openSSL – Jupiter Broadcasting

This second release candidate of GhostBSD 18.10 is the second official release of GhostBSD with TrueOS under the hood. The official desktop of GhostBSD is MATE. However, in the future, there might be an XFCE community release, but for now, there is no community release yet.

What has changed since RC1
Removed drm-stable-kmod and we will let users installed the propper drm-*-kmod
Douglas Joachin added libva-intel-driver libva-vdpau-driver to supports accelerated some video driver for Intel
Issues that got fixed
Bug #70 Cannot run Octopi, missing libgksu error.
Bug #71 LibreOffice doesn’t start because of missing libcurl.so.4
Bug #72 libarchive is a missing dependency

Again thanks to iXsystems, TrueOS, Joe Maloney, Kris Moore, Ken Moore, Martin Wilke, Neville Goddard, Vester “Vic” Thacker, Douglas Joachim, Alex Lyakhov, Yetkin Degirmenci and many more who helped to make the transition from FreeBSD to TrueOS smoother.

Updating from RC1 to RC2:
sudo pkg update -f
sudo pkg install -f libarchive curl libgksu
sudo pkg upgrade
Where to download:
All images checksum, hybrid ISO(DVD, USB) and torrent are available here: https://www.ghostbsd.org/download
[ScreenShots]
https://www.ghostbsd.org/sites/default/files/Screenshot_at_2018-10-20_13-22-41.png
https://www.ghostbsd.org/sites/default/files/Screenshot_at_2018-10-20_13-27-26.png

###OpenSSH 7.9 has been released and it has support for OpenSSL 1.1

Changes since OpenSSH 7.8
=========================

This is primarily a bugfix release.

New Features
------------
 * ssh(1), sshd(8): allow most port numbers to be specified using
   service names from getservbyname(3) (typically /etc/services).
 * ssh(1): allow the IdentityAgent configuration directive to accept
   environment variable names. This supports the use of multiple
   agent sockets without needing to use fixed paths.
 * sshd(8): support signalling sessions via the SSH protocol.
   A limited subset of signals is supported and only for login or
   command sessions (i.e. not subsystems) that were not subject to
   a forced command via authorized_keys or sshd_config. bz#1424
 * ssh(1): support "ssh -Q sig" to list supported signature options.
   Also "ssh -Q help" to show the full set of supported queries.
 * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
   client and server configs to allow control over which signature
   formats are allowed for CAs to sign certificates. For example,
   this allows banning CAs that sign certificates using the RSA-SHA1
   signature algorithm.
 * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
   revoke keys specified by SHA256 hash.
 * ssh-keygen(1): allow creation of key revocation lists directly
   from base64-encoded SHA256 fingerprints. This supports revoking
   keys using only the information contained in sshd(8)
   authentication log messages.

Bugfixes
--------

 * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
   attempting to load PEM private keys while using an incorrect
   passphrase. bz#2901
 * sshd(8): when a channel closed message is received from a client,
   close the stderr file descriptor at the same time stdout is
   closed. This avoids stuck processes if they were waiting for
   stderr to close and were insensitive to stdin/out closing. bz#2863
 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
   forwarding timeout and support X11 forwarding indefinitely.
   Previously the behaviour of ForwardX11Timeout=0 was undefined.
 * sshd(8): when compiled with GSSAPI support, cache supported method
   OIDs regardless of whether GSSAPI authentication is enabled in the
   main section of sshd_config. This avoids sandbox violations if
   GSSAPI authentication was later enabled in a Match block. bz#2107
 * sshd(8): do not fail closed when configured with a text key
   revocation list that contains a too-short key. bz#2897
 * ssh(1): treat connections with ProxyJump specified the same as
   ones with a ProxyCommand set with regards to hostname
   canonicalisation (i.e. don't try to canonicalise the hostname
   unless CanonicalizeHostname is set to 'always'). bz#2896
 * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
   key authentication using certificates hosted in a ssh-agent(1)
   or against sshd(8) from OpenSSH <7.8.

Portability
-----------

 * All: support building against the openssl-1.1 API (releases 1.1.0g
   and later). The openssl-1.0 API will remain supported at least
   until OpenSSL terminates security patch support for that API version.
 * sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
   apparently required by some glibc/OpenSSL combinations.
 * sshd(8): handle getgrouplist(3) returning more than
   _SC_NGROUPS_MAX groups. Some platforms consider this limit more
   as a guideline.

##News Roundup

###MeetBSD 2018: The Ultimate Hallway Track

Founded in Poland in 2007 and first hosted in California in 2008, MeetBSD combines formal talks with UnConference activities to provide a level of interactivity not found at any other BSD conference. The character of each MeetBSD is determined largely by its venue, ranging from Hacker Dojo in 2010 to Intel’s Santa Clara headquarters this year. The Intel SC12 building provided a beautiful auditorium and sponsors’ room, plus a cafeteria for the Friday night social event and the Saturday night FreeBSD 25th Anniversary Celebration. The formal nature of the auditorium motivated the formation of MeetBSD’s first independent Program Committee and public Call for Participation. Together these resulted in a backbone of talks presented by speakers from the USA, Canada, and Poland, combined with UnConference activities tailored to the space.

MeetBSD Day 0

Day Zero of MeetBSD was a FreeBSD Developer/Vendor Summit hosted in the same auditorium where the talks would take place. Like the conference itself, this event featured a mix of scheduled talks and interactive sessions. The scheduled talks were LWPMFS: LightWeight Persistent Memory Filesystem by Ravi Pokala, Evaluating GIT for FreeBSD by Ed Maste, and NUMA by Mark Johnston. Ed’s overview of the advantages and disadvantages of using Git for FreeBSD development was of the most interest to users and developers, and the discussion continued into the following two days.

MeetBSD Day 1

The first official day of MeetBSD 2018 was kicked off with introductions led by emcee JT Pennington and a keynote, “Using TrueOS to boot-strap your FreeBSD-based project” by Kris Moore. Kris described a new JSON-based release infrastructure that he has exercised with FreeBSD, TrueOS, and FreeNAS. Kris’ talk was followed by “Intel & FreeBSD: Better Together” by Ben Widawsky, the FreeBSD program lead at Intel, who gave an overview of Intel’s past and current efforts supporting FreeBSD. Next came lunch, followed by Kamil Rytarowski’s “Bug detecting software in the NetBSD userland: MKSANITIZER”. This was followed by 5-Minute Lightning Talks, Andrew Fengler’s “FreeBSD: What to (Not) Monitor”, and an OpenZFS Panel Discussion featuring OpenZFS experts Michael W. Lucas, Allan Jude, Alexander Motin, Pawel Dawidek, and Dan Langille. Day one concluded with a social event at the Intel cafeteria where the discussions continued into the night.

MeetBSD Day 2

Day Two of MeetBSD 2018 kicked off with a keynote by Michael W. Lucas entitled “Why BSD?”, where Michael detailed what makes the BSD community different and why it attracts us all. This was followed by Dr. Kirk McKusick’s “The Early Days of BSD” talk, which was followed by “DTrace/dwatch in Production” by Devin Teske. After lunch, we enjoyed “A Curmudgeon’s Language Selection Criteria: Why I Don’t Write Everything in Go, Rust, Elixir, etc” by G. Clifford Williams and, “Best practices of sandboxing applications with Capsicum” by Mariusz Zaborski. I then hosted a Virtualization Panel Discussion that featured eight developers from FreeBSD, OpenBSD, and NetBSD. We then split up for Breakout Sessions and the one on Bloomberg’s controversial article on backdoored Supermicro systems was fascinating given the experts present, all of whom were skeptical of the feasibility of the attack. The day wrapped up with a final talk, “Tales of a Daemontown Performance Peddler: Why ‘it depends’ and what you can do about it” by Nick Principe, followed by the FreeBSD 25th Anniversary Celebration.

Putting the “meet” in MeetBSD

I confess the other organizers and I were nervous about how well one large auditorium would suit a BSD event but the flexible personal space it gave everyone allowed for countless meetings and heated hacking that often brought about immediate results. I watched people take ideas through several iterations with the help and input of obvious and unexpected experts, all of whom were within reach. Not having to pick up and leave for a talk in another room organically resulted in essentially a series of mini hackathons that none of us anticipated but were delighted to witness, taking the “hallway track” to a whole new level. The mix of formal and UnConference activities at MeetBSD is certain to evolve. Thank you to everyone who participated with questions, Lightning Talks, and Panel participation. A huge thanks to our sponsors, including Intel for both hosting and sponsoring MeetBSD California 2018, Western Digital, Supermicro, Verisign, Jupiter Broadcasting, the FreeBSD Foundation, Bank of America Merrill Lynch, the NetBSD Foundation, and the team at iXsystems.

See you at MeetBSD 2020!

###Setup DragonflyBSD with a desktop on real hardware ThinkPad T410
+Video Demo

Linux has become too mainstream and standard BSD is a common thing now? How about DragonflyBSD which was created as a fork of FreeBSD 4.8 in conflict over system internals. This tutorial will show how to install it and set up a user-oriented desktop. It should work with DragonflyBSD, FreeBSD and probably all BSDs.
Some background: BSD was is ultimately derived from UNIX back in the days. It is not Linux even though it is similar in many ways because Linux was designed to follow UNIX principles. Seeing is believing, so check out the video of the install!
I did try two BSD distros before called GhostBSD and TrueOS and you can check out my short reviews. DragonflyBSD comes like FreeBSD bare bones and requires some work to get a desktop running.

