Show Notes: linuxunplugged.com/439

The post Double Server Jeopardy | LINUX Unplugged 439 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/425

The post Sad Server Stories | LINUX Unplugged 425 first appeared on Jupiter Broadcasting.

Show Notes: selfhosted.show/54

The post Ultimate Off-Site Setup | Self-Hosted 54 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/383

The post Murder of a Distro | LINUX Unplugged 383 first appeared on Jupiter Broadcasting.

Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

• “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
• “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
• “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
• “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
• Norton Security, Norton 360, and other legacy Norton products (All Platforms)
• Symantec Endpoint Protection (All Versions, All Platforms)
• Symantec Email Security (All Platforms)
• Symantec Protection Engine (All Platforms)
• Symantec Protection for SharePoint Servers
• And so on.
• “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
• “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
• Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
• “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
• “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
• “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
• “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
• “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
• “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
• “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
• There is also a buffer overflow in the Power Point decomposer (used to check for macros etc)
• There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
• “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
• “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
• “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
• “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
• There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
• “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
• Additional Coverage: Fortune.com
• Additional Coverage: Ars Technica

Botnet made up to CCTV Cameras and DVRs conducts DDoS attacks

• As we reported in TechSNAP #259 a security research found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
• This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
• Original coverage from March
• Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
• Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
• A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
• One of the victims, a Jewelry store, moved their site behind a WAF (Web Application Firewall), to protect it from the attack
• Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
• Most botnets lose strength the longer the attack is sustained, because infected machines are shutdown, isolated, reported, or disconnected.
• The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

• For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
• “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
• This study provides a comparison between Flash and HTM5 based advertisements
• Flash ads tend to be smaller. HTML5 ads also on average 100kb larger, using more bandwidth, which on mobile can be a big deal
• Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
• HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue the number of aged devices dwindles
• Flash ads tend to provide better picture quality, due to sub-pixel support
• HTML5 provides better mobile support, where Flash on mobile is rare
• There is currently a larger community of Flash developers, but this is changing
• HTML5 is not controlled by a single entity like Adobe
• Flash provides better optimization
• HTML5 provides better usability and semantic support
• This study finds that killing off Adobe Flash will not solve the security problems, HTML5 has plenty of its own security issues
• “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
• “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
• A typical flash malvertising campaign, the ad calls the flash externalCall interface, and runs some malicious javascript, creating a popup, that if you user accepts, may infect their computer
• In an HTML5 based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking url. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
• “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
• “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
• “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
• “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
• Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
• In the end, maybe we need to stop allowing advertisements to have the ability to execute code
• Does anyone remember when advertisements were just animated .gif files?

Feedback:

• Jason

• Rob

• Ray –

• TheCloudisaLie

Round Up:

• Google’s giant new trans-Pacific internet cable goes online Thursday
• Vacationing Security Researcher finds skimmer in the wild
• Resold hard drives on eBay, Craigslist are often still ripe with leftover data
• Google CEO Sundar Pichais has Quota account hacked by “OurMine”
• FBI’s use of Tor exploit is like peering through “broken blinds”
• NASCAR team pays ransomware fee of $500 to recover 2 million dollar design files
• Chrome DRM bug makes it easy to download streaming video
• Java, PHP, NodeJS, and Ruby exposed to Swagger vulnerability
• Bits, Please!: QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
• Video: Lecture 13 – How to Build an Insecure System out of Perfectly Good Cryptography
• DoJ report: less than a quarter of one percent of wiretaps encounter any crypto
• Exfiltrate data from an air-gapped computer by modulating the fan speed — Fansmitter
• Microsoft to make saying no to Windows 10 update easier
• IRS kills off doomed PIN authentication method early. Authentication with your last years adjusted gross income to remain standard
• Javascript 7th edition released
• StartEncrypt had design, get a certificate for dropbox or github by faking API calls

The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.

Researches prove its possible to extract an RSA key from the noises your computer makes, the NSA foils the great BIOS plot, but we’re a little skeptical….

Then it’s a batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

RSA Key Extraction via Acoustic Cryptanalysis

• Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components.
• These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
• In the report they describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG\’s current implementation of RSA.
• The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
• Experimentally they demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters (13 feet) away.
• A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones.
• They have disclosed the attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resisting our current key-extraction attack, were released concurrently with the first public posting of these results
• PDF Report
• Adi Shamir – Wikipedia
• Inventor of SSSS (Shamir\’s secret-sharing scheme)
• CVE – CVE-2013-4576

NSA Says It Foiled the BIOS Plot

• Called a BIOS plot, the exploit would have ruined, or \”bricked,\” computers across the country, causing untold damage to the national and even global economy.
• Debora Plunkett, director of cyber defense for the The National Security Agency described for the first time a cataclysmic cyber threat the NSA claims to have stopped On Sunday\’s \”60 Minutes.\”
• CBS suggest China is to Blame, the NSA does not confirm or deny that in the interview.
• CBS reported the “virus” would be delivered via a software update to every computer’s BIOS.
• The NSA says it closed this vulnerability by working with computer manufacturers.
• No further technical, or general details provided.
• CBS Airs NSA Propaganda Informercial Masquerading As \’Hard Hitting\’ 60 Minutes Journalism By Reporter With Massive Conflict Of Interes
• In the end, this appears to be the NSA stealing the plot from our book recommendation a few weeks ago. Mark Russinovich’s Zero Day – which is very much the same plot (Copyright March 2011), except the attackers were wealthy backers of Al Qaeda instead of the Chinese
• In the sequel Trojan Horse , China uses APT techniques to compromise computers at the UN Office for Disarmament Affairs, and alter a report about Iran’s Nuclear Weapons Program to disrupt international attempts to prevent Iran from getting Nuclear Weapons. Look for this story on the news next year…

Krebs: The Case For a Global, Compulsory Bug Bounty

• Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products
• This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
• Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices.
• The director of research for Austin, Texas-based NSS Labs examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed.
• Even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies\’ annual revenue
• To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers.
• The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.
• The Case for a Compulsory Bug Bounty — Krebs on Security
• How many Zero-Days hit you today?

Feedback:

• How do you verify if a website is legitimate or not?
• Ghostery
• DNSSEC Validator

• Chrome Web Store – DNSSEC Validator

• IPMI

Round Up:

• Report: Bot traffic is up to 61.5% of all website traffic
• The inspiration behind many of todays tech symbols and icons
• Google Said to Mull Designing Server Chips in Threat to Intel
• Google blocks ability to search for credit cards (in hex), but snubs researcher who reported it
• DRM has always been a horrible idea
• NSA Spying costs Boeing $4.5 billion military contract in Brazil
• NSA has long had the ability to crack the encryption used by GSM phones, and the carriers have known about it
• Security Researcher Bruce Schneier leaves British Telecom
• The Year in Downtime: The Top 10 Outages of 2013

The post The Sound of Security | TechSNAP 142 first appeared on Jupiter Broadcasting.