt ZFS irrespective of how and why that decision was made. Dedicated members of the OpenZFS community have built and maintain a port. It’s not quite the same as having Apple as a member of that community, embracing and extending ZFS rather than building their own incipient alternative.”
  • Additional Coverage
  • Apple’s APFS guide

Intel ME/AMT: The other processor inside your computer

  • Recent Intel x86 processors implement a rarely discussed powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine.
  • Many (all?) vPro chipsets (MCHs) have:
  • An Independent CPU (not IA32!)
  • Access to dedicated DRAM memory
  • Special interface to the Network Card (NIC)
  • Execution environment called Management Engine (ME)
  • The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that’s physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.
  • On some chipsets, the firmware running on the ME implements a system called Intel’s Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.
  • The purpose of AMT is to provide a way to manage computers remotely.
  • This is similar to an older system called “Intelligent Platform Management Interface” (IPMI), but more powerful.
  • It can offer VNC access to the screen (optionally prompting the local user for permission), IDE redirection (Virtual Media, to boot from a remote device), Serial redirection, etc
  • To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface, and packets entering and leaving your machine that are addressed to the second MAC address bypass any firewall running on your system.
  • ME is classified by security researchers as “Ring -3”.
  • Rings of security can be defined as layers of security that affect particular parts of a system, with a smaller ring number corresponding to an area closer to the hardware.
  • For example, Ring 3 threats are defined as security threats that manifest in “userspace” mode; Ring 0 threats occur at the “kernel” level.
  • Ring -1 threats occur in a “hypervisor” level, one level lower than the kernel
  • Ring -2 threats occur in a special CPU mode called “SMM” mode. SMM stands for System-Management-Mode, a special mode that Intel CPUs can be put into that runs a separately defined chunk of code. If attackers can modify the SMM code and trigger the mode, they can get arbitrary execution of code on a CPU.
  • Although the ME firmware is cryptographically protected with RSA 2048, researchers have been able to exploit weaknesses in the ME firmware and take partial control of the ME on early models. This makes ME a huge security loophole, and it has been called a very powerful rootkit mechanism.
  • On systems newer than the Core2 series, the ME cannot be disabled.
  • Intel systems that are designed to have ME but lack ME firmware (or whose ME firmware is corrupted) will refuse to boot, or will shut-down shortly after booting.
  • There is no way for the x86 firmware or operating system to disable ME permanently. Intel keeps most details about ME absolutely secret. There is absolutely no way for the main CPU to tell if the ME on a system has been compromised.
  • “We also discovered that the critical parts of the ME firmware are stored in a non-standard compressed format, which gets decompressed by a special hardware decompressor. My initial attempts to brute-force the decompression scheme failed miserably. Another group had better success and they have now completed a working decompression routine for all versions of ME up to but not including version 11.”
  • There are only a few methods to enable AMT, which is disabled by default.
  • Most require physical presence during the BIOS boot
  • ME hardware
  • Intel ME huffman dictionaries – Unhuffme v2.4
  • Introducing Ring -3 Rootkits PDF

How to Write Service Status Updates

  • “The lowly incident status update happens to be one of the most essential pieces of communication a company gets to write”
  • Your company is having a bad time, your customers are hurting. Everyone is busy, scrambling to fix things, but it is still important to communicate clearly, and regularly, with your customers.
  • “When users navigate to a status page, they’re driven by a heightened sense of urgency (compared to, say, a website, a blog, or a newsletter). Not many words get as dissected, discussed and forwarded as the ones we place on our status page.”
  • Often, very little is written, possibly because very little is known. Everything is read with a slant, because you know the company wrote it to try to minimize how bad they look.
  • “Now let’s state the obvious. Customers couldn’t care less about a string of words posted on a status update. What they care about is, “am I in good hands?” Every time we publish (or fail to publish) a service status update we are ultimately answering that question.”
  • Goals:
    1. Write frequent status updates — This can mean posting updates hourly, or even more often. It depends how rapidly the situation is developing. There is nothing worse than an acknowledgement that there is a problem from hours ago, with no further updates. Ideally, indicate when to expect the next post at the end of each update.
    2. Well written status updates — Write authoritatively and honestly. Avoid “weasel phrases”.
    3. Productive Updates — “What we learned early on was that regular and well-written status updates reduce the amount of incoming support requests. Investing the time to get incident updates right was paying productivity dividends for the rest of the team”
  • “When faced with service interruptions, we drop everything in our hands and perform operational backflips 24×7 until the service is restored for all customers. During this time, over-communication is a good thing. As is transparency, i.e. acknowledging problems and throwing the public light of accountability on all remaining issues until they’re resolved.”
  • “While the crisis is unfolding we publish short status updates at regular intervals. We stick to the facts, including scope of impact and possible workarounds. We update the status page even if it’s just to say “we’re still looking into it.””
  • “Once service is resolved, it’s time to turn our focus on the less urgent, but equally important piece of writing: the post mortem. It demonstrates that someone is investing time on their product. That they care enough to sit down and think things through. Most crucially, it also creates the space for our team to learn and grow as a company”
  • They link to a second post: How to Write a Post Mortem
  • Or you can just not: Apple offers no explanation for 7 hour outage