Download image file and burn to USB drive or DVD
First installation
Setting up the system and installing a desktop
Inside the desktop
Install some more programs
How to enable sound?
Let’s play some free games
Setup WiFi
Power mode settings
More to do?

You can check out this blog post if you want a much more detailed tutorial. If you don’t mind standard BSD, get the GhostBSD distro instead which comes with a ready-made desktop xcfe or mate and many functional presets.

A small summary of what we got on the upside:
- Free and open source operating system with a long history
- Drivers worked fine including Ethernet, WiFi, video 2D & 3D, audio, etc
- Hammer2 advanced file system
- You are very unique if you use this OS fork
Some downsides:
Less driver and direct app support than Linux
Installer and desktop have some traps and quirks and require work

###Porting Keybase to NetBSD

Keybase significantly simplifies the whole keypair/PGP thing and makes what is usually a confusing, difficult experience actually rather pleasant. At its heart is an open-source command line utility that does all of the heavy cryptographic lifting. But it’s also hooked up to the network of all other Keybase users, so you don’t have to work very hard to maintain big keychains. Pretty cool!
So, this evening, I tried to get it to all work on NetBSD.
The Keybase client code base is, in my opinion, not very well architected… there exist many different Keybase clients (command line apps, desktop apps, mobile apps) and for some reason the code for all of them are seemingly in this single repository, without even using Git submodules. Not sure what that’s about.
Anyway, “go build”-ing the command line program (it’s written in Go) failed immediately because there’s some platform-specific code that just does not seem to recognize that NetBSD exists (but they do for FreeBSD and OpenBSD). Looks like the Keybase developers maintain a Golang wrapper around struct proc, which of course is different from OS to OS. So I literally just copypasted the OpenBSD wrapper, renamed it to “NetBSD”, and the build basically succeeded from there! This is of course super janky and untrustworthy, but it seems to Mostly Just Work…
I forked the GitHub repo, you can see the diff on top of keybase 2.7.3 here: bccaaf3096a
Eventually I ended up with a ~/go/bin/keybase which launches just fine. Meaning, I can main() okay. But the moment you try to do anything interesting, it looks super scary:

charlotte@sakuracity:~/go/bin ./keybase login
▶ WARNING Running in devel mode
▶ INFO Forking background server with pid=12932
▶ ERROR unexpected error in Login: API network error: doRetry failed,
attempts: 1, timeout 5s, last err: Get
https://localhost:3000/_/api/1.0/merkle/path.json?last=3784314&load_deleted=1&load_reset_chain=1&poll=10&sig_hints_low=3&uid=38ae1dfa49cd6831ea2fdade5c5d0519:
dial tcp [::1]:3000: connect: connection refused

There’s a few things about this error message that stuck out to me:

Forking a background server? What?
It’s trying to connect to localhost? That must be the server that doesn’t work …

Unfortunately, this nonfunctional “background server” sticks around even when a command as simple as ‘login’ command just failed:

charlotte@sakuracity:~/go/bin ps 12932
  PID TTY STAT    TIME COMMAND
  12932 ?   Ssl  0:00.21 ./keybase --debug --log-file
  /home/charlotte/.cache/keybase.devel/keybase.service.log service --chdir
  /home/charlotte/.config/keybase.devel --auto-forked

I’m not exactly sure what the intended purpose of the “background server” even is, but fortunately we can kill it and even tell the keybase command to not even spawn one:

charlotte@sakuracity:~/go/bin ./keybase help advanced | grep -- --standalone
   --standalone                         Use the client without any daemon support.

And then we can fix wanting to connect to localhost by specifying an expected Keybase API server – how about the one hosted at https://keybase.io?

charlotte@sakuracity:~/go/bin ./keybase help advanced | grep -- --server
   --server, -s                         Specify server API.

Basically, what I’m trying to say is that if you specify both of these options, the keybase command does what I expect on NetBSD:

charlotte@sakuracity:~/go/bin ./keybase --standalone -s https://keybase.io login
▶ WARNING Running in devel mode
Please enter the Keybase passphrase for dressupgeekout (6+ characters): 

charlotte@sakuracity:~/go/bin ./keybase --standalone -s https://keybase.io id dressupgeekout
▶ WARNING Running in devel mode
▶ INFO Identifying dressupgeekout
✔ public key fingerprint: 7873 DA50 A786 9A3F 1662 3A17 20BD 8739 E82C 7F2F
✔ "dressupgeekout" on github:
https://gist.github.com/0471c7918d254425835bf5e1b4bcda00 [cached 2018-10-11
20:55:21 PDT]
✔ "dressupgeekout" on reddit:
          My Keybase proof [reddit:dressupgeekout = keybase:dressupgeekout] (D4emf2X3JH5vi4R-FvelGoUUkPGg4oQCk5XvYpZy0F8) from      KeybaseProofs    
    
[cached 2018-10-11 20:55:21 PDT]

###Initial implementation of draft-ietf-6man-ipv6only-flag

This change defines the RA "6" (IPv6-Only) flag which routers
may advertise, kernel logic to check if all routers on a link
have the flag set and accordingly update a per-interface flag.

If all routers agree that it is an IPv6-only link, ether_output_frame(),
based on the interface flag, will filter out all ETHERTYPE_IP/ARP
frames, drop them, and return EAFNOSUPPORT to upper layers.

The change also updates ndp to show the "6" flag, ifconfig to
display the IPV6_ONLY nd6 flag if set, and rtadvd to allow
announcing the flag.

Further changes to tcpdump (contrib code) are availble and will
be upstreamed.

Tested the code (slightly earlier version) with 2 FreeBSD
IPv6 routers, a FreeBSD laptop on ethernet as well as wifi,
and with Win10 and OSX clients (which did not fall over with
the "6" flag set but not understood).

We may also want to (a) implement and RX filter, and (b) over
time enahnce user space to, say, stop dhclient from running
when the interface flag is set.  Also we might want to start
IPv6 before IPv4 in the future.

All the code is hidden under the EXPERIMENTAL option and not
compiled by default as the draft is a work-in-progress and
we cannot rely on the fact that IANA will assign the bits
as requested by the draft and hence they may change.

Dear 6man, you have running code.

Discussed with: Bob Hinden, Brian E Carpenter

##Beastie Bits

##Feedback/Questions

Greg – Interview suggestion for the show
Nelson – Ghostscript vulnerabilities
Allison – Ports and GCC

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Ghostly Releases | BSD Now 270 first appeared on Jupiter Broadcasting.

Trials of TLS | TechSNAP 350

chris — Fri, 29 Dec 2017 10:35:32 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Why TLS 1.3 isn’t in browsers yet

It has been over a year since Cloudflare’s TLS 1.3 launch and still, none of the major browsers have enabled TLS 1.3 by default.

Leaky S3 Buckets

Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS

“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said, adding: “It should be noted that newer logs and PII [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”

Data on 123 million US households exposed – Naked Security

For a researcher at UpGuard, on 6 October the answer turned out to be an intriguing 36GB database file sitting in plain view_on an Amazon Simple Storage Service (S3) bucket uploaded by analytics company Alteryx._

Massive US military social media spying archive left wide open in AWS S3 buckets • The Register

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages — all scraped from around the world by the US military to identify and profile persons of interest.

Netflix/security_monkey: Security Monkey

Introduction to SMB for Network Security

Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message Block (SMB). Its enormous size, sparse documentation, and wide variety of uses can make it one of the most intimidating protocols for junior analysts to learn. But SMB is vitally important: lateral movement in Windows Active Directory environments can be the difference between a minor and a catastrophic breach, and almost all publicly available techniques for this movement involve SMB in some way. While there are numerous guides to certain aspects of SMB available, I found a dearth of material that was accessible, thorough, and targeted towards network analysis. The goal of this guide is to explain this confusing protocol in a way that helps new analysts immediately start threat hunting with it in their networks, ignoring the irrelevant minutiae that seem to form the core of most SMB primers and focusing instead on the kinds of threats an analyst is most likely to see.

StorageCrypter Ransomware: Security Threat or Clickbait?

The StorageCrypter Ransomware appears to be targeting NAS systems around the world but the facts surrounding it have been somewhat confusing.

Feedback

Repairing a 1960s mainframe: Fixing the IBM 1401’s core memory and power supply

The IBM 1401 was a popular business computer of the early 1960s. It had 4000 characters of internal core memory with additional 12000 characters in an external expansion box. 2 Core memory was a popular form of storage in this era as it was relatively fast and inexpensive. Each bit is stored in a tiny magnetized ferrite ring called a core. (If you’ve ever heard of a “core dump”, this is what the term originally referred to.) The photo below is a magnified view of the cores, along with the red wires used to select, read and write the cores.4 The cores are wired in an X-Y grid; to access a particular address, one of the X lines is pulsed and one of the Y lines is pulsed, selecting the core where they intersect.

The post Trials of TLS | TechSNAP 350 first appeared on Jupiter Broadcasting.

