Meet BOOTTRASH the Malware that executes before your OS does, the hard questions you need to ask when buying a security appliance, Project Zero finds flaws in Fireeye hardware.

Plus some great audience questions, a big round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

BOOTRASH malware executes before your OS does

• “Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.”
• The malware only works against MBR formatted disks, if it detects GPT it just exists
• It backs up the original VBR (Volume Boot Record, the boot code at the start of the partition, which is calls from the boot code installed in the MBR) to a different location on the disk
• It finds some free space between partitions or at the end of the disk, and uses that to create its own tiny virtual file system, to store the actual malware files
• Additional files and resources are encoded into a registry hive, so they do not leave any files on the regular file system. Only the invisible virtual file system (not listed in the partition table, hiding in unused space), and some random strings on encoded binary in the registry
• “As previously discussed, during a normal boot process the MBR loads the VBR, which loads the operating system code. However, during the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software.”
• “The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode. This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.”
• So it dynamically replaces bits of kernel code with its own code, making it a very hard to detect rootkit, since it is actually injected before the kernel is loaded (hence the name, bootkit)
• Researcher Blog

“A decisionmaker’s guide to buying security appliances and gateways”

• “With the prevalence of targeted “APT-style” attacks and the business risks of data breaches reaching the board level, the market for “security appliances” is as hot as it has ever been. Many organisations feel the need to beef up their security – and vendors of security appliances offer a plethora of content-inspection / email-security / anti-APT appliances, along with glossy marketing brochures full of impressive-sounding claims.”
• This article provides a bit of a guide to help you shop for an appliance that might actually be worth the number of zeros on the price tag
• “Most security appliances are Linux-based, and use a rather large number of open-source libraries to parse the untrusted data stream which they are inspecting. These libraries, along with the proprietary code by the vendor, form the “attack surface” of the appliance, e.g. the code that is exposed to an outside attacker looking to attack the appliance. All security appliances require a privileged position on the network – a position where all or most incoming and outgoing traffic can be seen. This means that vulnerabilities within security appliances give an attacker a particularly privileged position – and implies that the security of the appliance itself is rather important.”
• Five questions to ask the vendor of a security appliance
  • What third-party libraries interact directly with the incoming data, and what are the processes to react to security issues published in these libraries?
  • Are all these third-party libraries sandboxed in a sandbox that is recognized as industry-standard? The sandbox Google uses in Chrome and Adobe uses in Acrobat Reader is open-source and has undergone a lot of scrutiny, so have the isolation features of KVM and qemu. Are any third-party libraries running outside of a sandbox or an internal virtualization environment? If so, why, and what is the timeline to address this?
  • How much of the proprietary code which directly interacts with the incoming data runs outside of a sandbox? To what extent has this code been security-reviewed?
  • Is the vendor willing to provide a hard disk image for a basic assessment by a third-party security consultancy? Misconfigured permissions that allow privilege escalation happen all-too often, so basic permissions lockdown should have happened on the appliance.
  • In the case of a breach in your company, what is the process through which your forensics team can acquire memory images and hard disk images from the appliance?
• Not to mention, in the case of a breach at the vendor, what information could the attacker get about your appliance, your network, or your security? How are the trusted keys protected on the vendor’s network?
  • Bonus Question: Does the vendor publish hashes of the packages they install on the appliance so in case of a forensic investigation it is easy to verify that the attacker has not replaced some?
• “A vendor that takes their product quality (and hence your data security) seriously will be able to answer these questions, and will be able to confidently state that all third-party parsers and a large fraction of their proprietary code runs sandboxed or virtualized, and that the configuration of the machine has been reasonably locked down – and will be willing to provide evidence for this (for example a disk image or virtual appliance along with permission to inspect).”
• All of these are very good questions, and I happen to know one vendor who answered these questions in their recent BSDNow interview.