Virginia BSD Assembly | BSD Now 105 (Thu, 03 Sep 2015) https://original.jupiterbroadcasting.net/87226/virginia-bsd-assembly-bsd-now-105/


It’s already our two-year anniversary! This time on the show, we’ll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year’s vBSDCon. What does it have to offer that’s different in the BSD conference space? We’ll find out!


– Show Notes: –

Headlines

OpenBSD hypervisor coming soon

  • Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
  • From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled “vmm”
  • Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
  • Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
  • One thing to note: this isn’t just a port of something like Xen or Bhyve; it’s all-new code, and Mike explains why he chose to go that route
  • He also answered some basic questions about the requirements, when it’ll be available, what OSes it can run, what’s left to do, how to get involved and so on

Why FreeBSD should not adopt launchd

  • Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
  • One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we’ve learned)
  • In this article, the author talks about why he thinks this is a bad idea
  • He doesn’t oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself – this is also explained in more detail
  • The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
  • Reddit had quite a bit to say about this one, some in agreement and some not

DragonFly graphics improvements

  • The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
  • This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
  • You should also see some power management improvements, longer battery life and various other bug fixes
  • If you’re running DragonFly, especially on a laptop, you’ll want to get this stuff on your machine quick – big improvements all around

OpenBSD tames the userland

  • Last week we mentioned OpenBSD’s tame framework getting support for file whitelists, and said that the userland integration was next – well, now here we are
  • Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
  • It’s still a work-in-progress version; there’s still more to be added (including the file path whitelist stuff)
  • Some classic utilities are even being reworked to make taming them easier – the “w” command, for example
  • The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
  • More discussion can be found on HN, as one might expect
  • If you’re a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release

Interview – Scott Courtney – vbsdcon@verisign.com / @verisign

vBSDCon 2015


News Roundup

OPNsense, beyond the fork

  • We first heard about OPNsense back in January, and they’ve since released nearly 40 versions, spanning over 5,000 commits
  • This is their first big status update, covering some of the things that’ve happened since the project was born
  • There’s been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more – the report touches on a little of everything

LibreSSL nukes SSLv3

  • With their latest release, LibreSSL began to turn off SSLv3 support, starting with the “openssl” command
  • At the time, SSLv3 wasn’t disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
  • They’ve now flipped the switch, and the process of complete removal has started
  • From the Undeadly summary, “This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!”
  • With this change and a few more to follow shortly, LibreSSL won’t actually support SSL anymore – time to rename it “LibreTLS”

FreeBSD MPTCP updated

  • For anyone unaware, Multipath TCP is “an ongoing effort of the Internet Engineering Task Force’s (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy.”
  • There’s been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
  • Included in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
  • Some big performance gains can be had with MPTCP, but only if both the client and server systems support it – getting it into the FreeBSD kernel would be a good start

UEFI and GPT in OpenBSD

  • There hasn’t been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
  • Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
  • This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
  • Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should “just work” with GPT (once everything’s in)
  • The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now anniversary shirts are no longer available, and should be shipping out very soon (if they haven’t already) – big thanks to everyone who bought one (183 sold!)
  • This week is the last episode written/organized by TJ

Venomous Floppy Legacy | TechSNAP 214 (Thu, 14 May 2015) https://original.jupiterbroadcasting.net/82132/venomous-floppy-legacy-techsnap-214/


We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.

Plus strategies to mitigate Cyber Intrusions, a truly genius spammer, great questions, a huge round up & more!