Cyber Liability | TechSNAP 314

chris — Wed, 12 Apr 2017 02:09:54 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Researchers demonstrate how PINs and other info can be gathered through phone movement

Team was able to crack four digit-PINs with 70 percent accuracy on the first try, with 100 percent accuracy by try number five
A site accessed with malicious code can open the device to such sensor-based monitoring working in the background when browser tabs are left open.
The team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use
Dan suggests: Simple way around this: randomize the display of numbers on the keypad. I think this should be standard for all PIN entry. I recall seeing this somewhere, years ago, but I don’t recall where. I’ve always wondered why I’ve never seen it again. If the numbers have a narrow field of vision, nobody can watch over your shoulder.
A better article on the issue
The PDF of the study
From the PDF: . In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by “suspending the availability of this [motion and orientation] data when the web view is hidden”x

Computer security is broken from top to bottom

Robert Watson spoke at the very first BSDCan
There are three main fundamental causes of insecurity: technology complexity, culture, an the economic incentives of the computer business.

Deep Dive starts with Dan’s first blog post about PostgreSQL

PostgreSQL
PostgreSQL < 9.6 has DATADIR is the same for all versions
PostgreSQL 9.6+ on FreeBSD, each major version has it’s own DATADIR
Installing in a FreeBSD jail means you can easily upgrading another jail, then start using it

Feedback

10 messages this past week. Requests for deep dives on PostgreSQL, DNS, ZFS, Jails.
The guy who asked us about that free DNS service, wrote in to say he has no connection with them.
Building pfsense box
Suggestion for a Simple Inventory & Change Management Software
Raidz-1 with hotspare vs raidz-2

Round Up:

The post Cyber Liability | TechSNAP 314 first appeared on Jupiter Broadcasting.

Unix Security Trifecta | TechSNAP 292

chris — Thu, 10 Nov 2016 08:48:15 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Unix Trifecta — Patch Your Shit

This week saw the trifecta, critical vulnerabilities in 3 of the most important and widely used server applications
CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within a SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
- CVE-2016-8864 – Bind: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition to its clients.
- A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
- CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause a SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
During the SSH handshake procedure, the client and server exchanges the supported encryption, MAC and compression algorithms along with other information to negotiate algorithms for initial key exchange, with a message named SSH_MSG_KEXINIT.
When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundreds of megabytes of memory per each connection, before any authentication take place.
Patches for most OSes should be out by now, make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

“Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
But, there are some shortcomings to that type of password manager
How do I synchronize this file on all my devices?
How do I access a password on my parents’ computer without installing my password manager?
How do I access a password on my phone, without any installed app?
To solve this, LessPass does it differently
“The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will returns a unique password”
“No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
There are some issues though.
- Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
- Some sites obviously do not hash passwords correctly, and do not allow some characters
- What if you want to, or need to, change your password?
LessPass has a solution for all of these, where you specify “password profile”, to remember the different complexity settings to generate the valid password
To manage to change the password, there is also a counter, that starts at 1, and you increment to get a different password.
Of course now, you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
There are obviously some privacy concerns, and security concerns here.
How do you restrict access in the connected version, with a username and password? Is that password the same or different from your master password. Is your profile data encrypted per user?
Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
“You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
The fact that the installation instructions are curl | bash (written the other way around, so that when you stick sudo in front of it it works), does raise some other concerns
This leaves a few problems:
- You can never change your master password, as it will effectively change all of your passwords
- It is still technically possible for someone to brute force your master password. Each attempt will require them to do the full PBKDF2 run, but 8192 rounds will take only a small fraction of a second, and it can be parallelized quite well. If someone does compromise your master password (via brute force, or with a keylogger, or whatever), they have access to all of your passwords, but worse, they even have access to your ‘new’ passwords, if you change your password, it just changes the ‘count’ parameter, so I could generate your next 10 gmail passwords and keep them for later.
- The key-derivation seems weak, 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key-derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, so you can change the default for new sites in the future, and increase the strength of the password for one site by changing the password.
- LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or ActiveDirectory). LessPass ONLY allows you to use its derived passwords, which might not always work.
There are definitely some interesting aspects to LessPass, especially being able to self host, but, I don’t think I’ll be switching to it.

A very valuable vulnerability

It all started with a facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
Colin’s day job is running Tarsnap – backups for the truly paranoid.
To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
“While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
- the vulnerability can be exploited remotely, over the internet;
the attack cannot be blocked by firewalls;
- the attack can be carried out without any account credentials on the system being attacked;
- the attack yields money (as opposed to say, credit card details which need to be separately monetized);
- once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
- the attack can be performed without writing a single line of code.
“Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
“The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
“Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
“For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:
- Pay for something using bitcoin.
- Wait until the price of bitcoin drops.
- Send more bitcoins to the address used for the initial payment.
- Ask for a refund of the excess bitcoin.
“Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
“Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
“Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
“As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
“And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
A very interesting attack, that was only found because someone accidentally did the wrong thing

Feedback:

ipV6 vs Mirai
Freenas replication
Freenas 10 question
Backup & LUKS
Chromecast across subnets
A user wrote in about the mention of BCP38 the other week, and asked what other best practises there are: here is a list

Round Up:

The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Insecure Socket Layer | TechSNAP 265

chris — Thu, 05 May 2016 20:35:37 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A critical flaw in that bit of software tucked far far away that you never think about… Until now, we explain why ImageTragick is a pain. More OpenSSL flaws & fraudsters stealing tax data from the motherload.

Plus great questions, our answers, a packed Round up & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Critical flaw found in ImageMagick

ImageMagick is a very popular suite of applications for working with images
It is used by many websites, to process, convert, and resize uploaded images
It is used for photos, avatars, and any other type of image a website might process
“There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.”
“If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):”
Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
A first draft of the fix was released as ImageMagick to 6.9.3-9, on 2016-04-30
However, it is not clear that this entirely resolves the problem
“Insufficient filtering for filename passed to delegate’s command allows remote code execution during conversion of several file formats.”
“ImageMagick allows to process files with external libraries. This feature is called ‘delegate’. It is implemented as a system() with command string (‘command’) from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate’s command is used to handle https requests:”
“wget” -q -O “%o” “https:%M”
If instead of a URL, you provide say: https://example.com;ls -la
It runs your command in addition to the normal operation, allowing the attacker to run any command they wish
“The most dangerous part is ImageMagick supports several formats like svg, mvg, and maybe some others – which allow to include external files from any supported protocol including delegates. As a result, any service, which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.”
Why are you disclosing a vulnerability like this?
“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software. ImageMagick also disclosed this on their forum a few hours ago.”
Additional Coverage – OSS Security List
Additional Coverage – Ars Technica – Huge number of sites imperiled by critical image-processing vulnerability [Updated]

Fraudsters steal tax and salary data from ADP

“Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms”
“ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.”
“ADP provides payroll, tax and benefits administration for more than 640,000 companies”
“Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.”
“ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name.”
US Bancorp: “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP. During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”
“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
“ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal.”
“According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.”
“The problem, ADP Chief Security Officer Roland Cloutier said, seems to stem from ADP customers that both deferred the signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.”
“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” Ripley said. “We have discontinued that practice.”
A secret can only be protected if everyone that possesses it, knows it is a secret
“ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.”
“Cloutier said ADP does offer an additional layer of authentication — a personal identification code (PIC) — basically another static code that can be assigned to each employee. He added that ADP is trialing a service that will ask anyone requesting a new account to successfully answer a series of questions based on information that only the real account holder is supposed to know.”
Of course, “supposed to know” is the problem
The IRS learned this the hard way, and has already had to replace 2 different authentication systems because the ‘knowledge based authentication’ questions were easily guessed by attackers
“It’s truly a measure of the challenges ahead in improving online authentication that so many organizations are still looking backwards to obsolete and insecure approaches. ADP’s logo includes the clever slogan, “A more human resource.” It’s hard to think of a more apt mission statement for the company. After all, it’s high time we started moving away from asking people to robotically regurgitate the same static identifiers over and over, and shift to a more human approach that focuses on dynamic elements for authentication. But alas, that’s fodder for a future post.”
Apparently Kreb’s report caused a large temporary dip in ADP’s stock price

Another OpenSSL Advisory

More fun with OpenSSL
Memory corruption in the ASN.1 encoder (CVE-2016-2108) [HIGH]
The advisory notes that the most severe of the issues was partially fixed over a year ago: “This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.”
However, because of a second bug, this issue turned out to be a critical flaw
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) [HIGH]
- “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
In both of these cases it seems that, in a rush to fix a bug, a further flaw was created
Additional Fixes:
EVP_EncodeUpdate overflow (CVE-2016-2105) [LOW]
EVP_EncryptUpdate overflow (CVE-2016-2106) [LOW]
ASN.1 BIO excessive memory allocation (CVE-2016-2109) [LOW]
EBCDIC overread (CVE-2016-2176) [LOW]
Note: support for OpenSSL version 1.0.1 will cease on 31st December 2016. Support for versions 0.9.8 and 1.0.0 already ended on 31st December 2015. Those versions are no longer receiving security updates.
Additional Coverage: Ars Technica

How do fraudsters get the CVV number for your credit card?