Project Zero finds flaws in FireEye security appliance

• “FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks”
• The device is connected to a SPAN, MONITOR, or MIRROR port. A feature of high end switches that allows all traffic from a port or set of ports to be copied to another port
• “The FireEye device then watches all network traffic passively, monitoring common protocols like HTTP, FTP, SMTP, etc, for any transferred files. If a file transfer is detected (for example, an email attachment or a HTTP download) the FireEye extracts the file and scans it for malware.”
• If the device detects malware, it alerts the security team
• The device can also be configured in a IPS (Intrusion Prevention System) mode, where it would block such traffic
• “For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough”
• If you compromise one of these devices, you are basically sitting on a wiretap of the entire network. These devices are sometimes even installed behind devices that decrypt encrypted traffic, giving you even more access
• “A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.”
• “FireEye have issued a patch for this vulnerability, and customers who have not updated should do so immediately to protect their infrastructure.” Devices with security content release 427.334 and higher have this issue resolved
• Q. How long did FireEye take to resolve this issue after it was reported?
• A. FireEye responded very quickly, pushed out temporary mitigations to customers within hours of our report and resolved the issue completely within 2 days.
  • Q. Have FireEye supported your security research?
• A. Yes, FireEye have been very cooperative. They worked with us closely, provided test equipment, support, and have responded very quickly to any issues we reported.
• “Project Zero have been evaluating a FireEye NX 7500 appliance, and created a lab to generate sample traffic. The test environment consisted of a workstation with four network interfaces. Two interfaces were connected to a hub, which were used for simulating network traffic. The FireEye passive monitoring interface (called pether3) was connected to a third port on the hub (acting like a mirror port) so that it could observe traffic being exchanged between the two interfaces on the test machine. This simulates an intranet user receiving email or downloading files from the internet.”
• “The main analyses performed by the FireEye appliance are monitoring for known malicious traffic (blacklisted netblocks, malware domains, snort rules, etc), static analysis of transferred files (antivirus, yara rules, and analysis scripts), and finally tracing the execution of transferred files in instrumented virtual machines. Once an execution trace has been generated, pattern matching against known-bad behaviour is performed.”
• “The MIP (Malware Input Processor) subsystem is responsible for the static analysis of files, invoking helper programs and plugins to decode various file types. For example, the swf helper invokes flasm to disassemble flash files, the dmg helper invokes p7zip to extract the contents of Mac OS Disk Images and the png helper invokes pngcheck to check for malformed images. The jar helper is used to analyze captured Java Archives, which checks for signatures using jarsigner, then attempts to decompile the contents using an open source Java decompiler called JODE.”
• The problem is that the JODE decompiler, actually executes small bits of the java code, to try to deobfuscate it
• “With some trial and error, we were eventually able to construct a class that JODE would execute, and used it to invoke java.lang.Runtime.getRuntime().exec(), which allows us to execute arbitrary shell commands. This worked during our testing, and we were able to execute commands just by transferring JAR files across the passive monitoring interfaces.”
• So, just by emailing someone behind this device a .jar file, it would end up getting executed on the security device, running arbitrary shell commands
• “As FireEye is shipped with ncat installed by default, creating a connect-back shell is as simple as specifying the command we want and the address of our control server.”
• “We now have code execution as user mip, the Malware Input Processor. The mip user is already quite privileged, capable of accessing sensitive network data. However, , there is a very simple privilege escalation to root”
• “FireEye have requested additional time to prepare a fix for the privilege escalation component of this attack”
• “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
• “If you would like to read more from our series on attacks against security products, we have also published research into ESET, Kaspersky, Sophos, Avast and more, with further research scheduled for release soon.”

Feedback:

• RAID Repair Gone Wrong

• adblocking with pfsense – how?

• Pfblocker – PFSenseDocs
  • Pfsense Blocking ads with squid or lusca

• How feasible would it be to set up passwordless systems?

• Greetings from Ecuador!