— Show Notes: —

VENOM: Virtualized Environment Neglected Operations Manipulation

  • A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host
  • “This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
  • This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code
  • Unaffected hypervisors include: VMware, Hyper-V, Bochs, and bhyve
  • The issue has been assigned the identifier CVE-2015-3456
  • “Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”
  • “It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”
  • “The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”
  • “The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”
  • “After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
  • After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”
  • CrowdStrike blog about the disclosure
  • “While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
  • “CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”
  • Xen Advisory
  • Amazon Statement
  • Digital Ocean statement
  • Red Hat Advisory
  • Working PoC exploit
  • This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011
  • Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
  • There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed

Strategies to Mitigate Targeted Cyber Intrusions – From the Australian Signals Directorate


Mumblehard — Muttering spam from your servers

  • “Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”
  • The malware consisted of Perl code packed into an ELF binary
  • During a 7-month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers
  • “The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”
  • “These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”
  • “Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
  • The malware was architected to poll a list of command and control servers and accept commands from any of them
  • The list included some legitimate sites, to throw researchers off
  • “A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”
  • At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server
  • The communications with the C&C servers were cleverly hidden in what looked like PHP session cookies and in fake browser User-Agent strings
  • One of the giveaways is the fact that the base browser User-Agent string is for Firefox 7.0.1 on Windows 7
  • Part of the version string would be replaced with the command ID, HTTP status, and number of bytes downloaded by the infected machine
  • “The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”
  • Eset research PDF

Feedback:


Round-Up:


The post Venomous Floppy Legacy | TechSNAP 214 first appeared on Jupiter Broadcasting.

Venomous Snakeoil | Tech Talk Today 170 https://original.jupiterbroadcasting.net/81982/venomous-snakeoil-tech-talk-today-170/ Wed, 13 May 2015 11:18:17 +0000 https://original.jupiterbroadcasting.net/?p=81982 Venom is claimed to be the new Heartbleed threatening datacenters around the world but is it legit? The new 4k Blu-Ray spec is revealed & the YotaPhone 2 with an E-ink display back is coming to a country near you! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]

The post Venomous Snakeoil | Tech Talk Today 170 first appeared on Jupiter Broadcasting.

Venom is claimed to be the new Heartbleed threatening datacenters around the world but is it legit?

The new 4k Blu-Ray spec is revealed & the YotaPhone 2 with an E-ink display back is coming to a country near you!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

‘Venom’ Security Vulnerability Threatens Most Datacenters

A new vulnerability has been found in the open source virtualization software QEMU, which runs on hardware in datacenters around the world (CVE-2015-3456). “The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies.” The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. “Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software.” The vulnerability has been dubbed “Venom,” for “Virtualized Environment Neglected Operations Manipulation.”

Ultra HD Blu-ray specification now complete, logo unveiled – CNET

The Blu-ray Disc Association (BDA) has announced the Ultra HD Blu-ray (4K) specification is now complete and has also revealed the next-gen format’s official logo.

The BDA says the format incorporates a 3,840×2,160-pixel resolution, expanded color range support, high dynamic range (HDR) and high frame rate content (read 60fps). As well as the promise of up-to-date video, UHD Blu-ray will also support “next-generation immersive, object-based sound formats.”

YotaPhone 2 adds white color option to AMOLED + E-ink display hardware, Lollipop update rolling out

YotaPhone 2 sports a completely functional 4.7-inch E-ink display with always-on capabilities on its back.


As for the planned North American debut of the unique YotaPhone 2, the company says its Indiegogo campaign to help bring it to the US will kick off on May 19th with early bird pricing for the first backers ahead of its summer release.

ASUS confirms next-gen Android Wear ZenWatch coming early Q3, improved 4-day battery life

ASUS reportedly confirmed that the device will feature improved battery life, up from 2 days on the first-gen ZenWatch to 4 days on the upcoming version. That still falls short of the company’s goal to offer 7-days battery life, according to the report.

The company added that it expects to sell less than a million units of its smartwatch this year.

Tendresse for Ten | BSD Now 21 https://original.jupiterbroadcasting.net/50277/tendresse-for-ten-bsd-now-21/ Thu, 23 Jan 2014 21:58:45 +0000 https://original.jupiterbroadcasting.net/?p=50277 We talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, how to do some bandwidth monitoring.

The post Tendresse for Ten | BSD Now 21 first appeared on Jupiter Broadcasting.

We’ve got some great news for OpenBSD, as well as the scoop on FreeBSD 10.0-RELEASE – yes it’s finally here! We’re gonna talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, we’ll be showing you how to do some bandwidth monitoring and network performance testing in a combo tutorial. We’ve got a round of your questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:

iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD 10.0-RELEASE is out

  • The long awaited, giant release of FreeBSD is now official and ready to be downloaded
  • One of the biggest releases in FreeBSD history, with tons of new updates
  • Some features include: LDNS/Unbound replacing BIND, Clang by default (no GCC anymore), native Raspberry Pi support and other ARM improvements, bhyve, Hyper-V support, AMD KMS, VirtIO, Xen PVHVM in GENERIC, lots of driver updates, ZFS on root in the installer, SMP patches to pf that drastically improve performance, Netmap support, pkgng by default, wireless stack improvements, a new iSCSI stack, FUSE in the base system… the list goes on and on
  • Start up your freebsd-update or do a source-based upgrade right now!