“A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.”
The CVV is the 3 (or 4 in the case of AMEX) digit number on the back of your credit card
This number is not normally used for “card present” transactions, like checking out at the supermarket
The CVV is designed for “card not present” transactions, like shopping online
The idea was, this number was NEVER to be stored, so even in the event of a credit card database breach, the attackers would not get the CVV number, and so could not use the stolen cards in online transactions
The CVV is basically how you prove that you have the card in your hands
This of course works in theory, but just because merchants are not SUPPOSED to not store the CVV, doesn’t mean they don’t
“The vast majority of the time, this CVV data has been stolen by Web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking Trojan does on an infected PC, except it’s designed to steal data from Web server applications.”
“PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.”
“Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.”
“These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).”

Feedback:

Round Up:

The post Insecure Socket Layer | TechSNAP 265 first appeared on Jupiter Broadcasting.

Open Server Sadness Layer | TechSNAP 256

chris — Thu, 03 Mar 2016 17:20:45 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

OpenSSL issues a major security advisory, we break down the important details, then go in depth on the real world impact of these flaws.

Plus some great storage and networking question, a packed round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

OpenSSL issues major security advisory

OpenSSL has released versions 1.0.2g and 1.0.1s to address a number of vulnerabilities:
CVE-2016-0800 (DROWN): HIGH: Cross-protocol attack on TLS using SSLv2
CVE-2016-0703: HIGH: Divide-and-conquer session key recovery in SSLv2
CVE-2016-0702 (CacheBleed): LOW: Side channel attack on modular exponentiation
CVE-2016-0704: MODERATE: Bleichenbacher oracle in SSLv2
CVE-2016-0705: LOW: Double-free in DSA code
CVE-2016-0798: LOW: Memory leak in SRP database lookups
CVE-2016-0797: LOW: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799: LOW: Fix memory issues in BIO_*printf functions
As per previous announcements, support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.

As many as one third of all HTTPS sites vulnerable to DROWN

“More than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a newly discovered, low-cost attack that decrypts sensitive communications in a matter of hours and in some cases almost immediately”
The researchers have dubbed the latest vulnerability DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption
DROWN Attack
“The attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through SSLv2, a TLS precursor that was retired almost two decades ago because of crippling weaknesses. The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server. In the process, the attacker learns a few bits of information about the encryption key each time. While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.”
LibreSSL is not affected by DROWN because support for SSLv2 was removed long ago
“Recent scans of the Internet at large show that more than 5.9 million Web servers, comprising 17 percent of all HTTPS-protected machines, directly support SSLv2. The same scans reveal that at least 936,000 TLS-protected e-mail servers also support the insecure protocol. That’s a troubling finding, given widely repeated advice that SSLv2—short for secure sockets layer version 2—be disabled. More troubling still, even when a server doesn’t allow SSLv2 connections, it may still be susceptible to attack if the underlying RSA key pair is reused on a separate server that does support the old protocol.”
So even a locked down and tightened up server can be compromised, if a less secure server shares the same certificate
I have seen this with my bank, when I changed settings in my browser to be more restrictive on what TLS versions and algorithms were used, a specific subdomain of the bank’s site would no longer load properly
“A website, for instance, that forbids SSLv2 may still be vulnerable if its key is used on an e-mail server that allows SSLv2”
How many people think to adjust the settings on their email server to protect their web server?
TLS security hit a new low last May with the discovery of Logjam, a vulnerability caused by deliberately weakened cryptography that allowed eavesdroppers to read and modify data passing through tens of thousands of Web and e-mail servers
“It’s pretty practical because if you know you want to target certain websites and they’re vulnerable, you can pretty much set up shop and the next thing you know you have all of these secure connections, the passwords, and everything else,” Matt Green, a cryptography expert at Johns Hopkins University who has read the research paper, told Ars. “It’s amazing to me that we keep finding one or two of these [vulnerabilities] per year for protocols that are this old. This shouldn’t keep happening. It kind of makes me feel like we’re not doing our jobs.”
“Tuesday’s OpenSSL updates make it impossible for ordinary end users to enable SSLv2 without declaring explicit intent to do so. The patch also removes support for extremely weak 1990s-era ciphers that are key to making DROWN attacks work. The weak ciphers were added to all SSL and TLS versions prior to 2000 as part of US government’s export regulations”
“Microsoft’s IIS versions 7.0 and on and versions 3.13 and above of the NSS crypto library all have SSLv2 disabled by default. Anyone using older versions of either of these programs should upgrade right away.”
“The most general DROWN attack exploits 1990s-era cryptography that uses extremely weak 40-bit symmetric encryption so software would comply with export restrictions. The attacker captures roughly 1,000 RSA key exchanges made between an end user and a vulnerable TLS server, and the connections can use any version of the SSL or TLS protocols, including the current TLS 1.2. The attacker then uses the intercepted RSA ciphertexts to initiate several thousand SSLv2 connection attempts that include an instruction for the server to use the 40-bit cipher. The attacker then compares the ciphertext to all the 240 possibilities”
“Decrypting the TLS connection requires just 250 computations, a task that in a worst-case scenario Amazon’s EC2 service can perform in eight hours for just $440. The researchers devised an alternate decryption method that uses a cluster of graphics cards and takes 18 hours”
“The researchers also devised a significantly more severe version of DROWN that works against servers running versions of OpenSSL that haven’t been patched since March 2015. It allows attackers to decrypt the “premaster secret” almost instantly. An attacker can use the technique to perform man-in-the-middle attacks that cryptographically impersonate a vulnerable server. Scans performed by the researchers show that a significant percentage of servers vulnerable to DROWN are also susceptible to this more severe version of the exploit. The finding suggests that a surprisingly large number of OpenSSL users have yet to install the March 2015 update, which unknowingly fixed the vulnerabilities that make the more severe attack possible.”
“DROWN is an extension of what cryptographers call the 1998 Bleichenbacher attack, named after Daniel Bleichenbacher, the Swiss cryptographer who discovered the underlying weakness in the PKCS#1 v1 encoding function. While considered a seminal exploit for the mathematical insight it provided, it wasn’t considered especially practical, because it required attackers to make hundreds of thousands or millions of connections to the victim server to compromise a single session key.”
“Ironically, some of the Bleichenbacher countermeasures built into the SSLv2 provided precisely the type of data required to carry out the type of so-called “padding oracle” attack that Bleichenbacher discovered. The Bleichenbacher defenses, it turned out, provided its own oracle that exposed TLS version 1.0 and later exposed it to plaintext recovery attacks. The DROWN research is notable not only because it requires many fewer queries to the server, but also because its cross-protocol nature allows attackers to exploit the SSLv2 weakness to defeat the separate TLS specification. The DROWN findings are also significant because they were the first to identify the ineffectiveness of the Bleichenbacher countermeasures, some two decades after they were added to SSLv2.”
Additional Coverage: CSO Online — Latest attack against TLS shows the pitfalls of intentionally weakening encryption
There is actually a second major exploit that is fixed by this recent OpenSSL update
While this one requires local access to the machine, and is much harder to pull off, the results could be quite disastrous
CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
“CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL’s RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks.”
“While the possibility of an attack based on cache-bank conflicts has long been speculated, this is the first practical demonstration of such an attack. Intel’s technical documentation describes cache-bank conflicts as early as 2004. However, these were not widely thought to be exploitable, and as a consequence common cryptographic software developers have not implemented countermeasures to this attack.”
“We believe that all Sandy Bridge processors are vulnerable. Earlier microarchitectures, such as Nehalem and Core 2 may be vulnerable as well. Our attack code does not work on Intel Haswell processors, where, apparently, cache-bank conflicts are no longer an issue”
“Cache timing attacks exploit timing differences between accessing cached vs. non-cached data. Since accessing cached data is faster, a program can check if its data is cached by measuring the time it takes to access it.”
“In one form of a cache timing attack, the attacker fills the cache with its own data. When a victim that uses the same cache accesses data, the victim’s data is brought into the cache. Because the cache size is finite, loading the victim’s data into the cache forces some of the attacker’s data out of a cache. The attacker then checks which sections of its data remain in the cache, deducing from this information what parts of the victim’s memory were accessed.”
“To facilitate access to the cache and to allow concurrent access to the L1 cache, cache lines are divided into multiple cache banks. On the processor we tested, there are 16 banks, each four bytes wide. The cache uses bits 2-5 of the address to determine the bank that a memory location uses. In the Sandy Bridge microarchitectures, the cache can handle concurrent accesses to different cache banks, however it cannot handle multiple concurrent accesses to the same cache bank. A cache-bank conflict occurs when multiple requests to access memory in the same bank are issued concurrently. In the case of a conflict, one of the conflicting requests is served immediately, whereas other requests are delayed until the cache bank is available.”
“The main operation OpenSSL performs when decrypting or signing using RSA is modular exponentiation. That is, it calculates cd mod n where d is the private key. To compute a modular exponentiation, OpenSSL repeatedly performs five squaring operations followed by one multiplication. The multiplier in the multiplications is one of 32 possible values. All the numbers involved in these operations are half the size of the key. That is, for a 2048 bit RSA key, the numbers are 1024 bits long.”
“Knowing which multiplier is used in each multiplication reveals the secret exponent and with it the private key. Past cache timing attacks against OpenSSL and GnuPG recover the multipliers by monitoring the cache lines in which the multipliers are stored. To protect against such attacks, OpenSSL stores the data of several multipliers in each cache line, ensuring that all of the cache lines are used in each multiplication. However, the multipliers are not spread evenly across cache banks. Instead, they are divided into 8 bins, each bin spanning two cache banks. More specifically, multipliers 0, 8, 16 and 24 only use bin 0, which spans cache banks 0 and 1. Multipliers 1, 9, 17, and 25 only use bin 1, which spans cache banks 2 and 3, etc. As a result of this memory layout, each multiplication accesses two cache banks slightly more than it accesses the other cache banks. For example, in the case of 4096-bit RSA, the multiplication makes 128 additional accesses to the multiplier’s cache banks.”
“Recovering a 4096 RSA key from 60% of the key material requires around two CPU hours and can be accomplished on a high-end server in less than 3 minutes.”