Round Up:

• Further investigation shows Satoshi PGP keys may have been backdated
• More bitcoin followup from Wired
• Google will actively distrust Symantec’s “Class 3 Public Primary CA”. The root CA, issued in 1996, is being retired because it uses SHA-1, which no longer meets the requirements of the CA/Browser forum. Symantec will continue to use the root CA for “other things”, so Google is actively distrusting it, to prevent it being used.
• MacKeeper database exposed. Not hacked, just totally open to the entire Internet. Passwords hashed with plain md5, no salt.
• Shodan search shows over 650 terabytes of data exposed via completely unsecured MongoDB instances
• Cyber Crime 3.0: Stealing whole houses
• Why Governments lie about encryption backdoors
• 21-year old man arrested in the UK in connection with VTech hack
• Bypass authentication in Grub2, by pressing backspace 28 times
• (0Day) Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability. After the researchers worked with Microsoft since September, Microsoft closes the issue as “won’t fix”
  
• OPSEC of Honeypots, if your honeypot is obvious, it doesn’t do much good
• Joomla exploit via user-agent string, injecting code allows full remote command execution
• SMTP Injection via recipient email addresses
• Steam introduces a Trade Escrow system to stop scamming and hijacked accounts. Trend jackers jump on this and trick users into installing malware
• How not to do two factor authentication

The post Insecurity Appliance | TechSNAP 245 first appeared on Jupiter Broadcasting.

Qubes OS, you could call it Linux for the truly paranoid. This system offers a unique isolated approach to keep you and your data safe, we dive in to show you how this system works!

Plus: The big Red Hat news, Docker goes 1.0, a Linux port done right…

And so much more!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Qubes OS:

Brought to you by: System76

• Qubes Release 1 was released in September 2012. Qubes Release 2 is almost complete, with rc1 having been released in April 201

• On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution.

Built on top of Xen:

Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

• Qubes implements a Security by Isolation approach.

• Qubes utilizes virtualization technology in order to isolate various programs from each other and even to sandbox many system-level components, such as networking and storage subsystems, so that the compromise of any of these programs or components does not affect the integrity of the rest of the system.

• Qubes lets the user define many security domains, which are implemented as lightweight Virtual Machines (VMs), or “AppVMs.”

For example, the user can have “personal,” “work,” “shopping,” “bank,” and “random” AppVMs and can use the applications within those VMs just as if they were executing on the local machine. At the same time, however, these applications are well isolated from each other.

• Qubes also supports secure copy-and-paste and file sharing between the AppVMs, of course.

Key Architectural features¶

• The network mechanism is the most exposed to security attacks. This is why it is isolated in a separate, unprivileged virtual machine, called the Network Domain.

• Disk space is saved thanks to the fact that various virtual machines (VM) share the same root file system in a read-only mode.

• Separate disk storage is only used for userʼs directory and per-VM settings. This allows to centralize software installation and updates. Of course, some software can be installed only on a specific VM.

• Some documents or application can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.

• Based on a secure bare-metal hypervisor (Xen)
• USB stacks and drivers sand-boxed in an unprivileged VM (currently experimental feature)
• No networking code in the privileged domain (dom0)
• All user applications run in “AppVMs,” lightweight VMs based on Linux
• Centralized updates of all AppVMs based on the same template
• Qubes GUI virtualization presents applications as if they were running locally
• Qubes GUI provides isolation between apps sharing the same desktop
• Secure system boot based (optional)

Not just for Linux, Qubes can run Windows app seamless too:

• WindowsAppVms – Qubes

— Picks —

Runs Linux

Mini-drones jump, flip, fly, climb, and and run Linux

Desktop App Pick

SnapRAID

SnapRAID is an application able to make a partial backup of your disk array. If some of the disks of your array fail, even if they are completely broken, you will be able to recover their content. It’s only a partial backup, because it doesn’t allow to recover from a failure of the whole array, but only if the number of failed disks are under a predefined limit.