OpenSSH 6.5 CFT

  • Our buddy Damien Miller announced a Call For Testing for OpenSSH 6.5
  • Huge, huge release, focused on new features rather than bugfixes (but it includes those too)
  • New ciphers, new key formats, new config options, see the mailing list for all the details
  • Should be in OpenBSD 5.5 in May, look forward to it – but also help test on other platforms!
  • We’ll talk about it more when it’s released

DIY NAS story, FreeNAS 9.2.1-BETA

  • Another new blog post about FreeNAS!
  • “I did briefly consider suggesting nas4free for the EconoNAS blog, since it’s essentially a fork off the FreeNAS tree but may run better on slower hardware, but ultimately I couldn’t recommend anything other than FreeNAS”
  • Really long article with lots of nice details about his setup, why you might want a NAS, etc.
  • Speaking of FreeNAS, they released 9.2.1-BETA with lots of bugfixes

OpenBSD needed funding for electricity.. and they got it

  • Briefly mentioned at the end of last week’s show, but has blown up over the internet since
  • OpenBSD in the headlines of major tech news sites: slashdot, zdnet, the register, hacker news, reddit, twitter.. thousands of comments
  • They needed about $20,000 to cover electric costs for the server rack in Theo’s basement
  • Lots of positive reaction from the community helping out so far, and it appears they have reached their goal and got $100,000 in donations
  • From Bob Beck, “we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation”
  • This is a shining example of the BSD community coming together, and even the Linux people realizing how critical BSD is to the world at large

This episode was brought to you by

\"iXsystems


Interview – Colin Percival – cperciva@freebsd.org / @twitter

FreeBSD on Amazon EC2, backups with Tarsnap, 10.0-RELEASE, various topics


Tutorial

Bandwidth monitoring and testing


News Roundup

pfSense talk at Tokyo FreeBSD Benkyoukai

  • Isaac Levy will be presenting “pfSense Practical Experiences: from home routers, to High-Availability Datacenter Deployments”
  • He’s also going to be looking for help to translate the pfSense documentation into Japanese
  • The event is on February 17, 2014 if you’re in the Tokyo area

m0n0wall 1.8.1 released

  • For those who don’t know, m0n0wall is an older BSD-based firewall OS that’s mostly focused on embedded applications
  • pfSense was forked from it in 2004, and has a lot more active development now
  • They switched to FreeBSD 8.4 for this new version
  • Full list of updates in the changelog
  • This version requires at least 128MB RAM and a disk/CF size of 32MB or more, oh no!

Ansible and PF, plus NTP

  • Another blog post from our buddy Michael Lucas
  • There’ve been some NTP amplification attacks recently in the news
  • The post describes how he configured ntpd on a lot of servers without a lot of work
  • He leverages pf and ansible for the configuration
  • OpenNTPD is, not surprisingly, unaffected – use it

ruBSD videos online

  • Just a quick followup from a few weeks ago
  • Theo and Henning\’s talks from ruBSD are now available for download
  • There\’s also a nice interview with Theo

PCBSD weekly digest

  • 10.0-RC4 images are available
  • Wine PBI is now available for 10
  • 9.2 systems will now be able to upgrade to version 10 and keep their PBI library

Feedback/Questions

  • Sha’ul writes in: https://slexy.org/view/s2WQXwMASZ
  • Kjell-Aleksander writes in: https://slexy.org/view/s2H0FURAtZ
  • Mike writes in: https://slexy.org/view/s21eKKPgqh
  • Charlie writes in (and gets a reply): https://slexy.org/view/s21UMLnV0G
  • Kevin writes in: https://slexy.org/view/s2SuazcfoR

Contest

  • We’ll be giving away a handmade FreeBSD pillow – yes you heard right
  • All you need to do is write a tutorial for the show
  • Submit your BSD tutorial write-ups to feedback@bsdnow.tv
  • Check bsdnow.tv/contest for all the rules, details, instructions and a picture of the pillow.

  • All the tutorials are posted in their entirety at bsdnow.tv
  • The poudriere tutorial got a couple fixes and modernizations
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Stop commenting on the Jupiterbroadcasting pages and Youtube! We don’t read those!
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

Bhyve Mind | BSD Now 20 https://original.jupiterbroadcasting.net/49707/bhyve-mind-bsd-now-20/ Thu, 16 Jan 2014 22:46:02 +0000 https://original.jupiterbroadcasting.net/?p=49707 We're going to sit down for a chat with Neel Natu and Peter Grehan, the developers of bhyve. Not familiar with bhyve?