Feedback:

Round Up:

The post Open Server Sadness Layer | TechSNAP 256 first appeared on Jupiter Broadcasting.

Weaponized Comic Sans | TechSNAP 254

chris — Thu, 18 Feb 2016 18:53:24 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A common vulnerability is impacting Firefox, LibreOffice, and others, the 7 problems with ATM security, and the Enterprise grade protection defeated with a batch script.

Plus some great questions, our answers, a rockin roundup, and much much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

The 7 problems with ATM security

Kaspersky presents a list of the 7 reasons why ATMs are so easily compromised, based on a talk given at the SAS2016 conference
“Automated teller machines (ATM) have always a been a big target for criminals. In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed. Nowadays culprits can ‘jackpot’ an ATM without such special effects.”

ATMs are basically just computers (PCs)
That PC is likely running an old operating system (in early 2014, 95% of all ATMs still ran Windows XP)
The software other than the OS is also likely vulnerable. Many ATMs still have the bundled version of flash that came with stock Windows XP, which now has 9000 known vulnerabilities
ATMs have no software integrity control, no antivirus solutions, no authentication of an app that sends commands to cash dispenser.
Weak physical security for the PC part of the ATM. While the deposit box and cash dispenser are armored against attack, the PC is usually only hidden behind some thin plastic. “There is no money in that part of the ATM”
ATM control PCs have standard interfaces, that are not secured. Let me just plug this USB stick into your ATM, now it is my ATM
ATMs are increasingly directly connected to the Internet. You can find ATMs on Shodan

ATMs are not replaced very often, so upgrades to the physical protections of the PC component will likely not happen very soon
When was the last time you saw an ATM down for software updates?
Maybe if the criminals keep stealing large amounts of money, the banks will be more interested in replacing the ATMs
This of course doesn’t cover the private ATMs you often see in convenience stores

FireEye Detection Evasion and Whitelisting of Arbitrary Malware

Researchers at Blue Frost Security have developed a way to evade the dynamic analysis of the FireEye suite of security appliances
The FireEye appliance works by starting untrusted binaries and applications in virtualization and observing what they do
If the application is found to be malicious, it is blocked
Only applications allowed by the FireEye device can be run on the protected computers
“The analysis engine evasion allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the whitelist entry is wiped after a day”
“FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.”
“No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.”
Let’s take the filename FOO%temp%BAR.exe which results in:
copy malware.exe “%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe”
The filename, directory name, or volume label syntax is incorrect.
“The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
“Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.”
“Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.”
The issue was reported to FireEye on September 14th, and responded quickly
FireEye released updates for some of its products on October 5th and 15th
On December 31st FireEye published their Q4 security advisory
FireEye Security Advisory
On January 14th, FireEye asked that BFS delay publication of the vulnerability for another 30 days, as too many clients had not yet installed the update

Libgraphite Vulnerabilities Impact Firefox, OpenOffice, and Others

Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library
Which is used for font processing in Linux, Firefox, OpenOffice, and other major applications.
The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution.
A second vulnerability is an exploitable heap overflow.
Finally, the last two vulnerabilities result in denial of service situations.
To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities.
Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).
Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors.
Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions.
The issues that Talos identified include the following:

An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.

A specially crafted font can cause a buffer overflow resulting in potential code execution.

An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

If a malicious font is provided then an arbitrary length buffer overflow can occur when handling context items.
The first denial of service issue results from a NULL pointer dereference.
The second denial of service issue results from an out of bounds read that can not only cause a DoS, but it can also cause a leak of information. When reading an invalid font where the local table size is set to 0, an out of bounds read will occur.
Known Vulnerable Versions:
Libgraphite 2-1.2.4
Firefox 31-42
Firefox ESR before 38.6.1

Feedback:

Make sure you patch your linux machines for the glibc vulnerability

Round Up:

The post Weaponized Comic Sans | TechSNAP 254 first appeared on Jupiter Broadcasting.

Hot Norse Potato | TechSNAP 252

chris — Thu, 04 Feb 2016 18:35:16 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A new openSSL exploit, cyber security firm Norse implodes & the Windows Hot Potato flaw that’s been around for over a decade.

Plus great questions, our answers, a rockin round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

OpenSSL Exploit

Official Advisory
The OpenSSL team announced versions 1.0.2f and 1.0.1r to fix a number of vulnerabilities
The first issue, DH small subgroups (CVE-2016-0701), is classified as “High Severity”
“Historically OpenSSL usually only ever generated DH parameters based on “safe” primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be “safe”. Where an application is using DH configured with parameters based on primes that are not “safe” then an attacker could use this fact to find a peer’s private DH exponent.”
“OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.”
“OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters”
Another issue, SSLv2 doesn’t block disabled ciphers (CVE-2015-3197), is classified as “Low Severity”
“A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2”
So if your server disabled all of the SSLv2 ciphers, but didn’t disable the SSLv2 protocol itself, SSLv2 could still be used. This is likely higher severity than it seems, since it could be used in a downgrade attack
A third issue was an update on DHE man-in-the-middle protection (Logjam)
“OpenSSL added Logjam mitigation for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits in releases 1.0.2b and 1.0.1n. This limit has been increased to 1024 bits in this release, to offer stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange.”
“As per the previous announcements support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.”

Krebs: Norse Corp. Implodes

Norse Corp is a security startup that has made a lot of headlines, many surrounding its graphical “Attack Map” of the Internet
Last month, Norse unexpectedly laid off more than 30% of its workforce
Now, Norse’s CEO, Sam Glines, has been asked to step down by the board of directors
“sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.”
“Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation.”
“Two sources at Norse said the company’s assets will be merged with networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story.
“Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.””
“A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles”
“In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.”
“Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.”
“Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen”
“This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public. Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.”
The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.” “This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet”
“In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.”
“Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.”
“In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.”
“In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.”
“In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and it’s stock price plummeted.”
“In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.”
“By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.”
“Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.”
By 2014, former employees say Norse’s systems were collecting a whopping 140 terabytes of Internet attack and traffic data per day.”
Norse’s senior data scientist says she “wasn’t actually given access to all that data until the fall of 2015 — seven months after being hired as Norse’s chief data scientist — and that when she got the chance to dig into it, she was disappointed: The information appeared to be little more than what one might glean from a Web server log — albeit millions of them around the world.”
“The data isn’t great, and it’s pretty much the same thing as if you looked at Web server logs that had automated crawlers and scanning tools hitting it constantly. But if you know how to look at it and bring in a bunch of third-party data and tools, the data is not without its merits, if not just based on the sheer size of it.”
“Landesman and other current and former Norse employees said very few people at the company were permitted to see how Norse collected its sensor data, and that Norse founder Stiansen jealously guarded access to the back-end systems that gathered the information.”
This seems to be to cover up the fact that there was no “secret sauce”, it was all smoke and mirrors
“With this latest round of layoffs, if Tommy got hit by a bus tomorrow I don’t think there would be a single person in the company left who understands how the whole thing works,” said one former employee at Norse who spoke on condition of anonymity.
“Stuart McClure, president and founder of the cybersecurity firm Cylance, said he found out just how reluctant Stiansen could be to share Norse data when he visited Stiansen and the company’s offices in Northern California in late 2014. McClure said he went there to discuss collaborating with Norse on two upcoming reports: One examining Iran’s cyber warfare capabilities, and another about exactly who was responsible for the massive Nov. 2014 cyber attack on Sony Pictures Entertainment.”
“The FBI had already attributed the attack to North Korean hackers. But McClure was intrigued after Stiansen confidentially shared that Norse had reached a vastly different conclusion than the FBI: Norse had data suggesting the attack on Sony was the work of disgruntled former employees.”
“McClure said he recalls listening to Stiansen ramble on for hours about Norse’s suspicions and simultaneously dodging direct questions about how it had reached the conclusion that the Sony attack was an inside job.”
“I just kept going back to them and said, ‘Tommy, show me the data.’ We wanted to work with them, but when they couldn’t or wouldn’t produce any data or facts to substantiate their work, we couldn’t proceed.”
“Conversely, Norse’s take on Iran’s cyber prowess (PDF) was trounced by critics as a deeply biased, headline-grabbing report. It came near the height of international negotiations over lifting nuclear sanctions against Iran, and Norse had teamed up with the American Enterprise Institute, a conservative think tank that has traditionally taken a hard line against threats or potential threats to the United States.”
“In its report, Norse said it saw a half-million attacks on industrial control systems by Iran in the previous 24 months — a 115 percent increase in attacks. But in a scathing analysis of Norse’s findings, critical infrastructure security expert Robert M. Lee said Norse’s claim of industrial control systems being attacked and implying it was definitively the Iranian government was disingenuous at best. Lee said he obtained an advanced copy of an earlier version of the report that was shared with unclassified government and private industry channels, and that the data in the report simply did not support its conclusions.”
“KrebsOnSecurity interviewed almost a dozen current and former employees at Norse, as well as several outside investors who said they considered buying the firm. None but Landesman would speak on the record. Most said Norse’s data — the core of its offering — was solid, if prematurely marketed as a way to help banks and others detect and deflect cyber attacks.”
The problem seems to be that the top executives of the company we more interested in getting investments based on the “Attack Map” and their marketing, than actually building the product
“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data. If you think about the network they built, that’s a lot of power.”
After being fired, some former employees started doing some deeper digging
“I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”
“These shell companies formed by [the company’s founders] bilked investors,” Landesman said. “Had anyone gone and investigated any of these partnerships they were espousing as being the next big thing, they would have realized this was all smoke and mirrors.”