Weekly Spotlight

magpie —

Basically, magpie is just a web tool for managing text files in a git repo. In it, you can create notebooks (which are just folders); create, edit, and delete notes (which are just files). That’s pretty much it. However, when you make any of these changes, they are automatically committed to git.

Thanks to haliphax for submitting this link

— NEWS —

A big step forward in business Linux: Red Hat Enterprise Linux 7 arrives

As for the features, RHEL 7 boasts many stability and performance upgrades. Red Hat claims that, depending upon the load, RHEL 7 is 11 to 25 percent faster than the previous iteration of the software, RHEL 6.

• Red Hat Unveils Red Hat Enterprise Linux 7

• You know you’re a nerd when the most interesting news of the week is about a filesystem…

It’s Here: Docker 1.0

On March 20, 2013, we released the first version of Docker. After 15 months, 8,741 commits from more than 460 contributors, 2.75 million downloads, over 14,000 “Dockerized” apps, and feedback from 10s of 1000s of users about their experience with Docker, from a single container on a laptop to 1000s in production in the cloud … we’re excited to announce that it’s here: Docker 1.0.

HP bets it all on The Machine, a new computer architecture based on memristors and silicon photonics

In the words of HP Labs, The Machine will be a complete replacement for current computer system architectures. There will be a new operating system, a new type of memory (memristors), and super-fast buses/peripheral interconnects (photonics). Speaking to Bloomberg, HP says it will commercialize The Machine within a few years, “or fall on its face trying.”

• Day 2 Keynote – HP Discover Las Vegas 2014 – tStarts at 15:50

Some of our favorite bullshit headlines:

• HP Stabs Microsoft in the Back: Dumps Windows, Prepares Linux-Based Operating System – Softpedia News for Mobile

• HP’s The Machine kicks Microsoft to the curb in favor of Linux – TechRepublic

• HP Announces Plans To Destroy Windows – Business Insider

On top of that, HP is working on a brand new operating system for The Machine based on Linux. And another one based on Android, Fink continued:

“We are, as part of The Machine, announcing our intent to build a new operating system all open source from the ground up, optimized for non-volatile memory systems.

…

We also have a team that’s starting from a Linux environment and stripping out all the bits we don’t need. So that way you maintain … compatibility for apps.

What if we build a version of Android? … We have a team that’s doing that, too.”

Aspyr Media Comments On Linux, More AAA Games In Future

Aspyr Media have quite clearly proven themselves at porting to Linux with a port that works this well, but the bigger news is that they may have more to come.

— Chris’ Stash —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged
• 14 Apps To Boost Ubuntu
• Fez – Part 3 | Geek And The Gamer

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post Qubes OS: Security By Isolation | LAS 317 first appeared on Jupiter Broadcasting.

This time on the show we\’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer\’s keynote (he\’s on next week\’s episode)
• Mariusz Zaborski and Pawel Jakub Dawidek,
  Capsicum and Casper (relevant to today\’s interview)
• Luigi Rizzo,
  In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL – The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD\’s Ext2 Implementation
  
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There\’s also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that\’s a recurring trend)

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems – this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you\’re watching!

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren\’t familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question \”my server already works, why bother switching?\”
• \”Stackoverflow’s answers assume I have apt-get installed\” ← lol
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: \”I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before\”

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD\’s newest developers
• Back in 2010, he started sending in patched for OpenBSD\’s \”mg\” editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial \”portable\” versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It\’s a free PDF, go grab it

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation\’s recent activities, his own work in the project, some stories about the hardware in Theo\’s basement and a lot more
• The interview itself isn\’t about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions

• We got a number of replies about last week\’s VPN question, so thanks to everyone who sent in an email about it – the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We\’re looking for new tutorial ideas, so if there\’s something specific you\’d like to learn about, let us know
• FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We\’ll let you know how it goes in a future episode.
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.