The post Bhyve Mind | BSD Now 20 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD automatic installation

  • A CFT (call for testing) was posted for OpenBSD’s new automatic installer process
  • Using this new system, you can spin up fully-configured OpenBSD installs very quickly
  • Allows you to PXE boot the system and load the answer file via HTTP by each machine’s MAC address, with fallback to a default config file
  • It will answer all the questions for you and can put files into place and start services
  • Great for large deployments, help test it and report your findings

FreeNAS install guide and blog posts

  • A multipart series on YouTube about installing FreeNAS
  • In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
  • In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
  • He pronounces gigabytes as jiggabytes and it’s hilarious
  • We’ve also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
  • As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world

FreeBSD 10.0-RC5 is out

  • Another, unexpected RC is out for 10.0
  • Includes an ABI change, you must recompile/reinstall all ports/packages if you are upgrading from a previous 10.0-RC
  • Minor fixes included, please help test and report any bugs
  • You can update via freebsd-update or from source
  • Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we’ll talk about
  • It’s been tagged -RELEASE in SVN already too!

OpenBSD 5.5-beta is out

  • Theo updated the branch status to 5.5-beta
  • A list of changes is available
  • Help test and report any bugs you find
  • Lots of rapid development with signify (which we mentioned last week), the beta includes some “test keys”
  • Does that mean it’ll be part of the final release? We’ll find out in May.. or when we interview Ted (soon)

This episode was brought to you by

iXsystems - Enterprise Servers and Storage For Open Source

iX doesn’t just make big servers for work, they also make little servers for home. The FreeNAS Mini is a compact little rig that will take up to 4 drives and makes a great home storage server.


Interview – Neel Natu & Peter Grehan – neel@freebsd.org & grehan@freebsd.org

BHyVe – the BSD hypervisor
+ Could you tell us a bit about yourselves and how you first got into BSD?
+ What are your current roles in the FreeBSD project, and how did you get there?
+ What exactly is bhyve and how did the project get started?
+ What is the current status of bhyve? What guest OSes are supported?
+ What bugs remain when running different guest OSes?
+ How is support for AMD hardware virtualization progressing?
+ Is there any work on supporting older hardware that does not have EPT?
+ What will it take to be able to boot FreeBSD root-on-zfs inside bhyve?
+ Any progress on a ‘vfs hack’ to mount/passthru a file system (zfs dataset?) from the host to the guest, a la Jails?
+ How is the performance? How does the network performance compare to alternatives? How much benchmarking has been done?
+ What features have been added recently? (nmdm etc)
+ When is VGA support planned?
+ When might we see Windows (server) as a guest? What else would be required to make that happen?
+ What features are you planning for the future? How far do you plan to take bhyve (snapshots, live migration etc)


Tutorial

Virtualization with bhyve


News Roundup

Hostname canonicalisation in OpenSSH

  • Blog post from our friend Damien Miller
  • This new feature allows clients to canonicalize unqualified domain names
  • With the new config options, SSH will know that if you typed “ssh bsdnow” you meant “ssh bsdnow.tv”
  • This will help clean up some ssh configs, especially if you have many hosts
  • Should make it into OpenSSH 6.5, which is “due really soon”

Dragonfly on a Chromebook

  • Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
  • These couple of posts detail some of the things he’s got working so far
  • Changes were needed to the boot process, trackpad and wifi drivers needed updating…
  • Also includes a guide written by Dillon on how to get yours working

Spider in a box

  • “Spiderinabox” is a new OpenBSD-based project
  • Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
  • Firefox runs encapsulated in OpenBSD and doesn’t have access to OS X in any way
  • The developer is looking for testers on other operating systems!

PCBSD weekly digest

  • PCBSD 10 has entered into the code freeze phase
  • They’re focusing on fixing bugs now, rather than adding new features
  • The update system got a lot of improvements
  • PBI load times reduced by up to 40%! what!!!

Feedback/Questions

  • Scott writes in: https://slexy.org/view/s25zbSPtcm
  • Chris writes in: https://slexy.org/view/s2EarxbZz1
  • SW writes in: https://slexy.org/view/s2MWKxtWxF
  • Ole writes in: https://slexy.org/view/s20kzex2qm
  • Gertjan writes in: https://slexy.org/view/s2858Ph4o0

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Reminder: OpenBSD still really needs funding for electricity – if you know a company that can help, please contact Theo or the foundation
  • Reminder: NYCBSDCon February 8th – The BSDs in Production
  • Reminder: Our tutorial contest is going until the end of this month, check bsdnow.tv/contest for info and rules, win a cool BSD pillow!