Windows Privilege Escalation — Hot Potato

Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
If this sounds vaguely familiar, it’s because a similar technique was disclosed by the guys at Google Project Zero – https://code.google.com/p/google-security-research/issues/detail?id=222 . In fact, some of our code was shamelessly borrowed from their PoC and expanded upon.
Using this technique, they can elevate their privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network.
This is perfect for the island hopping technique we frequently talk about on TechSNAP.
The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches.
Part One: Local NBNS Spoofer
If we can know ahead of time which hostname a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a fake response and flood the target host with NBNS responses very quickly (since it is a UDP protocol).
One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response, and we are unable to see the request. We can overcome this by flooding quickly and iterating over all 65536 possible values.
What if the network we are targeting has a DNS record for the host we want to spoof?
We can use a technique called UDP port exhaustion to force ALL DNS lookups on the system to fail. All we do is bind to EVERY single UDP port. This causes DNS to fail because there will be no available UDP source port for the request. When DNS fails, NBNS will be the fallback.
Part Two: Fake WPAD Proxy Server
In Windows, Internet Explorer by default will automatically try to detect network proxy setting configuration.
This also surprisingly applies to some Windows services such as Windows Update, but exactly how and under what conditions seems to be version dependent.
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1, configured with a response at the URL IE will be checking.
This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.

Part Three: HTTP -> SMB NTLM Relay

NTLM relay is a well known, but often misunderstood attack against Windows NTLM authentication. The NTLM protocol is vulnerable to man-in-the-middle attacks. If an attacker can trick a user into trying to authenticate using NTLM to his machine, he can relay that authentication attempt to another machine!
Microsoft patched this by disallowing same-protocol NTLM authentication using a challenge that is already in flight. What this means is that SMB->SMB NTLM relay from one host back to itself will no longer work. However cross-protocol attacks such as HTTP->SMB will still work with no issue!
With all HTTP traffic now presumably flowing through an HTTP server that we control, we can do things like redirect them somewhere that will request NTLM authentication.
In the Potato exploit, all HTTP requests are redirected with a 302 redirect to “https://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “https://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
Any NTLM credentials are then relayed to the local SMB listener to create a new system service that runs a user-defined command.
When the HTTP request in question originates from a high privilege account, for example, when it is a request from the Windows Update service, this command will run with “NT AUTHORITY\SYSTEM” privilege!
Windows 7 can be fairly reliably exploited through the Windows Defender update mechanism.
Wince Windows Server doesn’t come with Defender, we need an alternate method. Instead we’ll simply check for Windows updates.
In the newest versions of Windows, it appears that Windows Update may no longer respect the proxy settings set in “Internet Options”, or check for WPAD. Instead proxy settings for Windows Update are controlled using “netsh winhttp proxy…”
Instead for these versions, we rely on a newer feature of Windows, the “automatic updater of untrusted certificates”
It’s unclear whether this attack would work when SMB signing is enabled. The exploit as released currently does not, but this may just be due to lack of SMB signing support in the CIFS library they’re using.

Feedback:

Round Up:

The post Hot Norse Potato | TechSNAP 252 first appeared on Jupiter Broadcasting.

Leaky RSA Keys | TechSNAP 231

chris — Thu, 10 Sep 2015 05:03:52 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Red Hat highlights how leaky many open source RSA implementations are, Netflix releases Sleepy Puppy & the Mac is definitely under attack.

Plus some quick feedback, a rockin’ roundup & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

NetFlix releases new open source security tool, Sleepy Puppy

Sleepy Puppy is a delayed XSS (Cross-Site Scripting) vulnerability scanner
In a typical XSS scan, and attacker (or the scanner program) attempts to send a script as part of some user input (the comment on a blog or something like that, or via a URL variable). This content is then shown to that user, and often times, other users. If I can make a bit of my javascript run on your computer, when you visit someone else’s site, I have achieved XSS
There are a number of scanners out there, and they “fuzz test” all of the inputs and variables they can find, and attempt to get some code they submit to be returned to them
This new tool from NetFlix addresses second level vulnerabilities, and beyond
What if an attacker injects the code on the website, and the website mitigates this, but some other application, internal or public facing, also uses the data from the database, and it then ends up being vulnerable to the XSS
Sleepy Puppy is a “XSS payload management framework”, it generates unique code snippets for each injection, so that when a successful XSS happens, it can be tracked back to its source, even if that is outside of the application where the exploit took place
“Delayed XSS testing is a variant of stored XSS testing that can be used to extend the scope of coverage beyond the immediate application being tested. With delayed XSS testing, security engineers inject an XSS payload on one application that may get reflected back in a separate application with a different origin.”
- Show Diagram
“Here we see a security engineer inject an XSS payload into the assessment target (App #1 Server) that does not result in an XSS vulnerability. However, that payload was stored in a database (DB) and reflected back in a second application not accessible to the tester. Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.)”
SleepyPuppy ships with a default set of assessments includes, so is ready to use out of the box

Researchers announce new iOS vulnerability: brokenchain

The vulnerability allows a piece of malware to access the keychain in iOS, and copy your saved passwords and other secret keys
These keys can then be exfiltrated via SMS or HTTP etc
When the malware attempts to access the keychain, iOS presents a dialog asking them user to allow or deny the action, but the malware can simulate a tap on the screen and accept the dialog
Further, some malware seems to be able to cause the popup to appear off screen, so the user never even sees it
“Special-crafted commands can be triggered by malware — or even an image or video — which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user’s password and send it to the attacker via SMS or any other means.”
“Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.”
Ars Technica found that parts of the vulnerability have existed since 2011, and have been used actively
“DevilRobber, the then new threat caught the attention of security researchers because it commandeered a Mac’s graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber’s use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.”
“The same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that’s protected inside the Mac Keychain.”
The same day, another group of researchers independently found the same vulnerability
Windows UAC has a bunch of defenses against apps users accidentally accepting or malware auto-clicking the authorization popups. Maybe we need the same in mobile OSes
“Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don’t require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.”
Maybe the solution is to require the unlock code or password in order to authorize access to sensitive areas like the keychain
“I think that Apple needs to isolate that particular window,” Reed told Ars on Wednesday. “They need to pull that particular window out of the window list … in a way that an app can’t tell it’s on the screen and get its location.”

Factoring RSA keys with TLS Forward Secrecy

“Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures.”
“This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”
“We evaluated the source code of several free software TLS implementations to see if they implement hardening against this particular side-channel attack, and discovered that it is missing in some of these implementations. In addition, we used a TLS crawler to perform TLS handshakes with servers on the Internet, and collected evidence that this kind of hardening is still needed, and missing in some of the server implementations: We saw several RSA-CRT key leaks, where we should not have observed any at all.”
“An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.”
“Does this break RSA? No. Lenstra’s attack is a so-called side-channel attack, which means that it does not attack RSA directly. Rather, it exploits unexpected implementation behavior. RSA, and the RSA-CRT optimization with appropriate hardening, is still considered secure.“
While it appears that OpenSSL and NSS properly implement the hardening, some other products do not
It seems RedHat discovered this issue some time ago, and reported it to a number of vendors
Oracle patched OpenJDK back in April
“None of the key leaks we observed in the wild could be attributed to these open-source projects, and no key leaks showed up in our lab testing, which is why this additional hardening, while certainly desirable to have, does not seem critical at this time.”
“Once the necessary data is collected, the actual computation is marginally more complicated than a regular RSA signature verification. In short, it is quite cheap in terms of computing cost, particularly in comparison to other cryptographic attacks.”
Then the most important question came up
“Does this vulnerability have an name? We think that “RSA-CRT hardening” (for the countermeasure) and “RSA-CRT key leaks” (for a successful side-channel attack) is sufficiently short and descriptive, and no branding is appropriate. We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.”
Crypto Rundown, Hardened:
- GnuPG
- NSS
- OpenSSL 1.0.1l
- OpenJDK8 (after the April patch)
- cryptlib (hardening disabled by default)
Unhardened:
- GNUTLS (via libgcrypt and Nettle)
- Go 1.4.1
- libgcrypt (1.6.2)
- Nettle (3.0.0)
- ocaml-nocrypto (0.5.1)
- OpenSwan (2.6.44)
- PolarSSL (1.3.9)
Technical Record [PDF]

Feedback

Round Up:

The post Leaky RSA Keys | TechSNAP 231 first appeared on Jupiter Broadcasting.

Beverly Hills 25519 | BSD Now 104

chris — Thu, 27 Aug 2015 10:01:46 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Coming up this week on the show, we’ll be talking with Damien Miller of the OpenSSH team. We will be discussing some of the changes in their latest 7.0 release, including phasing out older crypto and changing one of the defaults that might surprise you.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

EdgeRouter Lite, meet OpenBSD

The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
We’ve covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
More discussion can be found on Hacker News and various other places
One thing to note about these devices: because of their MIPS64 processor, they’ll have weaker ASLR than X86 CPUs (and no W^X at all)

Design and Implementation of the FreeBSD Operating System interview

For those who don’t know, the “Design and Implementation of the FreeBSD Operating System” is a semi-recently-revived technical reference book for FreeBSD development
InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors
“The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points.”
Aside from detailing a few of the chapters, the interview covers who the book’s target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics

Path list parameter in OpenBSD tame

We’ve mentioned OpenBSD’s relatively new “tame” subsystem a couple times before: it’s an easy-to-implement “self-containment” framework, allowing programs to have a “reduced feature set” mode with even less privileges
One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access – you could either read/write files or not, nothing in between
Now there’s the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
More discussion can be found on Reddit and Hacker News

FreeBSD & PC-BSD 10.2-RELEASE

The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
Check the full release notes for the rest of the details and changes
PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features

Interview – Damien Miller – djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane

We weren’t the only ones away at conferences last week – the Japanese NetBSD guys are always raiding one event or another
This time they had NetBSD running on some Sony NWS devices (MIPS-based)
JavaStations were also on display – something we haven’t ever seen before (made between 1996-2000)

BAFUG videos

The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader – for example, how can we type encryption passwords with non-US keyboard layouts
In a second video, Jordan Hubbard and Kip Macy introduce “NeXTBSD aka FreeBSD X”
In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
People should record presentations at their BSD users groups and send them to us

L2TP over IPSEC on OpenBSD

If you’ve got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
This guide specifically covers L2TP, using npppd and pre-shared keys
Server setup, client setup, firewall configuration and routing-related settings are all covered in detail

Reliable bare metal with TrueOS

Imagine a server version of PC-BSD with some useful utilities preinstalled – that’s basically TrueOS
This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he’d like
Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are

Kernel W^X on i386

We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that’s what most people run now)
Mike Larkin is back again, and isn’t leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
Check out our interview with Mike for some more background info on memory protections like W^X

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
BSD Now tshirts are now available, and will be shipping in September (you’ve only got about four days left to place an order, then they’re gone)
Preorders for OpenBSD 5.8 CDs are now open, and the artwork is especially great for this special 20th anniversary release – you won’t wanna miss it

The post Beverly Hills 25519 | BSD Now 104 first appeared on Jupiter Broadcasting.

ZFS does not prevent Stupidity | TechSNAP 222

chris — Thu, 09 Jul 2015 16:46:33 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
Adobe released a patch on July 7th 2015
Researches also have found that the Adobe Flash zero-day has already been used in the wild.
“In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
Additional Coverage: Security Week
Additional Coverage: CSO Online
Additional Coverage: Net Security
Additional Coverage: Daily Dot
Additional Coverage: Threat Post — Update: Hacking Team to continue operations
Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted 3 letter twitter handle, everyone raced to setup Two Factor Authentication for their Apple ID
The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
The hacker was able to reset the password for the Apple ID account by socially engineering the operation at Apple by using stolen information from public data, and from a hacked Amazon account
In the aftermath, Apple promised to increase training of its support operators and improve security
As part of this, when you enable two factor authentication, Apple issues you a recovery key. A short text string that you should print and store in a safe place
Without it, you cannot recover your account if you lose the password
This system is far more secure, but it has its drawbacks
Journalist loses recovery key, and Apple ID
If you, like Owen from the link above, lose your recovery ID, and your account is compromised or you lose your password, you have no way to get it back
Apple has drawn a hard line in the sand, for the sake of security, they can’t recovery an account without that recovery key. You specifically asked to be protected from impersonation etc.
In the wake of scandals such as “the fappening”, this strong stance on security makes sense
However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
But, can you blame them?
“Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
“Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not wide spread. All that hype for nothing

“During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
Impact: “An attacker could cause certain checks on untrusted certificates, such as the
CA (certificate authority) flag, to be bypassed, which would enable them to
use a valid leaf certificate to act as a CA and issue an invalid certificate.”
If you installed the OpenSSL update from June 11th, which blocks DH parameters shorter than 768 bits, your system is affected
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
- OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
- OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
This suggests further than OpenSSL needs to separate new features from bug and security fix releases
Why are any new features being added to OpenSSL 1.0.1?
Shouldn’t all new development happen only in the bleeding edge version?
Why has a sane release model not been adopted yet?

Feedback:

Round Up:

The post ZFS does not prevent Stupidity | TechSNAP 222 first appeared on Jupiter Broadcasting.

SSL in the Wild | BSD Now 82

chris — Thu, 26 Mar 2015 10:08:34 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We’ll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He’s been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this weeks news and answers to your questions, on BSD Now – the place to B.. SD.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

EuroBSDCon 2015 call for papers

The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
If giving a full talk isn’t your thing, there’s also a call for tutorials – if you’re comfortable teaching other people about something BSD-related, this could be a great thing too
You’re not limited to one proposal – several speakers gave multiple in 2014 – so don’t hesitate if you’ve got more than one thing you’d like to talk about
We’d like to see a more balanced conference schedule than BSDCan’s having this year, but that requires effort on both sides – if you’re doing anything cool with any BSD, we’d encourage you submit a proposal (or two)
Check the announcement for all the specific details and requirements
If your talk gets accepted, the conference even pays for your travel expenses

Making security sausage

Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
“Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!”
The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
Following that, it leads to the topic of FreeType – and a much more complicated problem with backporting patches between versions
The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release – it had to be redone at the last minute
It was because of this that FreeBSD actually had to release a security update to their security update
He concludes with “My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note ‘oh, and some security too’ creates downstream mayhem.”

Running FreeBSD on the server, a sysadmin speaks

More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
If you’ve been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you

NetBSD ported to Hardkernel ODROID-C1

In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet… all for just $35
There’s a special kernel config file for this board’s hardware, available in both -current and the upcoming 7.0
More info can be found on their wiki page
After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device

Interview – Bernard Spil – spil.oss@gmail.com / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

If you’re using pf on any of the BSDs, maybe you’ve gotten bored of grepping logs and want to do something more fancy
This article will show you how to get set up with Gource for a cinematic-like experience
If you’ve never heard of Gource, it’s “an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories”
When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend’s phone had been compromised – graphical representations of traffic could be useful for detecting suspicious network activity

pkgng 1.5.0 alpha1 released

The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
This update introduces support for provides/requires, something that we’ve been wanting for a long time
It will also now print which package is the reason for direct dependency change
Another interesting addition is the “pkg -r” switch, allowing cross installation of packages
Remember this isn’t the stable version, so maybe don’t upgrade to it just yet on any production systems
DragonFly will also likely pick up this update once it’s marked stable

Welcome to OpenBSD

We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
The slides from that talk are now online, and they’ve been generating quite a bit of discussion online
It’s simply titled “Welcome to OpenBSD” and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
As you may know, NetBSD has almost 60 supported platforms and their slogan is “of course it runs NetBSD” – Brian says, with 17 platforms over 13 CPU architectures, “it probably runs OpenBSD”
No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
Try to guess which font he used…

BSDTalk episode 252

And somehow Brian has snuck himself into another news item this week
He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
If that sounds familiar, it’s probably because we did the same thing, albeit with a different member of their team
In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself

Feedback/Questions

Mailing List Gold

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – don’t be afraid to write about your experiences and send them to us, we’d love to read about what you guys are doing with BSD
If you’re interested in OpenZFS discussion, they’re looking to start up the office hours series again on April 2nd (with Justin Gibbs)
There’s a new BSD users group starting up in the Vancouver, British Columbia area – VanBUG will be holding an event on April 8th

The post SSL in the Wild | BSD Now 82 first appeared on Jupiter Broadcasting.

Two Factor Falsification | TechSNAP 206

chris — Thu, 19 Mar 2015 18:47:44 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

The way TLS certificates are issued currently is not always foolproof
In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
The problem comes when webmail services, like hotmail, allow these usernames to be registered
That is exactly what happened with Microsoft’s live.be and live.fi
A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
It took Microsoft four to six weeks to solve the problem
Additional Coverage – Ars Technica
When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
“After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

Authy is a popular reusable 2 factor authentication API
It allows 3rd party sites to easily implement 2 factor authentication
Maybe a little too easily
When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
This API call is the one used to actually send the code to the user
This call sends another token to the user and returns success
The 3rd party application sees the ‘success’ part, and allows the user access
It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
Also, the middleware should probably not unescape and parse the user input

Hijacking a domain

An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
A combination of social engineering, publically available information, and a photoshopped government ID, allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
This could allow:
an attacker to inject malware into your site
redirect your email, capturing password reset emails from other services
redirect traffic from your website to their own
issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attackers on your visitors with a valid SSL certificate
Some of the social engineering steps:
- Create a fake Social Media profile in the name of the victim (with the fake picture of them)
- Create a gmail address in the name of the victim
- Call and use myriad plausible excuses why you do not have the required information:
- please provide your pin #? I don’t remember setting up a pin number
- my assistant registered the domain for me, so I don’t have access to the email address used
- my assistant used the credit card ending in: 4 made up numbers
- create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
- GoDaddy requires additional verification is the domain is registered to a business, however, since many people make up a business name when they register a domain, it is very common for these business to not actually exist, and there are loopholes
- Often, you can create a letter on a fake letterhead, and it will be acceptable
In the end, Customer Support reps are there to help the customer, it is usually rather difficult for them to get away with refusing to help the customer because they lack the required details, or seem suspicious
GoDaddy’s automated system sends notifications when changes are made, however in this case it is often too later, the attacker has already compromised your account
GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal

Feedback:

Round Up:

The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.

Pipe Dreams | BSD Now 73

chris — Thu, 22 Jan 2015 13:48:41 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week on the show we’ll be chatting with David Maxwell, a former NetBSD security officer. He’s got an interesting project called Pipecut that takes a whole new approach to the commandline. We’ve also got answers to viewer-submitted questions and all this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD quarterly status report

The FreeBSD team has posted an updated on some of their activities between October and December of 2014
They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
FreeBSD’s forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
Git was promoted from beta to an officially-supported version control system (Kris is happy)
The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more “cloud” services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
Check out the full report for all the details that we didn’t cover

OpenBSD package signature audit

“Linux Audit” is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
Package signature formats and public key distribution methods are also touched on
After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
If you haven’t seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this

Replacing a Linux router with BSD

There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
The poster begins with “I’m in the camp that doesn’t trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I’d run Windows NT, not Linux. So I’ve decided to migrate my homebrew router/firewall/samba server to one of the BSDs.”
A lot of people were quick to recommend OPNsense and pfSense, being that they’re very easy to administer (requiring basically no BSD knowledge at all)
Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
If you’ve been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through
Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you’ll have to wade through some of that to get to the good information

LibreSSL in FreeBSD and OPNsense

A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
OPNsense developers are looking into switching away from OpenSSL to LibreSSL’s portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
Some ports still need fixing to be compatible though, particularly a few python-related ones
If you’re a FreeBSD ports person, get involved and help squash some of the last remaining bugs
A lot of the work has already been done in OpenBSD’s ports tree – some patches just need to be adopted
More and more upstream projects are incorporating LibreSSL patches in their code – let your favorite software vendor know that you’re using it

Interview – David Maxwell – david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system

A new project was launched to adapt FreeBSD jails to the “app container specification”
While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
It’s a similar project to iocage or bsdploy, which we haven’t talked a whole lot about
There was also some discussion about it on Hacker News

Separating base and package binaries

All of the main BSDs make a strong separation between the base system and third party software
This is in contrast to Linux where there’s no real concept of a “base system” – more recently, some distros have even merged all the binaries into a single directory
A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
Read the comments for the full explanation, but having things separated really helps keep things organized

Updated i915kms driver for FreeBSD

This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward
This update does not introduce Haswell support just yet, but was required before the Haswell bits can be added

Year of the OpenBSD desktop

Here we have an article about using OpenBSD as a daily driver for regular desktop usage
The author says he “ran fifty thousand different distributions, never being satisfied”
After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
He also used FreeBSD between versions 7 and 9, finding a “a mostly harmonious environment,” but regressions lead him to give up on desktop *nix once again
Starting with 2015, he’s back and is using OpenBSD on a Thinkpad x201
The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
He apparently used our desktop tutorial – thanks for watching!

Unattended FreeBSD installation

A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
His goal was to have a setup similar to Redhat’s “kickstart” or OpenBSD’s autoinstall
The article shows you how to set up DHCP and TFTP, with no NFS share setup required
He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you

Feedback/Questions

Mailing List Gold

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
We’re thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It’s meant to be informative like a tutorial, but more of a “free discussion” format. If you have any subjects you want us to explore, or even just a good name for it, send in an email. We may incorporate guests too, so if you’d like to join us for something like that, let us know.
Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Pipe Dreams | BSD Now 73 first appeared on Jupiter Broadcasting.

The Promised WLAN | BSD Now 55

chris — Thu, 18 Sep 2014 10:26:43 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Coming up this week, we’ll be talking with Adrian Chadd about all things wireless, his experience with FreeBSD on various laptop hardware and a whole lot more. As usual, we’ve got the latest news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD 10.1-BETA1 is out

The first maintenance update in the 10.x series of FreeBSD is on its way
Since we can’t see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
Initial UEFI support, multithreaded softupdates for UFS and many more things were added
You can check the release schedule for the planned release dates
Details for the various forms of release media can be found in the announcement

Remote headless OpenBSD installation

A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
Sometimes you’ll get lucky and they’ll offer FreeBSD, but it’s much harder to find ones that natively support other BSDs
This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
It required a few specific steps you’ll want to take note of, but is extremely useful for those pesky hosting providers

Building a firewall appliance with pfSense

In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
After the author’s modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
There’s a lot of great pictures of the hardware and detailed screenshots, definitely worth a look

Receive Side Scaling – UDP testing

Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
He’s using some quad core boxes with 10 gigabit ethernet for the tests
The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
And speaking of Adrian Chadd…

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics

News Roundup

Sendmail removed from OpenBSD

Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
If you’ve ever compared a “sendmail.cf” file to an “smtpd.conf” file… the different is as clear as night and day
5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
If you still need it for some reason, sendmail will live in ports from now on
Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly’s mail transfer agent in base (instead of an entire mail server)

pfSense backups with pfmb

We’ve mentioned the need for a tool to back up pfSense configs a number of times on the show
This script, hosted on github, does pretty much exactly that
It can connect to one (or more!) pfSense installations and back up the configuration
You can roll back or replace failed hardware very easily with its restore function
Everything is done over SSH, so it should be pretty secure

The Design and Implementation of the FreeBSD Operating System

We mentioned when the pre orders were up, but now “The Design and Implementation of the FreeBSD Operating System, 2nd edition” seems to be shipping out
If you’re interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
We’ve even had all three authors on the show before!

OpenBSD’s systemd replacement updates

We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
One of the developers writes in to Undeadly, detailing what’s going on and what the overall status is
He also clears up any confusion about “porting systemd to BSD” (that’s not what’s going on) or his code ever ending up in base (it won’t)
The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux… poor guy

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you!
Last week we mentioned that Ken was looking for help to port Lumina to other BSDs, and now it’s been done for OpenBSD and DragonFly – so now you can try it out there too
Antoine Jacoutot sent a screenshot of Lumina on OpenBSD
We’ll be at EuroBSDCon soon, so there will be a prerecorded episode next week
When we’re not in Europe, you can usually watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post The Promised WLAN | BSD Now 55 first appeared on Jupiter Broadcasting.

VPN, My Dear Watson | BSD Now 50

chris — Thu, 14 Aug 2014 10:47:27 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

It’s our 50th episode, and we’re going to show you how to protect your internet traffic with a BSD-based VPN. We’ll also be talking to Robert Watson, of the FreeBSD core team, about security research, exploit mitigation and a whole lot more. The latest news and answers to all of your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

MeetBSD 2014 is approaching

The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
MeetBSD has an “unconference” format, which means there will be both planned talks and community events
All the extra details will be on their site soon
It also has hotels and various other bits of useful information – hopefully with more info on the talks to come
Of course, EuroBSDCon is coming up before then

First experiences with OpenBSD

A new blog post that leads off with “tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven’t tried before”
The author read the famous “BSD for Linux users” series (that most of us have surely seen) and decided to give BSD a try
He details his different OS and distro history, concluding with how he “eventually became annoyed at the poor quality of Linux userland software”
From there, it talks about how he used the OpenBSD USB image and got a fully-working system
He especially liked the simplicity of OpenBSD’s “hostname.if” system for network configuration
Finally, he gets Xorg working and imports all his usual configuration files – seems to be a happy new user!

NetBSD rump kernels on bare metal (and Kansai OSC report)

When you’re developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
However, NetBSD’s rump kernels – a very unique concept – make this process a lot easier
This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight

OpenSSL and LibreSSL updates

OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
LibreSSL released a new version to address most of the vulnerabilities, but wasn’t affected by some of them
Whichever version of whatever SSL you use, make sure it’s patched for these issues
DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, FreeBSD (outside of -CURRENT) and NetBSD are not

Interview – Robert Watson – rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

If you use git (like a certain host of this show) then you’ve probably considered setting up your own server
This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
It even shows you how to set up multiple repos with key-based user separation and other cool things
The author of the post is also a listener of the show, thanks for sending it in!

Backup devices for small businesses

In this article, different methods of data storage and backup are compared
After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
It also goes over some of the hardware specifics in the FreeNAS Mini

A new Xenocara interview

As a follow up to last week’s OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
If you’re not familiar with Xenocara, it’s OpenBSD’s version of Xorg with some custom patches
In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it’s natural for him to do a lot of the maintainership work there

Building a high performance FreeBSD samba server

If you’ve got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what’s the best solution?
FreeBSD, ZFS and Samba obviously!
The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
It doesn’t even require the newest or best hardware with the right changes, pretty cool

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
We want to give a special thanks to our viewer Adam (aka bsdx) for writing most of today’s OpenVPN tutorial
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post VPN, My Dear Watson | BSD Now 50 first appeared on Jupiter Broadcasting.